CN113505367B - Security audit method, device, system, electronic device and readable storage medium - Google Patents
Security audit method, device, system, electronic device and readable storage medium
- Publication number: CN113505367B (application CN202110732009.1A)
- Authority: CN (China)
- Prior art keywords: audit, security, data, task, target
- Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The application relates to a security audit method comprising the following steps: acquiring a security audit policy, and acquiring a target audit template based on the security audit policy; acquiring a data acquisition mode based on the target audit template; and acquiring security event audit data based on the data acquisition mode, and inputting the security event audit data into the target audit template to obtain a security audit report, wherein the security event audit data comprises audit data corresponding to a plurality of security events. The application solves the problem in the related art that security audit efficiency cannot be effectively improved.
Description
Technical Field
The present application relates to the field of information security technologies, and in particular, to a security audit method, device, system, electronic device, and readable storage medium.
Background
A security audit is the systematic and independent examination and verification of activities or behaviour in a computer network environment, carried out by professional auditors in accordance with applicable laws and regulations, the mandate of the asset owners and the authority of management, together with a corresponding evaluation.
In the related art, the monitoring, alerting, handling and closing of security events are combined into a closed loop, which reduces the management cost for auditors, improves the handling efficiency of security events and provides a clear quantitative indicator of the value of information security work in an enterprise. With this approach, however, after a security event has been handled the auditor must confirm its closure; when a large number of security events are reported, auditors have to close and confirm them one by one, which creates a heavy workload and leads to low security audit efficiency.
No effective solution has yet been proposed for the problem in the related art that security audit efficiency cannot be effectively improved.
Disclosure of Invention
The present embodiment provides a security audit method, device, system, electronic device and readable storage medium to solve the problem in the related art that security audit efficiency cannot be effectively improved.
In a first aspect, the present embodiment provides a security audit method, including:
acquiring a security audit policy, and acquiring a target audit template based on the security audit policy;
acquiring a data acquisition mode based on the target audit template; and
acquiring security event audit data based on the data acquisition mode, and inputting the security event audit data into the target audit template to obtain a security audit report, wherein the security event audit data comprises audit data corresponding to a plurality of security events.
In some embodiments, acquiring the data acquisition mode based on the target audit template includes:
determining an audit task type based on the target audit template, and acquiring a data query statement from the target audit template; and
determining an audit trigger condition based on the audit task type, and obtaining the data acquisition mode based on the data query statement and the audit trigger condition.
In some embodiments, determining the audit trigger condition based on the audit task type includes:
if the audit task type is a timed audit task, determining that the audit trigger condition is that a preset time interval has elapsed; and
if the audit task type is a conditional audit task, determining that the audit trigger condition is a preset matching condition.
In some embodiments, the audit task type is a timed audit task, and acquiring the security event audit data based on the data acquisition mode includes:
acquiring the completion time of the last task and the current time, and obtaining the target time interval between the completion time of the last task and the current time;
determining whether the target time interval is greater than or equal to the preset time interval; and
if the target time interval is greater than or equal to the preset time interval, acquiring, based on the data query statement, the security event audit data for the period between the completion time of the last task and the current time.
In some embodiments, the audit task type is a conditional audit task, and acquiring the security event audit data based on the data acquisition mode includes:
determining whether each audit task satisfies the preset matching condition, and starting each audit task that satisfies the preset matching condition; and
for each started audit task, acquiring the security event audit data corresponding to that audit task based on the data query statement.
In some embodiments, the security event audit data includes event processing detail data and event statistics data, and inputting the security event audit data into the target audit template to obtain the security audit report includes:
generating a security event processing detail list based on the event processing detail data;
generating a security event statistics chart based on the event statistics data; and
inputting the security event processing detail list and the security event statistics chart into the target audit template to obtain the security audit report.
In some embodiments, after inputting the security event processing detail list and the security event statistics chart into the target audit template to obtain the security audit report, the method further includes:
obtaining items to be checked, wherein the items to be checked comprise audit data corresponding to security events that cannot be reported automatically; and
inputting the items to be checked into the security audit report to update the security audit report.
In some embodiments, after inputting the items to be checked into the security audit report to update the security audit report, the method further includes:
creating a security audit flow sheet based on an approval tool;
adding the updated security audit report to the security audit flow sheet as an attachment; and
initiating an audit flow based on the security audit flow sheet with the attachment added, so that the auditor performs a security audit of the plurality of security events based on the security audit flow sheet.
In a second aspect, the present embodiment provides a security audit device, comprising:
an audit template acquisition module, configured to acquire a security audit policy and acquire a target audit template based on the security audit policy;
an acquisition mode determination module, configured to acquire a data acquisition mode based on the target audit template; and
an audit report generation module, configured to acquire security event audit data based on the data acquisition mode and input the security event audit data into the target audit template to obtain a security audit report, wherein the security event audit data comprises audit data corresponding to a plurality of security events.
In a third aspect, in this embodiment, there is provided an electronic device including a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the security audit method of the first aspect described above when executing the computer program.
In a fourth aspect, in this embodiment, there is provided a storage medium having stored thereon a computer program which, when executed by a processor, implements the security audit method of the first aspect described above.
Compared with the related art, the security audit method provided in this embodiment acquires a security audit policy and a target audit template based on that policy, acquires a data acquisition mode based on the target audit template, acquires security event audit data based on the data acquisition mode, and inputs the security event audit data into the target audit template to obtain a security audit report, wherein the security event audit data comprises audit data corresponding to a plurality of security events. Because an audit template is configured and the multiple reported security events are classified and summarized according to it, the security audit report is generated automatically, which solves the problem in the related art that security audit efficiency cannot be effectively improved.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the other features, objects, and advantages of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a block diagram of a hardware architecture of a terminal of a security audit method according to an embodiment of the present application;
FIG. 2 is a flow chart of a security audit method according to an embodiment of the present application;
FIG. 3 is a flowchart of a method for acquiring data based on a target audit template in an embodiment of the present application;
FIG. 4 is a flow chart of determining audit trigger conditions based on audit task types in an embodiment of the present application;
FIG. 5 is a flowchart of a method for obtaining security event audit data based on a data obtaining method according to an embodiment of the present application;
FIG. 6 is a second flowchart of acquiring security event audit data based on a data acquisition method according to an embodiment of the present application;
FIG. 7 is a flowchart of a security audit report acquisition in an embodiment of the present application;
FIG. 8 is a flow chart of a security audit method according to a second embodiment of the present application;
FIG. 9 is a flow chart of a security audit method according to a third embodiment of the present application;
FIG. 10 is a block diagram of a security audit device according to an embodiment of the present application.
Detailed Description
The present application will be described and illustrated with reference to the accompanying drawings and examples for a clearer understanding of the objects, technical solutions and advantages of the present application.
Unless defined otherwise, technical or scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terms "a," "an," "the," "these" and similar terms in this application are not intended to be limiting in number, but may be singular or plural. The terms "comprising," "including," "having," and any variations thereof, as used herein, are intended to encompass non-exclusive inclusion; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (units) is not limited to the listed steps or modules (units), but may include other steps or modules (units) not listed or inherent to such process, method, article, or apparatus. The terms "connected," "coupled," and the like in this disclosure are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as used herein means two or more. "And/or" describes an association between associated objects and covers three cases; for example, "A and/or B" may mean: A exists alone, A and B exist together, or B exists alone. Typically, the character "/" indicates that the associated objects are in an "or" relationship. The terms "first," "second," "third," and the like, as used in this disclosure, merely distinguish similar objects and do not imply a particular ordering.
The method embodiments provided in the present embodiment may be executed in a terminal, a computer, or similar computing device. For example, the method runs on a terminal, and fig. 1 is a hardware structure block diagram of the terminal of the security audit method according to an embodiment of the present application. As shown in fig. 1, the terminal may include one or more (only one is shown in fig. 1) processors 102 and a memory 104 for storing data, wherein the processors 102 may include, but are not limited to, a microprocessor MCU, a programmable logic device FPGA, or the like. The terminal may also include a transmission device 106 for communication functions and an input-output device 108. It will be appreciated by those skilled in the art that the structure shown in fig. 1 is merely illustrative and is not intended to limit the structure of the terminal. For example, the terminal may also include more or fewer components than shown in fig. 1, or have a different configuration than shown in fig. 1.
The memory 104 may be used to store a computer program, for example, a software program of application software and a module, such as a computer program corresponding to a security audit method in the present embodiment, and the processor 102 executes the computer program stored in the memory 104, thereby performing various functional applications and data processing, that is, implementing the above-described method. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory remotely located relative to the processor 102, which may be connected to the terminal via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. The network includes a wireless network provided by a communication provider of the terminal. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, simply referred to as a NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is configured to communicate with the internet wirelessly.
This embodiment provides a security audit method. FIG. 2 is a flowchart of the security audit method according to an embodiment of the present application; as shown in FIG. 2, the method includes the following steps.
Step S210: acquire a security audit policy, and acquire a target audit template based on the security audit policy.
The target audit template is the audit template associated with the security audit policy.
The auditor formulates the security audit policy from the audit plan configuration information provided by the audit system, determines the target audit template according to the audit task type corresponding to the security audit policy, and associates the target audit template with the security audit policy.
Step S220: acquire a data acquisition mode based on the target audit template.
Step S230: acquire security event audit data based on the data acquisition mode, and input it into the target audit template to obtain a security audit report, wherein the security event audit data comprises audit data corresponding to a plurality of security events.
The data acquisition mode provides both a data query function and a classification and summarization function, so that a plurality of security events can be classified and summarized. The security event audit data is the audit data corresponding to the classified and aggregated security events.
Through steps S210 to S230, a security audit policy is acquired and a target audit template is acquired based on it; a data acquisition mode is acquired based on the target audit template; and security event audit data is acquired based on the data acquisition mode and input into the target audit template to obtain a security audit report, wherein the security event audit data comprises audit data corresponding to a plurality of security events. Because audit templates are configured and the multiple reported security events are classified and summarized according to them, the security audit report is generated automatically. This avoids the low audit efficiency caused by auditors having to close and confirm a large number of reported security events one by one, and so solves the problem in the related art that security audit efficiency cannot be effectively improved.
In some embodiments, FIG. 3 is a flowchart of a method for acquiring data based on a target audit template according to an embodiment of the present application; as shown in FIG. 3, the flow includes the following steps:
Step S310: determine the audit task type based on the target audit template, and acquire a data query statement from the target audit template.
The audit template type includes at least one of a timed audit template and a conditional audit template.
Step S320: determine an audit trigger condition based on the audit task type, and obtain a data acquisition mode based on the data query statement and the audit trigger condition.
The audit trigger condition includes at least one of a timed trigger condition and a match trigger condition. The data acquisition mode comprises the data query statement and the audit trigger condition.
Through steps S310 to S320, the audit task type is determined from the target audit template, a data query statement is acquired from the template, an audit trigger condition is determined from the audit task type, and the data acquisition mode is obtained from the data query statement and the audit trigger condition. Because the audit trigger condition is derived from the audit task type, different trigger conditions can be set for different task types, which makes the triggering of audit tasks more accurate and improves the effectiveness of the security audit.
In some embodiments, FIG. 4 is a flowchart of determining an audit trigger condition based on the audit task type according to an embodiment of the present application; as shown in FIG. 4, the flow includes the following steps:
Step S410: if the audit task type is a timed audit task, determine that the audit trigger condition is that a preset time interval has elapsed.
The preset time interval may be fixed or may vary from moment to moment, and the interval applying at a given moment is obtained by parsing a time interval expression. The time interval expression may be a Cron expression or another form of time interval expression; the present application does not limit this. Cron is a scheduled-execution tool on Linux that runs jobs without manual intervention.
Step S420: if the audit task type is a conditional audit task, determine that the audit trigger condition is a preset matching condition.
In some embodiments the audit task type is a timed audit task. FIG. 5 is a flowchart of acquiring security event audit data based on the data acquisition mode according to an embodiment of the present application; as shown in FIG. 5, the flow includes the following steps.
Step S510: obtain the completion time of the last task and the current time, and obtain the target time interval between the last task completion time and the current time.
Step S520: determine whether the target time interval is greater than or equal to the preset time interval.
Step S530: if the target time interval is greater than or equal to the preset time interval, acquire, based on the data query statement, the security event audit data for the period between the last task completion time and the current time.
Through steps S510 to S530, the last task completion time and the current time are obtained, the target time interval between them is computed and compared with the preset time interval, and, once the target time interval is greater than or equal to the preset time interval, the security event audit data for the period between the last task completion time and the current time is acquired with the data query statement. Because timed tasks are configured, the system initiates timed audit tasks automatically and auditors no longer have to start them at fixed times, which reduces the auditors' workload and further improves audit efficiency.
In some embodiments the audit task type is a conditional audit task. FIG. 6 is a second flowchart of acquiring security event audit data based on the data acquisition mode according to an embodiment of the present application; as shown in FIG. 6, the flow includes the following steps.
Step S610: determine whether each audit task satisfies the preset matching condition, and start each audit task that does.
More specifically, for each audit task the event field data of the security events under that task is obtained and checked against the preset matching condition; if the event field data matches, the audit task is started.
Step S620: for each started audit task, acquire the security event audit data corresponding to that task based on the data query statement.
Specifically, for each started audit task, the audit data of the security events under that task is retrieved from memory or a storage medium using the data query statement, yielding the security event audit data.
Through steps S610 to S620, each audit task is checked against the preset matching condition, the tasks that satisfy it are started, and the security event audit data of each started task is acquired with the data query statement. Because the audit flow is initiated only for the audit tasks that satisfy the configured matching condition, it is initiated in a targeted way; this avoids the long audit times, heavy audit load and low efficiency that result from initiating the audit flow for every audit task, and further improves audit efficiency.
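The trigger logic of the timed flow (steps S510 to S530) and the conditional flow (steps S610 to S620), as an added example that is not part of the patent; the event schema, the in-memory list standing in for the storage medium, and the modelling of the data query statement as a predicate (instead of a JQL or Elasticsearch query string) are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional


@dataclass
class SecurityEvent:
    """A reported security event as the audit task sees it (constructed schema)."""
    event_id: str
    created: datetime
    status: str                                           # e.g. "open" or "closed"
    fields: Dict[str, str] = field(default_factory=dict)  # event field data (S610)


# The data query statement is modelled as a predicate over events; the patent
# uses a query string whose dialect depends on the storage medium (assumption).
QueryStatement = Callable[[SecurityEvent], bool]


@dataclass
class AuditTemplate:
    template_id: str
    task_type: str                                    # "timed" or "conditional"
    query: QueryStatement
    interval: Optional[timedelta] = None              # timed task: preset interval
    match_condition: Optional[Dict[str, str]] = None  # conditional task: field == value


@dataclass
class DataAcquisitionMode:
    """S320: a data query statement paired with an audit trigger condition."""
    query: QueryStatement
    trigger: str          # "interval_elapsed" (S410) or "field_match" (S420)


def acquisition_mode(tpl: AuditTemplate) -> DataAcquisitionMode:
    """S310-S320 / S410-S420: derive the trigger from the audit task type."""
    if tpl.task_type == "timed":
        if tpl.interval is None or tpl.interval <= timedelta(0):
            raise ValueError("timed audit template needs a positive preset interval")
        return DataAcquisitionMode(tpl.query, "interval_elapsed")
    if tpl.task_type == "conditional":
        if not tpl.match_condition:
            raise ValueError("conditional audit template needs a match condition")
        return DataAcquisitionMode(tpl.query, "field_match")
    raise ValueError(f"unknown audit task type {tpl.task_type!r}")


def timed_audit_data(tpl: AuditTemplate, mode: DataAcquisitionMode,
                     store: List[SecurityEvent], last_done: datetime,
                     now: datetime) -> Optional[List[SecurityEvent]]:
    """S510-S530: None while now - last_done is below the preset interval;
    otherwise the query applied to events created in (last_done, now]."""
    if mode.trigger != "interval_elapsed":
        raise ValueError("data acquisition mode is not a timed trigger")
    if now - last_done < tpl.interval:            # S520: interval not yet reached
        return None
    return [e for e in store if last_done < e.created <= now and mode.query(e)]


def conditional_audit_data(tpl: AuditTemplate, mode: DataAcquisitionMode,
                           store: List[SecurityEvent]) -> Optional[List[SecurityEvent]]:
    """S610-S620: start the task only if some event's field data satisfies the
    preset matching condition, then run the query for that task."""
    if mode.trigger != "field_match":
        raise ValueError("data acquisition mode is not a match trigger")
    cond = tpl.match_condition
    matched = any(all(e.fields.get(k) == v for k, v in cond.items()) for e in store)
    if not matched:                               # S610: task is not started
        return None
    return [e for e in store if mode.query(e)]    # S620


# Constructed sample events (not real data); T0 is the last task completion time.
T0 = datetime(2024, 1, 1)
EVENTS = [
    SecurityEvent("EV-1", T0 + timedelta(hours=1), "closed", {"source": "waf"}),
    SecurityEvent("EV-2", T0 + timedelta(hours=5), "open", {"source": "edr"}),
    SecurityEvent("EV-3", T0 + timedelta(hours=30), "closed",
                  {"source": "waf", "asset": "db-01"}),
]
DAILY_CLOSED = AuditTemplate("tpl-daily", "timed", query=lambda e: e.status == "closed",
                             interval=timedelta(days=1))
DB_ASSET = AuditTemplate("tpl-db", "conditional",
                         query=lambda e: e.fields.get("asset") == "db-01",
                         match_condition={"asset": "db-01"})


def run_timed(hours_since_last: int) -> Optional[List[str]]:
    """Timed task with 'now' the given number of hours after the last completion."""
    now = T0 + timedelta(hours=hours_since_last)
    data = timed_audit_data(DAILY_CLOSED, acquisition_mode(DAILY_CLOSED), EVENTS, T0, now)
    return None if data is None else [e.event_id for e in data]


def run_conditional(include_db_event: bool = True) -> Optional[List[str]]:
    """Conditional task over the full store or over a store without EV-3."""
    store = EVENTS if include_db_event else EVENTS[:2]
    data = conditional_audit_data(DB_ASSET, acquisition_mode(DB_ASSET), store)
    return None if data is None else [e.event_id for e in data]


if __name__ == "__main__":
    print(run_timed(12), run_timed(24), run_timed(48))   # None ['EV-1'] ['EV-1', 'EV-3']
    print(run_conditional(), run_conditional(False))     # ['EV-3'] None
```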
In some embodiments the security event audit data includes event processing detail data and event statistics data. FIG. 7 is a flowchart of obtaining a security audit report according to an embodiment of the present application; as shown in FIG. 7, the process includes the following steps.
Step S710: generate a security event processing detail list based on the event processing detail data.
The event processing detail data comprises the current handling status of each of the plurality of security events.
By generating the security event processing detail list from the event processing detail data, the current handling status of every security event is checked and confirmed, so that no security event is missed, which further improves the audit effect.
Step S720: generate a security event statistics chart based on the event statistics data.
By generating the security event statistics chart from the event statistics data, the overall picture of all security events is presented more intuitively, which makes evaluation and auditing easier for the auditor and further improves both the audit effect and audit efficiency.
Step S730: input the security event processing detail list and the security event statistics chart into the target audit template to obtain the security audit report.
The target audit template includes an event processing detail area and an event statistics area. Specifically, the security event processing detail list is placed in the event processing detail area and the security event statistics chart in the event statistics area, which yields the security audit report.
Through steps S710 to S730, a security event processing detail list is generated from the event processing detail data, a security event statistics chart is generated from the event statistics data, and both are input into the target audit template to obtain the security audit report. Presenting the security event audit data to auditors in the comparatively visual and clear form of a list and a chart reduces their workload while ensuring that the event problems have been remediated, and so improves audit efficiency. In addition, the auditor can customize the report template flexibly according to actual audit requirements, which further improves the audit effect.
In some embodiments the data query statement includes at least one of a conditional query statement and a statistical query statement. The conditional query statement retrieves event processing detail data from the storage medium, and the statistical query statement retrieves event statistics data from the storage medium. The storage medium may be JIRA, MySQL or MongoDB; this embodiment does not limit the type of storage medium.
Further, the types of the conditional query statement and the statistical query statement are determined by the type of storage medium. The statistical query statement may be an aggregation query statement or another kind of statistical query statement; this embodiment does not limit it. For example, when the storage medium is JIRA, the conditional query statement is a JQL query; when the storage medium is Elasticsearch, the statistical query statement is an ES bucket aggregation query.
JIRA is a project and issue tracking tool widely used for defect tracking, customer service, requirements collection, process approval, task tracking, project tracking and agile management.
Elasticsearch is a distributed, highly scalable, near-real-time search and data analysis engine that makes large volumes of data easy to search, analyse and explore; its horizontal scalability lets data become more valuable in a production environment. Its working principle is roughly as follows: the user submits data to the Elasticsearch database; a tokenizer segments the corresponding text, and the tokens together with their weights are stored alongside the data; when the user searches, the results are scored and ranked by weight and the ranked results are returned to the user.
In some of these embodiments, after step S230, the method further comprises step S240: obtaining a to-be-checked item, wherein the to-be-checked item comprises audit data corresponding to a security event which cannot be automatically reported; and inputting the to-be-checked items into the security audit report to update the security audit report.
It should be noted that, for the security event that can not be reported automatically, the auditor can input to the inspection item to be checked through text description, so as to confirm one by one when the audit process is initiated, and prevent omission.
In some of these embodiments, after step S240, the method further comprises step S250: creating a security audit flow sheet based on the approval tool; adding the updated security audit report as an accessory to a security audit flow sheet; and initiating an audit flow based on the security audit flow list after the accessory is added, so that an auditor carries out security audit on a plurality of security events based on the security audit flow list.
Further, a preset warehousing field is obtained, warehousing audit data is obtained from the security event audit data based on the preset warehousing field, and the warehousing audit data is stored in a memory. The preset warehouse entry fields include, but are not limited to, creation time, audit template ID, and audit policy ID.
The present embodiment is further described below by way of three specific embodiments. The security audit method provided by the first embodiment of the present application comprises the following steps.
Step 1: obtain a security audit policy, and obtain a target audit template on the basis of the policy; determine the audit task type from the target audit template and obtain the data query statement from it. Determine the audit trigger condition from the audit task type: if the audit task type is a timed audit task, the trigger condition is that a preset time interval has elapsed; if it is a conditional audit task, the trigger condition is a preset matching condition. Obtain the data acquisition mode from the data query statement and the audit trigger condition.
Step 2: obtain security event audit data according to the data acquisition mode. Specifically, when the audit task type is a timed audit task, obtain the completion time of the last task and the current time, and compute the target time interval between them; judge whether the target time interval is greater than or equal to the preset time interval; if so, obtain, by means of the data query statement, the security event audit data for the period from the last task completion time to the current time. When the audit task type is a conditional audit task, judge whether each audit task satisfies the preset matching condition and start the audit tasks that do; for each started audit task, obtain the corresponding security event audit data by means of the data query statement. The security event audit data comprises audit data corresponding to a plurality of security events.
Step 3: the security event audit data comprises event processing detail data and event statistics data. Generate a security event processing detail list from the event processing detail data; generate a security event statistics chart from the event statistics data; and enter the detail list and the statistics chart into the target audit template to obtain the security audit report.
Step 4: obtain check items, where a check item comprises audit data corresponding to a security event that cannot be reported automatically; and enter the check items into the security audit report to update it.
Step 5: create a security audit flow sheet with the approval tool; add the updated security audit report to the flow sheet as an attachment; and initiate the audit flow from the flow sheet with the attachment added, so that an auditor performs the security audit of the plurality of security events on the basis of the security audit report in the flow sheet.
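The following Python sketch is an added example written for this page, not code from the patent. It implements the data acquisition mode of steps 1 and 2 together with the query statements described earlier: the trigger condition derived from the audit task type, the target-interval check for a timed task, the JQL conditional query and the Elasticsearch bucket aggregation query built for the resulting window, and the preset matching condition applied to reported events for a conditional task. The template layout (a JQL string with `{start}`/`{end}` or `{keys}` placeholders, a bucket field), the `@timestamp` and `issue_key` field names, and the event records are assumptions.

```python
"""Data-acquisition mode of a template-driven security audit task.

Added illustration, not the patent's code. The template layout (JQL with
{start}/{end} or {keys} placeholders, a bucket field), the event records
and the Elasticsearch field names are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class AuditTemplate:
    template_id: str
    task_type: str                  # "timed" or "conditional"
    jql_template: str               # conditional query statement with placeholders
    bucket_field: str               # field the bucket aggregation groups by
    preset_interval: timedelta = timedelta(days=1)
    match_condition: dict = field(default_factory=dict)


def trigger_condition(tpl: AuditTemplate):
    """The audit trigger condition follows from the audit task type."""
    if tpl.task_type == "timed":
        return "interval", tpl.preset_interval
    if tpl.task_type == "conditional":
        return "match", tpl.match_condition
    raise ValueError(f"unknown audit task type: {tpl.task_type!r}")


def timed_window(last_done: datetime, now: datetime, preset: timedelta):
    """Half-open window [last_done, now) once the target interval reaches
    the preset interval; None means the task does not start this round."""
    return (last_done, now) if now - last_done >= preset else None


def _jql_datetime(t: datetime) -> str:
    # Quoted "yyyy-MM-dd HH:mm" literal; the code formats the boundary itself,
    # so no caller-supplied text is spliced into the query.
    return t.astimezone(timezone.utc).strftime('"%Y-%m-%d %H:%M"')


def build_jql(tpl: AuditTemplate, start: datetime, end: datetime) -> str:
    """Conditional query statement: processing details for events in the window."""
    return tpl.jql_template.format(start=_jql_datetime(start), end=_jql_datetime(end))


def build_event_jql(tpl: AuditTemplate, keys) -> str:
    """Conditional query statement for specific reported events; only
    well-formed issue keys (letters, digits, '-') are accepted."""
    safe = [k for k in keys if k.replace("-", "").isalnum()]
    return tpl.jql_template.format(keys=", ".join(safe))


def es_window_clause(start: datetime, end: datetime) -> dict:
    return {"range": {"@timestamp": {"gte": start.isoformat(), "lt": end.isoformat()}}}


def es_keys_clause(keys) -> dict:
    return {"terms": {"issue_key": list(keys)}}


def build_es_bucket_query(tpl: AuditTemplate, query_clause: dict) -> dict:
    """Statistical query statement: a terms (bucket) aggregation over the
    matching documents; size 0 because only the buckets are wanted."""
    return {"size": 0, "query": query_clause,
            "aggs": {"by_" + tpl.bucket_field: {"terms": {"field": tpl.bucket_field}}}}


def matches(event: dict, cond: dict) -> bool:
    """Preset matching condition: every key must equal the wanted value, or be
    one of the wanted values when a list is given."""
    for key, want in cond.items():
        have = event.get(key)
        if isinstance(want, (list, tuple, set)):
            if have not in want:
                return False
        elif have != want:
            return False
    return True


def acquisition_mode(tpl: AuditTemplate, *, last_done=None, now=None, reported=()):
    """Combine the query statements with the trigger condition into one plan:
    whether the task starts now and, if so, which queries to run."""
    kind, param = trigger_condition(tpl)
    if kind == "interval":
        window = timed_window(last_done, now, param)
        if window is None:
            return {"started": False, "reason": "preset interval not reached"}
        start, end = window
        return {"started": True, "jql": build_jql(tpl, start, end),
                "es": build_es_bucket_query(tpl, es_window_clause(start, end))}
    started = [e for e in reported if matches(e, param)]
    if not started:
        return {"started": False, "reason": "no reported event matches"}
    keys = [e["key"] for e in started]
    return {"started": True, "events": started, "jql": build_event_jql(tpl, keys),
            "es": build_es_bucket_query(tpl, es_keys_clause(keys))}
```

Two details matter in practice. The window is half-open, so consecutive timed runs neither overlap nor leave a gap, and the boundary literals are formatted by the code rather than taken from the template or the events. For the conditional path only validated issue keys are spliced into the JQL, so a malformed value in a reported event cannot change the query text.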
Fig. 8 is a flow chart of the security audit method according to the second embodiment of the present application. As shown in Fig. 8, the security audit method comprises the following steps:
Step (1): when the audit task type is a timed audit task, the timed task platform creates a timed audit task; the automatic audit system obtains the security audit policy and, from it, the target audit template; the JQL query statement, the Elasticsearch bucket aggregation query statement and the preset time interval are obtained from the target audit template.
Step (2): the automatic audit system queries the completion time of the last task, obtains the current time, and computes the target time interval between them; it judges whether the target time interval is greater than or equal to the preset time interval; if so, it obtains the event processing detail data for the period from the last task completion time to the current time from the JIRA storage medium using the JQL query statement, and the event statistics data for the same period from the Elasticsearch storage medium using the bucket aggregation query statement.
Step (3): generate a security event processing detail list from the event processing detail data; generate a security event statistics chart from the event statistics data; and enter the detail list and the statistics chart into the target audit template to obtain the security audit report.
Step (4): obtain the preset warehousing fields, extract the warehousing audit data from the security event audit data according to those fields, and write the warehousing audit data to storage.
Step (5): create a security audit flow sheet with the approval tool; add the updated security audit report to the flow sheet as an attachment; and initiate the audit flow from the flow sheet with the attachment added, so that an auditor performs the security audit of the plurality of security events on the basis of the flow sheet.
Fig. 9 is a flow chart of the security audit method according to the third embodiment of the present application. As shown in Fig. 9, the security audit method comprises the following steps:
Steps (1) and (2): when the audit task type is a conditional audit task, a third-party system reports security events to the automatic audit system, which matches each reported security event against the preset matching condition. For each security event that satisfies the preset matching condition, the event processing detail data is obtained from the JIRA storage medium using the JQL query statement, and the event statistics data is obtained from the Elasticsearch storage medium using the bucket aggregation query statement.
Step (3): generate a security event processing detail list from the event processing detail data; generate a security event statistics chart from the event statistics data; and enter the detail list and the statistics chart into the target audit template to obtain the security audit report.
Step (4): obtain the preset warehousing fields, extract the warehousing audit data from the security event audit data according to those fields, and write the warehousing audit data to storage.
Step (5): create a security audit flow sheet with the approval tool; add the updated security audit report to the flow sheet as an attachment; and initiate the audit flow from the flow sheet with the attachment added, so that an auditor performs the security audit of the plurality of security events on the basis of the flow sheet.
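The following Python example is added for this page and is not the patent's code. It covers the steps shared by the three embodiments after the data has been acquired: building the security event processing detail list and the statistics chart from constructed JIRA and Elasticsearch results, entering them and the auditor's check items into a target audit template, projecting the audit data onto the preset warehousing fields, and producing a flow sheet for the approval tool with the report attached. The issue record layout, the aggregation response shape, the template placeholders and the flow-sheet structure are assumptions; the SHA-256 digest on the attachment is a design choice made here, not something the patent specifies.

```python
"""Report assembly, check items, warehousing and flow-sheet hand-off.

Added illustration, not the patent's code. The issue records, the
Elasticsearch aggregation response, the template placeholders, the check
items and the flow-sheet layout are constructed assumptions; a real
approval tool would receive the flow sheet through its own API.
"""
import hashlib
from datetime import datetime, timezone

# Constructed sample of event processing detail data (what a JQL query returns).
SAMPLE_ISSUES = [
    {"key": "SEC-101", "summary": "Phishing mail reported", "severity": "high",
     "status": "Closed", "assignee": "alice"},
    {"key": "SEC-102", "summary": "Brute force against VPN", "severity": "critical",
     "status": "In Progress", "assignee": "bob"},
]

# Constructed sample of event statistics data (an Elasticsearch terms-bucket response).
SAMPLE_ES_RESPONSE = {"aggregations": {"by_severity": {"buckets": [
    {"key": "high", "doc_count": 7},
    {"key": "critical", "doc_count": 2},
    {"key": "low", "doc_count": 15},
]}}}

# Constructed target audit template; the placeholders are filled by render_report().
SAMPLE_TEMPLATE = (
    "Security audit report {template_id} / policy {policy_id}\n"
    "== Event processing details ==\n{detail_list}\n"
    "== Event statistics ==\n{statistics_chart}\n"
    "== Check items (confirm one by one) ==\n{check_items}\n"
)

DETAIL_COLUMNS = ("key", "summary", "severity", "status", "assignee")
WAREHOUSE_FIELDS = ("created_at", "template_id", "policy_id")   # preset warehousing fields


def detail_list(issues, columns=DETAIL_COLUMNS):
    """Security event processing detail list: one fixed-order row per event."""
    return [tuple(str(i.get(c, "")) for c in columns) for i in issues]


def statistics_chart(es_response, agg_name, width=40):
    """Security event statistics chart from bucket counts: rows of
    (bucket key, count, text bar scaled to the largest bucket)."""
    buckets = es_response["aggregations"][agg_name]["buckets"]
    peak = max((b["doc_count"] for b in buckets), default=1)
    return [(b["key"], b["doc_count"], "#" * round(width * b["doc_count"] / peak))
            for b in buckets]


def check_items(descriptions):
    """Check items for events that could not be reported automatically:
    numbered text entries the auditor ticks off one by one."""
    cleaned = [d.strip() for d in descriptions if d.strip()]
    return [f"[ ] {n}. {d}" for n, d in enumerate(cleaned, 1)]


def render_report(template, meta, rows, chart, items=()):
    """Enter the detail list, the statistics chart and the check items into
    the target audit template to obtain the security audit report."""
    return template.format(
        template_id=meta["template_id"], policy_id=meta["policy_id"],
        detail_list="\n".join(" | ".join(r) for r in rows) or "(none)",
        statistics_chart="\n".join(f"{k:<10}{n:>5} {bar}" for k, n, bar in chart),
        check_items="\n".join(items) or "(none)",
    )


def warehouse_record(meta, fields=WAREHOUSE_FIELDS):
    """Project the audit data onto the preset warehousing fields before storage."""
    return {f: meta[f] for f in fields}


def flow_sheet(report_text, meta, auditor):
    """Security audit flow sheet for the approval tool with the report attached.
    The digest lets the auditor check that the attachment reviewed is the one
    the system generated (an addition of this example, not of the patent)."""
    body = report_text.encode("utf-8")
    return {
        "title": f"Security audit {meta['template_id']} {meta['created_at']}",
        "assignee": auditor,
        "attachments": [{"name": "security_audit_report.txt",
                         "sha256": hashlib.sha256(body).hexdigest(),
                         "size": len(body)}],
        "state": "initiated",
    }


if __name__ == "__main__":
    meta = {"created_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "template_id": "tpl-weekly", "policy_id": "pol-sec-01"}
    rows = detail_list(SAMPLE_ISSUES)
    chart = statistics_chart(SAMPLE_ES_RESPONSE, "by_severity")
    items = check_items(["Lost laptop reported by phone on 2021-06-28 (no ticket)"])
    report = render_report(SAMPLE_TEMPLATE, meta, rows, chart, items)
    print(report)
    print(flow_sheet(report, meta, "auditor.li"))
    print(warehouse_record(meta))
```

`warehouse_record` deliberately keeps only the preset fields, so fields that arrive with the audit data but are not on the list (free-text descriptions, for instance) are not persisted by accident.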
According to the security audit method provided by the application, a security audit policy is configured, the audit flow is initiated according to the target audit template bound to it, and the auditor intervenes only at the review stage, so that closed-loop auditing of a plurality of security events is achieved while the efficiency of the security audit is improved.
It should be noted that the steps illustrated in the above flows or in the flow charts of the figures may be performed in a computer system, for example as a set of computer-executable instructions, and that, although a logical order is shown in the flow charts, in some cases the steps shown or described may be performed in an order other than the one given here. For example, referring to Fig. 4, the execution order of steps S410 and S420 may be interchanged: S410 may be executed first and then S420, or S420 first and then S410.
This embodiment also provides a security audit device, which implements the above embodiments and their preferred implementations; what has already been described is not repeated. The terms "module", "unit", "subunit" and the like as used below may refer to a combination of software and/or hardware that performs a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, implementations in hardware, or in a combination of software and hardware, are also possible and contemplated.
Fig. 10 is a block diagram of a security audit device according to an embodiment of the present application. As shown in Fig. 10, the security audit device comprises the following modules.
The audit template acquisition module 1010 is configured to obtain a security audit policy and to obtain a target audit template on the basis of the security audit policy.
The acquisition mode determining module 1020 is configured to obtain a data acquisition mode on the basis of the target audit template.
The audit report generation module 1030 is configured to obtain security event audit data according to the data acquisition mode and to enter the security event audit data into the target audit template to obtain a security audit report, where the security event audit data comprises audit data corresponding to a plurality of security events.
In some embodiments, the acquisition mode determining module 1020 comprises a query statement acquisition unit and an acquisition mode determining unit:
the query statement acquisition unit is configured to determine the audit task type on the basis of the target audit template and to obtain the data query statement from the target audit template;
the acquisition mode determining unit is configured to determine the audit trigger condition on the basis of the audit task type and to obtain the data acquisition mode from the data query statement and the audit trigger condition.
In some of these embodiments, the acquisition mode determining unit comprises a first determining unit and a second determining unit:
the first determining unit is configured to determine that the audit trigger condition is that a preset time interval has been reached if the audit task type is a timed audit task;
the second determining unit is configured to determine that the audit trigger condition is a preset matching condition if the audit task type is a conditional audit task.
In some embodiments, the audit task type is a timed audit task, and the audit report generation module 1030 comprises an audit data acquisition unit, which in turn comprises a time acquisition subunit, a time judging subunit, and a data acquisition subunit:
the time acquisition subunit is configured to obtain the last task completion time and the current time, and to obtain the target time interval between them;
the time judging subunit is configured to judge whether the target time interval is greater than or equal to the preset time interval;
the data acquisition subunit is configured to obtain, on the basis of the data query statement, the security event audit data for the period from the last task completion time to the current time if the target time interval is greater than or equal to the preset time interval.
In some embodiments, the audit task type is a conditional audit task, and the audit data acquisition unit comprises a task matching subunit and a data query subunit:
the task matching subunit is configured to judge whether each audit task satisfies the preset matching condition and to start the audit tasks that do;
the data query subunit is configured to obtain, for each started audit task, the corresponding security event audit data on the basis of the data query statement.
In some of these embodiments, the security event audit data comprises event processing detail data and event statistics data, and the audit report generation module 1030 further comprises an audit report acquisition unit, which comprises a list generation subunit, a chart generation subunit, and a chart input subunit:
the list generation subunit is configured to generate a security event processing detail list from the event processing detail data;
the chart generation subunit is configured to generate a security event statistics chart from the event statistics data;
the chart input subunit is configured to enter the security event processing detail list and the security event statistics chart into the target audit template to obtain the security audit report.
In some embodiments, the security audit device further comprises an audit report updating module, which comprises a check item acquisition unit and a check item input unit:
the check item acquisition unit is configured to obtain check items, where a check item comprises audit data corresponding to a security event that cannot be reported automatically;
the check item input unit is configured to enter the check items into the security audit report to update it.
In some embodiments, the security audit device further comprises an audit flow initiating module, which comprises a flow creation unit, an attachment adding unit, and a flow initiating unit:
the flow creation unit is configured to create a security audit flow sheet with the approval tool;
the attachment adding unit is configured to add the updated security audit report to the security audit flow sheet as an attachment;
the flow initiating unit is configured to initiate the audit flow from the security audit flow sheet with the attachment added, so that an auditor performs the security audit of the plurality of security events on the basis of the flow sheet.
The above modules may be functional modules or program modules and may be implemented in software or hardware. For modules implemented in hardware, the modules may be located in the same processor or distributed over different processors in any combination.
This embodiment also provides an electronic device comprising a memory in which a computer program is stored and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
Optionally, the electronic device may further comprise a transmission device and an input/output device, both connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by means of the computer program:
S1: obtain a security audit policy, and obtain a target audit template on the basis of the security audit policy.
S2: obtain a data acquisition mode on the basis of the target audit template.
S3: obtain security event audit data according to the data acquisition mode, and enter the security event audit data into the target audit template to obtain a security audit report, where the security event audit data comprises audit data corresponding to a plurality of security events.
It should be noted that for specific examples in this embodiment reference may be made to the examples described in the foregoing embodiments and alternative implementations; they are not repeated here.
In addition, in combination with the security audit method provided in the above embodiments, a storage medium may also be provided in this embodiment. The storage medium has a computer program stored thereon; the computer program, when executed by a processor, implements any of the security audit methods of the above embodiments.
It should be understood that the specific embodiments described herein are merely illustrative of this application and are not intended to be limiting. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure in accordance with the embodiments provided herein.
It is to be understood that the drawings are merely illustrative of some embodiments of the present application and that it is possible for those skilled in the art to adapt the present application to other similar situations without the need for inventive work. In addition, it should be appreciated that while the development effort might be complex and lengthy, it would nevertheless be a routine undertaking of design, fabrication, or manufacture for those of ordinary skill having the benefit of this disclosure, and thus should not be construed as a departure from the disclosure.
The term "embodiment" in this disclosure means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive. It will be clear or implicitly understood by those of ordinary skill in the art that the embodiments described in the present application can be combined with other embodiments without conflict.
The foregoing examples illustrate only a few embodiments of the application, which are described in detail and are not to be construed as limiting the scope of the claims. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.
Claims (9)
1. A security audit method, comprising:
obtaining a security audit policy, and obtaining a target audit template on the basis of the security audit policy;
obtaining a data acquisition mode on the basis of the target audit template;
wherein the obtaining a data acquisition mode on the basis of the target audit template comprises:
determining an audit task type on the basis of the target audit template, and obtaining a data query statement from the target audit template;
determining an audit trigger condition on the basis of the audit task type, and obtaining the data acquisition mode on the basis of the data query statement and the audit trigger condition;
wherein the determining an audit trigger condition on the basis of the audit task type comprises:
if the audit task type is a timed audit task, determining that the audit trigger condition is that a preset time interval has been reached;
if the audit task type is a conditional audit task, determining that the audit trigger condition is a preset matching condition; and
obtaining security event audit data on the basis of the data acquisition mode, and entering the security event audit data into the target audit template to obtain a security audit report, wherein the security event audit data comprises audit data corresponding to a plurality of security events.
2. The method of claim 1, wherein the audit task type is a timed audit task, and the obtaining security event audit data on the basis of the data acquisition mode comprises:
obtaining the completion time of the last task and the current time, and obtaining a target time interval between the completion time of the last task and the current time;
judging whether the target time interval is greater than or equal to the preset time interval; and
if the target time interval is greater than or equal to the preset time interval, obtaining, on the basis of the data query statement, the security event audit data in the time period from the last task completion time to the current time.
3. The method of claim 1, wherein the audit task type is a conditional audit task, and the obtaining security event audit data on the basis of the data acquisition mode comprises:
judging whether each audit task satisfies the preset matching condition, and starting the audit task that satisfies the preset matching condition; and
for the started audit task, obtaining the security event audit data corresponding to the audit task on the basis of the data query statement.
4. The method of claim 1, wherein the security event audit data comprises event processing detail data and event statistics data, and the entering the security event audit data into the target audit template to obtain a security audit report comprises:
generating a security event processing detail list on the basis of the event processing detail data;
generating a security event statistics chart on the basis of the event statistics data; and
entering the security event processing detail list and the security event statistics chart into the target audit template to obtain the security audit report.
5. The method of claim 1, wherein after the entering the security event processing detail list and the security event statistics chart into the target audit template to obtain the security audit report, the method further comprises:
obtaining check items, wherein the check items comprise audit data corresponding to a security event that cannot be reported automatically; and
entering the check items into the security audit report to update the security audit report.
6. The method of claim 5, wherein after the entering the check items into the security audit report to update the security audit report, the method further comprises:
creating a security audit flow sheet on the basis of an approval tool;
adding the updated security audit report to the security audit flow sheet as an attachment; and
initiating an audit flow on the basis of the security audit flow sheet to which the attachment has been added, so that an auditor performs a security audit of the plurality of security events on the basis of the security audit flow sheet.
7. A security audit device, comprising:
an audit template acquisition module configured to obtain a security audit policy and to obtain a target audit template on the basis of the security audit policy;
an acquisition mode determining module configured to obtain a data acquisition mode on the basis of the target audit template,
the acquisition mode determining module being further configured to determine an audit task type on the basis of the target audit template and to obtain a data query statement from the target audit template,
and to determine an audit trigger condition on the basis of the audit task type and obtain the data acquisition mode on the basis of the data query statement and the audit trigger condition,
the acquisition mode determining module being further configured to determine that the audit trigger condition is that a preset time interval has been reached if the audit task type is a timed audit task,
and to determine that the audit trigger condition is a preset matching condition if the audit task type is a conditional audit task; and
an audit report generation module configured to obtain security event audit data on the basis of the data acquisition mode and to enter the security event audit data into the target audit template to obtain a security audit report, wherein the security event audit data comprises audit data corresponding to a plurality of security events.
8. An electronic device comprising a memory and a processor, wherein a computer program is stored in the memory and the processor is arranged to run the computer program to perform the security audit method according to any one of claims 1 to 6.
9. A computer-readable storage medium having a computer program stored thereon, characterized in that the computer program, when executed by a processor, implements the steps of the security audit method according to any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110732009.1A CN113505367B (en) | 2021-06-29 | 2021-06-29 | Security audit method, device, system, electronic device and readable storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110732009.1A CN113505367B (en) | 2021-06-29 | 2021-06-29 | Security audit method, device, system, electronic device and readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113505367A CN113505367A (en) | 2021-10-15 |
CN113505367B true CN113505367B (en) | 2024-05-28 |
Family
ID=78010975
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110732009.1A Active CN113505367B (en) | 2021-06-29 | 2021-06-29 | Security audit method, device, system, electronic device and readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113505367B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114462373B (en) * | 2022-02-09 | 2022-11-15 | 星环信息科技(上海)股份有限公司 | Audit rule determination method and device, electronic equipment and storage medium |
CN115659325B (en) * | 2022-09-28 | 2023-08-08 | 北京亚控科技发展有限公司 | Audit method, electronic device and storage medium |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1561035A (en) * | 2004-02-19 | 2005-01-05 | 上海复旦光华信息科技股份有限公司 | Universal safety audit strategies customing method based on mapping table |
CN101853289A (en) * | 2010-05-26 | 2010-10-06 | 杭州华三通信技术有限公司 | Database auditing method and equipment |
CN102592092A (en) * | 2012-01-09 | 2012-07-18 | 中标软件有限公司 | Strategy adaptation system and method based on SELinux (Security-Enhanced Linux) security subsystem |
CN103812682A (en) * | 2012-11-14 | 2014-05-21 | 深圳中兴网信科技有限公司 | Safety audit method and device |
CN104506351A (en) * | 2014-12-18 | 2015-04-08 | 北京随方信息技术有限公司 | Method and system for performing online full-automatic configuration of compliance safety audit |
CN105357170A (en) * | 2014-08-21 | 2016-02-24 | 中兴通讯股份有限公司 | Security service audit processing method and device |
CN109885554A (en) * | 2018-12-20 | 2019-06-14 | 顺丰科技有限公司 | Method of Database Secure Audit method, system and computer readable storage medium |
CN110941632A (en) * | 2019-11-19 | 2020-03-31 | 杭州迪普科技股份有限公司 | Database auditing method, device and equipment |
CN111461668A (en) * | 2020-04-08 | 2020-07-28 | 国网天津市电力公司 | Digital auditing system and method based on process automation technology |
CN111813627A (en) * | 2020-07-06 | 2020-10-23 | 深信服科技股份有限公司 | Application auditing method, device, terminal, system and readable storage medium |
CN112860637A (en) * | 2021-02-05 | 2021-05-28 | 广州海量数据库技术有限公司 | Method and system for processing log based on audit strategy |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CA3048056A1 (en) * | 2018-06-27 | 2019-12-27 | NuEnergy.ai | Methods and systems for the measurement of relative trustworthiness for technology enhanced with ai learning algorithms |
Legal status timeline: 2021-06-29, CN application CN202110732009.1A (CN113505367B), status Active.
Non-Patent Citations (3)
Title |
---|
Korpela, Jussi, et al. "The effect of automatic blink correction on auditory evoked potentials." 2012 Annual International Conference of the IEEE Engineering in Medicine and Biology Society, 2012-11-10, pp. 625-628. * |
Li Dongqi, et al. "Design of a ZeroMQ-based SOA distributed communication system" (基于ZeroMQ的SOA分布式通信系统设计). Computer & Digital Engineering (计算机与数字工程), vol. 46, no. 6, 2018-06-30, pp. 1257-1262. * |
Chang Jianguo, et al. "Implementation of a database auditing and anti-prescription-statistics-leakage (防统方) system" (数据库审计与防统方系统的实现). China Medical Devices (中国医疗设备), vol. 28, no. 4, 2013-04-25, pp. 52-54, 138. * |
Also Published As
Publication number | Publication date |
---|---|
CN113505367A (en) | 2021-10-15 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |