
TWI820961B - Electronic device and method for processing intelligence based on microservice and public cloud component - Google Patents


Publication number
TWI820961B
Authority
TW
Taiwan
Prior art keywords
information
public cloud
microservice
microservices
effective
Prior art date
Application number
TW111138494A
Other languages
Chinese (zh)
Other versions
TW202416696A (en)
Inventor
徐正磬
詹偉銘
黃傳強
翁振芳
Original Assignee
中華電信股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中華電信股份有限公司
Priority to TW111138494A
Application granted
Publication of TWI820961B
Publication of TW202416696A

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • General Factory Administration (AREA)
  • Image Processing (AREA)

Abstract

An electronic device and a method for processing intelligence based on microservice and public cloud component are provided. The method includes the following steps: scheduling, by an original-intelligence-processing-module, a microservice and a public cloud component and obtaining a processed-intelligence using an original-intelligence, the microservice and the public cloud component; scheduling, by a valid-intelligence-obtaining-module, the microservice and the public cloud component and obtaining a valid-intelligence using the processed-intelligence, the microservice, and the public cloud component; and scheduling, by an effective-intelligence-providing module, the microservice and the public cloud component and providing the valid-intelligence using the microservice and the public cloud component.

Description

Electronic device and method for processing intelligence based on microservices and public cloud components

The present invention relates to an electronic device and a method for processing intelligence based on microservices and public cloud components.

As cyber threats continue to grow in number and complexity, the volume of related intelligence data has become large and difficult to process. Processing intelligence related to cyber threats more efficiently is a goal that those skilled in the art should work toward.

The electronic device for processing intelligence based on microservices and public cloud components of the present invention includes microservices, an original intelligence processing module, a valid intelligence obtaining module, and a valid intelligence providing module. The original intelligence processing module schedules the microservices and a public cloud component, and obtains processed intelligence using original intelligence, the microservices, and the public cloud component. The valid intelligence obtaining module schedules the microservices and the public cloud component, and obtains valid intelligence using the processed intelligence, the microservices, and the public cloud component. The valid intelligence providing module schedules the microservices and the public cloud component, and provides the valid intelligence using the microservices and the public cloud component.

The method for processing intelligence based on microservices and public cloud components of the present invention includes the following steps: scheduling, by the original intelligence processing module, the microservices and the public cloud component, and obtaining processed intelligence using the original intelligence, the microservices, and the public cloud component; scheduling, by the valid intelligence obtaining module, the microservices and the public cloud component, and obtaining valid intelligence using the processed intelligence, the microservices, and the public cloud component; and scheduling, by the valid intelligence providing module, the microservices and the public cloud component, and providing the valid intelligence using the microservices and the public cloud component.

FIG. 1 is a schematic diagram of an electronic device 100 for processing intelligence based on microservices and public cloud components according to an embodiment of the present invention. The electronic device 100 may include microservice 110a, microservice 110b, ... through microservice 110n. The electronic device 100 may further include an original intelligence processing module 120, a valid intelligence obtaining module 130, a valid intelligence providing module 140, and an application gateway 160. Note that the number of microservices shown in FIG. 1 is illustrative only, and the present invention is not limited thereto. In this embodiment, the electronic device 100 may be communicatively connected to an intelligence source device 200, a public cloud component 400, and a public cloud storage 500.

In one embodiment, each microservice (microservice 110a, microservice 110b, ... through microservice 110n), the original intelligence processing module 120, the valid intelligence obtaining module 130, the valid intelligence providing module 140, and the application gateway 160 may be software and/or firmware code executed by a processor. In another embodiment, they may be implemented as circuits. In yet another embodiment, they may be implemented as a combination of software and/or firmware code and circuits. The present invention does not limit how the microservices, the original intelligence processing module 120, the valid intelligence obtaining module 130, the valid intelligence providing module 140, and the application gateway 160 are implemented. In this embodiment, microservice 110a, microservice 110b, ... through microservice 110n may communicate with one another via APIs, for example.

FIG. 2 is a flowchart of a method for processing intelligence based on microservices and public cloud components according to an embodiment of the present invention. Referring to FIG. 1 and FIG. 2 together, the method of this embodiment is applicable to the electronic device 100 shown in FIG. 1. The detailed steps of the method are described below with reference to the electronic device 100.

In step S210, the original intelligence processing module 120 may schedule the microservices and the public cloud component 400, and obtain processed intelligence using the original intelligence, the microservices, and the public cloud component 400.

In detail, the original intelligence processing module 120 may receive original intelligence from the intelligence source device 200. The intelligence source device 200 is, for example, an enterprise server or network device. The original intelligence is, for example, network device logs or network traffic. The original intelligence processing module 120 may also monitor the current assignment status and resource usage of microservice 110a, microservice 110b, ... through microservice 110n. After receiving the original intelligence, the original intelligence processing module 120 may schedule microservices according to the filtering rules or according to the intelligence type of the original intelligence. For example, for each filtering rule, the original intelligence processing module 120 may schedule (assign) one or several microservices from among microservices 110a through 110n. Alternatively, the original intelligence processing module 120 may schedule (assign) different microservices for different intelligence types of the original intelligence. In other embodiments, for a large amount of original intelligence of the same intelligence type, the original intelligence processing module 120 may slice the original intelligence (slicing and dicing) to obtain a specific number of original intelligence slices, and schedule that same number of microservices from among microservices 110a through 110n to speed up processing. After the microservices are scheduled, the original intelligence processing module 120 may execute the filtering rules to obtain filtered intelligence from the original intelligence. The filtering rules may include, but are not limited to: deleting missing fields in the original intelligence, identifying ambiguous strings in the original intelligence, removing unrecognizable strings from the original intelligence, and normalizing the original intelligence according to specific intelligence fields (for example, its timestamp, source address, source port, destination address, and/or destination port).
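An added example (not code from the patent or its applicant) of the filtering and slicing step described above: records with missing or unrecognizable fields are dropped, the five named fields are normalized, and the input is cut into slices that are processed in parallel. The dictionary keys, the UTC output format, and the thread pool standing in for the scheduled microservices are assumptions of this sketch.

```python
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timezone
import ipaddress

# Key names are assumptions; the page names the fields but not their keys.
REQUIRED = ("timestamp", "src_ip", "src_port", "dst_ip", "dst_port")

def parse_timestamp(value):
    """Epoch seconds or ISO 8601 -> 'YYYY-MM-DDTHH:MM:SSZ' in UTC."""
    text = str(value).strip()
    try:
        dt = datetime.fromtimestamp(float(text), tz=timezone.utc)
    except ValueError:
        if text.endswith("Z"):
            text = text[:-1] + "+00:00"
        dt = datetime.fromisoformat(text)
        if dt.tzinfo is None:  # assumption: naive timestamps are UTC
            dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_port(value):
    port = int(str(value).strip())
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port

def normalize_record(raw):
    """Return the normalized record, or None if a filtering rule drops it."""
    # Rule: drop records with missing fields.
    if any(raw.get(k) is None or str(raw[k]).strip() == "" for k in REQUIRED):
        return None
    try:
        # Rule: normalize timestamp, addresses and ports to one canonical form.
        return {
            "timestamp": parse_timestamp(raw["timestamp"]),
            "src_ip": str(ipaddress.ip_address(str(raw["src_ip"]).strip())),
            "src_port": parse_port(raw["src_port"]),
            "dst_ip": str(ipaddress.ip_address(str(raw["dst_ip"]).strip())),
            "dst_port": parse_port(raw["dst_port"]),
        }
    except (ValueError, OverflowError, OSError):
        # Rule: drop records whose fields hold unrecognizable strings.
        return None

def slice_records(records, n):
    """Split records into n contiguous slices of near-equal size."""
    n = max(1, min(n, len(records) or 1))
    size, extra = divmod(len(records), n)
    slices, start = [], 0
    for i in range(n):
        end = start + size + (1 if i < extra else 0)
        slices.append(records[start:end])
        start = end
    return slices

def process_in_slices(records, n_slices):
    """Normalize each slice in its own worker; return (kept, dropped_count)."""
    slices = slice_records(records, n_slices)
    with ThreadPoolExecutor(max_workers=len(slices)) as pool:
        parts = list(pool.map(
            lambda s: [normalize_record(r) for r in s], slices))
    flat = [rec for part in parts for rec in part]
    kept = [rec for rec in flat if rec is not None]
    return kept, len(flat) - len(kept)

# Constructed sample input (documentation address ranges), not real logs.
SAMPLE_RAW = [
    {"timestamp": "2022-10-11T08:00:00Z", "src_ip": "192.0.2.10",
     "src_port": "51515", "dst_ip": "198.51.100.53", "dst_port": "53"},
    {"timestamp": 1665475201, "src_ip": " 192.0.2.11 ",
     "src_port": 40000, "dst_ip": "2001:0DB8::0001", "dst_port": 443},
    {"timestamp": "2022-10-11 16:00:02+08:00", "src_ip": "192.0.2.12",
     "src_port": "1234", "dst_ip": "198.51.100.7", "dst_port": "80"},
    {"timestamp": "2022-10-11T08:00:03Z", "src_ip": "",          # missing
     "src_port": "1", "dst_ip": "198.51.100.7", "dst_port": "80"},
    {"timestamp": "not-a-time", "src_ip": "192.0.2.13",          # unparsable
     "src_port": "2", "dst_ip": "198.51.100.7", "dst_port": "80"},
    {"timestamp": "2022-10-11T08:00:05Z", "src_ip": "192.0.2.14",
     "src_port": "70000", "dst_ip": "198.51.100.7", "dst_port": "80"},
]

if __name__ == "__main__":
    kept, dropped = process_in_slices(SAMPLE_RAW, 3)
    for rec in kept:
        print(rec)
    print("dropped:", dropped)
```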

In this embodiment, the original intelligence processing module 120 may monitor the resource usage of the public cloud component 400. After obtaining the filtered intelligence, the original intelligence processing module 120 may schedule the public cloud component 400 and store the filtered intelligence in the public cloud storage 500 (for example, in batches). The public cloud storage 500 may serve as a data lake for intelligence; in other words, it can be elastically expanded to store a large amount of intelligence. Next, to keep the operation of the intelligence analysis sub-modules in the valid intelligence obtaining module 130 from contaminating the intelligence, and/or to allow parallel analysis by specific intelligence analysis sub-modules, the original intelligence processing module 120 may schedule the public cloud component 400 and copy the filtered intelligence from the public cloud storage 500 to obtain the processed intelligence.

Returning to FIG. 2, in step S220 the valid intelligence obtaining module 130 may schedule the microservices and the public cloud component 400, and obtain valid intelligence using the processed intelligence, the microservices, and the public cloud component 400. In this embodiment, the valid intelligence obtaining module 130 may include multiple intelligence analysis sub-modules, as described further below.

Specifically, the valid intelligence obtaining module 130 may schedule microservices according to the multiple intelligence analysis sub-modules. In one embodiment, the intelligence analysis sub-modules may include, but are not limited to, a DNS tunneling (Domain Name Server Tunneling) artificial intelligence detection module, a counterfeit domain name artificial intelligence detection module, and a domain generation algorithm (DGA) artificial intelligence detection module. The description continues below.

FIG. 3 is a schematic diagram of multiple intelligence analysis sub-modules according to an embodiment of the present invention. Refer to FIG. 1, FIG. 2, and FIG. 3 together. Note that the number of intelligence analysis sub-modules shown in FIG. 3 is illustrative only, and the present invention is not limited thereto. For ease of explanation, assume that the valid intelligence obtaining module 130 includes intelligence analysis sub-modules 130a, 130b, 130c, 130d, and 130e. The valid intelligence obtaining module 130 may monitor the current assignment status and resource usage of microservice 110a, microservice 110b, ... through microservice 110n, and schedule (assign) one microservice to each of the intelligence analysis sub-modules 130a through 130e. Assume here that the valid intelligence obtaining module 130 schedules microservice 110a for sub-module 130a, microservice 110b for sub-module 130b, microservice 110c for sub-module 130c, microservice 110d for sub-module 130d, and microservice 110e for sub-module 130e. The valid intelligence obtaining module 130 may set a microservice weight value for each of microservices 110a through 110e according to its operating load. Next, for specific processed intelligence, the valid intelligence obtaining module 130 may determine whether sub-modules 130a through 130e need to be executed in a specific order. If they do not, the valid intelligence obtaining module 130 may determine the execution order of sub-modules 130a through 130e, that is, the execution order of microservices 110a through 110e (the microservice routing topology), according to the microservice weight values. For example, if the microservice weight values of microservices 110a, 110b, 110c, 110d, and 110e are 1, 2, 3, 4, and 5 respectively (that is, the operating loads from lowest to highest are microservice 110a, 110b, 110c, 110d, and 110e), the valid intelligence obtaining module 130 may determine the execution order to be sub-module 130a, sub-module 130b, sub-module 130c, sub-module 130d, and then sub-module 130e. In other embodiments, the valid intelligence obtaining module 130 may determine the execution order of sub-modules 130a through 130e according to a shortest path algorithm.
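An added example (not code from the patent) of the weight-based ordering described above. It goes one step beyond the text: the page treats "specific order required" and "order by weight" as separate cases, while this sketch accepts optional precedence pairs and uses the weight only to choose among sub-modules that are free to run. The function name and the `must_precede` parameter are hypothetical.

```python
import heapq

def execution_order(weights, must_precede=()):
    """Order sub-modules by ascending microservice weight (lowest load first).

    weights      -- {sub_module: weight of its assigned microservice}
    must_precede -- optional (before, after) pairs; hypothetical parameter
                    for the case where some sub-modules need a fixed order.
    """
    indegree = {name: 0 for name in weights}
    successors = {name: [] for name in weights}
    for before, after in must_precede:
        if before not in weights or after not in weights:
            raise KeyError(f"unknown sub-module in constraint {before}->{after}")
        successors[before].append(after)
        indegree[after] += 1

    # Sub-modules with no unmet prerequisite, keyed by weight.
    ready = [(weights[n], n) for n in weights if indegree[n] == 0]
    heapq.heapify(ready)

    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for nxt in successors[name]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                heapq.heappush(ready, (weights[nxt], nxt))

    if len(order) != len(weights):
        raise ValueError("ordering constraints contain a cycle")
    return order

# Weights from the page's example: 110a..110e carry weights 1..5 and are
# assigned to sub-modules 130a..130e respectively.
PAGE_WEIGHTS = {"130a": 1, "130b": 2, "130c": 3, "130d": 4, "130e": 5}

if __name__ == "__main__":
    print(execution_order(PAGE_WEIGHTS))
    # Constructed constraint: 130d must finish before 130a starts.
    print(execution_order(PAGE_WEIGHTS, [("130d", "130a")]))
```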

After determining the execution order of intelligence analysis sub-modules 130a through 130e, the valid intelligence obtaining module 130 may execute them in that order to obtain an intelligence analysis result from the processed intelligence. For example, the valid intelligence obtaining module 130 may, following that execution order, invoke/execute microservice 110a, microservice 110b, microservice 110c, microservice 110d, and microservice 110e in sequence on the processed intelligence to obtain the intelligence analysis result.

As described in the preceding embodiment, the valid intelligence obtaining module 130 may monitor the current assignment status and resource usage of microservices 110a through 110e. For example, it may monitor the operating load and/or operating time of microservices 110a through 110e. If the operating load and/or operating time of a specific microservice exceeds a maximum threshold or falls below a minimum threshold, the valid intelligence obtaining module 130 may expand/adjust the execution resources and/or storage resources of that microservice, and restart the microservice after it finishes executing. In addition, if a specific microservice has a large amount of processed intelligence to handle, the valid intelligence obtaining module 130 may replicate that microservice so that it runs synchronously/in parallel. In other embodiments, when a new intelligence analysis sub-module is added to the valid intelligence obtaining module 130, the module may create a new microservice and schedule/assign it to the new sub-module. In other embodiments, the valid intelligence obtaining module 130 may shut down microservices that are rarely used and no longer running. In other embodiments, it may hibernate microservices that are frequently used but not currently running. In other embodiments, it may wake up/re-run hibernating microservices. In other embodiments, for a specific microservice that is running but unresponsive, the valid intelligence obtaining module 130 may first replicate that microservice and then delete the original unresponsive one.

After obtaining the intelligence analysis result, the valid intelligence obtaining module 130 may schedule microservices and execute a sandbox verification procedure to obtain valid intelligence from the intelligence analysis result. In detail, the valid intelligence obtaining module 130 may schedule one microservice for each of multiple external intelligence providers and mirror the intelligence analysis result to those microservices. In this way, the valid intelligence obtaining module 130 can compare/verify the intelligence analysis result against external intelligence from the external intelligence providers, and filter out of the analysis result the valid intelligence (that which matches the external intelligence).
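An added example (not code from the patent) of the verification step described above: the analysis result is mirrored to one checker per external provider, and only findings that match external intelligence are kept. The provider feeds are constructed in-memory lists standing in for provider lookups, and the `min_confirmations` parameter and record keys are assumptions of this sketch.

```python
from concurrent.futures import ThreadPoolExecutor

def canonical(indicator):
    """Canonical form of a domain indicator so feeds compare equal."""
    return indicator.strip().rstrip(".").lower()

def provider_check(feed, indicators):
    """One provider's view: the subset of indicators that its feed knows."""
    known = {canonical(item) for item in feed}
    return {ind for ind in indicators if ind in known}

def validate(findings, providers, min_confirmations=1):
    """Keep findings confirmed by at least min_confirmations providers.

    findings  -- [{"indicator": str, "detector": str}, ...] (assumed keys)
    providers -- {provider_name: iterable of indicators}, constructed feeds
    """
    wanted = {canonical(f["indicator"]) for f in findings}
    names = sorted(providers)
    # Mirror the same analysis result to one worker per provider.
    with ThreadPoolExecutor(max_workers=max(1, len(names))) as pool:
        hits = list(pool.map(
            lambda name: provider_check(providers[name], wanted), names))

    confirmed_by = {ind: [] for ind in wanted}
    for name, matched in zip(names, hits):
        for ind in matched:
            confirmed_by[ind].append(name)

    valid, seen = [], set()
    for finding in findings:
        key = canonical(finding["indicator"])
        if key in seen:
            continue  # report each indicator once
        seen.add(key)
        if len(confirmed_by[key]) >= min_confirmations:
            valid.append({"indicator": key,
                          "detector": finding["detector"],
                          "confirmed_by": confirmed_by[key]})
    return valid

# Constructed analysis result and provider feeds (reserved test domains).
SAMPLE_FINDINGS = [
    {"indicator": "xkqzjwpt.example.", "detector": "dga"},
    {"indicator": "Login-Examp1e.test", "detector": "counterfeit-domain"},
    {"indicator": "t1.tunnel.example", "detector": "dns-tunneling"},
    {"indicator": "cdn.benign.example", "detector": "dga"},
]
SAMPLE_PROVIDERS = {
    "provider_a": ["XKQZJWPT.example", "t1.tunnel.example"],
    "provider_b": ["t1.tunnel.example.", "unrelated.example"],
}

if __name__ == "__main__":
    for item in validate(SAMPLE_FINDINGS, SAMPLE_PROVIDERS):
        print(item)
```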

In this embodiment, the valid intelligence obtaining module 130 may monitor the resource usage of the public cloud component 400. After obtaining the valid intelligence, the valid intelligence obtaining module 130 may schedule the public cloud component 400 and store the valid intelligence in the public cloud storage 500. In detail, the valid intelligence obtaining module 130 may schedule the public cloud component 400 to create an intelligence queue, a relational intelligence database, a graph intelligence database, and a time-series intelligence database in the public cloud storage 500. The valid intelligence obtaining module 130 may also monitor the load of the relational, graph, and/or time-series intelligence databases and dynamically expand the resources of each database. In one embodiment, the valid intelligence obtaining module 130 may store the valid intelligence in the intelligence queue of the public cloud storage 500. In another embodiment, it may store the valid intelligence in the relational intelligence database, the graph intelligence database, and/or the time-series intelligence database of the public cloud storage 500. This is described further below.

Returning to FIG. 2, in step S230 the valid intelligence providing module 140 may schedule the microservices and the public cloud component 400, and provide the valid intelligence using the microservices and the public cloud component 400. The valid intelligence providing module 140 may monitor the current assignment status and resource usage of the microservices 110, and may monitor the resource usage of the public cloud component 400, in order to carry out the flows described in the following embodiments.

In one embodiment, the valid intelligence providing module 140 may provide the valid intelligence actively. Specifically, the valid intelligence providing module 140 may schedule the microservices and the public cloud component 400 to receive the valid intelligence from the intelligence queue of the public cloud storage 500, and transmit the valid intelligence to an external intelligence system (not shown) through the application gateway 160. For example, the valid intelligence providing module 140 may transmit the valid intelligence to the external intelligence system periodically through the application gateway 160.

In another embodiment, the valid intelligence providing module 140 may provide the valid intelligence passively, only after receiving an intelligence query request. Specifically, in response to receiving an intelligence query request from an intelligence query device (not shown) through the application gateway 160, the valid intelligence providing module 140 may schedule the microservices and the public cloud component 400 to receive the valid intelligence from the relational intelligence database, the graph intelligence database, and the time-series intelligence database of the public cloud storage 500. The valid intelligence providing module 140 may then transmit the valid intelligence to the intelligence query device through the application gateway 160. In detail, in this embodiment, the relational intelligence database may store the part of the valid intelligence related to indicators of compromise, the graph intelligence database may store the threat correlation intelligence, and the time-series intelligence database may store the intelligence related to passive domain name queries. The valid intelligence providing module 140 may schedule microservices (for example, one or more of microservices 110a through 110n) to transmit the valid intelligence to the intelligence query device through the application gateway 160 in a visual form such as a graphical interface, so that the person querying can read and review the valid intelligence more easily. Notably, the valid intelligence providing module 140 may monitor the network connection load of the physical/virtual network hosting each microservice scheduled to execute the above flow. If the network connections exceed the load limit, the valid intelligence providing module 140 may replicate the specific microservice. If the network connections later fall below the load limit, the valid intelligence providing module 140 may delete the replicated microservice to scale down.

In other embodiments, the valid intelligence providing module 140 may store the more frequently queried part of the valid intelligence in a cache. When the valid intelligence providing module 140 receives an intelligence query request from the intelligence query device through the application gateway 160 and the requested intelligence is already in the cache, the valid intelligence providing module 140 may fetch the requested intelligence from the cache and transmit it to the intelligence query device through the application gateway 160. When the requested intelligence is not in the cache, the valid intelligence providing module 140 may receive the valid intelligence from the relational intelligence database, the graph intelligence database, and the time-series intelligence database of the public cloud storage 500, update the cache with it, and transmit it to the intelligence query device through the application gateway 160.

In other embodiments, the valid intelligence providing module 140 may schedule the public cloud component 400 to perform load balancing for the application gateway 160 when transmitting the valid intelligence to the external intelligence system and/or the intelligence query device through the application gateway 160.

In other embodiments, the valid intelligence providing module 140 may schedule the public cloud component 400 to set up a Web Application Firewall (WAF) on the application gateway 160, increasing security when the valid intelligence is provided.

In other embodiments, the valid intelligence providing module 140 may schedule the public cloud component 400 to use a key to encrypt the connection between the application gateway 160 and the external intelligence system and/or the intelligence query device, increasing security when the valid intelligence is provided.

In summary, the electronic device and method of the present invention for processing intelligence based on microservices and public cloud components can filter and analyze intelligence using the microservices and the public cloud components, and can provide valid intelligence. Because the microservices are independent of one another, the programs and data of each microservice do not interfere with those of the others, which improves the security of the intelligence. In addition, by monitoring the resource usage of the microservices and the public cloud components, the electronic device and method of the present invention can dynamically schedule the microservices and the public cloud components to carry out the various operations on the intelligence, which improves the efficiency of intelligence processing.

100: electronic device for processing intelligence based on microservices and public cloud components
110a, 110b, 110c, 110d, 110e, 110n: microservices
120: original intelligence processing module
130: valid intelligence obtaining module
140: valid intelligence providing module
160: application gateway
200: intelligence source device
400: public cloud component
500: public cloud storage
S210, S220, S230: steps
130a, 130b, 130c, 130d, 130e: intelligence analysis sub-modules

FIG. 1 is a schematic diagram of an electronic device for processing intelligence based on microservices and public cloud components according to an embodiment of the present invention.
FIG. 2 is a flowchart of a method for processing intelligence based on microservices and public cloud components according to an embodiment of the present invention.
FIG. 3 is a schematic diagram of a plurality of intelligence analysis sub-modules according to an embodiment of the present invention.

S210, S220, S230: steps

Claims (7)

1. An electronic device for processing intelligence based on microservices and public cloud components, comprising: a microservice; an original intelligence processing module, which schedules the microservice and a public cloud component, and obtains processed intelligence using original intelligence, the microservice, and the public cloud component; a valid intelligence obtaining module, which schedules the microservice and the public cloud component, and obtains valid intelligence using the processed intelligence, the microservice, and the public cloud component; and a valid intelligence providing module, which schedules the microservice and the public cloud component, and provides the valid intelligence using the microservice and the public cloud component.
2. The electronic device of claim 1, wherein the original intelligence processing module schedules the microservice according to a filtering rule or an intelligence type of the original intelligence, and executes the filtering rule to obtain filtered intelligence using the original intelligence; the original intelligence processing module schedules the public cloud component and stores the filtered intelligence in a public cloud storage; and the original intelligence processing module schedules the public cloud component and copies the filtered intelligence from the public cloud storage to obtain the processed intelligence.
3. The electronic device of claim 1, wherein the valid intelligence obtaining module comprises a plurality of intelligence analysis sub-modules, wherein the valid intelligence obtaining module schedules the microservice according to the plurality of intelligence analysis sub-modules, and executes the plurality of intelligence analysis sub-modules to obtain an intelligence analysis result using the processed intelligence; and the valid intelligence obtaining module schedules the microservice and executes a sandbox verification procedure to obtain the valid intelligence using the intelligence analysis result.
4. The electronic device of claim 3, wherein the valid intelligence obtaining module schedules the public cloud component and stores the valid intelligence in a public cloud storage.
5. The electronic device of claim 1, further comprising an application gateway, wherein the valid intelligence providing module schedules the microservice and the public cloud component to receive the valid intelligence from an intelligence queue of a public cloud storage, and transmits the valid intelligence to an external intelligence system through the application gateway.
6. The electronic device of claim 1, further comprising an application gateway, wherein in response to receiving an intelligence query request from an intelligence query device through the application gateway, the valid intelligence providing module schedules the microservice and the public cloud component to receive the valid intelligence from a relational intelligence database, a graph intelligence database, and a time-series intelligence database of a public cloud storage, and transmits the valid intelligence to the intelligence query device through the application gateway.
7. A method for processing intelligence based on microservices and public cloud components, applicable to an electronic device comprising a microservice, an original intelligence processing module, a valid intelligence obtaining module, and a valid intelligence providing module, the method comprising the following steps: scheduling, by the original intelligence processing module, the microservice and a public cloud component, and obtaining processed intelligence using original intelligence, the microservice, and the public cloud component; scheduling, by the valid intelligence obtaining module, the microservice and the public cloud component, and obtaining valid intelligence using the processed intelligence, the microservice, and the public cloud component; and scheduling, by the valid intelligence providing module, the microservice and the public cloud component, and providing the valid intelligence using the microservice and the public cloud component.
TW111138494A 2022-10-11 2022-10-11 Electronic device and method for processing intelligence based on microservice and public cloud component TWI820961B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW111138494A TWI820961B (en) 2022-10-11 2022-10-11 Electronic device and method for processing intelligence based on microservice and public cloud component

Publications (2)

Publication Number Publication Date
TWI820961B true TWI820961B (en) 2023-11-01
TW202416696A TW202416696A (en) 2024-04-16

Family

ID=89722413

Family Applications (1)

Application Number Title Priority Date Filing Date
TW111138494A TWI820961B (en) 2022-10-11 2022-10-11 Electronic device and method for processing intelligence based on microservice and public cloud component

Country Status (1)

Country Link
TW (1) TWI820961B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI644203B (en) * 2017-12-28 2018-12-11 中華電信股份有限公司 System and method for monitoring cloud network convergence
TWI709874B (en) * 2019-04-01 2020-11-11 中華電信股份有限公司 Method of sharing cyber threat intelligence with external device and electronic device thereof
CN112580006A (en) * 2020-12-24 2021-03-30 中国建设银行股份有限公司 Access right control method and device of multi-cloud system and authentication server
TWI764607B (en) * 2021-03-08 2022-05-11 中華電信股份有限公司 System, method and computer readable storage medium for cyber threat information sharing
TWI779993B (en) * 2022-01-20 2022-10-01 中華電信股份有限公司 Model management system, model management method based on iot and computer program product thereof
