CN111898105A - External terminal protection equipment with user tracing function and protection system - Google Patents

Info

Publication number: CN111898105A
Application number: CN202010736732.2A
Priority to: CN202010736732.2A
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: Pending (the status as listed by Google Patents is an assumption, not a legal conclusion)
Prior art keywords: user, external, information, equipment, file
Inventors: 褚峨维, 张昊, 刘丰铭
Original and current assignee: Beijing Zhongke Qilin Information Engineering Co Ltd (the listed assignee may be inaccurate; no legal analysis was performed)
Application filed by Beijing Zhongke Qilin Information Engineering Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G06F21/36 User authentication by graphic or iconic representation
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82 Protecting input, output or interconnection devices
    • G06F21/85 Protecting input, output or interconnection devices: interconnection devices, e.g. bus-connected or in-line devices


Abstract

An external terminal protection device and a protection system with a user tracing function. The device includes: external interfaces for connecting one or more external devices and a protected device respectively; a user identity information acquisition module for acquiring a user's identity information in real time; a file monitoring module for verifying and managing the user identity information, so that users can trace past use and receive the retrieval result, and for controlling the security authentication of external devices connected through the external interfaces; and a file transmission module for transmitting file data imported from an external device to the protected device under the control of the file monitoring module. The invention protects the protected device without installing security software on it, determines the operator's usage permission through several verification modes, greatly reduces system security risk and addresses the security hazards that each interface may introduce.

Description

External terminal protection equipment with user tracing function and protection system
Technical Field
The invention belongs to the technical field of computer security, and particularly relates to an external terminal protection device with a user tracing function and a protection system.
Background
In recent years computers and information technology have developed rapidly, which has greatly promoted the spread of networks. While people increasingly enjoy the convenience this brings, new threats to the security of data in the computers used in production and daily life have appeared, such as unauthorized access, impersonation of legitimate users, destruction of data integrity, interference with normal system operation, spreading viruses over the network and man-in-the-middle interception.
Many technical means exist for intranet security; for example, network security products such as firewalls, antivirus systems and intrusion detection systems are installed and used on equipment, yet security incidents still occur frequently after these measures are taken. According to statistics, 70% of computer crimes are caused by internal personnel illegally using key resources such as equipment, and only 30% of the real threat comes from outside. Internal personnel lack security awareness when using equipment, sit behind the firewall, and connect all kinds of external devices without any standard procedure; their misoperation or deliberate sabotage of a system can cause severe damage or even major losses to government bodies, enterprises and institutions.
Meanwhile, some special devices, such as devices controlled by dedicated software and the engineer or operator stations in some industrial settings, often have no security software on the market that fits their systems because of the systems' particularity, and installing security software easily causes compatibility problems with the device's original software or even degrades performance. In addition, engineer and operator station equipment basically cannot upgrade its operating system once it is online, and even if security software is installed, the anti-malware software version and malicious code signature database are not updated in time, so comprehensive protection is not achieved.
When an external terminal protection device is used instead, the user must re-authenticate on every use, which costs time, and because the external terminal protection device works independently there is no way to review who exactly has used it, which is inconvenient for the user.
Disclosure of Invention
In view of the above, the main objective of the present invention is to provide an external terminal protection device and a protection system with a user tracing function, so as to at least partially solve at least one of the above technical problems.
In order to achieve the above object, a first aspect of the present invention provides an external terminal protection device with a user tracing function, including:
the external interfaces are used for respectively connecting one or more external devices and protected devices;
the system comprises a user identity information acquisition module, a user identification information acquisition module and a user identification information processing module, wherein the user identity information acquisition module is used for acquiring user identity information of a user in real time, and the user identity information comprises fingerprint information, palm print information, iris information, face information, voice information and/or preset special pattern information of the user;
the file monitoring module is connected with the user identity information acquisition module and used for verifying the user identity information of the user and managing the user identity information for the user to trace and feed back a retrieval result; the file monitoring module is also used for controlling the safety authentication of external equipment accessed by the external interface;
and the file transmission module is connected with the file monitoring module and used for transmitting the file data imported by the external equipment to the protected equipment under the control of the file monitoring module.
As a second aspect of the present invention, there is also provided a protection system including:
one or more external devices;
a protected device; and
the external terminal protection device as described above,
the external terminal protection device is externally connected to the protected device, so that the one or more external devices are in interface communication with the protected device through the external terminal protection device.
Based on the above technical solution, compared with the prior art, the external terminal protection device with a user tracing function and the protection system have at least one of the following beneficial effects:
The external terminal protection device takes over every data interface of the protected device, ensuring that all data communication through those interfaces passes through the external terminal protection device, and determines the current operator's usage permission through several verification modes. This protects the protected device without installing security software on it, greatly reduces system security risk and addresses the security hazards that each interface may introduce.
Drawings
Fig. 1 is a schematic view of an application scenario of an external terminal protection device with a user tracing function according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the internal configuration of an external terminal protection device with a user tracing function according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
The term "and/or" herein is merely an association describing an associated object, meaning that three relationships may exist, e.g., "a and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
The invention discloses an external terminal protection device with a user tracing function, which comprises:
the external interfaces are used for respectively connecting one or more external devices and protected devices;
the system comprises a user identity information acquisition module, a user identification information acquisition module and a user identification information processing module, wherein the user identity information acquisition module is used for acquiring user identity information of a user in real time, and the user identity information comprises fingerprint information, palm print information, iris information, face information, voice information and/or preset special pattern information of the user;
the file monitoring module is connected with the user identity information acquisition module and used for verifying the user identity information of the user and managing the user identity information for the user to trace and feed back a retrieval result; the file monitoring module is also used for controlling the safety authentication of external equipment accessed by the external interface;
and the file transmission module is connected with the file monitoring module and used for transmitting the file data imported by the external equipment to the protected equipment under the control of the file monitoring module.
According to a preferred embodiment of the present invention, the file control and test module includes:
the identity storage unit is used for storing user identity information of a user and/or external equipment information correspondingly accessed each time;
the identity recognition unit is used for verifying whether the user identity information of the user meets the access right or not;
and the identity management unit is used for reading the related user identity information and/or the external equipment information from the identity storage unit when the user traces the user use record and outputting the information to the tracing initiating user.
According to a preferred embodiment of the present invention, the identity storage unit is further configured to pre-store user identity information satisfying the access right and external device information accessed by the user.
According to a preferred embodiment of the present invention, when the user identity information of the user satisfies the access right, the identity recognizing unit is further configured to:
and matching the external device information of the user with the pre-stored external device information meeting the access authority, and allowing the user to obtain the access authority when the user identity information and the external device information are all successfully matched.
According to a preferred embodiment of the present invention, the external terminal protection device further comprises an input/display module, configured to enable a user with administrator qualification to input user identity information and/or external device information with access right in advance;
preferably, the input/display module comprises a display screen and a plurality of keys arranged on the external terminal protection device, or the display screen and the keys are connected in a remote control mode.
According to a preferred embodiment of the present invention, the document monitoring module further comprises:
the data detection unit is used for detecting whether the file data stored in the external equipment meets a preset safety condition;
and the data storage unit is used for storing the file data passing the security authentication.
According to a preferred embodiment of the present invention, the file monitoring module further includes:
and the file service unit is used for managing the file data stored by the data storage unit and sending the index information corresponding to the stored file data to the file transmission module.
According to a preferred embodiment of the present invention, the file monitoring module further includes:
a control unit implementing the following control logic:
if the external device fails security authentication, mark it as an unauthorized device and keep the line between the external device and the protected device physically disconnected; and/or
if the external device passes security authentication, confirm it as an authorized device and close the physical line connection between the external device and the protected device.
According to a preferred embodiment of the present invention, one or more of the external interfaces are USB interfaces.
According to a preferred embodiment of the invention, when the file monitoring module receives a request from a user to disconnect the external terminal protection device from the protected device, it verifies the user's identity information, and if the verification fails an alarm indication signal is triggered.
The invention also discloses a protection system, comprising:
one or more external devices;
a protected device; and
the external terminal protection device as described above,
the external terminal protection device is externally connected to the protected device, so that the one or more external devices are in interface communication with the protected device through the external terminal protection device.
In order that the objects, technical solutions and advantages of the present invention will become more apparent, the present invention will be further described in detail with reference to the accompanying drawings in conjunction with the following specific embodiments.
Fig. 1 is a schematic view of an application scenario of an external terminal protection device with a user tracing function according to an embodiment of the present invention. As shown in Fig. 1, the external terminal protection device is externally connected to the protected device through interface cables: the interfaces of the protected device that need protection (USB ports UC1 and UC2, COM port CC0 and network port EC0) are connected to the internal interfaces of the external terminal protection device by cables of the corresponding type. For example, the protected device's USB ports UC1 and UC2 are connected to the internal USB ports UA4 and UA3 of the external terminal protection device respectively, its serial port CC0 to the internal serial port CA2, and its network port EC0 to the internal network port EA2. All external devices (USB flash drives, CD-ROM drives, serial-connected devices and so on) are plugged into the external terminal protection device and can exchange data with the protected device only through it: for example, a USB flash drive is connected through external interface UA1, a USB CD-ROM drive through external interface UA2 and a serial-connected device through external interface CA1. External devices such as the USB flash drive, the USB CD-ROM drive and the serial device that need to exchange data with the protected device cannot be connected to it directly and must go through the corresponding external interface of the external terminal protection device.
Fig. 2 is a schematic diagram of the internal configuration of an external terminal protection device with a user tracing function according to an embodiment of the present invention. As shown in Fig. 2, the external terminal protection device with a user tracing function includes a plurality of external interfaces, a user identity information acquisition module, a file monitoring module and a file transmission module.
External interfaces such as USB interfaces, serial ports, network ports and the like are used for being connected with one or more external devices and protected devices respectively.
The user identity information acquisition module acquires the user's identity information in real time; this information includes the user's fingerprint, palm print, iris, face, voice and/or preset special pattern information. Specifically, in this embodiment the module is a small electronic unit consisting of a display screen and a verification device. When a user plugs an external device into the external terminal protection device, the circuit is not switched on; the display prompts the user to verify their identity, and the subsequent data detection and transmission functions are performed only after the identity verification has passed.
The file monitoring module is connected to the user identity information acquisition module; it verifies the user's identity information and manages it so that users can trace past use and receive the retrieval result, and it also controls the security authentication of external devices connected through the external interfaces. Specifically, the file monitoring module includes an identity storage unit, an identity recognition unit, an identity management unit, a data detection unit, a data storage unit and a file service unit.
The identity storage unit stores the user identity information and/or the corresponding external device information for each access. For example, the identity information of authorized persons and/or the external device information belonging to them may be recorded and stored in the identity storage unit in advance, and the user identity information and/or external device information for each use of the external terminal protection device may be stored as well.
The identity recognition unit verifies, for each use, whether the user's identity information satisfies the access permission. It is connected to the verification device: the user approaches the verification device and selects any verification mode on the display. For example, for fingerprint, palm print or iris verification the verification device scans the user's fingerprint, palm print or iris; for face verification it photographs the face; for voice verification the user reads the characters shown on the display into the verification device. The identity recognition unit then compares the identity information provided by the user with the identity information stored in the identity storage unit; if they match, verification passes and the current user's identity is shown on the display.
When the identity recognition unit cannot match the identity information provided by the user with any entry in the identity storage unit, the display of the user identity information acquisition module shows a "no usage permission" message. At the same time the identity storage unit records the identity information the user provided, so that the user can contact an administrator to have it recorded in the identity storage unit and to set the permission to use the external terminal protection device.
And the identity management unit is used for reading the related user identity information and/or the external equipment information from the identity storage unit when the user traces the user use record and outputting the information to the tracing initiating user.
For example, when a user needs to find out which users used the external terminal protection device between 3 pm and 5 pm that day, the user enters the time period to query; after the user's own identity information has been verified, the identity management unit reads the identity information and/or external device information of the users who used the device during that period and shows it on the display.
The external terminal protection device also includes an input/display module through which a user with administrator qualification enters in advance the user identity information and/or external device information that has access permission;
preferably, the input/display module consists of a display screen and several keys arranged on the external terminal protection device, or of a display screen and keys connected by remote control. Through the keys the administrator enters the user identity information and/or external device information that has access permission into the identity storage unit for storage. Preferably, the administrator can also register an authorized user's external device with the external terminal protection device in advance, i.e. bind the user to the corresponding external device, so that access is granted only when that registered external device is connected.
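The identity storage, identity recognition and identity management units described above (identity matching, user-to-device binding, recording of every attempt including unknown users, and tracing by time window) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the patent or from the applicant; the digest-based matcher, the USB vendor/product identifiers, the ISO 8601 timestamp strings and the sample user are all assumptions made for illustration.

```python
"""Added example (not from the patent): identity check, user/device binding,
per-use records and time-window tracing for the external terminal protection
device. All names, the digest-based matcher and the sample data are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, field


def template_id(raw_template: bytes) -> str:
    """Stand-in for biometric matching: store only a digest of the enrolled
    sample and compare digests. Assumption for illustration; a real device
    would run a fuzzy template matcher, not an exact hash comparison."""
    return hashlib.sha256(raw_template).hexdigest()


@dataclass
class AccessRecord:
    when: str          # ISO 8601 timestamp, e.g. "2020-07-27T15:30:00"
    user: str          # "" when the presented identity matched nobody
    device: tuple      # (USB vendor ID, product ID) of the external device
    granted: bool


@dataclass
class IdentityStore:
    """Identity storage unit: pre-registered users, the external devices bound
    to them, and every access attempt (rejected ones included, so an admin
    can later enrol an unknown user from the recorded sample)."""
    users: dict = field(default_factory=dict)       # template digest -> user
    bindings: dict = field(default_factory=dict)    # user -> {(vid, pid), ...}
    records: list = field(default_factory=list)
    unknown_attempts: list = field(default_factory=list)

    def enrol(self, user: str, raw_template: bytes, devices) -> None:
        """Administrator pre-stores an identity and binds devices to it."""
        self.users[template_id(raw_template)] = user
        self.bindings[user] = set(devices)

    def lookup(self, raw_template: bytes):
        digest = template_id(raw_template)
        for stored, user in self.users.items():
            if hmac.compare_digest(stored, digest):   # constant-time compare
                return user
        return None


def check_access(store: IdentityStore, raw_template: bytes, device: tuple, when: str):
    """Identity recognition unit: access is granted only when BOTH the user's
    identity and the presented (vid, pid) match a registered binding.
    Returns (granted, message shown on the display)."""
    user = store.lookup(raw_template)
    if user is None:
        store.unknown_attempts.append((when, template_id(raw_template)))
        store.records.append(AccessRecord(when, "", device, False))
        return False, "no usage permission"
    granted = device in store.bindings.get(user, set())
    store.records.append(AccessRecord(when, user, device, granted))
    if granted:
        return True, f"verified: {user}"
    return False, f"device {device[0]:04x}:{device[1]:04x} is not bound to {user}"


def trace(store: IdentityStore, start: str, end: str) -> list:
    """Identity management unit: who used the device in [start, end].
    ISO 8601 strings in one fixed format compare correctly as strings."""
    return [(r.when, r.user or "<unregistered>", r.device, r.granted)
            for r in store.records if start <= r.when <= end]


if __name__ == "__main__":
    # Constructed sample data: one enrolled user, one bound USB stick.
    store = IdentityStore()
    store.enrol("alice", b"fp-sample-alice", [(0x0781, 0x5567)])
    print(check_access(store, b"fp-sample-alice", (0x0781, 0x5567), "2020-07-27T15:30:00"))
    print(check_access(store, b"fp-sample-alice", (0x1234, 0x0001), "2020-07-27T16:00:00"))
    print(check_access(store, b"fp-sample-mallory", (0x0781, 0x5567), "2020-07-27T16:30:00"))
    for row in trace(store, "2020-07-27T15:00:00", "2020-07-27T17:00:00"):
        print(row)
```

Two design points worth noting: the record of a rejected attempt is written before the result is returned, so the trace is complete even when access is denied, and the unknown user's sample is kept separately so that an administrator can enrol it later, as the description requires. A real device must treat the stored templates and the trace log as sensitive data in their own right.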
The file monitoring module further comprises:
the data detection unit is used for detecting whether the file data stored in the external equipment meets a preset safety condition; the data storage unit is used for storing the file data passing the security authentication; and the file service unit is used for managing the file data stored by the data storage unit and sending the index information corresponding to the stored file data to the file transmission module.
When an external storage device is connected to the file monitoring module through a port (for example a USB port), the file monitoring module first checks the external storage device itself and then the security of the file data it holds; the files to be transmitted to the protected device are then stored either under the user's control or according to a predetermined security policy, and are managed by the file service unit, which at the same time provides the file index information to the file transmission module. The security functions implemented by the external terminal protection device include, but are not limited to, permissions and security policies set in advance by an administrator. Security policies include, but are not limited to: enabling data import (e.g. over the USB interface), enabling data export (e.g. over the USB interface), USB device restriction (e.g. based on the USB device's Vendor ID and/or Product ID), an antivirus policy for imported data, blacklist control for exported data, format control for exported data, enabling serial port access, USB interface insertion protection, enabling network communication auditing, enabling the firewall function, serial command blacklists and whitelists, and so on.
In a preferred embodiment, after the administrator has set each security policy, the external terminal protection device enforces the policies one by one. In a preferred embodiment the administrator also controls whether the external terminal protection device enters a monitoring protection mode, in which the connection between the external terminal protection device and the protected device is monitored and an alarm is raised on abnormal conditions.
In a preferred embodiment, the interface protection provided by the external terminal protection device further includes electrical safety protection for the equipment and protection against abnormal conditions during use, including but not limited to attempts to forcibly bypass the external terminal protection device and attempts to connect an illegal USB device after passing security verification with a legal one.
In a preferred embodiment, electrical safety protection means that physical hardware damage to the protected device through an external interface such as USB can be effectively prevented, including attacks such as a "USB bomb" that damages the protected device by strong discharge.
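To make the policy list above concrete, here is an added example (written for this page, not code from the patent or the applicant) of how a policy engine on the device might evaluate an import or export request and a serial command. The policy fields, the file-signature table, the blacklist patterns and the sample requests are assumptions. It goes slightly beyond the text in one respect: export format control is decided from the file content (magic bytes) rather than the file name, because a renamed archive or executable must not leave the network disguised as a PDF.

```python
"""Added example (not from the patent): evaluating an administrator-defined
security policy for import/export requests and serial commands. The policy
fields, the file-signature table and the sample requests are assumptions."""
import re
from dataclasses import dataclass, field

# Assumed signature table for format control: decide by content, not by the
# file name, because a renamed archive or executable must not pass as a PDF.
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",     # also the container of docx/xlsx
    b"MZ": "pe",              # Windows executable
    b"\x7fELF": "elf",        # Linux executable
}


@dataclass
class Policy:
    import_enabled: bool = True                       # external device -> protected host
    export_enabled: bool = False                      # protected host -> external device
    allowed_usb: set = field(default_factory=set)     # {(vendor_id, product_id)}
    export_blacklist: list = field(default_factory=list)  # regexes over file names
    export_formats: set = field(default_factory=set)  # content formats allowed out
    serial_whitelist: set = field(default_factory=set)
    serial_blacklist: set = field(default_factory=set)


def sniff_format(data: bytes) -> str:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def check_transfer(policy: Policy, direction: str, device: tuple, name: str, data: bytes):
    """Return (allowed, reason) for one file moving through the device."""
    if device not in policy.allowed_usb:
        return False, "USB device not on the access list"
    fmt = sniff_format(data)
    if direction == "import":
        if not policy.import_enabled:
            return False, "data import disabled"
        # The antivirus scan hooks in here; this stand-in only rejects executables.
        if fmt in ("pe", "elf"):
            return False, f"executable ({fmt}) blocked on import"
        return True, "import allowed"
    if direction == "export":
        if not policy.export_enabled:
            return False, "data export disabled"
        for pattern in policy.export_blacklist:
            if re.search(pattern, name):
                return False, f"name matches export blacklist {pattern!r}"
        if fmt not in policy.export_formats:
            return False, f"format {fmt} not permitted for export"
        return True, "export allowed"
    return False, "unknown direction"


def check_serial(policy: Policy, command: str) -> bool:
    """Serial command filtering: a blacklisted command is always refused, and
    when a whitelist is configured anything not on it is refused too."""
    if command in policy.serial_blacklist:
        return False
    if policy.serial_whitelist and command not in policy.serial_whitelist:
        return False
    return True


if __name__ == "__main__":
    # Constructed policy: one approved USB stick, PDF-only export, small serial whitelist.
    policy = Policy(import_enabled=True, export_enabled=True,
                    allowed_usb={(0x0781, 0x5567)},
                    export_blacklist=[r"(?i)secret", r"\.key$"],
                    export_formats={"pdf"},
                    serial_whitelist={"STATUS", "READ"}, serial_blacklist={"RESET"})
    stick = (0x0781, 0x5567)
    print(check_transfer(policy, "import", stick, "report.pdf", b"%PDF-1.4 sample"))
    print(check_transfer(policy, "import", stick, "tool.exe", b"MZ\x90\x00 sample"))
    print(check_transfer(policy, "export", stick, "renamed.pdf", b"PK\x03\x04 sample"))
    print(check_serial(policy, "STATUS"), check_serial(policy, "RESET"), check_serial(policy, "WRITE"))
```

The device check comes first and applies to both directions, matching the description's "USB access device restriction"; a Vendor ID/Product ID allowlist is only a weak identifier, since those values are trivially cloned, which is why the description also binds the device to a verified user rather than trusting the identifiers alone.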
To achieve this, in a preferred embodiment of the present invention, the electrical safety is designed specifically in two levels:
(1) the interface adopts the design of current and voltage limiting
In this scheme the terminal protection device protects the electrical safety of the equipment, that is, a hardware design protects the equipment from damage by strong-discharge devices: a current-limiting and voltage-limiting circuit prevents excessive current and voltage and forms the first layer of protection;
(2) external equipment connection mechanism based on physical switch switching
The external terminal protection device further improves electrical safety by introducing hardware switching logic. Taking a USB external device as an example: when a USB flash drive or other USB device is plugged into the terminal protection device, the necessary security authentication must be performed first; only an authorized device is allowed to proceed, and until the inserted USB device has passed security authentication it cannot communicate with the protected device. That is, before the inserted external device passes security authentication there is no communication line between it and the protected device at all, so even if the first layer's current- and voltage-limiting design fails, the current or voltage surge caused by the inserted USB device cannot affect the safety of the protected device.
As an optional implementation, the external terminal protection device protects against abnormal interface conditions during use. This mainly covers the case where a malicious user unplugs the connection between the external terminal protection device and the protected device in an attempt to bypass the protection device and access the protected device directly, or unplugs a legal USB device after it has passed security verification and replaces it with an illegal one.
One preferred embodiment of the present invention is specifically designed to protect against such abnormal situations during use:
(1) Interface connection locking, e.g. USB connection locking
Traditional interface locking is mechanical: a special-purpose interface, such as the special wide-port USB disk or special network port used in the confidentiality industry, prevents misuse or plugging and unplugging by other people. The drawbacks of this approach are poor universality, the need to modify the device interface to meet the mechanical connection requirement, applicability only to devices under mandatory management in special industries, poor implementability, and a tendency to cause device maintenance disputes.
The invention provides an interface locking function for the external terminal protection device that is realized with analog signal sampling and analog-to-digital conversion signal acquisition techniques. When a specific interface of external terminal protection device A is connected to a specific interface of protected device B, the interface control board inside the external terminal protection device monitors the connection state of that interface in real time, and when the connection state becomes abnormal it automatically triggers disconnection of the circuit between the interface control board and the protected device. Furthermore, a monitoring circuit captures the current/voltage change on the internal interface, determines that the connection state is abnormal, and triggers an alarm indication signal. Still further, once the line between the interface control board and the protected device has been disconnected by this trigger, the line stays disconnected even after the connection state returns from abnormal to normal. Taking the USB port connection between external terminal protection device A and host B as an example, device A monitors the current and voltage of the interface to protected device B in real time and thereby tracks the state of the connecting line between A and B.
When a malicious user pulls out the connecting line between device A and device B, the monitoring circuit captures the current and voltage change in time, triggers the audible and visual alarm, and triggers the disconnection operation. As a result, even if the user plugs the connecting line back in, the connection between A and B is not restored automatically; it is restored only after an administrator authorizes manual reconfiguration.
(2) External device plugging and unplugging monitoring
The external device plugging and unplugging monitoring function of the external terminal protection device provided by the technical scheme of the invention means that the interface control board monitors in real time the connection state of the external interface to which an external device is attached, and when it is confirmed that the attached external device has been pulled out of the external interface, the physical line connection is automatically broken; furthermore, when the external device is attached again after being pulled out, the file monitoring module performs the security authentication of the external device afresh. In one embodiment, while an authorized user performs data import and export operations, external terminal protection device A monitors the inserted external device (for example, a USB device) through the monitoring interface and prevents the user from using a compliant device to pass the security check and then unplugging it and inserting an illegitimate device. As soon as the user pulls out the device, the system automatically returns to the unauthorized, disconnected state, thereby ensuring the connection security of the device to the greatest extent.
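The following is an added example, not code from the patent or its applicant: a software model of the interface control board's connection logic described above, covering the hardware switching rule (no line to the protected device before authentication), (1) interface locking on the A-to-B link, and (2) unplug monitoring on the external port. The voltage/current window, the allow-list authentication, the device identifiers and the sample readings are assumptions made for the illustration.

```python
"""Model of the interface control board (added example, not the patent's code).
Assumed: a 5 V USB operating window, allow-list device authentication, and
constructed device identifiers / ADC readings."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Link(Enum):
    CONNECTED = "connected"   # electrical path between device A and host B is closed
    LOCKED = "locked"         # tripped by an anomaly; only an administrator can restore it


@dataclass
class InterfaceController:
    # Nominal window for the A<->B USB interface (assumed values, volts / amps).
    v_min: float = 4.75
    v_max: float = 5.25
    i_max: float = 0.5
    link: Link = Link.CONNECTED
    ext_device: Optional[str] = None   # identifier of the device on the external port
    ext_authenticated: bool = False    # has that device passed security authentication?
    alarms: List[str] = field(default_factory=list)

    # ---- (1) interface connection locking on the link to the protected device ----
    def sample(self, volts: float, amps: float) -> Link:
        """Feed one ADC reading of the A<->B interface to the monitoring logic."""
        in_window = self.v_min <= volts <= self.v_max and amps <= self.i_max
        if self.link is Link.CONNECTED and not in_window:
            # e.g. the cable was pulled: raise the alarm, open the line and latch.
            self.alarms.append(f"link anomaly: {volts:.2f} V, {amps:.2f} A")
            self.link = Link.LOCKED
        # A reading back inside the window does NOT clear LOCKED: plugging the
        # cable back in must not restore the connection automatically.
        return self.link

    def admin_reset(self, admin_authorized: bool) -> Link:
        """Manual reconfiguration authorized by an administrator restores the line."""
        if admin_authorized and self.link is Link.LOCKED:
            self.link = Link.CONNECTED
        return self.link

    # ---- hardware switching logic + (2) external device plug/unplug monitoring ----
    def insert(self, device_id: str) -> None:
        """A device appears on the external port; it starts unauthenticated."""
        self.ext_device = device_id
        self.ext_authenticated = False

    def authenticate(self, allowed: Set[str]) -> bool:
        """Security authentication of the inserted device. Membership in an
        allow-list stands in for the real check, which the text does not specify."""
        self.ext_authenticated = self.ext_device is not None and self.ext_device in allowed
        return self.ext_authenticated

    def remove(self) -> None:
        """Unplug detected: fall back to the unauthorized, disconnected state, so a
        device inserted afterwards (even the same one) must authenticate again."""
        self.ext_device = None
        self.ext_authenticated = False

    def ext_path_open(self) -> bool:
        """Is there a communication line from the external device to the protected
        device? Only for an authenticated device while the A<->B link is not locked."""
        return self.ext_authenticated and self.link is Link.CONNECTED


if __name__ == "__main__":
    ctl = InterfaceController()
    ctl.insert("usb-serial-0001")                # constructed identifier
    ctl.authenticate({"usb-serial-0001"})
    print("path open after auth:", ctl.ext_path_open())
    ctl.remove()
    ctl.insert("usb-serial-0002")                # device swapped after the check
    print("path open after swap:", ctl.ext_path_open())
    ctl.sample(0.0, 0.0)                         # cable to the host pulled
    print("link:", ctl.link.value, "alarms:", ctl.alarms)
```

The two defences compose: a device that authenticates while the A-to-B link is latched in the locked state still gets no path, and the latch is only cleared by `admin_reset(True)`, never by a normal reading.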
As an optional implementation, the data storage unit is connected to the identity recognition unit, and before the data storage unit accepts file data that has passed security authentication, the identity recognition unit sends a request to the user identity information acquisition module to obtain the user's identity information and verifies whether that identity information carries file transfer permission.
When the file monitoring module receives a request from a user to disconnect the external terminal protection device from the protected device, the current user is required to verify their identity information again to confirm that it is that user who is operating; if verification fails a set number of times (which can be set to 3), an alarm indication signal is triggered and an administrator is automatically notified to handle it.
The file transmission module is connected to the file monitoring module and transmits file data imported from the external device to the protected device under the control of the file monitoring module. The file transmission module provides file index information to the protected device; a user of the protected device sends a file acquisition request to the file transmission module using that index information, and the file transmission module obtains the corresponding file from the file monitoring module. Note that the file transfer protocol between the file transmission module and the file monitoring module is an internal security protocol, which increases the security of the transfer.
When a user imports files from the external storage device into the protected device, user identity information must be captured and verified, ensuring the security and accuracy of the data.
The data storage unit also records the index of every file imported into the protected device from an external device, so that it can be checked later during tracing.
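The following is an added example, not code from the patent or its applicant: it models the file monitoring and transfer path described in the preceding paragraphs, checking user identity before the data storage unit accepts a file, offering index information that the protected device uses to fetch files, recording every import for later tracing, and applying the re-verification rule (alarm after 3 failures) to disconnect requests. Biometric matching is simulated by comparing a digest of the captured sample with the enrolled one; the preset safety condition, the index scheme, the user and device names and the sample data are all assumptions.

```python
"""File monitoring / transmission path (added example, not the patent's code).
Assumed: digest-based identity matching, an executable-header safety check,
a hash-prefix file index, and constructed users, devices and file contents."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

MAX_FAILED_VERIFICATIONS = 3   # the description allows this limit to be set to 3

# Assumed preset safety condition for the data detection unit: refuse files that
# begin with a native executable header (PE "MZ" or ELF).
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def template_id(sample: bytes) -> str:
    """Stand-in for a biometric template: exact-match digest of the captured sample.
    A real matcher scores similarity; exact matching is a simplification."""
    return hashlib.sha256(sample).hexdigest()


def passes_security_check(data: bytes) -> bool:
    """Data detection unit: does the file satisfy the (assumed) safety condition?"""
    return not data.startswith(EXECUTABLE_MAGIC)


@dataclass
class TraceRecord:
    when: str          # UTC timestamp of the import
    user: str
    device: str        # external device the file came from
    file_index: str


@dataclass
class FileMonitor:
    enrolled: Dict[str, str]                              # user -> template id with transfer permission
    staged: Dict[str, bytes] = field(default_factory=dict)  # data storage unit: index -> file data
    trace: List[TraceRecord] = field(default_factory=list)  # tracing log of imports
    failed_verifications: int = 0
    alarms: List[str] = field(default_factory=list)

    def verify_user(self, user: str, sample: bytes) -> bool:
        """Identity recognition unit: does the captured sample match the enrolled user?"""
        return self.enrolled.get(user) == template_id(sample)

    def import_file(self, user: str, sample: bytes, device: str, data: bytes) -> Optional[str]:
        """Accept a file from an external device into the data storage unit.
        Returns the file index handed to the protected device, or None if refused."""
        if not self.verify_user(user, sample) or not passes_security_check(data):
            return None
        index = hashlib.sha256(data).hexdigest()[:16]   # assumed index scheme
        self.staged[index] = data
        self.trace.append(TraceRecord(datetime.now(timezone.utc).isoformat(), user, device, index))
        return index

    def index_listing(self) -> List[str]:
        """Index information the file transmission module offers to the protected device."""
        return sorted(self.staged)

    def fetch(self, index: str) -> Optional[bytes]:
        """Serve a file acquisition request made by index."""
        return self.staged.get(index)

    def request_disconnect(self, user: str, sample: bytes) -> bool:
        """Disconnect requests need fresh identity verification; repeated failures
        raise an alarm that would be forwarded to the administrator."""
        if self.verify_user(user, sample):
            self.failed_verifications = 0
            return True
        self.failed_verifications += 1
        if self.failed_verifications >= MAX_FAILED_VERIFICATIONS:
            self.alarms.append(
                f"{self.failed_verifications} failed identity checks on disconnect request by {user!r}")
        return False

    def trace_user(self, user: str) -> List[TraceRecord]:
        """Tracing query: which files did this user import, from which device, and when?"""
        return [r for r in self.trace if r.user == user]


if __name__ == "__main__":
    fm = FileMonitor(enrolled={"alice": template_id(b"alice-finger-sample")})  # constructed
    idx = fm.import_file("alice", b"alice-finger-sample", "usb-1", b"quarterly report")
    print("index offered to protected device:", fm.index_listing())
    print("fetched:", fm.fetch(idx))
    print("trace for alice:", fm.trace_user("alice"))
```

Only successful imports reach the trace log, which is what the tracing function later reads back; refused files (identity mismatch or failed safety check) leave no index for the protected device to request.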
The external terminal protection device can take over every data interface of the protected device, ensure that all data communication over those interfaces passes through the external terminal, and determine the usage rights of the current operator through a variety of verification methods. This protects the protected device without installing security software on it, greatly reduces the security risk of the system, and comprehensively addresses the potential security hazards that each interface may present.
The invention also provides a protection system comprising one or more external devices, a protected device and an external terminal protection device, wherein the external terminal protection device is externally connected to the protected device so that the one or more external devices communicate with the protected device through the external terminal protection device. The external terminal protection device is as described above and is not described again here.
Furthermore, the protection system also comprises a control center for remotely controlling the external terminal protection device; the control center consists of a server, a management workstation and other nodes and is connected through a network switching node to the network interface of the external terminal protection device.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some embodiments, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the text-enabled photograph entry apparatus, computing device, and computer-readable storage medium according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
While the foregoing embodiments have described the objects, aspects and advantages of the present invention in further detail, it should be understood that the present invention is not inherently related to any particular computer, virtual machine or electronic device, and various general-purpose machines may be used to implement the present invention. The invention is not to be considered as limited to the specific embodiments described, but is to be understood as covering all modifications, changes and equivalents that come within its spirit and scope.

Claims (10)

1. An external terminal protection device with a user tracing function, characterized by comprising:
one or more external interfaces, used for connecting one or more external devices and a protected device respectively;
a user identity information acquisition module, used for acquiring user identity information of a user in real time, wherein the user identity information comprises fingerprint information, palm print information, iris information, face information, voice information and/or preset special pattern information of the user;
a file monitoring module, connected to the user identity information acquisition module and used for verifying the user identity information of the user and managing the user identity information so that the user can perform tracing and receive the retrieval result; the file monitoring module is also used for controlling the security authentication of external devices accessed through the external interfaces;
and a file transmission module, connected to the file monitoring module and used for transmitting file data imported from the external devices to the protected device under the control of the file monitoring module.
2. The external terminal protection device according to claim 1, wherein the file monitoring module comprises:
an identity storage unit, used for storing the user identity information of the user and/or the corresponding external device information accessed each time;
an identity recognition unit, used for verifying whether the user identity information of the user satisfies the access right;
and an identity management unit, used for reading the relevant user identity information and/or external device information from the identity storage unit when a user traces user usage records, and outputting the information to the user who initiated the tracing.
3. The external terminal protection device according to claim 2, wherein the identity storage unit is further configured to pre-store user identity information satisfying the access right and the external device information accessed by the user.
4. The external terminal protection device according to claim 3, wherein, when the user identity information of the user satisfies the access right, the identity recognition unit is further configured to:
match the external device information of the user against the pre-stored external device information satisfying the access right, and grant the user the access right only when both the user identity information and the external device information are matched successfully.
5. The external terminal protection device according to claim 2, further comprising an input/display module through which a user qualified as an administrator inputs in advance the user identity information and/or external device information having access rights;
preferably, the input/display module comprises a display screen and a plurality of keys arranged on the external terminal protection device, or the display screen and the keys are connected by remote control.
6. The external terminal protection device according to claim 2, wherein the file monitoring module further comprises:
a data detection unit, used for detecting whether the file data stored on the external device satisfies a preset safety condition;
and a data storage unit, used for storing the file data that has passed security authentication.
7. The external terminal protection device according to claim 6, wherein the file monitoring module further comprises:
a file service unit, used for managing the file data stored by the data storage unit and sending the index information corresponding to the stored file data to the file transmission module.
8. The external terminal protection device according to claim 6, wherein the file monitoring module further comprises:
a control unit, used for implementing the following control logic:
if the external device fails security authentication, set the external device as an unauthorized access device and keep the line between the external device and the protected device physically disconnected; and/or
if the external device passes security authentication, confirm the external device as an authorized access device and physically connect the line between the external device and the protected device.
9. The external terminal protection device according to claim 1, wherein
one or more of the external interfaces are USB interfaces;
preferably, when the file monitoring module receives a request from a user to disconnect the external terminal protection device from the protected device, the file monitoring module verifies the user identity information and, if verification fails, triggers an alarm indication signal.
10. A protection system, comprising:
one or more external devices;
a protected device; and
the external terminal protection device of any one of claims 1 to 9,
wherein the external terminal protection device is externally connected to the protected device so that the one or more external devices communicate with the protected device through the external terminal protection device.
CN202010736732.2A 2020-07-28 2020-07-28 External terminal protection equipment with user tracing function and protection system Pending CN111898105A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010736732.2A CN111898105A (en) 2020-07-28 2020-07-28 External terminal protection equipment with user tracing function and protection system

Publications (1)

Publication Number Publication Date
CN111898105A true CN111898105A (en) 2020-11-06

Family

ID=73190449

Country Status (1)

Country Link
CN (1) CN111898105A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113282901A (en) * 2021-07-26 2021-08-20 中航金网(北京)电子商务有限公司 File protection method, device, system, medium and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107944307A (en) * 2017-12-15 2018-04-20 安徽长泰信息安全服务有限公司 A kind of computer security management system
CN109543475A (en) * 2018-10-29 2019-03-29 北京博衍思创信息科技有限公司 A kind of circumscribed terminal protection equipment and guard system
CN109561071A (en) * 2018-10-29 2019-04-02 北京博衍思创信息科技有限公司 A kind of the circumscribed terminal protection equipment and guard system of data traffic control
CN210536657U (en) * 2019-08-28 2020-05-15 北京数字认证股份有限公司 Multi-user intelligent password terminal based on biological identification technology

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination