CN113411297A - Situation awareness defense method and system based on attribute access control - Google Patents

Situation awareness defense method and system based on attribute access control

Info

Publication number: CN113411297A
Authority: CN (China)
Prior art keywords: attribute, information, user, access, network node
Legal status: Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN202110492998.1A
Other languages: Chinese (zh)
Inventors: 杨腾霄, 吴选勇, 李晓翔
Current assignee: Shanghai Niudun Technology Co ltd (as listed by Google Patents)
Original assignee: Shanghai Niudun Technology Co ltd
Application filed by Shanghai Niudun Technology Co ltd; priority to CN202110492998.1A; published as CN113411297A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/10 ... for controlling access to devices or network resources
            • H04L 63/101 Access control lists [ACL]
            • H04L 63/105 Multiple levels of security
        • H04L 63/14 ... for detecting or protecting against malicious traffic
            • H04L 63/1408 ... by monitoring network traffic
                • H04L 63/1416 Event detection, e.g. attack signature detection
                • H04L 63/1425 Traffic logging, e.g. anomaly detection
            • H04L 63/1441 Countermeasures against malicious traffic
        • H04L 63/20 ... for managing network security; network security policies in general

Abstract

The invention provides a situation awareness path defense method and system based on attribute access control, and relates to the technical field of network security. The defense method comprises the following steps: setting attribute access authority and attribute operation authority when a user accesses a network node based on a preset attribute access control rule, wherein the attribute access authority and the attribute operation authority are matched with the information security level of data information of the network node; acquiring access request information triggered by the user aiming at the network node, identifying user attribute information and/or environment attribute information of the user, and sending the user attribute information and/or the environment attribute information to a situation awareness system; acquiring the information security level of the operation object through a situation awareness system, and judging whether the information security level is matched with the attribute operation authority of the user; and triggering an alarm under the condition of judging mismatching. The invention can perform network security defense when the network node is attacked by the network so as to ensure the safe and stable operation of the network.

Description

Situation awareness defense method and system based on attribute access control
Technical Field
The invention relates to the technical field of network security, in particular to situation awareness defense based on attribute access control.
Background
Network situation awareness aims to obtain, understand and display the security elements that can change the network situation in a large-scale network environment, and to predict near-term development trends, so that decisions and actions can be taken.
At present, situation awareness technology is mainly realized by collecting information such as raw network data and the dynamic security data generated by system operation, and then analyzing that data in real time. This approach suits general information systems, but systems that the national classified protection scheme places at a high security level must take an access control mechanism as their core. For high security level information systems, therefore, situation awareness should be driven mainly by access control related information.
In access control, Attribute-Based Access Control (ABAC) uses the attributes of the related entities (subjects, objects and environments) as its basic decision elements, and flexibly uses the attribute set possessed by a requester to decide whether to grant that requester access rights, thereby separating policy management from the rights decision. Because the attributes are inherent in the related entities, no manual allocation is needed, and because the attributes can describe the entities from multiple angles, ABAC has enough flexibility and extensibility that the access control strategy can be changed according to actual conditions, realizing secure anonymous access.
In existing network attack scenarios, an attacker often steals a user's identity information and impersonates that user to obtain the user's important data. Since the access right under a user identity covers a large range of data information, access control over trust relationships in distributed industry applications is difficult to solve effectively. In addition, attribute-based access control performs its authorization judgment by dynamically calculating whether one attribute or a group of attributes meets certain conditions; this often achieves authority control at whatever granularity is required, but the relationship between the user and the object is not easy to see when the authority is being defined. When the rules become complicated, maintenance and follow-up by the administrator easily become troublesome.
In summary, providing a situation awareness defense method and system based on attribute access control, which combines the situation awareness system with existing access control technology to protect the data information of network nodes, is an urgent need. When a user accesses a network node, the entity attributes serve as the basis for authorization; how to set admission permissions for attribute access control so as to guarantee the security of the network node's data information is also a technical problem that currently needs to be solved.
Disclosure of Invention
The invention aims to provide a situation awareness defense method and system based on attribute access control, in which attribute access control rules matching the information security level of a network node's data information to attribute-based access authority and operation authority are set, applied in a situation awareness system to detect the network environment, and used to perform network security defense when a network node comes under network attack.
In order to solve the above technical problem, the invention provides the following technical scheme:
a situation awareness defense method based on attribute access control comprises the following steps:
setting, based on a preset attribute access control rule, the attribute access authority and attribute operation authority that apply when a user accesses a network node, wherein the attribute access authority and the attribute operation authority are matched with the information security level of the network node's data information, and the attribute operation authority comprises the information security levels of the data information that the user may operate on;
acquiring the access request information triggered by the user for the network node, identifying the user's user attribute information and/or environment attribute information, judging from that information whether the user meets the attribute access authority, and allowing the access request when the user does;
acquiring the user's operation information on the data information in the network node and the operation object information of that operation, and sending both to a situation awareness system;
acquiring the information security level of the operation object through the situation awareness system, and judging whether that information security level matches the user's attribute operation authority; and
triggering an alarm when a mismatch is judged.
Further, whether the information security level matches the user's attribute operation authority is judged according to the operation attribute information and/or the object attribute information corresponding to the operation.
Further, the attribute access control rule comprises an attribute-based access control list; the access control list comprises attribute access authority information and attribute operation authority information; the attribute access authority information is used, when a user accesses a network node, to acquire the user attribute information and/or environment attribute information and judge whether it matches the attribute access authority; and the attribute operation authority information is used to judge whether the user's operation information in the accessed network node matches the attribute operation authority.
Further, the access control list also includes attribute priority information, which sets an access priority corresponding to the user attribute and/or the environment attribute, and an operation priority corresponding to the operation attribute and/or the object attribute; when several users access the same data information of the same network node at the same time, the users' user attributes and/or environment attributes are ranked by priority, and the access of the user with the higher priority is processed first.
Further, the access control list comprises a single-attribute access control list and a composite-attribute access control list; the single-attribute access control list sets the permitted access behavior according to a user attribute or an environment attribute, and the permitted operation behavior according to an operation attribute or an object attribute; the composite-attribute access control list sets the permitted access behavior according to the user attribute and the environment attribute together, and the permitted operation behavior according to the operation attribute and the object attribute together.
Further, the IP address of each access request made by a user is collected, and when the user's access or operation is judged not to comply with the attribute access control rule, the access or operation records for that IP address are obtained and track tracing and/or track security analysis is carried out.
Further, after the user makes an access request through the IP address, whether the user's user attribute information and/or environment attribute information meets the attribute access authority is judged.
Further, the environment attribute information is stored in the situation awareness system, and is labelled and traced there.
Further, the alarm comprises an emergency alarm and a non-emergency alarm; when an emergency alarm is judged, security defense is carried out on the corresponding network node, the node's network access is disconnected, and fault handling is carried out on the network environment where the node is located; and/or the network node with the alarm is detected periodically, and the node's log information is sent to the situation awareness system for security analysis.
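The decision path claimed above (attribute access authority, attribute operation authority matched against an information security level, priority ranking of concurrent requesters, IP collection and the emergency/non-emergency alarm split) can be modelled in a few dozen lines. The following is an added example, not code from the patent or from Shanghai Niudun; level semantics follow the description (level 1 is the most important data, level 5 the least, and a level-N user may operate on data of level N or higher), while the field names, the emergency threshold and the record layouts are assumptions.

```python
"""Added example, not code from the patent or its assignee: a minimal model of
the method's decision path. Level semantics follow the description (level 1 is
the most important data, level 5 the least; a level-N user may access and
operate on data of level N or higher). The dataclass fields, the emergency
threshold and the record layouts are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

LEVELS = range(1, 6)      # five information security levels, 1 = most important
EMERGENCY_LEVEL = 2       # assumed: a mismatch on level 1-2 data is an emergency alarm


@dataclass(frozen=True)
class User:
    user_id: str
    level: int            # user attribute information: the user's level (1..5)
    source_ip: str        # IP address collected with the access request


@dataclass(frozen=True)
class Env:
    hour: int             # environment attribute: hour of the access request
    access_count: int     # environment attribute: prior accesses by this user


@dataclass(frozen=True)
class DataObject:
    name: str
    security_level: int   # information security level of the node's data


@dataclass(frozen=True)
class AclEntry:
    """One attribute-based access control list entry for a network node."""
    node: str
    allowed_hours: range            # environment attribute constraint
    max_access_count: int           # environment attribute constraint
    operation_types: frozenset      # operation attribute: op types the node permits


@dataclass
class SituationAwareness:
    """Stand-in for the situation awareness system: receives operation and
    object information, stores labelled environment attributes, raises alarms."""
    operation_log: List[dict] = field(default_factory=list)
    env_log: List[dict] = field(default_factory=list)
    alarms: List[dict] = field(default_factory=list)
    disconnected: set = field(default_factory=set)

    def security_level_of(self, obj: DataObject) -> int:
        return obj.security_level

    def raise_alarm(self, node: str, user: User, obj: DataObject, op: str) -> dict:
        emergency = obj.security_level <= EMERGENCY_LEVEL
        alarm = {"node": node, "user": user.user_id, "ip": user.source_ip,
                 "object": obj.name, "op": op, "emergency": emergency}
        self.alarms.append(alarm)
        if emergency:
            self.disconnected.add(node)   # emergency: cut the node's network access
        return alarm


def check_access(acl: AclEntry, user: User, env: Env, sa: SituationAwareness) -> bool:
    """Attribute access authority: user and environment attributes must match the entry."""
    ok = (user.level in LEVELS and env.hour in acl.allowed_hours
          and env.access_count <= acl.max_access_count)
    # environment attribute information is stored in the situation awareness system with a label
    sa.env_log.append({"user": user.user_id, "ip": user.source_ip, "hour": env.hour,
                       "count": env.access_count, "label": "allowed" if ok else "denied"})
    return ok


def check_operation(acl: AclEntry, user: User, obj: DataObject, op: str,
                    sa: SituationAwareness) -> Optional[dict]:
    """Attribute operation authority: returns None when the object's security level
    matches the user's authority, otherwise the alarm record that was raised."""
    sa.operation_log.append({"user": user.user_id, "node": acl.node, "op": op,
                             "object": obj.name})
    level = sa.security_level_of(obj)
    if op in acl.operation_types and level >= user.level:
        return None
    return sa.raise_alarm(acl.node, user, obj, op)


def rank_requests(requests: List[User]) -> List[str]:
    """Attribute priority: concurrent requesters for the same data are served
    highest-level (lowest number) user first."""
    return [u.user_id for u in sorted(requests, key=lambda u: u.level)]


if __name__ == "__main__":
    sa = SituationAwareness()
    acl = AclEntry("node-A", range(8, 18), 100, frozenset({"read", "store"}))
    alice = User("alice", 1, "10.0.0.5")   # constructed sample users
    bob = User("bob", 3, "10.0.0.9")
    print(check_access(acl, alice, Env(9, 3), sa))
    print(check_operation(acl, bob, DataObject("plan.doc", 1), "read", sa), sa.disconnected)
```

The alarm record carries the requester's IP address so that the access and operation records for that address can be pulled for track tracing; the emergency branch disconnects the node in the model, and the non-emergency branch only records the alarm for periodic detection.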
A situation awareness defense system based on attribute access control, comprising:
a network node, used for receiving and transmitting data;
a situation awareness system, which periodically detects network nodes with alarms and carries out security analysis on their log information; and
a system server, connected to the network node and to the situation awareness system.
The system server is configured to: set, based on a preset attribute access control rule, the attribute access authority and attribute operation authority that apply when a user accesses a network node, wherein the attribute access authority and the attribute operation authority are matched with the information security level of the network node's data information, and the attribute operation authority comprises the information security levels of the data information that the user may operate on; acquire the access request information triggered by the user for the network node, identify the user's user attribute information and/or environment attribute information, judge from that information whether the user meets the attribute access authority, and allow the access request when the user does; acquire the user's operation information on the data information in the network node and the operation object information of that operation, and send both to the situation awareness system; acquire the information security level of the operation object through the situation awareness system, and judge whether that information security level matches the user's attribute operation authority; and trigger an alarm when a mismatch is judged.
Compared with the prior art, the adoption of this technical scheme has the following advantages and positive effects, given as examples: an attribute access control rule that matches the information security level of the network node's data information to attribute-based access authority and operation authority is set, applied in a situation awareness system to detect the network environment, and used to perform network security defense when the network node comes under network attack, so as to ensure the safe and stable operation of the network.
Drawings
Fig. 1 is a first flowchart provided in an embodiment of the present invention.
Fig. 2 is a second flowchart provided in the embodiment of the present invention.
Fig. 3 is a schematic structural diagram of a system according to an embodiment of the present invention.
Description of reference numerals:
the system S200, the network node S201, the situation awareness system S202 and the system server S203.
Detailed Description
The situation awareness defense method and system based on attribute access control disclosed in the present invention are further described in detail with reference to the accompanying drawings and specific embodiments. It should be noted that technical features or combinations of technical features described in the following embodiments should not be considered as being isolated, and they may be combined with each other to achieve better technical effects. In the drawings of the embodiments described below, the same reference numerals appearing in the respective drawings denote the same features or components, and may be applied to different embodiments. Thus, once an item is defined in one drawing, it need not be further discussed in subsequent drawings.
It should be noted that the structures, proportions, sizes, and other dimensions shown in the drawings and described in the specification are only for the purpose of understanding and reading the present disclosure, and are not intended to limit the scope of the invention, which is defined by the claims, and any modifications of the structures, changes in the proportions and adjustments of the sizes and other dimensions, should be construed as falling within the scope of the invention unless the function and objectives of the invention are affected. The scope of the preferred embodiments of the present invention includes additional implementations in which functions may be executed out of order from that described or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the embodiments of the present invention.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate. In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
Examples
Referring to fig. 1, a flow chart provided by the present invention is shown. The implementation step S100 of the method is as follows:
S101, setting, based on a preset attribute access control rule, the attribute access authority and attribute operation authority that apply when a user accesses a network node, wherein the attribute access authority and the attribute operation authority are matched with the information security level of the network node's data information; the attribute operation authority comprises the information security levels of the data information that the user may operate on.
The attribute access control rule comprises an attribute access authority, an attribute operation authority and the information security level of the network node's data information, and is formed by integrating these three elements.
Preferably, the attribute access authority is divided according to the user attribute information and environment attribute information within the attribute information, and the attribute operation authority is divided according to the operation attribute information and object attribute information within the attribute information. The attribute information is thus divided into four types: user attribute information, environment attribute information, operation attribute information and object attribute information.
The user attribute information includes personal information of the user, and the personal information includes but is not limited to the following categories:
basic information refers to the personal basic information, including name, gender, age, telephone number, e-mail address and the like, that a user submits according to the requirements of a service provider in order to complete most network behaviors; it may also include, but is not limited to, relatively private basic information such as marital status, credit standing, occupation, employer and income;
device information refers to the basic information of the various computer terminal devices (mobile and fixed) used by the user, such as location information, Wi-Fi list information, MAC addresses, CPU information, memory information, SD card information, operating system version and the like;
account information, including internet banking accounts, third-party payment accounts, social accounts, important mailbox accounts and the like;
privacy information, comprising address book information, call records, short message records, IM application chat records, personal videos, photos and the like;
social relationship information, including friend relationships, family member information, employer information and the like;
network behavior information refers to the record of the user's online behavior, that is, the consumer's various activities on the network, such as online time, online location, input records, chatting and friend-making, website access behavior, online game behavior and similar personal information.
The environment attribute information includes, but is not limited to, the time of the user's first access when the user performs access and/or operations in the network environment, the user's number of accesses, the type of operation the user is performing at the current time, and the access-rate information used to control the user.
The operation attribute information comprises the operation types applied to the data information on the network node after access has been permitted: reading, storing, creating and/or deleting.
The object attribute information includes the type, size, creation time and modification time of the operation object (such as a document), its file attributes, its compression and encryption attributes, and the like.
Preferably, the attribute access authority may be set by a user with administrator identity in the network environment, according to the network access requirements, from the access request information of historical users in the network environment together with their user attribute information, environment attribute information, operation attribute information and object attribute information.
By way of example and not limitation, a user with an administrator identity may organize any one of user attribute information, environment attribute information, operation attribute information, and object attribute information into a class of attribute access control rules, so as to identify a standard for a user to access a network node to grant access in a network environment; any two kinds of attribute information can be combined and arranged into an attribute access control rule; the four kinds of attribute information can be arranged into one kind of attribute access control rule.
The attribute operation authority refers to the authority set for the operation attribute information. It includes, but is not limited to, operation types such as access, storage and editing; at the same time, the situation awareness system records the operation type of every access the user makes to a network node, so that the user's access path can be tracked conveniently.
A network node refers to a terminal in the network environment that has an independent network address and a data processing function, where the data processing function includes, but is not limited to, transmitting, receiving and/or analyzing data. Network nodes may be workstations, clients, network users or personal computers, servers, printers and other network-connected devices. The whole network environment comprises many network nodes connected by communication lines into a network topology; the communication lines may form a wired or a wireless communication system.
The information security level may be one of the five levels of computer information system security protection capability specified by the national quality and technology administration standard: the user autonomous protection level, the system audit protection level, the security label protection level, the structured protection level and the access verification protection level; it may also be a user-defined division of network data information security protection levels.
By way of example and not limitation, the information security level may be divided into five levels, and the information is divided into first-level information, second-level information, third-level information, fourth-level information and fifth-level information according to the security level, wherein the first-level information is the most important data information, the importance degree of the data information of each level is decreased in sequence, and the fifth-level information is the least important data information.
As a preferred implementation of this embodiment, the user attribute information may be set as first-level, second-level, third-level, fourth-level and fifth-level user attribute information. For example, first-level user attribute information corresponds to permission to access the data information of all network nodes in the network system, including those with the highest information security level; second-level user attribute information corresponds to the data information of all network nodes except the data information of the nodes with the highest information security level; and so on, the range of accessible network node data information decreasing with each level, so that fifth-level user attribute information corresponds to the smallest range. Once an access request with a first-level user attribute meets the attribute access authority, all data information, including first-level, second-level, third-level, fourth-level and fifth-level information, can be accessed and/or operated on (editing, reading, writing and the like); once an access request with a second-level user attribute meets the attribute access authority, all data information including second-level, third-level, fourth-level and fifth-level information can be accessed and/or operated on; and so on, the lower the level, the smaller the permitted range of access to and operation on the network node's data information.
Meanwhile, preferably, the information security levels corresponding to the user attribute information, the environment attribute information, the operation attribute information and the object attribute information may be managed by a user with administrator identity. After the various kinds of attribute information have been divided into information security levels, they can be linked to the information security level of the network node's data information so as to match the attribute access authority in the network environment; alternatively, the various kinds of level-divided attribute information can be combined and integrated into the attribute access control rule; and the authentication sequence in which the attribute information passes through the rule can be adjusted as the network environment's access control requirements change.
Authentication refers to the series of operations that, when a user accesses a network node, judges the attribute information of that access, identifies whether it meets the access authority of each attribute, and grants the user the network access that satisfies the access request.
The authentication sequence refers to the order in which each kind of attribute information is identified according to the preset attribute access control rule when the attribute information of a user's access to a network node is judged, and in which the corresponding access and/or operation is granted on the user's network access.
By way of example and not limitation, the authentication order may be user attribute - environment attribute - operation attribute - object attribute, or (user attribute AND environment attribute) - operation attribute - object attribute, or (user attribute OR environment attribute) - (operation attribute AND object attribute), among other orders, to decide a user's access request.
It should be noted that the attributes include a user attribute, an access attribute, an operation attribute and an object attribute. The specific information of the attributes is also called attribute information, and comprises user attribute information, access attribute information, operation attribute information and object attribute information.
In addition, across the whole network environment, the preset attribute access control rule can screen and combine the attributes according to the actual authentication requirements of the network into an attribute group, so that the attribute access control rule takes the form of an attribute group.
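The authentication orders listed above, and the attribute groups that the rule is screened into, amount to a small combinator: each of the four attribute classes is a check over the request, and an order is a sequence of groups evaluated in turn, each group joined with AND or OR. The following is an added example, not the patent's or its assignee's code; the four predicates, their thresholds and the request field names are constructed for illustration, and the three orders are the ones named in the description.

```python
"""Added example, not the patent's code: an authentication order built from the
four attribute classes (user, environment, operation, object). Each class is a
predicate over a request; an order is a list of steps, each a group of
attribute names joined with AND or OR, evaluated in the configured sequence.
The predicates, thresholds and request field names are assumptions."""
from typing import Callable, Dict, List, Tuple

Request = Dict[str, object]
Check = Callable[[Request], bool]
Step = Tuple[str, List[str]]   # ("AND" | "OR", attribute names in the group)

# Constructed attribute checks, one per attribute class. Levels follow the
# description: 1 is the most important data, and a level-N user may operate
# on objects of level N or higher.
CHECKS: Dict[str, Check] = {
    "user": lambda r: r["user_level"] in range(1, 6),
    "environment": lambda r: 8 <= r["hour"] < 18,
    "operation": lambda r: r["op"] in {"read", "store", "create", "delete"},
    "object": lambda r: r["object_level"] >= r["user_level"],
}

# The three authentication orders named in the description
ORDER_SEQUENTIAL: List[Step] = [("AND", ["user"]), ("AND", ["environment"]),
                                ("AND", ["operation"]), ("AND", ["object"])]
ORDER_USER_AND_ENV: List[Step] = [("AND", ["user", "environment"]),
                                  ("AND", ["operation"]), ("AND", ["object"])]
ORDER_USER_OR_ENV: List[Step] = [("OR", ["user", "environment"]),
                                 ("AND", ["operation", "object"])]


def evaluate(order: List[Step], req: Request) -> Tuple[bool, List[str]]:
    """Walk the steps in sequence; every step must pass. Stops at the first
    failing step and returns the trail of step results for the audit log."""
    trail: List[str] = []
    for mode, names in order:
        results = {n: CHECKS[n](req) for n in names}
        passed = all(results.values()) if mode == "AND" else any(results.values())
        trail.append(f"{mode}({','.join(names)})={'pass' if passed else 'fail'}")
        if not passed:
            return False, trail
    return True, trail


if __name__ == "__main__":
    # constructed request: a level-2 user reading a level-3 object at 22:00
    night = {"user_level": 2, "hour": 22, "op": "read", "object_level": 3}
    for name, order in [("sequential", ORDER_SEQUENTIAL),
                        ("user AND env", ORDER_USER_AND_ENV),
                        ("user OR env", ORDER_USER_OR_ENV)]:
        print(name, evaluate(order, night))
```

Running the same request through the three orders shows why the order is an administrative choice: the sequential and AND orders reject an out-of-hours request at the environment step, while the OR order lets the user attribute alone satisfy the first group and then decides on the operation and object group. The trail is what the situation awareness system would store when it labels and traces environment attribute information.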
Acquiring access request information triggered by the user aiming at the network node, identifying user attribute information and/or environment attribute information of the user, judging whether the user accords with attribute access authority or not according to the user attribute information and/or the environment attribute information, and allowing the access request under the condition of judging the conformity; and acquiring operation information of the data information in the network node and operation object information of the operation by the user, and then sending the operation information and the operation object information to the situation awareness system.
In this embodiment, the access request information includes, but is not limited to, a request line, a request header, and request data, and the access request information is subjected to real-time association analysis and path tracking to implement dynamic analysis of network security.
The situation awareness system can integrate a plurality of data information systems such as antivirus software, a firewall, an intrusion monitoring system and a security audit system, so as to evaluate the current state of the network environment and predict its future trend.
Preferably, the situation awareness system can include, but is not limited to, data acquisition, feature extraction, situation assessment, and security early warning.
Preferably, the data acquisition may extract data on the current state of the whole network, including but not limited to collating a plurality of data sources such as website security logs, a vulnerability database and a malicious code database, or may establish an information database of the data acquisition device itself and acquire data according to data attributes.
Preferably, the feature extraction extracts features from the data collected during data acquisition and cleans the data to guarantee its integrity and operability, completing the data preprocessing operation.
Preferably, the situation assessment may perform data fusion through associated events, including but not limited to association identification across time, space, protocol and other aspects, and further assess the current risk and determine the risk level of the event by combining the data information.
Preferably, the security early warning may, after the data acquisition, feature extraction and situation assessment processes, evaluate and predict the network environment according to a specified standard and issue a security state early warning.
The information security level to which the operation object belongs is acquired through the situation awareness system, and whether that level matches the attribute operation authority of the user is judged.
If they do not match, an alarm is triggered.
That is, when a mismatch is judged, the network node is considered to be under network attack, and an alarm is triggered.
The network attack refers to attacking systems and resources by using vulnerabilities and security flaws existing in a network information system, and can be any type of attack action aiming at a computer information system, infrastructure, a computer network or personal computer equipment. For a network environment, the network attack may be to destroy, expose, modify, disable software or services, steal or access data of any computer without authorization, so as to destroy, spoof, and steal data information.
Preferably, the network attack includes, but is not limited to, tampering with a data stream, generating a dummy data stream, tampering with or forging message data, terminal denial of service, tapping, traffic analysis, breaking a weakly encrypted data stream, password intrusion, trojan horses, hacking software, security loopholes, and other attack modes.
Preferably, whether the information security level matches the attribute operation authority of the user is determined according to the operation attribute information and/or the object attribute information corresponding to the operation.
As a preferred implementation of this embodiment, the attribute access control rule includes an access control list based on an attribute; the access control list includes attribute access authority information and attribute operation authority information.
Preferably, the attribute access right information is used for acquiring user attribute information and/or environment attribute information when a user accesses a network node, and judging whether the user attribute information and/or the environment attribute information matches the attribute access right.
Preferably, the attribute operation authority information is used to determine whether the operation information of the user in the accessed network node matches the attribute operation authority.
As a preferred implementation manner of this embodiment, the access control list further includes attribute priority information, where the attribute priority information is used to set an access priority corresponding to the user attribute and/or the environment attribute, and set an operation priority corresponding to the operation attribute and/or the object attribute. When a plurality of users access the same data information of the same network node at the same time, the user attributes and/or the environment attributes of the users are subjected to priority ranking, and the access of the users with high priority is processed preferentially.
By way of example and not limitation, in a network structure two or more users may make access requests to the same network node at the same time; in this case, referring to fig. 2, step S110 is executed:
S111, when two or more users simultaneously make access requests to the network node, the attribute information of the users in the access request information is identified.
Whether the attribute information conforms to the attribute access authority is judged, and for users found to conform, the operation information of the user and the operation object information of the operation are acquired.
The operation information and operation object information of the users who conform to the network node access conditions are ranked by priority; access requests with the same attribute access authority and/or attribute operation authority are given the same priority.
Whether the attribute information of the user requesting access to the network node matches the information security level of the data information of the network node is judged, and if it matches, the corresponding operations on the data information of the network node, including but not limited to editing, reading and writing, are executed for the user whose access request to the network node is satisfied.
For access requests by other users, different priorities can be set for different attribute access authorities and/or attribute operation authorities according to the time of the request, the attribute access authority and the attribute operation authority, so as to complete the corresponding operations on the network node data information, including but not limited to editing, reading and writing.
It should be noted that, in the process of accessing the network by the user, security check may be performed on the network environment where the user is located and the network node that is accessed, including but not limited to various antivirus software versions, terminal patch vulnerabilities, black, white, and red list detection of application software, abnormal traffic, sensitive operation type detection, and the like, so as to ensure the security and stability of the entire network.
As a preferred implementation of this embodiment, the access control list may further include a single attribute access control list and a composite attribute access control list. The single attribute access control list sets the access behavior which can be carried out according to the user attribute or the environment attribute, and sets the operation type which can be carried out according to the operation attribute or the object attribute; the composite attribute access control list sets an accessible behavior according to the user attribute and the environment attribute, and sets an accessible operation type according to the operation attribute and the object attribute, for example, the operation type can be judged by using a regular expression form, or a combination behavior of a plurality of attributes can be set by a user with an administrator identity in a customized manner.
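As an added illustration of the decision flow described above (access authority checked first, then the attribute operation authority matched against the object's information security level with an alarm on mismatch, attribute priority for simultaneous requests, and a composite list whose operation types are matched by regular expression), here is a toy model in Python. It is not code from the patent; all roles, attribute names, security levels and sample requests are constructed.

```python
# Added example, not code from the patent: a toy attribute access control list
# (access authority, operation authority, attribute priority) and the
# access -> operation -> alarm decision the description gives.
# All attribute names, roles, security levels and sample requests are constructed.
import re
from dataclasses import dataclass

# Information security levels of data information; a higher number is more sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class AccessRequest:
    user: dict       # user attribute information, e.g. {"role": ..., "department": ...}
    env: dict        # environment attribute information, e.g. {"network": ...}
    operation: str   # operation attribute information (the operation type)
    obj: dict        # operation object information, e.g. {"node": ..., "level": ...}
    ts: float        # time the request was made (tie-break for equal priority)


@dataclass
class AttributeACL:
    # Attribute access authority: composite rules; every listed user AND
    # environment attribute must match for a rule to grant access.
    access_rules: list
    # Attribute operation authority per role: (highest operable security level,
    # regular expression over the operation type).
    op_rules: dict
    # Attribute priority per role; a lower number is served first.
    priority: dict

    def access_allowed(self, req: AccessRequest) -> bool:
        for rule in self.access_rules:
            user_ok = all(req.user.get(k) == v for k, v in rule.get("user", {}).items())
            env_ok = all(req.env.get(k) == v for k, v in rule.get("env", {}).items())
            if user_ok and env_ok:
                return True
        return False

    def operation_allowed(self, req: AccessRequest) -> bool:
        rule = self.op_rules.get(req.user.get("role"))
        if rule is None:
            return False
        max_level, op_pattern = rule
        if re.fullmatch(op_pattern, req.operation) is None:
            return False
        # The object's information security level must not exceed the level
        # the user's attribute operation authority allows.
        return LEVELS[req.obj["level"]] <= LEVELS[max_level]


def evaluate(acl: AttributeACL, req: AccessRequest) -> tuple:
    """Return (decision, alarm). Access is checked first; only when access is
    granted is the operation checked against the object's security level, and
    a mismatch there is what triggers the alarm."""
    if not acl.access_allowed(req):
        return "deny-access", False
    if not acl.operation_allowed(req):
        return "alarm", True
    return "allow", False


def rank_concurrent(acl: AttributeACL, reqs: list) -> list:
    """Attribute priority for simultaneous requests to the same data: keep the
    requests whose access conforms, rank by role priority (same authority ->
    same priority), then by request time."""
    conforming = [r for r in reqs if acl.access_allowed(r)]
    return sorted(conforming, key=lambda r: (acl.priority.get(r.user.get("role"), 99), r.ts))


# Constructed attribute access control list.
ACL = AttributeACL(
    access_rules=[
        {"user": {"role": "admin"}},
        {"user": {"department": "ops"}, "env": {"network": "intranet"}},
    ],
    op_rules={
        "admin": ("secret", r"read|write|edit"),
        "operator": ("confidential", r"read|edit"),
        "auditor": ("internal", r"read"),
    },
    priority={"admin": 0, "operator": 1, "auditor": 2},
)

# Constructed simultaneous requests against data items of one network node.
OBJ_SECRET = {"node": "node-7", "data": "d1", "level": "secret"}
OBJ_CONF = {"node": "node-7", "data": "d1", "level": "confidential"}
OBJ_INT = {"node": "node-7", "data": "d2", "level": "internal"}
INTRANET = {"network": "intranet"}
REQUESTS = {
    "admin_write": AccessRequest({"role": "admin", "department": "it"}, INTRANET, "write", OBJ_SECRET, 1.0),
    "operator_write": AccessRequest({"role": "operator", "department": "ops"}, INTRANET, "write", OBJ_CONF, 0.9),
    "auditor_conf": AccessRequest({"role": "auditor", "department": "ops"}, INTRANET, "read", OBJ_CONF, 0.5),
    "auditor_int": AccessRequest({"role": "auditor", "department": "ops"}, INTRANET, "read", OBJ_INT, 0.7),
    "guest": AccessRequest({"role": "guest", "department": "sales"}, {"network": "internet"}, "read", OBJ_INT, 0.2),
}


def run_demo() -> dict:
    """Evaluate every constructed request and return name -> (decision, alarm)."""
    return {name: evaluate(ACL, req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:15s} -> {result}")
    print("service order:", [r.user["role"] for r in rank_concurrent(ACL, list(REQUESTS.values()))])
```

The operator's write and the auditor's read of confidential data both pass the access check and fail the operation check, which is exactly the case the description turns into an alarm.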
In addition, it should be noted that in the defense phase, the loss of network node data information caused by tampering, theft, encryption, making data inaccessible and similar operations on the data information in the network should be reduced as far as possible. Therefore, in a complete network environment, when a user accesses a network node the system server first checks, through the attribute access control list, whether the attribute information identified and/or extracted from the access meets the attribute access authority and the attribute operation authority, and records the user's access path and operations as network node log information. For operations that do not conform, the situation awareness system processes the alarm information in the network, and the network node can disconnect the access so that the fault in the network is checked and handled, with data transmission on the network node resuming once the fault is resolved. In this way, whether the network environment is secure and stable can be detected in real time, and a defense strategy against network attacks on the network node is provided while normal data transmission across the network structure is maintained.
As a preferred embodiment, further, an IP address of an access request made by a user may be collected, and when it is determined that the access or operation of the user does not meet the attribute access control rule, access or operation record information of the IP address is obtained, and trace tracing and/or trace security analysis is performed.
The IP address may use the uniform address format defined by the IP protocol that the user follows, and assigns a logical address to each network node in the network environment and to the terminal device from which the user applies for access, so that the situation awareness system can track the user's access path and trace the source when a network node is attacked.
As a preferred embodiment, after a user makes an access request through an IP address, it is determined whether user attribute information and/or environment attribute information of the user conforms to an attribute access right.
For user access requests that meet the attribute access authority, the user attribute information and/or environment attribute information is analyzed, and the user is allowed by default to access the data information of all network nodes that satisfy the same attribute access control rule. Data information belonging to the same information security level in different network nodes is given the same attribute access authority. When the judgment is that the request conforms, a communication connection between the network node and the user is established.
The communication connection is a communication link which is established between the network node and the user access request, the communication link is realized through a communication protocol which is established between the network node and the user access request, and both communication parties control data transmission.
As a preferred embodiment, the environment attribute information may be further stored in a situation awareness system, and labeled and traced.
Preferably, the alarm includes an emergency alarm and a non-emergency alarm. When the alarm is determined to be an emergency alarm, security defense is carried out on the corresponding network node, the network access of the network node is disconnected, and fault handling is performed on the network environment in which the network node is located; and/or the network node with the alarm is detected periodically and its log information is sent to the situation awareness system for security analysis.
The emergency alarm is raised for abnormal data that occurs suddenly, such as abnormal operations, abnormal behavior or abnormal values; preferably, the emergency alarm is generated after the situation awareness system analyzes the alarm data, and can provide a pointer to the abnormal data for display. The non-emergency alarm refers to any alarm condition other than an emergency alarm.
The fault processing is used for troubleshooting faults occurring in a network environment and comprises the following steps: observing and describing fault phenomena, and collecting information which may generate fault reasons; analyzing the reasons of the faults and making a solution; and implementing the solutions one by one, and recording the troubleshooting process until the network is recovered to be normal.
In this embodiment, the log information of the network node refers to the event records generated while network devices, systems, service programs and the like are operating; each row of the log records the date, time, user, action and a description of the related operation. The log information of the network node includes, but is not limited to, the following:
the duration of the connection, in seconds, which may for example lie in the range [0, 58329];
the protocol type, including but not limited to TCP, UDP and ICMP;
the network service type of the target host;
whether the connection is in a normal or an error state;
the number of bytes of data from the source host to the target host, which may for example lie in the range [0, 1379963888];
the number of bytes of data from the target host to the source host, which may for example lie in the range:
whether the connection is from the same host and whether it uses the same port;
the number of erroneous segments, which may for example lie in the range [0, 3];
the number of urgent packets, which may for example lie in the range [0, 14].
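As an added example, not code from the patent, the following Python parses records carrying the log fields just listed and applies the example ranges given above, producing the findings a situation awareness system would receive for security analysis. The comma-separated record layout and the sample lines are constructed, and the target-to-source byte count is not range-checked because no range is given for it.

```python
# Added example, not code from the patent: parse the network node log fields the
# description lists, apply its example value ranges, and report what needs
# security analysis. The record layout and the sample lines are constructed.
from dataclasses import dataclass

PROTOCOLS = {"TCP", "UDP", "ICMP"}
# Example ranges taken from the description; none is given for dst_bytes.
RANGES = {"duration": (0, 58329), "src_bytes": (0, 1379963888),
          "wrong_fragment": (0, 3), "urgent": (0, 14)}


@dataclass
class ConnectionRecord:
    duration: int        # connection duration in seconds
    protocol: str        # TCP / UDP / ICMP
    service: str         # network service type of the target host
    state: str           # "normal" or "error" connection state
    src_bytes: int       # bytes from source host to target host
    dst_bytes: int       # bytes from target host to source host
    land: bool           # same host and same port on both ends
    wrong_fragment: int  # number of erroneous segments
    urgent: int          # number of urgent packets


def parse_record(line: str) -> ConnectionRecord:
    """Parse one constructed record laid out as: duration,protocol,service,state,
    src_bytes,dst_bytes,land,wrong_fragment,urgent. Raises ValueError if malformed."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 9:
        raise ValueError(f"expected 9 fields, got {len(parts)}")
    proto = parts[1].upper()
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {parts[1]!r}")
    if parts[3] not in ("normal", "error"):
        raise ValueError(f"unknown connection state {parts[3]!r}")
    return ConnectionRecord(int(parts[0]), proto, parts[2], parts[3], int(parts[4]),
                            int(parts[5]), parts[6] == "1", int(parts[7]), int(parts[8]))


def check_record(rec: ConnectionRecord) -> list:
    """Return the findings for one record; an empty list means nothing notable."""
    findings = []
    for name, (lo, hi) in RANGES.items():
        value = getattr(rec, name)
        if not lo <= value <= hi:
            findings.append(f"{name}={value} outside example range [{lo}, {hi}]")
    if rec.state == "error":
        findings.append("connection in error state")
    if rec.land:
        findings.append("same host and same port on both ends")
    if rec.wrong_fragment > 0:
        findings.append(f"{rec.wrong_fragment} erroneous segment(s)")
    if rec.urgent > 0:
        findings.append(f"{rec.urgent} urgent packet(s)")
    return findings


def analyze_log(lines: list) -> dict:
    """Map 1-based line number -> findings for records that need attention.
    Unparseable lines are reported as a finding rather than silently dropped."""
    report = {}
    for n, line in enumerate(lines, start=1):
        try:
            findings = check_record(parse_record(line))
        except ValueError as exc:
            findings = [f"malformed record: {exc}"]
        if findings:
            report[n] = findings
    return report


# Constructed sample of network node log records.
SAMPLE_LOG = [
    "0,TCP,http,normal,181,5450,0,0,0",
    "2,UDP,domain_u,normal,45,44,0,0,0",
    "0,TCP,private,error,0,0,0,0,0",
    "0,TCP,telnet,normal,0,0,1,0,3",
    "70000,ICMP,eco_i,normal,8,0,0,0,0",
    "0,TCP,ftp_data,normal,400,0,0,5,0",
    "0,GRE,other,normal,0,0,0,0,0",
]

if __name__ == "__main__":
    for n, findings in analyze_log(SAMPLE_LOG).items():
        print(n, SAMPLE_LOG[n - 1], "->", "; ".join(findings))
```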
The periodic detection may set a detection time or a detection period, and may cover the following items, including but not limited to:
Web page tamper-proofing: the website directory is monitored in real time, tampered files or directories are restored from backup, and the website information of important systems is protected against malicious tampering, including web trojan injection, hidden links, and the illegal insertion of violent or terrorist content.
Abnormal process behavior: detecting whether behavior outside the normal execution flow exists on the assets.
Abnormal login: detecting abnormal login behavior on the server, such as an ECS login from an illegal IP, an abnormal login following an ECS login, or the execution of an abnormal sequence of instructions after an ECS login.
Sensitive file tampering: detecting whether sensitive files on the server have been maliciously modified.
Malicious processes: detecting the server in real time and raising a real-time warning for detected virus files. Detectable sub-items include access to malicious IPs, mining programs, self-mutating trojans, malicious programs, trojan programs, and the like.
Abnormal network connection: detecting disconnections or abnormal network connection states. Abnormal connections can include active connections to malicious download sources, access to malicious domain names, mining pool communication, suspicious outbound connections, reverse shell outbound connections, abnormal Windows network connections, suspected lateral movement within the intranet, suspected sensitive port scanning, and the like.
Abnormal accounts: detecting illegal login accounts.
Application intrusion events: detecting attempts to intrude into the server through the system's application components.
Virus detection: active defense against mainstream ransomware, DDoS trojans, mining and trojan programs, malicious programs, backdoor programs, worms and other types.
Application threat detection: detecting attempts to intrude into the server through Web applications.
Malicious scripts: detecting whether the system functions of an asset have been attacked or tampered with by malicious scripts, and alarming on possible malicious script attacks.
Threat intelligence: performing correlation analysis of access traffic and logs against a threat intelligence library to identify threat events that may occur, mainly intrusion behavior that is not easy to discover directly, such as malicious domain name access, malicious download source access, and malicious IP access.
Malicious network behavior: abnormal network behavior judged comprehensively from logs such as traffic content and server behavior, including abnormal outbound network behavior initiated after an attacker has intruded into a host through open network services or after the host has been compromised.
The technical scheme is particularly suitable for the situation awareness defense system based on attribute access control to defend the network node when the network node is attacked by the network.
Other technical features are referred to in the previous embodiments and are not described herein.
Referring to fig. 3, an embodiment of the present invention further provides a situation awareness defense system S200 based on attribute access control, the system including:
the network node S201, configured to send and receive data;
the situation awareness system S202, which periodically detects network nodes with alarms and performs security analysis on their log information; and
the system server S203, which is connected to the network node and the situation awareness system.
Setting attribute access authority and attribute operation authority when a user accesses a network node based on a preset attribute access control rule, wherein the attribute access authority and the attribute operation authority are matched with the information security level of data information of the network node; the attribute operation authority comprises the information security level of the data information which can be operated by the user; acquiring access request information triggered by the user aiming at the network node, identifying user attribute information and/or environment attribute information of the user, judging whether the user accords with attribute access authority or not according to the user attribute information and/or the environment attribute information, and allowing the access request under the condition of judging that the user accords with the attribute access authority; acquiring operation information of a user on data information in a network node and operation object information of the operation, and sending the operation information and the operation object information to a situation awareness system; acquiring the information security level of the operation object through a situation awareness system, and judging whether the information security level is matched with the attribute operation authority of the user; and triggering an alarm under the condition of judging mismatching.
Other technical features are referred to in the previous embodiment and are not described in detail herein.
In the description above, the various components may be selectively and operatively combined in any number within the intended scope of the present disclosure. In addition, terms like "comprising," "including," and "having" should be interpreted as inclusive or open-ended, rather than exclusive or closed-ended, by default, unless explicitly defined to the contrary. All technical, scientific, or other terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs unless defined otherwise. Common terms found in dictionaries should not be interpreted too ideally or too realistically in the context of related art documents unless the present disclosure expressly limits them to that.
While exemplary aspects of the present disclosure have been described for illustrative purposes, those skilled in the art will appreciate that the foregoing description is by way of description of the preferred embodiments of the present disclosure only, and is not intended to limit the scope of the present disclosure in any way, which includes additional implementations in which functions may be performed out of the order of presentation or discussion. Any changes and modifications of the present invention based on the above disclosure will be within the scope of the appended claims.

Claims (10)

1. A situational awareness defense method based on attribute access control, the method comprising the steps of:
setting attribute access authority and attribute operation authority when a user accesses a network node based on a preset attribute access control rule, wherein the attribute access authority and the attribute operation authority are matched with the information security level of data information of the network node; the attribute operation authority comprises the information security level of the data information which can be operated by the user;
acquiring access request information triggered by the user aiming at the network node, identifying user attribute information and/or environment attribute information of the user, judging whether the user accords with attribute access authority or not according to the user attribute information and/or the environment attribute information, and allowing the access request under the condition of judging that the user accords with the attribute access authority; acquiring operation information of a user on data information in a network node and operation object information of the operation, and sending the operation information and the operation object information to a situation awareness system;
acquiring the information security level of the operation object through a situation awareness system, and judging whether the information security level is matched with the attribute operation authority of the user;
and triggering an alarm under the condition of judging mismatching.
2. The method according to claim 1, characterized in that whether the information security level matches the attribute operation authority of the user is judged according to the operation attribute information and/or the object attribute information corresponding to the operation.
3. The method of claim 2, wherein the attribute access control rule comprises an attribute-based access control list; the access control list comprises attribute access authority information and attribute operation authority information;
the attribute access authority information is used for acquiring user attribute information and/or environment attribute information when a user accesses a network node, and judging whether the user attribute information and/or the environment attribute information are matched with attribute access authority;
and the attribute operation authority information is used for judging whether the operation information of the user in the accessed network node is matched with the attribute operation authority.
4. The method according to claim 3, wherein the access control list further comprises attribute priority information, and the attribute priority information is used for setting an access priority corresponding to a user attribute and/or an environment attribute, and setting an operation priority corresponding to an operation attribute and/or an object attribute;
when a plurality of users access the same data information of the same network node at the same time, the user attributes and/or the environment attributes of the users are subjected to priority ranking, and the access of the users with high priority is processed preferentially.
5. The method of claim 3, wherein the access control list comprises a single attribute access control list and a composite attribute access control list;
the single attribute access control list sets an accessible behavior according to a user attribute or an environment attribute, and sets an accessible operation behavior according to an operation attribute or an object attribute;
the composite attribute access control list sets an access behavior that can be performed according to the user attribute and the environment attribute, and sets an operation behavior that can be performed according to the operation attribute and the object attribute.
6. The method according to claim 1, wherein an IP address of an access request from a user is collected, and when it is determined that the access or operation of the user does not comply with the attribute access control rule, access or operation record information of the IP address is obtained, and trace tracing and/or trace security analysis is performed.
7. The method according to claim 6, wherein after the user makes an access request through the IP address, it is determined whether the user attribute information and/or the environment attribute information of the user conform to the attribute access right.
8. The method according to claim 1, further comprising the step of storing the environmental attribute information in a situational awareness system, and performing labeling and tracing.
9. The method according to claim 1, wherein the alarm includes an emergency alarm and a non-emergency alarm, and when the alarm is determined as an emergency alarm, the method performs security defense on a corresponding network node, disconnects network access of the network node, and performs fault handling on a network environment in which the network node is located;
and/or detecting the network node with the alarm periodically, and sending the log information of the network node to a situation awareness system for safety analysis.
10. A situational awareness defense system based on attribute access control, comprising:
a network node for transceiving data;
the situation awareness system is used for periodically detecting the network nodes with alarms and carrying out security analysis on the log information of the network nodes;
the system server is connected with the network node and the situation awareness system;
the system server is configured to set an attribute access authority and an attribute operation authority when a user accesses a network node based on a preset attribute access control rule, wherein the attribute access authority and the attribute operation authority are matched with the information security level of data information of the network node; the attribute operation authority comprises the information security level of the data information which can be operated by the user;
acquiring access request information triggered by the user aiming at the network node, identifying user attribute information and/or environment attribute information of the user, judging whether the user accords with attribute access authority or not according to the user attribute information and/or the environment attribute information, and allowing the access request under the condition of judging that the user accords with the attribute access authority; acquiring operation information of a user on data information in a network node and operation object information of the operation, and sending the operation information and the operation object information to a situation awareness system;
acquiring the information security level of the operation object through a situation awareness system, and judging whether the information security level is matched with the attribute operation authority of the user;
and triggering an alarm under the condition of judging mismatching.
CN202110492998.1A 2021-05-07 2021-05-07 Situation awareness defense method and system based on attribute access control Pending CN113411297A (en)


Publications (1)

Publication Number Publication Date
CN113411297A true CN113411297A (en) 2021-09-17

Family

ID=77678051

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110492998.1A Pending CN113411297A (en) 2021-05-07 2021-05-07 Situation awareness defense method and system based on attribute access control

Country Status (1)

Country Link
CN (1) CN113411297A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115001856A (en) * 2022-07-18 2022-09-02 国网浙江省电力有限公司杭州供电公司 Network security portrait and attack prediction method based on data processing
CN115664789A (en) * 2022-10-21 2023-01-31 北京珞安科技有限责任公司 Industrial firewall security assessment system and method
CN114039755B (en) * 2021-10-29 2024-03-22 中国银联股份有限公司 Authority control method and device, electronic equipment and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101330458A (en) * 2008-07-22 2008-12-24 宇龙计算机通信科技(深圳)有限公司 Method, apparatus and system for controlling access authority of pickaback plane
CN102201935A (en) * 2011-05-13 2011-09-28 大唐移动通信设备有限公司 Access control method and device based on VIEW
CN107147665A (en) * 2017-06-06 2017-09-08 西安电子科技大学 Application process of the beam-based alignment model in industrial 4.0 system
CN107888589A (en) * 2017-11-10 2018-04-06 恒宝股份有限公司 A kind of method and its system for calling trusted application
CN110213108A (en) * 2019-06-11 2019-09-06 四川久远国基科技有限公司 A kind of network security situation awareness method for early warning and system
CN110445807A (en) * 2019-08-23 2019-11-12 瑞森网安(福建)信息科技有限公司 Network security situation sensing system and method
CN112328982A (en) * 2020-10-28 2021-02-05 苏州三六零智能安全科技有限公司 Data access control method, device, equipment and storage medium
CN112383550A (en) * 2020-11-11 2021-02-19 郑州轻工业大学 Dynamic authority access control method based on privacy protection

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114039755B (en) * 2021-10-29 2024-03-22 中国银联股份有限公司 Authority control method and device, electronic equipment and storage medium
CN115001856A (en) * 2022-07-18 2022-09-02 国网浙江省电力有限公司杭州供电公司 Network security portrait and attack prediction method based on data processing
CN115001856B (en) * 2022-07-18 2022-10-21 国网浙江省电力有限公司杭州供电公司 Network security portrait and attack prediction method based on data processing
CN115664789A (en) * 2022-10-21 2023-01-31 北京珞安科技有限责任公司 Industrial firewall security assessment system and method

Similar Documents

Publication Publication Date Title
US10601848B1 (en) Cyber-security system and method for weak indicator detection and correlation to generate strong indicators
US10855700B1 (en) Post-intrusion detection of cyber-attacks during lateral movement within networks
KR101737726B1 (en) Rootkit detection by using hardware resources to detect inconsistencies in network traffic
US10230750B2 (en) Secure computing environment
CN113660224B (en) Situation awareness defense method, device and system based on network vulnerability scanning
CN111274583A (en) Big data computer network safety protection device and control method thereof
US9817969B2 (en) Device for detecting cyber attack based on event analysis and method thereof
CN113411297A (en) Situation awareness defense method and system based on attribute access control
CN111786966A (en) Method and device for browsing webpage
CN113839935B (en) Network situation awareness method, device and system
Pradhan et al. Intrusion detection system (IDS) and their types
CN113411295A (en) Role-based access control situation awareness defense method and system
Khan et al. Applying data mining techniques in cyber crimes
CN113660222A (en) Situation awareness defense method and system based on mandatory access control
Deng et al. Lexical analysis for the webshell attacks
Al Makdi et al. Trusted security model for IDS using deep learning
KR20130033161A (en) Intrusion detection system for cloud computing service
CN115694928A (en) Cloud honeypot of whole-ship computing environment, attack event perception and behavior analysis method
Hatada et al. Finding new varieties of malware with the classification of network behavior
Arul et al. Supervised deep learning vector quantization to detect MemCached DDOS malware attack on cloud
CN113141274A (en) Method, system and storage medium for detecting sensitive data leakage in real time based on network hologram
Jamar et al. E-shield: Detection and prevention of website attacks
Rajaallah et al. Intrusion Detection Systems: To an Optimal Hybrid Intrusion Detection System
Sandhu et al. A study of the novel approaches used in intrusion detection and prevention systems
Ogwara et al. Enhancing Data Security in the User Layer of Mobile Cloud Computing Environment: A Novel Approach

Legal Events

Date Code Title Description

PB01 Publication

SE01 Entry into force of request for substantive examination

CB02 Change of applicant information
Address after: 200441 11th floor, No.2, Lane 99, Changjiang South Road, Baoshan District, Shanghai
Applicant after: SHANGHAI NIUDUN TECHNOLOGY Co.,Ltd.
Address before: Floor 11, building A5, Lane 1688, Guoquan North Road, Yangpu District, Shanghai, 200433
Applicant before: SHANGHAI NIUDUN TECHNOLOGY Co.,Ltd.

RJ01 Rejection of invention patent application after publication
Application publication date: 20210917