CN114978584A - Network security protection safety method and system based on unit cell - Google Patents

Info

Publication number: CN114978584A
Authority: CN (China)
Prior art keywords: security, evaluation, safety, information, network
Legal status: Pending
Application number: CN202210379961.2A
Other languages: Chinese (zh)
Inventors: 刘泉银, 刘凯
Current Assignee: SHENZHEN WEIYI TECHNOLOGY CO LTD
Original Assignee: SHENZHEN WEIYI TECHNOLOGY CO LTD
Application filed by SHENZHEN WEIYI TECHNOLOGY CO LTD
Priority to CN202210379961.2A
Publication of CN114978584A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

A unit-based network security protection method and system comprises the steps of vulnerability scanning, baseline inspection, network and security equipment inspection, full-traffic threat analysis, intranet asset discovery, emergency response, emergency drills, penetration testing, security operation and maintenance, risk assessment, information system level protection assessment, and internet threat detection and active response. By actively assessing risk, problems are nipped in the bud: the distributed scanning system evaluates a service comprehensively when it goes online, monitors service changes every day, analyses the new risks those changes introduce, and so perceives changes in risk rapidly.

Description

Network security protection safety method and system based on unit cell
Technical Field
The present invention relates to network security protection, and in particular to a unit-based network security protection method and system.
Background
As network technology reaches every corner of society, network security matters in every scenario. A network can be attacked in different ways depending on its environment; the angles of attack are many, the forms variable and the means diverse. Network security threats are also concealed, sporadic and destructive. Most intranets are connected to the internet or only logically isolated from it, so once a threat is triggered on the internet the intranet faces the same threat.
As networks keep developing, attack techniques keep being strengthened and changed, and attackers' thinking changes in many ways as well. A single network security device is not enough to provide security protection, so protection is inefficient and ineffective.
Disclosure of Invention
Based on this, it is necessary to provide a unit-based network security protection method that can improve security.
A unit-based network security protection system can likewise improve protection security.
A unit-based network security protection method comprises:
vulnerability scanning: determining the scheme, configuring the policy, backing up the system, running the scan, analysing the results, rescanning, repairing vulnerabilities and performing a second recheck scan; detecting potential security hazards and vulnerabilities in any one or more of network protocols, network services and network equipment against the security vulnerability knowledge base, and analysing and identifying vulnerabilities an intruder could use to enter the network illegally or obtain information assets illegally; when a host scan command is received or a host scan is performed, backing up the host's data first; if the server is a dual-host hot-standby system, scanning only one of the hosts in a single scanning session; adjusting the scan-object policy for hosts or network equipment with special requirements; for a given system, using single-host scanning mode, scanning one IP at a time and starting the next IP only after the previous scan has finished; and moving the scan time for equipment in the production network segment to a period that does not affect services;
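The scanning rules above (backup before a host scan, one member of a hot-standby pair per session, special policies, one IP at a time, off-peak windows for production segments) can be enforced by a small planning step before any scanner runs. The following is an added example, not code from the patent; the ScanTarget fields, the off-peak window and the hot-standby pairing are assumptions for illustration.

```python
"""Scan-policy gate for the vulnerability-scanning step (added example, not the patent's code)."""
from dataclasses import dataclass
from datetime import time
from typing import Dict, List, Optional


@dataclass
class ScanTarget:
    ip: str
    segment: str                              # e.g. "production" or "office" (assumed labels)
    backed_up: bool                           # data backup completed before the host scan
    hot_standby_peer: Optional[str] = None    # other node of a dual-host hot-standby pair
    special_policy: Optional[str] = None      # adjusted scan policy for hosts with special needs


# Assumed windows: production segments are scanned off-peak, everything else in business hours.
OFF_PEAK = (time(22, 0), time(6, 0))
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def plan_scan_sessions(targets: List[ScanTarget]) -> Dict[str, list]:
    """Turn a list of hosts into ordered single-host scan sessions.

    Rules applied, in the order the method text gives them:
      * a host is refused until its data backup is confirmed;
      * only one member of a hot-standby pair is scanned per session, the peer is deferred;
      * hosts with special requirements keep their adjusted policy;
      * every session scans exactly one IP; the next IP starts after the previous finishes;
      * production-segment hosts are scheduled into the off-peak window.
    """
    sessions, refused, deferred = [], [], []
    scheduled = set()   # IPs already given a session in this planning round
    for t in targets:
        if not t.backed_up:
            refused.append((t.ip, "no data backup before host scan"))
            continue
        if t.hot_standby_peer and t.hot_standby_peer in scheduled:
            deferred.append((t.ip, f"hot-standby peer {t.hot_standby_peer} already in this session"))
            continue
        window = OFF_PEAK if t.segment == "production" else BUSINESS_HOURS
        sessions.append({
            "order": len(sessions) + 1,       # sequential: one IP after the other
            "ip": t.ip,
            "window": window,
            "policy": t.special_policy or "default",
        })
        scheduled.add(t.ip)
    return {"sessions": sessions, "refused": refused, "deferred": deferred}


if __name__ == "__main__":
    # Constructed sample inventory.
    sample = [
        ScanTarget("10.0.0.1", "production", True, hot_standby_peer="10.0.0.2"),
        ScanTarget("10.0.0.2", "production", True, hot_standby_peer="10.0.0.1"),
        ScanTarget("10.0.1.5", "office", False),
        ScanTarget("10.0.1.6", "office", True, special_policy="db-safe"),
    ]
    plan = plan_scan_sessions(sample)
    for s in plan["sessions"]:
        print(f"session {s['order']}: scan {s['ip']} in window {s['window']} with policy {s['policy']}")
    print("deferred:", plan["deferred"])
    print("refused:", plan["refused"])
```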
baseline checking: collecting the login information for the network equipment, security equipment, operating systems, databases and middleware in the target information system; logging in to the target equipment to check its configuration, recording the configuration information and performing a configuration security analysis; logging in to the network equipment, security equipment, operating systems, databases and middleware one by one using the collected login information, testing whether the collected login information is accurate and whether the accounts provided have sufficient permissions, analysing whether all security-configuration check items can be covered, and producing a baseline check report;
checking the network and security equipment: checking the reasonableness of equipment management, account management, authentication and authorization, login methods, log auditing, service-port optimisation, security protection and security policies, which includes checking the operating system, checking the database, and checking the Web server and middleware;
full-traffic threat analysis: using threat intelligence and the captured whole-network traffic to analyse and detect compromised internal hosts, external attacks, internal violations and internal risks, to analyse, judge and trace events, and to analyse the asset information and related statistics of the current network;
intranet asset discovery: inventorying the host assets and Web servers of the intranet information system and dynamically managing the whole life cycle of intranet asset accounts, comprising host asset service discovery, Web service discovery and visual display of the assets;
emergency response: monitoring security problems in the business system, tracing internet-scale attacks through big-data analysis, analysing the causes of security events, tracing event sources, classifying security events, defending against attacks using big-data analysis and security threat intelligence, discovering unknown dangerous network behaviour and locating attack sources;
emergency drills: analysing and judging; if the event is judged to be a suspected computer virus outbreak, judging whether a system problem exists; if a system problem exists, starting the system emergency plan; if not, judging again whether a system problem exists and executing the notification process; if no system problem exists, judging whether the system emergency plan involves network transmission; if so, judging whether the infected host needs to be isolated; if the host needs to be isolated, disconnecting its network connection, starting the system emergency plan and judging whether antivirus measures need to be executed; if the host does not need to be isolated, judging directly whether antivirus measures need to be executed; if they do, judging whether system data could be damaged; if so, backing up the system before executing the antivirus measures, otherwise executing them directly; after execution, judging whether the virus has been cleaned completely; if antivirus measures are judged unnecessary, judging directly whether the virus has been cleaned completely; if the virus is judged to be cleaned completely, restoring the network connection of the isolated host and executing the reporting process; if the virus still exists after the antivirus measures, continuing to execute new virus search-and-kill measures until it is cleaned up;
penetration testing, comprising a Web penetration test and an advanced penetration test; the Web penetration test simulates a real security attack to discover the potential ways a hacker could intrude into the information system, covering information collection, remote overflow, password guessing, local overflow, enterprise user-side attacks, man-in-the-middle attacks, and Web script and application testing; the advanced penetration test, following information security best practice, simulates a targeted strike: taking the internet-facing assets or the internal untrusted/semi-trusted zones as the entry point, it simulates a hacker's intranet attack to obtain the highest intranet privileges or sensitive data for further penetration testing, comprising evaluating the external asset situation, searching for intranet access points, using the available intranet access points present in the internet assets, and deploying a springboard (pivot) host to penetrate the internal network;
security operation and maintenance, comprising daily security O&M, security assurance at important moments and periodic security inspection; daily security O&M comprises security policy optimisation, security product O&M and security assessment; security policy optimisation checks whether the security control policies are effective and reasonable and improves them, through research, drafting a scheme, optimising the policy and outputting a report; security product O&M comprises monitoring equipment operation security, auditing equipment operation security, and updating equipment and backing up policies; security assessment comprises security scanning assessment, which discovers security vulnerabilities in the information system in time and corrects vulnerabilities on Windows and Linux servers and security equipment; security scans of information assets are run outside service peak periods, as applied for and against the security vulnerability knowledge base, without using scan modes that contain denial-of-service tests; if the scanned system stops responding during a scan, the scan is stopped immediately, the situation is analysed and the cause determined, the system is restored, and scanning resumes after the scan policy has been adjusted; security assurance at important moments comprises: before a major holiday, actively probing the assets the user exposes on the extranet to form an asset list, performing precise vulnerability scanning according to the asset discovery results, comprehensively checking specific vulnerabilities, notifying major security events comprising one or more of high-risk system vulnerabilities,
high-risk worm viruses and severe intrusions and attacks, providing one or more of the event type, scope of impact, solution and prevention scheme, carrying out comprehensive security checks and security hardening of the major systems, retesting the hardening results, and confirming that security problems have been repaired promptly and effectively; during the holiday, performing real-time alarm monitoring and log analysis on the firewall, Web application firewall, IDS/IPS, load balancer, web-page anti-tampering system and network security audit system, monitoring the antivirus software and its search-and-kill records, monitoring the state of the application systems, database systems and service platform and analysing their logs, investigating and analysing in time if one or more intrusion or attack incidents are discovered, tracing and analysing the incident source and cause, providing a solution based on the investigated cause and the incident situation, and recording the incident, the incident analysis, the solution and the tracing scheme; periodic security inspection comprises periodic security product inspection and periodic security policy optimisation suggestions;
risk assessment, comprising network security assessment, host security assessment, application security assessment, terminal security assessment, data security assessment, physical security assessment, middleware security assessment and management security assessment; network security assessment analyses the organisation's network topology, security domain planning, VLAN division, network equipment configuration, security equipment configuration and security protection measures, evaluates the security of the physical network structure, the logical network structure and the network equipment, discovers security and network-load problems in the network structure and security and attack-resistance problems in the network equipment, evaluates the current security posture of the network, and discovers problems of security, reasonableness and utilisation efficiency; host security assessment analyses the operating system, accounts, authentication, authorization, network services, system logs, patch upgrades, virus protection and local security policy, discovers security holes and hazards in system configuration and operation, and analyses and evaluates against the service application situation and the security baseline configuration, covering identity authentication, access control, security audit, intrusion prevention, malicious code prevention and resource control; application security assessment evaluates the application system's accounts, authentication, authorization, audit, performance resources, backup and recovery, and penetration testing, detects and
analyses input validation, identity verification, authorization, configuration management, sensitive data, session management, encryption technology, exception management, audit and logging, and habit problems, and searches for security vulnerabilities and hazards in the application system; terminal security assessment checks patches, account passwords, network services, virus protection and local security policy, evaluates the terminal's security according to patch upgrades, virus protection, account passwords, network services and local security policy, and searches for security holes and hazards on the terminal; data security assessment detects and analyses the database's user name and password management, database access control, login authentication method, data security, security vulnerability inspection, patch management and security audit, evaluates the data security situation mainly in terms of the confidentiality, integrity and availability of the data, and searches for security vulnerabilities and hazards that may exist in the data layer; physical security assessment detects and analyses physical security boundaries, physical access control, the security protection of offices, rooms and facilities, protection against external and environmental threats, work control in secure areas, delivery and loading areas, equipment placement and protection, supporting equipment, cabling security, equipment maintenance, asset movement, off-site equipment and asset security, secure disposal or reuse of equipment, unattended user equipment, and clear-desk and clear-screen policies, and evaluates the security of the network machine room according to the physical environment, access control, power supply, cabling, equipment placement, label specification and machine-room systems of the
machine room; middleware security assessment detects and analyses the middleware's user name and password management, security audit, login authentication method, communication confidentiality, resource control and intrusion prevention policy, and evaluates whether the middleware's installation, deployment and configuration parameters meet the application's operational security requirements; management security assessment evaluates the current state of information security management according to the security organisation, security system, security personnel, security O&M, security emergency handling and security training, and searches for possible hazards and gaps.
The information system level protection assessment comprises level protection gap assessment, security assurance system design, level protection assessment and information system soft rectification; the level protection gap assessment comprises information collection and analysis, tool and form preparation, determining the assessment objects, determining the assessment indicators, determining the assessment tool access points, determining the assessment content, developing assessment instructions, compiling the assessment scheme, preparing the assessment, on-site assessment and result recording, result confirmation and data return, judging single assessment results, summarising and analysing single assessment results, overall assessment, forming the security assessment conclusion and compiling the assessment report; the security assurance system design analyses the weaknesses and risks of the current network and information system through the level protection gap assessment, carries out security rectification, completes the topology design for the corresponding products, implements security technical measures and improves the security management system; combining the level protection gap assessment result, an information security system framework is formulated according to the level protection requirements and the actual situation, comprising a security policy, a security technology system, an operation assurance system and a security organisation and management system, where the security policy interacts with the security technology system, the operation assurance system and the security
organisation and management system, those three systems are built under the guidance of the security policy, and every element formulated in the security policy is converted into technical implementation methods and management and operation assurance means to achieve the goals set in the security policy; the level protection assessment tests and evaluates the information system's security level protection status, comprising security control assessment, which evaluates how the basic security controls required by level protection are implemented and configured in the information system, and overall information system assessment, which evaluates and analyses the overall security of the information system; the security control assessment is organised in work units, a work unit comprising security technology assessment and security management assessment, and the security management assessment comprises security control assessment of the security management organisation, the security management system, the personnel security system, system construction management and system O&M management; the information system soft rectification analyses the weaknesses and risks of the current network and information system through the gap assessment report, including those of the operating system, database and network security equipment, checks and hardens the operating system, database and network security equipment one by one according to the equipment's security configuration hardening standard, and formulates related risk-avoidance measures comprising operating system
hardening, network/security equipment hardening, database hardening, and establishment and improvement of the information security management system;
Internet threat detection and active response comprise risk assessment, real-time monitoring, tampering disposal and emergency countermeasures for internet services, so that protection is re-established; the risk assessment evaluates the exposed attack surface, vulnerabilities and content security, takes the result as a baseline, rechecks it continuously at regular intervals, monitors asset changes at regular intervals, and continuously analyses the risk introduced by newly added assets; real-time monitoring watches in real time for page tampering, 0-day exploitation, web trojans, hidden (black) links, DNS and availability security events, and generates reports to notify users in time; tampering disposal rapidly replaces a tampered site through DNS techniques; the emergency countermeasures are cloud-based emergency countermeasures that protect sensitive data.
In a preferred embodiment, the login information comprises the login method, the login account/password and the management host information; the baseline check further comprises: performing configuration inspection of the target information system according to baseline inspection best practice for each level of network equipment, security equipment, operating system, database and middleware, recording the current equipment configuration, analysing the current security configuration, comparing it with the security baseline, finding and recording the differences in security configuration, and forming the baseline check report from the analysis of the overall differences and the current state of the information system; checking the operating system covers basic information, patch management, user accounts, password security, permission management, logging and audit, system service ports, security protection and network protocol security; checking the database covers account security, database connection security, database security component configuration, log configuration and communication protocol; checking the Web server and middleware covers management application restriction checks, listing checks, checks of files outside the permitted Web directory, the HTTP request body size, default port checks, error-level redirection, disabling directory listing, denial-of-service prevention, useless files installed by default, hiding the version number and sensitive information, account management, authentication and authorization, log configuration, communication protocol, and equipment and security requirements.
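The Web server and middleware baseline check described above compares a recorded configuration against best-practice items and reports the differences and the items the collection did not cover. The following is an added example of that comparison, not code from the patent; the rule names, the sample configuration and the report layout are constructed for illustration.

```python
"""Baseline-check comparison for Web server / middleware items (added example, not the patent's code)."""
from typing import Any, Dict, List

# Each baseline rule: recorded config key -> (check item, predicate that is True when compliant).
# Keys and thresholds are assumptions standing in for a real baseline document.
WEB_BASELINE: Dict[str, tuple] = {
    "directory_listing": ("directory listing disabled", lambda v: v is False),
    "listen_port": ("default port changed", lambda v: v not in (80, 8080)),
    "max_body_bytes": ("HTTP request body size limited",
                       lambda v: isinstance(v, int) and 0 < v <= 10 * 1024 * 1024),
    "server_tokens": ("version number and sensitive information hidden", lambda v: v == "off"),
    "error_redirect": ("error-level redirection configured", lambda v: bool(v)),
    "sample_files_removed": ("useless files installed by default removed", lambda v: v is True),
    "access_log": ("log configuration present", lambda v: bool(v)),
}


def baseline_check(device: str, config: Dict[str, Any],
                   baseline: Dict[str, tuple] = WEB_BASELINE) -> Dict[str, Any]:
    """Compare the recorded configuration of one device against the baseline.

    Returns per-item verdicts, the differences (non-compliant items), the baseline items the
    collected configuration did not cover (so coverage can be judged), and a compliance ratio.
    """
    findings: List[dict] = []
    uncovered: List[str] = []
    for key, (item, compliant) in baseline.items():
        if key not in config:
            uncovered.append(key)          # collection gap, not a pass and not a fail
            continue
        findings.append({"key": key, "item": item, "value": config[key],
                         "compliant": bool(compliant(config[key]))})
    checked = len(findings)
    passed = sum(1 for f in findings if f["compliant"])
    return {
        "device": device,
        "findings": findings,
        "differences": [f for f in findings if not f["compliant"]],
        "uncovered": uncovered,
        "compliance": round(passed / checked, 2) if checked else 0.0,
    }


# Constructed sample: the recorded configuration of one middleware node.
SAMPLE_CONFIG: Dict[str, Any] = {
    "directory_listing": True,
    "listen_port": 8080,
    "max_body_bytes": 1048576,
    "server_tokens": "off",
    "error_redirect": "/error.html",
    "sample_files_removed": False,
}

if __name__ == "__main__":
    report = baseline_check("web-01", SAMPLE_CONFIG)
    for d in report["differences"]:
        print(f"{report['device']}: {d['item']} (recorded {d['key']}={d['value']!r})")
    print("uncovered items:", report["uncovered"])
    print("compliance ratio:", report["compliance"])
```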
In a preferred embodiment, the asset information and related statistics within the current network include: asset statistical information, attack plane statistical information, newly added asset information, asset change information, newly added attack plane information, attack plane change information and a newly added asset detailed list; the asset statistics include: counting the type proportion of the server according to the type of the asset server; the attack face statistical information comprises: statistical information of various open ports; the detailed list of the newly added assets comprises: one or more of an IP address of the asset, a server type, a server version, a status, a detected time; the detecting external attacks includes: anti-sequence attack detection, Web attack situation analysis and password blasting attack detection; the anti-sequence attack detection comprises the following steps: analyzing and discovering the number of anti-sequence attack behaviors of the internal service and the condition of each anti-sequence attack behavior; the anti-sequence attack case comprises the following steps: attack time, source IP, destination IP/port; the Web attack situation analysis analyzes the situation of attack on an internal server through flow analysis, the situation distribution of the Web integral attack type, the detailed information of each attack means and the attack result, and the attack result comprises the following steps: attack warning, attack trap and prompt; the attack means comprises: one or more of Webshell, black-product kitchen knife scanning, Web vulnerability scanning, Struts2 attack, uploading attack, sql injection attack, information leakage and newly added files of an application system; the password blasting attack detection is used for detecting the attack times of password blasting suffered by different servers every day, the types of services, the condition of mail exposure attack, the condition of remote management 
service brute-force attacks and database service brute-force attacks, where the attack conditions comprise: attack source IP, target IP, protocol, number of attack attempts within 60 seconds and brute-force result; the detecting of internal violations comprises: exposed-surface detection, illegal external connection detection, malicious DNS analysis, ACL (access control list) review, weak password detection, abnormal login detection and unconventional service analysis; the exposed-surface detection analyzes the illegal attack-surface information in the current network through big data analysis, the illegal attack-surface information comprising: attack-surface statistics, newly added attack-surface information, attack-surface change information and attack-surface details, where the attack-surface statistics comprise statistics of the various open ports and the attack-surface details comprise: server IP, port and service type; the illegal external connection detection analyzes the illegal external connection information in the environment, which comprises any one or more of: the physical address of the target IP of the illegal external connection, the historical trend of illegal external connection events, the exact time of the illegal external connection event, the source IP, the target IP and the port; the malicious DNS analysis monitors and analyzes the DNS requests made by the internal network through traffic analysis, analyzes the credibility of internal DNS in combination with threat intelligence, and finds the malicious DNS requests existing inside together with their details, the details of the malicious DNS comprising any one or more of: request time, source IP, the malicious domain name requested and the physical address of the domain name; the ACL review analyzes the access relationships of all existing IPs in the current network, including the access relationships from a source IP to the different ports of a target IP, analyzes the ACL controls in the network and remediates internally unreasonable ACLs; the weak password detection analyzes and finds the weak-password state of internal servers, reports the total number of weak passwords, the number found by passive counting, the number found by dictionary matching and the number found actively, and detects and analyzes the weak-password information of the mail service, the remote management service and the database service, which comprises: affected account, weak password, affected server, protocol and detection time; the abnormal login detection comprises detecting abnormal behaviour of internal servers, namely the details of logins to internal servers from the outside, the details of abnormal logins and the details of logins during non-working hours; the details of an external login to an internal server comprise: the external login IP, the IP home location, the internal server IP, the protocol and the access time; the details of an abnormal login comprise: the user, the usual login location, the remote login location and the discovery time; the details of a non-working-time login comprise: source IP, IP home location, destination IP, protocol and access time; the unconventional service analysis comprises: detection and discovery of remote control services, proxy services, Regeory Tunnel services, HTTP proxies, SOCKS proxies and Teamview/IRC, analyzing the time of the service connection, the source IP of the connection, the destination IP of the connection and the service type; the event judging comprises: after finding trapping events, Web attack events and internal abnormal information, judging whether the event is a genuine malicious attack by using network penetration information in combination with cloud threat conditions, and analyzing the cause of the event; the event tracing traces malicious attack events back to their source and analyzes the physical location of the attacker, the retained evidence of the attacker's behaviour and the means commonly used by the attacker.
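As an added illustration of three of the internal-violation signals listed above (brute-force attempts counted within 60 seconds, logins to internal servers from outside, and non-working-time logins), the following is example detection logic written for this page; it is not code from the patent. The intranet ranges, working window, alert threshold and the login records are all constructed assumptions.

```python
# Added example (not from the patent): flags three of the internal-violation
# signals over a small constructed set of login records.
from collections import defaultdict, deque
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumptions for this example: intranet ranges, working hours, alert threshold.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WORK_HOURS = (time(8, 0), time(18, 0))
BRUTE_FORCE_WINDOW_S = 60     # the page counts attack attempts within 60 seconds
BRUTE_FORCE_THRESHOLD = 5     # assumed: attempts in the window that raise an alert

# Constructed records: (timestamp, source IP, destination IP, protocol, user, success)
RECORDS = [
    ("2024-03-01 09:00:01", "10.0.1.20", "10.0.2.5", "ssh", "ops", True),
    ("2024-03-01 09:10:00", "203.0.113.7", "10.0.2.5", "rdp", "admin", True),
    ("2024-03-01 23:30:12", "10.0.1.40", "10.0.2.9", "mysql", "app", True),
    ("2024-03-01 10:00:00", "10.0.1.50", "10.0.2.9", "mysql", "root", False),
    ("2024-03-01 10:00:10", "10.0.1.50", "10.0.2.9", "mysql", "root", False),
    ("2024-03-01 10:00:20", "10.0.1.50", "10.0.2.9", "mysql", "root", False),
    ("2024-03-01 10:00:30", "10.0.1.50", "10.0.2.9", "mysql", "root", False),
    ("2024-03-01 10:00:40", "10.0.1.50", "10.0.2.9", "mysql", "root", False),
    ("2024-03-01 10:00:50", "10.0.1.50", "10.0.2.9", "mysql", "root", True),
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(records):
    """Turn the constructed tuples into (datetime, src, dst, proto, user, ok)."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), s, d, p, u, ok)
            for ts, s, d, p, u, ok in records]


def external_logins(records):
    """Successful logins to an internal server from a source outside the intranet."""
    return [(s, d, p, ts.isoformat()) for ts, s, d, p, _u, ok in parse(records)
            if ok and is_internal(d) and not is_internal(s)]


def off_hours_logins(records):
    """Successful logins that fall outside the working window."""
    start, end = WORK_HOURS
    return [(s, d, p, ts.isoformat()) for ts, s, d, p, _u, ok in parse(records)
            if ok and not (start <= ts.time() < end)]


def brute_force_events(records):
    """Per (src, dst, protocol), count attempts in a sliding 60 s window; once the
    threshold is crossed, record the window size and whether the latest attempt
    in the window succeeded (the brute-force result)."""
    windows = defaultdict(deque)
    alerts = {}
    for ts, s, d, p, _u, ok in sorted(parse(records), key=lambda r: r[0]):
        key = (s, d, p)
        q = windows[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > BRUTE_FORCE_WINDOW_S:
            q.popleft()                      # drop attempts older than the window
        if len(q) >= BRUTE_FORCE_THRESHOLD:
            alerts[key] = {"attempts_in_window": len(q),
                           "result": "success" if ok else "failed"}
    return alerts


if __name__ == "__main__":
    print("external logins:", external_logins(RECORDS))
    print("off-hours logins:", off_hours_logins(RECORDS))
    print("brute force:", brute_force_events(RECORDS))
```

The brute-force detector keys on (source IP, target IP, protocol), the same fields the page lists for the attack condition, and reports the result of the last attempt in the window so that a successful guess following a burst of failures is surfaced as a successful brute-force rather than lost among the failures.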
In a preferred embodiment, the host asset service discovery comprises: scanning for and discovering newly added assets, asset changes, newly added ports and port changes, identifying the operating system, IP address and domain name, and outputting an asset information report; the Web service discovery comprises: analyzing and discovering the port, Web server, development language, any front-end WAF information and the Web service conditions; the emergency drill further comprises a cyber attack event emergency drill, which comprises: analysis and judgement; if the event is judged to be a malicious attack on an external-network website, locating the attack source IP address from the system logs, firewall logs, network traffic analysis and the analysis of the web page anti-tampering system, and judging whether the attack source can be determined; if it cannot, judging whether the attack source type can be determined; at the same time, judging from the system security condition whether one or more of tampering, SQL injection, XSS cross-site scripting, trojan and illegal intrusion attacks are present; if so, checking whether the web page anti-tampering system reports tampering, and if it does, determining the cause of the vulnerability; if not, checking whether the IDS detected the intrusion, verifying it if so, and otherwise judging whether the attack source type can be determined; if it can, judging whether the vulnerability can be recovered and repaired, and if it cannot, starting the emergency plan for that attack source type; if the vulnerability can be recovered and repaired, recovering and repairing it, and otherwise starting the emergency plan; after the vulnerability is recovered and repaired, judging whether the attack continues; if it continues, determining the attack source and starting the emergency plan, and if it does not, executing the notification flow; and if the attack source IP address or the attack path cannot be located, or the attack network path cannot be closed after analysis, starting the emergency plan (in the case where the system is unavailable) and notifying.
In a preferred embodiment, the information collection of the Web penetration test comprises: collecting the operating system type, analyzing the network topology, scanning ports and identifying the services provided by the target system, in one or more of the modes of host network scanning, port scanning, operating system type judgement, application judgement, account scanning and configuration judgement; the password guessing uses brute-force attacks and dictionaries to guess passwords; the Web script and application test comprises: injection, cross-site scripting, broken identity authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration checking, insecure cryptographic storage detection, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirect and forward detection; the injection: an injection vulnerability occurs when untrusted data supplied by the attacker is sent to an interpreter as part of a command or query, tricking the interpreter into executing unintended commands or accessing unauthorized data; the cross-site scripting: when the application receives data containing untrusted content and sends it to a web browser without validation and escaping, scripts execute in the browser to hijack user sessions, deface websites or redirect users to malicious websites; the broken identity authentication and session management: the application's functions related to authentication and session management are not implemented correctly, so that compromised passwords, keys or session tokens, or other flaws, can be used to impersonate other users; the insecure direct object reference: a reference to an internal implementation object is exposed, producing an insecure direct object reference that can be manipulated to access unauthorized data; the cross-site request forgery: a CSRF attack forces the browser of a logged-in user to send a forged HTTP request to a vulnerable Web application; the security misconfiguration check: detecting whether the application, framework, application server, Web server, database server and platform have a defined, implemented and maintained security configuration, and whether software is updated in time; the insecure cryptographic storage detection: detecting whether the Web application uses encryption or a hash algorithm to protect sensitive data, since weakly protected data can be used for identity theft and credit card fraud; the failure to restrict URL access: forging URLs to access hidden web pages; the insufficient transport layer protection detection: detecting whether the application fails to authenticate, whether encryption is used, whether confidentiality and integrity measures protect sensitive network data, whether the application uses weak algorithms, whether expired or invalid certificates are used, and whether authentication, encryption or protection measures are used correctly; the unvalidated redirect and forward detection: detecting where the Web application redirects or forwards the user to other pages or websites, and judging whether the destination page is validated when untrusted data is used, since otherwise the user may be redirected to a phishing website or forwarded to an unauthorized page.
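As an added illustration of the unvalidated redirect and forward check described above (example code written for this page, not part of the patent), the following validator accepts a redirect destination only if it is a site-relative path or an absolute `http`/`https` URL whose host is on an assumed allow-list. `ALLOWED_HOSTS`, `is_safe_redirect` and `resolve_redirect` are names chosen for this example; the edge cases it rejects (scheme-relative `//host`, backslash variants that browsers treat as slashes, userinfo tricks, non-HTTP schemes and header-injection characters) are the ones this class of check usually misses.

```python
# Added example (not from the patent): validating a user-supplied redirect
# destination before issuing a redirect or forward.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.test"}   # assumed: hosts this site may redirect to
DEFAULT_TARGET = "/"                    # assumed fallback when the target is unsafe


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for a site-relative path or an http(s) URL on an allowed host."""
    if not target or any(c in target for c in "\r\n\t\x00"):
        return False                           # empty or header-injection characters
    t = target.strip()
    if "\\" in t:
        return False                           # browsers treat backslash as slash
    if t[:2] == "//":
        return False                           # scheme-relative URL: //evil.example
    parts = urlsplit(t)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False                           # javascript:, data:, etc.
    if parts.netloc:
        # urlsplit().hostname is lower-cased and strips any user:pass@ prefix,
        # so "https://app.example.test@evil.example/" resolves to evil.example.
        return parts.hostname in allowed_hosts
    # No host: accept only an absolute path on this site ("http:evil.example"
    # and bare "evil.example/x" have no leading slash and are rejected).
    return t.startswith("/")


def resolve_redirect(target: str, default: str = DEFAULT_TARGET) -> str:
    """Destination to actually use: the validated target, else the safe default."""
    return target.strip() if is_safe_redirect(target) else default


if __name__ == "__main__":
    for candidate in ["/account", "https://app.example.test/home",
                      "//evil.example/", "https://evil.example/",
                      "javascript:alert(1)", "/\\evil.example",
                      "https://app.example.test@evil.example/"]:
        print(f"{candidate!r:45} -> {resolve_redirect(candidate)}")
```

A stricter variant would drop the absolute-URL branch entirely and accept only site-relative paths; the allow-list branch is kept here because the page's check is about verifying the destination, which is what the host comparison does.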
In a preferred embodiment, the assessing of external asset conditions and finding of intranet access points comprises: judging through information collection and analysis whether a remote control vulnerability exists; if so, obtaining system authority and generating a report after information collection and analysis; if no remote control vulnerability exists, judging whether a common remote vulnerability exists, and if so, performing information collection and analysis and then judging whether ordinary local authority can be obtained; if it cannot, generating a report; if it can, performing information collection and analysis and then judging whether local privilege escalation is possible, generating a report if it is not; if local privilege escalation is possible, generating a report after information collection and analysis, and otherwise generating the report directly;
the utilizing of the available intranet access points existing in the internet assets and deploying of a springboard machine to perform intranet penetration on the internal network comprises: after confirming the scope of intranet assets to be tested, acquiring basic intranet information; at the system layer, performing port scanning and known CVE vulnerability scanning followed by system vulnerability verification and exploitation; at the application layer, collecting application platform information, version fingerprint data and conventional vulnerability scanning information, and performing application vulnerability verification and exploitation; then collating the vulnerability data for comprehensive use, raising control authority, performing information interception, remote control and resource expansion, submitting the penetration test report and waiting for review; the information collection analysis comprises baseline inspection and vulnerability scanning, where the baseline inspection comprises: performing a baseline check on the system to discover security vulnerabilities and weak points in servers, network equipment and security equipment, and identifying, analyzing, repairing and re-checking the discovered vulnerabilities; the vulnerability scanning comprises vulnerability scanning of the system, checking the potential security hazards and vulnerabilities of the various information assets in network protocols, network services and network equipment, and performing security vulnerability detection and analysis on the network equipment to assist in correcting the vulnerabilities.
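As an added illustration of the baseline inspection mentioned above (example code written for this page, not part of the patent), the following compares a server's `sshd_config` against an assumed hardening baseline and reports each setting that deviates or is left at its default. The baseline values in `EXPECTED`, the sample configuration and the function names are constructed for this example; the option names (`PermitRootLogin`, `PasswordAuthentication`, `PermitEmptyPasswords`, `X11Forwarding`, `MaxAuthTries`) are real OpenSSH keywords, and the parser follows OpenSSH's rules that keywords are case-insensitive, that the first occurrence of a keyword wins, and that lines beginning with `#` are comments.

```python
# Added example (not from the patent): a minimal configuration baseline check
# for sshd_config, reporting settings that deviate from an assumed standard.
import re

# Assumed hardening baseline; replace with the organization's own standard.
EXPECTED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sample: root login enabled, password auth only commented out,
# MaxAuthTries never set.
SAMPLE_CONFIG = """\
# constructed sshd_config for the example
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding=no
permitrootlogin no
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> dict:
    """Map lower-cased keyword -> value for the global section of an sshd_config.

    Follows sshd's rules: '#' lines are comments, keywords are case-insensitive,
    the first occurrence wins, and 'Key value' or 'Key=value' are both accepted.
    Settings after the first 'Match' block are conditional and are ignored here
    (a simplification for this example).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[=\s]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)      # first occurrence wins
    return settings


def check_baseline(text: str, expected: dict = EXPECTED) -> list:
    """Return (keyword, observed, expected) for every baseline deviation."""
    actual = parse_sshd_config(text)
    findings = []
    for key, want in expected.items():
        got = actual.get(key.lower())
        if got is None:
            findings.append((key, "not set (default applies)", want))
        elif got.lower() != want.lower():
            findings.append((key, got, want))
    return findings


if __name__ == "__main__":
    for key, got, want in check_baseline(SAMPLE_CONFIG):
        print(f"{key}: observed {got!r}, baseline requires {want!r}")
```

The "not set" finding matters as much as an explicit deviation: a commented-out line leaves the compiled-in default in force, and a baseline check that only inspects lines present in the file will miss it.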
In a preferred embodiment, the investigation comprises: collecting information on the security equipment, the network environment, operation and maintenance authority and the existing security policies, where the security equipment information comprises: device name, device owner, device manufacturer and model, management address and mode, physical address, device administrator information, user name and password and device white paper; the network environment information comprises: network topology diagram, server asset information, network equipment asset information and business system information; the operation and maintenance authority information comprises: operation and maintenance personnel authority and maintenance management address; the existing security policies comprise: access control policy, security protection policy and behaviour audit policy; the scheme formulation comprises: performing gap analysis on the existing security policies according to the information collected by the investigation and the user's actual security requirements, finding missing policies, redundant policies and policies that were never retired, and formulating a scheme; the gap analysis of the existing security policies comprises: analyzing the user's business security requirements, analyzing the gaps in the existing security policies and analyzing the overall situation of the security policy gaps; the analyzing of the user's business security requirements comprises: summarizing the business systems and asset information and formulating the security protection policy requirements; the analyzing of the existing security policy gaps comprises: access control policy gap analysis, security protection policy gap analysis and behaviour audit policy gap analysis; the policy optimization comprises: access control policy optimization, security protection policy optimization and behaviour audit policy optimization; the access control policy optimization covers the boundary access control device and the operation and maintenance management device; for the boundary access control device: reviewing the access requirements of the business systems, customizing the access control policy per business, defining the source address, destination address and service, recording the number, date and applicant of the policy enablement order, adding missing policies, refining coarse policies and deleting redundant policies; for the operation and maintenance management device: reviewing the operation and maintenance personnel and maintenance requirement information, creating or adjusting operation and maintenance personnel according to the unit's organizational structure, defining personnel names and contact details, creating or adjusting asset information according to the responsible business unit, with the asset IP addresses, hosted services and physical locations defined, and creating corresponding policies for the different operation and maintenance personnel; the security protection policy optimization covers the intrusion detection device and the Web application firewall; for the intrusion detection device: reviewing the basic information of the business systems, creating an intrusion detection protection object for each business system, defining the assets and responsible personnel it contains, formulating an intrusion protection policy comprising an intrusion attack policy, a trojan/virus policy and an audit policy, creating an intrusion protection policy for each business system, and optimizing the policies according to the asset types, operating systems and software services contained in the business system; for the Web application firewall: reviewing the basic information of the business systems, creating a Web application protection object for each business system, defining the assets and responsible personnel it contains, and formulating a protection policy comprising a Web malicious scanning protection policy, an SQL injection protection policy, an XSS attack protection policy, a website trojan-implant protection policy, a hotlink protection policy and a web page tampering protection policy; the behaviour audit policy optimization comprises: network security audit, database audit and internet behaviour management; the network security audit comprises: collating the basic information of the business systems and creating, for each business system, a business access audit policy that audits all network behaviour accessing the business system and a management and maintenance audit policy that audits all network behaviour managing and maintaining the business system; the database audit comprises: reviewing the business system information and database information, creating audit policies for each database comprising risk indicator auditing, abnormal login auditing, abnormal maintenance auditing and abnormal tool auditing, creating a business system object from the business system information, creating report policies for the different business systems, and generating an audit report for each business system; the internet behaviour management comprises: reviewing terminal information, creating or adjusting terminal users according to the organizational structure of their unit, and creating an internet access behaviour audit policy for the users comprising a mail audit policy, a website access audit policy, a communication/chat audit policy, a posting audit policy and a keyword audit policy; the equipment operation security monitoring comprises: monitoring network equipment, security equipment and hosts, setting alarm thresholds and alarm rules for the various functional indicators, discovering abnormal running states of the equipment in time, raising different alarms for the monitored security events according to their level and type, starting the fault handling flow if the equipment is judged to have a fault, and adjusting the alarm thresholds according to the actual situation; the monitoring of network equipment comprises: device hardware state inspection, device software state inspection, device performance state inspection, security policy inspection and optimization, and log inspection; the device hardware state inspection comprises: inspecting the running condition of the device hardware, including the power supply, fans, chassis, boards, flash card and status lamps, inspecting the stability of the physical ports, the cabling, labels and identification, and inspecting the hardware alarm information of the device; the device software state inspection comprises: inspecting the running state of the system kernel and checking whether a new kernel upgrade is available; the device performance state inspection comprises: checking CPU utilization, memory utilization, network interface utilization and buffer usage; the security policy inspection and optimization comprises: re-checking the correctness and effectiveness of the security policies; the log inspection comprises: checking whether log reception is normal, whether log storage is full and needs handling, and collecting and analyzing the logs; the monitoring of security equipment comprises: security device hardware state inspection, security device software state inspection, security device performance state inspection, security policy optimization of the security device, security device log inspection and security device rule base inspection; the security device hardware state inspection comprises: checking the running condition of the security device hardware, including the power supply, fans, chassis, boards, flash card and status lamps, checking the stability of the physical ports, and checking the cabling, labels and identification; the security device software state inspection comprises: checking the running state of the system kernel, whether a new kernel upgrade is available, and the version upgrade status of the software system; the security device performance state inspection comprises: checking CPU utilization, memory utilization, network interface utilization and buffer usage; the security policy optimization of the security device comprises: re-checking the correctness and effectiveness of the security policies; the security device log inspection comprises: checking whether logging is normal, whether log storage is full and needs handling, and collecting and analyzing the logs; the security device rule base inspection comprises: checking virus definition upgrades, including the virus wall definition upgrades and the IDS/IPS rule library upgrades; the monitoring of hosts comprises: host hardware state inspection, host operating system security inspection, host performance inspection, suspicious service process inspection and virus inspection; the host hardware state inspection comprises: checking the running condition of the host hardware, including the power supply, fans, chassis, boards and status lamps, checking the network card status, IP address and routing table, and checking the running condition of the disk array, the system fault lamp and system hardware error reports; the host operating system security inspection comprises: checking the operating system software version, checking the installation of one or more of Windows series patches, Linux system patches and Unix series patches, checking and optimizing the operating system security configuration, checking and optimizing accounts, security policies and services, analyzing system logs and checking patch installation; the host performance inspection comprises: checking CPU utilization, memory utilization, swap utilization, disk space usage and I/O condition; the suspicious service process inspection comprises: checking the names of the enabled services, whether each service is necessary, and its resource consumption; the virus inspection comprises: checking the installation of client anti-virus software, the upgrade status of the virus definition library, policy distribution and virus handling; the equipment operation security audit comprises: using the security management platform, in combination with asset information, to find the associations among the data in network access logs, management behaviour records, operation behaviour records, product operation records, network traffic and security monitoring information, setting association analysis rules and filtering conditions, and mining network attack and operation fault information; the device and policy backup update comprises: performing security protection through daily policy configuration and equipment upgrades, optimizing policies, and maintaining the policy and configuration backups of the security products, including policy configuration, policy review, equipment upgrade and backup recovery; the policy configuration comprises: analyzing the actual security requirements of the business system and the functions of the security product according to the overall security policy, and configuring the security policy of the security product according to the policy configuration flow; the policy review comprises: regularly reviewing the policy configuration of the security product, identifying redundant and abandoned policies, and deleting them after confirmation; the equipment upgrade comprises: regularly upgrading the software version, rule base and feature base of the security product, backing up the original system before upgrading, testing the upgrade package, regularly checking the manufacturer's version updates, and updating the operation record; the backup recovery comprises: regularly backing up the configuration and policies of the product, storing the backup content on a dedicated server and recording the backup operation; the vulnerability correction comprises: repairing the vulnerabilities of the servers and security equipment within the scanning scope, and hardening against application and database vulnerabilities; the periodic security product inspection comprises: periodically checking the security condition of the security product while the information security product is running, including equipment operation security monitoring, equipment operation security auditing and equipment and policy backup updating; setting alarm thresholds and alarm rules for the CPU utilization, memory utilization, disk utilization and network interface connectivity of the security product and monitoring them in real time; confirming any abnormal operating state of the security product that is found and starting the fault handling flow if a product fault is confirmed; adjusting the alarm thresholds according to the actual situation during monitoring to obtain an operating state baseline for the security product; raising, according to the alarm rules, different alarms for the monitored security events by level and type, sending the alarm information to the security management platform, notifying operation and maintenance or inspection personnel through the platform, and taking handling measures according to the security event; the security management platform is used, in combination with asset information, to find the associations among one or more of the network access logs, management behaviour records, operation behaviour records, product operation records and network traffic, to set association analysis rules and filtering conditions, and to mine network attack and operation fault information; performing security protection through policy configuration and equipment upgrades, optimizing policies, and performing daily inspection of the policy and configuration backups of the security products; the periodic security policy optimization recommendation comprises: collecting information on the security equipment, the network environment, operation and maintenance authority and the existing security policies, implementing security product inspection, performing gap assessment and rectification suggestions on the existing security policies in combination with the user's actual business security requirements, and performing policy optimization; the rectification proposal comprises a security policy optimization suggestion, which comprises: an access control policy optimization implementation method, a security protection policy optimization implementation method and a behaviour audit policy optimization implementation method.
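As an added illustration of the access control policy gap analysis described above (finding redundant rules and refining coarse ones on a boundary access control device), the following is example code written for this page, not part of the patent. It assumes a first-match rule base with source, destination, service and action fields, and a constructed rule list; the names `RULES`, `covers` and `analyse_rules` are chosen for the example. A rule is reported as redundant when an earlier rule with the same action already matches everything it matches, as shadowed when an earlier rule with the opposite action does (so the later rule never takes effect, which is how a needed policy can be "missing" even though it is written), and as coarse when a permit rule has an any-source or any-service scope.

```python
# Added example (not from the patent): finding redundant, shadowed and coarse
# rules in a first-match access control rule base.
from ipaddress import ip_network

# Constructed rule base in evaluation order; the device is assumed to apply the
# first matching rule.
RULES = [
    {"id": 1, "src": "10.1.0.0/16",  "dst": "10.2.0.10/32", "svc": "tcp/443", "action": "permit"},
    {"id": 2, "src": "10.1.5.0/24",  "dst": "10.2.0.10/32", "svc": "tcp/443", "action": "permit"},
    {"id": 3, "src": "0.0.0.0/0",    "dst": "10.2.0.0/24",  "svc": "any",     "action": "deny"},
    {"id": 4, "src": "10.1.7.0/24",  "dst": "10.2.0.20/32", "svc": "tcp/22",  "action": "permit"},
    {"id": 5, "src": "10.1.0.0/16",  "dst": "10.2.0.10/32", "svc": "tcp/443", "action": "permit"},
]


def covers(outer: dict, inner: dict) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    src_ok = ip_network(inner["src"]).subnet_of(ip_network(outer["src"]))
    dst_ok = ip_network(inner["dst"]).subnet_of(ip_network(outer["dst"]))
    svc_ok = outer["svc"] == "any" or outer["svc"] == inner["svc"]
    return src_ok and dst_ok and svc_ok


def analyse_rules(rules: list) -> list:
    """Return (rule id, finding, covering rule id or None) for each problem found.

    redundant: an earlier rule with the same action already covers this one.
    shadowed:  an earlier rule with a different action covers this one, so this
               rule is never reached and its intent is not enforced.
    coarse:    a permit rule whose source or service is 'any' and should be
               narrowed to the business requirement.
    """
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier["action"] == rule["action"] else "shadowed"
                findings.append((rule["id"], kind, earlier["id"]))
                break                     # the first covering rule is the one that fires
        if rule["action"] == "permit" and (rule["src"] == "0.0.0.0/0" or rule["svc"] == "any"):
            findings.append((rule["id"], "coarse", None))
    return findings


if __name__ == "__main__":
    for rule_id, kind, by in analyse_rules(RULES):
        suffix = f" (covered by rule {by})" if by is not None else ""
        print(f"rule {rule_id}: {kind}{suffix}")
```

In the constructed rule base, rule 2 and rule 5 are redundant with rule 1 and can be deleted after confirmation, while rule 4 is shadowed by the broad deny in rule 3: the SSH access it was meant to grant is silently blocked, which is the kind of gap the investigation's comparison against business access requirements is intended to surface. Real rule bases also carry negated objects, port ranges and protocol wildcards; the `covers` check would need to be extended for those before being relied on.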
In a preferred embodiment, the security assessment of the network device comprises: checking the access control security of the network device, checking the security protection configuration of the network device and checking the policies of the network device; the checking of the access control security of the network device comprises: checking the software version, device vulnerabilities and security problems; the checking of the network device security protection configuration comprises: checking user security and system password security, performing log checks, evaluating the device access control security, device management security and network device service security, and evaluating through the service application conditions and the security baseline configuration; the network device policy check comprises: evaluating the policy configuration and usage of the existing network equipment and security equipment, and evaluating whether the policy configuration meets the business requirements and ensures the security of the system; the identity authentication comprises: detecting, analyzing and evaluating the identification and authentication mechanisms, password security management, account lockout settings and account security management; the access control comprises: detecting and analyzing the default share settings, detecting, analyzing and evaluating whether privileged user management, file system security features and network service security conform to the principle of least privilege, and evaluating; the security audit comprises: detecting, analyzing and evaluating the system logs and audit policies; the intrusion prevention comprises: detecting, analyzing and evaluating patch management and vulnerability risk; the malicious code prevention comprises: detecting, analyzing and evaluating the management of anti-malware software; the resource control comprises: detecting, analyzing and evaluating the resource control policy; the potential security hazards of the application system comprise: security function design, security vulnerabilities and vulnerabilities in the security deployment; the detecting and analyzing of input validation comprises detecting one or more of: whether the application validates all input data; whether all input data is validated for length, range, format and type; whether any data relies on client-side validation code; whether the application trusts data written onto a Web page; whether all code and system command content in user-submitted data is filtered or converted; whether data is validated at the access point when it is passed between different trust boundaries; whether the application uses a dedicated database account with minimal library, table and field permissions; whether unnecessary stored procedures are disabled or deleted in the database and database error information is masked; whether unvalidated data is or may be written onto a Web page; whether SQL queries are generated from unvalidated input; whether unsafe data access coding techniques increase the SQL injection threat; whether input data is screened with deny-list rather than allow-list methods; whether security decisions are made based on an input file, URL or user name; and whether client-side authentication is relied upon; the detecting and analyzing of identity verification comprises: detecting whether the user name and password are sent in plaintext over an unprotected channel, whether sensitive information has a special encryption method, whether credentials are stored and, if so, how the user name and password are stored and protected, whether strong passwords are enforced and which password policy is enforced, whether a second factor is added to authentication and whether a graphic or SMS verification code is used, how credentials are verified, how an authenticated user is identified after the first login, and analyzing whether authentication credentials or authentication cookies are transmitted over an unencrypted network link, whether credential capture or session attacks are possible, and whether weak password and account policies allow unauthorized access; the detecting and analyzing of authorization comprises: detecting whether the necessary behaviour auditing is performed, what access control is used at the application's entry points, whether the application uses roles and, if so, whether their granularity is fine enough for access control and audit purposes, whether the application restricts access to system resources, whether database access is restricted and authorized, and analyzing whether unauthorized roles and accounts are used, whether sufficient role granularity is provided, and whether system resources are restricted to a specific application identity; the detecting and analyzing of configuration management comprises: detecting how the remote management interface is protected, how the configuration store is protected, whether sensitive configuration data is encrypted, whether administrator privileges are separated, whether least-privilege process and service accounts are used, whether an allow-list policy is applied to management IPs, and analyzing whether confidential configuration information such as connection strings and service account credentials is stored in plaintext, whether the application's configuration management surface including the management interface is protected, whether unauthorized process and service accounts are used, whether the installation script removes data directories and fixed file names, how file extensions are configured, and whether directory permissions are set improperly; the detecting and analyzing of sensitive data comprises: detecting whether confidential information is stored in permanent storage, how sensitive data is stored, whether sensitive data is transmitted over the network and whether it is backed up for disaster recovery, and analyzing whether confidential information is kept when it need not be stored, whether it is stored in plaintext in code, and whether sensitive data is transmitted over the network in plaintext; the detecting and analyzing of session management comprises: detecting how session cookies are generated, how session identifiers are exchanged, how session state is protected across the network, how session state is protected against session attacks, how session state storage is protected, whether the application limits the lifetime of a session, how the application uses the session store for authentication, whether session identifiers are passed over an unencrypted channel, whether the session lifetime is extended, whether session state is stored insecurely, and whether the session identifier appears in the query string; the detecting and analyzing of encryption technology comprises: detecting which algorithms and encryption techniques are used, whether the application uses a custom encryption algorithm, how keys are protected and for how long, how often keys are changed and how they are distributed, and analyzing whether a custom encryption method is used, whether a wrong algorithm or a key that is too short is used, whether keys are unprotected, and whether the same key is used for a prolonged period; the detecting and analyzing of exception management comprises: detecting how the application handles error conditions, whether exceptions are allowed to propagate back to the client, whether the application reveals too much information to the client, where the application records exception details, whether the log files are secure, whether all input parameters are validated, and whether the information shown to the client is excessive; the detecting of auditing and logging comprises: detecting whether the application determines the main activities to audit, whether the application is audited across all layers and servers, how the log files are protected, whether failed logins are audited, whether the audit files are protected, and analyzing whether auditing is performed across the application layers and servers; the detecting and analyzing of habit problems comprises: examining programming habits, analyzing whether a programmer tends to modify programs directly on the server, causing the editor to leave backup files on the server that may expose program code, and analyzing whether the programmer stores sensitive information including database passwords in files; the penetration test comprises: within an allowed and controllable scope, attacking the network and systems using controllable intrusion methods that cause no irreparable loss, obtaining confidential information through the intrusion, and producing a report from the intrusion process and details; the patch inspection and the account password and network service inspection are carried out with a vulnerability scanning tool; the virus protection check is performed with a malicious code scanning tool; the local policy check is performed by checking the local security policy, checking scripts and using a configuration scanning tool; the detecting and analyzing of database user name and password management comprises: detecting and analyzing user permission settings, password policy settings and the management of redundant accounts; the detecting and analyzing of database access control comprises: detecting and analyzing the access IP address control and the communication security configuration; the detection analysis of
the data security comprises the following steps: detecting and analyzing a storage mode and database backup of sensitive information; the security audit detection analysis of the database comprises the following steps: checking, analyzing and auditing a login log and an operation log; the detection analysis of the physical security boundary comprises: detecting and analyzing whether safety boundary protection is set to protect the safety of sensitive information, dangerous information and information processing facilities; the detection analysis of the physical access control comprises: detecting and analyzing whether the security area is protected by entrance control or not and whether access is allowed only by authorized personnel is ensured or not; the detection and analysis of the safety protection of the office, the room and the facility comprises the following steps: detecting and analyzing whether physical security measures are adopted in offices, rooms and facilities, wherein the detection and analysis of the security protection of the external and environmental threats comprises the following steps: detecting and analyzing whether a physical security measure is adopted to prevent natural disasters, malicious attacks or accidents; the detection analysis of the safe area work control comprises the following steps: detecting whether to design, apply physical protective measures and guidelines for secure enclave operations; the detection and analysis of the delivery and interface area comprises: detecting and analyzing whether the access points including the cross-connection area and other points where unauthorized persons enter the office place are controlled, isolated from the information processing facility and prevented from being accessed without authorization; the detection analysis of the device placement and protection includes: detecting and analyzing whether equipment is installed and protected, whether environmental threats and hazards are reduced 
or avoided, and whether unauthorized access is reduced or avoided; the detection analysis of the supportive device comprises: detecting and analyzing whether to protect the equipment and prevent the equipment from power failure or terminal caused by the failure of the support facility; the detection and analysis of the cabling safety comprises the following steps: detecting and analyzing whether to protect the power and communication cables for transmitting data or supporting information services and whether to prevent the power and communication cables from being intercepted or damaged; the detection analysis of the equipment maintenance comprises: detecting and analyzing whether the equipment is correctly protected or not and whether the continuous availability and integrity of the equipment are ensured or not; the detection analysis of the movement of the asset includes: detecting whether the analysis equipment, information and software cannot be brought out of the organization before authorization; the detection and analysis of the off-site equipment and asset security comprises: detecting and analyzing whether safety measures are adopted for assets outside the organization site or not, and whether different risks working outside the organization site are considered or not; the detection analysis of the safe disposal or reuse of the device comprises: detecting whether the analysis checks all items of the device containing the storage medium, whether it is ensured that any sensitive information and registered software has been deleted or written over securely before disposal; the detection and analysis of the unattended user equipment comprises: detecting and analyzing whether the unattended user equipment is protected or not; the detection and analysis of the desktop clearing and screen clearing strategy comprises the following steps: detecting and analyzing whether a strategy of emptying files and a movable storage medium on a desktop is adopted or not and 
whether a screen strategy of emptying an information processing facility is adopted or not; the detection analysis of the middleware username and password management comprises: detecting and analyzing user permission setting, password strategy setting and management of redundant account numbers; the detection analysis of the middleware security audit comprises the following steps: checking and analyzing log audit and operation log audit; the detection and analysis of the intrusion prevention strategy of the middleware comprises the following steps: detecting and analyzing SSL protection opening, default port modification and application server Socket quantity limitation.
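The session-management items above (session identifiers over unencrypted channels, missing cookie protections, extended lifetimes, identifiers in query strings) can be checked mechanically against a captured HTTP response. The following Python script is an added example and is not part of the patent or of the applicant's system; the session cookie names, the 8-hour lifetime bound and the two sample responses are constructed assumptions.

```python
"""Audit a captured HTTP response for the session-management weaknesses listed above."""
from urllib.parse import parse_qs, urlsplit

# Cookie/query names treated as session identifiers (constructed list; extend per application).
SESSION_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessionid", "sid"}
# Assumed upper bound on a session's lifetime: 8 hours.
MAX_SESSION_LIFETIME = 8 * 3600


def parse_set_cookie(value):
    """Split a Set-Cookie header into (name, value, {attribute_lowercase: attribute_value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value.strip(), attrs


def check_session_handling(request_url, response_headers):
    """Return a list of findings for one response; an empty list means no item was triggered."""
    findings = []
    over_tls = urlsplit(request_url).scheme.lower() == "https"
    for header, value in response_headers:
        lname = header.lower()
        if lname == "set-cookie":
            name, _, attrs = parse_set_cookie(value)
            if name.lower() not in SESSION_NAMES:
                continue
            if not over_tls:
                findings.append(f"{name}: session cookie issued over an unencrypted channel")
            if "secure" not in attrs:
                findings.append(f"{name}: Secure attribute missing")
            if "httponly" not in attrs:
                findings.append(f"{name}: HttpOnly attribute missing")
            max_age = attrs.get("max-age")
            if max_age is not None and max_age.isdigit() and int(max_age) > MAX_SESSION_LIFETIME:
                findings.append(f"{name}: Max-Age {max_age}s exceeds the assumed lifetime bound")
        elif lname == "location":
            # A session identifier in a redirect's query string ends up in logs and Referer headers.
            for key in parse_qs(urlsplit(value).query):
                if key.lower() in SESSION_NAMES:
                    findings.append(f"{key}: session identifier carried in the query string of a redirect")
    return findings


# Constructed sample: a weak login response over plain HTTP.
WEAK_URL = "http://intranet.example.test/login"
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "JSESSIONID=A1B2C3D4E5F6; Path=/"),
    ("Set-Cookie", "sid=Z9Y8X7; Path=/; Secure; HttpOnly; Max-Age=2592000"),
    ("Location", "http://intranet.example.test/home?JSESSIONID=A1B2C3D4E5F6"),
]

# Constructed sample: the same flow hardened.
HARDENED_URL = "https://intranet.example.test/login"
HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "JSESSIONID=A1B2C3D4E5F6; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=1800"),
    ("Location", "https://intranet.example.test/home"),
]

if __name__ == "__main__":
    for url, headers in ((WEAK_URL, WEAK_HEADERS), (HARDENED_URL, HARDENED_HEADERS)):
        print(url)
        for finding in check_session_handling(url, headers) or ["no findings"]:
            print("  -", finding)
```

The weak sample produces six findings (the plaintext channel and missing attributes for JSESSIONID, the plaintext channel and 30-day lifetime for sid, and the identifier in the redirect), the hardened sample none. The lifetime bound is the one value an evaluator must set from the system's own policy rather than from this script.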
In a preferred embodiment, the information collection and analysis comprises: retrieving policy documents, rules and regulations, process management records, the information system's overall and detailed description documents, the security protection level grading report, the security requirements analysis report, the overall security scheme, the security status evaluation report, the detailed security design scheme, user guides, operating procedures, network diagrams and configuration management documents; analyzing one or more kinds of data among the information system's basic information, management framework, network and equipment deployment, business types and characteristics, business data, user scope and user types; and, after comprehensive analysis and organization of the industry characteristics, supervising authorities, business scope, geographic location, background information, contact details, organizational and management structure, management strategy, department setup, the functions, positions and responsibilities of the departments on the business operation side, the physical environment, the network topology, the hardware deployment, the scope and boundary, the business types and characteristics, the business processes and the business security protection level, producing an information system basic situation analysis report.

Determining the evaluation objects comprises: surveying the information system, analyzing the unit's information system as a whole together with its related business systems, and, based on the basic situation analysis report, identifying and describing the overall structure of the information system, the description covering the system's identification, physical environment, network topology and external boundary connections, with a network topology diagram; identifying and describing the system boundary, including how the system connects externally to other networks (by optical fiber, wireless or leased line) and the boundary equipment (one or more of a firewall, router or server); where shared equipment sits at the boundary, assigning it to the information system of the relatively higher grade; dividing and describing information systems that have no zone division according to their actual situation, the description covering the zone division, the main business applications of each zone, the business flows, the zone boundaries and the connections between zones; describing the system's nodes zone by zone, covering the computer hardware (servers, clients, printers and storage), the network hardware (switches, routers and adapters), the communication lines and the application software in each zone, and explaining the connections between nodes; organizing this description to determine and describe the information system under evaluation, first explaining the overall structure on the basis of the network topology in a general-to-specific manner, then the external boundary connections and main boundary equipment, and then the network zones, business functions and related equipment nodes; and analyzing each business system and the importance of its related equipment and components to determine the evaluation objects, which are described by class (network, network equipment, servers, hosts and application systems), each class being listed with the zone it belongs to, equipment name, purpose, equipment information and a sampling description.

Determining the evaluation indicators comprises: obtaining the information system's grading result from the basic situation analysis report, the grading result comprising the business information security protection grade and the system service security protection grade; obtaining the combination of security protection measures the system must adopt (A, the system service assurance grade; S, the business information security grade; G, the general requirement grade); selecting the security requirements of the corresponding grades from the standard as evaluation indicators, covering the three A, S and G requirement classes; and describing each business system separately, including its grading result and indicator selection.

Determining the evaluation content comprises: determining the single-item evaluation content and the system evaluation content; analyzing the basic situation analysis report, the evaluation objects, the evaluation indicators and the tool access points of the evaluation scheme; mapping the evaluation indicators of each layer to specific evaluation objects, pairing each object with an evaluation method and explaining that method, to form evaluation implementation units; describing the content of the single-item evaluation work from the combination of indicator and object, and compiling the corresponding evaluation content according to the tool access points, the single-item evaluation content comprising the evaluation indicator, the evaluation object, the evaluation method and the evaluation implementation; determining the system evaluation content according to the evaluation methods of the relevant standards, combined with the system's actual situation and evaluation experience; and outputting the single-item and system evaluation implementation parts of the evaluation scheme.

Developing the evaluation guide comprises: according to the tool access points and the single-item and system evaluation implementation parts, describing each evaluation object (name, IP address, purpose and administrator), determining the evaluation activities (evaluation items, evaluation method, operating steps and expected results), and outputting the evaluation guide of the evaluation scheme. An evaluation item is the requirement the standard places on the evaluation object in a given case. The evaluation methods comprise one or more of interviews, document review, configuration inspection, tool testing and on-site inspection, each evaluation item corresponding to one or more methods. The operating steps comprise the commands or steps executed in the activity and, for tool tests, the requirements on the test equipment and tool, including model, specification and version. The expected result comprises the result the operating steps obtain under normal conditions and the evidence obtained.

Compiling the evaluation scheme comprises: extracting, from the commissioned evaluation agreement and the basic situation analysis report, the project origin, the overall state of information construction at the unit where the system is located, and the system's connections to the unit's other systems; listing the standards the evaluation activities follow, according to the grade evaluation implementation requirements of the grade protection process; estimating the evaluation workload from the commissioned evaluation agreement and the system's situation, based on the number of nodes to be inspected and the access points and test content of the tool tests; compiling a specific evaluation plan from evaluation experience and the scale of the system, including staff assignments and scheduling, with the evaluation avoiding the system's peak business periods; forming an initial draft of the evaluation scheme from these contents and those gathered in the tasks of the scheme compilation activity; and outputting the evaluation scheme after review and confirmation.

Preparing the evaluation implementation comprises: confirming the resources the evaluation requires, including cooperating personnel and evaluation conditions, and updating the evaluation plan or procedure as needed.

On-site evaluation and result recording comprises: checking whether the systems, policies and operating procedures the standard requires to be provided are complete, and whether complete records of their execution exist, including machine room entry and exit registers, electronic records and usage registers for the key equipment of high-grade systems; reviewing the documents and checking their completeness and internal consistency; checking, against the evaluation result records, whether the configurations of the application system, host system, database system and network equipment are correct and consistent with the documents and the related equipment and components, and verifying the document review content, including the log audit; performing error testing if the system accepts invalid commands and the configuration check cannot be completed; verifying the network connection rules; testing the system according to the evaluation scheme, including vulnerability scanning based on network probing and host auditing, website vulnerability scanning, database vulnerability scanning, penetration testing, performance testing, intrusion detection and protocol analysis; judging, from the behavior of personnel and the state of the technical facilities and physical environment, the security awareness of personnel, the business operations, the management procedures and the security of the system's physical environment, and whether these meet the security requirements of the corresponding grade; and recording the results of the management security evaluation, the network, host and application results of the technical security evaluation, the physical security results of the technical security evaluation, and the results of the tool tests.

Result confirmation and data return comprises: consolidating the evaluation records, summarizing the problems found, the evidence and its sources, supplementing anything omitted or needing further verification, and recording the summary of the problems found together with their evidence and evidence sources.

Judging the single-item evaluation results comprises: for each evaluation item that is applicable, comparing each of the results actually obtained during evaluation implementation with the expected result, judging the conformity of each result with the expected result, and obtaining the result of the evaluation implementation corresponding to the item; judging the item as a whole, from the judgments of all its results, to be conforming, partially conforming or non-conforming; and outputting the single-item evaluation records and results.

The single-item result summary analysis comprises: summarizing, by layer, the single-item results of the corresponding evaluation indicators across the different evaluation objects, the summary comprising the number of evaluation items and the number of items meeting the requirements.

The overall evaluation comprises: for each single-item evaluation item judged non-conforming or partially conforming for an evaluation object, analyzing whether other security controls related to the evaluation have an associative relationship with that item, what the relationship is, and whether its effect compensates for the item's deficiency; analyzing whether other evaluation objects at other layers related to the item have an associative relationship with the object, what the relationship is, and whether its effect compensates for the deficiency; analyzing likewise for other evaluation objects in other zones related to the item; analyzing the security of the system's overall structure from a security perspective and the reasonableness of its overall security precautions from a system perspective; and outputting the overall evaluation result of the information system.

Forming the security evaluation conclusion comprises: combining the single-item and overall evaluation results to re-summarize and analyze the single-item results of each evaluation object at the physical security, host security and application security layers, and counting the conformity; analyzing the security risks the non-conforming items pose to the information system and their causes, and judging their impact on the system's overall protection capability; judging, from the summary analysis of the single-item results, that the information system does not have the basic security protection capability of the corresponding grade if any evaluation item fails to meet the requirements, and that it does have that capability if all items meet them; and outputting the grade evaluation conclusion.

Compiling the evaluation report comprises: proposing improvements from a system security perspective for the system's security risks; compiling the report from the evaluation scheme, the single-item evaluation records and results, the single-item summary analysis, the overall evaluation results and the grade evaluation conclusion, with one report per information system; attaching the document list, the single-item evaluation records and the judgment of the single-item result of each evaluation item; and, after the report has been reviewed and confirmed against the evaluation agreement, the related documents, the original evaluation records and the supporting information, outputting the information system grade evaluation report.

The security policy comprises: drafting, review, implementation, training, deployment, monitoring, hardening, re-evaluation and revision, with management ensuring that the policy remains timely and effective.

The security technology system is the foundation of the information system framework and comprises: network security, host security, terminal security, application security, data security and a comprehensive security management platform; under the guidance of the security policy, a complete security technology protection system whose parts cooperate is built in layers, from network security protection, host system security protection, application security protection and terminal security protection to data security protection. The security organization and management system is based on the overall security policy and is matched to the security technology system.

The operation assurance system comprises: security operation and maintenance management, daily operation assurance, security emergency response and data system backup. Security operation and maintenance management comprises: network security, host security and application security operation and maintenance management. Network security operation and maintenance management comprises: performing unified operation authentication, authorization and auditing across the whole network; authenticating equipment maintenance operations with dynamic passwords; transmitting operation commands encrypted; allowing only authorized users to maintain network equipment; defining at least two levels of equipment operation authority for the network system's equipment administrators, mapping operation commands to authority levels, forbidding management and maintenance operations that exceed the administrator's authority, and executing only authorized operations; and auditing the network system's operation and maintenance operations, the audit recording the operation command, the operator and the operation time, to ensure that authorized users perform authorized operations. Host security operation and maintenance management comprises: unified operation authentication, authorization and auditing on the host system. Application security operation and maintenance management comprises: unified operation authentication, authorization and auditing on the application system.

Data system backup comprises: defining a backup strategy and recovery objectives from the data backup requirements, the importance of the business system and the cost of recovery; backing up server data, including the operating system, databases and files, periodically according to the backup strategy; storing the system's backup media off-site according to the importance of the data, the off-site backups comprising at least the original data of all business systems and the static data needed to rebuild the system; supporting data recovery on multiple platforms; and recovering the whole system rapidly from disaster recovery tapes. The recovery objectives comprise the tolerable amount of data loss and the tolerable system recovery time.

The physical security assessment comprises: evaluating the physical security arrangements of the information system, including the choice of physical location, physical access control, theft and damage prevention, lightning protection, fire prevention, water and moisture prevention, static electricity prevention, temperature and humidity control, power supply and electromagnetic protection configuration.

The network security assessment comprises: router/switch evaluation, antivirus system evaluation, host system security evaluation, application security evaluation and data security evaluation. The router/switch evaluation comprises: evaluating how the router/switch handles important operations, including the structure's security domain and network segment division, network access control, network security audit, boundary integrity checking and network equipment protection configuration. The antivirus system evaluation comprises: evaluating how the antivirus system handles important operations, including structure security and network segment division, network security audit, network intrusion prevention, malicious code prevention and network equipment protection configuration. The host system security evaluation comprises: evaluating how the operating system handles important operations, including the use of tokens, account authentication, password management, login restrictions, identity identification and authentication, access control of subjects and objects, user authorization, security audit, alarming, monitoring, system protection, malicious code protection, residual information protection and resource control configuration. The operating systems include Windows and LINUX. The evaluation of the Windows system comprises: evaluating whether accounts and passwords are set with sufficient strength, how accounts are selected or set, how passwords are chosen, composed and set, and the password lifetime; evaluating whether desktop application software comes from a legitimate source and whether a screen saver is set; and evaluating the security settings of the registry, the SMP (Symmetric Multi-Processor) service and the RPC (Remote Procedure Call) service, the installation of the latest security patches and antivirus software, and the allocation of system resources. The evaluation of the LINUX operating system comprises: evaluating the operating system's important operations, including the use of tokens, account authentication, password management, login restrictions, identity identification and authentication, access control of subjects and objects, user authorization, security audit, alarming, monitoring, system protection, malicious code protection, residual information protection and resource control; the supported version; local buffer overflow vulnerabilities; installation of the latest security patches; whether unneeded services are disabled; account passwords; root's PATH environment variable; trust relationships with other hosts; and the hardened TCP/IP protocol stack configuration. The application security assessment comprises: checking and evaluating the application system's identity identification and authentication, access control of subjects and objects, user authorization, security audit, residual information protection and resource control. The data security assessment comprises: verifying the application system's data integrity, data confidentiality and data backup.

Operating system hardening comprises: enabling the operating system password policy, forcing passwords to meet complexity requirements and to be changed periodically; creating a separate account for each administrator; changing the default remote operation and maintenance port; restricting the administrator's remote login addresses with per-user controls; configuring a failed-login policy and an audit policy; setting permission controls on important files and removing unnecessary default shares; disabling unnecessary services and ports, applying system vulnerability patches and renaming the system's default accounts; assigning authority to management users by role, separating their authority and granting only the minimum authority they require; separating the authority of the privileged users of the operating system and the database system; restricting terminal logins as the situation requires; limiting the maximum or minimum use of system resources by a single user; monitoring the system's service level and alarming when it falls to a preset minimum; configuring the "force shutdown from a remote system", "take ownership of files or other objects", "log on locally" and "access this computer from the network" settings; enabling TCP/IP filtering, the system firewall, SYN attack protection and the screen saver; setting the idle time before the Microsoft network server suspends a session; closing services; changing the SNMP service password; disabling invalid startup items; and disabling Windows AutoPlay.

Network and security device hardening comprises: renaming the default accounts of network and security equipment; setting a longer password length and a stronger password policy; creating a separate account for each equipment administrator and restricting remote login addresses with per-user controls; disabling telnet; setting bandwidth allocation priorities; configuring port-level access control, application-layer filtering and network flow control; setting a login failure handling policy; adjusting and planning the network topology; and adopting a secure remote management login method such as SSH (Secure Shell).

Database hardening comprises: checking the database's current configuration and hardening its accounts, authorization, passwords, logs, policies and patches in turn; assigning different accounts to different administrators; deleting or locking invalid accounts; restricting remote login by super administrators; minimizing privileges; enforcing length and complexity requirements on default passwords, limiting their validity period and preventing password reuse; and enabling logging to record user operations on the equipment, system security events and the database audit policy.

Establishing and improving the information security management system comprises: establishing and implementing, according to the standard, a sound security management system meeting the requirements of the corresponding grade, and further: assigning information security responsibility by establishing an information security leadership group and an information security management department or responsible unit, defining the information security work, determining the security posts and staffing them, and defining the information security responsibilities of the leadership mechanism, the responsible department and personnel; implementing a personnel security management system, with management rules for personnel hiring, departure, assessment and training, implementing their specific measures, and conducting security vetting, training, assessment and security and confidentiality education for staff in security posts; implementing a system construction management system, with management rules for information system grading and filing, scheme design, product procurement and use, cryptography use, software development, project implementation, acceptance and delivery, grade evaluation and security services, and determining the work content, methods, processes and requirements; and implementing a system operation and maintenance management system, with management rules for machine room environment security, storage media security, equipment and facility security, security monitoring, network security, system security, malicious code prevention, password protection, backup and recovery, and incident handling, formulating emergency plans and drilling them regularly.
An entity-based network security system comprising:
a vulnerability scanning module: determining a scheme, configuring a policy, backing up the system, performing the scan, analysing the results, scanning again, repairing the vulnerabilities and performing a secondary recheck scan; the scan detects potential security hazards and vulnerabilities in any one or more of network protocols, network services and network devices against a security vulnerability knowledge base, analyses and identifies vulnerabilities that an intruder could use to illegally enter the network or illegally obtain information assets, and issues reminders; when a host scan command is received or a host scan is performed, the host is first backed up; if the server belongs to a dual-computer hot-standby system, only one of the two servers is scanned in any one scan session; the scan target policy is adjusted for hosts or network devices with special requirements; a single-host scan mode is adopted for a given system, scanning one IP at a time and moving to the next IP only after the current scan is finished; and the scan time for devices on a production network segment is adjusted to a period that does not affect service;
a baseline check module: collecting the login information of the network devices, security devices, operating systems, databases and middleware in the target information system, logging in to the target devices to check their configuration, recording the configuration information and performing configuration security analysis; logging in to the network devices, security devices, operating systems, databases and middleware one by one according to the collected login information, testing the accuracy of the collected login information and the privileges of the accounts, analysing whether all security configuration check items can be covered, and forming a baseline check report;
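The baseline check described above records each device's configuration and compares it against the hardening items the claims list. The following is an added example, not code from the patent or its assignee: it parses a constructed "key value" configuration dump (standing in for the configuration recorded from a logged-in device) and evaluates it against a small rule table covering telnet disabled in favour of SSH, a stronger password length policy, the default administrator account renamed, logging enabled and the SNMP community changed from its default. The configuration format, the rule names and the minimum length of 12 are assumptions for illustration.

```python
"""Baseline configuration check over a constructed device configuration dump.

Added example, not code from the patent. The "key value" format, the rule set
and the threshold of 12 characters are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    key: str                                 # configuration key the rule inspects
    description: str                         # what compliance means for this key
    check: Callable[[Optional[str]], bool]   # receives the value, or None if absent


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'key value' lines; '#' starts a comment; a later key overrides an earlier one."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg[key.lower()] = value.strip()
    return cfg


def _is(expected: str) -> Callable[[Optional[str]], bool]:
    return lambda v: v is not None and v.lower() == expected


def _not_in(defaults: set, absent_ok: bool = False) -> Callable[[Optional[str]], bool]:
    return lambda v: (absent_ok if v is None else v.lower() not in defaults)


RULES: List[Rule] = [
    Rule("telnet", "telnet management disabled", _is("disabled")),
    Rule("ssh", "SSH remote management enabled", _is("enabled")),
    Rule("min_password_length", "password length policy of at least 12 (assumed threshold)",
         lambda v: v is not None and v.isdigit() and int(v) >= 12),
    Rule("admin_account", "default administrator account renamed",
         _not_in({"admin", "administrator", "root"})),
    Rule("logging", "log recording enabled", _is("on")),
    Rule("snmp_community", "SNMP community changed from default, or SNMP not configured",
         _not_in({"public", "private"}, absent_ok=True)),
]


def check_baseline(text: str) -> List[Tuple[str, str, bool]]:
    """Return (key, description, passed) for every rule, in rule order."""
    cfg = parse_config(text)
    return [(r.key, r.description, r.check(cfg.get(r.key))) for r in RULES]


def baseline_summary(text: str) -> Dict[str, object]:
    """Summarize one check: number of rules passed and the ordered list of failed keys."""
    results = check_baseline(text)
    failed = [key for key, _, ok in results if not ok]
    return {"passed": len(results) - len(failed), "failed": failed}


# Constructed sample: what a recorded configuration dump from a network device might look like.
SAMPLE_DEVICE_CONFIG = """\
# constructed sample, not a real device
hostname core-rtr-01
telnet enabled
ssh enabled
min_password_length 8
admin_account admin
logging on
snmp_community public
"""

if __name__ == "__main__":
    for key, desc, ok in check_baseline(SAMPLE_DEVICE_CONFIG):
        print(f"{'PASS' if ok else 'FAIL'} {key:20} {desc}")
```

Running the block against the constructed sample reports two rules passed and four failed (telnet still enabled, password length below the assumed threshold, default administrator account not renamed, default SNMP community), which is the input a baseline check report would be built from.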
a network and security device checking module: checking the reasonableness of device management, account management, authentication and authorization, login methods, log auditing, service port optimization, security protection and security policies; the module comprises an operating system checking unit, a database checking unit, and a Web server and middleware checking unit;
a full-traffic threat analysis module: using threat intelligence and the collected whole-network traffic to analyse and detect internally compromised hosts, external attacks, internal violations and internal risks, to analyse, judge and trace events, and to analyse the asset information and related statistics in the current network;
an intranet asset discovery module: inventorying the host assets and Web servers of the intranet information system and dynamically managing the whole life cycle of the accounts on the intranet assets; it comprises a host asset service discovery unit, a Web service discovery unit and an asset visualization display unit;
an emergency response module: monitoring security problems in the service system, tracing Internet-level attacks through big data analysis, analysing the causes of security events, tracing event sources, classifying the security events, defending against attacks through big data analysis and security threat intelligence, discovering unknown dangerous network behaviour and locating attack sources;
an emergency drilling module: analysing and judging the event; if it is judged to be a suspected computer virus outbreak event, judging whether a system problem exists; if a system problem exists, starting the system emergency plan; if no system problem exists, executing the notification process; then judging whether the virus propagates over the network; if it does, judging whether the infected host needs to be isolated; if the host needs to be isolated, disconnecting its network connection and starting the system emergency plan, then judging whether antivirus measures need to be executed; if the host does not need to be isolated, judging directly whether antivirus measures need to be executed; if antivirus measures are needed, judging whether system data could be damaged; if it could, executing the antivirus measures after a system backup, otherwise executing the antivirus measures directly; after execution, judging whether the virus has been cleaned completely; if antivirus measures are judged unnecessary, judging directly whether the virus has been cleaned completely; if the virus has been cleaned completely, restoring the network connection of the isolated host and executing the reporting process; if the virus still exists after the antivirus measures have been executed, continuing to execute new virus search-and-kill measures until the virus is cleaned;
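The emergency drilling module above is a decision flow. As an added example (not code from the patent or its assignee), the following encodes that flow as a function that records every action taken, so a tabletop drill can be replayed with different inputs and the resulting action list compared against the expected handling. The `Situation` fields are the decision inputs; `rounds_until_clean` simulates how many rounds of antivirus measures are needed before the virus is judged cleaned. Two branches the text leaves implicit (no network propagation, and a host judged not clean although antivirus measures were not planned) are handled as labelled assumptions.

```python
"""Emergency drill decision flow for a suspected computer-virus outbreak.

Added example, not code from the patent. The Situation fields and the two
branches marked as assumptions are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Situation:
    suspected_virus_outbreak: bool
    system_problem: bool          # does the event involve a system problem?
    spreads_over_network: bool    # does the virus propagate over the network?
    isolation_needed: bool        # does the infected host need to be isolated?
    antivirus_needed: bool        # are antivirus measures judged necessary?
    data_may_be_damaged: bool     # could antivirus measures damage system data?
    rounds_until_clean: int       # antivirus rounds needed before the host is clean (0 = clean)


def run_drill(s: Situation) -> List[str]:
    """Walk the drill flow and return the ordered list of actions taken."""
    actions = ["analyse and judge the event"]
    if not s.suspected_virus_outbreak:
        actions.append("not a suspected virus outbreak: outside this drill")
        return actions

    if s.system_problem:
        actions.append("start the system emergency plan")
    else:
        actions.append("execute the notification process")

    isolated = False
    # Assumption: with no network propagation there is nothing to isolate,
    # so the flow moves straight to the antivirus decision.
    if s.spreads_over_network and s.isolation_needed:
        actions.append("disconnect the infected host from the network")
        actions.append("start the system emergency plan")
        isolated = True

    if not s.antivirus_needed and s.rounds_until_clean == 0:
        actions.append("antivirus measures not needed: virus judged cleaned")
    else:
        if not s.antivirus_needed:
            # Assumption: a host judged not clean although antivirus measures were
            # not planned falls through to the search-and-kill loop below.
            actions.append("virus still present: antivirus measures required after all")
        if s.data_may_be_damaged:
            actions.append("back up system data before antivirus measures")
        rounds = 0
        while True:
            rounds += 1
            actions.append(f"execute antivirus measures (round {rounds})")
            if rounds >= max(1, s.rounds_until_clean):
                break
            actions.append("virus still present: prepare new search-and-kill measures")
        actions.append("virus cleaned completely")

    if isolated:
        actions.append("restore network connection of the isolated host")
    actions.append("execute the reporting process")
    return actions


def antivirus_rounds(actions: List[str]) -> int:
    """Count how many antivirus rounds a drill run executed."""
    return sum(1 for a in actions if a.startswith("execute antivirus measures"))


if __name__ == "__main__":
    # Constructed drill input: a network-spreading infection that needs isolation,
    # may damage data during cleanup, and takes two rounds to clean.
    worm = Situation(True, False, True, True, True, True, 2)
    for step in run_drill(worm):
        print("-", step)
```

The value of replaying the flow this way is that the drill record is deterministic: the same inputs always yield the same action sequence, which makes it easy to check that backup precedes the first antivirus round and that an isolated host is reconnected only after the host is judged clean.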
a penetration test module comprising a Web penetration testing unit and an advanced penetration testing unit; the Web penetration testing unit simulates real security attacks to discover potential ways for a hacker to intrude into the information system, comprising information collection, remote overflow, password guessing, local overflow, enterprise user-side attacks, man-in-the-middle attacks, and Web script and application testing; the advanced penetration testing unit, combined with best information security practice, simulates a targeted attack, taking Internet-side assets or internal untrusted/semi-trusted areas as the penetration entry point and simulating a hacker's intranet attack to obtain the highest intranet privileges or sensitive data for further penetration testing, comprising the steps of evaluating the external asset situation, searching for intranet access points, using available intranet access points present in the Internet assets, and deploying a pivot host to penetrate the internal network;
a security operation and maintenance module comprising a daily security operation and maintenance unit, an important-period security guarantee unit and a periodic security inspection unit; the daily security operation and maintenance unit comprises security policy optimization, security product operation and maintenance, and security assessment; the security policy optimization checks whether the security control policies are taking effect and whether they are reasonable, and improves them, comprising the steps of research, scheme making, policy optimization and report output; the security product operation and maintenance comprises monitoring device operation security, auditing device operation security, and updating devices and backing up policies; the security assessment comprises security scanning assessment for discovering the security vulnerabilities existing in the information system in time and correcting vulnerabilities on Windows and Linux servers and security devices, performing security scans of information assets during non-peak service periods on request and in combination with a security vulnerability knowledge base, without using scan modes containing denial-of-service checks, stopping the scan immediately if the scanned system stops responding during the scan, analysing the situation and determining the cause, restoring the system, and scanning again after adjusting the scan policy; the important-period security guarantee unit comprises: before a major holiday, actively detecting the assets the user has exposed on the extranet to form an asset list, performing precise vulnerability scanning according to the asset discovery results, comprehensively checking specific vulnerabilities, notifying major security events comprising one or more of high-risk system vulnerabilities, high-risk worm viruses and severe intrusions and attacks, providing one or more of the event type, scope of influence, solution and prevention scheme, performing a comprehensive security check and security reinforcement of the major systems, retesting the security reinforcement results, and confirming that security problems have been repaired in a timely and effective manner; during the holiday, performing real-time alarm monitoring and log analysis on the firewall, Web application firewall, IDS/IPS, load balancer, web page anti-tampering system and network security auditing system, monitoring the antivirus software and its search-and-kill records, monitoring the state of the application system, database system and service platform and analysing their logs, and, if one or more incidents such as an attack or an intrusion are discovered, investigating and analysing them in time, tracing and analysing the incident source and cause, providing a solution according to the investigated cause and the incident situation, and recording the incident, the incident analysis, the solution and the tracing scheme; the periodic security inspection unit comprises periodic security product inspection and periodic security policy optimization suggestions;
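The holiday-period monitoring above consumes alarms and logs from the firewall, the Web application firewall and the web page anti-tampering system. As an added example (not code from the patent or its assignee), the block below shows one way such log analysis can be done: lines from those three sources are parsed, events are correlated per source address, and alerts are produced for connection bursts, repeated web attack attempts and page tampering, with a source that trips both the firewall and the WAF escalated to high severity. The log line format, the thresholds and the sample lines are all constructed for this example and use documentation address ranges.

```python
"""Holiday-period alarm monitoring over constructed security device logs.

Added example, not code from the patent. The "<timestamp> <device> <ACTION>
key=value ..." format, the thresholds and the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, List, Optional

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<device>fw|waf|tamper) (?P<action>[A-Z]+) (?P<fields>.*)$")


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Parse one log line into a dict; None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event: Dict[str, Any] = {"ts": datetime.fromisoformat(m["ts"]),
                             "device": m["device"], "action": m["action"]}
    for kv in m["fields"].split():
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def analyse(lines: List[str], deny_threshold: int = 5,
            window: timedelta = timedelta(seconds=60),
            waf_threshold: int = 3) -> List[Dict[str, Any]]:
    """Correlate events per source address and return alerts in detection order."""
    denies: Dict[str, List[datetime]] = defaultdict(list)
    waf_blocks: Dict[str, int] = defaultdict(int)
    alerts: List[Dict[str, Any]] = []

    for event in filter(None, map(parse_line, lines)):
        if event["device"] == "fw" and event["action"] == "DENY":
            denies[event["src"]].append(event["ts"])
        elif event["device"] == "waf" and event["action"] == "BLOCK":
            waf_blocks[event["src"]] += 1
        elif event["device"] == "tamper" and event["action"] == "ALERT":
            # Tampering is always critical: the page must be replaced and traced.
            alerts.append({"kind": "page_tampering", "severity": "critical",
                           "site": event.get("site"), "page": event.get("page")})

    # A burst is deny_threshold denies from one source inside one sliding window.
    for src, stamps in denies.items():
        stamps.sort()
        burst = any(stamps[i + deny_threshold - 1] - stamps[i] <= window
                    for i in range(len(stamps) - deny_threshold + 1))
        if burst:
            repeated_web = waf_blocks.get(src, 0) >= waf_threshold
            alerts.append({"kind": "connection_burst", "src": src,
                           "severity": "high" if repeated_web else "medium",
                           "waf_blocks": waf_blocks.get(src, 0)})

    # Sources with repeated WAF blocks that were not already escalated above.
    flagged = {a.get("src") for a in alerts if a["kind"] == "connection_burst"}
    for src, count in waf_blocks.items():
        if count >= waf_threshold and src not in flagged:
            alerts.append({"kind": "web_attack_attempts", "src": src,
                           "severity": "medium", "waf_blocks": count})
    return alerts


# Constructed sample log: one noisy source, one quiet source, one tampering alert.
SAMPLE_LOG = """\
2024-10-01T02:15:03 fw DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-10-01T02:15:05 fw DENY src=203.0.113.7 dst=10.0.0.5 dport=23
2024-10-01T02:15:07 fw DENY src=203.0.113.7 dst=10.0.0.5 dport=3389
2024-10-01T02:15:09 fw DENY src=203.0.113.7 dst=10.0.0.5 dport=445
2024-10-01T02:15:11 fw DENY src=203.0.113.7 dst=10.0.0.5 dport=1433
2024-10-01T02:16:00 waf BLOCK src=203.0.113.7 uri=/login rule=sqli
2024-10-01T02:16:04 waf BLOCK src=203.0.113.7 uri=/search rule=xss
2024-10-01T02:16:09 waf BLOCK src=203.0.113.7 uri=/admin rule=path_traversal
2024-10-01T02:18:30 fw DENY src=198.51.100.9 dst=10.0.0.5 dport=22
2024-10-01T02:19:30 fw DENY src=198.51.100.9 dst=10.0.0.5 dport=22
2024-10-01T02:20:00 tamper ALERT site=www.example.com page=/index.html
2024-10-01T02:21:00 fw ALLOW src=192.0.2.10 dst=10.0.0.5 dport=443
""".splitlines()

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample, the source 203.0.113.7 produces a single high-severity alert (five denies in eight seconds plus three WAF blocks) rather than eight separate ones, the two denies from 198.51.100.9 stay below the default threshold, and the tampering alert is reported regardless of source. Lowering `deny_threshold` shows how the same data produces more, lower-severity alerts.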
a risk assessment module comprising a network security evaluation unit, a host security evaluation unit, an application security evaluation unit, a terminal security evaluation unit, a data security evaluation unit, a physical security evaluation unit, a middleware security evaluation unit and a management security evaluation unit; the network security evaluation unit analyses the organization's network topology architecture, security domain planning, VLAN division, network device configuration, security device configuration and security protection measures, performs security evaluation of the physical network structure, logical network structure and network devices, discovers security and network load problems in the network structure and security and attack-resistance problems in the network devices, evaluates the current security situation of the network, and discovers problems of security, reasonableness and efficiency of use; the host security evaluation unit analyses the operating system, accounts, authentication, authorization, network services, system logs, patch upgrades, virus protection and local security policies, discovers the security holes and potential hazards existing in the system configuration and operation, and analyses and evaluates them according to the service application situation and the security baseline configuration situation, where the analysis and evaluation covers identity authentication, access control, security auditing, intrusion prevention, malicious code prevention and resource control; the application security evaluation unit performs security evaluation of the application system according to its accounts, authentication, authorization, auditing, performance resources, backup and recovery and penetration testing, detects and analyses input validation, identity verification, authorization, configuration management, sensitive data, session management, encryption technology, exception management, auditing, logging and habitual problems, and searches for security vulnerabilities and potential hazards of the application system; the terminal security evaluation unit checks patches, account passwords, network services, virus protection and local security policies, evaluates the security condition of the terminal according to patch upgrades, virus protection, account passwords, network services and local security policies, and searches for security holes and potential hazards of the terminal; the data security evaluation unit detects and analyses the database's user name and password management, database access control, login authentication mode, data security, security vulnerability checks, patch management and security auditing, evaluates the data security situation mainly according to the confidentiality, integrity and availability of the data, and searches for security vulnerabilities and potential hazards that may exist in the data layer; the physical security evaluation unit detects and analyses the physical security perimeter, physical access control, the security protection of offices, rooms and facilities, the protection against external and environmental threats, work control in secure areas, delivery and handover areas, equipment placement and protection, supporting equipment, cabling security, equipment maintenance, asset removal, the security of off-site equipment and assets, secure disposal or reuse of equipment, unattended user equipment, and clear desk and clear screen policies, and evaluates the security of the network machine room according to its physical environment, access control, power supply, cabling, equipment arrangement, labelling specification and machine room systems; the middleware security evaluation unit detects and analyses the middleware's user name and password management, middleware security auditing, login authentication mode, communication confidentiality, resource control and intrusion prevention policy, and evaluates whether the installation, deployment and configuration parameters of the middleware meet the security requirements of application operation; the management security evaluation unit evaluates the current state of information security management according to security organization, security systems, security personnel, security operation and maintenance, security emergency and security training, and searches for possible potential hazards and missing points.
an information system grade protection evaluation module comprising a grade protection gap evaluation unit, a security guarantee system design unit, a grade protection evaluation unit and an information system soft rectification unit; the grade protection gap evaluation unit follows the process of information collection and analysis, tool and form preparation, evaluation object determination, evaluation index determination, evaluation tool access point determination, evaluation content determination, evaluation instruction development, evaluation scheme compilation, evaluation preparation, on-site evaluation and result recording, result confirmation and data return, judgement of single evaluation results, summary analysis of single evaluation results, overall evaluation, formation of the security evaluation conclusion, and evaluation report compilation; the security guarantee system design unit analyses the weaknesses and risks of the current network and information system through the information system grade protection gap evaluation, performs security rectification, completes the topology design of the corresponding products, implements security technical measures and improves the security management system; combining the results of the information system grade protection gap evaluation, it formulates an information security system framework according to the information security grade protection requirements and the actual situation, the framework comprising a security policy, a security technology system, an operation guarantee system and a security organization and management system, where the security policy interacts with the security technology system, the operation guarantee system and the security organization and management system, where the security technology system, the operation guarantee system and the security organization and management system are constructed under the guidance of the security policy, and where all the elements formulated in the security policy are converted into technical implementation methods and management and operation guarantee means so as to achieve the goals set in the security policy; the grade protection evaluation unit tests and evaluates the security grade protection status of the information system, comprising security control evaluation, which evaluates how the basic security controls required by information security grade protection are implemented and configured in the information system, and overall information system evaluation, which evaluates and analyses the overall security of the information system, where the description of the security control evaluation is organized in working units, each working unit comprising security technology evaluation and security management evaluation; the security technology evaluation comprises the following steps: the security management evaluation comprises security control evaluation in the aspects of security management organization evaluation, security management system evaluation, personnel security system evaluation, system construction management evaluation and system operation and maintenance management evaluation; the information system soft rectification unit analyses the weaknesses and risks of the current network and information system through the gap evaluation report of the grade protection gap evaluation, the weaknesses and risks comprising those of the operating system, the database and the network security devices, checks and reinforces the operating system, the database and the network security devices one by one according to the security configuration reinforcement standard for the device, and formulates related risk avoidance measures comprising operating system reinforcement, network/security device reinforcement, database reinforcement, and information security management system establishment and improvement;
an Internet threat detection and active response module providing risk assessment, real-time monitoring, tamper handling and emergency countermeasures for Internet services, so that they obtain renewed and stronger guarantees; the risk assessment evaluates the exposed attack surface, vulnerabilities and content security as a baseline, rechecks regularly and continuously, monitors asset changes regularly, and continuously analyses the risks introduced by newly added assets; the real-time monitoring monitors page tampering, 0-day vulnerabilities, web Trojans, hidden malicious links ("black links"), DNS and availability security events in real time and generates reports to notify users in time; the tamper handling rapidly replaces a tampered site through DNS technology; and the emergency countermeasures are cloud emergency countermeasures that protect sensitive data.
The network security protection method and system based on unit cells use cloud computing technology to integrate the evaluation module, protection module, monitoring module and response module, build an adaptive security protection platform that is intelligently driven by multiple engines and that follows the hacker attack process around the service life cycle, help users manage service security problems comprehensively, and deliver a fully visible security service. Risks are actively evaluated so that they are prevented before they materialize: the distributed scanning system evaluates a service comprehensively once when it goes online, monitors service changes daily, analyses the newly introduced risk problems, and thus perceives changes in risk rapidly. Attack behaviour is reconstructed and protection is linked accordingly, giving complete Web system security protection based on the hacker attack process; through a threat intelligence sharing mechanism the attack source is locked by global linkage, which effectively avoids a second victim. Attack trends against online services are analysed and judged, the protection strategy is continuously tested against attacks and optimized, online real-time response is achieved, security events are handled in time, and users are comprehensively helped to manage service security problems and keep services guaranteed. Using intelligent technologies such as machine learning and security big data, threat intelligence and hidden attacks are continuously mined, the three engines of evaluation, protection and monitoring operate in integrated linkage, and, combined with a distributed architecture, various attack threats can be responded to quickly while the protection capability is continuously improved.
In the vulnerability scanning process, data backup is done before a host scan is performed, and only one of the systems belonging to a dual-computer hot-standby pair is selected for scanning in any one scan session; for important hosts or network devices with special requirements the scan target policy is adjusted, and a production system is not scanned in network segment mode but in single-host mode for a given system, scanning only one IP at a time and setting and scanning the next IP only after the current scan has finished, so that the risk is reduced to a minimum; the time for scanning production network segments is adjusted to a period that does not affect service. The vulnerability scanning policy is maximized so that the latest security vulnerabilities on the target system are checked effectively. The impact of vulnerability scanning is minimized: DDoS options are removed from the scan policy, and port scanning policies are selected in a targeted manner according to the data analysis provided by the client, so that normal operation of the target system is guaranteed. When a dual hot-standby host pair is present among the scan targets, the two hosts must be vulnerability-scanned in different sessions, scanning the standby machine first and then the primary, so that continuity of service is ensured.
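The scanning rules stated in the vulnerability scanning module of the claims and restated in the paragraph above (backup first, one IP per session, hot-standby members in separate sessions with the standby scanned first, no DoS-class checks, production scans off-peak) are the kind of policy a scan scheduler should enforce rather than leave to the operator. The following is an added example, not code from the patent or its assignee: a planner that produces compliant scan sessions from a host inventory and a check list, and a validator that reports violations of the same rules in any plan. Host roles, the check names, the "off-peak" window label and the convention that DoS-class checks carry "dos" or "flood" in their names are constructed assumptions.

```python
"""Scan scheduling according to the vulnerability scanning policy.

Added example, not code from the patent. Host roles, check names and the DoS
naming convention are assumptions constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Host:
    ip: str
    role: str = "standalone"        # "standalone", "primary" or "standby"
    pair_id: Optional[str] = None   # hosts sharing a pair_id form one hot-standby pair
    production: bool = False        # production systems are scanned off-peak only


@dataclass
class ScanSession:
    target_ip: str                  # single-host mode: exactly one IP per session
    window: str                     # "off-peak" or "any"
    checks: List[str]
    steps: List[str]


DOS_MARKERS = ("dos", "flood")      # assumption: DoS-class checks carry these words


def sanitize_checks(checks: List[str]) -> List[str]:
    """Drop denial-of-service style checks from the scan policy."""
    return [c for c in checks if not any(m in c.lower() for m in DOS_MARKERS)]


def order_hosts(hosts: List[Host]) -> List[Host]:
    """Standby before primary within a pair; paired hosts first, then the rest."""
    rank = {"standby": 0, "primary": 1, "standalone": 2}
    return sorted(hosts, key=lambda h: (h.pair_id is None, h.pair_id or "",
                                        rank.get(h.role, 3), h.ip))


def plan_scans(hosts: List[Host], checks: List[str]) -> List[ScanSession]:
    """Build one compliant session per host, each preceded by a backup step."""
    safe_checks = sanitize_checks(checks)
    sessions: List[ScanSession] = []
    for h in order_hosts(hosts):
        steps = ["determine scheme and configure policy",
                 "back up host data",
                 f"scan single IP {h.ip}",
                 "analyse results",
                 "repair vulnerabilities",
                 "rescan and recheck"]
        sessions.append(ScanSession(h.ip, "off-peak" if h.production else "any",
                                    safe_checks, steps))
    return sessions


def validate_plan(sessions: List[ScanSession], hosts: List[Host]) -> List[str]:
    """Return the policy violations found in a plan; an empty list means compliant."""
    by_ip: Dict[str, Host] = {h.ip: h for h in hosts}
    problems: List[str] = []
    first_seen: Dict[str, Dict[str, int]] = {}   # pair_id -> role -> session index
    for idx, s in enumerate(sessions):
        h = by_ip[s.target_ip]
        if any(m in c.lower() for c in s.checks for m in DOS_MARKERS):
            problems.append(f"{s.target_ip}: DoS-class check left in policy")
        if h.production and s.window != "off-peak":
            problems.append(f"{s.target_ip}: production host not scheduled off-peak")
        if "back up host data" not in s.steps[:2]:
            problems.append(f"{s.target_ip}: scan not preceded by a backup")
        if h.pair_id:
            first_seen.setdefault(h.pair_id, {}).setdefault(h.role, idx)
    for pair_id, roles in first_seen.items():
        if roles.get("standby", -1) > roles.get("primary", 10**9):
            problems.append(f"pair {pair_id}: primary scanned before standby")
    return problems


# Constructed inventory: one production hot-standby database pair and one standalone host.
SAMPLE_HOSTS = [
    Host("10.0.1.10", role="primary", pair_id="db-cluster", production=True),
    Host("10.0.1.11", role="standby", pair_id="db-cluster", production=True),
    Host("10.0.2.5"),
]
SAMPLE_CHECKS = ["ssh_weak_ciphers", "smb_signing_disabled", "syn_flood_dos", "http_slowloris_flood"]

if __name__ == "__main__":
    plan = plan_scans(SAMPLE_HOSTS, SAMPLE_CHECKS)
    for s in plan:
        print(s.target_ip, s.window, s.checks)
    print("violations:", validate_plan(plan, SAMPLE_HOSTS))
```

Keeping the validator separate from the planner matters in practice: a plan edited by hand, or produced by another tool, can still be checked against the same rules before the scan is launched, and the pair-ordering check catches the case the text singles out, scanning the primary of a hot-standby pair before its standby.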
Vulnerability scanning can perform scan evaluation on the evaluated target to find security vulnerabilities with wide coverage; especially when the vulnerabilities of a large range of IPs are checked, the evaluation environment is completely consistent with the online running environment of the evaluated object, so the network security problems and network security threats existing in the host systems and network devices are reflected more truthfully. Security scanning and evaluation of the core servers and important network devices in the network, including servers, switches, firewalls and the like, detects and analyses the security vulnerabilities of the network devices and reminds the security manager of the identified vulnerabilities that an intruder could use to illegally enter the network or illegally obtain information assets, so that security policies are completed in time and security risks are reduced.
Through the security baseline check, the security loopholes and weak links of IT equipment such as servers, network devices and security devices are discovered; the discovered vulnerabilities are identified, analysed, repaired and rechecked; high- and medium-risk hidden dangers in the IT equipment are eliminated or reduced; security events are prevented; the vulnerabilities of the information system are prevented from being illegally exploited; the security prevention capability of the information system is enhanced; and the sustainability of services is guaranteed.
Full-traffic threat detection and analysis mainly uses threat intelligence together with the collected whole-network traffic and an analysis model to provide periodic detection, discovery and response services for key information security problems such as internally compromised hosts, external attacks, internal violations and internal risks. It improves the ability to cope actively with security threats and constructs the last line of defence in information security. Full-traffic threat detection and analysis also helps in understanding internal business process access, and provides a necessary basis for the subsequent security analysis, security data baselining, deep mining of security data and security data auditing using big data analysis technology.
Emergency security incident response consists of the measures and actions taken quickly after a security threat incident occurs, in order to restore the confidentiality, integrity and availability of the system as fast as possible and to prevent and reduce the severe impact of the incident. An Internet-level attack tracing service is provided using big data analysis technology, so that stable operation of the system is ensured and the security of the service system is maintained. The classification of security event levels and the response modes are preset in advance, so that an in-place response service can be guaranteed quickly and accurately. Security problems occurring in the service system are monitored and discovered in time so that security events can be responded to in time; in responding to a security event, the problem is located accurately, troubleshooting is performed in time and the service is restored. Making full use of security big data resources and security threat intelligence improves the ability to perceive and defend against unknown threats, effectively defends against novel attacks such as APT, discovers the network behaviour of unknown threats early and quickly, and locates attack sources accurately.
Penetration testing employs various means to simulate real security attacks and thereby discover potential ways for hackers to intrude into information systems. Advanced penetration testing combines international and domestic information security best practice, simulates the targeted attacks of advanced hackers, takes Internet-side assets or internal untrusted/semi-trusted areas as the penetration entry point, and simulates a hacker's intranet attack to obtain the highest management privileges or sensitive data of the internal network; it comprehensively evaluates the effectiveness of the enterprise's current overall security situation and its security analysis capability, provides corresponding rectification and reinforcement suggestions according to the test results, assists users in implementing the rectification and reinforcement, and raises the security level of the user's Internet-side service systems and of the internal network as a whole.
System go-live security evaluation is an important link in the life cycle of an application system: a pre-go-live security detection scheme is formulated on the basis of the application system construction plan and a full investigation of the current situation, detection work is carried out according to the construction status of the information system platform and the pre-go-live security detection scheme, a thorough and comprehensive security weakness evaluation is performed, and potential security loopholes are found. Through the pre-go-live detection, all assets covered by the application system are confirmed and identified again, a compliance analysis of the implementation of the application system's grade protection construction measures is completed, and a comprehensive risk assessment of all the security measures and management systems implemented for the application system's grade protection is carried out to clarify the residual risks; a gap analysis is then performed according to the risk assessment results, the pre-go-live detection results and the compliance analysis results, and security improvement suggestions are provided to ensure the security of the new system before it goes online.
Security policy optimization analyses and adjusts the on-site security devices, network environment, operation and maintenance privileges and existing policies to ensure that the security policies are used efficiently; the security product operation and maintenance service performs security product state monitoring, security event alarm monitoring, security product upgrades and updates of versions and rule bases, policy backup and similar work to ensure the secure and efficient operation of the devices; and the security assessment service periodically assesses the basic equipment through analysis, finds the existing problems and vulnerabilities, and provides solutions for optimization and improvement.
To ensure the security of customers during major holidays, the security guarantee is designed to cover monitoring and early warning, security testing, event discovery and the like across the three important phases before, during and after the holiday, and to run through the whole process of early warning, protection, monitoring and response. It guarantees the continuous security of the customer's information system, reduces risks before an impact occurs, and finds and solves problems in time after an event occurs.
Risk is the possibility of something with a destructive power occurring. Risk management is the process of identifying, assessing, and reducing risks to an acceptable level, and implementing the right mechanisms to maintain this level of risk. Risk analysis is a method of identifying risks and the losses that they may cause, and thereby adjusting safety precautions. With the continuous development of networks and information systems of any enterprise, the functions of the networks and the information systems are increasingly enhanced, and the whole business is greatly influenced by the weak points, threats and potential risks, so that the enterprise can adopt a scientific method of 'risk management' for the safety management of the networks and the information systems, the safety work is prevented in advance, and the safety guarantee level and the safety capacity of customers are improved.
Based on the requirements of network safe operation and service safety guarantee, scientific network operation guarantee is established, safety problems in related network services are deeply excavated, the network safe operation and event response speed are comprehensively guaranteed through safe monitoring and safe operation and maintenance, the defects of the network in the prior art are found out through safety service, a safety technology protection system is promoted, the safety technology protection measures are really brought into full play, the safe operation of a network complex rule is finally guaranteed, and data safety is realized.
The Internet threat detection and the active response provide continuous risk assessment, real-time monitoring, tampering treatment and emergency countermeasure service, so that a user can obtain safer guarantee again.
Drawings
FIG. 1 is a diagram of an information security architecture according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the information system security level protection evaluation according to an embodiment of the invention.
Detailed Description
The network security protection and safety method based on the unit cell of the embodiment of the invention comprises the following steps:
vulnerability scanning: determining a scheme, configuring a policy, backing up the system, performing the scan, analyzing the result, scanning again, repairing the vulnerabilities and performing a secondary recheck scan; detecting potential security hazards and vulnerabilities of any one or more of network protocols, network services and network equipment according to a security vulnerability knowledge base, analyzing and identifying vulnerabilities that an intruder could use to illegally enter the network or illegally obtain information assets, and issuing a reminder; when a host scanning command is received or a host scan is performed, first performing a data backup of the host; if the server is a dual-machine hot-standby system, scanning only one of the two servers in any one scanning session; adjusting the scanning object policy for hosts or network equipment with special requirements, adopting a single-host scanning mode for such a system, scanning one IP at a time and starting the next IP only after the previous scan is finished; and adjusting the scanning time for equipment on a production network segment to a time period that does not affect service;
baseline check: collecting login information for the network equipment, security equipment, operating systems, databases and middleware in the target information system; checking the equipment configuration by logging in to the target equipment, recording the configuration information and performing a configuration security analysis; logging in to the network equipment, security equipment, operating systems, databases and middleware one by one according to the collected login information, testing the accuracy of the collected login information and the permissions of the account, and analyzing whether all security configuration check items can be covered; and forming a baseline check report;
checking network and security equipment: checking equipment management (such as the console, SSH (Secure Shell protocol), management IP and AAA (Authentication, Authorization, Accounting)), account management, authentication and authorization, login method, log audit, service port optimization, security protection (such as SNMP (Simple Network Management Protocol), protocol encryption and address spoofing) and the rationality of the security policies; and further checking the operating system, checking the database, and checking the Web (World Wide Web) server and middleware;
full-traffic threat analysis: analyzing threat intelligence together with the collected whole-network traffic; detecting internally compromised hosts, external attacks, internal violations and internal risks; analyzing and judging events and tracing their sources; and analyzing the asset information and related statistical data in the current network;
discovering intranet assets: combing through the host assets and Web servers of the intranet information system and dynamically managing the whole life cycle of the accounts of the intranet assets, including: host asset service discovery, Web service discovery and visual display of assets;
emergency response: monitoring security problems in the service system, tracing Internet-level attacks through big-data analysis, analyzing the causes of security events, tracing event sources, classifying the security events, defending against attacks through big-data analysis and security threat intelligence, discovering unknown dangerous network behaviors and locating attack sources;
emergency drill: analyzing and judging the event; if it is judged to be a suspected computer virus outbreak, judging whether a system problem exists; if a system problem exists, starting the system emergency plan; if no system problem exists, executing the notification process and judging whether the virus spreads over the network; if it does, judging whether the infected host needs to be isolated; if it needs to be isolated, disconnecting its network connection, starting the system emergency plan and judging whether antivirus measures need to be executed; if it does not need to be isolated, directly judging whether antivirus measures need to be executed; if antivirus measures need to be executed, judging whether system data could be damaged; if so, executing the antivirus measures after a system backup, and if not, executing the antivirus measures directly; after execution, judging whether the virus has been cleaned completely; if it is judged that no antivirus measures are needed, directly judging whether the virus has been cleaned completely; if the virus has been cleaned completely, restoring the network connection of the isolated host and executing the reporting process; and if the virus still exists after the antivirus measures are executed, continuing to execute new virus search-and-kill measures until the virus is cleaned;
The penetration test includes a Web penetration test and an advanced penetration test. The Web penetration test simulates a real security attack and discovers the potential paths by which a hacker could invade the information system, including: information collection, remote overflow, password guessing, local overflow, enterprise user-side attack, man-in-the-middle attack, and Web script and application testing. The advanced penetration test includes: in combination with information security best practice, simulating a targeted strike, taking the Internet-side assets or the internal untrusted/semi-trusted areas as penetration entry points, and simulating a hacker's intranet attack to obtain the highest intranet privileges or sensitive data for further penetration testing, which comprises the steps of evaluating the external assets, searching for an intranet access point, using the available intranet access points present in the Internet assets, and deploying a pivot host to perform intranet penetration of the internal network;
the security operation and maintenance includes: daily security operation and maintenance, security assurance at important moments, and periodic security inspection;
the daily security operation and maintenance includes: security policy optimization, security product operation and maintenance, and security assessment;
security policy optimization: checking and improving whether the security control policies take effect and whether they are reasonable, including: investigation, scheme preparation, policy optimization and report output;
security product operation and maintenance includes: monitoring the operational security of the equipment, auditing the operational security of the equipment, and updating the equipment and backing up its policies;
the security assessment includes: a security scanning evaluation for discovering the security vulnerabilities existing in the information system in time, conducting vulnerability correction on Windows and Linux servers and on security equipment, and conducting security scanning of information assets in off-peak service periods, on application and in combination with the security vulnerability knowledge base, without using any scanning mode that contains denial-of-service tests; if the scanned system stops responding during the scan, stopping the scan immediately, analyzing the situation and determining the cause, restoring the system, and scanning again after adjusting the scanning policy;
security assurance at important moments includes: before a major holiday, actively detecting the assets the user exposes on the extranet to form an asset list, carrying out precise vulnerability scanning according to the asset discovery results and comprehensively checking specific vulnerabilities; notifying major security events comprising one or more of high-risk system vulnerabilities, high-risk worm viruses and severe intrusions and attacks, and providing one or more of the event type, the scope of impact, the solution and the prevention scheme; carrying out a comprehensive security check and security hardening of the major systems, retesting the hardening results and confirming that security problems have been repaired in time and effectively; during the holiday, carrying out real-time alarm monitoring and log analysis on the firewall, the Web application firewall, the IDS/IPS (Intrusion Detection System/Intrusion Prevention System), the load balancing system, the web page anti-tampering system and the network security audit system, monitoring the antivirus software and analyzing its logs, and monitoring the state of the application systems, database systems and service platform and analyzing their logs; and if one or more attack or intrusion incidents are discovered, investigating, analyzing and tracing them in time, analyzing the source and cause of the incident, providing a solution according to the investigated cause and the incident situation, and recording the incident, the analysis, the solution and the tracing scheme;
periodic security inspection includes: periodic security product inspection and periodic security policy optimization suggestions;
the risk assessment includes: network security assessment, host security assessment, application security assessment, terminal security assessment, data security assessment, physical security assessment, middleware security assessment and management security assessment;
the network security assessment includes: analyzing the organization's network topology architecture, security domain planning, VLAN division, network equipment configuration, security equipment configuration and security protection measures; performing a security evaluation of the physical network structure, the logical network structure and the network equipment; discovering security and network load problems of the network structure and security and attack-resistance problems of the network equipment; and evaluating the current security situation of the network and discovering problems of security, rationality and efficiency of use;
the host security assessment includes: analyzing the operating system, accounts, authentication, authorization, network services, system logs, patch upgrades, virus protection and local security policies; discovering security vulnerabilities and potential security hazards in system configuration and operation; and analyzing and evaluating according to the service application conditions and the security baseline configuration, the analysis and evaluation covering identity authentication, access control, security audit, intrusion prevention, malicious code prevention and resource control;
the application security assessment includes: performing a security evaluation of the application system with respect to its accounts, authentication, authorization, audit, performance resources, backup and recovery and penetration test; detecting and analyzing input validation, identity verification, authorization, configuration management, sensitive data, session management, encryption technology, exception management, audit, logging and problems of habitual practice; and searching for security vulnerabilities and potential security hazards of the application system;
the terminal security assessment includes: checking patches, account passwords, network services, virus protection and local security policies; evaluating the security condition of the terminal according to patch upgrades, virus protection, account passwords, network services and local security policies; and searching for security vulnerabilities and potential security hazards of the terminal;
the data security assessment includes: detecting and analyzing the user name and password management, access control, login authentication mode, data security, security vulnerability inspection, patch management and security audit of the database; evaluating the data security condition according to the confidentiality, integrity and availability of the data; and searching for security vulnerabilities and potential security hazards that may exist at the data layer;
the physical security assessment includes: detecting and analyzing the physical security boundary and physical access control; detecting and analyzing the security protection of offices, rooms and facilities and the protection against external and environmental threats; detecting and analyzing secure-area work control, delivery and handover areas, equipment placement and protection, supporting utilities, cabling security, equipment maintenance, asset movement, off-site equipment and asset security, secure disposal or reuse of equipment, unattended user equipment, and clear-desk and clear-screen policies; and evaluating the security of the network machine room according to its physical environment, access control, power supply, cabling, equipment arrangement, labeling specification and machine-room systems;
the middleware security assessment includes: detecting and analyzing the user name and password management, security audit, login authentication mode, communication confidentiality, resource control and intrusion prevention policies of the middleware, and evaluating whether the installation, deployment and configuration parameters of the middleware meet the security requirements of application operation;
the management security assessment includes: evaluating the current status of information security management with respect to the security organization, security system, security personnel, security operation and maintenance, security emergency response and security training, and searching for potential security hazards and missing points.
The information system level protection evaluation includes: level protection gap evaluation, security assurance system design, level protection evaluation and information system soft rectification;
the level protection gap evaluation includes the following processes: information collection and analysis; tool and form preparation; determination of the evaluation objects; determination of the evaluation indices; determination of the evaluation tool access points; determination of the evaluation content; development of the evaluation instructions; compilation of the evaluation scheme; preparation for evaluation implementation; on-site evaluation and result recording; result confirmation and data return; judgment of single evaluation results; summary analysis of single evaluation results; overall evaluation; formation of the security evaluation conclusion; and compilation of the evaluation report;
the design of the security assurance system includes: analyzing the weaknesses and risks of the current network and information system through the information system level protection gap evaluation, carrying out security rectification, completing the topology design of the corresponding products, implementing security technical measures and perfecting the security management system; and establishing an information security system framework according to the information security level protection requirements and the actual situation, in combination with the level protection gap evaluation result;
as shown in FIG. 1, the information security architecture of this embodiment includes: a security policy, a security technology system, an operation assurance system, and a security organization and management system;
the security policy interacts with the security technology system, the operation assurance system and the security organization and management system;
the security technology system, the operation assurance system and the security organization and management system are constructed under the guidance of the security policy, and all elements formulated in the security policy are converted into technical implementation methods and management and operation assurance means to realize the goals set out in the security policy;
as shown in FIG. 2, the level protection evaluation of this embodiment includes: testing and evaluating the security level protection status of the information system, including a security control evaluation, which evaluates the implementation and configuration of the basic security controls required by information security level protection in the information system, and an information system overall evaluation, which evaluates and analyzes the overall security of the information system; the description of the security control evaluation is organized by working units, a working unit comprising security technology evaluation and security management evaluation; the security technology evaluation includes physical security evaluation, network security evaluation, host system security evaluation, application security evaluation and data security evaluation; and the security management evaluation includes security control evaluation in the aspects of security management organization, security management system, personnel security system, system construction management and system operation and maintenance management;
the information system soft rectification includes: analyzing the weaknesses and risks of the current network and information system through the gap evaluation report of the level protection gap evaluation, the weaknesses and risks including those of the operating systems, databases and network security equipment; checking and hardening the operating systems, databases and network security equipment one by one according to the security configuration hardening standard for the equipment; and formulating related risk-avoidance measures, which include operating system hardening, network/security equipment hardening, database hardening, and establishment and improvement of the information security management system;
Internet threat detection and active response include: providing risk assessment, real-time monitoring, tampering disposal and emergency countermeasures for Internet services, so that a further level of security assurance is obtained;
the risk assessment includes: evaluating the exposed surface, vulnerabilities and content security; taking the evaluated exposed surface, vulnerabilities and content security as a baseline, continuously rechecking at regular intervals, monitoring asset changes at regular intervals, and continuously analyzing the risk introduced by newly added assets;
the real-time monitoring includes: monitoring page tampering, 0day vulnerabilities (vulnerabilities that are held or disclosed before the system manufacturer learns of them and releases the relevant patches), web trojans, hidden illicit links, DNS (Domain Name System) and availability security events, and generating reports to notify users in time;
the tampering disposal includes: rapidly replacing the tampered site by means of DNS;
the emergency countermeasures include: carrying out cloud-based emergency countermeasures to protect sensitive data.
The vulnerability scanning evaluation of this embodiment mainly detects potential security hazards and vulnerabilities of various information assets such as network protocols, network services and network equipment according to the security vulnerability knowledge base. The scan may be carried out over the network with a tool. A security scanning evaluation tool is used to scan the core servers and important network equipment in the network, including servers, switches and firewalls, so that security vulnerabilities of the network equipment are detected and analyzed, and the security manager is reminded of identified vulnerabilities that an intruder could use to illegally enter the network or illegally acquire information assets, so that the security policies are completed in time and security risks are reduced.
The policy selection before vulnerability scanning in this embodiment follows these principles. First, the vulnerability scanning policy is maximized so that the latest security vulnerabilities on the target system are checked effectively. Second, the impact of vulnerability scanning is minimized: DDoS (distributed denial-of-service) options are removed from the scanning policy, and the port scanning policy is selected in a targeted manner according to the data analysis provided by the client, so that normal operation of the target system is guaranteed. When the scanning targets include a dual-machine hot-standby pair, the two hosts are placed in different sessions for vulnerability scanning. The scanning order is to scan the standby machine first and the primary machine afterwards, so that service continuity is ensured.
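The session rules in the vulnerability scanning step and the policy selection above, as an added Python example (not the patent's own code): one IP per session, the two hosts of a hot-standby pair in different sessions with the standby scanned first, production segments pushed to the off-peak window, denial-of-service plugin categories excluded, and the run stopped as soon as a target stops responding. The inventory and the plugin-category name "dos" are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    ip: str
    role: str = "standalone"       # "standalone", "primary" or "standby"
    pair: Optional[str] = None     # id shared by the two hosts of a hot-standby pair
    production: bool = False       # production segment: scan only in the off-peak window


@dataclass
class ScanSession:
    target: str                    # exactly one IP per session
    window: str                    # "off_peak" or "any"
    backup_first: bool = True      # a data backup of the host precedes every host scan
    # plugin categories removed from the policy; "dos" is a placeholder category name
    excluded_categories: List[str] = field(default_factory=lambda: ["dos"])


# Constructed inventory: one production hot-standby pair plus a standalone test host.
SAMPLE_INVENTORY = [
    Asset("10.0.1.10", role="primary", pair="db-cluster", production=True),
    Asset("10.0.1.11", role="standby", pair="db-cluster", production=True),
    Asset("10.0.2.5"),
]


def validate_pairs(assets: List[Asset]) -> None:
    """A hot-standby pair must consist of exactly one primary and one standby."""
    roles_by_pair: Dict[str, List[str]] = {}
    for a in assets:
        if a.pair is not None:
            roles_by_pair.setdefault(a.pair, []).append(a.role)
    for pair, roles in roles_by_pair.items():
        if sorted(roles) != ["primary", "standby"]:
            raise ValueError(f"pair {pair!r}: expected one primary and one standby, got {roles}")


def plan_sessions(assets: List[Asset]) -> List[ScanSession]:
    """Order the assets into single-IP sessions.

    All standby hosts come first, then the primaries, then standalone hosts;
    the stable sort keeps inventory order inside each group. Because every
    session holds one IP, the two hosts of a pair can never share a session.
    """
    validate_pairs(assets)
    rank = {"standby": 0, "primary": 1}
    ordered = sorted(assets, key=lambda a: rank.get(a.role, 2))
    return [ScanSession(target=a.ip, window="off_peak" if a.production else "any")
            for a in ordered]


def run_plan(sessions: List[ScanSession], scan: Callable[[ScanSession], bool]) -> List[str]:
    """Run the sessions strictly one after another.

    `scan` performs one session and returns False if the target stopped
    responding. The policy is to stop the whole run at that point so the
    cause can be analysed, the system restored and the strategy adjusted
    before rescanning, so no later session is started.
    """
    outcome: List[str] = []
    for s in sessions:
        if scan(s):
            outcome.append(f"{s.target}: scanned")
        else:
            outcome.append(f"{s.target}: aborted, target unresponsive")
            break
    return outcome


if __name__ == "__main__":
    plan = plan_sessions(SAMPLE_INVENTORY)
    # simulate the primary database host dropping off during its session
    for line in run_plan(plan, lambda s: s.target != "10.0.1.10"):
        print(line)
```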
Further, the login information of this embodiment includes: login mode, login account and password, and management host information.
Further, the baseline check of this embodiment further includes: carrying out a configuration check of the target information system according to the baseline check best practices at each level (network equipment, security equipment, operating system, database and middleware); recording the current equipment configuration, analyzing the current security configuration, comparing it with the security baseline, and finding and recording the differences in security configuration; and forming a baseline check report from the analysis of the overall baseline differences in combination with the current state of the information system.
Further, the operating system check of this embodiment includes: basic information check, patch management, user accounts, password security, permission management, logs and audit, system service port check, security protection and network protocol security.
Further, the database check of this embodiment includes: checking account security, database connection security, database security component configuration, log configuration and communication protocols.
Further, the Web server and middleware check of this embodiment includes: management application restriction check, directory listing check, check of files outside the Web directory whose access is forbidden, HTTP request message body size, default port check, error page redirection, disabling of directory listing, prevention of denial-of-service attacks, useless files installed by default, hiding of version numbers and sensitive information, account management, authentication and authorization, log configuration, communication protocols, and equipment and security requirements.
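The baseline comparison described above, carried through for one operating-system check item (the SSH service), as an added Python example that is not the patent's code: it parses an sshd_config fragment the way sshd reads it (the first occurrence of an option wins, and options below a Match line are not global), compares the effective values with a baseline, and records each difference with its severity. The fragment is constructed, and the fallback defaults listed in BASELINE are an assumption taken from current OpenSSH releases.

```python
import re
from typing import Dict, List, Set, Tuple

# option -> (allowed values, value sshd assumes when the option is absent, severity)
# The "absent" defaults are an assumption based on current OpenSSH releases;
# confirm them against the version deployed on the checked host.
BASELINE: Dict[str, Tuple[Set[str], str, str]] = {
    "permitrootlogin":        ({"no"}, "prohibit-password", "high"),
    "passwordauthentication": ({"no"}, "yes", "high"),
    "permitemptypasswords":   ({"no"}, "no", "high"),
    "x11forwarding":          ({"no"}, "no", "medium"),
    "maxauthtries":           ({"1", "2", "3", "4"}, "6", "medium"),
    "loglevel":               ({"info", "verbose"}, "info", "low"),
}

# Constructed sshd_config fragment as it might be recorded during the check.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host
Port 22
PermitRootLogin yes
PermitRootLogin no          # ignored by sshd: the first value wins
MaxAuthTries 3
X11Forwarding = yes
Match User deploy
    PasswordAuthentication no   # applies only to 'deploy', so not a global setting
"""

_OPTION = re.compile(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*?)$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global options, keyword lower-cased.

    sshd keeps the FIRST value given for an option, and everything after a
    Match line is conditional, so parsing stops there.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = _OPTION.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, value)          # first occurrence wins
    return effective


def baseline_check(config_text: str, baseline=BASELINE) -> List[dict]:
    """Compare the effective settings with the baseline; one finding per gap."""
    effective = parse_sshd_config(config_text)
    findings = []
    for key, (allowed, default, severity) in baseline.items():
        if key in effective:
            value, source = effective[key], "configured"
        else:
            value, source = default, "default (option absent)"
        if value.lower() not in allowed:
            findings.append({"option": key, "current": value, "source": source,
                             "expected": sorted(allowed), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in baseline_check(SAMPLE_SSHD_CONFIG):
        print(f"[{f['severity']}] {f['option']}: {f['current']} ({f['source']}), "
              f"expected one of {f['expected']}")
```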
The unit of this embodiment may be a company, an institution, a school, a public service organization, or an organization associated with one of these, such as a school-run enterprise, a joint office, a group company or an affiliated company (for example a system-sharing affiliate, an upstream affiliate or a downstream affiliate), as the unit for which network security protection is performed.
Further, the asset information and related statistical data in the current network of this embodiment include: asset statistics, attack surface statistics, newly added asset information, asset change information, newly added attack surface information, attack surface change information and a detailed list of newly added assets.
Further, the asset statistics of this embodiment include: counting the proportion of each server type according to the server type of the asset.
Further, the attack surface statistics of this embodiment include: statistics of the various open ports.
Further, the detailed list of newly added assets of this embodiment includes: the IP address of the asset, the server type, the server version, the status and the detection time.
Further, the detection of external attacks of this embodiment includes: deserialization attack detection, Web attack situation analysis and password brute-force attack detection.
Further, the deserialization attack detection of this embodiment includes: analyzing and finding the number of deserialization attack behaviors against internal services and the details of each such attack.
Further, the deserialization attack details of this embodiment include: attack time, source IP, and destination IP/port.
Further, the Web attack situation analysis of this embodiment analyzes the attack situation of the internal servers through traffic, and analyzes the overall distribution of Web attack types, the detailed information of each attack means, and the attack results.
Further, the attack results of this embodiment include: attack alarm, attack trapping and prompt.
Further, the attack means of this embodiment include one or more of: Webshell (a code execution environment in the form of web page files such as asp, php, jsp or cgi, used for website and server management), scanning by the China Chopper webshell client used by the criminal underground, Web vulnerability scanning, Struts2 (a Web application framework based on the MVC design pattern) attacks, upload attacks, SQL (Structured Query Language) injection attacks, information leakage, and newly added files in the application system.
Further, the password brute-force attack detection of this embodiment detects the number of brute-force attacks on different servers each day, the type of service, the brute-force attacks on mail services, the brute-force attacks on remote management services and the brute-force attacks on database services.
Further, the attack situation of this embodiment includes: attack source IP, destination IP, protocol, number of attack attempts within 60 seconds, and brute-force result.
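The brute-force detection just described, run over constructed authentication events as an added Python example (not the patent's code): failed logins are grouped by source IP, destination IP and protocol, the peak number of failures inside any 60-second window is measured, and each alert carries the fields listed above, with the result marked "succeeded" when a successful login from the same source follows the burst. The threshold of 10 attempts is an assumption.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed authentication events: (epoch seconds, source IP, destination IP, protocol, outcome)
Event = Tuple[int, str, str, str, str]
T0 = 1_709_258_400  # arbitrary base time for the constructed sample


def _failures(start: int, n: int, step: int, src: str, dst: str, proto: str) -> List[Event]:
    return [(start + i * step, src, dst, proto, "failed") for i in range(n)]


SAMPLE_EVENTS: List[Event] = (
    # 12 SSH failures within 44 s from one source, then a success: guessing that worked
    _failures(T0, 12, 4, "203.0.113.7", "10.0.0.25", "ssh")
    + [(T0 + 60, "203.0.113.7", "10.0.0.25", "ssh", "success")]
    # 8 MySQL failures spread over 70 s: never more than 6 inside any 60 s window
    + _failures(T0 + 3600, 8, 10, "198.51.100.9", "10.0.0.30", "mysql")
    # one mistyped password followed by a normal login: not an attack
    + [(T0 + 7200, "10.0.5.12", "10.0.0.25", "ssh", "failed"),
       (T0 + 7215, "10.0.5.12", "10.0.0.25", "ssh", "success")]
)


def peak_in_window(times: List[int], window: int) -> int:
    """Largest number of sorted timestamps falling inside any span shorter than `window` seconds."""
    peak = left = 0
    for right in range(len(times)):
        while times[right] - times[left] >= window:
            left += 1
        peak = max(peak, right - left + 1)
    return peak


def detect_brute_force(events: List[Event], threshold: int = 10, window: int = 60) -> List[dict]:
    """Report each (source, destination, protocol) whose failed logins reach
    `threshold` inside `window` seconds, with the fields the page lists:
    attack source IP, destination IP, protocol, attempts within 60 s, result."""
    by_key: Dict[Tuple[str, str, str], List[Tuple[int, str]]] = defaultdict(list)
    for ts, src, dst, proto, outcome in events:
        by_key[(src, dst, proto)].append((ts, outcome))
    alerts = []
    for (src, dst, proto), evs in sorted(by_key.items()):
        evs.sort()
        fails = [t for t, o in evs if o == "failed"]
        if not fails:
            continue
        peak = peak_in_window(fails, window)
        if peak < threshold:
            continue
        # a success after the first failed attempt means the guessing eventually worked
        succeeded = any(o == "success" and t > fails[0] for t, o in evs)
        alerts.append({"attack_source_ip": src, "destination_ip": dst, "protocol": proto,
                       "attack_times_within_60s": peak,
                       "blasting_result": "succeeded" if succeeded else "failed"})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_EVENTS):
        print(alert)
```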
Further, the detection of internal violations of this embodiment includes: exposed surface detection, illegal external connection detection, malicious DNS (Domain Name System) analysis, ACL (Access Control List) combing, weak password detection, abnormal login detection and irregular service analysis.
Further, the exposed surface detection of this embodiment analyzes the illegal attack surface information in the current network through big-data analysis.
Further, the illegal attack surface information of this embodiment includes: attack surface statistics, newly added attack surface information, attack surface change information and attack surface information.
Further, the attack surface statistics of this embodiment include: statistics of the various open ports.
Further, the attack surface information of this embodiment includes: server IP, port and service type.
Further, the illegal external connection detection of this embodiment analyzes the illegal external connection information in the environment.
Further, the illegal external connection information of this embodiment includes any one or more of: the physical location of the destination IP of the illegal external connection, the historical trend of illegal external connection events, the detailed time of the illegal external connection event, the source IP, the destination IP and the port.
Further, the malicious DNS analysis of this embodiment monitors and analyzes the DNS requests made by the internal network through traffic analysis, analyzes the reputation of the requested domains in combination with threat intelligence, and finds internal requests for malicious domains together with their details.
Further, the details of a malicious DNS request of this embodiment include: request time, source IP, the malicious domain name requested, and the physical location of the domain name.
Further, the ACL combing of this embodiment analyzes the access relationships of all existing IPs in the current network, including the access relationships from a source IP to the different ports of a destination IP, analyzes the ACL management and control in the network, and handles internally unreasonable ACLs.
Further, the weak password detection and analysis of the embodiment discovers the state of the weak password of the internal server, reports the total number of the weak passwords, the number of passive statistical discovery, the number of dictionary matching discovery and the number of active discovery, and detects and analyzes information of the weak password of the mail service, the remote management service and the database service.
Further, the information of the mail service, the remote management service, and the database service weak password of the embodiment includes: affected account number, weak password, affected server, protocol, and detected time.
Further, the abnormal login detection of the embodiment includes: detecting abnormal behavior of an internal server, comprising: abnormal details of external login and internal server, abnormal login details, and non-working time login details.
Further, the details of the exception of the external login internal server in this embodiment include: IP of external login, IP home, internal server IP, protocol, access time.
Further, the details of the abnormal login in this embodiment include: the method comprises the steps of user, common login place, remote login place and discovery time.
Further, the details of the non-working time login of the embodiment include: source IP, IP home, destination IP, protocol, access time.
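The three abnormal login checks above (external login to an internal server, login from a place other than the user's common one, login outside working hours), as an added Python example that is not the patent's code, producing the detail records each check lists. The login records, the IP-home lookup table, the user profiles and the working-hours window (09:00-18:00, Monday to Friday, in the server's local time) are all constructed assumptions; a real deployment would back IP_HOME with a geolocation service.

```python
import ipaddress
from datetime import datetime
from typing import Dict, List

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WORK_START, WORK_END = 9, 18          # assumption: working hours 09:00-18:00, Monday to Friday

# Constructed stand-in for an "IP home" (geolocation) lookup: network -> place label.
IP_HOME = {
    ipaddress.ip_network("10.0.0.0/8"): "HQ office",
    ipaddress.ip_network("203.0.113.0/24"): "City A",
    ipaddress.ip_network("198.51.100.0/24"): "City B",
}
# Constructed user profiles: each user's common login place.
USUAL_PLACE = {"alice": "HQ office", "bob": "HQ office"}

# Constructed login records: (local timestamp, user, source IP, destination IP, protocol)
SAMPLE_LOGINS = [
    ("2024-03-04T10:05:00", "alice", "10.0.5.12", "10.0.0.25", "ssh"),     # Monday, in hours, internal
    ("2024-03-04T22:40:00", "bob", "10.0.5.40", "10.0.0.25", "rdp"),       # Monday night
    ("2024-03-06T11:00:00", "alice", "203.0.113.77", "10.0.0.25", "ssh"),  # from outside, unusual place
    ("2024-03-09T03:00:00", "carol", "198.51.100.5", "10.0.0.30", "ssh"),  # Saturday, from outside
]


def ip_home(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, place in IP_HOME.items():
        if addr in net:
            return place
    return "unknown"


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_non_working_time(ts_text: str) -> bool:
    ts = datetime.fromisoformat(ts_text)
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def detect_abnormal_logins(logins, usual_place=USUAL_PLACE) -> Dict[str, List[dict]]:
    """Apply the three checks to every login record and return, per category,
    the detail records the page lists for it."""
    findings: Dict[str, List[dict]] = {"external_login": [], "abnormal_location": [],
                                       "non_working_time": []}
    for ts_text, user, src, dst, proto in logins:
        home = ip_home(src)
        # 1. external address logging in to an internal server
        if not is_internal(src) and is_internal(dst):
            findings["external_login"].append({"external_ip": src, "ip_home": home,
                                               "internal_server_ip": dst, "protocol": proto,
                                               "access_time": ts_text})
        # 2. login place differs from the user's common login place (users without
        #    a profile are skipped rather than flagged)
        usual = usual_place.get(user)
        if usual is not None and home != usual:
            findings["abnormal_location"].append({"user": user, "common_login_place": usual,
                                                  "remote_login_place": home,
                                                  "discovery_time": ts_text})
        # 3. login outside working hours or on a weekend
        if is_non_working_time(ts_text):
            findings["non_working_time"].append({"source_ip": src, "ip_home": home,
                                                 "destination_ip": dst, "protocol": proto,
                                                 "access_time": ts_text})
    return findings


if __name__ == "__main__":
    for category, records in detect_abnormal_logins(SAMPLE_LOGINS).items():
        print(category, records)
```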
Further, the irregular service analysis of this embodiment includes: detection and discovery of remote control services, proxy services and Regeory Tunnel services, HTTP (Hyper Text Transfer Protocol) proxy detection and discovery, SOCKS (Protocol for sessions traversal across firewall securely) proxy detection and discovery, teaview/IRC (professional remote connection tool / Internet Relay Chat) detection and discovery, and analysis of the connection time, source IP, destination IP and service type of the connecting service.
Further, the event judgment of this embodiment includes: finding attack and compromise events, WEB attack events and internal abnormal information, judging whether the event is a genuine malicious attack by using network penetration information combined with cloud threat intelligence, and analyzing the cause of the event.
Further, the event tracing of this embodiment tracks and traces the malicious attack event, analyzes the physical location of the attacker, preserves evidence of the attacker's behavior, and analyzes the means commonly used by the attacker.
Further, the host asset service discovery of this embodiment includes: scanning for and discovering newly added assets, asset changes, newly opened ports and port changes, identifying the operating system, IP address and domain name, and outputting an asset information report.
Further, the Web service discovery of this embodiment includes: analyzing and discovering ports, Web servers, development languages, partial information about front-end WAFs, and Web service conditions. The asset visualization of this embodiment displays asset information, supports rapid retrieval and report export of asset information, and can output a Web service information report.
Further, the emergency drill of this embodiment further includes: performing an emergency drill for a network attack event.
Further, the network attack event emergency drill of this embodiment includes: analysis and judgment; if the event is judged to be a malicious attack on an external network website, the attack source IP address is located from the system log, the firewall log, network traffic analysis and the analysis of the webpage tamper-proof system; it is judged whether the attack source can be determined and, if not, whether the attack source type can be determined; at the same time, according to the system security condition, it is judged whether one or more malicious attacks among tampering, SQL (Structured Query Language) injection, XSS (Cross Site Scripting), Trojan and illegal intrusion have been determined; if so, the webpage tamper-proof system checks whether the page has been tampered with; if it has, the cause of the vulnerability is detected; if not, it is checked whether the IDS (intrusion detection system) has detected an intrusion, and if so, it is verified; if not, it is judged whether the attack source type can be determined. If the attack type can be determined, it is judged whether the vulnerability can be recovered and repaired; if the attack source type cannot be determined, the emergency plan is started. If the vulnerability is judged recoverable and repairable, it is recovered and repaired; if not, the emergency plan is started. After the vulnerability is recovered and repaired, it is judged whether the attack continues: if it continues, the attack source is determined and the emergency plan is started; if it does not continue, the notification flow is executed. If the IP address or attack path of the attack source cannot be located, or the network path of the attack cannot be closed after analysis, the emergency plan (for the case where the system is unavailable) is started and notification is given.
Further, the information collection of the Web penetration test of this embodiment includes: collecting the operating system type, analyzing the network topology, scanning ports and identifying the services provided by the target system, by one or more of host network scanning, port scanning, operating system type determination, application determination, account scanning and configuration determination; password guessing uses brute-force attacks and dictionaries to guess passwords.
Further, the Web script and application test of this embodiment includes: injection, cross-site scripting attack, broken authentication and session management, insecure direct object references, cross-site request forgery, checking for security misconfiguration, detecting insecure cryptographic storage, failure to restrict URL access, detecting insufficient transport layer protection, and detecting unvalidated redirects and forwards. The injection test of this embodiment comprises: injection attack vulnerabilities, in which untrusted data is sent to an interpreter as part of a command or query statement, tricking the interpreter into executing unintended commands or accessing unauthorized data. The cross-site scripting attack of this embodiment comprises: when the application receives data containing untrusted data and sends it to a web browser without validation and escaping, scripts are executed in the browser, hijacking user sessions, defacing websites or redirecting users to malicious websites. The broken authentication and session management of this embodiment includes: application functions related to authentication and session management are not implemented correctly, so that passwords, keys, session tokens or other weaknesses can be exploited to impersonate other users. The insecure direct object reference of this embodiment includes: exposing a reference to an internal implementation object, creating an insecure direct object reference, and manipulating that reference to access unauthorized data.
The cross-site request forgery of this embodiment includes: a cross-site request forgery attack forces the browser of a logged-in user to send a forged HTTP request to the vulnerable Web application. Checking for security misconfiguration of this embodiment: it is detected whether a secure configuration is defined, implemented and maintained for the application, framework, application server, Web server, database server and platform, and whether the software is updated in time. The detection of insecure cryptographic storage of this embodiment includes: detecting whether the Web application uses encryption or a hash algorithm to protect sensitive data, since weakly protected data is used for identity theft and credit card fraud. The failure to restrict URL access of this embodiment includes: forged URLs accessing hidden web pages. The detection of insufficient transport layer protection of this embodiment includes: detecting whether the application fails to perform authentication, whether encryption is used, whether there are confidentiality and integrity measures protecting sensitive network data, whether the application uses a weak algorithm, whether an expired or invalid certificate is used, and whether authentication, encryption and protection measures are used correctly.
The detection of unvalidated redirects and forwards in this embodiment comprises: detecting that the Web application redirects or forwards users to other Web pages or websites, judging whether the destination page is determined from untrusted data without validation, which can redirect users to a phishing website or forward them to an unauthorized page.
Further, evaluating the external asset condition and searching for an intranet access point of this embodiment includes: judging through information collection and analysis whether a remote control vulnerability exists; if so, system privileges are obtained and a report is generated after information collection and analysis; if no remote control vulnerability exists, judging whether a common remote vulnerability exists; if so, performing information collection and analysis and then judging whether local ordinary-user privileges can be obtained; if not, generating a report; if so, performing information collection and analysis and then judging whether local privilege escalation is possible; if not, generating a report; if local privilege escalation is possible, generating a report after information collection and analysis, and if it is not possible, generating a report directly. The intranet penetration from the intranet access point and the deployment of a jump host into the internal network using the internet assets in this embodiment comprise the following steps: after confirming the asset scope of the intranet penetration, basic intranet information is acquired; at the system layer, port scanning is performed and, after known CVE vulnerability scanning, system vulnerability verification and exploitation; at the application layer, application platform information, version fingerprint data and conventional vulnerability scanning information are collected, and application vulnerability verification and discovery are performed; then the comprehensive use of the vulnerability data is completed, control privileges are raised, information interception, remote control and resource expansion are carried out, and the penetration test report is submitted and awaits review.
The information collection and analysis of this embodiment includes: baseline check and vulnerability scanning. The baseline check of this embodiment includes: performing a baseline check on the system to discover security vulnerabilities and weak points of servers, network devices and security devices, and identifying, analyzing, repairing and re-checking the discovered vulnerabilities; the vulnerability scanning includes scanning the system for vulnerabilities, checking the potential security hazards and vulnerabilities of the various information assets in network protocols, network services and network devices, and performing security vulnerability detection and analysis on network devices to assist in correcting the vulnerabilities.
Further, the investigation of this embodiment includes: collecting information on the security devices, the network environment, the operation and maintenance permissions and the existing security policies. The security device information of this embodiment includes: device name, person responsible for the device, device manufacturer and model, management address and method, physical address, device administrator information, user name and password, and device white paper. The network environment information of this embodiment includes: network topology diagram, server asset information, network device asset information, and business system information. The operation and maintenance permission information of this embodiment includes: operation and maintenance personnel permissions and the maintenance management address. The existing security policies of this embodiment include: access control policy, security protection policy and behavior audit policy. The formulation of the scheme of this embodiment comprises: performing a gap analysis of the existing security policies according to the information collected by the investigation and the actual security requirements of the users, finding the problems of missing policies, redundant policies and policies that were never retired, and drawing up a scheme. The gap analysis of the existing security policies in this embodiment includes: analyzing the business security requirements of the users, analyzing the gaps in the existing security policies, and analyzing the overall situation of the security policy gaps. Analyzing the user business security requirements of this embodiment includes: summarizing the business systems and asset information and drawing up the security protection policy requirements. Analyzing the gaps in the existing security policies of this embodiment includes: access control policy gap analysis, security protection policy gap analysis and behavior audit policy gap analysis.
The policy optimization of this embodiment includes: access control policy optimization, security protection policy optimization and behavior audit policy optimization. The access control policy optimization of this embodiment covers: boundary access control devices and operation and maintenance management devices. For the boundary access control device of this embodiment: the access requirements of the business systems are sorted out, an access control policy is customized per business, the source address, destination address and service are made explicit, the number, date and applicant of the policy enablement order are recorded, missing policies are added, overly coarse policies are modified, and redundant policies are deleted. For the operation and maintenance management device of this embodiment: the operation and maintenance personnel and maintenance requirement information is sorted out; operation and maintenance personnel are created or adjusted according to the unit's organizational structure, with the names and contact details of the personnel defined; asset information is created or adjusted according to the unit responsible for the business, requiring the IP address, hosted business and physical location of each asset to be defined; and corresponding policies are created for the different operation and maintenance personnel. The security protection policy optimization of this embodiment covers: intrusion detection devices and the Web application firewall.
For the intrusion detection device of this embodiment: the basic information of the business system is sorted out, an intrusion detection protection object is created for the business system, the assets contained and the responsible personnel are clarified, an intrusion protection policy is formulated comprising an intrusion attack policy, a Trojan virus policy and an audit policy, the intrusion protection policy is created for each business system, and the policy is optimized according to the asset types, operating system types and software business types contained in the business system. For the Web application firewall of this embodiment: the basic information of the business system is sorted out, a Web application protection object is created for the business system, the assets contained and the responsible personnel are defined, and protection policies are formulated, comprising a Web malicious scanning protection policy, an SQL injection protection policy, an XSS attack protection policy, a website Trojan-planting (drive-by download) protection policy, a hotlink protection policy and a webpage tampering protection policy. The behavior audit policy optimization of this embodiment comprises: network security audit, database audit and internet access behavior management. The network security audit of this embodiment includes: the basic information of the business system is sorted out, and a business access audit policy and a management and maintenance audit policy are created for the business system; the business access audit policy audits all network behavior accessing the business system, and the management and maintenance audit policy covers all management and maintenance network behavior of the business system.
The database audit of this embodiment includes: sorting out the business system information and database information, creating audit policies for each database, comprising dangerous command auditing, abnormal login auditing, abnormal maintenance auditing and abnormal tool auditing, creating business system objects according to the business system information, creating report policies for the different business systems, and generating an audit report for each business system. The internet access behavior management of this embodiment includes: sorting out the terminal information, creating or adjusting terminal users according to the organizational structure of the unit where the terminal user is located, and creating an internet access behavior audit policy for the user, comprising a mail audit policy, a website access audit policy, a messaging and chat audit policy, a posting audit policy and a keyword audit policy.
The device operation security monitoring of this embodiment includes: monitoring network devices, security devices and hosts, setting alarm thresholds and alarm rules for the various functional indicators, discovering abnormal running states of the devices in time, raising different alarms for the monitored security events according to their level and type, starting the fault handling flow if a device is judged to be faulty, and adjusting the alarm thresholds according to the actual situation. The monitoring of network devices of this embodiment includes: device hardware state inspection, device software state inspection, device performance state inspection, security policy inspection and optimization, and log inspection. The device hardware state inspection of this embodiment comprises: inspecting the running condition of the device hardware, including the running state of the power supply, fans, chassis, boards, flash card and status lights, inspecting the stability, cabling, labeling and identification of the physical ports, and inspecting the device hardware alarm information. The device software state inspection of this embodiment comprises: inspecting the running condition of the system kernel and checking whether a new kernel upgrade is available. The device performance state inspection of this embodiment comprises: checking CPU utilization, memory utilization, network interface utilization and buffer usage. The security policy inspection and optimization of this embodiment includes: checking the correctness and effectiveness of the security policy.
The log check of this embodiment includes: checking whether logs are received normally and whether full log processing is needed, and collecting and analyzing the logs. The monitoring of security devices of this embodiment comprises: security device hardware state inspection, security device software state inspection, security device performance state inspection, security policy optimization of the security device, security device log inspection, and rule base inspection of the security device. The security device hardware state inspection of this embodiment comprises: inspecting the running condition of the security device hardware, including the running state of the power supply, fans, chassis, boards, flash card and status lights, checking the stability of the physical ports, and checking their cabling, labeling and identification. The security device software state inspection of this embodiment comprises: checking the running state of the system kernel, whether a new kernel upgrade is available, and the version upgrade status of the software system. The security device performance state inspection of this embodiment comprises: checking CPU utilization, memory utilization, network interface utilization and buffer usage. The security policy optimization of the security device of this embodiment includes: checking the correctness and effectiveness of the security policy. The security device log check of this embodiment includes: checking whether the logs are normal and whether full log processing is needed, and collecting and analyzing the logs.
The rule base check of the security device of this embodiment includes: checking the update status of the virus definitions, including the anti-virus gateway definitions and the IDS/IPS rule base. The monitoring of hosts of this embodiment comprises: host hardware state inspection, host operating system security inspection, host performance inspection, suspicious service process inspection and virus inspection. The host hardware state inspection of this embodiment comprises: checking the running state of the host hardware, including the power supply, fans, chassis, boards and status lights, checking the network card state, IP address and routing table, and checking the running state of the disk array, the system fault indicator and the system hardware error reports. The host operating system security check of this embodiment includes: checking the operating system software version, checking the installation of one or more of Windows series patches, Linux system patches and Unix series patches, checking and optimizing the security configuration of the operating system, including accounts, security policies and services, analyzing the system logs and checking patch installation. The host performance check of this embodiment includes: checking CPU utilization, memory utilization, swap utilization, disk space usage and I/O conditions. The suspicious service process check of this embodiment includes: checking the names of the enabled services, whether each service is necessary, and the resources it occupies.
The virus inspection of this embodiment includes: checking the installation of the client anti-virus software, the update status of the virus definition library, policy distribution and virus handling. The device operation security audit of this embodiment comprises: using the security management platform, combined with the asset information, to find the associations among the data in network access logs, management behavior records, operation behavior records, product operation records, network traffic and security monitoring information, setting correlation analysis rules and filter conditions, and mining network attack and operational fault information. The device and policy backup and update of this embodiment includes: performing security protection through daily policy configuration and device upgrades, optimizing policies, and maintaining the policy and configuration backups of the security products, including policy configuration, policy review, device upgrade, and backup and recovery. The policy configuration of this embodiment includes: analyzing the actual security requirements of the business system and the functions of the security product according to the overall security policy, and configuring the security policy of the security product according to the policy configuration flow. The policy review of this embodiment comprises: regularly reviewing the policy configuration of the security product, identifying redundant and obsolete policies, and deleting them after confirmation.
The device upgrade of this embodiment comprises: regularly upgrading the software version, rule base and feature base of the security product, backing up the original system before upgrading, testing the upgrade package, regularly checking for manufacturer version updates, and recording the operation. The backup and recovery of this embodiment includes: regularly backing up the configuration and policies of the product, storing the backup on a dedicated server, and recording the backup operations. The vulnerability remediation of this embodiment includes: repairing the vulnerabilities of the servers and security devices within the scan scope, and hardening the applications and databases against vulnerabilities.
The periodic security product inspection of this embodiment includes the work of periodically checking the security condition of the security product during its operation, comprising device operation security monitoring, device operation security audit, and device and policy backup and update: alarm thresholds and alarm rules are set for the CPU utilization, memory utilization, disk utilization and network interface connectivity of the security product and monitored in real time; if an abnormal running state of the security product is found, it is confirmed, and if a product fault is confirmed, the fault handling flow is started; during monitoring, the alarm thresholds are adjusted according to the actual situation to obtain a baseline of the security product's running state; according to the alarm rules, different alarms are raised for the monitored security events according to their level and type, and the alarm information is sent to the security management platform, which informs the operation and maintenance or inspection personnel, who take handling measures according to the security event; the security management platform, combined with the asset information, finds the associations among one or more of network access logs, management behavior records, operation behavior records, product operation records and network traffic, sets correlation analysis rules and filter conditions, and mines network attack and operational fault information; security protection is carried out through policy configuration and device upgrades, policies are optimized, and the policy and configuration backups of the security products are inspected daily.
The periodic security policy optimization recommendation of this embodiment includes: collecting information on the security devices, the network environment, the operation and maintenance permissions and the existing security policies, implementing the security product inspection, performing gap evaluation and remediation suggestions for the existing security policies in combination with the user's actual business security requirements, and performing policy optimization; the remediation suggestion comprises a security policy optimization suggestion, which comprises: an access control policy optimization implementation method, a security protection policy optimization implementation method and a behavior audit policy optimization implementation method.
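The threshold alarm rules, alarm levels, fault-handling dispatch and baseline-based threshold adjustment described in the device operation security monitoring and periodic inspection passages above, as an added example that is not code from the patent. The indicator names, thresholds, the consecutive-sample suppression rule, the median baseline and the dispatch actions are constructed assumptions.

```python
"""Device operation security monitoring: per-indicator alarm thresholds and rules,
alarms graded by level, fault-handling dispatch, and threshold adjustment from the
observed running-state baseline. Added example, not code from the patent.

Assumptions (not from the page): metric samples are (indicator, value) pairs; thresholds,
the consecutive-sample rule, the median baseline and the dispatch actions are constructed.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class AlarmRule:
    indicator: str
    warning: float            # value at or above this raises a 'warning'
    critical: float           # value at or above this raises a 'critical'
    min_consecutive: int = 1  # samples over threshold before alarming (suppresses blips)


@dataclass(frozen=True)
class Alarm:
    indicator: str
    level: str
    value: float
    threshold: float


class DeviceMonitor:
    def __init__(self, rules: Sequence[AlarmRule]) -> None:
        self.rules: Dict[str, AlarmRule] = {r.indicator: r for r in rules}
        self.history: Dict[str, List[float]] = {}
        self.streak: Dict[str, int] = {}

    def observe(self, indicator: str, value: float) -> Optional[Alarm]:
        """Record one sample and return an Alarm if the rule for the indicator fires."""
        self.history.setdefault(indicator, []).append(value)
        rule = self.rules.get(indicator)
        if rule is None:
            return None
        if value >= rule.critical:
            level, threshold = "critical", rule.critical
        elif value >= rule.warning:
            level, threshold = "warning", rule.warning
        else:
            self.streak[indicator] = 0
            return None
        self.streak[indicator] = self.streak.get(indicator, 0) + 1
        if self.streak[indicator] < rule.min_consecutive:
            return None
        return Alarm(indicator, level, value, threshold)

    def baseline(self, indicator: str) -> Optional[float]:
        """Running-state baseline: median of everything observed so far."""
        samples = self.history.get(indicator)
        return median(samples) if samples else None

    def adjust_thresholds(self, indicator: str, margin: float) -> Optional[AlarmRule]:
        """Re-derive thresholds as baseline + margin (warning) and baseline + 2*margin
        (critical), capped at 100 for percentage indicators."""
        base, rule = self.baseline(indicator), self.rules.get(indicator)
        if base is None or rule is None:
            return None
        rule.warning = min(base + margin, 100.0)
        rule.critical = min(base + 2 * margin, 100.0)
        return rule


def connectivity_alarm(interface: str, reachable: bool) -> Optional[Alarm]:
    """Network interface connectivity is binary: unreachable is always critical."""
    return None if reachable else Alarm(f"connectivity:{interface}", "critical", 0.0, 1.0)


def dispatch(alarm: Alarm) -> str:
    """Critical alarms confirm a fault and start the fault-handling flow; warnings notify."""
    return "start_fault_handling_flow" if alarm.level == "critical" else "notify_operations"


def run_monitoring(monitor: DeviceMonitor,
                   samples: Sequence[Tuple[str, float]]) -> List[Alarm]:
    alarms: List[Alarm] = []
    for indicator, value in samples:
        alarm = monitor.observe(indicator, value)
        if alarm is not None:
            alarms.append(alarm)
    return alarms


# Constructed rules and sample readings (percent utilization).
RULES = [
    AlarmRule("cpu_utilization", warning=80, critical=95, min_consecutive=2),
    AlarmRule("memory_utilization", warning=85, critical=95),
    AlarmRule("disk_utilization", warning=80, critical=90),
]
SAMPLES = [
    ("cpu_utilization", 50), ("cpu_utilization", 85),   # single spike: suppressed
    ("cpu_utilization", 97),                            # second consecutive: critical
    ("memory_utilization", 90),                         # warning
    ("disk_utilization", 40),                           # normal
]

if __name__ == "__main__":
    mon = DeviceMonitor(RULES)
    for a in run_monitoring(mon, SAMPLES):
        print(a, "->", dispatch(a))
    print("cpu baseline:", mon.baseline("cpu_utilization"))
    print("adjusted rule:", mon.adjust_thresholds("cpu_utilization", 10))
```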
Further, the security evaluation of network devices of this embodiment includes: checking the access control security of the network device, checking the security protection configuration of the network device, and checking the policies of the network device. Checking the access control security of the network device of this embodiment includes: checking the software version, device vulnerabilities and security problems. The check of the network device security protection configuration of this embodiment includes: checking user security and system password security, checking logs, evaluating device access control security, device management security and network device service security, and evaluating through the service application conditions and the security baseline configuration. The network device policy check of this embodiment includes: evaluating the policy configuration and usage of the existing network devices and security devices, evaluating whether the policy configuration meets the business requirements, and ensuring the security of the system. The identity authentication of this embodiment includes: detecting, analyzing and evaluating the identification and authentication mechanism measures, password security management, account lockout settings and account security management; the access control includes: detecting, analyzing and evaluating privileged user management, file system security characteristics and network service security, and evaluating whether the default share settings conform to the principle of least privilege; the security audit includes: detecting, analyzing and evaluating the system logs and audit policies. The intrusion prevention of this embodiment includes: detecting, analyzing and evaluating patch management and vulnerability risk.
The malicious code prevention of this embodiment includes: detecting, analyzing and evaluating the management of anti-malware software. The resource control of this embodiment includes: detecting, analyzing and evaluating the resource control policy. The potential security hazards of the application system of this embodiment include: security function design, security vulnerabilities, and vulnerabilities in security deployment. The detection and analysis of input validation of this embodiment includes: detecting whether the application validates all input data; whether all input data is validated for length, range, format and type; whether there is data that relies on client-side validation code; whether the application trusts data written onto a Web page; whether all code and system command content in user-submitted data is filtered or converted; whether data is validated at the entry point when transferred between different trust boundaries; detecting whether the application uses an independent database account assigned minimal database, table and field permissions; detecting whether the database disables or deletes unnecessary stored procedures; whether database error information is masked; and analyzing whether there is or may be unvalidated data written onto a Web page, SQL queries generated from unvalidated input that introduce SQL injection threats, use of a deny-list instead of an allow-list to filter input, use of an input file, URL (Uniform Resource Locator) or user name to make security decisions, or reliance on client-side authentication.
The detection analysis authentication of the embodiment includes: detecting whether a user name and a password are sent on an unprotected channel in a plaintext form, whether sensitive information has a special encryption method, whether certificates are stored, if so, how to store and protect the information, whether strong passwords are executed, what password strategy is executed, whether secondary authentication is added in identity authentication, whether graphic verification codes or short message verification codes are executed, how credentials are verified, how users subjected to identity verification are identified after login for the first time, analyzing whether identity verification credentials or identity verification cookies are transmitted on an unencrypted network link or whether existence or possible existence exists, causing credential capture or session attack, and whether unauthorized access caused by using the weak passwords and the account strategy exists. The detection analysis authorization of the embodiment includes: detecting whether necessary behavioral auditing has been performed, what access control has been used at an application entry point, whether the application uses roles, if roles are used, detecting whether granularity is fine enough for access control and auditing purposes, detecting whether the application restricts access to system resources, detecting whether database access is restricted, how the database is authorized, analyzing whether unauthorized roles and accounts are used, whether sufficient role granularity is provided, whether system resources are restricted to specific application identities. 
The detection analysis of configuration management of the present embodiment includes: detecting how the remote management interface is protected; how configuration storage is protected; whether sensitive configuration data is encrypted; whether administrator privileges are separated; whether processes and service accounts run with the lowest privileges; whether a whitelist policy is applied to management IP addresses; analyzing whether configuration secrets, including connection strings and service account credentials, are stored in plaintext; whether the application's configuration management, including the management interface, is protected; whether unauthorized process accounts and service accounts are used; whether installation scripts delete data directories and file names; whether file extensions are configured; and whether directory permissions are improperly set. The detection and analysis of sensitive data of the present embodiment includes: detecting whether confidential information is stored in permanent storage; how sensitive data is stored; whether sensitive data is transmitted over the network; whether sensitive data is backed up for disaster recovery; and analyzing whether confidential information is retained when it is no longer needed, whether confidential information is stored in code in plaintext, and whether sensitive data is transmitted over the network in plaintext.
The detection analysis of session management of the embodiment includes: detecting how session cookies are generated; how session identifiers are exchanged; how session state is protected across the network; how session state is protected against session attacks; how session state storage is protected; whether the application limits the lifetime of a session; how the application authenticates with the session store; and analyzing whether session identifiers are passed over an unencrypted channel, whether session lifetime is extended, whether session state is stored insecurely, and whether the session identifier is located in the query string. The detection analysis of encryption technology of the embodiment includes: detecting which algorithms and encryption technologies are used; whether the application uses a user-defined encryption algorithm; how and for how long keys are protected; how often keys are changed; how keys are distributed; and analyzing whether a user-defined encryption method is used, whether a wrong algorithm or a key of too short a length is used, whether keys are left unprotected, and whether the same key is used for a prolonged period. The detection analysis of exception management of the present embodiment includes: detecting how the application handles error conditions; whether exceptions are allowed to propagate back to the client; whether the application displays too much information to the client; where the application records exception details; whether log files are secure; and analyzing whether all input parameters are verified and whether too much information is displayed to the client.
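Several of the session management checks above (identifier in the query string, identifier passed over an unencrypted channel, missing cookie protection, unlimited session lifetime) can be run mechanically over captured request URLs and Set-Cookie headers. The following is an added example and not code from the patent; the cookie names treated as session identifiers, the lifetime limit and the sample exchange are constructed assumptions.

```python
"""Added example (not from the patent): detection logic for several of the
session management checks listed above, run over constructed HTTP data."""
from urllib.parse import parse_qs, urlsplit

# Assumed cookie / query parameter names treated as session identifiers.
SESSION_NAMES = {"sessionid", "jsessionid", "phpsessid", "sid"}
# Assumed policy limit on session lifetime (seconds); the text only says the
# application should limit session lifetime, not by how much.
MAX_SESSION_SECONDS = 30 * 60


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def check_session_cookie(header, scheme):
    """Findings for one Set-Cookie header delivered over the given URL scheme."""
    findings = []
    name, _, attrs = parse_set_cookie(header)
    if name.lower() not in SESSION_NAMES:
        return findings  # not a session cookie, nothing to report
    if scheme != "https":
        findings.append("session identifier passed over an unencrypted channel")
    if "secure" not in attrs:
        findings.append("session cookie lacks the Secure attribute")
    if "httponly" not in attrs:
        findings.append("session cookie lacks the HttpOnly attribute")
    if "max-age" not in attrs and "expires" not in attrs:
        # No client-visible lifetime; the server-side limit must be verified separately.
        findings.append("session cookie lifetime not visible in cookie attributes")
    elif attrs.get("max-age", "").isdigit() and int(attrs["max-age"]) > MAX_SESSION_SECONDS:
        findings.append("session lifetime exceeds the policy limit")
    return findings


def check_url(url):
    """Findings for a request URL: a session identifier carried in the query string."""
    findings = []
    parts = urlsplit(url)
    for key in parse_qs(parts.query):
        if key.lower() in SESSION_NAMES:
            findings.append(f"session identifier '{key}' located in the query string")
    return findings


def evaluate_exchange(url, set_cookie_headers):
    """Combine URL and cookie findings for one request/response pair."""
    scheme = urlsplit(url).scheme.lower()
    findings = check_url(url)
    for header in set_cookie_headers:
        findings.extend(check_session_cookie(header, scheme))
    return findings


# Constructed sample exchange (not captured from any real system).
SAMPLE_URL = "http://app.example.test/login?user=alice&sessionid=abc123"
SAMPLE_SET_COOKIES = [
    "sessionid=abc123; Path=/; Max-Age=86400",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for finding in evaluate_exchange(SAMPLE_URL, SAMPLE_SET_COOKIES):
        print("-", finding)
```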
The detection of auditing and logging of the embodiment includes: detecting whether the application has determined the main activities to audit; whether the application is audited across all layers and servers; how log files are protected; and analyzing whether logging failures are audited, whether audit files are protected, and whether auditing is performed across the application layers and servers. The detection and analysis of habit problems of the embodiment includes: detecting programming habits, analyzing whether programmers prefer to modify programs directly on the server, causing the editor to generate multiple backup files on the server, and whether those files may expose program code; and analyzing whether programmers store sensitive information, including database passwords, in files. The penetration test of the present embodiment includes: within a permitted and controllable scope, attacking the network and system with a controlled hacker intrusion method that causes no irreparable loss, obtaining confidential information from the intruded system, and forming a report from the intrusion process and its details. The patch check, account and password check, and network service check of the embodiment can be performed with a vulnerability scanning tool. The virus protection check may be performed with a malicious code removal tool. Local policy is checked through the local security policy interface, check scripts, and a configuration scanning tool. The detection analysis of database user name and password management includes: detecting and analyzing user permission settings, password policy settings, and the management of redundant accounts.
The detection and analysis of database access control of the embodiment includes: detecting and analyzing access IP address control and communication security configuration. The data security detection and analysis of the embodiment includes: detecting and analyzing the storage mode of sensitive information and database backups. The database security audit detection analysis of the embodiment includes: detecting and analyzing audit logs and operation logs. The detection and analysis of the physical security boundary of the embodiment includes: detecting and analyzing whether security boundary protection is in place, where security boundary protection covers the security of sensitive information, dangerous information and information processing facilities. The detection analysis of physical access control of the embodiment includes: checking whether the security area is protected by access control and whether only authorized persons are allowed access. The detection and analysis of the security protection of offices, rooms and facilities includes: detecting and analyzing whether physical security measures are applied to offices, rooms and facilities. The detection and analysis of protection against external and environmental threats includes: detecting and analyzing whether physical security measures are taken to prevent natural disasters, malicious attacks or accidents. The detection analysis of work control in secure areas includes: detecting and analyzing whether physical protection measures and guidelines for working in secure areas are designed and applied.
The detection and analysis of the delivery and loading (interface) area includes: detecting and analyzing whether access points, including the delivery area and other points where unauthorized persons could enter the premises, are controlled, whether they are isolated from information processing facilities, and whether unauthorized access is avoided. The detection and analysis of equipment placement and protection includes: detecting and analyzing whether equipment is sited and protected, whether environmental threats and hazards are reduced or avoided, and whether unauthorized access is reduced or avoided. The detection analysis of supporting utilities includes: detecting and analyzing whether equipment is protected from power failures or other disruptions caused by failures of supporting facilities. The detection and analysis of cabling security includes: detecting and analyzing whether power and communication cables carrying data or supporting information services are protected from interception or damage. The detection analysis of equipment maintenance includes: detecting and analyzing whether equipment is correctly protected and whether its continued availability and integrity are ensured. The detection analysis of asset removal includes: detecting and analyzing whether equipment, information and software cannot be taken out of the organization without prior authorization. The detection and analysis of the security of off-site equipment and assets includes: detecting and analyzing whether security measures are applied to assets outside the organization's premises and whether the different risks of working outside the premises are taken into account.
The detection analysis of secure disposal or reuse of equipment includes: detecting and analyzing whether all items of equipment containing storage media are checked, and whether it is ensured that any sensitive information and registered software have been removed or securely overwritten before disposal. The detection and analysis of unattended user equipment includes: detecting and analyzing whether unattended user equipment is protected. The detection and analysis of the clear desk and clear screen policy includes: detecting and analyzing whether a policy of clearing papers and removable storage media from desks is adopted, and whether a clear screen policy for information processing facilities is adopted. The detection analysis of middleware user name and password management includes: detecting and analyzing user permission settings, password policy settings, and the management of redundant accounts. The detection analysis of middleware security audit includes: detecting and analyzing audit logs and operation logs. The detection analysis of the middleware intrusion prevention strategy includes: detecting and analyzing whether SSL protection is enabled, whether default ports are modified, and whether the number of application server sockets is limited.
Further, the information collection and analysis of the present embodiment includes: retrieving policy files, rules and regulations, process management records, the information system overall description file, the information system detailed description file, the information system security protection level grading report, the security requirement analysis report, the information system security overall scheme, the security status evaluation report, the information system security detailed design scheme, user guides, operation procedures, network diagrams and configuration management documents; analyzing one or more kinds of data among the basic information, management framework, network and equipment deployment, service types and characteristics, service data, user scope and user types of the information system, and carrying out comprehensive analysis and arrangement; and analyzing the industry characteristics, administrative agencies, service scope, geographic location, background information, contact methods, organization and management structure, management strategies, department settings, the functions, positions and responsibilities of departments at service operation terminals, the physical environment, network topology, hardware equipment deployment, scope and boundary, service types and characteristics, service flows and service security protection level, to form a basic condition analysis report of the information system.
The determination of the evaluation object in the present embodiment includes: detecting information about the information system and analyzing the whole unit information system and its related service systems. According to the basic condition analysis report of the information system, the whole structure of the information system is identified and described; the description covers the identification of the information system, its physical environment, its network topology and the connection condition of its external boundary, and a network topology map is given. The boundary of the information system is identified and described; the description covers the boundary connection mode between the information system and other networks for external connection, where the boundary connection modes include optical fiber, wireless and dedicated lines, and the equipment describing the boundary includes one or more of a firewall, a router and a server. If shared equipment is arranged at the boundary connection position of the information system, the equipment is assigned to the information system with the relatively higher grade. Information systems that have not been divided into regions are divided and described according to their actual conditions; the description covers region division, the main service application of each region, service flows, region boundaries and the connections between the regions and their main service applications. The nodes of the information system are described region by region: the computer hardware equipment, network hardware equipment, communication lines and application system software in each region are described, and the connections between nodes are explained. The computer hardware equipment includes server equipment, client equipment, printers and storage.
The network hardware equipment includes: switches, routers and adapters. The description content is organized, and the information system to be evaluated is determined and described: based on the network topology of the information system, the overall structure is first explained from the general to the specific, then the external boundary connection condition and the main boundary equipment are described, and then the network region composition, service functions and related equipment nodes of the information system are described. Each service system is analyzed, the importance of the service system and its related equipment and components is analyzed, and the evaluation objects are determined and described according to the type of service system. The evaluation objects include networks, network equipment, servers, hosts and application systems, and each type of evaluation object is described in list form, including the region it belongs to, the equipment name, its application, equipment information and a spot-check description. Determining the evaluation index includes: obtaining the grading result of the information system from the information system basic condition analysis report, where the grading result includes the service information security protection grade and the system service security protection grade; obtaining the combination of security protection measures to be taken by the information system (the A system service assurance grade, the S service information security grade and the G basic requirement grade); selecting the security requirements of the corresponding grades as the evaluation indexes according to the standard, covering the three ASG security requirements; and describing each service system separately, where the description includes the grading result and index selection of the service system.
Determining the evaluation content includes: determining the single evaluation content and the system evaluation content. The information system basic condition analysis report, the evaluation objects of the evaluation scheme, the evaluation indexes and the evaluation tool access points are analyzed; the evaluation indexes are combined with the evaluation objects and the evaluation objects with the evaluation methods, the evaluation indexes at each layer are mapped to specific evaluation objects and the evaluation method is explained, so as to form evaluation implementation units; the content of each single evaluation implementation is described by combining the evaluation index and the evaluation object, and corresponding evaluation content is compiled according to the evaluation tool access points, where the single evaluation content comprises the evaluation index, the evaluation object, the evaluation method and the evaluation implementation; the system evaluation content is determined according to the evaluation methods of the relevant standards, the actual condition of the information system and evaluation experience; and the single evaluation implementation and system evaluation implementation parts of the evaluation scheme are output.
The development of the evaluation instructions includes: according to the test tool access points, the single evaluation implementation part and the system evaluation implementation part, describing each evaluation object, including its name, IP address, application and manager; determining the evaluation activities, including evaluation items, evaluation methods, operation steps and expected results, according to the single evaluation implementation part and the system evaluation implementation part; and outputting the evaluation instruction book of the evaluation scheme. An evaluation item refers to the requirement placed on an evaluation object in a use case of the standard, and the evaluation methods include one or more of interviews, document review, configuration inspection, tool testing and on-site inspection; each evaluation item corresponds to one or more evaluation methods. The operation steps include the commands executed or steps performed in the evaluation activity and, where tool testing is involved, describe the test equipment and tool requirements, including the model, specification and version of the tool. The expected results include the results normally obtained and the evidence obtained by following the operation procedure.
Compiling the evaluation scheme includes: according to the commissioned evaluation agreement and the information system basic condition analysis report, extracting the project source, the overall informatization construction condition of the unit where the information system is located, and the connection condition between the system and the unit's other systems; listing the standards on which the evaluation activities are based according to the grade evaluation implementation requirements of the grade protection process; estimating the evaluation workload according to the commissioned evaluation agreement and the condition of the information system, based on the number of nodes to be inspected and the access points and test content of tool testing; compiling a specific evaluation plan according to evaluation experience and the scale of the information system, where the plan includes the division of labor and schedule of personnel and the evaluation avoids the business peak periods of the information system; forming an initial draft of the evaluation scheme from the content acquired by the tasks of the scheme compilation activity; and outputting the evaluation scheme after review and confirmation.
Preparation of the evaluation implementation includes: confirming the resources required for the evaluation, including cooperating personnel and evaluation conditions, and updating the evaluation plan or evaluation program as required. On-site evaluation and result recording includes: checking whether the systems, policies and operating procedures that the standard requires to be provided and specified are complete; checking whether complete records of system execution exist, including machine room entry and exit registration records, electronic records and usage registration records of key equipment of higher-level systems; reviewing and analyzing documents, and checking their completeness and internal consistency; checking, according to the evaluation result record, whether the configurations of the application system, host system, database system and network equipment are correct and consistent with the documents, related equipment and components, and verifying the document review content, including log audit; performing error testing if the system receives invalid commands and cannot complete the configuration check; verifying the connection rules of network connections; testing the system according to the evaluation scheme, where testing includes vulnerability scanning based on network detection and host audit, website vulnerability scanning, database vulnerability scanning, penetration testing, performance testing, intrusion detection and protocol analysis; judging, according to the actual condition of the information system, the security awareness of personnel, business operation, management procedures and the security condition of the system's physical environment, and judging whether the evaluation meets the security requirements of the corresponding level; and recording the evaluation results of the management security evaluation, the network, host and application evaluation results of the technical security evaluation, the physical security evaluation results of the technical security evaluation, and the test results after tool evaluation. Result confirmation and data return includes: summarizing the evaluation records, summarizing the problems, evidence and evidence sources found in the evaluation, supplementing content that was missed and needs further verification, and recording the summary, evidence and evidence sources of the problems found. Judging a single evaluation result includes: examining each evaluation item and, if the item is applicable, comparing the multiple evaluation results actually obtained during evaluation implementation with the expected evaluation results, judging the conformity of each evaluation result with its expected result, obtaining the result of the evaluation implementation corresponding to each evaluation item, and judging whether the evaluation results conform; then comprehensively judging the result of the evaluation item, according to the judgment of all its evaluation results, as conforming, partially conforming or not conforming, and outputting the single evaluation records and results. The summary analysis of single evaluation results includes: summarizing, by level, the single evaluation results of the evaluation indexes corresponding to the different evaluation objects, including the number of evaluation items and the number of items meeting the requirements.
The overall evaluation includes: for each single evaluation item that an evaluation object does not or only partially conforms to, analyzing whether other security controls related to the evaluation can form an association with the single evaluation item, what association is formed, and whether the effect of that association can compensate for the deficiency of the evaluation item; analyzing whether other evaluation objects at other layers related to the evaluation item can form an association with the evaluation object, what association occurs, and whether the effect of those associations can compensate for the deficiency of the evaluation item; analyzing whether other evaluation objects in other regions related to the evaluation item can form associations with the evaluation object, what associations are formed, and whether their effects can compensate for the deficiency of the evaluation item; analyzing the security of the overall structure of the information system from the security perspective, and the rationality of the information system's overall security precautions from the system perspective; and outputting the overall evaluation result of the information system.
Forming the security assessment conclusion includes: combining the single evaluation results and the overall evaluation results, summarizing and analyzing again the single evaluation results of each evaluation object at the physical security, host security and application security levels, and counting the conforming conditions; analyzing the potential security hazards brought to the information system by the non-conforming evaluation items and their causes, and judging their impact on the overall protection capability of the information system; according to the summary analysis of the single evaluation results, judging that the information system does not have the basic security protection capability of the corresponding level if any evaluation item fails to meet the requirements, and that it does have that capability if all evaluation items meet the requirements; and outputting the grade evaluation conclusion. Compiling the evaluation report includes: providing improvement suggestions for the potential security hazards of the information system from the system security perspective; compiling the evaluation report according to the evaluation scheme, the single evaluation records and results, the summary analysis of single evaluation results, the overall evaluation result and the grade evaluation conclusion; forming corresponding evaluation reports according to the number of information systems; and providing the document list of the evaluation, the single evaluation records and the judgment of the single evaluation result of each evaluation item. The evaluation report is reviewed and confirmed against the evaluation agreement, related documents, original evaluation records and auxiliary information, and the information system grade evaluation report is output.
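The single evaluation judgment, the per-level summary, the selection of deficient items for the overall evaluation and the grade conclusion described above can be expressed as a small evaluation model. The following is an added example and not code from the patent; the item identifiers and sample results are constructed, and the rule that a partially conforming item also blocks the conclusion is an assumption.

```python
"""Added example (not from the patent): single evaluation judgment, per-level
summary and grade conclusion applied to constructed evaluation items."""
from dataclasses import dataclass, field

CONFORM = "conform"
PARTIAL = "partially conform"
NOT_CONFORM = "not conform"
NOT_APPLICABLE = "not applicable"


@dataclass
class EvaluationItem:
    item_id: str          # constructed identifier, e.g. "host-pass-01"
    level: str            # physical security, host security or application security
    applicable: bool = True
    # Each evaluation implementation yields (actual result, expected result).
    results: list = field(default_factory=list)


def judge_item(item):
    """Judge one evaluation item from the conformity of each of its results."""
    if not item.applicable:
        return NOT_APPLICABLE
    matches = [actual == expected for actual, expected in item.results]
    if matches and all(matches):
        return CONFORM
    if not any(matches):
        return NOT_CONFORM
    return PARTIAL


def summarize_by_level(items):
    """Per level: (number of applicable items, number meeting the requirements)."""
    summary = {}
    for item in items:
        verdict = judge_item(item)
        if verdict == NOT_APPLICABLE:
            continue
        total, ok = summary.get(item.level, (0, 0))
        summary[item.level] = (total + 1, ok + int(verdict == CONFORM))
    return summary


def deficient_items(items):
    """Items the overall evaluation must examine for compensating controls."""
    return [i.item_id for i in items if judge_item(i) in (PARTIAL, NOT_CONFORM)]


def grade_conclusion(items):
    """True when every applicable item conforms (assumption: partial counts as not meeting)."""
    return all(judge_item(i) in (CONFORM, NOT_APPLICABLE) for i in items)


# Constructed sample items (not from any real evaluation).
SAMPLE_ITEMS = [
    EvaluationItem("phys-access-01", "physical security",
                   results=[("badge control present", "badge control present")]),
    EvaluationItem("host-pass-01", "host security",
                   results=[("min length 8", "min length 8"), ("no expiry", "90 day expiry")]),
    EvaluationItem("app-audit-01", "application security",
                   results=[("no audit log", "audit log enabled")]),
    EvaluationItem("app-crypto-02", "application security", applicable=False),
]

if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        print(item.item_id, judge_item(item))
    print(summarize_by_level(SAMPLE_ITEMS))
    print("deficient:", deficient_items(SAMPLE_ITEMS))
    print("meets basic protection capability:", grade_conclusion(SAMPLE_ITEMS))
```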
The security policy includes: drafting, review, implementation, training, deployment, monitoring, reinforcement, re-evaluation and revision, and the timeliness and effectiveness of the security policy are ensured through management. The security technology system is the foundation of the information system framework and comprises: network security, host security, terminal security, application security, data security and a comprehensive security management platform; taking the security policy as guidance, it establishes a complete, coordinated security technology protection system covering network security protection, host system security protection, application security protection, terminal security protection and data security protection. The security organization and management system is based on the overall security policy and works together with the security technology system. The operation guarantee system comprises: security operation and maintenance management, daily operation guarantee, security emergency response and data system backup. Security operation and maintenance management comprises: network security operation and maintenance management, host security operation and maintenance management and application security operation and maintenance management.
Network security operation and maintenance management comprises: carrying out unified operation authentication, authorization and audit across the whole network of the network system; authenticating equipment maintenance operations on the network system with dynamic passwords; transmitting operation commands in encrypted form; allowing only authorized users to maintain and manage network equipment; setting at least two levels of equipment operation authority for the equipment administrators of the network system, with the equipment operation authority corresponding to the operation commands, so that management and maintenance operations exceeding the authority are forbidden and only authorized operations are executed; and auditing the operation and maintenance operations of the network system, where the audit content comprises the operation commands, operators and operation times, to ensure that authorized users perform authorized operations.
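The command-level authority check and the audit record (command, operator, time, outcome) described above can be combined into one gate in front of any maintenance operation. The following is an added example and not code from the patent; the two authority levels, the command table and the operator accounts are constructed, and dynamic-password authentication and encrypted transport are assumed to happen before this gate is reached.

```python
"""Added example (not from the patent): an authorization gate that enforces
command-level operation authority and audits every maintenance attempt."""
from datetime import datetime, timezone

# Two assumed authority levels for equipment administrators.
OPERATOR, ADMIN = 1, 2

# Constructed mapping of maintenance commands to the authority they require.
COMMAND_AUTHORITY = {
    "show running-config": OPERATOR,
    "show interfaces": OPERATOR,
    "configure terminal": ADMIN,
    "reload": ADMIN,
}

# Constructed operator accounts and their assigned authority level.
OPERATOR_LEVELS = {"alice": ADMIN, "bob": OPERATOR}


class OperationGate:
    def __init__(self):
        self.audit_log = []  # every attempt, authorized or not

    def authorize(self, operator, command):
        """Decide whether the operator may run the command, without running it."""
        level = OPERATOR_LEVELS.get(operator)
        if level is None:
            return False, "unknown operator"
        required = COMMAND_AUTHORITY.get(command)
        if required is None:
            # Commands not in the table are never authorized operations.
            return False, "unknown command"
        if level < required:
            return False, "command exceeds operator authority"
        return True, "authorized"

    def execute(self, operator, command, run):
        """Run `run(command)` only if authorized; record the attempt either way."""
        allowed, reason = self.authorize(operator, command)
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "operator": operator,
            "command": command,
            "outcome": "executed" if allowed else "denied: " + reason,
        })
        return run(command) if allowed else None

    def denied_entries(self):
        """Audit entries for forbidden attempts, the ones a reviewer looks at first."""
        return [e for e in self.audit_log if e["outcome"].startswith("denied")]


if __name__ == "__main__":
    gate = OperationGate()
    gate.execute("bob", "show interfaces", lambda c: "ran " + c)
    gate.execute("bob", "reload", lambda c: "ran " + c)      # exceeds authority
    gate.execute("mallory", "reload", lambda c: "ran " + c)  # unknown operator
    for entry in gate.audit_log:
        print(entry)
```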
Further, the host security operation and maintenance management of this embodiment includes: the host system performs unified operation authentication, authorization and audit. Application security operation and maintenance management comprises: the application system performs unified operation authentication, authorization and audit. Data system backup comprises: making a backup strategy and a recovery target according to data backup requirements, the importance of the service system and recovery cost; regularly backing up server data, including the operating system, databases and files, according to the backup strategy; storing the system's backup media off-site according to the importance of the data, where the off-site backup data includes at least the original data of all service systems and the static data necessary to recover the system; supporting data recovery on multiple platforms; and quickly recovering the whole system from disaster recovery tapes. The recovery target includes: the tolerable amount of data loss and the tolerable system recovery time. The physical security assessment comprises: evaluating the physical security settings corresponding to the information system, including the selection of physical location, physical access control, theft and damage prevention, lightning protection, fire prevention, water and moisture prevention, static electricity prevention, temperature and humidity control, power supply and electromagnetic protection configuration. The network security evaluation comprises: router/switch evaluation, antivirus system evaluation, host system security evaluation, application security evaluation and data security evaluation.
The router/switch evaluation includes: evaluating the important operations handled by the router/switch, including the network segment division of the security domain in the evaluated structure, network access control, network security audit, boundary integrity checking and network equipment protection configuration. The antivirus system evaluation comprises: evaluating the important operations handled by the antivirus system, including structural security and network segment division, network security audit, network current prevention, malicious code prevention and network equipment protection configuration. The host system security evaluation comprises: evaluating the important operations handled by the operating system, including the use of the evaluation token, account authentication, password management, login restriction, identity identification and authentication, access control of subjects and objects, user authorization, security audit, alarms, monitoring, system protection, malicious code protection, residual information protection and resource control configuration. The operating system includes: the Windows system and the LINUX operating system. The evaluation of the Windows system comprises evaluating whether accounts and passwords are set with sufficient strength, the selection or setting of accounts, the selection or setting of passwords, password composition, life cycle testing, whether desktop application software has a legal source, whether a screen saver is set, the security settings of the registry, the SMP (Symmetric Multi-Processor architecture) service and the RPC (Remote Procedure Call) service, the installation of the latest security patches and antivirus software, and the allocation of system resources.
The evaluation of the LINUX operating system includes: the important operations to be handled by the evaluation operating system comprise the use of an evaluation token, account authentication, password management, login limitation, identity identification and authentication, access control of subjects and objects, user authorization, security audit, alarm, monitoring, system protection, malicious code protection, residual information protection, resource control supported version, local buffer overflow vulnerability, latest security patch installation, whether an unrelated service is in an off state or not, account password, RootPATH (path of root file system on NFS server) environment variable, trust relationship with other hosts, and system reinforced TCP/IP protocol stack configuration. The application safety assessment comprises: and checking and evaluating the identity and authentication of an application system, the access control of a subject and an object, user authorization, security audit, residual information protection and resource control. The data security assessment comprises: and checking the data integrity, the data confidentiality and the data backup of the application system.
The network security construction of the embodiment includes: security isolation of the external boundary, boundary protection of internal security domains, protection inside the security domain, network performance protection and network access control.
The security isolation of the external boundary includes: boundary protection of the region against the external Internet and external units, realizing secure access control and intrusion defense, preventing unauthorized access from outside, detecting and blocking probing and attack behavior against the network, and ensuring secure logical isolation of the boundary.
The boundary protection of internal security domains comprises: realizing secure access control and intrusion prevention, preventing unauthorized access from users/services in a lower security domain, detecting and blocking probing and attack behavior against the regional application system network, and ensuring secure logical isolation of the boundaries.
The protection inside the security domain comprises: users/services within the same security domain adopt means such as VLAN (Virtual Local Area Network), access control, MPLS-VPN (Multiprotocol Label Switching-Virtual Private Network) and the integrated security technology of network devices to realize secure access for internal users/services. The application system network adopts VLAN or firewall technology to realize security isolation between different application systems, follows the principle of minimum access, ensures secure access between application systems, avoids unrestricted access between internal systems, and prevents an internal security incident from spreading by using one system as a springboard to reach others. The firewall for internal security access control may be shared with the firewall at the network boundary of the regional application system.
The network performance protection comprises: for statistical analysis functions such as network flow and application access, adopting technologies such as NetFlow, NetStream and sFlow to realize the collection, analysis, monitoring, recording and auditing of network flow and network access. The system has the capability of protecting network performance, prevents malicious software on PC terminals and non-compliant user behavior from abusing network resources, and ensures the reasonable use of network resources and normal user access to internal application systems.
The network access control comprises: realizing comprehensive network access control for user PCs, integrating fully with the PKI/CA (public key infrastructure/certificate authority) certificate system of the unit, allowing only authorized users to access the network, and forming a unified authentication system for network access and application system access across the whole unit. The network access control mode is preferably a centralized authentication mode. It is integrated with the technical requirements for terminal security, so that only PC terminals meeting the terminal security standard can access the network, ensuring endpoint security.
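The flow statistics described above can be illustrated with a small analysis over exported flow records. The following is an added example, not code from the patent or its applicant: it parses a constructed CSV export of NetFlow-style records (the column layout, addresses and thresholds are assumptions), totals traffic per source, lists the top talkers, flags hosts exceeding a volume limit, and flags hosts touching many ports on one destination, which is the kind of non-compliant behaviour the paragraph wants detected and audited.

```python
"""Flow-record statistics for network performance protection.

Added example, not code from the patent: it parses a few constructed
NetFlow-style records exported as CSV and derives the per-host traffic
statistics and abuse indicators that the paragraph above calls for.
Field layout, addresses and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int
    packets: int


# Constructed sample export: "src,dst,dport,proto,bytes,packets" per line.
SAMPLE_EXPORT = """\
# src,dst,dport,proto,bytes,packets
10.1.1.20,10.2.0.5,443,TCP,52000,120
10.1.1.20,10.2.0.5,443,TCP,48000,110
10.1.1.77,10.2.0.9,22,TCP,3000,40
10.1.1.77,10.2.0.9,23,TCP,120,2
10.1.1.77,10.2.0.9,80,TCP,120,2
10.1.1.77,10.2.0.9,135,TCP,120,2
10.1.1.77,10.2.0.9,445,TCP,120,2
10.1.1.77,10.2.0.9,3389,TCP,120,2
10.1.1.31,203.0.113.8,6881,UDP,900000000,600000
"""


def parse_flows(text):
    """Parse the CSV export into Flow records, skipping comments and blank lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto, nbytes, packets = line.split(",")
        flows.append(Flow(src, dst, int(dport), proto, int(nbytes), int(packets)))
    return flows


def bytes_by_source(flows):
    """Total bytes sent per source address (the basis for the usage statistics)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.nbytes
    return dict(totals)


def top_talkers(flows, n=3):
    """The n sources generating the most traffic, highest first."""
    return sorted(bytes_by_source(flows).items(), key=lambda kv: kv[1], reverse=True)[:n]


def bandwidth_abusers(flows, limit_bytes):
    """Sources whose total volume exceeds the per-host limit for the period."""
    return sorted(src for src, total in bytes_by_source(flows).items() if total > limit_bytes)


def port_sweep_sources(flows, min_ports=5):
    """Sources that touched at least min_ports distinct ports on a single host:
    an indicator of probing rather than normal application access."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst)].add(f.dport)
    return sorted({src for (src, _dst), touched in ports.items() if len(touched) >= min_ports})


def audit_report(text, limit_bytes=500_000_000):
    """Combine the checks into one record suitable for logging or a daily audit."""
    flows = parse_flows(text)
    return {
        "flows": len(flows),
        "top_talkers": top_talkers(flows),
        "bandwidth_abusers": bandwidth_abusers(flows, limit_bytes),
        "port_sweeps": port_sweep_sources(flows),
    }


if __name__ == "__main__":
    print(audit_report(SAMPLE_EXPORT))
```

The per-host limit and the distinct-port threshold are the tunable parts; in practice they are set per network segment from a few weeks of observed baseline traffic rather than fixed constants.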
The operating system hardening of the present embodiment includes: enabling the operating system password policy, forcing passwords to meet complexity requirements and to be changed periodically, establishing an independent account for each administrator, modifying the default remote operation and maintenance port, applying single-user-level control to the administrator remote login address, setting an illegal login policy and setting an audit policy; setting an important file permission control policy and deleting unnecessary default shares; disabling unnecessary services and ports, updating system vulnerability patches, and renaming default system accounts; distributing permissions according to the role of the management user, separating the permissions of management users, and granting the minimum permissions a management user needs; separating the permissions of privileged users of the operating system and the database system, limiting terminal login according to actual conditions, limiting the maximum or minimum quota of a single user on system resources, detecting the service level of the system and alarming if it drops to a preset minimum value, setting the "force shutdown from a remote system", "take ownership of files or other objects", "log on locally" and "access this computer from the network" user rights, enabling Transmission Control Protocol/Internet Protocol (TCP/IP) filtering and the system firewall, enabling SYN (synchronize sequence number) attack protection, enabling the screen saver program, setting the idle session timeout of the Microsoft network server, closing services, modifying the SNMP service password, closing invalid startup items and closing the Windows AutoPlay function.
The network/security device hardening of the present embodiment includes: renaming the default accounts of network equipment and security equipment, setting a stronger password length and policy, applying single-user-level control to the remote login address, setting an independent user account for each equipment administrator, disabling telnet and adopting a secure remote management login mode such as SSH, disabling useless default services or protocols, setting bandwidth allocation priority levels, configuring port-level access control, setting application-layer filtering, setting network flow control, setting a login failure handling policy, and adjusting and planning the network topology environment. The database hardening comprises: checking the current database configuration; hardening accounts, authorization, passwords, logs, policies and patches respectively; assigning different accounts to different administrators; deleting or locking invalid accounts; limiting remote login of super administrators; minimizing permissions; limiting the length and complexity of default passwords; limiting the lifetime of default passwords; limiting the reuse of passwords; enabling the logging function; recording user operations on the equipment; and recording system security events and database audit policies.
The establishment and improvement of the information security management system comprises: establishing, improving and implementing, according to the standard requirements, a security management system meeting the requirements of the corresponding grade.
The establishment and improvement of the information security management system of the embodiment further comprises: implementing information security responsibility, establishing an information security work leadership group and an information security management department or responsible section, defining the information security work, determining the security posts and the personnel who fill them, and defining the leadership mechanism, responsible departments and personnel responsible for information security; implementing a personnel security management system, making management rules for personnel onboarding, departure, assessment, education and training, implementing the specific measures of those rules, and carrying out security examination, training, assessment and security confidentiality education for personnel in security posts; implementing a system construction management system, establishing management rules for information system grading and filing, scheme design, product procurement and use, cryptography use, software development, project implementation, acceptance and delivery, grade evaluation and security services, and determining the work content, methods, flow and requirements; and implementing a system operation and maintenance management system, establishing management rules for computer room environment security, storage media security, equipment and facility security, security monitoring, network security, system security, malicious code prevention, password protection, backup and recovery and incident handling, formulating an emergency plan and drilling regularly.
This embodiment can formulate corresponding systems, policies, operating procedures and the like according to GB/T22239-2008.
The standards referred to in this embodiment may include, but are not limited to: the ISO31000 risk management standard, ISO27001:2013 information security management system, GB-T20984-, GB/T18336-.
The scanning strategy of this embodiment includes: WEB vulnerability scanning, system vulnerability scanning, weak password scanning, special high-risk vulnerability scanning (such as the MS17-010 and log4j2 vulnerabilities) and the like. A particular vulnerability knowledge base may also be selected to generate a specific policy. The IP addresses, domain names, ports, vulnerability templates, concurrency number and the like can be edited. A template scanning strategy can be selected; PoC (proof of concept) verification or vulnerability retesting is performed on the target system to check whether it has a security vulnerability. Fuzz scanning is not used, to reduce the impact of scanning; the scan may set the port range according to the configuration or need.
The vulnerabilities of this embodiment include, but are not limited to: SQL injection vulnerabilities, XSS vulnerabilities, weak passwords, arbitrary file upload vulnerabilities, directory traversal vulnerabilities, arbitrary command execution vulnerabilities, sensitive information leakage, and the like. All of the above fall into the vulnerability category; different vulnerabilities have different repair or configuration methods. For example, the key to resolving an SQL injection vulnerability is to strictly check all data that users may input and to apply the principle of least privilege to the database configuration. A file upload vulnerability requires strict limits and checks on uploaded files: uploading files containing malicious code is forbidden and execute permission on the relevant directories is restricted, so that webshell attacks are prevented. Misconfiguration includes, but is not limited to: default accounts present, default shares not closed, startup items not disabled, etc. Loose configuration includes, but is not limited to: no limit on the telnet idle timeout, no restriction on telnet IP addresses, etc.
The logic tests in the penetration test of the present embodiment include, but are not limited to: 1. Registration: one case is malicious registration and the other is account enumeration (traversal); 2. Login: one case is that the login interface has no verification code and can be brute-forced directly, the second is that a verification code exists but can be bypassed, and the third is that third-party account login can be bypassed; 3. Override (unauthorized access): horizontal override occurs within the same role, when the system only verifies the role of the party accessing the data, does not distinguish users within the role, and does not distinguish subsets of the data, because it lacks a user-to-data correspondence. Horizontal rights management, also referred to as "data-based access control", fails when the system lacks access control at the data level; vertical override occurs between different roles: generally a high-privilege role can access the resources of a low-privilege role, while a low-privilege role is prohibited from accessing the resources of the high-privilege role, and if a user belonging to the low-privilege role can obtain the capabilities of the high-privilege role through some method, a vertical override vulnerability exists; 4. Trading: orders can be maliciously modified, such as modifying the purchase quantity and unit price so that the order total becomes an ultra-low price, which forms a logic vulnerability.
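The two repair methods named above (input checking with least-privilege database configuration for SQL injection, and strict upload limits with no execute permission for file upload) are shown below as an added example; it is not code from the patent or its applicant. It uses an in-memory SQLite table with constructed rows to contrast a concatenated query with a parameterised one, and an upload check built from an extension allowlist, a content (magic-byte) check and a non-executable storage directory. The table layout, allowed file types and paths are assumptions.

```python
"""Repairing SQL injection and unrestricted file upload.

Added example, not code from the patent. It uses an in-memory SQLite
database with constructed rows to contrast a query built by string
concatenation with a parameterised one, and shows an upload check that
applies an allowlist, a content check and a non-executable storage
directory. Table layout, allowed types and paths are assumptions.
"""
import os
import sqlite3


def make_db():
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    """Vulnerable: user input is pasted into the SQL text, so a quote in the
    input changes the query structure instead of being treated as data."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Hardened: the driver binds the value as data; it cannot alter the query.
    Pair this with a database account that has only the rights the query needs."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Allowed upload types and the magic bytes each must begin with (assumed policy).
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}


def validate_upload(filename, content):
    """Return the safe base name to store, or raise ValueError."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop directory components
    if base.count(".") != 1 or base.startswith("."):
        raise ValueError("file name must be name.ext with a single extension")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError("file type %r not allowed" % ext)
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match declared type")
    return base


def store_upload(upload_dir, filename, content):
    """Validate and write the file with no execute bit, in a directory that
    the web server must not serve or execute from (assumed deployment)."""
    name = validate_upload(filename, content)
    os.makedirs(upload_dir, mode=0o750, exist_ok=True)
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(content)
    os.chmod(path, 0o640)  # read/write for owner, read for group, no execute
    return path
```

The content check is what makes the allowlist meaningful: an extension alone says nothing about what the bytes are, and the single-extension rule closes the `name.php.png` style of double extension.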
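The three logic flaws in items 3 and 4 above have the same shape of fix: decide on the server side, using data the client cannot supply. The following is an added example, not code from the patent or its applicant. It contrasts a role-only check (horizontal override) with a check against the user-to-data mapping, takes the role for the vertical check from the server-side session rather than the request, and recomputes an order total from a server-side catalogue so a client-supplied unit price cannot produce an ultra-low total. Role names, the role hierarchy, the orders and prices are constructed assumptions.

```python
"""Data-level access control and server-side order pricing.

Added example, not code from the patent. In-memory constructed data;
role names, the role hierarchy and the catalogue are assumptions.
"""

ROLE_LEVEL = {"user": 1, "manager": 2, "admin": 3}

# Constructed orders: the user-to-data mapping the text says is missing.
ORDERS = {
    1001: {"owner": "alice", "total": 1999},
    1002: {"owner": "bob", "total": 500},
}

# Constructed catalogue: unit prices in cents, the only source of truth for pricing.
CATALOG = {"sku-1": 1999, "sku-2": 500}


class Forbidden(Exception):
    pass


def get_order_role_only(user, role, order_id):
    """Vulnerable (horizontal override): only the role is verified, so any
    authenticated 'user' can read any other user's order."""
    if role not in ROLE_LEVEL:
        raise Forbidden("unknown role")
    return ORDERS[order_id]


def get_order(user, role, order_id):
    """Hardened: checks the user-to-data mapping (data-based access control).
    Managers and above may read any order; users only their own."""
    if role not in ROLE_LEVEL:
        raise Forbidden("unknown role")
    order = ORDERS.get(order_id)
    if order is None:
        raise Forbidden("no such order")  # same answer for missing and not-yours
    if order["owner"] != user and ROLE_LEVEL[role] < ROLE_LEVEL["manager"]:
        raise Forbidden("not the owner")
    return order


def authorize_action(session_role, required_role):
    """Vertical check: the role comes from the server-side session, never from
    a request parameter, and is compared on the role hierarchy."""
    return ROLE_LEVEL.get(session_role, 0) >= ROLE_LEVEL[required_role]


def price_order(items):
    """Recompute the total from the catalogue; any client-sent unit price is ignored.
    items: list of (sku, quantity)."""
    total = 0
    for sku, qty in items:
        if sku not in CATALOG:
            raise ValueError("unknown sku %r" % sku)
        if not isinstance(qty, int) or qty <= 0 or qty > 1000:
            raise ValueError("invalid quantity for %r" % sku)
        total += CATALOG[sku] * qty
    return total


def accept_order(items, client_total):
    """Reject a submission whose client-side total disagrees with the server's."""
    server_total = price_order(items)
    if client_total != server_total:
        raise ValueError("client total %d does not match %d" % (client_total, server_total))
    return server_total
```

Returning the same `Forbidden` for a missing order and for another user's order keeps the hardened lookup from leaking which order ids exist, which otherwise helps the account and order enumeration mentioned under registration.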
The network security protection and safety system based on the unit cell of the embodiment of the invention comprises:
a vulnerability scanning module: determining a scheme, configuring a strategy, backing up the system, performing the scan, analyzing the results, scanning again, repairing the vulnerabilities, and performing a secondary re-check scan; detecting potential security hazards and vulnerabilities of any one or more of network protocols, network services and network equipment according to the security vulnerability knowledge base, analyzing and identifying vulnerabilities that an intruder may use to enter the network illegally or obtain information assets illegally, and issuing reminders; when a host scanning command is received or a host scan is performed, first backing up the host data; if the server is a dual-machine hot-standby system, scanning only one of the servers in one scanning session; adjusting the scanning object strategy for hosts or network equipment with special requirements, adopting a single-host scanning mode for a given system, scanning one IP at a time and scanning the next IP only after the previous scan is finished; and adjusting the scanning time of equipment in the production network segment to a period that does not affect services;
a baseline check module: collecting the login information of the network equipment, security equipment, operating systems, databases and middleware in the target information system; checking equipment configuration by logging in to the target equipment, recording the configuration information and performing configuration security analysis; logging in to the network equipment, security equipment, operating systems, databases and middleware one by one according to the collected login information, testing the accuracy of the collected login information and the permissions of the accounts, analyzing whether all security configuration check items can be covered, and forming a baseline check report;
a network and security equipment checking module: checking equipment management (such as the console, ssh (Secure Shell protocol), management IP, AAA (Authentication, Authorization, Accounting), etc.), account management, authentication and authorization, login method, log audit, service port optimization, security protection (such as SNMP (Simple Network Management Protocol), protocol encryption, address spoofing, etc.) and the rationality of security policies; it includes an operating system checking unit, a database checking unit, and a Web (World Wide Web) server and middleware checking unit;
a full-traffic threat analysis module: using threat intelligence data and the collected whole-network traffic for analysis, detecting internally compromised hosts, external attacks, internal violations and internal risks, analyzing and judging events, tracing their source, and analyzing asset information and related statistics in the current network;
an intranet asset discovery module: inventorying the host assets and WEB servers of the intranet information system and dynamically managing the whole life cycle of the accounts of intranet assets, comprising: a host asset and service discovery unit, a Web service discovery unit and an asset visualization display unit;
an emergency response module: monitoring security problems in the service system, tracing internet-level attacks through big data analysis, analyzing the causes of security events, tracing event sources, classifying security events, defending against attacks through big data analysis and security threat intelligence, discovering unknown dangerous network behavior and locating attack sources;
the emergency drilling module: analyzing and judging the event; if it is judged to be a suspected computer virus outbreak, judging whether a system problem exists; if a system problem exists, starting the system emergency plan, otherwise executing the notification process; judging whether the virus is spreading over the network; if so, judging whether the infected host needs to be isolated; if it needs to be isolated, disconnecting its network connection, starting the system emergency plan and judging whether an antivirus measure needs to be executed, and if it does not need to be isolated, directly judging whether an antivirus measure needs to be executed; if an antivirus measure is to be executed, judging whether system data may be damaged, executing the antivirus measure after a system backup if damage is possible, and executing the antivirus measure directly if not; after execution, judging whether the virus has been completely cleaned; if it is judged that no antivirus measure is needed, directly judging whether the virus has been completely cleaned; if the virus has been completely cleaned, restoring the network connection of the isolated host and executing the reporting process; if the virus still exists after the antivirus measure is executed, continuing to execute new virus search-and-kill measures until the virus is cleaned up;
the penetration testing module includes: a Web penetration test unit and an advanced penetration test unit. The Web penetration test unit: simulating a real security attack and discovering potential ways for a hacker to invade the information system, comprising: information collection, remote overflow, password guessing, local overflow, enterprise user-side attacks, man-in-the-middle attacks, Web scripting and application testing. The advanced penetration test unit comprises: combining information security best practice, simulating a targeted strike, taking the Internet-side assets or the internal untrusted/semi-trusted areas as the penetration entry, simulating a hacker's intranet attack to obtain the highest intranet authority or sensitive data for further penetration testing, comprising evaluating the external asset situation, searching for an intranet access point, using available intranet access points present in the Internet assets, and deploying a springboard to perform intranet penetration on the internal network;
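The operating constraints of the vulnerability scanning module (backup before a host scan, one node of a hot-standby pair per session, single-host mode for special systems, production segments in an off-peak window, no fuzz or denial-of-service checks) can be enforced when the scan session is planned rather than left to the operator. The following is an added example, not code from the patent or its applicant; it also covers the editable port range, templates and concurrency from the scanning strategy above. Asset fields, the time windows and the template names are assumptions.

```python
"""Scan session planning under the scanning module's constraints.

Added example, not code from the patent. Given a constructed asset list
and a scan policy, it produces a scan plan that keeps fuzz and
denial-of-service checks disabled, validates the port range, scans only
one node of a dual-machine hot-standby pair per session, puts production
segments into an off-peak window, and switches hosts with special
requirements to single-host mode with a reduced template set. Asset
fields, windows and template names are assumptions.
"""
from dataclasses import dataclass, replace


@dataclass
class Asset:
    ip: str
    segment: str            # "production" or "test"
    ha_group: str = ""      # shared name for both nodes of a hot-standby pair
    special: bool = False   # host that needs an adjusted scan policy


@dataclass(frozen=True)
class ScanPolicy:
    ports: str = "1-1024"
    templates: tuple = ("web", "system", "weak-password")
    concurrency: int = 5
    use_fuzz: bool = False      # fuzz scanning is not used, to limit impact
    dos_checks: bool = False    # no denial-of-service style checks


@dataclass
class ScanTask:
    ip: str
    window: str
    policy: ScanPolicy
    backup_first: bool          # hosts are backed up before a host scan


def parse_port_range(spec):
    """'22,80,1000-1010' -> sorted list of ports; rejects malformed input."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("bad port range %r" % part)
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def plan_session(assets, policy, off_peak="02:00-05:00", business="09:00-18:00"):
    """Turn an asset list into the ordered tasks of one scanning session."""
    if policy.use_fuzz or policy.dos_checks:
        raise ValueError("fuzz and denial-of-service checks are not permitted")
    parse_port_range(policy.ports)           # fail early on a bad port spec
    scanned_pairs = set()
    tasks = []
    for asset in assets:
        if asset.ha_group:
            if asset.ha_group in scanned_pairs:
                continue                     # the other node waits for a later session
            scanned_pairs.add(asset.ha_group)
        window = off_peak if asset.segment == "production" else business
        task_policy = policy
        if asset.special:
            # single-host mode: one IP at a time, system checks only
            task_policy = replace(policy, concurrency=1, templates=("system",))
        tasks.append(ScanTask(asset.ip, window, task_policy, backup_first=True))
    return tasks
```

Tasks come out in inventory order with one IP per task, so a scheduler that runs them sequentially already satisfies the "scan the next IP only after the previous scan is finished" rule for single-host mode.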
the security operation and maintenance module comprises: a daily security operation and maintenance unit, an important-moment security guarantee unit and a periodic security inspection unit;
the daily security operation and maintenance unit comprises: security policy optimization, security product operation and maintenance, and security assessment;
security policy optimization: checking whether the security control policies are effective and reasonable, and improving them, comprising: research, making a plan, optimizing the policy and outputting a report;
the security product operation and maintenance comprises: monitoring equipment operation security, auditing equipment operation security, and updating equipment and backing up policies;
the security assessment includes: security scanning evaluation, which is used to discover security vulnerabilities in the information system in time and carry out vulnerability correction on Windows and Linux servers and security equipment; security scanning of information assets is carried out during non-peak service periods on application and in combination with the security vulnerability knowledge base, without using scanning modes containing denial-of-service checks; if a scanned system stops responding during the scan, scanning is stopped immediately, the situation is analyzed and the cause determined, the system is restored, and scanning continues after the scanning strategy is adjusted;
the important-moment security guarantee unit comprises: before a major holiday, actively detecting the assets a user exposes on the external network to form an asset list, carrying out precise vulnerability scanning according to the asset discovery results and comprehensively checking specific vulnerabilities; notifying major security events of one or more kinds including high-risk system vulnerabilities, high-risk worm viruses and serious intrusions and attacks, providing one or more of the event type, scope of influence, solution and prevention plan, carrying out comprehensive security inspection and security hardening of major systems, retesting the hardening results and confirming that security problems are repaired in a timely and effective way; during the holiday, carrying out real-time alarm monitoring and log analysis on the firewall, Web application firewall, IDS/IPS (Intrusion Detection System/Intrusion Prevention System), load balancing system, web page tamper-proofing system and network security audit system, monitoring antivirus software and its logs, and monitoring the state and logs of the application systems, database systems and service platform; and if an attack or intrusion incident is discovered, investigating, analyzing and tracing it in time, analyzing the source and cause of the incident, providing a solution according to the investigation and the incident situation, and recording the incident, analysis, solution and tracing plan;
the periodic security inspection unit comprises: periodic security product inspection and periodic security policy optimization suggestions;
the risk assessment module includes: the system comprises a network security evaluation unit, a host security evaluation unit, an application security evaluation unit, a terminal security evaluation unit, a data security evaluation unit, a physical security evaluation unit, a middleware security evaluation unit and a management security evaluation unit;
the network security evaluation unit comprises: analyzing organized network topology architecture, security domain planning, VLAN division, network equipment configuration, security equipment configuration and security protection measures, performing security evaluation on a physical network structure, a logic network structure and network equipment, discovering the problems of security and network load of the network structure, the problems of security and anti-attack of the network equipment, evaluating the current security situation of the network, and discovering the problems of security, rationality and use efficiency;
the host security evaluation unit includes: analyzing an operating system, an account number, authentication, authorization, network service, a system log, patch upgrade, virus protection and a local security policy, discovering security holes and potential safety hazards existing in system configuration and operation, and analyzing and evaluating according to a service application condition and a security baseline configuration condition, wherein the analysis and evaluation comprises identity authentication, access control, security audit, intrusion prevention, malicious code prevention and resource control;
the application security evaluation unit includes: performing a security evaluation of the application system according to its accounts, authentication, authorization, audit, performance resources, backup and recovery and penetration testing; detecting and analyzing input validation, identity verification, authorization, configuration management, sensitive data, session management, encryption technology, exception management, audit and logging, and habit problems; and searching for security vulnerabilities and potential safety hazards of the application system;
the terminal security evaluation unit includes: checking patches, account passwords, network services, virus protection and local security strategies, evaluating the security condition of the terminal according to patch upgrading, virus protection, account passwords, network services and local security strategies, and searching security holes and potential safety hazards of the terminal;
the data security evaluation unit comprises: detecting and analyzing the database user name and password management, database access control, login authentication mode, data security, security vulnerability inspection, patch management and security audit of the database; evaluating the data security condition according to the confidentiality, integrity and availability of the data; and searching for security vulnerabilities and potential safety hazards that may exist in the data layer;
the physical security evaluation unit includes: detecting and analyzing physical security boundaries, physical access control, detecting and analyzing security protection of offices, rooms and facilities, detecting and analyzing security protection of external and environmental threats, security area work control, delivery and delivery areas, equipment placement and protection, supporting equipment, cable laying security, equipment maintenance, asset movement, off-site equipment and asset security, safe disposal or reuse of equipment, unattended user equipment, desktop clearing and screen strategies, and evaluating the security of a network machine room according to the physical environment, access control, power supply, cable laying, equipment placement, label specification and machine room system of the machine room;
The middleware security evaluation unit includes: detecting and analyzing a middleware user name and password management, middleware security audit, login authentication mode, communication confidentiality, resource control and an intrusion prevention strategy of the middleware, and evaluating whether the installation deployment and the realization of configuration parameters of the middleware meet the application operation security requirement or not;
the management security evaluation unit includes: and evaluating the information safety management current situation according to safety organization, safety system, safety personnel, safety operation and maintenance, safety emergency and safety training, and searching possible potential safety hazards and missing points.
The information system grade protection evaluation module comprises: the system comprises a grade protection gap evaluation unit, a safety guarantee system design unit, a grade protection evaluation unit and an information system soft modification unit;
the grade protection gap assessment unit comprises the following processes: information collection and analysis, tool and form preparation, evaluation object determination, evaluation index determination, evaluation tool access point determination, evaluation content determination, evaluation instruction development, evaluation scheme compilation, evaluation implementation preparation, on-site evaluation and result recording, result confirmation and data return, single evaluation result judgment, single evaluation result summary analysis, overall evaluation, safety evaluation conclusion formation and evaluation report compilation;
The safety guarantee system design unit comprises: analyzing weaknesses and risks of the current network and the current information system through an information system level protection gap evaluation unit, performing safety rectification, completing the topology design of corresponding products, implementing safety technical measures and perfecting a safety management system; combining the results of the information system level protection gap evaluation unit, formulating an information security system framework according to the information security level protection requirements and the actual situation;
the information security architecture framework comprises: a security policy, a security technology system, an operation guarantee system, a security organization and management system;
the security policy interacts with the security technology system, the operation guarantee system, and the security organization and management system; the security technology system, operation guarantee system and security organization and management system are constructed under the guidance of the security policy, and all elements formulated in the security policy are converted into technical implementation methods and management and operation guarantee means to realize the goals set by the security policy;
the grade protection evaluation unit comprises: the method comprises the following steps of testing and evaluating the safety level protection condition of an information system, including safety control evaluation for evaluating the implementation configuration condition of basic safety control required by information safety level protection in the information system and information system overall evaluation for evaluating and analyzing the overall safety of the information system, wherein the description of the safety control evaluation is organized in a working unit mode, the working unit comprises safety technology evaluation and safety management evaluation, and the safety technology evaluation comprises the following steps: physical security evaluation, network security evaluation, host system security evaluation, application security evaluation and data security evaluation; the safety management evaluation comprises the following steps: safety control evaluation in multiple aspects of safety management organization evaluation, safety management system evaluation, personnel safety system evaluation, system construction management evaluation and system operation and maintenance management evaluation;
The information system soft modification unit includes: analyzing the weaknesses and risks of the current network and information system through a difference evaluation report of a grade protection difference evaluation unit, wherein the weaknesses and risks comprise the weaknesses and risks of an operating system, a database and network security equipment, checking and reinforcing the operating system, the database and the network security equipment one by one according to the security configuration reinforcing standard of the equipment, and making related risk avoiding measures, wherein the related risk avoiding measures comprise operating system reinforcing, network/security equipment reinforcing, database reinforcing and information security management system establishing and improving;
the internet threat detection and active response module comprises: risk assessment, real-time monitoring, tamper handling and emergency countermeasures provided for internet services, so as to obtain a more reliable security guarantee;
the risk assessment establishes a baseline by evaluating the exposed attack surface, vulnerabilities and content security, re-checks it regularly and continuously, monitors asset changes at regular intervals, and continuously analyzes the risk introduced by newly added assets;
the real-time monitoring watches for page tampering, 0-day exploitation (vulnerabilities that are known or disclosed before the system vendor learns of them and releases a patch), webshells, hidden injected links (black links), DNS (Domain Name System) security events and availability security events, and generates reports to notify users promptly;
the tamper handling rapidly switches a tampered site to a replacement through DNS;
the emergency countermeasures: cloud-based emergency countermeasures protect sensitive data.
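The page-tampering and hidden-link monitoring described above, as an added example in Python (not code from the patent): a crawl is compared against a hash baseline to find changed, new and missing pages, and anchors hidden by inline style or a hidden container that point off-site are flagged. The baseline, the crawled pages and the host names example.test and spam.example are constructed for the example.

```python
"""Web page tamper monitoring: compare a crawl against a hash baseline to
find changed, new and missing pages, and flag hidden links injected into
page bodies that point off-site.

Added example, not code from the patent. The baseline, the crawled pages
and the host names example.test and spam.example are constructed.
"""
import hashlib
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

HIDING_STYLES = ("display:none", "visibility:hidden", "font-size:0", "opacity:0")
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr"}   # never pushed on the stack


class HiddenLinkFinder(HTMLParser):
    """Collect hrefs of anchors hidden by inline style or the hidden attribute,
    including anchors nested inside a hidden container."""

    def __init__(self) -> None:
        super().__init__()
        self._hidden_stack: List[bool] = []
        self.hidden_links: List[str] = []

    @staticmethod
    def _is_hidden(attrs) -> bool:
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        return "hidden" in a or any(h in style for h in HIDING_STYLES)

    def handle_starttag(self, tag, attrs):
        hidden = self._is_hidden(attrs) or any(self._hidden_stack)
        if tag == "a" and hidden:
            href = dict(attrs).get("href")
            if href:
                self.hidden_links.append(href)
        if tag not in VOID_TAGS:
            self._hidden_stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()


def page_hash(content: str) -> str:
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def external_links(links: List[str], site_host: str) -> List[str]:
    """Keep only links whose host is neither the site nor one of its subdomains."""
    out = []
    for href in links:
        host = urlparse(href).hostname
        if host and host != site_host and not host.endswith("." + site_host):
            out.append(href)
    return out


def check_site(baseline: Dict[str, str], crawled: Dict[str, str], site_host: str) -> List[dict]:
    """One event per finding: content change, new page, missing page, hidden off-site links."""
    events = []
    for url, content in crawled.items():
        if url not in baseline:
            events.append({"url": url, "type": "new_page"})
        elif page_hash(content) != baseline[url]:
            events.append({"url": url, "type": "content_changed"})
        finder = HiddenLinkFinder()
        finder.feed(content)
        bad = external_links(finder.hidden_links, site_host)
        if bad:
            events.append({"url": url, "type": "hidden_external_links", "links": bad})
    for url in sorted(baseline.keys() - crawled.keys()):
        events.append({"url": url, "type": "page_missing"})
    return events


# Constructed approved pages and the baseline recorded at the last verified publication.
INDEX_OK = "<html><body><h1>Welcome</h1><a href='/about'>About</a></body></html>"
ABOUT_OK = "<html><body><p>About us</p></body></html>"
CONTACT_OK = "<html><body>Contact</body></html>"
BASELINE = {
    "https://example.test/": page_hash(INDEX_OK),
    "https://example.test/about": page_hash(ABOUT_OK),
    "https://example.test/contact": page_hash(CONTACT_OK),
}
# Constructed crawl: the index carries an injected hidden block, the contact
# page has disappeared and an unknown page has appeared.
INDEX_TAMPERED = INDEX_OK.replace(
    "</body>",
    "<div style='display:none'><a href='http://spam.example/promo'>x</a>"
    "<a href='https://example.test/legit'>y</a></div></body>")
CRAWLED = {
    "https://example.test/": INDEX_TAMPERED,
    "https://example.test/about": ABOUT_OK,
    "https://example.test/new": "<html><body>new</body></html>",
}

if __name__ == "__main__":
    for event in check_site(BASELINE, CRAWLED, "example.test"):
        print(event)
```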
Further, the baseline checking module of this embodiment carries out configuration inspection of the target information system according to baseline-inspection best practice for network equipment, security equipment, operating systems, databases and middleware at every level: it records the current configuration of each device, analyzes the current security configuration against the security baseline, finds and records the differences in security configuration, and produces a baseline inspection report from the analysis of the overall differences found and the current state of the information system.
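The baseline inspection step described above (record the current configuration, compare it to the security baseline, record the differences, report) as an added Python example that is not code from the patent. The captured configuration, the baseline items and their thresholds are constructed sample data in an sshd_config-like key/value style; any real baseline would carry the organisation's own items.

```python
"""Baseline configuration check: compare a captured device configuration
against a security baseline and produce a findings report.

Added example, not code from the patent. The captured configuration, the
baseline items and their thresholds are constructed sample data in an
sshd_config-like key/value style.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed: configuration as recorded after logging in to one device.
CAPTURED_CONFIG = """
# sshd-style configuration captured from a server (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
X11Forwarding no
LogLevel INFO
Ciphers aes256-ctr,aes128-ctr,3des-cbc
"""


@dataclass(frozen=True)
class BaselineItem:
    key: str
    expected: str                  # human-readable expectation for the report
    check: Callable[[str], bool]   # predicate on the configured value
    severity: str                  # "high", "medium" or "low"


def equals(value: str) -> Callable[[str], bool]:
    return lambda v: v.lower() == value.lower()


def at_most(limit: int) -> Callable[[str], bool]:
    return lambda v: v.isdigit() and int(v) <= limit


def forbids(*bad: str) -> Callable[[str], bool]:
    """A comma-separated list must not contain any forbidden entry."""
    banned = {b.lower() for b in bad}
    return lambda v: not ({x.strip().lower() for x in v.split(",")} & banned)


# Constructed security baseline: the reference the current configuration is compared to.
BASELINE: List[BaselineItem] = [
    BaselineItem("PermitRootLogin", "no", equals("no"), "high"),
    BaselineItem("PasswordAuthentication", "no", equals("no"), "medium"),
    BaselineItem("MaxAuthTries", "<= 4", at_most(4), "medium"),
    BaselineItem("X11Forwarding", "no", equals("no"), "low"),
    BaselineItem("LogLevel", "VERBOSE", equals("VERBOSE"), "low"),
    BaselineItem("Ciphers", "no CBC ciphers",
                 forbids("3des-cbc", "aes128-cbc", "aes256-cbc"), "high"),
    BaselineItem("ClientAliveInterval", "<= 300", at_most(300), "low"),
]


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines, skipping blanks and comments; the last occurrence wins."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        config[key.lower()] = value.strip()
    return config


def check_baseline(config: Dict[str, str], baseline=BASELINE) -> List[dict]:
    """One finding per baseline item that is absent or fails its check."""
    findings = []
    for item in baseline:
        actual = config.get(item.key.lower())
        if actual is None:
            status = "missing"          # unset: the default may not match the baseline
        elif item.check(actual):
            continue                    # compliant, no finding
        else:
            status = "non-compliant"
        findings.append({"key": item.key, "expected": item.expected, "actual": actual,
                         "status": status, "severity": item.severity})
    return findings


def summarize(findings: List[dict], total_items: int) -> dict:
    """Overall difference summary for the baseline inspection report."""
    by_severity = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        by_severity[f["severity"]] += 1
    return {"checked": total_items, "findings": len(findings),
            "compliant": total_items - len(findings), **by_severity}


def report(text: str, baseline=BASELINE) -> str:
    """Render the plain-text baseline inspection report for one device."""
    findings = check_baseline(parse_config(text), baseline)
    lines = [f"{f['severity'].upper():<6} {f['key']}: expected {f['expected']}, "
             f"actual {f['actual']!r} ({f['status']})" for f in findings]
    s = summarize(findings, len(baseline))
    lines.append(f"{s['compliant']}/{s['checked']} items compliant; "
                 f"{s['high']} high, {s['medium']} medium, {s['low']} low")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CAPTURED_CONFIG))
```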
Further, the operating system inspection unit of this embodiment covers: basic information inspection, patch management, user accounts, password security, privilege management, logging and audit, system service port inspection, security protection and network protocol security.
Further, the database inspection unit of this embodiment checks account security, database connection security, database security component configuration, log configuration and communication protocols.
Further, the Web server and middleware inspection unit of this embodiment checks: management application restrictions, directory listing, prohibition of access to files outside the Web directory, HTTP request message body size limits, default ports, error page redirection, prohibition of directory listing display, denial-of-service protection, removal of unnecessary files installed by default, hiding of version numbers and sensitive information, account management, authentication and authorization, log configuration, communication protocols, and device and security requirements.
Further, the asset information and related statistics for the current network in this embodiment include: asset statistics, attack surface statistics, newly added assets, asset changes, newly added attack surface, attack surface changes, and a detailed list of newly added assets.
Further, external attack detection in this embodiment comprises: deserialization attack detection, Web attack situation analysis and password brute-force attack detection.
Further, deserialization attack detection in this embodiment analyzes traffic to find the number of deserialization attack attempts against internal services and the details of each attempt.
Further, the details of each deserialization attack in this embodiment include: attack time, source IP, and destination IP/port.
Further, the Web attack situation analysis of this embodiment analyzes, from traffic, the attack situation of the internal servers: the distribution of Web attack types overall, the details of each attack technique, and the attack result.
Further, the attack result in this embodiment is one of: attack warning, attack trapping, and prompting.
Further, password brute-force attack detection in this embodiment records the daily number of brute-force attempts against each server and the type of service targeted, covering brute-force attacks on mail services, remote management services and database services.
Further, internal violation detection in this embodiment comprises: exposed surface detection, unauthorized outbound connection detection, malicious DNS (Domain Name System) analysis, ACL (Access Control List) review, weak password detection, abnormal login detection and irregular service analysis.
Further, exposed surface detection in this embodiment uses big data analysis to identify non-compliant attack surface in the current network.
Further, the non-compliant attack surface information in this embodiment includes: attack surface statistics, newly added attack surface, attack surface changes and attack surface details.
Further, unauthorized outbound connection detection in this embodiment analyzes the unauthorized outbound connections present in the environment.
Further, malicious DNS analysis in this embodiment monitors the DNS queries made from the internal network through traffic analysis, evaluates the reputation of the queried domains against threat intelligence, and identifies the requests for malicious domains originating inside the network together with their details.
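The malicious DNS analysis described above as an added Python example (not code from the patent): DNS queries recorded from internal traffic are matched against a threat-intelligence domain list on label boundaries, with case and trailing-dot normalisation, and aggregated per internal client. The query-log format, the client addresses and the threat-intelligence entries are constructed.

```python
"""Malicious DNS analysis: match the DNS queries seen in internal traffic
against a threat-intelligence domain list and report, per internal client,
which listed domains were requested, how often and when.

Added example, not code from the patent. The query-log format, the client
addresses and the threat-intelligence entries are constructed.
"""
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed threat intelligence: a listed domain covers itself and all its subdomains.
THREAT_INTEL = {
    "evil.example": "c2",
    "dropper.example": "malware-distribution",
    "phish-login.example": "phishing",
}

# Constructed DNS query log: "<timestamp> <client ip> <query name> <type>"
DNS_LOG = """
2024-03-11T08:00:01 10.0.1.20 www.example.org A
2024-03-11T08:00:05 10.0.1.20 beacon.evil.example A
2024-03-11T08:05:05 10.0.1.20 beacon.evil.example A
2024-03-11T08:10:05 10.0.1.20 BEACON.Evil.Example. A
2024-03-11T08:12:00 10.0.2.9 cdn.dropper.example. AAAA
2024-03-11T08:13:00 10.0.2.9 notevil.example A
2024-03-11T08:14:00 10.0.3.4 phish-login.example A
2024-03-11T08:15:00 10.0.3.4 mail.example.org MX
"""


def normalize(name: str) -> str:
    """Lower-case and drop the trailing root dot so 'A.B.' and 'a.b' compare equal."""
    return name.rstrip(".").lower()


def intel_match(qname: str, intel=THREAT_INTEL) -> Optional[Tuple[str, str]]:
    """(listed_domain, category) if qname is a listed domain or a subdomain of one.
    Matching on label boundaries keeps 'notevil.example' from matching 'evil.example'."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in intel:
            return candidate, intel[candidate]
    return None


def parse_dns_log(text: str) -> List[dict]:
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, client, qname, qtype = parts
            records.append({"ts": datetime.fromisoformat(ts), "client": client,
                            "qname": normalize(qname), "qtype": qtype})
    return records


def analyze(records: List[dict], intel=THREAT_INTEL) -> List[dict]:
    """Aggregate malicious requests per (client, listed domain) with first/last seen."""
    findings = {}
    for r in records:
        match = intel_match(r["qname"], intel)
        if match is None:
            continue
        listed, category = match
        f = findings.setdefault((r["client"], listed), {
            "client": r["client"], "listed_domain": listed, "category": category,
            "count": 0, "queried_names": set(),
            "first_seen": r["ts"], "last_seen": r["ts"]})
        f["count"] += 1
        f["queried_names"].add(r["qname"])
        f["first_seen"] = min(f["first_seen"], r["ts"])
        f["last_seen"] = max(f["last_seen"], r["ts"])
    return sorted(findings.values(), key=lambda f: (f["client"], f["listed_domain"]))


def report(findings: List[dict]) -> str:
    lines = [f"{f['client']} -> {f['listed_domain']} [{f['category']}] x{f['count']} "
             f"({f['first_seen']:%H:%M:%S} .. {f['last_seen']:%H:%M:%S}); "
             f"names: {', '.join(sorted(f['queried_names']))}" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(parse_dns_log(DNS_LOG))))
```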
Further, ACL review in this embodiment analyzes the access relationships among all IPs present in the current network, including which source IPs reach which ports of which destination IPs, evaluates how ACLs are managed and enforced in the network, and remediates ACLs that are unreasonable.
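The ACL review described above as an added Python example (not code from the patent): observed flows (source to destination port) are matched against an ordered ACL to recover the access relationships, list permit rules that carry no traffic, surface observed flows the ACL should have denied, and show which catch-all permits are in use so they can be tightened to the relationships actually seen. The ACL, the flow records and the addresses are constructed.

```python
"""ACL review from observed access relationships: match observed flows
(source -> destination:port) against an ordered ACL, list permit rules that
carry no traffic, and show which catch-all permits are actually used so
they can be tightened to the relationships observed.

Added example, not code from the patent. The ACL, the flow records and
the addresses are constructed.
"""
import ipaddress
from collections import defaultdict
from typing import List, Optional, Tuple

# Constructed ACL, evaluated top to bottom, first match wins; port None means any port.
ACL = [
    {"id": 10, "action": "permit", "src": "10.0.1.0/24", "dst": "10.0.5.0/24", "port": 3306},
    {"id": 20, "action": "deny",   "src": "10.0.2.0/24", "dst": "10.0.5.0/24", "port": None},
    {"id": 30, "action": "permit", "src": "10.0.9.0/24", "dst": "10.0.5.0/24", "port": 22},
    {"id": 40, "action": "permit", "src": "0.0.0.0/0",   "dst": "0.0.0.0/0",   "port": None},
]

# Constructed flow records: "<src> <dst> <dport>", one line per observed connection.
FLOWS = """
10.0.1.20 10.0.5.17 3306
10.0.1.21 10.0.5.17 3306
10.0.2.9 10.0.5.17 3306
10.0.1.20 10.0.5.17 22
10.0.7.3 10.0.5.17 3389
10.0.7.3 10.0.5.17 3389
"""

Flow = Tuple[str, str, int]


def parse_acl(rules: List[dict]) -> List[dict]:
    return [{**r, "src_net": ipaddress.ip_network(r["src"]),
             "dst_net": ipaddress.ip_network(r["dst"])} for r in rules]


def first_match(rule_set: List[dict], src: str, dst: str, port: int) -> Optional[dict]:
    """The first rule covering the flow, or None for the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rule_set:
        if s in r["src_net"] and d in r["dst_net"] and r["port"] in (None, port):
            return r
    return None


def parse_flows(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            flows.append((parts[0], parts[1], int(parts[2])))
    return flows


def review(rules: List[dict], flows: List[Flow]) -> dict:
    rule_set = parse_acl(rules)
    relationships = defaultdict(int)   # observed source -> destination:port, with hit counts
    hits = defaultdict(list)           # rule id -> flows that matched it
    denied = []                        # observed flows the ACL says should not exist
    for src, dst, port in flows:
        relationships[(src, dst, port)] += 1
        r = first_match(rule_set, src, dst, port)
        if r is None or r["action"] == "deny":
            # Traffic seen despite a deny: the ACL is not enforced on this path.
            denied.append((src, dst, port, r["id"] if r else None))
        else:
            hits[r["id"]].append((src, dst, port))
    # Permit rules never hit: candidates for removal (stale access).
    unused = [r["id"] for r in rule_set if r["action"] == "permit" and r["id"] not in hits]
    # Catch-all permits in use: the flows they carry are the tighter rules to write instead.
    broad = {r["id"]: sorted(set(hits[r["id"]])) for r in rule_set
             if r["action"] == "permit" and r["src_net"].prefixlen == 0
             and r["dst_net"].prefixlen == 0 and hits.get(r["id"])}
    return {"relationships": dict(relationships), "hits": dict(hits), "denied": denied,
            "unused_permits": unused, "broad_permits_in_use": broad}


if __name__ == "__main__":
    result = review(ACL, parse_flows(FLOWS))
    for key, value in result.items():
        print(f"{key}: {value}")
```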
Further, weak password detection in this embodiment discovers weak passwords on internal servers, reporting the total number of weak passwords and how many were found by passive observation, by dictionary matching and by active checking, and analyzes weak passwords found on mail services, remote management services and database services.
Further, a weak password finding for a mail, remote management or database service in this embodiment records: the affected account, the weak password, the affected server, the protocol, and the detection time.
Further, abnormal login detection in this embodiment detects abnormal login behavior on internal servers, including: logins to internal servers from external addresses, other abnormal logins, and logins outside working hours, each with its details.
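The password brute-force detection and the abnormal login detection described in the two passages above, as one added Python example that is not code from the patent: authentication log lines are parsed, failures are counted per server and service per day, a source exceeding a threshold is flagged (with higher severity when the same source later succeeds), and successful logins from outside the internal address ranges or outside working hours are reported. The log format, host names, addresses, internal ranges, working hours and threshold are constructed.

```python
"""Brute-force (password blasting) and abnormal-login detection over
authentication log lines.

Added example, not code from the patent. The log format, hosts, addresses,
internal ranges, working hours and threshold are constructed."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, time
from typing import List, Optional

# Constructed log: "<timestamp> <server> <service> <result> user=<u> src=<ip>"
LOG_LINES = """
2024-03-11T09:02:11 srv-mail01 imap auth_failed user=alice src=203.0.113.5
2024-03-11T09:02:12 srv-mail01 imap auth_failed user=alice src=203.0.113.5
2024-03-11T09:02:13 srv-mail01 imap auth_failed user=bob src=203.0.113.5
2024-03-11T09:02:14 srv-mail01 imap auth_failed user=carol src=203.0.113.5
2024-03-11T09:02:15 srv-mail01 imap auth_failed user=dave src=203.0.113.5
2024-03-11T09:02:16 srv-mail01 imap auth_ok user=dave src=203.0.113.5
2024-03-11T10:15:00 srv-db01 mysql auth_failed user=root src=10.0.5.17
2024-03-11T10:15:01 srv-db01 mysql auth_failed user=root src=10.0.5.17
2024-03-11T14:30:00 srv-app01 ssh auth_ok user=ops src=10.0.1.20
2024-03-12T03:12:45 srv-app01 ssh auth_ok user=ops src=10.0.1.20
2024-03-12T11:00:00 srv-db01 mysql auth_ok user=report src=10.0.2.9
2024-03-16T12:00:00 srv-app01 ssh auth_ok user=ops src=10.0.1.20
"""

# Constructed policy: the organisation's own address space and working hours.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WORK_START, WORK_END = time(9, 0), time(18, 0)   # Monday to Friday
BRUTE_FORCE_THRESHOLD = 5                        # failures per source, server, service, day


def parse_line(line: str) -> Optional[dict]:
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, server, service, result, user, src = parts
    return {"ts": datetime.fromisoformat(ts), "server": server, "service": service,
            "result": result, "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}


def parse_log(text: str) -> List[dict]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def outside_working_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def daily_failure_counts(events: List[dict]) -> Counter:
    """Failures per (day, server, service): the per-server, per-service daily count."""
    counts: Counter = Counter()
    for e in events:
        if e["result"] == "auth_failed":
            counts[(e["ts"].date().isoformat(), e["server"], e["service"])] += 1
    return counts


def detect_brute_force(events: List[dict], threshold: int = BRUTE_FORCE_THRESHOLD) -> List[dict]:
    """Sources with at least `threshold` failures against one server/service in a day.
    A later success from the same source on that service raises the severity."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "auth_failed":
            failures[(e["ts"].date(), e["server"], e["service"], e["src"])].append(e["ts"])
    alerts = []
    for (day, server, service, src), times in failures.items():
        if len(times) < threshold:
            continue
        succeeded = any(e["result"] == "auth_ok" and e["src"] == src and e["server"] == server
                        and e["service"] == service and e["ts"] > max(times) for e in events)
        alerts.append({"day": day.isoformat(), "server": server, "service": service,
                       "src": src, "attempts": len(times),
                       "severity": "high" if succeeded else "medium"})
    return alerts


def detect_abnormal_logins(events: List[dict]) -> List[dict]:
    """Successful logins from outside the internal ranges or outside working hours."""
    alerts = []
    for e in events:
        if e["result"] != "auth_ok":
            continue
        reasons = []
        if is_external(e["src"]):
            reasons.append("external_source")
        if outside_working_hours(e["ts"]):
            reasons.append("non_working_time")
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "server": e["server"],
                           "user": e["user"], "src": e["src"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    events = parse_log(LOG_LINES)
    print(daily_failure_counts(events), detect_brute_force(events), detect_abnormal_logins(events))
```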
Further, irregular service analysis in this embodiment detects and identifies remote control services, proxy services, reGeorg tunnels, HTTP (Hypertext Transfer Protocol) proxies, SOCKS proxies, and TeamViewer/IRC (remote connection tool / Internet Relay Chat) usage, recording for each connection the time, the source IP, the destination IP and the service type.
Further, event triage in this embodiment collects attack and compromise events, Web attack events and internal anomaly information, determines whether each event is a genuine malicious attack using network intrusion information combined with cloud threat conditions, and analyzes the cause of the event.
Further, event tracing in this embodiment traces a malicious attack event back to its source and analyzes the attacker's physical location, the preserved evidence of the attacker's behavior, and the techniques the attacker commonly uses.
Further, the host asset service discovery unit of this embodiment scans for and discovers newly added assets, asset changes, newly opened ports and port changes, identifies the operating system, IP address and domain name, and outputs an asset information report.
Further, the Web service discovery unit of this embodiment analyzes and discovers ports, Web servers, development languages, information about any WAF in front of the service, and the state of the Web services. The asset visualization unit of this embodiment displays asset information visually, supports quick search and report export of asset information, and can output a Web service information report.
Further, the emergency drill module of this embodiment also includes a network attack event emergency drill unit.
Further, the network attack event emergency drill unit of this embodiment analyzes and assesses the event. If it is judged to be a malicious attack on an external-network website, the attack source IP address is located from the system logs, firewall logs, network traffic analysis and the webpage tamper-proofing system, and it is determined whether the attack source can be identified; if not, it is determined whether the attack source type can be identified. At the same time, it is determined from the system's security state whether one or more of tampering, SQL (Structured Query Language) injection, XSS (Cross-Site Scripting), Trojan implantation and unauthorized intrusion has occurred. If so, the webpage tamper-proofing system is checked for tampering: if tampering is found, the cause of the vulnerability is determined; if not, it is checked whether the IDS (intrusion detection system) detected the intrusion, and if it did, the detection is verified. If no intrusion is detected, it is again determined whether the attack source type can be identified: if the attack type can be identified, it is judged whether the vulnerability can be recovered and repaired; if the attack source type cannot be identified, the emergency plan is started. If the vulnerability can be recovered and repaired, it is repaired; if it cannot, the emergency plan is started. After repair, it is judged whether the attack continues: if it does, the attack source is identified and the emergency plan is started; if it does not, the notification process is executed. If the IP address or attack path of the attack source cannot be located, or the attack's network path cannot be closed after analysis, the emergency plan (for the case in which the system is unavailable) is started and notification is issued.
Further, information collection in the Web penetration test unit of this embodiment gathers the operating system type, the network topology, the open ports and the services provided by the target system, using one or more of host network scanning, port scanning, operating system identification, application identification, account scanning and configuration assessment. Password guessing uses brute-force and dictionary attacks to guess passwords.
Further, the Web script and application test of this embodiment covers: injection, cross-site scripting, broken authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards.
Information collection and analysis in this embodiment comprises baseline checking and vulnerability scanning. The baseline check performs a baseline inspection of the system to discover security vulnerabilities and weak points in the servers, network equipment and security equipment, and identifies, analyzes, repairs and re-checks the vulnerabilities found.
Vulnerability scanning scans the system for vulnerabilities, checks for security hazards and vulnerabilities in the network protocols, network services and network equipment of the various information assets, and detects and analyzes security vulnerabilities in the network equipment to assist in their remediation.
Further, information collection and analysis in the level protection gap assessment unit of this embodiment retrieves policy documents, rules and regulations and process management records, the overall and detailed information system description documents, the information system security protection level grading report, the security requirements analysis report, the overall information system security scheme, the security status evaluation report, the detailed information system security design, user guides, operating procedures, network diagrams and configuration management documents; analyzes one or more of the information system's basic information, management framework, network and equipment deployment, service types and characteristics, service data, user scope and user types, and consolidates the analysis; analyzes the industry characteristics, supervising authority, service scope, geographic location, background information, contact details, organizational and management structure, management strategies, departmental structure, the functions, positions and responsibilities of the departments at the service operation terminals, the physical environment, network topology, hardware deployment, scope and boundaries, service types and characteristics, service flows and service security protection level; and produces a basic situation analysis report for the information system.
The security technology system is the foundation of the information security system framework and comprises network security, host security, terminal security, application security, data security and a comprehensive security management platform. Guided by the security policy, it builds a complete and coordinated security technology protection system covering network security protection, host system security protection, application security protection, terminal security protection and data security protection. The security organization and management system is based on the overall security policy and interworks with the security technology system.
The operation guarantee system comprises security operation and maintenance management, daily operation guarantee, security emergency response, and data and system backup.
In light of the foregoing description of the preferred embodiments according to the present application, it is to be understood that various changes and modifications may be made without departing from the spirit and scope of the invention. The technical scope of the present application is not limited to the contents of the specification, and must be determined according to the scope of the claims.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

Claims (10)

1. A network security protection safety method based on unit cells, characterized by comprising the following steps:
vulnerability scanning: determining a scheme, configuring a strategy, backing up the system, performing the scan, analyzing the result, scanning again, repairing vulnerabilities and performing a secondary re-check; the scan detects security hazards and vulnerabilities in any one or more of network protocols, network services and network equipment according to a security vulnerability knowledge base, analyzes and identifies vulnerabilities that an intruder could use to enter the network or obtain information assets without authorization, and issues reminders; when a host scanning command is received or a host scan is performed, the host's data is backed up first; if the server is a dual-machine hot-standby system, only one of the servers is scanned in a single scanning session; for hosts or network equipment with special requirements, the scanning object strategy is adjusted and a single-host scanning mode is adopted for the system in question, scanning one IP at a time and moving to the next IP after the current scan finishes; and the scanning time of equipment on the production network segment is adjusted to a period that does not affect service;
baseline checking: collecting login information for the network equipment, security equipment, operating systems, databases and middleware in the target information system; logging in to each target device to check its configuration, recording the configuration information and performing configuration security analysis; logging in to the network equipment, security equipment, operating systems, databases and middleware one by one according to the collected login information, verifying the accuracy of the collected login information and the privileges of the accounts, analyzing whether all security configuration check items can be covered, and forming a baseline check report;
checking the network and security equipment: checking device management, account management, authentication and authorization, login methods, log audit, service port optimization, security protection and the rationality of security policies, wherein the checking further comprises checking the operating system, checking the database, and checking the Web server and middleware;
full-traffic threat analysis: analyzing threat intelligence together with the collected traffic of the whole network to detect compromised internal hosts, external attacks, internal violations and internal risks, analyzing and triaging events, tracing their sources, and analyzing asset information and related statistics in the current network; discovering intranet assets: inventorying the host assets and Web servers of the intranet information system and dynamically managing the full life cycle of the intranet assets' accounts, comprising host asset service discovery, Web service discovery and visual display of assets;
emergency response: monitoring security problems in the service system, tracing internet-level attacks through big data analysis, analyzing the causes of security events, tracing event sources, classifying security events, defending against attacks using big data analysis and security threat intelligence, discovering unknown dangerous network behavior and locating attack sources; emergency drill: analyzing and assessing the event; if it is judged to be a suspected computer virus outbreak, judging whether a system problem exists; if a system problem exists, starting the system emergency plan and executing the notification process; if no system problem exists, judging whether the virus is propagating over the network; if it is, judging whether the infected host needs to be isolated; if the host needs to be isolated, disconnecting its network connection, starting the system emergency plan and judging whether antivirus measures need to be executed; if isolation is not needed, directly judging whether antivirus measures need to be executed; if antivirus measures are needed, judging whether system data may be damaged; if it may be, backing up the system before executing the antivirus measures; if not, executing the antivirus measures directly; after execution, judging whether the virus has been completely removed; if antivirus measures are judged unnecessary, directly judging whether the virus has been completely removed; if the virus has been completely removed, restoring the network connection of the isolated host and executing the reporting process; if the virus still exists after the antivirus measures, continuing to apply new virus search and removal measures until the virus is removed;
the penetration test comprises Web penetration testing and advanced penetration testing; Web penetration testing simulates a real security attack to discover the ways a hacker could intrude into the information system, comprising: information collection, remote overflow, password guessing, local overflow, enterprise user-side attacks, man-in-the-middle attacks, and Web script and application testing; advanced penetration testing, drawing on information security best practice, simulates a targeted attack, taking the internet-side assets or the internal untrusted/semi-trusted zones as the entry point and simulating a hacker's intranet attack to obtain the highest intranet privileges or sensitive data for further penetration testing, comprising: evaluating the external asset situation, searching for intranet access points, using available intranet access points present in the internet assets, and deploying a pivot host (springboard) to penetrate the internal network;
secure operation and maintenance comprises: daily secure operation and maintenance, security assurance at important times, and periodic security inspection; daily secure operation and maintenance comprises: security policy optimization, security product operation and maintenance, and security assessment; security policy optimization checks and improves whether the security control policies are effective and reasonable, comprising: investigation, scheme formulation, policy optimization and report output; security product operation and maintenance comprises: monitoring device operational security, auditing device operational security, and updating devices and backing up policies; security assessment comprises security scanning assessment, which discovers security vulnerabilities in the information system in time and remediates them on Windows and Linux servers and security equipment, performing security scans of information assets during off-peak service periods as required and in combination with a security vulnerability knowledge base, without using scanning modes that include denial-of-service tests; if the scanned system stops responding during a scan, the scan is stopped immediately, the situation is analyzed and the cause determined, the system is restored, and scanning resumes after the scanning strategy is adjusted; security assurance at important times comprises: actively detecting the assets a user exposes to the external network before a major holiday to form an asset list, performing precise vulnerability scanning based on the asset discovery results, comprehensively checking for specific vulnerabilities, issuing notices of major security events of one or more kinds including high-risk system vulnerabilities, high-risk worm viruses and serious intrusions and attacks, providing one or more of the event type, scope of impact, solution and prevention scheme, carrying out comprehensive security inspection and security hardening of the major systems, retesting the hardening results, and confirming that security problems are repaired in a timely and effective manner; during holidays, real-time alarm monitoring and log analysis are performed on the firewall, Web application firewall, IDS/IPS, load balancer, webpage tamper-proofing system and network security audit system, the antivirus software and its detection and removal records are monitored, the state of the application systems, database systems and service platforms is monitored and their logs analyzed, and if one or more attacks or intrusions are found they are investigated and analyzed in time, the source and cause of the incident are traced, a solution is provided based on the investigated cause and the incident situation, and the incident, its analysis, the solution and the tracing scheme are recorded; periodic security inspection comprises: periodic security product inspection and periodic security policy optimization suggestions;
the risk assessment comprises: network security assessment, host security assessment, application security assessment, terminal security assessment, data security assessment, physical security assessment, middleware security assessment and management security assessment; the network security assessment analyzes the organization's network topology, security domain planning, VLAN division, network equipment configuration, security equipment configuration and security protection measures, evaluates the security of the physical network structure, the logical network structure and the network equipment, discovers security and load problems of the network structure and security and attack-resistance problems of the network equipment, evaluates the current security posture of the network, and discovers problems of security, rationality and efficiency of use; the host security assessment analyzes the operating system, accounts, authentication, authorization, network services, system logs, patch updates, virus protection and local security policy, discovers security vulnerabilities and hazards in system configuration and operation, and analyzes and evaluates them according to the service application and the security baseline configuration, covering identity authentication, access control, security audit, intrusion prevention, malicious code prevention and resource control; the application security assessment evaluates the application system's accounts, authentication, authorization, audit, performance resources, backup and recovery and penetration test results, detects and analyzes input validation, identity verification, authorization, configuration management, sensitive data, session management, cryptography, exception management, audit and logging and habitual problems, and searches for security vulnerabilities and hazards in the application system; the terminal security assessment checks patches, account passwords, network services, virus protection and local security policy, evaluates the security of the terminal according to patch updates, virus protection, account passwords, network services and local security policy, and searches for security vulnerabilities and hazards in the terminal; the data security assessment detects and analyzes the database's user name and password management, database access control, login authentication method, data security, security vulnerability inspection, patch management and security audit, assesses the data security situation according to the confidentiality, integrity and availability of the data, and searches for security vulnerabilities and hazards that may exist in the data layer; the physical security assessment detects and analyzes physical security boundaries, physical access control, the security protection of offices, rooms and facilities, protection against external and environmental threats, work control in secure areas, delivery and handover areas, equipment placement and protection, supporting facilities, cabling security, equipment maintenance, asset movement, the security of off-site equipment and assets, secure disposal or reuse of equipment, unattended user equipment, and clear desk and clear screen policies, and evaluates the security of the network machine room according to its physical environment, access control, power supply, cabling, equipment arrangement, labeling standards and machine room system; the middleware security assessment detects and analyzes the middleware's user name and password management, security audit, login authentication method, communication confidentiality, resource control and intrusion prevention strategy, and evaluates whether the installation, deployment and configuration parameters of the middleware meet the application's operational security requirements; the management security assessment evaluates the information security management status according to security organization, security system, security personnel, security operation and maintenance, security emergency and security training, and searches for possible hazards and gaps;
the information system level protection evaluation comprises: level protection gap assessment, security assurance system design, level protection assessment and information system soft rectification, wherein the level protection gap assessment comprises the following processes: information collection and analysis, tool and form preparation, evaluation object determination, evaluation index determination, evaluation tool access point determination, evaluation content determination, evaluation instruction development, evaluation scheme compilation, evaluation preparation and implementation, on-site evaluation and result recording, result confirmation and data return, single evaluation result judgment, single evaluation result summary analysis, overall evaluation, security evaluation conclusion formation and evaluation report compilation; the security assurance system design comprises: analyzing the weaknesses and risks of the current network and information system through the information system level protection gap assessment, carrying out security rectification, completing the topology design of the corresponding products, implementing security technical measures, and improving the security management system; combining the result of the information system level protection gap assessment, an information security system framework is formulated according to the information security level protection requirements and the actual situation, wherein the information security system framework comprises: a security policy, a security technology system, an operation assurance system and a security organization and management system, wherein the security policy interacts with the security technology system, the operation assurance system and the security organization and management system; the security technology system, the operation assurance system and the security organization and management system are constructed under the guidance of the security policy, and all elements formulated in the security policy are converted into technical implementation methods and management and operation assurance means to achieve the goals set in the security policy; the level protection assessment comprises: testing and evaluating the security level protection status of an information system, including security control evaluation, which evaluates the implementation and configuration of the basic security controls that information security level protection requires in the information system, and information system overall evaluation, which evaluates and analyzes the overall security of the information system, wherein the description of the security control evaluation is organized in work units, a work unit comprises security technology evaluation and security management evaluation, and the security technology evaluation comprises the following steps: the security management evaluation comprises security control evaluation in the aspects of security management organization evaluation, security management system evaluation, personnel security system evaluation, system construction management evaluation and system operation and maintenance management evaluation; the information system soft rectification comprises: analyzing the weaknesses and risks of the current network and information system through the gap evaluation report of the level protection gap assessment, wherein the weaknesses and risks comprise those of the operating system, the database and the network security equipment, checking and hardening the operating system, the database and the network security equipment one by one according to the security configuration hardening standards for that equipment, and formulating related risk avoidance measures, wherein the related risk avoidance measures comprise operating system hardening, network/security equipment hardening, database hardening, and information security management system establishment and improvement;
the internet threat detection and proactive response comprises: providing risk assessment, real-time monitoring, tamper handling and emergency countermeasures for internet services, so as to regain a stronger security assurance; the risk assessment comprises: evaluating the exposed surface, vulnerabilities and content security as a baseline, re-checking regularly and continuously, regularly monitoring asset changes, and continuously analyzing the risk introduced by newly added assets; the real-time monitoring comprises: monitoring page tampering, 0day, web trojans, hidden links, DNS and availability security events in real time, generating reports and notifying users in time; the tamper handling comprises: rapidly switching the tampered site away by means of DNS; the emergency countermeasures comprise: carrying out cloud-based emergency response to protect sensitive data.
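The real-time monitoring step above names page tampering and hidden links as events to detect and report. The following is an added example of how such a monitor is commonly built (my code, not the patent's or the applicant's): a trusted hash baseline per page, a re-fetch comparison, and a scan of changed pages for links to domains outside an allow-list. The URLs, page bodies and allowed domains are constructed sample data so the script runs offline; in practice the pages would be fetched on a schedule and re-baselined after every authorised content change.

```python
"""Added example (not part of the patent or its applicant's product): a minimal
page-tamper and hidden-link monitor of the kind the claim's real-time
monitoring step describes.

Assumptions (mine, not the patent's): each monitored page is identified by its
URL, a trusted baseline snapshot of every page exists, and the domains the
site legitimately links to are known. The page bodies below are constructed
sample data so the script runs offline.
"""
import hashlib
import re
from typing import Dict, List, Set

# Constructed baseline snapshots: what each page looked like when trusted.
BASELINE_PAGES: Dict[str, str] = {
    "https://www.example.test/index.html":
        "<html><body><h1>Welcome</h1>"
        "<a href='https://www.example.test/about'>About</a></body></html>",
    "https://www.example.test/news.html":
        "<html><body><h1>News</h1><p>Quarterly update</p></body></html>",
}

# Constructed "current" fetch: index.html carries an injected hidden link,
# news.html is unchanged.
CURRENT_PAGES: Dict[str, str] = {
    "https://www.example.test/index.html":
        "<html><body><h1>Welcome</h1>"
        "<a href='https://www.example.test/about'>About</a>"
        "<div style='display:none'><a href='http://casino.invalid/'>cheap</a></div>"
        "</body></html>",
    "https://www.example.test/news.html":
        "<html><body><h1>News</h1><p>Quarterly update</p></body></html>",
}

ALLOWED_LINK_DOMAINS: Set[str] = {"www.example.test"}

# Absolute http(s) links only; group 1 is scheme+host, group 2 is the host.
HREF_RE = re.compile(r"""href\s*=\s*['"]?(https?://([^/'"\s>]+))""", re.IGNORECASE)


def page_hash(body: str) -> str:
    """SHA-256 of the page body; the baseline only needs to keep this digest."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def foreign_links(body: str, allowed: Set[str]) -> List[str]:
    """Absolute links whose host is outside the allowed set (hidden-link indicator)."""
    return [url for url, host in HREF_RE.findall(body) if host.lower() not in allowed]


def check_pages(baseline: Dict[str, str], current: Dict[str, str],
                allowed: Set[str]) -> List[dict]:
    """Compare every fetched page with its baseline and emit one finding per event."""
    findings: List[dict] = []
    baseline_hashes = {url: page_hash(body) for url, body in baseline.items()}
    for url, body in current.items():
        if url not in baseline_hashes:
            # A page nobody baselined is itself worth a look (unexpected upload?).
            findings.append({"url": url, "event": "unbaselined_page", "severity": "medium"})
            continue
        if page_hash(body) == baseline_hashes[url]:
            continue
        links = foreign_links(body, allowed)
        if links:
            findings.append({"url": url, "event": "hidden_link", "severity": "high", "links": links})
        else:
            findings.append({"url": url, "event": "page_tampered", "severity": "high"})
    # A baselined page that no longer answers is an availability event.
    for url in baseline_hashes:
        if url not in current:
            findings.append({"url": url, "event": "page_missing", "severity": "high"})
    return findings


def format_report(findings: List[dict]) -> str:
    """Plain-text report, one line per finding, for the notification step."""
    if not findings:
        return "no changes detected"
    lines = []
    for f in findings:
        extra = " -> " + ", ".join(f["links"]) if "links" in f else ""
        lines.append(f"{f['severity'].upper():<6} {f['event']:<16} {f['url']}{extra}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(check_pages(BASELINE_PAGES, CURRENT_PAGES, ALLOWED_LINK_DOMAINS)))
```

The hash comparison catches any byte-level change; the link scan is what turns "something changed" into the more specific hidden-link event, which is the signal that matters for black-hat SEO injection. Pages that change legitimately (news feeds, timestamps) need either a re-baseline hook in the publishing workflow or a normalisation step before hashing.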
2. The method of claim 1, wherein the login information comprises: login mode, login account/password, and management host information; the baseline check further comprises: according to baseline check best practices for network equipment, security equipment, operating systems, databases and middleware at all levels, carrying out a configuration check on the target information system, recording the configuration status of the current equipment, analyzing the current security configuration, referring to the security baseline, finding and recording the differences in security configuration, and forming a baseline check report according to the analysis of the overall baseline differences and the current status of the information system; the operating system check comprises: basic information check, patch management, user accounts, password security, permission management, logging and audit, system service port check, security protection and network protocol security; the database check comprises: checking account security, database connection security, database security component configuration, log configuration, and communication protocol; the Web server and middleware check comprises: management application restriction check, directory listing check, check that access to files outside the Web directory is forbidden, HTTP request message body size, default port check, error redirection, disabling of directory listing, denial of service attack prevention, unnecessary files installed by default, hiding of version numbers and sensitive information, account management, authentication and authorization, log configuration, communication protocol, equipment and security requirements.
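The baseline check in claim 2 records the current configuration, compares it with the security baseline and reports every difference. As an added illustration (my code, not the patent's or the applicant's), the routine below does exactly that for a "key value" configuration file, distinguishing a setting that fails the baseline from one that is missing altogether, since an unset key silently falls back to the daemon default. The baseline items and the sample sshd_config are constructed for the example and are not a published hardening standard.

```python
"""Added example (not from the patent): a baseline check that compares a
device's current configuration with a security baseline, records every gap
and produces a report.

Assumptions (mine): the configuration is available as "key value" lines, the
format sshd_config and /etc/login.defs use; the baseline items and the
sample configuration below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class BaselineItem:
    key: str                          # configuration key to inspect
    requirement: str                  # human-readable expected value
    check: Callable[[str], bool]      # True when the current value complies
    severity: str = "medium"


def parse_kv_config(text: str) -> Dict[str, str]:
    """Parse 'key value' lines; blanks and # comments are ignored, later keys win."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        config[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return config


def run_baseline_check(config: Dict[str, str], baseline: List[BaselineItem]) -> List[dict]:
    """One result per baseline item: pass, fail, or missing (key not set at all)."""
    results = []
    for item in baseline:
        value = config.get(item.key)
        if value is None:
            status = "missing"          # unset: the daemon default applies, which the
        elif item.check(value):         # baseline may not allow, so it is a gap too
            status = "pass"
        else:
            status = "fail"
        results.append({"key": item.key, "status": status, "current": value,
                        "required": item.requirement, "severity": item.severity})
    return results


def gaps(results: List[dict]) -> List[dict]:
    """The differences the claim asks to record: everything that is not a pass."""
    return [r for r in results if r["status"] != "pass"]


def format_report(host: str, results: List[dict]) -> str:
    lines = [f"Baseline check for {host}: {len(gaps(results))} gap(s) in {len(results)} item(s)"]
    for r in results:
        lines.append(f"  [{r['status']:<7}] {r['key']}: current={r['current']!r} "
                     f"required={r['required']} severity={r['severity']}")
    return "\n".join(lines)


# Constructed baseline for an SSH service (illustrative values, not a standard).
SSH_BASELINE: List[BaselineItem] = [
    BaselineItem("PermitRootLogin", "no", lambda v: v.lower() == "no", "high"),
    BaselineItem("PasswordAuthentication", "no (key-based login only)",
                 lambda v: v.lower() == "no", "high"),
    BaselineItem("MaxAuthTries", "<= 4", lambda v: v.isdigit() and int(v) <= 4),
    BaselineItem("LogLevel", "INFO or VERBOSE", lambda v: v.upper() in {"INFO", "VERBOSE"}),
    BaselineItem("X11Forwarding", "no", lambda v: v.lower() == "no", "low"),
]

# Constructed sample of a current sshd_config as collected from a host.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host
PermitRootLogin yes
PasswordAuthentication yes     # legacy accounts still use passwords
MaxAuthTries 6
LogLevel INFO
"""


if __name__ == "__main__":
    results = run_baseline_check(parse_kv_config(SAMPLE_SSHD_CONFIG), SSH_BASELINE)
    print(format_report("web-01 (constructed)", results))
```

Each baseline item carries its own predicate rather than a literal expected value, so the same engine covers equality checks, numeric limits and allowed sets; a real baseline library would be loaded from a file per device class (network equipment, security equipment, OS, database, middleware) as the claim lists them.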
3. The method of claim 1, wherein the asset information and associated statistics within the current network comprise: asset statistics, attack surface statistics, newly added asset information, asset change information, newly added attack surface information, attack surface change information and a detailed list of newly added assets; the asset statistics comprise: counting the proportion of server types according to the asset server type; the attack surface statistics comprise: statistics of the various open ports; the detailed list of newly added assets comprises one or more of: the IP address of the asset, the server type, the server version, the status and the detection time; the detecting of external attacks comprises: deserialization attack detection, Web attack situation analysis and password brute-force attack detection; the deserialization attack detection comprises: analyzing and discovering the number of deserialization attacks against internal services and the details of each deserialization attack, wherein the details of a deserialization attack comprise: attack time, source IP, destination IP/port; the Web attack situation analysis analyzes, through traffic analysis, the attacks on internal servers, the distribution of overall Web attack types, the details of each attack means and the attack result, wherein the attack result comprises: attack alert, attack trapping and prompt; the attack means comprises one or more of: Webshell, underground-market Caidao (China Chopper) scanning, Web vulnerability scanning, Struts2 attack, file upload attack, SQL injection attack, information leakage and newly added files of an application system; the password brute-force attack detection detects the number of password brute-force attacks suffered by different servers each day, the types of services, mail service brute-force attacks, remote management service brute-force attacks and database service brute-force attacks, wherein the attack details comprise: attack source IP, target IP, protocol, number of attempts within 60 seconds and brute-force result; the detecting of internal violations comprises: exposed surface detection, illegal external connection detection, malicious DNS analysis, ACL review, weak password detection, abnormal login detection and unconventional service analysis; the exposed surface detection analyzes the illegal attack surface information in the current network through big data analysis; the illegal attack surface information comprises: attack surface statistics, newly added attack surface information, attack surface change information and attack surface information, wherein the attack surface statistics comprise: statistics of the various open ports, and the attack surface information comprises: server IP, port, service type; the illegal external connection detection analyzes the illegal external connection information in the environment, wherein the illegal external connection information comprises any one or more of: the physical address of the target IP of the illegal external connection, the historical trend of illegal external connection events, the detailed time of the illegal external connection event, the source IP, the target IP and the port; the malicious DNS analysis monitors and analyzes the DNS requests of the internal network through traffic analysis, analyzes the trustworthiness of internal DNS in combination with threat intelligence, and finds the malicious DNS requests present internally together with their details, wherein the details of a malicious DNS request comprise any one or more of: request time, source IP, requested malicious domain name and the physical address of the domain name; the ACL review analyzes the access relations of all existing IPs in the current network, including the access relations from a source IP to the different ports of a target IP, analyzes the ACL control in the network and handles internally unreasonable ACLs; the weak password detection analyzes and discovers the state of weak passwords on internal servers, reports the total number of weak passwords, the number discovered by passive statistics, the number discovered by dictionary matching and the number discovered actively, and detects and analyzes the weak password information of the mail service, the remote management service and the database service; the weak password information of the mail service, the remote management service and the database service comprises: affected accounts, weak passwords, affected servers, protocols, and detection time; the abnormal login detection comprises: detecting abnormal behavior of internal servers, including: details of logins to internal servers from the outside, details of abnormal logins and details of non-working-hours logins; the details of logins to internal servers from the outside comprise: the external login IP, the IP geolocation, the internal server IP, the protocol and the access time, wherein the details of abnormal logins comprise: user, usual login location, unusual login location and discovery time; the non-working-hours login details comprise: source IP, IP geolocation, destination IP, protocol, access time; the unconventional service analysis comprises: detection and discovery of remote control services, proxy services, Regeory Tunnel services, HTTP proxies, SOCKS proxies and TeamViewer/IRC, and analyzing the time of connection to the service, the source IP connecting to the service, the target IP of the service and the service type; the event judgment comprises: on the basis of the discovered trapping events, WEB attack events and internal abnormality information, judging whether an event is a genuine malicious attack by using network penetration information combined with cloud threat conditions, and analyzing the cause of the event; the event tracing traces the source of malicious attack events, and analyzes the physical location of the attacker, the retained evidence of the attacker's behavior and the means commonly used by the attacker.
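Claim 3 specifies the password brute-force record as source IP, target IP, protocol, number of attempts within 60 seconds and the result, and the abnormal login record as logins from external addresses or outside working hours. The following added example (my code, not the patent's or the applicant's) implements both detections over constructed log lines: a sliding 60-second window of failures per source/target/protocol, with a success that lands inside the window reported as a successful brute-force, and a working-hours and address-space check on successful logins. The log format, the RFC 1918 internal ranges, the 09:00-18:00 weekday schedule and the threshold of 5 failures are all assumptions of the example.

```python
"""Added example (not from the patent): detection logic for two event classes
named in claim 3, run over constructed log lines.

Assumptions (mine): the one-line log format below is constructed; internal
space is RFC 1918; working hours are 09:00-18:00 Monday to Friday in the log's
own timezone; the threshold of 5 failures per 60 s is illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Optional, Tuple

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(seconds=60)
BRUTE_FORCE_THRESHOLD = 5
WORK_START, WORK_END = 9, 18          # hour of day, [start, end)

LINE_RE = re.compile(r"^(\S+) dst=(\S+) proto=(\S+) result=(OK|FAIL) user=(\S+) src=(\S+)$")

# Constructed authentication events (one line per attempt); 2024-03-05 is a
# Tuesday and 2024-03-09 a Saturday.
SAMPLE_LOG = """\
2024-03-05T02:13:01 dst=10.0.0.5 proto=ssh result=FAIL user=root src=203.0.113.9
2024-03-05T02:13:03 dst=10.0.0.5 proto=ssh result=FAIL user=root src=203.0.113.9
2024-03-05T02:13:05 dst=10.0.0.5 proto=ssh result=FAIL user=admin src=203.0.113.9
2024-03-05T02:13:07 dst=10.0.0.5 proto=ssh result=FAIL user=admin src=203.0.113.9
2024-03-05T02:13:09 dst=10.0.0.5 proto=ssh result=FAIL user=admin src=203.0.113.9
2024-03-05T02:13:20 dst=10.0.0.5 proto=ssh result=OK user=admin src=203.0.113.9
2024-03-05T10:15:00 dst=10.0.0.8 proto=rdp result=OK user=alice src=10.0.1.20
2024-03-05T13:30:00 dst=10.0.0.9 proto=ssh result=OK user=carol src=198.51.100.7
2024-03-05T14:00:00 dst=10.0.0.7 proto=mysql result=FAIL user=app src=10.0.1.30
2024-03-09T22:40:00 dst=10.0.0.8 proto=rdp result=OK user=bob src=10.0.1.21
"""


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, dst, proto, result, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "dst": dst, "proto": proto,
            "ok": result == "OK", "user": user, "src": src}


def load_events(text: str) -> List[dict]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_brute_force(events: List[dict]) -> List[dict]:
    """Sliding-window count of failures per (src, dst, proto); one alert per key."""
    recent: Dict[Tuple[str, str, str], Deque[datetime]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str, str], dict] = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["src"], e["dst"], e["proto"])
        q = recent[key]
        while q and e["ts"] - q[0] > WINDOW:     # drop failures older than 60 s
            q.popleft()
        if not e["ok"]:
            q.append(e["ts"])
            if len(q) >= BRUTE_FORCE_THRESHOLD:
                a = alerts.setdefault(key, {"src": key[0], "target": key[1], "proto": key[2],
                                            "attempts_60s": 0, "result": "failed"})
                a["attempts_60s"] = max(a["attempts_60s"], len(q))
        elif key in alerts and q:
            # success while failures are still inside the window: the guessing worked
            alerts[key]["result"] = "success"
            alerts[key]["user"] = e["user"]
    return list(alerts.values())


def detect_abnormal_logins(events: List[dict]) -> List[dict]:
    """Successful logins from outside the internal network or outside working hours."""
    findings = []
    for e in events:
        if not e["ok"]:
            continue
        reasons = []
        if not is_internal(e["src"]):
            reasons.append("external_source")
        ts = e["ts"]
        if ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END):
            reasons.append("non_working_hours")
        if reasons:
            findings.append({"ts": ts.isoformat(), "user": e["user"], "src": e["src"],
                             "dst": e["dst"], "proto": e["proto"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for a in detect_brute_force(evs):
        print("brute-force:", a)
    for f in detect_abnormal_logins(evs):
        print("abnormal login:", f)
```

Keying the window on the protocol as well as the address pair matters in practice: the claim breaks brute-force down by mail, remote management and database service, and a source hammering SSH and MySQL at once should produce two records, not one blended count. The "usual versus unusual login location" comparison the claim also lists needs a per-user history, which this example does not keep.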
4. The network defense security method of claim 1, wherein the host asset service discovery comprises: scanning for and discovering newly added assets, asset changes, newly added ports and port changes, identifying the operating system, IP address and domain name, and outputting an asset information report; the Web service discovery comprises: analyzing and discovering the port, the Web server, the development language, partial information on any WAF deployed in front, and the Web service status; the emergency drill further comprises: the network attack event emergency drill, which comprises: analysis and judgment; if the event is judged to be a malicious attack on an external network website, locating the attack source IP address according to system logs, firewall logs, network traffic analysis and the analysis of the webpage tamper-proof system, and judging whether the attack source can be determined; if not, judging whether the attack source type can be determined, and at the same time judging, according to the system security status, whether one or more malicious attacks among tampering, SQL injection, XSS, trojans and illegal intrusion are present; if so, checking whether the webpage tamper-proof system detects tampering; if so, identifying the cause of the vulnerability; if not, checking whether the IDS detects an intrusion; if so, verifying it; if not, judging whether the attack source type can be determined; if so, judging whether the vulnerability can be recovered and repaired; if not, starting the emergency plan for that attack source type; if the vulnerability can be recovered and repaired, recovering and repairing it; if the vulnerability cannot be recovered and repaired, starting the emergency plan; after the vulnerability has been recovered and repaired, judging whether the attack continues; if the attack continues, determining the attack source and starting the emergency plan; if the attack does not continue, executing the notification flow; and if the attack source IP address or the attack path cannot be located, or the attack network path cannot be closed after analysis, starting the emergency plan (for the case where the system is unavailable) and issuing notifications.
5. The network defense security method of claim 1, wherein the information collection of the Web penetration test comprises: collecting the operating system type, analyzing the network topology, port scanning and identifying the services provided by the target system, in one or more of the modes of host network scanning, port scanning, operating system type judgment, application judgment, account scanning and configuration judgment; the password guessing uses brute-force attacks and dictionaries to guess passwords; the Web script and application test comprises: injection, cross-site scripting, broken authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration checking, insecure cryptographic storage detection, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards detection; the injection: an injection vulnerability, in which untrusted data is sent to an interpreter as part of a command or query statement, tricking the interpreter into executing unintended commands or accessing unauthorized data; the cross-site scripting: when the application receives data containing untrusted data and sends it to a web browser without validation and escaping, scripts are executed in the web browser to hijack user sessions, deface websites or redirect users to malicious websites; the broken authentication and session management: the application functions related to authentication and session management are not implemented correctly, and passwords, keys, session tokens or other attack vulnerabilities are exploited to impersonate other users; the insecure direct object references: a reference to an internal implementation object is exposed, producing an insecure direct object reference, and the reference is manipulated to access unauthorized data; the cross-site request forgery: a cross-site request forgery attack is used to force the browser of a logged-in user to send a forged HTTP request to the vulnerable Web application, forcing the user's browser to send requests to the vulnerable application; the security misconfiguration checking: detecting whether a security configuration has been defined, implemented and maintained for the application, framework, application server, Web server, database server and platform, and whether software is updated in time; the insecure cryptographic storage detection: detecting whether the Web application uses encryption or a hash algorithm to protect sensitive data, since weakly protected data is used to carry out identity theft and credit card fraud; the failure to restrict URL access: forging URLs to access hidden web pages; the insufficient transport layer protection detection: detecting whether the application fails to authenticate, whether encryption measures are taken, whether confidentiality and integrity measures protecting sensitive network data exist, whether the application uses a weak algorithm, whether an expired or invalid certificate is used, or whether authentication, encryption or protection measures are used correctly; the unvalidated redirects and forwards detection: detecting that the Web application redirects or forwards the user to other web pages or websites, judging whether the destination page is determined from untrusted data without validation, and whether the user can be redirected to a phishing website or forwarded to an unauthorized page.
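Two of the claim 5 test items, injection and unvalidated redirects and forwards, are easiest to assess when the tester knows what a failing and a passing handler look like. The following added example (my code, not the patent's or the applicant's) shows each as a vulnerable function beside its hardened form. The redirect validator covers the edge cases that commonly defeat a naive "starts with /" check: scheme-relative `//host`, backslash variants browsers normalise to `//`, credentials-in-URL tricks, non-http schemes and CR/LF that could split a response header. The allowed hosts and the in-memory sqlite table are constructed for the example; the web framework is abstracted away.

```python
"""Added example (not from the patent): two checks claim 5 lists, shown as a
vulnerable handler beside its hardened form.

Assumptions (mine): functions take the raw request parameter and return the
value a handler would act on; ALLOWED_HOSTS and the sqlite table are
constructed for the example.
"""
import sqlite3
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.test", "account.example.test"}


# --- 1. Unvalidated redirects and forwards ----------------------------------

def redirect_target_unvalidated(next_param: str) -> str:
    """Vulnerable: wherever the 'next' parameter points is where the user goes."""
    return next_param


def redirect_target_validated(next_param: str, default: str = "/") -> str:
    """Hardened: only site-relative paths or absolute URLs on an allowed host pass."""
    if not next_param or any(c in next_param for c in "\r\n\x00"):
        return default                        # header-splitting or empty input
    candidate = next_param.replace("\\", "/")  # browsers treat '\' like '/'
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate                      # site-relative path, safe
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https"):
        return default                        # javascript:, data:, scheme-relative
    if parts.hostname is None or parts.hostname.lower() not in ALLOWED_HOSTS:
        return default                        # 'allowed.host@evil' parses as evil
    if parts.username is not None or parts.password is not None:
        return default
    return candidate


# --- 2. Injection -----------------------------------------------------------

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "user"), ("bob", "admin")])
    return con


def find_user_vulnerable(con: sqlite3.Connection, name: str):
    """Vulnerable: untrusted input concatenated into the query text."""
    return con.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(con: sqlite3.Connection, name: str):
    """Hardened: the value travels as a bound parameter, never as SQL text."""
    return con.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    for probe in ("/account", "//evil.test/", "https://www.example.test/home",
                  "https://www.example.test@evil.test/", "javascript:alert(1)"):
        print(f"{probe!r:45} -> {redirect_target_validated(probe)!r}")
    con = demo_db()
    tautology = "' OR '1'='1"          # classic textbook probe for a test case
    print("vulnerable:", find_user_vulnerable(con, tautology))
    print("safe:      ", find_user_safe(con, tautology))
```

The redirect validator returns the default path rather than raising, which is the behaviour a login flow usually wants; logging the rejected value alongside the request is what turns the check into a detection signal for the WAF and audit policies discussed later in the claims.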
6. The method of claim 1, wherein evaluating the status of the external assets and finding intranet access points comprises: judging, through information collection and analysis, whether a remote control vulnerability exists; if so, obtaining system privileges and generating a report after information collection and analysis; if no remote control vulnerability exists, judging whether a common remote vulnerability exists; if so, carrying out information collection and analysis and then judging whether ordinary local privileges can be obtained; if not, generating a report; if so, carrying out information collection and analysis and then judging whether local privilege escalation is possible, and if not, generating a report; if local privilege escalation is possible, generating a report after information collection and analysis, and if local privilege escalation is not possible, directly generating the report;
the using of available intranet access points existing in the internet assets and deploying of a jump host to perform intranet penetration on the internal network comprises: after confirming the intranet penetration asset range, acquiring basic intranet information; at the system layer, carrying out port scanning and, after known CVE vulnerability scanning, system vulnerability verification and exploitation; at the application layer, carrying out application platform information collection, version fingerprint collection and conventional vulnerability scanning, followed by application vulnerability verification and discovery; then sorting the vulnerability data for comprehensive use, elevating control privileges, carrying out information interception, remote control and resource expansion, and submitting the penetration test report and waiting for review; the information collection and analysis comprises: baseline inspection and vulnerability scanning, wherein the baseline inspection comprises: carrying out a baseline inspection of the system to discover the security vulnerabilities and weak links of servers, network equipment and security equipment, and identifying, analyzing, repairing and inspecting the discovered vulnerabilities; the vulnerability scanning comprises vulnerability scanning of the system, checking the potential security hazards and vulnerabilities present in the various information assets in network protocols, network services and network equipment, and carrying out security vulnerability detection and analysis on the network equipment to assist in correcting the vulnerabilities.
7. The method of any one of claims 1 to 6, wherein the investigation comprises: collecting security equipment, network environment, operation and maintenance authority and existing security policy information, wherein the security equipment information comprises: device name, device owner, device manufacturer and model, management address and mode, physical address, device administrator information, user name and password, and device white paper; the network environment information comprises: network topology diagram, server asset information, network equipment asset information and business system information; the operation and maintenance authority information comprises: operation and maintenance personnel privileges and the maintenance management address; the existing security policies comprise: access control policy, security protection policy and behavior audit policy; the scheme formulation comprises: carrying out a gap analysis of the existing security policies according to the information collected by the investigation and the actual security requirements of the user, finding missing policies, redundant policies and policies that have not been retired, and formulating a scheme; the gap analysis of the existing security policies comprises: analyzing the user's business security requirements, analyzing the gaps in the existing security policies, and analyzing the overall situation of the security policy gaps; the analyzing of the user's business security requirements comprises: summarizing the business systems and asset information and formulating security protection policy requirements; the analyzing of the gaps in the existing security policies comprises: access control policy gap analysis, security protection policy gap analysis and behavior audit policy gap analysis; the policy optimization comprises: access control policy optimization, security protection policy optimization and behavior audit policy optimization; the access control policy optimization comprises: boundary access control equipment and operation and maintenance management equipment; the boundary access control equipment comprises: sorting out the access requirements of the business systems, customizing the access control policy according to the business, defining the source address, destination address and service, indicating the number, date and applicant of the policy enablement order, adding missing policies, refining coarse policies and deleting redundant policies; the operation and maintenance management equipment comprises: sorting out operation and maintenance personnel and maintenance requirement information, creating or adjusting operation and maintenance personnel according to the unit's organizational structure, defining personnel names and contact details, creating or adjusting asset information according to the business responsibility unit, which requires defining the asset IP address, hosted business and physical location, and creating corresponding policies for the different operation and maintenance personnel; the security protection policy optimization comprises: intrusion detection equipment and Web application firewalls; the intrusion detection equipment comprises: sorting out the basic information of the business systems, creating an intrusion detection protection object for each business system, defining the assets and responsible personnel contained in the intrusion detection protection object, and formulating the intrusion protection policy, wherein the intrusion protection policy comprises an intrusion attack policy, a trojan/virus policy and an audit policy, an intrusion protection policy is created for each business system, and the policies are optimized according to the types of assets, operating systems and software services contained in the business system; the Web application firewall comprises: sorting out the basic information of the business systems, creating a Web application protection object for each business system, defining the contained assets and responsible personnel, and formulating the protection policy, wherein the protection policy comprises a Web malicious scanning protection policy, an SQL injection protection policy, an XSS attack protection policy, a website trojan implantation protection policy, a hotlinking protection policy and a webpage tampering protection policy; the behavior audit policy optimization comprises: network security audit, database audit and internet behavior management; the network security audit comprises: sorting out the basic information of the business systems, creating a business access audit policy and a management maintenance audit policy for each business system, wherein the business access audit policy audits all network behavior accessing the business system, and the management maintenance audit policy audits all management and maintenance network behavior of the business system; the database audit comprises: sorting out business system information and database information, creating audit policies for each database, wherein the audit policies comprise risk indicator auditing, abnormal login auditing, abnormal maintenance auditing and abnormal tool auditing, creating a business system object according to the business system information, creating report policies for the different business systems, and generating an audit report for each business system; the internet behavior management comprises: sorting out terminal information, creating or adjusting terminal users according to the organizational structure of the unit where the terminal user is located, and creating an internet access behavior audit policy for the user, wherein the audit policy comprises a mail audit policy, a website access audit policy, a communication chat audit policy, a posting audit policy and a keyword audit policy; the equipment operation security monitoring comprises: monitoring network equipment, security equipment and hosts, setting alarm thresholds and alarm rules for the various functional indicators, discovering abnormal equipment running states in time, raising different alarms for monitored security events according to their different levels and types, starting the fault handling flow if the equipment is judged to be faulty, and adjusting the alarm thresholds according to actual conditions; the monitoring of network equipment comprises: equipment hardware state inspection, equipment software state inspection, equipment performance state inspection, security policy checking and optimization, and log checking; the equipment hardware state inspection comprises: inspecting the running condition of the equipment hardware, namely the running condition of the power supply, fans, chassis, boards, flash card and status lights, inspecting the stability, connection, labelling and identification of the physical ports, and inspecting the equipment hardware alarm information; the equipment software state inspection comprises: inspecting the running state of the system kernel and checking whether a new kernel upgrade is available; the equipment performance state inspection comprises: checking CPU utilization, memory utilization, network interface utilization and buffer usage; the security policy checking and optimization comprises: re-checking the correctness and effectiveness of the security policy; the log checking comprises: checking whether log reception is normal, whether the logs are full and need to be processed, and collecting and analyzing the logs; the monitoring of security equipment comprises: security equipment hardware state inspection, security equipment software state inspection, security equipment performance state inspection, security policy optimization of the security equipment, security equipment log checking and rule base checking of the security equipment; the security equipment hardware state inspection comprises: checking the running condition of the security equipment hardware, including the running condition of the power supply, fans, chassis, boards, flash card and status lights, checking the stability of the physical ports, and checking their connection, labelling and identification; the security equipment software state inspection comprises: checking the running state of the system kernel, whether a new kernel upgrade is available, and the version upgrade status of the software system; the security equipment performance state inspection comprises: checking CPU utilization, memory utilization, network interface utilization and buffer usage; the security policy optimization of the security equipment comprises: re-checking the correctness and effectiveness of the security policy; the security equipment log checking comprises: checking whether the logs are normal, whether the logs are full and need to be processed, and collecting and analyzing the logs; the rule base checking of the security equipment comprises: checking the virus definition upgrade status, including checking the anti-virus gateway definition upgrade status and the IDS/IPS rule library upgrade status; the monitoring of hosts comprises: host hardware state inspection, host operating system security inspection, host performance inspection, suspicious service process inspection and virus inspection; the host hardware state inspection comprises: checking the running condition of the host equipment hardware, including the running condition of the power supply, fans, chassis, boards and status lights, checking the status of the network cards, IP addresses and routing table, and checking the running condition of the disk array, the display of the system fault lights and the system hardware error reports; the host operating system security inspection comprises: checking the software version of the operating system, checking the installation status of system patches for one or more of the Windows series, Linux and the Unix series, checking and optimizing the security configuration of the operating system, where the checked and optimized security configuration includes accounts, security policies and services, analyzing system logs, and checking patch installation; the host performance inspection comprises: checking CPU utilization, memory utilization, swap area utilization, disk space occupation and I/O status; the suspicious service process inspection comprises: checking the names of the running services, the necessity of running each service and the resources occupied by each service; the virus inspection comprises: checking the installation status of the client anti-virus software, the upgrade status of the virus definition library, the policy distribution status and the virus handling status; the equipment operation security audit comprises: using the security management platform together with asset information to find the associations among the data in the information generated by network access logs, management behavior records, operation behavior records, product operation records, network traffic and security monitoring, setting correlation analysis rules and filter conditions, and mining network attack and operation fault information; the equipment and policy backup and update comprises: carrying out security protection through daily policy configuration and equipment upgrades, optimizing policies, and maintaining the policy and configuration backups of the security products, including policy configuration, policy sorting, equipment upgrade and backup and recovery; the policy configuration comprises: analyzing the actual security requirements of the business system and the functions of the security product according to the overall security policy, and configuring the security policy of the security product according to the policy configuration flow; the policy sorting comprises: regularly sorting the policy configuration of the security product, sorting out redundant and obsolete policies, and deleting them after confirmation; the equipment upgrade comprises: regularly upgrading the software version, rule base and signature base of the security product, backing up the original system before upgrading, testing the upgrade package, regularly checking the manufacturer's version updates, and filing an updated operation record; the backup and recovery comprises: regularly backing up the configuration and policies of the product, storing the backup content on a dedicated server, and recording the backup operation, wherein the vulnerability correction comprises: repairing the vulnerabilities of servers and security equipment within the scanning range, and hardening application and database vulnerabilities; the periodic security product inspection comprises: the work of periodically checking the security status of the security product during the operation of the information security product, comprising equipment operation security monitoring, equipment operation security audit, and equipment and policy backup and update; setting alarm thresholds and alarm rules for the CPU utilization, memory utilization, disk utilization and network interface connectivity of the security product, monitoring in real time, confirming any abnormal running state of the security product that is found, starting the fault handling flow if a product fault is confirmed, adjusting the alarm thresholds according to the actual situation during monitoring to obtain a baseline of the security product's running state, raising different alarms for monitored security events according to their levels and types in accordance with the alarm rules, sending the alarm information to the security management platform, notifying operation and maintenance or inspection personnel through the security management platform, and taking handling measures according to the security event; the security management platform is used, together with asset information, to find the associations among one or more of network access logs, management behavior records, operation behavior records, product operation records and network traffic, to set correlation analysis rules and filter conditions, and to mine network attack and operation fault information; carrying out security protection through policy configuration and equipment upgrades, optimizing policies, and carrying out daily inspection of the policy and configuration backups of the security products; the periodic security policy optimization recommendation comprises: collecting security equipment, network environment, operation and maintenance authority and existing security policy information, implementing the security product inspection, carrying out a gap evaluation of the existing security policies and making rectification suggestions in combination with the user's actual business security requirements, and carrying out policy optimization; the rectification suggestions comprise: security policy optimization suggestions, the security policy optimization suggestions comprising: an access control policy optimization implementation method, a security protection policy optimization implementation method and a
behavior audit strategy optimization implementation method.
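The alarm-threshold and alarm-rule step of the periodic safety product inspection above (thresholds on CPU, memory and disk utilization plus network interface connectivity, alarms of different levels and types, and a running-state baseline from which the thresholds are re-derived) is shown below as an added example in Python. It is not code from the patent or from the applicant; the metric names, sample values, threshold percentages and the mean-plus-k-sigma baseline rule are all constructed assumptions for illustration.

```python
"""Threshold monitoring of a security product with a learned running-state baseline.

Added example (not from the patent). Models the alarm-threshold / alarm-rule
step of the claim: each sample of CPU, memory and disk utilization and of
interface connectivity is compared with thresholds, alarms of different
levels and types are produced, and thresholds are re-derived from an
observed baseline. Metric names, values and thresholds are constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Alarm:
    metric: str   # which metric fired (constructed names)
    level: str    # "warning" or "critical"
    kind: str     # "performance" or "connectivity"
    detail: str


# Constructed default thresholds in percent: (warning, critical) per metric.
DEFAULT_THRESHOLDS = {
    "cpu_util": (70.0, 90.0),
    "mem_util": (75.0, 90.0),
    "disk_util": (80.0, 95.0),
}


def evaluate_sample(sample: dict, thresholds: dict = DEFAULT_THRESHOLDS) -> list:
    """Apply the alarm rules to one monitoring sample and return alarms, most severe first.

    sample example (constructed):
      {"cpu_util": 81.0, "mem_util": 40.0, "disk_util": 97.0,
       "interfaces": {"eth0": True, "eth1": False}}
    """
    alarms = []
    for metric, (warn, crit) in thresholds.items():
        value = sample.get(metric)
        if value is None:
            # A metric that is not reported at all is treated as a warning:
            # the monitoring agent on the product may itself have failed.
            alarms.append(Alarm(metric, "warning", "performance", "metric not reported"))
        elif value >= crit:
            alarms.append(Alarm(metric, "critical", "performance", f"{value:.1f}% >= {crit}%"))
        elif value >= warn:
            alarms.append(Alarm(metric, "warning", "performance", f"{value:.1f}% >= {warn}%"))
    # Connectivity is a separate alarm type: a down link on a security product
    # is always critical, since traffic may be bypassing the product.
    for iface, is_up in sample.get("interfaces", {}).items():
        if not is_up:
            alarms.append(Alarm(f"iface:{iface}", "critical", "connectivity", "link down"))
    severity = {"critical": 0, "warning": 1}
    alarms.sort(key=lambda a: severity[a.level])   # stable sort keeps insertion order within a level
    return alarms


def baseline_thresholds(history: list, k_warn: float = 2.0, k_crit: float = 3.0,
                        floors: dict = DEFAULT_THRESHOLDS) -> dict:
    """Derive per-metric thresholds from samples taken during normal operation.

    Warning/critical become mean + k*stddev of the history, but never drop
    below the configured floors (a quiet baseline must not cause noisy alarms)
    and never exceed 100%, so a noisy baseline cannot silence alarms entirely.
    """
    derived = {}
    for metric, (floor_warn, floor_crit) in floors.items():
        values = [s[metric] for s in history if metric in s]
        if len(values) < 2:
            derived[metric] = (floor_warn, floor_crit)   # too little data: keep defaults
            continue
        mu, sigma = mean(values), pstdev(values)
        warn = min(100.0, max(floor_warn, mu + k_warn * sigma))
        crit = min(100.0, max(floor_crit, mu + k_crit * sigma, warn))
        derived[metric] = (round(warn, 1), round(crit, 1))
    return derived


if __name__ == "__main__":
    sample = {"cpu_util": 81.0, "mem_util": 40.0, "disk_util": 97.0,
              "interfaces": {"eth0": True, "eth1": False}}
    for alarm in evaluate_sample(sample):
        print(f"[{alarm.level}] {alarm.kind} {alarm.metric}: {alarm.detail}")
```

In practice the alarms would be forwarded to the security management platform named in the claim; here the function simply returns them so the rule logic can be tested in isolation, and the baseline step is kept separate so it can be re-run as the product's normal load changes.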
8. The method of any one of claims 1 to 6, wherein the security evaluation of the network device comprises: checking the access control security of the network equipment, checking the security protection configuration of the network equipment and checking the strategy of the network equipment; the checking of the access control security of the network device comprises: checking the software version, equipment vulnerabilities and security problems; the checking of the security protection configuration of the network device comprises: checking user security and system password security, performing log check, evaluating equipment access control security, equipment management security and network equipment service security, and evaluating through the service application condition and the security baseline configuration; the network device policy check comprises: evaluating the strategy configuration and the use condition of the existing network equipment and safety equipment, evaluating whether the strategy configuration meets the service requirement and ensuring the safety of the system; the identity authentication comprises: detecting, analyzing and evaluating identity identification and authentication mechanism measures, password security management, account locking setting options and account security management; the access control includes: detecting, analyzing and evaluating privileged user management, file system security characteristics and network service security, and evaluating whether the default sharing setting is in accordance with the minimum authorization principle; the security audit comprises: detecting, analyzing and evaluating system logs and the auditing strategy; the intrusion prevention includes: detecting, analyzing and evaluating patch management and vulnerability risk; the malicious code prevention includes: detecting, analyzing and evaluating malicious code software management; the resource control includes: detecting and analyzing a resource 
control strategy and evaluating; the potential safety hazards of the application system comprise: security function design, security vulnerabilities, and vulnerabilities in security deployment; the detection analysis of input validation includes: detecting whether an application verifies all input data, whether all input data is verified for length, scope, format and type, whether there is data that depends on client-side verification code, whether an application trusts data written onto a Web page, whether all code and system command content in user-submitted data is filtered or converted, whether data is verified at an access point when data is transferred between different trust boundaries, detecting whether an application uses independent database accounts and assigns minimal library, table and field permissions, detecting whether unnecessary stored procedures are prohibited or deleted by the database, masking database error information, analyzing whether there is or may be unverified data written onto a Web page, whether SQL queries are generated using unverified input, whether unsafe data access coding techniques increase SQL injection threats, whether input data is screened using a deny-list method rather than an allow-list method, whether security decisions are made using an input file name, URL or user name, and whether client-side validation is relied upon; the detection analysis of identity verification comprises: detecting whether a user name and a password are sent on an unprotected channel in plaintext form, whether sensitive information has a special encryption method, whether a certificate is stored and, if so, how the user name and the password are stored and protected, whether a strong password is enforced, which password policy is enforced, whether secondary authentication is added in identity authentication, whether a graphic verification code or a short message verification code is used, how a certificate is verified, how an authenticated user is identified after the first login, whether 
identity verification certificate or identity verification cookie is transmitted on an unencrypted network link or whether certificate capture or session attack exists or not is analyzed, and whether unauthorized access caused by using a weak password and an account strategy exists or not; the detection analysis authorization comprises: detecting whether necessary behavior audit is performed, what access control is used at an entry point of an application program, whether the application program uses roles, if the roles are used, detecting whether granularity is fine enough for access control and audit purposes, detecting whether the application limits access to system resources, detecting whether to limit database access, authorizing the database, analyzing whether to use an unauthorized role and an account, whether to provide sufficient role granularity, and whether to limit system resources to a specific application program identity; the detection analysis configuration management comprises: detecting how to protect a remote management interface, how to protect configuration storage, whether sensitive configuration data is encrypted, whether to separate administrator privileges, whether to use a process and a service account with lowest privileges, whether to perform white list policy management on a management IP, whether to analyze whether plaintext storage configuration confidential information comprises a connection character string and a service account certificate, whether to protect the appearance of application configuration management comprises the management interface, whether to use an unauthorized process account and a service account, whether to delete a data directory and a fixed file name by an installation script, configure a file extension, and whether to set a directory authority improperly; the detecting and analyzing sensitive data comprises: detecting whether confidential information is stored in a permanent storage, how sensitive data is 
stored, whether the sensitive data is transmitted on a network or not, whether the sensitive data is disaster-prepared or not, analyzing whether the confidential information is saved when the confidential information is not required to be stored, whether the confidential information is stored in a plaintext form in a code or not, and whether the sensitive data is transmitted on the network in the plaintext form or not; the detection analysis session management comprises: detecting how to generate a session cookie, how to exchange a session identifier, how to protect session state across a network, how to protect session state to prevent session attacks, how to protect session state storage, whether an application limits the lifetime of a session, how an application uses session storage for authentication, whether to pass a session identifier over an unencrypted channel, whether to extend the lifetime of a session, whether to store in an unsecured session state, whether a session identifier is located in a query string; the detection analysis encryption technology comprises the following steps: detecting which algorithm and encryption technology are used, whether the application uses a user-defined encryption algorithm, how long the secret key is, how to protect the secret key, how long the secret key is changed once, how to distribute the secret key, analyzing whether the user-defined encryption method is used, whether an error algorithm or a secret key with too short length is used, whether the secret key is not protected, and whether the same secret key is used for a prolonged time period; the detection analysis anomaly management comprises: detecting how the application processes error conditions, whether the exception is allowed to be propagated back to the client, whether the application displays too much information to the client, where the application records the detailed resources of the exception, whether log files are safe, whether all input parameters 
are verified, and whether the information displayed to the client is too much; the detection audit and logging includes: whether the application determines the main activity of auditing is detected, whether the application program of the application is audited across all layers and the server is detected, how to protect the log file is detected, whether login with auditing failure does not exist, whether the audit file is not protected, and whether auditing is performed across the application program layer and the server is analyzed; the detection and analysis habit problems comprise: detecting programming habits, analyzing whether a programmer likes to directly modify programs on a server, causing an editor to generate a plurality of backup files on the server, whether the files are possible to expose program codes, and analyzing whether the programmer stores sensitive information including database passwords in the files; the penetration test comprises: in the allowable and controllable range, adopting a controllable hacker intrusion method which does not cause irreparable loss to attack the network and the system, acquiring confidential information by the intrusion system, and forming a report according to the intrusion process and details; the patch inspection, the account password and the network service inspection are carried out through a vulnerability scanning tool; the checking of the virus protection is performed by a malicious code killing tool; the local strategy is checked by checking a local security strategy, checking a script and configuring a scanning tool; the detection analysis of the database user name and password management comprises the following steps: detecting and analyzing user permission setting, password strategy setting and management of redundant account numbers; the detection analysis of the database access control comprises: detecting and analyzing the control and communication security configuration of the access IP address; the 
detection analysis of the data security comprises: detecting and analyzing the storage mode and database backup of sensitive information; the security audit detection analysis of the database comprises the following steps: checking and analyzing login log audit and operation log audit; the detection analysis of the physical security boundary comprises: detecting and analyzing whether a security boundary is set to protect the safety of sensitive information, dangerous information and information processing facilities; the detection analysis of the physical access control comprises: detecting and analyzing whether the security area is protected by entrance control and whether it is ensured that access is allowed only to authorized personnel; the detection and analysis of the safety protection of the office, the room and the facility comprises the following steps: detecting and analyzing whether physical security measures are adopted in offices, rooms and facilities, wherein the detection and analysis of the security protection against external and environmental threats comprises the following steps: detecting and analyzing whether physical safety measures are adopted to prevent natural disasters, malicious attacks or accidents; the detection analysis of the work control in secure areas comprises the following steps: detecting and analyzing whether physical protection measures and guidelines for working in secure areas are designed and applied; the detection and analysis of the delivery and loading area comprises: detecting and analyzing whether the access points, including the delivery area and other points where unauthorized persons may enter the office place, are controlled, isolated from the information processing facility and protected from unauthorized access; the detection analysis of the device placement and protection includes: detecting and analyzing whether equipment is installed and protected, whether environmental threats and hazards are 
reduced or avoided, and whether unauthorized access is reduced or avoided; the detection analysis of the supporting facilities comprises: detecting and analyzing whether the equipment is protected against power failure or interruption caused by the failure of the supporting facilities; the detection and analysis of the cabling safety comprises the following steps: detecting and analyzing whether the power and communication cables for transmitting data or supporting information services are protected and whether they are protected from interception or damage; the detection analysis of the equipment maintenance comprises: detecting and analyzing whether the equipment is correctly maintained and whether the continuous availability and integrity of the equipment are ensured; the detection analysis of the movement of assets includes: detecting and analyzing whether equipment, information and software are prevented from being taken out of the organization without prior authorization; the detection and analysis of the off-site equipment and asset security comprises: detecting and analyzing whether safety measures are adopted for assets outside the organization site, and whether the different risks of working outside the organization site are considered; the detection analysis of the safe disposal or reuse of equipment comprises: detecting and analyzing whether all items of equipment containing storage media are checked, and whether it is ensured that any sensitive information and licensed software have been securely deleted or overwritten before disposal; the detection and analysis of the unattended user equipment comprises: detecting and analyzing whether unattended user equipment is protected; the detection and analysis of the clear desk and clear screen strategy comprises the following steps: detecting and analyzing whether a strategy of clearing files and removable storage media 
on a desktop and a screen strategy of emptying an information processing facility are adopted or not; the detection analysis of the middleware user name and password management comprises the following steps: detecting and analyzing user permission setting, password strategy setting and management of redundant account numbers; the detection analysis of the middleware security audit comprises the following steps: checking, analyzing and auditing a login log and an operation log; the detection and analysis of the intrusion prevention strategy of the middleware comprises the following steps: detecting and analyzing SSL protection opening, default port modification and application server Socket quantity limitation.
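Several of the application and middleware detection items in claim 8 (session identifier in a query string or on an unencrypted channel, session cookie protection, strength of the enforced password policy and second factor, custom or short-key encryption, SSL enablement, default port modification and socket limits on the application server, and plaintext secrets in configuration) can be turned into automated checks. The block below is an added Python example written for this page; it is not code from the patent or from the applicant. The session parameter names, the approved-cipher table with minimum key lengths, the default port list, the 12-character minimum and the `ENC(` / `${` markers treated as non-plaintext are all assumed for illustration, and every input is constructed.

```python
"""Automated checks for some application / middleware detection items of claim 8.
Added example, not from the patent. Names, thresholds and inputs are assumed."""
import re
from urllib.parse import parse_qs, urlsplit

SESSION_PARAM_NAMES = {"sessionid", "jsessionid", "phpsessid", "sid"}   # assumed
APPROVED_CIPHERS = {"AES": 128, "ChaCha20": 256}   # assumed policy: algorithm -> min key bits
MIDDLEWARE_DEFAULT_PORTS = {8080, 8443, 7001}      # assumed vendor defaults
# A password value is plaintext unless it is wrapped as ENC(...) or is a ${VAR} reference.
PLAINTEXT_SECRET = re.compile(r"(?i)\b(password|pwd)=(?!ENC\(|\$\{)[^;]+")


def audit_request_url(url: str) -> list:
    """Session items: identifier exchanged over an unencrypted channel or in the query string."""
    findings, parts = [], urlsplit(url)
    if parts.scheme.lower() != "https":
        findings.append("session: identifier exchanged over unencrypted channel")
    if {k.lower() for k in parse_qs(parts.query)} & SESSION_PARAM_NAMES:
        findings.append("session: session identifier located in query string")
    return findings


def audit_set_cookie(header_value: str) -> list:
    """A session cookie must stay off plaintext links (Secure), away from script
    (HttpOnly) and off cross-site requests (SameSite); other cookies are ignored."""
    attrs = [p.strip().lower() for p in header_value.split(";")]
    name = attrs[0].split("=", 1)[0]
    if name not in SESSION_PARAM_NAMES:
        return []
    findings = []
    if "secure" not in attrs:
        findings.append(f"session: cookie {name} lacks Secure")
    if "httponly" not in attrs:
        findings.append(f"session: cookie {name} lacks HttpOnly")
    if not any(a.startswith("samesite=") for a in attrs):
        findings.append(f"session: cookie {name} lacks SameSite")
    return findings


def audit_password_policy(policy: dict) -> list:
    """Identity items: strong password enforced, lockout configured, second factor present."""
    findings = []
    if policy.get("min_length", 0) < 12:
        findings.append("auth: minimum password length below 12")
    if not policy.get("require_complexity", False):
        findings.append("auth: password complexity not enforced")
    if policy.get("lockout_threshold", 0) <= 0:
        findings.append("auth: account lockout not configured")
    if not policy.get("second_factor", False):
        findings.append("auth: no second authentication factor")
    return findings


def audit_crypto(cfg: dict) -> list:
    """Encryption items: custom or unapproved algorithm, key too short, no rotation period."""
    findings, alg = [], cfg.get("algorithm", "")
    if cfg.get("custom", False) or alg not in APPROVED_CIPHERS:
        findings.append(f"crypto: algorithm {alg or '<none>'} is not an approved standard cipher")
    elif cfg.get("key_bits", 0) < APPROVED_CIPHERS[alg]:
        findings.append(f"crypto: {alg} key of {cfg.get('key_bits', 0)} bits too short")
    if cfg.get("rotation_days") is None:
        findings.append("crypto: no key rotation period defined")
    return findings


def audit_middleware(cfg: dict) -> list:
    """Middleware items: SSL enabled, default port changed, socket count limited;
    configuration item: no plaintext password in the connection string."""
    findings = []
    if not cfg.get("ssl_enabled", False):
        findings.append("middleware: SSL protection not enabled")
    if cfg.get("port") in MIDDLEWARE_DEFAULT_PORTS:
        findings.append(f"middleware: default port {cfg['port']} not changed")
    if not cfg.get("max_sockets"):
        findings.append("middleware: application server socket count not limited")
    if PLAINTEXT_SECRET.search(cfg.get("connection_string", "")):
        findings.append("config: plaintext password in connection string")
    return findings


def audit_all(url: str, cookies: list, policy: dict, crypto: dict, middleware: dict) -> list:
    findings = audit_request_url(url)
    for header in cookies:
        findings += audit_set_cookie(header)
    return findings + audit_password_policy(policy) + audit_crypto(crypto) + audit_middleware(middleware)


if __name__ == "__main__":
    # Constructed inputs describing a weakly configured deployment.
    for f in audit_all("http://app.example.test/home?sessionid=abc123",
                       ["sessionid=abc123; Path=/", "lang=en; Secure"],
                       {"min_length": 8, "require_complexity": True, "lockout_threshold": 0},
                       {"algorithm": "XOR", "custom": True, "key_bits": 64},
                       {"ssl_enabled": False, "port": 8080, "max_sockets": 0,
                        "connection_string": "Server=db;User Id=app;Password=hunter2;"}):
        print(f)
```

Each function returns its findings as strings so the results can be collected into the evaluation record described in the claims; a deployment that passes every check returns an empty list.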
9. The method of any one of claims 1 to 6, wherein the information collection and analysis comprises: retrieving policy files, rules and regulations and process management records, information system overall description files, information system detailed description files, information system safety protection level grading reports, safety requirement analysis reports, information system safety overall schemes, safety status evaluation reports, information system safety detailed design schemes, user guides, operation steps, network diagrams and configuration management documents, analyzing one or more kinds of data in the basic information, management framework, network and equipment deployment, service types and characteristics, service data, user ranges and user types of the information system, carrying out comprehensive analysis and arrangement, analyzing the industry characteristics, administrative agencies, service ranges, geographic positions, background information, contact modes, organization and management structures, management strategies, department settings, the functions of departments at service operation terminals, positions and responsibilities, the physical environment, the network topology structure, the hardware equipment deployment condition, the range and boundary, the service types and characteristics, the service flow and the service safety protection level, and forming an information system basic condition analysis report; the determining the evaluation object comprises: detecting information of an information system, analyzing the whole unit information system and its related service systems, analyzing and identifying the whole structure of the information system and describing it according to the basic condition analysis report of the information system, wherein the description content comprises an identification of the information system, a physical environment of the information system, 
a network topological structure of the information system and a connection condition of an external boundary of the information system, giving a network topological graph, identifying and describing the boundary of the information system, the description content comprises a boundary connection mode of the information system and other networks for external connection, the boundary connection mode comprises optical fibers, wireless and special lines, equipment for describing the boundary comprises one or more of a firewall, a router and a server, if shared equipment is arranged at the boundary connection position of the information system, the equipment is divided into the information systems with relatively higher grades, and the information systems without regional division are divided and described according to the actual condition of the information system, the description content comprises region division, main service application of each region, service flow, region boundary and connection condition between the regions, the information system nodes are described by taking the regions as clues, computer hardware equipment, network hardware equipment, communication lines and application system software in each region are described, and the connection condition between the nodes is explained, the computer hardware equipment comprises server equipment, client equipment, a printer and a memory, and the network hardware equipment comprises: switches, routers, adapters; the description contents are sorted, an evaluation information system is determined and described, the overall structure is firstly explained on the basis of the network topological structure of the information system in a general and fractional description mode, then the external boundary connection condition and the boundary main equipment are described, and then the network area composition, the service function and the related equipment nodes of the information system are described; analyzing each 
business system, analyzing the importance degree of the business system and related equipment and components thereof, determining an evaluation object, describing according to the class of the business system, wherein the description comprises a network, network equipment, a server, a host and an application system, and describing each class of evaluation object in a list mode, including the area to which the evaluation object belongs, equipment name, application, equipment information and a spot check description; the determining the evaluation index comprises the following steps: obtaining a grading result of the information system according to an information system basic condition analysis report, wherein the grading result comprises a business information safety protection grade and a system service safety protection grade, obtaining the ASG (A system service assurance grade, S business information safety grade and G basic requirement grade) combination condition of safety protection measures which should be taken by the information system, selecting safety requirements of corresponding grades as evaluation indexes according to standards, and comprising three safety requirements of the ASG, respectively describing each business system, wherein the description content comprises the grading result and index selection of the business system; the determining of the evaluation content comprises: determining unidirectional evaluation content and system evaluation content, analyzing an information system basic condition analysis report, an evaluation object of an evaluation scheme, an evaluation index and an evaluation tool access point, combining the evaluation index and the evaluation object, combining the evaluation object with an evaluation method, combining the evaluation indexes on all layers of surfaces to a specific evaluation object and explaining the evaluation method to form an evaluation implementation unit, describing single evaluation implementation work 
content by combining the evaluation index and the evaluation object, compiling corresponding evaluation content according to the evaluation tool access point, wherein the unidirectional evaluation content comprises the evaluation index, the evaluation object, the evaluation method and the evaluation implementation, determining the system evaluation content according to the evaluation method of relevant standards and the actual condition and evaluation experience of the information system, and outputting the single evaluation implementation and system evaluation implementation part of the evaluation scheme; the evaluation instruction development comprises the following steps: according to the access point of the test tool, the single evaluation implementation part and the system evaluation implementation part, describing a single evaluation object comprising the name, the IP address, the application and the manager of the evaluation object, determining evaluation activities comprising evaluation items, an evaluation method, operation steps and expected results according to the single evaluation implementation part and the system evaluation implementation part, and outputting an evaluation instruction book of an evaluation scheme; the evaluation item refers to the requirement of an evaluation object in a use case in the standard, and the evaluation method comprises the following steps: one or more of interviews, document retrieval viewing, configuration inspection, tool testing, field inspection viewing; each evaluation item corresponds to one or more evaluation methods; the operating steps include evaluating commands or steps executed in the activity, describing the testing equipment and the requirements of the tool including the model, specification and version of the tool if the tool is tested; the expected result comprises a result obtained under normal conditions according to the operation steps and obtained evidence; the compiling and evaluating scheme 
comprises the following steps: extracting a project source, the overall information construction condition of a unit where the information system is located and the connection condition between the information system and other systems of the unit according to the entrusted evaluation protocol and the basic condition analysis report of the information system, listing a standard according to which evaluation activities are carried out according to the level evaluation implementation requirement in the level protection process, estimating evaluation workload according to the entrusted evaluation protocol and the condition of the information system, and estimating according to the number of nodes to be detected and access points and test contents of tool test; compiling a specific evaluation plan according to evaluation experience and the scale of the information system, wherein the evaluation plan comprises personnel division and time arrangement, the evaluation avoids the business peak time of the information system, an evaluation scheme initial draft is formed according to the contents and the contents acquired by the tasks of the scheme compiling activities, and the evaluation scheme is output after evaluation and confirmation; the preparation evaluation implementation comprises: confirming that resources required by the evaluation comprise cooperation personnel and evaluation conditions, and updating an evaluation plan or an evaluation program according to requirements; the field assessment and outcome records include: checking whether a system, a strategy and an operation procedure which are required to be provided and specified by a standard are complete or not, checking whether a complete system execution condition record exists or not, wherein the complete system execution condition record comprises a machine room in-out registration record, an electronic record and a use registration record of key equipment of a high-level system, auditing and analyzing a 
document, and checking the integrity of the document and the internal consistency of the document; checking whether the configurations of the application system, the host system, the database system and the network equipment are correct according to the evaluation result record, whether the configurations are consistent with the documents, the related equipment and the components, and verifying the document audit content, including log audit; if the system receives an invalid command and cannot complete the configuration check, carrying out an error test; verifying the connection rules for the network connection; testing the system according to the evaluation scheme, wherein the testing comprises vulnerability scanning based on network detection and host audit, website vulnerability scanning, database vulnerability scanning, penetration testing, performance testing, intrusion detection and protocol analysis; according to the actual condition of the information system, judging the safety consciousness of personnel, service operation, the management program and the safety condition of the system physical environment according to the behavior of the personnel, the technical facilities and the physical environment state, judging whether the evaluation meets the safety requirement of the corresponding grade, recording the evaluation result of the management safety evaluation, recording the evaluation results of the network, host and application parts of the technical safety evaluation, and recording the physical safety evaluation result of the technical safety evaluation and the test result after tool evaluation; the result validation and data reduction comprises: summarizing the evaluation record, summarizing the problems, evidence and evidence sources found in the evaluation, supplementing the contents which were missed and need to be further verified, and recording the summary, the evidence and the evidence sources of the problems found in the evaluation; the single evaluation 
result judgment comprises the following steps: detecting each evaluation item, if the evaluation item is a suitable item, comparing a plurality of evaluation results actually obtained in the evaluation implementation with expected evaluation results, respectively judging the conformity between each evaluation result and the expected result, obtaining the evaluation result of the evaluation implementation corresponding to each evaluation item, and judging whether the evaluation results are in conformity or not; comprehensively judging the evaluation results of the evaluation items according to the judgment conditions of all the evaluation results, judging the evaluation results to be in line with, partially in line with or not in line with, and outputting single evaluation records and results; the single evaluation result summary analysis comprises the following steps: respectively summarizing the single evaluation results of the corresponding evaluation indexes of different evaluation objects according to the levels, wherein the single evaluation results comprise the number of evaluation items and the number of items meeting the requirements; the overall evaluation comprises: aiming at the single evaluation item which is not or partially conformed to the evaluation object, analyzing whether other safety control related to the evaluation can generate an association relation with the single evaluation item and what association relation can be generated, and whether the effect generated by the association relation can make up the deficiency of the evaluation item; analyzing whether the other evaluation objects on other layers related to the evaluation item can generate an association relationship with the evaluation object and what association relationship occurs, and whether the effects generated by the association relationships can make up the deficiency of the evaluation item; analyzing whether other evaluation objects in other areas related to the evaluation item 
can generate incidence relation with the evaluation item, what incidence relation occurs, and whether the effects generated by the incidence relation can make up the deficiency of the evaluation item; the safety of the whole structure of the information system is analyzed from the safety angle, and the rationality of the whole safety precaution of the information system is analyzed from the system angle; outputting the overall evaluation result of the information system; the forming a safety assessment conclusion comprises: combining the single evaluation result and the overall evaluation result to summarize and analyze the single evaluation results of each evaluation object in the physical safety, the host safety and the application safety level again, and counting the conforming conditions; analyzing potential safety hazards and existing reasons brought to the information system by the unqualified evaluation items, and judging the influence on the integral protection capability of the information system; the result of the summary analysis is carried out according to the single evaluation result, if the evaluation item which does not meet the requirement exists, the information system is judged to not meet the basic safety protection capability of the corresponding grade, and if all the evaluation items meet the requirement, the information system is judged to meet the basic safety protection capability of the corresponding grade; outputting a grade evaluation conclusion; the compiling of the assessment report comprises: an improvement suggestion is provided from the system safety perspective aiming at the potential safety hazard of the information system, an evaluation report is compiled according to an evaluation scheme, single evaluation records and results, single evaluation result summary analysis, an overall evaluation structure and a grade evaluation conclusion, corresponding evaluation reports are formed according to the number of the information systems, 
and a document list and single evaluation records of evaluation and the judgment condition of the single evaluation result of each evaluation item are provided; the evaluation report is evaluated and confirmed according to the evaluation protocol, the related documents, the evaluation original record and the auxiliary information, and an information system grade evaluation report is output; the security policy includes: draft design, review, implementation, training, deployment, monitoring, reinforcement, reevaluation and revision, and the timeliness and effectiveness of the safety strategy are ensured through management; the security technology system is the basis of an information system framework and comprises the following steps: the method comprises the steps that a comprehensive management platform for network security, host security, terminal security, application security, data security and security is provided, a complete security technology protection system with each part coordinated is established by taking a security strategy as guidance and starting from network security protection, host system security protection, application security protection, terminal security protection and data security protection in a multi-level mode; the security organization and management system is based on an overall security policy and interworks with the security technology system; the operation guarantee system comprises: safe operation and maintenance management, daily operation guarantee, safe emergency response and data system backup; the safety operation and maintenance management comprises the following steps: network security operation and maintenance management, host security operation and maintenance management and application security operation and maintenance management; the network security operation and maintenance management comprises the following steps: the method comprises the steps of carrying out unified operation authentication, authorization and 
audit across the whole network of the network system, performing equipment maintenance operation authentication for the network system with a dynamic password, transmitting operation commands in encrypted form, allowing only authorized users to maintain and manage the network equipment, setting at least two levels of equipment operation authority for the equipment administrators of the network system, configured per operation command, forbidding management and maintenance operations that exceed the authority, and executing only authorized operations; the operation and maintenance operations of the network system are audited, and the audit content comprises: operation commands, operators and operation time, to ensure that authorized users perform authorized operations; the host security operation and maintenance management comprises: unified operation authentication, authorization and audit for the host system; the application security operation and maintenance management comprises: unified operation authentication, authorization and audit for the application system; the data system backup comprises: formulating a backup policy and recovery targets according to the data backup requirements, the importance of the service system and the recovery cost; periodically backing up server data, including the operating system, databases and files, according to the backup policy; storing the system's data backup media off-site according to the importance of the data, where the off-site backup data at least comprises the original data of all service systems and the static data necessary to recover the system; supporting data recovery on multiple platforms, and rapidly recovering the whole system from disaster recovery tapes; the recovery targets include: the tolerable amount of data loss and the tolerable system recovery
time; the physical security assessment comprises: evaluating the physical security settings corresponding to the information system, including the selection of the physical location, physical access control, theft and damage prevention, lightning protection, fire prevention, water and moisture prevention, static electricity prevention, temperature and humidity control, power supply and electromagnetic protection configuration; the network security assessment comprises: router/switch evaluation, anti-virus system evaluation, host system security evaluation, application security evaluation and data security evaluation; the router/switch evaluation comprises: evaluating the important operations the router/switch handles, including security domain and network segment division of the evaluated structure, network access control, network security audit, boundary integrity check and network equipment protection configuration; the anti-virus system assessment comprises: evaluating the important operations the anti-virus system handles, including security and network segment division of the evaluated structure, network security audit, network current prevention, malicious code prevention and network equipment protection configuration; the host system security evaluation comprises: evaluating the important operations the operating system handles, including the use of tokens, account authentication, password management, login restriction, identity identification and authentication, access control of subjects and objects, user authorization, security audit, alarms, monitoring, system protection, malicious code protection, residual information protection and resource control configuration; the operating system includes: Windows systems and LINUX operating systems; the evaluation of the Windows system comprises evaluating whether the
account and the password are set with sufficient strength, the selection or setting of the account, the selection, composition and setting of the password, the password life cycle, whether desktop application software has a legitimate source, whether a screen saver is set, the security settings of the registry, the SMP (Symmetric Multi-Processor) service and the RPC (Remote Procedure Call) service, the installation of the latest security patches and antivirus software, and the allocation of system resources; the evaluation of the LINUX operating system comprises: evaluating the important operations of the operating system, including the use of tokens, account authentication, password management, login restriction, identity identification and authentication, access control of subjects and objects, user authorization, security audit, alarms, monitoring, system protection, malicious code protection, residual information protection, resource control, the supported version, local buffer overflow vulnerabilities, installation of the latest security patches, whether unrelated services are in the off state, account passwords, the root PATH environment variable, trust relationships with other hosts, and the hardened TCP/IP protocol stack configuration of the system; the application security assessment comprises: checking and evaluating the identity identification and authentication of the application system, access control of subjects and objects, user authorization, security audit, residual information protection and resource control; the data security assessment comprises: checking the data integrity, data confidentiality and data backup of the application system; the operating system hardening includes: enabling the operating system password policy, forcing passwords to meet complexity requirements and to be changed periodically, establishing an independent account for each administrator, modifying the default remote operation and
maintenance port, applying single-user-level control to the administrator remote login address, setting an illegal login policy and setting an audit policy; setting an important file permission control policy and deleting unnecessary default shares; disabling unnecessary services and ports, updating system vulnerability patches, and renaming the system default account; assigning permissions according to the role of the management user, separating the permissions of management users, and granting the minimum permissions a management user requires; separating the permissions of privileged users of the operating system and the database system, restricting terminal login according to actual conditions, limiting the maximum or minimum use limit of a single user on system resources, detecting the service level of the system, alarming if the service level of the system drops to a preset minimum value, setting forced shutdown from a remote system, setting the taking of ownership of files or objects, setting logon to the computer locally, setting access to the computer from the network, enabling TCP/IP filtering, enabling the system firewall, enabling SYN attack protection, enabling the screen saver, setting the idle time before a Microsoft network server suspends a session, closing services, modifying SNMP service passwords, disabling invalid startup items and disabling the Windows AutoPlay function; the network/security device hardening comprises: renaming the default accounts of the network equipment and the security equipment, setting a longer password length and a stronger password policy, setting an independent user account for each equipment administrator while applying single-user-level control to the remote login address, disabling telnet, setting bandwidth allocation priority levels, configuring port-level access control, setting application layer filtering, setting network flow control, setting a login failure handling policy, and adjusting and planning the
network topology environment, using a secure remote management login mode including SSH (Secure Shell); the database hardening comprises: checking the current configuration of the database, hardening accounts, authorization, passwords, logs, policies and patches respectively, assigning different accounts to different administrators, deleting or locking invalid accounts, restricting remote login of super administrators, minimizing permissions, constraining the length and complexity of default passwords, limiting the lifetime of default passwords, restricting password reuse, enabling the logging function, recording user operations on the equipment, recording system security events and database audit policies; the establishment and perfection of the information security management system comprises the following steps: according to the standard requirements, establishing a sound security management system meeting the corresponding grade requirements and implementing it, wherein the establishment and perfection of the information security management system further comprises: implementing information security responsibility, establishing an information security work leadership group and an information security management department or information security responsibility unit, defining information security work, determining security posts and implementing personnel, and defining the leadership mechanism, responsible department and personnel information security responsibilities; implementing a personnel security management system, formulating a management system for personnel hiring, departure, assessment and education and training, implementing the specific measures of the management system, and performing security examination, training, assessment and security confidentiality education on personnel in security posts; implementing a system construction management system, establishing an
information system level-setting record, scheme design, product purchase use, password use, software development, engineering implementation, acceptance and delivery, level evaluation and a safety service management system, and determining work content, a work method, a work flow and work requirements; the method comprises the steps of implementing a system operation and maintenance management system, establishing a computer room environment safety, storage medium safety, equipment and facility safety, safety monitoring, network safety, system safety, malicious code prevention, password protection, backup and recovery and event handling management system, formulating an emergency plan and performing drilling regularly.
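The single evaluation result judgment, per-level summary and grade conclusion described in the claim above can be modelled as a small aggregation routine. The following is an added example, not code from the patent: the data model, level names and sample items are constructed for illustration, and the `compensated` set stands in for the outcome of the overall evaluation (non-conforming or partially conforming items whose deficiency other controls are judged to make up for).

```python
"""Judgement of single evaluation results, per-level summary and grade conclusion.

Added example, not code from the patent. The data model and the sample items
are constructed; 'compensated' models the result of the overall evaluation.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

CONFORM, PARTIAL, NONCONFORM = "conform", "partial", "nonconform"


@dataclass
class EvaluationItem:
    item_id: str
    level: str               # physical / host / application ... (assumed level names)
    evaluation_object: str
    expected: List[str]      # expected evaluation results, one per checked point
    actual: List[str]        # results actually obtained during evaluation implementation
    applicable: bool = True  # non-applicable items are skipped


def judge_item(item: EvaluationItem) -> str:
    """Compare each actual result with the expected one and classify the item."""
    if len(item.expected) != len(item.actual):
        raise ValueError(f"{item.item_id}: expected/actual result counts differ")
    matches = [a == e for a, e in zip(item.actual, item.expected)]
    if all(matches):
        return CONFORM
    return PARTIAL if any(matches) else NONCONFORM


def single_evaluation_records(items: Iterable[EvaluationItem]) -> Dict[str, str]:
    """Single evaluation records: item id -> judgement, applicable items only."""
    return {it.item_id: judge_item(it) for it in items if it.applicable}


def summarize_by_level(items: Iterable[EvaluationItem],
                       records: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Per level: number of evaluation items and number meeting the requirement."""
    summary: Dict[str, Dict[str, int]] = {}
    for it in items:
        if it.item_id not in records:
            continue
        entry = summary.setdefault(it.level, {"items": 0, "conforming": 0})
        entry["items"] += 1
        entry["conforming"] += records[it.item_id] == CONFORM
    return summary


def grade_conclusion(records: Dict[str, str],
                     compensated: Set[str] = frozenset()) -> Dict[str, object]:
    """Any unmet item that is not compensated means the grade is not met."""
    unmet = sorted(i for i, r in records.items()
                   if r != CONFORM and i not in compensated)
    return {"meets_grade": not unmet, "unmet_items": unmet}


# Constructed sample items (not from the patent)
SAMPLE_ITEMS = [
    EvaluationItem("P1", "physical", "server room", ["present", "present"], ["present", "present"]),
    EvaluationItem("H1", "host", "db-srv-01", ["enabled", "90d"], ["enabled", "never"]),
    EvaluationItem("A1", "application", "portal", ["enabled"], ["disabled"]),
    EvaluationItem("A2", "application", "portal", ["n/a"], ["n/a"], applicable=False),
]

if __name__ == "__main__":
    recs = single_evaluation_records(SAMPLE_ITEMS)
    print(recs)
    print(summarize_by_level(SAMPLE_ITEMS, recs))
    print(grade_conclusion(recs, {"H1"}))
```

With the sample items, H1 is judged partially conforming and A1 non-conforming, so the grade is not met unless the overall evaluation records both as compensated; A2 is not applicable and never enters the summary.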
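The network security operation and maintenance management in the claim above calls for dynamic-password authentication of maintenance operations, at least two equipment operation authority levels mapped to operation commands, and an audit of every operation recording the command, the operator and the time. The following added example (not code from the patent) puts those three controls together; HOTP per RFC 4226 is used here as one realization of "dynamic password", the command table, user names and secrets are constructed sample data, and encrypted transmission of the command (for example over SSH) is assumed to happen outside this code.

```python
"""Operation authentication, authorization and audit for network device O&M.

Added example, not code from the patent. HOTP (RFC 4226) stands in for the
dynamic password; the command/authority table and users are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List

LEVELS = {"operator": 1, "administrator": 2}   # two equipment operation authority levels
COMMAND_LEVEL = {                               # required level per operation command (assumed table)
    "show interfaces": 1,
    "show running-config": 1,
    "configure terminal": 2,
    "reload": 2,
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class User:
    level: str
    secret: bytes
    counter: int = 0          # next expected HOTP counter


@dataclass
class AuditRecord:
    timestamp: str
    operator: str
    command: str
    decision: str             # executed / denied / auth-failed


@dataclass
class OpsGateway:
    users: Dict[str, User]
    look_ahead: int = 5
    audit_log: List[AuditRecord] = field(default_factory=list)

    def authenticate(self, name: str, code: str) -> bool:
        """Accept a one-time code within the look-ahead window; never accept it twice."""
        user = self.users.get(name)
        if user is None:
            return False
        for c in range(user.counter, user.counter + self.look_ahead):
            if hmac.compare_digest(hotp(user.secret, c), code):
                user.counter = c + 1   # consume this code and any skipped ones
                return True
        return False

    def authorize(self, name: str, command: str) -> bool:
        """Only commands at or below the user's authority level are allowed."""
        required = COMMAND_LEVEL.get(command)
        if required is None:           # unknown commands are never authorized
            return False
        return LEVELS[self.users[name].level] >= required

    def execute(self, name: str, code: str, command: str, timestamp: str) -> AuditRecord:
        """Authenticate, then authorize; every attempt is written to the audit log."""
        if not self.authenticate(name, code):
            decision = "auth-failed"
        elif not self.authorize(name, command):
            decision = "denied"
        else:
            decision = "executed"      # a real gateway would forward the command here
        record = AuditRecord(timestamp, name, command, decision)
        self.audit_log.append(record)
        return record


def build_demo_gateway() -> OpsGateway:
    # RFC 4226 test secret, shared by both sample users only for the demo;
    # a real deployment issues a separate secret per administrator
    secret = b"12345678901234567890"
    return OpsGateway({"alice": User("operator", secret),
                       "bob": User("administrator", secret)})


if __name__ == "__main__":
    gw = build_demo_gateway()
    gw.execute("alice", hotp(b"12345678901234567890", 0), "show interfaces", "2022-04-12T10:00:00Z")
    gw.execute("alice", hotp(b"12345678901234567890", 1), "reload", "2022-04-12T10:01:00Z")
    for r in gw.audit_log:
        print(r)
```

The audit log keeps the denied and failed attempts as well as the executed ones, which is what makes it possible to verify afterwards that only authorized users performed authorized operations; a consumed one-time code is rejected on reuse because the counter has already moved past it.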
10. An entity-based network security system, comprising: a vulnerability scanning module: determining a scheme, configuring a policy, backing up the system, performing scanning, analyzing the results, scanning again, repairing vulnerabilities and performing a secondary recheck scan; detecting potential security hazards and vulnerabilities of any one or more of network protocols, network services and network equipment according to a security vulnerability knowledge base, analyzing and identifying vulnerabilities that an intruder could use to illegally enter the network or illegally obtain information assets; reminding that when a host scanning command is received or host scanning is performed, a data backup of the host is made first; if the server is a dual-machine hot standby system, scanning only one of the hosts in a single scanning session; adjusting the scanning object policy for hosts or network equipment with special requirements, adopting a single-host scanning mode for a given system, scanning one IP at a time and scanning the next IP after the previous scan finishes, and adjusting the scanning time of equipment that scans the production network segment to a time period that does not affect the service;
a baseline check module: collecting login information of network equipment, safety equipment, an operating system, a database and middleware in a target information system, checking equipment configuration by logging in the target equipment, recording configuration information, performing configuration safety analysis, logging in the network equipment, the safety equipment, the operating system, the database and the middleware one by one according to the collected login information, testing the accuracy of login information collection and the permission condition of providing an account number, analyzing whether all safety configuration check contents can be covered or not, and forming a baseline check report;
the network and security equipment checking module: checking the rationality of equipment management, account management, authentication and authorization, login modes, log audit, service port optimization, security protection and security policies, comprising an operating system checking unit, a database checking unit, and a Web server and middleware checking unit;
the full-flow threat analysis module: utilizing threat data information and collected whole network flow to analyze, detecting an internal collapse host, external attack, internal violation and internal risk, analyzing, researching and judging events, tracing, and analyzing asset information and related statistical data in the current network; an intranet asset discovery module: combing the host assets and WEB servers of the intranet information system, and dynamically managing the whole life cycle of the accounts of the intranet assets, comprising: the system comprises a host asset service discovery unit, a Web service discovery unit and an asset visualization display unit;
an emergency response module: monitoring security problems in a service system, tracing internet level attacks through big data analysis, analyzing reasons of security events, tracing event sources, classifying the security events, defending attacks through big data analysis and security threat information, finding unknown dangerous network behaviors and positioning attack sources; the emergency drilling module: analyzing and judging, if judging as suspected computer virus outbreak event, judging whether the system problem exists, if the system problem exists, starting a system emergency plan, if the system problem does not exist, judging whether the system problem exists, executing a notification process, if the system problem does not exist, judging whether the system emergency plan has network transmission, if the system problem exists, judging whether the infected host needs to be isolated, if the host needs to be isolated, disconnecting the network connection, starting the system emergency plan, judging whether the antivirus measure needs to be executed, if the system emergency plan does not need to be isolated, directly judging whether the antivirus measure needs to be executed, if the system data needs to be executed, judging whether the system data can be damaged, if the system is damaged, executing the antivirus measure after system backup, if the system is not damaged, directly executing the antivirus measure, after the execution, judging whether the virus is cleaned completely, if the virus is judged not to need to make antivirus measures, directly judging whether the virus is cleaned completely, if the virus is judged to be cleaned completely, recovering the network connection of the isolated host, and executing a reporting process; if the virus still exists after the antivirus measure is executed, continuing to execute a new virus searching and killing measure until the virus is cleaned up;
The penetration test module includes: a Web penetration testing unit and an advanced penetration testing unit; the Web penetration test unit: simulating a real security attack and discovering potential ways for a hacker to invade an information system, comprising: information collection, remote overflow, password guessing, local overflow, enterprise user side attack, man-in-the-middle attack, Web script and application testing; the advanced penetration test unit includes: combining with the best information security practice, simulating targeted striking, taking the Internet-side assets or the internal untrusted/semi-trusted areas as penetration inlets, simulating hacker intranet attack to obtain the intranet highest authority or sensitive data for further penetration test, wherein the method comprises the steps of evaluating the external asset condition, searching an intranet access point, utilizing available intranet access points existing in the Internet assets, and deploying a springboard to perform intranet penetration on an internal network;
the safe operation and maintenance module comprises: a daily safety operation and maintenance unit, an important moment safety guarantee unit and a periodic safety inspection unit; the daily safety operation and maintenance unit comprises: optimizing a safety strategy, operating and maintaining a safety product and evaluating safety; the security policy optimization: whether the security control strategy plays a role or not and whether the security control strategy is reasonably checked and improved or not comprises the following steps: researching, making a scheme, optimizing a strategy and outputting a report; the operation and maintenance of the safety product comprises the following steps: monitoring equipment operation safety, auditing equipment operation safety, and updating equipment and strategy backup; the security assessment comprises: the security scanning evaluation is used for discovering security vulnerabilities existing in an information system in time, conducting vulnerability correction on Windows, Linux servers and security equipment, conducting security scanning on information assets in a non-service peak period according to application and in combination with a security vulnerability knowledge base, without using a scanning mode containing a denial of service type, stopping scanning immediately if a scanning system does not respond in the scanning process, analyzing the situation and determining reasons, restoring the system, and conducting scanning after adjusting a scanning strategy; the important moment safety guarantee unit comprises: actively detecting assets exposed by a user on an external network before a major holiday to form an asset list, carrying out accurate vulnerability scanning according to asset discovery results, comprehensively checking specific vulnerabilities, notifying major security events of one or more conditions including high-risk system vulnerabilities, high-risk worm viruses, severe invasion and attack, providing one 
or more information of event types, influence ranges, solutions and prevention schemes, carrying out comprehensive security inspection and security reinforcement on a major system, retesting security reinforcement results, and confirming that security problems are timely and effectively repaired; in holidays, real-time alarm monitoring and log analysis are carried out on a firewall, a Web application firewall, an IDS/IPS, load balancing, a webpage tamper-proofing system and a network security audit system, anti-virus software and checking and killing records are monitored, states of an application system and a database system and a service platform are monitored and log analysis are carried out, investigation and analysis are carried out in time if one or more accidents in the attack or invasion are found, accident sources and reasons are traced and analyzed, a solution is provided according to the investigation reasons and the accident conditions, and accidents, accident analysis, solution and tracing schemes are recorded; the periodic safety inspection unit comprises: periodic safety product inspection and periodic safety strategy optimization suggestions;
The risk assessment module includes: a network security evaluation unit, a host security evaluation unit, an application security evaluation unit, a terminal security evaluation unit, a data security evaluation unit, a physical security evaluation unit, a middleware security evaluation unit and a management security evaluation unit; the network security evaluation unit comprises: analyzing the organization's network topology architecture, security domain planning, VLAN division, network equipment configuration, security equipment configuration and security protection measures, and performing security evaluation on the physical network structure, the logical network structure and the network equipment to find security and network load problems of the network structure and security and attack resistance problems of the network equipment, evaluate the current security situation of the network and find problems of security, rationality and use efficiency; the host security evaluation unit includes: analyzing the operating system, accounts, authentication, authorization, network services, system logs, patch upgrades, virus protection and local security policies, discovering security holes and potential security hazards in the system configuration and operation, and analyzing and evaluating according to the service application conditions and the security baseline configuration, wherein the analysis and evaluation covers identity authentication, access control, security audit, intrusion prevention, malicious code prevention and resource control; the application security evaluation unit comprises: performing security evaluation on the application system according to its accounts, authentication, authorization, audit, performance resources, backup and recovery and penetration testing; detecting and analyzing input validation, identity verification, authorization, configuration management, sensitive data, session management, encryption
technology, exception management, audit and logging, and habitual problems, and searching for security vulnerabilities and potential security hazards of the application system; the terminal security evaluation unit includes: checking patches, account passwords, network services, virus protection and local security policies, evaluating the security condition of the terminal according to patch upgrades, virus protection, account passwords, network services and local security policies, and searching for security holes and potential security hazards of the terminal; the data security evaluation unit comprises: detecting and analyzing the database's user name and password management, database access control, login authentication mode, data security, security vulnerability inspection, patch management and security audit, evaluating the data security condition mainly according to the confidentiality, integrity and availability of the data, and searching for security vulnerabilities and potential security hazards that may exist in the data layer; the physical security assessment unit includes: detecting and analyzing physical security boundaries and physical access control, detecting and analyzing the security protection of offices, rooms and facilities, detecting and analyzing the security protection against external and environmental threats, work control in security areas, delivery and loading areas, equipment placement and protection, supporting equipment, cable laying security, equipment maintenance, asset movement, off-site equipment and asset security, secure disposal or reuse of equipment, unattended user equipment, and clear desk and clear screen policies, and evaluating the security of the network machine room according to the physical environment, access
control, power supply, cable laying, equipment placement, label specification and machine room system of the machine room; the middleware security evaluation unit includes: detecting and analyzing a middleware user name and password management, middleware security audit, login authentication mode, communication confidentiality, resource control and an intrusion prevention strategy of the middleware, and evaluating whether the installation deployment and the realization of configuration parameters of the middleware meet the application operation security requirement or not; the management security evaluation unit includes: evaluating the information safety management status according to safety organization, safety system, safety personnel, safety operation and maintenance, safety emergency and safety training, and searching possible potential safety hazards and missing points;
The information system level protection evaluation module comprises a level protection gap evaluation unit, a security assurance system design unit, a level protection evaluation unit and an information system soft remediation unit.

The level protection gap evaluation unit carries out the following process: information collection and analysis; tool and form preparation; determination of the evaluation objects, evaluation indicators, evaluation tool access points and evaluation content; development of evaluation instructions; compilation of the evaluation scheme; preparation for implementing the evaluation; on-site evaluation and recording of results; confirmation of results and return of data; judgment of individual evaluation results; summary analysis of the individual evaluation results; overall evaluation; formation of the security evaluation conclusion; and compilation of the evaluation report.

The security assurance system design unit analyzes the weaknesses and risks of the current network and information system through the information system level protection gap assessment, carries out security remediation, completes the topology design of the corresponding products, implements security technical measures and improves the security management system. Combining the result of the information system level protection gap evaluation with the information security level protection requirements and the actual situation, it formulates an information security system framework comprising a security strategy, a security technology system, an operation assurance system, and a security organization and management system. The security strategy interacts with the other three parts: the security technology system, the operation assurance system and the security organization and management system are constructed under the guidance of the security strategy, and every element formulated in the security strategy is converted into a technical implementation method and a management and operation assurance means, so that the goals set in the security strategy are achieved.

The level protection evaluation unit tests and evaluates the security level protection status of an information system. This includes security control evaluation, which evaluates how the basic security controls required by information security level protection are implemented and configured in the information system, and information system overall evaluation, which evaluates and analyzes the overall security of the information system. The description of the security control evaluation is organized by working unit; a working unit comprises security technology evaluation and security management evaluation. The security technology evaluation covers the technical security controls, and the security management evaluation covers security control evaluation in the areas of security management organization, security management system, personnel security system, system construction management, and system operation and maintenance management.

The information system soft remediation unit analyzes the weaknesses and risks of the current network and information system from the gap evaluation report produced by the level protection gap evaluation, including the weaknesses and risks of the operating system, the database and the network security equipment; checks and hardens the operating system, the database and the network security equipment one by one according to the security configuration hardening standard for each device; and draws up the related risk avoidance measures, namely operating system hardening, network/security equipment hardening, database hardening, and establishment and improvement of the information security management system.

The internet threat detection and active response module provides risk assessment, real-time monitoring, tamper handling and emergency countermeasures for internet services, so that they regain a more secure guarantee. The risk assessment evaluates the exposed surface, vulnerabilities and content security as a baseline, re-checks regularly and continuously, monitors asset changes regularly, and continuously analyzes the risk introduced by newly added assets. The real-time monitoring watches in real time for page tampering, 0-day events, web Trojans, hidden malicious links, DNS and availability security events, and generates reports to notify users in time. The tamper handling rapidly replaces a tampered site through DNS technology. The emergency countermeasure performs cloud-based emergency confrontation to protect sensitive data.
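The risk assessment and real-time monitoring steps of the internet threat detection module, worked through as an added Python example that is not code from the patent or its applicant: a baseline of the exposed surface (internet-facing services) and of page content hashes is recorded, a later scan is diffed against that baseline to surface newly added assets, and the page hashes are re-compared to detect tampering. The `Exposure` record type, the `HIGH_RISK_SERVICES` policy, and every host, port and page body are constructed for the illustration and are not from the page.

```python
"""Exposed-surface baseline, periodic re-check and page-tamper check.

Added illustration of the risk assessment / real-time monitoring steps
described in the patent text; not code from the patent or its applicant.
Hosts, ports, services, page bodies and the high-risk policy are
constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One internet-exposed service found by a scan (hypothetical record type)."""
    host: str
    port: int
    service: str

    def label(self) -> str:
        return f"{self.host}:{self.port}/{self.service}"


@dataclass
class Baseline:
    """Snapshot taken during the initial assessment: exposures plus page hashes."""
    exposures: frozenset
    page_hashes: dict  # url -> sha256 hex digest of the page body


# Constructed policy: services whose direct internet exposure is treated as high risk.
HIGH_RISK_SERVICES = {"mysql", "redis", "rdp", "smb", "telnet"}


def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def build_baseline(exposures, pages) -> Baseline:
    """Record the exposed surface and the hash of every monitored page."""
    return Baseline(frozenset(exposures),
                    {url: sha256_hex(body) for url, body in pages.items()})


def recheck_exposure(baseline: Baseline, current):
    """Diff a fresh scan against the baseline.

    Returns (added, removed, high_risk_added) as sets of Exposure.  Newly
    added assets are what the continuous re-check is meant to surface.
    """
    now = frozenset(current)
    added = now - baseline.exposures
    removed = baseline.exposures - now
    high_risk = {e for e in added if e.service in HIGH_RISK_SERVICES}
    return added, removed, high_risk


def check_tampering(baseline: Baseline, pages):
    """URLs whose current body hash differs from the baseline (or is unknown)."""
    return sorted(url for url, body in pages.items()
                  if baseline.page_hashes.get(url) != sha256_hex(body))


def risk_report(baseline: Baseline, current, pages) -> dict:
    """Combine the exposure diff and the tamper check into one report."""
    added, removed, high_risk = recheck_exposure(baseline, current)
    tampered = check_tampering(baseline, pages)
    return {
        "new_assets": sorted(e.label() for e in added),
        "retired_assets": sorted(e.label() for e in removed),
        "high_risk_new_assets": sorted(e.label() for e in high_risk),
        "tampered_pages": tampered,
        "action_required": bool(high_risk or tampered),
    }


# --- constructed sample data -------------------------------------------------
BASELINE_SCAN = [
    Exposure("www.example.test", 80, "http"),
    Exposure("www.example.test", 443, "https"),
]
BASELINE_PAGES = {
    "https://www.example.test/": b"<html><body><h1>Welcome</h1></body></html>",
}
# A later re-check: a database port has appeared and the home page has changed.
RECHECK_SCAN = BASELINE_SCAN + [Exposure("db.example.test", 3306, "mysql")]
RECHECK_PAGES = {
    "https://www.example.test/":
        b"<html><body><h1>Welcome</h1><!-- unexpected change --></body></html>",
}


def demo() -> dict:
    """Run the re-check against the constructed baseline and return the report."""
    baseline = build_baseline(BASELINE_SCAN, BASELINE_PAGES)
    return risk_report(baseline, RECHECK_SCAN, RECHECK_PAGES)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints a report in which the new `mysql` exposure is listed both as a new asset and as a high-risk new asset, and the home page is listed as tampered, so `action_required` is true; re-running the report with the baseline inputs themselves yields an empty report. A real deployment would replace the constructed scan lists with the output of a port scanner and the page bodies with fetched content, and would re-baseline deliberately after every approved change so that legitimate deployments are not reported as tampering.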

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210379961.2A CN114978584A (en) 2022-04-12 2022-04-12 Network security protection safety method and system based on unit cell


Publications (1)

Publication Number Publication Date
CN114978584A true CN114978584A (en) 2022-08-30

Family

ID=82978474

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210379961.2A Pending CN114978584A (en) 2022-04-12 2022-04-12 Network security protection safety method and system based on unit cell

Country Status (1)

Country Link
CN (1) CN114978584A (en)

Cited By (39)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115270140A (en) * 2022-09-21 2022-11-01 南通富力荣科技发展有限公司 Software security vulnerability management method and system
CN115296936A (en) * 2022-10-08 2022-11-04 四川安洵信息技术有限公司 Automatic method and system for assisting detection of anti-network crime
CN115310090A (en) * 2022-10-08 2022-11-08 江苏安几科技有限公司 Terminal reliability dynamic detection system
CN115378744A (en) * 2022-10-25 2022-11-22 天津丈八网络安全科技有限公司 Network security test evaluation system and method
CN115514583A (en) * 2022-11-21 2022-12-23 北京长亭未来科技有限公司 Flow acquisition and blocking method, system, equipment and storage medium
CN115514675A (en) * 2022-09-19 2022-12-23 北京威努特技术有限公司 Automatic checking method and device for network architecture compliance
CN115563605A (en) * 2022-11-10 2023-01-03 北京顶象技术有限公司 Method and system for updating verification code based on security cloud
CN115577206A (en) * 2022-12-06 2023-01-06 广东新禾道信息科技有限公司 House transaction web tag data processing method and system based on Internet
CN115630355A (en) * 2022-10-31 2023-01-20 鼎铉商用密码测评技术(深圳)有限公司 Security evaluation method and device for cryptographic module and storage medium
CN115694912A (en) * 2022-09-30 2023-02-03 郑州云智信安安全技术有限公司 Method for calculating network asset safety index
CN115907519A (en) * 2022-11-03 2023-04-04 北京卓识网安技术股份有限公司 Information security compliance detection method and system
CN115941326A (en) * 2022-12-07 2023-04-07 贵州电网有限责任公司 Background monitor reinforcement method
CN116032574A (en) * 2022-12-16 2023-04-28 深圳市网安信科技有限公司 Intelligent safe operation and maintenance monitoring data processing system
CN116074113A (en) * 2023-03-06 2023-05-05 成都市以太节点科技有限公司 Security protection method, device and storage medium based on business process constraint
CN116089965A (en) * 2023-04-10 2023-05-09 南京信息工程大学 Information security emergency management system and method based on SOD risk model
CN116208432A (en) * 2023-05-05 2023-06-02 北京安普诺信息技术有限公司 Web application security probe management method, system, electronic equipment and storage medium
CN116232774A (en) * 2023-05-09 2023-06-06 天津丈八网络安全科技有限公司 Network path analysis system and method for network security anomaly detection
CN116232768A (en) * 2023-05-08 2023-06-06 汉兴同衡科技集团有限公司 Information security assessment method, system, electronic equipment and storage medium
CN116232770A (en) * 2023-05-08 2023-06-06 中国石油大学(华东) Enterprise network safety protection system and method based on SDN controller
US11683230B1 (en) * 2022-03-31 2023-06-20 Lenovo Global Technology (United States) Inc. Applying a feature on demand upgrade responsive to measured utilization
CN116318783A (en) * 2022-12-05 2023-06-23 浙江大学 Network industrial control equipment safety monitoring method and device based on safety index
CN116318761A (en) * 2022-09-09 2023-06-23 广州天懋信息系统股份有限公司 Multi-step real-time control link detection method and system based on big data analysis
CN116488939A (en) * 2023-06-16 2023-07-25 江西科技学院 Computer information security monitoring method, system and storage medium
CN116708028A (en) * 2023-08-04 2023-09-05 北京天云海数技术有限公司 External attack surface management method and system based on attacker view angle
CN116739568A (en) * 2023-08-14 2023-09-12 北京绿色苹果技术有限公司 Intelligent network operation and maintenance service detection method, system and medium based on big data
CN116800548A (en) * 2023-08-28 2023-09-22 北京天云海数技术有限公司 Intelligent report generation method and system based on automation against simulation attack
CN116822804A (en) * 2023-08-29 2023-09-29 合肥天帷信息安全技术有限公司 Digital asset management analysis method, device and medium
CN116896481A (en) * 2023-09-06 2023-10-17 国网四川省电力公司乐山供电公司 Internet of things-based network security data risk assessment system
CN116915500A (en) * 2023-09-05 2023-10-20 武汉万数科技有限公司 Security detection method and system for access equipment
CN116915507A (en) * 2023-09-12 2023-10-20 奇安星城网络安全运营服务(长沙)有限公司 Computer network security analysis system based on security signal matching
CN117040912A (en) * 2023-09-13 2023-11-10 湖南新生命网络科技有限公司 Network security operation and maintenance management method and system based on data analysis
CN117061257A (en) * 2023-10-13 2023-11-14 广州市零脉信息科技有限公司 Network security assessment system
CN117081868A (en) * 2023-10-17 2023-11-17 山东源鲁信息科技有限公司 Network security operation method based on security policy
CN117240628A (en) * 2023-11-15 2023-12-15 山东卓朗检测股份有限公司 Penetration test system for network security
CN117424759A (en) * 2023-12-18 2024-01-19 南京思宇电气技术有限公司 Holographic monitoring gateway applied to power distribution room and monitoring system thereof
CN117494219A (en) * 2023-12-29 2024-02-02 智慧(东营)大数据有限公司 Bill management system and method based on blockchain technology
CN117611107A (en) * 2024-01-18 2024-02-27 四川数字健康科技服务有限公司 Classification and classification system and application system management platform
CN117670261A (en) * 2024-01-31 2024-03-08 广东信通通信有限公司 Safe operation and maintenance audit operation integrated terminal
CN116822804B (en) * 2023-08-29 2024-04-26 合肥天帷信息安全技术有限公司 Digital asset management analysis method, device and medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105553940A (en) * 2015-12-09 2016-05-04 北京中科云集科技有限公司 Safety protection method based on big data processing platform
CN108737425A (en) * 2018-05-24 2018-11-02 北京凌云信安科技有限公司 Fragility based on multi engine vulnerability scanning association analysis manages system
CN112165470A (en) * 2020-09-18 2021-01-01 国网辽宁省电力有限公司电力科学研究院 Intelligent terminal access safety early warning system based on log big data analysis


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
冯剑武: "基于威胁漏洞平台的闭环安全运维管理方案的探讨", 广西通信技术, no. 4, 15 December 2019 (2019-12-15), pages 2 - 4 *
张彦等: "基于等级保护思想的网络安全风险评估关键技术研究", 铁路计算机应用, no. 8, 25 August 2020 (2020-08-25), pages 1 - 4 *
陈英杰;李世武;: "基于安全环的一站式Web应用安全防范研究", 计算机与网络, no. 06, 26 March 2019 (2019-03-26) *


Similar Documents

Publication Publication Date Title
CN114978584A (en) Network security protection safety method and system based on unit cell
US7398389B2 (en) Kernel-based network security infrastructure
Dahbul et al. Enhancing honeypot deception capability through network service fingerprinting
CN113114647A (en) Network security risk detection method and device, electronic equipment and storage medium
CN114003943B (en) Safe double-control management platform for computer room trusteeship management
Kim et al. DSS for computer security incident response applying CBR and collaborative response
CN110033174A (en) A kind of industrial information efficient public security system building method
CN113407949A (en) Information security monitoring system, method, equipment and storage medium
Bishop et al. The threat from the net [Internet security]
Anand et al. Vulnerability-based security pattern categorization in search of missing patterns
Xu et al. Network security
CN117155678A (en) Computer network engineering safety control system
Aboelfotoh et al. A review of cyber-security measuring and assessment methods for modern enterprises
CN110086812B (en) Safe and controllable internal network safety patrol system and method
CN116723048A (en) Communication system and method in local area network
Rawal et al. Cybersecurity and Identity Access Management
Bhardwaj et al. Cloud computing security services to mitigate DDoS attacks
Whyte Using a systems-theoretic approach to analyze cyber attacks on cyber-physical systems
Cisco Introduction
Alhasawi ICSrank: A Security Assessment Framework for Industrial Control Systems (ICS)
Ruha Cybersecurity of computer networks
Xiong et al. Web and Database Security
Chaka et al. Curtailing the threats to cloud computing in the fourth industrial revolution
Pattanavichai Design Network Model for Information Security Management Standard depend on ISO 27001.
Sobol et al. Modeling the State of Information Security of a Smart Campus

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination