CN115277045A - IDC safety management system - Google Patents


Info

Publication number: CN115277045A
Application number: CN202210541450.6A
Authority: CN (China)
Prior art keywords: idc, data, information, unit, module
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Inventors: 李泽峰, 李明怀
Current Assignee: Guangdong Shenli Information Engineering Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Guangdong Shenli Information Engineering Co ltd
Events: application filed by Guangdong Shenli Information Engineering Co ltd; priority to CN202210541450.6A; publication of CN115277045A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The IDC security management system comprises a data acquisition module, a security management module, a terrorism-related information identification module and a system management module. The data acquisition module acquires and encrypts data at the egress of an IDC machine room and outputs the encrypted IDC collected data; the security management module performs attack feature identification, deep protocol analysis and traffic anomaly detection on the IDC collected data, determines the unsafe information in it, and monitors, queries and preprocesses that unsafe information; the terrorism-related information identification module identifies terrorism-related information in the IDC collected data and determines the terrorism-related risk information it contains; and the system management module manages the IDC machine room according to the unsafe information. The invention improves the capability to detect threat behaviour and effectively prevents unsafe events from occurring.

Description

IDC safety management system
Technical Field
The invention relates to the technical field of the Internet, in particular to an IDC (Internet data center) security management system.
Background
An IDC (Internet Data Center) is a professionally operated application service platform with comprehensive equipment (high-speed Internet access bandwidth, a high-performance local area network, a safe and reliable machine room environment, and the like) and comprehensive management. On this platform the IDC service provider offers clients Internet basic platform services (server hosting, virtual hosts, mail caching, virtual mail and the like) and various value-added services (site rental, domain name system services, load balancing systems, database systems, data backup services and the like).
With the rapid development of networks, IDC services change very quickly and take many forms: host storage, rented space, shared servers hosting websites, large websites built on many servers, virtual machines, cloud storage, website mirroring, VPNs spanning physical regions, and so on. As a result the IDC faces many potential security hazards (for example, it is subject to various attacks and intrusions), which pose great challenges to IDC security.
Disclosure of Invention
The main aim of the invention is to provide an IDC (Internet data center) security management system: an all-round IDC security management system with a higher security level.
To achieve this aim, the invention provides an IDC security management system which includes:
the data acquisition module, which acquires and encrypts data at the egress of the IDC machine room and outputs the encrypted IDC collected data;
the security management module, which performs attack feature identification, deep protocol analysis and traffic anomaly detection on the IDC collected data to determine the unsafe information in it, and monitors, filters and intercepts that unsafe information;
the terrorism-related information identification module, which identifies terrorism-related information in the IDC collected data and determines the terrorism-related risk information (the terrorism-related hidden dangers) it contains;
and the system management module, which obtains the unsafe information and/or the terrorism-related risk information, determines the target IDC machine room from it, and manages that IDC machine room.
Optionally, the terrorism-related information identification module includes:
a keyword extraction unit, which extracts the high-frequency terrorism-related keywords appearing in the IDC collected data and determines the terrorism-related information in the IDC collected data from those keywords;
a behaviour feature identification unit, which identifies terrorism-related behaviour information from the terrorism-related information and determines a terrorism-related behaviour track;
and a service feature identification unit, which determines the terrorism-related risk information from the terrorism-related behaviour track.
Optionally, the keyword extraction unit includes:
a knowledge extraction unit, which extracts knowledge from the IDC collected data to form knowledge data;
a knowledge storage unit, which selects, filters, processes and refines the knowledge data meeting preset conditions to form known knowledge data, and stores the known knowledge data according to preset rules;
and a knowledge inference unit, which infers implicit unknown knowledge data from the stored known knowledge data and integrates the known and unknown knowledge data into the terrorism-related risk information.
Optionally, the security management module includes:
an attack feature identification unit, which performs targeted attack feature identification on the IDC collected data based on a preset library of known attacks;
a deep protocol analysis unit, which performs deep protocol analysis on the IDC collected data according to a preset deep protocol analysis algorithm;
and a traffic anomaly detection unit, which learns the system's normal traffic to set a reference traffic value and inspects the IDC collected data against that reference value.
Optionally, the traffic anomaly detection unit includes:
a traffic database update module, which updates the traffic data in the traffic database over the Internet;
a traffic prediction module, which predicts the system's normal traffic from the network environment, account operations and the updated traffic data, and sets that normal traffic as the reference traffic value;
and an anomaly detection module, which detects, based on the reference traffic value, whether the traffic values in the IDC collected data are abnormal.
Optionally, the data acquisition module comprises:
a storage unit;
a mirroring unit, which collects all data at the IDC machine room egress and mirrors it to the storage unit;
and an encrypted transmission unit, which encrypts the data held in the storage unit with a random key to obtain the encrypted IDC collected data;
the encrypted transmission unit also encrypts that key and transmits the encrypted key to the security management module.
Optionally, the encrypted transmission unit includes:
a random number module, which generates and outputs a string of 32 random characters;
and a key generation module, which generates the random key from the random characters using a preset key generation algorithm.
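As an added example (not the patent's own code), the encrypted transmission unit in Go with standard-library primitives standing in for the unspecified "preset key generation algorithm": the random number module draws 32 random characters, the key generation module hashes them into an AES-256 key, the collected data is sealed with AES-GCM, and the key is wrapped with the security management module's RSA public key before transmission. The character set, the SHA-256 derivation, the OAEP label and the receiver key pair are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Character set the random number module draws from (assumption).
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

// OAEP label binding the wrapped key to its purpose; both sides must agree on it.
var keyLabel = []byte("idc-collected-data-key")

// RandomChars is the random number module: n characters from a CSPRNG, drawn
// with rand.Int so no character is favoured by modulo bias.
func RandomChars(n int) (string, error) {
	out := make([]byte, n)
	max := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, max)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// DeriveKey is the key generation module. The patent's "preset key generation
// algorithm" is unspecified; SHA-256 over the random characters is assumed here,
// giving a 32-byte AES-256 key (32 characters of this alphabet carry ~190 bits).
func DeriveKey(chars string) []byte {
	sum := sha256.Sum256([]byte(chars))
	return sum[:]
}

// NewReceiverKey creates the security management module's RSA key pair (constructed).
func NewReceiverKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Envelope is what the data acquisition module transmits: the encrypted
// collected data plus the encrypted random key.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output; authenticated, so tampering is detected
	WrappedKey []byte // the random key encrypted with RSA-OAEP
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the collected data under a fresh random key and wraps that key
// for the security management module's public key.
func Seal(pub *rsa.PublicKey, collected []byte) (Envelope, error) {
	chars, err := RandomChars(32)
	if err != nil {
		return Envelope{}, err
	}
	key := DeriveKey(chars)
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, keyLabel)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, collected, nil), WrappedKey: wrapped}, nil
}

// Open is the receiving side: unwrap the key, then authenticate and decrypt.
// Any change to the nonce, ciphertext or tag makes gcm.Open return an error.
func Open(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, keyLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

A fresh key per transmission means a single leaked key exposes one batch of collected data only, and the GCM tag makes any modification in transit fail at Open.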
Optionally, the system further comprises an anti-fraud and black-industry identification module (black industry: the illicit online industry, rendered "black product" in the machine translation), which specifically comprises:
a collection unit, which collects black-industry data from the IDC collected data, cleans it, and outputs the resulting valid black-industry-related data;
a table building unit, which builds a black-industry classification table containing a number of label entries, so as to determine the black-industry keywords corresponding to each label;
a screening and identification module, which counts the degree of match between the valid data and the keywords corresponding to each label, thereby screening and identifying the black-industry information in the IDC collected data;
the system management module is further configured to obtain the black-industry information, determine the target IDC machine room from it, and manage that IDC machine room.
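As an added example (not code from the patent), the classification-table screening in Go: records are cleaned into valid data, each label's match degree is the fraction of its keywords found on word boundaries, and labels at or above a threshold are reported. The labels, keywords and records are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"unicode"
)

// Label is one row of the black-industry classification table: a label and the
// keywords that characterise it (constructed, illustrative vocabulary).
type Label struct {
	Name     string
	Keywords []string
}

// Match is a label whose match degree reached the screening threshold.
type Match struct {
	Label  string
	Degree float64
}

// Clean turns one collected record into the "valid data" the collection unit
// outputs: lower-cased, punctuation replaced by spaces, whitespace collapsed.
func Clean(record string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(record) {
		if unicode.IsLetter(r) || unicode.IsDigit(r) || unicode.IsSpace(r) {
			b.WriteRune(r)
		} else {
			b.WriteRune(' ')
		}
	}
	return strings.Join(strings.Fields(b.String()), " ")
}

// MatchDegree is the fraction of the label's keywords (0..1) that occur in the
// cleaned record, matched on word boundaries so "unverified" does not count as "verified".
func MatchDegree(valid string, l Label) float64 {
	if len(l.Keywords) == 0 {
		return 0
	}
	padded := " " + valid + " "
	hits := 0
	for _, kw := range l.Keywords {
		if strings.Contains(padded, " "+Clean(kw)+" ") {
			hits++
		}
	}
	return float64(hits) / float64(len(l.Keywords))
}

// Screen scores one record against every label and returns the labels at or
// above threshold, highest degree first.
func Screen(record string, table []Label, threshold float64) []Match {
	valid := Clean(record)
	var out []Match
	for _, l := range table {
		if d := MatchDegree(valid, l); d >= threshold {
			out = append(out, Match{l.Name, d})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Degree > out[j].Degree })
	return out
}

// Constructed classification table: three labels, four keywords each.
var classificationTable = []Label{
	{"phishing", []string{"verify your account", "fake login", "bank", "password reset"}},
	{"account-trafficking", []string{"bulk accounts", "verified", "cheap", "resell"}},
	{"ddos-for-hire", []string{"stresser", "booter", "ddos", "take down"}},
}

func main() {
	for _, rec := range []string{
		"Cheap BULK accounts for sale!! verified, DM me", // constructed
		"routine maintenance window tonight",             // constructed, benign
	} {
		fmt.Printf("%q -> %v\n", rec, Screen(rec, classificationTable, 0.5))
	}
}
```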
Optionally, the system management module includes:
a login management unit, through which accounts initiate login requests and which detects and blocks dangerous activity in the system;
an authority management unit, which authenticates the account's login request and checks the account's access authority to determine its target access authority;
and an access control unit, which determines the devices the account may access and the operations it may execute, according to the target access authority and preset control rules.
Optionally, the system comprises:
a log management module, which manages, counts and audits the operation behaviour of all logged-in users to generate log data;
the system management module further comprises a log query unit for querying the log data;
the log query unit also generates recursive query authority according to the account's authority, so that the account can perform recursive queries based on the query results of the log data.
The invention provides an IDC (Internet data center) security management system comprising a data acquisition module, a security management module, a terrorism-related information identification module and a system management module. The data acquisition module acquires and encrypts data at the egress of an IDC machine room and outputs the encrypted IDC collected data; the security management module performs attack feature identification, deep protocol analysis and traffic anomaly detection on the IDC collected data to determine the unsafe information in it, and monitors, filters and intercepts that unsafe information; the terrorism-related information identification module identifies terrorism-related information in the IDC collected data and determines the terrorism-related risk information it contains; and the system management module obtains the unsafe information and/or the terrorism-related risk information, determines the target IDC machine room from it, and manages that machine room. In this way the data acquisition module captures the key IDC egress data and sends it to the security management module for analysis, which improves the capability to detect threat behaviour; the security management module combines various databases to form anti-virus, anti-intrusion, traffic analysis and traffic cleaning detection aimed at viruses, intrusions, violations and similar behaviour, with high accuracy, so that unsafe events are effectively avoided.
Drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly described below. Obviously the drawings described below show only some embodiments of the invention, and a person skilled in the art can obtain other drawings from the structures shown in them without creative effort.
Fig. 1 is a block diagram of an embodiment of an IDC security management system of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
The reference numerals are:
Reference numeral   Name
10                  Data acquisition module
20                  Security management module
30                  Terrorism-related information identification module
40                  System management module
Detailed Description
The technical solutions in the embodiments of the invention will be described clearly and completely below with reference to the drawings of the embodiments. Obviously the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the invention.
It should be noted that all directional indicators (such as up, down, left, right, front, back, etc.) in the embodiments of the invention are used only to explain the relative positional relationship, motion and so on between the components in a specific posture (as shown in the drawings); if that posture changes, the directional indicator changes accordingly.
The invention provides an IDC (Internet data center) security management system which, in one embodiment shown in figure 1, comprises a data acquisition module 10, a security management module 20, a terrorism-related information identification module 30 and a system management module 40. The data acquisition module 10 acquires and encrypts data at the egress of the IDC machine room and outputs the encrypted IDC collected data; the security management module 20 performs attack feature identification, deep protocol analysis and traffic anomaly detection on the IDC collected data to determine the unsafe information in it, and monitors, filters and intercepts that unsafe information; the terrorism-related information identification module 30 identifies terrorism-related information in the IDC collected data and determines the terrorism-related risk information it contains; and the system management module obtains the unsafe information and/or the terrorism-related risk information, determines the target IDC machine room from it, and manages that IDC machine room.
In this embodiment the IDC security management system further includes an egress router and a core switch. The egress router connects to the Internet; the core switch connects to the hosted server group and creates a mirror of the server group through a mirror port; and the data acquisition module 10 is deployed to collect the mirrored machine room server data, that is, the IDC machine room egress data.
The collection of IDC machine room egress data can be divided into active and passive collection according to the collection method, and into full collection and sampled collection according to its real-time character; the choice can be made according to factors such as the actual depth of the security requirements and the input cost.
The security management module 20 performs security analysis on the IDC collected data to obtain a security analysis result, namely the unsafe information in the IDC collected data, so that the unsafe information can be detected, queried and processed. The security management module comprises a basic data detection unit, an attack feature identification unit, a deep protocol analysis unit, a traffic anomaly detection unit, a virus detection unit and a security processing unit.
The basic data detection unit detects basic resource information, including IP segment information, server information, IDC user information and the like, and organises it effectively, so that from the system a user can directly grasp the number of domain names, the total number of IPs, the number of accessed full domain names, the number of unregistered websites and similar information about the machine room.
The attack feature identification unit detects known attacks based on the library of known attacks. Once the features of an attack are known, a targeted attack feature filter can be formulated; the corresponding packets are matched against this specific filter, so the formulated rule accurately detects the target attack. This protects the server from the attack and keeps the other servers in the IDC machine room from being affected.
The virus detection unit prevents viruses from threatening the stability of the IDC network and the security of the computer servers, protecting the security of users' data.
The core of the deep protocol analysis unit is the deep protocol analysis algorithm. With this algorithm, any behaviour that contradicts the RFC specifications is detected accurately. Protocol anomalies are highlighted by evaluating whether the behaviour about to be executed is defective and by discovering violations of the specified behaviour early, such as some less common overflow attacks, attacks launched through "0-day" vulnerabilities, or denial-of-service traffic attacks.
The traffic anomaly detection unit learns the normal traffic and gives an early warning for traffic in the system that exceeds the expected standard. In general the normal traffic is set as a reference traffic value and the detection method is built on that value: the corresponding packets are compared with the set reference traffic value by an algorithm, and if they fall within the reference category interval they are normal traffic; if the deviation is large, the system gives an early warning. This mechanism can reasonably prevent worm viruses, distributed denial-of-service attacks, zero-day attacks, rogue traffic and the like.
The traffic anomaly detection unit may specifically include a traffic database update module, a traffic prediction module and an anomaly detection module. The traffic database update module updates the traffic data in the traffic database over the Internet; the traffic prediction module predicts the system's normal traffic from the network environment, account operations and the updated traffic data, and sets that normal traffic as the reference traffic value; and the anomaly detection module detects, based on the reference traffic value, whether the traffic values in the IDC collected data are abnormal.
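As an added example (not the patent's own code), the reference-value mechanism above in Go: a reference traffic value is learned from intervals known to be normal, each collected interval is compared with it, and a deviation beyond a chosen number of standard deviations raises an early warning. The per-interval byte counts, the record layout and the threshold of 3 standard deviations are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// TrafficSample is the byte count seen at the IDC machine room egress in one
// collection interval (constructed record layout for this example).
type TrafficSample struct {
	Interval string
	Bytes    float64
}

// Reference is the learned reference traffic value: the mean of normal traffic
// and its spread, which together define the reference category interval.
type Reference struct {
	Mean   float64
	StdDev float64
}

// LearnReference derives the reference value from samples known to be normal.
func LearnReference(normal []TrafficSample) (Reference, error) {
	if len(normal) < 2 {
		return Reference{}, errors.New("need at least two normal samples to learn a reference")
	}
	var sum float64
	for _, s := range normal {
		sum += s.Bytes
	}
	mean := sum / float64(len(normal))
	var sq float64
	for _, s := range normal {
		d := s.Bytes - mean
		sq += d * d
	}
	// Sample standard deviation (n-1), so a small training set is not over-confident.
	return Reference{Mean: mean, StdDev: math.Sqrt(sq / float64(len(normal)-1))}, nil
}

// Verdict is the detection result for one collected interval.
type Verdict struct {
	Interval string
	Bytes    float64
	Score    float64 // deviation from the reference, in standard deviations
	Alert    bool    // true when the deviation is large enough for an early warning
}

// Detect compares each collected sample with the reference value. A sample
// within threshold standard deviations is normal traffic; a larger deviation
// in either direction (a flood or a sudden drop) raises an early warning.
func Detect(ref Reference, collected []TrafficSample, threshold float64) []Verdict {
	out := make([]Verdict, 0, len(collected))
	for _, s := range collected {
		var score float64
		switch {
		case ref.StdDev > 0:
			score = (s.Bytes - ref.Mean) / ref.StdDev
		case s.Bytes != ref.Mean:
			// Flat baseline: any change at all is an unbounded deviation.
			score = math.Inf(1)
		}
		out = append(out, Verdict{s.Interval, s.Bytes, score, math.Abs(score) > threshold})
	}
	return out
}

// AlertCount returns how many verdicts raised an early warning.
func AlertCount(vs []Verdict) int {
	n := 0
	for _, v := range vs {
		if v.Alert {
			n++
		}
	}
	return n
}

// Constructed training data (megabytes per interval) from a quiet period.
var normalTraffic = []TrafficSample{
	{"t01", 100}, {"t02", 120}, {"t03", 110}, {"t04", 90},
	{"t05", 100}, {"t06", 110}, {"t07", 100}, {"t08", 90},
}

// Constructed collected data: one normal interval, one flood, one sudden drop.
var collectedTraffic = []TrafficSample{{"t09", 105}, {"t10", 400}, {"t11", 60}}

func main() {
	ref, err := LearnReference(normalTraffic)
	if err != nil {
		panic(err)
	}
	fmt.Printf("reference: mean=%.1f stddev=%.2f\n", ref.Mean, ref.StdDev)
	for _, v := range Detect(ref, collectedTraffic, 3.0) {
		fmt.Printf("%s bytes=%.0f score=%+.2f alert=%v\n", v.Interval, v.Bytes, v.Score, v.Alert)
	}
}
```

The patent's traffic prediction module would replace the static mean with a predicted value per network environment; the comparison step stays the same.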
The unsafe information comprises the analysis results of the basic data detection unit, the attack feature identification unit, the deep protocol analysis unit and the traffic anomaly detection unit, namely abnormal data such as illegal and violating data. The security processing unit performs preprocessing such as filtering and interception according to the unsafe information, so that the unsafe information does not create security hazards for users' information and the security of the system is improved.
The security processing unit also generates an interception log, a filtering log, a monitoring log and records of other operations according to the unsafe information, specifically recording the registered domain name and IP address corresponding to the unsafe information, whether it was processed (whether processing has been executed), the account that executed the processing operation and when it was processed, and reports this information to the system management module 40.
The terrorism-related risk information output by the terrorism-related information identification module 30 may also be input to the security processing unit in the security management module 20, so that the security processing unit can filter and intercept the terrorism-related unsafe information as well.
With the development of Internet technology, the Internet has become an important means and channel by which terrorist organisations plan and incite terrorist activities. Online terrorism-related information is highly concealed and influential, spreads rapidly, diffuses easily and is hard to control, so identifying and discovering it has become a main means of preventing and combating the spread of terrorism at its source. Providing the terrorism-related information identification module 30 improves the ability to identify terrorism-related information and thereby improves the security of the system.
Further, the user can query the monitoring log through the system management module 40 to learn the directory of illegal websites, the interception logs, the filtering logs and similar information, obtain the current state and disposal information of the corresponding website, and, for the filtering logs, selectively set interception rules and filtering rules according to the user's own operating authority. The system management module 40 further includes a management unit that shuts down the unsafe IDC machine room, issues early warnings and performs other operations according to the unsafe information, so as to ensure the security of the entire system.
In this embodiment, with the data acquisition module 10, the security management module 20 and the system management module 40 in place, the data acquisition module 10 acquires and encrypts data at the egress of the IDC machine room and outputs the encrypted IDC collected data; the security management module 20 performs attack feature identification, deep protocol analysis and traffic anomaly detection on the IDC collected data, determines the unsafe information in it, and detects, queries and preprocesses that unsafe information; and the system management module 40 manages the IDC machine room according to the unsafe information. In this way the data acquisition module 10 captures the most effective and most critical IDC egress data and sends it to the security management module 20 for analysis, which improves the capability to detect threat behaviour; the security management module 20 combines various databases to form anti-virus, anti-intrusion, traffic analysis and traffic cleaning detection aimed at viruses, intrusions, violations and similar behaviour, with high accuracy, so that unsafe events are effectively avoided.
In an embodiment, the terrorism-related information identification module 30 specifically includes: a keyword extraction unit, which extracts the high-frequency terrorism-related keywords appearing in the IDC collected data and determines the terrorism-related information in the IDC collected data from them; a behaviour feature identification unit, which identifies terrorism-related behaviour information from the terrorism-related information and determines a terrorism-related behaviour track; and a service feature identification unit, which determines the terrorism-related unsafe information from that behaviour track.
The keyword extraction unit may be built with knowledge graph technology and includes: a knowledge extraction unit, which extracts knowledge from the IDC collected data to form knowledge data; a knowledge storage unit, which selects, filters, processes and refines the knowledge data meeting preset conditions to form known knowledge data, and stores the known knowledge data according to preset rules; and a knowledge inference unit, which infers implicit unknown knowledge data from the stored known knowledge data and integrates the known and unknown knowledge data into the terrorism-related information.
The keyword extraction unit also comprises a knowledge representation unit; the knowledge extraction unit forms knowledge (structured data) and stores it in a knowledge graph. The knowledge storage unit stores, according to a certain rule, the knowledge that meets the preset conditions after it has been selected, filtered, processed and refined; such knowledge is more convenient and quicker for a consumer to use, and its content, structure and other properties can be updated and recombined at any time. Knowledge inference is the process of deducing unknown knowledge from the existing, known knowledge, mining the implicit knowledge further and thereby enriching and completing the terrorism-related information. Identification and discovery of online terrorism-related information is achieved by inputting a large amount of structured or unstructured data containing both terrorism-related and unrelated information: the knowledge extraction unit extracts knowledge elements such as terrorism-related entities, relations and attributes from this data, and knowledge fusion integrates, disambiguates, processes, verifies by inference and updates the heterogeneous data from different information sources under one frame specification, fusing data, information, methods, experience and human ideas into high-quality terrorism-related unsafe information. This improves the accuracy and completeness of terrorism-related information identification and the security of the system.
The terrorism-related information identification module also comprises a terrorism-related keyword library, a behaviour track feature library and a feature model library. Using knowledge graph technology, it determines the terrorism-related unsafe information on the basis of the terrorism-related keyword library, the terrorism-related behaviour track feature library and the service feature identification unit built from the service scenario, and it can further be tuned through verification against large amounts of data to improve the effectiveness and accuracy of terrorism-related information identification.
Further, the terrorism-related information identification module may include a knowledge base update unit, which connects to the Internet to update in time the data missing from the keyword library and the behaviour track feature library and to replace data that is wrong. In this way the module's ability to identify terrorism-related information can be improved continuously.
In one embodiment the system management module 40 includes a login management unit, an authority management unit and an access control unit. Accounts initiate login requests through the login management unit, which also detects and blocks unsafe activity in the system; the authority management unit authenticates the account login and checks the account's access authority to determine its target access authority; and the access control unit determines the devices the account may access and the operations it may execute according to the target access authority and preset control rules.
In this embodiment the login management unit comprises a bastion host, used to identify, record, store and analyse unsafe behaviour in the system. In a specific network environment, and in order to keep the network and its data from being intruded upon or damaged by external and internal users, the bastion host uses various technical means to collect and monitor in real time the system state, security events and network activity of every component in that environment, so as to achieve centralised alerting, timely handling, auditing and determination of responsibility. The bastion host works as a gatekeeper: every request for a network device or server must pass through this gate, so it can intercept illegal access and malicious attacks, block illegal commands, filter out all illegal access to target devices, and audit and monitor misoperations and illegal operations by internal personnel so that responsibility can be traced afterwards.
Once the login management unit is deployed, users' login requests are all initiated through the bastion host and identity-verified by the authentication management module in the authority management unit; the authority management module in the authority management unit then checks the access authority of the object that initiated the login request, and the access control module grants different access authorities to different login accounts according to the preset control rules, for example an account may access specific service servers but not the core database server.
It will be understood that as IDC services develop, the number of network devices and servers (including virtual machines) grows, and behind this complex set of devices stand operation and maintenance (O&M) personnel with differing backgrounds; the O&M management model is generally disorderly, and a range of parties such as system administrators, O&M staff, ordinary users, temporary users and third-party agents can log in to, manage and operate the various devices in the system. In the daily O&M of network devices and servers the following problems commonly arise. First, several users manage one device with the same account, so that after a security incident the actual user of the account and the responsible person are hard to identify, which is a considerable security risk. Second, one user manages many devices through many accounts; this is common because O&M staff often have to manage many devices, so they must memorise many sets of account names and passwords and switch among many host systems and network devices. This can also lead to the leakage of account privileges, and it is difficult to discover rule-breaking operations promptly and to trace them for evidence through the devices' own audit functions. With the introduction of the bastion host these problems can be effectively addressed, as can further problems such as access control and automated operations.
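The following is an added example, not code from the patent, of how the access control unit's preset control rule might be evaluated: accounts carry the roles granted by the permission management unit, devices belong to groups, and a rule set decides per device and operation. Evaluation is deny by default, and an explicit deny attached to any of the account's roles overrides every allow, which is what makes the page's own example (an account that may reach service servers but never the core database server) hold even when the account also holds a broader role. The inventory, role names and rules are constructed for illustration.

```go
package main

import "fmt"

// Rule is one entry of the preset control rule set: which role may (or may not)
// perform which operations on which device group.
type Rule struct {
	Role  string   // role resolved by the permission management unit
	Group string   // device group; "*" matches any group
	Ops   []string // operations; "*" matches any operation
	Allow bool     // false = explicit deny, which wins over any allow
}

// Device is an asset reachable only through the bastion host.
type Device struct {
	Name  string
	Group string
}

// Account is the outcome of authentication: the login name and the roles
// (target access permissions) the permission management unit granted.
type Account struct {
	Username string
	Roles    []string
}

// Decision is what the access control unit returns; Reason feeds the audit trail.
type Decision struct {
	Allowed bool
	Reason  string
}

// ACL holds the device inventory and the rule set.
type ACL struct {
	Devices map[string]Device
	Rules   []Rule
}

func matches(pattern, value string) bool { return pattern == "*" || pattern == value }

func containsOp(ops []string, op string) bool {
	for _, o := range ops {
		if matches(o, op) {
			return true
		}
	}
	return false
}

// Authorize is deny-by-default: an unknown device or an account with no matching
// allow rule is refused, and an explicit deny on any role overrides every allow.
func (a *ACL) Authorize(acct Account, device, op string) Decision {
	dev, ok := a.Devices[device]
	if !ok {
		return Decision{false, fmt.Sprintf("unknown device %q", device)}
	}
	allowedBy := ""
	for _, role := range acct.Roles {
		for _, r := range a.Rules {
			if r.Role != role || !matches(r.Group, dev.Group) || !containsOp(r.Ops, op) {
				continue
			}
			if !r.Allow {
				return Decision{false, fmt.Sprintf("explicit deny for role %s on group %s", role, dev.Group)}
			}
			allowedBy = role
		}
	}
	if allowedBy == "" {
		return Decision{false, "no matching allow rule (deny by default)"}
	}
	return Decision{true, "allowed by role " + allowedBy}
}

// NewSampleACL builds a constructed inventory and rule set for illustration.
func NewSampleACL() *ACL {
	return &ACL{
		Devices: map[string]Device{
			"web-01":    {"web-01", "service"},
			"web-02":    {"web-02", "service"},
			"coredb-01": {"coredb-01", "core-db"},
			"sw-core":   {"sw-core", "network"},
		},
		Rules: []Rule{
			{Role: "app-ops", Group: "service", Ops: []string{"ssh", "restart"}, Allow: true},
			{Role: "dba", Group: "core-db", Ops: []string{"ssh", "sql"}, Allow: true},
			{Role: "net-ops", Group: "network", Ops: []string{"*"}, Allow: true},
			{Role: "temp", Group: "service", Ops: []string{"ssh"}, Allow: true},
			// Temporary users never touch the core database and never restart
			// anything, whatever other roles they also hold.
			{Role: "temp", Group: "core-db", Ops: []string{"*"}, Allow: false},
			{Role: "temp", Group: "*", Ops: []string{"restart"}, Allow: false},
		},
	}
}

func main() {
	acl := NewSampleACL()
	ops := Account{Username: "zhang", Roles: []string{"app-ops"}}
	contractor := Account{Username: "vendor-li", Roles: []string{"app-ops", "temp"}}
	for _, q := range []struct {
		acct    Account
		dev, op string
	}{
		{ops, "web-01", "ssh"}, {ops, "coredb-01", "ssh"},
		{contractor, "web-01", "restart"}, {contractor, "coredb-01", "sql"},
	} {
		d := acl.Authorize(q.acct, q.dev, q.op)
		fmt.Printf("%-10s %-10s %-8s allowed=%-5v %s\n", q.acct.Username, q.dev, q.op, d.Allowed, d.Reason)
	}
}
```

The rule order does not matter for the outcome, because an allow is only returned after every rule of every role has been examined; what matters is that the deny for the `temp` role is evaluated even when another role already produced an allow.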
In an embodiment, the IDC security management system further includes a log management module, and the system management module 40 further includes a log query unit. The log management module is used for managing, counting and auditing the operational behaviour of all logged-in users to generate log data; the log query unit is used for querying the log data, and is further used for generating a recursive query permission according to the permissions of the account, so that the account can perform recursive queries based on the results of a query over the log data.
In this embodiment, the log management module provides log retrieval by conditions such as device alarm, time, IP address, event type and user identity, and provides log backup, removal and recovery. The log management query function also supports recursive querying, that is, a query condition is entered again within a query result to obtain a more detailed, further result, so that administrators can perform fine-grained analysis.
Specifically, the log management module comprises an access log management and statistics unit, a log audit unit and an O&M log management unit. The access log management unit collects and records the operational behaviour of all logged-in users, such as login information, browsing information, access information and operation information, and marks the result of each operation to form auditable data, so that sources can be traced when a network information security incident occurs; for example, user activity can be audited after the fact to discover unauthorised access, or to assist in analysing and locating the problem when a system fails.
The log audit unit applies denoising to the massive log information using various informatisation means and a big data framework, screens the effective information out of it, and performs targeted analysis and evaluation of that information in order to discover potential network information security threats.
The log audit unit can also handle the various abnormalities that may occur in the system, monitor the system's running state in real time and resolve conditions as they arise, so that the modules in the system run smoothly under its regulation.
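As an added example, not part of the patent, the retrieval conditions listed above (device alarm, time, IP address, event type, user identity) and the recursive query can be modelled as a chain of filters, each applied to the output of the previous one, with the account's query authority applied first so that a narrower account gets a narrower result from the same drill-down. The log records, subnets and scope rules are constructed; the patent specifies no log schema.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// LogEntry is one audited operation record from the log management module.
type LogEntry struct {
	Time      time.Time
	User      string
	IP        net.IP
	Device    string
	EventType string // "login", "command", ...
	Alarm     bool   // a device alarm was raised by this event
}

// Query is one set of retrieval conditions; zero values mean "no constraint".
type Query struct {
	From, To  time.Time // half-open window [From, To)
	User      string
	CIDR      *net.IPNet
	EventType string
	AlarmOnly bool
}

// Scope is the query authority derived from the account's permissions: which
// records it may see at all, applied before any query condition.
type Scope struct {
	Devices  map[string]bool // nil = all devices
	SelfOnly string          // non-empty = only this user's own records
}

func (s Scope) visible(e LogEntry) bool {
	return (s.Devices == nil || s.Devices[e.Device]) && (s.SelfOnly == "" || e.User == s.SelfOnly)
}

func (q Query) match(e LogEntry) bool {
	return (q.From.IsZero() || !e.Time.Before(q.From)) &&
		(q.To.IsZero() || e.Time.Before(q.To)) &&
		(q.User == "" || e.User == q.User) &&
		(q.CIDR == nil || q.CIDR.Contains(e.IP)) &&
		(q.EventType == "" || e.EventType == q.EventType) &&
		(!q.AlarmOnly || e.Alarm)
}

// Search applies the scope, then each query to the result of the previous one:
// the "query within the query result" behaviour of the recursive query.
func Search(scope Scope, logs []LogEntry, steps ...Query) []LogEntry {
	var cur []LogEntry
	for _, e := range logs {
		if scope.visible(e) {
			cur = append(cur, e)
		}
	}
	for _, q := range steps {
		var next []LogEntry
		for _, e := range cur {
			if q.match(e) {
				next = append(next, e)
			}
		}
		cur = next
	}
	return cur
}

func mustT(s string) time.Time {
	t, err := time.Parse(time.RFC3339, s)
	if err != nil {
		panic(err)
	}
	return t
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// SampleLogs are constructed records for illustration, not data from the patent.
func SampleLogs() []LogEntry {
	return []LogEntry{
		{mustT("2022-05-17T09:00:00Z"), "zhang", net.ParseIP("10.1.2.10"), "web-01", "login", false},
		{mustT("2022-05-17T09:01:30Z"), "zhang", net.ParseIP("10.1.2.10"), "web-01", "command", false},
		{mustT("2022-05-17T09:05:00Z"), "vendor-li", net.ParseIP("10.9.0.7"), "coredb-01", "login", false},
		{mustT("2022-05-17T09:05:10Z"), "vendor-li", net.ParseIP("10.9.0.7"), "coredb-01", "login", true},
		{mustT("2022-05-17T09:05:20Z"), "vendor-li", net.ParseIP("10.9.0.7"), "web-02", "login", false},
		{mustT("2022-05-17T10:30:00Z"), "wang", net.ParseIP("10.1.2.55"), "sw-core", "command", true},
	}
}

func main() {
	logs := SampleLogs()
	steps := []Query{ // drill-down: time window, then the vendor subnet, then alarms only
		{From: mustT("2022-05-17T09:00:00Z"), To: mustT("2022-05-17T10:00:00Z")},
		{CIDR: mustCIDR("10.9.0.0/16")},
		{AlarmOnly: true},
	}
	for i := 1; i <= len(steps); i++ { // an administrator scope sees everything
		fmt.Printf("after step %d: %d records\n", i, len(Search(Scope{}, logs, steps[:i]...)))
	}
	appOps := Scope{Devices: map[string]bool{"web-01": true, "web-02": true}}
	fmt.Printf("same drill-down, app-ops scope: %d records\n", len(Search(appOps, logs, steps...)))
}
```

Applying the scope before the first query step, rather than to the final result, means that counts shown to a restricted account never leak how many records exist outside its authority.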
In one embodiment, the data acquisition module 10 includes a mirroring unit, a storage unit and an encrypted transmission unit. The mirroring unit is used for collecting all data at the IDC machine room egress and mirroring the data to the storage unit; the storage unit is used for storing the mirrored data; the encrypted transmission unit is used for encrypting the data stored in the storage unit with a key to obtain the encrypted IDC collected data; the encrypted transmission unit is further configured to encrypt the key and to transmit the encrypted key to the security management module 20.
In this embodiment, the encryption modes used for the data and for the key may be the same or different and can be chosen as needed. Correspondingly, a decryption unit is provided in the security management module; it first decrypts the encrypted key, then uses the recovered key to decrypt the encrypted IDC collected data. In this embodiment the transmission security of the IDC collected data is effectively improved by this two-stage encryption, and system security is thereby improved.
In one embodiment, the encrypted transmission unit comprises a random number module and a key generation module; the random number module is used for generating and outputting a 32-character random string; the key generation module is used for generating a random key from the random string according to a preset key generation algorithm.
In this embodiment, so that the encrypted IDC collected data cannot be decrypted by others, the key used for each encryption differs: the random number module generates a random string RandomPart of length 32, which is stored, and before each encryption a Key is generated from this string together with the user account name Username. The specific preset key generation algorithm may be the MD5 digest algorithm, the Key being generated as Key = MD5(RandomPart + Username); the Key is then used to perform the encryption (the description refers to the value being encrypted as a password). Because the Username of each account differs, the Key differs, so that even if the passwords of two accounts are identical the encrypted results differ, and the encrypted results cannot be effectively cracked.
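The two-stage scheme of this and the preceding paragraphs, written out as an added example rather than code from the patent. It keeps the page's formula Key = MD5(RandomPart + Username) (a 16-byte digest, used here as an AES-128 key) and the 32-character RandomPart (16 random bytes, hex-encoded). The page does not say how the key itself is encrypted or which cipher protects the data; the example assumes AES-GCM for both stages and a pre-shared key-encryption key (KEK) held by the security management module, and uses the same mode for both stages although the page permits them to differ. Two caveats a practitioner would want: the Key's unpredictability comes entirely from RandomPart, since Username is known, so RandomPart must come from a cryptographic random source as it does here; and MD5 is not a recommended key derivation function, so the formula is retained only to mirror the description.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// NewRandomPart is the random number module: 16 CSPRNG bytes, hex-encoded, give
// the 32-character string the description calls RandomPart.
func NewRandomPart() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// DeriveKey is the key generation module exactly as the description states it:
// Key = MD5(RandomPart + Username), a 16-byte digest used here as an AES-128 key.
func DeriveKey(randomPart, username string) []byte {
	sum := md5.Sum([]byte(randomPart + username))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts under a fresh random nonce, which is prepended to the output.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM splits off the nonce and authenticates before returning any plaintext.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Envelope is what the encrypted transmission unit sends: the data encrypted under
// the derived Key, and the Key encrypted under the KEK (assumed pre-shared).
type Envelope struct {
	EncryptedData []byte
	EncryptedKey  []byte
}

// Encrypt is the acquisition side: derive Key, encrypt the mirrored data, encrypt Key.
func Encrypt(kek []byte, randomPart, username string, data []byte) (Envelope, error) {
	key := DeriveKey(randomPart, username)
	ed, err := sealGCM(key, data)
	if err != nil {
		return Envelope{}, err
	}
	ek, err := sealGCM(kek, key)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{EncryptedData: ed, EncryptedKey: ek}, nil
}

// Decrypt is the decryption unit: recover the Key first, then the data. A wrong
// KEK or a tampered byte fails GCM authentication instead of yielding garbage.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	key, err := openGCM(kek, env.EncryptedKey)
	if err != nil {
		return nil, fmt.Errorf("key stage: %w", err)
	}
	return openGCM(key, env.EncryptedData)
}

func main() {
	kek := []byte("0123456789abcdef0123456789abcdef") // demo KEK only; pre-shared in practice
	rp, err := NewRandomPart()
	if err != nil {
		panic(err)
	}
	env, err := Encrypt(kek, rp, "zhang", []byte("mirrored egress sample (constructed)"))
	if err != nil {
		panic(err)
	}
	out, err := Decrypt(kek, env)
	fmt.Printf("RandomPart=%s Key=%x\nround trip: %q err=%v\n", rp, DeriveKey(rp, "zhang"), out, err)
}
```

Because GCM is authenticated, the receiving side learns immediately whether the key stage or the data stage was corrupted in transit; with an unauthenticated mode the second stage would silently produce random bytes.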
In one embodiment, the system further comprises a black industry identification module (黑产, the organised cybercrime industry; defined below), which specifically comprises: a collection unit, used for collecting black-industry data from the IDC collected data and, after cleaning, obtaining and outputting effective data related to the black industry; a table building unit, used for building a black industry classification table comprising a plurality of label data, so as to determine a plurality of black-industry keywords corresponding to each label datum; and a screening and identification module, used for counting the degree of matching between the effective data and the keywords corresponding to each label datum, thereby screening and identifying black-industry information in the IDC collected data. The system management module is further used for acquiring the black-industry information, determining a target IDC machine room according to it, and managing that IDC machine room.
The collected black-industry data may comprise a user account, content details, a data source, a link address and a publication timestamp, where the content details comprise black-industry entity information or comprise a terminal identification number and/or a login IP address. The black-industry data may be cleaned with a preset regular expression in order to extract the effective data related to the black industry.
The black industry classification table comprises a plurality of label data and a plurality of keywords corresponding to each label datum. The effective data is segmented into words, which are matched one by one against the keywords corresponding to each label datum; the number of matches between the word segments of the effective data and the keywords of each label datum is counted, and the label datum with the largest number of matches is selected as the label of the effective data.
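An added example, not the patent's code, of the collection, table-building and screening steps just described: a regular expression cleans the content down to effective text, the text is segmented into words, each label's keywords are counted against the segments (multi-word keywords are matched as phrases), and the label with the most matches wins; a record matching no keyword is reported as not black-industry information. The labels, keywords and records are constructed in English for illustration; the page's word segmentation would operate on Chinese text.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Record is one collected item: account, content details, source, link, publication
// timestamp, and the terminal identifier / login IP carried in the content details.
type Record struct {
	Account, Content, Source, Link, Published, TerminalID, LoginIP string
}

// ClassificationTable maps each label datum to its keyword list (the table building unit).
type ClassificationTable map[string][]string

// Match is the screening result for one record.
type Match struct {
	Label   string
	Hits    int
	Matched []string
}

var (
	// Cleaning: drop URLs and anything that is not a letter, digit or space so that
	// only textual content is matched against keywords.
	urlRe   = regexp.MustCompile(`https?://\S+`)
	junkRe  = regexp.MustCompile(`[^a-zA-Z0-9\s]+`)
	spaceRe = regexp.MustCompile(`\s+`)
)

// Clean is the collection unit's regular-expression cleaning step.
func Clean(content string) string {
	s := urlRe.ReplaceAllString(content, " ")
	s = junkRe.ReplaceAllString(s, " ")
	s = strings.ToLower(spaceRe.ReplaceAllString(s, " "))
	return strings.TrimSpace(s)
}

// Tokenize is the word segmentation step (whitespace split for this English sample).
func Tokenize(clean string) []string {
	return strings.Fields(clean)
}

// Classify counts keyword matches per label and returns the label with the most
// matches; a record matching no keyword gets the label "none".
func Classify(table ClassificationTable, r Record) Match {
	text := Clean(r.Content)
	tokens := map[string]bool{}
	for _, t := range Tokenize(text) {
		tokens[t] = true
	}
	labels := make([]string, 0, len(table))
	for l := range table {
		labels = append(labels, l)
	}
	sort.Strings(labels) // deterministic result when two labels tie
	best := Match{Label: "none"}
	for _, label := range labels {
		m := Match{Label: label}
		for _, kw := range table[label] {
			kw = strings.ToLower(kw)
			// single-word keywords match a segment; multi-word ones match as a phrase
			if tokens[kw] || (strings.Contains(kw, " ") && strings.Contains(" "+text+" ", " "+kw+" ")) {
				m.Hits++
				m.Matched = append(m.Matched, kw)
			}
		}
		if m.Hits > best.Hits {
			best = m
		}
	}
	return best
}

// SampleTable is a constructed classification table for illustration.
func SampleTable() ClassificationTable {
	return ClassificationTable{
		"account-trafficking": {"bulk accounts", "verified accounts", "sms verification", "resale"},
		"carding":             {"dumps", "cvv", "fullz", "track2", "cashout"},
		"ddos-for-hire":       {"booter", "stresser", "ddos", "layer7", "uptime"},
		"phishing-kits":       {"phishing", "kit", "cloned login", "letter", "spoofed"},
	}
}

func main() {
	tbl := SampleTable()
	for _, c := range []string{ // constructed sample content
		"Fresh CVV dumps and fullz, instant cashout guide http://x.example/shop",
		"Stresser with 99% uptime, layer7 methods, ddos anything",
		"Selling bulk accounts, SMS verification included",
		"Quarterly maintenance window for rack 12 this Friday",
	} {
		m := Classify(tbl, Record{Account: "u1", Content: c, LoginIP: "10.9.0.7"})
		fmt.Printf("%-20s hits=%d %v\n", m.Label, m.Hits, m.Matched)
	}
}
```

In production the hit count would be turned into a confidence threshold per label rather than taken as a plain maximum, since a single shared word such as "kit" should not by itself flag a record.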
The black industry (i.e. the network black industry) refers to illegal activity that takes the Internet as its medium and network technology as its main means, and poses potential threats (major hidden security dangers) to the security of computer information systems and to the management order of cyberspace.
In this embodiment, by providing the black industry identification module, the accuracy of black-industry identification can be effectively improved, the black industry can be guarded against, and system security is improved.
The IDC information security management system can adapt to a rapidly changing cyberspace environment and form comprehensive, multi-layered network information security protection capabilities, including anti-virus, anti-intrusion, traffic analysis, traffic scrubbing, secure operation and maintenance management, log collection and auditing. At the same time, these protection capabilities can be converted into security service capabilities to meet market demand.
It should be noted that, in this document, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or system that comprises a list of elements includes not only those elements but may include other elements not expressly listed or inherent to such process, method, article or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the description of the foregoing embodiments, it is clear to those skilled in the art that the method of the foregoing embodiments may be implemented by software plus a necessary general-purpose hardware platform, and may certainly also be implemented by hardware, but in many cases the former is the better implementation. On this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, can be embodied in the form of a software product stored in a storage medium as described above (e.g. ROM/RAM, magnetic disk, optical disk) and including several instructions for enabling a terminal device (e.g. a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention, and all equivalent structural changes made by using the contents of the present specification and the drawings, or any other related technical fields directly/indirectly applied to the present invention are included in the scope of the present invention.

Claims (10)

1. An IDC security management system, the system comprising:
the data acquisition module is used for collecting and encrypting data at an IDC machine room egress and outputting the encrypted IDC collected data;
the security management module is used for carrying out attack feature recognition, deep protocol analysis and traffic anomaly detection on the IDC collected data so as to determine unsafe information in the IDC collected data, and for monitoring, filtering and intercepting the unsafe information;
the terrorist-related information identification module is used for identifying terrorist-related information from the IDC collected data and determining terrorism-related hidden-danger information in the IDC collected data;
and the system management module is used for acquiring the unsafe information and/or the terrorism-related hidden-danger information, determining a target IDC machine room according to the unsafe information and/or the terrorism-related hidden-danger information, and managing the target IDC machine room.
2. The IDC security management system of claim 1, wherein the terrorist-related information identification module comprises:
the keyword extraction unit is used for extracting terrorist-related high-frequency keywords appearing in the IDC collected data and determining terrorist-related information in the IDC collected data according to the keywords;
the behaviour feature identification unit is used for identifying terrorist-related behaviour information from the terrorist-related information and determining a terrorist-related behaviour trajectory;
and the service feature identification unit is used for determining the terrorism-related hidden-danger information according to the terrorist-related behaviour trajectory.
3. The IDC security management system according to claim 2, wherein the keyword extraction unit comprises:
the knowledge extraction unit is used for extracting knowledge from the IDC collected data to form knowledge data;
the knowledge storage unit is used for selecting, filtering, processing and refining the knowledge data meeting the preset conditions to form known knowledge data, and storing the known knowledge data according to preset rules;
and the knowledge inference unit is used for inferring implicit unknown knowledge data based on the stored known knowledge data and integrating the known knowledge data and the unknown knowledge data into the terrorism-related hidden-danger information.
4. The IDC security management system of claim 1, wherein the security management module comprises:
the attack feature identification unit is used for carrying out targeted attack feature identification on the IDC collected data based on a preset known-attack library;
the deep protocol analysis unit is used for carrying out deep protocol analysis on the IDC collected data according to a preset deep protocol analysis algorithm;
and the traffic anomaly detection unit is used for learning the normal traffic of the system so as to set a baseline traffic value, and for detecting the IDC collected data based on the baseline traffic value.
5. The IDC security management system of claim 4, wherein the traffic anomaly detection unit comprises:
the traffic database updating module is used for updating the traffic data in the traffic database through a connection to the Internet;
the traffic prediction module is used for predicting the normal traffic of the system according to the network environment, the operations of accounts and the updated traffic data, and for setting the predicted normal traffic as the baseline traffic value;
and the anomaly detection module is used for detecting, based on the baseline traffic value, whether the traffic values in the IDC collected data are anomalous.
6. The IDC security management system of claim 1, wherein the data acquisition module comprises:
a storage unit;
the mirror image unit is used for collecting all data of an IDC machine room outlet and mirroring the data to the storage unit;
the encryption transmission unit is used for encrypting the data stored in the storage unit through a random key to obtain encrypted IDC collected data;
the encryption transmission unit is also used for encrypting the key and transmitting the encrypted key to the security management module.
7. The IDC security management system of claim 6, wherein the encryption transmission unit comprises:
the random number module is used for generating and outputting a 32-character random string;
and the key generation module is used for generating a random key based on the random string and a preset key generation algorithm.
8. The IDC security management system according to claim 1, wherein the system further comprises a black industry identification module; the black industry identification module specifically comprises:
the collection unit is used for collecting black-industry data from the IDC collected data and, after cleaning, obtaining and outputting effective data related to the black industry;
the table construction unit is used for constructing a black industry classification table, the black industry classification table comprising a plurality of label data so as to determine a plurality of black-industry keywords corresponding to each label datum;
the screening and identification module is used for counting the degree of matching between the effective data and the keywords corresponding to each label datum, thereby screening and identifying black-industry information in the IDC collected data;
and the system management module is further used for acquiring the black-industry information, determining a target IDC machine room according to the black-industry information, and managing the target IDC machine room.
9. The IDC security management system according to any one of claims 1 to 8, characterised in that the system management module comprises:
the login management unit is used for initiating a login request by an account and detecting and blocking dangerous activities in the system;
the authority management unit is used for authenticating the account login request and checking the access authority of the account to determine the target access authority of the account;
and the access control unit is used for confirming the accessible equipment of the account and executable operation according to the target access authority and a preset control rule.
10. The IDC security management system according to any one of claims 1 to 8, characterised in that the system further comprises:
the log management module is used for managing, counting and auditing the operation behaviors of all login users to generate log data;
the system management module also comprises a log query unit, and the log query unit is used for querying the log data;
the log query unit is further used for generating recursive query authority according to the authority of the account so that the account performs recursive query based on a query result of the log data.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210541450.6A CN115277045A (en) 2022-05-17 2022-05-17 IDC safety management system

Publications (1)

Publication Number Publication Date
CN115277045A true CN115277045A (en) 2022-11-01

Family

ID=83758744

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104376237A (en) * 2013-08-13 2015-02-25 中国科学院沈阳自动化研究所 Safety control method and safety control system for information in production procedures
CN110149307A (en) * 2019-04-03 2019-08-20 广东申立信息工程股份有限公司 A kind of IDC safety management system
CN111193719A (en) * 2019-12-14 2020-05-22 贵州电网有限责任公司 Network intrusion protection system
US20200186569A1 (en) * 2018-12-05 2020-06-11 International Business Machines Corporation Security Rule Generation Based on Cognitive and Industry Analysis
CN112769819A (en) * 2021-01-05 2021-05-07 重庆邮电大学 IDC information security system based on depth security
CN112769796A (en) * 2020-12-30 2021-05-07 华北电力大学 Cloud network side collaborative defense method and system based on end side edge computing
CN113065943A (en) * 2021-03-02 2021-07-02 苏宁金融科技(南京)有限公司 Anti-fraud black product entity identification method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Yan Hongli (闫红丽): "Identification, Discovery and Governance Approaches for Terrorism-Related Information Online" (网络涉恐信息的识别发现与治理途径), China Information Security (中国信息安全), pp. 26-29 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination