CN100586123C - A safe audit method based on role management and system thereof - Google Patents


Info

Publication number
CN100586123C
Authority
CN
China
Prior art keywords
user
role
access
access rule
definition
Prior art date
Legal status
Expired - Fee Related
Application number
CN200610114101A
Other languages
Chinese (zh)
Other versions
CN1953454A (en)
Inventor
叶润国
牟宪波
焦玉峰
杨立纯
周涛
Current Assignee
Beijing Venus Information Security Technology Co Ltd
Beijing Venus Information Technology Co Ltd
Original Assignee
Beijing Venus Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Venus Information Technology Co Ltd
Priority to CN200610114101A
Publication of CN1953454A
Application granted
Publication of CN100586123C
Legal status: Expired - Fee Related

Abstract

The invention relates to a network security audit system and a role-based security audit method. It is characterised in that, on the basis of monitoring network data and a role-based audit policy, it audits the access behaviour of subjects, protects objects, and records TCP session content according to rules set by the administrator to support later analysis. The invention can define trusted users, trusted subnets and certificate-authenticated users, designate protected hosts and protected services, set access rules based on application-layer protocols, set roles according to the control requirements of resource access, package the defined access rules into roles, and assign roles to the defined users.

Description

Security audit method and system based on role management
Technical field
The present invention relates to a key component of a network security audit system (NSAS), one of the important network security products: a security audit method and system based on role management.
Background technology
An NSAS is installed on the protected network segment. Its monitoring network card operates in promiscuous mode; by collecting and analysing network data in real time, it can monitor, audit and protect access to key business hosts in the user's network environment. For convenience of description, several related concepts are given first:
Subject: the active party that issues an access operation or access request, usually a user or a user's process;
Object: the program being called or the data to be accessed;
Protected host: a server in the user's network environment that runs important services and whose access needs to be controlled;
Rule set: a set of rules that constrain the access behaviour of subjects;
Access control policy: a set of rules used to determine whether a subject has access rights to an object.
The key technology of an NSAS is to formulate a flexible and complete access control policy, so that users access protected network resources according to the prescribed rights and user behaviour is audited according to that policy. At present an NSAS generally adopts discretionary access control (DAC), which controls authorised access to an object according to the identity of the accessor and/or the groups it belongs to. The system administrator assigns certain access rights to each user and user group; once the accessor's identity is confirmed, that user holds the corresponding access rights to the protected resource. This approach is simple to implement, but has the following limitations:
(1) Authorisation management is complex and inflexible. The DAC model binds subjects and objects directly together, and access permission must be specified for every (subject, object) pair during authorisation. Once the number of subjects and objects reaches a higher order of magnitude, such authorisation work becomes very difficult, and when a subject's function changes, a large amount of authorisation change work is needed.
(2) Fine-grained access control over protected resources is difficult to achieve. Fine-grained access control means authorising access at the level of method, attribute or content; for HTTP, for example, fine granularity means controlling access by the application-layer command used, the URL accessed, and the keywords contained in the web page. In the DAC model authorisation is assigned directly to subjects, and a considerable number of fine-grained permissions have no general significance in practice because each is unique, so a dedicated user group must be built for each such permission, which increases the authorisation management workload.
Summary of the invention
The object of the invention is to design a security audit method and system based on role management. It provides a security audit policy that divides users into different roles according to the access control requirements, encapsulates access permissions on objects in the roles, assigns users to roles, and implements protection and access auditing on the basis of roles; it also provides a good user-definable interface, which makes on-site maintenance of network resources convenient for developers and users.
The role-management-based security audit method of the invention audits the access behaviour of subjects according to an audit policy on the basis of network monitoring, thereby protecting objects, and records TCP session content according to rules set by the administrator for later forensic analysis.
The method comprises the following steps:
(1) Define users: specify the subjects that hold access rights;
(2) Define protected hosts and services: define the hosts in the monitored network segment that need protection, and the services on those hosts that need monitoring and auditing; these correspond to objects;
(3) Define access rules: formulate fine-grained access rules based on application-layer commands, according to the different application-layer protocols;
(4) Define roles: specify which users may perform operations satisfying which class of access rule;
(5) The audit engine monitors network data, records TCP session content, and allows or interrupts access to protected resources according to the policy.
The operation of each step is described in detail below:
Defining users
A user represents a subject that may access a protected resource. Any subject that can perform access in the monitored network must first be defined as a user; otherwise the audit engine directly interrupts its access request. Three types of user can be set:
1) Trusted user: a trusted user is associated with a static IP address; for example, the user with IP address 192.168.0.1 can be defined as a trusted user.
2) Trusted subnet: a trusted subnet is associated with a static IP address range; for example, the network segment with IP address 192.168.0.0 and subnet mask 255.255.255.0 can be defined as a trusted subnet.
3) Authenticated user: such a user must pass authentication by the authentication centre before formally accessing business services, otherwise the access is blocked. Authentication uses a USB token that stores a digital certificate issued by the administrator.
Defining protected hosts and services
Protected hosts and services represent the protected objects in the monitored network. Any resource that needs protection must first be defined as a protected host and protected service; otherwise the audit engine performs no access control or security audit for it.
A protected host can be a single address, such as the single host with IP address 192.168.0.10 and subnet mask 255.255.255.255, or a contiguous subnet, such as the network segment with IP address 192.168.0.208 and subnet mask 255.255.255.240. A protected service is a service process running on the protected host and is associated with a specific port; for example, if the HTTP service is defined as a protected service, access to port 80 is protected by the engine.
Defining access rules
An access rule specifies constraints on the operations a subject may perform on an object. To audit subjects' operations more precisely, nine protocols are supported (HTTP, FTP, TELNET, SMTP, POP3, MS SQL SERVER, SYBASE SQL SERVER, ORACLE and NETBIOS), and fine-grained access rules are formulated on the basis of application-layer protocol commands. For example, a rule can be defined for the HTTP protocol stating that the URL accessed by the subject contains the /news/ directory; or a rule can be defined for the FTP protocol stating that when the subject deletes files, files of type "*.doc" are excluded.
Defining roles
A role is the mapping of a person's real-life identity into cyberspace; it is both a set of users and a set of access control policies. It consists of the following two aspects:
1) Access control policy: related to access rules; it specifies the response to operations matching a certain class of access rule. For example, with rule 1 and rule 2 defined, a policy can be generated that passes access matching rule 1 and blocks access matching rule 2.
2) Member users: related to users; it specifies which users may access protected resources under the above access control policy. For example, with user 1 and user 2 defined, if only user 1 is allowed such access, user 1 must be added to this role.
Access control workflow of the audit engine
The audit engine is connected in parallel to the protected network; it monitors and captures data on the network, and performs message reassembly, protocol analysis and event matching on data accessing protected resources. On this basis it controls operations on protected resources according to the role-management-based audit policy described above: operations satisfying the access control policy are allowed, and other unauthorised accesses are interrupted in time. The detailed flow is shown in Fig. 1.
A role-management-based security audit system comprises a host, one or more terminal servers, data storage devices, a network card, and data input and output devices, and additionally comprises:
a user definition unit, which defines a subject allowed to access protected resources; it may be a trusted user, a trusted subnet, or a strongly authenticated user based on a digital certificate; a protected host and service definition unit, which defines the protected objects in the monitored network segment, consisting of protected hosts and the services running on them; an access rule definition unit, which formulates fine-grained access rules based on application-layer commands; a role definition unit, which defines which users may perform operations satisfying which type of access rule; and an audit engine access control unit, which captures raw messages from the network, reassembles and analyses packets, performs event matching, and controls operations on protected resources according to the defined rules.
The advantages of this method are:
1. The key resources the audit system needs to protect are made explicit through protected hosts and services. The audit engine only attends to access requests to the services defined on protected hosts; if a host no longer needs protection, or access to a service on it no longer needs auditing, it is simply deleted from the corresponding list.
2. Complete access control policies can be formulated. Because subjects and objects are separated, complex and flexible access control policies can be formulated through roles. For example, with rules a and b defined, and users A and B belonging to the same user group, assigning role 1 to user A and role 2 to user B while assigning rule a to role 1 and rule b to role 2 achieves different control rules for similar users.
3. Changes in a subject's function can be adjusted quickly. For example, when user A's function changes and it is upgraded from an ordinary user to an advanced user, it is only necessary to delete it from the role corresponding to ordinary users and add it to the role corresponding to advanced users to complete the transition.
4. Fine-grained access control can be realised. On the basis of the protocol analysis performed by the audit access control unit, access control rules can be formulated at the application-layer command level, strengthening the audit. For example, it can be stipulated that when user A performs database operations and the access action is "update record (update)", it may not operate on tables whose names contain the keyword "netids".
Description of drawings
Fig. 1: access control flow chart of the audit unit.
Embodiment
Example of access control rules:
Define the host with IP 192.168.0.1 as a protected host, and the FTP service it exposes as the protected service. Define three users, UserA, UserB and UserC, whose addresses are 192.168.0.11~192.168.0.13. Then:
1) Define rule set RAdmin as the rule set for managing the FTP service, including application-layer commands such as uploading files (put, mput) and creating directories (mkdir); define rule set RAccess as the rule set for accessing the FTP service, including only application-layer commands such as listing (ls), changing directory (cd) and downloading (get, mget).
2) To allow UserA to manage the FTP service on the protected host, add role RoleA under the FTP service, with its policy defined as allowing RAdmin and its user being UserA.
3) To allow UserB and UserC to access the FTP service on the protected host as ordinary users, add role RoleB under the FTP service, with its policy defined as allowing RAccess and its users being UserB and UserC.
4) To escalate UserB's privilege so that it can manage the FTP service, delete it from the users of RoleB and add it to the users of RoleA.
5) To forbid UserC from accessing the FTP service, delete it from RoleB.
Processing flow of the access control unit
The access control unit builds three linked lists at startup: first it reads in all user definitions and stores them in the user chain; then it reads in all protected hosts, services and the roles defined under each service, and stores them in a three-level role chain; finally it parses the policy sets and forms all policy sets into a policy chain.
The processing of the access control unit is shown in Fig. 1. When an access request is detected, the access control unit first examines the request's source IP address and searches the user chain to see whether it is a defined trusted user. If the address is not found, the originator is an unauthenticated user and the audit engine blocks the access directly.
If the user check passes, the audit engine searches the role chain using the destination IP and destination port of the access request to see whether the service is a protected service. If the service is not found, a trusted user is accessing a non-protected service and the audit engine passes it directly; otherwise it searches the roles of that service in the role chain to see whether they include this user. If so, the next stage of examination is entered; otherwise a trusted user is accessing an unauthorised service, and the audit engine blocks the access directly.
The audit engine then reassembles the packets into messages and performs event matching on the specific content of the operation. Using the role's role ID and the rule ID, it looks up the response in the policy chain, and blocks, audits or raises an alarm on the operation as specified, completing one audit process for the operation.
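The embodiment and the processing flow above, modelled as an added example (not the patent's own code): the three chains, the four-stage decision, and the role changes of steps 4) and 5). The addresses, rule names and role names are the patent's; the class and function names are this example's own assumptions.

```python
# Added example, not the patent's own code: a compact model of the audit engine's
# access-control flow above, loaded with the FTP embodiment (UserA/UserB/UserC,
# RAdmin/RAccess, RoleA/RoleB). Class and function names are this example's own.
from dataclasses import dataclass, field
import ipaddress

@dataclass
class Role:
    name: str
    policy: dict  # rule name -> response: "allow", "block", "audit" or "alarm"
    users: set = field(default_factory=set)

class AuditEngine:
    def __init__(self):
        self.user_chain = {}    # user name -> IP network (/32 = trusted user, else trusted subnet)
        self.role_chain = {}    # (protected host, port) -> {role name: Role}
        self.policy_chain = {}  # rule name -> frozenset of application-layer commands

    def add_user(self, name, cidr):
        self.user_chain[name] = ipaddress.ip_network(cidr)

    def add_rule(self, name, commands):
        self.policy_chain[name] = frozenset(c.lower() for c in commands)

    def add_role(self, host, port, role):
        self.role_chain.setdefault((host, port), {})[role.name] = role

    def move_user(self, host, port, user, from_role, to_role=None):
        # Role change (embodiment steps 4 and 5): leave one role, optionally join another
        roles = self.role_chain[(host, port)]
        roles[from_role].users.discard(user)
        if to_role is not None:
            roles[to_role].users.add(user)

    def lookup_user(self, src_ip):
        ip = ipaddress.ip_address(src_ip)
        for name, net in self.user_chain.items():
            if ip in net:
                return name
        return None

    def decide(self, src_ip, dst_ip, dst_port, command):
        """Return the engine's response ("allow", "block", "pass", ...) to one command."""
        # 1. The source must be a defined user; an undefined source is blocked outright.
        user = self.lookup_user(src_ip)
        if user is None:
            return "block"
        # 2. A trusted user reaching a non-protected service is passed through unaudited.
        roles = self.role_chain.get((dst_ip, dst_port))
        if roles is None:
            return "pass"
        # 3. The user must hold at least one role defined under this service.
        held = [r for r in roles.values() if user in r.users]
        if not held:
            return "block"
        # 4. Event matching: the first rule of a held role that covers the command decides.
        for role in held:
            for rule_name, response in role.policy.items():
                if command.lower() in self.policy_chain[rule_name]:
                    return response
        return "block"  # no policy of the user's roles permits this operation

def build_embodiment():
    """Constructed data from the embodiment: host 192.168.0.1 with its FTP service (port 21)."""
    eng = AuditEngine()
    eng.add_user("UserA", "192.168.0.11/32")
    eng.add_user("UserB", "192.168.0.12/32")
    eng.add_user("UserC", "192.168.0.13/32")
    eng.add_rule("RAdmin", ["put", "mput", "mkdir"])
    eng.add_rule("RAccess", ["ls", "cd", "get", "mget"])
    eng.add_role("192.168.0.1", 21, Role("RoleA", {"RAdmin": "allow"}, {"UserA"}))
    eng.add_role("192.168.0.1", 21, Role("RoleB", {"RAccess": "allow"}, {"UserB", "UserC"}))
    return eng
```

A trusted subnet is added with `add_user("LAN", "192.168.0.0/24")`, since the user chain matches by network membership rather than exact address.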

Claims (3)

1. A security audit method based on role management, characterised in that: on the basis of network monitoring, the access behaviour of subjects is audited according to a role-based audit policy, objects are protected, and TCP session content is recorded according to rules set by the administrator for later forensic analysis;
the method comprises the following steps:
(1) Define users: specify the subjects that hold access rights;
(2) Define protected hosts and services: define the hosts in the monitored network segment that need protection, and the services on those hosts that need monitoring and auditing, as the protected objects;
(3) Define access rules: formulate fine-grained access rules based on application-layer commands, according to the different application-layer protocols;
(4) Define roles: according to the defined access rules, specify the response to operations matching a certain class of access rule, and specify which users may access protected resources under the described access rules;
(5) The audit engine monitors network data, records TCP session content, and allows or interrupts access to protected resources according to the role-based audit policy.
2. The role-management-based security audit method according to claim 1, characterised in that the role consists of the following two aspects:
(1) Access control policy: related to access rules; it specifies the response to operations matching a certain class of access rule;
(2) Member users: related to users; it specifies which users may access protected resources under the above access control policy.
3. The role-management-based security audit method according to claim 1, characterised in that fine-grained access rules based on application-layer protocol commands are formulated for nine protocols: HTTP, FTP, TELNET, SMTP, POP3, MS SQL SERVER, SYBASE SQL SERVER, ORACLE and NETBIOS.
CN200610114101A 2006-10-27 2006-10-27 A safe audit method based on role management and system thereof Expired - Fee Related CN100586123C (en)

Publications (2)

Publication Number Publication Date
CN1953454A CN1953454A (en) 2007-04-25
CN100586123C true CN100586123C (en) 2010-01-27

Family

ID=38059570


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109409842A (en) * 2018-11-06 2019-03-01 中共四川天府新区成都纪律检查工作委员会 Online audit system and method

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101426008B (en) * 2007-10-30 2011-06-22 北京启明星辰信息技术股份有限公司 Audit method and system based on back display
CN101534300B (en) * 2009-04-17 2012-05-30 公安部第一研究所 System protection framework combining multi-access control mechanism and method thereof
CN103795726A (en) * 2014-02-14 2014-05-14 浪潮通信信息系统有限公司 Depth protection method for virtual data safety access
CN103929426B (en) * 2014-04-22 2017-04-19 清华大学 Access control method for applications in social cloud service system
US20200020425A1 (en) * 2018-07-10 2020-01-16 Koninklijke Philips N.V. Method and apparatus for hybrid trust management for health records unit
CN109885554A (en) * 2018-12-20 2019-06-14 顺丰科技有限公司 Method of Database Secure Audit method, system and computer readable storage medium
CN114205118B (en) * 2021-11-17 2023-10-27 南方电网数字电网研究院有限公司 Data access control analysis method based on data security method category




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: BEIJING QIMINGXINCHEN INFORMATION SECURITY TECHNOL

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100081 NO 188, NO.12, ZHONGGUANCUN SOUTH AVENUE, HAIDIAN DISTRICT, BEIJING CITY TO: 100193 QIMINGXINGCHEN BUILDING, BUILDING 21, ZHONGGUANCUN SOFTWARE PARK, NO.8, DONGBEIWANG WEST ROAD, HAIDIAN DISTRICT, BEIJING CITY

TR01 Transfer of patent right

Effective date of registration: 20100507

Address after: 100193 Beijing city Haidian District Dongbeiwang qimingxingchenmansionproject Building No. 21 West Road No. 8 Zhongguancun Software Park

Co-patentee after: Beijing Venusense Information Security Technology Co., Ltd.

Patentee after: Beijing Venus Information Technology Co., Ltd.

Address before: 100081 No. 12 South Avenue, Haidian District, Zhongguancun, No. 188, Beijing

Patentee before: Beijing Venus Information Technology Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100127

Termination date: 20151027

EXPY Termination of patent right or utility model