CN105681276A - Sensitive information leakage active monitoring and responsibility confirmation method and device

Info

Publication number: CN105681276A (granted version: CN105681276B)
Application number: CN201510996755.6A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 黄建东, 王龙
Applicant and assignee (original and current): YIYANG SAFETY TECHNOLOGY Co Ltd
Legal status: granted; active
Prior art keywords: access, strategy, outbound access, program, sensitive information
Events: application filed by YIYANG SAFETY TECHNOLOGY Co Ltd; priority to CN201510996755.6A; publication of CN105681276A; application granted; publication of CN105681276B

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication)
    • H04L63/10 Network security for controlling access to devices or network resources
    • H04L63/0407 Network security for providing a confidential data exchange among entities communicating through data packet networks (H04L63/04), wherein the identity of one or more communicating identities is hidden
    • H04L63/145 Countermeasures against malicious traffic (H04L63/14, H04L63/1441) where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1466 Countermeasures against active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

The invention discloses a method for actively monitoring sensitive information leakage and confirming responsibility for it. The method comprises: defining sensitive information and determining the equipment on which it is stored; formulating and managing a sensitive information access/outbound-access policy according to the defined sensitive information; collecting and preprocessing network traffic data for the equipment storing the sensitive information; performing unauthorised access/outbound-access identification on the collected traffic data according to the sensitive information access policy, and finding the programs that initiate abnormal access to sensitive information and the programs that receive abnormal outbound access; and confirming responsibility for sensitive information leakage for the identified unauthorised access/receiving programs, determining the unauthorised-access account and the related personnel information. The invention further discloses an apparatus for actively monitoring sensitive information leakage and confirming responsibility. By analysing the access flows to sensitive data, the method and apparatus actively analyse and control the processes that could cause data leakage, so that leakage of a customer's sensitive information due to any unknown attack can be identified, controlled and attributed.

Description

Method and apparatus for active monitoring and responsibility confirmation of sensitive information leakage
Technical field
The present invention relates to the field of sensitive information security management, and in particular to a method and apparatus for actively monitoring sensitive information access and leakage and confirming responsibility for it.
Background technology
Enterprise sensitive information is generally stored on database servers, host servers, acquisition servers and similar equipment. The leakage-prevention methods in current use are each aimed at a particular scenario: DLP (data leakage protection) passively identifies and controls the outgoing e-mail process, DRM file encryption identifies and controls the transfer of data downloaded to a terminal, and so on. All of these techniques monitor on the basis of an already generated sensitive-information entity and a sensitive-information signature (for example a person's name or telephone number), so false negatives and false positives are common. Persistent leakage of sensitive information caused by viruses and trojans that have intruded into enterprise servers, or by unknown attacks, cannot be monitored at all, let alone traced back to the persons responsible. A representative prior-art architecture is shown in Figure 1: on the left is the server farm of a typical telecommunications billing system, where sensitive information mostly resides in the database servers; in the middle are the various access paths to that server farm; on the right are the terminals, or the interface servers of third-party enterprises, that access the server farm.
Analysis of the prior art reveals the following shortcomings:
1. Many enterprises have by now established centralised account, authentication, authorisation and audit systems (4A platforms), which achieve good access control and auditing of human access to enterprise sensitive information (customer information and the like). A large share of access to sensitive information, however, comes from automated programs or scripts, and the industry currently lacks good means of controlling access by such programs and scripts.
2. Many enterprises have established terminal management platforms, but these mainly control the transfer of and access to customer and sensitive information on the terminal; for sensitive information that does not pass through a terminal there is currently no mechanism for monitoring, response and protection.
3. Enterprise IT currently pays most attention to compliance checks and security hardening of equipment, yet a large number of vulnerabilities cannot be remediated for reasons such as application requirements, which gives hackers, viruses, trojans, worms and other illegitimate programs their opportunity. Such programs use their own attack techniques to establish illegitimate data access channels through which enterprise sensitive information is obtained; some remain hidden for long periods and carry out long-term, purposeful and organised data theft against specific targets.
4. The customer-sensitive-information access and business requirements that enterprises actually face have changed over many years and cannot be precisely controlled, recorded and managed. The result is reactive defence: a problem is discovered and one access channel is blocked, and the whole of leakage-prevention technology and management remains passive.
5. Current protection of enterprise sensitive data is mostly based on signature-based identification of the data, and signature-based identification is prone to false positives and false negatives, so leakage protection is not effective.
Summary of the invention
The object of the invention is to provide a method and apparatus for actively monitoring sensitive information leakage and confirming responsibility for it, solving the prior-art problem of information leakage caused by automated programs or scripts establishing hidden data channels between themselves and the equipment on which sensitive information resides.
The proposed invention analyses in real time the access flow data generated when sensitive data is accessed, or the outbound-access data generated when sensitive data is sent out, in order to discover abnormal data access behaviour proactively, and at the same time traces the suspect program or script that initiated the access (its program/script name, the port it starts on, and the IP of the host it resides on). Once the illegitimate program or script is pinned down, its upload and execution times, the person who uploaded it and the person who started it are confirmed. In this way the identity of the responsible person is established from the abnormal programs or scripts (zombies, trojans and worms) that are identified.
Whether the cause is a hacker, unauthorised access, or an access relationship that has gone unmaintained for a long time, all of these may produce sensitive information leakage. The approach therefore does not monitor and fingerprint the cause or motive of a leak; instead it monitors the hosts on which sensitive data is stored, watches the access process to that data in real time, identifies unauthorised access, and finally locates the natural person behind it.
The technical solution adopted by the present invention is as follows:
A method for active monitoring of sensitive information leakage and confirmation of responsibility, comprising the steps of:
defining and managing sensitive data and determining the equipment on which it is stored;
formulating and managing a sensitive information access/outbound-access policy according to the defined sensitive data;
collecting and preprocessing network traffic data for the equipment on which the sensitive data is stored;
performing unauthorised access/outbound-access identification on the collected and preprocessed traffic data according to the sensitive information access policy, and finding the programs that initiate abnormal access to sensitive information and the programs that receive abnormal outbound access;
confirming responsibility for sensitive information leakage for the identified unauthorised access/receiving programs, and determining the unauthorised-access account and the related personnel information.
Further, the sensitive information access/outbound-access policy comprises a whitelist policy of legitimate access/outbound access and a blacklist policy of unauthorised access/outbound access. Cases in which sensitive information is normally accessed by other equipment, or normally sent outbound to other equipment, are placed on the whitelist; cases in which sensitive information is abnormally accessed by other equipment, or abnormally sent outbound to other equipment, are placed on the blacklist; and access/outbound-access cases yet to be confirmed are placed on a greylist.
Further, the unauthorised access/outbound-access identification process is:
matching the collected and preprocessed traffic data against the whitelist policy of legitimate access/outbound access and the blacklist policy of unauthorised access/outbound access; when the blacklist policy is matched, identifying the unauthorised-access equipment and the abnormal-access-initiating program on it, and the illegitimate receiving equipment and the abnormal outbound-access-receiving program on it; placing access/outbound-access cases that match neither the whitelist policy nor the blacklist policy on the greylist, and comparing the program information of greylist entries against a preset inventory of regular business programs, so that if the program is a regular business program the case is removed from the greylist and placed on the whitelist policy, and otherwise it is placed on the blacklist policy; and recording the device name on which the abnormal program resides together with the access/outbound-access data-flow transmission time and the program's modification time and start time, to form a listing of unauthorised-access-initiating programs and illegitimate outbound-access-receiving programs.
Further, the sensitive information leakage responsibility confirmation process is:
according to the listing of unauthorised-access-initiating programs and illegitimate outbound-access-receiving programs, finding the times at which each abnormal program was created, modified and run on the equipment where it resides, and tracing the accounts that were logged in to that equipment at those times together with the related personnel information, thereby confirming responsibility for the sensitive information leakage.
Further, the sensitive information access policy is formed as a logical expression combining the following factors: access source IP, access source port, access destination IP, access destination port, outbound-access source IP, outbound-access source port, outbound-access destination IP, outbound-access destination port, access/outbound-access traffic volume, access/outbound-access communication protocol, access/outbound-access time, and access/outbound-access frequency.
In addition, this solution also proposes an apparatus for active monitoring of sensitive information leakage and confirmation of responsibility, comprising: a sensitive data definition and management module, an access policy management module, a data acquisition and processing module, an unauthorised access identification and illegitimate program confirmation module, and an unauthorised access responsibility confirmation module;
the sensitive data definition and management module is used to define and manage sensitive information and to determine the equipment on which it is stored;
the access policy management module formulates and manages the sensitive information access/outbound-access policy according to the sensitive data defined by the sensitive data definition and management module;
the data acquisition and processing module collects and preprocesses network traffic data for the sensitive-data storage equipment determined by the sensitive data definition and management module, and outputs it to the unauthorised access identification and illegitimate program confirmation module;
the unauthorised access identification and illegitimate program confirmation module performs unauthorised access/outbound-access identification on the collected and preprocessed traffic data according to the sensitive information access/outbound-access policy output by the access policy management module, and finds the programs that initiate abnormal access to sensitive information and the programs that receive abnormal outbound access;
the unauthorised access responsibility confirmation module confirms responsibility for sensitive information leakage for the unauthorised access/receiving programs obtained by the unauthorised access identification and illegitimate program confirmation module, and determines the unauthorised-access account and the related personnel information.
Further, the sensitive information access/outbound-access policy comprises a whitelist policy of legitimate access/outbound access and a blacklist policy of unauthorised access/outbound access. Cases in which sensitive information is normally accessed by other equipment, or normally sent outbound to other equipment, are placed on the whitelist; cases in which sensitive information is abnormally accessed by other equipment, or abnormally sent outbound to other equipment, are placed on the blacklist; and access/outbound-access cases yet to be confirmed are placed on a greylist.
Further, the sensitive information access policy is formed as a logical expression combining the following factors: access source IP, access source port, access destination IP, access destination port, outbound-access source IP, outbound-access source port, outbound-access destination IP, outbound-access destination port, access/outbound-access traffic volume, access/outbound-access communication protocol, access/outbound-access time, and access/outbound-access frequency.
Further, the access policy management module further comprises a whitelist policy management unit, a blacklist policy management unit and a greylist management unit. The whitelist policy management unit establishes and manages the whitelist policy of legitimate access/outbound access, covering the cases in which sensitive information is normally accessed by other equipment or normally sent outbound to other equipment; the blacklist policy management unit establishes and manages the blacklist policy of unauthorised access/outbound access, covering the cases in which sensitive information is abnormally accessed by other equipment or abnormally sent outbound to other equipment; and the greylist management unit establishes and manages the sensitive information access/outbound-access cases yet to be confirmed.
Further, the unauthorised access identification and illegitimate program confirmation module is used to: match the traffic data collected by the data acquisition module against the whitelist policy of legitimate access/outbound access and the blacklist policy of unauthorised access/outbound access; when the blacklist policy is matched, identify the unauthorised-access equipment and the abnormal-access-initiating program on it, and the illegitimate receiving equipment and the abnormal outbound-access-receiving program on it; place access/outbound-access cases that match neither the whitelist policy nor the blacklist policy on the greylist, and compare the program information of greylist entries against a preset inventory of regular business programs, removing a regular business program's case from the greylist into the whitelist policy and otherwise placing it on the blacklist policy; and record the device name on which the abnormal program resides together with the access/outbound-access data-flow transmission time and the program's modification time and start time, forming a listing of unauthorised-access-initiating programs and illegitimate outbound-access-receiving programs that is output to the unauthorised access responsibility confirmation module.
Further, the unauthorised access identification and illegitimate program confirmation module further comprises a policy matching unit, a screening and confirmation unit and a recording unit. The policy matching unit matches the traffic data collected by the data acquisition module against the whitelist policy of legitimate access/outbound access and the blacklist policy of unauthorised access/outbound access; when the blacklist policy is matched it identifies the unauthorised-access equipment and the abnormal-access-initiating program on it, and the illegitimate receiving equipment and the abnormal outbound-access-receiving program on it, and passes them to the recording unit. The screening and confirmation unit places access/outbound-access cases that match neither the whitelist policy nor the blacklist policy on the greylist, compares the program information of greylist entries against a preset inventory of regular business programs, removes a regular business program's case from the greylist into the whitelist policy, and otherwise places it on the blacklist policy and passes the abnormal program information to the recording unit. The recording unit records the device name on which the abnormal program resides together with the access/outbound-access data-flow transmission time and the program's modification time and start time, and forms a listing of unauthorised-access-initiating programs and illegitimate outbound-access-receiving programs that is output to the unauthorised access responsibility confirmation module.
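The policy matching, greylist screening and recording described above, worked through in Python as an added example. This is an illustration written for this page, not code from the patent or from YIYANG SAFETY TECHNOLOGY: the FlowRecord, Rule and Policy types, the function names, the rule fields and every sample address, program name and flow are assumptions constructed for it, and checking the blacklist before the whitelist is a choice of this example, since the claims do not fix a precedence.

```python
"""White/black/grey-list matching of sensitive-data access flows. Added
illustration, not code from the patent or its assignee; FlowRecord, Rule,
Policy and the function names are assumptions made for this example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class FlowRecord:
    """direction: 'access' (external -> sensitive host) or 'outbound' (reverse)."""
    direction: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str        # e.g. "tcp/mysql"
    nbytes: int          # data volume of the flow
    hour: int            # hour of day (0-23) the flow was seen
    freq_per_hour: int   # occurrences of this src->dst pair in that hour
    program: str         # program bound to the port on the external side
    host: str            # device that program runs on
    seen_at: str         # flow timestamp, ISO 8601

@dataclass(frozen=True)
class Rule:
    """A conjunction of the factors the patent lists for a policy rule."""
    name: str
    direction: str
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    dst_ports: frozenset = frozenset()   # empty = any port
    protocols: frozenset = frozenset()   # empty = any protocol
    hours: range = range(0, 24)          # time window
    min_bytes: int = 0                   # volume threshold
    max_freq: Optional[int] = None       # frequency ceiling

    def matches(self, f: FlowRecord) -> bool:
        return (f.direction == self.direction and f.hour in self.hours
                and ip_address(f.src_ip) in ip_network(self.src_net)
                and ip_address(f.dst_ip) in ip_network(self.dst_net)
                and (not self.dst_ports or f.dst_port in self.dst_ports)
                and (not self.protocols or f.protocol in self.protocols)
                and f.nbytes >= self.min_bytes
                and (self.max_freq is None or f.freq_per_hour <= self.max_freq))

@dataclass
class Policy:
    whitelist: List[Rule]
    blacklist: List[Rule]
    regular_business: Set[str]   # preset inventory of approved program names
    learned_white: Set[Tuple[str, str]] = field(default_factory=set)  # (host, program)
    learned_black: Set[Tuple[str, str]] = field(default_factory=set)

def classify(f: FlowRecord, p: Policy) -> str:
    """Blacklist is checked first, so a flow on both lists is illegitimate."""
    key = (f.host, f.program)
    if key in p.learned_black or any(r.matches(f) for r in p.blacklist):
        return "black"
    if key in p.learned_white or any(r.matches(f) for r in p.whitelist):
        return "white"
    return "grey"

def screen_flows(flows: List[FlowRecord], p: Policy) -> List[dict]:
    """Match, reconcile greylist entries against the regular-business inventory,
    and return the abnormal-program listing the recording unit would emit."""
    listing = []
    for f in flows:
        verdict = classify(f, p)
        if verdict == "grey":   # greylist -> whitelist or blacklist
            regular = f.program in p.regular_business
            (p.learned_white if regular else p.learned_black).add((f.host, f.program))
            verdict = "white" if regular else "black"
        if verdict == "black":
            initiator = f.direction == "access"
            listing.append({
                "host": f.host, "program": f.program, "flow_time": f.seen_at,
                "role": "access-initiator" if initiator else "outbound-receiver",
                "sensitive_endpoint": (f"{f.dst_ip}:{f.dst_port}" if initiator
                                       else f"{f.src_ip}:{f.src_port}")})
    return listing

def demo() -> Tuple[List[dict], Policy]:
    # Constructed sample policy and flows (not from the patent).
    policy = Policy(
        whitelist=[Rule("billing-app-to-db", "access", src_net="10.1.2.0/24",
                        dst_net="10.0.0.5/32", dst_ports=frozenset({3306}),
                        protocols=frozenset({"tcp/mysql"}), hours=range(8, 20))],
        blacklist=[Rule("bulk-night-export", "outbound", src_net="10.0.0.5/32",
                        min_bytes=50_000_000, hours=range(0, 6))],
        regular_business={"billing-app", "report-batch"})
    flows = [
        FlowRecord("access", "10.1.2.3", 51000, "10.0.0.5", 3306, "tcp/mysql",
                   120_000, 10, 30, "billing-app", "app01", "2015-12-20T10:01:02Z"),
        FlowRecord("access", "10.1.2.3", 51001, "10.0.0.5", 3306, "tcp/mysql",
                   900_000, 3, 1, "report-batch", "app01", "2015-12-20T03:00:00Z"),
        FlowRecord("access", "10.1.2.9", 40000, "10.0.0.5", 3306, "tcp/mysql",
                   5_000, 3, 200, "unknown-agent", "app02", "2015-12-20T03:12:40Z"),
        FlowRecord("outbound", "10.0.0.5", 44444, "203.0.113.7", 443, "tcp/tls",
                   80_000_000, 2, 1, "recv-svc", "ext-relay", "2015-12-20T02:15:00Z")]
    return screen_flows(flows, policy), policy
```

`demo()` screens four constructed flows: a whitelisted billing-application query, an off-hours batch job that lands on the greylist and is promoted to the whitelist because its program is in the regular-business inventory, an unknown program that is moved from the greylist to the blacklist, and a large night-time outbound transfer caught by a blacklist rule. Only the last two come back in the listing, with the device, program, role and flow time that the recording unit keeps; the program's modification and start times, which the claims also record, are host-side facts that the responsibility-confirmation step collects from the device itself.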
Further, the unauthorised access responsibility confirmation module, according to the listing of unauthorised-access-initiating programs and illegitimate outbound-access-receiving programs, finds the times at which each illegitimate program was created, modified and run on the equipment where it resides, traces the accounts that were logged in to that equipment at those times together with the related personnel information, and thereby confirms responsibility for the sensitive information leakage.
The advantage of the present solution is that, rather than passively plugging one leakage route after another, it analyses the sensitive-data access flows and applies active analysis and control to the processes that could cause data leakage, so that leakage of customer-sensitive information produced by any unknown attack can be identified, controlled and attributed.
Because the solution starts from the access relationship to sensitive information, that is, because any leak, whether deliberate or unintentional and whatever the attack, involves a process that establishes a connection to the sensitive information server and accesses it, leakage monitoring is not triggered by sensitive information signatures, which removes the possibility of customer-sensitive information leaking because signature identification was inaccurate.
The solution can actively monitor the information leakage caused by any attack, because it starts from the target of the attack rather than passively from the removal of server vulnerabilities or of viruses, trojans and worms on servers and terminals; it therefore has the advantage of detecting and responding to information leakage at the earliest moment.
The solution starts from the port and process through which an access connection to the customer-sensitive information service is established, traces the process using that port, and from there the creation and modification times of the process and the accounts used to create, modify and start it, and on that basis confirms responsibility. None of the existing technical solutions can achieve this tracing and confirmation of responsibility for information leakage.
Description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings required for the description of the embodiments or of the prior art are briefly introduced below. Evidently the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is the implementation architecture of the prior art.
Fig. 2 is the flow chart of the method for active monitoring of sensitive information leakage and confirmation of responsibility according to the present invention.
Fig. 3 is a schematic diagram of the two situations in which sensitive data is accessed and leaked according to the present invention.
Fig. 4 shows normal access, abnormal access and access yet to be confirmed for sensitive data according to the present invention.
Fig. 5 is the technical implementation structure diagram of the apparatus for active monitoring of sensitive information leakage and confirmation of responsibility according to the present invention.
Fig. 6 is one implementation of the access policy management module according to the present invention.
Fig. 7 is one implementation of the unauthorised access identification and illegitimate program confirmation module according to the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. Evidently the embodiments described are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Sensitive resources comprise sensitive assets and sensitive data. Sensitive assets are the physical equipment on which sensitive data resides; sensitive data are the sensitive files or data tables containing customer information or high-value enterprise information, such as customer details, customer call records and customer funds information.
Embodiment one
An embodiment of the present invention provides a method for active monitoring of sensitive information leakage and confirmation of responsibility; its flow chart is shown in Figure 2 and it comprises the following steps:
Step 101: define and manage sensitive data, and determine the equipment on which it is stored.
To ensure that the scope of sensitive data protection is both comprehensive and accurate, sensitive data must be defined and the equipment on which it is stored determined, and the resulting set of sensitive resources must be maintained regularly, with an administrative service mechanism for adding, modifying, backing up and authorising sensitive data entries. Data access initiated against the sensitive assets is the monitoring range that the present invention protects. Because sensitive data vary widely in purpose, representation format and security requirements, the protection of sensitive data may also be differentiated by classification.
Step 102: formulate and manage the sensitive information access/outbound-access policy according to the defined sensitive data.
As shown in Figure 3, the access relationships between the equipment holding sensitive data and external equipment fall into two situations. In the first, external equipment actively accesses the sensitive data equipment, and abnormal access can cause sensitive data leakage. In the second, the sensitive data equipment actively accesses external equipment, in other words transmits information to external equipment, causing an outbound flow of sensitive data; abnormal outbound access is itself sensitive data leakage. A sensitive information access/outbound-access policy must therefore be formulated separately for each of the two situations.
Forming an access policy is not straightforward: it needs a process of gradual correction and adjustment that repeats in cycles, and because business requirements change and the same sensitive data plays different roles in different settings, the sensitive information access/outbound-access policy must be adjustable at any time. The policy must therefore not only be formulated but also managed, through on-demand addition, modification and backup services and authorisation of those management operations.
Any access to sensitive data carries access information such as the access source address and port, the access destination address and port, the access time period, the access frequency, the access data volume and the access communication protocol. Rules for sensitive data access can therefore be formulated that constrain the manner of access, making it possible to distinguish legitimate from illegitimate access and to secure the sensitive data. Security policies for different kinds of sensitive data, for particular access sources and destinations, and for access data volume can be expressed relatively precisely by establishing rules of this form.
Step 103: collect and preprocess network traffic data for the equipment on which the sensitive data is stored.
According to a customised collection policy, network traffic data on the aggregation-layer switch of the business system can be collected in real time by traffic mirroring, providing the data basis for analysing unauthorised access behaviour. The collected traffic data then undergoes data preprocessing and protocol analysis. Data preprocessing mainly consists of deduplication, formatting and merging: deduplication filters out and discards repeated data; formatting normalises the originally irregular data to a set uniform format, producing standardised data; and merging integrates the data to form complete records.
Protocol analysis is based on the OSI network model: packets are analysed at the network layer, transport layer and application layer respectively according to the OSI data transfer model, and passed up to the analysis library of the next layer in turn. When a packet has finally been fully disassembled and analysed, the result is stored in a network access information data structure, whose contents mainly include the access source address and port, the access destination address and port, the access time period, the access frequency, the access data volume and the access communication protocol.
Step 104, carries out unauthorized access/visiting abroad identification according to described sensitive information access strategy to the data on flows after described acquisition process, and the abnormal access finding out sensitive information initiates program and abnormal visiting abroad reception program.
According to sensitive data access policy, the collection data on flows that step 103 is obtained carries out strategy matching, finds out the access program meeting the unauthorized access sensitive data strategy that step 102 is formulated, and initiates program including abnormal access and abnormal visiting abroad receives program.
Step 105, the unauthorized access/reception program for described acquisition carries out sensitive information leakage confirmation of responsibility, it is determined that unauthorized access account and related personnel's information.
According to the abnormal access program that step 104 is found out, continue to follow the tracks of the equipment at place, it is determined that the login account of unauthorized access and related personnel's information.
Embodiment two
This embodiment further specifies step 102 of embodiment one; the other steps are not repeated.
Step 201: define and manage the sensitive data, and determine the equipment where it is stored;
Step 202: the sensitive information access/outbound access policy includes a white list of legal access/outbound access policies and a blacklist of illegal access/outbound access policies. Cases where sensitive information is normally accessed by other equipment, or normally sent outbound to other equipment, are listed in the white list; cases where sensitive information is abnormally accessed by other equipment, or abnormally sent outbound to other equipment, are listed in the blacklist; access/outbound cases still awaiting confirmation are listed in the gray list.
White list: legal, normal access relations confirmed by the administrator;
Blacklist: abnormal access relations confirmed by the administrator;
Gray list (unconfirmed list): access relations awaiting confirmation.
As shown in Figure 4, the sensitive information access/outbound access policy is divided into two classes: the white list of legal access/outbound access policies and the blacklist of illegal access/outbound access policies.
The case where the sensitive-information server OracleDB1 is normally accessed by the other device Web1, and the case where OracleDB1 normally sends data outbound to the other device InterfaceServer1, are listed in the white list with policy sequence numbers WL1 and WL2 respectively. As shown in Table one below, the access source device name and access destination device name are recorded explicitly: WL1 is the case of sensitive information being normally accessed by other equipment, and WL2 is the case of sensitive information being normally sent outbound to other equipment.
The case where the sensitive-information server OracleDB1 is abnormally accessed by the other device Device1, and the case where OracleDB1 abnormally sends data outbound to the other device Device2, are listed in the blacklist with policy sequence numbers BL1 and BL2 respectively. As shown in Table two below, the access source device name and access destination device name are recorded explicitly: BL1 is the case of sensitive information being abnormally accessed by other equipment, and BL2 is the case of sensitive information being abnormally sent outbound to other equipment.
As shown in Table three below, the access case G1 and the outbound access case G2 that await confirmation are listed in the gray list.
Note that the white list, blacklist and gray list are mutually exclusive and independent of each other: one access cannot match two of them at the same time. Gray list entries must be moved into the white list or the blacklist once they have been confirmed during actual operation and control.
Table one: white list policy
Sequence number | Access source device name | Access destination device name
WL1 | Web1 | OracleDB1
WL2 | OracleDB1 | InterfaceServer1
……
Here WL1 is a white list example in which the permitted source device Web1 (a web server) accesses the sensitive-information destination device OracleDB1.
WL2 is a white list example in which the sensitive-information device OracleDB1 (a database server) is permitted to actively send outbound (transmit summary information) to the external device InterfaceServer1.
Table two: blacklist policy
Sequence number | Access source device name | Access destination device name
BL1 | Device1 | OracleDB1
BL2 | OracleDB1 | Device2
……
Here BL1 is a blacklist example in which the source device Device1 accesses the sensitive-information destination device OracleDB1 without permission.
BL2 is a blacklist example in which the sensitive-information device OracleDB1 (a database server) actively sends outbound (transmits summary information) to the external device Device2 without permission.
Table three: gray list
Sequence number | Access source device name | Access destination device name
G1 | Device3 | OracleDB1
G2 | OracleDB1 | Device4
……
Step 203: perform network traffic data collection and preprocessing on the equipment where the sensitive data is stored;
The format of the collected traffic data includes, but is not limited to, the following fields: access source device name, access destination device name, access source IP, access destination IP, access source port, access destination port, access protocol and access time. The collected traffic data may be subjected to data preprocessing and protocol analysis.
For example, Table four: the information of the following accesses is collected.
Step 204: perform illegal access/outbound access identification on the collected traffic data according to the sensitive information access policy, and find the abnormal access initiating programs and abnormal outbound-access receiving programs for the sensitive information; record the related information such as the name of the device on which the abnormal program resides, forming the illegal access initiating program/illegal outbound-access receiving program list.
Step 204-1: according to the white list of legal access/outbound access policies and the blacklist of illegal access/outbound access policies from step 202, perform policy matching on the traffic data collected and processed in step 203. When an access meets a blacklist illegal access/outbound access policy, find the illegal access device and the abnormal access initiating program information on it, and find the illegal receiving device and the abnormal outbound-access receiving program information on it. Access/outbound cases that cannot be matched with either the white list policy or the blacklist policy are listed in the gray list. Access programs that meet the white list policy formulated in step 202, including normal access initiating programs and normal outbound-access receiving programs, account for the great majority of accesses and need no attention.
In Table four, the access with sequence number 1 matches white list policy WL1 in Table one; it is a normal access, representing one access by the web service to the database OracleDB1. The access with sequence number 2 matches blacklist policy BL1 in Table two: the terminal device Device1 must not access the database OracleDB1, but the fact that this access occurred shows that someone accessed OracleDB1 from the terminal device Device1. This is an abnormal access, so it is recorded and inserted into the illegal access initiating program/illegal outbound-access receiving program list. The access with sequence number 3 matches neither the blacklist nor the white list, so it is recorded in the gray list table, giving Table five below.
Table five: the updated gray list
Sequence number | Access source device name | Access destination device name
G1 | Device3 | OracleDB1
G2 | OracleDB1 | Device4
G3 | Device7 | OracleDB1
……
Step 204-2: to further find abnormal access initiating programs and abnormal outbound-access receiving programs from the gray list, further processing is performed: the program information related to each gray list entry is compared against a preset normal business inventory for business identification. If the program is a normal business program, the normal access/outbound case is deleted from the gray list and entered into the white list policy; otherwise it is entered into the blacklist policy.
Table six: an example preset normal business inventory:
Remarks: the normal business program list is used for business identification of the gray list. If the program is a normal business program, the normal access/outbound case is deleted from the gray list and entered into the white list policy; if it is not matched within the normal business program list, it goes directly into the blacklist.
For example, querying sequence number G1 in Table five, the program used by Device3 to access OracleDB1 is found to be fakealert.sh. Business comparison identification against Table six shows that this program is not in the preset normal business inventory, so it is judged to be an illegal business access: the gray list entry is added to the blacklist and the corresponding record is deleted from the gray list. Querying sequence number G3 in Table five, the program used by Device7 to access OracleDB1 is found to be alert.sh, which opens port 8082 for data communication; business comparison identification against Table six shows that alert.sh communicating on port 8082 is normal business access, so the access policy of G3 in the gray list is inserted into the white list and the corresponding record is deleted from the gray list.
Step 204-3: record the name of the device on which the abnormal program resides and the sending time, modification time and start time of the access/outbound data stream, forming the illegal access initiating program/illegal outbound-access receiving program list.
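The three-list workflow of steps 204-1 and 204-2 (policy matching against the Table one and Table two entries, recording blacklist hits, parking unmatched accesses in the gray list, then resolving gray entries against the normal business inventory), as an added Python example that is not part of the patent. The access records, the port given for fakealert.sh and the contents of the inventory are constructed, since Table four and Table six are not reproduced on the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Policy:
    """One row of a policy table: sequence number, access source device, access destination device."""
    seq: str
    src_dev: str
    dst_dev: str


@dataclass(frozen=True)
class AccessRecord:
    """One collected access record (the Table four fields this example needs)."""
    seq: int
    src_dev: str
    dst_dev: str


class PolicyStore:
    """White list, blacklist and gray list with the step 204 matching and resolution logic."""

    def __init__(self, whitelist: List[Policy], blacklist: List[Policy], graylist: List[Policy]):
        self.whitelist = list(whitelist)
        self.blacklist = list(blacklist)
        self.graylist = list(graylist)
        self._next_gray = len(self.graylist) + 1
        # (record seq, illegal access device, matched blacklist policy): the illegal access list
        self.illegal_list: List[Tuple[int, str, str]] = []
        # The lists are mutually exclusive: one source/destination pair may not sit in two of them.
        pairs = lambda ps: {(p.src_dev, p.dst_dev) for p in ps}
        w, b, g = pairs(self.whitelist), pairs(self.blacklist), pairs(self.graylist)
        if w & b or w & g or b & g:
            raise ValueError("white, black and gray lists overlap")

    @staticmethod
    def _match(policies: List[Policy], rec: AccessRecord) -> Optional[Policy]:
        for p in policies:
            if p.src_dev == rec.src_dev and p.dst_dev == rec.dst_dev:
                return p
        return None

    def classify(self, rec: AccessRecord) -> str:
        """Step 204-1: returns 'white', 'black' or 'gray'. Blacklist hits are recorded in the
        illegal access list; pairs matching neither list are added to the gray list."""
        if self._match(self.whitelist, rec):
            return "white"                      # normal access, needs no attention
        hit = self._match(self.blacklist, rec)
        if hit:
            self.illegal_list.append((rec.seq, rec.src_dev, hit.seq))
            return "black"
        if self._match(self.graylist, rec) is None:
            self.graylist.append(Policy(f"G{self._next_gray}", rec.src_dev, rec.dst_dev))
            self._next_gray += 1
        return "gray"

    def resolve_gray(self, programs: Dict[str, Tuple[str, int]],
                     inventory: Set[Tuple[str, int]]) -> Dict[str, str]:
        """Step 204-2: `programs` maps a gray sequence number to the (program, port) found on the
        device, `inventory` is the preset normal business inventory (Table six). Entries whose
        program is in the inventory move to the white list, the rest to the blacklist; entries
        whose program has not yet been identified stay in the gray list."""
        moved: Dict[str, str] = {}
        remaining: List[Policy] = []
        for g in self.graylist:
            info = programs.get(g.seq)
            if info is None:
                remaining.append(g)
            elif info in inventory:
                self.whitelist.append(Policy(f"WL{len(self.whitelist) + 1}", g.src_dev, g.dst_dev))
                moved[g.seq] = "white"
            else:
                self.blacklist.append(Policy(f"BL{len(self.blacklist) + 1}", g.src_dev, g.dst_dev))
                moved[g.seq] = "black"
        self.graylist = remaining
        return moved


def run_example():
    """Replays the worked example of Tables one to five with constructed access records."""
    store = PolicyStore(
        whitelist=[Policy("WL1", "Web1", "OracleDB1"), Policy("WL2", "OracleDB1", "InterfaceServer1")],
        blacklist=[Policy("BL1", "Device1", "OracleDB1"), Policy("BL2", "OracleDB1", "Device2")],
        graylist=[Policy("G1", "Device3", "OracleDB1"), Policy("G2", "OracleDB1", "Device4")],
    )
    # Constructed stand-in for Table four (the page does not reproduce it).
    records = [AccessRecord(1, "Web1", "OracleDB1"),
               AccessRecord(2, "Device1", "OracleDB1"),
               AccessRecord(3, "Device7", "OracleDB1")]
    outcome = {r.seq: store.classify(r) for r in records}
    # Program information found on the gray-listed devices (the fakealert.sh port is constructed)
    # and a constructed Table six holding only the entry the page states: alert.sh on port 8082.
    programs = {"G1": ("fakealert.sh", 1521), "G3": ("alert.sh", 8082)}
    inventory = {("alert.sh", 8082)}
    moved = store.resolve_gray(programs, inventory)
    return outcome, moved, store
```

Record 3 becomes G3 exactly as in Table five; after resolution G1 has become BL3, G3 has become WL3, and G2 remains gray because no program information was supplied for it.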
Step 205: perform sensitive information leakage responsibility confirmation for the obtained illegal access/receiving programs, and determine the illegal access account and related personnel information.
Based on the abnormal access programs found in step 204, the equipment on which they reside is traced further to determine the login account used for the illegal access and the related personnel information.
For example, the fakealert.sh program above is an abnormal access program residing on device Device3. System commands are then executed on Device3: on a Linux machine, for instance, the ls -l command shows, on the server where the program runs, the program's creation time, modification time and the user information of the executing program, and the program's start state can be checked with the ps -u pid command. The creation, access and execution attributes of fakealert.sh are thus found, from which the account and related personnel information logged on to Device3 can be determined.
Further, according to the illegal access initiating program/illegal outbound-access receiving program list, the creation, modification and execution times of the abnormal program on the device where it resides can be found, and the accounts and related personnel logged in to that device at those times traced back, thereby achieving sensitive information leakage responsibility confirmation.
Embodiment three
Further, the sensitive information access policy is formed as a logical expression combining the following factors: access source IP, access source port, access destination IP, access destination port, outbound source IP, outbound source port, outbound destination IP, outbound destination port, access/outbound traffic volume, access/outbound communication protocol, access/outbound time and access/outbound frequency. An example is the white list policy/blacklist policy shown in Table seven.
Table seven: the white list policy/blacklist policy table format is as follows:
The above are all the element fields that a policy can set; generally only the source, target and port information needs to be set.
For example, the white list policy information for access to customer data (a sensitive information item) is as follows: [message subject: customer data; source: terminal device T; target: customer profile database server DB; access protocol: JDBC, 1521; access time: working hours; frequency: 10000 times/day].
This means: access of the target (the server DB1 where the sensitive information resides) by the source (the maintenance terminal T, which may be an IP range) via the JDBC protocol on port 1521, between 8:00 in the morning and 18:00 in the evening and fewer than 10000 times per day, is all normal. That is the meaning of a white list service.
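The logical-expression policy of embodiment three evaluated against preprocessed flow records, as an added Python example that is not part of the patent. The source IP range, the target address, the timestamps and the reduced daily limit of 3 (standing in for the 10000/day of the customer data example) are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class RulePolicy:
    """A white list policy in the embodiment three form; factors the page leaves unset are omitted."""
    subject: str
    source: str        # source as an IP segment (the maintenance terminal T may be an IP range)
    target: str        # IP of the sensitive information server DB
    protocol: str
    port: int
    start: time        # access time window, e.g. working hours 08:00-18:00
    end: time
    max_per_day: int   # access frequency: fewer than this many accesses per calendar day is normal


@dataclass(frozen=True)
class Flow:
    """One preprocessed access record from the traffic collection."""
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int
    ts: datetime


def static_match(rule: RulePolicy, flow: Flow) -> bool:
    """Source, target, protocol and port factors of the logical expression."""
    return (ip_address(flow.src_ip) in ip_network(rule.source)
            and ip_address(flow.dst_ip) == ip_address(rule.target)
            and flow.protocol == rule.protocol
            and flow.dst_port == rule.port)


def evaluate(rule: RulePolicy, flows: List[Flow]) -> Dict[str, list]:
    """Splits flows into normal (all factors satisfied), abnormal (covered by the rule but outside
    the time window or at/over the daily frequency limit, with the reason) and unmatched (the rule
    does not apply; other policies or the gray list decide). Frequency is counted per calendar day,
    so the flows are processed in time order."""
    per_day: Counter = Counter()
    result: Dict[str, list] = {"normal": [], "abnormal": [], "unmatched": []}
    for f in sorted(flows, key=lambda x: x.ts):
        if not static_match(rule, f):
            result["unmatched"].append(f)
            continue
        per_day[f.ts.date()] += 1
        if not (rule.start <= f.ts.time() < rule.end):
            result["abnormal"].append((f, "time window"))
        elif per_day[f.ts.date()] >= rule.max_per_day:
            result["abnormal"].append((f, "frequency"))
        else:
            result["normal"].append(f)
    return result


# Constructed instance of the customer data white list policy from the text.
CUSTOMER_DATA_RULE = RulePolicy(
    subject="customer data", source="10.1.5.0/24", target="10.2.0.10",
    protocol="JDBC", port=1521, start=time(8, 0), end=time(18, 0),
    max_per_day=3,   # the page uses 10000/day; reduced so the limit is reached in a few records
)


def run_example() -> Dict[str, list]:
    """Constructed flows: in-window accesses from the terminal segment, one after hours,
    one from outside the segment, and one on the following day (counter resets)."""
    flows = [
        Flow("10.1.5.7", "10.2.0.10", "JDBC", 1521, datetime(2015, 12, 25, 9, 0)),
        Flow("10.1.5.7", "10.2.0.10", "JDBC", 1521, datetime(2015, 12, 25, 10, 0)),
        Flow("10.1.5.8", "10.2.0.10", "JDBC", 1521, datetime(2015, 12, 25, 11, 0)),
        Flow("10.1.5.7", "10.2.0.10", "JDBC", 1521, datetime(2015, 12, 25, 23, 30)),
        Flow("10.9.9.9", "10.2.0.10", "JDBC", 1521, datetime(2015, 12, 25, 9, 30)),
        Flow("10.1.5.7", "10.2.0.10", "JDBC", 1521, datetime(2015, 12, 26, 9, 0)),
    ]
    return evaluate(CUSTOMER_DATA_RULE, flows)
```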
Embodiment four
The embodiment of the present invention also provides a sensitive information leakage active monitoring and responsibility confirmation device, whose system architecture is shown in Figure 5 and which comprises five modules: the sensitive data definition and management module M101, the access policy management module M102, the data acquisition and processing module M103, the illegal access identification and illegal program confirmation module M104, and the illegal access responsibility confirmation module M105.
M101 is used to define and manage the sensitive information and to determine the equipment where it is stored. To ensure the completeness and accuracy of the sensitive data protection scope, the sensitive data must be defined, the equipment where it is stored determined, and the established sensitive resources maintained regularly, including forming an administrative service mechanism for adding, modifying, backing up and authorizing the sensitive data. Data access initiated against the sensitive assets is the monitoring range that the present invention protects. Since the uses, representation formats and security requirements of sensitive data vary widely, its protection may also be classified and differentiated.
M102 formulates and manages the sensitive information access/outbound access policy according to the sensitive data defined by M101;
M103 performs network traffic data collection and preprocessing on the equipment storing the sensitive data defined by M101, and outputs the result to M104;
M104 performs illegal access/outbound access identification on the traffic data collected and processed by M103 according to the sensitive information access/outbound access policy output by M102, and finds the abnormal access initiating programs and abnormal outbound-access receiving programs for the sensitive information;
M105 performs sensitive information leakage responsibility confirmation for the illegal access/receiving programs obtained from M104, and determines the illegal access account and related personnel information.
Embodiment five
As shown in Figure 6, the access policy management module M102 may further include a blacklist policy management unit M1021, a white list policy management unit M1022 and a gray list management unit M1023.
The blacklist policy management unit M1021 establishes and manages the blacklist of illegal access/outbound access policies, covering the cases where sensitive information is abnormally accessed by other equipment or abnormally sent outbound to other equipment. The white list policy management unit M1022 establishes and manages the white list of legal access/outbound access policies, covering the cases where sensitive information is normally accessed by other equipment or normally sent outbound to other equipment. The gray list management unit M1023 establishes and manages the sensitive information access/outbound cases awaiting confirmation; an entry may subsequently be confirmed as blacklist and forwarded to M1021, or confirmed as white list and forwarded to M1022.
Embodiment six
As shown in Figure 7, the illegal access identification and illegal program confirmation module M104 may further include a policy matching unit M1041, a screening confirmation unit M1042 and a record unit M1043.
The policy matching unit M1041 performs policy matching on the traffic data collected by the data acquisition module according to the white list of legal access/outbound access policies and the blacklist of illegal access/outbound access policies; when an access meets a blacklist illegal access/outbound access policy, it finds the illegal access device and the abnormal access initiating program information on it, finds the illegal receiving device and the abnormal outbound-access receiving program information on it, and passes them to the record unit.
The screening confirmation unit M1042 lists in the gray list the access/outbound cases that cannot be matched with either the white list policy or the blacklist policy, and compares the program information related to each gray list entry against the preset normal business inventory for business identification; if the program is a normal business program, the normal access/outbound case is deleted from the gray list and entered into the white list policy, otherwise it is entered into the blacklist policy and the abnormal program information is passed to the record unit.
The record unit M1043 records the name of the device on which the abnormal program resides and the sending time, modification time and start time of the access/outbound data stream, forms the illegal access initiating program/illegal outbound-access receiving program list, and outputs it to the illegal access responsibility confirmation module.
The implementation of the above modules has been described in the corresponding embodiments of the method above and is not repeated here.
From the above description of the embodiments, those skilled in the art will clearly understand that the present invention may be implemented in hardware, or in software together with the necessary general-purpose hardware platform. On this basis, the technical solution may be embodied in the form of a software product stored on a non-volatile storage medium (such as a CD-ROM, USB flash disk or portable hard drive), containing instructions that cause a computer device (such as a personal computer, a server or a network device) to perform the method described in each embodiment of the present invention.
In summary, the foregoing are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and so on made within the spirit and principles of the present invention shall be included within its scope of protection.
The above are only preferred embodiments of the present invention. It should be pointed out that those skilled in the art may make several improvements and modifications without departing from the principles of the invention, and these improvements and modifications shall also be regarded as within the scope of protection of the present invention.

Claims (12)

1. A sensitive information leakage active monitoring and responsibility confirmation method, characterized in that it comprises the steps of:
defining and managing sensitive data, and determining the equipment where it is stored;
formulating and managing a sensitive information access/outbound access policy according to the defined sensitive data;
performing network traffic data collection and preprocessing on the equipment where the sensitive data is stored;
performing illegal access/outbound access identification on the collected and processed traffic data according to the sensitive information access policy, and finding the abnormal access initiating programs and abnormal outbound-access receiving programs for the sensitive information;
performing sensitive information leakage responsibility confirmation for the obtained illegal access/receiving programs, and determining the illegal access account and related personnel information.
2. The method according to claim 1, characterized in that the sensitive information access/outbound access policy includes a white list of legal access/outbound access policies and a blacklist of illegal access/outbound access policies; cases where sensitive information is normally accessed by other equipment or normally sent outbound to other equipment are listed in the white list, cases where sensitive information is abnormally accessed by other equipment or abnormally sent outbound to other equipment are listed in the blacklist, and access/outbound cases awaiting confirmation are listed in a gray list.
3. The method according to claim 2, characterized in that the illegal access/outbound access identification process is:
performing policy matching on the collected and processed traffic data according to the white list of legal access/outbound access policies and the blacklist of illegal access/outbound access policies; when a blacklist illegal access/outbound access policy is met, finding the illegal access device and the abnormal access initiating program information on it, and finding the illegal receiving device and the abnormal outbound-access receiving program information on it; listing in the gray list the access/outbound cases that cannot be matched with either the white list policy or the blacklist policy; comparing the program information related to each gray list entry against a preset normal business inventory for business identification, and if the program is a normal business program, deleting the normal access/outbound case from the gray list and entering it into the white list policy, otherwise entering it into the blacklist policy; recording the name of the device on which the abnormal program resides and the sending time, modification time and start time of the access/outbound data stream, forming the illegal access initiating program/illegal outbound-access receiving program list.
4. The method according to claim 3, characterized in that the sensitive information leakage responsibility confirmation process is:
finding, according to the illegal access initiating program/illegal outbound-access receiving program list, the creation, modification and execution times of the abnormal program on the device where the illegal program resides, and tracing back the accounts and related personnel logged in to that device at those times, thereby achieving sensitive information leakage responsibility confirmation.
5. The method according to claim 3 or 4, characterized in that the sensitive information access policy is formed as a logical expression combining the factors: access source IP, access source port, access destination IP, access destination port, outbound source IP, outbound source port, outbound destination IP, outbound destination port, access/outbound traffic volume, access/outbound communication protocol, access/outbound time and access/outbound frequency.
6. A sensitive information leakage active monitoring and responsibility confirmation device, characterized in that it comprises a sensitive data definition and management module, an access policy management module, a data acquisition and processing module, an illegal access identification and illegal program confirmation module and an illegal access responsibility confirmation module;
the sensitive data definition and management module is used to define and manage the sensitive information and to determine the equipment where it is stored;
the access policy management module formulates and manages the sensitive information access/outbound access policy according to the sensitive data defined by the sensitive data definition and management module;
the data acquisition and processing module performs network traffic data collection and preprocessing on the equipment storing the sensitive data defined by the sensitive data definition and management module, and outputs the result to the illegal access identification and illegal program confirmation module;
the illegal access identification and illegal program confirmation module performs illegal access/outbound access identification on the collected and processed traffic data according to the sensitive information access/outbound access policy output by the access policy management module, and finds the abnormal access initiating programs and abnormal outbound-access receiving programs for the sensitive information;
the illegal access responsibility confirmation module performs sensitive information leakage responsibility confirmation for the illegal access/receiving programs obtained from the illegal access identification and illegal program confirmation module, and determines the illegal access account and related personnel information.
7. The device according to claim 6, characterized in that the sensitive information access/outbound access policy includes a white list of legal access/outbound access policies and a blacklist of illegal access/outbound access policies; cases where sensitive information is normally accessed by other equipment or normally sent outbound to other equipment are listed in the white list, cases where sensitive information is abnormally accessed by other equipment or abnormally sent outbound to other equipment are listed in the blacklist, and access/outbound cases awaiting confirmation are listed in a gray list.
8. The device according to claim 6, characterized in that the sensitive information access policy is formed as a logical expression combining the factors: access source IP, access source port, access destination IP, access destination port, outbound source IP, outbound source port, outbound destination IP, outbound destination port, access/outbound traffic volume, access/outbound communication protocol, access/outbound time and access/outbound frequency.
9. The device according to claim 7 or 8, characterized in that the access policy management module further includes a white list policy management unit, a blacklist policy management unit and a gray list management unit; the white list policy management unit establishes and manages the white list of legal access/outbound access policies, covering the cases where sensitive information is normally accessed by other equipment or normally sent outbound to other equipment; the blacklist policy management unit establishes and manages the blacklist of illegal access/outbound access policies, covering the cases where sensitive information is abnormally accessed by other equipment or abnormally sent outbound to other equipment; the gray list management unit establishes and manages the sensitive information access/outbound cases awaiting confirmation.
10. The device according to claim 6, characterized in that the illegal access identification and illegal program confirmation module is used to: perform policy matching on the traffic data collected by the data acquisition module according to the white list of legal access/outbound access policies and the blacklist of illegal access/outbound access policies, and when a blacklist illegal access/outbound access policy is met, find the illegal access device and the abnormal access initiating program information on it, and find the illegal receiving device and the abnormal outbound-access receiving program information on it; list in the gray list the access/outbound cases that cannot be matched with either the white list policy or the blacklist policy, and compare the program information related to each gray list entry against a preset normal business inventory for business identification, and if the program is a normal business program, delete the normal access/outbound case from the gray list and enter it into the white list policy, otherwise enter it into the blacklist policy; record the name of the device on which the abnormal program resides and the sending time, modification time and start time of the access/outbound data stream, form the illegal access initiating program/illegal outbound-access receiving program list, and output it to the illegal access responsibility confirmation module.
11. The device according to claim 10, characterized in that the illegal access identification and illegal program confirmation module further includes a policy matching unit, a screening confirmation unit and a record unit; the policy matching unit performs policy matching on the traffic data collected by the data acquisition module according to the white list of legal access/outbound access policies and the blacklist of illegal access/outbound access policies, and when a blacklist illegal access/outbound access policy is met, finds the illegal access device and the abnormal access initiating program information on it, finds the illegal receiving device and the abnormal outbound-access receiving program information on it, and passes them to the record unit; the screening confirmation unit lists in the gray list the access/outbound cases that cannot be matched with either the white list policy or the blacklist policy, compares the program information related to each gray list entry against a preset normal business inventory for business identification, and if the program is a normal business program, deletes the normal access/outbound case from the gray list and enters it into the white list policy, otherwise enters it into the blacklist policy and passes the abnormal program information to the record unit; the record unit records the name of the device on which the abnormal program resides and the sending time, modification time and start time of the access/outbound data stream, forms the illegal access initiating program/illegal outbound-access receiving program list, and outputs it to the illegal access responsibility confirmation module.
12. The device according to claim 6, characterized in that the illegal access responsibility confirmation module finds, according to the illegal access initiating program/illegal outbound-access receiving program list, the creation, modification and execution times of the illegal program on the device where it resides, and traces back the accounts and related personnel logged in to that device at those times, thereby achieving sensitive information leakage responsibility confirmation.
CN201510996755.6A 2015-12-25 2015-12-25 A kind of sensitive information leakage actively monitoring and confirmation of responsibility method and apparatus Active CN105681276B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510996755.6A CN105681276B (en) 2015-12-25 2015-12-25 A kind of sensitive information leakage actively monitoring and confirmation of responsibility method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510996755.6A CN105681276B (en) 2015-12-25 2015-12-25 A kind of sensitive information leakage actively monitoring and confirmation of responsibility method and apparatus

Publications (2)

Publication Number Publication Date
CN105681276A true CN105681276A (en) 2016-06-15
CN105681276B CN105681276B (en) 2019-07-05

Family

ID=56297665

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510996755.6A Active CN105681276B (en) 2015-12-25 2015-12-25 A kind of sensitive information leakage actively monitoring and confirmation of responsibility method and apparatus

Country Status (1)

Country Link
CN (1) CN105681276B (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107169361A (en) * 2017-06-15 2017-09-15 深信服科技股份有限公司 The detection method and system of a kind of leaking data
CN108270735A (en) * 2016-12-31 2018-07-10 中国移动通信集团陕西有限公司 A kind of data leakage prevention method and equipment
CN109684863A (en) * 2018-09-07 2019-04-26 平安科技(深圳)有限公司 Data leakage prevention method, device, equipment and storage medium
CN110049021A (en) * 2019-03-27 2019-07-23 中国电力科学研究院有限公司 Data of information system safety protecting method and system
CN110191004A (en) * 2019-06-18 2019-08-30 北京搜狐新媒体信息技术有限公司 A kind of port detecting method and system
CN110619205A (en) * 2019-08-29 2019-12-27 北京浪潮数据技术有限公司 Machine feature code processing method and device
CN110661776A (en) * 2019-07-29 2020-01-07 奇安信科技集团股份有限公司 Sensitive data tracing method, device, security gateway and system
CN111031035A (en) * 2019-12-12 2020-04-17 支付宝(杭州)信息技术有限公司 Sensitive data access behavior monitoring method and device
CN111291409A (en) * 2020-02-03 2020-06-16 支付宝(杭州)信息技术有限公司 Data monitoring method and device
CN111917718A (en) * 2020-06-24 2020-11-10 武汉绿色网络信息服务有限责任公司 Personal information leakage monitoring method and device
CN112702339A (en) * 2020-12-23 2021-04-23 中移(杭州)信息技术有限公司 Abnormal traffic monitoring and analyzing method and device based on deep migration learning
CN112926039A (en) * 2021-04-08 2021-06-08 深圳市优服信息技术有限公司 Computing device management software with high safety
CN115189937A (en) * 2022-07-06 2022-10-14 武汉极意网络科技有限公司 Security protection method and device for client data
CN117194179A (en) * 2023-11-08 2023-12-08 杭州星锐网讯科技有限公司 Index determination method and device, electronic equipment and storage medium
CN117336083A (en) * 2023-10-27 2024-01-02 河北赛克普泰计算机咨询服务有限公司 Communication method and system in network security level protection

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1777182A (en) * 2005-12-06 2006-05-24 南京邮电大学 Efficient safety tracing scheme based on flooding attack
CN101741570A (en) * 2008-11-14 2010-06-16 电子科技大学 Method for controlling reverse data connection based on honeynet
CN101873258A (en) * 2010-06-07 2010-10-27 清华大学 Probabilistic packet marking and attack source tracing method, system and device
US20130094500A1 (en) * 2011-10-13 2013-04-18 Rosemount Inc. Process installation network intrusion detection and prevention
CN103152323A (en) * 2013-01-29 2013-06-12 深圳市深信服电子科技有限公司 Method and system of controlling access behaviors of client network

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108270735A (en) * 2016-12-31 2018-07-10 中国移动通信集团陕西有限公司 A kind of data leakage prevention method and equipment
CN107169361A (en) * 2017-06-15 2017-09-15 深信服科技股份有限公司 The detection method and system of a kind of leaking data
CN109684863A (en) * 2018-09-07 2019-04-26 平安科技(深圳)有限公司 Data leakage prevention method, device, equipment and storage medium
CN109684863B (en) * 2018-09-07 2024-01-19 平安科技(深圳)有限公司 Data leakage prevention method, device, equipment and storage medium
CN110049021A (en) * 2019-03-27 2019-07-23 中国电力科学研究院有限公司 Data of information system safety protecting method and system
CN110191004A (en) * 2019-06-18 2019-08-30 北京搜狐新媒体信息技术有限公司 A kind of port detecting method and system
CN110191004B (en) * 2019-06-18 2022-05-27 北京搜狐新媒体信息技术有限公司 Port detection method and system
CN110661776B (en) * 2019-07-29 2021-12-24 奇安信科技集团股份有限公司 Sensitive data tracing method, device, security gateway and system
CN110661776A (en) * 2019-07-29 2020-01-07 奇安信科技集团股份有限公司 Sensitive data tracing method, device, security gateway and system
CN110619205A (en) * 2019-08-29 2019-12-27 北京浪潮数据技术有限公司 Machine feature code processing method and device
CN111031035A (en) * 2019-12-12 2020-04-17 支付宝(杭州)信息技术有限公司 Sensitive data access behavior monitoring method and device
CN111031035B (en) * 2019-12-12 2022-04-19 支付宝(杭州)信息技术有限公司 Sensitive data access behavior monitoring method and device
CN111291409A (en) * 2020-02-03 2020-06-16 支付宝(杭州)信息技术有限公司 Data monitoring method and device
CN111291409B (en) * 2020-02-03 2022-12-20 支付宝(杭州)信息技术有限公司 Data monitoring method and device
CN111917718A (en) * 2020-06-24 2020-11-10 武汉绿色网络信息服务有限责任公司 Personal information leakage monitoring method and device
CN111917718B (en) * 2020-06-24 2023-04-07 武汉绿色网络信息服务有限责任公司 Personal information leakage monitoring method and device
CN112702339A (en) * 2020-12-23 2021-04-23 中移(杭州)信息技术有限公司 Abnormal traffic monitoring and analyzing method and device based on deep migration learning
CN112926039A (en) * 2021-04-08 2021-06-08 深圳市优服信息技术有限公司 Computing device management software with high safety
CN115189937A (en) * 2022-07-06 2022-10-14 武汉极意网络科技有限公司 Security protection method and device for client data
CN117336083A (en) * 2023-10-27 2024-01-02 河北赛克普泰计算机咨询服务有限公司 Communication method and system in network security level protection
CN117336083B (en) * 2023-10-27 2024-05-14 河北赛克普泰计算机咨询服务有限公司 Communication method and system in network security level protection
CN117194179A (en) * 2023-11-08 2023-12-08 杭州星锐网讯科技有限公司 Index determination method and device, electronic equipment and storage medium
CN117194179B (en) * 2023-11-08 2024-04-16 杭州星锐网讯科技有限公司 Index determination method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN105681276B (en) 2019-07-05

Similar Documents

Publication Publication Date Title
CN105681276A (en) Sensitive information leakage active monitoring and responsibility confirmation method and device
Johnson et al. Guide to cyber threat information sharing
US20150121461A1 (en) Method and system for detecting unauthorized access to and use of network resources with targeted analytics
CN103413088B (en) A kind of computer document operation safety auditing system
US11599659B2 (en) Documenting and annotating code activities
CN108965317B (en) Network data protection system
US8726335B2 (en) Consigning authentication method
US20240089260A1 (en) System and method for graduated deny list
US9467448B2 (en) Consigning authentication method
CN109600395A (en) A kind of device and implementation method of terminal network access control system
US20050038993A1 (en) Information security model
Proctor et al. The secured enterprise: Protecting your information assets
CN110958236A (en) Dynamic authorization method of operation and maintenance auditing system based on risk factor insight
JP2005156473A (en) Analysis system using network
US12021834B2 (en) Cumulative sum model for IP deny lists
US11601435B1 (en) System and method for graduated deny lists
CN114726617B (en) Device authentication method, device, computer device, storage medium, and program product
US20230353537A1 (en) Cumulative sum model for ip deny lists
KR100673137B1 (en) Security system and method in electronic document repository
Young et al. Incident response and SCADA
CN118096065A (en) Unified authorization management method, system and medium for information main body data
Glozshtejn et al. Analysis of the Main Security Threats of Videoconferencing Systems
CN116781357A (en) Method for improving data exchange safety
Treacy et al. Organizational Cybersecurity Post The Pandemic: An Exploration of Remote Working Risks and Mitigation Strategies
CN114189389A (en) Method for distributed firewall secure communication mechanism

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant