CN109151051B - Data security enhancement method in cloud computing environment - Google Patents


Info

Publication number
CN109151051B
Authority
CN
China
Prior art keywords
detection
node
access
cloud computing
computing environment
Legal status
Expired - Fee Related
Application number
CN201811062368.5A
Other languages
Chinese (zh)
Other versions
CN109151051A (en)
Inventor
胡硕
Current Assignee
Nanchang Hangkong University
Original Assignee
Nanchang Hangkong University

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/10: Protocols in which an application is distributed across nodes in the network
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245: Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6263: Protecting personal data, e.g. for financial or medical purposes, during internet communication, e.g. revealing personal data from cookies

Abstract

The invention discloses a method for enhancing data security in a cloud computing environment, belonging to the technical field of electronic information security, which comprises the following steps: S1: detecting each node in the cloud computing environment; S2: excluding and repairing a single unsafe node; S3: combining the repaired nodes into node groups and detecting the groups; S4: excluding and repairing the combined unsafe node groups. By detecting both the hardware and the transmitted data, hardware and software can be detected simultaneously; by detecting both single nodes and detection node groups, the range of detection objects is enlarged and safety maintenance is enhanced; by storing the detection log, the same potential safety hazard can be avoided; and because the single nodes are arranged in a permutation and combination mode, every combination of nodes can be detected.

Description

Data security enhancement method in cloud computing environment
Technical Field
The invention relates to the technical field of electronic information security, in particular to a data security enhancement method in a cloud computing environment.
Background
Cloud computing security, or cloud security, refers to a collection of policies, techniques and controls for protecting cloud computing data, applications and related structures; it is a sub-field of computer security, network security and, more generally, information security.
Cloud computing security promotes the innovative development of cloud computing and helps to solve problems such as scattered investment, repeated construction, excess capacity, uneven resource integration and lack of cooperation in construction.
For example, Chinese patent publication No. CN108197496A provides a method for enhancing data security in a cloud computing environment, which includes: verifying data nodes in a public cloud computing environment, judging the credibility of the data nodes, establishing a trust relationship for the collected information, uploading medical data from all positions of the network through a distributed system, performing uniform format conversion on the data collected from all the nodes, providing a basis for the construction of an overall trust environment, and constructing a medical data platform. That invention effectively prevents a malicious attacker from acquiring useful information from the medical data storage system, greatly enhances the reliability of the medical data storage system, and reduces the fault tolerance rate and the computing intensity of the system during data recovery. However, that data security enhancement method only detects single nodes; data is generally also transmitted between nodes, so security problems between the nodes are easily missed.
Disclosure of Invention
The invention aims to provide a data security enhancement method in a cloud computing environment, so as to solve the problem raised in the background art that security problems between nodes are easily missed because data is also transmitted between ordinary nodes.
In order to achieve this purpose, the invention provides the following technical scheme: a data security enhancement method in a cloud computing environment comprises the following specific steps:
S1: detecting each node in the cloud computing environment: verifying the hardware security of a single node in the cloud computing environment, sampling the access transmission data stream of the single node, and detecting the security of the sampled access transmission data stream;
if a potential safety hazard exists in the hardware or the access transmission data stream of a single node, limiting the data access and transmission of the node and performing the corresponding repair in step S2;
if neither the hardware nor the access transmission data stream of the single node is detected to have a potential safety hazard, performing the safety detection of step S3;
S2: excluding and repairing a single unsafe node: according to the detection result of step S1, the hardware of a node with a potential safety hazard is maintained, or the hazard is resolved by replacement, and data transmission is limited by setting a restriction level for an access transmission data stream with a potential safety hazard;
S3: combining and detecting the nodes on the basis of the repaired nodes: freely combining the nodes repaired in step S2 and the nodes detected in step S1 to have no potential safety hazard into X detection node groups, and detecting the safety of the X detection node groups one by one;
if a potential safety hazard exists in the access transmission data stream of a detection node group, limiting the data access and transmission of the detection node group and performing the corresponding repair in step S4;
if neither the hardware nor the access transmission data stream of the detection node group has a potential safety hazard, the detection is finished;
S4: excluding and repairing the combined unsafe node group: when a potential safety hazard is detected in the access transmission data stream of a detection node group in step S3, prohibiting the detection node group from continuing data transmission access, setting the detection node group as a target detection object, setting a data access restriction level for it, and prohibiting its access mode.
Preferably, the restriction level set in steps S2 and S4 is saved in the detection log.
Preferably, the detection node groups in step S3 are formed by permutation and combination.
Preferably, the security risks of the access transmission data stream include leakage, modification, addition and loss of the data stream.
Preferably, the detection node group comprises a serial transmission node group consisting of at least two single nodes.
Preferably, the set data access restriction level includes a hardware data access level and a software data access level.
Compared with the prior art, the invention has the following beneficial effects:
1) by detecting both the hardware and the transmitted data, hardware and software can be detected simultaneously;
2) by detecting both single nodes and detection node groups, the range of detection objects is enlarged and safety maintenance is enhanced;
3) by storing the detection log, the same potential safety hazard can be avoided;
4) because the single nodes are arranged in a permutation and combination mode, every combination of nodes can be detected.
Drawings
FIG. 1 is a flow chart of the method of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The security detection of a node covers the following six aspects:
First, user privacy:
checking whether the user password is stored locally, and whether it is encrypted;
checking whether sensitive private information such as chat records, relationship chains and bank accounts is encrypted;
checking whether system files and configuration files are stored on external devices in plaintext;
for information that must be stored on an external device, checking before each use whether it has been tampered with.
Second, file permissions:
checking the directory where the program is located; the program's permissions must not allow other group members to read or write it.
Third, network communication:
checking whether sensitive information is encrypted during network transmission; TLS or SSL must be used for important data.
Fourth, interpreter and runtime protection:
for software with an embedded interpreter, checking whether XSS and SQL injection vulnerabilities exist;
for programs using a WebView, checking whether a URL spoofing vulnerability exists.
Fifth, component permission protection:
prohibiting the internal components of the program from being called by any third-party program;
if a component must be exposed for external invocation, checking whether the caller is restricted by a signature check.
Sixth, upgrading:
checking whether the integrity and legitimacy of the upgrade package are verified, so as to avoid hijacking of the upgrade package.
When the access transmission data stream of a node is found not to conform to any one or more of these six items, the data is considered unsafe.
Referring to FIG. 1, the present invention provides the following technical solution: a data security enhancement method in a cloud computing environment comprises the following specific steps:
S1: detecting each node in the cloud computing environment: verifying the hardware security of a single node in the cloud computing environment, sampling the access transmission data stream of the single node, and detecting the security of the sampled access transmission data stream (many security detection methods exist in the prior art and the technology is mature, so details are not described here);
if a potential safety hazard exists in the hardware or the access transmission data stream of a single node, limiting the data access and transmission of the node and performing the corresponding repair in step S2;
if neither the hardware nor the access transmission data stream of the single node is detected to have a potential safety hazard, performing the safety detection of step S3;
S2: excluding and repairing a single unsafe node: according to the detection result of step S1, the hardware of a node with a potential safety hazard is maintained, or the hazard is resolved by replacement, and data transmission is limited by setting a restriction level for an access transmission data stream with a potential safety hazard;
S3: combining and detecting the nodes on the basis of the repaired nodes: freely combining the nodes repaired in step S2 and the nodes detected in step S1 to have no potential safety hazard into X detection node groups, and detecting the safety of the X detection node groups one by one (the detection method here is the same as in step S1), each of the X detection node groups being treated as a detected unit whose interior is detected;
given N single nodes in total and taking M single nodes at a time, the number X of detection node groups is X = N(N-1)(N-2)...(N-M+1).
If a potential safety hazard exists in the access transmission data stream of a detection node group, limiting the data access and transmission of the detection node group and performing the corresponding repair in step S4;
if neither the hardware nor the access transmission data stream of the detection node group has a potential safety hazard, the detection is finished;
S4: excluding and repairing the combined unsafe node group: when a potential safety hazard is detected in the access transmission data stream of a detection node group in step S3, prohibiting the detection node group from continuing data transmission access, setting the detection node group as a target detection object, setting a data access restriction level for it, and prohibiting its access mode.
The restriction level set in steps S2 and S4 is stored in a detection log, and each time security detection is performed, the previous detection log is used as the basis for the new security detection and maintenance. The detection node groups in step S3 are formed by permutation and combination. The security risks of the access transmission data stream include leakage, modification, addition and loss of the data stream. The detection node group comprises a serial transmission node group consisting of at least two single nodes (usually a serial transmission node group of two single nodes is used as the main detection node group). The set data access restriction level includes a hardware data access level and a software data access level.
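As an added illustration (not the patent's own code; the document gives none), the following Python simulates one S1-S4 cycle over constructed sample nodes: the six-item check from the Detailed Description drives S1, the group count in S3 follows X = N(N-1)...(N-M+1), a link-level risk invisible to S1 is caught only by S3, and the detection log of one run is reused as the basis for the next. The node data, the link risk and every function and constant name are assumptions.

```python
import itertools

# Six single-node check items from the Detailed Description (constant names are mine).
CHECK_ITEMS = {"user_privacy", "file_permissions", "network_communication",
               "runtime_protection", "component_permissions", "upgrade"}
RISK_KINDS = {"leakage", "modification", "addition", "loss"}  # the patent's four stream risks

# Constructed sample nodes (not from the patent): hardware state plus failed check items.
NODES = {
    "n1": {"hardware_ok": True,  "failed_checks": set()},
    "n2": {"hardware_ok": False, "failed_checks": set()},                     # faulty hardware
    "n3": {"hardware_ok": True,  "failed_checks": {"network_communication"}}, # plaintext traffic
    "n4": {"hardware_ok": True,  "failed_checks": set()},
}
# Constructed: a risk only on the serial link n1 -> n4, invisible to S1, found only by S3.
LINK_RISKS = {("n1", "n4"): {"modification"}}

def permutation_count(n, m):
    """X = N(N-1)(N-2)...(N-M+1): ordered groups of M nodes drawn from N nodes."""
    x = 1
    for i in range(m):
        x *= n - i
    return x

def detect_single_nodes(nodes):
    """S1: hardware check plus six-item stream check; any failed item is a hazard."""
    safe, findings = [], {}
    for nid, info in nodes.items():
        failed = sorted(info["failed_checks"] & CHECK_ITEMS)
        if not info["hardware_ok"]:
            findings[nid] = {"kind": "hardware"}
        elif failed:
            findings[nid] = {"kind": "stream", "failed_checks": failed}
        else:
            safe.append(nid)
    return safe, findings

def repair_single_nodes(findings, log):
    """S2: replace faulty hardware or limit a risky stream; record the level in the log."""
    for nid, f in findings.items():
        if f["kind"] == "hardware":
            log[nid] = {"action": "replace_hardware", "level": "hardware"}
        else:
            log[nid] = {"action": "limit_stream", "level": "software",
                        "failed_checks": f["failed_checks"]}
    return list(findings)

def detect_node_groups(node_ids, link_risks, log, m=2):
    """S3: build the X ordered M-node groups by permutation and check each group's
    serial transmission hop by hop; groups already prohibited in the log are skipped."""
    groups = list(itertools.permutations(sorted(node_ids), m))
    assert len(groups) == permutation_count(len(node_ids), m)
    unsafe, skipped = {}, []
    for g in groups:
        key = "->".join(g)
        if log.get(key, {}).get("action") == "prohibit_access":
            skipped.append(key)
            continue
        risks = set()
        for sender, receiver in zip(g, g[1:]):  # one entry per serial hop
            risks |= link_risks.get((sender, receiver), set()) & RISK_KINDS
        if risks:
            unsafe[key] = sorted(risks)
    return len(groups), unsafe, skipped

def restrict_groups(unsafe, log):
    """S4: the unsafe group becomes a target detection object; its access is prohibited."""
    for key, risks in unsafe.items():
        log[key] = {"action": "prohibit_access", "level": "software", "risks": risks}
    return sorted(unsafe)

def run_detection(nodes, link_risks, previous_log=None, m=2):
    """One S1-S4 cycle; the previous detection log is the basis for this run."""
    log = dict(previous_log or {})
    safe, findings = detect_single_nodes(nodes)
    repaired = repair_single_nodes(findings, log)
    count, unsafe, skipped = detect_node_groups(safe + repaired, link_risks, log, m)
    return {"single_findings": findings, "group_count": count, "log": log,
            "prohibited_groups": restrict_groups(unsafe, log), "skipped_from_log": skipped}
```

With the four constructed nodes, S1 flags n2 and n3, S3 forms 4 x 3 = 12 ordered pairs and only the n1->n4 link is prohibited; a second run seeded with the first run's log skips that pair instead of re-examining it.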
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (6)

1. A data security enhancement method in a cloud computing environment, characterized by comprising the following specific steps:
S1: detecting each node in the cloud computing environment: verifying the hardware security of a single node in the cloud computing environment, sampling the access transmission data stream of the single node, and detecting the security of the sampled access transmission data stream;
if a potential safety hazard exists in the hardware or the access transmission data stream of a single node, limiting the data access and transmission of the node and performing the corresponding repair in step S2;
if neither the hardware nor the access transmission data stream of the single node is detected to have a potential safety hazard, performing the safety detection of step S3;
S2: excluding and repairing a single unsafe node: according to the detection result of step S1, the hardware of a node with a potential safety hazard is maintained, or the hazard is resolved by replacement, and data transmission is limited by setting a restriction level for an access transmission data stream with a potential safety hazard;
S3: combining and detecting the nodes on the basis of the repaired nodes: arranging and combining the nodes repaired in step S2 and the nodes detected in step S1 to have no potential safety hazard into X detection node groups, and detecting the safety of the X detection node groups one by one;
if a potential safety hazard exists in the access transmission data stream of a detection node group, limiting the data access and transmission of the detection node group and performing the corresponding repair in step S4;
if neither the hardware nor the access transmission data stream of the detection node group has a potential safety hazard, the detection is finished;
S4: excluding and repairing the combined unsafe node group: when a potential safety hazard is detected in the access transmission data stream of a detection node group in step S3, prohibiting the detection node group from continuing data transmission access, setting the detection node group as a target detection object, setting a data access restriction level for it, and prohibiting its access mode.
2. The method for enhancing data security in the cloud computing environment according to claim 1, wherein: the restriction level set in steps S2 and S4 is saved in the detection log.
3. The method for enhancing data security in the cloud computing environment according to claim 1, wherein: the detection node groups in step S3 are formed by permutation and combination.
4. The method for enhancing data security in the cloud computing environment according to claim 1, wherein: the security risks of the access transmission data stream include leakage, modification, addition and loss of the data stream.
5. The method for enhancing data security in the cloud computing environment according to claim 1, wherein: the detection node group comprises a serial transmission node group consisting of at least two single nodes.
6. The method for enhancing data security in the cloud computing environment according to claim 1, wherein: the set data access restriction level comprises a hardware data access level and a software data access level.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811062368.5A CN109151051B (en) 2018-09-12 2018-09-12 Data security enhancement method in cloud computing environment

Publications (2)

Publication Number Publication Date
CN109151051A CN109151051A (en) 2019-01-04
CN109151051B true CN109151051B (en) 2020-12-08

Family

ID=64825018

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110855793A (en) * 2019-11-19 2020-02-28 南昌航空大学 Distributed system consensus method

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101431416A (en) * 2008-12-10 2009-05-13 南京邮电大学 Synergistic learning invasion detection method used for data gridding
CN101674300A (en) * 2009-09-23 2010-03-17 南京邮电大学 Trust evaluation method in computing environment without central network
CN103152436A (en) * 2013-04-01 2013-06-12 无锡南理工科技发展有限公司 P2P (peer-to-peer) internet trust cloud model computing method based on interest group
CN103901319A (en) * 2014-03-03 2014-07-02 广州供电局有限公司 Method for detecting transient voltage stability of power grid
CN106230982A (en) * 2016-09-08 2016-12-14 哈尔滨工程大学 A kind of dynamic self-adapting secure cloud storage method considering node reliability
CN106302533A (en) * 2016-09-30 2017-01-04 广州特道信息科技有限公司 Big data safety management system and method
CN106529342A (en) * 2016-11-02 2017-03-22 深圳前海生生科技有限公司 Virtual machine monitor dynamic integrity detection method based on security chip
CN107342975A (en) * 2016-12-21 2017-11-10 安徽师范大学 Trust computational methods based on domain division under insincere cloud environment

Also Published As

Publication number Publication date
CN109151051A (en) 2019-01-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20201208

Termination date: 20210912