CN109413642B - Terminal safety detection and monitoring systematization method - Google Patents

Info

Publication number
CN109413642B
Authority
CN
China
Prior art keywords
terminal equipment
detection
safety
data
monitoring
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811398304.2A
Other languages
Chinese (zh)
Other versions
CN109413642A (en)
Inventor
郑松森
陈玲
黄照熙
陈武平
康志权
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Youke Communication Technology Co ltd
Original Assignee
China Youke Communication Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 48/00 Access restriction; Network selection; Access point selection
    • H04W 48/16 Discovering, processing access restriction or access information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Alarm Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention provides a systematic method for terminal security detection and monitoring, characterized by comprising the following steps: step S1: defining security event detection items; step S2: establishing a terminal equipment baseline library, comprising a port baseline and a process baseline; step S3: establishing a security event handling plan library; step S4: performing detection when the terminal accesses the network and generating a detection report; step S5: monitoring during the operation of the terminal equipment, comparing the collected data with the baseline to determine whether a security event early warning is generated, and, if one is generated, matching a handling means from the security event handling plan library according to the type of the security event and executing it. The invention can monitor the security state of terminal equipment, realize early warning of security events together with a security event handling scheme, and, compared with handling after the fact, is more timely.

Description

Terminal safety detection and monitoring systematization method
Technical Field
The invention relates to the field of information security, in particular to a terminal security detection and monitoring systematization method and device.
Background
With the continuous development and innovation of science and technology, terminal equipment suited to all kinds of application scenarios keeps emerging; at the same time, large numbers of small terminal devices are rapidly entering users' homes, and the functions they provide keep growing and make users' lives more enjoyable.
However, good things often come together with dangers. All home terminal devices share one environmental requirement for serving the user well: they must be connected to the Internet, as with home intelligent gateways, APs, high-definition intelligent set-top boxes, network cameras and the like. This "interconnection of things" brings convenience but also unavoidable network security threats, typified by DDoS attacks, intrusion through back-end vulnerabilities and hijacking of information and data. Equipment manufacturers pay more attention to the inventiveness of their functions and often neglect network and information security, causing immeasurable losses to users.
Disclosure of Invention
The invention provides a systematic terminal security detection and monitoring mechanism: a security management and control mechanism covering the complete life cycle from terminal network access to terminal operation. At present the security of users' home terminals is in a practical blind spot: a security event is usually discovered only from a user's report. A large body of facts shows that security events place a strong demand on timeliness, while the defense means actually adopted usually lags behind (a security patch is released for upgrading), so users are easily harmed by network security problems. Real-time network security defense and monitoring is therefore a problem that must be faced and considered.
The invention realizes network access detection and periodic monitoring of the terminal equipment, turns the running state of the terminal equipment into a white box, monitors that running state (big data analysis algorithms can be used for the analysis), finds possible security anomalies, and takes event handling immediately once a security event is confirmed, so that the event is suppressed while it is still at an incipient stage and the loss it would cause is avoided.
In order to solve the problems of defects and shortcomings in the prior art, the invention specifically adopts the following technical scheme:
a terminal safety detection and monitoring systematization method is characterized by comprising the following steps:
step S1: defining a security event detection item;
step S2: establishing a terminal equipment baseline library, comprising: a port baseline and a process baseline;
step S3: establishing a safety event handling plan library;
step S4: detecting when accessing the network and generating a detection report;
step S5: monitoring is carried out in the operation process of the terminal equipment, the collected data is compared with the base line to confirm whether safety event early warning is generated or not, and if the safety event early warning is generated, the disposal means is matched from the safety event disposal plan library according to the type of the safety event and is executed.
Preferably, in step S1, the defined security event detection items include: SSH service status detection, TELNET service status detection, and port detection.
Preferably, in step S2, the establishing a terminal device baseline library specifically includes the following steps:
step S21: establishing a minimum dimension of terminal equipment classification: classifying the terminal equipment according to the equipment type, the terminal manufacturer and the terminal model, and then classifying the terminal equipment by taking the software version of the terminal equipment as the minimum classification dimension;
step S22: establishing a baseline classification: the establishment of the base line takes the safety requirement on the terminal equipment as a starting point, and comprises the following steps: a port baseline and a process baseline;
step S23: a device baseline library is formed.
Preferably, step S4 specifically includes the following steps:
step S41: starting an external auxiliary tool to simulate a network environment;
step S42: actively initiating a detection task to the terminal equipment;
step S43: the terminal equipment receives and executes the detection task, and reports the diagnosis result to the management platform;
step S44: comparing the diagnosis result with the baseline to generate a diagnosis conclusion;
step S45: and returning a diagnosis conclusion and generating a detection report.
Preferably, step S43 specifically includes the following steps:
step S431: after receiving the detection task message, the instruction interaction module issues a detection task to the terminal equipment;
step S432: a safety management plug-in of the terminal equipment receives and executes a detection task;
step S433: the security management plug-in of the terminal equipment configures and collects security data according to the detection task;
step S434: and the safety management plug-in of the terminal equipment reports the acquired safety data to a data receiving module of the management platform.
Preferably, step S5 specifically includes the following steps:
step S51: the terminal equipment starts to operate and simultaneously enters an operation detection period;
step S52: the terminal equipment actively pulls a timing safety monitoring acquisition task and a condition triggering monitoring acquisition task from the management platform;
step S53: the terminal equipment collects data and reports the data according to preset time for a timing safety monitoring collection task;
step S54: the terminal equipment monitors and collects data according to the triggering conditions of the collection task for condition triggering and reports the data;
step S55: after receiving the acquired data, the management platform transmits the data into a data analysis and monitoring module for analysis;
step S56: the data analysis and monitoring module compares the data with the base line in the base line library of the terminal equipment according to the equipment type, and if the data are found to be abnormal, the data confirmed to be abnormal fluctuation are sent to the safety event decision module to generate safety event early warning;
step S57: the security event decision module matches a handling means from a security event handling plan library according to the type of the security event;
step S58: the management platform is in linkage fit with the safety management plug-in of the terminal equipment to execute the safety event handling plan, so that the safety event is processed.
The invention and its preferred scheme use terminal security as the entry point and provide a whole solution ranging from network access detection of the terminal equipment to monitoring during operation: relying on the linkage between the management platform and the terminal security management plug-in, the security state of the terminal equipment can be monitored; the management platform discovers abnormal changes in the security environment from the running condition of terminal equipment across the whole network by means of data analysis; early warning of security events and a security event handling scheme are realized; and compared with handling after the fact, the method is more timely.
Drawings
The invention is described in further detail below with reference to the following figures and detailed description:
fig. 1 is a schematic diagram of modules and a work flow adopted in the embodiment of the present invention.
Detailed Description
In order to make the features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in detail as follows:
The terms are defined as follows:
1. Baseline: a general term for the allowable environment and state criteria of the terminal device.
2. Detection items: items checked on the terminal equipment at network access or during running.
3. Timed security monitoring and collection task: security monitoring data collection triggered on a time condition.
4. Condition-triggered monitoring and collection task: security monitoring data collection triggered by a specific condition.
5. Security management plug-in of the terminal equipment: installed and integrated on the terminal equipment side, it implements terminal security monitoring and collection and security event handling.
As shown in fig. 1, the implementation of this embodiment is mainly based on a security management plug-in installed in a terminal device and a management platform, where the management platform mainly includes: the system comprises a safety event decision module, a data analysis and monitoring module, an instruction interaction module, a data receiving module and the like.
The embodiment is specifically realized by the following steps:
step S1: defining a security event detection item;
step S2: establishing a terminal equipment baseline library, comprising: a port baseline and a process baseline;
step S3: establishing a safety event handling plan library;
step S4: detecting when accessing the network and generating a detection report;
step S5: monitoring is carried out in the operation process of the terminal equipment, the collected data is compared with the base line to confirm whether safety event early warning is generated or not, and if the safety event early warning is generated, the disposal means is matched from the safety event disposal plan library according to the type of the safety event and is executed.
The terminal device baseline library, the security event handling plan library, and the security event detection items established through steps S1 through S3 are stored in the storage management module of the management platform.
In step S1, the defined security event detection items include: SSH service state detection, TELNET service state detection and port detection; custom security detection items can also be defined according to the specific items collected for the matching baseline.
In step S2, the establishing a terminal device baseline library specifically includes the following steps:
step S21: establishing a minimum dimension of terminal equipment classification: classifying according to the equipment type, the terminal manufacturer and the terminal model, and then classifying the terminal equipment by taking the software version of the terminal equipment as the minimum classification dimension;
step S22: establishing a baseline classification: the establishment of the baseline is based on the security requirement of the terminal device, and generally includes: a port baseline and a process baseline; different terminals may have their own unique baselines to provide criteria for later detection and monitoring.
Step S23: a device baseline library is formed.
The specifically formed device baseline library may be as shown in the example provided in table 1:
TABLE 1 (example device baseline library; the table is provided as an image that is not reproduced here)
In step S3, the security event handling plan library is created by setting a set of diagnostic procedures according to the error set, i.e. a handling plan is preset for each type of security event; it can be stored in the management platform as in the example provided in table 2:
TABLE 2 (example security event handling plan library; the table is provided as an image that is not reproduced here)
As shown in fig. 1, step S4 specifically includes the following steps:
step S41: starting an external auxiliary tool to simulate a network environment;
step S42: actively initiating a detection task to the terminal equipment;
step S43: the terminal equipment receives and executes the detection task, and reports the diagnosis result to the management platform;
step S44: comparing the diagnosis result with the baseline and performing secondary processing to generate a diagnosis conclusion; for some simpler diagnosis results a diagnosis conclusion can be generated directly without comparison with a baseline;
step S45: and returning a diagnosis conclusion and generating a detection report.
More specifically, step S43 specifically includes the following steps:
step S431: after receiving the detection task message, the instruction interaction module issues a detection task to the terminal equipment;
step S432: a safety management plug-in of the terminal equipment receives and executes a detection task;
step S433: the security management plug-in of the terminal equipment configures and collects security data according to the detection task;
step S434: and the safety management plug-in of the terminal equipment reports the acquired safety data to a data receiving module of the management platform.
As shown in fig. 1, step S5 specifically includes the following steps:
step S51: the terminal equipment starts to operate and simultaneously enters an operation detection period;
step S52: the terminal equipment actively pulls a timing safety monitoring acquisition task and a condition triggering monitoring acquisition task from the management platform;
step S53: the terminal equipment collects data and reports the data according to preset time for a timing safety monitoring collection task;
step S54: the terminal equipment monitors and collects data according to the triggering conditions of the collection task for condition triggering and reports the data;
step S55: after receiving the collected data, the management platform passes the data into the data analysis and monitoring module for analysis; part of the data is first cleaned according to preprocessing rules, and irrelevant redundant data is screened out;
step S56: the data analysis and monitoring module compares the data with the baseline in the terminal equipment baseline library selected according to the defined equipment type, model and software version rule; if the data are abnormal (including abnormal fluctuation), the data confirmed as abnormal fluctuation are sent to the security event decision module to generate a security event early warning;
step S57: the security event decision module matches a handling means from a security event handling plan library according to the type of the security event;
step S58: the management platform works in linkage with the security management plug-in of the terminal equipment to execute the security event handling plan, so that the security event is processed. Security events are processed according to a preset priority or in an order set by human intervention.
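To make steps S2, S3 and S55 to S58 concrete, the following is an added illustration, not code from the patent or its assignee: a minimal baseline library keyed by the S21 classification dimension (device type, manufacturer, model, software version), a handling plan library, the baseline comparison of S44/S56 for the S1 detection items (port, process, SSH and TELNET state), and plan matching ordered by a preset priority as in S58. All class names, sample baseline values, event type names and plan texts are assumptions, since Tables 1 and 2 are not reproduced on the page.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# S21: the minimum classification dimension is
# (device type, terminal manufacturer, terminal model, software version).
DeviceKey = Tuple[str, str, str, str]

@dataclass(frozen=True)
class Baseline:
    """S22: one baseline entry: port baseline, process baseline, expected service states."""
    allowed_ports: FrozenSet[int]
    allowed_processes: FrozenSet[str]
    ssh_enabled: bool
    telnet_enabled: bool

@dataclass
class CollectedData:
    """Data reported by the terminal's security management plug-in (S434 / S53)."""
    key: DeviceKey
    open_ports: Set[int]
    processes: Set[str]
    ssh_enabled: bool
    telnet_enabled: bool

# S23: constructed device baseline library (Table 1 is not reproduced on the page;
# these values are illustrative assumptions, not the patent's).
BASELINE_LIBRARY: Dict[DeviceKey, Baseline] = {
    ("set-top-box", "ExampleVendor", "STB-100", "1.2.0"): Baseline(
        allowed_ports=frozenset({80, 443, 8080}),
        allowed_processes=frozenset({"init", "player", "upnpd"}),
        ssh_enabled=False,
        telnet_enabled=False,
    ),
}

# S3: constructed handling plan library, one preset plan per security event type.
PLAN_LIBRARY: Dict[str, str] = {
    "telnet_state_mismatch": "restore TELNET service to baseline state",
    "ssh_state_mismatch": "restore SSH service to baseline state",
    "unexpected_port": "close the port and notify the operator",
    "unexpected_process": "stop the process and collect its details for analysis",
}

# S58: preset handling priority (lower handled first); unlisted types go to a human.
PRIORITY: Dict[str, int] = {
    "telnet_state_mismatch": 0,
    "ssh_state_mismatch": 1,
    "unexpected_process": 2,
    "unexpected_port": 3,
}

def compare_with_baseline(data: CollectedData,
                          library: Dict[DeviceKey, Baseline]) -> List[Tuple[str, object]]:
    """S44 / S56: compare collected data with the baseline chosen by the device key.
    Returns (event_type, detail) warnings; a device without a baseline yields a
    single 'no_baseline' event instead of being silently passed."""
    baseline = library.get(data.key)
    if baseline is None:
        return [("no_baseline", data.key)]
    events: List[Tuple[str, object]] = []
    for port in sorted(data.open_ports - baseline.allowed_ports):
        events.append(("unexpected_port", port))
    for proc in sorted(data.processes - baseline.allowed_processes):
        events.append(("unexpected_process", proc))
    if data.ssh_enabled != baseline.ssh_enabled:
        events.append(("ssh_state_mismatch", data.ssh_enabled))
    if data.telnet_enabled != baseline.telnet_enabled:
        events.append(("telnet_state_mismatch", data.telnet_enabled))
    return events

def match_handling_plans(events, plans=PLAN_LIBRARY, priority=PRIORITY):
    """S57 / S58: match a handling means per event type and order by preset
    priority; event types without a plan get a human-intervention placeholder."""
    matched = [(etype, detail, plans.get(etype, "escalate for human intervention"))
               for etype, detail in events]
    return sorted(matched, key=lambda m: priority.get(m[0], len(priority)))

def handle_collected_data(data: CollectedData):
    """S55 to S58 in one call: analyse against baseline, decide, match plans."""
    return match_handling_plans(compare_with_baseline(data, BASELINE_LIBRARY))

if __name__ == "__main__":
    # Constructed sample report: TELNET turned on with an extra daemon and port.
    sample = CollectedData(
        key=("set-top-box", "ExampleVendor", "STB-100", "1.2.0"),
        open_ports={80, 443, 23}, processes={"init", "player", "telnetd"},
        ssh_enabled=False, telnet_enabled=True)
    for etype, detail, plan in handle_collected_data(sample):
        print(f"{etype}: {detail!r} -> {plan}")
```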
The present invention is not limited to the above preferred embodiments; any other terminal security detection and monitoring systematization methods obtained according to the teaching of the present invention, and all equivalent changes and modifications made according to the claims of the present invention, fall within the scope of the present invention.

Claims (3)

1. A terminal safety detection and monitoring systematization method is characterized by comprising the following steps:
step S1: defining a security event detection item;
step S2: establishing a terminal equipment baseline library, comprising: a port baseline and a process baseline;
step S3: establishing a safety event handling plan library;
step S4: detecting when accessing the network and generating a detection report;
step S5: monitoring in the running process of the terminal equipment, comparing the acquired data with a base line to determine whether safety event early warning is generated or not, and if the safety event early warning is generated, matching a disposal means from a safety event disposal plan library according to the type of the safety event and executing;
step S4 specifically includes the following steps:
step S41: starting an external auxiliary tool to simulate a network environment;
step S42: actively initiating a detection task to the terminal equipment;
step S43: the terminal equipment receives and executes the detection task, and reports the diagnosis result to the management platform;
step S44: comparing the diagnosis result with the baseline to generate a diagnosis conclusion;
step S45: returning a diagnosis conclusion and generating a detection report;
step S43 specifically includes the following steps:
step S431: after receiving the detection task message, the instruction interaction module issues a detection task to the terminal equipment;
step S432: a safety management plug-in of the terminal equipment receives and executes a detection task;
step S433: the security management plug-in of the terminal equipment configures and collects security data according to the detection task;
step S434: the security management plug-in of the terminal equipment reports the acquired security data to a data receiving module of the management platform;
step S5 specifically includes the following steps:
step S51: the terminal equipment starts to operate and simultaneously enters an operation detection period;
step S52: the terminal equipment actively pulls a timing safety monitoring acquisition task and a condition triggering monitoring acquisition task from the management platform;
step S53: the terminal equipment collects data and reports the data according to preset time for a timing safety monitoring collection task;
step S54: the terminal equipment monitors and collects data according to the triggering conditions of the collection task for condition triggering and reports the data;
step S55: after receiving the acquired data, the management platform transmits the data into a data analysis and monitoring module for analysis;
step S56: the data analysis and monitoring module compares the data with the base line in the base line library of the terminal equipment according to the equipment type, and if the data are found to be abnormal, the data confirmed to be abnormal fluctuation are sent to the safety event decision module to generate safety event early warning;
step S57: the security event decision module matches a handling means from a security event handling plan library according to the type of the security event;
step S58: the management platform is in linkage fit with the safety management plug-in of the terminal equipment to execute the safety event handling plan, so that the safety event is processed.
2. The terminal security detection and monitoring systematization method according to claim 1, wherein: in step S1, the defined security event detection items include: SSH service status detection, TELNET service status detection, and port detection.
3. The terminal security detection and monitoring systematization method according to claim 1, wherein: in step S2, the establishing a terminal device baseline library specifically includes the following steps:
step S21: establishing a minimum dimension of terminal equipment classification: classifying the terminal equipment according to the equipment type, the terminal manufacturer and the terminal model, and then classifying the terminal equipment by taking the software version of the terminal equipment as the minimum classification dimension;
step S22: establishing a baseline classification: the establishment of the base line takes the safety requirement on the terminal equipment as a starting point, and comprises the following steps: a port baseline and a process baseline;
step S23: a device baseline library is formed.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811398304.2A CN109413642B (en) 2018-11-22 2018-11-22 Terminal safety detection and monitoring systematization method

Publications (2)

Publication Number Publication Date
CN109413642A CN109413642A (en) 2019-03-01
CN109413642B true CN109413642B (en) 2022-02-18

Family

ID=65474426

Country Status (1)

Country Link
CN (1) CN109413642B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110120957B (en) * 2019-06-03 2019-12-06 浙江鹏信信息科技股份有限公司 Safe disposal digital twin method and system based on intelligent scoring mechanism
CN110347550A (en) * 2019-06-10 2019-10-18 烽火通信科技股份有限公司 The safety monitoring processing method and system of Android system terminal equipment
CN113625663B (en) * 2020-05-07 2024-05-17 宝武碳业科技股份有限公司 Comprehensive situation management and control system
CN112367224A (en) * 2020-11-11 2021-02-12 全球能源互联网研究院有限公司 Terminal monitoring device, system and method
CN112487419A (en) * 2020-11-30 2021-03-12 扬州大自然网络信息有限公司 Computer network information security event processing method
CN113259397B (en) * 2021-07-07 2021-09-28 奇安信科技集团股份有限公司 Method, device and equipment for executing plan and readable storage medium
CN115834426A (en) * 2022-11-07 2023-03-21 江苏安几科技有限公司 Terminal reliability dynamic detection method, computer equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101174973A (en) * 2006-10-31 2008-05-07 华为技术有限公司 Network safety control construction
CN101399698A (en) * 2007-09-30 2009-04-01 华为技术有限公司 Safety management system, device and method
CN106055984A (en) * 2016-05-27 2016-10-26 浪潮电子信息产业股份有限公司 Hierarchical management method applied to security baseline software
CN107948636A (en) * 2017-12-13 2018-04-20 中邮科通信技术股份有限公司 A kind of automatic fault selftesting localization method based on IPTV set top box error code
CN108718303A (en) * 2018-05-09 2018-10-30 北京仁和诚信科技有限公司 Safe operation management method and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Review and prospects of China's communication technology 2002-2003; (no author); 《通信与信息技术》 (Communications and Information Technology); 2003-12-31 (No. 3); full text *
Design and implementation of a government-affairs terminal security baseline management system; Liu Lan et al.; 《计算机与现代化》 (Computer and Modernization); 2013-12-31 (No. 2); full text *

Also Published As

Publication number Publication date
CN109413642A (en) 2019-03-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant