CN110290128B - Network isolation and exchange control method and device based on service security label - Google Patents

Network isolation and exchange control method and device based on service security label

Info

Publication number: CN110290128B
Application number: CN201910536196.9A
Authority: CN (China)
Prior art keywords: mark, data, service, control, security
Priority date / filing date: 2019-06-20
Publication date: 2019-09-27 (CN110290128A), 2021-02-19 (CN110290128B)
Legal status: Active (the status listed by Google Patents is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN110290128A (en)
Inventors: 于海波, 李志谦, 刘坤颖, 祁峰, 孙永
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS

Timeline: application filed by Institute of Information Engineering of CAS; priority to CN201910536196.9A; publication of CN110290128A; application granted; publication of CN110290128B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network isolation and exchange control method and a device based on a service security marker, belonging to the technical field of networks.

Description

Network isolation and exchange control method and device based on service security label
Technical Field
The invention relates to a method and a device for carrying out network isolation switching control on data according to the service security attribute of the data, belonging to the technical field of networks.
Background
When network isolation and data exchange are performed across networks and security domains, traditional security isolation and information exchange systems such as unidirectional import devices and gatekeepers mainly improve the security of inter-network exchange by stripping protocols and by virus checking, content filtering and inspection of the exchanged data. They cannot perform fine-grained control of the data exchanged between networks based on the data's service security attributes, and have difficulty preventing malicious code from performing unauthorized exchange.
Disclosure of Invention
The invention aims to provide a network isolation and exchange control method and a network isolation and exchange control device based on service security marks aiming at the requirements of fine-grained isolation exchange and security control of data resources in cross-network and cross-domain environments.
In order to achieve the above object, the present invention adopts a network isolation and switching control method based on a service security label, which comprises the following steps:
step 1: respectively configuring a mark control strategy for a sending end and a receiving end, wherein the mark control strategy is a related matching rule defined based on a service security mark of data, and taking a corresponding control action on the data with a specific service security mark;
step 2: after receiving data to be imported, a sending end checks whether the data has a service security mark and carries out corresponding processing according to a mark control strategy configured by the sending end, and the method comprises the following steps: if the data does not carry a service safety mark and the mark control strategy configured at the sending end prohibits the introduction of the unmarked data, recording the log and carrying out corresponding processing; if the data does not carry the service safety mark and the mark control strategy configured at the sending end allows the unmarked data to be imported, automatically adding the appointed service safety mark to the formatted data block to be transmitted in one way and then executing the one-way transmission; if the data has the service safety mark, the service safety mark of the data is subjected to matching check, if the check is passed, the service safety mark of the data is added to a formatted data block to be transmitted in a one-way mode, and then the one-way transmission is executed, otherwise, a log is recorded and corresponding processing is carried out;
step 3: after receiving the formatted data block of unidirectional transmission, the receiving end checks whether the data block carries a service security mark and carries out corresponding processing according to a mark control strategy configured by the receiving end, including: if the data block does not have the service safety mark, recording the log and carrying out corresponding processing; and if the data block is provided with the safety mark, performing matching check on the service safety mark of the data block, if the check is passed, recovering the imported data based on the data block, otherwise, recording the log and performing corresponding processing.
Further, the service security label is a multi-element group M = <C, G, F> containing multiple service security attributes, where C is a security level, G is a service security attribute set and F is an operation control attribute set; the service security attribute set G includes service category, work group, role and environment requirements, and the operation control attribute set F includes read-write control, print control, recording control and copy control.
Further, the service security label includes the service security label M(r) = <C_r, G_r, F_r> of an information object and the service security label M(o) = <C_o, G_o> of a system object; information objects comprise data, and system objects comprise applications, services and processes.
Further, there are two relationships between M(o) and M(r): dominant and incomparable. When C_o ≥ C_r and the condition given in Figure BDA0002101236430000021 (an inline formula image not reproduced in the text) holds, M(o) ≥ M(r), and M(o) and M(r) have a dominance relation, which represents that the system object can dominate the information object; if no dominance relation exists between M(o) and M(r), the two are incomparable, and the system object has no right to dominate the information object.
Further, if the condition given in Figure BDA0002101236430000022 (an inline formula image not reproduced in the text) holds, the subject should limit its corresponding operations on the resource according to the operation control attributes contained in F_r.
Further, the tag control policy may be denoted as R = <C, G>, where R is the tag control policy and the expression represents the set of information objects that satisfy the specified attributes.
Further, a tag control policy R_s = <C_s, G_s> is configured for a sending end s; the service security label of the information object designated by R_s is M(s) = <C_s, G_s>, and if M(s) ≥ M(r) the matching check of the sending end passes. A corresponding tag control policy R_g = <C_g, G_g> is configured for a receiving end g; the service security label of the information object designated by R_g is M(g) = <C_g, G_g>, and if M(g) ≥ M(r') the matching check of the receiving end passes.
Further, the corresponding processing includes alarming, discarding, forwarding or auditing.
In order to achieve the above object, the present invention further provides a network isolation and switching control device based on the service security label, which mainly comprises a sending end label control module and a receiving end label control module;
The sending end mark management and control module: used for configuring the sending end mark control strategy, identifying the service security mark of data imported into the sending end, matching and checking it against the mark control strategy configured by the sending end, and, according to the check result, either adding the service security mark of the data into the formatted data block to be transmitted one way and then executing the one-way transmission, or recording a log and performing corresponding processing on the data;
The receiving end mark management and control module: used for configuring the receiving end mark control strategy, identifying the service security mark of the formatted data block at the receiving end, matching and checking it against the mark control strategy configured by the receiving end, and, according to the check result, either recovering the imported data or recording a log of the data block and performing corresponding processing.
Further, in the receiving end mark management and control module, the corresponding processing includes alarming, discarding, forwarding or auditing.
Compared with the prior art, the invention has the following positive effects:
by correctly configuring a mark control strategy of a data transmission channel consisting of a sending end and a receiving end, the data transmitted in one direction can be subjected to fine-grained control based on the service security mark of the data, the security isolation and information exchange systems such as one-way import equipment and a gatekeeper are supported to perform fine-grained data control, and the network security is further improved. For example, by configuring the device, only data of specific service content can be allowed to be unidirectionally imported from the internet to the internal network; data of a low security level in the high-level security domain can also be supported to flow to the low-level security domain, but the data of the high security level is still forbidden to flow to the low-level security domain; the unmarked data or abnormal marked data sent by the malicious code can be found, and the disguised unauthorized service data can be prevented from flowing out in time.
Drawings
Fig. 1 is a flow chart of a network isolation and switching control method based on a service security label.
Fig. 2 is a relationship diagram (one-way import) of a network isolation and switching control device module based on a service security label.
Fig. 3 is a relationship diagram of a network isolation and switching control device module (bidirectional gatekeeper) based on a service security label.
Detailed Description
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings, and it should be understood that the embodiments described herein are merely for the purpose of illustrating and explaining the present invention and are not intended to limit the present invention.
Fig. 1 is a flowchart of a method for controlling network isolation and switching based on a service security label, and steps of the method are specifically described as follows.
1. Configuring tag control policies
The service security mark M is a multi-tuple containing a plurality of service security attributes, M = <C, G, F>. Here C is a security level; G = {g_1, g_2, …, g_n} is a set of service security attributes g_i, where a g_i may be a service type, work group, role, environment requirement and the like; F = {f_1, f_2, …, f_m} is a set of operation control attributes f_j, where an f_j may be an operation attribute such as read-write control, print control, burn control or copy control.
Under this abstract definition, the service security label of an information object (resource) such as data is denoted M(r) = <C_r, G_r, F_r>, and the service security label of a system object (subject) such as an application, service or process is denoted M(o) = <C_o, G_o>. There are two relationships between the subject mark M(o) and the resource mark M(r): dominant and incomparable. Mark M(o) dominates mark M(r), written M(o) ≥ M(r), when C_o ≥ C_r and
Figure BDA0002101236430000031
the condition given in Figure BDA0002101236430000031 (an inline formula image not reproduced in the text) holds, meaning that the subject can dominate the object (resource). If there is no dominance relationship between M(o) and M(r), they are incomparable, and the subject has no right over the object (resource). If the condition given in Figure BDA0002101236430000032 (an inline formula image not reproduced in the text) holds, the subject should limit the corresponding operations on the resource according to the particular operation control attributes f_j that the mark contains.
Since the service security labels of information objects (resources) and system objects (subjects) are both defined by attributes, the related label control policy is defined by a similar attribute method. The mark control policy R may be expressed as R = <C, G>, denoting the set of information objects that satisfy the specified attributes. Thus the service security label of the information object designated by rule R_s may also be denoted M(s) = <C_s, G_s>. When the policy matching check is performed, if M(s) ≥ M(r), the service security label of the information object r satisfies the label control policy rule R_s.
According to this abstract definition, a mark control policy R_s = <C_s, G_s> can be configured for a given sending end s, and a corresponding mark control policy R_g = <C_g, G_g> for the corresponding receiving end g.
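To make the label model concrete, the following is an added Python example, not code from the patent or its assignee. It models M = <C, G, F>, the dominance relation between a subject label M(o) and a resource label M(r), the operation restrictions carried by F_r, and the matching of a policy R_s = <C_s, G_s> read as the label M(s). The page shows the second dominance condition only as an inline formula image, so the example assumes the usual lattice reading, G_r ⊆ G_o; it also assumes that each attribute in F_r names an operation the resource restricts, and it models security levels as integers. All labels are constructed sample values.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Label:
    """A service security label M = <C, G, F>.

    C: security level (an integer here; higher means more sensitive).
    G: set of service security attributes g_i (service type, work group, role, ...).
    F: set of operation control attributes f_j (read-write, print, burn, copy control);
       empty for system objects (subjects), whose label is M(o) = <C_o, G_o>.
    """
    C: int
    G: FrozenSet[str]
    F: FrozenSet[str] = frozenset()


def dominates(subject: Label, resource: Label) -> bool:
    """M(o) >= M(r): C_o >= C_r and G_r is a subset of G_o.

    The subset condition is an assumption: the page gives it only as an
    inline formula image, so the usual lattice reading is used here.
    """
    return subject.C >= resource.C and resource.G <= subject.G


def relation(subject: Label, resource: Label) -> str:
    """The page's two possible relationships between M(o) and M(r)."""
    return "dominant" if dominates(subject, resource) else "incomparable"


def permitted_operations(subject: Label, resource: Label,
                         requested: FrozenSet[str]) -> Optional[FrozenSet[str]]:
    """Operations the subject may perform on the resource.

    None when the subject does not dominate the resource (no right at all).
    Otherwise the requested operations minus those controlled by F_r
    (assumed meaning of F_r: each f_j names an operation the resource restricts).
    """
    if not dominates(subject, resource):
        return None
    return requested - resource.F


def policy_matches(policy: Label, resource: Label) -> bool:
    """Policy R = <C, G> read as the label M(s) = <C_s, G_s>; passes when M(s) >= M(r)."""
    return dominates(policy, resource)


# Constructed sample labels (not from the patent).
ANALYST = Label(C=3, G=frozenset({"finance", "analyst"}))               # subject M(o)
REPORT = Label(C=2, G=frozenset({"finance"}), F=frozenset({"print"}))   # resource M(r)
HR_FILE = Label(C=2, G=frozenset({"hr"}))                                # resource of another group
SENDER_POLICY = Label(C=2, G=frozenset({"finance", "report"}))          # R_s read as M(s)


if __name__ == "__main__":
    print(relation(ANALYST, REPORT))                                            # dominant
    print(permitted_operations(ANALYST, REPORT, frozenset({"read", "print"})))  # frozenset({'read'})
    print(relation(ANALYST, HR_FILE))                                           # incomparable
    print(policy_matches(SENDER_POLICY, REPORT))                                # True
    print(policy_matches(SENDER_POLICY, Label(C=3, G=frozenset({"finance"}))))  # False: level too high
```

The last call shows the effect the description claims for a correctly configured policy: a level-3 object is not dominated by the level-2 policy label, so high-level data is stopped even though its service attributes match.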
2. Label-free data unidirectional transmission control
(step 1): when the sending end identifies that the imported data does not have the service safety mark, if the sending end forbids the import of the unmarked data, the sending end records the log and records the log to the data and executes corresponding processing actions such as alarming, discarding, forwarding or auditing and the like; if the transmitting end allows the unmarked data to be imported, and a specified service safety mark M is preset for the unmarked dataxAnd (4) switching to step2, otherwise, logging and executing corresponding processing actions such as alarming, discarding, forwarding or auditing on the data, and ending the process.
(step 2): the sending end adds the appointed business safety mark M for the formatted data block to be transmitted in one wayxAnd then transmits the data block to the receiving end in a single direction.
(step 3): the receiving end checks whether the data block carries a service safety mark, and if the data block carries the service safety mark, the step4 is carried in; if the service safety mark is not carried, the receiving end executes corresponding processing actions such as alarming, discarding, forwarding or auditing and the like on the data block, and records a log.
(step 4): the receiving end identifies and extracts the data block service security mark M (R') and controls the strategy R with the mark configured by the receiving endgMatching check is carried out, and if matching is successful, switching to step 5; if the matching is not successful, the receiving end pair data blockAnd executing corresponding processing actions such as alarming, discarding, forwarding or auditing and recording logs.
The matching rule is as follows: if M (g) is more than or equal to M (r'), matching is successful, otherwise, matching is unsuccessful.
(step 5): and the receiving end recovers the data and sends the data to a related system.
3. Control of unidirectional transmission of marked data
(step 1): the sending end identifies and extracts the service safety mark M (R) of the data and the mark control strategy R configured with the sending endsMatching check is carried out, and if matching is successful, step2 is carried out; and if the matching is unsuccessful, performing corresponding processing actions such as alarming, discarding, forwarding or auditing on the data, and recording a log.
The matching rule is as follows: if M(s) is more than or equal to M (r), the matching is successful, otherwise, the matching is unsuccessful.
(step 2): the sending end adds the service security mark M (r) of the data into the formatted data block to be transmitted in one way, and then transmits the data block in one way to the receiving end.
(step 3): the receiving end checks whether the data block carries a service safety mark, and if the data block carries the service safety mark, the step4 is carried in; if the service safety mark is not carried, corresponding processing actions such as alarming, discarding, forwarding or auditing are carried out on the data, and a log is recorded.
(step 4): the receiving end identifies and extracts the service security mark M (r') of the data block and controls the strategy g with the mark configured by the receiving endjAnd matching, if the matching is successful, transferring to step5, and if the matching is unsuccessful, performing corresponding processing actions such as alarming, discarding, forwarding or auditing on the data block, and recording a log.
The matching rule is as follows: if M (g) is more than or equal to M (r'), matching is successful, otherwise, matching is unsuccessful.
(step 5): and the receiving end recovers the data and sends the data to a related system.
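The two procedures above (unmarked data in section 2, marked data in section 3) are written out below as an added Python example that is not part of the patent. A sending-end function either produces the formatted data block to transmit or logs a rejection, and a receiving-end function either recovers the payload or logs a rejection; the two are chained through a one-way channel so that both ends enforce their own policy independently. The dominance relation M(a) ≥ M(b) uses the same assumed set-containment reading as the label model (G_b ⊆ G_a), the "corresponding processing" is reduced to a logged action string, and the endpoints, labels, M_x and payload are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Label:
    """M = <C, G>: security level and service security attribute set."""
    C: int
    G: FrozenSet[str]


def dominates(a: Label, b: Label) -> bool:
    """M(a) >= M(b): C_a >= C_b and G_b is a subset of G_a (assumed reading of the page's formula)."""
    return a.C >= b.C and b.G <= a.G


DataBlock = Tuple[Optional[Label], bytes]   # formatted data block: (mark, payload)


@dataclass
class Endpoint:
    policy: Label                          # R_s at a sender, R_g at a receiver
    allow_unmarked: bool = False           # sender: may unmarked data be imported?
    default_mark: Optional[Label] = None   # sender: the preset mark M_x for unmarked data
    action: str = "alarm+discard"          # the configured "corresponding processing"
    log: List[str] = field(default_factory=list)


def sender_process(s: Endpoint, payload: bytes, mark: Optional[Label]) -> Optional[DataBlock]:
    """Sending end: returns the data block to transmit one way, or None after logging."""
    if mark is None:
        if s.allow_unmarked and s.default_mark is not None:
            s.log.append("sender: unmarked data imported, attaching M_x")
            return (s.default_mark, payload)
        s.log.append(f"sender: unmarked data rejected -> {s.action}")
        return None
    if dominates(s.policy, mark):              # M(s) >= M(r)
        return (mark, payload)
    s.log.append(f"sender: mark {mark} fails R_s -> {s.action}")
    return None


def receiver_process(g: Endpoint, block: Optional[DataBlock]) -> Optional[bytes]:
    """Receiving end: returns the recovered data, or None after logging."""
    if block is None:                          # nothing arrived over the one-way channel
        return None
    mark, payload = block
    if mark is None:
        g.log.append(f"receiver: block without mark -> {g.action}")
        return None
    if dominates(g.policy, mark):              # M(g) >= M(r')
        return payload
    g.log.append(f"receiver: mark {mark} fails R_g -> {g.action}")
    return None


def one_way_transfer(s: Endpoint, g: Endpoint, payload: bytes,
                     mark: Optional[Label]) -> Optional[bytes]:
    """The full sender -> one-way channel -> receiver path."""
    return receiver_process(g, sender_process(s, payload, mark))


# Constructed configuration: a channel exporting finance reports up to level 2.
FINANCE = frozenset({"finance", "report"})
SENDER = Endpoint(policy=Label(2, FINANCE), allow_unmarked=True,
                  default_mark=Label(1, frozenset({"finance"})))
RECEIVER = Endpoint(policy=Label(2, FINANCE))
STRICT_SENDER = Endpoint(policy=Label(2, FINANCE))   # forbids unmarked data


if __name__ == "__main__":
    data = b"quarterly figures"
    print(one_way_transfer(SENDER, RECEIVER, data, Label(1, frozenset({"finance"}))))  # recovered
    print(one_way_transfer(SENDER, RECEIVER, data, Label(3, frozenset({"finance"}))))  # None: level too high
    print(one_way_transfer(SENDER, RECEIVER, data, Label(1, frozenset({"hr"}))))       # None: wrong group
    print(one_way_transfer(SENDER, RECEIVER, data, None))                              # recovered under M_x
    print(one_way_transfer(STRICT_SENDER, RECEIVER, data, None))                       # None: unmarked
    for line in SENDER.log + STRICT_SENDER.log + RECEIVER.log:
        print(line)
```

Because the receiver re-checks the mark against its own R_g, a receiving end configured more narrowly than its sender still rejects a block the sender let through, which is the point of configuring both ends of the channel rather than one.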
The embodiment also provides a network isolation and exchange control device based on the service security label, which is used for implementing the method and comprises a sending end label control module and a receiving end label control module. The sending end label control module is used for configuring the sending end label control policy, identifying the service security label of data imported into the sending end, matching and checking it against the label control policy configured by the sending end, and, according to the check result, either adding the service security label of the data to the formatted data block to be transmitted one way and then executing the one-way transmission, or discarding, auditing or forwarding the data. The receiving end label control module is used for configuring the receiving end label control policy, identifying the service security label of the formatted data block at the receiving end, matching and checking it against the label control policy configured by the receiving end, and, according to the check result, either recovering the imported data or discarding, auditing or forwarding the data block.
The device can realize data exchange control: the sending end and the receiving end of the device form a unidirectional data transmission channel in pairs, which can be used in unidirectional import equipment to realize fine-grained control of unidirectionally transmitted data, as shown in fig. 2. It can also be used in security isolation and information exchange equipment such as a gatekeeper, where fine-grained control is applied separately to two unidirectional transmission channels in opposite directions, further improving the security of network exchange, as shown in fig. 3.
The above embodiments are only intended to illustrate the technical solution of the present invention and not to limit the same, and a person skilled in the art can modify the technical solution of the present invention or substitute the same without departing from the spirit and scope of the present invention, and the scope of the present invention should be determined by the claims.

Claims (8)

1. A network isolation and exchange control method based on service security marks is used for controlling data at a sending end and a receiving end respectively according to service security attribute information including security level and service category in the marks by identifying service security marks carried by the data aiming at the requirements of fine-grained isolation exchange and security control of data resources under cross-network and cross-domain environments, and comprises the following steps:
configuring a mark control policy for the sending end and the receiving end respectively, wherein the mark control policy is a related matching rule defined based on the service security mark of the data and is used for taking a corresponding control action on data with a specific service security mark; the service security mark is a multi-element group M = <C, G, F> containing multiple service security attributes, wherein C is a security level, G is a service security attribute set and F is an operation control attribute set, the service security attribute set G includes service category, work group, role and environment requirement, and the operation control attribute set F includes read-write control, print control, burn control and copy control; the service security mark comprises the service security mark M(r) = <C_r, G_r, F_r> of an information object and the service security mark M(o) = <C_o, G_o> of a system object, the information object comprising data and the system object comprising applications, services and processes; after receiving data to be imported, the sending end checks whether the data has a service security mark and carries out corresponding processing according to the mark control policy configured at the sending end, comprising: if the data does not carry a service security mark and the mark control policy configured at the sending end prohibits the import of unmarked data, recording a log and carrying out corresponding processing; if the data does not carry a service security mark and the mark control policy configured at the sending end allows unmarked data to be imported, automatically adding the specified service security mark to the formatted data block to be transmitted one way and then executing the one-way transmission; if the data has a service security mark, performing a matching check on the service security mark of the data, and if the check passes, adding the service security mark of the data to the formatted data block to be transmitted one way and then executing the one-way transmission, otherwise recording a log and carrying out corresponding processing;
after receiving the formatted data block of unidirectional transmission, the receiving end checks whether the data block carries a service security mark and carries out corresponding processing according to a mark control strategy configured by the receiving end, including: if the data block does not have the service safety mark, recording the log and carrying out corresponding processing; and if the data block is provided with the safety mark, performing matching check on the service safety mark of the data block, if the check is passed, recovering the imported data based on the data block, otherwise, recording the log and performing corresponding processing.
2. The method of claim 1, wherein there are two relationships between M(o) and M(r): dominant and incomparable; when C_o ≥ C_r and the condition given in Figure FDA0002678108940000011 (an inline formula image not reproduced in the text) holds, M(o) ≥ M(r), and M(o) and M(r) have a dominance relation, which represents that the system object can dominate the information object; if no dominance relation exists between M(o) and M(r), the two are incomparable, and the system object has no right to dominate the information object.
3. The method of claim 1, wherein if the condition given in Figure FDA0002678108940000012 (an inline formula image not reproduced in the text) holds, the subject should limit its corresponding operations on the resource according to the operation control attributes contained in F_r.
4. The method of claim 1, wherein the tag control policy is denoted as R = <C, G>, where R is the tag control policy and the expression represents the set of information objects that satisfy the specified attributes.
5. The method of claim 4, wherein a tag control policy R_s = <C_s, G_s> is configured for a sending end s, the service security label of the information object designated by R_s is M(s) = <C_s, G_s>, and if M(s) ≥ M(r) the matching check of the sending end passes; and a corresponding tag control policy R_g = <C_g, G_g> is configured for a receiving end g, the service security label of the information object designated by R_g is M(g) = <C_g, G_g>, and if M(g) ≥ M(r') the matching check of the receiving end passes.
6. The method of claim 1, wherein the respective processing comprises alerting, discarding, forwarding, or auditing.
7. A network isolation and switching control device based on service security label, based on the method of claim 1, the device comprising:
the sending end mark control module is used for configuring a sending end mark control strategy, identifying a service safety mark of data led into a sending end, matching and checking the service safety mark with the mark control strategy configured by the sending end, adding the service safety mark of the data into a formatted data block to be transmitted in one direction according to a checking result, and then executing one-way transmission, or recording a log on the data and performing corresponding processing;
and the receiving end mark control module is used for configuring a receiving end mark control strategy, identifying the service safety mark of the receiving end formatted data block, performing matching check with the mark control strategy configured by the receiving end, recovering imported data according to a check result or recording a log of the data block and performing corresponding processing.
8. The apparatus of claim 7, in which the respective processing comprises alerting, discarding, forwarding, or auditing.
CN201910536196.9A 2019-06-20 2019-06-20 Network isolation and exchange control method and device based on service security label Active CN110290128B (en)


Publications (2)

Publication Number Publication Date
CN110290128A CN110290128A (en) 2019-09-27
CN110290128B true CN110290128B (en) 2021-02-19





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant