CN110324326B - Network data transmission control method and device based on service security marker - Google Patents
- Publication number
- CN110324326B (application CN201910536194.XA)
- Authority
- CN
- China
- Prior art keywords
- service
- data packet
- security
- network
- mark
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
The invention provides a network data transmission control method and device based on a service security label, belonging to the field of network technology and computer information security.
Description
Technical Field
The invention relates to a network data transmission control method, in particular to a method and a device for controlling network data transmission based on the service security attribute of a network data packet, and belongs to the field of network technology and computer information security.
Background Art
At present, a traditional network data control method mainly uses network layer information such as quintuple, source and destination addresses, and packet characteristics to control a packet, cannot perform fine-grained control and audit on network data according to security requirements of a service layer, is difficult to implement routing control on different types of service data, is difficult to perform path control and exception discovery on a specific service data flow direction according to service application requirements, and cannot efficiently perform fine-grained control on different types of service data at a security domain boundary.
Disclosure of Invention
The invention aims to provide a network data transmission control method and device based on service security marks aiming at the fine-grained management and control requirements of network data.
In order to achieve the above object, the present invention adopts a network data transmission control method based on a service security label, which comprises the following steps:
step 1: configuring a mark control strategy of the network device, wherein the mark control strategy refers to a service safety mark definition related rule based on a network data packet so as to control network data;
step 2: when the network data packet passes through the network device, the network device identifies whether the data packet has a service safety mark, and if the data packet does not have the service safety mark, the data packet is logged or otherwise processed;
step 3: if the data packet carries the service security label, the network device carries out matching check on the service security label of the data packet according to the configured label control strategy, if the check is passed, the data packet is released, otherwise, the data packet is logged or otherwise processed.
Further, the service security label is a tuple M = <C, G> containing multiple service security attributes, where C is a security level and G is a service security attribute set; the service security attribute set G includes service category, workgroup, role and environment requirements.
Further, the service security label includes a service security label M(r) = <C_r, G_r> of an information object and a service security label M(o) = <C_o, G_o> of a system object; the information object comprises data, and the system object comprises applications, services and processes.
Further, there are two relationships between M(o) and M(r): dominance and incomparable. When C_o ≥ C_r and G_o ⊇ G_r, denoted M(o) ≥ M(r), M(o) and M(r) are in a dominance relationship, meaning that the system object can dominate the information object; if no dominance relationship exists between M(o) and M(r), the two are incomparable, and the system object has no right to dominate the information object.
Further, the label control policy may be denoted as R = <C, G>, where R is the label control policy and the expression denotes the set of information objects that satisfy the specified attributes.
Further, a label control policy R_s = <C_s, G_s> is configured for a network device s; the service security label of the information object specified by R_s is M(s) = <C_s, G_s>. If M(s) ≥ M(r), the label matching check passes; otherwise the label matching check fails.
Further, the other processing includes alarming, forwarding, discarding or ignoring, and the like.
In order to achieve the above object, the present invention further provides a network data transmission control device based on the service security label, which includes a label control policy management module and a label identification management control module;
the mark control strategy management module is used for configuring and managing a mark control strategy of the network device;
and the mark identification management and control module is used for identifying the service safety mark of the network data packet, performing matching check on the service safety mark of the data packet according to the mark control strategy, and performing release, log recording or other processing on the data packet according to the check result.
Further, in the tag identification management and control module, the other processing includes alarming, forwarding, discarding or ignoring, and the like.
Compared with the prior art, the invention has the following positive effects:
by identifying the service security attribute identification of the network data, understanding and implementing service-oriented fine-grained data management and control in a network layer become possible. The invention can make various related network devices (such as router, exchanger, etc.) and network security devices (firewall, security gateway, flow auditing system, IPS/IDS, etc.) perform high-efficiency fine-grained control on different types of data according to the service security attribute of the network data, for example, the invention can efficiently manage and control the routing forwarding of the data packet according to the service security attribute of the network data; port forwarding of the data packet is efficiently controlled according to the service security attribute of the network data; fine-grained control of different service data is realized at the boundary of a security domain according to the service security attribute of the network data; and performing service security audit and abnormal service behavior detection on the flow according to the service security attribute of the data in the network flow.
Drawings
Fig. 1 is a flow chart of a network data transmission control method based on a service security label.
Fig. 2 is a relationship diagram of a network data transmission control device module based on a service security label.
Detailed Description
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings, and it should be understood that the embodiments described herein are merely for the purpose of illustrating and explaining the present invention and are not intended to limit the present invention.
The present embodiment provides a network data transmission control method based on a service security label, fig. 1 is a flowchart thereof, and the network data transmission control method based on the service security label will be described with reference to fig. 1.
1. Service security label and label control policy
The service security label M is a tuple containing a plurality of service security attributes, M = <C, G>, where C is a security level and G is a set of service security attributes g_i, G = {g_1, g_2, …, g_n}; each g_i is a service security attribute such as service category, workgroup, role or environment requirement.
The service security label of an information object (resource) such as data is written M(r) = <C_r, G_r>; the service security label of a system object (subject) such as an application, service or process is written M(o) = <C_o, G_o>. There are two relationships between the subject label M(o) and the resource label M(r): dominance and incomparable. Label M(o) dominates label M(r) when C_o ≥ C_r and G_o ⊇ G_r, written M(o) ≥ M(r), meaning that the subject can dominate the object (resource). If there is no dominance relationship between M(o) and M(r), they are incomparable, and the subject has no right over the object (resource).
Since a network data packet is an information object (resource), its service security label is defined by attributes. The label control policy for network data packets is therefore also defined by attributes. A label control policy R may be expressed as R = <C, G>, denoting the set of information objects that satisfy the specified attribute requirements. Thus the service security label of the information object specified by rule R_s can also be written M(s) = <C_s, G_s>. During policy matching, if M(s) ≥ M(r), the service security label of data packet r satisfies the label control policy rule R_s.
Following this abstract definition, a network device s can be configured with a label control policy R_s = <C_s, G_s>. The label control policy can be applied at least to routing control, port forwarding control, packet filtering control, traffic audit and anomaly detection.
2. Forwarding route management and control
The network device can manage and control the forwarding route of the data packet based on the service security label, and the specific implementation mode is as follows:
(step 1): configuring a label control policy R for a network device n having a routing functionn=<Cn,Gn>Controlling the forwarding route of the data packet;
(step 2): when the data packet d passes through, identifying a service safety mark M (d) of the data packet, if the data packet does not have the service safety mark, recording a log or performing other processing on the data packet by the device, wherein the other processing comprises alarming, forwarding, discarding or ignoring and the like, and is determined according to the actual situation;
(step 3): device to data packet d business safety mark M (R) and configured mark control strategy RnMatching check is carried out, and if matching is successful, the matching is released; otherwise, the device records logs or performs other processing on the data packet, wherein the other processing comprises alarming, forwarding, discarding or ignoring and the like, and the processing is determined according to the actual situation;
the matching rule is as follows: if M (n) is more than or equal to M (d), the matching is successful, otherwise, the matching is unsuccessful.
3. Port forwarding management and control
The network device can carry out port forwarding control on the data packet based on the service safety mark, and the specific implementation mode is as follows:
(step 1): configuring a label control policy R for a relevant port i of a network device p having a port forwarding functionpi=<Cpi,Gpi>(wherein i ═ 1,2, …, N, N ∈ N), and perform port forwarding control;
(step 2): when data passes through the port i, a service safety mark M (d) of a data packet d is identified, if the data packet does not have the service safety mark, the device records logs or performs other processing on the data packet, wherein the other processing comprises alarming, forwarding, discarding or ignoring and the like, and the processing is determined according to actual conditions;
(step 3): device to data packet service safety mark M (d) and mark control strategy R configured by port ipiMatching check is carried out, and if matching is successful, the matching is released; otherwise, logging or performing other processing on the data packet, wherein the other processing comprises alarming, forwarding, discarding or ignoring and the like, and the processing is determined according to the actual situation;
the matching rule is as follows: if M (p)i) And if the matching is more than or equal to M (d), the matching is successful, otherwise, the matching is unsuccessful.
4. Packet filter management and control
The network device can perform filtering control on the data packet based on the service security label, and the specific implementation mode is as follows:
(step 1): configuring a label control policy R for a relevant port i of a network device f having a packet filtering functionfi=<Cfi,Gfi>(wherein i is 1,2, …, N, N belongs to N), and performing packet filtering control;
(step 2): when data passes through the port i, a service safety mark M (d) of a data packet d is identified, if the data packet does not have the service safety mark, the device records logs or performs other processing on the data packet, wherein the other processing comprises alarming, forwarding, discarding or ignoring and the like, and the processing is determined according to actual conditions;
(step 3): device to data packet service safety mark M (d) and mark control strategy R configured by port ifiMatching check is carried out, and if matching is successful, the matching is released; otherwise, logging or performing other processing on the data packet, wherein the other processing comprises alarming, forwarding, discarding or ignoring and the like, and the processing is determined according to the actual situation;
the matching rule is as follows: if M (f)i) More than or equal to M (d), the matching is successful, otherwise, the matching is not performedAnd (4) success.
5. Flow audit and anomaly detection
The network device can audit network traffic and detect anomalies based on the service security label; the specific control rule is as follows:
(step 1): Configure a label control policy R_a = <C_a, G_a> for a network audit or intrusion detection type network device a, to perform network traffic audit and anomaly detection;
(step 2): When data passes, the device identifies the service security label M(d) of data packet d. If the data packet has no service security label, the device records the anomaly and logs the packet or performs other processing, where the other processing comprises alarming, forwarding, discarding or ignoring, as determined by the actual situation;
(step 3): The device performs a matching check between the service security label M(d) of the data packet and the configured label control policy R_a; if the match succeeds, processing ends; otherwise the anomaly is recorded and the data packet is forwarded to a specified destination, discarded, alarmed on or ignored.
The matching rule is: if M(a) ≥ M(d), the match succeeds; otherwise it fails.
The embodiment also provides a network data transmission control device based on the service security label, which is used for implementing the method, and as shown in fig. 2, the network data transmission control device includes a label control policy management module and a label identification management and control module. The tag control policy management module is used to configure and manage a tag control policy of a network device. The mark identification management and control module is used for identifying the service safety mark of the network data packet, performing matching check on the service safety mark of the data packet according to a mark control strategy, and performing releasing, recording, alarming, forwarding, discarding or ignoring on the data packet according to a check result.
The above embodiments are only intended to illustrate the technical solution of the present invention and not to limit the same, and a person skilled in the art can modify the technical solution of the present invention or substitute the same without departing from the spirit and scope of the present invention, and the scope of the present invention should be determined by the claims.
Claims (7)
1. A network data transmission control method based on service security label, which identifies the service security label carried by the network data packet and controls the network data correspondingly according to the service security attribute information including the security level and the service category in the label, thereby realizing the fine-grained management and control of the data on the network level based on the security requirement of the service level, comprising the following steps:
configuring a label control policy of the network device, wherein the label control policy defines relevant rules for a service security label based on a network data packet so as to manage and control network data; the service security label is a tuple M = <C, G> containing multiple service security attributes, wherein C is a security level, G is a service security attribute set, and the service security attribute set G comprises service category, workgroup, role and environment requirements; the service security label comprises a service security label M(r) = <C_r, G_r> of the information object and a service security label M(o) = <C_o, G_o> of the system object, the information object comprises data, and the system object comprises application, service and process;
when the network data packet passes through the network device, the network device identifies whether the data packet has a service safety mark, and if the data packet does not have the service safety mark, the data packet is logged or otherwise processed;
if the data packet carries the service security label, the network device carries out matching check on the service security label of the data packet according to the configured label control strategy, if the check is passed, the data packet is released, otherwise, the data packet is logged or otherwise processed.
2. The method of claim 1, wherein there are two relationships between M(o) and M(r): dominance and incomparable; when C_o ≥ C_r and G_o ⊇ G_r, denoted M(o) ≥ M(r), M(o) and M(r) are in a dominance relationship, indicating that the system object can dominate the information object; if there is no dominance relationship between M(o) and M(r), they are in an incomparable relationship, indicating that the system object has no right to dominate the information object.
3. The method of claim 1, wherein the label control policy is denoted as R = <C, G>, where R is the label control policy and the expression represents the set of information objects that satisfy the specified attributes.
4. The method of claim 3, wherein a label control policy R_s = <C_s, G_s> is configured for a network device s, the service security label of the information object specified by R_s being M(s) = <C_s, G_s>; when C_s ≥ C_r and G_s ⊇ G_r, denoted M(s) ≥ M(r), the label matching check passes.
5. The method of claim 1, wherein the other processing comprises alerting, forwarding, dropping, or ignoring.
6. A network data transmission control device based on service security label, which identifies the service security label carried by the network data packet and controls the network data according to the service security attribute information including the security level and service category in the label, thus realizing the fine-grained management and control of the data in the network layer based on the security requirement of the service layer, comprising:
a tag control policy management module for configuring and managing a tag control policy of the network device;
a label identification management and control module for identifying the service security label of the network data packet, performing a matching check on the service security label of the data packet according to the label control policy, and releasing, logging or otherwise processing the data packet according to the check result; the service security label is a tuple M = <C, G> containing multiple service security attributes, wherein C is a security level, G is a service security attribute set, and the service security attribute set G comprises service category, workgroup, role and environment requirements; the service security label comprises a service security label M(r) = <C_r, G_r> of the information object and a service security label M(o) = <C_o, G_o> of the system object, the information object comprises data, and the system object comprises application, service and process.
7. The apparatus of claim 6, wherein the other processing comprises alerting, forwarding, dropping, or ignoring.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910536194.XA CN110324326B (en) | 2019-06-20 | 2019-06-20 | Network data transmission control method and device based on service security marker |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910536194.XA CN110324326B (en) | 2019-06-20 | 2019-06-20 | Network data transmission control method and device based on service security marker |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110324326A CN110324326A (en) | 2019-10-11 |
CN110324326B true CN110324326B (en) | 2020-12-22 |
Family
ID=68119935
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910536194.XA Active CN110324326B (en) | 2019-06-20 | 2019-06-20 | Network data transmission control method and device based on service security marker |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110324326B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103188042A (en) * | 2011-12-31 | 2013-07-03 | 重庆重邮信科通信技术有限公司 | Matching method and matching accelerator of Internet protocol (IP) data package |
CN105245543A (en) * | 2015-10-28 | 2016-01-13 | 中国人民解放军国防科学技术大学 | Operating system mandatory access control method based on security marker randomization |
CN106101113A (en) * | 2016-06-24 | 2016-11-09 | 中国科学院计算技术研究所 | A kind of cloud computing data security annotation management method and system |
CN109922044A (en) * | 2019-01-25 | 2019-06-21 | 努比亚技术有限公司 | Label, method for down loading, electronic equipment and the storage medium of application |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7240046B2 (en) * | 2002-09-04 | 2007-07-03 | International Business Machines Corporation | Row-level security in a relational database management system |
CN103647772A (en) * | 2013-12-12 | 2014-03-19 | 浪潮电子信息产业股份有限公司 | Method for carrying out trusted access controlling on network data package |
JP6536109B2 (en) * | 2015-03-20 | 2019-07-03 | アイシン・エィ・ダブリュ株式会社 | Security management system and security management method |
CN105357201B (en) * | 2015-11-12 | 2019-04-16 | 中国科学院信息工程研究所 | A kind of object cloud storage access control method and system |
Events
- 2019-06-20: CN CN201910536194.XA patent/CN110324326B/en active
Also Published As
Publication number | Publication date |
---|---|
CN110324326A (en) | 2019-10-11 |
Similar Documents
Publication | Title |
---|---|
US11102223B2 (en) | Multi-host threat tracking | |
CN107251513B (en) | System and method for accurate assurance of malicious code detection | |
US8789135B1 (en) | Scalable stateful firewall design in openflow based networks | |
US20160366187A1 (en) | Dynamic data socket descriptor mirroring mechanism and use for security analytics | |
CN106817275B (en) | System and method for automatically preventing and arranging strategy conflict | |
US8644309B2 (en) | Quarantine device, quarantine method, and computer-readable storage medium | |
US8015604B1 (en) | Hierarchical architecture in a network security system | |
US20150341380A1 (en) | System and method for detecting abnormal behavior of control system | |
US11223643B2 (en) | Managing a segmentation policy based on attack pattern detection | |
US20070280112A1 (en) | System and method for controlling and tracking network content flow | |
US20070022468A1 (en) | Packet transmission equipment and packet transmission system | |
CN105407099B (en) | The verifying that Firewall Group is concentrated is shared | |
US11356483B2 (en) | Protecting network-based services using deception in a segmented network environment | |
US9027120B1 (en) | Hierarchical architecture in a network security system | |
CN110324326B (en) | Network data transmission control method and device based on service security marker | |
CN102217248B (en) | Distributed packet flow checks and process | |
CN1983955A (en) | Method and system for monitoring illegal message | |
WO2016092834A1 (en) | Communication monitoring system, degree-of-importance calculation device and calculation method thereof, presentation device, and recording medium in which computer program is stored | |
WO2019142348A1 (en) | Network control device and network control method | |
JP4642707B2 (en) | Packet control apparatus, packet control method, and packet control program | |
JP4095076B2 (en) | Security management device, security management method, and security management program based on evaluation index calculation by security information exchange | |
CN110290128B (en) | Network isolation and exchange control method and device based on service security label | |
Geer | Behavior-based network security goes mainstream | |
JP2009005122A (en) | Illegal access detection apparatus, and security management device and illegal access detection system using the device | |
TWI714969B (en) | Packet forwarding method and device utilizing the same |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||