CN110324326B - Network data transmission control method and device based on service security marker - Google Patents


Info

Publication number: CN110324326B
Authority: CN (China)
Prior art keywords: service, data packet, security, network, mark
Legal status: Active
Application number: CN201910536194.XA
Other languages: Chinese (zh)
Other versions: CN110324326A (en)
Inventors: 于海波 (Yu Haibo), 李志谦 (Li Zhiqian), 刘坤颖 (Liu Kunying), 祁峰 (Qi Feng)
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS
Priority date: 2019-06-20
Filing date: 2019-06-20
Publication dates: 2019-10-11 (CN110324326A), 2020-12-22 (CN110324326B)

Events
Application filed by Institute of Information Engineering of CAS
Priority to CN201910536194.XA
Publication of CN110324326A
Application granted
Publication of CN110324326B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention provides a network data transmission control method and device based on a service security label, belonging to the field of network technology and computer information security.

Description

Network data transmission control method and device based on service security marker
Technical Field
The invention relates to a network data transmission control method, in particular to a method and a device for controlling network data transmission based on the service security attribute of a network data packet, and belongs to the field of network technology and computer information security.
Background Art
Current network data control methods rely mainly on network-layer information such as the five-tuple, source and destination addresses, and packet characteristics. They cannot perform fine-grained control and audit of network data according to the security requirements of the service layer; it is difficult to apply routing control to different types of service data, difficult to control the path of a specific service data flow and discover anomalies in it according to the requirements of the service application, and impossible to apply efficient fine-grained control to different types of service data at a security domain boundary.
Disclosure of Invention
The invention aims to provide a network data transmission control method and device based on service security labels, addressing the need for fine-grained management and control of network data.
To this end, the invention adopts a network data transmission control method based on a service security label, comprising the following steps:
Step 1: configure the label control policy of the network device; the label control policy is a rule, defined in terms of the service security label of a network data packet, used to control network data.
Step 2: when a network data packet passes through the network device, the device identifies whether the packet carries a service security label; if it does not, the packet is logged or otherwise processed.
Step 3: if the packet carries a service security label, the network device performs a match check of the packet's label against the configured label control policy; if the check passes the packet is released, otherwise it is logged or otherwise processed.
Further, the service security label is a tuple M = <C, G> containing multiple service security attributes, where C is a security level and G is the service security attribute set, which includes service category, workgroup, role and environment requirements.
Further, service security labels are assigned both to information objects, M(r) = <C_r, G_r>, and to system objects, M(o) = <C_o, G_o>; information objects include data, and system objects include applications, services and processes.
Further, there are two possible relations between M(o) and M(r): dominance and incomparability. When C_o ≥ C_r and G_o ⊇ G_r, written M(o) ≥ M(r), M(o) dominates M(r), meaning the system object may dominate (has rights over) the information object. If no dominance relation holds between M(o) and M(r), they are incomparable, and the system object has no right over the information object.
Further, the label control policy can be written R = <C, G>, where R is the label control policy and the expression denotes the set of information objects that satisfy the specified attributes.
Further, a label control policy R_s = <C_s, G_s> is configured for a network device s; the service security label of the information objects specified by R_s can be written M(s) = <C_s, G_s>. If M(s) ≥ M(r), the label match check passes; otherwise it fails.
Further, the other processing includes alarming, forwarding, discarding or ignoring, and the like.
To the same end, the invention further provides a network data transmission control device based on the service security label, comprising a label control policy management module and a label identification management and control module.
The label control policy management module configures and manages the label control policy of the network device.
The label identification management and control module identifies the service security label of a network data packet, performs the match check of that label against the label control policy, and releases, logs or otherwise processes the packet according to the result of the check.
Further, in the label identification management and control module, the other processing includes alarming, forwarding, discarding or ignoring.
Compared with the prior art, the invention has the following positive effects:
By identifying the service security attributes carried in network data, service-oriented fine-grained data management and control become possible at the network layer. The invention allows network devices (routers, switches, etc.) and network security devices (firewalls, security gateways, traffic audit systems, IPS/IDS, etc.) to apply efficient fine-grained control to different types of data according to the service security attributes of the network data: for example, to control the routing and forwarding of a packet according to its service security attributes; to control port forwarding of a packet according to its service security attributes; to apply fine-grained control to different service data at a security domain boundary according to their service security attributes; and to perform service security audit and detection of abnormal service behaviour on traffic according to the service security attributes of the data in the flow.
Drawings
Fig. 1 is a flow chart of a network data transmission control method based on a service security label.
Fig. 2 is a relationship diagram of a network data transmission control device module based on a service security label.
Detailed Description
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings, and it should be understood that the embodiments described herein are merely for the purpose of illustrating and explaining the present invention and are not intended to limit the present invention.
The present embodiment provides a network data transmission control method based on a service security label, fig. 1 is a flowchart thereof, and the network data transmission control method based on the service security label will be described with reference to fig. 1.
1. Service security label and label control policy
The service security label M is a tuple containing several service security attributes, M = <C, G>, where C is a security level and G = {g_1, g_2, …, g_n} is a set of service security attributes g_i; a service security attribute can be a service category, workgroup, role, environment requirement and so on.
The service security label of an information object (resource) such as data is written M(r) = <C_r, G_r>, and the service security label of a system object (subject) such as an application, service or process is written M(o) = <C_o, G_o>. There are two relations between the subject label M(o) and the resource label M(r): dominance and incomparability. Label M(o) dominates label M(r) when C_o ≥ C_r and G_o ⊇ G_r, written M(o) ≥ M(r), meaning the subject may dominate the object (resource). If no dominance relation holds between M(o) and M(r), they are incomparable and the subject has no right over the object (resource).
Since a network data packet is an information object (resource), its service security label is defined by attributes, and the label control policy for network data packets is therefore also defined by attributes. A label control policy R can be written R = <C, G>, denoting the set of information objects that satisfy the specified attribute requirements. Thus the service security label of the information objects specified by a rule R_s can also be written M(s) = <C_s, G_s>. During policy match checking, if M(s) ≥ M(r), the service security label of data packet r satisfies label control policy rule R_s.
Following this abstract definition, a network device s can be configured with a label control policy R_s = <C_s, G_s>. The label control policy can be applied at least to route control, port forwarding control, packet filtering control, traffic audit, anomaly detection and similar functions.
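The label model and dominance relation of section 1, as an added example in Python (this is not code from the patent or its assignee). It assumes that security levels are integers ordered numerically and that attributes are encoded as "kind=value" strings; the names Label, dominates, relation, match_check and explain_mismatch and the constructed labels are this example's own. It also spells out the consequence of the patent defining only two relations: a packet whose level is below the policy level but whose attribute set is not covered by the policy is incomparable, not partially matched.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List


@dataclass(frozen=True)
class Label:
    """Service security label M = <C, G>: C is the security level, G the set of
    service security attributes (service category, workgroup, role, environment
    requirement ...).  Encoding attributes as "kind=value" strings is an
    assumption of this example; the patent does not fix an encoding."""
    level: int
    attrs: FrozenSet[str] = field(default_factory=frozenset)


def dominates(a: Label, b: Label) -> bool:
    """M(a) >= M(b) iff C_a >= C_b and G_a is a superset of G_b."""
    return a.level >= b.level and a.attrs >= b.attrs


def relation(subject: Label, resource: Label) -> str:
    """The patent defines exactly two relations between a subject label M(o) and a
    resource label M(r): dominant when M(o) >= M(r), otherwise incomparable."""
    return "dominant" if dominates(subject, resource) else "incomparable"


def match_check(policy: Label, packet: Label) -> bool:
    """Label match check: a policy R_s = <C_s, G_s> stands for the label M(s);
    the packet label M(d) passes iff M(s) >= M(d)."""
    return dominates(policy, packet)


def explain_mismatch(policy: Label, packet: Label) -> List[str]:
    """Why a match check failed, in the form a device would write to its log.
    Returns an empty list when the check passes."""
    reasons = []
    if packet.level > policy.level:
        reasons.append(f"level {packet.level} exceeds policy level {policy.level}")
    missing = packet.attrs - policy.attrs
    if missing:
        reasons.append("attributes not covered by policy: " + ", ".join(sorted(missing)))
    return reasons


# Constructed labels for a finance application's data path (example data, not from the patent).
POLICY = Label(3, frozenset({"service=payroll", "group=finance", "role=clerk", "env=intranet"}))
PKT_OK = Label(2, frozenset({"service=payroll", "group=finance"}))
PKT_TOO_HIGH = Label(4, frozenset({"service=payroll"}))
PKT_WRONG_GROUP = Label(1, frozenset({"service=payroll", "group=hr"}))

if __name__ == "__main__":
    for name, pkt in (("ok", PKT_OK), ("too high", PKT_TOO_HIGH), ("wrong group", PKT_WRONG_GROUP)):
        verdict = "pass" if match_check(POLICY, pkt) else "fail"
        print(f"{name}: {verdict} {explain_mismatch(POLICY, pkt)}")
    # Neither label dominates the other: one has the higher level, the other an attribute the first lacks.
    print(relation(Label(2, frozenset({"a"})), Label(1, frozenset({"b"}))))
```

Because the check is M(s) ≥ M(d), a policy must enumerate every attribute a legitimate packet may carry: a packet with a single attribute outside G_s fails even at security level 0, which is the behaviour a practitioner should expect when the attribute vocabulary grows.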
2. Forwarding route management and control
A network device can control the forwarding route of data packets based on the service security label, as follows:
(Step 1): configure a label control policy R_n = <C_n, G_n> for a network device n with a routing function, to control the forwarding route of data packets;
(Step 2): when a data packet d passes through, identify its service security label M(d); if the packet has no service security label, the device logs the packet or processes it otherwise (alarm, forward, discard or ignore, as determined by the actual situation);
(Step 3): the device performs a match check of the packet's service security label M(d) against the configured label control policy R_n; if the match succeeds the packet is released, otherwise the device logs the packet or processes it otherwise (alarm, forward, discard or ignore, as determined by the actual situation).
The matching rule is: if M(n) ≥ M(d) the match succeeds, otherwise it fails.
3. Port forwarding management and control
A network device can apply port forwarding control to data packets based on the service security label, as follows:
(Step 1): configure a label control policy R_{p,i} = <C_{p,i}, G_{p,i}> (i = 1, 2, …, N, N ∈ ℕ) for each relevant port i of a network device p with a port forwarding function, to control port forwarding;
(Step 2): when data passes through port i, identify the service security label M(d) of data packet d; if the packet has no service security label, the device logs the packet or processes it otherwise (alarm, forward, discard or ignore, as determined by the actual situation);
(Step 3): the device performs a match check of the packet's service security label M(d) against the label control policy R_{p,i} configured for port i; if the match succeeds the packet is released, otherwise the packet is logged or processed otherwise (alarm, forward, discard or ignore, as determined by the actual situation).
The matching rule is: if M(p_i) ≥ M(d) the match succeeds, otherwise it fails.
4. Packet filtering management and control
A network device can apply filtering control to data packets based on the service security label, as follows:
(Step 1): configure a label control policy R_{f,i} = <C_{f,i}, G_{f,i}> (i = 1, 2, …, N, N ∈ ℕ) for each relevant port i of a network device f with a packet filtering function, to control packet filtering;
(Step 2): when data passes through port i, identify the service security label M(d) of data packet d; if the packet has no service security label, the device logs the packet or processes it otherwise (alarm, forward, discard or ignore, as determined by the actual situation);
(Step 3): the device performs a match check of the packet's service security label M(d) against the label control policy R_{f,i} configured for port i; if the match succeeds the packet is released, otherwise the packet is logged or processed otherwise (alarm, forward, discard or ignore, as determined by the actual situation).
The matching rule is: if M(f_i) ≥ M(d) the match succeeds, otherwise it fails.
5. Traffic audit and anomaly detection
A network device can audit network traffic and detect anomalies in it based on the service security label; the control rule is as follows:
(Step 1): configure a label control policy R_a = <C_a, G_a> for a network audit or intrusion detection device a, to perform network traffic audit and anomaly detection;
(Step 2): when data passes through, the device identifies the service security label M(d) of data packet d; if the packet has no service security label, the device records the exception and logs the packet or processes it otherwise (alarm, forward, discard or ignore, as determined by the actual situation);
(Step 3): the device performs a match check of the packet's service security label M(d) against the configured label control policy R_a; if the match succeeds the process ends, otherwise the exception is recorded and the packet is forwarded, discarded, alarmed on or ignored as specified.
The matching rule is: if M(a) ≥ M(d) the match succeeds, otherwise it fails.
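The common procedure of sections 2 to 5 (a policy per device or per port, log-or-other-processing for unlabeled packets, match check and release, and record-only handling on an audit or intrusion-detection device), as an added example in Python that is not code from the patent. The LabelControlDevice class, the packet dictionaries and the trace are constructed for this example; the patent does not say how the label is carried in a packet or protected, so here it is simply an optional "label" field of the packet dict (assumption). In a deployment that field must be attached by a trusted component and its integrity verified, since an unauthenticated label is chosen by the sender and the match check then only constrains honest senders.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Label (C, G): C is the security level, G the frozenset of service security
# attributes (section 1).  The "kind=value" attribute strings, the packet dict
# layout and the port numbering are assumptions of this example.
Label = Tuple[int, frozenset]


def dominates(s: Label, d: Label) -> bool:
    """M(s) >= M(d) iff C_s >= C_d and G_s is a superset of G_d."""
    return s[0] >= d[0] and s[1] >= d[1]


class LabelControlDevice:
    """Label identification, management and control module of one device.
    policies maps a port number to its label control policy R_{p,i} / R_{f,i}
    (sections 3, 4); the key None holds a device-wide policy R_n / R_a (sections 2, 5)."""

    def __init__(self, name: str, policies: Dict[Optional[int], Label],
                 on_fail: str = "drop", audit_only: bool = False):
        self.name = name
        self.policies = policies
        self.on_fail = on_fail          # "other processing": alarm, forward, drop or ignore
        self.audit_only = audit_only    # section 5: record the exception, keep forwarding
        self.log: List[str] = []
        self.stats: Counter = Counter()

    def _policy_for(self, port: int) -> Optional[Label]:
        return self.policies.get(port, self.policies.get(None))

    def _exception(self, packet: dict, port: int, kind: str, detail: str) -> str:
        # Failure path of steps 2 and 3: log the packet, then apply the configured action.
        self.log.append(f"{self.name} port {port} pkt {packet['id']}: {kind} ({detail})")
        self.stats[kind] += 1
        return "forward" if self.audit_only else self.on_fail

    def process(self, port: int, packet: dict) -> str:
        label = packet.get("label")
        if label is None:                                   # step 2: no label at all
            return self._exception(packet, port, "no label", "packet carries no service security label")
        policy = self._policy_for(port)
        if policy is None:                                  # unconfigured port; treated as a failure (assumption)
            return self._exception(packet, port, "no policy", f"port {port} has no label control policy")
        if dominates(policy, label):                        # step 3: M(s) >= M(d), release
            self.stats["pass"] += 1
            return "pass"
        return self._exception(packet, port, "mismatch",
                               f"label {label[0]}/{sorted(label[1])} not dominated by policy {policy[0]}/{sorted(policy[1])}")


# Constructed attribute sets and packet trace (example data, not captured traffic).
FIN = frozenset({"service=payroll", "group=finance"})
HR = frozenset({"service=records", "group=hr"})
TRACE = [
    (1, {"id": "p1", "label": (2, FIN)}),   # finance data on the finance port, level within policy
    (1, {"id": "p2", "label": (3, FIN)}),   # level 3 exceeds the port 1 policy level 2
    (1, {"id": "p3"}),                      # no service security label
    (2, {"id": "p4", "label": (1, HR)}),    # HR data on the HR port
    (2, {"id": "p5", "label": (1, FIN)}),   # finance data arriving on the HR port
]


def make_firewall() -> LabelControlDevice:
    """Packet-filtering device f with one policy per port (section 4); failures are dropped."""
    return LabelControlDevice("f", {1: (2, FIN), 2: (2, HR)}, on_fail="drop")


def make_auditor() -> LabelControlDevice:
    """Audit / intrusion-detection device a with a single policy R_a (section 5)."""
    return LabelControlDevice("a", {None: (2, FIN | HR)}, audit_only=True)


def run(device: LabelControlDevice) -> List[Tuple[str, int, str]]:
    """Push the trace through a device; returns (packet id, port, action) per packet."""
    return [(pkt["id"], port, device.process(port, pkt)) for port, pkt in TRACE]


if __name__ == "__main__":
    for dev in (make_firewall(), make_auditor()):
        for pid, port, action in run(dev):
            print(f"{dev.name} port {port} {pid}: {action}")
        print(dev.name, dict(dev.stats))
        print("\n".join(dev.log))
```

The firewall and the auditor see the same five packets; the firewall drops the three that fail (level too high, unlabeled, finance data on the HR port), while the auditor's wider policy passes the cross-port packet, records the other two as exceptions and forwards everything, which is the difference between sections 4 and 5.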
The embodiment also provides a network data transmission control device based on the service security label for implementing the method; as shown in Fig. 2, it comprises a label control policy management module and a label identification management and control module. The label control policy management module configures and manages the label control policy of a network device. The label identification management and control module identifies the service security label of a network data packet, performs the match check of that label against the label control policy, and releases, logs, alarms on, forwards, discards or ignores the packet according to the result of the check.
The above embodiments are only intended to illustrate the technical solution of the present invention and not to limit the same, and a person skilled in the art can modify the technical solution of the present invention or substitute the same without departing from the spirit and scope of the present invention, and the scope of the present invention should be determined by the claims.

Claims (7)

1. A network data transmission control method based on a service security label, which identifies the service security label carried by a network data packet and controls the network data according to the service security attribute information in the label, including the security level and the service category, thereby realizing fine-grained management and control of data at the network layer based on the security requirements of the service layer, comprising the following steps:
configuring a label control policy of the network device, wherein the label control policy defines rules, in terms of the service security label of a network data packet, for managing and controlling network data; the service security label is a tuple M = <C, G> containing multiple service security attributes, where C is a security level and G is the service security attribute set, which includes service category, workgroup, role and environment requirements; the service security label includes the service security label M(r) = <C_r, G_r> of an information object and the service security label M(o) = <C_o, G_o> of a system object, where information objects include data and system objects include applications, services and processes;
when a network data packet passes through the network device, the network device identifies whether the packet carries a service security label, and if it does not, the packet is logged or otherwise processed;
if the packet carries a service security label, the network device performs a match check of the packet's label against the configured label control policy; if the check passes the packet is released, otherwise it is logged or otherwise processed.
2. The method of claim 1, wherein there are two relations between M(o) and M(r): dominance and incomparability; when C_o ≥ C_r and G_o ⊇ G_r, written M(o) ≥ M(r), a dominance relation holds between M(o) and M(r), meaning the system object may dominate the information object; if no dominance relation holds between M(o) and M(r), they are incomparable, meaning the system object has no right to dominate the information object.
3. The method of claim 1, wherein the label control policy is written R = <C, G>, where R is the label control policy and the expression denotes the set of information objects that satisfy the specified attributes.
4. The method of claim 3, wherein a label control policy R_s = <C_s, G_s> is configured for a network device s, the service security label of the information objects specified by R_s is M(s) = <C_s, G_s>, and when C_s ≥ C_r and G_s ⊇ G_r, written M(s) ≥ M(r), the label match check passes.
5. The method of claim 1, wherein the other processing comprises alerting, forwarding, dropping, or ignoring.
6. A network data transmission control device based on a service security label, which identifies the service security label carried by a network data packet and controls the network data according to the service security attribute information in the label, including the security level and the service category, thereby realizing fine-grained management and control of data at the network layer based on the security requirements of the service layer, comprising:
a label control policy management module for configuring and managing the label control policy of the network device;
a label identification management and control module for identifying the service security label of a network data packet, performing a match check of the packet's label against the label control policy, and releasing, logging or otherwise processing the packet according to the result of the check; the service security label is a tuple M = <C, G> containing multiple service security attributes, where C is a security level and G is the service security attribute set, which includes service category, workgroup, role and environment requirements; the service security label includes the service security label M(r) = <C_r, G_r> of an information object and the service security label M(o) = <C_o, G_o> of a system object, where information objects include data and system objects include applications, services and processes.
7. The apparatus of claim 6, wherein the other processing comprises alerting, forwarding, dropping, or ignoring.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910536194.XA 2019-06-20 2019-06-20 Network data transmission control method and device based on service security marker (CN110324326B, Active)

Publications (2)

Publication Number Publication Date
CN110324326A CN110324326A (en) 2019-10-11
CN110324326B true CN110324326B (en) 2020-12-22

Family

ID=68119935

Country Status (1)

Country Link
CN (1) CN110324326B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103188042A * 2011-12-31 2013-07-03 Chongqing CYIT Communication Technologies Co., Ltd. (重庆重邮信科通信技术有限公司) Matching method and matching accelerator for Internet Protocol (IP) data packets
CN105245543A * 2015-10-28 2016-01-13 National University of Defense Technology (中国人民解放军国防科学技术大学) Operating system mandatory access control method based on security marker randomization
CN106101113A * 2016-06-24 2016-11-09 Institute of Computing Technology, CAS (中国科学院计算技术研究所) Cloud computing data security annotation management method and system
CN109922044A * 2019-01-25 2019-06-21 Nubia Technology Co., Ltd. (努比亚技术有限公司) Application label, download method, electronic device and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7240046B2 * 2002-09-04 2007-07-03 International Business Machines Corporation Row-level security in a relational database management system
CN103647772A * 2013-12-12 2014-03-19 Inspur Electronic Information Industry Co., Ltd. (浪潮电子信息产业股份有限公司) Method for trusted access control of network data packets
JP6536109B2 * 2015-03-20 2019-07-03 Aisin AW Co., Ltd. (アイシン・エィ・ダブリュ株式会社) Security management system and security management method
CN105357201B * 2015-11-12 2019-04-16 Institute of Information Engineering, CAS (中国科学院信息工程研究所) Object cloud storage access control method and system


Also Published As

Publication number Publication date
CN110324326A (en) 2019-10-11

Similar Documents

Publication Publication Date Title
US11102223B2 (en) Multi-host threat tracking
CN107251513B (en) System and method for accurate assurance of malicious code detection
US8789135B1 (en) Scalable stateful firewall design in openflow based networks
US20160366187A1 (en) Dynamic data socket descriptor mirroring mechanism and use for security analytics
CN106817275B (en) System and method for automatically preventing and arranging strategy conflict
US8644309B2 (en) Quarantine device, quarantine method, and computer-readable storage medium
US8015604B1 (en) Hierarchical architecture in a network security system
US20150341380A1 (en) System and method for detecting abnormal behavior of control system
US11223643B2 (en) Managing a segmentation policy based on attack pattern detection
US20070280112A1 (en) System and method for controlling and tracking network content flow
US20070022468A1 (en) Packet transmission equipment and packet transmission system
CN105407099B (en) The verifying that Firewall Group is concentrated is shared
US11356483B2 (en) Protecting network-based services using deception in a segmented network environment
US9027120B1 (en) Hierarchical architecture in a network security system
CN110324326B (en) Network data transmission control method and device based on service security marker
CN102217248B (en) Distributed packet flow checks and process
CN1983955A (en) Method and system for monitoring illegal message
WO2016092834A1 (en) Communication monitoring system, degree-of-importance calculation device and calculation method thereof, presentation device, and recording medium in which computer program is stored
WO2019142348A1 (en) Network control device and network control method
JP4642707B2 (en) Packet control apparatus, packet control method, and packet control program
JP4095076B2 (en) Security management device, security management method, and security management program based on evaluation index calculation by security information exchange
CN110290128B (en) Network isolation and exchange control method and device based on service security label
Geer Behavior-based network security goes mainstream
JP2009005122A (en) Illegal access detection apparatus, and security management device and illegal access detection system using the device
TWI714969B (en) Packet forwarding method and device utilizing the same

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant