CN111091204B - Intelligent monitoring method and device for maintenance behaviors and computer readable storage medium - Google Patents


Info

Publication number: CN111091204B
Authority: CN (China)
Prior art keywords: maintenance, state, maintenance tool, permission, tool
Legal status: Active
Application number: CN201911287595.2A
Other languages: Chinese (zh)
Other versions: CN111091204A
Inventors: 陈建校, 刘永阳
Current assignee: Shuxing Technology Shanghai Co ltd
Original assignee: Shuxing Technology Shanghai Co ltd
Events: application filed by Shuxing Technology Shanghai Co ltd; priority to CN201911287595.2A; published as CN111091204A; application granted; published as CN111091204B; legal status active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/20 Administration of product repair or maintenance
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Abstract

The invention discloses an intelligent monitoring method and device for maintenance behaviors and a computer storage medium. The method comprises the following steps: closing a communication channel between the maintenance tool and the terminal equipment; acquiring identity information and judging whether the identity information accords with maintenance permission conditions; when the identity information accords with the maintenance permission condition, placing the maintenance tool in a permission state; adding the address data of the maintenance tool into an address white list, and opening a communication channel according to the address white list and preset authority data; maintaining the permission state of the maintenance tool in real time, and monitoring the record state and the maintenance authority state of the maintenance behavior of the maintenance tool in real time; judging whether the maintenance tool meets the control conditions in real time according to the maintenance permission state, the recording state and the maintenance authority state; and when the maintenance tool is in a state of not meeting the control condition, closing a communication channel between the maintenance tool and the terminal equipment. The method solves the technical problem of safe and intelligent management and control of the maintenance behavior in the process of maintaining the IT equipment.

Description

Intelligent monitoring method and device for maintenance behaviors and computer readable storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to an intelligent monitoring method and apparatus for maintenance behavior, and a computer readable storage medium.
Background
With the development of Industry 3.0, IT equipment running software is applied ever more widely. Ethernet technology is mature, and IT equipment connected to Ethernet is maintained, debugged and loaded with data through its Ethernet interface, which greatly facilitates equipment maintenance. However, because IT equipment consists of both software and hardware, permission to maintain the equipment must be strictly managed.
Maintenance personnel of one manufacturer do not want maintenance personnel of other manufacturers to gain easy access to their own manufacturer's equipment while they maintain it. The maintenance authority of each manufacturer's personnel therefore has to be controlled so that they can maintain only the equipment supplied by their own manufacturer.
During system operation, maintenance, debugging, data downloading and similar operations are unavoidable, and the equipment owner on site has to manage the personnel involved, the maintenance behavior and so on. At present this is generally done manually, with maintenance technicians filling in forms. In practice deviations are unavoidable: what the technicians write down often does not match the actual work or is incomplete, and maintenance personnel are generally unwilling to report fully what they maintained.
Intelligent maintenance management is therefore an urgent requirement: the technical problem of safe, intelligent management and control of IT equipment maintenance needs to be solved, so that the maintenance permission, maintenance authority and maintenance behavior of IT equipment are managed and controlled comprehensively, effectively and intelligently. The related prior art is as follows:
(1) Method, system and equipment for user access security control, patent number CN200710195102.3. The problem it solves: in multi-service mode, the BNG uniquely identifies a user link through VLAN/QinQ so that it can apply security control to a single user link. It does not effectively solve the technical problem of safe and intelligent management and control of IT equipment maintenance.
(2) A terminal access security authentication method, patent number 201610037094.9. The problem it solves: a terminal with a security problem is denied access to the core network, and otherwise access is granted; that is, terminals with potential safety hazards are kept out of the core network. It does not effectively solve the technical problem of safe and intelligent management and control of IT equipment maintenance.
(3) Method, device and system for realizing secure access, patent number CN201711045256.4. The problem it solves: supporting multiple mutually isolated VPN services on the same network infrastructure. It does not effectively solve the technical problem of safe and intelligent management and control of IT equipment maintenance.
(4) A temporary terminal safety access control method and system, patent number CN201710356047.5. The problem it solves: after authentication passes, communication is established between the VLAN of the reserved interface and the standard VLAN that the temporary terminal is to access, and authorization and authority control are carried out by adjusting the relationship between the VLAN of the core network's reserved interface and the target VLAN. This cited patent relies on the VLAN isolation of a switch in the core network, through a security module, to apply coarse management and control to a maintenance tool connected to a reserved interface of the core network. It is VLAN-level authority control: it does not achieve IP-level authority control, does not control the maintenance process of the maintenance tool, and does not comprehensively cover maintenance permission, authority permission and maintenance behavior. It also cannot be applied where all terminal devices in the core network can communicate with all standard VLANs, or where the core network is built from unmanaged switches with the reserved interface in the same VLAN, so the modification is difficult and costly to implement. The cited patent therefore does not effectively and comprehensively solve the technical problem of safe and intelligent management and control of maintenance permission, authority and maintenance behavior in IT equipment maintenance.
(5) Method, system and server for realizing secure access control, patent number CN200810149348.1. It solves secure access control and authorization for terminal devices connected to 802.1X switches, and uses terminal device information protected by two-way encryption; a terminal security control module issues a security policy, and the scheme relies on that module, so a terminal without it cannot be controlled. It does not effectively solve the technical problem of safe and intelligent management and control of IT equipment maintenance.
In summary, the technical problem of comprehensively, effectively and intelligently managing and controlling the maintenance permission, maintenance authority and maintenance behavior of IT equipment has not been solved so far.
Disclosure of Invention
The invention mainly aims to provide an intelligent monitoring method and device for maintenance behaviors and a computer readable storage medium, and aims to solve the technical problems of permission, authority and comprehensive control of the maintenance behaviors in the IT equipment maintenance process.
In order to achieve the above object, the present invention provides an intelligent monitoring method for maintenance behavior, comprising:
closing a communication channel between a maintenance tool and a terminal device so as to prevent the maintenance tool from maintaining the terminal device;
acquiring the identity information of the maintenance tool, and judging whether the identity information meets a maintenance permission condition;
when the identity information meets the maintenance permission condition, placing the maintenance permission state of the maintenance tool into the permission state;
when the maintenance tool is in the permission state, adding the address data of the maintenance tool to an address white list and opening the communication channel according to the address white list and preset authority data, so as to allow the maintenance tool to maintain the terminal device within its authority range;
when the maintenance tool is in the permission state, maintaining the permission state of the maintenance tool in real time, and monitoring the recording state and the maintenance authority state of the maintenance behavior of the maintenance tool in real time;
judging in real time whether the maintenance tool meets a control condition according to the maintenance permission state, the recording state of the maintenance behavior and the maintenance authority state;
when the maintenance tool does not meet the control condition, closing the communication channel between the maintenance tool and the terminal device.
The maintenance tool does not meet the control condition when:
maintaining the permission state of the maintenance tool fails; or
the maintenance authority state is an override state; or
the recording state is the unavailable state.
Preferably, the step of closing the communication channel between the maintenance tool and the terminal device specifically includes:
connecting the maintenance tool and the terminal device to different, mutually isolated virtual local area networks.
Preferably, the step of closing the communication channel between the maintenance tool and the terminal device specifically includes:
removing the addresses of maintenance tools that do not meet the control requirements from the white list.
Preferably, when the maintenance permission state of the maintenance tool is the permission state, the step of maintaining the permission state of the maintenance tool in real time specifically includes:
acquiring in real time the record data of the maintenance data packets exchanged with the maintenance tool in the permission state, so as to keep the maintenance tool in the permission state.
Preferably, the step of judging in real time whether the maintenance tool meets the control requirement according to the maintenance permission state, the recording state of the maintenance behavior and the maintenance authority state specifically includes:
generating an authority access list and an actual access list according to the authority data and the maintenance behavior respectively;
judging whether the number of times the authority access list is an empty set within a preset period is greater than M1; or
judging whether the number of times the actual access list is an empty set within the preset period is greater than M2; or
judging whether the difference set between the authority access list and the actual access list is an empty set.
The maintenance authority state is the override state when:
the number of times the authority access list is an empty set is greater than M1; or
the number of times the actual access list is an empty set is greater than M2; or
the difference set between the authority access list and the actual access list is an empty set.
Preferably, the step of judging in real time whether the maintenance tool meets the control requirement according to the maintenance permission state, the recording state of the maintenance behavior and the maintenance authority state specifically includes:
recording the maintenance behavior as stored data;
judging whether the stored data is an empty set; or
judging whether the number of times the stored data is an empty set within a preset period is greater than M3.
The recording state is the unavailable state when:
the stored data is an empty set; or
the number of times the stored data is an empty set within a preset period is greater than M3.
Preferably, before the step of closing the communication channel between the maintenance tool and the terminal device, the method further includes:
initializing the application data of the maintenance tool so as to provide the maintenance tool with a stable network address;
alternatively, after the step of closing the communication channel between the maintenance tool and the terminal device, the method further includes:
acquiring the application initialization data of the maintenance tool through the link layer.
Preferably, before acquiring the identity information of the maintenance tool and judging whether the identity information meets the authentication condition, the method further includes:
the maintenance tool periodically receiving application data from the link layer.
In order to solve the technical problems, the invention also provides an intelligent monitoring device for maintenance actions, which comprises a tool interface connected with a maintenance tool, a network interface connected with a terminal device, a memory, a processor and a computer program stored in the memory, wherein the computer program is executed by the processor to realize the steps of the intelligent monitoring method for maintenance actions.
In order to solve the technical problem, the present invention further provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program, and the computer program realizes the steps of the intelligent monitoring method of maintenance behavior when being executed by a processor.
According to the intelligent monitoring method for maintenance behavior, the communication channel between the maintenance tool and the terminal device is closed so that the maintenance tool cannot maintain the terminal device; the identity information of the maintenance tool is acquired and judged against the maintenance permission condition; when the identity information meets the maintenance permission condition, the maintenance permission state of the maintenance tool is placed into the permission state; when the maintenance tool is in the permission state, its address data is added to the address white list and the communication channel is opened according to the address white list and the preset authority data, so as to allow the maintenance tool to maintain the terminal device within its authority range; while the maintenance tool is in the permission state, the permission state is maintained in real time and the recording state and maintenance authority state of the maintenance behavior are monitored in real time; whether the maintenance tool meets the control condition is judged in real time from the maintenance permission state, the recording state of the maintenance behavior and the maintenance authority state; and when the maintenance tool does not meet the control condition, the communication channel between the maintenance tool and the terminal device is closed. The maintenance tool does not meet the control condition when maintaining its permission state fails, when the maintenance authority state is an override state, or when the recording state is the unavailable state.
Therefore, potential safety hazards such as illegal invasion, misoperation, unauthorized maintenance, malicious damage to equipment and systems and the like in the process of maintaining the IT equipment are eliminated, and the technical problem of safe and intelligent management and control of maintenance behaviors in the process of maintaining the IT equipment is solved.
Drawings
FIG. 1 is a schematic flow chart of a first embodiment of an intelligent monitoring method for maintenance behavior according to the present invention;
FIG. 2 is a schematic flow chart of S50 shown in FIG. 1;
FIG. 3 is a flowchart of a second embodiment of the intelligent monitoring method for maintenance behavior according to the present invention;
FIG. 4 is a schematic flow chart of a third embodiment of the intelligent monitoring method for maintenance behavior according to the present invention;
FIG. 5 is a schematic diagram of an intelligent monitoring device for maintenance behavior according to the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The invention provides an intelligent monitoring method for maintenance behaviors.
First embodiment
In this embodiment, the terminal devices are communicatively connected to each other to form a core network.
The application scenario of this embodiment is that the reserved interface of the core network is a non-managed switch interface and all terminal devices in the core network are in the same subnet.
Alternatively, the reserved interface of the core network is a managed switch interface and the core network reserved interface is in the same virtual local area network (Virtual Local Area Network) as all terminal devices in the core network.
Referring to fig. 1, the intelligent monitoring method for maintenance behavior includes:
S10, closing a communication channel between the maintenance tool and the terminal device so as to prevent the maintenance tool from maintaining the terminal device.
Specifically, the data exchange module is powered on. In the default state, the data exchange function between the interface connected to the reserved interface of the core network and the interface connected to the maintenance tool is closed;
an outbound MAC white list containing only the management MAC address of the management and control service is loaded, and outbound white list filtering is enabled;
the data exchange function between the interface connected to the reserved interface of the core network and the interface connected to the maintenance tool is then opened.
The effect is that no uncontrolled time window exists between power-up and service start-up, so the maintenance tool cannot use such a window to intrude into the core network without authorization.
S20, acquiring the identity information of the maintenance tool, and judging whether the identity information meets the maintenance permission condition;
S30, when the identity information meets the maintenance permission condition, placing the maintenance permission state of the maintenance tool into the permission state;
when the maintenance tool is in the permission state, adding the address data of the maintenance tool to the address white list and opening the communication channel according to the address white list and the preset authority data, so as to allow the maintenance tool to maintain the terminal device within its authority range.
Specifically, if the TCP server has not been created or the listening service has not been started, the TCP server is created with the network address of the management and control service and the listening service is started.
A TCP connection is established with the maintenance tool, and the identity authentication data and the preset authority data of the maintenance tool are received over that connection.
The public key of the maintenance tool is obtained; a random number is generated; the random number is encrypted with the public key of the maintenance tool to form a random number ciphertext; the ciphertext is sent to the maintenance tool; a digital signature over the random number is received from the maintenance tool; the digital signature is verified with the public key of the maintenance tool.
If the signature verification succeeds, the identity authentication data is authenticated successfully and a secure TCP connection between the management and control service and the maintenance tool has been established;
otherwise the result is failure. The maintenance permission authentication result is then fed back:
if the identity authentication data is authenticated, the result is "permit maintenance"; otherwise the result is "prohibit maintenance".
The MAC address of the maintenance tool that has been permitted to maintain is obtained;
the MAC address is temporarily added to the outbound MAC white list of the data exchange service,
and communication channels are opened between all maintenance tools that currently hold maintenance permission and only those available terminal devices they are authorized to access.
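The challenge-response part of S30, written out as an added Go example that is not part of the patent: the management and control service encrypts a random number to the tool's public key, the tool returns a digital signature over the recovered random number, and the service verifies it with the same public key before feeding back "permit" or "prohibit". RSA-OAEP and RSA-PSS over SHA-256, the 2048-bit key, the 32-byte random number and the in-memory exchange in place of the TCP connection are assumptions of this example; the patent names no algorithms.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ToolIdentity models the maintenance tool: it holds the private key whose
// public half the management and control service has registered.
type ToolIdentity struct {
	key *rsa.PrivateKey
}

// NewToolIdentity generates a fresh key pair (2048-bit RSA is an assumption).
func NewToolIdentity() (*ToolIdentity, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &ToolIdentity{key: k}, nil
}

func (t *ToolIdentity) PublicKey() *rsa.PublicKey { return &t.key.PublicKey }

// Respond is the tool's half of the exchange: decrypt the random number
// ciphertext and return a digital signature over the recovered random number.
func (t *ToolIdentity) Respond(ciphertext []byte) ([]byte, error) {
	nonce, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, t.key, ciphertext, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(nonce)
	return rsa.SignPSS(rand.Reader, t.key, crypto.SHA256, digest[:], nil)
}

// Challenge is what the service keeps between sending the ciphertext and
// receiving the signature.
type Challenge struct {
	nonce      []byte
	Ciphertext []byte
}

// NewChallenge performs the service's steps: generate a random number and
// encrypt it with the tool's registered public key.
func NewChallenge(toolPub *rsa.PublicKey) (*Challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, toolPub, nonce, nil)
	if err != nil {
		return nil, err
	}
	return &Challenge{nonce: nonce, Ciphertext: ct}, nil
}

// Verify checks the tool's signature over the random number with the tool's
// public key; success is the "signature verification result is successful" branch.
func (c *Challenge) Verify(toolPub *rsa.PublicKey, sig []byte) error {
	digest := sha256.Sum256(c.nonce)
	if err := rsa.VerifyPSS(toolPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return errors.New("signature verification failed: prohibit maintenance")
	}
	return nil
}

// Authenticate runs the whole exchange in memory (in the patent the ciphertext
// and signature travel over the TCP connection). It returns true for "permit
// maintenance" and false for "prohibit maintenance".
func Authenticate(registeredPub *rsa.PublicKey, tool *ToolIdentity) (bool, error) {
	ch, err := NewChallenge(registeredPub)
	if err != nil {
		return false, err
	}
	sig, err := tool.Respond(ch.Ciphertext)
	if err != nil {
		// A tool without the matching private key cannot even recover the nonce.
		return false, nil
	}
	return ch.Verify(registeredPub, sig) == nil, nil
}

func main() {
	genuine, _ := NewToolIdentity()
	impostor, _ := NewToolIdentity() // a tool whose key was never registered
	ok, _ := Authenticate(genuine.PublicKey(), genuine)
	fmt.Println("genuine tool permitted:", ok)
	ok, _ = Authenticate(genuine.PublicKey(), impostor)
	fmt.Println("impostor permitted:", ok)
}
```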
S40, when the maintenance tool is in the permission state, maintaining the permission state of the maintenance tool in real time, and monitoring the recording state and the maintenance authority state of the maintenance behavior of the maintenance tool in real time.
Specifically, maintaining the permission state in real time may consist of the management and control service sending permission state maintenance data packets to the maintenance tool in real time. Sending these packets keeps the secure TCP connection alive and continuously detects whether the secure TCP connection has been disconnected.
Correspondingly, when the maintenance permission state of the maintenance tool is the permission state, the step of maintaining the permission state of the maintenance tool in real time specifically includes:
acquiring in real time the record data of the maintenance data packets exchanged with the maintenance tool in the permission state, so as to keep the maintenance tool in the permission state.
S50, judging in real time whether the maintenance tool meets the control condition according to the maintenance permission state, the recording state of the maintenance behavior and the maintenance authority state;
when the maintenance tool does not meet the control condition, closing the communication channel between the maintenance tool and the terminal device, i.e. re-entering step S10.
The maintenance tool does not meet the control condition when:
maintaining the permission state of the maintenance tool fails; or
the maintenance authority state is the override state; or
the recording state is the unavailable state.
Correspondingly, step S50 specifically includes:
S501, judging from the maintenance permission state whether the permission state of the maintenance tool is being maintained successfully;
S502, judging from the maintenance behavior and the authority data whether the maintenance authority state of the maintenance tool is the override state;
S503, judging from the storage condition of the maintenance behavior whether the recording state of the maintenance behavior of the maintenance tool is the unavailable state.
In this embodiment, steps S501, S502 and S503 may occur simultaneously or sequentially.
As soon as the condition of any one of these steps is not satisfied, the process returns to step S10.
In other embodiments, only one of steps S501, S502 and S503 may be present.
In this embodiment, step S501 may specifically include:
S5011, within the period, acquiring the record data of the permission state maintenance data packets exchanged with the maintenance tool, so as to determine the state of that exchange;
S5012, judging whether the record data contains an interrupt record for the permission state maintenance data packets exchanged with the maintenance tool.
In this embodiment, the record data of the permission state maintenance data packets exchanged with the maintenance tool indicates the result of checking the secure TCP connection. The presence of an interrupt record means the secure TCP connection was found to be disconnected, and the result fed back for continuously maintaining the permission state is failure. When no such interrupt record exists, the result fed back is success.
In this embodiment, step S502 specifically includes:
S5021, generating an authority access list and an actual access list according to the authority data and the maintenance behavior respectively;
in this embodiment, the actual access list may be the list of IP addresses of the terminal devices actually accessed by the maintenance tool, and the authority access list may be the list of IP addresses of the terminal devices the maintenance tool has authority to access.
S5022, judging whether the number of times the authority access list is an empty set within the preset period is greater than M1; or
the authority access list being an empty set means that the authority access list has not been acquired.
S5023, judging whether the number of times the actual access list is an empty set within the preset period is greater than M2; or
the actual access list being an empty set means that the actual access list has not been acquired.
S5024, judging whether the difference set between the authority access list and the actual access list is an empty set.
The difference set between the authority access list and the actual access list not being an empty set means that the actual access list contains a group of IP addresses of accessed terminals that do not exist in the authority access list.
Specifically, M1 and M2 may both be equal to 2.
Correspondingly, the maintenance authority state is the override state when:
the number of times the authority access list is an empty set is greater than M1; or
the number of times the actual access list is an empty set is greater than M2; or
the difference set between the authority access list and the actual access list is an empty set.
In this embodiment, steps S5022, S5023 and S5024 may occur simultaneously or sequentially.
As soon as the condition of any one of these steps is not satisfied, the process returns to step S10.
In other embodiments, only one of steps S5022, S5023 and S5024 may be present.
In this embodiment, step S503 specifically comprises the following steps:
S5031, recording the maintenance behavior as stored data.
In this embodiment, the stored data may be the value of the maintenance behavior grabbing state;
in other implementations, the stored data may also be video data of the maintenance behavior.
S5032, judging whether the stored data is an empty set; or
The stored data being empty means that the value of the maintenance behavior grabbing state indicates that no maintenance behavior data is currently being acquired and recorded.
Alternatively, the stored data being empty means that no video data of the maintenance behavior exists.
S5033, judging whether, within a preset period, the number of times that the stored data is empty is larger than M3.
In this embodiment, M3 may be equal to 2.
Correspondingly, the step "when the recording state is the unavailable state" specifically includes:
the stored data is an empty set; or
within a preset period, the number of times that the stored data is an empty set is larger than M3.
In this embodiment, steps S5032 and S5033 may occur simultaneously or sequentially.
As soon as the condition of any one of these steps is not satisfied, the process returns to step S10.
In other embodiments, only one of steps S5032 and S5033 may be present.
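As an added illustration, not code from the patent, the following Go code applies the checks of steps S5022 to S5024 and S5031 to S5033 to constructed access lists and stored data, with M1, M2 and M3 set to 2 as in this embodiment. An empty list is treated as "not acquired" and counted per preset period (the counters are reset when a new period starts), and the difference set is interpreted as described above: the tool is outside its authority range when the actual access list contains addresses absent from the authority access list.

```go
package main

import (
	"fmt"
	"sort"
)

// Thresholds from the embodiment: M1, M2 and M3 may all be 2.
const M1, M2, M3 = 2, 2, 2

// PeriodCounters holds the empty-set observations counted within one preset period
// (steps S5022, S5023 and S5033); call Reset when a new period starts.
type PeriodCounters struct {
	EmptyAuthority, EmptyActual, EmptyRecord int
}

func (c *PeriodCounters) Reset() { *c = PeriodCounters{} }

// DifferenceSet returns the access-terminal IPs in actual that are absent from
// authority, i.e. the addresses that must not exist if the tool is to stay
// inside its authority range (constructed string IPs are sufficient here).
func DifferenceSet(authority, actual []string) []string {
	allowed := make(map[string]bool, len(authority))
	for _, ip := range authority {
		allowed[ip] = true
	}
	var out []string
	for _, ip := range actual {
		if !allowed[ip] {
			out = append(out, ip)
		}
	}
	sort.Strings(out)
	return out
}

// AuthorityOverride applies steps S5022-S5024 to one observation and reports whether
// the maintenance authority state is the override state, with the reason.
// An empty list is counted as "not acquired" and tolerated up to M1/M2 times per
// period; the difference set is only evaluated when both lists were acquired.
func AuthorityOverride(c *PeriodCounters, authority, actual []string) (bool, string) {
	if len(authority) == 0 {
		c.EmptyAuthority++
		return c.EmptyAuthority > M1, fmt.Sprintf("authority access list not acquired (%d/%d)", c.EmptyAuthority, M1)
	}
	if len(actual) == 0 {
		c.EmptyActual++
		return c.EmptyActual > M2, fmt.Sprintf("actual access list not acquired (%d/%d)", c.EmptyActual, M2)
	}
	if diff := DifferenceSet(authority, actual); len(diff) > 0 {
		return true, fmt.Sprintf("access outside authority range: %v", diff)
	}
	return false, "within authority range"
}

// RecordUnavailable applies steps S5032-S5033: the recording state is the unavailable
// state as soon as the stored data (grabbing-state value or video) is empty, and the
// per-period count shows whether capture has been failing more than M3 times.
func RecordUnavailable(c *PeriodCounters, stored []byte) (bool, string) {
	if len(stored) != 0 {
		return false, "maintenance behaviour recorded"
	}
	c.EmptyRecord++
	if c.EmptyRecord > M3 {
		return true, fmt.Sprintf("stored data empty more than M3=%d times in period", M3)
	}
	return true, "stored data is an empty set"
}

// ControlConditionMet combines the three states checked in step S50; a false result
// sends the process back to step S10 (closing the communication channel).
func ControlConditionMet(permitHeld, override, recordUnavailable bool) bool {
	return permitHeld && !override && !recordUnavailable
}
```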
In an embodiment, step S10 may specifically include:
connecting the maintenance tool and the terminal equipment, respectively, to different and mutually isolated virtual local area networks.
In another embodiment, step S10 may specifically include:
removing the address data of the maintenance tool that does not meet the control requirement from the white list address.
In yet another embodiment, step S10 may specifically include:
connecting the maintenance tool and the terminal equipment, respectively, to different and mutually isolated virtual local area networks; and
removing the address data of the maintenance tool that does not meet the control requirement from the white list address.
Second embodiment
Based on the intelligent monitoring method 100 for maintenance activities provided in the first embodiment of the present invention, the second embodiment of the present invention proposes another intelligent monitoring method 200 for maintenance activities, in which steps S10 to S50 are the same as those in the first embodiment and are not described in detail here. The difference is as follows:
prior to step S10, the method 200 further includes:
S11, initializing the application data of the maintenance tool so as to provide a stable network address for the maintenance tool.
Specifically: the data exchange function is turned off;
the subnet mask data, the authentication service IP address and the authentication service port number are acquired from a local storage medium;
it is judged whether the IP address and the subnet mask of the network adapter executing the authentication service are respectively the same as the authentication service IP address and the subnet mask in the local storage medium;
if they are different, the network address of the network adapter executing the authentication service is set, the network address comprising the authentication service IP address and the subnet mask.
In this step of the embodiment, it is determined whether the IP address and the subnet mask of the network adapter executing the authentication service are respectively the same as the authentication service IP address and the subnet mask in the local storage medium;
if they are different, the network address of the network adapter executing the authentication service is set, comprising the authentication service IP address, the authentication service port number and the subnet mask, so as to ensure that a stable authentication service network address is provided to the maintenance tool.
Between step S10 and step S20, the method further includes:
S21, the maintenance tool periodically receives application data from the link layer.
Specifically, a link layer application data message is transmitted continuously and periodically to the maintenance tool, as follows:
digitally signing the application data using the private key;
packaging the application data together with the digital signature;
encapsulating the application data together with the digital signature into a custom Optional TLV conforming to the IEEE 802.3 organization format, where the TLV type is 127;
writing the TLV into the LLDP link layer data broadcast frame of the interface connected to the maintenance tool;
starting the interface connected to the maintenance tool so that it periodically and continuously sends the LLDP link layer data broadcast message.
The application data includes at least: the authentication service IP address, the authentication service port number, the IP address that the maintenance tool's network adapter should configure, and the subnet mask.
In this step of the embodiment, because the application data is encapsulated together with a digital signature, the maintenance tool can check the digital signature after receiving the data, so as to ensure that the interface the maintenance tool is connected to is the correct one;
the LLDP message of the interface connected to the maintenance tool is sent to the maintenance tool continuously, so that the maintenance tool is ensured to obtain the relevant application data quickly, repeated authentication caused by incorrect application data is avoided, and maintenance efficiency and user experience are effectively improved.
Third embodiment
Based on the intelligent monitoring method 100 for maintenance activities provided in the first embodiment of the present invention, another intelligent monitoring method 300 for maintenance activities is provided in the third embodiment of the present invention, in which steps S10 to S50 are the same as those in the first embodiment and are not described in detail here. The difference is as follows:
between step S10 and step S20, the method 300 further includes:
S22, acquiring the application initialization data of the maintenance tool through the link layer.
Specifically, it is detected and judged whether the maintenance tool is present: if the interface connected to the maintenance tool changes from the non-powered-on unavailable state to the powered-on available state, the maintenance tool is present;
the link layer LLDP message sent by the maintenance tool is acquired;
the Optional TLV whose TLV type is 127 is extracted;
the application initialization data is extracted, the application initialization data comprising at least: the authentication server IP address and the subnet mask;
it is judged whether the IP address and the subnet mask of the network adapter executing the authentication service are respectively the same as the authentication service IP address and the subnet mask acquired from the current LLDP message;
if they are different, the network address of the network adapter executing the authentication service is set to the acquired authentication server IP address and subnet mask.
In this embodiment, by controlling the maintenance permission, the maintenance authority and the maintenance behavior of the maintenance tool, the security and the strength of intelligent control over the maintenance behavior are improved. Overall control of the terminal equipment in the core network within the authority range can therefore only be exercised by a maintenance tool that has passed identity authentication, has successfully obtained and continuously maintains the maintenance permission, accesses only the terminal equipment within its authority range, and whose maintenance behavior can be acquired normally. Maintenance management cost is effectively reduced, and the security of the core network is improved.
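As an added example, not code from the patent, the following Go code builds the LLDP frame of step S21 (application data signed with a private key and carried in an organizationally specific TLV of type 127) and performs the receiving side's extraction and signature check of steps S21 and S22 on it, rejecting the data when the signature does not verify or the TLV is truncated. The ed25519 signature scheme, the OUI, the subtype and the 14-byte field layout are assumptions; the patent fixes none of them.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"net"
)

// LLDP TLV types; 127 is the organizationally specific ("Optional") TLV the patent uses.
const tlvEnd, tlvChassisID, tlvOrgSpecific, appSubtype = 0, 1, 127, 1

var appOUI = [3]byte{0x00, 0x00, 0x00} // placeholder OUI and subtype: the patent states neither

// AppData is the application data listed in step S21.
type AppData struct {
	AuthIP, ToolIP net.IP
	AuthPort       uint16
	Mask           net.IPMask
}

// marshal packs AppData as 14 big-endian bytes: authIP(4) port(2) toolIP(4) mask(4).
func (a AppData) marshal() []byte {
	b := append([]byte{}, a.AuthIP.To4()...)
	b = append(b, byte(a.AuthPort>>8), byte(a.AuthPort))
	return append(append(b, a.ToolIP.To4()...), a.Mask...)
}

func unmarshalAppData(b []byte) AppData {
	return AppData{net.IPv4(b[0], b[1], b[2], b[3]), net.IPv4(b[6], b[7], b[8], b[9]),
		uint16(b[4])<<8 | uint16(b[5]), net.IPMask(append([]byte{}, b[10:14]...))}
}

// tlv encodes one LLDP TLV: 7-bit type, 9-bit length, then the info string.
func tlv(typ byte, info []byte) []byte {
	hdr := uint16(typ)<<9 | uint16(len(info)&0x1ff)
	return append([]byte{byte(hdr >> 8), byte(hdr)}, info...)
}

// BuildLLDPDU signs the application data (ed25519 is an assumption; the patent only says
// "private key") and wraps OUI||subtype||payload||signature in a type-127 TLV of a minimal LLDPDU.
func BuildLLDPDU(priv ed25519.PrivateKey, app AppData) []byte {
	payload := app.marshal()
	info := append(append([]byte{}, appOUI[:]...), appSubtype)
	info = append(append(info, payload...), ed25519.Sign(priv, payload)...)
	f := tlv(tlvChassisID, []byte{4, 0x02, 0, 0, 0, 0, 1}) // chassis subtype 4 = MAC (constructed)
	f = append(f, tlv(tlvOrgSpecific, info)...)
	return append(f, tlv(tlvEnd, nil)...)
}

// ExtractAppData walks the TLVs, finds the type-127 TLV carrying our OUI/subtype and returns
// the application data only if the signature verifies; otherwise the data is rejected.
func ExtractAppData(pub ed25519.PublicKey, frame []byte) (AppData, error) {
	for len(frame) >= 2 {
		hdr := uint16(frame[0])<<8 | uint16(frame[1])
		typ, n := byte(hdr>>9), int(hdr&0x1ff)
		if len(frame) < 2+n {
			return AppData{}, errors.New("truncated TLV")
		}
		info := frame[2 : 2+n]
		frame = frame[2+n:]
		if typ == tlvEnd {
			break
		}
		if typ != tlvOrgSpecific || len(info) != 4+14+ed25519.SignatureSize ||
			[3]byte{info[0], info[1], info[2]} != appOUI || info[3] != appSubtype {
			continue
		}
		if !ed25519.Verify(pub, info[4:18], info[18:]) {
			return AppData{}, errors.New("signature check failed: reject application data")
		}
		return unmarshalAppData(info[4:18]), nil
	}
	return AppData{}, errors.New("no signed application-data TLV")
}
```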
Referring to fig. 5, the present invention also provides an intelligent monitoring device for maintenance behavior, where the intelligent monitoring device includes a tool interface connected to a maintenance tool, a network interface connected to a terminal device, a memory, a processor, and a computer program stored in the memory, where the computer program implements the steps of the intelligent monitoring method for maintenance behavior when executed by the processor.
It can be understood that in this embodiment, the tool interface is a reserved interface connected to the maintenance tool, and the network interface is a reserved interface connected to the core network.
The invention also provides a computer readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, implements the steps of the intelligent monitoring method of maintenance behavior.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (9)

1. An intelligent monitoring method for maintenance behavior is characterized by comprising the following steps:
closing a communication channel between a maintenance tool and a terminal device so as to inhibit the maintenance tool from maintaining the terminal device;
acquiring the identity information of the maintenance tool, and judging whether the identity information accords with a maintenance permission condition;
when the identity information accords with the maintenance permission condition, placing the maintenance permission state of the maintenance tool into a permission state;
when the maintenance tool is in a permission state, address data of the maintenance tool is added into an address white list, and the communication channel is opened according to the address white list and preset authority data so as to allow the maintenance tool to maintain each terminal device in the authority range;
when the maintenance tool is in a permission state, the permission state of the maintenance tool is maintained in real time, and the record state and the maintenance authority state of the maintenance behavior of the maintenance tool are monitored in real time;
judging whether the maintenance tool meets a control condition in real time according to the maintenance permission state, the recording state of the maintenance behavior and the maintenance authority state;
when the maintenance tool is in a state of not meeting the control condition, closing a communication channel between the maintenance tool and the terminal equipment;
the step when the maintenance tool is in a condition of not meeting the control condition specifically comprises the following steps:
when maintaining the permit state of the maintenance tool fails; or
when the maintenance authority state is an override state; or
when the recording state is a state incapable of being acquired;
the step of judging whether the maintenance tool meets the control requirement in real time according to the maintenance permission state, the recording state of the maintenance behavior and the maintenance authority state specifically comprises the following steps:
generating a permission access list and an actual access list according to the permission data and the maintenance behavior respectively;
judging whether the number of times that the permission access list is an empty set is larger than M1 or not in a preset period; or
in a preset period, judging whether the number of times that the actual access list is an empty set is larger than M2; or
judging whether a difference set between the authority access list and the actual access list is an empty set or not;
the step when the maintenance authority state is an override state specifically includes:
when the number of times that the authority access list is an empty set is greater than M1; or
when the number of times that the actual access list is an empty set is greater than M2; or
when the difference set between the authority access list and the actual access list is an empty set.
2. The intelligent monitoring method of maintenance activities according to claim 1, wherein the step of closing the communication channel between the maintenance tool and the terminal device comprises:
and respectively connecting the maintenance tool and the terminal equipment to different and mutually isolated virtual local area networks.
3. The intelligent monitoring method of maintenance activities according to claim 1, wherein the step of closing the communication channel between the maintenance tool and the terminal device comprises:
and removing the addresses of the maintenance tools which do not meet the control requirements from the white list addresses.
4. The intelligent monitoring method for maintenance activities according to claim 1, wherein the step of maintaining the maintenance tool's permission status in real time when the maintenance tool's permission status is in the permission status comprises:
when the maintenance permission state of the maintenance tool is in the permission state, recording data of a maintenance data packet which is mutually transmitted with the maintenance tool in the permission state is acquired in real time so as to maintain the maintenance tool in the permission state.
5. The intelligent monitoring method for maintenance activities according to claim 1, wherein the step of determining whether the maintenance tool meets the control requirement in real time according to the maintenance permission status, the recording status of the maintenance activities and the maintenance authority status specifically comprises:
recording the maintenance behavior as stored data;
judging whether the stored data is an empty set or not; or
judging whether the number of times that the stored data is an empty set is larger than M3 or not in a preset period;
the step of when the recording state is the unavailable state specifically includes:
the stored data is an empty set; or
in a preset period, the number of times that the stored data is an empty set is larger than M3.
6. The intelligent monitoring method of maintenance activities according to claim 1, wherein prior to the step of closing the communication channel between the maintenance tool and the terminal device, the method further comprises:
initializing application data of a maintenance tool to provide a stable network address to the maintenance tool;
alternatively, after the step of closing the communication channel between the maintenance tool and the terminal device, the method further includes:
and acquiring the application initialization data of the maintenance tool through a link layer.
7. The intelligent monitoring method for maintenance activities according to claim 6, wherein before obtaining identity information of the maintenance tool and determining whether the identity information meets an authentication condition, the method further comprises:
the maintenance tool periodically receives application data from the link layer.
8. An intelligent monitoring device for maintenance activities, characterized in that the intelligent monitoring device comprises a tool interface connected to a maintenance tool, a network interface connected to a terminal device, a memory, a processor and a computer program stored in the memory, which, when executed by the processor, implements the steps of the intelligent monitoring method for maintenance activities according to any of claims 1-7.
9. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the intelligent monitoring method of maintenance actions according to any of claims 1-7.
CN201911287595.2A 2019-12-14 2019-12-14 Intelligent monitoring method and device for maintenance behaviors and computer readable storage medium Active CN111091204B (en)
Publications (2)

Publication Number Publication Date
CN111091204A CN111091204A (en) 2020-05-01
CN111091204B true CN111091204B (en) 2023-07-18

Family

ID=70395513
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20221101

Address after: Room 1010, No. 181, Zhongshe Road, Maogang Town, Songjiang District, Shanghai, 201600

Applicant after: Shuxing Technology (Shanghai) Co.,Ltd.

Address before: Room 1804, Building 7, Quantangwan Community (Shun'an Court), No. 323 Tianxin Road, Shifeng District, Zhuzhou City, Hunan Province 412001

Applicant before: Zhuzhou Huina Technology Co.,Ltd.

GR01 Patent grant