CN111600857A - Account number maintenance system of data center - Google Patents


Info

Publication number: CN111600857A
Application number: CN202010366173.0A
Authority: CN (China)
Prior art keywords: account, data, server, data center, accounts
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 吴强
Current assignee: Zhejiang Qizhi Technology Co ltd
Original assignee: Zhejiang Qizhi Technology Co ltd
Application filed by Zhejiang Qizhi Technology Co ltd
Publication of CN111600857A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

A data center account maintenance system comprises a data collector. The data collector logs in to a server at regular intervals, locates where accounts are stored in the server's operating system, and then acquires all accounts on the server; it automatically adds new server accounts; and it automatically changes the passwords of all accounts at regular intervals. Advantages: account data can be collected comprehensively, all server accounts existing in a data center can be obtained, and a comprehensive risk evaluation can be performed on them; the account passwords are obtained directly from the operating system, and all asset types of the data center are supported through a variety of password detection modes. An account password configuration policy is preset in the data collector; data transmission is implemented through an API, the data collector links seamlessly with the bastion machine and is rapidly integrated with the bastion machine or other servers as a plug-in, and the system is suitable for very-large-scale account management scenarios.

Description

Account number maintenance system of data center
Technical Field
The invention relates to the field of information security, in particular to a data center account maintenance system.
Background
This section is provided only for convenience in understanding the content of the present invention and should not be taken as prior art.
Depending on the users it serves, a network can be divided into an extranet (the Internet) and an intranet (local area network). The intranet may in turn be divided into an office network and a production network. Network activity on the office network is varied and extensive, so viruses and network intrusion events occur there easily. If office users and production users are on the same network, a virus or intrusion event that occurs on the office network can spread to the production network rapidly and without obstacle, posing a great threat to production safety. Office and production networks therefore also need to be isolated. The production network is also referred to as the data center. The data center includes computing resources, storage resources, network resources, and the like.
Common attack behaviors include: 1. Password intrusion: logging in to a target device with the account and password of a legitimate user and then carrying out attack activities. The precondition of this method is that the attacker first obtains the account of a legitimate user on the device and then cracks that user's password. 2. Trojan horses: often disguised as utility programs or games that entice the user to open them; once the user opens such an e-mail attachment or executes the program, it stays on the computer and hides a program in the system that runs silently whenever Windows starts. 3. WWW spoofing: the web page being visited has been tampered with by a hacker, so the information on it is spurious; for example, the hacker rewrites the URL of the page the user intends to browse so that it points to the hacker's own server, and the user's request for the target page is actually sent to the hacker's server. 4. After breaking into one device, an attacker often uses it as a foothold to attack other devices, attempting to compromise other devices on the same network by network monitoring, or attacking them through IP spoofing and device trust relationships. 5. Network monitoring is an operating mode of a device in which the device receives all information transmitted on the same physical channel of its network segment, regardless of the sender or receiver of that information.
However, existing risk monitoring or early warning is directed only at the user, or the target device raises an alarm on its own, and all such warnings carry information of a single dimension. For example, a user-side alarm reads "account XX is abnormal", and a device-side alarm reads "device XX is abnormal". Information of a single dimension cannot tell whether the abnormal alarm was caused by an attack or is a false alarm caused merely by a temporary change in operating rules.
Existing anomaly recognition raises alarms for abnormal events of accounts or of target devices independently. This alarm mechanism identifies single-dimension abnormal events by judging against fixed rules within a single data dimension. Its problems are: 1. The fixed rules are rigid and cannot evolve over time. If an account logs in to the data center outside its valid period, an abnormal-event alarm is raised for that account. Yet the account may need to enter the data center for a temporary work task that the workflow engine has already approved; because that approved operation is not a fixed rule, an account with a legitimate approval logs in during a validity period defined by a non-fixed rule, and the account dimension still raises an account abnormal-event alarm. 2. Alarms come from a single dimension only, and single-dimension abnormal events cannot be assembled into abnormal behavior or attack behavior. If an account raises an account abnormal event, the alarm carries only the fact that the account is abnormal, and there is no way to obtain information of other dimensions associated with that account. The resulting problems are mainly: 1. the false alarm rate is high; 2. a single-dimension abnormal-event alarm carries no information from any other dimension, so it cannot be judged whether the event was caused by attack behavior, and the reference value of the alarm is low. With a high false alarm rate and low reference value, operation and maintenance personnel habitually ignore abnormal-event alarms, which become alarms in name only.
Disclosure of Invention
The invention regards the model of entering the data center as comprising a terminal and a server, where the terminal represents a user and the server represents an asset of the data center.
During routine operation and maintenance, staff log in to the servers of the data center with their respective server accounts to perform their work. The number of servers in a data center is huge, and each server has at least one account, so the number of accounts used to enter the servers is huge and cannot be managed. In addition, what staff do after entering a server cannot be monitored; operation and maintenance security incidents occur frequently because of misoperation, illegal operation and the like, and their causes are hard to find.
A terminal is allowed to enter a server for operations only after identity authentication. However, the number of servers is very large and each server has its own account and password, so the volume of account-password data is also huge, and an account management scheme has developed alongside it.
Current account management schemes in information security generally manage the access of a terminal to a server and record and monitor the operation log after the terminal logs in to the server. Such schemes have the following problem: the number of accounts is huge and the operation and maintenance department cannot master all server accounts, so unique-channel control from terminal to server cannot be achieved.
A data center account maintenance system is characterized in that: the account maintenance system comprises a data collector, wherein the data collector logs in to a server at regular intervals, locates where accounts are stored in the server's operating system, and then acquires all accounts on the server; it automatically adds new server accounts; and it automatically changes the passwords of all accounts at regular intervals.
Preferably, the data collector searches the account storage location of the operating system to obtain all accounts capable of logging in to the operating system.
Preferably, the data collector obtains an operating system account of the server, logs in to the server remotely with that account, examines the processes of the operating system after login, maps each process to its application, locates the application's account storage files, and thereby obtains all accounts of each application on the operating system.
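As an added example that is not part of the patent, the following Python shows what "searching the account storage location for all accounts capable of logging in" looks like on a Linux host, assuming the passwd file format (name:password:uid:gid:gecos:home:shell) and a constructed sample; the shell field decides login capability, and any second UID 0 account is reported as a permission worth recording.

```python
# Added example, not from the patent: enumerate login-capable OS accounts from a
# Linux-style passwd file (name:password:uid:gid:gecos:home:shell). Sample is constructed.
from dataclasses import dataclass
from typing import Dict, List

# Shells that deny interactive login (assumed list; extend per distribution).
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


@dataclass(frozen=True)
class OsAccount:
    name: str
    uid: int
    gid: int
    home: str
    shell: str

    @property
    def can_login(self) -> bool:
        """True when the shell field points at a real login shell."""
        return bool(self.shell) and self.shell not in NON_LOGIN_SHELLS

    @property
    def is_superuser(self) -> bool:
        """UID 0 carries root authority whatever the account is called."""
        return self.uid == 0


def parse_passwd(text: str) -> List[OsAccount]:
    """Parse passwd-format text; a malformed line raises rather than being skipped silently."""
    accounts: List[OsAccount] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts.append(OsAccount(name, int(uid), int(gid), home, shell))
    return accounts


def collect_login_accounts(text: str) -> Dict[str, OsAccount]:
    """The collector's view: only accounts that can actually log in, keyed by name."""
    return {a.name: a for a in parse_passwd(text) if a.can_login}


def extra_superusers(text: str) -> List[str]:
    """Accounts other than root holding UID 0, a permission worth recording."""
    return [a.name for a in parse_passwd(text) if a.is_superuser and a.name != "root"]


# Constructed sample, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
deploy:x:1001:1001:Deploy user:/home/deploy:/bin/bash
svc_app:x:1002:1002::/opt/app:/bin/false
toor:x:0:0:second uid 0 account:/root:/bin/sh
"""

if __name__ == "__main__":
    for name, acct in collect_login_accounts(SAMPLE_PASSWD).items():
        print(f"{name:<10} uid={acct.uid:<5} shell={acct.shell}")
    print("extra UID 0 accounts:", extra_superusers(SAMPLE_PASSWD))
```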
Preferably, the attribute information of each account is acquired together with the account, and includes the account's last login time, account permissions, the identity information corresponding to the account, the number of accounts, the account creation time, the account ID, the account expiration time, and the account source.
Preferably, the last login time of an account is compared with a preset time threshold, and an account whose last login exceeds the threshold is regarded as a zombie account; and/or the account permissions are compared with the permissions acquired last time, and if the permission content has changed the account is determined to be an unauthorized (override) account; and/or the identity information corresponding to the account is examined, and if it is null the account is determined to be a ghost account; if the identity information is not null, it is compared with the identity information acquired last time, and if it has changed the account is regarded as a risk account. Zombie accounts, override accounts, ghost accounts and risk accounts all belong to account abnormal events;
and/or it is judged whether the number of accounts currently obtained equals the number obtained last time: if the current number is larger, the newly added accounts are regarded as account abnormal events; if the current number is smaller, the deleted accounts are identified and the deletion is regarded as an account abnormal event, and so on. An account abnormal event is probably caused by attack behavior or by misoperation, and an abnormal event triggers a risk reminder.
Preferably, the password is obtained using an SDK; alternatively, the password is obtained using an automated plug-in.
Preferably, for each collected account, the expiration time is screened, accounts that have reached their expiration time are deleted, and a new account and password are generated.
Preferably, an account security baseline is preset in the data collector; the baseline comprises the data updated last time, and if the data currently collected by the data collector differs from the account security baseline, the changed data is marked as an account abnormal event.
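The anomaly rules above (zombie, override, ghost, risk, added and deleted accounts), the expiry screening and the security-baseline comparison all amount to diffing the current collection against the previous one. The following Python is an added example, not code from the patent: the record fields follow the attribute list in the claims, while the 90-day threshold, the finding names and the sample accounts are assumptions.

```python
# Added example: classify collected accounts against the previous collection (baseline).
# Record fields follow the claims; threshold, finding names, sample data are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class AccountRecord:
    """Attribute information collected for one server account."""
    account_id: str
    last_login: Optional[datetime]   # None if the account has never logged in
    permissions: FrozenSet[str]      # account permissions as found on the server
    identity: Optional[str]          # identity information of the owner, None if absent
    expires: Optional[datetime]      # None if the account never expires
    source: str                      # "os" or the name of the application


@dataclass(frozen=True)
class Finding:
    account_id: str
    kind: str     # zombie | override | ghost | risk | added | deleted | expired
    detail: str


def classify_accounts(current: Dict[str, AccountRecord], baseline: Dict[str, AccountRecord],
                      now: datetime, zombie_threshold: timedelta = timedelta(days=90)) -> List[Finding]:
    """Apply the account anomaly rules; every finding is an account abnormal event."""
    findings: List[Finding] = []
    for account_id, rec in current.items():
        prev = baseline.get(account_id)
        # More accounts than last time: each new one is an abnormal event.
        if prev is None:
            findings.append(Finding(account_id, "added", "not present in baseline"))
        # Zombie: last login older than the threshold (never logged in counts too).
        if rec.last_login is None or now - rec.last_login > zombie_threshold:
            findings.append(Finding(account_id, "zombie", f"last login {rec.last_login}"))
        # Override (unauthorized) account: permission content changed since last time.
        if prev is not None and rec.permissions != prev.permissions:
            gained = sorted(rec.permissions - prev.permissions)
            lost = sorted(prev.permissions - rec.permissions)
            findings.append(Finding(account_id, "override", f"gained={gained} lost={lost}"))
        # Ghost: no identity information at all; risk: identity differs from last time.
        if rec.identity is None:
            findings.append(Finding(account_id, "ghost", "identity information is null"))
        elif prev is not None and prev.identity is not None and rec.identity != prev.identity:
            findings.append(Finding(account_id, "risk", f"identity {prev.identity!r} -> {rec.identity!r}"))
        # Expired: reached its expiration time; to be deleted and re-issued.
        if rec.expires is not None and rec.expires <= now:
            findings.append(Finding(account_id, "expired", f"expired at {rec.expires}"))
    # Fewer accounts than last time: each missing one is an abnormal event.
    for account_id in sorted(baseline.keys() - current.keys()):
        findings.append(Finding(account_id, "deleted", "present in baseline, missing now"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group affected account IDs by finding kind, for the risk reminder."""
    summary: Dict[str, List[str]] = {}
    for f in findings:
        summary.setdefault(f.kind, []).append(f.account_id)
    return {kind: sorted(ids) for kind, ids in summary.items()}


# Constructed sample data (not from the patent).
NOW = datetime(2020, 5, 1, 3, 0)


def _rec(account_id, days_since_login, perms, identity, expires=None, source="os"):
    return AccountRecord(account_id, NOW - timedelta(days=days_since_login),
                         frozenset(perms), identity, expires, source)


BASELINE = {r.account_id: r for r in [
    _rec("root", 1, {"login", "sudo"}, "ops-team"),
    _rec("deploy", 3, {"login"}, "zhang"),
    _rec("svc_backup", 150, {"login"}, "backup-job"),
    _rec("dba", 2, {"login", "db-admin"}, "li", source="mysql"),
    _rec("old_app", 5, {"login"}, "app-owner", source="tomcat"),
    _rec("contractor", 10, {"login"}, "ext-vendor", expires=datetime(2020, 4, 30)),
]}
CURRENT = {r.account_id: r for r in [
    _rec("root", 1, {"login", "sudo"}, "ops-team"),
    _rec("deploy", 1, {"login", "sudo"}, "zhang"),                  # gained sudo -> override
    _rec("svc_backup", 200, {"login"}, "backup-job"),               # stale login -> zombie
    _rec("dba", 1, {"login", "db-admin"}, "wang", source="mysql"),  # owner changed -> risk
    _rec("tmp_user", 0, {"login"}, None),                           # new, no owner -> added, ghost
    _rec("contractor", 2, {"login"}, "ext-vendor", expires=datetime(2020, 4, 30)),  # expired
]}


def run_example() -> Dict[str, List[str]]:
    return summarize(classify_accounts(CURRENT, BASELINE, NOW))


if __name__ == "__main__":
    for kind, ids in sorted(run_example().items()):
        print(f"{kind:>9}: {', '.join(ids)}")
```

Only "root" produces no finding here; every other sample account trips at least one rule, and a risk reminder would be raised for each kind present in the summary.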
When an operating system and application software are installed, the operating system provides a special file, a database or the like that stores the login accounts (account passwords) and the operation authority held by each account. During account maintenance, after the data collector logs in remotely to the server's operating system, it automatically detects the account storage file, finds the account passwords and operation authority in that file, and collects them into the data collector. Generally, the password stored in the file may be encrypted ciphertext, so during account maintenance the account's password is changed automatically in order to obtain a usable account.
Through continuous data collection, all accounts and passwords recorded by the server can be obtained and the accounts can be sorted out. In addition, the password is changed automatically once a server account has been obtained; the automatic password generation rule is pre-configured in the data collector, so the generated passwords naturally conform to the various password rules and the weak-password problem is solved easily. By continuous collection the data collector can obtain all account-password pairs of the server and automatically and easily solve the problem of passwords that go unchanged for a long time. The account password configuration policy is preset in the data collector.
The data center account maintenance method has the following advantages: 1. Account data can be collected comprehensively, and all server accounts existing in the data center can be obtained. 2. Data can be collected comprehensively, and a comprehensive risk evaluation of the accounts can be performed; the account passwords are obtained directly from the operating system, and all asset types of the data center are supported through a variety of password detection modes. 3. The account password configuration policy is preset in the data collector and may include an encryption algorithm to encrypt passwords automatically, or may be combined with the current hardware information to support hardware encryption. 4. Data transmission is implemented through an API; the data collector links seamlessly with the bastion machine and is rapidly integrated with the bastion machine or other servers as a plug-in, and the system is suitable for very-large-scale account management scenarios.
Drawings
Fig. 1 is a schematic diagram of a terminal (user) accessing a service end of a service data center through a bastion machine.
Figure 2 is a schematic diagram of the bastion machine interacting with a third party platform.
Figure 3 is a schematic diagram of four deployment modes of the bastion machine.
FIG. 4 is a schematic diagram of data collected by the Agent-free data collection method.
FIG. 5 is a block diagram of a framework for a station in asset data.
FIG. 6 is a data collection diagram of a station in asset data.
FIG. 7 is a block diagram of data collection for stations in asset data.
FIG. 8 is a block diagram of a security system for data center operations and maintenance.
FIG. 9 is a schematic diagram of a card account of the account maintenance system.
Figure 10 is a schematic diagram of the account maintenance system interacting with the bastion machine.
FIG. 11 is a block diagram of an anomaly identification system.
Detailed Description
Abnormal behavior
Abnormal behavior in the present invention refers to operational behavior inconsistent with the contents of the whitelist, including but not limited to abnormal behavior caused by a hacker's attack and abnormal behavior caused by an incorrect operation of an internal operation and maintenance worker.
Gateway
Walking from one room to another necessarily passes through a door; likewise, a message sent from one network to another must pass through a "gate", and that gate is the gateway. As the name implies, a gateway is the "gate" connecting one network to another, i.e., a network gateway. The gateway in the invention refers to the door into the data center.
Workflow engine
The workflow engine determines information transfer routing, content levels and the other core decisions that govern each application system, according to different roles, divisions of labor and conditions. The workflow engine of the invention completes the review, approval and authorization of the work orders of operation and maintenance personnel; a work order specifies which terminal (who) logs in to which server with which identity account and what work (operation authority) is to be done.
Service terminal
The server is a targeted service program, whose main forms of expression are the "window program" and the "console". Servers are generally built on operating systems such as Linux, Unix and Windows. The server in the invention refers to all device service programs of the data center, including but not limited to hosts (including virtual machines), network resources, the Web, applications, middleware and databases.
Server account
A server account is an account-password used to log in to the server, and each server account corresponds to a given authority (operation authority).
Fortress machine
The bastion machine serves as the operation and maintenance gateway of the data center. Identity accounts, server accounts and the matching relation between them are stored in the bastion machine. The bastion machine has an identity authentication module; through identity authentication of the terminal, it matches server accounts to the terminal. Each server account has its own operation authority, the bastion machine establishes the connection between terminal and server according to that authority, and the terminal's operations on the server form an operation log stored in the bastion machine.
The bastion machine is the only channel into the data center during operation and maintenance: entering the data center through the bastion machine is considered legal, and entering without passing through it is considered illegal. The bastion machine automatically matches terminals (responsible persons) to servers, solving the problem of huge numbers of accounts that are hard to manage. Identity authentication determines the identity of the terminal, i.e. who is about to enter a server of the data center. The bastion machine thus confirms a person's identity twice: 1. the person responsible for the access belongs to the set of persons allowed access, and 2. the person applying for access is that person. The ambiguity of identity is thereby resolved, and if a problem is found it can be traced directly back to a person.
The bastion machine automatically matches server accounts to the terminal, achieving access control over the terminal's entry into the data center and solving the problem of unauthorized access by determining where you may go. A server account is bound to an operation authority, which represents what you may do, so instructions can be accurately obtained and the problems of violations and misoperation are solved. All operations of the terminal on the server are stored in the bastion machine as logs, solving the problem that logs are hard to trace.
Further, a server account is an account-password that can access the server; each server account has its own operation authority, and the content of the operation authority comprises the times at which operations are allowed, the servers allowed to be accessed and the operations allowed to be performed.
The operation authority may be an inherent rule pre-configured in the bastion machine or a rule permitted after approval by the production side. Inherent rules include, but are not limited to, network security laws, registration protection requirements, marketing enterprise specifications, industry regulatory requirements, operation and maintenance security requirements, and the like.
In some embodiments, on the basis of the inherent rules, operation authority can be entered into the bastion machine at regular intervals or in real time through a flexible authorization strategy. The bastion machine is connected to the workflow engine, and work orders approved in the workflow engine are entered into the bastion machine as operation authority.
The bastion machine transmits data through an API (application programming interface). It is connected to the office platform of the production side to obtain the list of persons allowed to enter the data center, the asset records of the data center, network information and the like.
The bastion machine comprises a character host protocol module, a graph host protocol module, a file transmission protocol module, a database protocol module and an application release protocol module. Different protocol modules are used for being compatible with different brands, different operating systems, different applications and the like.
The server side comprises a host, a network device, a web server, an application, middleware and a database. The server is also called an asset.
The terminal can access the bastion machine in the following ways: directly via web page access, via a mobile terminal APP, via an operation and maintenance tool, or via local access.
In some embodiments, the identity authentication module implements identity authentication using a two-factor authentication mechanism.
Operation authority for server accounts is granted based on user attributes, which comprise the user name, mailbox and/or authentication mode; and/or based on server attributes, which comprise the asset name, IP address, asset type and/or responsible person.
The operation authority held in the bastion machine is compared with the operation log left by the terminal when accessing the server (asset) through the bastion machine, to perform an audit; the audit comprises character operation audit, graphic operation audit, file transfer audit, database operation audit and/or log retrieval. That is, the audit is classified by data type, such as graphic data, file transfer volume, database files and the like.
The bastion machine uses data warehousing technology for data management, big data indexing technology for data retrieval, and Spring Boot modularization for task construction and scheduling. The tasks include character protocol processing, graphic protocol processing, authorization data processing and the like.
In some embodiments, the deployment mode of the bastion machine is a dual-machine deployment mode of the host machine and the standby machine, and the dual machines share the virtual IP.
In some embodiments, the bastion machine is deployed in a manner that each bastion machine serves as a cluster node and the cluster node can be laterally expanded, and all the cluster nodes share the virtual IP.
In some embodiments, the bastion machine is deployed in a multi-site mode, where each site is deployed either as a dual machine sharing a virtual IP, as cluster nodes sharing a virtual IP, or as a single machine using its actual IP.
In some embodiments, the bastion machine is deployed in a mode that cluster nodes are classified according to service types, and a plurality of cluster nodes are combined to form a complete bastion machine function. For example, the cluster nodes include a Master HA, a Worker node, an ES big data index cluster and a storage cluster.
Agents-free data acquisition method
A data acquisition method for a data center is characterized in that a data collector is arranged in the data center, an initial server account is entered into the data collector, and the data collector logs in to the server at regular intervals with that server account to collect data.
In some embodiments, when the data collector enters the server to collect data it performs the following operations: it logs in remotely to the operating system of the target server, detects the file in which the target information is stored in the server's operating system, acquires the target information from that file, and stores it in the data collector's storage module.
A data configuration module is arranged in the data collector, and a configuration rule for the data is preset in it; when the data collector collects data, the target information is shaped into configuration data according to the configuration rule, and the configuration data is the output of the data configuration module.
Data acquisition unit
The data collector of the data center is itself a server of the data center equipped with an automated data collection module; it enters a target server by remote login with a server account to search for and collect target data.
The automated data collection module includes, but is not limited to, an application, a plug-in or script, and the like.
The operation and maintenance department of the producer acts as the data center's manager and holds accounts for entering the servers' operating systems. Preferably, the server accounts are configured in the data collector, which logs in to the data center in batches at regular intervals and collects data from the configured servers. For example, at time XX the data collector (IP address) logs in to server A with account a to collect data, logs in to server B with account b to collect data, logs in to server C with account c to collect data … …. Data collection in this scheme is a full collection of the configured data. Currently, a single collection run can be configured for 500 or more servers.
The data acquisition unit is responsible for actively searching target data and outputting data of various brands and various types of service ends in the data center in a uniform format, so that the aims of actively acquiring the data and converting the data of different types and then outputting the data are fulfilled.
In some embodiments, the data center has the aforementioned bastion machine, the server account initialized in the data collector is from the bastion machine, and the data collector is independent of the bastion machine.
Using the bastion machine, data is collected from the data center along the asset dimension so as to comprehensively sort out the online assets. The producer's operation and maintenance records contain records of all devices in the data center, and each device record contains the account password for logging in to the device. During data center construction the producer registers each purchased device and sets an initial login account (account password). However, after the data center goes into use, although the devices themselves do not change, the data in the devices and the attributes of the devices change at any time. For example, when device A was registered, its device ID, account (the password of the login account) and its attribute as a host were recorded; after going into use, device A is reinstalled and its attribute changes to Web server. Or the attributes of device A do not change, but the production data of the host keeps changing, and so on.
The data collected by the bastion machine through regular login to the servers comprises port data, process data, account data, application data, hardware data, patch information, network data, software data, server log data, server login data, interface data and the like. Of course, the data the bastion machine can collect from a server is not limited to these examples and may be any other data the server holds.
Assets and their attributes are discovered by collecting data from the data center, further achieving the goal of comprehensively sorting out the online assets. Regular collection and sorting ensure that the asset records change as the data changes, so as to build a comprehensive and complete asset information base.
Account maintenance system
A terminal is allowed to enter a server for operation only after identity authentication. However, the number of servers is very large and each server has its own account and password, so the volume of account-password data is also huge, and an account management scheme has to be developed alongside.
Current account management schemes in information security generally manage the access of terminals to servers and record and monitor the operation log after a terminal logs in to a server. Such schemes have the following problem: the number of accounts is huge, and the operation and maintenance department cannot keep track of all server accounts, so a single controlled channel from terminal to server cannot be realized.
The data center account maintenance system comprises a data collector. The data collector searches the account storage locations in the operating system of a server at regular intervals and then obtains all accounts on that server; it automatically adds newly found server accounts; and it automatically changes the passwords of all accounts at regular intervals.
When an operating system and application software are installed, the operating system provides dedicated files that store the login accounts (account and password) and the operation permissions held by each account. During account maintenance, after the data collector remotely logs in to the server's operating system, it automatically detects these account storage files, extracts each account, its password and its operation permissions, and gathers them into the data collector. Generally, the password stored in the file is an encrypted ciphertext, so during account maintenance the account's password is automatically changed to obtain a usable account.
Through continuous collection, all account-password pairs recorded on the server are obtained and inventoried. In addition, the password is changed automatically once a server account has been obtained; the password generation rule is pre-configured in the data collector, so generated passwords naturally conform to the various password rules and the weak password problem is solved easily. Through continuous collection the data collector obtains all account-password pairs on the server and thereby also solves, automatically, the problem of accounts whose passwords have not been changed for a long time. An account password configuration strategy is preset in the data collector, and automatic encryption is realized with existing techniques.
The data collector searches the operating system's account storage location to obtain all accounts that can log in to the operating system. It obtains an operating system account of the server, logs in to the server remotely with that account, detects the operating system's processes after logging in, maps each process to its application, searches the application's account storage file, and thereby obtains all accounts of every application on the operating system.
When an account is obtained, its attribute information is obtained as well; the attribute information of an account comprises the account's last login time, permissions, the identity information corresponding to it, the number of accounts, creation time, account ID, expiration time and source. The current account attribute information is compared with that obtained in the last collection, and if it has changed, the change is treated as an account abnormal event. The account-password pair and the account's attribute information together make up the content of a server account.
The data collector is provided with a search module, which classifies account abnormal events according to the account attribute information and produces per-class statistics.
The latest login time of an account is compared with a preset time threshold, and an account exceeding the threshold is regarded as a zombie account; and/or the account's permissions are compared with those obtained in the last collection, and if the permission content has changed the account is regarded as an unauthorized account; and/or the identity information corresponding to the account is identified, and if it is null the account is regarded as a ghost account; if the identity information is not null, it is compared with the identity information obtained last time, and if it has changed the account is regarded as a risk account. Zombie accounts, unauthorized accounts, ghost accounts and risk accounts all count as account abnormal events;
and/or it is judged whether the number of accounts obtained now equals the number obtained last time: if the current number is larger, the newly added accounts are regarded as account abnormal events; if the current number is smaller, the deleted accounts are obtained and the account deletion is regarded as an account abnormal event, and so on. An account abnormal event may well be caused by an attack or a misoperation, and it triggers a risk reminder.
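The classification just described, as an added example that is not part of the patent: two account snapshots of one server are compared and bucketed into zombie, unauthorized (override), ghost, risk, added and deleted accounts. The account record fields, the 90-day zombie threshold and the sample snapshots are all constructed here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed account record carrying the attributes the collector gathers
# (last login, permissions, identity, creation time, source); account ID and
# expiration time are left out because this comparison does not use them.
@dataclass(frozen=True)
class Account:
    name: str
    last_login: Optional[datetime]   # None = never logged in
    permissions: frozenset
    identity: Optional[str]          # natural person behind the account; None = unknown
    created: datetime
    source: str = "os"               # "os" or the name of the application

ZOMBIE_THRESHOLD = timedelta(days=90)    # assumed preset time threshold


def classify_accounts(previous: Dict[str, Account], current: Dict[str, Account],
                      now: datetime) -> Dict[str, List[str]]:
    """Compare the current collection with the previous one and bucket the
    account abnormal events: zombie, override (unauthorized), ghost, risk,
    added and deleted accounts."""
    events: Dict[str, List[str]] = {
        k: [] for k in ("zombie", "override", "ghost", "risk", "added", "deleted")
    }
    for name, acct in current.items():
        # Zombie: last login older than the preset threshold (or no login at all).
        if acct.last_login is None or now - acct.last_login > ZOMBIE_THRESHOLD:
            events["zombie"].append(name)
        # Ghost: the account maps to no identity information.
        if acct.identity is None:
            events["ghost"].append(name)
        prev = previous.get(name)
        if prev is None:
            # Account count grew: the newly added account is itself an abnormal event.
            events["added"].append(name)
            continue
        # Override: permission content differs from the last collection.
        if acct.permissions != prev.permissions:
            events["override"].append(name)
        # Risk: identity present but different from the last collection.
        if acct.identity is not None and acct.identity != prev.identity:
            events["risk"].append(name)
    # Deleted: accounts seen last time that are gone now.
    events["deleted"].extend(sorted(set(previous) - set(current)))
    return events


def sample_run() -> Dict[str, List[str]]:
    """Two constructed snapshots of one server, taken a day apart."""
    now = datetime(2020, 4, 30, 9, 0)
    day = timedelta(days=1)
    previous = {
        "root":   Account("root",   now - 2 * day,   frozenset({"sudo"}),   "ops-zhang", now - 400 * day),
        "deploy": Account("deploy", now - 3 * day,   frozenset({"deploy"}), "ops-li",    now - 300 * day),
        "backup": Account("backup", now - 200 * day, frozenset({"read"}),   "ops-wang",  now - 350 * day),
        "old":    Account("old",    now - 10 * day,  frozenset({"read"}),   "ops-chen",  now - 100 * day),
    }
    current = {
        "root":   Account("root",   now - timedelta(hours=3),   frozenset({"sudo"}),           "ops-zhang", now - 400 * day),
        # permissions grew and the responsible person changed since yesterday
        "deploy": Account("deploy", now - day,                  frozenset({"deploy", "sudo"}), "ops-zhou",  now - 300 * day),
        "backup": Account("backup", now - 201 * day,            frozenset({"read"}),           "ops-wang",  now - 350 * day),
        # brand-new privileged account with nobody behind it
        "tmp01":  Account("tmp01",  now - timedelta(minutes=5), frozenset({"sudo"}),           None,        now - timedelta(minutes=6)),
    }
    return classify_accounts(previous, current, now)
```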
A password is obtained using an SDK; alternatively, the password is obtained using an automated plug-in.
For the account data obtained each time, the expiration time of each account is screened; accounts that have reached their expiration time are deleted, and a new account with its password is generated according to the account password configuration strategy. In this way account life-cycle management and password rotation are realized.
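One maintenance pass of the kind described above, as an added example that is not the patent's own code: expired accounts are deleted and replaced, every remaining password is rotated, and each generated password is checked against a configured strategy. The `Policy` fields, the successor naming scheme and the sample accounts are assumptions.

```python
import secrets
import string
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """Assumed account password configuration strategy (the page says it is
    preset in the data collector but does not list its fields)."""
    length: int = 16
    symbols: str = "!@#$%^&*()-_=+"
    require_letter: bool = True
    require_digit: bool = True
    require_symbol: bool = True


@dataclass(frozen=True)
class Credential:
    name: str
    password: str
    created: datetime
    expires: Optional[datetime]   # None = the account never expires


def satisfies(password: str, policy: Policy) -> bool:
    """True when the password meets the strategy: minimum length plus the
    letters/digits/symbols mix the page also uses as a risk point rule."""
    if len(password) < policy.length:
        return False
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in policy.symbols for c in password)
    return ((has_letter or not policy.require_letter)
            and (has_digit or not policy.require_digit)
            and (has_symbol or not policy.require_symbol))


def generate_password(policy: Policy) -> str:
    """Draw from the CSPRNG until the candidate satisfies the policy; for a
    16-character draw over letters, digits and symbols this ends almost at once."""
    alphabet = string.ascii_letters + string.digits + policy.symbols
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy.length))
        if satisfies(candidate, policy):
            return candidate


def maintain(accounts: Dict[str, Credential], now: datetime, policy: Policy,
             validity: timedelta = timedelta(days=90)) -> Dict[str, Credential]:
    """One scheduled pass: delete accounts whose expiration time has been
    reached and issue a successor with a fresh password, then rotate the
    password of every remaining account."""
    result: Dict[str, Credential] = {}
    for name, cred in accounts.items():
        if cred.expires is not None and cred.expires <= now:
            successor = f"{name}-{now:%Y%m%d}"   # assumed naming scheme for the replacement
            result[successor] = Credential(successor, generate_password(policy), now, now + validity)
            continue
        result[name] = replace(cred, password=generate_password(policy))
    return result


def sample_pass() -> Tuple[Dict[str, Credential], Dict[str, Credential]]:
    """Constructed account set: one account expired yesterday, two still valid."""
    now = datetime(2020, 4, 30, 2, 0)
    before = {
        "deploy": Credential("deploy", "Deploy2019!", now - timedelta(days=91), now - timedelta(days=1)),
        "app":    Credential("app",    "app123",      now - timedelta(days=10), now + timedelta(days=80)),
        "root":   Credential("root",   "toor",        now - timedelta(days=400), None),
    }
    return before, maintain(before, now, Policy())
```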
The data center in which account maintenance is performed with the data collector is provided with a bastion machine; the account with which the data collector first logs in to a server automatically comes from the bastion machine, and the server account records collected by the data collector on every run are fed back into the bastion machine.
An account security baseline is preset in the data collector; it comprises the data from the last update, and if the data collected in the current run differs from the account security baseline, the changed data is marked as an account abnormal event.
The data center account maintenance method has the following advantages: 1. Account data is collected comprehensively, and all server accounts existing in the data center are obtained. 2. Since the data is collected comprehensively, accounts are risk-assessed comprehensively; account passwords are obtained directly from the operating system, and the various password detection modes make the system compatible with all asset types of the data center. 3. The account password configuration strategy preset in the data collector may include an encryption algorithm to encrypt passwords automatically, or may be combined with current hardware information to support hardware encryption. 4. Data is transmitted through an API, so the data collector links seamlessly with the bastion machine and integrates quickly with the bastion machine or other servers as a plug-in; the method and system are therefore suitable for very large-scale account management scenarios.
Servers, network equipment, databases, security equipment, middleware and the like are the assets of a data center. Because the asset devices are numerous, of many types and brands, and change quickly, the asset accounts are hard to inventory; the assets are varied and their risks scattered. The security department is neither the data producer nor the data center builder; the technical department that produces the data and builds the data center pays attention to IT efficiency rather than IT security, while the security department focuses on IT security rather than IT efficiency. As a result the security department cannot obtain asset security data, asset risks are hard to identify, and industry security rules are hard to implement.
Asset data middle platform
To solve the problems of unclear assets, unknown risks and opaque remediation, the invention provides an asset data middle platform that interferes little with data production and can obtain the complete asset security data of a data center.
An asset data middle platform of a data center comprises: an acquisition layer, which searches for and acquires target data from the servers at regular intervals; a data layer, into which the target data is fed and which stores it in classified form; and an application layer. A data configuration rule is preset in the asset data middle platform, and the target data of the data layer is configured according to it before being output; the application layer comprises a plurality of display modules and is expanded horizontally.
The acquisition layer actively searches the server for the target data, that is, it first searches for the target data and then acquires it, rather than passively receiving data from the server. The acquired data is classified, stored and configured into a data format in the data middle platform, and the configured data is fed into a remote analysis platform or displayed by the display modules of the platform's application layer.
The ways in which the acquisition layer acquires data from the server include but are not limited to: collecting data with a script, with an instruction set, with an Agent loaded on the server, via JMX, via JDBC, and obtaining data through an API (application programming interface).
The acquisition layer logs in to the operating system with a server account at regular intervals to search for and acquire data; a set of server accounts is configured in the acquisition layer, and the acquisition layer acquires data automatically at regular intervals.
The data center is provided with the bastion machine, and the acquisition layer's set of server accounts comes from the bastion machine. Preferably, the data center is also provided with the account maintenance system; the set of server accounts obtained by the account maintenance system on each run is synchronized to the bastion machine, and the bastion machine's server accounts are synchronized to the data middle platform.
The data middle platform is provided with a detection module, which comprises an SNMP scanning tool, an NMAP port scanning tool, a ping discovery tool, a host ARP cache discovery tool and a local area network ARP scanning discovery tool, and/or discovers applications by probing processes. The detection module is used to discover new assets of the data center.
SNMP is used for automatic discovery of hosts within the network. NMAP scans the open ports of the data center and detects unregistered servers in the working environment. Ping is used to discover remote servers that are connected to the currently logged-in server. Querying the host's ARP cache reveals the IP addresses of hosts that have accessed the current server. LAN ARP scanning discovers all hosts in the local area network.
This is necessary because the data producers and equipment builders of a data center belong to the technical department rather than the security department, which therefore cannot know the current assets of the data center in time. Hence, when or before asset data is acquired, asset detection is performed on the data center to find the assets present in the network, and the completeness of the asset ledger is ensured by checking for and filling gaps. After a new asset is detected, its server account is obtained either by adding it manually or through other means such as the account maintenance system.
Data collected by the acquisition layer includes, but is not limited to: account information, port information, process information, patch information, file information, network information, software information, version information, operating system configuration, application service configuration, account configuration, network device configuration, security device configuration, middleware configuration, database configuration, business information, hardware information, operating system information, kernel information, disk partitions, and the like.
The server is logged in to with a server account at regular intervals and data is collected automatically in batches; no script has to be implanted in the device and no agent installed, so the impact on the business is kept to a minimum. Only the target data to be acquired needs to be configured in the acquisition layer; multidimensional data can then be acquired in one pass, acquisition efficiency is high, and frequent acquisition is unnecessary.
In some embodiments, the asset data middle platform is configured with a security baseline, where the security baseline is the last acquired data and/or risk point rules. After each acquisition, the current data is compared with the security baseline and changed data is treated as an abnormal event. For example, in the asset data, port 1 was closed in the last data but is open in the current data; port 1 has therefore changed and is marked as an abnormal event. For another example, in the account data, there was no account X in the last data but account X appears in the current data, i.e. account X has been newly added; that is a data change and is marked as an abnormal event. An abnormal event may well be caused by an attack or a misoperation, and it triggers a risk reminder.
For example, an account should contain numbers, letters and symbols; if account Y contains only numbers, account Y is marked as an abnormal event. For example, if server X should not be logged in to on weekends but a weekend login to server X occurs, that login is marked as an abnormal event. Risk point rules may be industry rules, such as rules for identifying weak password accounts or zombie accounts that have not logged in for a long time; a risk point rule may also be a legal provision.
Abnormal behavior recognition system
The bastion machine realizes identity authentication, access control, permission control and operation audit when operation and maintenance staff enter the data center, and the account maintenance system automatically collects all server accounts of the data center, so the bastion machine serves as the single channel for entering data center operation and maintenance at the device and host level. The asset data middle platform acquires asset information at regular intervals, inventories the complete asset information of the data center, finds abnormal events on assets and realizes risk early warning along the asset dimension. However, these abnormal events are single-dimensional events; they must be associated with people to form behaviors. In the fifth aspect of the invention, the bastion machine, the account maintenance system and the asset data middle platform serve as data sources, a white list is established on the basis of the bastion machine, abnormal human behavior is identified from the abnormal event triggers and the white list, and the abnormal behavior recognition system reduces the false alarm rate.
The abnormal behavior recognition system comprises a data acquisition layer and a behavior analysis engine. The data acquisition layer acquires all authorized behavior data, all server accounts of the data center, the asset data and the changes in the asset data. A white list is established from the authorized behavior data, changes in the asset data are treated as abnormal events, and the data of the acquisition layer is gathered in the behavior analysis engine. The engine compares each abnormal event with the white list, judges whether the content of the abnormal event belongs to the white list, and if not marks the abnormal event as an abnormal behavior; the behavior analysis engine raises alarms only for abnormal behaviors.
The scheme breaks human behavior down into the following basic elements: person (the responsible person), time (at what time, or in what period), place (where, i.e. which device) and thing (what was done, i.e. which operation instructions). The information about the person comprises the operator and the account-password pair. Therefore, to see abnormal human behavior in a data center, one needs to know which operator used which account-password pair (person) to enter which server (place) at what time (time) to execute which operation instructions (thing).
The data of the account dimension comprises: which account (in fact, information about the person) changed at what time (time) on which server (place). The operator's information is therefore missing from the account-dimension data; that is, one cannot see which natural person performed the operation, and so cannot tell whether a staff member was working normally (normal behavior) or a hacker (non-staff) was attacking.
The data of the asset dimension comprises: which device data changed at what time (time) on which server (place). The asset-dimension data therefore lacks the information about the person.
Authorized behavior comprises: a responsible person is allowed to log in to a certain device (place) with a certain account-password pair (person) at a certain time (time) to operate it. Such an allowed operation contains the basic behavioral elements person, time, place and thing. However, an allowed operation is a pre-configured, explicit rule that is only updated or supplemented dynamically, and the industry does not regard the dynamic change of allowed operations as an attack. Data changes (abnormal event triggers) in the account and/or asset dimension, on the other hand, may be due to attack behavior. Therefore the invention uses the allowed operations (the configured rules) as the white list and compares the account-dimension data and the asset-dimension data against it, so that the basic elements of a behavior are spliced together and abnormal behavior is identified on the basis of the person.
Preferably, the data acquisition layer comprises the bastion machine, the account maintenance system and the asset data middle platform, and the operation permissions and operation logs in the bastion machine count as authorized behavior.
The bastion machine guarantees that the operation and maintenance channel is unique, and the asset data middle platform guarantees that the data center's asset data is complete; hence the bastion machine holds all authorized behavior information and establishes the white list, while the asset data middle platform can discover every data change on the asset side and trigger an abnormal event alarm. For each abnormal event alarm, the behavior analysis engine checks the information in the white list and judges whether an unauthorized abnormal behavior exists.
The operation log records in detail the operation instructions that actually occurred. An allowed operation is something that may be done and does not necessarily occur. Because the operation log records what actually happened, the operation instructions and the allowed operations complement each other and together complete the content of the white list.
The account maintenance system collects all server accounts in the data center, is connected to the bastion machine and updates the server accounts in the bastion machine; these server accounts belong to the white list.
The asset data middle platform obtains complete and comprehensive asset information of the data center and identifies abnormal events after each data acquisition.
Behavior analysis engine
The behavior analysis engine is packaged as an independent module and can be ported to any platform, system or overall scheme. It comprises an input interface for acquiring data, an engine kernel for analyzing the data, and an output interface for outputting data. The output interface may connect directly to an application (APP) or to another data engine, such as a search engine.
In some embodiments, for each abnormal event the behavior analysis engine determines whether the abnormal event carries identity authentication information; if it does, the engine determines whether that identity authentication information belongs to the white list, and if it does not, the abnormal event is judged to be an abnormal behavior. Whether the person is authenticated refers to whether the abnormal event passed through an authentication stage. For example, the behavior data spliced together for an abnormal event may be: responsible person A1 logged in to server D1, but A1 does not belong to the set of people allowed to log in to server D1 in the white list; the abnormal event is then regarded as an abnormal behavior. In other words, an unauthorized person logging in to a server of the data center is an abnormal behavior.
In some embodiments, if the abnormal event passed the identity authentication of the bastion machine, the server account corresponding to the abnormal event is obtained, and it is judged whether that server account belongs to the white list; if not, the abnormal event is regarded as an abnormal behavior. For example, responsible person A1 enters server D1 at time T1 through account B1; A1 passed identity authentication and belongs to the people allowed to enter at time T1 according to the white list, but account B1 does not belong to the set of accounts allowed to enter server D1 at time T1 in the white list, so the abnormal event is an abnormal behavior. Using an unauthorized server account is an abnormal behavior.
In some embodiments, when judging whether the server account belongs to the white list, the account-password pair of the server account is obtained first; if the account-password pair does not belong to the white list, the event is judged to be an abnormal behavior. If the account-password pair does belong to the white list, it is judged whether the actual time of use of the account is consistent with the operation permission of the server account, and if not, the event is regarded as an abnormal behavior.
That is, when judging whether a server account belongs to the white list, it is first determined whether the account-password pair used to enter the server is recorded in the bastion machine; if a new account-password pair appears, an abnormal behavior has occurred. The reason is that, by virtue of the bastion machine's access control function, every behavior authorized by the bastion machine to enter the data center is recorded; if the bastion machine has no corresponding record, the current login was not authorized by the bastion machine and is an illegal operation, i.e. an abnormal behavior.
When the account-password pair of the server account belongs to the white list, it is judged whether the login time lies within the permitted time. By virtue of the bastion machine's permission control function, the bastion machine establishes an access channel only within the permitted scope, so if the actual operation information does not match the operation permission, the current login was not authorized by the bastion machine and is an illegal operation, i.e. an abnormal behavior.
In some embodiments, if the abnormal event passed the bastion machine's authentication and the login used a white-listed server account within the permitted time, it is judged whether the operation instruction corresponding to the abnormal event belongs to the white list, and if not the abnormal event is regarded as an abnormal behavior. The bastion machine's operation log is used for the comparison with the white list's operation instruction content. By its nature an abnormal event is a data change, and a data change is caused by an operation instruction. If the operation log has no corresponding operation instruction, then, by virtue of the bastion machine's audit function, the current operation is known not to have been authorized by the bastion machine; it may have entered through a vulnerability and is an abnormal behavior.
Starting from an abnormal event of the account dimension: the account-dimension data collector finds the account abnormal event, the time and server of the event are extracted, and the white list is searched for a permission matching the event's time and server. If one exists, it is checked whether an operation instruction is recorded in that permission; if so, it is judged whether that operation instruction can cause the data change corresponding to the abnormal event. If the instruction accounts for the data change, the event is judged a normal behavior; if it does not, an abnormal behavior. If no permission matching the event's time and server exists, the event is regarded as an abnormal behavior.
If no operation instruction is recorded in the permission, the operation log of that permission is searched around the event's time, operation instructions are extracted from the log, and it is judged whether an instruction in the log can cause the account change corresponding to the account abnormal event. If an instruction accounts for the account change, the event is regarded as a normal behavior; otherwise as an abnormal behavior.
Starting from an abnormal event of the asset dimension: the asset-dimension data collector finds the asset abnormal event, the time and server of the event are extracted, and the white list is searched for a permission matching the event's time and server. If one exists, it is checked whether an operation instruction is recorded in that permission; if so, it is judged whether that operation instruction can cause the data change corresponding to the abnormal event. If the instruction accounts for the asset state change, the event is judged a normal behavior; if it does not, an abnormal behavior. If no permission matching the event's time and server exists, the event is regarded as an abnormal behavior.
If no operation instruction is recorded in the permission, the operation log of that permission is searched around the event's time, operation instructions are extracted from the log, and it is judged whether an instruction in the log can cause the asset state change corresponding to the asset abnormal event. If an instruction accounts for the asset state change, the event is regarded as a normal behavior; otherwise as an abnormal behavior.
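The decision chain of the behavior analysis engine described above, as an added example that is not the patent's own code: each abnormal event is checked for bastion authentication, then for a white-listed person, account and time window, then for a recorded instruction, and finally against the operation log around the event time. The record layouts, the instruction-to-change table `CAUSES`, the 30-minute log window and the sample white list, log and events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Permission:
    """One allowed operation from the bastion machine's white list: which person
    may use which account on which server in which time window, optionally
    with the operation instructions granted."""
    person: str
    account: str
    server: str
    start: datetime
    end: datetime
    instructions: frozenset = frozenset()   # empty = no instruction recorded


@dataclass(frozen=True)
class LogEntry:
    """One line of the bastion machine's operation log (what actually happened)."""
    person: str
    account: str
    server: str
    time: datetime
    instruction: str


@dataclass(frozen=True)
class AbnormalEvent:
    """A data change found by a data collector; person/account are filled in
    only when the event passed the bastion machine's identity authentication."""
    server: str
    time: datetime
    change: str                    # "<kind>:<detail>", e.g. "account_added:tmp01"
    person: Optional[str] = None
    account: Optional[str] = None


# Assumed table of which operation instruction can cause which kind of data
# change; the page says the engine judges this but not how.
CAUSES: Dict[str, str] = {
    "useradd": "account_added",
    "userdel": "account_deleted",
    "usermod": "account_permission_changed",
    "systemctl start": "port_opened",
}


def explains(instruction: str, change: str) -> bool:
    return CAUSES.get(instruction) == change.split(":", 1)[0]


def analyse(event: AbnormalEvent, whitelist: List[Permission], oplog: List[LogEntry],
            window: timedelta = timedelta(minutes=30)) -> Tuple[str, str]:
    """Run the decision chain and return ("normal"|"abnormal", reason)."""
    # 1. No identity authentication at all: an unauthorized person entered.
    if event.person is None:
        return "abnormal", "no bastion identity authentication"
    # 2. Permissions for this server whose time window covers the event.
    in_window = [p for p in whitelist
                 if p.server == event.server and p.start <= event.time <= p.end]
    if not any(p.person == event.person for p in in_window):
        return "abnormal", "person not allowed on this server at this time"
    # 3. The server account must be white-listed for that person, server and time.
    matched = [p for p in in_window
               if p.person == event.person and p.account == event.account]
    if not matched:
        return "abnormal", "server account not in white list for this time"
    # 4. If the permission records instructions, one of them must account for the change.
    granted = frozenset().union(*(p.instructions for p in matched))
    if granted:
        if any(explains(i, event.change) for i in granted):
            return "normal", "change caused by an instruction recorded in the permission"
        return "abnormal", "recorded instructions cannot cause this change"
    # 5. Otherwise search the operation log around the event time.
    nearby = [e for e in oplog
              if e.server == event.server and e.account == event.account
              and abs(e.time - event.time) <= window]
    if any(explains(e.instruction, event.change) for e in nearby):
        return "normal", "change caused by an instruction in the operation log"
    return "abnormal", "no logged instruction explains the change"


def sample_verdicts() -> List[str]:
    """Constructed white list, log and four events exercising the branches."""
    def t(h: int, m: int = 0) -> datetime:
        return datetime(2020, 4, 30, h, m)
    whitelist = [
        Permission("zhang", "deploy", "web01", t(9), t(18)),                        # no instructions recorded
        Permission("li",    "root",   "db01",  t(9), t(18), frozenset({"usermod"})),
    ]
    oplog = [LogEntry("zhang", "deploy", "web01", t(10, 5), "useradd")]
    events = [
        AbnormalEvent("web01", t(10, 10), "account_added:tmp01", "zhang", "deploy"),  # explained by the log
        AbnormalEvent("web01", t(2),      "account_added:tmp02"),                     # never authenticated
        AbnormalEvent("db01",  t(11),     "port_opened:8080",     "li",    "root"),   # usermod cannot open a port
        AbnormalEvent("web01", t(10, 20), "account_deleted:old",  "zhang", "deploy"), # nothing in the log
    ]
    return [analyse(e, whitelist, oplog)[0] for e in events]
```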
Operation and maintenance safety system
The system comprises a data acquisition layer, a data analysis layer and an application layer. The data acquisition layer comprises horizontally expanded data collectors and the bastion machine, and the data it acquires is gathered in the data analysis layer; the data analysis layer comprises horizontally expanded analysis engines that all share the data from the data acquisition layer; the application layer comprises horizontally expanded application modules, and the results of the data analysis layer are displayed by the corresponding application.
In this operation and maintenance system, the traditional chimney structure, in which one data collector corresponds to one analysis module which in turn corresponds to one display module, is split into a data acquisition layer, a data analysis layer and an application layer that are stacked vertically and each expanded horizontally; all display modules share the data analysis layer and the data acquisition layer, so the system can be expanded promptly and flexibly according to user needs, and acquisition, analysis and display efficiency are improved.
The data acquisition layer includes but is not limited to the bastion machine, the account maintenance system, the asset data middle platform and the like.
The data analysis layer includes, but is not limited to, the behavior analysis engine, the search engine, the task management engine, and the like.
The embodiments described in this specification are merely illustrative of implementations of the inventive concept and the scope of the present invention should not be considered limited to the specific forms set forth in the embodiments but rather by the equivalents thereof as may occur to those skilled in the art upon consideration of the present inventive concept.

Claims (8)

1. A data center account number maintenance system is characterized in that: the account maintenance system comprises a data acquisition unit, wherein the data acquisition unit logs in a server regularly, searches the storage positions of accounts in an operating system of the server and then acquires all the accounts on the server; automatically adding a new server account; and the data acquisition unit automatically modifies the passwords for all the account numbers at regular time.
2. The data center account maintenance system of claim 1, wherein: the data acquisition unit searches the account storage position of the operating system to acquire all accounts capable of logging in the operating system.
3. The account maintenance system of the data center according to claim 1, wherein the data collector obtains an operating system account of the server, the data collector remotely logs in the server by using the operating system account, after logging in, detects a process of the operating system, corresponds to an application by the process, searches an account storage file of the application, and obtains all accounts of each application on the operating system.
4. The data center account maintenance system of claim 1, wherein: the method comprises the steps of obtaining attribute information of an account when the account is obtained, wherein the attribute information of the account comprises the last login time of the account, account permission, identity information corresponding to the account, account quantity, account creating time, account ID, account expiration time and account source.
5. The data center account maintenance system of claim 1, wherein: the last login time of each account is compared with a preset time threshold, and an account exceeding the threshold is treated as a zombie account; and/or the account permissions are compared with the permissions obtained at the previous collection, and an account whose permissions have changed is treated as an over-privileged account; and/or the identity information associated with the account is examined: if it is empty, the account is treated as a ghost account; if it is not empty, it is compared with the identity information obtained at the previous collection, and if it has changed the account is treated as a risk account; zombie accounts, over-privileged accounts, ghost accounts and risk accounts all constitute account anomaly events;
and/or the number of accounts obtained in the current collection is compared with the number obtained in the previous one: if it is larger, the newly added accounts are treated as account anomaly events; if it is smaller, the deleted accounts are identified and each account deletion is treated as an account anomaly event;
an account anomaly event may be caused by attack behaviour or by operator error, and an anomaly event triggers a risk alert.
6. The data center account maintenance system of claim 1, wherein: the password is obtained through an SDK; alternatively, the password is obtained through an automation plug-in.
7. The data center account maintenance system of claim 1, wherein: the account data obtained in each collection is screened by account expiration time; accounts that have reached their expiration time are deleted, and a new account and its password are generated.
8. The data center account maintenance system of claim 1, wherein: an account security baseline is preset in the data collector and comprises the data from the most recent update; if the data obtained by the data collector in the current collection differs from the account security baseline, the changed data is marked as an account anomaly event.
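The collection and comparison that claims 2, 4, 5, 7 and 8 describe, as an added worked example that is not part of the patent or of the assignee's product: it parses constructed /etc/passwd, /etc/shadow and /etc/group text (the Linux account storage locations of claim 2), records the attributes of claim 4 that those files expose, and applies the claim 5 rules against a snapshot from a previous run that stands in for the claim 8 baseline. The idle threshold, the privileged-group names, the lastlog-style last-login table and the "today" value are assumptions. It goes beyond the count comparison of claim 5 by diffing account names, so added and deleted accounts are named rather than counted, and it also emits a chpasswd(8) batch for the periodic password change of claim 1.

```python
import secrets

# Added example, not the patent's own code. Assumed inputs: the server's /etc/passwd,
# /etc/shadow and /etc/group, plus lastlog-style last-login days. All data is constructed.
PASSWD_FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "flag")
GROUP_FIELDS = ("name", "pw", "gid", "members")
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
PRIV_GROUPS = {"sudo", "wheel", "admin"}  # assumed privileged groups
ZOMBIE_DAYS = 90                          # assumed idle threshold (claim 5)
TODAY = 19000                             # constructed "now", days since the epoch (2022-01-08)
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice Liu,ops:/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
deploy:x:1003:1003:CI deploy:/home/deploy:/bin/bash
svc_backup:x:1004:1004:Backup service:/home/svc_backup:/bin/bash
"""
SHADOW = """\
root:$6$salt$hash:18900:0:99999:7:::
alice:$6$salt$hash:18950:0:99999:7:::
bob:$6$salt$hash:18700:0:99999:7:::
deploy:$6$salt$hash:18900:0:99999:7::18990:
svc_backup:$6$salt$hash:18999:0:99999:7:::
"""
GROUP = "root:x:0:\nsudo:x:27:alice\nwheel:x:10:\n"
LASTLOG = {"root": 18990, "alice": 18995, "bob": 18800, "deploy": 18990}  # missing = never
BASELINE = {  # constructed snapshot from the previous run: the claim 8 security baseline
    "root":   {"uid": 0,    "identity": "root",       "privilege": ["uid0"], "expire": None},
    "alice":  {"uid": 1001, "identity": "Alice Liu",  "privilege": [],       "expire": None},
    "bob":    {"uid": 1002, "identity": "Bob Chen",   "privilege": [],       "expire": None},
    "deploy": {"uid": 1003, "identity": "Deploy bot", "privilege": [],       "expire": 18990},
    "carol":  {"uid": 1005, "identity": "Carol Wu",   "privilege": [],       "expire": None},
}

def parse_colon_file(text, fields):
    """Parse passwd/shadow/group style lines into {name: {field: value}}."""
    records = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            parts = line.split(":")
            parts += [""] * (len(fields) - len(parts))  # tolerate short lines
            records[parts[0]] = dict(zip(fields, parts))
    return records

def collect(passwd_text=PASSWD, shadow_text=SHADOW, group_text=GROUP, lastlog=LASTLOG):
    """Claims 2 and 4: every account able to log in, with the attributes the files expose."""
    passwd = parse_colon_file(passwd_text, PASSWD_FIELDS)
    shadow = parse_colon_file(shadow_text, SHADOW_FIELDS)
    groups = parse_colon_file(group_text, GROUP_FIELDS)
    accounts = {}
    for name, p in passwd.items():
        if p["shell"] in NOLOGIN_SHELLS:
            continue  # claim 2: only accounts capable of logging in
        sh = shadow.get(name, {})
        privilege = ["uid0"] if p["uid"] == "0" else []
        privilege += sorted(f"group:{g}" for g in PRIV_GROUPS
                            if g in groups and name in groups[g]["members"].split(","))
        accounts[name] = {
            "uid": int(p["uid"]),
            "identity": p["gecos"].split(",")[0],  # GECOS full-name field: who owns the account
            "privilege": privilege,
            "last_login": lastlog.get(name),       # days since epoch, None = never logged in
            "pw_changed": int(sh["lastchg"]) if sh.get("lastchg") else None,
            "expire": int(sh["expire"]) if sh.get("expire") else None,
        }
    return accounts

def detect(current, baseline=BASELINE, today=TODAY):
    """Claims 5 and 8: compare with the previous snapshot; returns (kind, account, detail)."""
    events = []
    for name, a in current.items():
        # Zombie: idle beyond the threshold; a never-used account is judged from its password-set date
        ref = a["last_login"] if a["last_login"] is not None else a["pw_changed"]
        if ref is None or today - ref > ZOMBIE_DAYS:
            events.append(("zombie", name, f"last activity day {ref}"))
        if a["identity"] == "":
            events.append(("ghost", name, "no identity recorded"))
        if a["expire"] is not None and a["expire"] <= today:
            events.append(("expired", name, f"expired on day {a['expire']}"))  # claim 7 candidate
        prev = baseline.get(name)
        if prev is None:
            events.append(("added", name, "absent from baseline"))
            continue
        if a["privilege"] != prev["privilege"]:
            events.append(("overprivileged", name, f"{prev['privilege']} -> {a['privilege']}"))
        if a["identity"] and a["identity"] != prev["identity"]:
            events.append(("risk", name, f"{prev['identity']!r} -> {a['identity']!r}"))
        drift = [k for k in ("uid", "expire") if a[k] != prev[k]]
        if drift:
            events.append(("baseline_drift", name, drift))
    for name in sorted(baseline.keys() - current.keys()):
        events.append(("deleted", name, "present in baseline, missing now"))
    return events

def rotation_batch(current, today=TODAY):
    """Claim 1: fresh random password per live account as chpasswd(8) 'name:password' lines."""
    return [f"{name}:{secrets.token_urlsafe(24)}" for name, a in sorted(current.items())
            if a["expire"] is None or a["expire"] > today]
```

On the constructed data this reports alice as over-privileged (joined sudo since the baseline), bob as both zombie and ghost, deploy as expired and as a risk account (identity changed), svc_backup as added and carol as deleted; root produces nothing. The batch from rotation_batch can be piped straight into `chpasswd` on the target host; an expired account is left out of it because claim 7 deletes and recreates such accounts rather than rotating them.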

CN202010366173.0A 2020-03-07 2020-04-30 Account number maintenance system of data center Pending CN111600857A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010154373X 2020-03-07
CN202010154373 2020-03-07

Publications (1)

Publication Number Publication Date
CN111600857A true CN111600857A (en) 2020-08-28

Family

ID=72111931

Family Applications (5)

Application Number Title Priority Date Filing Date
CN202010368081.6A Pending CN111586032A (en) 2020-03-07 2020-04-30 Fortress machine
CN202010366173.0A Pending CN111600857A (en) 2020-03-07 2020-04-30 Account number maintenance system of data center
CN202010366136.XA Active CN111600856B (en) 2020-03-07 2020-04-30 Safety system of operation and maintenance of data center
CN202010368084.XA Pending CN111586033A (en) 2020-03-07 2020-04-30 Asset data middle platform of data center
CN202010546291.XA Pending CN112039834A (en) 2020-03-07 2020-06-15 Data acquisition method and data acquisition system of data center

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202010368081.6A Pending CN111586032A (en) 2020-03-07 2020-04-30 Fortress machine

Family Applications After (3)

Application Number Title Priority Date Filing Date
CN202010366136.XA Active CN111600856B (en) 2020-03-07 2020-04-30 Safety system of operation and maintenance of data center
CN202010368084.XA Pending CN111586033A (en) 2020-03-07 2020-04-30 Asset data middle platform of data center
CN202010546291.XA Pending CN112039834A (en) 2020-03-07 2020-06-15 Data acquisition method and data acquisition system of data center

Country Status (1)

Country Link
CN (5) CN111586032A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115795439A (en) * 2023-01-18 2023-03-14 北京景安云信科技有限公司 Automatic resource encryption system based on safe fort machine

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112838951B (en) * 2020-12-31 2023-05-16 恒安嘉新(北京)科技股份公司 Operation and maintenance method, device and system of terminal equipment and storage medium
CN113157685A (en) * 2021-05-17 2021-07-23 杭州小鱼互动科技有限公司 Information acquisition port for intelligent data center
CN113282474A (en) * 2021-05-31 2021-08-20 长沙市到家悠享家政服务有限公司 User behavior monitoring method, system, equipment and medium based on bastion machine
CN113411409B (en) * 2021-08-19 2021-11-16 国网上海市电力公司 Remote operation and maintenance traceability system of intelligent internet of things gateway
CN114374691A (en) * 2021-09-29 2022-04-19 中远海运科技股份有限公司 Cloud host and cloud fort machine oriented method for realizing automatic encryption with fault-tolerant mechanism
CN114244604B (en) * 2021-12-16 2024-03-29 杭州乒乓智能技术有限公司 Integrated authority management method and system suitable for fort machine, electronic equipment and readable storage medium
CN114020444B (en) * 2022-01-05 2022-05-10 阿里云计算有限公司 Calling system and method for resource service application in enterprise digital middle station
CN114567468B (en) * 2022-02-18 2024-02-27 北京圣博润高新技术股份有限公司 Fort machine login method, fort machine login device, fort machine login equipment and storage medium
CN114978677A (en) * 2022-05-20 2022-08-30 中国电信股份有限公司 Asset access control method, device, electronic equipment and computer readable medium
CN115150199B (en) * 2022-09-02 2023-01-31 北京中安星云软件技术有限公司 Database operation and maintenance client account management and control method, system, equipment and medium
CN115695044A (en) * 2022-11-29 2023-02-03 贵州电网有限责任公司 IT asset safety control platform and management method
CN115904012A (en) * 2023-01-06 2023-04-04 山东中网云安智能科技有限公司 Portable intelligent classification encrypts fort machine system

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102456015A (en) * 2010-10-25 2012-05-16 中国移动通信集团河南有限公司 Method, system and device for managing account number information in database
US20140289829A1 (en) * 2012-03-20 2014-09-25 Guangdong Electronics Industry Institute Ltd Computer account management system and realizing method thereof
CN105844142A (en) * 2016-03-16 2016-08-10 上海新炬网络信息技术有限公司 Safe centralized management and control method of database account
CN106506153A (en) * 2016-11-28 2017-03-15 浙江齐治科技股份有限公司 One kind changes decryption method, device and fort machine automatically
WO2018040729A1 (en) * 2016-08-29 2018-03-08 广州小鹏汽车科技有限公司 Application account information management and control method and system for vehicle-mounted system
CN109120506A (en) * 2018-07-02 2019-01-01 湖北衣谷电子商务有限公司 A kind of detection processing method and system for account number of leaving unused in social networks
CN109492376A (en) * 2018-11-07 2019-03-19 浙江齐治科技股份有限公司 Control method, device and the fort machine of equipment access authority
CN110598423A (en) * 2019-08-05 2019-12-20 杭州安恒信息技术股份有限公司 Database account management method

Family Cites Families (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060053075A1 (en) * 2001-11-26 2006-03-09 Aaron Roth System and method for tracking asset usage and performance
ATE451780T1 (en) * 2007-09-28 2009-12-15 Zimory Gmbh METHOD AND SYSTEM FOR AUTOMATIC REMOTE PROVISION OF A SERVER VIA VIRTUAL DEVICE APPLICATIONS
CN102333090A (en) * 2011-09-28 2012-01-25 辽宁国兴科技有限公司 Internal control bastion host and security access method of internal network resources
CN103646093A (en) * 2013-12-18 2014-03-19 北京博雅立方科技有限公司 Data processing method and platform for search engines
CN104463492B (en) * 2014-12-23 2017-12-26 国家电网公司 A kind of operation management method of power system cloud emulation platform
US10375071B1 (en) * 2015-12-16 2019-08-06 Jpmorgan Chase Bank, N.A. Access control system and method
CN108256703A (en) * 2016-12-28 2018-07-06 卓望数码技术(深圳)有限公司 For automating the task scheduling index collection device and method of operational system
CN107070692A (en) * 2017-01-16 2017-08-18 中国联合网络通信有限公司广东省分公司 A kind of cloud platform monitoring service system analyzed based on big data and method
CN107395651A (en) * 2017-09-07 2017-11-24 赛尔网络有限公司 Service system and information processing method
CN107609987A (en) * 2017-09-19 2018-01-19 广西电网有限责任公司电力科学研究院 A kind of intelligent power transformation operational system of equipment oriented owner
CN107943668B (en) * 2017-12-15 2019-02-26 江苏神威云数据科技有限公司 Computer server cluster log monitoring method and monitor supervision platform
CN108416225A (en) * 2018-03-14 2018-08-17 深圳市网域科技股份有限公司 Data Audit method, apparatus, computer equipment and storage medium
CN110351228A (en) * 2018-04-04 2019-10-18 阿里巴巴集团控股有限公司 Remote entry method, device and system
CN108737425B (en) * 2018-05-24 2021-06-08 北京凌云信安科技有限公司 Vulnerability management system based on multi-engine vulnerability scanning correlation analysis
CN110569179A (en) * 2018-06-06 2019-12-13 富晋精密工业(晋城)有限公司 Data acquisition system and data acquisition method
CN108769048A (en) * 2018-06-08 2018-11-06 武汉思普崚技术有限公司 A kind of secure visualization and Situation Awareness plateform system
CN108876152A (en) * 2018-06-21 2018-11-23 王飞 A kind of big data security baseline inspection method
CN108960456A (en) * 2018-08-14 2018-12-07 东华软件股份公司 Private clound secure, integral operation platform
CN109167799A (en) * 2018-11-06 2019-01-08 北京华顺信安科技有限公司 A kind of vulnerability monitoring detection system for intelligent network information system
CN109525427A (en) * 2018-11-12 2019-03-26 广东省信息安全测评中心 Distributed assets information detection method and system
CN109889381B (en) * 2019-02-18 2022-03-18 国家计算机网络与信息安全管理中心 Automatic configuration management method and device based on fort machine
CN110719276B (en) * 2019-09-30 2021-12-24 北京网瑞达科技有限公司 Network equipment safety access system based on cache password and working method thereof
CN110826887A (en) * 2019-10-29 2020-02-21 深圳供电局有限公司 Intelligent operation and maintenance management system and method based on big data

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zhang Siyu et al.: "Centralized management of unified identity authentication logs and account risk detection", Journal of Southeast University (Natural Science Edition) *

Also Published As

Publication number Publication date
CN111600856A (en) 2020-08-28
CN111586033A (en) 2020-08-25
CN111586032A (en) 2020-08-25
CN112039834A (en) 2020-12-04
CN111600856B (en) 2023-03-31

Similar Documents

Publication Publication Date Title
CN111600856B (en) Safety system of operation and maintenance of data center
CN101610264B (en) Firewall system, safety service platform and firewall system management method
CN103563302B (en) Networked asset information management
CN106411562B (en) Electric power information network safety linkage defense method and system
CN111510463B (en) Abnormal behavior recognition system
US20190044961A1 (en) System and methods for computer network security involving user confirmation of network connections
JP6408395B2 (en) Blacklist management method
CN111786966A (en) Method and device for browsing webpage
CN113691566B (en) Mail server secret stealing detection method based on space mapping and network flow statistics
CN114598525A (en) IP automatic blocking method and device for network attack
CN110868403B (en) Method and equipment for identifying advanced persistent Attack (APT)
CN102906756A (en) Security threat detection associated with security events and actor category model
JP2022037896A (en) Automation method for responding to threat
CN111274276A (en) Operation auditing method and device, electronic equipment and computer-readable storage medium
CN111353151A (en) Vulnerability detection method and device for network application
CN103078771B (en) Based on Botnet distributed collaborative detection system and the method for P2P
CN110933064A (en) Method and system for determining user behavior track
Kumazaki et al. Incident Response Support System for Multi-Located Network by Correlation Analysis of Individual Events
Asaka et al. Local attack detection and intrusion route tracing
KR102449417B1 (en) Location information-based firewall system
Pan et al. Novel Blockchain-Based Privacy Protection for Smart Home
Liu et al. Research on Different Levels of Early Warning Systems for Power Internet Application Business
CN113572778A (en) Method for detecting illegal network intrusion
Findley BIFROST: A Statistical Analysis Framework for Detecting Insider Threat Activities on Cyber Systems
CN117097491A (en) Access control method and device, storage medium, and program product

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200828