CN112769825B - Network security guarantee method, system and computer storage medium - Google Patents


Publication number: CN112769825B
Authority: CN (China)
Prior art keywords: safety, security, management, control platform, network
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN202110022048.2A
Other languages: Chinese (zh)
Other versions: CN112769825A (en)
Inventors: 戚建淮, 郑伟范, 唐娟, 周杰, 刘建辉, 彭华
Current assignee: Shenzhen Y&D Electronics Information Co Ltd (as listed by Google Patents)
Original assignee: Shenzhen Y&D Electronics Information Co Ltd
Events: application filed by Shenzhen Y&D Electronics Information Co Ltd; priority to CN202110022048.2A; publication of CN112769825A; application granted; publication of CN112769825B; legal status active; anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205: Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209: Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0218: Distributed architectures, e.g. distributed firewalls

Abstract

The invention relates to a network security guarantee method and system and a computer storage medium. The method comprises the following steps: S1, deploying each security component and the security management and control platform in a distributed manner; S2, each security component collects the service information of its service object and reports its own operation log and the service information to the security management and control platform, which carries out a risk assessment of the service object according to the service information; and S3, the security management and control platform preprocesses the resources related to the confirmed risk event based on the risk assessment result, generates a security policy from the preprocessing result according to a preset rule, and issues the policy to the security components so as to control them to execute the policy cooperatively. By comprehensively slicing the resources required for risk protection and comprehensively reconstructing fine-grained information about the network, the invention forms a uniform security policy, so that the whole defense process can evolve continuously.

Description

Network security guarantee method, system and computer storage medium
Technical Field
The present invention relates to the field of network information security technologies, and in particular to a network security guarantee method, system and computer storage medium.
Background
At present, in a heterogeneous network communication environment, the composition of the national railway ticketing system is increasingly complex. During peak periods such as the Spring Festival travel season and holidays, the system faces highly concurrent access from different users; at the same time, passenger transport organizations require that a single ticket sale generally does not exceed a specified time, so the system has extremely demanding real-time requirements; in addition, railway ticketing is subject to real-name regulations and must open up several convenient ticketing channels such as the internet, so railway ticketing systems face increasingly severe network security threats.
For a large-scale service system such as the national railway ticketing system, the service system must protect against the assessed risks in order to guarantee network security while keeping up with rapid service growth. At present, single-point security components are generally used to protect against network risks independently of one another. Their protection emphases differ, and the fine-grained information related to a risk cannot be comprehensively analyzed and assessed from a global perspective, so the strength of the defense cannot be deepened. There is no control mechanism that can centrally manage a number of independent single-point security components and uniformly issue a security policy, so the components lack cooperative linkage, the security policy cannot be continuously executed and optimized into a continuously evolving defense process, the assessed risks cannot be tracked and handled comprehensively in real time, and the protection capability of each security device cannot be brought to bear effectively. As a result, a comprehensive and accurate security function cannot be achieved in a real large-scale, complex service system, and the network cannot be given overall, comprehensive and in-depth protection.
Therefore, as network environments diversify and services grow more complex, a network security guarantee method is urgently needed that can comprehensively analyze and assess risk-related fine-grained information from a global perspective, form a uniform security policy, and allow the whole defense process to evolve continuously.
Disclosure of Invention
The technical problem to be solved by the embodiments of the present invention is to provide a network security assurance method and system that can comprehensively analyze and evaluate fine-grained information related to a risk from a global perspective, comprehensively slice resources required for risk protection, and comprehensively reconstruct the fine-grained information of a network to form a unified security policy, so that the whole defense process can achieve continuous evolution.
In a first aspect, the technical solution adopted by an embodiment of the present invention to solve the technical problem is a network security guarantee method comprising the following steps:
S1, a plurality of distributed security components collect service information of a service object and report their own operation logs and the service information to a security management and control platform;
S2, the security management and control platform carries out a risk assessment of the service object according to the service information;
S3, the security management and control platform preprocesses the resources related to the confirmed risk event based on the risk assessment result;
and S4, the security management and control platform generates a security policy according to a preset rule based on the preprocessing result and sends it to the security components so as to control them to execute the policy cooperatively.
In the network security guarantee method according to the embodiment of the present invention, step S3 further includes:
S31, the security management and control platform comprehensively slices the computing resources, storage resources and network resources related to the risk event based on the risk assessment result;
and S32, the security management and control platform constructs a full-switching network on the basis of the comprehensive slicing, and comprehensively reconstructs the influence tree and the risk chain of the risk event through the full-switching network.
In the network security guarantee method according to the embodiment of the present invention, step S4 further includes:
S41, the security management and control platform generates a security policy according to a preset rule based on the influence tree and the risk chain, wherein the preset rule is a network security model constructed on the basis of the PDRR model;
and S42, the security management and control platform issues the security policy to the security components so as to control them to execute the policy cooperatively.
In the network security guarantee method according to the embodiment of the present invention, step S42 further includes:
S421, the security management and control platform uses the operating mechanism of the CIA state machine to drive state transitions according to the risk assessment result, so as to issue the security policy to the security components;
and S422, the security component protects against the risk event according to the security policy.
In the network security guarantee method according to the embodiment of the present invention, step S31 further includes:
S311, the security management and control platform distributes the different computing tasks related to the risk event to different computing nodes;
S312, the security management and control platform treats the storage space required by the different computing tasks as different storage objects and stores them in different object storage devices;
and S313, the security management and control platform performs network virtualization for the different computing tasks and selects the virtual machines and physical resources they require according to the type of communication service.
In the network security guarantee method according to the embodiment of the present invention, step S32 further includes:
S321, the security management and control platform constructs a full-switching network on the basis of the comprehensive slicing;
S322, the security management and control platform performs template extraction on the characteristics of the risk event and, using the full-switching network, reconstructs the risk chain corresponding to the risk event from the extracted characteristics;
and S323, the security management and control platform uses the full-switching network to reconstruct the influence tree corresponding to the risk event according to the influence of the risk event on the different business processes.
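The template extraction and dependency walk behind steps S321 to S323, as an added worked example that is not part of the patent: it assumes a constructed set of risk-chain templates, a constructed dependency graph of a ticketing system's business processes and a few constructed component reports, all invented for illustration, and shows only the reconstruction logic (the full-switching network itself is out of scope).

```python
from collections import deque

# Constructed risk-chain templates (assumed format, not the patent's own): each
# template is the ordered list of characteristic markers that make up one known
# kind of risk event, as the platform would extract them from component reports.
RISK_TEMPLATES = {
    "credential_abuse": [
        "failed_login_burst", "login_success", "privilege_change", "db_bulk_read",
    ],
    "border_intrusion": [
        "port_scan", "exploit_attempt", "new_process", "outbound_beacon",
    ],
}

# Constructed dependency graph of a ticketing system's business processes:
# DEPENDS_ON[x] lists the processes that consume x, so risk on x flows to them.
DEPENDS_ON = {
    "ticket_db": ["seat_inventory", "order_service"],
    "seat_inventory": ["booking_web", "booking_app"],
    "order_service": ["payment_gateway", "booking_web"],
    "payment_gateway": ["refund_service"],
    "booking_web": [],
    "booking_app": [],
    "refund_service": [],
}

# Constructed sample of reports from distributed components (not real telemetry).
SAMPLE_EVENTS = [
    {"source": "host_controller", "marker": "failed_login_burst"},
    {"source": "host_controller", "marker": "login_success"},
    {"source": "network_controller", "marker": None},  # heartbeat, no marker
    {"source": "core_controller", "marker": "db_bulk_read"},
]


def extract_features(events):
    """Template extraction: reduce raw reports to the ordered, de-duplicated
    list of characteristic markers they carry."""
    features = []
    for event in events:
        marker = event.get("marker")
        if marker and marker not in features:
            features.append(marker)
    return features


def reconstruct_risk_chain(features):
    """Match the observed markers against each template in template order and
    return (template name, matched steps, steps not yet observed) for the
    template with the highest fraction of matched steps."""
    best = None
    for name, chain in RISK_TEMPLATES.items():
        matched = [step for step in chain if step in features]
        missing = [step for step in chain if step not in features]
        score = len(matched) / len(chain)
        if best is None or score > best[0]:
            best = (score, name, matched, missing)
    _, name, matched, missing = best
    return name, matched, missing


def reconstruct_influence_tree(root, depends_on):
    """Breadth-first walk from the impacted resource over the dependency graph;
    returns {process: depth}, where depth is the number of hops from the root."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for child in depends_on.get(current, []):
            if child not in depth:
                depth[child] = depth[current] + 1
                queue.append(child)
    return depth


def assess_risk_event(events, impacted_resource):
    """Combine both reconstructions into the preprocessing result that the
    platform would hand to policy generation."""
    features = extract_features(events)
    name, matched, missing = reconstruct_risk_chain(features)
    tree = reconstruct_influence_tree(impacted_resource, DEPENDS_ON)
    return {
        "risk_chain": name,
        "matched_steps": matched,
        "unobserved_steps": missing,
        "chain_progress": len(matched) / (len(matched) + len(missing)),
        "influence_tree": tree,
        "blast_radius": len(tree) - 1,  # processes other than the root itself
    }


if __name__ == "__main__":
    result = assess_risk_event(SAMPLE_EVENTS, "ticket_db")
    for key, value in result.items():
        print(f"{key}: {value}")
```

The unobserved steps of the best-matching template are what a defender would watch for next, and the influence tree depth orders which business processes to protect first.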
In the network security guarantee method according to the embodiment of the present invention, the automatic closed-loop security management and control performed by the security management and control platform according to the PDRR model process includes:
a planning stage, in which the security management and control platform carries out centralized threat intelligence analysis and event risk assessment;
a detection stage, in which the security management and control platform collects and inspects, in a centralized manner, the various kinds of service information reported by the security components to obtain a detection result for the service state;
a response stage, in which the security management and control platform carries out security management and control based on a Markov decision process according to the detection result;
a recovery stage, in which the security management and control platform performs risk degradation and recovery of the system.
The response stage further comprises: according to the detection result, controlling request response behaviors of different natures in a differentiated manner to form a resource allocation scheme; generating a security policy based on the Markov decision process and the resource allocation scheme and distributing it to each security component; and each security component automatically carrying out the corresponding handling according to the security policy.
The recovery stage further comprises: the security management and control platform uses the brain-like computing module to carry out adaptive processing based on a time-division control model or a space-division control model so as to perform risk degradation of the system; and the security management and control platform recovers and reconstructs the key service systems and data by starting an emergency backup and recovery mechanism.
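The response stage's Markov decision process, as an added worked example that is not part of the patent: it assumes a small constructed MDP (three security states, three response actions, made-up transition probabilities and costs) and solves it by value iteration to obtain the per-state response action and the per-component policy bundle the platform would distribute. The state labels, costs and action bundles are all assumptions.

```python
# Constructed MDP for the response stage (example values, not the patent's own).
# States are the labels a detection result can map to; actions are the response
# bundles the platform can issue to the distributed security components.
STATES = ["normal", "suspicious", "compromised"]
ACTIONS = ["observe", "restrict", "isolate"]

# TRANSITIONS[state][action] = {next_state: probability}
TRANSITIONS = {
    "normal": {
        "observe":  {"normal": 0.95, "suspicious": 0.05},
        "restrict": {"normal": 0.98, "suspicious": 0.02},
        "isolate":  {"normal": 1.0},
    },
    "suspicious": {
        "observe":  {"normal": 0.2, "suspicious": 0.5, "compromised": 0.3},
        "restrict": {"normal": 0.7, "suspicious": 0.25, "compromised": 0.05},
        "isolate":  {"normal": 0.95, "suspicious": 0.05},
    },
    "compromised": {
        "observe":  {"compromised": 1.0},
        "restrict": {"suspicious": 0.5, "compromised": 0.5},
        "isolate":  {"normal": 0.9, "suspicious": 0.1},
    },
}

# COST[state][action]: immediate cost = residual risk exposure plus the service
# disruption the action causes (the resource-allocation trade-off of the page).
COST = {
    "normal":      {"observe": 0.0,  "restrict": 2.0,  "isolate": 5.0},
    "suspicious":  {"observe": 3.0,  "restrict": 4.0,  "isolate": 8.0},
    "compromised": {"observe": 20.0, "restrict": 15.0, "isolate": 12.0},
}

# What each abstract action means for each security component (assumed names).
ACTION_BUNDLES = {
    "observe":  {"network_controller": "monitor",
                 "host_agent": "report",
                 "firewall": "allow"},
    "restrict": {"network_controller": "monitor",
                 "host_agent": "raise_audit_level",
                 "firewall": "deny_new_sessions_from_suspect"},
    "isolate":  {"network_controller": "quarantine_port",
                 "host_agent": "terminate_suspect_process",
                 "firewall": "block_suspect"},
}


def q_value(state, action, values, gamma):
    """Expected discounted cost of taking `action` in `state` given `values`."""
    expected_next = sum(p * values[s2] for s2, p in TRANSITIONS[state][action].items())
    return COST[state][action] + gamma * expected_next


def value_iteration(gamma=0.9, tol=1e-9, max_iter=10_000):
    """Solve the minimum-cost MDP; returns (state values, greedy policy)."""
    values = {s: 0.0 for s in STATES}
    for _ in range(max_iter):
        new_values = {s: min(q_value(s, a, values, gamma) for a in ACTIONS) for s in STATES}
        delta = max(abs(new_values[s] - values[s]) for s in STATES)
        values = new_values
        if delta < tol:
            break
    policy = {s: min(ACTIONS, key=lambda a: q_value(s, a, values, gamma)) for s in STATES}
    return values, policy


def respond(detected_state, policy):
    """Response stage: turn a detection result into the chosen action and the
    per-component policy bundle to distribute."""
    action = policy[detected_state]
    return action, ACTION_BUNDLES[action]


if __name__ == "__main__":
    values, policy = value_iteration()
    for state in STATES:
        print(f"{state:12s} value={values[state]:.2f} action={policy[state]}")
    print(respond("compromised", policy))
```

With these constructed numbers the solver settles on observe/restrict/isolate for normal/suspicious/compromised; changing the disruption costs (for example making isolation cheap) changes the policy, which is the knob the resource allocation scheme represents.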
In the network security guarantee method according to the embodiment of the present invention, step S1 further includes:
S11, the security component collects the service information in real time according to a polling mechanism or a configured collection period;
and S12, the security component caches and encrypts its own operation log and the service information and reports them to the security management and control platform in real time.
In the network security guarantee method according to the embodiment of the present invention, the security components include a network controller, a core controller, a host security agent module and a firewall; the security management and control platform comprises a security management module, a security monitoring and auditing module, a configuration management module, a situation awareness module, a continuous security evolution module and a security management control communication component; the security components and the security management and control platform communicate through the security management control communication component.
In a second aspect, another technical solution adopted by an embodiment of the present invention to solve the technical problem is to construct a network security assurance system, which includes a plurality of security components and a security management and control platform for managing each of the security components, where the security components and the security management and control platform communicate with each other through the security management control communication component, and the security management and control platform stores a computer program, and the computer program is executed by a processor on the security management and control platform to implement the network security assurance method according to any one of the above-mentioned first aspect.
In a third aspect, an embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a computer, the network security assurance method is performed as described in any implementation manner of the first aspect.
In the network security assurance system according to the embodiment of the present invention, the security components include a network controller, a core controller, a host security agent module and a firewall; the security management and control platform comprises a security management module, a security monitoring and auditing module, a configuration management module, a situation awareness module, a continuous security evolution module and a security management control communication component; the security components and the security management and control platform communicate through the security management control communication component.
In the network security assurance system according to the embodiment of the present invention, the firewall includes a controllable firewall and a controllable application firewall.
By implementing the network security guarantee method and the network security guarantee system, resources required by risk protection can be comprehensively sliced, and a uniform security strategy is formed by comprehensively reconstructing fine-grained information of a network, so that the whole defense process can be continuously evolved.
Drawings
The invention will be further described with reference to the following drawings and examples, in which:
FIG. 1 is a flowchart of a first preferred embodiment of the network security assurance method provided by the present invention;
FIG. 2 is a flowchart of step S3 of the network security assurance method according to the preferred embodiment of the present invention;
FIG. 3 is a diagram illustrating the network security defense process according to a preferred embodiment of the network security assurance method provided by the present invention;
FIG. 4 is a flowchart of step S4 of the network security assurance method according to the preferred embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a preferred embodiment of the network security assurance system provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The embodiment of the invention adopts a distributed management approach and a private security management control protocol. Based on a PKI system and a brain-like computing module, a security management and control platform performs centralized management: it receives the service information reported by security components deployed in a distributed manner, such as a network controller, a host controller, a core controller, a host security agent, a firewall and a secure communication module; comprehensively slices and reconstructs that information to obtain the fine-grained resources of a service; analyzes the fine-grained resources comprehensively to obtain a risk assessment result for the service; then generates a security policy using a preset rule and sends it to the security components; and controls the components to handle and block the security event automatically and in linkage, so as to reduce the risk of the security event to an acceptable level. This achieves distributed deployment, centralized management and control, and automated, intelligent security management, and meets the need for highly reliable, efficient and continuous secure operation of a complex service system.
Fig. 1 is a flowchart of a network security assurance method according to a first preferred embodiment of the present invention. In step S1, a plurality of different security components and a security management and control platform that manages each security component are deployed in a distributed manner.
In a preferred embodiment of the present invention, the security components may include, for example, a network controller, a core controller, a host security agent module and a firewall, and the firewall may further include a controllable firewall, a controllable application firewall (cloud), and so on.
The network controller monitors and compares the configuration, port states, traffic and running state of the network devices against their security baseline configuration and raises a security event when they differ; it also monitors terminal access to the network in real time, blocks access by unauthenticated terminals, generates an alarm and reports it, so as to prevent unauthorized devices from being connected to the network.
The core controller is responsible for security monitoring and auditing of the core service domain and of access to its databases, covering security conditions such as user operation records, service applications and monitored processes. Preferably, the core controller captures the packets of the whole network using a monitoring system aimed at protocol analysis in bypass (out-of-band) monitoring mode. For large database systems such as Sybase, which transmit data using the TDS protocol, it analyzes the interactive data between users and the database server, records the operations of every user on the core database in each time period, and provides detailed data for later data recovery and for locating illegal operations.
The host controller is centrally managed by the security management and control platform: it receives the platform's security policy, instantiates it according to the type of the managed host, realizes decentralized control of the host, monitors and compares the host's users, configuration files, processes, services and interfaces against the host's security baseline configuration, and raises a security event when they differ.
The controllable firewall provides zoning, boundary protection and access control. According to the security rules set by the system administrator, it forms a security barrier between the internal network and the untrusted outside, implements complete security settings and transmission control through a secure and efficient kernel, and prevents potential intrusion damage. It integrates security technologies such as content filtering, intrusion protection, anti-virus, VPN, flow control, user management and role authentication, fully supports functions such as QoS (quality of service), high availability (HA) and log auditing, realizes intrusion detection and virus protection, helps the user grasp the information security situation of the whole network in real time, and provides timely early warning and emergency handling of outbreaks of network information security events.
The controllable application firewall (cloud) adds intrusion detection, an anti-virus engine, application identification and control, web application protection and similar functions on top of the firewall, supports cloud deployment, and forms a firewall cloud.
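The baseline comparison performed by the network controller and the host controller described above, as an added worked example that is not part of the patent: it assumes a constructed host security baseline, one constructed observed snapshot and a constructed set of authenticated terminal addresses, and shows how inconsistencies become security events for the platform and how an unauthenticated terminal is blocked with an alarm.

```python
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class SecurityEvent:
    component: str   # reporting security component
    target: str      # user, service, interface, file or terminal concerned
    category: str
    detail: str
    severity: str


# Constructed host security baseline (sample values, not the patent's own).
HOST_BASELINE = {
    "users": {"root", "ticketsvc", "backup"},
    "services": {"sshd", "ticket-api", "auditd"},
    "interfaces": {"eth0": "up", "eth1": "down"},
    "config_hash": {"/etc/ssh/sshd_config": "a1b2", "/etc/ticket/app.conf": "c3d4"},
}

# Constructed snapshot as a host controller would collect it on one polling cycle.
HOST_OBSERVED = {
    "users": {"root", "ticketsvc", "backup", "tmpadm"},   # unexpected account
    "services": {"sshd", "ticket-api"},                   # auditd not running
    "interfaces": {"eth0": "up", "eth1": "up"},           # eth1 unexpectedly up
    "config_hash": {"/etc/ssh/sshd_config": "a1b2", "/etc/ticket/app.conf": "ffff"},
}

# Constructed set of terminal addresses that passed network access authentication.
AUTHENTICATED_TERMINALS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}


def compare_to_baseline(component, baseline, observed):
    """Diff an observed snapshot against the security baseline and emit one
    SecurityEvent per inconsistency; an empty list means the host conforms."""
    events = []
    for cat in ("users", "services"):
        current = observed.get(cat, set())
        for item in sorted(current - baseline[cat]):
            events.append(SecurityEvent(component, item, cat,
                                        "present but not in baseline", "high"))
        for item in sorted(baseline[cat] - current):
            # A baseline item that disappeared (e.g. the audit daemon) is itself a risk signal.
            events.append(SecurityEvent(component, item, cat,
                                        "in baseline but absent", "high"))
    for cat in ("interfaces", "config_hash"):
        for key, expected in baseline[cat].items():
            actual = observed.get(cat, {}).get(key)
            if actual != expected:
                severity = "high" if cat == "config_hash" else "medium"
                events.append(SecurityEvent(component, key, cat,
                                            f"expected {expected!r}, observed {actual!r}",
                                            severity))
    return events


def admit_terminal(mac, authenticated=AUTHENTICATED_TERMINALS):
    """Network controller decision for a terminal seen on an access port:
    returns ("allow", None) or ("block", alarm event to report)."""
    if mac in authenticated:
        return "allow", None
    return "block", SecurityEvent("network_controller", mac, "terminal_access",
                                  "unauthenticated terminal blocked", "high")


def build_report(events):
    """Plain dict records of the events, ready to be cached and sent upstream."""
    return [asdict(e) for e in events]


if __name__ == "__main__":
    for record in build_report(compare_to_baseline("host_controller", HOST_BASELINE, HOST_OBSERVED)):
        print(record)
    print(admit_terminal("de:ad:be:ef:00:01"))
```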
The host security agent module is used for authenticating and authorizing the identity of a host user, acquiring the state, reporting data and the like.
The security management and control platform mainly provides basic security services such as cryptography on the basis of a PKI system, is supported by the strong computing power of a brain-like computing module, adopts the PDRR model combined with the PDCA cycle to realize adaptive comprehensive detection, analysis, identification, response and management control, and has automatic and intelligent security detection and identification capabilities. The platform mainly comprises a security management module, a security monitoring and auditing module, a configuration management module, a situation awareness module and a continuous security evolution module. Preferably, the security management module has functions such as label management, authorization management, security domain management, security baseline management, policy management, monitoring management and response management, and the PKI system provides the various functions required by the security system, such as cryptographic services and security authentication, based on the national cryptographic algorithms.
The configuration management module performs unified, centralized configuration and management of the managed objects (security components, network devices and the like), and has functions such as user management, asset management, topology management and upgrade management. Preferably, when the network security guarantee method of the present invention is applied to a railway ticketing system, the module mainly provides end users with a visual, graphical and intuitive way to manage and monitor the operating condition of the railway ticketing security system, and provides a security management and system management interface through which users configure and manage the security components, for example by issuing firewall (cloud) rules and firewall (cloud) black and white lists. The configuration management module can further support automatic scanning of the system, discovery of the security components running online and monitoring of the state of their nodes; it provides user management, performs identity authentication and authorization against an identity card, authorizes users as high-level administrators, provides a topology diagram for authority management, can initialize the part center and regional centers, and can create security component nodes in the topology diagram.
The security monitoring and auditing module has functions such as security event monitoring, security state monitoring and compliance checking, security audit policy management and risk management. It can be used to perform security auditing and risk analysis of the operating condition of each security component, and to perform accountability auditing and emergency recovery of the components.
The situation awareness module provides situation awareness for asset security, risk, attack and threat. It collects the various kinds of data reported by the security components such as the network controller, core controller and host controller, together with the threat data generated, processed, transmitted and stored by third parties. On the full set of elements of the ISO system structure, covering the physical, network, system and application layers, it performs data fusion, data cleaning, data mining, feature extraction, dynamic response and prediction, and machine learning, automatically learning, modeling and analyzing the data to form rules, and uses those rules to carry out network situation assessment, network threat assessment and network situation prediction for the cyberspace. In this way the security situation of the cyberspace becomes visible, known, manageable, controllable, traceable and subject to early warning, and a multi-level, multi-angle, multi-granularity, complete and detailed security situation awareness platform is built around elements such as human, machine and object resources, spatial ranges and their relationships.
The continuous security evolution module provides security orchestration, handling and recovery. It organizes the security applications, flexibly invokes the corresponding security policy according to the attacker's behavior, and thereby prepares the security response capability quickly, stably and consistently; it also configures, controls and manages the system's resources and operation, including user identity, system resource configuration, system loading and startup, exception handling during system operation, and backup and recovery of data and equipment.
In the preferred embodiment of the invention, as the service system becomes large and complex and its services grow rapidly, the risks assessed for the service system must be comprehensively protected against in real time in order to guarantee network security, and the invention requires a brain-like computing system to provide strong computing power. Furthermore, because of the number of workflows and workflow states in the service system and the complexity of their transitions, a platform with large computing power is required in order to detect and filter in real time without interfering with the operation of the system's services. Therefore, in a preferred embodiment of the present invention, the security management and control platform includes a brain-like computing module that adopts a parallel-computing hypercube architecture integrating computing, storage and communication. Its basic parallel brain-neuron computing unit is realized on a stable Hopfield neural network structure without self-feedback, and a fully meshed, decentralized advanced computing system is realized with the support of a customized operating system, an SDN full-switching network and an elastic big-data storage network. It achieves supercomputing capacity, supports elastic expansion of computing nodes and resources, is convenient to deploy and install, and provides the large computing power needed to track the many operation-sequence state records of massive numbers of users and to construct an operation tree by analysis and matching.
In a further preferred embodiment of the invention, the safety component and the safety management and control platform communicate via a safety communication system comprising a safety communication module and a safety isolation and information exchange module.
In a preferred embodiment of the present invention, the deployment of the security management and control platform includes deploying the platform in a security management center, where it performs comprehensive analysis, detection and risk assessment on the service information reported by the distributed security components, preprocesses the assessed risk events to generate a uniform security policy, issues the refined uniform security policy to each security component, and controls each security component to continuously execute and optimize the security policy in linkage.
In a preferred embodiment of the present invention, the deploying of the security component includes deploying various security components that can be managed and controlled by the security management and control platform in a distributed manner in the managed and controlled service object system according to the importance of the service and the requirements and targets of security guarantee, detecting the service objects managed by the different security components, and reporting the collected different service information to the security management and control platform.
In a preferred embodiment of the present invention, the security components may include, for example, a network controller, a core controller, a host controller, a host security agent module and a firewall. The firewall may further include a manageable network firewall and a manageable (cloud) application firewall.
In step S2, the security components collect service information of the service objects and report their own operation logs together with the collected service information to the security management and control platform, and the platform performs risk assessment on the service objects according to that service information.
In a preferred embodiment of the present invention, each security component actively collects, by polling or according to a configured collection cycle, the service information of the network switches, routers, service computing hosts, servers, databases and other objects it manages; it caches its own operation log together with the collected service information, encrypts both through the secure communication module, and reports them to the security management and control platform in real time. The service information includes, without limitation, the service object's operating system, logs, software and hardware configuration, vulnerabilities, security labels, states, performance, user role permissions, operations, application workflows, service chains and attack chains, where the states include the state of every state machine of the service workflow. For example, the host security agent module mainly collects host-user identity and permission information; the firewall mainly collects access-control information such as network region boundaries and security marks; the host controller mainly collects host user, configuration file, process, service, interface, performance, vulnerability and state information; the core controller mainly collects database-user operation and service-application information; the network controller mainly collects user, configuration, port and traffic information of the network equipment; and the cloud firewall additionally collects and detects intrusion and virus information. The collected and identified service information thus covers all seven OSI layers and provides the basis for the subsequent comprehensive risk assessment and protection by the security management and control platform.
The security management and control platform then uses the object and host marks carried in the user role permissions of the service information to comprehensively identify and detect, across all seven layers of the Open Systems Interconnection (OSI) reference model, the users, processes, files, base tables, protocols, operation instructions, parameters, code, system calls, signals and the like in the service information, and so completes the risk assessment.
Preferably, the security component caches and encrypts its own operation log and the collected service information through the security management control communication component and reports them to the security management and control platform in real time, so that the confidentiality, authenticity and non-repudiation of the transmitted data are guaranteed, the data being assessed can be trusted, and the platform performs its comprehensive detection and risk assessment on trustworthy data. Encryption by itself only provides confidentiality: authenticity needs an integrity check bound to the sender, and non-repudiation needs a signature that only the reporting component can produce, so the communication component has to combine these mechanisms rather than rely on encryption alone.
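As an added illustration (not part of the patent, which specifies no wire format or algorithms), the following Go program shows one way a component's communication module can deliver the three properties named above: AES-GCM gives confidentiality and integrity, an Ed25519 signature over the plaintext gives authenticity and non-repudiation, and a per-component sequence number lets the platform reject a replayed copy of a genuine report. The component name, the key provisioning, the record layout and the sample record are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Envelope is what travels: AES-GCM nonce and ciphertext (confidentiality and
// integrity) plus an Ed25519 signature over the plaintext (non-repudiation).
// The layout is an assumption for this example, not the patent's protocol.
type Envelope struct {
	Component          string
	Nonce, Cipher, Sig []byte
}

// Component is the reporting side; its keys are assumed to be provisioned out
// of band (e.g. by the PKI system the patent names).
type Component struct {
	name string
	priv ed25519.PrivateKey
	aead cipher.AEAD
	seq  uint64 // monotonic counter, lets the platform reject replays
}

// Seal prefixes the record with the next sequence number, signs the plaintext,
// then encrypts it with the component name as associated data so an envelope
// cannot be re-labelled as coming from another component.
func (c *Component) Seal(record []byte) (Envelope, error) {
	c.seq++
	plain := append(binary.BigEndian.AppendUint64(nil, c.seq), record...)
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := c.aead.Seal(nil, nonce, plain, []byte(c.name))
	return Envelope{c.name, nonce, ct, ed25519.Sign(c.priv, plain)}, nil
}

// Peer is what the platform holds for one enrolled component.
type Peer struct {
	aead cipher.AEAD
	pub  ed25519.PublicKey
	seq  uint64 // highest sequence number accepted so far
}

// Platform is the receiving side: decrypt, verify the signature, reject replays.
type Platform struct{ peers map[string]*Peer }

// Open returns the record only if the GCM tag and the signature verify and the
// sequence number is newer than the last one accepted from that component.
func (p *Platform) Open(e Envelope) ([]byte, error) {
	peer, ok := p.peers[e.Component]
	if !ok {
		return nil, fmt.Errorf("unknown component %q", e.Component)
	}
	plain, err := peer.aead.Open(nil, e.Nonce, e.Cipher, []byte(e.Component))
	if err != nil {
		return nil, fmt.Errorf("decrypt/authenticate: %w", err)
	}
	if !ed25519.Verify(peer.pub, plain, e.Sig) {
		return nil, fmt.Errorf("signature does not verify")
	}
	if len(plain) < 8 || binary.BigEndian.Uint64(plain[:8]) <= peer.seq {
		return nil, fmt.Errorf("truncated, replayed or reordered report")
	}
	peer.seq = binary.BigEndian.Uint64(plain[:8])
	return plain[8:], nil
}

// Demo enrols one host controller, delivers a report, then replays and tampers
// with it; it returns how many envelopes were accepted and rejected.
func Demo() (accepted, rejected int, err error) {
	key := make([]byte, 32) // AES-256 key shared with the platform (assumed provisioned)
	rand.Read(key)
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	block, _ := aes.NewCipher(key) // 32-byte key, cannot fail
	gcm, _ := cipher.NewGCM(block)
	comp := &Component{name: "host-controller-01", priv: priv, aead: gcm}
	plat := &Platform{peers: map[string]*Peer{comp.name: {aead: gcm, pub: pub}}}
	// Constructed sample record, not real telemetry.
	env, err := comp.Seal([]byte(`{"object":"db-server-3","state":"running","vulns":0}`))
	if err != nil {
		return
	}
	if _, e := plat.Open(env); e == nil {
		accepted++
	}
	if _, e := plat.Open(env); e != nil { // same envelope again: replay
		rejected++
	}
	env.Cipher[0] ^= 0x01 // one flipped ciphertext bit: the GCM tag check fails
	if _, e := plat.Open(env); e != nil {
		rejected++
	}
	return
}

func main() { fmt.Println(Demo()) }
```

The sequence number is what turns an authenticated channel into a trustworthy record: without it the platform would happily assess a captured report a second time, and the encryption and signature would both still verify.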
In step S3, the security management and control platform preprocesses the resources involved in the identified risk event on the basis of the risk assessment result, generates a security policy from the preprocessing result according to a preset rule, and issues the policy to the security components so that they are controlled in linkage to execute it jointly.
In this step, the computing, storage and network resources involved in the risk event are comprehensively sliced according to the risk assessment result; a full-switching network is built on the basis of that slicing; the impact tree and the risk chain of the risk event are comprehensively reconstructed through the full-switching network; a security policy for the risk event is generated according to a network security model built on the PDRR model; and the operating mechanism of the CIA state machine is used to drive its state transitions according to the assessment result, so that the security policy is issued to every security component. The security components execute the policy in coordinated linkage and keep executing and optimizing it, forming a new network security guarantee system whose defense process evolves continuously and dynamically.
Fig. 2 is a flowchart of a preferred embodiment of step S3 of the network security guarantee method of the present invention. As shown in Fig. 2, in step S31 the security management and control platform comprehensively slices the computing resources, storage resources and network resources involved in the risk event on the basis of the risk assessment result. Preferably, step S31 further includes: the platform distributes the different computing tasks involved in the risk event to different computing nodes to complete the slicing of the computing resources; it treats the storage space required by those tasks as distinct storage objects and stores them in different object storage devices to complete the slicing of the storage resources; and it virtualizes the network for those tasks, selecting the virtual machines and physical resources each task needs according to its communication service type, to complete the slicing of the network resources.
In a preferred embodiment of the invention, the computing, storage and network resources involved in protecting against the risk event can all be sliced. According to the comprehensive risk assessment result, the computing resources are partitioned into nodes at fine granularity using the brain-like computing principle, and the different computing tasks of the risk event are dynamically distributed to different computing nodes, realizing the slicing of the computing resources; the storage space required by the different tasks is treated as distinct storage objects, each stored in a different object storage device in a distributed memory-cloud manner based on the stored objects, giving dynamic elastic scaling of storage nodes and global data sharing; and on the basis of network function virtualization (NFV), the network resources of the different tasks are recombined and the required virtual machines and physical resources are selected for each specific communication service type, meeting the demand for flexible service assembly.
In step S32, the security management and control platform builds a full-switching network on the basis of the comprehensive slicing and reconstructs the impact tree and the risk chain of the risk event through that full-switching network.
In a preferred embodiment of the present invention, step S32 further includes: the security management and control platform builds a full-switching network on the basis of the comprehensive slicing, the full-switching network being able to network the virtual network and to carry multiple kinds of data transmission; the platform extracts a template of the features of the risk event and uses the full-switching network to reconstruct the risk chain corresponding to the risk event from the obtained features; and the platform uses the full-switching network to reconstruct the impact tree corresponding to the risk event according to its impact on the different business processes.
In the preferred embodiment of the present invention, the impact tree and the risk chain are reconstructed comprehensively over the full-switching network built on the comprehensive slicing. First, a feature template of the behavior process of the risk event that has occurred is extracted, and the risk chain corresponding to the risk event is reconstructed from the obtained behavior features. Then the impact tree corresponding to the risk event is reconstructed according to the degree to which the operational behaviors of the different services involved in the event affect the business system.
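The patent does not say how the feature template is extracted or how the impact tree is computed. The following Go program is an added example (not the patent's code) of one concrete reading of this step: the actions observed on one service object are ordered in time into a behavior sequence, that sequence is matched as an ordered subsequence against known chain templates to recover the risk chain and how far it has progressed, and the compromised object's impairment is propagated through a weighted service dependency graph to form the impact tree. All event records, template names, service names and weights are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Record shapes are assumptions for this example; the patent names categories of
// service information but no schema. A Dependency's Weight in (0,1] is the share
// of the provider's impairment that propagates to the dependant service.
type (
	Event         struct{ T int; Object, Action string }            // one normalised observation
	ChainTemplate struct{ Name string; Steps []string }             // ordered action classes of a known chain
	Dependency    struct{ Service, Provider string; Weight float64 }
	ImpactNode    struct{ Service, Parent string; Impact float64 }  // one node of the impact tree
)

// ExtractTemplate returns the time-ordered action sequence observed on object,
// with consecutive repeats collapsed (three failed logins become one step).
func ExtractTemplate(events []Event, object string) []string {
	own := append([]Event(nil), events...)
	sort.Slice(own, func(i, j int) bool { return own[i].T < own[j].T })
	var seq []string
	for _, e := range own {
		if e.Object == object && (len(seq) == 0 || seq[len(seq)-1] != e.Action) {
			seq = append(seq, e.Action)
		}
	}
	return seq
}

// MatchChain picks the template whose steps occur in order as a subsequence of the
// observed actions (unrelated events in between are tolerated) and reports how many
// steps have completed, so a partial match reveals a chain still in progress.
func MatchChain(observed []string, templates []ChainTemplate) (string, int) {
	bestName, best := "", 0
	for _, t := range templates {
		i := 0
		for _, a := range observed {
			if i < len(t.Steps) && a == t.Steps[i] {
				i++
			}
		}
		if i > best {
			bestName, best = t.Name, i
		}
	}
	return bestName, best
}

// ImpactTree propagates the impairment of root to every service that depends on it,
// directly or transitively. Impact is the product of weights along the strongest
// path; that path's last hop is the tree parent. Cycles end since impact never grows.
func ImpactTree(root string, deps []Dependency) []ImpactNode {
	dependants := map[string][]Dependency{}
	for _, d := range deps {
		dependants[d.Provider] = append(dependants[d.Provider], d)
	}
	best := map[string]ImpactNode{root: {Service: root, Impact: 1}}
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		for _, d := range dependants[queue[0]] {
			imp := best[queue[0]].Impact * d.Weight
			if n, ok := best[d.Service]; !ok || imp > n.Impact {
				best[d.Service] = ImpactNode{d.Service, queue[0], imp}
				queue = append(queue, d.Service)
			}
		}
	}
	tree := make([]ImpactNode, 0, len(best))
	for _, n := range best {
		tree = append(tree, n)
	}
	sort.Slice(tree, func(i, j int) bool { return tree[i].Impact > tree[j].Impact })
	return tree
}

// Constructed sample data: a credential-abuse chain on db-server-3 with a routine
// heartbeat interleaved, two chain templates and a small service dependency graph.
var SampleEvents = []Event{
	{1, "db-server-3", "login_failure"}, {2, "db-server-3", "login_failure"},
	{3, "db-server-3", "login_failure"}, {4, "db-server-3", "login_success"},
	{5, "db-server-3", "heartbeat"}, {6, "db-server-3", "privilege_escalation"},
	{7, "db-server-3", "bulk_select"}, {8, "db-server-3", "outbound_transfer"},
}
var Templates = []ChainTemplate{
	{"credential-abuse-exfiltration", []string{"login_failure", "login_success",
		"privilege_escalation", "bulk_select", "outbound_transfer"}},
	{"ransomware-staging", []string{"login_success", "privilege_escalation", "mass_write", "service_stop"}},
}
var SampleDeps = []Dependency{
	{"order-api", "db-server-3", 0.9}, {"reporting", "db-server-3", 0.4},
	{"payment", "order-api", 0.8}, {"web-portal", "order-api", 0.6},
}

func main() {
	seq := ExtractTemplate(SampleEvents, "db-server-3")
	name, done := MatchChain(seq, Templates)
	fmt.Printf("observed %v\nrisk chain: %s (%d of its steps completed)\n", seq, name, done)
	for _, n := range ImpactTree("db-server-3", SampleDeps) {
		fmt.Printf("%-12s impact=%.2f via %q\n", n.Service, n.Impact, n.Parent)
	}
}
```

Subsequence matching rather than exact matching is deliberate: telemetry from several components interleaves routine events with the attacker's steps, and the platform needs to recognise a chain before its last step has happened. The impact weights stand in for the "degree of impact on the business system" the paragraph mentions; in practice they come from the service dependency model built in the planning stage.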
Fig. 4 is a flowchart of step S4 of the network security guarantee method according to the preferred embodiment of the present invention. As shown in Fig. 4, in step S41 the security management and control platform generates the security policy according to the preset rule on the basis of the impact tree and the risk chain. The preset rule is a network security model built on the PDRR model. In this step, the risk event is analyzed according to the PDRR model, fused with the PDCA (plan, do, check, act) cycle model, on the basis of the reconstructed impact tree and risk chain, and a fine-grained security policy is then generated.
The security management and control platform carries out automated closed-loop security control following the PDRR process, which comprises the following stages.
1. Planning (P) stage. The security management and control platform performs centralized threat intelligence analysis and security event risk assessment, and generates the CIA security state machine and the security management and control state machine according to the CIA requirements, the security management and control requirements and the targets.
In the preferred embodiment of the invention, the planning stage mainly defines the business baseline. It covers all network elements, such as people, system components and environment interactions, and brings the asset distribution set, function permission set, operation behavior set, vulnerability library, virus library, attack library, security targets, security requirements, security policy and security model into the protection plan. It then defines a fine-grained, multi-dimensional security baseline for the assessed object on the basis of the security control requirements; that is, the normal business workflow is modeled from big data, and the CIA security state machine and the security management and control state machine are constructed on the basis of that normal workflow.
The CIA security state machine and the security management and control state machine sit on the security layer and the management and control layer of the whole service system respectively. The CIA security state mainly describes the states and transitions of the network security attributes, and the security management and control state mainly describes the states and transitions related to security management and control. The CIA security state machine represents the states and transitions of five network security attributes: confidentiality, integrity, availability, authenticity and non-repudiation. Each security attribute is itself a state machine, with the internal states and transitions of that attribute. The security management and control state machine represents the state-machine transitions of the PDRR model and the PDCA cycle model: each PDRR stage is a state machine, giving a P state machine, a D state machine, a Response state machine and a Recovery state machine with transitions between them, and the whole PDRR state machine is a sub-state machine of the PDCA state machine, whose sub-state machines together form the large PDCA cycle.
The CIA security state machine therefore describes the states and mutual transitions of the five network security attributes: confidentiality, integrity, availability, authenticity and non-repudiation (other common formulations of the basic elements of information security substitute controllability and auditability for the last two). The CIA security state machine is arranged in the middle layer of the overall state machine: it receives security control instructions from the upper-layer security management and control state machine and then, according to its state transition relations, controls the operation of the lower-layer service state machine in linkage.
2. Detection (D) stage. The security management and control platform centrally collects the service information reported by the security components, including the information of the various security states and security state machines, and generates the service state machine from the business workflow and all state-machine transition operation behaviors. In the preferred embodiment of the invention, full-element detection is carried out: for elements such as identity permissions, domain names and ports, message protocols, encoding formats and data flows, data fusion decisions combining active and passive modes are made over the service flow, vulnerabilities and attack threats to realize threat intelligence analysis; and for the information assets and system services defined at each level, consistency response detection is carried out, supporting confidentiality protection, that is, comprehensive content detection of both uplink and downlink traffic.
In the preferred embodiment of the present invention, the service state machine sits in the service layer and represents the state-machine relations of each service of the application system; the state associations and transition conditions between the different services of the application system constitute the overall service state machine. Each service is itself a state machine, with the states and transition conditions of its own content.
3. Response (R) stage. The security management and control platform performs security management and control according to the detection result on the basis of a Markov decision process. In the preferred embodiment of the invention, request and response behaviors of different natures are controlled differently according to the detection result to form a more effective resource allocation scheme; a security policy is generated from the Markov decision process and that resource allocation scheme and distributed to each security component, and the components automatically perform the corresponding processing according to the policy. The processing may include releasing normal behavior, locking abnormal behavior or diverting suspicious behavior, and supports security control at every level, such as application, core, boundary and aggregation.
4. Recovery (R) stage. The security management and control platform performs risk degradation and recovery of the system. In the preferred embodiment of the invention, measures such as risk degradation and restart are taken through risk bearing and transfer; flexible scheduling and scaling of computing, network and storage resources is supported; the emergency backup and recovery mechanism is started; key service systems and data such as files, databases and operating systems are recovered and rebuilt; and the system is returned to its normal state, realizing global load optimization and recovery of the system within seconds.
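As an added example (not the patent's own model, which it does not spell out), the Go program below works through the response stage as a small Markov decision process: the detection result classifies a request as normal, suspicious or abnormal, the actions are the three the stage names (release, divert, lock), and value iteration computes the policy that maximizes long-run business value minus admitted harm. The transition probabilities, rewards and discount factor are constructed assumptions; in the platform they would be estimated from the detection stage, and the resulting policy changes with them.

```go
package main

import (
	"fmt"
	"math"
)

// Request classes (states) as the detection stage reports them, and the three
// responses the patent names: release normal, divert suspicious, lock abnormal.
const (
	Normal = iota
	Suspicious
	Abnormal
)
const (
	Release = iota
	Divert
	Lock
)

var stateName = [...]string{"normal", "suspicious", "abnormal"}
var actionName = [...]string{"release", "divert", "lock"}

// MDP holds P[s][a][s'] (probability the next request is class s' after acting
// with a on class s) and R[s][a] (immediate reward), plus the discount Gamma.
type MDP struct {
	P     [3][3][3]float64
	R     [3][3]float64
	Gamma float64
}

// ExampleMDP returns constructed numbers for the example; they are assumptions,
// not measurements. Rewards weigh business kept running against harm admitted.
func ExampleMDP() MDP {
	m := MDP{Gamma: 0.9}
	m.R = [3][3]float64{
		{1.0, -0.5, -2.0}, // normal: releasing keeps business running, locking breaks it
		{-1.0, 0.5, -0.3}, // suspicious: diversion costs little and yields intelligence
		{-5.0, -1.0, 1.0}, // abnormal: releasing admits the attack
	}
	// Rows are actions release, divert, lock; columns are next class normal, suspicious, abnormal.
	m.P = [3][3][3]float64{
		{{0.9, 0.1, 0}, {0.9, 0.1, 0}, {0.9, 0.1, 0}},
		{{0.3, 0.4, 0.3}, {0.4, 0.5, 0.1}, {0.7, 0.3, 0}}, // releasing a suspect lets it escalate
		{{0.1, 0.2, 0.7}, {0.2, 0.3, 0.5}, {0.8, 0.2, 0}}, // locking an attack mostly ends it
	}
	return m
}

// Solve runs value iteration to convergence and returns the optimal value of
// each state and the greedy policy (action index per state).
func Solve(m MDP) ([3]float64, [3]int) {
	var V [3]float64
	var pi [3]int
	for iter := 0; iter < 10000; iter++ {
		var next [3]float64
		delta := 0.0
		for s := 0; s < 3; s++ {
			best, bestA := math.Inf(-1), 0
			for a := 0; a < 3; a++ {
				q := m.R[s][a]
				for s2 := 0; s2 < 3; s2++ {
					q += m.Gamma * m.P[s][a][s2] * V[s2]
				}
				if q > best {
					best, bestA = q, a
				}
			}
			next[s], pi[s] = best, bestA
			delta = math.Max(delta, math.Abs(next[s]-V[s]))
		}
		V = next
		if delta < 1e-10 {
			break
		}
	}
	return V, pi
}

// Decide maps a detection result to the action the solved policy prescribes;
// this is the lookup a security component would perform on each request.
func Decide(pi [3]int, state int) string { return actionName[pi[state]] }

func main() {
	V, pi := Solve(ExampleMDP())
	for s := range V {
		fmt.Printf("%-10s V=%.3f -> %s\n", stateName[s], V[s], actionName[pi[s]])
	}
}
```

With these numbers the optimal policy is release, divert, lock, which is the mapping the stage describes; the point of solving rather than hard-coding it is that the same machinery re-derives the policy when the costs or the escalation probabilities change (for instance, if diversion capacity is exhausted and its reward drops, locking suspicious requests becomes optimal).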
In step S42, the security management and control platform issues the security policy to each security component so that the components are controlled in linkage to execute it jointly.
Preferably, step S42 further includes: the security management and control platform uses the operating mechanism of the CIA state machine to drive its state transitions according to the risk assessment result, and thereby issues the security policy to each security component.
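To make the linkage of S42 concrete, here is an added Go example (not from the patent) of the three-layer state-machine arrangement described above: a PDRR management and control machine on top, one machine per CIA attribute in the middle, and one machine per business service below. A risk assessment drives the control machine through detection into response, moves the threatened attribute's machine, and that state in turn imposes restriction or isolation on the service; every machine refuses transitions absent from its table, so a second assessment cannot be applied until recovery has closed the loop. The state names, the severity scale and the service name are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// FSM is a labelled state machine that refuses any transition absent from its
// table. One type serves all three layers; the state names are assumptions.
type FSM struct {
	Name, State string
	Allowed     map[string][]string // current state -> permitted next states
}

func (f *FSM) Transition(to string) error {
	for _, next := range f.Allowed[f.State] {
		if next == to {
			f.State = to
			return nil
		}
	}
	return fmt.Errorf("%s: illegal transition %s -> %s", f.Name, f.State, to)
}

// Assessment is the risk assessment result handed to S42 (constructed shape):
// affected service, threatened CIA attribute, severity 0 none / 1 suspicious / 2 confirmed.
type Assessment struct {
	Service, Attribute string
	Severity           int
}

// LayeredController holds the PDRR control machine on top, one CIA machine per
// security attribute in the middle and one machine per business service below.
type LayeredController struct {
	Control  *FSM
	CIA      map[string]*FSM
	Services map[string]*FSM
	last     Assessment // the assessment currently being handled
}

func NewLayeredController(services []string) *LayeredController {
	c := &LayeredController{CIA: map[string]*FSM{}, Services: map[string]*FSM{}}
	c.Control = &FSM{"pdrr", "planning", map[string][]string{
		"planning": {"detection"}, "detection": {"planning", "response"},
		"response": {"recovery"}, "recovery": {"planning"}}}
	for _, a := range []string{"confidentiality", "integrity", "availability", "authenticity", "non-repudiation"} {
		c.CIA[a] = &FSM{a, "assured", map[string][]string{
			"assured": {"at_risk", "violated"}, "at_risk": {"assured", "violated"}, "violated": {"assured"}}}
	}
	for _, s := range services {
		c.Services[s] = &FSM{s, "running", map[string][]string{
			"running": {"restricted", "isolated"}, "restricted": {"running", "isolated"}, "isolated": {"running"}}}
	}
	return c
}

// Apply is the linkage of S42: control advances through detection to response,
// the threatened attribute's CIA machine moves according to the assessment, and
// its new state decides the action imposed on the service machine. Any layer
// refusing its transition aborts the step with an error.
func (c *LayeredController) Apply(a Assessment) (string, error) {
	cia, svc := c.CIA[a.Attribute], c.Services[a.Service]
	if cia == nil || svc == nil {
		return "", errors.New("unknown attribute or service")
	}
	if err := c.Control.Transition("detection"); err != nil {
		return "", err
	}
	if a.Severity == 0 { // nothing found: detection returns to planning
		return "release", c.Control.Transition("planning")
	}
	if err := c.Control.Transition("response"); err != nil {
		return "", err
	}
	c.last = a
	ciaState, action := "at_risk", "restricted"
	if a.Severity >= 2 {
		ciaState, action = "violated", "isolated"
	}
	if err := cia.Transition(ciaState); err != nil {
		return "", err
	}
	return action, svc.Transition(action)
}

// Recover closes the PDRR loop for the assessment last applied: recovery restores
// the attribute and the service, then control returns to planning.
func (c *LayeredController) Recover() error {
	for _, t := range []struct{ m *FSM; to string }{{c.Control, "recovery"}, {c.CIA[c.last.Attribute], "assured"},
		{c.Services[c.last.Service], "running"}, {c.Control, "planning"}} {
		if err := t.m.Transition(t.to); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	c := NewLayeredController([]string{"order-api"})
	fmt.Println(c.Apply(Assessment{"order-api", "integrity", 2}))
	fmt.Println(c.Apply(Assessment{"order-api", "integrity", 1})) // refused: control is still in response
	fmt.Println(c.Recover(), c.Control.State, c.Services["order-api"].State)
}
```

The refusal in the second call is the property worth keeping in a real implementation: the control layer, not the component, decides when a new policy may be pushed, so an assessment that arrives while the previous response is still open is queued or escalated rather than silently overriding it.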
Each security component then takes the security policy as the basis for defending against the risk. On the basis of the Systems Security Engineering Capability Maturity Model, the interaction of the risk process, the guarantee process and the engineering process is ensured, forming a network security defense process that evolves continuously and approaches the security target in a dynamic spiral following the risk process.
In the preferred embodiment of the invention, under the protection of the unified security policy, the security management and control platform issues linkage control to each security component to execute the policy automatically and to keep executing and optimizing it. Based on the Systems Security Engineering Capability Maturity Model (SSE-CMM), a hierarchical security engineering process is formed from the interaction of the risk process, the guarantee process and the engineering process, iterating in a gradual, spiral-ascending manner and continuously approaching the security target. The result is the new network security defense process of continuous evolution and continuous dynamic spiral approximation shown schematically in Fig. 3.
The network security guarantee method of the invention has the following beneficial effects. (1) The computing and network resources needed to protect against the assessed risk are scheduled dynamically and at fine granularity by the security management and control platform, the storage resources needed for risk protection are partitioned sensibly by deploying a distributed memory cloud, and the resources needed for risk protection are sliced comprehensively as a whole, so that the effective operation of the risk protection process is guaranteed from an overall viewpoint. (2) On the basis of the comprehensively sliced resources, the security management and control platform reconstructs the fine-grained information of the network over the full-switching network it builds, so that the generated security policy is more accurate and effective, defense in depth is achieved, and the defensive effect is more pronounced. (3) The security management and control platform is deployed in the security management center and centrally manages the distributed security components: it performs real-time, comprehensive risk assessment on the security events they report, unifies the security policy and issues it to the components in real time, so that the components defend against risk on the basis of the received policy; the policy is continuously executed and optimized by controlling the components in linkage, a continuously evolving security defense process is formed, the defensive capability of the security components is exploited effectively, and the security defense requirements of complex services are met.
Fig. 5 is a schematic block diagram of a first preferred embodiment of the network security guarantee system of the present invention.
As shown in Fig. 5, the network security guarantee system includes a plurality of security components 100 and a security management and control platform 200 managing each security component 100. The security components 100 include a network controller 110, a core controller 120, a host controller 130, a host security agent module 140 and a firewall 150. The security management and control platform 200 comprises a security management module 210, a security monitoring and auditing module 220, a configuration management module 230, a situation awareness module 240, a continuous security evolution module 250, a security management control communication component 260 and a brain-like computing module 270.
Preferably, the security components 100 and the security management and control platform 200 communicate through the security management control communication component 260. The security management and control platform 200 stores a computer program which, when executed by a processor on the platform, implements the network security guarantee method described with reference to Fig. 1 or Fig. 2.
The network security guarantee system adopts the idea of distributed management and a private security management control protocol, and is based on a PKI system and the brain-like computing module. The security management and control platform manages centrally: it receives the service information reported by the distributed security components such as the network controller, host controller, core controller, host security agent, firewall and secure communication module; comprehensively slices and reconstructs that information to obtain the fine-grained resources of the service; comprehensively analyzes those fine-grained resources to obtain the risk assessment result of the service; then generates a security policy using the preset rule and transmits it to the security components, controlling them in linkage to handle and block the security events so that their risk is reduced to an acceptable level. Distributed deployment, centralized management and control, and automated, intelligent security management and control are thereby achieved, meeting the requirement of a complex business system for highly reliable, efficient and continuous secure operation.
Those skilled in the art will appreciate that the network security guarantee system described above can be constructed according to the teaching of the network security guarantee method shown in Figs. 1 to 4; based on the teaching of the present invention, those skilled in the art can implement the system, and it is not described again here.
The network security guarantee system has the same beneficial effects (1) to (3) as set out above for the network security guarantee method, since it executes that method: fine-grained scheduling and comprehensive slicing of the resources needed for risk protection, reconstruction of fine-grained network information over the full-switching network so that the generated policy is more accurate and effective, and centralized management of the distributed security components with real-time risk assessment, a unified policy issued in real time, and continuous execution and optimization of that policy by linkage control, forming a continuously evolving security defense process that meets the protection requirements of complex services.
Accordingly, the present invention can be realized in hardware, software, or a combination of hardware and software. The present invention can be realized in a centralized fashion in at least one computer system, or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system or other apparatus adapted for carrying out the methods of the present invention is suited. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein.
The present invention may also be implemented by a computer program product, comprising all the features enabling the implementation of the methods described herein, when loaded in a computer system. The computer program in this document refers to: any expression, in any programming language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) Conversion to other languages, codes or symbols; b) Reproduced in a different format.
While the invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the scope of the invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the invention without departing from its scope. Therefore, it is intended that the invention not be limited to the particular embodiment disclosed, but that the invention will include all embodiments falling within the scope of the appended claims.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (8)

1. A network security guarantee method, characterized in that it comprises the following steps:
S1, a plurality of distributed security components collect service information of a service object and report their operation logs and the service information to a security management and control platform;
S2, the security management and control platform performs risk assessment on the service object according to the service information;
S3, the security management and control platform preprocesses the resources related to the determined risk event based on the risk assessment result;
S4, the security management and control platform generates a security policy according to the preprocessing result and a preset rule and sends the security policy to the security components so as to control the security components in linkage to execute the security policy jointly;
the step S3 further includes:
s31, the safety management and control platform comprehensively slices the computing resources, the storage resources and the network resources related to the risk event based on the risk assessment result;
s32, the security management and control platform constructs a full-switching network on the basis of the comprehensive slicing, and an influence tree and a risk chain of the risk event are comprehensively reconstructed through the full-switching network;
the step S31 further includes:
s311, the safety management and control platform distributes different computing tasks related to the risk event to different computing nodes so as to complete comprehensive slicing of the computing resources;
s312, the security management and control platform takes the storage space required by the different computing tasks as different storage objects, and stores the different storage objects into different object storage devices to complete the comprehensive slicing of the storage resources;
s313, the security management and control platform carries out network virtualization on the different computing tasks, and virtual machines and physical resources required by the different computing tasks are selected according to the communication service types so as to complete comprehensive slicing of the network resources.
2. The network security guarantee method of claim 1, wherein step S4 further comprises:
S41, the security management and control platform generates the security policy according to the preset rule based on the impact tree and the risk chain, wherein the preset rule is a network security model constructed based on a PDRR model;
S42, the security management and control platform issues the security policy to the security components so as to control the security components to execute the security policy in linkage.
3. The network security guarantee method according to claim 2, wherein step S42 further comprises:
S421, the security management and control platform uses the operating mechanism of the CIA state machine to drive its state transitions according to the risk assessment result so as to issue the security policy to the security components;
S422, the security components perform security protection against the risk event according to the security policy.
4. The network security assurance method according to claim 3, wherein the step S32 further comprises:
s321, the security management and control platform constructs a full-switching network on the basis of comprehensive slicing;
s322, the security management and control platform performs template extraction on the characteristics of the risk event, and reconstructs a risk chain corresponding to the risk event by using the full-switching network according to the obtained characteristics;
and S323, the safety management and control platform utilizes the full-switching network to reconstruct an influence tree corresponding to the risk event according to the influence of the risk event on different business processes.
5. The network security guarantee method according to any one of claims 1 to 4, wherein step S1 further comprises:
S11, the security components collect the service information in real time by polling or according to a configured collection cycle;
S12, the security components cache and encrypt their operation logs and the service information and report them to the security management and control platform in real time.
6. A network security assurance system, comprising a plurality of security elements, a security management and control platform managing the security elements, the security management and control platform having stored thereon a computer program which, when executed by a processor on the security management and control platform, implements the network security assurance method according to any one of claims 1 to 5.
7. The network security guarantee system of claim 6, wherein the security components comprise a network controller, a core controller, a host security agent module and a firewall; the security management and control platform comprises a security management module, a security monitoring and auditing module, a configuration management module, a situation awareness module, a continuous security evolution module and a security management control communication component; and the security components and the security management and control platform communicate through the security management control communication component.
8. A computer storage medium storing a computer program, the computer program comprising program instructions that, when executed by a processor, cause the processor to perform the network security assurance method of any one of claims 1-5.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202110022048.2A (CN112769825B) | 2021-01-07 | 2021-01-07 | Network security guarantee method, system and computer storage medium

Publications (2)

Publication Number | Publication Date
CN112769825A | 2021-05-07
CN112769825B | 2023-02-21

Family

ID=75700949

Country Status (1)

Country | Link
CN | CN112769825B

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN113407949A * | 2021-06-29 | 2021-09-17 | 恒安嘉新(北京)科技股份公司 | Information security monitoring system, method, equipment and storage medium
CN113240116B * | 2021-07-12 | 2021-11-19 | 深圳市永达电子信息股份有限公司 | Smart fire-protection cloud system based on a brain-like platform
CN113239239A * | 2021-07-12 | 2021-08-10 | 深圳市永达电子信息股份有限公司 | Network security equipment knowledge fusion method, device, system and storage medium
CN113254946A * | 2021-07-12 | 2021-08-13 | 深圳市永达电子信息股份有限公司 | Brain-like computing platform and manageable control vulnerability scanning system
CN113347209B * | 2021-07-30 | 2021-11-26 | 深圳市永达电子信息股份有限公司 | Service behavior analysis method, system, equipment and storage medium based on state machine
CN113691627B * | 2021-08-25 | 2022-09-27 | 杭州安恒信息技术股份有限公司 | Control method, device, equipment and medium for SOAR linkage equipment
CN114760107A * | 2022-03-23 | 2022-07-15 | 中国建设银行股份有限公司 | Defense scheme selection method based on network evaluation and related equipment
CN114679333A * | 2022-04-19 | 2022-06-28 | 深圳市永达电子信息股份有限公司 | Dual security decision method based on function and network and computer readable storage medium
CN114629728B * | 2022-05-11 | 2022-09-09 | 深圳市永达电子信息股份有限公司 | Network attack tracking method and device based on Kalman filtering
CN114745139B * | 2022-06-08 | 2022-10-28 | 深圳市永达电子信息股份有限公司 | Network behavior detection method and device based on brain-like memory
CN115664846B * | 2022-12-08 | 2023-07-04 | 深圳市永达电子信息股份有限公司 | Network security management and control system and method
CN116866090B * | 2023-09-05 | 2023-11-28 | 长扬科技(北京)股份有限公司 | Network security management system and network security management method of industrial control network
CN117097565B * | 2023-10-18 | 2023-12-29 | 山东源鲁信息科技有限公司 | Method for constructing policy model based on service system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101436967A * | 2008-12-23 | 2009-05-20 | 北京邮电大学 | Method and system for evaluating network safety situation
CN104901838A * | 2015-06-23 | 2015-09-09 | 中国电建集团成都勘测设计研究院有限公司 | Enterprise network safety event management system and method thereof
CN105915535A * | 2016-05-24 | 2016-08-31 | 北京朋创天地科技有限公司 | Virtual resource access control method based on user identity
CN111885040A * | 2020-07-17 | 2020-11-03 | 中国人民解放军战略支援部队信息工程大学 | Distributed network situation perception method, system, server and node equipment

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US11012466B2 * | 2016-07-13 | 2021-05-18 | Indrasoft, Inc. | Computerized system and method for providing cybersecurity detection and response functionality
CN107465696A * | 2017-07-03 | 2017-12-12 | 南京骏腾信息技术有限公司 | Intelligent security risk management and control method based on the SaaS cloud service model
CN108696531A * | 2018-06-08 | 2018-10-23 | 武汉思普崚技术有限公司 | Security policy adaptive analysis and big-data visualization platform system
US20200329072A1 * | 2019-04-11 | 2020-10-15 | Level 3 Communications, Llc | System and method for utilization of threat data for network security

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Research on information security risk management methods for information systems; 陈光; China Doctoral Dissertations Full-text Database (Information Science and Technology); 20070515; full text *
Design and engineering implementation of an SOC security management platform for an operator IP network; 赖睿; China Master's Theses Full-text Database (Information Science and Technology); 20130815; full text *

Also Published As

Publication number | Publication date
CN112769825A | 2021-05-07

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant