CN112866186A - Security level determination method and device - Google Patents

Info

Publication number
CN112866186A
Authority
CN
China
Prior art keywords
target
security level
preset
equipment
determining
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911194076.1A
Other languages
Chinese (zh)
Other versions
CN112866186B (en
Inventor
柴烨
李燕
张一�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Datang Mobile Communications Equipment Co Ltd
Original Assignee
Datang Mobile Communications Equipment Co Ltd
Application filed by Datang Mobile Communications Equipment Co Ltd
Priority to CN201911194076.1A
Publication of CN112866186A
Application granted
Publication of CN112866186B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/02 Standardisation; Integration
    • H04L 41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the invention provides a security level determination method and device. The method comprises the following steps: acquiring monitoring information of a target device, the monitoring information being extracted from the communication between the target device and its corresponding target management device and comprising the communication interface type of the target device, the source addresses of SET-type messages of the Simple Network Management Protocol (SNMP) and/or a security level preset in the Management Information Base (MIB); and determining a target security level for the target device according to the monitoring information. The embodiment of the invention addresses the problem that, in the prior art, SNMP-based network equipment finds it difficult to reconcile security with operational convenience because of the SNMP version in use.

Description

Security level determination method and device
Technical Field
The present invention relates to the field of mobile communications technologies, and in particular, to a security level determination method and apparatus.
Background
In a wireless communication system, the Simple Network Management Protocol (SNMP) is the protocol used for communication between network management software and network devices, and it is supported by the network equipment of most manufacturers. SNMP has gone through several protocol versions, namely SNMPv1, SNMPv2c and SNMPv3. SNMPv2c is the most commonly deployed of these; most devices that nominally support SNMPv2 actually implement SNMPv2c. The security mechanism of SNMPv1 is based on community strings: every message carries a community string, and that string alone decides whether the message is accepted as legitimate. SNMPv2c is community-based SNMPv2 and uses the same mechanism.
SNMPv3 strengthens security by introducing the User-based Security Model (USM), which is designed mainly against modification of information and masquerade, and also protects against message stream modification and disclosure. SNMPv1 and SNMPv2c are simple to implement but weak in security; SNMPv3 is more secure but more complex to implement and less efficient, and differences in how manufacturers interpret it sometimes lead to interoperability problems.
Therefore, in the prior art, SNMP-based network devices find it difficult to reconcile security with operational convenience, and the SNMP version in use is the reason.
Disclosure of Invention
The embodiment of the invention provides a method and a device for determining a security level, intended to solve the prior-art problem that SNMP-based network equipment finds it difficult to reconcile security with operational convenience because of the SNMP version in use.
In one aspect, an embodiment of the present invention provides a security level determination method, where the method includes:
acquiring monitoring information of a target device; the monitoring information is extracted from the communication between the target device and its corresponding target management device and comprises the communication interface type of the target device, the source addresses of SET-type messages of the Simple Network Management Protocol (SNMP) and/or a security level preset in the Management Information Base (MIB);
and determining a target security level for the target device according to the monitoring information.
In another aspect, an embodiment of the present invention further provides a security level determination apparatus, where the apparatus includes:
an information monitoring module, configured to acquire monitoring information of a target device; the monitoring information is extracted from the communication between the target device and its corresponding target management device and comprises the communication interface type of the target device, the source addresses of SNMP SET-type messages and/or a security level preset in the Management Information Base (MIB);
and a level determination module, configured to determine a target security level for the target device according to the monitoring information.
In yet another aspect, an embodiment of the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the security level determination method described above when executing the computer program.
In still another aspect, an embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored, the computer program implementing the steps of the security level determination method described above when executed by a processor.
In the embodiment of the invention, monitoring information of the target device is obtained and a target security level for the target device is determined from it. The monitoring information is extracted from the communication between the target device and its corresponding target management device; by monitoring the actual message exchange between the two, the matching target security level is selected and the target device is made to apply it, so that the security level of the communication is adjusted automatically to the actual conditions, the limitations of the SNMP protocol version are avoided, communication security is ensured and security monitoring becomes more convenient.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without inventive labor.
FIG. 1 is a flowchart illustrating steps of a security level determination method according to an embodiment of the present invention;
FIG. 2 is a system architecture diagram of a first example of an embodiment of the present invention;
FIG. 3 is a flowchart of the steps of a first example of an embodiment of the present invention;
fig. 4 is a block diagram of a security level determination apparatus according to an embodiment of the present invention;
fig. 5 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
In various embodiments of the present invention, it should be understood that the sequence numbers of the following processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
Referring to fig. 1, an embodiment of the present invention provides a security level determining method, where the method includes:
Step 101: acquire monitoring information of the target device. The monitoring information is extracted from the communication between the target device and its corresponding target management device and comprises the communication interface type of the target device, the source addresses of SNMP SET-type messages and/or a security level preset in the Management Information Base (MIB).
In this step, the target device is a network-side device such as a base station, and the target management device is an Operation and Maintenance Center (OMC). The communication messages between the target device and the target management device are monitored, and preset key messages are extracted from them to obtain the monitoring information.
The monitoring information may include the communication interface type, the source addresses of SNMP SET-type messages, and/or the security level preset in the MIB.
Specifically, the communication interface type is the physical interface of the target device; different physical interfaces correspond to different actual network environments, and the interface may be an optical fibre port or an electrical port. An optical port is a physical interface for connecting an optical fibre cable, which carries light by total internal reflection at the boundary from the optically denser to the optically thinner medium. "Electrical port" is the collective name for twisted-pair interfaces such as RJ45 and, more generally, for copper media including ordinary network cable and radio-frequency coaxial cable; all of them carry the signal electrically, hence the name.
SNMP SET-type messages are used for remote parameter configuration of network equipment, covering parameters such as the device name and device attributes, deletion of a device, or enabling/disabling a device attribute. In the embodiment of the invention, during communication between the target device and the target management device, the target management device (taking an OMC as the example) retrieves the logs of the target device through SET messages; the source address of a SET-type message is therefore the network address of the target management device.
The security level preset in the Management Information Base (MIB) is a security level configured in advance for the target device.
And step 102, determining a target safety level corresponding to the target equipment according to the monitoring information.
In this step, different parameter types and parameter values of the monitoring information correspond to different security levels. In the embodiment of the invention, a set of security levels is planned in advance for the target device according to its operating environment and operating state; each security level corresponds to a different security policy, and the target device and the target management device communicate in a different mode under each policy.
Optionally, a correspondence may be preset in which each security level has its own monitoring information requirement, the requirement consisting of a parameter type and/or a parameter value of the monitoring information.
Further, after the target security level for the target device has been determined, the current security level of the target device is obtained and compared with the target security level. If the two differ, the security level of the target device is set to the target security level; if they match, the current security level is kept and monitoring information of the target device continues to be collected.
In the prior art, SNMPv3 with the User-based Security Model offers three security levels (no authentication and no encryption, authentication without encryption, and authentication with encryption), and parameters such as the authentication and encryption protocols, the keys and the chosen security level all have to be configured. On the one hand this is laborious and reduces working efficiency; on the other hand, in practice many network administrators do not understand the meaning of the configuration parameters, so the parameters are rarely changed, or are changed incorrectly. In the embodiment of the invention, the target security level is matched to the actual communication conditions between the target device and the target management device, which both simplifies security configuration work and prevents operators from mis-editing the parameters. In addition, because the security level is determined from the actual communication between the target device and the target management device, the method is not restricted by the SNMP protocol version.
In the embodiment of the invention, monitoring information of the target device is obtained and a target security level for the target device is determined from it. The monitoring information is extracted from the communication between the target device and its corresponding target management device; by monitoring the actual message exchange between the two, the matching target security level is selected and the target device is made to apply it, so that the security level of the communication is adjusted automatically to the actual conditions, the limitations of the SNMP protocol version are avoided, communication security is ensured and security monitoring becomes more convenient. The embodiment thus addresses the prior-art problem that SNMP-based network equipment finds it hard to reconcile security with operational convenience because of the SNMP version in use.
Optionally, in this embodiment of the present invention, if the monitoring information includes the communication interface type of the target device, the step of determining the target security level from the monitoring information includes:
if the communication interface type of the target device is an electrical port, determining that the target security level of the target device is a first preset level;
if the communication interface type of the target device is an optical port, obtaining the number of devices in the local area network where the target device is located, and determining the target security level of the target device according to that number.
When an electrical port is used, the Internet Protocol (IP) address of the base station device (i.e. the target device) is a fixed value, the environment is a direct connection or a small local area network, and in both environments there is only one base station device, so the security requirement of the environment is low and the target security level is determined to be the first preset level.
When an optical port is used, the IP address of the base station device is not fixed and may be assigned by a Dynamic Host Configuration Protocol (DHCP) server; the environment may then contain several network segments and routing configurations and several target devices, so a further determination is made according to the number of devices in the local area network where the target device is located.
Optionally, the number of devices in the local area network is obtained as follows: the reachable IP addresses in the local area network are found with the ping and traceroute (tracert) commands, SNMP GET messages querying device information are sent to those addresses, and each address at which a device exists answers correctly.
Further, in this embodiment of the present invention, the step of determining the target security level corresponding to the target device according to the number of devices includes:
if the number of the devices is smaller than a first preset threshold value, determining that the target security level corresponding to the target device is a second preset level;
and if the number of the devices is greater than or equal to a first preset threshold value, determining that the target security level corresponding to the target device is a third preset level.
Optionally, the first preset threshold may be preset to, for example, 5, 10 or another positive integer. If the number of devices in the local area network where the target device is located is smaller than the first preset threshold, the target security level of the target device is determined to be the second preset level; such a small local area network with a single device or a few devices is typically a factory test environment, a small customer demonstration or a joint debugging scenario.
If the number of devices is greater than or equal to the first preset threshold, the target security level of the target device is determined to be the third preset level; a local area network with that many devices is typically a test, joint debugging or bidding scenario, so the security level set for it is correspondingly higher.
It should be noted that, in the embodiment of the present invention, the security level is gradually increased from the first preset level to the nth preset level, that is, the second preset level is higher than the first preset level, the third preset level is higher than the second preset level, … …, and the nth preset level is higher than the N-1 preset level.
Optionally, in this embodiment of the present invention, if the monitoring information includes the source addresses of SET-type messages, the step of determining the target security level from the monitoring information includes:
if the number of distinct source addresses of SET-type messages is greater than a second preset threshold, determining that the target security level of the target device is a fourth preset level.
In this step, the source address of a SET-type message is the network address of the target management device. The network address may be an IP address or a Media Access Control (MAC) address; a MAC address uniquely identifies a network interface card, so the base station device and the OMC device each have a unique MAC address in the network.
The second preset threshold is a positive integer greater than or equal to 2. Taking a second preset threshold of 2 as an example, if SET-type messages arrive from more than 2 source addresses, the target device is receiving SET-type messages from devices other than the target management device that is supposed to control it; those other devices may be an attacker, so the target security level of the target device is determined to be the fourth preset level.
Optionally, in this embodiment of the present invention, if the monitoring information includes a security level preset in the MIB, the step of determining the target security level from the monitoring information includes:
if the security level preset in the MIB equals a preset security level threshold, taking that preset security level threshold as the target security level of the target device.
In this step, the preset security level threshold is the highest security level; if the security level preset in the MIB has been set to this threshold, the target security level is determined to be the preset security level threshold.
Optionally, in an embodiment of the present invention, after step 102, the method further includes:
and if the target security level is different from the current security level of the target equipment, setting the security level of the target equipment as the target security level, and adjusting the security policy of the target equipment to be the security policy corresponding to the target security level.
In this step, when it is determined that a target security level is inconsistent with a currently actually executed security level, setting the security level of the target device to the target security level, and adjusting the security policy of the target device to a security policy corresponding to the target security level; optionally, each security level corresponds to a security policy, as a first example, as shown in table 1 below:
table 1:
(Table 1 is reproduced as an image in the original publication and could not be extracted; its rows, one per security policy, are described in the following paragraphs.)
In table 1, the direct connection policy is mostly used for internal debugging at the manufacturer; it requires a physical connection and is a relatively safe communication scenario. For simple and efficient use, negotiation preferably selects the SNMPv2 protocol (SNMPv2c in practice) with the default community name and the protocol's default port.
The dedicated local area network policy is mostly used on a dedicated network with good physical isolation, which is a safer communication scenario. SNMPv2 communication is preferred; the community name and port can be changed and the configuration can then stay unchanged for a long time. SNMPv3 without authentication and encryption, or with authentication and encryption, may also be used for convenience.
The local area network policy addresses a more complex network topology: active attack is still unlikely, but other systems on the same network or a firewall may interfere, so there is a security risk, although not a high one. Negotiation preferably selects SNMPv3 at the authentication-without-encryption level.
The live network policy addresses the live (production) network scenario, in which a risk of attack exists. The two communicating parties (the target device and the target management device) are configured to use SNMPv3 with authentication and encryption, and to use newly generated keys rather than the preset ones. Where only SNMPv2 support can be guaranteed, authentication information is carried in the keepalive messages and traffic monitoring is performed at the same time.
When an attack is detected in the network, high-security processing is applied together with an attack response strategy: SNMPv3 communication at the authentication-with-encryption level with periodic key updates, traffic monitoring, blocking of messages from the specified source, and filtering of risky messages.
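The following is an added example, not code from the patent or from Datang, that implements the determination rules given above (interface type, device count in the local area network, number of SET source addresses, security level preset in the MIB), the comparison with the current level, and the mapping of each level onto the policy described for table 1. The level numbers follow the description; mapping the five policies of table 1 onto levels 1 to 5, combining the per-field rules by taking the strictest result, the default thresholds (5 devices, 2 SET sources) and every name in the code are this example's own assumptions.

```python
"""Security-level determination for a base station (target device) from the
monitoring information of steps 101 and 102, followed by the level-to-policy
adjustment described for table 1. Added example; not the patent's code."""
from dataclasses import dataclass, field
from typing import Optional

# The description numbers the levels 1..N, each stricter than the previous one.
# Mapping the five rows of table 1 onto levels 1..5 is an assumption of this example.
LEVEL_DIRECT, LEVEL_DEDICATED_LAN, LEVEL_LAN, LEVEL_LIVE_NETWORK, LEVEL_UNDER_ATTACK = 1, 2, 3, 4, 5
PRESET_LEVEL_THRESHOLD = LEVEL_UNDER_ATTACK   # "highest security level threshold" settable in the MIB

# Policy parameters per level, transcribed from the prose around table 1.
# The field names are this example's own.
POLICIES = {
    LEVEL_DIRECT:        {"snmp": "v2c", "community": "default", "port": 161},
    LEVEL_DEDICATED_LAN: {"snmp": "v2c", "community": "custom", "port": "custom"},
    LEVEL_LAN:           {"snmp": "v3", "usm": "authNoPriv"},
    LEVEL_LIVE_NETWORK:  {"snmp": "v3", "usm": "authPriv", "keys": "fresh", "traffic_monitor": True},
    LEVEL_UNDER_ATTACK:  {"snmp": "v3", "usm": "authPriv", "keys": "rotate", "traffic_monitor": True,
                          "filter_sources": True},
}


@dataclass
class MonitoringInfo:
    interface_type: Optional[str] = None            # "electrical" or "optical"
    lan_device_count: Optional[int] = None          # peers discovered in the LAN; used for optical ports
    set_source_addresses: set = field(default_factory=set)  # distinct sources of SNMP SET requests
    mib_preset_level: Optional[int] = None          # level an operator wrote into the MIB


def determine_target_level(info: MonitoringInfo, device_threshold: int = 5,
                           source_threshold: int = 2) -> int:
    """Apply the per-field rules of the description. The description gives one
    rule per field but does not say how conflicting results combine; taking
    the strictest (highest) level is this example's assumption."""
    if info.mib_preset_level == PRESET_LEVEL_THRESHOLD:
        return PRESET_LEVEL_THRESHOLD            # operator-forced maximum wins outright
    candidates = []
    if info.interface_type == "electrical":
        candidates.append(LEVEL_DIRECT)          # fixed IP, single device, direct link
    elif info.interface_type == "optical":
        if info.lan_device_count is None:
            raise ValueError("device count is required for an optical port")
        candidates.append(LEVEL_DEDICATED_LAN if info.lan_device_count < device_threshold
                          else LEVEL_LAN)
    if len(info.set_source_addresses) > source_threshold:
        candidates.append(LEVEL_LIVE_NETWORK)    # SETs from more sources than the expected OMC(s)
    if not candidates:
        raise ValueError("no monitoring information to decide on")
    return max(candidates)


def adjust_security_level(current_level: int, target_level: int):
    """The step after 102: switch policy only when the level actually changes.
    Returns (changed, level_now, policy_now)."""
    if target_level == current_level:
        return False, current_level, POLICIES[current_level]
    return True, target_level, POLICIES[target_level]


if __name__ == "__main__":
    # Constructed input: optical port, three devices found in the LAN, SETs seen from
    # three distinct addresses although only one OMC is expected.
    info = MonitoringInfo(interface_type="optical", lan_device_count=3,
                          set_source_addresses={"10.0.0.10", "10.0.0.11", "10.0.0.77"})
    level = determine_target_level(info)
    print(level, adjust_security_level(current_level=2, target_level=level))
```

With the constructed input the optical port and small device count alone would give level 2, but the three SET sources exceed the threshold of 2 and raise the result to level 4, so the policy switches to SNMPv3 authPriv with fresh keys; on the next pass with unchanged conditions `adjust_security_level` reports no change and the current configuration is kept, as the description requires.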
As a second example, referring to fig. 2, fig. 2 shows a system to which the security level determination method of the embodiment is applied; it mainly comprises the following modules:
a target device and a target management device;
a security monitoring engine, including an alarm;
a security policy adapter;
a policy distributor.
The security monitoring engine monitors the actual communication between the target device and its corresponding target management device to obtain the monitoring information;
the security policy adapter determines the target security level from the monitoring information and selects the applicable security policy;
the policy distributor distributes the configuration information of the security policy to both communicating parties, which adjust their communication mode and then work with the new configuration.
For example, when the security monitoring engine detects suspicious behaviour it notifies the security policy adapter to raise the security level and, at the same time, reports the risk through the alarm so that network management personnel attend to it. If the security monitoring engine judges the environment to be safe, the security policy adapter can lower the security level and instruct both parties to simplify their processing flow, reducing system resource consumption.
Network management personnel can also preset an intuitive security level directly through the MIB; the security policy adapter then provides communication parameters that fit the device and the network management system, so that technical details are hidden and the technical demands on personnel are reduced.
Further, referring to fig. 3, the working process of the security monitoring engine is as shown in fig. 3 and mainly comprises the following steps:
Step 301: monitor the actual communication.
The actual communication between the target device and its corresponding target management device is monitored.
Step 302: analyse the information.
The collected information is analysed to determine the target security level.
Step 303: compare with the current security level.
If the current security level already matches, no adjustment is made; if the security level has to be raised or lowered, step 304 is executed to notify the security policy adapter to adjust the security policy.
Step 305: judge whether the alarm condition is met.
If an abnormality is detected and the alarm condition is met, step 306, reporting the alarm, is executed.
In step 301 the monitoring dimensions are designed along a five-layer protocol architecture:
at the physical layer, the hardware interface on the device side is monitored, since different physical interfaces correspond to different actual network environments; at the data link layer, the MAC addresses of both communicating parties are monitored; at the network layer, their IP addresses; at the transport layer, their ports; and at the application layer, the protocol versions supported by both parties are detected, traffic is monitored and key messages are monitored according to the service. The monitoring analysis module determines the security level by analysing the collected monitoring information together with the context of the operating environment, the service logic and engineering practice. For a more accurate judgement of the environment, a communication detection module performs route probing to assess the network environment, or sends a probe message to a suspicious source and judges from the subsequent communication whether the source is counterfeit.
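The application-layer dimension above (detecting the protocol version and watching key messages) and the earlier rule on SET-type source addresses both need the monitoring engine to recognise SNMP SET requests in captured traffic. The following is an added example, not code from the patent or from Datang: a minimal BER decoder for the outer header of SNMPv1/v2c messages (version, community string, PDU type) and a counter of the distinct source addresses that issued SET requests, which is the quantity the fourth-level rule compares against its threshold. The sample packets are constructed in the block with a small BER encoder; the addresses, community strings and function names are this example's assumptions.

```python
"""Application-layer monitoring for the security monitoring engine: decode the
outer header of captured SNMPv1/v2c messages and count the distinct source
addresses that issued SET requests. Added example; not the patent's code."""
from collections import Counter

# PDU tags (context-specific, constructed) from the SNMPv2 message format.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA7: "SNMPv2-Trap"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}


def read_tlv(buf: bytes, pos: int):
    """Read one BER TLV with a definite length. Returns (tag, content, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp(packet: bytes) -> dict:
    """Return version, community and PDU type of a v1/v2c message. A v3 message
    carries a USM header instead of a community string; only its version is reported."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, vbytes, pos = read_tlv(body, 0)
    version = int.from_bytes(vbytes, "big", signed=True)
    name = VERSIONS.get(version, f"unknown({version})")
    if version == 3:
        return {"version": name, "community": None, "pdu": None}
    _, community, pos = read_tlv(body, pos)
    ptag, _, _ = read_tlv(body, pos)
    return {"version": name, "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES.get(ptag, f"unknown({ptag:#x})")}


def set_request_sources(capture) -> Counter:
    """capture: iterable of (src_ip, dst_ip, udp_payload). Counts SET requests per
    source address; unparseable payloads are skipped, since a monitor must not crash."""
    sources = Counter()
    for src, _dst, payload in capture:
        try:
            msg = parse_snmp(payload)
        except (ValueError, IndexError):
            continue
        if msg["pdu"] == "SetRequest":
            sources[src] += 1
    return sources


# --- constructed sample traffic, built with a tiny BER encoder ---
def ber_tlv(tag: int, content: bytes) -> bytes:
    assert len(content) < 128                 # short-form length suffices for these samples
    return bytes([tag, len(content)]) + content


def ber_int(v: int) -> bytes:
    assert 0 <= v < 128                       # small non-negative integers only
    return ber_tlv(0x02, bytes([v]))


SYSNAME_0 = ber_tlv(0x06, bytes.fromhex("2b06010201010500"))   # OID 1.3.6.1.2.1.1.5.0
NULL = ber_tlv(0x05, b"")


def build_v2c(pdu_tag: int, community: bytes, request_id: int, value: bytes) -> bytes:
    varbind = ber_tlv(0x30, SYSNAME_0 + value)
    pdu = ber_tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + ber_tlv(0x30, varbind))
    return ber_tlv(0x30, ber_int(1) + ber_tlv(0x04, community) + pdu)   # version 1 == v2c


CAPTURE = [  # (src, dst, payload); 10.0.0.10 is the expected OMC, 10.0.0.1 the base station
    ("10.0.0.10", "10.0.0.1", build_v2c(0xA0, b"public", 1, NULL)),
    ("10.0.0.1", "10.0.0.10", build_v2c(0xA2, b"public", 1, ber_tlv(0x04, b"bs1"))),
    ("10.0.0.10", "10.0.0.1", build_v2c(0xA3, b"private", 2, ber_tlv(0x04, b"bs1-new"))),
    ("10.0.0.77", "10.0.0.1", build_v2c(0xA3, b"private", 9, ber_tlv(0x04, b"bs1-x"))),  # unexpected SET source
    ("10.0.0.99", "10.0.0.1", b"\x00\x01garbage"),                                     # not SNMP at all
]

if __name__ == "__main__":
    print(set_request_sources(CAPTURE))
```

Running the block on the constructed capture reports SET requests from two distinct addresses, one of which is not the OMC; the monitor would pass that count to the level determination, and for a second preset threshold of 2 as in the description it would take a third distinct source before the fourth level is triggered. The decoder stops at the PDU tag on purpose: the SET source rule needs only the message type, and the varbind contents are left to the service-specific key-message monitoring.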
In the embodiment of the invention, monitoring information of the target device is obtained; a target security level for the target device is determined from it; and if the target security level differs from the current security level of the target device, the security level of the target device is set to the target security level. The monitoring information is extracted from the communication between the target device and its corresponding target management device; by monitoring the actual message exchange between the two, the matching target security level is selected and the target device is made to apply it, so that the security level of the communication is adjusted automatically to the actual conditions, the limitations of the SNMP protocol version are avoided, communication security is ensured and security monitoring becomes more convenient.
Having described the security level determination method according to the embodiment of the present invention, a security level determination apparatus according to the embodiment of the present invention will be described with reference to the accompanying drawings.
Referring to fig. 4, an embodiment of the present invention further provides a security level determining apparatus, where the apparatus includes:
an information monitoring module 401, configured to obtain monitoring information of a target device, where the monitoring information is taken from the communication between the target device and its corresponding target management device and comprises the communication interface type of the target device, the source addresses of Simple Network Management Protocol (SNMP) SET type messages and/or a security level preset in the main system information block (MIB);
a level determining module 402, configured to determine, according to the monitoring information, the target security level corresponding to the target device.
Optionally, in this embodiment of the present invention, the level determining module 402 includes:
a first determining submodule, configured to determine that the target security level of the target device is a first preset level if the monitoring information includes the communication interface type of the target device and that type is an electrical port;
a second determining submodule, configured, if the monitoring information includes the communication interface type of the target device and that type is an optical fibre port, to obtain the number of devices in the local area network where the target device is located and to determine the target security level of the target device from that number.
Optionally, in this embodiment of the present invention, the second determining sub-module is configured to:
if the number of devices is smaller than a first preset threshold, determine that the target security level of the target device is a second preset level;
if the number of devices is greater than or equal to the first preset threshold, determine that the target security level of the target device is a third preset level.
Optionally, in this embodiment of the present invention, the level determining module 402 includes:
a third determining submodule, configured to determine that the target security level of the target device is a fourth preset level if the monitoring information includes the source addresses of SET type messages and the number of distinct source addresses of SET type messages is greater than a second preset threshold.
Optionally, in this embodiment of the present invention, the level determining module 402 includes:
a fourth determining submodule, configured to determine that the target security level of the target device is the preset security level threshold if the monitoring information includes a security level preset in the MIB and that preset level equals the preset security level threshold.
Optionally, in an embodiment of the present invention, the apparatus includes:
an adjusting module, configured, if the target security level differs from the current security level of the target device, to set the security level of the target device to the target security level and to change the security policy of the target device to the security policy corresponding to that level.
The security level determining apparatus provided in the embodiment of the present invention can implement each process implemented by the base station side in the method embodiments of fig. 1 to fig. 3, and is not described herein again to avoid repetition.
In the embodiment of the present invention, the information monitoring module 401 obtains monitoring information of a target device and the level determining module 402 determines, from that monitoring information, the target security level corresponding to the target device. The monitoring information is taken from the communication between the target device and its corresponding target management device. By monitoring the actual state of the messages exchanged between the target device and the target management device, the corresponding target security level is matched to the communication conditions and the target device is made to enforce it, so that the communication security level is adjusted automatically, the limitation imposed by the SNMP protocol version is avoided, communication security is ensured and security monitoring becomes more convenient. The embodiment thus addresses the prior-art problem that, because of the SNMP version in use, SNMP-based network equipment finds it hard to reconcile security with operational convenience.
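The four determining submodules and the adjusting module, written out as an added example rather than the patent's own implementation. The patent names only "first" to "fourth preset level", two thresholds and a preset security level threshold, so the integer levels, the threshold values, the rule that the strictest proposal wins when several rules fire, and the policy contents are all assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# The patent only names "first" to "fourth preset level"; the integers and the
# ordering (higher = stricter) are assumptions of this example.
FIRST, SECOND, THIRD, FOURTH = 1, 2, 3, 4


@dataclass
class Thresholds:
    lan_device_count: int = 8      # "first preset threshold" (assumed value)
    set_source_count: int = 2      # "second preset threshold" (assumed value)
    mib_level_threshold: int = 4   # "preset security level threshold" (assumed value)


@dataclass
class MonitoringInfo:
    """What the information monitoring module collected; any field may be absent."""
    interface_type: Optional[str] = None          # "electrical" or "fiber"
    lan_device_count: Optional[int] = None        # only consulted for a fiber port
    set_source_addresses: set = field(default_factory=set)
    mib_preset_level: Optional[int] = None


def determine_level(info, th=None):
    """Level determining module. Each rule that fires proposes a level; when the
    monitoring information triggers several rules, the strictest proposal wins
    (the combination rule is this example's assumption). Returns None if no rule fires."""
    th = th or Thresholds()
    proposals = []
    if info.interface_type == "electrical":
        proposals.append(FIRST)                        # first determining submodule
    elif info.interface_type == "fiber":               # second determining submodule
        if info.lan_device_count is None:
            raise ValueError("a fiber port needs the LAN device count")
        proposals.append(SECOND if info.lan_device_count < th.lan_device_count else THIRD)
    if len(info.set_source_addresses) > th.set_source_count:
        proposals.append(FOURTH)                       # third determining submodule
    if info.mib_preset_level == th.mib_level_threshold:
        proposals.append(th.mib_level_threshold)       # fourth determining submodule
    return max(proposals) if proposals else None


# Constructed mapping from level to an SNMP access policy; the patent does not
# define policy contents, so these are illustrative only.
POLICIES = {
    FIRST:  {"versions": {"v1", "v2c", "v3"}, "allow_set": True},
    SECOND: {"versions": {"v2c", "v3"}, "allow_set": True},
    THIRD:  {"versions": {"v3"}, "allow_set": True},
    FOURTH: {"versions": {"v3"}, "allow_set": False},
}


@dataclass
class Device:
    name: str
    level: int
    policy: dict


def apply_level(dev, target):
    """Adjusting module: change level and policy only when the target differs
    from the current level. Returns True when a change was made."""
    if target is None or target == dev.level:
        return False
    dev.level = target
    dev.policy = POLICIES[target]
    return True
```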
In another aspect, an embodiment of the present invention further provides an electronic device, which includes a memory, a processor, a bus, and a computer program stored in the memory and executable on the processor, where the processor implements the steps in the security level determination method when executing the program.
For example, fig. 5 shows a schematic physical structure diagram of an electronic device.
As shown in fig. 5, the electronic device may include a processor 510, a communications interface 520, a memory 530 and a communication bus 540, where the processor 510, the communications interface 520 and the memory 530 communicate with one another over the communication bus 540. The processor 510 may call logic instructions in the memory 530 to perform the following method:
acquiring monitoring information of a target device, where the monitoring information is taken from the communication between the target device and its corresponding target management device and comprises the communication interface type of the target device, the source addresses of Simple Network Management Protocol (SNMP) SET type messages and/or a security level preset in the main system information block (MIB);
and determining, according to the monitoring information, the target security level corresponding to the target device.
Furthermore, the logic instructions in the memory 530 may be implemented as software functional units and, when sold or used as an independent product, stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention may be embodied as a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. Such storage media include a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk and other media capable of storing program code.
In still another aspect, an embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, performs the security level determination method provided in the foregoing embodiments, for example:
acquiring monitoring information of a target device, where the monitoring information is taken from the communication between the target device and its corresponding target management device and comprises the communication interface type of the target device, the source addresses of Simple Network Management Protocol (SNMP) SET type messages and/or a security level preset in the main system information block (MIB);
and determining, according to the monitoring information, the target security level corresponding to the target device.
The apparatus embodiments described above are merely illustrative: the units described as separate parts may or may not be physically separate, and parts shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement this without inventive effort.
From the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general-purpose hardware platform, and can of course also be implemented in hardware. On this understanding, the technical solutions described above may be embodied as a software product stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk, including instructions that cause a computer device (which may be a personal computer, a server or a network device) to execute the methods described in the embodiments or in parts of them.
Finally, it should be noted that the above examples are intended only to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features equivalently replaced, and that such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (14)

1. A security level determination method, the method comprising:
acquiring monitoring information of a target device, where the monitoring information is taken from the communication between the target device and its corresponding target management device and comprises the communication interface type of the target device, the source addresses of Simple Network Management Protocol (SNMP) SET type messages and/or a security level preset in the main system information block (MIB);
and determining, according to the monitoring information, the target security level corresponding to the target device.
2. The method according to claim 1, wherein if the monitoring information includes a communication interface type of the target device, the step of determining the target security level corresponding to the target device according to the monitoring information includes:
if the communication interface type of the target device is an electrical port, determining that the target security level corresponding to the target device is a first preset level;
if the communication interface type of the target device is an optical fibre port, acquiring the number of devices in the local area network where the target device is located, and determining the target security level corresponding to the target device according to that number.
3. The method according to claim 2, wherein the step of determining the target security level corresponding to the target device according to the number of devices comprises:
if the number of devices is smaller than a first preset threshold, determining that the target security level corresponding to the target device is a second preset level;
and if the number of devices is greater than or equal to the first preset threshold, determining that the target security level corresponding to the target device is a third preset level.
4. The method according to claim 1, wherein if the monitoring information includes the source addresses of SET type messages, the step of determining the target security level corresponding to the target device according to the monitoring information includes:
if the number of distinct source addresses of SET type messages is greater than a second preset threshold, determining that the target security level corresponding to the target device is a fourth preset level.
5. The method according to claim 1, wherein if the monitoring information includes a security level preset in the MIB, the step of determining a target security level corresponding to the target device according to the monitoring information includes:
if the security level preset in the MIB equals a preset security level threshold, determining that the target security level corresponding to the target device is that preset security level threshold.
6. The method according to claim 1, wherein after the step of determining the target security level corresponding to the target device, the method comprises:
and if the target security level is different from the current security level of the target equipment, setting the security level of the target equipment as the target security level, and adjusting the security policy of the target equipment to be the security policy corresponding to the target security level.
7. A security level determination apparatus, characterized in that the apparatus comprises:
an information monitoring module, configured to acquire monitoring information of a target device, where the monitoring information is taken from the communication between the target device and its corresponding target management device and comprises the communication interface type of the target device, the source addresses of Simple Network Management Protocol (SNMP) SET type messages and/or a security level preset in the main system information block (MIB);
and a level determining module, configured to determine, according to the monitoring information, the target security level corresponding to the target device.
8. The security level determination apparatus according to claim 7, wherein the level determination module comprises:
a first determining submodule, configured to determine that the target security level corresponding to the target device is a first preset level if the monitoring information includes the communication interface type of the target device and that type is an electrical port;
and a second determining submodule, configured, if the monitoring information includes the communication interface type of the target device and that type is an optical fibre port, to acquire the number of devices in the local area network where the target device is located and to determine the target security level corresponding to the target device according to that number.
9. The security level determination apparatus of claim 8, wherein the second determination submodule is configured to:
if the number of devices is smaller than a first preset threshold, determine that the target security level corresponding to the target device is a second preset level;
and if the number of devices is greater than or equal to the first preset threshold, determine that the target security level corresponding to the target device is a third preset level.
10. The security level determination apparatus according to claim 7, wherein the level determination module comprises:
a third determining submodule, configured to determine that the target security level corresponding to the target device is a fourth preset level if the monitoring information includes the source addresses of SET type messages and the number of distinct source addresses of SET type messages is greater than a second preset threshold.
11. The security level determination apparatus according to claim 7, wherein the level determination module comprises:
a fourth determining submodule, configured to determine that the target security level corresponding to the target device is the preset security level threshold if the monitoring information includes a security level preset in the MIB and that preset level equals the preset security level threshold.
12. The security level determination apparatus according to claim 7, characterized in that the apparatus comprises:
an adjusting module, configured, if the target security level differs from the current security level of the target device, to set the security level of the target device to the target security level and to change the security policy of the target device to the security policy corresponding to that level.
13. An electronic device comprising a processor, a memory and a computer program stored on the memory and executable on the processor, characterized in that the computer program, when executed by the processor, implements the steps of the security level determination method according to any of claims 1 to 6.
14. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the security level determination method according to any one of claims 1 to 6.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911194076.1A CN112866186B (en) 2019-11-28 2019-11-28 Security level determination method and device
Publications (2)

Publication Number Publication Date
CN112866186A true CN112866186A (en) 2021-05-28
CN112866186B CN112866186B (en) 2022-01-25
Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101043361A (en) * 2006-06-16 2007-09-26 华为技术有限公司 Method and system for SNMP protocol based network management
US20090113035A1 (en) * 2007-10-30 2009-04-30 Canon Kabushiki Kaisha Network management apparatus and method
CN103236941A (en) * 2013-04-03 2013-08-07 华为技术有限公司 Link discovery method and device
CN103973679A (en) * 2014-04-29 2014-08-06 重庆邮电大学 Sensor network safety assessing system based on safety level
CN110505014A (en) * 2019-08-27 2019-11-26 Oppo广东移动通信有限公司 Data transfer control method and Related product

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116401714A (en) * 2023-05-26 2023-07-07 北京天融信网络安全技术有限公司 Security information acquisition method, device, equipment and medium
CN116401714B (en) * 2023-05-26 2023-09-26 北京天融信网络安全技术有限公司 Security information acquisition method, device, equipment and medium
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant