CN113452718B - Active defense method and system for exclusive storage space - Google Patents


Info

Publication number
CN113452718B
Authority
CN
China
Prior art keywords
authorization server
list
blacklist
grey
storage space
Legal status
Active
Application number
CN202110767187.8A
Other languages
Chinese (zh)
Other versions
CN113452718A (en)
Inventor
何小林
Current Assignee
He Xiaolin
Original Assignee
Individual
Events
Application filed by Individual
Priority to CN202110767187.8A
Publication of CN113452718A
Application granted
Publication of CN113452718B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]

Abstract

The invention relates to a method and system for actively defending an exclusive storage space. The method comprises: collecting, in an authorization server, environmental elements and information about monitored objects, and determining whether each monitored object belongs to a white list, a black list or a grey list; and, when a monitored object of the authorization server is started, performing a security check of the authorization server based on the monitored object, the black list, white list and grey list stored respectively in the authorization server, the management terminal device and the storage device, and a preset protection policy, and determining whether the authorization server is allowed to access the storage space. The invention establishes a checking mechanism in which the black, white and grey lists and the security policy are stored as multiple copies in multiple locations, which effectively protects the lists; at the same time it establishes a security verification mechanism among the authorization server, the specific authorized application software on that server and the storage device; and it can also grant or withhold access to the protected storage area for different application software deployed on the same server, thereby realizing classified and hierarchical protection of the business system.

Description

Active defense method and system for exclusive storage space
Technical Field
The invention relates to the technical field of information security, in particular to an active defense method and system for an exclusive storage space.
Background
Information security includes both the security of information services and the security of data. Traditionally, a storage space is open to any server, and the data security of a storage system depends on network security and data encryption for protection; these technical means are not sufficient to protect stored data and cannot effectively defend against unknown viruses, Trojan horses or attacker techniques. As the security of stored data becomes more important, a new storage security technology is urgently needed that can support different security policies for specific storage devices and specific areas of a storage device.
Disclosure of Invention
The technical problem the invention aims to solve is to provide an active defense method and system for an exclusive storage space that addresses the defects of the prior art.
The technical scheme adopted to solve this problem is as follows:
An active defense method for an exclusive storage space, the method comprising:
before an authorization server is connected to the Internet, acquiring information about environmental elements and monitored objects in the authorization server, where the monitored objects comprise processes and programs;
determining, according to the environmental elements, the information about the monitored object and a preset protection policy, whether the monitored object belongs to a white list, a black list or a grey list, and storing the black list, the white list, the grey list and the preset protection policy in each of the authorization server, the management terminal device and the storage device;
after the authorization server is connected to the Internet, when a monitored object of the authorization server is started, performing a security check of the authorization server based on the monitored object, the black list, white list and grey list stored respectively in the authorization server, the management terminal device and the storage device, and the preset protection policy, and determining whether the authorization server is allowed to access the storage space.
On the basis of the above technical scheme, the invention can be further improved as follows.
Further, determining, according to the environmental elements, the information about the monitored object and the preset protection policy, whether the monitored object belongs to a white list, a black list or a grey list specifically includes:
running each application software of the authorization server through a self-learning mechanism, according to the collected application software information, operating system information, authorized IP address and MAC address among the environmental elements of the authorization server;
recording the processes and programs started by the application software;
adding each process or program to the black list or the grey list according to the preset security protection policy; and
adding the processes or programs in the grey list to the white list after they have passed review.
Further, storing the black list, the white list, the grey list and the preset protection policy in each of the authorization server, the management terminal device and the storage device includes:
making multiple copies of the white list, the grey list, the black list and the preset protection policy, and storing the copies in the authorization server, the management terminal device and the storage device after confirming that the creation time, file size and file content of every copy are consistent.
Further, when a monitored object of the authorization server is started, determining whether to allow the authorization server to access the storage space based on the security check of the monitored object against the black list, white list and grey list stored respectively in the authorization server, the management terminal device and the storage device, and the preset protection policy, specifically includes:
checking, for the monitored object, whether the size, update time and content of each copy of the black list, white list and grey list stored in the authorization server, the management terminal device and the storage device are completely consistent;
if the copies are inconsistent, resetting the inconsistent copies according to a voting principle; and
judging, according to the preset protection policy, whether the monitored object passes verification, and determining according to the result whether the authorization server is allowed to access the storage space.
Further, checking, for the monitored object, whether the size, update time and content of each copy of the black list, white list and grey list stored in the authorization server, the management terminal device and the storage device are completely consistent, and if not resetting the inconsistent copies according to a voting principle, specifically includes:
a first judgment of whether the first black list copy stored in the authorization server, the second black list copy stored in the management terminal device and the third black list copy stored in the storage device are consistent in file size, latest update time and file content;
a second judgment of whether the first white list copy stored in the authorization server, the second white list copy stored in the management terminal device and the third white list copy stored in the storage device are consistent in file size, latest update time and file content;
a third judgment of whether the first grey list copy stored in the authorization server, the second grey list copy stored in the management terminal device and the third grey list copy stored in the storage device are consistent in file size, latest update time and file content; and
if the result of the first, second and/or third judgment is that the copies are inconsistent, updating the first and third black list copies from the second black list copy, updating the first and third white list copies from the second white list copy, and updating the first and third grey list copies from the second grey list copy.
Further, judging, according to the preset protection policy, whether the monitored object passes verification, and determining according to the result whether the authorization server is allowed to access the storage space, specifically includes:
judging whether the monitored object belongs to the second black list, the second white list or the second grey list, and determining whether the monitored object passes verification according to that judgment and the preset protection policy;
if the monitored object passes verification, allowing the authorization server to access the storage space;
otherwise, not allowing the authorization server to access the storage space.
The beneficial effects of the method are as follows. Before the authorization server is connected to the Internet, information about environmental elements and monitored objects in the authorization server is collected, where the monitored objects comprise processes and programs; whether a monitored object belongs to a white list, a black list or a grey list is determined according to the environmental elements, the information about the monitored object and a preset protection policy, and the black list, white list, grey list and preset protection policy are stored in each of the authorization server, the management terminal device and the storage device; after the authorization server is connected to the Internet, when a monitored object of the authorization server is started, a security check of the authorization server is performed based on the monitored object, the lists stored respectively in the three locations and the preset protection policy, and it is determined whether the authorization server is allowed to access the storage space. The identity of the authorization server is derived from its software and hardware environmental elements; because this identity is multi-factor, it is hard to counterfeit or tamper with, so security is more reliable. The black, white and grey lists and the security policy are protected by a checking mechanism over multiple copies stored in multiple locations; at the same time, a security verification mechanism among the authorization server, the specific authorized application software on that server and the storage device is established; and besides preventing illegal external access, the data is also protected from being illegally stolen by internal personnel with super-user privileges or via the storage device.
In addition, the method can grant or withhold access to the protected storage area for different application software deployed on the same server, realizing classified and hierarchical protection of the business system.
The invention also provides another technical scheme for solving the above technical problem, as follows:
An active defense system for an exclusive storage space, the system comprising a client, a management terminal device and a server, wherein:
the client is used, before the authorization server is connected to the Internet, to acquire information about environmental elements and monitored objects in the authorization server and to send this information to the management terminal device, where the monitored objects comprise processes and programs;
the management terminal device is configured to determine, according to the environmental elements, the information about the monitored object and a preset protection policy, whether the monitored object belongs to a white list, a black list or a grey list, and to store the black list, the white list, the grey list and the preset protection policy in each of the authorization server, the management terminal device and the storage device;
the client is further used, after the authorization server is connected to the Internet, to acquire a monitored object of the authorization server when it is started and to send information about the monitored object to the management terminal device; and
the management terminal device is further configured to perform a security check of the authorization server based on the monitored object, the black list, white list and grey list and the preset protection policy stored respectively in the authorization server, the management terminal device and the storage device, and to determine whether to allow the authorization server to access the storage space.
Further, the client is specifically configured to collect application software information, operating system information, the IP address and the MAC address among the environmental elements of the authorization server;
the management terminal device is specifically used to run each application software of the authorization server through a self-learning mechanism according to the application software information, operating system information, authorized IP address and MAC address among the environmental elements;
to record the processes and programs started by the application software;
to add each process or program to the black list or the grey list according to the preset security protection policy; and
to add the processes or programs in the grey list to the white list after they have passed review.
Further, the management terminal device is specifically configured to make multiple copies of the white list, the grey list, the black list and the preset protection policy, and to store the copies in the authorization server, the management terminal device and the storage device after confirming that the creation time, file size and file content of every copy are consistent.
Further, the server is specifically configured to check, for the monitored object, whether the sizes, update times and contents of the respective copies of the black list, white list and grey list stored in the authorization server, the management terminal device and the storage device are completely consistent;
if the copies are inconsistent, to reset the inconsistent copies according to a voting principle; and
to judge, according to the preset protection policy, whether the monitored object passes verification, and to determine according to the result whether the authorization server is allowed to access the storage space.
Advantages of additional aspects of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments of the present invention or in the description of the prior art will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flow chart of an active defense method for an exclusive storage space according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the architecture of an active defense system for an exclusive storage space according to another embodiment of the present invention;
FIG. 3 is a diagram illustrating the verification step of an active defense method for an exclusive storage space according to another embodiment of the present invention;
FIG. 4 is a schematic diagram of the architecture of an active defense system for an exclusive storage space according to another embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, shall fall within the protection scope of the present invention.
As shown in FIG. 1, an active defense method for an exclusive storage space includes:
110. Before the authorization server is connected to the Internet, collecting information about environmental elements and monitored objects in the authorization server, where the monitored objects comprise processes and programs.
120. Determining, according to the environmental elements, the information about the monitored object and a preset protection policy, whether the monitored object belongs to a white list, a black list or a grey list, and storing the black list, the white list, the grey list and the preset protection policy in each of the authorization server, the management terminal device and the storage device.
130. After the authorization server is connected to the Internet, when a monitored object of the authorization server is started, performing a security check of the authorization server based on the monitored object, the black list, white list and grey list stored respectively in the authorization server, the management terminal device and the storage device, and the preset protection policy, and determining whether the authorization server is allowed to access the storage space.
Based on the foregoing embodiment, step 120 specifically includes:
running each application software of the authorization server through a self-learning mechanism, according to the collected application software information, operating system information, authorized IP address and MAC address among the environmental elements of the authorization server;
recording the processes and programs started by the application software;
adding each process or program to the black list or the grey list according to the preset security protection policy; and
adding the processes or programs in the grey list to the white list after they have passed review.
Further, step 120 also includes:
making multiple copies of the white list, the grey list, the black list and the preset protection policy, and storing the copies in the authorization server, the management terminal device and the storage device after confirming that the creation time, file size and file content of every copy are consistent.
Further, step 130 specifically includes:
131. Checking, for the monitored object, whether the size, update time and content of each copy of the black list, white list and grey list stored in the authorization server, the management terminal device and the storage device are completely consistent.
132. If the copies are inconsistent, resetting the inconsistent copies according to a voting principle.
133. Judging, according to the preset protection policy, whether the monitored object passes verification, and determining according to the result whether the authorization server is allowed to access the storage space.
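The learning phase of step 120 and the multi-copy deployment that follows it, as an added example that is not part of the patent. All process names, the preset policy, the reviewer approvals and the image digests are constructed sample data; the list layout (one entry per process name and image digest, tagged with the application that started it) is an assumption, since the patent does not specify a file format.

```python
"""Added example, not from the patent: the self-learning phase of step 120.

While the authorization server is still offline, the client records which
processes each authorized application starts. Every recorded process is
placed on the grey list unless the preset protection policy names it as
known-dangerous, in which case it goes on the black list; grey entries are
promoted to the white list only after review. Finally the lists are copied
for the three storage locations and the copies are accepted only if
creation time, size and content agree.
"""
import hashlib
import json

LOCATIONS = ("authorization_server", "management_device", "storage_device")

# Constructed preset security protection policy: processes known to be dangerous.
PRESET_POLICY = {"known_dangerous": {"mimikatz.exe", "cryptor.exe"}}

# Constructed process-start records: (application, process name, image digest)
# as the client on the authorization server would report them during learning.
LEARNING_EVENTS = [
    ("erp", "erp.exe", "a1"),
    ("erp", "java.exe", "b2"),
    ("erp", "mimikatz.exe", "c3"),
    ("db", "mysqld.exe", "d4"),
    ("db", "mysqld.exe", "d4"),  # repeated start of the same image; recorded once
]


def learn_lists(events, policy):
    """Build black and grey lists from learning-mode process starts.

    Each entry is keyed by (process name, image digest) so that a renamed or
    replaced binary does not inherit an existing entry; the set of
    applications that started it is kept for tracing the process source.
    """
    blacklist, greylist = {}, {}
    for app, proc, digest in events:
        target = blacklist if proc in policy["known_dangerous"] else greylist
        target.setdefault((proc, digest), set()).add(app)
    return blacklist, greylist


def audit_greylist(greylist, approved):
    """Move reviewed grey entries to the white list; unreviewed ones stay grey."""
    whitelist = {k: v for k, v in greylist.items() if k[0] in approved}
    remaining = {k: v for k, v in greylist.items() if k[0] not in approved}
    return whitelist, remaining


def serialize(entries):
    """Stable byte encoding so that identical lists produce identical files."""
    rows = sorted([proc, digest, sorted(apps)] for (proc, digest), apps in entries.items())
    return json.dumps(rows, sort_keys=True).encode()


def make_copies(name, payload, created):
    """Create one copy per location; accept them only if creation time, size
    and content digest agree across every copy, as step 120 requires."""
    copies = {
        loc: {"name": name, "created": created, "size": len(payload),
              "sha256": hashlib.sha256(payload).hexdigest(), "content": payload}
        for loc in LOCATIONS
    }
    signatures = {(c["created"], c["size"], c["sha256"]) for c in copies.values()}
    if len(signatures) != 1:
        raise RuntimeError(f"copies of {name} diverge; not deploying")
    return copies


def build_and_deploy(events, policy, approved, created):
    """Run learning, review and copy creation end to end.

    Returns {list name: {location: copy}} ready to be written to the three places.
    """
    black, grey = learn_lists(events, policy)
    white, grey = audit_greylist(grey, approved)
    lists = {"black": black, "white": white, "grey": grey}
    return {name: make_copies(name, serialize(entries), created)
            for name, entries in lists.items()}


if __name__ == "__main__":
    deployed = build_and_deploy(LEARNING_EVENTS, PRESET_POLICY,
                                approved={"erp.exe", "mysqld.exe"}, created=1700000000)
    for name, copies in deployed.items():
        print(name, copies["management_device"]["sha256"][:16], copies["management_device"]["size"])
```

Keying entries by image digest rather than by bare name is the design choice worth noting: the patent classifies processes and programs, and a name-only list lets a replaced binary inherit its predecessor's white-list entry.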
Further, step 131 specifically includes:
a first judgment of whether the first black list copy stored in the authorization server, the second black list copy stored in the management terminal device and the third black list copy stored in the storage device are consistent in file size, latest update time and file content;
a second judgment of whether the first white list copy stored in the authorization server, the second white list copy stored in the management terminal device and the third white list copy stored in the storage device are consistent in file size, latest update time and file content; and
a third judgment of whether the first grey list copy stored in the authorization server, the second grey list copy stored in the management terminal device and the third grey list copy stored in the storage device are consistent in file size, latest update time and file content.
If the result of the first, second and/or third judgment is that the copies are inconsistent, the first and third black list copies are updated from the second black list copy, the first and third white list copies are updated from the second white list copy, and the first and third grey list copies are updated from the second grey list copy.
It should be understood that the security policy files of the black, white and grey lists stored in the different locations are checked automatically: whether the size, update time and content of each file are completely consistent is verified, and as soon as one file is found to be inconsistent a voting principle is applied immediately and the copies are reset from the content held by the majority. Only after this verification can the specific storage space of the storage system be accessed according to the security policy.
As shown in FIG. 3, the verification method is as follows:
if copies A1, A2 and A3 are completely consistent in file size, creation date and file content,
copies B1, B2 and B3 are completely consistent in file size, creation date and file content, and
copies C1, C2 and C3 are completely consistent in file size, creation date and file content,
then the system is normal and the storage accepts access according to the security policy.
If two of the copies A1, A2 and A3 are completely consistent and the third is inconsistent, the A1 file is used to recreate copies A1, A2 and A3; the same applies to B1, B2, B3 and to C1, C2, C3;
the system then starts and the storage accepts access according to the security policy.
Further, step 133 specifically includes:
judging whether the monitored object belongs to the second black list, the second white list or the second grey list, and determining whether the monitored object passes verification according to that judgment and the preset protection policy;
if the monitored object passes verification, allowing the authorization server to access the storage space;
otherwise, not allowing the authorization server to access the storage space.
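Steps 131 to 133 and the FIG. 3 verification, as an added example that is not part of the patent: the three copies of each list are compared on size, update time and content, a copy that disagrees with the other two is rewritten from the majority, and the monitored object is then looked up in the repaired management-terminal copy. The list copies, the process names and the per-area policy below are constructed; the decision to fail closed when no two copies agree, and the mapping of grey-list membership to "controlled" access, are assumptions the patent text does not spell out.

```python
"""Added example, not from the patent: three-copy voting (steps 131-132)
followed by the access decision of step 133.

Each of the black, white and grey lists is stored on the authorization
server, the management terminal device and the storage device. Before any
decision, the three copies of each list are fingerprinted by size, update
time and content digest. A copy that differs from the other two is reset
from the majority; if no majority exists the check fails closed
(assumption). The monitored object is then looked up in the repaired lists
and the preset policy decides whether the requesting application may reach
the requested storage area.
"""
import hashlib
import json
from collections import Counter

LOCATIONS = ("authorization_server", "management_device", "storage_device")


def _copy(items, updated):
    """Constructed on-disk representation of one list copy."""
    return {"content": json.dumps(sorted(items)).encode(), "updated": updated}


# Constructed copies: the white list on the authorization server has been
# altered (extra entry, newer timestamp) and must lose the vote 2:1.
SAMPLE_COPIES = {
    "black": {loc: _copy(["mimikatz.exe"], 100) for loc in LOCATIONS},
    "white": {
        "authorization_server": _copy(["erp.exe", "evil.exe"], 200),
        "management_device": _copy(["erp.exe"], 100),
        "storage_device": _copy(["erp.exe"], 100),
    },
    "grey": {loc: _copy(["java.exe"], 100) for loc in LOCATIONS},
}

# Constructed preset protection policy: which applications may use each
# protected area (the classified, hierarchical protection the patent describes).
SAMPLE_POLICY = {"areas": {"finance_lun": {"erp"}, "backup_lun": {"erp", "backup"}}}


def fingerprint(copy):
    """Size, latest update time and content digest of one stored copy."""
    return (len(copy["content"]), copy["updated"],
            hashlib.sha256(copy["content"]).hexdigest())


def vote_and_reset(copies):
    """Majority-vote the copies of one list.

    copies: {location: {"content": bytes, "updated": int}}
    Returns (repaired copies, locations that were reset).
    Raises ValueError when fewer than two copies agree.
    """
    tally = Counter(fingerprint(c) for c in copies.values())
    winner, votes = tally.most_common(1)[0]
    if votes < 2:
        raise ValueError("no majority among list copies")
    source = next(c for c in copies.values() if fingerprint(c) == winner)
    repaired, reset = {}, []
    for loc, c in copies.items():
        if fingerprint(c) == winner:
            repaired[loc] = c
        else:
            repaired[loc] = {"content": source["content"], "updated": source["updated"]}
            reset.append(loc)
    return repaired, reset


def load_list(copy):
    return set(json.loads(copy["content"].decode()))


def check_access(list_copies, process, app, area, policy):
    """Return 'allow', 'controlled' or 'deny' for one access attempt.

    list_copies: {"black" | "white" | "grey": {location: copy}}
    process:     the monitored object that was started
    app:         the application software the process belongs to
    area:        the protected storage area being requested
    """
    lists = {}
    for name, copies in list_copies.items():
        try:
            repaired, _ = vote_and_reset(copies)
        except ValueError:
            return "deny"  # copies cannot be reconciled: fail closed (assumption)
        lists[name] = load_list(repaired["management_device"])  # the second copy
    if process in lists["black"]:
        return "deny"
    if app not in policy["areas"].get(area, set()):
        return "deny"  # this area is not granted to this application
    if process in lists["white"]:
        return "allow"
    if process in lists["grey"]:
        return "controlled"
    return "deny"  # unknown object: not on any list


if __name__ == "__main__":
    for proc, app, area in [("erp.exe", "erp", "finance_lun"), ("evil.exe", "erp", "finance_lun"),
                            ("java.exe", "erp", "finance_lun"), ("erp.exe", "backup", "finance_lun")]:
        print(proc, app, area, "->", check_access(SAMPLE_COPIES, proc, app, area, SAMPLE_POLICY))
```

The tampered authorization-server copy is the case the multi-copy scheme is designed for: a process added to the local white list never reaches the decision, because the two untouched copies outvote it and the lookup is made against the repaired management-terminal copy.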
Based on the active defense method for the exclusive storage space provided by this embodiment, before the authorization server is connected to the Internet, information about environmental elements and monitored objects in the authorization server is collected, where the monitored objects comprise processes and programs; whether a monitored object belongs to a white list, a black list or a grey list is determined according to the environmental elements, the information about the monitored object and a preset protection policy, and the black list, white list, grey list and preset protection policy are stored in each of the authorization server, the management terminal device and the storage device; after the authorization server is connected to the Internet, when a monitored object of the authorization server is started, a security check of the authorization server is performed based on the monitored object, the lists stored respectively in the three locations and the preset protection policy, and it is determined whether the authorization server is allowed to access the storage space.
The identity of the authorization server is derived from its software and hardware environmental elements; because this identity is multi-factor, it is hard to counterfeit or tamper with, so security is more reliable. The black, white and grey lists and the security policy are protected by a checking mechanism over multiple copies stored in multiple locations; at the same time, a security verification mechanism among the authorization server, the specific authorized application software on that server and the storage device is established; besides preventing illegal external access by ransomware, Trojan horses, hacker processes and other malicious processes, data loss and illegal theft of data by internal personnel with super-user privileges or via the storage device are also prevented. In addition, the method can grant or withhold access to the protected storage area for different application software deployed on the same server, realizing classified and hierarchical protection of the business system.
As shown in FIG. 2, an active defense system for an exclusive storage space comprises a client, a management terminal device and a server, wherein:
the client is used, before the authorization server is connected to the Internet, to acquire information about environmental elements and monitored objects in the authorization server and to send this information to the management terminal device, where the monitored objects comprise processes and programs;
the management terminal device is configured to determine, according to the environmental elements, the information about the monitored object and a preset protection policy, whether the monitored object belongs to a white list, a black list or a grey list, and to store the black list, the white list, the grey list and the preset protection policy in each of the authorization server, the management terminal device and the storage device (the "system" in FIG. 2 refers to the management terminal device, management module or management system of this application);
the client is further used, after the authorization server is connected to the Internet, to acquire a monitored object of the authorization server when it is started and to send information about the monitored object to the management terminal device; and
the management terminal device is further configured to perform a security check of the authorization server based on the monitored object, the black list, white list and grey list and the preset protection policy stored respectively in the authorization server, the management terminal device and the storage device, and to determine whether to allow the authorization server to access the storage space.
Further, the client is specifically configured to collect application software information, operating system information, the IP address and the MAC address among the environmental elements of the authorization server;
the management terminal device is specifically used to run each application software of the authorization server through a self-learning mechanism according to the application software information, operating system information, authorized IP address and MAC address among the environmental elements;
to record the processes and programs started by the application software;
to add each process or program to the black list or the grey list according to the preset security protection policy; and
to add the processes or programs in the grey list to the white list after they have passed review.
Further, the management terminal device is specifically configured to make multiple copies of the white list, the grey list, the black list and the preset protection policy, and to store the copies in the authorization server, the management terminal device and the storage device after confirming that the creation time, file size and file content of every copy are consistent.
Further, the server is specifically configured to check, for the monitored object, whether the sizes, update times and contents of the respective copies of the black list, white list and grey list stored in the authorization server, the management terminal device and the storage device are completely consistent;
if the copies are inconsistent, to reset the inconsistent copies according to a voting principle; and
to judge, according to the preset protection policy, whether the monitored object passes verification, and to determine according to the result whether the authorization server is allowed to access the storage space.
It should be understood that, in order to solve the problem of effectively protecting the storage system and the specific space of the storage system, the identity card verification mechanism is established in the embodiment, wherein the access to the specific storage space is based on multiple environmental factors of the server deployed by the authorized access application software. As shown in fig. 4, whether access to a particular memory space is allowed is determined according to a number of factors of the environment of the server of the authorization application including, but not limited to, the name and process of the authorization application software, the name and version of the operating system of the authorization server, the IP address of the authorization server, the MAC address of the authorization server, the particular client and its issued authentication signal, etc.; according to the credibility, a black list mechanism, a white list mechanism and a grey list mechanism are adopted, a client is deployed for a server of the authorized application, the client is used for collecting and monitoring environmental elements of the server, tracing the process source of application software, and adopting differentiation strategies of 'access permission', 'controlled access' and 'access prohibition'; meanwhile, the blacklist, the white list, the grey list and the security protection strategy are respectively stored in more than three different positions of the storage device and the authorized server in a multi-copy mode.
When the system is deployed, the partition and region information of the storage device is configured, and the security protection level and protection strategy of each region are set;
the client is deployed on the authorization server and is responsible for collecting the environmental elements of the authorization server, including but not limited to the application software name and process, the name and version of the authorization server's operating system, the authorization server's IP address, the authorization server's MAC address, the dedicated client attached to the system and the authentication signal it sends, and for monitoring the process that initiates access, authorization server operating system commands, and the like;
in a secure environment without Internet access, the system's self-learning mechanism is started and the various functions of the authorized application are exercised; the dedicated client deployed on the authorization server records the start-up process of the authorized application system and the system processes it triggers, reports the authorized application software and its start-up processes to the system management end, and a grey list is generated; known dangerous processes or programs are placed in the blacklist; and after learning is finished, the grey list is audited and the approved entries are configured into the white list.
The management terminal device makes multiple copies of the white list, the grey list, the blacklist and the configured security policy and, after confirming that the creation time, file size and file content of every copy are consistent, stores the copies simultaneously in three or more different locations, such as the storage device and the authorization server.
When the configuration is completed, the system can be put into operation.
In addition, when the authorization server is started, it is first checked whether the client of the authorization server has started; if the client has not started, an alarm is raised and operation is stopped.
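The deployment flow above (offline self-learning into a grey list, known dangerous processes into the blacklist, audit of the grey list into the white list, then the start-up decision) as an added example; it is not the patent's own code. It models the three differentiated strategies as white list -> access permitted, grey list -> controlled access, blacklist -> access prohibited, and the start-up rule that a missing client raises an alarm and stops. Two further rules are assumptions of this example rather than statements of the page: a process that was never learned is refused, and a mismatch between the current environment elements and the ones learned during deployment is refused as well. The process names, environment values and policy fields are constructed.

```python
"""Self-learning list generation and the start-up access decision."""
from __future__ import annotations

from dataclasses import dataclass, field

# Decision outcomes, named after the page's three strategies plus the client check.
ALLOW = "access_permitted"
CONTROLLED = "controlled_access"
DENY = "access_prohibited"
ALARM_STOP = "alarm_stop"


@dataclass(frozen=True)
class Environment:
    """Environment elements the client collects from the authorization server."""
    app_name: str
    os_name: str
    os_version: str
    ip: str
    mac: str


@dataclass
class ProtectionLists:
    whitelist: set[str] = field(default_factory=set)
    greylist: set[str] = field(default_factory=set)
    blacklist: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class ProtectionPolicy:
    """Per-region preset policy (constructed): whether grey entries get controlled access."""
    region: str
    grey_gets_controlled_access: bool


def learn(observations: dict[str, list[str]], known_dangerous: set[str],
          lists: ProtectionLists) -> ProtectionLists:
    """Offline self-learning: record every started process; blacklist the known dangerous ones."""
    for processes in observations.values():
        for proc in processes:
            if proc in known_dangerous:
                lists.blacklist.add(proc)
            elif proc not in lists.whitelist:
                lists.greylist.add(proc)
    return lists


def audit(lists: ProtectionLists, approved: set[str]) -> ProtectionLists:
    """Move audited grey entries into the white list; unapproved entries stay grey."""
    for proc in approved & lists.greylist:
        lists.greylist.remove(proc)
        lists.whitelist.add(proc)
    return lists


def decide(proc: str, current_env: Environment, learned_env: Environment,
           lists: ProtectionLists, policy: ProtectionPolicy, client_running: bool) -> str:
    """Start-up decision for one monitored process on the authorization server."""
    if not client_running:          # client missing: alarm and stop
        return ALARM_STOP
    if current_env != learned_env:  # assumption: changed environment elements are refused
        return DENY
    if proc in lists.blacklist:
        return DENY
    if proc in lists.whitelist:
        return ALLOW
    if proc in lists.greylist:
        return CONTROLLED if policy.grey_gets_controlled_access else DENY
    return DENY                     # assumption: never-learned processes are refused


# Constructed sample (not from the patent).
LEARNED_ENV = Environment("billing_app", "Linux", "5.10", "10.0.0.5", "00:11:22:33:44:55")
OBSERVATIONS = {
    "billing_app": ["billing_app.exe", "db_sync.exe", "bad_proc.exe"],
    "report_app": ["report_app.exe", "db_sync.exe"],
}
KNOWN_DANGEROUS = {"bad_proc.exe"}
APPROVED_AFTER_AUDIT = {"billing_app.exe", "db_sync.exe"}
POLICY = ProtectionPolicy(region="finance_zone", grey_gets_controlled_access=True)


def build_lists() -> ProtectionLists:
    """Run the offline learning phase and the audit on the sample observations."""
    return audit(learn(OBSERVATIONS, KNOWN_DANGEROUS, ProtectionLists()), APPROVED_AFTER_AUDIT)


def demo() -> dict[str, str]:
    """Decide each sample process with the client running and an unchanged environment."""
    lists = build_lists()
    return {p: decide(p, LEARNED_ENV, LEARNED_ENV, lists, POLICY, True)
            for p in ("billing_app.exe", "report_app.exe", "bad_proc.exe", "unknown.exe")}


if __name__ == "__main__":
    for proc, verdict in demo().items():
        print(f"{proc}: {verdict}")
```

The order of checks matters: the client-running test comes first because nothing the client reports can be trusted when it is not there, and the blacklist is consulted before the white list so that an entry present in both (for example after a bad audit) is still refused.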
In the above embodiments, the description of each embodiment has its own emphasis, and reference may be made to the related description of other embodiments for parts that are not described or recited in any embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus/terminal device and method may be implemented in other ways. For example, the above-described embodiments of the apparatus/terminal device are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit.
The integrated modules/units, if implemented in the form of software functional units and sold or used as separate products, may be stored in a computer readable storage medium.
Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may also be implemented by a computer program, which may be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method embodiments may be implemented. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic diskette, an optical disk, computer memory, Read-Only Memory (ROM), Random Access Memory (RAM), an electrical carrier wave signal, a telecommunications signal, a software distribution medium, etc. It should be noted that the content of the computer-readable medium may be suitably increased or decreased as required by legislation and patent practice in a given jurisdiction; for example, in some jurisdictions, computer-readable media do not include electrical carrier signals and telecommunications signals, in accordance with legislation and patent practice.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein.
While the invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. An active defense method for a dedicated storage space, the method comprising:
before an authorization server is connected to the Internet, acquiring information of environmental elements and monitoring objects in the authorization server, wherein the monitoring objects comprise processes and programs;
determining whether the monitored object belongs to a white list, a black list or a grey list according to the environmental elements, the information of the monitored object and a preset protection strategy, and storing the black list, the white list, the grey list and the preset protection strategy in each of the authorization server, the management terminal device and the storage device;
after the authorization server is connected to the Internet, when a monitoring object of the authorization server is started, performing a security check on the authorization server based on the monitoring object, the blacklist, the white list and the grey list stored respectively in the authorization server, the management terminal device and the storage device, and the preset protection policy, and determining from the result whether the authorization server is allowed to access the storage space.
2. The active defense method for the exclusive storage space according to claim 1, wherein the determining that the monitored object belongs to a white list, a black list or a grey list according to the environmental element, the information of the monitored object and a preset protection policy specifically includes:
operating each application software of the authorization server through a self-learning mechanism according to the collected application software information, operating system information, authorization IP address and MAC address in the environment elements of the authorization server;
recording the process and the program started by the application software;
adding the process or the program to the blacklist or the grey list according to a preset security protection strategy;
and adding the processes or the programs in the grey list after the processes or the programs pass the examination into the white list.
3. The active defense method for the exclusive storage space according to claim 1, wherein storing the blacklist, the white list, the grey list and the preset protection policy in the authorization server, the management terminal device and the storage device respectively includes:
making a plurality of copies of the white list, the grey list, the black list and the preset protection strategy, and, after determining that the creation time, file size and file content of each copy are consistent, storing the copies in the authorization server, the management terminal device and the storage device.
4. The active defense method for exclusive storage space according to claim 1, wherein, when the monitoring object of the authorization server is started, determining whether to allow the authorization server to access the storage space based on the security verification result of the monitoring object against the blacklist, the white list and the grey list stored respectively in the authorization server, the management terminal device and the storage device, and the preset protection policy, includes:
checking, according to the monitoring object, whether the size, update time and content of each copy file of the blacklist, the white list and the grey list stored in the authorization server, the management terminal device and the storage device are consistent;
if the copies are inconsistent, resetting the inconsistent copies by using a voting principle;
and judging whether the monitored object passes verification according to the preset protection strategy, and determining whether the authorization server is allowed to access the storage space according to the judgment result.
5. The active defense method for exclusive storage space according to claim 4, wherein the checking, according to the monitoring object, whether the size, update time, and content of each copy file stored in the blacklist, the whitelist, and the grey list of the authorization server, the management end device, and the storage device are completely consistent, and if not, the resetting of the inconsistent copy is performed by using a voting principle, specifically including:
the first judgment is whether the first blacklist copy stored in the authorization server, the second blacklist copy stored in the management terminal equipment and the third blacklist copy stored in the storage equipment are consistent in file size, latest updating time and file content;
the second judgment is whether the first white list copy stored in the authorization server, the second white list copy stored in the management terminal equipment and the third white list copy stored in the storage equipment are consistent in file size, latest updating time and file content;
the third judgment is whether the first grey list copy stored in the authorization server, the second grey list copy stored in the management terminal equipment and the third grey list copy stored in the storage equipment are consistent in file size, latest updating time and file content;
if the results of the first judgment, the second judgment and/or the third judgment are inconsistent, updating the first blacklist and the third blacklist according to the second blacklist, updating the first white list and the third white list according to the second white list, and updating the first grey list and the third grey list according to the second grey list.
6. The active defense method for the exclusive storage space according to claim 5, wherein the determining whether the monitored object passes the verification according to the preset protection policy and determining whether the authorization server is allowed to access the storage space according to the determination result specifically includes:
judging whether the monitored object belongs to the second blacklist, the second white list or the second grey list, and determining whether the monitored object passes verification according to the judgment result and the preset protection strategy;
if the monitoring object passes the verification, allowing the authorization server to access the storage space;
otherwise, the authorization server is not allowed to access the storage space.
7. An active defense system for exclusive storage space, the system comprising a client, a management terminal device and a server, wherein:
the client is used for acquiring information of environmental elements and monitoring objects in an authorization server before the authorization server is connected to the Internet, and for sending the information of the environmental elements and the monitoring objects to the management terminal device, wherein the monitoring objects comprise processes and programs;
the management terminal device is configured to determine whether the monitored object belongs to a white list, a black list or a grey list according to the environmental elements, the information of the monitored object and a preset protection policy, and to store the black list, the white list, the grey list and the preset protection policy in each of the authorization server, the management terminal device and the storage device;
the client is further used for acquiring the monitoring object and sending its information to the management terminal device when a monitoring object of the authorization server is started after the authorization server is connected to the Internet;
the management terminal device is further configured to perform a security check on the authorization server based on the monitoring object, the blacklist, the white list, the grey list and the preset protection policy, where the blacklist, the white list, the grey list and the preset protection policy are stored respectively in the authorization server, the management terminal device and the storage device, and to determine whether to allow the authorization server to access a storage space.
8. The active defense system for exclusive storage space of claim 7,
the client is specifically used for acquiring application software information, operating system information, an authorized IP address and an MAC address in the environment elements of the authorization server;
the management terminal device is specifically configured to operate each application software of the authorization server through a self-learning mechanism according to the application software information, the operating system information, the authorization IP address and the MAC address in the environment elements;
recording the process and the program started by the application software;
adding the process or the program to the blacklist or the grey list according to a preset security protection strategy;
and adding the processes or the programs in the grey list after the processes or the programs pass the examination into the white list.
9. The active defense system for exclusive storage space of claim 7,
the management terminal device is specifically configured to make multiple copies of the white list, the grey list, the black list, and the preset protection policy, and store the copies in the authorization server, the management terminal device, and the storage device after determining that creation time, file size, and file content of each copy are consistent.
10. The active defense system for exclusive storage space of claim 7, wherein
the server is specifically configured to check, according to the monitoring object, whether the size, update time and content of each copy file of the blacklist, the white list and the grey list stored in the authorization server, the management terminal device and the storage device are completely consistent;
if the copies are inconsistent, resetting the inconsistent copies by using a voting principle;
and judging whether the monitored object passes verification according to the preset protection strategy, and determining whether the authorization server is allowed to access the storage space according to the judgment result.
CN202110767187.8A 2021-07-07 2021-07-07 Active defense method and system for exclusive storage space Active CN113452718B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110767187.8A CN113452718B (en) 2021-07-07 2021-07-07 Active defense method and system for exclusive storage space

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110767187.8A CN113452718B (en) 2021-07-07 2021-07-07 Active defense method and system for exclusive storage space

Publications (2)

Publication Number Publication Date
CN113452718A CN113452718A (en) 2021-09-28
CN113452718B true CN113452718B (en) 2022-07-01

Family

ID=77815299

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110767187.8A Active CN113452718B (en) 2021-07-07 2021-07-07 Active defense method and system for exclusive storage space

Country Status (1)

Country Link
CN (1) CN113452718B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103078864A (en) * 2010-08-18 2013-05-01 北京奇虎科技有限公司 Active defense file repairing method based on cloud security
CN105138901A (en) * 2015-08-03 2015-12-09 浪潮电子信息产业股份有限公司 White list based realization method for active defense of cloud host
CN105631334A (en) * 2015-12-25 2016-06-01 北京奇虎科技有限公司 Application security detecting method and system
CN110008694A (en) * 2019-04-15 2019-07-12 苏州浪潮智能科技有限公司 Application security control method, device, equipment and readable storage medium
CN110188543A (en) * 2019-05-21 2019-08-30 北京威努特技术有限公司 White list library, white list program library update method and industrial control system
CN110688653A (en) * 2019-09-29 2020-01-14 北京可信华泰信息技术有限公司 Client security protection method and device and terminal equipment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Research on a high-security distributed storage system based on active defense; Li Ningbo et al.; Information Technology and Informatization; 2018-08-31 (No. 8); pp. 183-188 *
Design and implementation of a whitelist-based active defense system; Wang Feng et al.; Computer Engineering and Design; 2011-07-16 (No. 07); pp. 33-36, 105 *

Also Published As

Publication number Publication date
CN113452718A (en) 2021-09-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20211123

Address after: 100045 No.416, building 22, Sanlihe Third District, Xicheng District, Beijing

Applicant after: He Xiaolin

Address before: 100192 room 101-02, building 10, yard 1, Baosheng South Road, Haidian District, Beijing

Applicant before: Beijing tailixin Technology Co.,Ltd.

GR01 Patent grant