CN114257405B - Method, apparatus, computer device and storage medium for preventing illegal external connection - Google Patents

Publication number: CN114257405B
Application number: CN202111363328.6A
Authority: CN (China)
Legal status: Active (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN114257405A
Prior art keywords: terminal, external network, connection, external, local area
Inventors: 梅发茂, 付佳佳, 余志文, 马腾腾, 付坚
Current and original assignee: Guangdong Power Grid Co Ltd; Electric Power Dispatch Control Center of Guangdong Power Grid Co Ltd
Application filed by Guangdong Power Grid Co Ltd and Electric Power Dispatch Control Center of Guangdong Power Grid Co Ltd; priority to CN202111363328.6A.

Classifications

    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/105 Network architectures or network communication protocols for network security for controlling access to devices or network resources; multiple levels of security

Abstract

The application relates to a method, a device, a computer device and a storage medium for preventing illegal external connection. The method comprises the following steps: after a connection with the internal local area network has been established, monitoring the terminal for external network connection requests; in response to an external network connection request, applying security protection to the files stored in the terminal and outputting an option for responding to the external network connection; and receiving an operation on that option and processing the external network connection request according to the preset policy for that operation. With this method the terminal is effectively prevented from making an illegal external connection, different illegal-connection situations can be handled differently, and both the security and the convenience of the internal local area network are improved.

Description

Method, apparatus, computer device and storage medium for preventing illegal external connection
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a computer device, and a storage medium for preventing illegal external connection.
Background
Conventionally, security defence has been limited to the gateway level (firewalls and the like) and the network boundary (vulnerability scanning, security auditing, antivirus, IDS), with the important security facilities concentrated in machine rooms and at network entry points. To ensure the safe operation of a classified network, physical isolation is implemented between the classified network and public information networks; this is the main security measure adopted by classified networks today. Physical isolation provides a security boundary between the classified network and public information networks, so that a trusted and controllable internal network can be built and threats from outside the network reduced. The security inside the network, however, remains poor: serious threats exist within the internal local area network, and they have become a major problem that most network administrators face and must solve.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a method, apparatus, computer device, and storage medium capable of preventing illegal external connection of terminals of an internal local area network.
A method for preventing illegal external connection, applied to a terminal in an internal local area network, the method comprising:
after establishing a connection with the internal local area network, monitoring an external network connection request of the terminal;
in response to the external network connection request, applying security protection to the files stored in the terminal, and outputting an option for responding to the external network connection;
and receiving an operation responding to the option, and processing the external network connection request according to the preset policy corresponding to the operation.
In one embodiment, the security protection for the file stored in the terminal includes:
and carrying out encryption protection on the partition where the important file in the terminal is located, and simultaneously creating a sandbox in the terminal.
In one embodiment, receiving the operation responding to the option and processing the external network connection request according to the preset policy corresponding to the operation includes:
receiving a first operation responding to the option, establishing a connection with the external network, disconnecting the terminal from the internal local area network, and performing all operations in the sandbox while connected to the external network; wherein the first operation accepts the response to the external network connection request;
receiving a second operation responding to the option, refusing the connection with the external network, adding the external network to a blacklist, and releasing the security protection; wherein the second operation refuses the response to the external network connection request.
In one embodiment, after the connection to the external network is established and the terminal is disconnected from the internal LAN in response to the first operation on the option, the method further includes:
monitoring and recording the processes running in the sandbox;
and if a process in the sandbox is observed reading files outside the sandbox, disconnecting the terminal from the external network.
In one embodiment, the outputting the option to respond to the external network connection includes:
outputting an option of accepting a response to the external network connection request, and outputting an option of rejecting a response to the external network connection request.
In one embodiment, the method further comprises:
when the terminal is accessed to external hardware equipment, scanning whether the hardware equipment carries preset identity information or not;
and if the hardware equipment does not carry the preset identity information, refusing to establish connection with the hardware equipment.
In one embodiment, the method further comprises:
if the hardware equipment carries preset identity information, allowing connection with the hardware equipment to be established;
monitoring a current running process of the terminal, and detecting whether an abnormal or sensitive behavior exists in the running process of the process;
if no abnormal or sensitive behavior exists, continuing to monitor the running process of the terminal;
and if abnormal or sensitive behaviors exist, stopping the process corresponding to the abnormal or sensitive behaviors.
In one embodiment, stopping the process corresponding to the abnormal or sensitive behavior includes:
judging the hazard level of the abnormal or sensitive behavior; the hazard levels include at least a high risk level, a medium risk level and a low risk level;
if the hazard level is the high risk level, stopping the process, disconnecting the terminal from the internal local area network, and disconnecting the terminal from the hardware device;
if the hazard level is the medium risk level, stopping the process and disconnecting the terminal from the hardware device;
and if the hazard level is the low risk level, stopping the process, recording the number of abnormal requests made by the process, and disconnecting the terminal from the hardware device when that number reaches a preset value.
In one embodiment, the monitoring the current running process of the terminal includes:
and preferentially monitoring whether the process related to the hardware equipment has abnormal behavior or sensitive behavior in the running process.
In one embodiment, before said establishing a connection with said internal local area network, said method further comprises:
detecting whether a local area network to be connected is the internal local area network or not;
and if the local area network to be connected is the internal local area network, connecting with the internal local area network.
A system for preventing illegal external connection comprises a plurality of terminals and at least one server; the server and the terminals together form an internal local area network;
the terminal is used for establishing connection with the internal local area network and monitoring an external network connection request of the terminal; according to the external network connection request, carrying out safety protection on the file stored in the terminal, and outputting an option for responding to external network connection; and receiving an operation responding to the option, and processing the external network connection request according to a preset strategy according to the operation.
A computer device comprising a memory and a processor, said memory storing a computer program, characterized in that said processor, when executing said computer program, implements the steps of said method for preventing illegal external connection as described before.
A computer readable storage medium having stored thereon a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method for preventing illegal external connection described above.
According to the method, the device, the computer device and the storage medium for preventing illegal external connection, the external network connection request of the terminal is monitored and the files stored in the terminal are protected in advance; an option for responding to the external network connection is output, and once the operation responding to that option is received the request is processed according to the corresponding preset policy. The terminal is therefore protected throughout the process of connecting to the external network, and to a degree that depends on the operation chosen, so that illegal external connection of the terminal is effectively prevented and the security and convenience of the internal local area network are improved.
Drawings
FIG. 1 is a diagram of an application environment for an illegal external connection prevention method in one embodiment;
FIG. 2 is a flow chart of a method for preventing illegal external connection in one embodiment;
FIG. 3 is a flow chart of a method for preventing illegal external connection in one embodiment;
FIG. 4 is a flow chart of a method for preventing illegal external connection in another embodiment;
FIG. 5 is a flow chart of a method for preventing illegal external connection in another embodiment;
FIG. 6 is a flow chart of a method for preventing illegal external connection in another embodiment;
FIG. 7 is a block diagram of an embodiment of an illegal external connection prevention device;
FIG. 8 is a block diagram of an embodiment of an illegal external connection prevention device;
FIG. 9 is an internal block diagram of a terminal in one embodiment;
FIG. 10 is an internal structural diagram of a server in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The method for preventing illegal external connection provided by the application can be applied in the application environment shown in FIG. 1, where the terminal 102 communicates with the server 104 over a network. The terminals include those used by administrators at the management end of the internal local area network and those used by ordinary staff at the client end. A terminal 102 may be, without limitation, a personal computer, notebook computer, smartphone, tablet computer or similar device; there may be many terminals 102, at least two of which are used by administrators of the internal local area network. The server 104 may be implemented as a stand-alone server or as a server cluster, the number being determined by the size and the importance of the internal LAN.
In one embodiment, as shown in fig. 2, a method for preventing illegal external connection is provided, and the method for preventing illegal external connection is described by taking the application of the method to the terminal 102 in fig. 1 as an example, and the method for preventing illegal external connection includes steps 202-206.
And 202, after establishing connection with the internal local area network, monitoring an external network connection request of the terminal.
After the terminal is connected to the internal local area network, the client security program on the terminal monitors whether the network connection state of the terminal is abnormal. Besides the connection state between the terminal and the internal local area network, the client security program monitors the terminal's external network connection requests, each of which carries information about the external network connection state. The user can choose real-time or periodic monitoring according to their needs.
The internal local area network is built in advance and consists of a server and a plurality of terminals. It may provide functions such as file management, application sharing, printer sharing, scheduling within a workgroup, and e-mail and fax communication services. The external network is any network other than the internal local area networks, for example a wired external network, an external mobile network or an external WiFi wireless network. Correspondingly, the external network connection request is a request by the terminal to connect to such an external network. The external network connection state may include the connection manner (e.g. wired or wireless), the connection duration, the connection purpose, and the like.
And 204, according to the external network connection request, carrying out security protection on the file stored in the terminal, and outputting an option for responding to external network connection.
After the security program of the client or the management end monitors the external network connection request of the terminal, security protection measures are adopted for files stored in the terminal, especially important files, and a popup window at the front end of the terminal inquires whether a user selects to establish connection with the external network or not so as to instruct the security program of the terminal to further process the external network connection request. For example, the security program of the terminal pops up a prompt of "whether the current terminal is connected to the external network" according to the external network connection request, and displays options of "accept" and "reject" for the user to select.
And 206, receiving an operation responding to the option, and processing the external network connection request according to a preset strategy according to the operation.
After outputting an option for responding to the external network connection, inquiring whether a user selects to establish connection with the external network, receiving operation from the user responding to the option by the terminal, receiving the operation by a security program, and correspondingly processing the external network connection request according to different preset strategies aiming at different operations. The options are an accept option and a reject option, and the protection level of the preset strategy corresponding to the accept option to the terminal is higher than that of the preset strategy corresponding to the reject option to the terminal.
In this method for preventing illegal external connection, the external network connection request of the terminal is monitored and the files stored in the terminal are protected in advance; an option for responding to the external network connection is output, and once the operation responding to that option is received the request is processed according to the corresponding preset policy. The terminal is therefore protected throughout the process of connecting to the external network, and to a degree that depends on the operation chosen, so that illegal external connection of the terminal is effectively prevented and the security and convenience of the internal local area network are improved.
In one embodiment, the security protection of the files stored in the terminal includes the step of performing encryption protection on the partition where the important files in the terminal are located, and creating a sandbox in the terminal.
The sandbox is a virtual space that provides an isolated environment for running programs; it is typically built for programs that are untrusted, destructive, or whose intent cannot be determined. While using the terminal, the user can sort and mark the files in it, classifying them as important files or ordinary files; the security program takes different protection measures for the different classes, and the measures can be configured by the user. When the security program detects an external network connection request, it can apply multi-layer encryption protection to the important files, with the encryption and decryption methods chosen by the user; the ordinary files are monitored, and a single layer of encryption may be applied to them.
In this embodiment, the security program on the terminal encrypts and protects the important files as soon as the external network connection request is detected, which prevents an illegal external network, or a malicious program brought in by it, from stealing or tampering with important information in the terminal. A sandbox is also created in the terminal to isolate the programs run subsequently, preventing the illegal external network from intruding into the terminal and so improving the security of the internal local area network.
In one embodiment, as shown in fig. 3, the step 204 of outputting the option to respond to the external network connection includes outputting the option 302 to accept the response to the external network connection request and the option 304 to reject the response to the external network connection request.
The client security program queries, in a front-end popup window, whether the user wants to connect to the external network; the options for responding to the external network connection are an "accept" option and a "reject" option. When the user wants to connect to the external network, a first operation selects the "accept" option, instructing the security program to allow the terminal to establish the connection; when the user does not want to connect to the external network, a second operation selects the "reject" option, instructing the security program to refuse the connection.
Correspondingly, the receiving responds to the operation of the option, and processes the external network connection request according to the operation and a preset strategy, including steps 306 and 308:
step 306, receiving a first operation in response to the option, establishing a connection with the external network, disconnecting the terminal from the internal local area network, and performing all operations in the sandbox during the connection with the external network; wherein the first operation is for accepting a response to the external network connection request.
When the user implements the first operation to select the "accept" option, the security program receives the first operation, allows the terminal to be connected with the external network, and in order to ensure the security of the internal local area network, simultaneously disconnects the terminal from the internal local area network, and in the process of connecting with the external network, all operations are performed in a sand box created in advance.
Step 308, receiving a second operation responding to the option, refusing the connection with the external network, adding the external network into a blacklist, and releasing the safety protection; wherein the second operation is for refusing the response to the external network connection request.
After the user performs the second operation and selects the "reject" option, the security program refuses the connection between the terminal and the external network. Since the external network now poses no threat to the internal local area network, the encryption protection on the partition holding the important files can be released, that is, the important files can be decrypted and stored normally in the terminal. The sandbox can also be closed to leave the protected state, and the external network is added to a blacklist, so that if the terminal requests a connection to the same external network again the security program rejects it directly.
Steps 302-308 are all recorded by the central security program on the server. When the terminal is disconnected from the internal LAN in step 306, the central security program detects the event and notifies the management-end security program, which in turn notifies the administrators at the front end so that they can take the corresponding protective measures.
In this embodiment, by outputting an option for responding to the external network connection and receiving a first operation and a second operation in response to the option, the security program of the terminal may perform different processes on the external network connection request according to a preset policy for the first operation and the second operation, and after the terminal establishes a connection with the external network, all operations are limited to be performed in a sandbox, so as to achieve a good isolation effect, and effectively avoid illegal intrusion of a malicious program or virus into the terminal.
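The accept/reject policy of steps 202-206 and 302-308, written out as an added example that is not code from the patent or its assignee. The class and field names, the in-memory flags standing in for partition encryption and sandbox creation, and the "network_id" used to key the blacklist are all assumptions made for illustration; the patent describes behaviour, not an API.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class ExternalNetworkRequest:
    """An external network connection request as the client security program
    observes it. The fields mirror the connection-state information the
    description lists (connection manner, duration, purpose)."""
    network_id: str        # identifier of the external network (assumed: SSID or interface name)
    connection_type: str   # "wired" or "wireless"
    duration_s: int
    purpose: str


@dataclass
class TerminalState:
    """Assumed in-memory model of what the security program controls."""
    lan_connected: bool = True
    external_connected: bool = False
    partition_encrypted: bool = False   # encryption protection on the important-file partition
    sandbox_active: bool = False
    blacklist: Set[str] = field(default_factory=set)
    events: List[Tuple[str, str]] = field(default_factory=list)   # (action, network_id)


class ExternalConnectionPolicy:
    """Client-side security program for steps 202-206 and 302-308."""

    def __init__(self, state: TerminalState) -> None:
        self.state = state

    def on_request(self, req: ExternalNetworkRequest) -> str:
        """Step 204: protect files first, then decide what to show the user.
        Returns "prompt" when the accept/reject options must be displayed, or
        "auto-reject" when the network was blacklisted by an earlier step 308."""
        s = self.state
        if req.network_id in s.blacklist:
            s.events.append(("auto-reject", req.network_id))
            return "auto-reject"
        # Protection is applied before the prompt: the user may take a while
        # to answer, and the request itself is the trigger for protection.
        s.partition_encrypted = True
        s.sandbox_active = True
        s.events.append(("protected", req.network_id))
        return "prompt"

    def on_decision(self, req: ExternalNetworkRequest, accept: bool) -> TerminalState:
        """Step 206: apply the preset policy for the option the user chose."""
        s = self.state
        if accept:                           # step 306, first operation
            s.lan_connected = False          # leave the internal LAN before ...
            s.external_connected = True      # ... joining the external network
            s.events.append(("accept", req.network_id))
            # The partition stays encrypted and the sandbox stays active:
            # every operation during the external session runs inside it.
        else:                                # step 308, second operation
            s.external_connected = False
            s.blacklist.add(req.network_id)
            s.partition_encrypted = False    # release the security protection
            s.sandbox_active = False
            s.events.append(("reject", req.network_id))
        return s


if __name__ == "__main__":
    # Constructed request: a wireless hotspot the user tries to join.
    req = ExternalNetworkRequest("CoffeeShop-WiFi", "wireless", 0, "browsing")
    policy = ExternalConnectionPolicy(TerminalState())
    print(policy.on_request(req))                              # prompt
    print(policy.on_decision(req, accept=False).blacklist)     # {'CoffeeShop-WiFi'}
    print(policy.on_request(req))                              # auto-reject
```

Ordering matters in the accept branch: the internal LAN link is dropped before the external link is brought up, so the terminal is never bridged between the two networks, which is the whole point of the "illegal external connection" protection.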
In one embodiment, after the connection to the external network is established and the terminal is disconnected from the internal LAN in response to the first operation on the option, the method further includes monitoring and recording the processes running in the sandbox and, if a process in the sandbox is observed reading a file outside the sandbox, disconnecting the terminal from the external network. Because the sandbox is an isolated space set up for the external network session, the important files in the terminal are protected from being leaked, tampered with or infected. At the same time, monitoring the processes in the sandbox while the terminal is connected to the external network detects abnormal or sensitive behavior of the external network promptly, so that staff can check a terminal thoroughly before it rejoins the internal local area network, avoiding the risk that something hidden in the terminal infects other terminals once it reconnects, and so keeping the internal local area network secure at all times.
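The sandbox-escape check described above, as an added example rather than code from the patent: file-access events from sandboxed processes are recorded, and any access that resolves outside the sandbox root flags the session for disconnection from the external network. The event format, the sandbox root and the sample events are constructed for this example. The patent names reads outside the sandbox as the trigger; this example treats any access outside the sandbox as a violation, which is stricter.

```python
import posixpath
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class FileEvent:
    """One file-access event as a sandbox hook might report it (assumed format)."""
    pid: int
    op: str     # "read" or "write"
    path: str


def resolve_in_sandbox(sandbox_root: str, path: str) -> str:
    """Absolute, normalised form of `path`; relative paths are taken relative
    to the sandbox root. normpath collapses '.' and '..' segments, which is
    what defeats '/srv/sandbox/work/../../../etc/hosts'."""
    root = posixpath.normpath(sandbox_root)
    return posixpath.normpath(posixpath.join(root, path))


def is_inside(sandbox_root: str, path: str) -> bool:
    """True when `path` resolves under `sandbox_root`. The trailing-slash
    check defeats the prefix trick '/srv/sandboxed' versus '/srv/sandbox'.
    A real agent must also resolve symlinks on the live filesystem
    (os.path.realpath) before comparing, which a string check cannot do."""
    root = posixpath.normpath(sandbox_root)
    prefix = root if root.endswith("/") else root + "/"
    target = resolve_in_sandbox(sandbox_root, path)
    return target == root or target.startswith(prefix)


def review_session(sandbox_root: str, events: Iterable[FileEvent]) -> Dict[str, object]:
    """Monitor and record every event, then decide whether to cut the external link."""
    log: List[str] = []
    offending: List[str] = []
    for ev in events:
        target = resolve_in_sandbox(sandbox_root, ev.path)
        inside = is_inside(sandbox_root, ev.path)
        log.append(f"pid={ev.pid} {ev.op} {target} {'inside' if inside else 'OUTSIDE'}")
        if not inside:
            offending.append(target)
    return {"disconnect_external": bool(offending), "offending": offending, "log": log}


# Constructed events for a sandboxed session rooted at /srv/sandbox.
SAMPLE_EVENTS = [
    FileEvent(4242, "read", "/srv/sandbox/work/report.txt"),
    FileEvent(4242, "read", "/srv/sandbox/work/../../../etc/hosts"),   # escape via '..'
    FileEvent(4243, "write", "tmp/out.bin"),                              # relative: inside
    FileEvent(4243, "read", "/srv/sandboxed/secrets"),                    # prefix trick
]

if __name__ == "__main__":
    result = review_session("/srv/sandbox", SAMPLE_EVENTS)
    print("\n".join(result["log"]))
    print("disconnect external network:", result["disconnect_external"])
```

The two escape cases in the sample are the ones a naive `path.startswith(root)` check gets wrong: a `..` traversal that starts inside the root, and a sibling directory whose name merely begins with the root's name.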
In one embodiment, as shown in FIG. 4, the method further comprises steps 402-404:
step 402, when the terminal accesses to an external hardware device, scanning whether the hardware device carries preset identity information.
The user may set preset identity information on a hardware device that is connected to the terminal and trusted, and the preset identity information may be carried by an identity chip, which may be installed on a connector of the hardware device to be connected to the terminal, for example. The connector can be a USB interface, a VGA interface, an RJ-45 interface and the like. When the hardware device is connected with the terminal, the security program of the terminal can recognize the preset identity information on the identity chip. The preset identity information may be used to characterize unique identity information of the hardware device, and specifically may be formed by at least one of a number, a letter, and a special symbol.
Step 404, if the hardware device does not carry the preset identity information, the connection with the hardware device is refused to be established.
If the hardware device does not carry the preset identity information, the hardware device is not trusted by the user or is at risk, and the security program can filter the hardware device and reject the connection between the terminal and the hardware device.
In this embodiment, a hardware device connecting to the terminal is identified on the basis of the preset identity information, which effectively prevents illegal hardware devices from connecting to the terminal and removes the risk of intrusion into the system when the terminal is connected to a new hardware device.
In one embodiment, as shown in fig. 4, the method further includes steps 406-412,
step 406, if the hardware device carries preset identity information, allowing connection to be established with the hardware device.
If the hardware device carries the preset identity information, the hardware device is a device trusted by a user or a device allowed to be connected with the terminal by the user, and the terminal can be allowed to establish connection with the hardware device.
Step 408, monitoring the current running process of the terminal, and detecting whether the process has abnormal or sensitive behavior in the running process.
After the hardware device is connected to the terminal, the security program in the terminal monitors the processes running in the terminal, giving priority to the processes related to the hardware device so as to evaluate the security of that device; whether a process shows abnormal or sensitive behavior while running instructs the security program how to handle the device further. Abnormal behavior can be, for example, the hardware device carrying a virus or Trojan, accessing an unauthorized area, network scanning or eavesdropping; sensitive behavior can be, for example, a financial transaction or access at an abnormal time.
And step 410, if no abnormal or sensitive behavior exists, continuing to monitor the running process of the terminal.
And step 412, if abnormal or sensitive behaviors exist, stopping the process corresponding to the abnormal or sensitive behaviors.
When abnormal or sensitive behavior is detected, the process is stopped, so that the threat it poses to the network security of the terminal is removed in time.
In this embodiment, the effect of effectively improving the security of the internal local area network and the terminal during actual operation is achieved by performing key monitoring on the process caused by the hardware device connected with the terminal.
In one embodiment, as shown in fig. 5, stopping the process corresponding to the abnormal or sensitive behavior includes steps 502-508:
step 502, judging the hazard level of the abnormal or sensitive behavior; the hazard classes may include at least a high risk class, a medium risk class, and a low risk class.
When the security program of the terminal monitors that the current running process in the terminal has abnormal or sensitive behaviors in the running process, the security program can judge the hazard level of the abnormal or sensitive behaviors so as to instruct the security program to conduct grading coping treatment on the abnormal or sensitive behaviors. The risk level marks the security threat degree of the abnormal or sensitive behavior on the terminal, the higher the risk level is, the more seriously the security of the terminal is affected, the tighter the security program is required to take protective measures, and the level type of the risk level and the level judgment standard can be set independently by a user.
And step 504, if the hazard level is a high risk level, stopping the process, disconnecting the terminal from the internal local area network, and disconnecting the terminal from the hardware device.
When the hazard level related to the process is detected to be a high risk level, which indicates that the network security of the terminal is seriously threatened at the moment, the security program can prevent the process, disconnect the terminal from the internal local area network to avoid the threat of the process to the security of the internal local area network, and disconnect the terminal from the hardware equipment in time.
And step 506, if the hazard level is a risk level, stopping the process and disconnecting the terminal from the hardware device.
When the hazard level related to the process is the medium risk level, which indicates that the network security of the terminal is moderately threatened, but the threat to the internal local area network cannot be formed at the moment, the security program can stop the process and disconnect the terminal from the hardware device.
And step 508, if the hazard level is a low risk level, stopping the process, recording the abnormal request times of the process, and disconnecting the terminal from the hardware equipment when the abnormal request times reach a preset value.
When the hazard level related to the process is judged to be the low risk level, the network security of the terminal is threatened only to a low degree, and the abnormal or sensitive behavior does not yet affect the security of the terminal or of the internal local area network. The monitoring state is therefore kept, and only after the abnormal request count of the process reaches the preset value is the terminal disconnected from the hardware device. The preset value can be set independently by the user, and an abnormal request can be a request to read an important file in the terminal, a request to implant a malicious program, and the like.
The security program of the client records all the events of steps 502-508 and sends them to the server of the internal LAN, and the server in turn sends the event records to the terminal of the management end, so that the manager knows in time which terminal in the internal LAN has had a defence event and can take countermeasures promptly, thereby protecting the internal LAN from intrusion.
In this embodiment, by focused monitoring of the processes running on the terminal, particularly those related to the hardware device connected to the terminal, abnormal or sensitive behavior of the hardware device during its connection to the terminal can be found in time, and by judging the hazard level of that behavior the security program can be instructed to handle different hazard levels in a graded way, which improves the security of the internal local area network and the convenience of the operation for preventing illegal external connection.
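The graded response of steps 502-508 (and the identical steps 630-636 later on) is easiest to see as a small policy function. The following is an added example, not code from the patent or its assignee: the `Hazard` and `Action` names, the default low-risk threshold of 3 and the sample process events are all assumptions; the patent only says the threshold is user-settable.

```python
"""Graded response to abnormal or sensitive process behaviour (steps 502-508).

Added example, not the patent's own code. The Action names, the default
low-risk threshold (3) and the sample events in demo() are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class Hazard(Enum):
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"


class Action(Enum):
    STOP_PROCESS = "stop_process"
    DISCONNECT_LAN = "disconnect_internal_lan"
    DISCONNECT_DEVICE = "disconnect_hardware_device"
    KEEP_MONITORING = "keep_monitoring"


@dataclass
class TerminalSecurityProgram:
    """Client-side security program: applies the graded policy and keeps an event log."""
    low_risk_threshold: int = 3                                  # user-settable preset value (assumed 3)
    abnormal_requests: Counter = field(default_factory=Counter)  # abnormal request count per process id
    event_log: List[dict] = field(default_factory=list)          # later sent to the center's server

    def handle(self, pid: int, behaviour: str, level: Hazard) -> List[Action]:
        actions = [Action.STOP_PROCESS]  # every level stops the offending process
        if level is Hazard.HIGH:
            # Step 504: the internal LAN is threatened, cut both links at once.
            actions += [Action.DISCONNECT_LAN, Action.DISCONNECT_DEVICE]
        elif level is Hazard.MEDIUM:
            # Step 506: the terminal is threatened but the LAN is not; drop only the device.
            actions.append(Action.DISCONNECT_DEVICE)
        else:
            # Step 508: count abnormal requests; disconnect only at the preset value.
            self.abnormal_requests[pid] += 1
            if self.abnormal_requests[pid] >= self.low_risk_threshold:
                actions.append(Action.DISCONNECT_DEVICE)
                del self.abnormal_requests[pid]  # counter is reset once the device is gone
            else:
                actions.append(Action.KEEP_MONITORING)
        # Every decision is recorded so the center and the management end can be informed.
        self.event_log.append({"pid": pid, "behaviour": behaviour, "level": level.value,
                               "actions": [a.value for a in actions]})
        return actions


def demo() -> List[List[Action]]:
    """Constructed sequence of events: three low-risk hits on one process, then medium and high."""
    sp = TerminalSecurityProgram(low_risk_threshold=3)
    return [sp.handle(101, "read important file", Hazard.LOW),
            sp.handle(101, "read important file", Hazard.LOW),
            sp.handle(101, "embed malicious program", Hazard.LOW),
            sp.handle(202, "unauthorized area access", Hazard.MEDIUM),
            sp.handle(303, "network scanning", Hazard.HIGH)]


if __name__ == "__main__":
    for step in demo():
        print([a.value for a in step])
```

The per-process counter is what distinguishes the low-risk branch from the other two: the third low-risk event on process 101 crosses the assumed threshold and is the one that disconnects the device, while the first two only keep monitoring.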
In one embodiment, before the connection with the internal LAN is established, the method further includes a step of detecting whether the LAN to be connected is the internal LAN, and if so, connecting with it. Specifically, the security program of the terminal may send an HTTP connection request to a server of the LAN to be connected and check the received HTTP status value; if the HTTP status value indicates that the URL of the server to which access is requested was redirected while connecting to the server, the LAN to be connected is determined to be the target internal LAN.
In this embodiment, by performing identity judgment on the local area network before the terminal establishes connection with the local area network to be connected, connection between the terminal and the illegal external network can be prevented from the source, the security of the internal local area network is ensured, and the efficiency of the illegal external connection prevention method is improved.
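The redirect check above can be carried out on the raw HTTP response without any library beyond the standard one. The following is an added example rather than the patent's code: the three responses are constructed, and the check of the redirect target host (`EXPECTED_REDIRECT_HOST`) goes beyond the patent, which looks only at the status value; it is included because a captive portal on a foreign network also answers with a redirect, so the status code alone does not identify the internal LAN.

```python
"""Decide whether the LAN being joined is the internal LAN from an HTTP response.

Added example, not the patent's own code. EXPECTED_REDIRECT_HOST and the three
sample responses are constructed assumptions.
"""
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
# Assumption: the internal server redirects the probe URL to this host.
EXPECTED_REDIRECT_HOST = "portal.intranet.example"

# Constructed responses, as the security program might receive them from the probed server.
INTERNAL_RESPONSE = (b"HTTP/1.1 302 Found\r\n"
                     b"Location: https://portal.intranet.example/login\r\n"
                     b"Content-Length: 0\r\n\r\n")
CAPTIVE_PORTAL_RESPONSE = (b"HTTP/1.1 302 Found\r\n"
                           b"Location: http://captive.hotspot.example/\r\n\r\n")
PLAIN_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                  b"Content-Type: text/html\r\n\r\n<html></html>")


def parse_response(raw: bytes):
    """Return (status_code, headers) from a raw HTTP/1.x response; header names are lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line")
    status = int(parts[1])  # raises ValueError on a malformed code, caught by the caller
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def is_internal_lan(raw: bytes) -> bool:
    """True only for a redirect (the patent's criterion) whose target is the expected internal host."""
    try:
        status, headers = parse_response(raw)
    except ValueError:
        return False  # garbage or no HTTP at all: treat as not the internal LAN
    if status not in REDIRECT_CODES:
        return False
    location = headers.get("location", "")
    return urlsplit(location).hostname == EXPECTED_REDIRECT_HOST


if __name__ == "__main__":
    for name, resp in [("internal", INTERNAL_RESPONSE),
                       ("captive portal", CAPTIVE_PORTAL_RESPONSE),
                       ("plain 200", PLAIN_RESPONSE)]:
        print(name, "->", is_internal_lan(resp))
```

Anything that is not a well-formed redirect to the expected host is treated as "not the internal LAN", which is the safe default for this check: a wrong negative only delays joining the LAN, a wrong positive would let the terminal treat a foreign network as trusted.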
In one embodiment, an illegal external connection detection method is provided, and is described by taking the application of the method to the terminal 102 and the server 104 in fig. 1 as an example, and the method includes the following steps 602-636:
In step 602, when the terminal requests access to a LAN, the security program of the terminal automatically detects whether the LAN is the internal LAN.
Step 604, if the detection result is no, the security program of the terminal refuses the connection between the terminal and the local area network.
Step 606, if the detection result is yes, the security program of the terminal allows the terminal to connect to the LAN.
In step 608, the security program of the terminal monitors whether an external network connection request exists at the terminal.
Step 610, if the monitoring result is no, the security program of the terminal continues to maintain the monitored state in the background.
And step 612, if the monitoring result is yes, the security program encrypts and protects the partition where the important file in the terminal is located, and meanwhile creates a sandbox in the terminal.
In step 614, the security program asks the user, in a pop-up window at the front end of the terminal, whether to connect to the external network; for example, an "accept" option and a "reject" option may pop up for the user to select.
In step 616, if the user selects the "reject" option in step 614, the security program adds the external network to the blacklist and releases the protection state created in step 612, namely the encryption protection of the partition where the important files in the terminal are located and the sandbox created in the terminal.
In step 618, if the user selects the "accept" option in step 614, the security program disconnects the terminal from the internal LAN, and all operations of the terminal during the connection to the external network are performed in the sandbox.
The events of steps 614-618 are all recorded by the security program of the center in the server. When the terminal is disconnected from the internal LAN in step 618, the security program of the center in the server detects the event and notifies the security program of the management end, which in turn notifies the management personnel at the front end so that they can take corresponding protective measures.
Step 620, when the terminal accesses to an external hardware device, the security program of the terminal scans whether the hardware device carries preset identity information.
Step 622, if the scan result is no, the security program refuses the terminal to establish a connection with the hardware device.
Step 624, if the scan result is yes, the security program allows the terminal to establish a connection with the hardware device.
In step 626, the security program monitors the current running process of the terminal, and monitors whether the process has abnormal or sensitive behavior in the running process. The safety program can monitor whether the process related to the hardware device has abnormal behavior or sensitive behavior in the running process preferentially.
And step 628, if the monitoring result is no, continuing to monitor the running process of the terminal.
Step 630, if the monitoring result is yes, judging the hazard level of the abnormal or sensitive behavior; the hazard classes may include at least a high risk class, a medium risk class, and a low risk class.
Step 632, if the hazard level is the high risk level, the security program of the terminal stops the process, disconnects the terminal from the internal LAN, and disconnects the terminal from the hardware device.
Step 634, if the hazard level is the medium risk level, the security program of the terminal stops the process and disconnects the terminal from the hardware device.
Step 636, if the hazard level is the low risk level, the security program of the terminal stops the process and records the abnormal request count of the process, and when the count reaches a preset value, the connection between the terminal and the hardware device is disconnected.
The security program of the client records all the events of steps 630-636 and sends them to the server of the internal LAN, and the server also sends the event records to the security program of the management end, so that the manager knows in time which terminal in the internal LAN has had a defence event and can take countermeasures promptly, thereby protecting the internal LAN from intrusion.
In this embodiment, the security program of the terminal handles abnormal or sensitive behavior of the terminal in a graded way according to the hazard level, which effectively improves the security and the convenience of handling when the internal local area network and the terminals connected to it actually operate; at the same time it performs identity recognition on the hardware device accessing the terminal and focused monitoring of the processes brought about by that device, which prevents the internal local area network from being illegally invaded and improves its security. It should be understood that, although the steps in the flowcharts of figs. 1-6 are shown in the order indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps in figs. 1-6 may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and the order in which these sub-steps or stages are performed is not necessarily sequential; they may be performed in turn or alternately with at least some of the sub-steps or stages of other steps.
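Steps 608-618 (protect first, ask the user, then either blacklist or move the terminal into the sandbox and off the internal LAN) form a small state machine between the client's security program and the center. The following is an added example and not code from the patent: the event names, the "blocked" outcome for a network that is already on the blacklist, and the check that a sandboxed process reading a file outside the sandbox drops the external link (the behaviour of the sandbox-monitoring embodiment further down) are assumptions about how the described policy would be wired together; the constructed network names are placeholders.

```python
"""External network connection request handling (steps 608-618) plus sandbox monitoring.

Added example, not the patent's own code. Event names, the handling of an
already-blacklisted network and the network names used in demo() are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class CenterSecurityProgram:
    """Security program of the center (server): records events, alerts the management end."""
    events: List[dict] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)  # what the management end's program receives

    def record(self, terminal: str, event: str, external: str) -> None:
        self.events.append({"terminal": terminal, "event": event, "external": external})
        if event == "disconnect_internal_lan":  # the event the center must pass on to the management end
            self.alerts.append(f"{terminal} left the internal LAN for {external}")


@dataclass
class ClientSecurityProgram:
    """Security program of the client (terminal)."""
    terminal: str
    center: CenterSecurityProgram
    blacklist: Set[str] = field(default_factory=set)
    partition_encrypted: bool = False
    sandbox_active: bool = False
    on_internal_lan: bool = True
    external: Optional[str] = None  # external network currently connected, if any

    def _emit(self, event: str, external: str) -> None:
        self.center.record(self.terminal, event, external)

    def on_external_request(self, network: str) -> str:
        """Steps 608-614: protect the terminal, then return 'prompt' to ask the user."""
        if network in self.blacklist:  # assumption: a rejected network is dropped without asking again
            self._emit("blocked_blacklisted", network)
            return "blocked"
        self.partition_encrypted = True  # step 612: encrypt the partition with the important files
        self.sandbox_active = True       # step 612: create the sandbox
        self._emit("protect", network)
        return "prompt"                  # step 614: pop up accept / reject

    def on_user_choice(self, network: str, accept: bool) -> None:
        """Step 618 on accept, step 616 on reject."""
        if accept:
            self.on_internal_lan = False  # leave the internal LAN before joining the external network
            self.external = network
            self._emit("disconnect_internal_lan", network)
            self._emit("connect_external_in_sandbox", network)
        else:
            self.blacklist.add(network)
            self.partition_encrypted = False  # release the protection state of step 612
            self.sandbox_active = False
            self._emit("reject", network)

    def sandbox_process_event(self, pid: int, reads_outside_sandbox: bool) -> bool:
        """Sandbox monitoring: a process reading outside the sandbox ends the external connection.

        Returns True when the external network was disconnected as a result.
        """
        if self.external is None or not reads_outside_sandbox:
            return False
        self._emit("sandbox_escape_read", self.external)
        self._emit("disconnect_external", self.external)
        self.external = None
        return True


def demo() -> CenterSecurityProgram:
    """Constructed scenario: reject wifi-A, see it blocked later, accept wifi-B, then an escape attempt."""
    center = CenterSecurityProgram()
    sp = ClientSecurityProgram("terminal-1", center)
    sp.on_external_request("wifi-A")
    sp.on_user_choice("wifi-A", accept=False)
    sp.on_external_request("wifi-A")   # now blacklisted
    sp.on_external_request("wifi-B")
    sp.on_user_choice("wifi-B", accept=True)
    sp.sandbox_process_event(77, reads_outside_sandbox=True)
    return center


if __name__ == "__main__":
    for e in demo().events:
        print(e)
```

The order inside `on_external_request` is the point the patent stresses: the partition is encrypted and the sandbox created before the user is asked, so the terminal is already protected whichever option is chosen.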
In one embodiment, as shown in fig. 7, an apparatus for preventing illegal external connection is provided, comprising a monitoring module 702, a security protection module 704 and a receiving module 706, wherein,
the monitoring module 702 is configured to monitor an external network connection request of the terminal after the terminal establishes a connection with the internal local area network;
the security protection module 704 is configured to perform security protection on a file stored in the terminal according to the external network connection request, and output an option for responding to external network connection;
and the receiving module 706 is configured to receive an operation in response to the option, and process the external network connection request according to a preset policy according to the operation.
According to the device for preventing illegal external connection, the external network connection request of the terminal is monitored, the files stored in the terminal are protected in advance, the option for responding to the external network connection is output, the external network connection request is correspondingly processed according to different preset strategies after the operation for responding to the option is received, the terminal is well protected in the process of connecting the terminal to the external network, the terminal can be protected in different degrees according to different operations for responding to the option, illegal external connection of the terminal is effectively prevented, and the safety and convenience of the internal local area network are improved.
In one embodiment, performing security protection on the file stored in the terminal according to the external network connection request and outputting an option for responding to the external network connection includes: encrypting and protecting the partition where the important file in the terminal is located, and simultaneously creating a sandbox in the terminal. The security protection module 704 is accordingly further configured to encrypt and protect the partition where the important file in the terminal is located, and to create a sandbox in the terminal.
In this embodiment, the security protection module 704 performs encryption protection on the important file, so that malicious operations such as stealing and tampering on important information in the terminal by using an illegal external network or a malicious program brought by illegal external connection can be prevented, and a sandbox can be created in the terminal to provide an isolation environment for a program running subsequently, so that the intrusion of the illegal external network to the terminal is prevented, and the security of the internal local area network is effectively improved.
In one embodiment, receiving an operation in response to the option and processing the external network connection request according to a preset policy according to the operation includes receiving a first operation in response to the option and receiving a second operation in response to the option; the receiving module 706 is operable to receive a first operation in response to the option and a second operation in response to the option;
When the receiving module 706 receives a first operation in response to the option, the receiving module 706 is further configured to transmit the first operation information to the security program to instruct the security program to establish a connection with the external network, disconnect the terminal from the internal lan, and make all operations performed in the sandbox during the connection with the external network;
when the receiving module 706 receives a second operation in response to the option, the receiving module 706 is further configured to transmit the second operation information to the security program to instruct the security program to reject the connection with the external network, add the external network to a blacklist, and release the security protection.
In this embodiment, the receiving module 706 receives the first operation and the second operation and sends the first operation information or the second operation information to the security program, where the security program may perform different processes on the external network connection request according to a preset policy for the first operation and the second operation, and after the connection between the terminal and the external network is established, all operations are limited to be performed in the sandbox, so as to achieve a good isolation effect, and effectively avoid illegal intrusion of a malicious program or virus into the terminal.
In one embodiment, after the establishing a connection with the external network and disconnecting the terminal from the internal lan in response to the first operation of the option, the monitoring module 702 is further configured to:
monitoring and recording the process running in the sandbox;
and if the process in the sandbox is monitored to have the action of reading the file outside the sandbox, sending the monitoring information to the security program to instruct the security program to disconnect the terminal from the external network.
In this embodiment, the monitoring module 702 monitors the processes in the sandbox throughout the connection between the terminal and the external network; because the sandbox is an independent space established for the external network, abnormal or sensitive behavior originating from the external network can be detected in time and the security program instructed to handle it promptly, so that the security of the internal local area network is guaranteed at all times.
In one embodiment, outputting the option to respond to the external network connection includes outputting an option to accept the external network connection request and an option to reject it. The security protection module 704 is further configured to output an option to accept the external network connection request and an option to reject the external network connection request.
In one embodiment, as shown in fig. 8, the apparatus for preventing illegal external connection further comprises a scanning module 802 and a control connection module 804, wherein,
the scanning module 802 is configured to scan whether the hardware device carries preset identity information when the terminal accesses an external hardware device;
the control connection module 804 is configured to refuse to establish a connection with the hardware device when the hardware device does not carry the preset identity information, and to establish a connection with the hardware device when it does.
The monitoring module 702 is further configured to monitor a process currently operated by the terminal after the terminal establishes a connection with the hardware device, and detect whether an abnormal or sensitive behavior exists in the process during operation of the process; if no abnormal or sensitive behavior exists, continuing to monitor the running process of the terminal; and if abnormal or sensitive behaviors exist, sending the monitoring information to a safety program to instruct the safety program to prevent the process corresponding to the abnormal or sensitive behaviors.
In this embodiment, the scanning module 802 performs identity recognition on the hardware device accessing the terminal based on the preset identity information, the control connection module 804 decides from the scan result whether to connect the hardware device to the terminal, and the monitoring module 702 performs focused monitoring of the processes related to the hardware device, which effectively improves the security of the internal local area network and the terminal during actual operation.
In one embodiment, as shown in fig. 8, the device for preventing illegal external connection further includes a judging module 806, configured to judge the hazard level of the abnormal or sensitive behavior and send the result to the security program to instruct it to process the current process according to a preset policy. By judging the hazard level of the abnormal or sensitive behavior of the process, the judging module 806 can instruct the security program to handle different hazard levels in a graded way, thereby improving the security of the internal LAN and the convenience of the operation for preventing illegal external connection.
In one embodiment, before the connection is established with the internal LAN, the monitoring module 702 is further configured to detect whether the LAN to be connected is the internal LAN; if it is, the control connection module 804 is further configured to connect with the internal LAN.
In this embodiment, the monitoring module 702 performs identity judgment on the local area network before the terminal establishes connection with the local area network to be connected, so that the connection between the terminal and the illegal external network can be prevented from the source, the security of the internal local area network is ensured, and the efficiency of the illegal external connection prevention method is improved.
The above-mentioned specific limitation of the illegal external connection preventing device can be referred to the above limitation of the illegal external connection preventing method, and will not be described herein. The above-mentioned various modules in the device for preventing illegal external connection may be implemented in whole or in part by software, hardware, and a combination thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
Referring to fig. 1, in one embodiment, a system for preventing illegal external connection is provided, including a plurality of terminals 102, at least one server 104; the server is used for an internal local area network formed by the server and the terminal; the terminal is used for establishing connection with the internal local area network and monitoring an external network connection request of the terminal; according to the external network connection request, carrying out safety protection on the file stored in the terminal, and outputting an option for responding to external network connection; and receiving an operation responding to the option, and processing the external network connection request according to a preset strategy according to the operation.
In the method for preventing illegal external connection, a security program of the management end is installed in the terminal used by an administrator, a security program of the client is installed in the terminals used by ordinary staff, and a security program of the center is installed in the server; the three security programs are ranked by authority level, with the security program of the center above that of the management end, and the security program of the management end above that of the client.
In one embodiment, the server 104 is further configured to record the events of the foregoing steps 302-308; when the terminal is disconnected from the internal LAN in step 306, the security program of the center in the server detects the event and notifies the security program of the management end, and the terminal 102 of the management end is further configured to receive the event record and notify the management personnel at the front end, so as to remind them to take corresponding protective measures.
In one embodiment, the security program of the center in the server 104 is further configured to receive all the event records of the foregoing steps 502-508 sent by the security program of the client in the terminal 102, and to send them to the security program of the terminal 102 of the management end, so that the manager knows in time which terminal in the internal LAN has had which kind of defence event and can take countermeasures promptly, thereby protecting the internal LAN from intrusion.
According to the system for preventing illegal external connection, the external network connection request of the terminal is monitored, the files stored in the terminal are protected in advance, the option for responding to the external network connection is output, the external network connection request is correspondingly processed according to different preset strategies after the operation for responding to the option is received, the terminal is well protected in the process of being connected with the external network, different degrees of security protection processing can be carried out on the terminal according to different operations for responding to the option, illegal external connection of the terminal is effectively prevented, and the security and convenience of an internal local area network are improved.
In one embodiment, a computer device is provided, which may be a terminal, and the internal structure thereof may be as shown in fig. 9. The computer device includes a processor, a memory, and a communication interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, an operator network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a method of preventing illegal external connection.
In one embodiment, a computer device is provided, which may be a server, and the internal structure of which may be as shown in fig. 10. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The nonvolatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a method of preventing illegal external connection.
It will be appreciated by persons skilled in the art that the structures shown in FIGS. 9-10 are block diagrams of the elements in association with aspects of the application and are not intended to limit the computer system to which the aspects of the application may be applied, and that a particular computer system may include more or less elements than those shown, or may be combined with certain elements, or may have different arrangements of elements.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, or the like. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM can take a variety of forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM).
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples illustrate only a few embodiments of the application, which are described in detail and are not to be construed as limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of protection of the present application is to be determined by the appended claims.

Claims (11)

1. A method for preventing illegal external connection, applied to a terminal in an internal local area network, the method comprising:
after establishing connection with the internal local area network, monitoring an external network connection request of a terminal;
according to the external network connection request, encrypting and protecting the partition where the important file in the terminal is located, creating a sandbox in the terminal, and outputting an option for responding to external network connection;
receiving a first operation responding to the option, establishing connection with the external network, disconnecting the terminal from the internal local area network, and performing all operations in the sandbox in the process of connecting with the external network; wherein the first operation is used for accepting response to the external network connection request;
Receiving a second operation responding to the option, refusing the connection with the external network, adding the external network into a blacklist, and releasing the encryption protection; wherein the second operation is used for rejecting response to the external network connection request;
when the terminal is accessed to external hardware equipment, scanning whether the hardware equipment carries preset identity information or not;
if the hardware equipment carries the preset identity information, allowing connection with the hardware equipment to be established;
monitoring a current running process of the terminal, and detecting whether an abnormal or sensitive behavior exists in the running process of the process;
if abnormal or sensitive behaviors exist, stopping a process corresponding to the abnormal or sensitive behaviors; the stopping a process corresponding to the abnormal or sensitive behavior comprises the following steps:
judging the hazard level of the abnormal or sensitive behavior; the hazard classes include at least a high risk class, a medium risk class, and a low risk class;
and if the hazard level is a high risk level, stopping the process, disconnecting the terminal from the internal local area network, and disconnecting the terminal from the hardware equipment.
2. The method for preventing illegal external connection according to claim 1, wherein after said receiving a first operation responding to said option, establishing connection with said external network, and disconnecting said terminal from said internal local area network, said method further comprises:
monitoring and recording the process running in the sandbox;
and if it is monitored that a process in the sandbox has the behavior of reading a file outside the sandbox, disconnecting the terminal from the external network.
3. The method for preventing illegal external connection according to claim 1, wherein the outputting an option to respond to an external network connection includes:
outputting an option of accepting a response to the external network connection request, and outputting an option of rejecting a response to the external network connection request.
4. A method of preventing illegal external connection according to any of claims 1-3, wherein said method further comprises:
and if the hardware equipment does not carry the preset identity information, refusing to establish connection with the hardware equipment.
5. The method of preventing illegal external connection according to claim 1, wherein the method further comprises:
and if no abnormal or sensitive behavior exists, continuing to monitor the running process of the terminal.
6. The method of preventing illegal external connection according to claim 1, further comprising:
if the hazard level is the medium risk level, stopping the process and disconnecting the terminal from the hardware device;
and if the hazard level is the low risk level, stopping the process, recording the abnormal request times of the process, and disconnecting the terminal from the hardware equipment when the times reach a preset value.
7. The method for preventing illegal external connection according to claim 5, wherein the monitoring the current running process of the terminal comprises:
and preferentially monitoring whether a process related to the hardware equipment exhibits abnormal or sensitive behavior while running.
8. The method for preventing illegal external connection according to claim 1, wherein before the establishing a connection with the internal local area network, the method further comprises:
detecting whether a local area network to be connected is the internal local area network or not;
and if the local area network to be connected is the internal local area network, connecting with the internal local area network.
9. A system for preventing illegal external connection, characterized by comprising a plurality of terminals and at least one server; the server is used for forming an internal local area network together with the terminals;
the terminal is used for establishing a connection with the internal local area network and monitoring an external network connection request of the terminal; according to the external network connection request, encrypting and protecting the partition where the important files in the terminal are located, creating a sandbox in the terminal, and outputting an option for responding to the external network connection; receiving a first operation responding to the option, establishing a connection with the external network, disconnecting the terminal from the internal local area network, and performing all operations in the sandbox while connected to the external network; wherein the first operation is used for accepting a response to the external network connection request; receiving a second operation responding to the option, refusing the connection with the external network, adding the external network to a blacklist, and releasing the encryption protection; wherein the second operation is used for rejecting a response to the external network connection request; when external hardware equipment is connected to the terminal, scanning whether the hardware equipment carries preset identity information; if the hardware equipment carries the preset identity information, allowing a connection with the hardware equipment to be established; monitoring a currently running process of the terminal, and detecting whether abnormal or sensitive behavior exists while the process runs; if abnormal or sensitive behavior exists, stopping the process corresponding to the abnormal or sensitive behavior; wherein the stopping the process corresponding to the abnormal or sensitive behavior comprises: judging the hazard level of the abnormal or sensitive behavior; the hazard levels include at least a high risk level, a medium risk level, and a low risk level; and if the hazard level is the high risk level, stopping the process, disconnecting the terminal from the internal local area network, and disconnecting the terminal from the hardware equipment.
10. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any one of claims 1 to 8.
11. A computer readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 8.
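The response policy of claims 1 and 6 (accept or refuse the external connection, then stop and escalate on abnormal process behaviour by hazard level, with the low-risk counter that only cuts the hardware link once a preset count is reached), written out as a small state model. This is an added illustration, not code from the patent; the state fields, function names and the `low_risk_limit` preset value are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Hazard(Enum):
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"

@dataclass
class TerminalState:
    internal_lan: bool = True
    external_net: bool = False
    hardware: bool = False
    partition_encrypted: bool = False
    sandboxed: bool = False
    blacklist: set = field(default_factory=set)
    stopped: set = field(default_factory=set)
    low_risk_hits: dict = field(default_factory=dict)
    low_risk_limit: int = 3  # assumed preset value, not given in the patent

def on_external_request(state, network, accept):
    # Claim 1: protect the important-file partition and create the sandbox first
    state.partition_encrypted = True
    state.sandboxed = True
    if accept:
        # first operation: join the external network and leave the internal LAN
        state.external_net = True
        state.internal_lan = False
    else:
        # second operation: refuse, blacklist the network, release the encryption
        state.blacklist.add(network)
        state.partition_encrypted = False
        state.sandboxed = False
    return state

def on_abnormal_behavior(state, pid, hazard):
    # Claims 1 and 6: always stop the process, then escalate by hazard level
    state.stopped.add(pid)
    if hazard is Hazard.HIGH:
        state.internal_lan = False
        state.hardware = False
    elif hazard is Hazard.MEDIUM:
        state.hardware = False
    else:
        # low risk: count abnormal requests per process, cut hardware at the preset
        hits = state.low_risk_hits.get(pid, 0) + 1
        state.low_risk_hits[pid] = hits
        if hits >= state.low_risk_limit:
            state.hardware = False
    return state
```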

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111363328.6A CN114257405B (en) 2021-11-17 2021-11-17 Method, apparatus, computer device and storage medium for preventing illegal external connection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111363328.6A CN114257405B (en) 2021-11-17 2021-11-17 Method, apparatus, computer device and storage medium for preventing illegal external connection

Publications (2)

Publication Number Publication Date
CN114257405A CN114257405A (en) 2022-03-29
CN114257405B true CN114257405B (en) 2023-10-03

Family

ID=80792690

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111363328.6A Active CN114257405B (en) 2021-11-17 2021-11-17 Method, apparatus, computer device and storage medium for preventing illegal external connection

Country Status (1)

Country Link
CN (1) CN114257405B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102065100A (en) * 2011-01-04 2011-05-18 深信服网络科技(深圳)有限公司 Terminal safety networking method and device
CN201854302U (en) * 2010-11-09 2011-06-01 福州宙斯盾信息技术有限公司 Active anti-disclosure based network security system
CN111385376A (en) * 2020-02-24 2020-07-07 杭州迪普科技股份有限公司 Illegal external connection monitoring method, device, system and equipment for terminal

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8646068B2 (en) * 2009-10-13 2014-02-04 Lenovo (Singapore) Pte. Ltd. Home image content securely isolated from corporate IT

Also Published As

Publication number Publication date
CN114257405A (en) 2022-03-29

Similar Documents

Publication Publication Date Title
CN109766699B (en) Operation behavior intercepting method and device, storage medium and electronic device
US9680849B2 (en) Rootkit detection by using hardware resources to detect inconsistencies in network traffic
US7818800B1 (en) Method, system, and computer program product for blocking malicious program behaviors
US20220210173A1 (en) Contextual zero trust network access (ztna) based on dynamic security posture insights
US20060026683A1 (en) Intrusion protection system and method
US20170244748A1 (en) Secure computing environment
CN115150208B (en) Zero-trust-based Internet of things terminal secure access method and system
US20100095365A1 (en) Self-setting security system and method for guarding against unauthorized access to data and preventing malicious attacks
US8341735B2 (en) Method and arrangement for automatically controlling access between a computer and a communication network
CN116708210A (en) Operation and maintenance processing method and terminal equipment
US20160335433A1 (en) Intrusion detection system in a device comprising a first operating system and a second operating system
CN115314286A (en) Safety guarantee system
AL-Hawamleh Predictions of cybersecurity experts on future cyber-attacks and related cybersecurity measures
Basholli et al. Possibility of protection against unauthorized interference in telecommunication systems
JP2019075131A (en) Method for monitoring file access, program, and system
CN113660222A (en) Situation awareness defense method and system based on mandatory access control
WO2021217449A1 (en) Malicious intrusion detection method, apparatus, and system, computing device, medium, and program
CN114257405B (en) Method, apparatus, computer device and storage medium for preventing illegal external connection
KR101614809B1 (en) Practice control system of endpoint application program and method for control the same
Choi IoT (Internet of Things) based Solution Trend Identification and Analysis Research
Kumar Intrusion detection and prevention system in enhancing security of cloud environment
Mahlous Threat Model and Risk Management for a Smart Home IoT System
Ruha Cybersecurity of computer networks
Morinaga et al. Cyber Attack Countermeasure Technologies Using Analysis of Communication and Logs in Internal Network
US20230179586A1 (en) Systems and methods for proactively upgrading low quality access credentials

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant