CN114826760A - Network security analysis method based on boundary theory - Google Patents

Info

Publication number: CN114826760A
Authority: CN (China)
Legal status: Granted; currently active
Application number: CN202210518912.2A
Other languages: Chinese (zh)
Other versions: CN114826760B
Inventor: 张树贵
Current assignee: Shenzhen Zhutai Technology Co ltd
Original assignee: Shenzhen Zhutai Technology Co ltd
Prior art keywords: data, level, network, private, security
Events: application CN202210518912.2A filed by Shenzhen Zhutai Technology Co ltd; publication of CN114826760A; application granted; publication of CN114826760B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the technical field of network security and provides a network security analysis method based on boundary theory, comprising the following steps: determining network areas of different levels according to the security levels of the networking devices, where a network area of a given level contains the devices of that security level and a network boundary lies between network areas of different levels; receiving a data transmission request and evaluating it; when the transmission in the request does not cross a network boundary, transmitting the data directly without security detection; when the transmission crosses a network boundary, performing virus detection on data transmitted from a low-level network area to a high-level network area, and privacy detection on data transmitted from a high-level network area to a low-level network area. By subjecting the data to virus detection or privacy detection, the invention ensures the security of the data and prevents the leakage of confidential enterprise data.

Description

Network security analysis method based on boundary theory
Technical Field
The invention relates to the technical field of network security, in particular to a network security analysis method based on a boundary theory.
Background
With the gradual maturing of internet-of-things technology, the concept of thing-to-thing connection has given rise to a large number of novel applications. The internet of things is widely used to fuse networks through communication and sensing technologies such as intelligent sensing, identification technology and pervasive computing, which makes the network architecture serving as infrastructure more complex and makes the network boundary increasingly blurred physically. In addition, internet-of-things technology is gradually spreading to modern factories. The devices in a smart factory are mostly connected through the enterprise intranet to avoid leakage of factory data, but data exchange between the intranet and the extranet is unavoidable, so the situation for network security monitoring and defense is becoming more and more severe. It is therefore necessary to provide a network security analysis method based on boundary theory to ensure the security of data as it is transmitted between the internal and external networks.
Disclosure of Invention
In view of the defects in the prior art, the invention aims to provide a network security analysis method based on boundary theory that solves the problems described in the background.
The invention is realized as follows: a network security analysis method based on boundary theory, comprising the following steps:
determining network areas of different levels according to the security levels of the networking equipment, wherein the network areas of the same level contain the networking equipment of the same security level, and network boundaries are arranged among the network areas of different levels;
receiving a data transmission request, and judging the data transmission request;
when the data transmission in the data transmission request does not need to cross the network boundary, the data is directly transmitted without carrying out security detection;
when the data transmission in the data transmission request needs to cross the network boundary, performing virus security detection on the data transmitted from the low-level network area to the high-level network area; and carrying out privacy security detection on the data transmitted from the high-level network area to the low-level network area, and carrying out data transmission after the detection is passed.
As a further scheme of the invention: the security level of a networking device is first, second or third level. First-level devices are extranet connection devices, second-level devices are intranet-and-extranet connection devices (connected to the internal network but also able to reach the external network), and third-level devices are intranet-only connection devices. All first-level devices form the first-level network area, all second-level devices form the second-level network area, and all third-level devices form the third-level network area.
As a further scheme of the invention: the step of performing privacy security detection on the data transmitted from the high-level network area to the low-level network area specifically includes:
setting up a private database that records private data attributes and private data levels, where data whose attribute is first-level private may not be transmitted to extranet connection devices, and data whose attribute is second-level private may not be transmitted to intranet-and-extranet connection devices (and therefore not to extranet connection devices either); data generated by a networking device carries a data attribute consisting of the generating device's information and the data type;
determining whether the data transmitted from the high-level network area to the low-level network area matches a private data attribute;
when it matches a second-level private attribute, detection fails; when it matches a first-level private attribute and the low-level network area is the first-level area, detection fails; in all other cases detection passes.
As a further scheme of the invention: the step of detecting failure further comprises:
counting, per private data attribute, the data items that fail detection;
when the count for a private data attribute reaches a preset value, generating a query as to whether that private data attribute should be released or downgraded, and sending the query to the administrator account;
on receipt of a confirmed release instruction, deleting the private data attribute from the private database; on receipt of a confirmed downgrade instruction, lowering the private data level from second level to first level.
As a further scheme of the invention: after the data generated by the networking device is transmitted, the data attribute is kept unchanged.
As a further scheme of the invention: the method further comprises uploading the private data attribute and private data level of processed data to the private database, where processed data is data obtained by secondary processing of data generated by a networking device.
As a further scheme of the invention: the method further comprises, when virus detection is performed on data transmitted from a low-level network area to a high-level network area and the detection fails, retrieving the device information of the networking device that sent the data and transmitting it to the administrator account.
As a further scheme of the invention: the method further comprises, when privacy detection is performed on data transmitted from a high-level network area to a low-level network area and the detection fails, retrieving the device information of the networking device that sent the data and transmitting it to the administrator account.
Another object of the present invention is to provide a network security analysis system based on a boundary theory, the system comprising:
the network region division module is used for determining network regions of different levels according to the security levels of the networking equipment, the network regions of the same level contain the networking equipment of the same security level, and network boundaries are arranged among the network regions of different levels;
the data transmission judging module is used for receiving the data transmission request and judging the data transmission request;
the data direct transmission module is used for directly transmitting data without carrying out safety detection when the data transmission in the data transmission request does not need to cross a network boundary;
the data detection transmission module is used for carrying out virus safety detection on the data transmitted from the low-level network area to the high-level network area when the data transmission in the data transmission request needs to cross the network boundary; and carrying out privacy security detection on the data transmitted from the high-level network area to the low-level network area, and carrying out data transmission after the detection is passed.
As a further aspect of the present invention, the data detection transmission module includes:
the private database, which records private data attributes and private data levels, where data whose attribute is first-level private may not be transmitted to extranet connection devices and data whose attribute is second-level private may not be transmitted to intranet-and-extranet connection devices, and where data generated by a networking device carries a data attribute consisting of the generating device's information and the data type;
a private data determination unit, configured to determine whether data transmitted from the high-level network area to the low-level network area matches a private data attribute;
a private data detection unit, which fails the detection when the data matches a second-level private attribute, fails the detection when the data matches a first-level private attribute and the low-level network area is the first-level area, and passes the detection in all other cases.
Compared with the prior art, the invention has the beneficial effects that:
In the invention, when the data transmission in a request does not cross a network boundary, no security detection is performed and the data is transmitted directly; this preserves transmission efficiency, and the enterprise's internal data is not at risk of leakage because it stays within its network area. When the transmission crosses a network boundary, data moving from a low-level area to a high-level area (for example from a first-level device to a second-level device) may bring viruses from the external network into the internal network, so virus detection is performed; data moving from a high-level area to a low-level area (for example from a second-level device to a first-level device) may leak confidential enterprise data, so privacy detection is performed, and the data is transmitted only after the detection passes.
Drawings
Fig. 1 is a flowchart of a network security analysis method based on a boundary theory.
Fig. 2 is a flowchart of privacy security detection performed on data transmitted from a high-level network area to a low-level network area in a network security analysis method based on a boundary theory.
Fig. 3 is a flowchart of counting private data attributes corresponding to data that fails to pass detection in a network security analysis method based on a boundary theory.
Fig. 4 is a schematic structural diagram of a network security analysis system based on the boundary theory.
Fig. 5 is a schematic structural diagram of a data detection and transmission module in a network security analysis system based on a boundary theory.
Fig. 6 is a schematic structural diagram of a private data detection unit in a network security analysis system based on a boundary theory.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more clear, the present invention is further described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Specific implementations of the present invention are described in detail below with reference to specific embodiments.
As shown in fig. 1, an embodiment of the present invention provides a network security analysis method based on a boundary theory, where the method includes the following steps:
s100, determining network areas of different levels according to the security levels of the networking equipment, wherein the network areas of the same level contain the networking equipment with the same security level, and network boundaries exist among the network areas of different levels;
s200, receiving a data transmission request, and judging the data transmission request;
s300, when the data transmission in the data transmission request does not need to cross the network boundary, the security detection is not carried out, and the data is directly transmitted;
s400, when the data transmission in the data transmission request needs to cross the network boundary, performing virus security detection on the data transmitted from the low-level network area to the high-level network area; and carrying out privacy security detection on the data transmitted from the high-level network area to the low-level network area, and carrying out data transmission after the detection is passed.
It should be noted that, with the gradual maturing of internet-of-things technology, the concept of thing-to-thing connection has given rise to a large number of novel applications. The internet of things is widely used to fuse networks through communication and sensing technologies such as intelligent sensing, identification technology and pervasive computing, which makes the network architecture serving as infrastructure more complex and makes the network boundary increasingly blurred physically. In addition, internet-of-things technology is gradually spreading to modern factories. The devices in a smart factory are mostly connected through the enterprise intranet to avoid leakage of factory data, but data exchange between the intranet and the extranet is unavoidable, so the situation for network security monitoring and defense is becoming more and more severe. The embodiment of the invention serves to guarantee the security of data as it is transmitted between the internal and external networks.
In the embodiment of the invention, the networking devices in a modern factory are first classified. The security level of a networking device is first, second or third level. A first-level device is an extranet connection device, that is, one that does not use the enterprise's internal local area network. A second-level device is an intranet-and-extranet connection device: it normally operates on the internal local area network but can also connect to the external network, for example through a VPN (virtual private network); an employee's work computer is a typical example. A third-level device is an intranet-only connection device that communicates solely over the internal local area network and cannot connect to the external network, for example factory processing or inspection equipment that automatically identifies, collects and generates data. All first-level devices form the first-level network area, all second-level devices form the second-level network area and all third-level devices form the third-level network area, so that a network area of a given level contains exactly the devices of that security level, and network boundaries exist between areas of different levels. Note that a second-level device reaches the extranet itself, so the boundary between the second-level and first-level areas is enforced at the transmission request rather than by physical separation. Whenever data is to be transmitted between networking devices, a data transmission request must be sent.
When the transmission in a request does not cross a network boundary, no security detection is performed and the data is transmitted directly, which preserves transmission efficiency; the enterprise's internal data is not at risk of leakage in this case because it stays within its area. When the transmission crosses a network boundary, data moving from a low-level area to a high-level area (for example from a first-level device to a second-level device) may bring viruses from the external network into the internal network, so virus detection is performed; data moving from a high-level area to a low-level area (for example from a second-level device to a first-level device) may leak confidential enterprise data, so privacy detection is performed, and the data is transmitted only after the detection passes.
As shown in fig. 2, as a preferred embodiment of the present invention, the step of performing privacy security detection on data transmitted from a high-level network area to a low-level network area specifically includes:
s401, a private database is set, wherein the private database comprises private data attributes and private data grades, data corresponding to a first-level private cannot be transmitted to external network connection equipment, data corresponding to a second-level private cannot be transmitted to the internal and external network connection equipment, data generated by the networking equipment carries the data attributes, and the data attributes comprise generated equipment information and data types;
s402, judging whether the data transmitted from the high-level network area to the low-level network area belongs to private data attribute;
s403, when the attribute of the private data belongs to and the level of the private data is two levels, the detection is not passed; when the private data belongs to the private data attribute and the private data level is one level, and the low-level network area is a first-level network area, the detection is not passed; the other condition is detected to pass.
In the embodiment of the present invention, a private database must be established in advance so that privacy detection can proceed. The private database records private data attributes and their private data levels: data whose attribute is first-level private may not be transmitted to extranet connection devices, and data whose attribute is second-level private may not be transmitted to intranet-and-extranet connection devices, and hence not to extranet connection devices either. Data generated by a networking device itself carries a data attribute consisting of the generating device's information and the data type; for example, surface quality data produced by an inspection device automatically carries the attribute (inspection device information, surface quality). Data transmitted from a high-level area to a low-level area is then matched against the private data attributes. If it matches a second-level private attribute, detection fails and the data cannot be transmitted; if it matches a first-level private attribute and the low-level area is the first-level area, detection fails; if it matches a first-level private attribute and the low-level area is the second-level area, detection passes and the data may be transmitted; if it matches no private attribute, the data may be transmitted.
In addition, the data attribute remains unchanged after the data is transmitted. For example, the surface quality data is first-level private; after it is transmitted to an employee's computer its attribute is still (inspection device information, surface quality) and its level is still first-level private, so the employee's computer cannot transmit it onward to an extranet device. Furthermore, the private data attribute and private data level of processed data can be uploaded to the private database, where processed data is obtained by secondary processing of data generated by a networking device: for example, if an employee's computer derives a surface characteristic from the surface quality data, the surface characteristic is processed data, and if the employee considers it confidential it can be added to the private database manually.
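As an added worked example (not the patent's own code, which the page does not give), the following Python policy engine implements steps S100 to S400 of the method and the privacy-detection rules of S401 to S403, which are the same procedure stated in the disclosure section above, together with the reporting of the sending device's information when a detection fails. The device inventory, the private database entries, the data types and the malware marker are constructed for illustration; a real deployment would call an antivirus or sandbox engine in place of the marker check.

```python
# Added example (not the patent's code): a policy engine for steps S100-S400
# and the privacy-check rules of S401-S403. Device names, private-database
# entries and the malware marker are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# S100: security levels. A higher number is a more internal network area.
# EXTERNAL: extranet-only device; MIXED: intranet device that can also reach
# the extranet (e.g. an employee workstation over VPN); INTERNAL: intranet-only.
EXTERNAL, MIXED, INTERNAL = 1, 2, 3

# Constructed device inventory. All devices of one level form one network area.
DEVICES: Dict[str, int] = {
    "vendor-laptop": EXTERNAL,
    "hr-workstation": MIXED,
    "eng-workstation": MIXED,
    "cmm-inspector-07": INTERNAL,
    "welder-12": INTERNAL,
}

Attribute = Tuple[str, str]   # (generating device info, data type)

# S401: private database, attribute -> private level (constructed entries).
#   level 1: may not be sent to EXTERNAL devices
#   level 2: may not be sent to MIXED devices (and therefore never to EXTERNAL)
PRIVATE_DB: Dict[Attribute, int] = {
    ("cmm-inspector-07", "surface_quality"): 1,
    ("welder-12", "weld_temperature"): 2,
}

# Constructed indicator for the low-to-high virus check; a real deployment
# would call an AV/sandbox engine here.
MALWARE_MARKERS = (b"CONSTRUCTED-MALWARE-MARKER",)


@dataclass(frozen=True)
class Payload:
    """Data item with the attribute it was generated with; frozen because the
    attribute must stay unchanged after transmission."""
    origin_device: str
    data_type: str
    content: bytes = b""

    @property
    def attribute(self) -> Attribute:
        return (self.origin_device, self.data_type)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    check: str                            # "none", "virus" or "privacy"
    reason: str
    report_device: Optional[str] = None   # sending device reported to the admin on failure


def virus_check(p: Payload) -> bool:
    """Low -> high crossing: reject content carrying a known malware marker."""
    return not any(marker in p.content for marker in MALWARE_MARKERS)


def privacy_check(p: Payload, dst_level: int) -> bool:
    """High -> low crossing (S402/S403)."""
    level = PRIVATE_DB.get(p.attribute)
    if level is None:              # not a private attribute
        return True
    if level == 2:                 # second-level private never leaves INTERNAL
        return False
    return dst_level != EXTERNAL   # first-level private may reach MIXED only


def evaluate(src: str, dst: str, p: Payload) -> Decision:
    """S200-S400: decide one transmission request."""
    s, d = DEVICES[src], DEVICES[dst]
    if s == d:                     # S300: no boundary crossed, no detection
        return Decision(True, "none", "same network area")
    if s < d:                      # S400, low -> high: virus detection
        if virus_check(p):
            return Decision(True, "virus", "clean")
        return Decision(False, "virus", "malware marker found", report_device=src)
    if privacy_check(p, d):        # S400, high -> low: privacy detection
        return Decision(True, "privacy", "not private, or permitted at destination level")
    return Decision(False, "privacy", "private data not permitted at destination level",
                    report_device=src)


if __name__ == "__main__":
    sample = Payload("cmm-inspector-07", "surface_quality", b"Ra=0.8um")
    print(evaluate("cmm-inspector-07", "eng-workstation", sample))   # allowed
    print(evaluate("eng-workstation", "vendor-laptop", sample))      # blocked
```

The second call in the usage shows the attribute-persistence rule: the surface quality data keeps its generating-device attribute on the workstation, so the onward transfer to the extranet device is refused and the workstation is the device reported to the administrator.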
As shown in fig. 3, as a preferred embodiment of the present invention, the step of detecting failure further includes:
S4031, counting, per private data attribute, the data items that fail detection;
S4032, when the count for a private data attribute reaches a preset value, generating a query as to whether that private data attribute should be released or downgraded, and sending the query to the administrator account;
S4033, on receipt of a confirmed release instruction, deleting the private data attribute from the private database; on receipt of a confirmed downgrade instruction, lowering the private data level from second level to first level.
In the embodiment of the invention, the private data attributes of data that fails privacy detection are counted. When the count for a private data attribute reaches the preset value (a fixed value set in advance), this indicates that enterprise employees have a strong need to transmit that data; for example, the private data attribute might be (welding device information, welding temperature). The relevant personnel then decide: if the data no longer needs to be private, they enter a confirmed release instruction and the private data attribute is deleted from the private database; if the data may be transmitted to second-level devices but not to first-level devices, they enter a confirmed downgrade instruction and the private data level is lowered from second level to first level. In this way the set of private data can be adjusted in time to match the needs of enterprise employees.
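The feedback loop of S4031 to S4033, as an added example that is not part of the patent text: it counts privacy-detection failures per private attribute, raises a release-or-downgrade query to the administrator account once the preset value is reached, applies the confirmed instruction, and also covers the manual upload of a processed-data attribute described above. The preset value, the attribute names, the notifier callback and the `run_scenario` walk-through are constructed for illustration.

```python
# Added example (not the patent's code): the feedback loop of steps
# S4031-S4033. Threshold, attribute names and the notifier are constructed.
from collections import Counter
from typing import Callable, Dict, List, Optional, Set, Tuple

Attribute = Tuple[str, str]   # (generating device info, data type)
Notifier = Callable[[Attribute, int], None]


class PrivateDatabase:
    def __init__(self, entries: Dict[Attribute, int], preset_value: int,
                 notify: Notifier) -> None:
        self.levels: Dict[Attribute, int] = dict(entries)
        self.preset_value = preset_value
        self.notify = notify                       # delivers the query to the admin account
        self.failures: Counter = Counter()         # S4031 counters
        self.pending: Set[Attribute] = set()       # attributes awaiting an admin decision

    def level_of(self, attr: Attribute) -> Optional[int]:
        return self.levels.get(attr)

    def record_failure(self, attr: Attribute) -> bool:
        """S4031/S4032: count one failed transmission; return True if the
        administrator was queried as a result (asked once per attribute)."""
        if attr not in self.levels:
            raise KeyError(f"{attr} is not a private attribute")
        self.failures[attr] += 1
        if self.failures[attr] >= self.preset_value and attr not in self.pending:
            self.pending.add(attr)
            self.notify(attr, self.failures[attr])
            return True
        return False

    def apply_instruction(self, attr: Attribute, instruction: str) -> Optional[int]:
        """S4033: apply a confirmed 'release' or 'downgrade' instruction and
        return the attribute's new private level (None once released)."""
        if attr not in self.pending:
            raise ValueError(f"no pending query for {attr}")
        if instruction == "release":
            del self.levels[attr]
        elif instruction == "downgrade":
            if self.levels[attr] != 2:
                raise ValueError("only second-level private data can be downgraded")
            self.levels[attr] = 1
        else:
            raise ValueError(f"unknown instruction {instruction!r}")
        self.pending.discard(attr)
        self.failures[attr] = 0      # restart the count under the new policy
        return self.levels.get(attr)

    def register_processed(self, attr: Attribute, level: int) -> None:
        """Manual upload of a processed-data attribute (e.g. a surface
        characteristic an employee derived from surface quality data)."""
        if level not in (1, 2):
            raise ValueError("private level must be 1 or 2")
        self.levels[attr] = level


def run_scenario(preset_value: int = 3) -> Dict[str, object]:
    """Constructed walk-through: repeated blocked transfers of welding
    temperature data trigger the query; the administrator downgrades it."""
    queries: List[Tuple[Attribute, int]] = []
    db = PrivateDatabase({("welder-12", "weld_temperature"): 2,
                          ("cmm-inspector-07", "surface_quality"): 1},
                         preset_value, lambda a, n: queries.append((a, n)))
    weld = ("welder-12", "weld_temperature")
    queried = [db.record_failure(weld) for _ in range(preset_value + 1)]
    new_level = db.apply_instruction(weld, "downgrade")
    db.register_processed(("eng-workstation", "surface_characteristic"), 1)
    return {"queries": queries, "queried_flags": queried,
            "new_level": new_level, "levels": dict(db.levels)}


if __name__ == "__main__":
    print(run_scenario())
```

Resetting the counter after a decision matters: once welding temperature is first-level private it is still blocked toward extranet devices, and a fresh count lets the next query (release) be raised on its own evidence rather than on the failures that led to the downgrade.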
As a preferred embodiment of the present invention, the method further comprises: when virus detection is performed on data transmitted from a low-level network area to a high-level network area and the detection fails, retrieving the device information of the networking device that sent the data and transmitting it to the administrator account, so that the administrator can have the relevant personnel inspect the device as soon as possible.
As a preferred embodiment of the present invention, the method further comprises: when privacy detection is performed on data transmitted from a high-level network area to a low-level network area and the detection fails, retrieving the device information of the networking device that sent the data and transmitting it to the administrator account, so that the device and its user can be checked promptly to determine whether confidential data was being leaked intentionally.
As shown in fig. 4, an embodiment of the present invention further provides a network security analysis system based on a boundary theory, where the system includes:
a network region division module 100, configured to determine network regions of different levels according to security levels of networking devices, where the network regions of the same level include networking devices of the same security level, and network boundaries exist between the network regions of different levels;
a data transmission determining module 200, configured to receive a data transmission request and determine the data transmission request;
the data direct transmission module 300 directly transmits data without performing security detection when data transmission in the data transmission request does not need to cross a network boundary;
a data detection transmission module 400, configured to perform virus security detection on data transmitted from a low-level network region to a high-level network region when data transmission in the data transmission request needs to cross a network boundary; and carrying out privacy security detection on the data transmitted from the high-level network area to the low-level network area, and carrying out data transmission after the detection is passed.
In the embodiment of the invention, the networking devices in a modern factory are first classified. The security level of a networking device is first, second or third level. A first-level device is an extranet connection device, that is, one that does not use the enterprise's internal local area network. A second-level device is an intranet-and-extranet connection device: it normally operates on the internal local area network but can also connect to the external network, for example through a VPN (virtual private network); an employee's work computer is a typical example. A third-level device is an intranet-only connection device that communicates solely over the internal local area network and cannot connect to the external network, for example factory processing or inspection equipment that automatically identifies, collects and generates data. All first-level devices form the first-level network area, all second-level devices form the second-level network area and all third-level devices form the third-level network area, so that a network area of a given level contains exactly the devices of that security level, and network boundaries exist between areas of different levels. Whenever data is to be transmitted between networking devices, a data transmission request must be sent.
When the transmission in a request does not cross a network boundary, no security detection is performed and the data is transmitted directly, which preserves transmission efficiency; the enterprise's internal data is not at risk of leakage in this case because it stays within its area. When the transmission crosses a network boundary, data moving from a low-level area to a high-level area (for example from a first-level device to a second-level device) may bring viruses from the external network into the internal network, so virus detection is performed; data moving from a high-level area to a low-level area (for example from a second-level device to a first-level device) may leak confidential enterprise data, so privacy detection is performed, and the data is transmitted only after the detection passes.
As shown in fig. 5, as a preferred embodiment of the present invention, the data detection transmission module 400 includes:
a private database 401, which comprises private data attributes and private data levels; data whose private level is first level cannot be transmitted to the external network connection equipment, and data whose private level is second level cannot be transmitted to the internal and external network connection equipment; data generated by the networking equipment carries a data attribute, and the data attribute comprises the generating equipment information and the data type;
a private data determination unit 402, configured to determine whether data transmitted from the high-level network area to the low-level network area belongs to a private data attribute;
a private data detection unit 403: when the data belongs to a private data attribute and the private data level is second level, the detection is not passed; when the data belongs to a private data attribute, the private data level is first level and the low-level network area is the first-level network area, the detection is not passed; in all other cases the detection is passed.
In the embodiment of the present invention, in order for the privacy security detection to proceed smoothly, a private database 401 needs to be established in advance. The private database 401 contains private data attributes and private data levels: data whose private level is first level cannot be transmitted to the external network connection equipment, and data whose private level is second level cannot be transmitted to the internal and external network connection equipment and therefore also cannot be transmitted to the external network connection equipment. All data generated by the networking equipment itself carries a data attribute consisting of the generating equipment information and the data type; for example, surface quality data generated by the detection equipment automatically carries the data attribute (detection equipment information, surface quality). It is then judged whether data transmitted from the high-level network area to the low-level network area belongs to a private data attribute. When the data belongs to a private data attribute and its private level is second level, the detection is not passed and the data cannot be transmitted; when the data belongs to a private data attribute, its private level is first level and the low-level network area is the first-level network area, the detection is not passed; when the data belongs to a private data attribute, its private level is first level and the low-level network area is the second-level network area, the detection is passed and the data can be transmitted; and when the data does not belong to any private data attribute, the data can be transmitted.
As shown in fig. 3, as a preferred embodiment of the present invention, the private data detecting unit 403 further includes:
a private data counting subunit 4031, configured to count the private data attributes corresponding to data that did not pass the detection;
an information generation subunit 4032, which, when the count of a private data attribute reaches a preset value, generates information asking whether the private data attribute should be removed or downgraded and sends that information to the administrator account;
an information receiving subunit 4033, configured to delete the private data attribute from the private database 401 when a confirmation removal instruction is received, and to downgrade the private data level from second level to first level when a confirmation downgrade instruction is received.
In the embodiment of the invention, the private data attributes corresponding to data that cannot pass the privacy security detection need to be counted. When the count of a private data attribute reaches a preset value (a fixed value set in advance), this indicates that enterprise employees have a strong need to transmit that data. For example, a certain private data attribute may be (welding equipment information, welding temperature); once the number of failed transmissions of data with this attribute reaches the preset value, information asking whether the private data attribute should be removed or downgraded is generated and sent to the administrator account. When the relevant personnel consider that the privacy of the data can be removed, they enter a confirmation removal instruction and the private data attribute is deleted from the private database; when they consider that the data may be transmitted to second-level networking equipment but not to first-level networking equipment, they enter a confirmation downgrade instruction and the private data level is downgraded from second level to first level. In this way the various private data can be adjusted in time to meet the needs of enterprise employees.
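The boundary rules and the private database workflow described above, as an added Python example that is not part of the patent: the class and function names, the attribute layout, the marker standing in for a real virus scanner and the preset value are assumptions.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field

# Device security levels from the description: 1 = external-network equipment,
# 2 = internal/external (VPN-capable) equipment, 3 = intranet-only equipment.
# A higher number is a higher-level (more trusted) network area.
LEVELS = {1, 2, 3}

# Constructed marker standing in for a real virus scanner's verdict.
MALWARE_MARKER = b"CONSTRUCTED-MALWARE-MARKER"


@dataclass
class PrivateDatabase:
    """Private database 401: data attribute -> private level (assumed layout)."""
    # attribute = (generating equipment information, data type)
    # level 1: must not reach the first-level (external) area
    # level 2: must not reach the second-level area, hence not the first either
    levels: dict[tuple[str, str], int] = field(default_factory=dict)
    fail_counts: Counter = field(default_factory=Counter)
    preset: int = 3  # assumed preset value that triggers the admin notice

    def privacy_check(self, attr: tuple[str, str], dest_level: int) -> bool:
        """Privacy security detection for data moving down to `dest_level`."""
        level = self.levels.get(attr)
        if level is None:  # not a private attribute: detection passed
            return True
        if level == 2:  # second-level private never crosses a boundary downward
            return False
        if dest_level == 1:  # first-level private may not reach the external area
            return False
        return True  # first-level private going to the second-level area

    def record_failure(self, attr: tuple[str, str]) -> dict | None:
        """Count a failed detection; return the admin notice once preset is reached."""
        self.fail_counts[attr] += 1
        if self.fail_counts[attr] >= self.preset:
            return {"equipment": attr[0], "data_type": attr[1],
                    "question": "remove or downgrade private attribute?"}
        return None

    def apply_admin_decision(self, attr: tuple[str, str], decision: str) -> None:
        """Confirmation removal deletes the attribute; confirmation downgrade 2 -> 1."""
        if decision == "remove":
            self.levels.pop(attr, None)
        elif decision == "downgrade" and self.levels.get(attr) == 2:
            self.levels[attr] = 1
        self.fail_counts.pop(attr, None)


def virus_scan(payload: bytes) -> bool:
    """Stand-in for virus security detection: True when the payload is clean."""
    return MALWARE_MARKER not in payload


def decide_transfer(db: PrivateDatabase, src_level: int, dst_level: int,
                    attr: tuple[str, str], payload: bytes = b"") -> str:
    """Apply the boundary rules: same area -> direct; upward -> virus scan;
    downward -> privacy check, counting failures for the admin workflow."""
    if src_level not in LEVELS or dst_level not in LEVELS:
        raise ValueError("unknown security level")
    if src_level == dst_level:  # no boundary crossed: no detection at all
        return "direct"
    if src_level < dst_level:  # low -> high: external viruses are the risk
        return "pass" if virus_scan(payload) else "blocked:virus"
    if db.privacy_check(attr, dst_level):  # high -> low: leakage is the risk
        return "pass"
    notice = db.record_failure(attr)
    return "blocked:private" + (" (admin notified)" if notice else "")
```

The returned admin notice carries the generating equipment information of the blocked data, which is what claims 7 and 8 require to be forwarded to the administrator account.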
The present invention has been described in detail with reference to the preferred embodiments thereof, and it should be understood that the invention is not limited thereto, but is intended to cover modifications, equivalents, and improvements within the spirit and scope of the present invention.
It should be understood that, although the steps in the flowcharts of the embodiments of the present invention are shown in sequence as indicated by the arrows, the steps are not necessarily performed in sequence as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least a portion of the steps in various embodiments may include multiple sub-steps or multiple stages that are not necessarily performed at the same time, but may be performed at different times, and the order of performance of the sub-steps or stages is not necessarily sequential, but may be performed in turn or alternately with other steps or at least a portion of the sub-steps or stages of other steps.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a non-volatile computer-readable storage medium, and can include the processes of the embodiments of the methods described above when the program is executed. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (8)

1. A network security analysis method based on boundary theory is characterized by comprising the following steps:
determining network areas of different levels according to the security levels of the networking equipment, wherein the network areas of the same level contain the networking equipment of the same security level, and network boundaries are arranged among the network areas of different levels;
receiving a data transmission request, and judging the data transmission request;
when the data transmission in the data transmission request does not need to cross the network boundary, the data is directly transmitted without carrying out security detection;
when the data transmission in the data transmission request needs to cross the network boundary, performing virus security detection on the data transmitted from the low-level network area to the high-level network area; and carrying out privacy security detection on the data transmitted from the high-level network area to the low-level network area, and carrying out data transmission after the detection is passed.
2. The network security analysis method according to claim 1, wherein the security levels of the networking devices include a first level, a second level and a third level, the first level networking device is an external network connection device, the second level networking device is an internal and external network connection device, the third level networking device is an internal network connection device, all the first level networking devices form a first level network region, all the second level networking devices form a second level network region, and all the third level networking devices form a third level network region.
3. The method for analyzing network security based on boundary theory as claimed in claim 2, wherein the step of performing privacy security detection on the data transmitted from the high-level network area to the low-level network area specifically comprises:
setting a private database, wherein the private database comprises private data attributes and private data grades, data corresponding to the first-level private cannot be transmitted to the external network connection equipment, data corresponding to the second-level private cannot be transmitted to the internal and external network connection equipment, data generated by the networking equipment carries the data attributes, and the data attributes comprise generated equipment information and data types;
determining whether data transmitted from the high-level network area to the low-level network area belongs to a private data attribute;
when the data belongs to a private data attribute and the private data level is second level, the detection is not passed; when the data belongs to a private data attribute, the private data level is first level and the low-level network area is the first-level network area, the detection is not passed; in all other cases the detection is passed.
4. The network security analysis method based on the boundary theory as claimed in claim 3, wherein, when the detection is not passed, the method further comprises:
counting private data attributes corresponding to the data which are not detected to pass;
when the count number of the private data attributes reaches a preset value, generating information whether the private data attributes are removed or degraded, and sending the information whether the private data attributes are removed or degraded to an administrator account;
when a confirmation removal instruction is received, deleting the private data attribute from the private database; and when a confirmation downgrade instruction is received, downgrading the private data level from second level to first level.
5. The network security analysis method based on the boundary theory as claimed in claim 3, wherein the data attribute is kept unchanged after the data generated by the networking device is transmitted.
6. The network security analysis method based on the boundary theory as claimed in claim 3, wherein the method further comprises: uploading the private data attribute and the private data level of processed data to the private database, wherein the processed data is data obtained by secondary processing of the data generated by the networking equipment.
7. The network security analysis method based on the boundary theory as claimed in claim 1, wherein the method further comprises: when virus security detection is carried out on data transmitted from a low-level network area to a high-level network area, if the virus security detection is not passed, equipment information of networking equipment for transmitting the data is called, and the equipment information is transmitted to an administrator account.
8. The network security analysis method based on the boundary theory as claimed in claim 1, wherein the method further comprises: when the privacy security detection is carried out on the data transmitted from the high-level network area to the low-level network area, if the privacy security detection is not passed, the equipment information of the networking equipment for transmitting the data is called, and the equipment information is transmitted to the administrator account.
CN202210518912.2A 2022-05-12 2022-05-12 Network security analysis method based on boundary theory Active CN114826760B (en)
Publications (2)

Publication Number Publication Date
CN114826760A true CN114826760A (en) 2022-07-29
CN114826760B CN114826760B (en) 2023-08-15
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant