CN114826880A - Method and system for online monitoring of data safe operation - Google Patents


Info

Publication number: CN114826880A (granted as CN114826880B)
Authority: CN (China)
Application number: CN202210281677.1A
Original language: Chinese (zh)
Inventors: 谢林江, 杭菲璐, 郭威, 张振红, 罗震宇, 陈何雄, 毛正雄, 李寒箬, 梅东晖, 何映军
Assignee (original and current): Information Center of Yunnan Power Grid Co Ltd
Legal status: granted, active
Prior art keywords: module, unit, data, output end, monitoring

Classifications

All entries fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication); only the leaf codes are listed:

    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis, or analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis (under H04L41/00, arrangements for maintenance, administration or management of data switching networks)
    • H04L63/0428 Network security: confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network security: authentication of entities
    • H04L63/1408 Network security: detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/145 Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1483 Countermeasures against malicious traffic involving service impersonation, e.g. phishing, pharming or web spoofing


Abstract

The invention discloses a method and system for online monitoring of safe data operation. The system comprises a hardware device management system whose output end is connected to a secure communication management system; the secure communication management system comprises a communication abnormal behavior monitoring module, a data risk analysis module and an identity recognition module. The communication abnormal behavior monitoring module monitors the data communication process for abnormal behavior in real time. When abnormal information is obtained, the network counterattack module can respond quickly, turning the defender from a passive into an active role and acting against the attack source. On receiving the counterattack signal, the attack source end is expected to withdraw its attack instruction first in order to protect its own data, which buys time for the defender's data protection: the server end responds promptly, activates the dynamic updating unit and completes the key update, so that the data cannot be forcibly stolen.

Description

Method and system for online monitoring of data safe operation
Technical Field
The invention relates to the technical field of data security, in particular to a method and a system for online monitoring of data security operation.
Background
The International Organization for Standardization (ISO) defines computer system security as the technical and administrative protections established and adopted for data processing systems in order to protect computer hardware, software and data from being damaged, altered or disclosed through accidental or malicious causes. Computer network security can therefore be understood as follows: by adopting various technical and administrative measures, the network system is kept operating normally, which ensures the availability, integrity and confidentiality of network data. The purpose of network security measures is thus to ensure that data transmitted and exchanged over the network is not added to, modified, lost or leaked.
When an existing online monitoring system for safe data operation encounters an external attack, it only protects its own data in isolation; it cannot obtain information about the attack source, and data security is difficult to guarantee.
Disclosure of Invention
The invention aims to provide a method and system for online monitoring of safe data operation, in order to solve the problem that the existing online monitoring system for safe data operation only protects its own data in isolation when encountering an external attack, cannot acquire attack source information and therefore has difficulty ensuring data security.
To achieve this purpose, the invention provides the following technical scheme. A method and system for online monitoring of safe data operation comprise:
a secure communication management system, comprising a communication abnormal behavior monitoring module, a data risk analysis module and an identity recognition module, wherein the output end of the communication abnormal behavior monitoring module is connected to a behavior analysis module;
the communication abnormal behavior monitoring module is used for monitoring abnormal behavior in the communication process;
the data risk analysis module is used for analyzing and evaluating the data operation risk in the server;
the behavior analysis module is used for analyzing behavior in the communication process and screening out the abnormal behavior;
the identity recognition module is used for identity security authentication by means of a secret key;
a safety early warning module, connected to the output ends of the communication abnormal behavior monitoring module and the data risk analysis module and used for issuing safety early warnings for the server;
an abnormality feedback module, arranged at the output end of the safety early warning module, whose output end is connected to a server response unit;
the abnormality feedback module is used for feeding back the abnormal behavior and transmitting the feedback result to the server;
the server response unit is used for responding in time to the early warning information and the feedback information, and for triggering re-encryption of the data with a refreshed key through the identity recognition module;
a communication blocking module, connected to the output end of the behavior analysis module, whose output end is connected to a virus interception module and an attack source capture module, the output end of the virus interception module being connected to a firewall filtering module;
the communication blocking module is used for blocking abnormal communication, so that abnormal signals do not flow into the server along with the data and cause server data loss;
the virus interception module is used for intercepting viruses and Trojans;
the firewall filtering module is used for filtering abnormal information with a firewall;
a network counterattack module, connected to the output end of the attack source capture module, whose output end is connected to an attacker profiling module; the output end of the attack source capture module is further connected to a server resource analysis unit, a traffic monitoring control module and a phishing website identification module respectively;
the server resource analysis unit is used for analyzing abnormal files, accounts, ports and service protocols;
the traffic monitoring control module is used for pinpointing the abnormal communication traffic, the attack source and the attack target;
the phishing website identification module is used for acquiring malicious file samples and phishing URLs;
the attacker profiling module is used for drawing up a complete attacker portrait from the attack source information acquired by the network counterattack module and the attack source capture module.
Preferably, the network counterattack module comprises an IP positioning unit, an ID tracking unit and a domain name resolution unit;
the IP positioning unit is used for analyzing the IP address and port of the attack source to obtain attack source information;
the ID tracking unit is used for tracing the mailbox behind the ID account with which the attack source logged into the website, to obtain the real name of the attack source;
the domain name resolution unit is used for resolving the domain name through which the attack source's back-end terminal logs in, to obtain the domain name registration information;
the network counterattack module locates the attack source through the IP positioning unit, the ID tracking unit and the domain name resolution unit, and completes the counterattack using the obtained IP address, ID account and domain name.
Preferably, the identity recognition module is further provided with:
an identifier intercepting unit, arranged at the output end of the identity recognition module, whose output end is connected to a dynamic updating unit; the output end of the dynamic updating unit is connected to a key synchronization unit, and the output end of the key synchronization unit is connected to a key identification unit.
Preferably, the identifier intercepting unit is used for extracting the identifier carried in the key number field;
the dynamic updating unit is used for dynamically updating the identifier in the key number field and forming a new key;
the key synchronization unit is used for synchronizing the changed key information and storing it in a database for subsequent identification;
the key identification unit is used for comparing and identifying the key.
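The four key units above (extract the key number field, mint a new key, synchronize the key store, identify the key on incoming data) as an added example that is not part of the patent. It assumes a message layout of a 4-byte key number followed by the payload and an HMAC-SHA256 tag, a key store shared by sender and verifier, and a one-key grace window during rotation; all names (`KeyRing`, `tag`, `verify`, `scenario`) are illustrative.

```python
# Added example, not from the patent: key-number-tagged HMAC messages with rotation.
# Message layout, grace window and all names are assumptions.
import hashlib
import hmac
import secrets

KID_LEN = 4   # key number field, big-endian unsigned
MAC_LEN = 32  # HMAC-SHA256 digest length


class KeyRing:
    """Key store shared by sender and verifier (the patent's synchronized key database)."""

    def __init__(self, grace=1):
        self.keys = {}      # key number -> 32-byte key
        self.current = 0
        self.grace = grace  # superseded keys kept valid while peers catch up
        self.rotate()

    def rotate(self):
        """Dynamic updating unit: mint a fresh random key under a new key number."""
        self.current += 1
        self.keys[self.current] = secrets.token_bytes(32)
        # Key synchronization unit: retire keys that fell out of the grace window.
        for kid in list(self.keys):
            if kid < self.current - self.grace:
                del self.keys[kid]
        return self.current


def tag(ring, payload):
    """Sender side: kid || payload || HMAC(key_kid, kid || payload)."""
    header = ring.current.to_bytes(KID_LEN, "big")
    mac = hmac.new(ring.keys[ring.current], header + payload, hashlib.sha256).digest()
    return header + payload + mac


def verify(ring, message):
    """Identifier intercepting + key identification: read the key number field, look the
    key up, recompute the tag and compare in constant time. Returns payload or None."""
    if len(message) < KID_LEN + MAC_LEN:
        return None
    kid = int.from_bytes(message[:KID_LEN], "big")
    key = ring.keys.get(kid)
    if key is None:
        return None  # unknown or retired key number: reject, never fall back
    body, mac = message[:-MAC_LEN], message[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return body[KID_LEN:]


def scenario():
    """Walk through rotation on anomaly feedback; returns the outcomes as booleans."""
    ring = KeyRing(grace=1)
    m1 = tag(ring, b"reading=42")
    ok_before = verify(ring, m1) == b"reading=42"
    ring.rotate()                                   # anomaly feedback -> new key
    ok_in_grace = verify(ring, m1) == b"reading=42"  # key 1 still within grace window
    ring.rotate()                                   # second rotation retires key 1
    old_rejected = verify(ring, m1) is None
    m3 = tag(ring, b"reading=43")
    forged = m3[:KID_LEN] + b"reading=99" + m3[-MAC_LEN:]   # payload edited, tag kept
    forged_rejected = verify(ring, forged) is None
    bad_kid = (99).to_bytes(KID_LEN, "big") + m3[KID_LEN:]  # key number nobody holds
    bad_kid_rejected = verify(ring, bad_kid) is None
    return {
        "ok_before": ok_before,
        "ok_in_grace": ok_in_grace,
        "old_rejected": old_rejected,
        "forged_rejected": forged_rejected,
        "bad_kid_rejected": bad_kid_rejected,
        "current_kid": ring.current,
    }


if __name__ == "__main__":
    print(scenario())
```

The key number travels in the clear; that is fine because it only selects which key the verifier tries, and an unknown number is rejected outright rather than falling back to an older key. The tag gives integrity and origin authentication only: confidentiality needs a separate cipher, and replay protection needs a counter or timestamp inside the tagged payload.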
Preferably, the hardware device management system is further provided with:
a device data control module, connected to the output end of the hardware device management system, whose input end is connected to a CPU occupancy monitoring unit, a temperature monitoring unit and a memory occupancy monitoring unit respectively, and whose output end is connected to a device online debugging module;
the device data control module is used for controlling the basic data of the server device;
the device online debugging module is used for freeing storage space in the server, clearing redundant stored information and controlling the server temperature through the cooler.
Preferably, the CPU occupancy monitoring unit is used for monitoring the server CPU occupancy in real time;
the temperature monitoring unit is used for monitoring the temperature of the server device in real time;
the memory occupancy monitoring unit is used for monitoring the server memory occupancy in real time.
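The three monitoring units feeding the device online debugging module, as an added example that is not part of the patent. The thresholds, the constructed one-second readings and the action strings are assumptions; the point the module list leaves out is that a single spike must not trigger cleanup or cooling, so the alarm fires only after a sustained breach and clears with hysteresis.

```python
# Added example, not from the patent: sustained-threshold monitor with hysteresis.
# Thresholds, readings and action names are assumptions.
from dataclasses import dataclass


@dataclass
class Threshold:
    name: str
    trip: float     # value at or above which a breach is counted
    clear: float    # value at or below which an active alarm clears (hysteresis)
    sustain: int    # consecutive breaching samples before the alarm fires
    action: str     # what the device online debugging module is asked to do


THRESHOLDS = [
    Threshold("cpu_pct", 90.0, 70.0, 3, "shed load / restart runaway process"),
    Threshold("temp_c", 75.0, 65.0, 2, "raise cooler duty cycle"),
    Threshold("mem_pct", 85.0, 70.0, 3, "purge caches and temporary files"),
]


class DeviceMonitor:
    def __init__(self, thresholds=THRESHOLDS):
        self.t = {th.name: th for th in thresholds}
        self.streak = {th.name: 0 for th in thresholds}  # consecutive breaches
        self.active = set()                               # alarms currently raised
        self.actions = []                                 # (sample index, metric, action)

    def feed(self, index, sample):
        """Consume one reading {metric: value}; returns the set of active alarms."""
        for name, value in sample.items():
            th = self.t[name]
            if name in self.active:
                # Only clear once the value is back below the lower band.
                if value <= th.clear:
                    self.active.discard(name)
                    self.streak[name] = 0
                continue
            self.streak[name] = self.streak[name] + 1 if value >= th.trip else 0
            if self.streak[name] >= th.sustain:
                self.active.add(name)
                self.actions.append((index, name, th.action))
        return set(self.active)


SAMPLES = [  # constructed readings, one per second
    {"cpu_pct": 95, "temp_c": 60, "mem_pct": 50},
    {"cpu_pct": 40, "temp_c": 62, "mem_pct": 52},  # CPU spike was transient: no action
    {"cpu_pct": 92, "temp_c": 76, "mem_pct": 86},
    {"cpu_pct": 93, "temp_c": 77, "mem_pct": 87},  # temperature sustained 2 -> cooler
    {"cpu_pct": 94, "temp_c": 70, "mem_pct": 88},  # CPU and memory sustained 3 -> actions
    {"cpu_pct": 60, "temp_c": 64, "mem_pct": 60},  # everything back below clear levels
]


def run(samples=SAMPLES):
    m = DeviceMonitor()
    for i, s in enumerate(samples):
        m.feed(i, s)
    return m


if __name__ == "__main__":
    for entry in run().actions:
        print(entry)
```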
Preferably, the data risk analysis module is further provided with:
a database storage module, connected to the output end of the data risk analysis module, whose output end is connected to a data repair module;
the database storage module is used for storing sample copies of the source data information;
the data repair module is used for repairing lost source data information from those copies.
Preferably, the data risk analysis module is further provided with:
a risk model building unit, connected to the output end of the data risk analysis module; the output end of the risk model building unit is connected to a virtual platform construction unit, the output end of the virtual platform construction unit is connected to a risk assessment unit, the output end of the risk assessment unit is connected to a platform optimization unit, and the output end of the platform optimization unit is connected to a data encryption unit.
Preferably, the risk model building unit is used for building a risk model;
the virtual platform construction unit is used for constructing a virtual working platform consistent with the server's running environment;
the risk assessment unit is used for assessing the risk from the results of running the model on the virtual platform;
the platform optimization unit is used for optimizing the server device's environment according to the risk assessment;
the data encryption unit is used for encrypting the data.
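The database storage module and data repair module above, as an added example that is not part of the patent: a snapshot of the source records is kept together with a SHA-256 digest of each record, so that the repair step can tell lost records from silently altered ones and restore both. The record layout, the in-memory store and the names (`SnapshotStore`, `audit`, `repair`, `scenario`) are assumptions; the risk model and virtual platform units are not modelled here.

```python
# Added example, not from the patent: digest-verified snapshot and repair of source records.
# Record layout, storage backend and names are assumptions.
import copy
import hashlib
import json


def digest(record):
    """Canonical JSON so that key order cannot change the digest."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class SnapshotStore:
    """Database storage module: a copy of each source record plus its digest."""

    def __init__(self):
        self.records = {}
        self.digests = {}

    def store(self, rid, record):
        self.records[rid] = copy.deepcopy(record)
        self.digests[rid] = digest(record)


def audit(store, live):
    """Compare the live dataset with the snapshot; returns (missing_ids, altered_ids)."""
    missing = sorted(rid for rid in store.records if rid not in live)
    altered = sorted(rid for rid in store.records
                     if rid in live and digest(live[rid]) != store.digests[rid])
    return missing, altered


def repair(store, live):
    """Data repair module: restore missing and altered records; returns the ids repaired."""
    missing, altered = audit(store, live)
    for rid in missing + altered:
        live[rid] = copy.deepcopy(store.records[rid])
    return missing + altered


SOURCE = {  # constructed source records
    "cfg-001": {"host": "srv1", "port": 8443, "tls": True},
    "cfg-002": {"host": "srv2", "port": 8443, "tls": True},
    "cfg-003": {"host": "srv3", "port": 22, "tls": False},
}


def scenario():
    store = SnapshotStore()
    for rid, rec in SOURCE.items():
        store.store(rid, rec)
    live = copy.deepcopy(SOURCE)
    del live["cfg-002"]              # simulated loss
    live["cfg-001"]["tls"] = False   # simulated tampering: same keys, changed value
    before = audit(store, live)
    repaired = repair(store, live)
    after = audit(store, live)
    return before, repaired, after, live == SOURCE


if __name__ == "__main__":
    print(scenario())
```

The repair is only as trustworthy as the snapshot: if the attacker who altered the live data can also reach the snapshot store, the repair step restores their version. Keep the snapshot and its digest list where the server's own credentials cannot write, and sign the digest list, so that `audit` detects tampering with the reference copy as well as with the live data.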
A method for online monitoring of safe data operation comprises the following steps:
S1, the communication abnormal behavior monitoring module in the secure communication management system monitors the communication process for abnormal behavior in real time, and the communication blocking module quickly blocks the data flow so that the data keeps operating safely;
S2, after the communication blocking module has blocked the flow, the attack source capture module quickly acquires attack source information and the network counterattack module acts against the attack source; once the intruder is found, the defender quickly switches from defense to counter-measures so that the intruder cannot keep attacking;
S3, after the attack source information has been acquired, the attacker profiling module draws up a complete attacker portrait and the attack category is assessed on the basis of the portrait;
S4, after the attack has been repelled, the server response unit responds in time, the identity key is updated through the dynamic updating unit in the identity recognition module, and data security is reinforced.
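The pipeline of steps S1 to S3 (monitor, block, capture the attack source, profile it), together with the module descriptions above, as an added example that is not part of the patent. It reads constructed log lines in an assumed format, flags a source after five failed logins or five distinct destination ports within sixty seconds (assumed thresholds), cuts that source off on the very event that crosses the threshold, and assembles the accounts, ports, protocols and URLs the source touched into an attacker portrait. The patent's counterattack against the attack source is deliberately left out; the example stops at collection and profiling. All names (`Monitor`, `AttackerProfile`, `run`) are illustrative.

```python
# Added example, not from the patent: detect -> block -> capture -> profile over
# constructed log lines. Log format, thresholds and all names are assumptions.
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Assumed format:
# "<ISO time> <src_ip> <dst_port> <proto> <account or -> <result> [url]"
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.7 22 ssh root FAIL
2024-03-01T10:00:01 203.0.113.7 22 ssh root FAIL
2024-03-01T10:00:02 203.0.113.7 22 ssh admin FAIL
2024-03-01T10:00:03 203.0.113.7 22 ssh oracle FAIL
2024-03-01T10:00:04 203.0.113.7 22 ssh root FAIL
2024-03-01T10:00:05 203.0.113.7 22 ssh root FAIL
2024-03-01T10:00:06 203.0.113.7 22 ssh root OK
2024-03-01T10:00:20 198.51.100.9 21 ftp - CONNECT
2024-03-01T10:00:20 198.51.100.9 23 telnet - CONNECT
2024-03-01T10:00:21 198.51.100.9 80 http - CONNECT http://198.51.100.9/payload.bin
2024-03-01T10:00:21 198.51.100.9 443 https - CONNECT
2024-03-01T10:00:22 198.51.100.9 3306 mysql - CONNECT
2024-03-01T10:00:22 198.51.100.9 6379 redis - CONNECT
2024-03-01T10:00:30 192.0.2.10 443 https alice OK
"""


@dataclass
class Event:
    ts: datetime
    src: str
    port: int
    proto: str
    account: str
    result: str
    url: str = ""


def parse_log(text):
    """Parse the constructed format; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6:
            continue
        events.append(Event(datetime.fromisoformat(f[0]), f[1], int(f[2]),
                            f[3], f[4], f[5], f[6] if len(f) > 6 else ""))
    return events


@dataclass
class AttackerProfile:
    """Attacker portrait built from what the source touched (capture + profiling)."""
    src: str
    reasons: set = field(default_factory=set)
    accounts: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    protocols: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    first_seen: datetime = None
    last_seen: datetime = None

    def absorb(self, e):
        if e.account != "-":
            self.accounts.add(e.account)
        self.ports.add(e.port)
        self.protocols.add(e.proto)
        if e.url:
            self.urls.add(e.url)
        self.first_seen = self.first_seen or e.ts
        self.last_seen = e.ts


class Monitor:
    def __init__(self, fail_threshold=5, port_threshold=5, window=timedelta(seconds=60)):
        self.fail_threshold = fail_threshold
        self.port_threshold = port_threshold
        self.window = window
        self.recent = defaultdict(list)  # src -> events inside the sliding window
        self.blocked = set()             # sources the blocking module has cut off
        self.profiles = {}               # src -> AttackerProfile
        self.dropped = 0                 # events discarded because the source was blocked

    def _anomalies(self, src, now):
        """Behavior analysis: rule checks over one source's sliding window."""
        window = [e for e in self.recent[src] if now - e.ts <= self.window]
        self.recent[src] = window
        reasons = set()
        if sum(e.result == "FAIL" for e in window) >= self.fail_threshold:
            reasons.add("credential brute force")
        if len({e.port for e in window}) >= self.port_threshold:
            reasons.add("port scan")
        return reasons

    def feed(self, e):
        """Returns True if the event was admitted, False if its source is blocked."""
        if e.src in self.blocked:
            self.dropped += 1
            return False
        self.recent[e.src].append(e)
        reasons = self._anomalies(e.src, e.ts)
        if reasons:
            self.blocked.add(e.src)  # block on the event that crossed the threshold
            p = self.profiles.setdefault(e.src, AttackerProfile(e.src))
            p.reasons |= reasons
            for w in self.recent[e.src]:
                p.absorb(w)
        return True


def run(text, **kw):
    m = Monitor(**kw)
    for e in parse_log(text):
        m.feed(e)
    return m


if __name__ == "__main__":
    for p in run(SAMPLE_LOG).profiles.values():
        print(p)
```

The timing matters more than the module list suggests: the successful login that follows the brute-force burst from 203.0.113.7 in the sample is dropped only because the source was blocked on the fifth failure, not in a later batch run. The portrait is what a profiling step can honestly derive from the defender's own logs; attribution to a person or organisation needs evidence the logs do not contain.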
Compared with the prior art, the method and system for online monitoring of safe data operation provided by the invention have the following beneficial effects:
1. the basic information of the hardware device can be controlled by the device data control module; the CPU occupancy monitoring unit, the temperature monitoring unit and the memory occupancy monitoring unit connected to it monitor the server CPU occupancy, the internal server temperature and the server memory occupancy in real time, and when occupancy or temperature is too high the device online debugging module tunes the device to cool it down and clear garbage, so that data damage caused by an abnormal server crash due to overheating, insufficient memory and the like is avoided;
2. the communication abnormal behavior monitoring module monitors the data communication process for any abnormal behavior in real time; when abnormal information is obtained, the network counterattack module can quickly counterattack, turning the defender from a passive into an active role and acting against the attacker;
3. the attack source capture module can quickly examine abnormal logs, network traffic, server addresses, website gateways and the like from three angles, through the server resource analysis unit, the traffic monitoring control module and the phishing website identification module, to obtain attack source information; at the same time the attacker profiling module obtains the identity information of the attack source and draws a detailed network portrait that makes the attack purpose clear, so that the defender's own data protection system can be reinforced and optimized in a targeted way;
4. the data risk analysis module evaluates the data security risk: the risk model building unit builds a model, the model is run on the virtual platform constructed by the virtual platform construction unit, and the risk assessment unit assesses the risk from the results, so that data is optimized at the source and data security is improved; in addition, the database storage module inside the data risk analysis module stores the data source, and the data repair module can restore the source data so that data loss is avoided;
5. the identity recognition module can quickly extract the effective identifier of the key from the communication data; after the feedback signal from the abnormality feedback module is received, the key is updated in time by the dynamic updating unit, the updated key is added to the identifier of the data source and written to the database by the key synchronization unit, and the key identification unit can quickly recognize the updated key.
Drawings
FIG. 1 is a schematic diagram of the overall workflow structure of the invention;
FIG. 2 is a schematic diagram of the workflow structure of the communication abnormal behavior monitoring module of the invention;
FIG. 3 is a schematic diagram of the workflow structure of the network counterattack module of the invention;
FIG. 4 is a schematic diagram of the workflow structure of the attack source capture module of the invention;
FIG. 5 is a schematic diagram of the workflow structure of the data risk analysis module of the invention;
FIG. 6 is a schematic diagram of the workflow structure of the identity recognition module of the invention.
In the figures: 1. hardware device management system; 2. secure communication management system; 3. device data control module; 4. device online debugging module; 5. CPU occupancy monitoring unit; 6. temperature monitoring unit; 7. memory occupancy monitoring unit; 8. communication abnormal behavior monitoring module; 9. data risk analysis module; 10. safety early warning module; 11. abnormality feedback module; 12. server response unit; 13. behavior analysis module; 14. communication blocking module; 15. virus interception module; 16. firewall filtering module; 17. attack source capture module; 18. network counterattack module; 1801. IP positioning unit; 1802. ID tracking unit; 1803. domain name resolution unit; 19. attacker profiling module; 20. server resource analysis unit; 21. traffic monitoring control module; 22. phishing website identification module; 23. identity recognition module; 24. risk model building unit; 25. virtual platform construction unit; 26. risk assessment unit; 27. platform optimization unit; 28. data encryption unit; 29. database storage module; 30. data repair module; 31. identifier intercepting unit; 32. dynamic updating unit; 33. key synchronization unit; 34. key identification unit.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1 and fig. 2, a system for online monitoring of data security operation includes: the hardware equipment management system 1 is characterized in that the output end of the hardware equipment management system 1 is connected with a safety communication management system 2, the safety communication management system 2 comprises a communication abnormal behavior monitoring module 8, a data risk analysis module 9 and an identity recognition module 23, the output end of the communication abnormal behavior monitoring module 8 is connected with a behavior analysis module 13, and the communication abnormal behavior monitoring module 8 is used for monitoring abnormal behaviors in the communication process; the data risk analysis module 9 is used for analyzing and evaluating the data operation risk in the server; the behavior analysis module 13 is used for performing abnormal analysis on behaviors in the communication process and screening out abnormal behaviors; the identity identification module 23 is used for identity security authentication through a secret key; the device data control module 3 is connected to the output end of the hardware device management system 1, the input end of the device data control module 3 is respectively connected with a CPU occupancy rate monitoring unit 5, a temperature monitoring unit 6 and a memory occupancy rate monitoring unit 7, and the output end of the device data control module 3 is connected with a device online debugging module 4, wherein the device data control module 3 is used for controlling basic data of server devices; the device online debugging module 4 is used for clearing the space occupation ratio in the server, clearing redundant storage information and controlling the temperature of the server through a cooler, and the CPU occupancy rate monitoring unit 5 is used for monitoring the CPU occupancy rate of the server in real time; the temperature monitoring unit 6 is used for monitoring the temperature of 
the server equipment in real time; the memory occupancy rate monitoring unit 7 is used for monitoring the server memory occupancy rate in real time, and can control the basic information of the hardware equipment through the arranged equipment data control module 3, the CPU occupancy rate monitoring unit 5, the temperature monitoring unit 6 and the memory occupancy rate monitoring unit 7 which are connected with the equipment data control module 3 can sequentially monitor the CPU occupancy rate of the server, the internal temperature of the server and the memory occupancy rate of the server in real time, the equipment is debugged through the equipment on-line debugging module 4 to achieve the work of temperature reduction and garbage removal, thereby avoiding data damage caused by abnormal crash of the server in the using process due to overhigh temperature or insufficient memory and the like, and the safety early warning module 10, the system is connected with the output ends of the communication abnormal behavior monitoring module 8 and the data risk analysis module 9, and can be used for carrying out safety early warning on the server; the abnormal feedback module 11 is arranged at the output end of the safety early warning module 10, and the output end of the abnormal feedback module 11 is connected with the server response unit 12, wherein the abnormal feedback module 11 is used for feeding back abnormal behaviors and transmitting a feedback result to the server; the server response unit 12 is configured to respond to the early warning information and the feedback information in time, and encrypt the data information reversely through the identity recognition module 23; the communication blocking module 14 is connected to the output end of the behavior analysis module 13, the output end of the communication blocking module 14 is connected with the virus interception module 15 and the attack source capture module 17, and the output end of the virus interception 
module 15 is connected with the firewall filtering module 16, wherein the communication blocking module 14 is used for blocking abnormal communication information and avoiding abnormal signals from entering a server along with data to cause server data loss; the virus interception module 15 is used for intercepting virus trojans; the firewall filtering module 16 is used for filtering the abnormal information by the firewall.
As shown in fig. 2, 3 and 4, a system for online monitoring of data security operation includes: the network counterattack module 18 includes an IP positioning unit 1801, an ID tracking unit 1802, and a domain name resolution unit 1803, where the IP positioning unit 1801 is configured to perform server analysis on an IP port of an attack source to obtain attack source information; the ID tracking unit 1802 is used for performing mailbox tracing on an ID account of an attack source login website to obtain a real name of the attack source; the domain name resolution unit 1803 is configured to resolve a login domain name of the attack source background terminal to obtain domain name registration information; the network counterattack module 18 locates the attack source through the IP locating unit 1801, the ID tracking unit 1802 and the domain name resolution unit 1803, and completes counterattack by using the acquired IP account, ID account and domain name address, any abnormal behavior in the data communication process can be monitored in real time through the set communication abnormal behavior monitoring module 8, and when abnormal information is acquired, counterattack can be quickly performed through the network counterattack module 18 to convert a disadvantaged role to attack a gatekeeper, after the attack source end receives a counterattack signal, in order to avoid damage of data of the attack source end, the attack source end will firstly remove an attack instruction, which provides time for data protection of our party, so that the server end quickly corresponds, the dynamic updating unit 32 is activated, and update work of a secret key is completed, thereby avoiding data being forcibly stolen; the system comprises a network counterattack module 18, an identity drawing module 19, a server resource analysis unit 20, a flow monitoring control module 21 and a phishing website identification module 22, wherein the network counterattack module 18 is connected to 
the output end of an attack source capturing module 17, the output end of the network counterattack module 18 is connected with the identity drawing module 19, and the output end of the attack source capturing module 17 is respectively connected with the server resource analysis unit 20, the flow monitoring control module 21 and the phishing website identification module 22, wherein the server resource analysis unit 20 can be used for analyzing abnormal files, accounts, ports and service protocols; the flow monitoring control module 21 is used for locking the abnormal communication flow, the attack source and the attack target; the phishing website identification module 22 is used for acquiring malicious file samples and phishing netted URLs; the identity drawing module 19 can draw a finished attacker portrait based on attack source information acquired by the network counterattack module 18 and the attack source capture module 17, the set attack source capture module 17 can rapidly check abnormal logs, network traffic, server addresses, website gateways and the like from three aspects through the server resource analysis unit 20, the traffic monitoring control module 21 and the phishing website identification module 22 to acquire attack source information, and meanwhile, the identity drawing module 19 acquires the attack source identity information and draws a detailed network portrait to clearly define the attack purpose, so that the data protection system of the client is reinforced and optimized in a targeted manner.
As shown in fig. 5 and 6, the system for online monitoring of data security operation further includes the following. The identifier intercepting unit 31 is arranged at the output end of the identity identification module 23, the output end of the identifier intercepting unit 31 is connected with the dynamic updating unit 32, the output end of the dynamic updating unit 32 is connected with the key synchronizing unit 33, and the output end of the key synchronizing unit 33 is connected with the key identifying unit 34. The identifier intercepting unit 31 is used to intercept the identifier in the key number field; the dynamic updating unit 32 is configured to dynamically update the identifier in the key number field and form a new key; the key synchronization unit 33 is configured to synchronously update the changed key information and store the updated key information in a database, to facilitate subsequent identification; and the key identification unit 34 is used to compare and identify keys. Through the identity identification module 23, the identifier intercepting unit 31 can quickly intercept the effective identifier of the key in the communication data; after the feedback signal transmitted by the abnormal feedback module 11 is received, the key can be updated in time by the dynamic updating unit 32 and added into the identifier of the data source, the updated key is written to the database by the key synchronization unit 33, and the key identification unit 34 can then quickly identify the updated key. Because the dynamic updating unit 32 is in a random updating state, the security of this process is better and data leakage need not be feared. The database storage module 29 is connected with the output end of the data risk analysis module 9, and the output end of the database storage module 29 is connected with the data repair module 30; the database storage module 29 is used to perform sample storage on the source data information, and the data repair module 30 is configured to perform data repair on lost source data information. The risk model building unit 24 is connected to the output end of the data risk analysis module 9, the output end of the risk model building unit 24 is connected with the virtual platform building unit 25, the output end of the virtual platform building unit 25 is connected with the risk evaluation unit 26, the output end of the risk evaluation unit 26 is connected with the platform optimization unit 27, and the output end of the platform optimization unit 27 is connected with the data encryption unit 28. The risk model building unit 24 is used to build a risk model; the virtual platform construction unit 25 is used to construct a virtual working platform consistent with the server operation environment; the risk evaluation unit 26 is used to perform risk evaluation on the operation result on the virtual platform; the platform optimization unit 27 is configured to perform environment optimization on the server device based on the risk evaluation; and the data encryption unit 28 is used to encrypt data. Data security risks can be evaluated through the data risk analysis module 9: a model is built by the risk model building unit 24, the built model is run on the virtual platform built by the virtual platform building unit 25, and risk evaluation is performed by the risk evaluation unit 26 according to the operation results, so that the data are optimized from the source and data security is improved. A database storage module 29 is additionally arranged in the data risk analysis module 9 to store the data sources, and source data can be repaired through the data repair module 30, so that data loss is avoided.
As shown in fig. 1, fig. 2, fig. 3, fig. 4, fig. 5 and fig. 6, a method for online monitoring of data security operation includes the following steps:
S1, the communication abnormal behavior monitoring module 8 in the safety communication management system 2 monitors abnormal behavior in the communication process in real time, and can quickly block the data through the communication blocking module 14 to ensure the safe operation of the data;
S2, after the communication blocking module 14 has blocked the communication, attack source information is rapidly acquired through the attack source capturing module 17 and a counterattack on the attack source is carried out through the network counterattack module 18; once an intruder is found, the system rapidly switches from defense to countermeasures, so that the intruder cannot continue attacking;
s3, after the attack source information is acquired, the identity drawing module 19 is used for drawing a complete attacker portrait and evaluating the attack category based on the portrait information;
and S4, after the attack is resisted, timely responding is carried out through the server response unit 12, the identity key is updated through the dynamic updating unit 32 in the identity drawing module 19, and the data security is reinforced.
The working principle is as follows. When the method and system for online monitoring of data safe operation are used, firstly, to ensure normal operation of the server, the hardware equipment is managed by the hardware equipment management system 1 and the software information is managed by the safety communication management system 2. The equipment data control module 3 plays the role of central control: it collects and analyzes in real time the data detected by the CPU occupancy monitoring unit 5, the temperature monitoring unit 6 and the memory occupancy monitoring unit 7, and controls the device online debugging module 4 to debug the device accordingly. The device online debugging module 4 can free up the memory and CPU occupancy of the server, thereby ensuring a good transmission environment for the data during transmission, and can cool the server main body through the heat dissipation device, so that data damage caused by the server crashing abnormally under an excessive temperature is avoided. Secondly, the safety communication management system 2 evaluates the data transmission risk through the data risk analysis module 9: after the model is built and improved by the risk model building unit 24, a virtual platform with the same memory and operating environment as the server is built by the virtual platform building unit 25 and the model is run on it; risk evaluation is performed by the risk evaluation unit 26 according to the operation result; the platform optimization unit 27 can optimize the data operation process according to the evaluation result; and the data can be encrypted by the data encryption unit 28. Thirdly, during actual transmission, any abnormal behavior in the data communication process is monitored in real time through the communication abnormal behavior monitoring module 8, attack source information is obtained through the server resource analysis unit 20, the flow monitoring control module 21 and the phishing website identification module 22, the detailed information of the attacker is obtained through reverse tracing by the network counterattack module 18 and countermeasures are carried out so that the intruder cannot continue attacking, a complete attacker portrait is sketched by the identity drawing module 19, the attack category is evaluated based on the portrait information to obtain the attacker's intention, and targeted optimization work is carried out. Then, the safety early warning module 10 performs early warning for the server, the abnormal feedback module 11 transmits the feedback result to the server response unit 12, and the server response unit 12 updates the identity key through the dynamic updating unit 32 to protect the data. Finally, during data operation, the effective identifier of the key in the communication data is quickly intercepted by the identifier intercepting unit 31 and identified by the key identification unit 34; if identification fails, the key is updated by the dynamic updating unit 32 and written to the database again by the key synchronization unit 33 for secondary encryption, so that internal leakage of the data is avoided.
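The key handling of the identity identification module 23 (units 31 to 34, described with fig. 5 and 6) and the "identify, then update the key when identification fails" step of the working principle, as an added Python example that is not part of the patent: the key number field layout `KN:<source_id>:<identifier>`, the HMAC-SHA256 key derivation, the message tag and the in-memory store are assumptions made for this illustration.

```python
# Added illustration (not the patent's code): units 31-34 of the identity
# identification module 23 plus the identify-then-rotate flow; layout, derivation
# and store are assumed for the example.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FIELD_PREFIX = "KN"  # assumed key number field layout: "KN:<source_id>:<identifier>"

@dataclass(frozen=True)
class KeyRecord:
    identifier: str  # random identifier carried in the key number field
    key: bytes       # key formed from that identifier
    version: int     # incremented on every dynamic update

class KeySyncUnit:
    """Key synchronization unit 33: the current record per data source."""

    def __init__(self) -> None:
        self._records: Dict[str, KeyRecord] = {}

    def sync(self, source_id: str, record: KeyRecord) -> None:
        self._records[source_id] = record  # overwrite, so the stale key stops validating

    def lookup(self, source_id: str) -> Optional[KeyRecord]:
        return self._records.get(source_id)

def intercept_identifier(key_number_field: str) -> Tuple[str, str]:
    """Identifier intercepting unit 31: (source_id, identifier) out of the field."""
    parts = key_number_field.split(":")
    if len(parts) != 3 or parts[0] != FIELD_PREFIX or not all(parts[1:]):
        raise ValueError("malformed key number field")
    return parts[1], parts[2]

def derive_key(server_secret: bytes, identifier: str) -> bytes:
    """Form the key from the identifier; the server secret never leaves the server."""
    return hmac.new(server_secret, identifier.encode(), hashlib.sha256).digest()

class DynamicUpdateUnit:
    """Dynamic updating unit 32: random identifier -> new key -> synced to the store."""

    def __init__(self, server_secret: bytes, store: KeySyncUnit) -> None:
        self._secret = server_secret
        self._store = store

    def rotate(self, source_id: str) -> KeyRecord:
        previous = self._store.lookup(source_id)
        identifier = secrets.token_hex(16)  # the "random updating state"
        record = KeyRecord(identifier, derive_key(self._secret, identifier),
                           previous.version + 1 if previous else 1)
        self._store.sync(source_id, record)  # unit 33 sees the change at once
        return record

def make_tag(key: bytes, payload: bytes) -> str:
    """Authentication tag the data source attaches to a message (constructed scheme)."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def identify_key(store: KeySyncUnit, key_number_field: str, payload: bytes, tag: str) -> bool:
    """Key identification unit 34: constant-time comparison against the stored key."""
    try:
        source_id, identifier = intercept_identifier(key_number_field)
    except ValueError:
        return False
    record = store.lookup(source_id)
    if record is None or not hmac.compare_digest(record.identifier.encode(), identifier.encode()):
        return False
    return hmac.compare_digest(make_tag(record.key, payload).encode(), tag.encode())

def process_message(store: KeySyncUnit, updater: DynamicUpdateUnit, key_number_field: str,
                    payload: bytes, tag: str) -> Tuple[bool, Optional[KeyRecord]]:
    """Working-principle flow: identify; when identification fails for a known source,
    rotate and re-sync the key. Returns (accepted, new_record_if_rotated).
    The new record must reach the legitimate source over a trusted channel."""
    if identify_key(store, key_number_field, payload, tag):
        return True, None
    try:
        source_id, _ = intercept_identifier(key_number_field)
    except ValueError:
        return False, None  # unparseable field: nothing to rotate
    if store.lookup(source_id) is None:
        return False, None  # unknown source: no key to refresh
    return False, updater.rotate(source_id)

def field_for(source_id: str, record: KeyRecord) -> str:
    """Key number field a source sends once it holds its current record."""
    return f"{FIELD_PREFIX}:{source_id}:{record.identifier}"
```

Rotating on every failed identification, as the working principle describes, also means a forged message for a known source forces that source onto a new key, so the refreshed record has to be delivered to it out of band.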
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (10)

1. A system for online monitoring of safe operation of data is characterized by comprising:
a hardware equipment management system (1), wherein the output end of the hardware equipment management system (1) is connected with a safety communication management system (2), the safety communication management system (2) comprises a communication abnormal behavior monitoring module (8), a data risk analysis module (9) and an identity recognition module (23), and the output end of the communication abnormal behavior monitoring module (8) is connected with a behavior analysis module (13);
the communication abnormal behavior monitoring module (8) is used for monitoring abnormal behaviors in a communication process;
the data risk analysis module (9) is used for analyzing and evaluating the data operation risk in the server;
the behavior analysis module (13) is used for carrying out abnormal analysis on behaviors in the communication process and screening out abnormal behaviors;
the identity identification module (23) is used for identity security authentication through a secret key;
the safety early warning module (10) is connected with the output ends of the communication abnormal behavior monitoring module (8) and the data risk analysis module (9) and can be used for carrying out safety early warning on the server;
an abnormal feedback module (11) arranged at the output end of the safety early warning module (10), wherein the output end of the abnormal feedback module (11) is connected with a server response unit (12);
the abnormal feedback module (11) is used for feeding back abnormal behaviors and transmitting feedback results to the server;
the server response unit (12) is used for responding to the early warning information and the feedback information in time and encrypting the data information reversely through the identity recognition module (23);
the communication blocking module (14) is connected to the output end of the behavior analysis module (13), the output end of the communication blocking module (14) is connected with a virus interception module (15) and an attack source capture module (17), and the output end of the virus interception module (15) is connected with a firewall filtering module (16);
the communication blocking module (14) is used for blocking abnormal communication information, and avoiding server data loss caused by abnormal signals flowing into an invading server along with data;
the virus interception module (15) is used for intercepting viruses and Trojans;
the firewall filtering module (16) is used for filtering abnormal information by a firewall;
a network counterattack module (18) connected to the output end of the attack source capturing module (17), an identity drawing module (19) connected to the output end of the network counterattack module (18), and a server resource analysis unit (20), a flow monitoring control module (21) and a phishing website identification module (22) respectively connected to the output end of the attack source capturing module (17);
the server resource analysis unit (20) can be used for analyzing abnormal files, accounts, ports and service protocols;
the flow monitoring control module (21) is used for locking abnormal communication flow, an attack source and an attack target;
the phishing website identification module (22) is used for acquiring malicious file samples and phishing URLs;
the identity drawing module (19) can draw a complete attacker portrait based on the attack source information acquired by the network counterattack module (18) and the attack source capturing module (17).
2. A system for online monitoring of data security operations according to claim 1, characterized in that the network counterattack module (18) comprises an IP location unit (1801), an ID tracking unit (1802) and a domain name resolution unit (1803);
the IP positioning unit (1801) is used for performing server analysis on an IP port of an attack source to obtain attack source information;
the ID tracking unit (1802) is used for carrying out mailbox tracing on an ID account of an attack source login website to obtain a real name of an attack source;
the domain name resolution unit (1803) is used for resolving a login domain name of an attack source background terminal to obtain domain name registration information;
the network counterattack module (18) locates an attack source through an IP locating unit (1801), an ID tracking unit (1802) and a domain name resolution unit (1803), and finishes counterattack by using the obtained IP account, the obtained ID account and the obtained domain name address.
3. The system for on-line monitoring of data security operation according to claim 1, wherein the identity recognition module (23) is further provided with:
the identifier intercepting unit (31) is arranged at the output end of the identity identification module (23), the output end of the identifier intercepting unit (31) is connected with the dynamic updating unit (32), the output end of the dynamic updating unit (32) is connected with the key synchronizing unit (33), and the output end of the key synchronizing unit (33) is connected with the key identification unit (34).
4. A system for online monitoring of the safe operation of data according to claim 3, characterized in that the identifier intercepting unit (31) is adapted to intercept the identifier in the key number field;
the dynamic updating unit (32) is used for dynamically updating the identifier in the key number field and forming a new key;
the key synchronization unit (33) is used for synchronously updating the changed key information and storing the key information in a database so as to facilitate subsequent identification;
the key identification unit (34) is used for comparing and identifying keys.
5. The system for on-line monitoring of data safe operation according to claim 1, characterized in that the hardware device management system (1) is further provided with:
the device data control module (3) is connected to the output end of the hardware device management system (1), the input end of the device data control module (3) is respectively connected with a CPU occupancy rate monitoring unit (5), a temperature monitoring unit (6) and a memory occupancy rate monitoring unit (7), and the output end of the device data control module (3) is connected with a device online debugging module (4);
the device data control module (3) is used for controlling basic data of the server device;
the device online debugging module (4) is used for freeing up the occupied space ratio in the server, clearing redundant storage information and controlling the temperature of the server through the cooler.
6. The system for on-line monitoring of data safe operation according to claim 5, characterized in that, the CPU occupancy monitoring unit (5) is used for real-time monitoring of the CPU occupancy of the server;
the temperature monitoring unit (6) is used for monitoring the temperature of the server equipment in real time;
the memory occupancy rate monitoring unit (7) is used for monitoring the memory occupancy rate of the server in real time.
7. The system for on-line monitoring of data safe operation according to claim 1, characterized in that the data risk analysis module (9) is further provided with:
the database storage module (29) is connected to the output end of the data risk analysis module (9), and the output end of the database storage module (29) is connected with the data restoration module (30);
wherein the database storage module (29) is used for performing sample storage on source data information;
the data repair module (30) is used for performing data repair on lost source data information.
8. The system for on-line monitoring of data safe operation according to claim 1, characterized in that the data risk analysis module (9) is further provided with:
a risk model building unit (24) connected to the output end of the data risk analysis module (9), wherein the output end of the risk model building unit (24) is connected with a virtual platform building unit (25), the output end of the virtual platform building unit (25) is connected with a risk evaluation unit (26), the output end of the risk evaluation unit (26) is connected with a platform optimization unit (27), and the output end of the platform optimization unit (27) is connected with a data encryption unit (28).
9. The system for online monitoring of data security operation according to claim 8, wherein the risk model building unit (24) is used for building a risk model;
the virtual platform construction unit (25) is used for constructing a virtual working platform consistent with the server operation environment;
the risk assessment unit (26) is used for performing risk assessment on the operation result on the virtual platform;
the platform optimization unit (27) is used for carrying out environment optimization on the server equipment for risk assessment;
the data encryption unit (28) is used for encrypting data.
10. A method for monitoring data safe operation on line is characterized by comprising the following steps:
S1, a communication abnormal behavior monitoring module (8) in the safety communication management system (2) monitors abnormal behaviors in the communication process in real time, and can quickly block data through a communication blocking module (14) to ensure the safe operation of the data;
S2, after the communication blocking module (14) has blocked the communication, attack source information is rapidly acquired through the attack source capturing module (17) and a counterattack on the attack source is carried out through the network counterattack module (18); once an intruder is found, the system rapidly switches from defense to countermeasures, so that the intruder cannot continue attacking;
S3, after the attack source information is acquired, an identity drawing module (19) is used to draw a complete attacker portrait and the attack category is evaluated based on the portrait information;
and S4, after the attack is resisted, a timely response is carried out through the server response unit (12), and the identity key is updated through the dynamic updating unit (32) in the identity drawing module (19), so that the data security is reinforced.
CN202210281677.1A 2022-03-21 2022-03-21 Data safety operation on-line monitoring system Active CN114826880B (en)

Publications (2)

Publication Number Publication Date
CN114826880A true CN114826880A (en) 2022-07-29
CN114826880B CN114826880B (en) 2023-09-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant