CN114826880B - Data safety operation on-line monitoring system - Google Patents


Info

Publication number: CN114826880B
Application number: CN202210281677.1A
Authority: CN (China)
Other versions: CN114826880A
Other languages: Chinese (zh)
Legal status: Active
Prior art keywords: module, unit, data, output end, server
Inventors: 谢林江, 杭菲璐, 郭威, 张振红, 罗震宇, 陈何雄, 毛正雄, 李寒箬, 梅东晖, 何映军
Current assignee: Information Center of Yunnan Power Grid Co Ltd
Original assignee: Information Center of Yunnan Power Grid Co Ltd
Application filed by: Information Center of Yunnan Power Grid Co Ltd

Events:
Priority to CN202210281677.1A
Publication of CN114826880A
Application granted
Publication of CN114826880B
Legal status: Active (current)
Anticipated expiration

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L 63/1483 Countermeasures against malicious traffic: service impersonation, e.g. phishing, pharming or web spoofing


Abstract

The invention discloses a method and a system for online monitoring of data safety operation. The system comprises a hardware device management system whose output end is connected with a safety communication management system, and the safety communication management system comprises a communication abnormal behavior monitoring module, a data risk analysis module and an identity recognition module. The communication abnormal behavior monitoring module can monitor any abnormal behavior in the data communication process in real time; when abnormal information is acquired, the network counterattack module quickly counters the abnormal behavior, turning the defender's disadvantaged role into that of the attacker. When the attack source receives the counterattack signal, it first withdraws its attack instruction in order to avoid damage to its own data, which provides time to protect the defender's data: the server terminal responds quickly, the dynamic updating unit is activated, the key update is completed, and forced theft of the data is avoided.

Description

Data safety operation on-line monitoring system
Technical Field
The invention relates to the technical field of data security, in particular to a method and a system for online monitoring of data security operation.
Background
The International Organization for Standardization (ISO) defines computer system security as the technical and management safeguards established and adopted for data processing systems to protect computer hardware, software and data from being destroyed, altered or disclosed through accidental or malicious causes. Computer network security can therefore be understood as the use of technical and management measures to keep the network system operating normally, so that the availability, integrity and confidentiality of network data are ensured. The purpose of network security protection measures is thus to ensure that data transmitted and exchanged over the network is not added to, modified, lost or leaked.
When an external attack is encountered, the existing online monitoring systems for data safety operation only protect their own data in isolation, cannot acquire attack source information, and cannot guarantee data security.
Disclosure of Invention
The invention aims to provide a method and a system for online monitoring of data safety operation, so as to solve the problems described in the background: when an external attack is encountered, the existing online monitoring system for data safety operation only protects its own data in isolation, cannot acquire attack source information, and can hardly ensure data security.
To achieve the above purpose, the present invention provides the following technical solution. A method and a system for online monitoring of data security operation comprise the following:
the system comprises a hardware device management system, wherein the output end of the hardware device management system is connected with a safety communication management system, the safety communication management system comprises a communication abnormal behavior monitoring module, a data risk analysis module and an identity recognition module, and the output end of the communication abnormal behavior monitoring module is connected with a behavior analysis module;
the communication abnormal behavior monitoring module is used for monitoring abnormal behaviors in a communication process;
the data risk analysis module is used for analyzing and evaluating the data operation risk in the server;
the behavior analysis module is used for carrying out abnormal analysis on behaviors in the communication process and screening out abnormal behaviors;
the identity recognition module is used for carrying out identity security authentication through a secret key;
the safety early warning module is connected with the output ends of the communication abnormal behavior monitoring module and the data risk analysis module;
the abnormal feedback module is arranged at the output end of the safety early warning module, and the output end of the abnormal feedback module is connected with a server response unit;
the safety early warning module is used for carrying out safety early warning on the server response unit;
the abnormal feedback module is used for feeding back abnormal behaviors and transmitting feedback results to the server response unit;
the server response unit is used for timely responding to the early warning information and the feedback information and encrypting the data information reversely through the identity recognition module;
the communication blocking module is connected with the output end of the behavior analysis module, the output end of the communication blocking module is connected with the virus interception module and the attack source capturing module, and the output end of the virus interception module is connected with the firewall filtering module;
the communication blocking module is used for blocking abnormal communication information, so that abnormal signals accompanying the data do not flow into the server and cause server data loss;
the virus interception module is used for intercepting viruses and Trojans;
the firewall filtering module is used for filtering abnormal information by means of a firewall;
the network counterattack module is connected with the output end of the attack source capturing module, the output end of the network counterattack module is connected with the identity drawing module, and the output end of the attack source capturing module is respectively connected with the server resource analysis unit, the flow monitoring control module and the phishing website identification module;
the server resource analysis unit can be used for analyzing abnormal files, accounts, ports and service protocols;
the flow monitoring control module is used for locking onto abnormal communication flows, attack sources and attack targets;
the phishing website identification module is used for acquiring malicious file samples and phishing website URLs;
the identity drawing module can outline a complete attacker portrait based on the attack source information acquired by the network counterattack module and the attack source capturing module.
Preferably, the network counterattack module comprises an IP positioning unit, an ID tracking unit and a domain name resolution unit;
the IP positioning unit is used for performing server analysis on the IP port of the attack source to obtain attack source information;
the ID tracking unit is used for performing mailbox tracking on the ID account with which the attack source logs in to the website, so as to obtain the real name of the attack source;
the domain name resolution unit is used for resolving the domain name registered by the attack source's background terminal to obtain the domain name registration information;
the network counterattack module locates the attack source through the IP positioning unit, the ID tracking unit and the domain name resolution unit, and uses the obtained IP account number, ID account number and domain name address to complete the counterattack.
Preferably, the identity recognition module comprises an identifier interception unit, the output end of the identifier interception unit is connected with a dynamic updating unit, the output end of the dynamic updating unit is connected with a key synchronization unit, and the output end of the key synchronization unit is connected with a key recognition unit.
Preferably, the identifier intercepting unit is used for intercepting the identifier in the key number field;
the dynamic updating unit is used for dynamically updating the identifier in the key number field and forming a new key;
the key synchronization unit is used for synchronously updating the changed key information and storing the key information in the database so as to facilitate the subsequent identification;
the key identification unit is used for comparing and identifying the keys.
Preferably, the hardware device management system comprises a device data control module, wherein the input end of the device data control module is respectively connected with a CPU occupancy rate monitoring unit, a temperature monitoring unit and a memory occupancy rate monitoring unit, and the output end of the device data control module is connected with a device online debugging module;
the device data control module is used for controlling the basic data of the server device;
the device online debugging module is used for freeing occupied space in the server, clearing redundant stored information and controlling the server temperature through the cooler.
Preferably, the CPU occupancy rate monitoring unit is configured to monitor the CPU occupancy rate of the server in real time;
the temperature monitoring unit is used for monitoring the temperature of the server device in real time;
the memory occupancy rate monitoring unit is used for monitoring the memory occupancy rate of the server in real time.
Preferably, the data risk analysis module comprises a database storage module, and the output end of the database storage module is connected with a data restoration module;
the database storage module is used for storing samples of the source data information;
the data restoration module is used for restoring lost source data information.
Preferably, the data risk analysis module comprises a risk model construction unit, the output end of the risk model construction unit is connected with a virtual platform construction unit, the output end of the virtual platform construction unit is connected with a risk assessment unit, the output end of the risk assessment unit is connected with a platform optimization unit, and the output end of the platform optimization unit is connected with a data encryption unit.
Preferably, the risk model building unit is used for building a risk model;
the virtual platform construction unit is used for constructing a virtual working platform consistent with the running environment of the server;
the risk assessment unit is used for performing risk assessment on the running result on the virtual platform;
the platform optimization unit is used for performing environment optimization on the server equipment aiming at risk assessment;
the data encryption unit is used for encrypting data.
A method for online monitoring of data security operation, comprising the steps of:
S1, the communication abnormal behavior monitoring module in the safety communication management system monitors abnormal behaviors in the communication process in real time and can rapidly block the data through the communication blocking module, so as to ensure safe operation of the data;
S2, after the communication blocking module has blocked the communication, the attack source information is quickly obtained through the attack source capturing module and a counterattack against the attack source is carried out through the network counterattack module; once an intruder is found, the approach is switched quickly and countermeasures are taken, so that continued attacks by the intruder are avoided;
S3, after the attack source information is acquired, a complete portrait of the attacker is drawn using the identity drawing module, and the attack category is evaluated based on the portrait information;
and S4, after the attack has been resisted, a timely response is made through the server response unit, and the identity key is updated through the dynamic updating unit in the identity drawing module, so that data security is reinforced.
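As an added illustration that is not code from the patent, the key-update flow behind S4 and the identity recognition module described above (identifier interception, dynamic updating on the feedback signal, key synchronization to the database, key recognition by comparison) can be modelled like this. The KEYNO/BODY/MAC frame layout, the HMAC-based comparison and the in-memory database stand-in are assumptions of this example, not the patent's.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed (not from the patent) frame layout: the key number field KEYNO
# carries the key identifier, BODY the payload and MAC an HMAC-SHA256 of the
# payload under the key KEYNO refers to. Payloads must not contain ';' or '='.


@dataclass
class KeyRecord:
    identifier: str   # value carried in the key number field
    key: bytes        # secret used for identity authentication
    active: bool = True


class KeyDatabase:
    """Stand-in for the database the key synchronization unit writes to."""

    def __init__(self) -> None:
        self._records: Dict[str, KeyRecord] = {}

    def upsert(self, rec: KeyRecord) -> None:
        self._records[rec.identifier] = rec

    def get(self, identifier: str) -> Optional[KeyRecord]:
        return self._records.get(identifier)


def parse_frame(frame: str) -> Dict[str, str]:
    """Identifier interception unit: split the frame into fields so the
    key number field (KEYNO) can be picked out."""
    fields: Dict[str, str] = {}
    for part in frame.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            fields[name] = value
    return fields


class IdentityRecognitionModule:
    def __init__(self, db: KeyDatabase) -> None:
        self.db = db
        self.current: Optional[KeyRecord] = None

    def dynamic_update(self) -> KeyRecord:
        """Dynamic updating unit: retire the current key and issue a fresh,
        randomly generated identifier and key (the 'random updating state').
        Each upsert into the database is the key synchronization step."""
        if self.current is not None:
            self.current.active = False
            self.db.upsert(self.current)          # old identifier now rejected
        self.current = KeyRecord(secrets.token_hex(8), secrets.token_bytes(32))
        self.db.upsert(self.current)              # key synchronization
        return self.current

    def build_frame(self, payload: str) -> str:
        """Sender side: fill the current identifier into the key number field
        and authenticate the payload under the matching key."""
        assert self.current is not None, "no key provisioned yet"
        mac = hmac.new(self.current.key, payload.encode(), hashlib.sha256).hexdigest()
        return f"KEYNO={self.current.identifier};BODY={payload};MAC={mac}"

    def recognize(self, frame: str) -> bool:
        """Key recognition unit: look the intercepted identifier up in the
        database and compare the MAC in constant time."""
        fields = parse_frame(frame)
        rec = self.db.get(fields.get("KEYNO", ""))
        if rec is None or not rec.active:
            return False
        expected = hmac.new(rec.key, fields.get("BODY", "").encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, fields.get("MAC", ""))

    def on_feedback_signal(self) -> KeyRecord:
        """Abnormal feedback module -> server response unit -> dynamic update."""
        return self.dynamic_update()


def demo() -> Dict[str, bool]:
    """Walk through the flow: a valid frame is recognised, a tampered frame and
    an unknown identifier are rejected, the feedback signal rotates the key,
    the retired key is rejected and the rotated key is accepted."""
    module = IdentityRecognitionModule(KeyDatabase())
    module.dynamic_update()                        # initial provisioning
    frame = module.build_frame("telemetry-ok")     # constructed sample message
    results = {
        "valid_frame_accepted": module.recognize(frame),
        "tampered_body_rejected": not module.recognize(
            frame.replace("BODY=telemetry-ok", "BODY=telemetry-ko")),
        "unknown_identifier_rejected": not module.recognize("KEYNO=deadbeef;BODY=x;MAC=00"),
    }
    module.on_feedback_signal()                    # anomaly reported: rotate key
    results["retired_key_rejected"] = not module.recognize(frame)
    results["rotated_key_accepted"] = module.recognize(module.build_frame("telemetry-ok"))
    return results


if __name__ == "__main__":
    print(demo())
```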
Compared with the prior art, the invention provides a method and a system for online monitoring of data safe operation, which have the following beneficial effects:
1. According to the invention, the basic information of the hardware device can be controlled through the device data control module; the CPU occupancy rate monitoring unit, the temperature monitoring unit and the memory occupancy rate monitoring unit connected with it monitor, in real time, the CPU occupancy rate of the server, the internal temperature of the server and the memory occupancy rate of the server respectively. When the occupancy rate or the temperature is too high, the device is debugged through the device online debugging module to carry out cooling and garbage cleaning, so that data damage caused by an abnormal crash of the server during use, due to excessive temperature, insufficient memory or the like, is avoided;
2. the invention can monitor any abnormal behavior in the data communication process in real time through the communication abnormal behavior monitoring module; when abnormal information is acquired, the network counterattack module can counterattack, turning the defender's disadvantaged role into that of the attacker. When the attack source receives the counterattack signal, it first withdraws its attack instruction to avoid damaging its own data, which provides time to protect the defender's data, lets the server respond quickly, activates the dynamic updating unit and completes the key update, thereby avoiding forced theft of the data;
3. according to the invention, the attack source capturing module can rapidly check the abnormal log, the network flow, the server address, the website gateway and the like from three aspects, through the server resource analysis unit, the flow monitoring control module and the phishing website identification module, to obtain attack source information; meanwhile, the identity drawing module acquires the identity information of the attack source and draws a detailed network portrait so that the purpose of the attack becomes clear, and the defender's data protection system is reinforced and optimized in a targeted manner;
4. according to the invention, the data security risk can be evaluated through the data risk analysis module: a model is built through the risk model building unit, the built model is run on the virtual platform built through the virtual platform building unit, and risk evaluation is carried out through the risk evaluation unit according to the run result, so that the data is optimized at the source and data security is improved. The database storage module additionally arranged in the data risk analysis module stores the data source, and the data restoration module can restore the source data to avoid data loss;
5. according to the invention, through the identity recognition module, the identifier intercepting unit can rapidly intercept the effective identifier of the key in the communication data; after the feedback signal transmitted by the abnormal feedback module is received, the key is updated in time by the dynamic updating unit and written into the identifier of the data source, and at the same time the updated key is updated in the database by the key synchronizing unit, so that the key recognizing unit can rapidly recognize the updated key. During this process the dynamic updating unit is in a random updating state, so confidentiality is better and there is no need to worry about data leakage.
Drawings
FIG. 1 is a schematic diagram of the overall workflow structure of the present invention;
FIG. 2 is a schematic diagram of a workflow structure of the communication abnormal behavior monitoring module according to the present invention;
FIG. 3 is a schematic diagram of a workflow structure of a network counterattack module according to the present invention;
FIG. 4 is a schematic diagram of a workflow structure of an attack source capture module according to the present invention;
FIG. 5 is a schematic diagram of a workflow structure of the data risk analysis module of the present invention;
FIG. 6 is a schematic diagram of a workflow structure of an identity module according to the present invention.
In the figures: 1. a hardware device management system; 2. a safety communication management system; 3. a device data control module; 4. a device online debugging module; 5. a CPU occupancy rate monitoring unit; 6. a temperature monitoring unit; 7. a memory occupancy rate monitoring unit; 8. a communication abnormal behavior monitoring module; 9. a data risk analysis module; 10. a safety early warning module; 11. an abnormal feedback module; 12. a server response unit; 13. a behavior analysis module; 14. a communication blocking module; 15. a virus interception module; 16. a firewall filtering module; 17. an attack source capturing module; 18. a network counterattack module; 1801. an IP positioning unit; 1802. an ID tracking unit; 1803. a domain name resolution unit; 19. an identity drawing module; 20. a server resource analysis unit; 21. a flow monitoring control module; 22. a phishing website identification module; 23. an identity recognition module; 24. a risk model building unit; 25. a virtual platform construction unit; 26. a risk assessment unit; 27. a platform optimization unit; 28. a data encryption unit; 29. a database storage module; 30. a data restoration module; 31. an identifier interception unit; 32. a dynamic updating unit; 33. a key synchronization unit; 34. a key identification unit.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1 and 2, a system for online monitoring of data security operations includes a hardware device management system 1, the output end of which is connected with a safety communication management system 2. The safety communication management system 2 comprises a communication abnormal behavior monitoring module 8, a data risk analysis module 9 and an identity recognition module 23, and the output end of the communication abnormal behavior monitoring module 8 is connected with a behavior analysis module 13. The communication abnormal behavior monitoring module 8 is used for monitoring abnormal behaviors in the communication process; the data risk analysis module 9 is used for analyzing and evaluating the running risk of the data in the server; the behavior analysis module 13 is used for carrying out abnormal analysis on behaviors in the communication process and screening out abnormal behaviors; the identity recognition module 23 is used for carrying out identity security authentication through a secret key.

The device data control module 3 is connected to the output end of the hardware device management system 1; the input end of the device data control module 3 is respectively connected with the CPU occupancy rate monitoring unit 5, the temperature monitoring unit 6 and the memory occupancy rate monitoring unit 7, and the output end of the device data control module 3 is connected with the device online debugging module 4. The device data control module 3 is used for controlling the basic data of the server device; the device online debugging module 4 is used for freeing occupied space in the server, clearing redundant stored information and controlling the server temperature through the cooler; the CPU occupancy rate monitoring unit 5 is used for monitoring the CPU occupancy rate of the server in real time; the temperature monitoring unit 6 is used for monitoring the temperature of the server device in real time; the memory occupancy rate monitoring unit 7 is used for monitoring the memory occupancy rate of the server in real time. In this way the basic information of the hardware device can be controlled through the device data control module 3, and the three monitoring units 5, 6 and 7 connected with it monitor the CPU occupancy rate, the internal temperature and the memory occupancy rate of the server in real time; when the occupancy rate or the temperature is too high, the device is debugged through the device online debugging module 4 to carry out cooling and garbage removal, so that data damage caused by an abnormal crash of the server during use, due to excessive temperature, insufficient memory or the like, is avoided.

The safety early warning module 10 is connected to the output ends of the communication abnormal behavior monitoring module 8 and the data risk analysis module 9 and can be used for carrying out safety early warning on the server. The abnormal feedback module 11 is arranged at the output end of the safety early warning module 10, and the output end of the abnormal feedback module 11 is connected with the server response unit 12; the abnormal feedback module 11 is used for feeding back abnormal behaviors and transmitting feedback results to the server, and the server response unit 12 is used for timely responding to the early warning information and the feedback information and encrypting the data information reversely through the identity recognition module 23. The communication blocking module 14 is connected to the output end of the behavior analysis module 13; the output end of the communication blocking module 14 is connected with the virus interception module 15 and the attack source capturing module 17, and the output end of the virus interception module 15 is connected with the firewall filtering module 16. The communication blocking module 14 is used for blocking abnormal communication information, so that abnormal signals do not flow into the server along with the data and cause server data loss; the virus interception module 15 is used for intercepting viruses and Trojans; the firewall filtering module 16 is configured to filter abnormal information by means of the firewall.
As shown in fig. 2, 3 and 4, the network counterattack module 18 comprises an IP positioning unit 1801, an ID tracking unit 1802 and a domain name resolution unit 1803. The IP positioning unit 1801 is configured to perform server analysis on the IP port of the attack source to obtain attack source information; the ID tracking unit 1802 is configured to perform mailbox tracking on the ID account with which the attack source logs in to the website, so as to obtain the real name of the attack source; the domain name resolution unit 1803 is used for resolving the domain name registered by the attack source's background terminal to obtain the domain name registration information. The network counterattack module 18 locates the attack source through the IP positioning unit 1801, the ID tracking unit 1802 and the domain name resolution unit 1803, and uses the acquired IP account number, ID account number and domain name address to complete the counterattack. Any abnormal behavior in the data communication process can be monitored in real time through the communication abnormal behavior monitoring module 8; when abnormal information is acquired, a counterattack can be performed quickly through the network counterattack module 18, turning the defender's disadvantaged role into that of the attacker. When the attack source receives the counterattack signal, it first withdraws its attack instruction, which provides time to protect the defender's data: the server side responds quickly, the dynamic updating unit 32 is activated, and the key update is completed, so that forced theft of the data is avoided.

The network counterattack module 18 is connected to the output end of the attack source capturing module 17, the output end of the network counterattack module 18 is connected with the identity drawing module 19, and the output end of the attack source capturing module 17 is respectively connected with the server resource analysis unit 20, the flow monitoring control module 21 and the phishing website identification module 22. The server resource analysis unit 20 can be used for analyzing abnormal files, accounts, ports and service protocols; the flow monitoring control module 21 is used for locking onto abnormal communication flows, attack sources and attack targets; the phishing website identification module 22 is used for acquiring malicious file samples and phishing website URLs; the identity drawing module 19 can draw a complete attacker portrait based on the attack source information acquired by the network counterattack module 18 and the attack source capturing module 17. The attack source capturing module 17 can thus quickly check the exception log, the network flow, the server address, the website gateway and the like from three aspects, through the server resource analysis unit 20, the flow monitoring control module 21 and the phishing website identification module 22, to acquire the attack source information; meanwhile the identity drawing module 19 acquires the identity information of the attack source and draws a detailed network portrait so that the purpose of the attack becomes clear, and the defender's data protection system is reinforced and optimized in a targeted manner.
As shown in fig. 5 and 6, the system for online monitoring of data security operations further includes the identifier intercepting unit 31, which is arranged at the output end of the identity recognition module 23; the output end of the identifier intercepting unit 31 is connected with the dynamic updating unit 32, the output end of the dynamic updating unit 32 is connected with the key synchronizing unit 33, and the output end of the key synchronizing unit 33 is connected with the key recognition unit 34. The identifier intercepting unit 31 intercepts the identifier in the key number field; the dynamic updating unit 32 dynamically updates the identifier in the key number field and forms a new key; the key synchronization unit 33 propagates the changed key information and stores the updated key in the database so that it can be recognised later; the key recognition unit 34 compares and recognises keys. Through the identity recognition module 23, the identifier intercepting unit 31 quickly intercepts the effective key identifier in the communication data. After the feedback signal from the abnormal feedback module 11 is received, the dynamic updating unit 32 updates the key in time and attaches it to the identifier of the data source, the key synchronization unit 33 writes the updated key to the database, and the key recognition unit 34 can then recognise the updated key quickly. Because the dynamic updating unit 32 updates the key at random, confidentiality is better and data leakage is not a concern. The database storage module 29 is connected to the output end of the data risk analysis module 9, and the output end of the database storage module 29 is connected with the data restoration module 30; the database storage module 29 stores samples of the source data information, and
the data restoration module 30 restores lost source data information. The risk model building unit 24 is connected to the output end of the data risk analysis module 9, the output end of the risk model building unit 24 is connected with the virtual platform building unit 25, the output end of the virtual platform building unit 25 is connected with the risk assessment unit 26, the output end of the risk assessment unit 26 is connected with the platform optimization unit 27, and the output end of the platform optimization unit 27 is connected with the data encryption unit 28. The risk model building unit 24 builds a risk model; the virtual platform construction unit 25 constructs a virtual working platform consistent with the running environment of the server; the risk assessment unit 26 performs a risk assessment of the run result on the virtual platform; the platform optimization unit 27 optimises the environment of the server device according to the risk assessment; the data encryption unit 28 encrypts the data. The data risk analysis module 9 thus evaluates the data security risk: a model is built by the risk model building unit 24, run on the virtual platform built by the virtual platform building unit 25 and assessed by the risk evaluation unit 26 from the run result, so that the data is optimised at the source and data security is improved. The database storage module 29 is additionally arranged in the data risk analysis module 9 to store the data source, and the data restoration module 30 can restore the source data so that data loss is avoided.
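The identifier interception, dynamic update, synchronisation and recognition chain of units 31 to 34, written out as an added example (not the patent's code; the patent names the units but gives no message format or algorithm). The message layout `<key id>|<payload>|<tag>`, the use of HMAC-SHA256 as the tag, random 32-byte keys with random 4-byte identifiers, and immediate retirement of the old key on rotation are all assumptions made here. Two design points matter in practice and are reflected in the code. First, the update is triggered by the feedback signal of the abnormal feedback module 11, not by a failed recognition on its own: if any bad tag forced a rotation, an attacker could desynchronise honest peers at will simply by sending garbage. Second, the patent does not say how the new key reaches the other side; `synchronise` stands in for that step and is assumed to run over an authenticated channel, because a key update that an attacker can observe or inject protects nothing.

```python
"""Key-identifier interception, dynamic key update, key synchronisation and
key recognition (units 31-34) as an added example; not the patent's code.
Message layout, HMAC-SHA256 tag and immediate key retirement are assumptions."""
import hashlib
import hmac
import secrets


class KeyStore:
    """Unit 33's database: every key this party may still use or accept."""

    def __init__(self):
        self.keys = {}        # key id -> 32-byte secret
        self.current = None   # key id used for new messages
        self.rotations = 0

    def rotate(self):
        """Unit 32: install a fresh random key under a fresh identifier and
        retire the previous one, so a captured identifier stops being valid."""
        if self.current is not None:
            del self.keys[self.current]
        self.current = secrets.token_hex(4)
        self.keys[self.current] = secrets.token_bytes(32)
        self.rotations += 1
        return self.current

    def on_abnormal_feedback(self):
        """Only the abnormal feedback module 11 triggers a rotation; a bad tag
        by itself does not, or forged packets could force rotations at will."""
        return self.rotate()


def synchronise(source, target):
    """Unit 33: copy key material to a peer. Assumed to travel over an
    authenticated channel; the patent does not say how keys are distributed."""
    target.keys = dict(source.keys)
    target.current = source.current


def _tag(key, kid, payload):
    # The identifier is bound into the tag so it cannot be swapped without detection.
    return hmac.new(key, kid.encode() + b"|" + payload, hashlib.sha256).hexdigest()


def seal(store, payload):
    """Sender: put the key identifier in the key-number field and append a tag."""
    kid = store.current
    return f"{kid}|{payload.decode()}|{_tag(store.keys[kid], kid, payload)}"


def intercept_identifier(message):
    """Unit 31: extract the identifier from the key-number field."""
    return message.split("|", 1)[0]


def recognise(store, message):
    """Unit 34: look the key up by identifier and verify the tag in constant time."""
    try:
        kid, payload, tag = message.split("|")
    except ValueError:
        return False, "malformed"
    key = store.keys.get(kid)
    if key is None:
        return False, "unknown-or-retired-key-id"
    if not hmac.compare_digest(_tag(key, kid, payload.encode()), tag):
        return False, "bad-tag"
    return True, kid


def run_scenario():
    """Rotation after an anomaly invalidates replay, forgery and stale senders."""
    server, client = KeyStore(), KeyStore()
    server.rotate()                              # initial key
    synchronise(server, client)
    msg = seal(client, b"meter-reading:42")
    result = {"first": recognise(server, msg)}
    captured = msg                               # attacker copied it off the wire
    old_kid, _, old_tag = captured.split("|")
    result["tampered"] = recognise(server, f"{old_kid}|meter-reading:99|{old_tag}")
    server.on_abnormal_feedback()                # anomaly reported -> rotate
    result["replay"] = recognise(server, captured)
    result["forged"] = recognise(server, f"{server.current}|meter-reading:0|{'0' * 64}")
    result["stale_sender"] = recognise(server, seal(client, b"meter-reading:43"))
    synchronise(server, client)                  # key synchronisation
    result["resumed"] = recognise(server, seal(client, b"meter-reading:43"))
    result["identifier_changed"] = intercept_identifier(captured) != server.current
    return result


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:19} {outcome}")
```

`run_scenario` walks through the sequence the description gives: a message sealed under the current key verifies; after the feedback-triggered update, a replay of the captured message fails because its identifier has been retired, a forgery under the new identifier fails because the attacker lacks the key, and a peer that has not yet been synchronised fails too until `synchronise` runs. Retiring the old key immediately is the strict choice; a deployment that must tolerate in-flight messages would keep it for a short grace window instead.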
As shown in fig. 1, 2, 3, 4, 5 and 6, a method for online monitoring of data security operation includes the following steps:
S1. The communication abnormal behaviour monitoring module 8 in the secure communication management system 2 monitors abnormal behaviour in the communication process in real time, and the communication blocking module 14 can quickly block the data flow so that the data keeps operating safely;
S2. After the communication blocking module 14 has blocked the communication, attack source information is quickly acquired through the attack source capturing module 17 and a counterattack on the attack source is carried out through the network counterattack module 18; once an intruder is found the system switches quickly from defence to countermeasures, so that the intruder cannot keep attacking;
S3. After the attack source information is acquired, the identity drawing module 19 outlines a complete attacker portrait and the attack category is evaluated from the portrait information;
S4. After the attack has been withstood, the server response unit 12 responds in time and the identity key is updated through the dynamic updating unit 32 of the identity recognition module 23, so that data security is reinforced.
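Steps S1 and S2 are the only part of the method the description leaves entirely unspecified: what "abnormal behaviour" the monitoring module 8 reacts to, how the behaviour analysis module 13 screens it, and what blocking by module 14 means for later traffic. The following added example (not the patent's code) makes one concrete choice: a per-source sliding window over connection events, three screening rules (request flood, port scan, bulk outbound transfer), and a block that drops every later event from that source before any further analysis. The event shape, the 60-second window, the thresholds and the `iptables` rule text (assuming a Linux host) are assumptions. The allow-list exists because the bulk-transfer rule would otherwise cut off a legitimate backup or replication host; that false-positive path is the first thing such a rule hits in production.

```python
"""Real-time monitoring and blocking (method steps S1 and S2, modules 8, 13, 14)
as an added example; not the patent's code. Event shape, window length,
thresholds and the iptables rule text are assumptions."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MAX_REQUESTS = 20                # per source per window: more is a flood
MAX_DISTINCT_PORTS = 5           # more distinct destination ports looks like a scan
MAX_OUTBOUND_BYTES = 5_000_000   # more outbound volume looks like bulk exfiltration

# Constructed connection events: (seconds, source ip, destination port, bytes out).
SAMPLE_EVENTS = [
    (0, "192.0.2.10", 443, 1200),
    (1, "203.0.113.7", 21, 0), (2, "203.0.113.7", 22, 0), (3, "203.0.113.7", 23, 0),
    (4, "203.0.113.7", 25, 0), (5, "203.0.113.7", 80, 0), (6, "203.0.113.7", 443, 0),
    (7, "203.0.113.7", 8080, 0),
    (10, "192.0.2.10", 443, 900),
    (20, "198.51.100.4", 443, 2_000_000), (21, "198.51.100.4", 443, 2_000_000),
    (22, "198.51.100.4", 443, 2_000_000),
    (90, "192.0.2.10", 443, 1000),
]


class CommunicationMonitor:
    """Module 8 keeps a sliding window per source, module 13 screens it for
    abnormal patterns, module 14 blocks the source for everything that follows."""

    def __init__(self, allow_list=()):
        self.windows = defaultdict(deque)   # src -> deque of (ts, port, bytes_out)
        self.blocked = {}                   # src -> reason
        self.allow_list = set(allow_list)   # hosts allowed to move bulk data legitimately
        self.dropped = 0

    def _screen(self, window):
        """Behaviour analysis: return a reason if the window is abnormal, else None."""
        if len(window) > MAX_REQUESTS:
            return "request flood"
        if len({port for _, port, _ in window}) > MAX_DISTINCT_PORTS:
            return "port scan"
        if sum(out for _, _, out in window) > MAX_OUTBOUND_BYTES:
            return "bulk outbound transfer"
        return None

    def observe(self, ts, src, dst_port, bytes_out=0):
        """Decide one event: 'dropped' (source already blocked), 'blocked: <reason>' or 'allowed'."""
        if src in self.blocked:
            self.dropped += 1
            return "dropped"
        window = self.windows[src]
        window.append((ts, dst_port, bytes_out))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()                # expire events that left the window
        reason = None if src in self.allow_list else self._screen(window)
        if reason:
            self.blocked[src] = reason
            return f"blocked: {reason}"
        return "allowed"

    def evidence(self, src):
        """The blocked source's windowed events, to hand to the attack source capturing module 17."""
        return list(self.windows[src])

    def block_rules(self):
        """Assumed Linux host: one DROP rule per blocked source."""
        return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(self.blocked)]


def run_sample(events=SAMPLE_EVENTS, allow_list=()):
    monitor = CommunicationMonitor(allow_list)
    decisions = [monitor.observe(*ev) for ev in events]
    return decisions, monitor


if __name__ == "__main__":
    decisions, monitor = run_sample()
    for ev, decision in zip(SAMPLE_EVENTS, decisions):
        print(ev, "->", decision)
    print(monitor.block_rules())
```

On the constructed events the scanner 203.0.113.7 is blocked at its sixth distinct port and its seventh connection is dropped without analysis, 198.51.100.4 is blocked once its outbound volume inside the window passes 5 MB, and 192.0.2.10 is never touched; passing `allow_list=["198.51.100.4"]` to `run_sample` shows the backup-host exception. The windowed events of a blocked source are what the next step would feed to the attack source capturing module 17.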
Working principle: when the data security operation monitoring system and method are used, first, to keep the server running normally, the hardware equipment management system 1 manages the hardware equipment and the secure communication management system 2 manages the software information. The device data control module 3 acts as the central controller: it aggregates and analyses in real time the data measured by the CPU occupancy rate monitoring unit 5, the temperature monitoring unit 6 and the memory occupancy rate monitoring unit 7, and directs the device online debugging module 4 to tune the device accordingly. The device online debugging module 4 can free memory and CPU capacity on the server, so that a good transmission environment is maintained while data is transmitted, and can cool the server body through a heat dissipation device, so that data is not damaged by the server hanging because of excessive temperature. Second, the secure communication management system 2 evaluates the risk of data transmission through the data risk analysis module 9: after the risk model building unit 24 has built the model, it is run on a virtual platform built by the virtual platform building unit 25 with the same memory and the same running environment as the server; the risk evaluation unit 26 performs the risk evaluation from the run result, the platform optimization unit 27 optimises the data operation process according to the evaluation result, and the data encryption unit 28 encrypts the data. Third, during actual transmission, any abnormal behaviour in the data communication process is monitored in real time by the communication abnormal behaviour monitoring module 8; attack source information is
obtained through the server resource analysis unit 20, the flow monitoring control module 21 and the phishing website identification module 22; the network counterattack module 18 traces back to obtain detailed information about the attacker so that the attacker cannot keep attacking; the identity drawing module 19 outlines a complete portrait of the attacker, the attack category is evaluated from the portrait information, the attacker's intention is derived and targeted optimisation work is carried out. Then the safety early warning module 10 raises an early warning for the server, the abnormal feedback module 11 passes the feedback result to the server response unit 12, and the server response unit 12 updates the identity key through the dynamic updating unit 32 to protect the data. Finally, while data is running, the identifier intercepting unit 31 quickly intercepts the effective identifier of the key in the communication data, the key identifying unit 34 checks it, and if the check fails the key is updated by the dynamic updating unit 32 and written back to the database by the key synchronizing unit 33, so that secondary encryption is applied and internal leakage of the data is avoided.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (9)

1. A system for online monitoring of data security operations, comprising:
the system comprises a hardware equipment management system (1), wherein the output end of the hardware equipment management system (1) is connected with a safety communication management system (2), the safety communication management system (2) comprises a communication abnormal behavior monitoring module (8), a data risk analysis module (9) and an identity recognition module (23), and the output end of the communication abnormal behavior monitoring module (8) is connected with a behavior analysis module (13);
the communication abnormal behavior monitoring module (8) is used for monitoring abnormal behaviors in a communication process;
the data risk analysis module (9) is used for analyzing and evaluating the data operation risk in the server;
the behavior analysis module (13) is used for carrying out abnormal analysis on behaviors in the communication process and screening out abnormal behaviors;
the identity recognition module (23) is used for carrying out identity security authentication through a secret key;
the safety early warning module (10) is connected with the output ends of the communication abnormal behavior monitoring module (8) and the data risk analysis module (9);
the abnormal feedback module (11) is arranged at the output end of the safety early warning module (10), and the output end of the abnormal feedback module (11) is connected with the server response unit (12);
the safety early warning module (10) is used for carrying out safety early warning on the server response unit (12);
the abnormal feedback module (11) is used for feeding back abnormal behaviors and transmitting feedback results to the server response unit (12);
the server response unit (12) is used for responding in time to the early warning information and the feedback information, and for triggering re-encryption of the data information through the identity recognition module (23);
the communication blocking module (14) is connected to the output end of the behavior analysis module (13), the output end of the communication blocking module (14) is connected with the virus interception module (15) and the attack source capturing module (17), and the output end of the virus interception module (15) is connected with the firewall filtering module (16);
the communication blocking module (14) is used for blocking abnormal communication information, so that abnormal signals carried along with the data do not flow into the server and cause server data loss;
the virus interception module (15) is used for intercepting viruses and Trojans;
the firewall filtering module (16) is used for filtering abnormal information by a firewall;
the network counterattack module (18) is connected to the output end of the attack source capturing module (17), the output end of the network counterattack module (18) is connected with the identity drawing module (19), and the output end of the attack source capturing module (17) is respectively connected with the server resource analysis unit (20), the flow monitoring control module (21) and the phishing website identification module (22);
the server resource analysis unit (20) can be used for analyzing abnormal files, account numbers, ports and service protocols;
the flow monitoring control module (21) is used for locking abnormal communication flow, an attack source and an attack target;
the phishing website identification module (22) is used for acquiring malicious file samples and phishing website URLs;
the identity drawing module (19) can outline a complete attacker portrait based on the attack source information acquired by the network counterattack module (18) and the attack source capturing module (17).
2. The system for online monitoring of data security operations of claim 1, wherein the network counterattack module (18) comprises an IP location unit (1801), an ID tracking unit (1802), and a domain name resolution unit (1803);
the IP positioning unit (1801) is used for carrying out server analysis on an IP port of an attack source to obtain attack source information;
the ID tracking unit (1802) is used for carrying out mailbox tracking on the ID account with which the attack source logged in to the website, to obtain the real name of the attack source;
the domain name resolution unit (1803) is used for resolving the login domain name of the attack source background terminal to obtain domain name registration information;
the network counterattack module (18) locates the attack source through the IP locating unit (1801), the ID tracking unit (1802) and the domain name resolution unit (1803), and uses the obtained IP address, account ID and domain name to complete the counterattack.
3. A system for online monitoring of data security operations according to claim 1, characterized in that the identity recognition module (23) comprises an identifier interception unit (31), the output end of the identifier interception unit (31) is connected with a dynamic updating unit (32), the output end of the dynamic updating unit (32) is connected with a key synchronization unit (33), and the output end of the key synchronization unit (33) is connected with a key recognition unit (34).
4. A system for online monitoring of data security operations according to claim 3, characterized in that said identifier interception unit (31) is adapted to intercept the identifier in the key number field;
the dynamic updating unit (32) is used for dynamically updating the identifier in the key number field and forming a new key;
the key synchronization unit (33) is used for synchronously updating the changed key information, storing the changed key information in the database and facilitating subsequent identification;
the key identification unit (34) is used for comparing and identifying the keys.
5. The system for online monitoring of data safe operation according to claim 1, wherein the hardware device management system (1) comprises a device data control module (3), wherein the input end of the device data control module (3) is respectively connected with a CPU occupancy rate monitoring unit (5), a temperature monitoring unit (6) and a memory occupancy rate monitoring unit (7), and the output end of the device data control module (3) is connected with a device online debugging module (4);
the device data control module (3) is used for controlling basic data of the server device;
the equipment online debugging module (4) is used for freeing occupied CPU and memory resources in the server, clearing redundant stored information and controlling the server temperature through the cooler.
6. The system for online monitoring of data security operation according to claim 5, wherein the CPU occupancy monitoring unit (5) is configured to monitor the server CPU occupancy in real time;
the temperature monitoring unit (6) is used for monitoring the temperature of the server equipment in real time;
the memory occupancy rate monitoring unit (7) is used for monitoring the memory occupancy rate of the server in real time.
7. The system for online monitoring of data security operations according to claim 1, wherein the data risk analysis module (9) comprises a database storage module (29), and a data restoration module (30) is connected to an output end of the database storage module (29);
wherein the database storage module (29) is used for storing source data information in a sample manner;
the data repair module (30) is used for repairing the lost source data information.
8. The system for online monitoring of data security operations according to claim 1, wherein the data risk analysis module (9) comprises a risk model building unit (24), wherein an output end of the risk model building unit (24) is connected with a virtual platform building unit (25), and an output end of the virtual platform building unit (25) is connected with a risk assessment unit (26), an output end of the risk assessment unit (26) is connected with a platform optimization unit (27), and an output end of the platform optimization unit (27) is connected with a data encryption unit (28).
9. A system for online monitoring of data security operations according to claim 8, characterized in that the risk model construction unit (24) is adapted to construct a risk model;
the virtual platform construction unit (25) is used for constructing a virtual working platform consistent with the running environment of the server;
the risk assessment unit (26) is used for performing risk assessment on the running result on the virtual platform;
the platform optimization unit (27) is configured to perform environmental optimization on the server device for risk assessment;
the data encryption unit (28) is used for encrypting data.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210281677.1A CN114826880B (en) 2022-03-21 2022-03-21 Data safety operation on-line monitoring system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210281677.1A CN114826880B (en) 2022-03-21 2022-03-21 Data safety operation on-line monitoring system

Publications (2)

Publication Number Publication Date
CN114826880A CN114826880A (en) 2022-07-29
CN114826880B true CN114826880B (en) 2023-09-12

Family

ID=82531286

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210281677.1A Active CN114826880B (en) 2022-03-21 2022-03-21 Data safety operation on-line monitoring system

Country Status (1)

Country Link
CN (1) CN114826880B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116132201B (en) * 2023-04-18 2023-09-29 云上广济(贵州)信息技术有限公司 Internet data safety monitoring system based on big data
CN116708157A (en) * 2023-08-07 2023-09-05 北京鹰速光电科技有限公司 Computer security operation and maintenance service system
CN117094021B (en) * 2023-10-11 2024-01-16 北京知宏科技有限公司 Electronic signature encryption protection system and method based on Internet

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20120074040A (en) * 2010-12-27 2012-07-05 한국전기연구원 Security system and its operating method for supervisory control and data acquisition system
WO2020107446A1 (en) * 2018-11-30 2020-06-04 北京比特大陆科技有限公司 Method and apparatus for obtaining attacker information, device, and storage medium
CN111490996A (en) * 2020-06-24 2020-08-04 腾讯科技(深圳)有限公司 Network attack processing method and device, computer equipment and storage medium
CN111865960A (en) * 2020-07-15 2020-10-30 北京市燃气集团有限责任公司 Network intrusion scene analysis processing method, system, terminal and storage medium
CN112383546A (en) * 2020-11-13 2021-02-19 腾讯科技(深圳)有限公司 Method for processing network attack behavior, related device and storage medium


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Application of dynamic defence technology in intranet security; Yang Yimin et al.; Automation & Instrumentation (No. 11); full text *

Also Published As

Publication number Publication date
CN114826880A (en) 2022-07-29

Similar Documents

Publication Publication Date Title
CN114826880B (en) Data safety operation on-line monitoring system
CN110602046B (en) Data monitoring processing method and device, computer equipment and storage medium
US9661003B2 (en) System and method for forensic cyber adversary profiling, attribution and attack identification
KR20040042397A (en) Method and system for defensing distributed denial of service
CN111756702A (en) Data security protection method, device, equipment and storage medium
CN113364799B (en) Method and system for processing network threat behaviors
CN113037713B (en) Network attack resisting method, device, equipment and storage medium
CN113596028A (en) Method and device for handling network abnormal behaviors
CN113438249B (en) Attack tracing method based on strategy
CN113660296A (en) Method and device for detecting anti-attack performance of industrial control system and computer equipment
CN116132989B (en) Industrial Internet security situation awareness system and method
CN112787985B (en) Vulnerability processing method, management equipment and gateway equipment
CN112491883A (en) Method, device, electronic device and storage medium for detecting web attack
Suo et al. Research on the application of honeypot technology in intrusion detection system
CN117527412A (en) Data security monitoring method and device
CN111786986A (en) Numerical control system network intrusion prevention system and method
CN116962049B (en) Zero-day vulnerability attack prevention and control method and system for comprehensive monitoring and active defense
CN113660222A (en) Situation awareness defense method and system based on mandatory access control
Binnar et al. Cyber forensic case study of waste water treatment plant
CN114189515B (en) SGX-based server cluster log acquisition method and device
CN113923035B (en) Dynamic application protection system and method based on attack load and attack behavior
CN115694928A (en) Cloud honeypot of whole-ship computing environment, attack event perception and behavior analysis method
CN114679322A (en) Flow security auditing method, system and computer equipment
Ghaleb et al. A framework architecture for agentless cloud endpoint security monitoring
CN114024740A (en) Threat trapping method based on secret tag bait

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant