CN114978697A - Network information system endogenous security defense method, device, equipment and medium - Google Patents


Info

Publication number
CN114978697A
CN114978697A
Authority
CN
China
Prior art keywords
trusted virtual
target
virtual machine
security
network information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210569664.4A
Other languages
Chinese (zh)
Inventor
刘杰
饶志宏
毛得明
陈剑锋
韩烨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cetc Cyberspace Security Research Institute Co ltd
Original Assignee
Cetc Cyberspace Security Research Institute Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Cetc Cyberspace Security Research Institute Co ltd
Priority to CN202210569664.4A
Publication of CN114978697A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0803 Configuration setting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The application discloses a method, apparatus, device and medium for endogenous security defense of a network information system, in the technical field of network security. The method comprises: acquiring a target service request aimed at a network information system; determining the target service type corresponding to the target service request, and selecting, from trusted virtual machines created in advance in a trusted virtual environment, the target trusted virtual machine corresponding to that service type, where the trusted virtual environment is a virtualized environment obtained by deploying trusted base software and a host security mechanism on a trusted host system, and different security defense services are hosted in different trusted virtual machines; and processing the service corresponding to the target service request with the security defense service in the target trusted virtual machine, so that endogenous security defense of the network information system is achieved. With this scheme an endogenous security system for the network information system can be established to realize its endogenous security defense.

Description

Network information system endogenous security defense method, device, equipment and medium
Technical Field
The present invention relates to the field of network security technology, and in particular to a method, apparatus, device and medium for endogenous security defense of a network information system.
Background
Faced with ever-changing network threats, network security has moved into an 'endogenous security' era, in which adaptive, autonomous and self-growing security capabilities are cultivated from within the information system itself rather than bolted on from outside. In China, academia and industry have likewise taken up research on endogenous security, producing new security technologies such as Trusted Computing 3.0, mimic defense, dynamic active defense and zero trust.
At the same time, network information systems in industries such as civil aviation, railway passenger transport and hotels are trending toward flexible, open services, which inevitably blurs system security boundaries and scatters traditional perimeter-based protection. How to establish an endogenous security system for a network information system, and so achieve endogenous security defense under limited resources, therefore remains to be solved.
Disclosure of Invention
In view of the above, an object of the present invention is to provide a method, apparatus, device and medium for endogenous security defense of a network information system that can establish an endogenous security system for the network information system and achieve its endogenous security defense under limited resources. The specific scheme is as follows:
in a first aspect, the present application discloses a method for endogenous security defense of a network information system, comprising:
acquiring a target service request aiming at a network information system;
determining a target service type corresponding to the target service request, and determining, from trusted virtual machines created in advance in a trusted virtual environment, a target trusted virtual machine corresponding to the target service type; the trusted virtual environment is a virtualized environment obtained by deploying trusted base software and a host security mechanism on a trusted host system; different security defense services are hosted in different trusted virtual machines;
and processing the service corresponding to the target service request by using the security defense service in the target trusted virtual machine so as to realize endogenous security defense of the network information system.
Optionally, determining the target service type corresponding to the target service request and determining the corresponding target trusted virtual machine from the trusted virtual machines created in advance in the trusted virtual environment includes:
if the target service type is dynamic authentication oriented to an identity subject, determining the target trusted virtual machine corresponding to that dynamic authentication from the trusted virtual machines created in advance in the trusted virtual environment.
Optionally, if the target service type is dynamic authentication oriented to an identity subject, determining the target trusted virtual machine corresponding to that dynamic authentication from the trusted virtual machines created in advance includes:
if the user corresponding to the dynamic authentication service request is an uncontrolled terminal user, selecting, from the trusted virtual machines created in advance in the trusted virtual environment, a trusted virtual machine in which an uncontrolled-terminal access authentication service that incorporates physical-layer information has been deployed as the target trusted virtual machine, and allocating a dedicated trusted virtual machine to that uncontrolled terminal user;
correspondingly, processing the service corresponding to the target service request with the security defense service in the target trusted virtual machine to achieve endogenous security defense of the network information system includes:
processing the service corresponding to the dynamic authentication service request with the uncontrolled-terminal access authentication service in the target trusted virtual machine, keeping the data and access operations of the uncontrolled terminal user resident in the trusted virtual machine allocated to that user, and, if the uncontrolled terminal user is found to behave abnormally or illegally, interrupting the user's access by suspending or shutting down that trusted virtual machine, so that secure access authentication between the uncontrolled terminal user and the network information system is achieved.
Optionally, when the target service type is dynamic authentication oriented to an identity subject, determining the target trusted virtual machine corresponding to that dynamic authentication from the trusted virtual machines created in advance includes:
if the user corresponding to the dynamic authentication service request is a controlled terminal user, selecting, from the trusted virtual machines created in advance in the trusted virtual environment, a trusted virtual machine in which a security-event forensics mechanism has been deployed as the target trusted virtual machine;
correspondingly, processing the service corresponding to the target service request with the security defense service in the target trusted virtual machine to achieve endogenous security defense of the network information system includes:
generating a public/private key pair based on a unique identifier pre-inserted into the trusted module of the controlled terminal, and verifying the security state of the controlled terminal on the basis of that key pair;
and monitoring and collecting evidence of security events on the controlled terminal with the security-event forensics mechanism in the target trusted virtual machine, so that secure access authentication between the controlled terminal user and the network information system is achieved.
Optionally, determining the target service type corresponding to the target service request and determining the corresponding target trusted virtual machine from the trusted virtual machines created in advance in the trusted virtual environment includes:
if the target service type is software-defined security resource management, selecting, from the trusted virtual machines created in advance in the trusted virtual environment, a trusted virtual machine in which a security resource management service has been deployed as the target trusted virtual machine;
correspondingly, processing the service corresponding to the target service request with the security defense service in the target trusted virtual machine to achieve endogenous security defense of the network information system includes:
using the target trusted virtual machine to decouple security resource management software from the underlying hardware by virtualization, and pooling the security capability resources of the network information system to obtain pooled, virtualized security capability resources;
and partitioning and recombining the virtualized security capability resources on demand according to the system security protection requirements of the target service, so that security capability resource management of the network information system is achieved.
Optionally, determining the target service type corresponding to the target service request and determining the corresponding target trusted virtual machine from the trusted virtual machines created in advance in the trusted virtual environment includes:
if the target service type is dynamic access control, selecting, from the trusted virtual machines created in advance in the trusted virtual environment, a trusted virtual machine in which a dynamic access control service has been deployed as the target trusted virtual machine;
correspondingly, processing the service corresponding to the target service request with the security defense service in the target trusted virtual machine to achieve endogenous security defense of the network information system includes:
performing fine-grained dynamic access control over preset dimensions of the access requests in the target service with the target trusted virtual machine, and adapting the access control policy as the attributes in those dimensions change, so that secure access and control between the access subject and the accessed service resource are achieved.
Optionally, determining the target service type corresponding to the target service request and determining the corresponding target trusted virtual machine from the trusted virtual machines created in advance in the trusted virtual environment includes:
if the target service type is attack detection and protection, selecting, from the trusted virtual machines created in advance in the trusted virtual environment, a trusted virtual machine in which an attack detection and protection service has been deployed as the target trusted virtual machine;
correspondingly, processing the service corresponding to the target service request with the security defense service in the target trusted virtual machine to achieve endogenous security defense of the network information system includes:
collecting the application-layer traffic of the network information system's service resources out-of-band, through a mirror port, with a data probe pre-installed inside the target trusted virtual machine, to obtain the collected data;
identifying, by deep traffic analysis of the collected data together with a preset security log, illegal access subjects whose entity behavior is abnormal among the corresponding access subjects and access objects;
and prohibiting the access behavior of the illegal access subjects by port hiding and access control rules, so that defense against illegal attacks on the network information system is achieved.
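The dynamic access control and the attack detection and protection services described in the two groups of optional steps above can be illustrated together, since the second feeds the first: a subject flagged by detection has its risk attribute raised, and the next policy evaluation denies it. The following Python example is added here and is not code from the patent or its assignee. It evaluates every access request against the subject's and object's current attributes (no decision is cached), runs a detection pass over constructed mirrored-traffic records and constructed security log lines, raises the risk attribute of any subject that fails against several distinct objects, and emits port-hiding and deny rules for that subject. The thresholds, request fields, object table and all sample data are assumptions.

```python
"""Dynamic (attribute-based) access control whose decisions change as a subject's
risk attribute is updated by traffic-based anomaly detection.
Added example for this page; names, thresholds and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed sample of bypass-mirrored application-layer traffic:
# (timestamp, subject, object, action, HTTP status seen in the mirrored response).
MIRRORED_FLOWS = [
    (100, "u-1001", "booking-api:443", "GET", 200),
    (101, "u-1001", "booking-api:443", "GET", 200),
    (102, "u-2002", "booking-api:443", "GET", 401),
    (103, "u-2002", "crew-roster:8443", "GET", 401),
    (104, "u-2002", "payment-gw:9443", "POST", 403),
    (105, "u-2002", "admin-console:8080", "GET", 401),
    (106, "u-1001", "crew-roster:8443", "GET", 200),
]
# Constructed security log lines emitted by the services themselves.
SECURITY_LOG = [
    "t=102 svc=booking-api event=auth_fail subject=u-2002",
    "t=103 svc=crew-roster event=auth_fail subject=u-2002",
    "t=105 svc=admin-console event=auth_fail subject=u-2002",
]
LOG_RE = re.compile(r"event=(?P<event>\S+) subject=(?P<subject>\S+)")

# Object attributes (assumed): which roles may reach a service and how sensitive it is.
OBJECTS = {
    "booking-api:443": {"roles": {"agent", "admin"}, "sensitivity": "internal"},
    "crew-roster:8443": {"roles": {"admin"}, "sensitivity": "restricted"},
    "payment-gw:9443": {"roles": {"admin"}, "sensitivity": "restricted"},
    "admin-console:8080": {"roles": {"admin"}, "sensitivity": "restricted"},
}


@dataclass
class Subject:
    sid: str
    role: str
    terminal: str      # "controlled" (has a trusted module) or "uncontrolled"
    risk: str = "low"  # attribute written by detection, re-read on every request


def detect_illegal_subjects(flows, log_lines, max_failed_targets=3):
    """Flag subjects that fail against too many distinct objects.
    Combines mirrored traffic (non-2xx responses) with the services' auth_fail log events."""
    failed_targets = defaultdict(set)
    for _ts, subject, obj, _action, status in flows:
        if status >= 400:
            failed_targets[subject].add(obj)
    auth_fail_events = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("event") == "auth_fail":
            auth_fail_events[m.group("subject")] += 1
    return {s for s, objs in failed_targets.items()
            if len(objs) >= max_failed_targets and auth_fail_events[s] > 0}


def decide(subject: Subject, obj: str, action: str):
    """Evaluate one access request against the current attributes; returns (decision, reason)."""
    attrs = OBJECTS.get(obj)
    if attrs is None:
        return ("deny", "unknown object")
    if subject.risk == "high":
        return ("deny", "subject flagged by attack detection")
    if subject.role not in attrs["roles"]:
        return ("deny", "role not permitted")
    if attrs["sensitivity"] == "restricted" and subject.terminal != "controlled":
        return ("deny", "restricted object requires a controlled terminal")
    if action not in ("GET", "POST"):
        return ("deny", "action not permitted")
    return ("allow", "policy satisfied")


def block_rules(subject: Subject):
    """Port hiding plus ACL: once flagged, every service port disappears for the subject."""
    return [f"drop src={subject.sid} dst={obj}" for obj in sorted(OBJECTS)]


def run_cycle(subjects, flows, log_lines):
    """One detection cycle: raise the risk attribute of flagged subjects and emit their rules."""
    flagged = detect_illegal_subjects(flows, log_lines)
    rules = []
    for s in subjects.values():
        if s.sid in flagged:
            s.risk = "high"
            rules.extend(block_rules(s))
    return flagged, rules


if __name__ == "__main__":
    subjects = {
        "u-1001": Subject("u-1001", "admin", "controlled"),
        "u-2002": Subject("u-2002", "agent", "uncontrolled"),
    }
    print(decide(subjects["u-2002"], "booking-api:443", "GET"))  # allowed before detection
    print(run_cycle(subjects, MIRRORED_FLOWS, SECURITY_LOG))
    print(decide(subjects["u-2002"], "booking-api:443", "GET"))  # denied after detection
```

The point of `decide` re-reading `subject.risk` on every call is that a session admitted a minute ago is re-judged with the attributes of now; caching the first decision would defeat the adaptation the patent describes.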
In a second aspect, the present application discloses an endogenous security defense apparatus of a network information system, comprising:
the service request acquisition module is used for acquiring a target service request aiming at the network information system;
the trusted virtual machine determining module is used for determining a target service type corresponding to the target service request and determining a target trusted virtual machine corresponding to the target service type from trusted virtual machines which are established in a trusted virtual environment in advance; the trusted virtual environment is a virtualized environment obtained by deploying trusted basic software and a host security mechanism on a trusted host system; different security defense services are carried in different trusted virtual machines;
and the service request security processing module is used for processing the service corresponding to the target service request by using the security defense service in the target trusted virtual machine so as to realize the endogenous security defense of the network information system.
In a third aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the network information system endogenous security defense method disclosed in the foregoing disclosure.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program; wherein the computer program when executed by a processor implements the steps of the network information system endogenous security defense method disclosed in the foregoing disclosure.
When the method and system perform endogenous security defense of the network information system, a target service request aimed at the network information system is first obtained; the target service type corresponding to the request is determined, and the target trusted virtual machine corresponding to that type is selected from the trusted virtual machines created in advance in the trusted virtual environment, where the trusted virtual environment is a virtualized environment obtained by deploying trusted base software and a host security mechanism on a trusted host system and different security defense services are hosted in different trusted virtual machines; and the service corresponding to the request is processed by the security defense service in the target trusted virtual machine, which achieves endogenous security defense of the network information system. In other words, in this application the trusted virtual environment is obtained by deploying trusted base software and a host security mechanism on a trusted host system, a plurality of trusted virtual machines are pre-created in that environment, each with its own security defense service, and when a target service request aimed at the network information system is obtained, the target trusted virtual machine is chosen among them according to the request's service type.
Consequently, when a target service request aimed at the network information system is obtained, the pre-created trusted virtual machines are orchestrated and scheduled by the trusted virtual environment and the request is completed by the target trusted virtual machine as part of the system's endogenous security defense. Security design is fused with network design on the basis of trusted computing and virtual machines, so that the service functions and the security of the network information system are integrated; the request is processed by a pre-created trusted virtual machine rather than being admitted directly into the network information system, which raises the overall planning level of the system and helps it cope with unknown security threats; and an endogenous security system that integrates multiple kinds of service request is established, realizing endogenous security defense of the network information system under limited resources. In conclusion, an endogenous security system for the network information system can be established to realize its endogenous security defense under limited resources.
Drawings
To illustrate the embodiments of the present invention or the prior-art solutions more clearly, the drawings used in their description are briefly introduced below. The drawings described below show only embodiments of the present invention; those skilled in the art may obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a network information system endogenous security defense method provided in the present application;
FIG. 2 is a schematic diagram of an endogenous security infrastructure provided by the present application;
fig. 3 is a schematic diagram of an endogenous security defense architecture of a network information system based on a trusted computing and a virtual machine according to the present application;
fig. 4 is a flowchart of a specific network information system endogenous security defense method provided in the present application;
fig. 5 is a flowchart of a specific network information system endogenous security defense method provided in the present application;
fig. 6 is a schematic diagram of trusted dynamic authentication for identity principal provided in the present application;
fig. 7 is a flowchart of a specific network information system endogenous security defense method provided in the present application;
fig. 8 is a flowchart of a specific network information system endogenous security defense method provided in the present application;
fig. 9 is a flowchart of a specific network information system endogenous security defense method provided in the present application;
FIG. 10 is a schematic diagram of dynamic access and attack detection provided herein;
fig. 11 is a schematic structural diagram of an endogenous security defense apparatus of a network information system according to the present application;
fig. 12 is a block diagram of an electronic device provided in the present application.
Detailed Description
The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the drawings of those embodiments. The described embodiments are only some, not all, of the embodiments of the invention; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the present invention.
Network information systems in industries such as civil aviation, railway passenger transport and hotels are trending toward flexible, open services, which inevitably blurs system security boundaries and scatters traditional protection capabilities. Against this background, the network information system endogenous security defense method of this application establishes an endogenous security system for the network information system and realizes its endogenous security defense under limited resources.
The embodiment of the invention discloses a network information system endogenous security defense method, which is shown in figure 1 and comprises the following steps:
step S11: a target service request for a network information system is obtained.
In this embodiment, a target service request aimed at the network information system is obtained. Such requests include, but are not limited to, identity-subject-oriented airborne trusted dynamic authentication, and zero-trust-based airborne dynamic access control and attack detection. Obtaining the request is what allows it to be processed securely afterwards by the service processing component in a trusted virtual machine created in advance in the trusted virtual environment.
Step S12: determining a target service type corresponding to the target service request, and determining a target trusted virtual machine corresponding to the target service type from trusted virtual machines which are created in a trusted virtual environment in advance; the trusted virtual environment is a virtualized environment obtained by deploying trusted basic software and a host security mechanism on a trusted host system; and different security defense services are carried in different trusted virtual machines.
In this embodiment, the trusted virtual environment is a virtualized environment obtained by deploying trusted base software and a host security mechanism on a trusted host system. Before the target service request is obtained, the method further comprises constructing an endogenous security infrastructure for the network information system based on trusted computing. Specifically, as shown in fig. 2, the endogenous security infrastructure takes a chip, a storage card, a high-speed board card or similar hardware as the physical root of trust, deploys the trusted base software and the host security mechanism on the trusted host system, and so constructs the trusted virtual environment. Virtualization technology is then used to derive a plurality of virtual roots of trust from the physical root of trust; key generation, key distribution, key protection and similar operations for the trusted virtual machines in the trusted virtual environment are implemented on those virtual roots; and the service processing modules corresponding to the different service types are deployed in the pre-created trusted virtual machines so that the different kinds of security defense service can be completed. At the same time, the trusted virtual environment performs security management and scheduling of the pre-created trusted virtual machines; the chain of trust is extended up to the virtual machine level, so that the integrity of hardware and software is protected and the virtualization layer itself is defended; and the security management and scheduling of the trusted virtual machines apply a dynamic security policy that adapts to on-demand resource sharing in the virtualized environment.
In this embodiment, the target service type corresponding to the target service request includes, but is not limited to, dynamic access control, attack detection and protection, software-defined security resource management, uncontrolled terminal authentication and controlled terminal authentication. As shown in fig. 3, once the target service request is obtained and its service type determined, the trusted virtual environment in the trusted-computing-based endogenous security infrastructure orchestrates and schedules the pre-created trusted virtual machines and determines the target trusted virtual machine corresponding to the service type, so that the service corresponding to the request is subsequently processed by that target trusted virtual machine.
Step S13: and processing the service corresponding to the target service request by using the security defense service in the target trusted virtual machine so as to realize endogenous security defense of the network information system.
In this embodiment, the security defense service in the target trusted virtual machine processes the service corresponding to the target service request, which realizes endogenous security defense of the network information system. The technical scheme uses trusted computing and virtual machines to fuse security design with network design, integrates the functions and the security of the network information system, and establishes an endogenous security protection mechanism that combines access authentication, traffic management and resource control. This addresses the scattered and incomplete security capabilities that arise as network information systems in civil aviation, railway passenger transport, hotels and other industries become ever more open and flexible, and achieves the goals of identity security, data security and service security.
As can be seen, in this embodiment the trusted virtual environment is obtained by deploying trusted base software and a host security mechanism on a trusted host system, a plurality of trusted virtual machines are pre-created in that environment, each with its own security defense service, and when a target service request aimed at the network information system is obtained, the target trusted virtual machine is chosen among them according to the request's service type. Consequently, the pre-created trusted virtual machines are orchestrated and scheduled by the trusted virtual environment and the request is completed by the target trusted virtual machine as part of the system's endogenous security defense; security design is fused with network design on the basis of trusted computing and virtual machines, integrating the service functions and the security of the network information system; the request is processed by a pre-created trusted virtual machine rather than being admitted directly into the network information system, which raises the overall planning level of the system and helps it cope with unknown security threats; and an endogenous security system integrating multiple kinds of service request is established, realizing endogenous security defense under limited resources. In conclusion, an endogenous security system for the network information system can be established to realize its endogenous security defense under limited resources.
Referring to fig. 4, an embodiment of the present invention discloses a specific network information system endogenous security defense method, and compared with the previous embodiment, the present embodiment further explains and optimizes the technical solution.
Step S21: a target service request for a network information system is obtained.
Step S22: and if the target service type is the dynamic authentication of the uncontrolled terminal user, determining a target trusted virtual machine corresponding to the dynamic authentication of the uncontrolled terminal user from trusted virtual machines which are created in a trusted virtual environment in advance.
Specifically, if the user corresponding to the dynamic authentication service request is an uncontrolled terminal user, a trusted virtual machine, in which an uncontrolled terminal accessing authentication service is deployed in advance, is determined from trusted virtual machines created in a trusted virtual environment in advance as a target trusted virtual machine, and a corresponding trusted virtual machine is separately allocated to the uncontrolled terminal user. It can be understood that, aiming at the problem that the existing simple authentication mode of accessing the user uncontrolled terminal to the wireless network is easy to counterfeit identity and further attacks the network and even penetrates to an information system, the user uncontrolled terminal access authentication service fusing physical information is deployed in the trusted virtual machine in advance, and simultaneously, the corresponding trusted virtual machine is independently allocated to each access user, so that the corresponding target trusted virtual machine is used for performing dynamic authentication on the non-central control terminal user subsequently.
Step S23: and processing the service corresponding to the target service request by using the dynamic authentication service of the uncontrolled terminal user in the target trusted virtual machine so as to realize the secure access authentication of the uncontrolled terminal user and the network information system.
And processing the service corresponding to the dynamic authentication service request by using the non-controlled terminal access authentication service in the target trusted virtual machine, residing the data and access operation of the non-controlled terminal user by using the trusted virtual machine corresponding to the non-controlled terminal user, further connecting a background service system and service resources, and interrupting the access of the non-controlled terminal user by suspending or closing the trusted virtual machine corresponding to the non-controlled terminal user if the non-controlled terminal user is found to have abnormal or illegal behaviors, so as to realize the secure access authentication of the non-controlled terminal user and the network information system.
Therefore, in this embodiment, the service corresponding to the target service request is processed by the uncontrolled terminal user dynamic authentication service in the target trusted virtual machine, and the identity security and behaviour security of the accessing user are ensured by authenticating before granting access, which improves the overall planning level of the system and its capability to deal with potential security threats.
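The per-user allocation described above and the residence and interruption of step S23 can be made concrete with the following Go program. It is an added example written for this page, not code from the patent or its assignee: the VM pool, the "uncontrolled-auth" service name, the use of the terminal's hardware address as the fused physical information, and the threshold of three illegal operations before the VM is suspended are all assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
)

type VMState int

const (
	Running   VMState = iota // access allowed
	Suspended                // access interrupted, VM kept for inspection
	Closed                   // access ended, VM never handed out again
)

// TrustedVM is one VM pre-created in the trusted virtual environment (the field names are this example's own).
type TrustedVM struct {
	ID       string
	Service  string          // security defense service deployed in advance
	Owner    string          // uncontrolled terminal user it is dedicated to
	State    VMState
	Granted  map[string]bool // backend resources granted at authentication
	Failures int             // illegal operations seen in this session
}

// Enrollment fuses identity with physical information: the credential alone is not
// enough, the terminal's hardware address must match too (assumption: the text does not name the attribute).
type Enrollment struct {
	Credential, HWAddr string
	Granted            []string
}

type Broker struct {
	pool        []*TrustedVM
	byUser      map[string]*TrustedVM
	enrolled    map[string]Enrollment
	maxFailures int
}

func NewBroker(pool []*TrustedVM, enrolled map[string]Enrollment, maxFailures int) *Broker {
	return &Broker{pool: pool, byUser: map[string]*TrustedVM{}, enrolled: enrolled, maxFailures: maxFailures}
}

// Login authenticates the user in a VM carrying the "uncontrolled-auth" service
// and dedicates that VM to the user; no VM is allocated before authentication
// succeeds (authentication before access).
func (b *Broker) Login(user, credential, hwAddr string) (*TrustedVM, error) {
	e, ok := b.enrolled[user]
	if !ok || e.Credential != credential || e.HWAddr != hwAddr {
		return nil, errors.New("authentication failed")
	}
	for _, vm := range b.pool {
		if vm.Service == "uncontrolled-auth" && vm.Owner == "" && vm.State == Running {
			vm.Owner, vm.Granted = user, map[string]bool{}
			for _, r := range e.Granted {
				vm.Granted[r] = true
			}
			b.byUser[user] = vm
			return vm, nil
		}
	}
	return nil, errors.New("no free trusted VM for uncontrolled terminals")
}

// Access runs one request to a backend resource inside the user's own VM. The
// VM is the only place the user's data and operations reside, so once it is
// suspended or closed the user cannot reach the backend at all.
func (b *Broker) Access(user, resource string) error {
	vm, ok := b.byUser[user]
	if !ok {
		return errors.New("not authenticated")
	}
	if vm.State != Running {
		return fmt.Errorf("access interrupted: %s is not running", vm.ID)
	}
	if !vm.Granted[resource] {
		vm.Failures++
		if vm.Failures >= b.maxFailures {
			vm.State = Suspended // abnormal behaviour: cut off, keep the VM for forensics
			return fmt.Errorf("illegal access to %s: %s suspended", resource, vm.ID)
		}
		return fmt.Errorf("illegal access to %s", resource)
	}
	return nil
}

// Logout closes the VM; a closed VM is never reused for another user.
func (b *Broker) Logout(user string) {
	if vm, ok := b.byUser[user]; ok {
		vm.State = Closed
		delete(b.byUser, user)
	}
}

func main() {
	b := NewBroker([]*TrustedVM{{ID: "tvm-auth-1", Service: "uncontrolled-auth"}},
		map[string]Enrollment{"alice": {"s3cret", "00:11:22:33:44:55", []string{"erp"}}}, 3)
	vm, err := b.Login("alice", "s3cret", "00:11:22:33:44:55")
	fmt.Println(vm.ID, err, b.Access("alice", "erp"), b.Access("alice", "hr-db"))
}
```

The point of the design is that the broker never proxies requests itself: a user who has no running VM, whether because authentication failed, because the VM was suspended after illegal operations, or because it was closed at logout, has no path to the background service system at all, which is what makes suspending the VM a complete interruption of access.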
Referring to fig. 5, an embodiment of the present invention discloses a specific network information system endogenous security defense method, and compared with the previous embodiment, the present embodiment further explains and optimizes the technical solution.
Step S31: a target service request for a network information system is obtained.
Step S32: and if the target service type is the dynamic authentication of the controlled terminal user, determining a target trusted virtual machine corresponding to the dynamic authentication of the controlled terminal user from trusted virtual machines which are created in a trusted virtual environment in advance.
Specifically, if the user corresponding to the dynamic authentication service request is a controlled terminal user, a trusted virtual machine in which a security event forensics mechanism has been deployed in advance is selected, from the trusted virtual machines created in advance in the trusted virtual environment, as the target trusted virtual machine.
Step S33: and processing the service corresponding to the target service request by using the dynamic authentication service of the controlled terminal user in the target trusted virtual machine so as to realize the secure access authentication of the controlled terminal user and the network information system.
Specifically, a public/private key pair is generated from the unique identifier pre-embedded in the trusted module of the controlled terminal, and the security state of the controlled terminal is verified using this key pair; when the controlled terminal user is connected to the background service system and service resources, the security events of the controlled terminal are monitored and evidence of them is collected by the security event forensics mechanism in the target trusted virtual machine, so that secure access authentication between the controlled terminal user and the network information system is achieved. As shown in fig. 6, when the identity subject is a controlled terminal, the trusted module pre-embedded in the user terminal provides a trusted description of the identity of the terminal, the identity of the terminal's owner and the identity of the terminal's user, that is, of the state information of the controlled terminal, while the monitoring, evidence collection and auditing of terminal security events are performed by the target trusted virtual machine.
Therefore, in this embodiment, the security events of the controlled terminal are monitored and evidence of them is collected by the trusted virtual machine in which the security event forensics mechanism has been deployed in advance, so as to ensure the data security and service security of the network information system.
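The key derivation, security state verification and event forensics of step S33, as an added Go example that is not part of the patent: the key pair is derived deterministically from the unique identifier of the trusted module (HMAC-SHA256 under a fixed label is this example's stand-in for the module's own derivation, and the identifier is assumed to be secret to the module), the terminal signs a state report that carries the verifier's nonce, and every verification outcome is appended to a hash-chained event log kept by the target trusted virtual machine. The names deriveKeyPair, StateReport, Verifier and the constructed identifier TM-UID-0001 are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// deriveKeyPair turns the unique identifier held in the terminal's trusted module
// into an Ed25519 key pair (assumption: HMAC-SHA256 under a fixed label stands in
// for the module's real derivation). Same identifier, same key pair, so the public half is enrolled once.
func deriveKeyPair(uniqueID []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, uniqueID)
	mac.Write([]byte("controlled-terminal-identity-key")) // example label
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil))         // HMAC output is the 32-byte seed
	return priv.Public().(ed25519.PublicKey), priv
}

// StateReport describes terminal, owner and user identity plus the measured state; the nonce ties it to one check.
type StateReport struct{ Terminal, Owner, User, Measurement, Nonce string }

// encode length-prefixes every field so distinct reports never share bytes.
func (r StateReport) encode() []byte {
	var out []byte
	for _, f := range []string{r.Terminal, r.Owner, r.User, r.Measurement, r.Nonce} {
		out = append(out, byte(len(f)>>8), byte(len(f)))
		out = append(out, f...)
	}
	return out
}

func signReport(priv ed25519.PrivateKey, r StateReport) []byte { return ed25519.Sign(priv, r.encode()) }

// Event is one entry of the forensics log kept in the target trusted VM; each entry
// carries its predecessor's hash, so altering or dropping an earlier event breaks every later hash.
type Event struct{ At, Terminal, Kind, Prev, Hash string }

type Verifier struct {
	enrolled map[string]ed25519.PublicKey // terminal -> enrolled public key
	golden   map[string]string            // terminal -> expected measurement
	Log      []Event
}

func eventHash(e Event) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(e.At+"|"+e.Terminal+"|"+e.Kind+"|"+e.Prev)))
}

func (v *Verifier) record(terminal, kind string) {
	e := Event{At: time.Now().UTC().Format(time.RFC3339Nano), Terminal: terminal, Kind: kind}
	if n := len(v.Log); n > 0 {
		e.Prev = v.Log[n-1].Hash
	}
	e.Hash = eventHash(e)
	v.Log = append(v.Log, e)
}

// Verify checks enrolment, freshness, signature and security state in that order and records the outcome whatever it is.
func (v *Verifier) Verify(r StateReport, sig []byte, nonce string) error {
	pub, ok := v.enrolled[r.Terminal]
	switch {
	case !ok:
		v.record(r.Terminal, "unknown-terminal")
		return errors.New("terminal not enrolled")
	case r.Nonce != nonce:
		v.record(r.Terminal, "stale-report")
		return errors.New("nonce mismatch, possible replay")
	case !ed25519.Verify(pub, r.encode(), sig):
		v.record(r.Terminal, "bad-signature")
		return errors.New("signature does not verify")
	case r.Measurement != v.golden[r.Terminal]:
		v.record(r.Terminal, "state-mismatch")
		return errors.New("security state differs from enrolled state")
	}
	v.record(r.Terminal, "verified")
	return nil
}

// LogIntact recomputes the chain; false means an entry was altered or removed.
func (v *Verifier) LogIntact() bool {
	prev := ""
	for _, e := range v.Log {
		if e.Prev != prev || eventHash(e) != e.Hash {
			return false
		}
		prev = e.Hash
	}
	return true
}

func main() {
	pub, priv := deriveKeyPair([]byte("TM-UID-0001")) // constructed module identifier
	v := &Verifier{enrolled: map[string]ed25519.PublicKey{"term-7": pub}, golden: map[string]string{"term-7": "sha256:golden-image"}}
	r := StateReport{"term-7", "org-unit-3", "bob", "sha256:golden-image", "nonce-1"}
	fmt.Println(v.Verify(r, signReport(priv, r), "nonce-1"), v.Verify(r, signReport(priv, r), "nonce-2"), v.LogIntact())
}
```

Two checks matter in practice: the nonce is what stops a captured good report from being replayed after the terminal has been compromised, and the failed verifications are logged with the same chaining as the successful ones, so an attacker cannot quietly remove the evidence of their own attempts.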
Referring to fig. 7, an embodiment of the present invention discloses a specific network information system endogenous security defense method, and compared with the previous embodiment, the present embodiment further explains and optimizes the technical solution.
Step S41: and acquiring a target service request aiming at the network information system.
Step S42: and if the target service type is software-defined security resource management, determining a target trusted virtual machine corresponding to the software-defined security resource management from trusted virtual machines which are created in a trusted virtual environment in advance.
Specifically, if the target service type is software-defined secure resource management, determining, from trusted virtual machines created in a trusted virtual environment in advance, a trusted virtual machine in which a secure resource management service is deployed in advance as a target trusted virtual machine.
Step S43: and processing the service corresponding to the target service request by using the security resource management service defined by the software in the target trusted virtual machine so as to realize the security capability resource management of the network information system.
Specifically, the target trusted virtual machine uses virtualization technology to separate the security resource management software from the hardware and pools the security capability resources of the network information system into virtualized security capability resources; these are then partitioned and recombined on demand according to the system security protection requirements of the target service, so that the security capability resources of the network information system are managed.
As can be seen, in this embodiment the security resources of the network information system are managed by the trusted virtual machine in which the security resource management service has been deployed in advance, so that the virtualized security capability resources can be partitioned and recombined as needed, which implements security resource management of the network information system.
Referring to fig. 8, an embodiment of the present invention discloses a specific network information system endogenous security defense method, and compared with the previous embodiment, the present embodiment further explains and optimizes the technical solution.
Step S51: a target service request for a network information system is obtained.
Step S52: and if the target service type is dynamic access control, determining a target trusted virtual machine corresponding to the dynamic access control from trusted virtual machines which are created in a trusted virtual environment in advance.
Specifically, if the target service type is dynamic access control, determining a trusted virtual machine, in which dynamic access control service is deployed in advance, as a target trusted virtual machine from trusted virtual machines created in a trusted virtual environment in advance.
Step S53: and processing the service corresponding to the target service request by using the dynamic access control service in the target trusted virtual machine so as to realize the safe access and control of the access subject and the accessed service resource.
Specifically, the target trusted virtual machine performs precise dynamic access control over preset dimensions of the access requests in the target service, and the access control policy is adapted whenever an attribute in one of those dimensions changes, so that secure access to and control of the accessed service resource by the access subject are achieved. That is, when an access subject such as a user terminal, in any of the services provided by the network information system, accesses an object such as a service resource, precise dynamic access control is applied over dimensions such as the different identity attributes, the different authority attributes and the minimum-granularity authorization of the accessed resource, and the access control policy is adapted as these attributes change, which achieves secure access to and control of the accessed service resource.
Therefore, in this embodiment, precise dynamic access control is applied over dimensions such as the different identity attributes, the different authority attributes and the minimum-granularity authorization of the access subject and the access object, and secure access to and control of the service resources are achieved by adapting the access control policy as these attributes change.
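The multi-dimension, attribute-driven decision of step S53, as an added Go example that is not the patent's own code: subjects carry identity and authority attributes plus the result of their latest terminal state verification, objects carry a sensitivity level per field (the minimum authorization granularity), and rules read the attributes at decision time, so a change in any attribute changes the next decision. The rule set in DefaultPolicy, the role and clearance values, and the example object hr-records are assumptions of the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Subject carries the identity and authority attributes of the access subject.
type Subject struct {
	ID              string
	Role            string
	Clearance       int
	TerminalTrusted bool // latest terminal security-state verification result
}

// Object carries the attributes of the accessed service resource, down to the
// smallest authorisation unit (here a field and its sensitivity level).
type Object struct {
	Resource    string
	Sensitivity int
	Fields      map[string]int
}

type Request struct {
	Subject Subject
	Object  Object
	Action  string
}

// Rule returns (permit, applies); a rule that does not apply is ignored.
type Rule func(Request) (permit, applies bool)

type Policy struct{ rules []Rule }

// Decide is deny-by-default and deny-overrides: any applicable rule that
// denies wins, and at least one applicable rule must permit.
func (p Policy) Decide(r Request) bool {
	permitted := false
	for _, rule := range p.rules {
		permit, applies := rule(r)
		if !applies {
			continue
		}
		if !permit {
			return false
		}
		permitted = true
	}
	return permitted
}

// AllowedFields is minimum-granularity authorisation: of a permitted object,
// the subject sees only the fields its clearance covers.
func (p Policy) AllowedFields(r Request) []string {
	if !p.Decide(r) {
		return nil
	}
	var out []string
	for f, level := range r.Object.Fields {
		if level <= r.Subject.Clearance {
			out = append(out, f)
		}
	}
	sort.Strings(out)
	return out
}

// DefaultPolicy is an example rule set (not the patent's); attributes are read
// at decision time, so a change in any of them changes the next decision.
func DefaultPolicy() Policy {
	return Policy{rules: []Rule{
		// Identity dimension: an untrusted terminal is denied whatever the user is.
		func(r Request) (bool, bool) { return r.Subject.TerminalTrusted, true },
		// Authority dimension: clearance must cover the object's sensitivity.
		func(r Request) (bool, bool) { return r.Subject.Clearance >= r.Object.Sensitivity, true },
		// Action dimension: only operators may write; reads are left to the rules above.
		func(r Request) (bool, bool) {
			if r.Action != "write" {
				return false, false
			}
			return r.Subject.Role == "operator", true
		},
	}}
}

func main() {
	p := DefaultPolicy()
	obj := Object{"hr-records", 2, map[string]int{"name": 1, "dept": 2, "salary": 3}}
	req := Request{Subject{"alice", "analyst", 2, true}, obj, "read"}
	fmt.Println(p.Decide(req), p.AllowedFields(req)) // true [dept name]
	req.Subject.TerminalTrusted = false               // attribute changes, the policy adapts on the next request
	fmt.Println(p.Decide(req), p.AllowedFields(req)) // false []
}
```

Deny-overrides combining is the conservative choice here: a subject whose terminal has just failed state verification is cut off even if every other attribute still permits the access, which is the behaviour the text asks for when attributes change.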
Referring to fig. 9, an embodiment of the present invention discloses a specific network information system endogenous security defense method, and compared with the previous embodiment, the present embodiment further explains and optimizes the technical solution.
Step S61: a target service request for a network information system is obtained.
Step S62: and if the target service type is attack detection and protection, determining a target trusted virtual machine corresponding to the attack detection and protection from trusted virtual machines which are created in a trusted virtual environment in advance.
Specifically, if the target service type is attack detection and protection, determining a trusted virtual machine, in which attack detection and protection services are deployed in advance, as a target trusted virtual machine from trusted virtual machines created in a trusted virtual environment in advance.
Step S63: and processing the service corresponding to the target service request by using the attack detection and protection service in the target trusted virtual machine so as to realize illegal attack defense of the network information system.
Specifically, a data probe pre-installed inside the target trusted virtual machine collects a mirrored copy, out of band, of the application-layer traffic to the service resources of the network information system, which yields the collected data; on the basis of the collected data and a preset security log derived from deep traffic analysis, access subjects showing abnormal entity behaviour are identified as illegal access subjects among the corresponding access subjects and access objects; and the access behaviour of each illegal access subject is blocked by port hiding and access control rules, so that the network information system is defended against illegal attacks. Fig. 10 is a schematic diagram of dynamic access control and attack detection. When the target service type is attack detection and protection, the data probe performs mirrored collection and deep restoration of the application-layer traffic of the service resources: the collection is deployed out of band, so it affects neither the backbone network nor the resources themselves, and the deep restoration parses and reassembles service-specific protocols. A security log based on deep traffic analysis is then used for entity behaviour analysis of access subjects such as users and access objects such as service resources: compliant behaviour rules are defined and abnormal behaviour of users and of service resources is identified, which uncovers both malicious behaviour originating from inside and risky behaviour caused by accidents, and so implements security management at the application layer. Based on port hiding and fine-grained access control, only the traffic of legitimate users is allowed through, and illegal or untrusted users are prevented from gathering information, exploiting vulnerabilities and launching attacks inside the intranet through high-risk ports, which achieves isolation of the service resources and protection of the applications.
Therefore, in this embodiment, the probe performs mirrored collection, deep restoration, dynamic port hiding and the like on the application-layer traffic of the system, so that the service resources are isolated and the applications protected, which improves the security protection of the system.
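The detection chain of step S63, from restored application-layer records through compliant behaviour rules to blocking rules, as an added Go example that is not the patent's own code. The one-line record format, the sample records, the baseline (permitted service ports per user, a sorted list of hidden high-risk ports, a failure threshold) and the iptables strings are all constructed for the example; the rules are returned as text and not applied to any host.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Record is one application-layer request restored from mirrored traffic.
// Constructed line format: "<time> <src> <user> <dport> <op> <resource> <status>".
type Record struct {
	Time, Src, User, Op, Resource, Status string
	Port                                  int
}

func parse(line string) (Record, bool) {
	f := strings.Fields(line)
	if len(f) != 7 {
		return Record{}, false
	}
	port, err := strconv.Atoi(f[3])
	return Record{f[0], f[1], f[2], f[4], f[5], f[6], port}, err == nil
}

// Baseline is the compliance rule set: the service ports each user may use, the
// high-risk ports hidden from everyone (sorted ascending), and the failure count that flags a subject.
type Baseline struct {
	AllowedPorts map[string]map[int]bool
	HiddenPorts  []int
	MaxFailures  int
}

type Finding struct{ Subject, Reason string }

// Analyse is the entity-behaviour check: a subject (user@src) that probes a
// hidden port, uses a service outside its baseline or fails repeatedly is an
// illegal access subject, reported once per reason, in a deterministic order.
func Analyse(lines []string, b Baseline) []Finding {
	failures := map[string]int{}
	seen := map[Finding]bool{} // one finding per subject and reason
	for _, line := range lines {
		r, ok := parse(line)
		if !ok {
			continue // unrestorable line: skipped, never a reason to block anyone
		}
		subject := r.User + "@" + r.Src
		i := sort.SearchInts(b.HiddenPorts, r.Port)
		switch {
		case i < len(b.HiddenPorts) && b.HiddenPorts[i] == r.Port:
			seen[Finding{subject, "probe of hidden port " + strconv.Itoa(r.Port)}] = true
		case !b.AllowedPorts[r.User][r.Port]:
			seen[Finding{subject, "service outside baseline on port " + strconv.Itoa(r.Port)}] = true
		}
		if r.Status != "ok" {
			failures[subject]++
			if failures[subject] >= b.MaxFailures {
				seen[Finding{subject, "repeated failures"}] = true
			}
		}
	}
	var out []Finding
	for f := range seen {
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Subject < out[j].Subject || out[i].Subject == out[j].Subject && out[i].Reason < out[j].Reason
	})
	return out
}

// BlockRules turns findings into enforcement: drop each illegal subject's
// traffic and keep the hidden ports closed to everyone. The iptables syntax is
// illustrative; the rules are returned, not applied.
func BlockRules(findings []Finding, b Baseline) []string {
	var rules []string
	blocked := map[string]bool{}
	for _, f := range findings {
		src := f.Subject[strings.IndexByte(f.Subject, '@')+1:]
		if !blocked[src] {
			blocked[src] = true
			rules = append(rules, fmt.Sprintf("iptables -I INPUT -s %s -j DROP", src))
		}
	}
	for _, p := range b.HiddenPorts {
		rules = append(rules, fmt.Sprintf("iptables -I INPUT -p tcp --dport %d -j DROP", p))
	}
	return rules
}

func main() {
	b := Baseline{AllowedPorts: map[string]map[int]bool{"alice": {443: true}}, HiddenPorts: []int{22, 3389}, MaxFailures: 3}
	lines := []string{"10:00:01 10.0.0.5 alice 443 GET /erp/orders ok", "10:00:02 10.0.0.9 mallory 22 CONNECT - fail"}
	findings := Analyse(lines, b)
	fmt.Println(findings, BlockRules(findings, b))
}
```

Note that a record the probe cannot restore is skipped rather than treated as suspicious: the mirror is out of band, so it sees the traffic but cannot influence it, and any blocking decision has to rest on what was actually restored. The hidden-port rules are emitted unconditionally, which is what makes those ports invisible to every subject rather than only to the ones already caught.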
Referring to fig. 11, an embodiment of the present application discloses a network information system endogenous security defense apparatus, including:
a service request obtaining module 11, configured to obtain a target service request for a network information system;
a trusted virtual machine determining module 12, configured to determine a target service type corresponding to the target service request, and determine a target trusted virtual machine corresponding to the target service type from trusted virtual machines created in a trusted virtual environment in advance; the trusted virtual environment is a virtualized environment obtained by deploying trusted basic software and a host security mechanism on a trusted host system; different security defense services are carried in different trusted virtual machines;
and a service request security processing module 13, configured to process a service corresponding to the target service request by using a security defense service in the target trusted virtual machine, so as to implement an endogenous security defense of the network information system.
In this embodiment, a trusted virtual environment is obtained by deploying trusted basic software and a host security mechanism on a trusted host system, a plurality of trusted virtual machines are created in advance in that environment, and each of them is provided with its own security defense service. When a target service request for the network information system is obtained, the target service type of the request is determined, the target trusted virtual machine corresponding to that type is selected from the trusted virtual machines, and the security defense service in the target trusted virtual machine processes the service corresponding to the request. In other words, every target service request is scheduled by the trusted virtual environment onto a pre-created trusted virtual machine, and it is that virtual machine that completes the request and provides the endogenous security defense of the network information system. Because the security design is fused with the network design on the basis of trusted computing and virtual machines, the service functions and the security of the network information system are integrated; because a target service request is processed by a pre-created trusted virtual machine instead of being admitted directly into the network information system, the overall planning level of the network information system is improved and unknown security threats can be dealt with; and because the security services for the different request types are consolidated in one set of trusted virtual machines, an endogenous security system of the network information system can be established, and endogenous security defense of the network information system achieved, with limited resources.
In some specific embodiments, the trusted virtual machine determining module 12 is specifically configured to: and if the target service type is dynamic authentication facing to the identity subject, determining a target trusted virtual machine corresponding to the dynamic authentication from trusted virtual machines which are created in a trusted virtual environment in advance.
In some specific embodiments, the trusted virtual machine determining module 12 is specifically configured to: if the user corresponding to the dynamic authentication service request is an uncontrolled terminal user, determining a trusted virtual machine, which is a trusted virtual machine of an uncontrolled terminal access authentication service and is pre-deployed with fused physical information, as a target trusted virtual machine from trusted virtual machines which are pre-created in a trusted virtual environment, and individually allocating a corresponding trusted virtual machine to the uncontrolled terminal user;
correspondingly, the service request security processing module 13 is specifically configured to: and processing the service corresponding to the dynamic authentication service request by using the uncontrolled terminal access authentication service in the target trusted virtual machine, and residing the data and access operation of the uncontrolled terminal user by using the trusted virtual machine corresponding to the uncontrolled terminal user, and if the uncontrolled terminal user is found to have abnormal or illegal behaviors, interrupting the access of the uncontrolled terminal user by suspending or closing the trusted virtual machine corresponding to the uncontrolled terminal user so as to realize the safe access authentication of the uncontrolled terminal user and the network information system.
In some specific embodiments, the trusted virtual machine determining module 12 is specifically configured to: if the user corresponding to the dynamic authentication service request is a controlled terminal user, determining a trusted virtual machine with a security time forensics mechanism deployed in advance from trusted virtual machines created in a trusted virtual environment in advance as a target trusted virtual machine;
correspondingly, the service request security processing module 13 specifically includes:
the security state verification unit is used for generating a corresponding public and private key pair based on a unique identifier which is inserted into a trusted module of the controlled terminal in advance and performing security state verification of the controlled terminal based on the public and private key pair;
and a monitoring and forensics unit, configured to monitor the security events of the controlled terminal and collect evidence of them by using the security event forensics mechanism in the target trusted virtual machine, so as to achieve secure access authentication between the controlled terminal user and the network information system.
In some specific embodiments, the trusted virtual machine determining module 12 is specifically configured to: if the target service type is software-defined security resource management, determining a trusted virtual machine with security resource management service deployed in advance from trusted virtual machines created in a trusted virtual environment in advance as a target trusted virtual machine;
correspondingly, the service request security processing module 13 specifically includes:
the resource pooling unit is used for separating security resource management software from hardware by using the target trusted virtual machine through a virtualization technology and pooling security capability resources in the network information system to obtain pooled virtualized security capability resources;
and a resource partitioning and recombination unit, configured to partition and recombine the virtualized security capability resources on demand according to the system security protection requirements of the target service, so as to achieve security capability resource management of the network information system.
In some specific embodiments, the trusted virtual machine determining module 12 is specifically configured to: if the target service type is dynamic access control, determining a trusted virtual machine with dynamic access control service deployed in advance from trusted virtual machines created in a trusted virtual environment in advance as a target trusted virtual machine;
correspondingly, the service request security processing module 13 is specifically configured to: and carrying out precision dynamic access control on a preset dimension of an access request in the target service by using the target trusted virtual machine, and adapting a corresponding access control strategy according to the change of the attribute in the preset dimension so as to realize the safe access and control of an access subject and an accessed service resource.
In some specific embodiments, the trusted virtual machine determining module 12 is specifically configured to: if the target service type is attack detection and protection, determining a trusted virtual machine with attack detection and protection service deployed in advance from trusted virtual machines created in a trusted virtual environment in advance as a target trusted virtual machine;
correspondingly, the service request security processing module 13 specifically includes:
a data collection unit, configured to collect, by using a data probe pre-installed inside the target trusted virtual machine, a mirrored copy of the application-layer traffic to the service resources of the network information system, so as to obtain the collected data;
the data analysis unit is used for identifying an illegal access subject with abnormal entity behaviors from corresponding access subjects and access objects based on the collected data and a preset security log based on traffic deep analysis;
and the access control unit is used for forbidding the access behavior of the illegal access subject based on port hiding and access control rules so as to realize illegal attack defense of the network information system.
Fig. 12 shows an electronic device 20 according to an embodiment of the present application. The electronic device 20 may include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input/output interface 25 and a communication bus 26. The memory 22 is used for storing a computer program, which is loaded and executed by the processor 21 to implement the relevant steps of the network information system endogenous security defense method disclosed in any of the foregoing embodiments. The electronic device 20 in this embodiment may specifically be an electronic computer.
In this embodiment, the power supply 23 is used to provide voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and a communication protocol followed by the communication interface is any communication protocol applicable to the technical solution of the present application, and is not specifically limited herein; the input/output interface 25 is configured to obtain external input data or output data to the outside, and a specific interface type thereof may be selected according to specific application requirements, which is not specifically limited herein.
In addition, the memory 22 is used as a carrier for resource storage, and may be a read-only memory, a random access memory, a magnetic disk or an optical disk, etc., and the resources stored thereon may include an operating system 221, a computer program 222, etc., and the storage manner may be a transient storage manner or a permanent storage manner.
The operating system 221 is used for managing and controlling each hardware device on the electronic device 20, and may be Windows Server, NetWare, Unix, Linux or the like. The computer program 222 may include, in addition to the computer program that is executed by the electronic device 20 to perform the network information system endogenous security defense method disclosed in any of the foregoing embodiments, computer programs for other specific tasks.
Further, the present application also discloses a computer-readable storage medium for storing a computer program; wherein the computer program, when executed by a processor, implements the method of endogenous security defense of a network information system as disclosed above. For the specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, which are not described herein again.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The method, the device, the equipment and the medium for defending the endogenous security of the network information system provided by the invention are described in detail, a specific example is applied in the text to explain the principle and the implementation mode of the invention, and the description of the embodiment is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. An endogenous security defense method of a network information system is characterized by comprising the following steps:
acquiring a target service request aiming at a network information system;
determining a target service type corresponding to the target service request, and determining a target trusted virtual machine corresponding to the target service type from trusted virtual machines which are created in a trusted virtual environment in advance; the trusted virtual environment is a virtualized environment obtained by deploying trusted basic software and a host security mechanism on a trusted host system; different security defense services are carried in different trusted virtual machines;
and processing the service corresponding to the target service request by using the security defense service in the target trusted virtual machine so as to realize endogenous security defense of the network information system.
2. An endogenous security defense method of a network information system according to claim 1, wherein the determining a target service type corresponding to the target service request and determining a target trusted virtual machine corresponding to the target service type from trusted virtual machines created in a trusted virtual environment in advance comprises:
and if the target service type is dynamic authentication facing to the identity subject, determining a target trusted virtual machine corresponding to the dynamic authentication from trusted virtual machines which are created in a trusted virtual environment in advance.
3. An endogenous security defense method of a network information system according to claim 2, wherein if the target service type is dynamic authentication facing an identity subject, determining a target trusted virtual machine corresponding to the dynamic authentication from trusted virtual machines created in a trusted virtual environment in advance comprises:
if the user corresponding to the dynamic authentication service request is an uncontrolled terminal user, selecting, from the trusted virtual machines created in advance in the trusted virtual environment, a trusted virtual machine in which an uncontrolled terminal access authentication service that fuses physical information has been deployed in advance as the target trusted virtual machine, and allocating a separate trusted virtual machine to the uncontrolled terminal user;
correspondingly, the processing, by using the security defense service in the target trusted virtual machine, the service corresponding to the target service request to implement the endogenous security defense of the network information system includes:
processing the service corresponding to the dynamic authentication service request by using the uncontrolled terminal access authentication service in the target trusted virtual machine, keeping the data and access operations of the uncontrolled terminal user resident in the trusted virtual machine allocated to that user, and, if the uncontrolled terminal user is found to behave abnormally or illegally, interrupting the user's access by suspending or shutting down that trusted virtual machine, so as to achieve secure access authentication between the uncontrolled terminal user and the network information system.
4. An endogenous security defense method of a network information system according to claim 2, wherein if the target service type is dynamic authentication facing an identity subject, determining a target trusted virtual machine corresponding to the dynamic authentication from trusted virtual machines created in a trusted virtual environment in advance comprises:
if the user corresponding to the dynamic authentication service request is a controlled terminal user, selecting, from the trusted virtual machines created in advance in the trusted virtual environment, a trusted virtual machine in which a security event forensics mechanism has been deployed in advance as the target trusted virtual machine;
correspondingly, the processing, by using the security defense service in the target trusted virtual machine, a service corresponding to the target service request to implement the endogenous security defense of the network information system includes:
generating a corresponding public and private key pair based on a unique identifier pre-inserted into a trusted module of the controlled terminal, and performing security state verification of the controlled terminal based on the public and private key pair;
and monitoring the security events of the controlled terminal and collecting evidence of them by using the security event forensics mechanism in the target trusted virtual machine, so as to achieve secure access authentication between the controlled terminal user and the network information system.
5. An endogenous security defense method of a network information system according to claim 1, wherein the determining a target service type corresponding to the target service request and determining a target trusted virtual machine corresponding to the target service type from trusted virtual machines created in a trusted virtual environment in advance comprises:
if the target service type is software-defined security resource management, determining a trusted virtual machine with security resource management service deployed in advance from trusted virtual machines created in a trusted virtual environment in advance as a target trusted virtual machine;
correspondingly, the processing, by using the security defense service in the target trusted virtual machine, a service corresponding to the target service request to implement the endogenous security defense of the network information system includes:
separating the security resource management software from the hardware by using the target trusted virtual machine through virtualization technology, and pooling the security capability resources of the network information system to obtain pooled virtualized security capability resources;
and partitioning and recombining the virtualized security capability resources on demand according to the system security protection requirements of the target service, so as to achieve security capability resource management of the network information system.
6. An endogenous security defense method of a network information system according to claim 1, wherein the determining a target service type corresponding to the target service request and determining a target trusted virtual machine corresponding to the target service type from trusted virtual machines created in a trusted virtual environment in advance comprises:
if the target service type is dynamic access control, determining a trusted virtual machine with dynamic access control service deployed in advance from trusted virtual machines created in a trusted virtual environment in advance as a target trusted virtual machine;
correspondingly, the processing, by using the security defense service in the target trusted virtual machine, the service corresponding to the target service request to implement the endogenous security defense of the network information system includes:
and carrying out precise dynamic access control on preset dimensions of the access request in the target service by using the target trusted virtual machine, and adapting the corresponding access control policy as the attributes in those preset dimensions change, so as to realize secure access to and control of the access subject and the accessed service resource.
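The attribute-driven policy adaptation of claim 6, as an added illustrative example (not the patent's implementation): each policy constrains a set of attribute dimensions, an access is granted under the first matching policy, and when a watched attribute of the subject changes the live session is re-evaluated and kept, moved to a different policy, or revoked. The dimension names, the two policies and the sample subject are constructed.

```python
"""Dynamic attribute-based access control with session re-evaluation.

Added example, not the patent's implementation. The attribute dimensions,
policy names, resource names and sample subjects are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed attribute dimensions the controller watches for changes.
DIMENSIONS = ("role", "network_zone", "device_health")


@dataclass(frozen=True)
class Policy:
    name: str
    required: dict        # attribute -> set of allowed values
    resource: str
    actions: frozenset

    def matches(self, attrs: dict) -> bool:
        return all(attrs.get(k) in allowed for k, allowed in self.required.items())


@dataclass
class Session:
    subject: str
    resource: str
    action: str
    policy: str           # policy under which access is currently granted


class DynamicAccessController:
    def __init__(self, policies):
        self.policies = list(policies)
        self.sessions: dict = {}  # subject -> Session

    def select_policy(self, attrs: dict, resource: str, action: str) -> Optional[Policy]:
        """First policy whose resource, action and attribute constraints match."""
        for p in self.policies:
            if p.resource == resource and action in p.actions and p.matches(attrs):
                return p
        return None

    def request(self, subject: str, attrs: dict, resource: str, action: str) -> str:
        p = self.select_policy(attrs, resource, action)
        if p is None:
            return "deny"
        self.sessions[subject] = Session(subject, resource, action, p.name)
        return "allow"

    def on_attribute_change(self, subject: str, new_attrs: dict) -> str:
        """Re-evaluate the live session against the subject's new attributes.

        Returns "no-session", "kept", "reassigned:<policy>" or "revoked".
        """
        s = self.sessions.get(subject)
        if s is None:
            return "no-session"
        p = self.select_policy(new_attrs, s.resource, s.action)
        if p is None:
            del self.sessions[subject]          # access no longer justified
            return "revoked"
        if p.name != s.policy:
            s.policy = p.name                   # tighter/looser policy now applies
            return f"reassigned:{p.name}"
        return "kept"


# Constructed policies: full access from the internal zone, read-only over VPN,
# both requiring a compliant device.
POLICIES = [
    Policy("ops-internal",
           {"role": {"ops"}, "network_zone": {"internal"}, "device_health": {"compliant"}},
           "config-db", frozenset({"read", "write"})),
    Policy("ops-remote-readonly",
           {"role": {"ops"}, "network_zone": {"vpn"}, "device_health": {"compliant"}},
           "config-db", frozenset({"read"})),
]


def demo():
    c = DynamicAccessController(POLICIES)
    attrs = {"role": "ops", "network_zone": "internal", "device_health": "compliant"}
    r1 = c.request("alice", attrs, "config-db", "read")
    # Subject moves onto the VPN: a read session survives under the remote policy.
    r2 = c.on_attribute_change("alice", {**attrs, "network_zone": "vpn"})
    # Device falls out of compliance: no policy matches, session revoked.
    r3 = c.on_attribute_change("alice", {**attrs, "network_zone": "vpn",
                                         "device_health": "noncompliant"})
    return r1, r2, r3


if __name__ == "__main__":
    print(demo())
```

The point the claim makes, and the example shows, is that the decision is not one-shot: a write session granted internally is revoked, not merely re-checked at the next request, once the zone attribute changes to one where only read is permitted.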
7. The endogenous security defense method of a network information system according to any one of claims 1 to 6, wherein the determining a target service type corresponding to the target service request and determining a target trusted virtual machine corresponding to the target service type from trusted virtual machines created in a trusted virtual environment in advance comprises:
if the target service type is attack detection and protection, determining a trusted virtual machine with attack detection and protection service deployed in advance from trusted virtual machines created in a trusted virtual environment in advance as a target trusted virtual machine;
correspondingly, the processing, by using the security defense service in the target trusted virtual machine, the service corresponding to the target service request to implement the endogenous security defense of the network information system includes:
performing bypass mirror collection of the application-layer traffic of the service resources of the network information system by using a data probe pre-installed in the target trusted virtual machine, to obtain corresponding collected data;
identifying, by deep analysis of the collected traffic data together with a preset security log, an access subject exhibiting abnormal entity behavior among the corresponding access subjects and access objects as an illegal access subject;
and prohibiting the access behavior of the illegal access subject on the basis of port hiding and access control rules, so as to implement defense against illegal attacks on the network information system.
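The detection step of claim 7 run over sample data, as an added illustrative example (not the patent's implementation): mirrored application-layer flow records and a security log are profiled per access subject, a subject is flagged when its behavior exceeds a baseline on object fan-out, error ratio or authentication failures, and one deny rule per touched object is emitted so the object is no longer reachable from that subject. The record layout, the log format, the thresholds and all sample records are constructed.

```python
"""Flag access subjects with abnormal entity behaviour from mirrored
application-layer flows plus a security log, then emit deny rules.

Added example, not the patent's implementation. The flow record layout,
log line format, thresholds and sample data below are all constructed.
"""
import re
from collections import defaultdict

# Constructed mirrored flow records: (time, subject_ip, object_service, path, status).
FLOWS = [
    ("10:00:01", "10.0.1.5",  "order-svc",   "/orders/1", 200),
    ("10:00:02", "10.0.1.5",  "order-svc",   "/orders/2", 200),
    ("10:00:05", "10.0.1.5",  "order-svc",   "/orders/3", 200),
    ("10:00:01", "10.0.9.77", "order-svc",   "/admin",    403),
    ("10:00:01", "10.0.9.77", "user-svc",    "/admin",    403),
    ("10:00:02", "10.0.9.77", "billing-svc", "/admin",    403),
    ("10:00:02", "10.0.9.77", "report-svc",  "/export",   404),
    ("10:00:03", "10.0.9.77", "auth-svc",    "/login",    401),
    ("10:00:03", "10.0.9.77", "auth-svc",    "/login",    401),
]

# Constructed security log lines in a syslog-like layout.
SECURITY_LOG = """\
10:00:03 auth-svc AUTH_FAIL src=10.0.9.77 user=admin
10:00:03 auth-svc AUTH_FAIL src=10.0.9.77 user=root
10:00:04 auth-svc AUTH_FAIL src=10.0.9.77 user=test
10:00:06 auth-svc AUTH_OK src=10.0.1.5 user=alice
"""

LOG_RE = re.compile(
    r"^\S+ (?P<svc>\S+) (?P<event>AUTH_FAIL|AUTH_OK) src=(?P<src>\S+) user=(?P<user>\S+)$"
)

# Assumed baseline thresholds; in practice derived from measured normal traffic.
MAX_DISTINCT_OBJECTS = 3
MAX_ERROR_RATIO = 0.5
MAX_AUTH_FAILS = 2


def profile_subjects(flows, security_log):
    """Per-subject counters combining traffic data with the security log."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0,
                                 "objects": set(), "auth_fails": 0})
    for _t, src, obj, _path, status in flows:
        s = stats[src]
        s["requests"] += 1
        s["objects"].add(obj)
        if status >= 400:
            s["errors"] += 1
    for line in security_log.splitlines():
        m = LOG_RE.match(line)
        if m and m["event"] == "AUTH_FAIL":
            stats[m["src"]]["auth_fails"] += 1
    return stats


def detect_illegal_subjects(flows, security_log):
    """Subjects whose behaviour crosses any baseline, with the reasons."""
    flagged = {}
    for src, s in profile_subjects(flows, security_log).items():
        reasons = []
        if len(s["objects"]) > MAX_DISTINCT_OBJECTS:
            reasons.append("object-fanout")
        if s["requests"] and s["errors"] / s["requests"] > MAX_ERROR_RATIO:
            reasons.append("error-ratio")
        if s["auth_fails"] > MAX_AUTH_FAILS:
            reasons.append("auth-failures")
        if reasons:
            flagged[src] = reasons
    return flagged


def build_deny_rules(flagged, flows):
    """One deny rule per (subject, object) pair a flagged subject touched,
    so each object's port is hidden from that subject."""
    rules = set()
    for _t, src, obj, _path, _status in flows:
        if src in flagged:
            rules.add(f"deny src={src} dst={obj}")
    return sorted(rules)


if __name__ == "__main__":
    hits = detect_illegal_subjects(FLOWS, SECURITY_LOG)
    print(hits)
    print("\n".join(build_deny_rules(hits, FLOWS)))
```

Combining the two sources is what makes the verdict robust: the security log alone sees only the authentication failures, while the mirrored traffic alone sees the fan-out across services; a subject that trips only one weak signal is worth a closer look, one that trips all three is a clear block.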
8. An endogenous security defense apparatus of a network information system, comprising:
a service request acquisition module for acquiring a target service request directed at the network information system;
a trusted virtual machine determining module for determining a target service type corresponding to the target service request and determining a target trusted virtual machine corresponding to the target service type from trusted virtual machines created in a trusted virtual environment in advance; wherein the trusted virtual environment is a virtualized environment obtained by deploying trusted basic software and a host security mechanism on a trusted host system, and different security defense services are carried by different trusted virtual machines;
and a service request security processing module for processing the service corresponding to the target service request by using the security defense service in the target trusted virtual machine, so as to implement the endogenous security defense of the network information system.
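The dispatch path of claim 8 (request in, service type out, trusted virtual machine selected), as an added illustrative example that is not the patent's apparatus: a request is classified into one of the three service types named in claims 5 to 7, and the target is chosen only among virtual machines that carry that service, report a good state from the host security mechanism, and whose measured basic software is on an allow-list. The VM identifiers, measurement digests, request field and load values are constructed.

```python
"""Route a service request to the trusted VM carrying the matching
security defense service.

Added example, not the patent's apparatus. VM identifiers, measurement
digests, the request field name and the attestation check are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed allow-list of known-good measurements of the trusted basic software.
KNOWN_GOOD = {"m-sdsec-v1", "m-dac-v1", "m-adp-v1"}

# Service types from claims 5 to 7, mapped to a short service tag.
SERVICE_TYPES = {
    "software-defined security resource management": "sdsec",
    "dynamic access control": "dac",
    "attack detection and protection": "adp",
}


@dataclass
class TrustedVM:
    vm_id: str
    service: str       # security defense service deployed in this VM
    measurement: str   # constructed digest of the VM's trusted basic software
    attested: bool     # host security mechanism reported a good state
    load: int = 0      # requests currently being handled


class Dispatcher:
    def __init__(self, vms):
        self.vms = list(vms)

    def classify(self, request: dict) -> Optional[str]:
        """Target service type of the request (None if not recognised)."""
        return SERVICE_TYPES.get(request.get("type"))

    def select_vm(self, service: str) -> Optional[TrustedVM]:
        """Least-loaded VM that carries the service and is trusted right now."""
        candidates = [v for v in self.vms
                      if v.service == service
                      and v.attested
                      and v.measurement in KNOWN_GOOD]
        if not candidates:
            return None
        return min(candidates, key=lambda v: v.load)

    def dispatch(self, request: dict):
        service = self.classify(request)
        if service is None:
            return ("reject", "unknown-service-type")
        vm = self.select_vm(service)
        if vm is None:
            return ("reject", "no-trusted-vm")
        vm.load += 1
        return ("dispatched", vm.vm_id)


def demo():
    d = Dispatcher([
        TrustedVM("tvm-1", "sdsec", "m-sdsec-v1", True),
        TrustedVM("tvm-2", "dac", "m-dac-v1", True, load=3),
        TrustedVM("tvm-3", "dac", "m-dac-v1", True, load=1),
        TrustedVM("tvm-4", "adp", "m-adp-v1", False),   # attestation failed
    ])
    return (
        d.dispatch({"type": "dynamic access control"}),          # least-loaded dac VM
        d.dispatch({"type": "attack detection and protection"}), # only adp VM untrusted
        d.dispatch({"type": "backup"}),                          # not a security type
    )


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Refusing rather than falling back when the only VM carrying a service fails attestation is the deliberate choice here: routing an attack-detection request into a VM whose basic software no longer measures as expected would silently remove the very property the trusted environment exists to provide.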
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the endogenous security defense method of a network information system according to any one of claims 1 to 7.
10. A computer-readable storage medium for storing a computer program; wherein the computer program, when executed by a processor, implements the steps of the endogenous security defense method of a network information system according to any one of claims 1 to 7.
CN202210569664.4A 2022-05-24 2022-05-24 Network information system endogenous security defense method, device, equipment and medium Pending CN114978697A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210569664.4A CN114978697A (en) 2022-05-24 2022-05-24 Network information system endogenous security defense method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210569664.4A CN114978697A (en) 2022-05-24 2022-05-24 Network information system endogenous security defense method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN114978697A true CN114978697A (en) 2022-08-30

Family

ID=82955308

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210569664.4A Pending CN114978697A (en) 2022-05-24 2022-05-24 Network information system endogenous security defense method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN114978697A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115871754A (en) * 2023-03-08 2023-03-31 北京全路通信信号研究设计院集团有限公司 Rail transit control signal system, detection method, device, equipment and medium
CN117667241A (en) * 2024-02-01 2024-03-08 龙芯中科技术股份有限公司 Device loading method and device, electronic device and storage medium
CN117667241B (en) * 2024-02-01 2024-04-26 龙芯中科技术股份有限公司 Device loading method and device, electronic device and storage medium

Similar Documents

Publication Publication Date Title
US11582257B2 (en) Prioritizing internet-accessible workloads for cyber security
CN111819544B (en) Pre-deployment security analyzer service for virtual computing resources
CN109076063B (en) Protecting dynamic and short-term virtual machine instances in a cloud environment
CN113169975B (en) Automatic generation of security rules for network micro-and nano-segments
CN102724176A (en) Intrusion detection system facing cloud calculating environment
US20190166126A1 (en) Actively identifying and neutralizing network hot spots
EP3466014B1 (en) Method and arrangement for configuring a secure domain in a network functions virtualization infrastructure
CN110199283B (en) System and method for authenticating platform trust in a network functions virtualization environment
CN103684922A (en) Outlet information privacy checking detection platform system based on SDN (self-defending network) and detection method
Pattaranantakul et al. Leveraging network functions virtualization orchestrators to achieve software-defined access control in the clouds
CN114978697A (en) Network information system endogenous security defense method, device, equipment and medium
CN111083088B (en) Cloud platform hierarchical management method and device based on multiple security domains
CN112468476B (en) Equipment management system and method for different types of terminals to access application
CN111818081B (en) Virtual encryption machine management method, device, computer equipment and storage medium
Zungur et al. Borderpatrol: Securing byod using fine-grained contextual information
CN111212077B (en) Host access system and method
CN112511562A (en) Cross-network data transmission system based on one-way isolation all-in-one machine and cloud desktop technology
CN111935195A (en) Distributed system management method, device, storage medium and distributed management system
Wu et al. Public cloud security protection research
CN112446029A (en) Trusted computing platform
Xu et al. TIM: A trust insurance mechanism for network function virtualization based on trusted computing
Bennasar et al. State-of-The-Art of cloud computing cyber-security
Musca et al. Secure access to cloud resources
Tupakula et al. Trust enhanced security for tenant transactions in the cloud environment
Varadharajan et al. Techniques for Enhancing Security in Industrial Control Systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination