CN116248298A - Cloud security service integrated security defense system and method based on saas - Google Patents

Info

Publication number: CN116248298A
Authority: CN (China)
Prior art keywords: module, data, threat, output end, input end
Legal status: Pending
Application number: CN202211101414.4A
Priority application: CN202211101414.4A
Other languages: Chinese (zh)
Inventors: 冯国聪, 邓子杰, 黄清水, 邹洪, 张佳发, 吕华辉, 樊凯, 明哲, 余芸
Current Assignee: Southern Power Grid Digital Grid Research Institute Co Ltd
Original Assignee: Southern Power Grid Digital Grid Research Institute Co Ltd
Application filed by: Southern Power Grid Digital Grid Research Institute Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Alarm Systems (AREA)

Abstract

The invention discloses a cloud security service integrated security defense system and method based on saas, comprising a terminal agent module, an information transmission module, a data acquisition module, a security analysis module, an alarm response module and a defense processing module, wherein the output end of the terminal agent module controls the input end of the connected information transmission module.

Description

Cloud security service integrated security defense system and method based on saas
Technical Field
The invention relates to the technical field of security defense systems, in particular to a saas-based cloud security service integrated security defense system and a saas-based cloud security service integrated security defense method.
Background
As people's demands on computer systems grow, network information security becomes ever more important. The functions of computer systems are increasingly complete, running speeds keep improving, and systems are becoming more complex and larger in scale, so that any hidden defect or error may cause huge losses. To ensure information security on personal devices, a corresponding security defense system generally has to be added to carry out security management of the terminal. However, the construction period of such a security management system is long, and once it has been added as a standalone system, professional security personnel have to be assigned to manage it, which increases the management and maintenance cost of the system. Meanwhile, existing security management systems lack monitoring and management of the data transmission process, so data are easily leaked or lost in transit, which affects the security performance of the system. They are also mostly simple in function: they can only repair anomalies or vulnerabilities, and cannot trace a threat back to its source or eliminate the recorded samples at that source, which affects the practicality of the system.
Disclosure of Invention
The invention aims to provide a saas-based cloud security service integrated security defense system and a saas-based cloud security service integrated security defense method, which are used for solving the problems in the background technology.
In order to achieve the above purpose, the present invention provides the following technical solution: the cloud security service integrated security defense system based on SaaS comprises a terminal agent module, an information transmission module, a data acquisition module, a security analysis module, an alarm response module and a defense processing module, wherein the output end of the terminal agent module is connected to the input end of the information transmission module, the input end of the terminal agent module is connected to the output end of the defense processing module, the input end of the defense processing module is connected to the output end of the information transmission module, the output end of the information transmission module is connected to the input end of the data acquisition module, the output end of the data acquisition module is connected to the input end of the security analysis module, the output end of the security analysis module is connected to the input end of the alarm response module, and the output end of the alarm response module is connected to the input end of the information transmission module.
Preferably, the terminal agent module is composed of a login management module, a management record module, an operation monitoring module, a periodic inspection module, a security report module and a data exchange module, wherein the output end of the login management module is connected to the input end of the management record module, the output end of the management record module is connected to the input end of the security report module, and the input end of the security report module is connected to the output end of the data exchange module.
Preferably, the output end of the management record module is connected to the input ends of the operation monitoring module, the periodic inspection module and the data exchange module respectively, and the output ends of the operation monitoring module, the periodic inspection module and the data exchange module are each connected to the input end of the management record module.
Preferably, the information transmission module is composed of a data arrangement module, a data encryption module, a transmission monitoring module, a decryption recovery module, an abnormal recording module and a safety regulation module, wherein the output end of the data arrangement module is connected to the input end of the data encryption module, the output end of the data encryption module is connected to the input end of the transmission monitoring module, the output end of the transmission monitoring module is connected to the input ends of the decryption recovery module, the abnormal recording module and the safety regulation module respectively, the output end of the safety regulation module is connected to the input end of the transmission monitoring module, and the output end of the abnormal recording module is connected to the input end of the decryption recovery module.
Preferably, the data acquisition module is composed of a data receiving module, a threat analysis module, a data grading module and a data output module, wherein the output end of the data receiving module is connected to the input ends of the threat analysis module and the data grading module respectively, the output end of the threat analysis module is connected to the input end of the data grading module, and the output end of the data grading module is connected to the input end of the data output module.
Preferably, the security analysis module comprises an analysis receiving module, a comparison analysis module, an extraction and calling module, a big data module and an abnormal output module, wherein the output end of the analysis receiving module is connected to the input end of the comparison analysis module, the output end of the comparison analysis module is connected to the input end of the abnormal output module, the input end of the comparison analysis module is connected to the output end of the extraction and calling module, and the input end of the extraction and calling module is connected to the output end of the big data module.
Preferably, the alarm response module comprises a report receiving module, a log generating module, an alarm processing module and an alarm storage module, wherein the output end of the report receiving module is connected to the input end of the log generating module, and the output end of the log generating module is connected to the input ends of the alarm processing module and the alarm storage module respectively.
Preferably, the defense processing module is composed of an alarm receiving module, a scheme decision module, a rule preparation module, an abnormality repair module, a frame isolation module, an evidence collection recording module and a tracing positioning module, wherein the output end of the alarm receiving module is connected to the input end of the scheme decision module, the output end of the scheme decision module is connected to the input ends of the rule preparation module, the abnormality repair module and the frame isolation module respectively, the output end of the frame isolation module is connected to the input ends of the evidence collection recording module and the tracing positioning module respectively, and the output ends of the evidence collection recording module and the tracing positioning module are each connected to the input end of the scheme decision module.
A cloud security service integrated security defense method based on SaaS comprises the following steps: step one, monitoring and recording; step two, uploading data; step three, security analysis; step four, defense response;
in step one, the user first installs the terminal agent module and the defense processing module on the terminal in use, which connects the user terminal to the cloud service platform of the SaaS-based cloud security service. The user logs in and manages the management account in the login management module of the terminal agent module, and the management record module manages the user terminal during use. The operation monitoring module reads and records all operation processes on the terminal and transmits the recorded historical operation processes to the login management module; the periodic inspection module inspects all data and applications on the terminal and transmits the detection result and the static samples acquired during periodic inspection to the login management module. The login management module transmits the recorded historical operation processes and detection results to the security report module, which stores them, and the data exchange module transmits the recorded historical operation processes, detection results and acquired static samples to the information transmission module;
in step two, the data arrangement module in the information transmission module passes the received historical operation processes, detection results and acquired static samples to the data encryption module for encryption; the data encryption module passes the encrypted data to the transmission monitoring module, which transmits it to the cloud service platform. The transmission monitoring module monitors the transmission process and reports it to both the abnormal recording module and the safety regulation module. The abnormal recording module records the abnormal conditions that occur during transmission, acquires abnormal samples, and passes the abnormal conditions and abnormal samples to the decryption recovery module; the safety regulation module analyzes the transmission process and, according to the analysis result, controls whether transmission continues or is interrupted. After the encrypted data reaches the cloud platform, the decryption recovery module decrypts and recovers it, restoring the terminal's historical operation processes, detection results and acquired static samples, combines these with the abnormal conditions and abnormal samples from the transmission process to form a data packet, and transmits the data packet to the data acquisition module;
in step three, the data receiving module receives the data packet from the decryption recovery module, extracts the samples from it and passes the extracted samples to the threat analysis module. The threat analysis module analyzes the properties of the samples, assigns a threat rating and passes the rating to the data grading module; at the same time the data receiving module passes the data packet to the data grading module. The data in the packet are then graded according to the threat rating, and the grading defines the processing priority. The data output module transmits the graded data packet to the analysis receiving module in the security analysis module, which passes it to the comparison analysis module; meanwhile the extraction and calling module extracts a big data model from the big data module and passes it to the comparison analysis module. The comparison analysis module performs threat identification on the graded data packet using the big data model, sorts the threat events and marks the threat samples, and then transmits the threat events and threat samples to the alarm response module;
in step four, the report receiving module receives the threat events and threat samples and passes them to the log generating module, which generates a detailed threat record and transmits it to the alarm storage module for storage. At the same time the log generating module sends an alarm indication to the alarm receiving module, the threat events and threat samples are transmitted to the alarm receiving module, and the alarm receiving module issues an alarm prompt; the information transmission module also transmits the threat events and threat samples to the defense processing module. The alarm receiving module then passes the threat events and threat samples to the scheme decision module, which analyzes the threat events and formulates a processing scheme. The scheme decision module transmits the processing scheme to the rule preparation module and the abnormality repair module: the rule preparation module adjusts the management rules on the user terminal according to the scheme, and the abnormality repair module handles the abnormal conditions on the user terminal according to the scheme. The scheme decision module also transmits the threat samples to the frame isolation module for isolation; the evidence collection recording module then records evidence on the isolated threat samples and the threat events, and the tracing positioning module traces and records the source of the threat samples.
Compared with the prior art, the invention has the following beneficial effects: in the cloud security service integrated security defense system and method based on SaaS, the user terminal is connected to the cloud service platform through the terminal agent module, and security protection for the user terminal is provided by the SaaS-based cloud security service, so the construction period of the system is short and no dedicated security management staff need to be assigned to maintain and manage it, which reduces the management and maintenance cost. The data transmission process is monitored and managed by the information transmission module, which avoids data leakage or loss in transit and safeguards the security performance of the system. Evidence collection, recording and source tracing are carried out on the acquired threat samples by the defense processing module, so that the potential security hazard is eliminated at the threat source, which improves the practicability of the system.
Drawings
FIG. 1 is a system flow diagram of the present invention;
FIG. 2 is a system frame diagram of the present invention;
FIG. 3 is a flow chart of the method of the present invention;
In the figures: 1. terminal agent module; 2. information transmission module; 3. data acquisition module; 4. security analysis module; 5. alarm response module; 6. defense processing module; 11. login management module; 12. management record module; 13. operation monitoring module; 14. periodic inspection module; 15. security reporting module; 16. data exchange module; 21. data arrangement module; 22. data encryption module; 23. transmission monitoring module; 24. decryption restoration module; 25. anomaly recording module; 26. safety regulation module; 31. data receiving module; 32. threat analysis module; 33. data grading module; 34. data output module; 41. analysis receiving module; 42. comparison analysis module; 43. extraction and calling module; 44. big data module; 45. abnormal output module; 51. report receiving module; 52. log generation module; 53. alarm processing module; 54. alarm storage module; 61. alarm receiving module; 62. scheme decision module; 63. rule preparation module; 64. abnormality repair module; 65. frame isolation module; 66. evidence collection recording module; 67. tracing positioning module.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1-2, an embodiment of the present invention is provided: the cloud security service integrated security defense system based on SaaS comprises a terminal agent module 1, an information transmission module 2, a data acquisition module 3, a security analysis module 4, an alarm response module 5 and a defense processing module 6. The output end of the terminal agent module 1 is connected to the input end of the information transmission module 2, the input end of the terminal agent module 1 is connected to the output end of the defense processing module 6, the input end of the defense processing module 6 is connected to the output end of the information transmission module 2, the output end of the information transmission module 2 is connected to the input end of the data acquisition module 3, the output end of the data acquisition module 3 is connected to the input end of the security analysis module 4, the output end of the security analysis module 4 is connected to the input end of the alarm response module 5, and the output end of the alarm response module 5 is connected to the input end of the information transmission module 2.
The terminal agent module 1 is composed of a login management module 11, a management recording module 12, an operation monitoring module 13, a periodic inspection module 14, a security reporting module 15 and a data exchange module 16. The output end of the login management module 11 is connected to the input end of the management recording module 12, the output end of the management recording module 12 is connected to the input end of the security reporting module 15, and the input end of the security reporting module 15 is connected to the output end of the data exchange module 16; the security reporting module 15 periodically provides security defense detection reports, which improves the user's experience. The output end of the management recording module 12 is connected to the input ends of the operation monitoring module 13, the periodic inspection module 14 and the data exchange module 16 respectively, and the output ends of the operation monitoring module 13, the periodic inspection module 14 and the data exchange module 16 are each connected to the input end of the management recording module 12; the data exchange module 16 uploads the user's data to the cloud service platform.
The information transmission module 2 consists of a data arrangement module 21, a data encryption module 22, a transmission monitoring module 23, a decryption recovery module 24, an anomaly recording module 25 and a safety regulation module 26. The output end of the data arrangement module 21 is connected to the input end of the data encryption module 22, the output end of the data encryption module 22 is connected to the input end of the transmission monitoring module 23, the output end of the transmission monitoring module 23 is connected to the input ends of the decryption recovery module 24, the anomaly recording module 25 and the safety regulation module 26 respectively, the output end of the safety regulation module 26 is connected to the input end of the transmission monitoring module 23, and the output end of the anomaly recording module 25 is connected to the input end of the decryption recovery module 24; the data encryption module 22 encrypts the transmitted data, which prevents information leakage.
The data acquisition module 3 is composed of a data receiving module 31, a threat analysis module 32, a data grading module 33 and a data output module 34. The output end of the data receiving module 31 is connected to the input ends of the threat analysis module 32 and the data grading module 33 respectively, the output end of the threat analysis module 32 is connected to the input end of the data grading module 33, and the output end of the data grading module 33 is connected to the input end of the data output module 34; the threat analysis module 32 analyzes the properties of a sample and assigns a threat rating.
The security analysis module 4 is composed of an analysis receiving module 41, a comparison analysis module 42, an extraction and calling module 43, a big data module 44 and an abnormal output module 45. The output end of the analysis receiving module 41 is connected to the input end of the comparison analysis module 42, the output end of the comparison analysis module 42 is connected to the input end of the abnormal output module 45, the input end of the comparison analysis module 42 is connected to the output end of the extraction and calling module 43, and the input end of the extraction and calling module 43 is connected to the output end of the big data module 44; the big data module 44 is invoked through the extraction and calling module 43, which improves the response speed of the system.
The alarm response module 5 is composed of a report receiving module 51, a log generating module 52, an alarm processing module 53 and an alarm storage module 54. The output end of the report receiving module 51 is connected to the input end of the log generating module 52, and the output end of the log generating module 52 is connected to the input ends of the alarm processing module 53 and the alarm storage module 54 respectively, so that the logs generated by the log generating module 52 are stored and recorded.
The defense processing module 6 is composed of an alarm receiving module 61, a scheme decision module 62, a rule preparation module 63, an abnormality repair module 64, a frame isolation module 65, an evidence collection recording module 66 and a tracing positioning module 67. The output end of the alarm receiving module 61 is connected to the input end of the scheme decision module 62, the output end of the scheme decision module 62 is connected to the input ends of the rule preparation module 63, the abnormality repair module 64 and the frame isolation module 65 respectively, the output end of the frame isolation module 65 is connected to the input ends of the evidence collection recording module 66 and the tracing positioning module 67 respectively, and the output ends of the evidence collection recording module 66 and the tracing positioning module 67 are each connected to the input end of the scheme decision module 62; the tracing positioning module 67 locates the source of threat samples, which improves the practicability of the system.
Referring to fig. 3, an embodiment of the present invention is provided: a cloud security service integrated security defense method based on SaaS comprises the following steps: step one, monitoring and recording; step two, uploading data; step three, security analysis; step four, defense response;
in step one, the user first installs the terminal agent module 1 and the defense processing module 6 on the terminal in use, which connects the user terminal to the cloud service platform of the SaaS-based cloud security service. The user logs in and manages the management account in the login management module 11 of the terminal agent module 1, and the management record module 12 manages the user terminal during use. The operation monitoring module 13 reads and records all operation processes on the terminal and transmits the recorded historical operation processes to the login management module 11; the periodic inspection module 14 inspects all data and applications on the terminal and transmits the detection result and the static samples acquired during periodic inspection to the login management module 11. The login management module 11 then transmits the recorded historical operation processes and detection results to the security report module 15, which stores them; the recorded historical operation processes, detection results and acquired static samples are passed to the data exchange module 16, and the data exchange module 16 transmits them to the information transmission module 2;
in step two, the data arrangement module 21 in the information transmission module 2 passes the received historical operation processes, detection results and collected static samples to the data encryption module 22 for encryption; the data encryption module 22 passes the encrypted data to the transmission monitoring module 23, which transmits it to the cloud service platform. The transmission monitoring module 23 monitors the transmission process and reports it to the anomaly recording module 25 and the safety regulation module 26 respectively. The anomaly recording module 25 records the anomalous conditions that occur during transmission, collects anomalous samples, and passes the anomalous conditions and collected samples to the decryption restoration module 24; the safety regulation module 26 analyzes the transmission process and, according to the analysis result, controls whether transmission continues or is interrupted. After the encrypted data reaches the cloud platform, the decryption restoration module 24 decrypts and restores it, recovering the terminal's historical operation processes, detection results and collected static samples, combines these with the anomalous conditions and collected anomalous samples from the transmission process to form a data packet, and transmits the data packet to the data acquisition module 3;
in step three, the data receiving module 31 receives the data packet from the decryption restoration module 24, extracts the samples from it and passes the extracted samples to the threat analysis module 32. The threat analysis module 32 analyzes the properties of the samples, assigns a threat rating and passes the rating to the data grading module 33; at the same time the data receiving module 31 passes the data packet to the data grading module 33. The data in the packet are then graded according to the threat rating, and the grading defines the processing priority. The data output module 34 transmits the graded data packet to the analysis receiving module 41 in the security analysis module 4, which passes it to the comparison analysis module 42; meanwhile the extraction and calling module 43 invokes a big data model from the big data module 44 and passes it to the comparison analysis module 42. The comparison analysis module 42 performs threat identification on the graded data packet using the big data model, sorts the threat events and marks the threat samples, and then transmits the threat events and threat samples to the alarm response module 5;
in step four, the report receiving module 51 receives the threat events and threat samples and passes them to the log generating module 52, which generates a detailed threat record and transmits it to the alarm storage module 54 for storage. The log generating module 52 sends an alarm indication to the alarm receiving module 61, which issues an alarm prompt, and the information transmission module 2 transmits the threat events and threat samples to the defense processing module 6. The alarm receiving module 61 passes the threat events and threat samples to the scheme decision module 62, which analyzes the threat events and decides on a processing scheme. The scheme decision module 62 transmits the processing scheme to the rule preparation module 63 and the abnormality repair module 64 respectively: the rule preparation module 63 adjusts the management rules on the user terminal according to the scheme, and the abnormality repair module 64 handles the abnormal conditions on the user terminal according to the scheme. The scheme decision module 62 also transmits the threat events and threat samples to the frame isolation module 65 for isolation; the evidence collection recording module 66 records evidence on the isolated threat samples, and the tracing positioning module 67 locates and records the source of the threat samples.
Based on the above, the advantages of the invention are as follows: when the system is in use, the user terminal is connected to the cloud service platform through the terminal proxy module 1 and the saas-based cloud security service provides security protection for the user terminal, which shortens the construction period of the security defense system and removes the need for dedicated security management staff to maintain and manage it, reducing management and maintenance cost; the information transmission module 2 monitors and manages the data transmission process while the anomaly recording module 25 records the anomalies that occur during transmission, which guards against data leakage or loss in transit and secures the system; and the defense processing module 6 collects evidence on and traces the source of the acquired threat samples, so that the potential safety hazard is eliminated at the threat source, improving the practicality of the system.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.

Claims (9)

1. A saas-based cloud security service integrated security defense system, comprising a terminal agent module (1), an information transmission module (2), a data acquisition module (3), a security analysis module (4), an alarm response module (5) and a defense processing module (6), characterized in that: the output end of the terminal agent module (1) is connected to the input end of the information transmission module (2), the input end of the terminal agent module (1) is connected to the output end of the defense processing module (6), the input end of the defense processing module (6) is connected to the output end of the information transmission module (2), the output end of the information transmission module (2) is connected to the input end of the data acquisition module (3), the output end of the data acquisition module (3) is connected to the input end of the security analysis module (4), the output end of the security analysis module (4) is connected to the input end of the alarm response module (5), and the output end of the alarm response module (5) is connected to the input end of the information transmission module (2).
2. The saas-based cloud security service integrated security defense system of claim 1, wherein: the terminal agent module (1) is composed of a login management module (11), a management record module (12), an operation monitoring module (13), a periodic inspection module (14), a security report module (15) and a data exchange module (16), wherein the output end of the login management module (11) is connected to the input end of the management record module (12), the output end of the management record module (12) is connected to the input end of the security report module (15), and the input end of the security report module (15) is connected to the output end of the data exchange module (16).
3. The saas-based cloud security service integrated security defense system of claim 2, wherein: the output end of the management record module (12) is connected to the input ends of the operation monitoring module (13), the periodic inspection module (14) and the data exchange module (16) respectively, and the output ends of the operation monitoring module (13), the periodic inspection module (14) and the data exchange module (16) are each connected to the input end of the management record module (12).
4. The saas-based cloud security service integrated security defense system of claim 1, wherein: the information transmission module (2) is composed of a data sorting module (21), a data encryption module (22), a transmission monitoring module (23), a decryption restoration module (24), an anomaly recording module (25) and a safety regulation module (26), wherein the output end of the data sorting module (21) is connected to the input end of the data encryption module (22), the output end of the data encryption module (22) is connected to the input end of the transmission monitoring module (23), the output end of the transmission monitoring module (23) is connected to the input ends of the decryption restoration module (24), the anomaly recording module (25) and the safety regulation module (26) respectively, and the output end of the safety regulation module (26) is connected to the input end of the decryption restoration module (24).
5. The saas-based cloud security service integrated security defense system of claim 1, wherein: the data acquisition module (3) is composed of a data receiving module (31), a threat analysis module (32), a data grading module (33) and a data output module (34), wherein the output end of the data receiving module (31) is connected to the input end of the threat analysis module (32) and the input end of the data grading module (33) respectively, the output end of the threat analysis module (32) is connected to the input end of the data grading module (33), and the output end of the data grading module (33) is connected to the input end of the data output module (34).
6. The saas-based cloud security service integrated security defense system of claim 1, wherein: the security analysis module (4) is composed of an analysis receiving module (41), a comparison analysis module (42), an extraction calling module (43), a big data module (44) and an anomaly output module (45), wherein the output end of the analysis receiving module (41) is connected to the input end of the comparison analysis module (42), the output end of the comparison analysis module (42) is connected to the input end of the anomaly output module (45), the input end of the comparison analysis module (42) is connected to the output end of the extraction calling module (43), and the input end of the extraction calling module (43) is connected to the output end of the big data module (44).
7. The saas-based cloud security service integrated security defense system of claim 1, wherein: the alarm response module (5) is composed of a report receiving module (51), a log generating module (52), an alarm processing module (53) and an alarm storage module (54), wherein the output end of the report receiving module (51) is connected to the input end of the log generating module (52), and the output end of the log generating module (52) is connected to the input ends of the alarm processing module (53) and the alarm storage module (54) respectively.
8. The saas-based cloud security service integrated security defense system of claim 1, wherein: the defense processing module (6) is composed of an alarm receiving module (61), a scheme decision module (62), a rule repair module (63), an abnormality repair module (64), a frame isolation module (65), an evidence collection recording module (66) and a tracing positioning module (67), wherein the output end of the alarm receiving module (61) is connected to the input end of the scheme decision module (62), the output end of the scheme decision module (62) is connected to the input ends of the rule repair module (63), the abnormality repair module (64) and the frame isolation module (65) respectively, the output end of the frame isolation module (65) is connected to the input ends of the evidence collection recording module (66) and the tracing positioning module (67) respectively, and the output ends of the evidence collection recording module (66) and the tracing positioning module (67) are each connected to the input end of the scheme decision module (62).
9. A saas-based cloud security service integrated security defense method, comprising the following steps: step one, monitoring and recording; step two, uploading data; step three, security analysis; step four, defense response; characterized in that:
in the first step, the user first installs the terminal agent module (1) and the defense processing module (6) in the terminal in use, and the user terminal is connected to the cloud service platform through the saas-based cloud security service; the user logs in to and manages a management account in the login management module (11) of the terminal agent module (1), and the management record module (12) performs management operations on the user terminal during use; the operation monitoring module (13) reads and records all operation processes in the terminal and transmits the recorded historical operation process to the login management module (11); the periodic inspection module (14) inspects all data and applications in the terminal and transmits the periodic inspection result and the collected static samples to the login management module (11); the login management module (11) transmits the recorded historical operation process and inspection result to the security report module (15), which stores them, and at the same time to the data exchange module (16), which transmits the historical operation process, inspection result and collected static samples to the information transmission module (2);
in the second step, the data sorting module (21) in the information transmission module (2) passes the received historical operation process, inspection result and collected static samples to the data encryption module (22) for encryption; the data encryption module (22) passes the encrypted data to the transmission monitoring module (23), which transmits it to the cloud service platform and at the same time monitors the transmission process and reports it to the anomaly recording module (25) and the safety regulation module (26); the anomaly recording module (25) records the anomalies that occur during transmission and collects anomaly samples, then passes the anomalies and the collected anomaly samples to the decryption restoration module (24); the safety regulation module (26) analyses the transmission process and, according to the result of the analysis, lets the transmission continue or interrupts it; after the encrypted data has reached the cloud platform, the decryption restoration module (24) decrypts it and restores the terminal's historical operation process, inspection result and collected static samples, combines them with the anomalies and anomaly samples recorded during transmission into one data packet, and passes the data packet to the data acquisition module (3);
in the third step, the data receiving module (31) receives the data packet transmitted by the decryption restoration module (24), extracts the samples from it and passes them to the threat analysis module (32), which analyses the nature of each sample, assigns a threat rating and passes the rating to the data grading module (33); the data receiving module (31) also passes the data packet to the data grading module (33), which grades the data in the packet according to the threat rating and sets the handling priority by grade; the data output module (34) transmits the graded data packet to the analysis receiving module (41) in the security analysis module (4), which passes it to the comparison analysis module (42); the extraction calling module (43) retrieves a big data model from the big data module (44) and supplies it to the comparison analysis module (42), which performs threat identification on the graded data packet against the big data model, sorts the threat events and marks the threat samples, and transmits the threat events and threat samples to the alarm response module (5);
in the fourth step, the report receiving module (51) receives the threat events and threat samples and passes them to the log generating module (52), which generates a detailed threat record, stores it in the alarm storage module (54) and at the same time sends an alarm indication to the alarm receiving module (61), which raises an alarm prompt; the information transmission module (2) transmits the threat events and threat samples to the defense processing module (6), where the alarm receiving module (61) passes them to the scheme decision module (62); the scheme decision module (62) analyses the threat events, decides a processing scheme and transmits it to the rule repair module (63) and the abnormality repair module (64); the rule repair module (63) adjusts the management rules in the user terminal according to the processing scheme, the abnormality repair module (64) handles the abnormal conditions in the user terminal according to the processing scheme, and the frame isolation module (65) isolates the threat events and threat samples in the user terminal according to the processing scheme; then the evidence collection recording module (66) collects evidence of the threat sample's violating behaviour, the tracing positioning module (67) traces the threat and locates the source of the sample, and the management record module (12) stores and records the source of the threat sample and the violation.
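The upload, grading and response flow set out in steps two to four of the description and restated in claim 9 is a pipeline that is easier to judge when shown end to end. The block below is an added example written for this page; it is not code from the patent or its assignee. The keys, envelope field names, threat-rating rules and the HMAC-based stream cipher are assumptions made for illustration (a real deployment would use an AEAD such as AES-GCM or ChaCha20-Poly1305 over a TLS channel). It shows the point a practitioner would check first: the transmission monitoring and anomaly recording modules can only detect tampering, truncation and replay if each encrypted envelope carries an authentication tag that covers a sequence number, and the anomalies recorded that way then enter the same grading queue as the terminal's static samples.

```python
# Added example, not the patent's code: steps two to four with stdlib only.
# Keys, field names, rating rules and the HMAC-based cipher are assumptions.
import hashlib, hmac, json, os, struct

# Assumed keys, provisioned out of band to terminal agent and cloud platform.
ENC_KEY = hashlib.sha256(b"demo-enc-key").digest()
MAC_KEY = hashlib.sha256(b"demo-mac-key").digest()
RATING = {"critical": 3, "high": 2, "medium": 1, "low": 0}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter mode. Demo only; use AES-GCM/ChaCha20-Poly1305 in production."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt_report(seq: int, report: dict) -> dict:
    """Data encryption module (22): encrypt-then-MAC over seq || nonce || ct."""
    pt = json.dumps(report, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ENC_KEY, nonce, len(pt))))
    tag = hmac.new(MAC_KEY, struct.pack(">Q", seq) + nonce + ct, hashlib.sha256).digest()
    return {"seq": seq, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def receive_batch(envelopes: list) -> dict:
    """Modules (23), (25), (24): verify each envelope, record failures as anomaly
    samples, and bundle restored reports plus anomalies into one data packet."""
    reports, anomalies, expected = [], [], 0
    for env in envelopes:
        try:
            seq, nonce = env["seq"], bytes.fromhex(env["nonce"])
            ct, tag = bytes.fromhex(env["ct"]), bytes.fromhex(env["tag"])
            header = struct.pack(">Q", seq) + nonce
        except (KeyError, TypeError, ValueError, struct.error):
            anomalies.append({"kind": "malformed"})
            continue
        calc = hmac.new(MAC_KEY, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(calc, tag):   # modified or truncated in transit
            anomalies.append({"kind": "tampered", "seq": seq})
            continue
        if seq < expected:                       # already processed: replay
            anomalies.append({"kind": "replay", "seq": seq})
            continue
        if seq > expected:                       # an envelope was dropped
            anomalies.append({"kind": "gap", "expected": expected, "got": seq})
        expected = seq + 1
        pt = bytes(a ^ b for a, b in zip(ct, _keystream(ENC_KEY, nonce, len(ct))))
        reports.append(json.loads(pt))
    return {"reports": reports, "anomalies": anomalies}


def rate_sample(sample: dict) -> str:
    """Threat analysis module (32). Assumed rules standing in for the big data model (44)."""
    if sample.get("known_malware_hash"):
        return "critical"
    if sample.get("unsigned_binary"):
        return "high" if sample.get("persistence") else "medium"
    return "low"


def grade_packet(packet: dict) -> list:
    """Data grading module (33): rate samples and transport anomalies, highest first."""
    graded = [{"source": r["terminal"], "sample": s, "rating": rate_sample(s)}
              for r in packet["reports"] for s in r.get("static_samples", [])]
    for a in packet["anomalies"]:
        rating = "high" if a["kind"] in ("tampered", "replay") else "medium"
        graded.append({"source": "transport", "sample": a, "rating": rating})
    return sorted(graded, key=lambda g: RATING[g["rating"]], reverse=True)


def decide_scheme(event: dict) -> list:
    """Scheme decision module (62): which of modules (63) to (67) to drive."""
    level, plan = RATING[event["rating"]], ["log"]
    if level >= RATING["medium"]:
        plan.append("adjust_rule")               # rule repair module (63)
    if level >= RATING["high"]:
        plan.append("repair")                    # abnormality repair module (64)
    if level == RATING["critical"]:
        plan += ["isolate", "forensics", "trace_source"]   # modules (65) to (67)
    return plan


def demo() -> dict:
    """Constructed input: two reports, a tampered copy of the second, and the
    first resent after the second (a replay)."""
    r0 = {"terminal": "t-01", "history": ["login", "run app.exe"],
          "static_samples": [{"name": "app.exe", "unsigned_binary": True}]}
    r1 = {"terminal": "t-01", "history": ["scheduled task created"],
          "static_samples": [{"name": "x.dll", "known_malware_hash": True}]}
    e0, e1 = encrypt_report(0, r0), encrypt_report(1, r1)
    ct = bytes.fromhex(e1["ct"])
    bad = dict(e1, ct=(ct[:-1] + bytes([ct[-1] ^ 0xFF])).hex())
    packet = receive_batch([e0, bad, e1, e0])
    graded = grade_packet(packet)
    return {"packet": packet, "graded": graded, "plan": decide_scheme(graded[0])}
```

Calling `demo()` pushes two genuine envelopes, a tampered copy and a replayed envelope through the receive side: the tampered and replayed envelopes are never decrypted but are recorded as anomaly samples and graded high, while the known-malware sample is graded critical and drives the full scheme (rule adjustment, repair, isolation, forensics and source tracing). The authentication tag is checked before the sequence number so that an attacker cannot forge a high sequence number to desynchronise the replay window.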

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211101414.4A CN116248298A (en) 2022-09-09 2022-09-09 Cloud security service integrated security defense system and method based on saas
Publications (1)

Publication Number Publication Date
CN116248298A true CN116248298A (en) 2023-06-09

Family

ID=86626515
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination