CN116527299A - Network-based safety protection method and dynamic defense system - Google Patents

Network-based safety protection method and dynamic defense system

Info

Publication number
CN116527299A
Authority
CN
China
Prior art keywords
network
security
user
access
encryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211722842.9A
Other languages
Chinese (zh)
Inventor
许路平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou New Reed Technology Co ltd
Original Assignee
Suzhou New Reed Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Suzhou New Reed Technology Co ltd filed Critical Suzhou New Reed Technology Co ltd
Priority to CN202211722842.9A priority Critical patent/CN116527299A/en
Publication of CN116527299A publication Critical patent/CN116527299A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to the technical field of computer network security and discloses a network security protection method and a dynamic defense system. The method comprises the following steps: step one: strengthening facility management and establishing a sound safety management system; step two: strengthening the access control strategy; step three: establishing a sound backup and recovery mechanism; step four: establishing a security management mechanism. With this network security protection method and dynamic defense system, whether a user has access rights to a resource is judged to obtain a first judgment result; when the first judgment result indicates that the user has access rights to the resource, the physical partition where the resource is located is determined; the access control strategy is strengthened; data, files, passwords and control information in the network are protected; and backup protection is performed in real time.

Description

Network-based safety protection method and dynamic defense system
Technical Field
The invention relates to the technical field of computer network security, in particular to a network security protection method and a dynamic defense system.
Background
Network security technology is mainly used to guard against potential network security risks and to prevent network resources from being attacked by malicious code. A complete network system requires the combined application of protection, detection, response and recovery, and network attack protection takes many forms, such as secure routers, firewall technology, disaster recovery, network survivability and other technologies.
However, current network security technology cannot achieve effective monitoring and early warning in terms of network detection and early warning and network security situation awareness, the network attack means is invariable, and most network security protection systems have no autonomous learning ability to cope with complex and changeable emergencies. We therefore propose a network security protection method and a dynamic defense system.
Disclosure of Invention
The invention mainly solves the technical problems existing in the prior art and provides a network-based security protection method and a dynamic defense system.
To achieve the above purpose, the invention adopts the following technical scheme: the network-based security protection method comprises the following steps:
step one: strengthening facility management and establishing a sound safety management system;
step two: strengthening the access control strategy;
step three: establishing a sound backup and recovery mechanism;
step four: establishing a security management mechanism.
Preferably, step one further comprises: focusing on protecting hardware entities such as computer systems, network servers and printers, as well as communication lines, from natural disasters, man-made damage and wiretapping attacks; and verifying the identity and usage authority of users, preventing users from performing unauthorized operations, and ensuring the physical security of the computer network system.
Preferably, step two further comprises: access control is the main strategy for network security prevention and protection, and its main task is to ensure that network resources are not illegally used or illegally accessed. The various security strategies must work together to be truly protective, but access control is one of the most important core strategies for ensuring network security.
Preferably, step two further comprises:
1) An access control policy, which provides the first layer of access control. This layer controls which users are allowed to log in to the network server and acquire network resources, the times at which users are allowed to access the network, and the workstations from which they are allowed to access it. Network access control can be realized in three steps: identifying and verifying the user name; identifying and verifying the user password; and checking the user account. If any one of the three steps is not passed, the user is refused. The network administrator manages the account use, network access time and access mode of ordinary users, and can control the stations from which a user logs in to the network and limit the number of workstations a user may use;
2) A network authority control strategy, which is a security protection measure against illegal network operations. Users and user groups are given certain authorities and are divided into three types: special users (e.g., system administrators); general users, to whom the system administrator allocates operation authorities according to their actual needs; and auditing users, who are responsible for the security control of the network and the auditing of resource usage;
3) Establishing security settings of the network server. Security control of the network server comprises setting a password to lock the server console, and setting a server login time limit and the time interval for detecting and shutting out illegal visitors. Firewall technology is an applied security technology based on modern communication network technology and information security technology; it is increasingly applied to the interconnection of private and public networks, particularly for Internet access. Logically, a firewall is a separator, a limiter and an analyzer; it effectively monitors any activity between the intranet and the Internet and ensures the security of the intranet;
4) An information encryption strategy. The purpose of information encryption is to protect data, files, passwords and control information in the network, and to protect data transmitted over the network. There are three common methods of network encryption: line encryption, endpoint encryption and node encryption. The purpose of line encryption is to protect the security of line information between network nodes; the purpose of endpoint encryption is to protect data from the source-end user to the destination-end user; the purpose of node encryption is to protect the transmission line between the source node and the destination node. The user can select the encryption mode according to the network conditions;
5) An attribute security control policy. When files, directories and network devices are used, the network system administrator should assign access attributes to them. Attribute security control associates the given attributes with the files, directories and network devices of the network server, and provides further security on top of authority security. Resources on the network should be marked with a set of security attributes in advance. A user's access authority over network resources corresponds to an access control table that indicates the user's access capability for those resources. Attribute settings can override any assigned and effective authority of the assigned trustees. Network attributes can protect important directories and files, preventing users from mistakenly deleting, modifying or displaying directories and files, and the like.
Preferably, step three further comprises:
To prevent abnormal damage to the storage device, a fault-tolerant disk array composed of hot-swappable SCSI hard disks can be used to perform real-time hot backup of the system in RAID5 mode; at the same time, powerful database triggers and operation and update tasks for recovering important data are established, so that important data can be recovered to the maximum extent under any conditions.
Preferably, step four further comprises:
The security management mechanism is directly related to the security of the computer system; it is made up of security, audit, system analysis, software and hardware, communication and security personnel, together with other related personnel.
A network-based security protection method and dynamic defense system, comprising the following modules:
a data acquisition module, used for acquiring access data of the various service programs of a plurality of server instances;
a data processing and analysis module, used for regularizing the collected access data;
a dynamic rule generation module, used for performing anomaly analysis on the regularized data and generating security rules;
and a backup security management module, which uses a fault-tolerant disk array composed of hot-swappable SCSI hard disks to perform real-time hot backup of the system in RAID5 mode.
Advantageous effects
The invention provides a network-based safety protection method and a dynamic defense system. The beneficial effects are as follows:
The network-based security protection method and dynamic defense system judge whether a user has access rights to a resource and obtain a first judgment result; when the first judgment result indicates that the user has access rights to the resource, the physical partition where the resource is located is determined; the access control strategy is strengthened, data, files, passwords and control information in the network are protected, and backup protection is carried out in real time.
Detailed Description
In the following, the technical solutions in the embodiments of the present invention will be clearly and completely described in conjunction with the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example: a network-based security protection method and dynamic defense system, comprising the following steps:
step one: strengthening facility management and establishing a sound safety management system;
step two: strengthening the access control strategy;
step three: establishing a sound backup and recovery mechanism;
step four: establishing a security management mechanism.
Step one further comprises: focusing on protecting hardware entities such as computer systems, network servers and printers, as well as communication lines, from natural disasters, man-made damage and wiretapping attacks; and verifying the identity and usage authority of users, preventing users from performing unauthorized operations, and ensuring the physical security of the computer network system.
Step two further comprises: access control is the main strategy for network security prevention and protection, and its main task is to ensure that network resources are not illegally used or illegally accessed. The various security strategies must work together to be truly protective, but access control is one of the most important core strategies for ensuring network security.
Step two further comprises:
1) An access control policy, which provides the first layer of access control. This layer controls which users are allowed to log in to the network server and acquire network resources, the times at which users are allowed to access the network, and the workstations from which they are allowed to access it. Network access control can be realized in three steps: identifying and verifying the user name; identifying and verifying the user password; and checking the user account. If any one of the three steps is not passed, the user is refused. The network administrator manages the account use, network access time and access mode of ordinary users, and can control the stations from which a user logs in to the network and limit the number of workstations a user may use;
2) A network authority control strategy, which is a security protection measure against illegal network operations. Users and user groups are given certain authorities and are divided into three types: special users (e.g., system administrators); general users, to whom the system administrator allocates operation authorities according to their actual needs; and auditing users, who are responsible for the security control of the network and the auditing of resource usage;
3) Establishing security settings of the network server. Security control of the network server comprises setting a password to lock the server console, and setting a server login time limit and the time interval for detecting and shutting out illegal visitors. Firewall technology is an applied security technology based on modern communication network technology and information security technology; it is increasingly applied to the interconnection of private and public networks, particularly for Internet access. Logically, a firewall is a separator, a limiter and an analyzer; it effectively monitors any activity between the intranet and the Internet and ensures the security of the intranet;
4) An information encryption strategy. The purpose of information encryption is to protect data, files, passwords and control information in the network, and to protect data transmitted over the network. There are three common methods of network encryption: line encryption, endpoint encryption and node encryption. The purpose of line encryption is to protect the security of line information between network nodes; the purpose of endpoint encryption is to protect data from the source-end user to the destination-end user; the purpose of node encryption is to protect the transmission line between the source node and the destination node. The user can select the encryption mode according to the network conditions;
5) An attribute security control policy. When files, directories and network devices are used, the network system administrator should assign access attributes to them. Attribute security control associates the given attributes with the files, directories and network devices of the network server, and provides further security on top of authority security. Resources on the network should be marked with a set of security attributes in advance. A user's access authority over network resources corresponds to an access control table that indicates the user's access capability for those resources. Attribute settings can override any assigned and effective authority of the assigned trustees. Network attributes can protect important directories and files, preventing users from mistakenly deleting, modifying or displaying directories and files, and the like.
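An added illustration, not part of the patent text: a Python sketch of the three-step network access check in item 1) (user name, password, then account restrictions on login time, permitted workstations and workstation count). The record fields, reason strings, PBKDF2 parameters and sample accounts are assumptions made for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Account:
    """Constructed account record; the field names are assumptions."""
    username: str
    salt: bytes
    pw_hash: bytes
    enabled: bool = True
    allowed_hours: tuple = (time(8, 0), time(18, 0))  # permitted login window
    allowed_workstations: frozenset = frozenset()      # empty means any workstation
    max_workstations: int = 1                          # limit on workstations in use
    active_workstations: set = field(default_factory=set)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; the iteration count is an assumed value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(username: str, password: str, **policy) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), **policy)


# Dummy credentials so that an unknown user name costs the same hashing work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder", _DUMMY_SALT)


def login(accounts: dict, username: str, password: str, workstation: str, now: time):
    """Return (allowed, reason). Failing any one of the three steps refuses the user."""
    # Step 1: identify and verify the user name.
    account = accounts.get(username)
    # Step 2: identify and verify the password, compared in constant time.
    salt = account.salt if account else _DUMMY_SALT
    expected = account.pw_hash if account else _DUMMY_HASH
    password_ok = hmac.compare_digest(hash_password(password, salt), expected)
    if account is None or not password_ok:
        # One shared reason, so the reply does not reveal which user names exist.
        return False, "invalid credentials"
    # Step 3: check the account restrictions set by the network administrator.
    if not account.enabled:
        return False, "account disabled"
    start, end = account.allowed_hours
    if not (start <= now < end):
        return False, "outside permitted hours"
    if account.allowed_workstations and workstation not in account.allowed_workstations:
        return False, "workstation not permitted"
    if (workstation not in account.active_workstations
            and len(account.active_workstations) >= account.max_workstations):
        return False, "workstation limit reached"
    account.active_workstations.add(workstation)
    return True, "ok"


def demo():
    # Constructed sample account and login attempts.
    accounts = {
        "alice": make_account(
            "alice", "correct horse",
            allowed_workstations=frozenset({"ws-01", "ws-02"}),
        )
    }
    attempts = [
        ("mallory", "guess", "ws-01", time(9, 0)),
        ("alice", "correct horse", "ws-01", time(22, 0)),
        ("alice", "correct horse", "ws-01", time(9, 0)),
        ("alice", "correct horse", "ws-02", time(9, 30)),
    ]
    return [login(accounts, *attempt) for attempt in attempts]


if __name__ == "__main__":
    for result in demo():
        print(result)
```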
Step three further comprises:
To prevent abnormal damage to the storage device, a fault-tolerant disk array composed of hot-swappable SCSI hard disks can be used to perform real-time hot backup of the system in RAID5 mode; at the same time, powerful database triggers and operation and update tasks for recovering important data are established, so that important data can be recovered to the maximum extent under any conditions.
Step four further comprises:
The security management mechanism is directly related to the security of the computer system; it is made up of security, audit, system analysis, software and hardware, communication and security personnel, together with other related personnel.
A network-based security protection method and dynamic defense system, comprising the following modules:
a data acquisition module, used for acquiring access data of the various service programs of a plurality of server instances;
a data processing and analysis module, used for regularizing the collected access data;
a dynamic rule generation module, used for performing anomaly analysis on the regularized data and generating security rules;
and a backup security management module, which uses a fault-tolerant disk array composed of hot-swappable SCSI hard disks to perform real-time hot backup of the system in RAID5 mode.
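An added illustration, not part of the patent text: a Python sketch of the acquisition, regularization and rule-generation modules listed above. The patent does not specify log formats, the anomaly test or the rule format, so the two line formats, the threshold-within-a-window test and the rule dictionary are all assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access data from three server instances and two service programs.
# Both line formats are invented for this example.
SAMPLE_LINES = [
    "2022-12-30T10:00:01 srv-a ssh FAIL user=root src=203.0.113.7",
    "2022-12-30T10:00:03 srv-a ssh OK user=alice src=198.51.100.20",
    'srv-b web 203.0.113.7 [2022-12-30T10:00:20] "POST /login" 401',
    'srv-b web 198.51.100.20 [2022-12-30T10:00:25] "GET /index" 200',
    "2022-12-30T10:00:40 srv-c ssh FAIL user=admin src=203.0.113.7",
    "2022-12-30T10:05:00 srv-a ssh FAIL user=bob src=192.0.2.44",
    "corrupted line without structure",
]

SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) ssh (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
WEB_RE = re.compile(
    r'^(?P<host>\S+) web (?P<src>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)


def regularize(line):
    """Map one raw line to a common record, or None if no known format matches."""
    m = SSH_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "service": "ssh", "src": m["src"], "denied": m["result"] == "FAIL"}
    m = WEB_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "service": "web", "src": m["src"], "denied": m["status"] in ("401", "403")}
    return None


def generate_rules(records, threshold=3, window=timedelta(seconds=60)):
    """Emit one deny rule per source whose denied requests reach `threshold`
    within `window`, counted across all server instances and services."""
    recent = defaultdict(deque)
    rules = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if not rec["denied"] or rec["src"] in rules:
            continue
        q = recent[rec["src"]]
        q.append(rec)
        # Drop events that have fallen out of the sliding window.
        while rec["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold:
            rules[rec["src"]] = {
                "action": "deny",
                "src": rec["src"],
                "services": sorted({r["service"] for r in q}),
                "hosts": sorted({r["host"] for r in q}),
                "reason": f"{len(q)} denied requests within {int(window.total_seconds())}s",
            }
    return list(rules.values())


def run_pipeline(lines):
    """Acquire -> regularize -> analyse; returns (rules, unparsed_lines)."""
    records, rejected = [], []
    for line in lines:
        rec = regularize(line)
        if rec is None:
            rejected.append(line)  # keep unparsed input for review instead of dropping it
        else:
            records.append(rec)
    return generate_rules(records), rejected


if __name__ == "__main__":
    rules, rejected = run_pipeline(SAMPLE_LINES)
    print(rules)
    print(rejected)
```

In the sample, no single server instance sees more than one denied request from 203.0.113.7, so the rule is only produced because the records from all instances are regularized into one stream before analysis.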
The foregoing has shown and described the basic principles and main features of the present invention and the advantages of the present invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, and that the above embodiments and descriptions are merely illustrative of the principles of the present invention, and various changes and modifications may be made without departing from the spirit and scope of the invention, which is defined in the appended claims. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (7)

1. A network-based safety protection method, characterized in that the method comprises the following steps:
step one: strengthening facility management and establishing a sound safety management system;
step two: strengthening the access control strategy;
step three: establishing a sound backup and recovery mechanism;
step four: establishing a security management mechanism.
2. The network-based security protection method according to claim 1, wherein step one further comprises: focusing on protecting hardware entities such as computer systems, network servers and printers, as well as communication lines, from natural disasters, man-made damage and wiretapping attacks; and verifying the identity and usage authority of users, preventing users from performing unauthorized operations, and ensuring the physical security of the computer network system.
3. The network-based security protection method according to claim 1, wherein step two further comprises: access control is the main strategy for network security prevention and protection, and its main task is to ensure that network resources are not illegally used or illegally accessed. The various security strategies must work together to be truly protective, but access control is one of the most important core strategies for ensuring network security.
4. The network-based security protection method according to claim 1, wherein step two further comprises:
1) An access control policy, which provides the first layer of access control. This layer controls which users are allowed to log in to the network server and acquire network resources, the times at which users are allowed to access the network, and the workstations from which they are allowed to access it. Network access control can be realized in three steps: identifying and verifying the user name; identifying and verifying the user password; and checking the user account. If any one of the three steps is not passed, the user is refused. The network administrator manages the account use, network access time and access mode of ordinary users, and can control the stations from which a user logs in to the network and limit the number of workstations a user may use;
2) A network authority control strategy, which is a security protection measure against illegal network operations. Users and user groups are given certain authorities and are divided into three types: special users (e.g., system administrators); general users, to whom the system administrator allocates operation authorities according to their actual needs; and auditing users, who are responsible for the security control of the network and the auditing of resource usage;
3) Establishing security settings of the network server. Security control of the network server comprises setting a password to lock the server console, and setting a server login time limit and the time interval for detecting and shutting out illegal visitors. Firewall technology is an applied security technology based on modern communication network technology and information security technology; it is increasingly applied to the interconnection of private and public networks, particularly for Internet access. Logically, a firewall is a separator, a limiter and an analyzer; it effectively monitors any activity between the intranet and the Internet and ensures the security of the intranet;
4) An information encryption strategy. The purpose of information encryption is to protect data, files, passwords and control information in the network, and to protect data transmitted over the network. There are three common methods of network encryption: line encryption, endpoint encryption and node encryption. The purpose of line encryption is to protect the security of line information between network nodes; the purpose of endpoint encryption is to protect data from the source-end user to the destination-end user; the purpose of node encryption is to protect the transmission line between the source node and the destination node. The user can select the encryption mode according to the network conditions;
5) An attribute security control policy. When files, directories and network devices are used, the network system administrator should assign access attributes to them. Attribute security control associates the given attributes with the files, directories and network devices of the network server, and provides further security on top of authority security. Resources on the network should be marked with a set of security attributes in advance. A user's access authority over network resources corresponds to an access control table that indicates the user's access capability for those resources. Attribute settings can override any assigned and effective authority of the assigned trustees. Network attributes can protect important directories and files, preventing users from mistakenly deleting, modifying or displaying directories and files, and the like.
5. The network-based security protection method according to claim 1, wherein step three further comprises:
to prevent abnormal damage to the storage device, a fault-tolerant disk array composed of hot-swappable SCSI hard disks can be used to perform real-time hot backup of the system in RAID5 mode; at the same time, powerful database triggers and operation and update tasks for recovering important data are established, so that important data can be recovered to the maximum extent under any conditions.
6. The network-based security protection method according to claim 1, wherein step four further comprises:
the security management mechanism is directly related to the security of the computer system; it is made up of security, audit, system analysis, software and hardware, communication and security personnel, together with other related personnel.
7. The network-based security protection method and dynamic defense system according to claim 1, wherein:
a data acquisition module, used for acquiring access data of the various service programs of a plurality of server instances;
a data processing and analysis module, used for regularizing the collected access data;
a dynamic rule generation module, used for performing anomaly analysis on the regularized data and generating security rules;
and a backup security management module, which uses a fault-tolerant disk array composed of hot-swappable SCSI hard disks to perform real-time hot backup of the system in RAID5 mode.
CN202211722842.9A 2022-12-30 2022-12-30 Network-based safety protection method and dynamic defense system Pending CN116527299A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211722842.9A CN116527299A (en) 2022-12-30 2022-12-30 Network-based safety protection method and dynamic defense system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211722842.9A CN116527299A (en) 2022-12-30 2022-12-30 Network-based safety protection method and dynamic defense system

Publications (1)

Publication Number Publication Date
CN116527299A (en) 2023-08-01

Family

ID=87394593

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211722842.9A Pending CN116527299A (en) 2022-12-30 2022-12-30 Network-based safety protection method and dynamic defense system

Country Status (1)

Country Link
CN (1) CN116527299A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116974708A (en) * 2023-09-25 2023-10-31 北京众图识人科技有限公司 Service data processing system
CN117040946A (en) * 2023-10-10 2023-11-10 深圳安天网络安全技术有限公司 Method and device for determining safety protection strategy
CN117040946B (en) * 2023-10-10 2024-01-26 深圳安天网络安全技术有限公司 Method and device for determining safety protection strategy

Similar Documents

Publication Publication Date Title
CN111784209B (en) Asset visualization and safe operation management system
Dhage et al. Intrusion detection system in cloud computing environment
Montesino et al. Information security automation: how far can we go?
CN114978584A (en) Network security protection safety method and system based on unit cell
US7669239B2 (en) Secure network system and associated method of use
CN116527299A (en) Network-based safety protection method and dynamic defense system
WO2013052377A2 (en) Secure integrated cyberspace security and situational awareness system
CN105430000A (en) Cloud computing security management system
JP2022530288A (en) How to prevent root-level access attacks and a measurable SLA security and compliance platform
CN106603488A (en) Safety system based on power grid statistical data searching method
CN113407949A (en) Information security monitoring system, method, equipment and storage medium
CN113411295A (en) Role-based access control situation awareness defense method and system
CN109150853A (en) The intruding detection system and method for role-base access control
CN113411297A (en) Situation awareness defense method and system based on attribute access control
Atieh Assuring the Optimum Security Level for Network, Physical and Cloud Infrastructure
Miloslavskaya et al. Taxonomy for unsecure big data processing in security operations centers
CN114915477A (en) Information security protection system of computer network
Wu The problems in campus network information security and its solutions
CN113660222A (en) Situation awareness defense method and system based on mandatory access control
Guynes et al. E-commerce/network security considerations
US20230058569A1 (en) Systems and methods for quantifying file access risk exposure by an endpoint in a network environment
Kossakowski et al. Responding to intrusions
Miloslavskaya et al. Taxonomy for unsecure digital information processing
Yang et al. Analysis of Computer Network Security and Prevention Technology
Kowalski et al. Improving Security Through Analysis of Log Files Intersections.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination