CN116866920A - Network environment arrangement method and system based on personal wifi - Google Patents


Info

Publication number
CN116866920A
Authority
CN
China
Prior art keywords
visitor
log
wifi
preset
sensitive
Prior art date
Legal status
Pending
Application number
CN202311024170.9A
Other languages
Chinese (zh)
Inventor
杨健
李中杰
李治健
Current Assignee
Guangdong Little Wolf Star Iot Co ltd
Original Assignee
Guangdong Little Wolf Star Iot Co ltd

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
            • H04W 12/03 Protecting confidentiality, e.g. by encryption
            • H04W 12/06 Authentication
              • H04W 12/069 Authentication using certificates or pre-shared keys
            • H04W 12/08 Access security
            • H04W 12/12 Detection or prevention of fraud
              • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
              • H04W 12/122 Counter-measures against attacks; Protection against rogue devices
              • H04W 12/126 Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a network environment arrangement method and system based on personal wifi, applied in the technical field of network security. When a visitor attempts to execute a sensitive operation without permission, the personal wifi triggers an alarm and applies an interference sniffing tool to identify the visitor's specific sniffing activity; designated services and open ports are then disabled, IDPS tool monitoring is deployed to prevent network scanning activity, the validity of the network connection is consistently verified using a public certificate, and the operability of the personal wifi is guaranteed by referring to preset physical-layer security measures, so that potential security threats are discovered, the network is protected from attack, and the confidentiality and compliance of the personal wifi are ensured.

Description

Network environment arrangement method and system based on personal wifi
Technical Field
The invention relates to the technical field of network security, in particular to a network environment arrangement method and system based on personal wifi.
Background
A personal wifi device converts a wired, 2G, 3G or 4G network, or a computer's Internet connection, into a wifi signal. It meets the network needs of business travellers and mobile offices, and is now rented by many people travelling in remote areas or abroad.
Current personal wifi devices may carry security risks. If effective security arrangements are not made for the wifi device, criminals are very likely to exploit the network connection of the personal wifi to steal personal information or even carry out malicious activity. How to apply a further layer of network encryption security settings to personal wifi devices is therefore a problem that currently needs to be solved.
Disclosure of Invention
The invention aims to solve the problem of how to apply deeper network encryption security settings to a personal wifi device, and provides a network environment arrangement method and system based on personal wifi.
The invention adopts the following technical means to solve the technical problem:
the invention provides a network environment arrangement method based on personal wifi, which comprises the following steps:
identifying a connection request initiated by a visitor to a preset personal wifi, and capturing the visitor login log in real time through the personal wifi;
judging whether the visitor login log passes a preset RBAC access control;
if yes, monitoring the visitor's log to be accessed and performing log audit on it, periodically tracking the visitor's access location according to a preset period, and limiting the visitor's management behavior on a preset sensitive log based on the access permission pre-authorized for the visitor, wherein the management behavior specifically comprises accessing, reading and writing the sensitive log and executing log resources;
judging whether the visitor is detected executing a pre-recorded sensitive operation, wherein the sensitive operations specifically comprise network sniffing, network scanning and man-in-the-middle attack;
if yes, using an interference sniffing tool to identify the visitor's specific sniffing activity, disabling designated services and open ports for a preset time period, deploying an IDPS tool to monitor and prevent network scanning activity, consistently verifying the validity of the network connection using a public certificate, and ensuring the operability of the personal wifi by referring to a preset physical-layer security measure, wherein the physical-layer security measure specifically comprises using controlled physical network connections, limiting physical access rights and using physical encryption equipment.
Further, before the step of using the interference sniffing tool to identify the visitor's specific sniffing activity and disabling the designated services and open ports for the preset time period, the method further comprises:
encapsulating the outbound traffic of the personal wifi with a preset network tunnel, and protecting the sensitive log output by the personal wifi with end-to-end encryption;
judging whether the sensitive log can be accessed while it is transmitted in the network tunnel;
if so, generating a symmetric encryption key based on a preset symmetric encryption algorithm, encrypting the sensitive log with the symmetric encryption algorithm and the symmetric encryption key, dividing the sensitive log into equal-sized data blocks, and encrypting each data block with the symmetric encryption key.
Further, the step of limiting the visitor's management behavior on the preset sensitive log based on the access permission pre-authorized for the visitor includes:
verifying the visitor's authority with a zero-knowledge proof protocol, while processing the sensitive log with an anonymization technique;
judging whether the visitor accesses the sensitive log;
if yes, requiring the visitor to complete multi-factor authentication, processing the sensitive log with a secure multiparty computation protocol, and generating the computation result after the visitor participates in the protocol, based on the protocol design preset by the secure multiparty computation protocol.
Further, the step of consistently verifying the validity of the network connection using the public certificate and ensuring the operability of the personal wifi by referring to the preset physical-layer security measure includes:
after obtaining the network connection that the personal wifi provides via a public server, receiving the server certificate provided by the public server and extracting its information content, wherein the information content specifically comprises the public key and the issuing organization;
judging, after a sensitive operation is detected, whether the information content has been tampered with;
if yes, responding to the warning the public server issues to the personal wifi, and generating the personal wifi's position change in real time using a preset RFID tag.
Further, the step of identifying the connection request initiated by the visitor to the preset personal wifi and capturing the visitor login log in real time through the personal wifi includes:
tracking the visitor's login-related events, wherein the login-related events specifically comprise a client connection event, an authentication event and a session establishment event;
judging whether the visitor's address information changes when the personal wifi records the login-related event, wherein the address information specifically comprises the IP address and the MAC address;
if yes, filtering and extracting the captured login log to generate pre-recorded information about the visitor, wherein the pre-recorded information specifically comprises the user name/identity, the login timestamp, the requested URL and resource, the access type, and errors and abnormal events.
Further, before the step of monitoring the visitor's log to be accessed and performing log audit on it, the method further includes:
recording how long the visitor accesses a detected abnormal access point;
judging whether the access duration exceeds a preset duration;
if yes, listing the visitor as a user to be monitored, triggering alarm information and sending it to the network administrator who set up the personal wifi, and performing a risk assessment of the visitor, wherein the risk assessment specifically comprises analysis of the visitor's historical behavior, access characteristic information and access identity information.
Further, before the step of identifying the connection request initiated by the visitor to the preset personal wifi and capturing the visitor login log in real time through the personal wifi, the method further comprises:
acquiring the number of access connections to the personal wifi;
judging whether the number of access connections exceeds the number the network administrator monitors;
if yes, assigning a temporary authorized identity to each connected visitor, listing visitors who report the temporary authorized identity as safe connection users, and listing visitors who do not report it as unknown connection users.
The invention also provides a network environment arrangement system based on personal wifi, which comprises:
an identification module for identifying a connection request initiated by a visitor to a preset personal wifi, and capturing the visitor login log in real time through the personal wifi;
a judging module for judging whether the visitor login log passes the preset RBAC access control;
an execution module for monitoring the visitor's log to be accessed and performing log audit on it, periodically tracking the visitor's access location according to a preset period, and limiting the visitor's management behavior on the preset sensitive log based on the access permission pre-authorized for the visitor, wherein the management behavior specifically comprises accessing, reading and writing the sensitive log and executing log resources;
a second judging module for judging whether the visitor is detected executing a pre-recorded sensitive operation, wherein the sensitive operations specifically comprise network sniffing, network scanning and man-in-the-middle attack;
and a second execution module for applying an interference sniffing tool to identify the visitor's specific sniffing activities, disabling designated services and open ports for a preset time period, deploying an IDPS tool to monitor and prevent network scanning activities, consistently verifying the validity of the network connection using a public certificate, and referring to a preset physical-layer security measure to ensure the operability of the personal wifi, wherein the physical-layer security measure specifically comprises using controlled physical network connections, limiting physical access rights and using physical encryption equipment.
Further, the system further comprises:
an encapsulation module for encapsulating the outbound traffic of the personal wifi with a preset network tunnel and protecting the sensitive log output by the personal wifi with end-to-end encryption;
a third judging module for judging whether the sensitive log can be accessed while it is transmitted in the network tunnel;
and a third execution module for generating a symmetric encryption key based on a preset symmetric encryption algorithm, encrypting the sensitive log with the symmetric encryption algorithm and the symmetric encryption key, dividing the sensitive log into equal-sized data blocks, and encrypting each data block with the symmetric encryption key.
Further, the execution module further includes:
a verification unit for verifying the visitor's authority with a zero-knowledge proof protocol and processing the sensitive log with an anonymization technique;
a judging unit for judging whether the visitor accesses the sensitive log;
and an execution unit for requiring the visitor to complete multi-factor authentication, processing the sensitive log with a secure multiparty computation protocol, and generating the computation result after the visitor participates in the protocol, based on the protocol design preset by the secure multiparty computation protocol.
The network environment arrangement method and system based on personal wifi provided by the invention have the following beneficial effects:
when a visitor attempts to execute a sensitive operation without permission, the personal wifi triggers an alarm and applies an interference sniffing tool to identify the visitor's specific sniffing activity; designated services and open ports are then disabled, IDPS tool monitoring is deployed to prevent network scanning activity, the validity of the network connection is consistently verified using a public certificate, and the operability of the personal wifi is guaranteed by referring to preset physical-layer security measures, so that potential security threats are discovered, the network is protected from attack, and the confidentiality and compliance of the personal wifi are ensured.
Drawings
FIG. 1 is a schematic flow chart of an embodiment of the network environment arrangement method based on personal wifi of the present invention;
FIG. 2 is a block diagram of an embodiment of the network environment arrangement system based on personal wifi of the present invention.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present invention, as the achievement, functional features, and advantages of the present invention are further described with reference to the embodiments, with reference to the accompanying drawings.
The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to FIG. 1, a network environment arrangement method based on personal wifi according to an embodiment of the invention includes:
S1: identifying a connection request initiated by a visitor to a preset personal wifi, and capturing the visitor login log in real time through the personal wifi;
S2: judging whether the visitor login log passes a preset RBAC access control;
S3: if yes, monitoring the visitor's log to be accessed and performing log audit on it, periodically tracking the visitor's access location according to a preset period, and limiting the visitor's management behavior on a preset sensitive log based on the access permission pre-authorized for the visitor, wherein the management behavior specifically comprises accessing, reading and writing the sensitive log and executing log resources;
S4: judging whether the visitor is detected executing a pre-recorded sensitive operation, wherein the sensitive operations specifically comprise network sniffing, network scanning and man-in-the-middle attack;
S5: if yes, using an interference sniffing tool to identify the visitor's specific sniffing activity, disabling designated services and open ports for a preset time period, deploying an IDPS tool to monitor and prevent network scanning activity, consistently verifying the validity of the network connection using a public certificate, and ensuring the operability of the personal wifi by referring to a preset physical-layer security measure, wherein the physical-layer security measure specifically comprises using controlled physical network connections, limiting physical access rights and using physical encryption equipment.
In this embodiment, the system identifies a connection request initiated by the visitor to the preset personal wifi and captures, in real time, the visitor login log recorded by the personal wifi; it then determines whether the visitor login log passes the RBAC access control preset by the personal wifi and executes the corresponding step. For example, when the system determines that the visitor's login log cannot pass the preset RBAC access control, it considers the visitor a threat to the security of the personal wifi and requires the visitor to remove the threat factors, including any installed or running hacking tool, attack tool or other software with a malicious purpose. When the system determines that the visitor login log passes the preset RBAC access control, it monitors the visitor's logs to be accessed, performs log audit on them, tracks the visitor's access location at the preset regular interval, and limits the visitor's management actions on the personal wifi's preset sensitive log based on the access rights pre-authorized by the personal wifi, where the management actions comprise accessing, reading and writing the sensitive log and executing log resources; this limit is needed because, if the visitor is not the network administrator, their management actions on the sensitive log are likely to leak sensitive information, cause data tampering, mistaken deletion or data loss, and damage the audit trail. The system then executes the corresponding steps by judging whether the visitor is detected executing a pre-recorded sensitive operation during the connection. For example, when the system determines that the visitor is not performing a sensitive operation, it may use behavior analysis techniques to detect abnormal behavior patterns of the visitor, including unusual access patterns, abnormal data transfer behavior and a large number of login attempts, through which potentially sensitive operations can be identified; when the system determines that the visitor performs a sensitive operation, it may apply an interference sniffing tool to identify the visitor's specific sniffing activities, disable designated services and open ports for a preset time period, deploy an IDPS tool to monitor and prevent network scanning activities, consistently verify the validity of the network connection using a public certificate, and refer to the preset physical-layer security measures to ensure the operability of the personal wifi.
It should be noted that role-based access control (RBAC) is an access control model that manages access rights according to users' roles and responsibilities. By assigning users to different roles and granting each role appropriate rights, RBAC ensures that only authorized users can access and operate specific logs or resources.
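The following Python is an added example of steps S2 and S3 above, not code from the patent or its applicant. It evaluates a captured login record against a role-to-permission table, then limits the four management actions on the sensitive log (access, read, write, execute) to what the record's role was pre-authorized for, writing one audit line per decision. The role names, the permission table and the three login records are constructed for illustration.

```python
"""RBAC check for a visitor login log and the sensitive-log management actions.

Added example (not the patent's own code). Role names, the permission table
and the sample login records are constructed for illustration.
"""
from dataclasses import dataclass, field

# Management actions the patent limits on the sensitive log.
ACTIONS = ("access", "read", "write", "execute")

# Constructed role-to-permission table for the personal wifi. Visitors get
# Internet access only; no role other than administrator may write or execute.
ROLE_PERMISSIONS = {
    "administrator": {"sensitive_log": set(ACTIONS), "internet": {"access"}},
    "auditor": {"sensitive_log": {"access", "read"}, "internet": {"access"}},
    "visitor": {"internet": {"access"}},
}


@dataclass
class LoginRecord:
    """Fields captured from the visitor login log (user, addresses, timestamp,
    assigned role, and the login-related events seen so far)."""
    username: str
    ip: str
    mac: str
    timestamp: str
    role: str
    events: list = field(default_factory=list)  # e.g. connect, auth_ok, session


def passes_rbac(record: LoginRecord) -> bool:
    """Step S2: the login log passes RBAC only if it names a known role and
    the authentication event succeeded. Unknown roles are denied."""
    if record.role not in ROLE_PERMISSIONS:
        return False
    return "auth_ok" in record.events


def is_allowed(record: LoginRecord, resource: str, action: str) -> bool:
    """Step S3: default-deny check of one management action on one resource."""
    if not passes_rbac(record) or action not in ACTIONS:
        return False
    return action in ROLE_PERMISSIONS[record.role].get(resource, set())


def audit_decision(record: LoginRecord, resource: str, action: str) -> str:
    """One audit-trail line per decision so denied attempts remain visible to
    the administrator instead of being silently dropped."""
    verdict = "ALLOW" if is_allowed(record, resource, action) else "DENY"
    return (f"{record.timestamp} {verdict} user={record.username} "
            f"ip={record.ip} mac={record.mac} {action}:{resource}")


# Constructed sample records
GUEST = LoginRecord("guest42", "192.168.43.17", "aa:bb:cc:dd:ee:01",
                    "2023-08-12T10:01:05Z", "visitor", ["connect", "auth_ok", "session"])
ADMIN = LoginRecord("owner", "192.168.43.2", "aa:bb:cc:dd:ee:02",
                    "2023-08-12T10:02:11Z", "administrator", ["connect", "auth_ok", "session"])
UNKNOWN = LoginRecord("mystery", "192.168.43.99", "aa:bb:cc:dd:ee:03",
                      "2023-08-12T10:03:00Z", "visitor", ["connect", "auth_fail"])

if __name__ == "__main__":
    for rec in (GUEST, ADMIN, UNKNOWN):
        for action in ACTIONS:
            print(audit_decision(rec, "sensitive_log", action))
```

The table is default-deny: a record whose role is missing from `ROLE_PERMISSIONS`, or whose authentication event failed, never reaches the permission lookup, which is the case the embodiment treats as a threat to the personal wifi.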
The specific process of log audit comprises the following steps:
enabling the logging function and ensuring that the personal Wi-Fi device is correctly configured to record the relevant visitor log data, including device connection events, authentication events, access behavior and abnormal events;
storing the collected log data in a secure location, optionally the local device, a secure log server or a dedicated log management system, while ensuring the integrity and confidentiality of the log data;
analyzing and filtering the collected log data with a log analysis tool or script, which helps extract key visitor information, behavior patterns and anomalies, and identify potential security issues;
identifying and correlating the visitor's identity in the log data, including user authentication information, IP address and MAC address, so that the activities of a specific visitor can be tracked and analyzed;
using log data analysis techniques to detect abnormal access behavior and potential security threats, including abnormal login attempts, unauthorized access and abnormal data transmissions;
performing timeline analysis on the visitor's log data to understand the visitor's behavior and activity sequence, which helps identify chains of events related to the visitor and the associations between events;
generating an exception report and triggering an alarm to indicate a potential security problem or abnormal activity, through an automated log analysis tool or monitoring system, and sending notifications to the relevant personnel.
The behavior analysis technique specifically comprises:
establishing a baseline of normal behavior: collecting and analyzing the typical behavior of visitors to build a benchmark that describes the normal behavior pattern, with indicators including access pattern, access time, amount of data transferred and login attempts;
detecting behavior patterns that do not match the established baseline: when a visitor's behavior deviates significantly from the normal pattern, it can be treated as abnormal behavior;
continuously monitoring the visitor's behavior and comparing it with the established baseline: by monitoring and analyzing network traffic, log data and the like in real time, abnormal behavior can be identified promptly rather than relying only on a static baseline;
defining indicators and rules for abnormal behavior: these may include a large number of login attempts, illegitimate access requests, unusual amounts of data transfer and access to unauthorized resources; different abnormal indicators can be set according to the actual situation and security requirements;
analyzing comprehensively by combining multiple behavior indicators and context information: for example, combining access time, geographic location and access pattern to judge whether abnormal behavior exists;
triggering an alarm and taking corresponding response measures when abnormal behavior is detected, including sending notifications, blocking access, logging details and notifying the security team;
continuously improving the behavior analysis models and rules to accommodate new threats and behavior patterns, periodically reviewing and updating the behavior analysis strategy to remain sensitive to newly emerging abnormal behavior.
The process of identifying specific sniffing activity with an interference sniffing tool is exemplified as follows:
frequency interference: applying frequency interference techniques to disrupt the frequency range used by the sniffing tool, which can prevent the sniffing device from correctly receiving Wi-Fi signals and so interferes with its sniffing activity;
misleading data packets: generating a large number of forged data packets to confuse the sniffing tool's analysis; these fake packets simulate normal Wi-Fi communication, making it difficult for the sniffing tool to distinguish real data traffic from sniffing behavior;
encrypted communication: protecting the Wi-Fi communication with encryption so that a sniffing tool cannot intercept and read packet contents; an encryption protocol such as WPA2 or WPA3 is adopted to ensure that communication between the visitor and the personal Wi-Fi is secure;
signal interference: disturbing the receiving capability of the sniffing device with an interfering signal, by sending an interference signal on a specific frequency or using a device such as a Wi-Fi jammer;
intrusion detection: deploying an intrusion detection system (IDS) or intrusion prevention system (IPS) to detect sniffing activity; network traffic and abnormal behavior can be monitored and alarms issued according to known sniffing tool characteristics or behavior patterns;
access control: limiting the visitor's authority and access range with an access control mechanism; by implementing access control lists (ACLs) or other authentication and authorization mechanisms, the visitor's capabilities can be restricted and the risk of sniffing activity reduced.
Designated services and open ports are exemplified as follows:
UPnP service: Universal Plug and Play (UPnP) services may let devices automatically open and manage ports, which can create security risks; it is therefore proposed to shut down the UPnP service to prevent unauthorized devices or applications from opening ports;
remote management service: if the personal Wi-Fi device has a remote management function, ensure that it is turned off or properly access-controlled; a remote management service may allow unauthorized visitors to access and manage the device, increasing the security risk;
Telnet service: Telnet is an insecure remote access protocol that is vulnerable to network attack and information disclosure; it is therefore recommended to close the Telnet service to prevent unauthorized visitors from accessing the personal Wi-Fi device over Telnet.
The specific process of deploying the IDPS tool to monitor and control network scanning is as follows:
selecting an appropriate IDPS tool and ensuring that it is compatible with the network environment, then performing the necessary configuration and setup, including network monitoring interfaces, rules and policies;
having the IDPS tool monitor network traffic, inspecting incoming and outgoing data in real time, including IP packets, header information and protocol types;
having the IDPS tool analyze and compare the traffic flowing through the network against predefined rules and signatures, so that known attack patterns and malicious behavior can be identified, including network scanning, port scanning and exploit attempts;
when the IDPS tool detects possible network scanning activity, triggering an alarm and generating a corresponding security event record; the alarm can take the form of a real-time notice, e-mail or text message to alert the network administrator;
according to the predefined policies and rules, having the IDPS tool take automatic or manual response measures, including blocking traffic from the malicious source IP, updating firewall rules and notifying the relevant personnel.
In this embodiment, before step S5 of using the interference sniffing tool to identify the visitor's specific sniffing activity and disabling the designated services and open ports for the preset time period, the method further includes:
S501: encapsulating the outbound traffic of the personal wifi with a preset network tunnel, and protecting the sensitive log output by the personal wifi with end-to-end encryption;
S502: judging whether the sensitive log can be accessed while it is transmitted in the network tunnel;
S503: if so, generating a symmetric encryption key based on a preset symmetric encryption algorithm, encrypting the sensitive log with the symmetric encryption algorithm and the symmetric encryption key, dividing the sensitive log into equal-sized data blocks, and encrypting each data block with the symmetric encryption key.
In this embodiment, the system encapsulates the flow that the portable wifi is still outputting at present by applying the preset network tunnel, and uses end-to-end encryption to protect the sensitive log that the portable wifi has outputted, and meanwhile, judges whether the sensitive log can be accessed by the visitor when transmitting in the network tunnel, so as to execute the corresponding steps; for example, when the system determines that the sensitive log cannot be accessed at the time of transmission, that is, the security representing the network tunnel is sufficient to be hacked by other visitors; for example, when the system determines that the sensitive log can be accessed during transmission, the system generates a symmetric encryption key for the sensitive log based on a preset symmetric encryption algorithm, encrypts the sensitive log by using the symmetric encryption algorithm and the symmetric encryption key, and encrypts each data block by using the symmetric encryption key after dividing the sensitive log into data blocks with average numbers.
It should be noted that end-to-end encryption is a security mechanism for protecting the sensitive log, ensuring that only authorized users can access and decrypt the log content. A key pair is generated for encryption and decryption and is typically handled by the network administrator; it consists of a public key, which is used to encrypt the log, and a private key, which is used to decrypt the log. That is, once the sensitive log enters the network tunnel, only the network administrator can access it;
the process of encrypting the sensitive log by using the symmetric encryption algorithm and the symmetric encryption key comprises the following steps:
selecting the AES symmetric encryption algorithm and generating a symmetric key for encryption and decryption; the symmetric key is the same key used to both encrypt and decrypt the data; ensuring that a key of sufficient strength and randomness is generated; encrypting the sensitive log to be protected using the selected symmetric encryption algorithm and the generated symmetric key, that is, taking the log as input and transforming it with the encryption algorithm and the key to produce the encrypted ciphertext; storing the encrypted log in a secure location or transmitting it over a secure transmission channel; since the data is encrypted, even if it is stolen during storage or transmission the sensitive content cannot be accessed directly; when the encrypted log needs to be accessed and inspected, the same symmetric key is used for decryption; only authorized users possess the symmetric key and use it to decrypt the encrypted log.
The encryption process for each data block after the sensitive log is divided into the data blocks specifically comprises the following steps:
dividing data blocks: dividing the sensitive log into an equal number of data blocks according to a logical relationship, where the data blocks can be defined as needed and are generally divided according to the structure, the timestamps or other logical identifiers of the log; generating a symmetric key for encryption for each data block, where a random number generator may be used to produce a key of sufficient strength and randomness; encrypting each data block with its corresponding key, that is, transforming the data block with the selected symmetric encryption algorithm AES and the key to produce the encrypted ciphertext; storing the encrypted data block in a secure location or transmitting it over a secure transmission channel, which ensures the confidentiality of the ciphertext and prevents unauthorized visitors from obtaining sensitive information; recording the symmetric key used by each data block in a suitable location, using an encryption key management system or other security means to ensure the confidentiality of the keys and their association with the blocks; when a specific data block needs to be accessed and inspected, decrypting the ciphertext with the corresponding key, which only authorized users hold. Dividing the sensitive log into data blocks and encrypting each block independently enhances the security and flexibility of the data: even if one data block is leaked or attacked, the other data blocks remain confidential, and using an independent key for each data block allows access to the log content to be controlled and managed at a finer granularity.
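As an added illustration of steps s501 to s503 and the per-block encryption described above (example code, not code from the patent), the following Go program splits a log into equally sized blocks and seals each block under its own random AES-256-GCM key. The KeyStore map and the "block-N" associated data are assumptions standing in for the key management system the text mentions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedBlock is one ciphertext block plus the index used to look up its key.
type EncryptedBlock struct {
	Index             int
	Nonce, Ciphertext []byte
}

// KeyStore stands in for the key management system: block index -> AES-256 key.
type KeyStore map[int][]byte

// SplitEven splits data into n blocks of equal length (a remainder is spread one
// byte at a time over the first blocks).
func SplitEven(data []byte, n int) ([][]byte, error) {
	if n <= 0 || n > len(data) {
		return nil, fmt.Errorf("block count %d must be between 1 and %d", n, len(data))
	}
	blocks := make([][]byte, 0, n)
	base, extra := len(data)/n, len(data)%n
	for i, off := 0, 0; i < n; i++ {
		size := base
		if i < extra {
			size++
		}
		blocks = append(blocks, data[off:off+size])
		off += size
	}
	return blocks, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// blockAD binds the block index to its ciphertext so blocks cannot be swapped.
func blockAD(i int) []byte { return []byte(fmt.Sprintf("block-%d", i)) }

// EncryptLog splits the log into n blocks and seals each one under its own
// random AES-256 key with AES-GCM, so modification of a block is also detected.
func EncryptLog(log []byte, n int) ([]EncryptedBlock, KeyStore, error) {
	blocks, err := SplitEven(log, n)
	if err != nil {
		return nil, nil, err
	}
	keys := KeyStore{}
	out := make([]EncryptedBlock, 0, n)
	for i, plain := range blocks {
		kn := make([]byte, 32+12) // fresh 256-bit key and 96-bit GCM nonce
		if _, err := rand.Read(kn); err != nil {
			return nil, nil, err
		}
		key, nonce := kn[:32], kn[32:]
		gcm, err := newGCM(key)
		if err != nil {
			return nil, nil, err
		}
		out = append(out, EncryptedBlock{i, nonce, gcm.Seal(nil, nonce, plain, blockAD(i))})
		keys[i] = key // in production this goes to the key management system
	}
	return out, keys, nil
}

// DecryptBlock opens one block; it fails on a missing/wrong key or altered data.
func DecryptBlock(b EncryptedBlock, keys KeyStore) ([]byte, error) {
	key, ok := keys[b.Index]
	if !ok {
		return nil, fmt.Errorf("no key for block %d", b.Index)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, blockAD(b.Index))
}

// DecryptLog reassembles the whole log; holding only some keys yields an error.
func DecryptLog(blocks []EncryptedBlock, keys KeyStore) ([]byte, error) {
	var out []byte
	for _, b := range blocks {
		plain, err := DecryptBlock(b, keys)
		if err != nil {
			return nil, err
		}
		out = append(out, plain...)
	}
	return out, nil
}
```

A holder of a single block key can still open that one block with DecryptBlock, which is exactly the containment the text describes: one leaked key exposes one block.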
In this embodiment, the step S3 of defining the management behavior of the visitor on the preset sensitive log based on the pre-authorized accessibility to the visitor includes:
s31: performing authority verification on the visitor by adopting a zero knowledge proof protocol, and simultaneously processing a sensitive log by adopting an anonymization technology;
s32: judging whether the visitor accesses the sensitive log or not;
s33: if yes, the visitor is required to carry out multi-factor identity verification, the sensitive log is subjected to data processing by using a secure multiparty computing protocol, and a computing result after the visitor participates in the protocol is generated based on a protocol design preset by the secure multiparty computing protocol.
In this embodiment, the system performs authority verification on the visitor using a zero knowledge proof protocol, processes the sensitive log with an anonymization technique, and then judges whether the visitor accesses the sensitive log so as to execute the corresponding steps; for example, when the system determines that the visitor does not access the sensitive log, the system gives the visitor the corresponding permission settings in the personal wifi according to the visitor's verified permissions; for example, when the system determines that the visitor needs to access the sensitive log, the system may at this point require the visitor to perform multi-factor authentication, process the sensitive log using a secure multiparty computation protocol, and generate the computation result of the visitor's participation in the protocol based on the preset protocol design.
It should be noted that, the verification process of the zero knowledge proof protocol specifically includes:
the visitor wishes to prove his rights to the portable Wi-Fi while keeping his identity and sensitive information anonymous; in the process, the visitor generates a zero knowledge proof which shows that he holds legitimate authority without revealing his specific identity or sensitive information; the proof is an interactive process between the visitor and the portable Wi-Fi that involves a multi-round challenge-response protocol, in which the visitor generates the corresponding response to each challenge and sends it to the portable Wi-Fi for verification; the portable Wi-Fi uses pre-shared access right information as a reference to verify the visitor's zero knowledge proof, which involves comparing the visitor's response with the expected result to determine whether it passes; in this process the portable Wi-Fi does not need to know the visitor's specific identity or authority details; if the visitor's zero knowledge proof is verified successfully, the portable Wi-Fi authorizes the visitor to access the network resource; at this point the portable Wi-Fi knows that the visitor holds legitimate rights but cannot learn the visitor's specific identity or sensitive information.
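The multi-round challenge-response exchange above, as an added example that is not part of the patent: a Schnorr-style identification protocol over P-256 in Go, in which the visitor proves knowledge of a secret credential x matching the pre-shared public value Y = x*G without revealing x. Choosing P-256 and the Schnorr construction is an assumption; the patent does not name a concrete protocol.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"fmt"
	"math/big"
)

// The group is NIST P-256 from the Go standard library; G is its base point.
var curve = elliptic.P256()

// PublicCredential Y = x*G is the pre-shared access-right reference the portable
// Wi-Fi stores. It identifies an authorised credential, not a person.
type PublicCredential struct{ X, Y *big.Int }

// Credential is the visitor's secret x together with its public part.
type Credential struct {
	Secret *big.Int
	Pub    PublicCredential
}

// Commitment is the visitor's first message R = r*G of one round; r is kept.
type Commitment struct {
	Rx, Ry *big.Int
	r      *big.Int
}

func randScalar() (*big.Int, error) {
	for {
		k, err := rand.Int(rand.Reader, curve.Params().N)
		if err != nil || k.Sign() != 0 {
			return k, err
		}
	}
}

// NewCredential issues a fresh (x, Y) pair; only Y is registered with the Wi-Fi.
func NewCredential() (*Credential, error) {
	x, err := randScalar()
	if err != nil {
		return nil, err
	}
	yx, yy := curve.ScalarBaseMult(x.Bytes())
	return &Credential{Secret: x, Pub: PublicCredential{yx, yy}}, nil
}

// Commit starts a round: the visitor picks a fresh random r and sends R = r*G.
func Commit() (*Commitment, error) {
	r, err := randScalar()
	if err != nil {
		return nil, err
	}
	rx, ry := curve.ScalarBaseMult(r.Bytes())
	return &Commitment{rx, ry, r}, nil
}

// Challenge is the Wi-Fi's random challenge c for this round.
func Challenge() (*big.Int, error) { return randScalar() }

// Respond computes s = r + c*x mod n. Because r is uniform and used once, s
// reveals nothing about x; without x a prover cannot produce a valid s.
func Respond(com *Commitment, c, x *big.Int) *big.Int {
	s := new(big.Int).Mul(c, x)
	s.Add(s, com.r)
	return s.Mod(s, curve.Params().N)
}

// Verify checks s*G == R + c*Y using only the public credential.
func Verify(pub PublicCredential, rx, ry, c, s *big.Int) bool {
	lx, ly := curve.ScalarBaseMult(s.Bytes())
	cyx, cyy := curve.ScalarMult(pub.X, pub.Y, c.Bytes())
	tx, ty := curve.Add(rx, ry, cyx, cyy)
	return lx.Cmp(tx) == 0 && ly.Cmp(ty) == 0
}

// RunProtocol plays the given number of challenge-response rounds between a
// prover holding secret x and a verifier holding only pub; all must pass.
func RunProtocol(x *big.Int, pub PublicCredential, rounds int) (bool, error) {
	if rounds <= 0 {
		return false, fmt.Errorf("rounds must be positive, got %d", rounds)
	}
	for i := 0; i < rounds; i++ {
		com, err := Commit()
		if err != nil {
			return false, err
		}
		c, err := Challenge()
		if err != nil {
			return false, err
		}
		if !Verify(pub, com.Rx, com.Ry, c, Respond(com, c, x)) {
			return false, nil
		}
	}
	return true, nil
}
```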
The specific process of generating the calculation result of the visitor participation protocol by using the secure multiparty calculation protocol is as follows:
Determining the computing task and the required cooperation mode between the participants, including defining the computation target, the input data and the form of the output result; each participant (including the network administrator and the visitors of the portable Wi-Fi) prepares their own input data and selects a secure multiparty computation protocol, the choice of which depends on the nature of the computing task and the security requirements; establishing a secure communication connection between the participants and carrying out the protocol's initialization step, that is, generating and exchanging keys and negotiating protocol parameters; in order to protect the privacy of the input data, the participants encrypt their own input data, using a symmetric encryption algorithm, before performing the computation; the participants execute the computing task according to the rules of the secure multiparty computation protocol, which involves interaction and communication between the participants to complete the computation; after the computation is completed, the participants combine their respective computation results into the final output result using the method defined by the protocol, which may be an operation that encrypts, splits or combines the results; if the computation result needs to be decrypted to obtain a plaintext form, the participant can decrypt the output result with the corresponding decryption key; according to the requirements of the protocol, the participant needs to verify the result to ensure the correctness and security of the computation, using methods such as comparing results or verification with zero knowledge proofs; after the computation is completed, the participants can clear and destroy the temporary data, keys and communication connections used, to ensure security and privacy protection.
In this embodiment, the step S5 of fixedly verifying the validity of the network connection by using the public certificate and guaranteeing the operability of the portable wifi by referring to the preset physical layer security measures includes:
s51: after acquiring network connection provided by the personal wifi based on a public server, receiving a server certificate provided by the public server, and extracting information content of the server certificate, wherein the information content specifically comprises a public key and an issuing organization;
s52: judging whether the information content is tampered after detecting sensitive operation;
s53: if yes, responding to the warning initiated by the public server to the portable wifi, and generating the position change of the portable wifi in real time by applying a preset RFID tag.
In this embodiment, after obtaining the network connection service provided to the personal wifi by a public server, the system receives the server certificate provided by the public server, extracts the information content contained in the server certificate, and then determines whether the information content has been tampered with after detecting a sensitive operation, so as to execute the corresponding steps; for example, when the system determines that the information content has not been tampered with, the system verifies the validity of the server certificate, ensuring that the public certificate in use was issued by a trusted Certificate Authority (CA) and checking its digital signature and the authority's trust chain; if the content of the certificate had been tampered with, its digital signature would be invalid or fail verification; for example, when the system judges that the information content has been tampered with, the system can at this point respond to the public server's warning that the personal wifi is no longer under the control of the network administrator, and meanwhile the public server can use the RFID tag to track the position of the personal wifi in real time, which helps the network administrator record information such as the attributes, position and state of the personal wifi and manage and track it better.
In this embodiment, the step S1 of identifying the connection request initiated by the visitor to the preset personal wifi, and capturing the log of the visitor login in real time through the personal wifi includes:
s11: tracking login-related events of the visitor, wherein the login-related events specifically comprise a client connection event, an identity verification event and a session establishment event;
s12: judging whether the address information of the visitor changes when the personal wifi writes in the login related event, wherein the address information specifically comprises an IP address and an MAC address;
s13: if yes, filtering and extracting the captured login log to generate pre-recorded information about the visitor, wherein the pre-recorded information specifically comprises a user name/identity, a login timestamp, a requested URL and resource, an access type, an error and an abnormal event.
In this embodiment, the system tracks the login related events of the visitor, and determines whether the address information of the visitor changes when the personal wifi writes the login related events, so as to execute the corresponding steps; for example, when the system detects that the address information of the visitor has not changed, the system allows the visitor into the control network of the personal wifi and provides the visitor with the corresponding network service; for example, when the system detects that the address information of the visitor has changed, the system ensures that the logging function of the portable Wi-Fi device is enabled and appropriately configured, including selecting the required log level and the storage location of the designated log file; identifies the events related to the visitor login in the portable Wi-Fi device's logs, including client connection events, authentication events and session establishment events; defines an appropriate login log format to record the visitor's related information, including the visitor's IP address, MAC address, user name and login timestamp; sets up a real-time monitoring mechanism to capture and record the login events, implemented by monitoring changes to the device's log file in real time or by using a dedicated monitoring tool or software; filters and extracts the captured login log using a log analysis tool or script, screening login events by specific user, time range or other key attributes as required; and stores and protects the login log securely, including storing logs on a secure server or in a dedicated log management system and applying appropriate access control and encryption measures to prevent unauthorized access.
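As an added example of steps s11 to s13 (not code from the patent), the Go program below replays a constructed key=value login log, tracks client connection, authentication and session establishment events per visitor, and emits a pre-recorded visitor record whenever the visitor's IP or MAC address changes. The log format, field names and sample lines are assumptions; the patent does not specify the device's log format.

```go
package main

import "strings"

// LoginEvent is one parsed login-related record. The key=value line format is
// constructed for this example; the portable wifi's real log format is not given.
type LoginEvent struct {
	Timestamp, Event, User, IP, MAC, URL, Status string
}

// VisitorRecord is the pre-recorded information produced when a visitor's
// address information (IP or MAC) changes between login-related events.
type VisitorRecord struct {
	User, Timestamp, URL, AccessType, Error string
	OldIP, NewIP, OldMAC, NewMAC            string
}

// loginEvents are the client connection, authentication and session
// establishment events the method tracks; other lines are ignored.
var loginEvents = map[string]bool{"client_connect": true, "auth": true, "session_established": true}

// ParseLine parses "key=value" tokens; it rejects lines without the mandatory
// ts, event, user, ip and mac fields.
func ParseLine(line string) (LoginEvent, bool) {
	f := map[string]string{}
	for _, tok := range strings.Fields(line) {
		k, v, ok := strings.Cut(tok, "=")
		if !ok {
			return LoginEvent{}, false
		}
		f[k] = v
	}
	for _, k := range []string{"ts", "event", "user", "ip", "mac"} {
		if f[k] == "" {
			return LoginEvent{}, false
		}
	}
	return LoginEvent{f["ts"], f["event"], f["user"], f["ip"], f["mac"], f["url"], f["status"]}, true
}

type addr struct{ ip, mac string }

// ExtractAddressChanges replays the log, remembers the last IP/MAC seen per
// visitor, and emits a VisitorRecord for every login event whose address
// information differs from the previous one. Unparseable lines are counted.
func ExtractAddressChanges(lines []string) (records []VisitorRecord, skipped int) {
	last := map[string]addr{}
	for _, line := range lines {
		ev, ok := ParseLine(line)
		if !ok {
			skipped++
			continue
		}
		if !loginEvents[ev.Event] {
			continue // not a login-related event: do not update the baseline
		}
		cur := addr{ev.IP, ev.MAC}
		prev, seen := last[ev.User]
		last[ev.User] = cur
		if !seen || prev == cur {
			continue
		}
		errText := ""
		if ev.Status != "" && ev.Status != "ok" {
			errText = ev.Status
		}
		records = append(records, VisitorRecord{
			User: ev.User, Timestamp: ev.Timestamp, URL: ev.URL, AccessType: ev.Event, Error: errText,
			OldIP: prev.ip, NewIP: cur.ip, OldMAC: prev.mac, NewMAC: cur.mac,
		})
	}
	return records, skipped
}

// SampleLog is a constructed portable-wifi login log used to exercise the code.
var SampleLog = []string{
	"ts=2024-01-01T09:00:00Z event=client_connect user=guest07 ip=192.168.43.12 mac=aa:bb:cc:dd:ee:01",
	"ts=2024-01-01T09:00:02Z event=auth user=guest07 ip=192.168.43.12 mac=aa:bb:cc:dd:ee:01 status=ok",
	"ts=2024-01-01T09:00:03Z event=session_established user=guest07 ip=192.168.43.12 mac=aa:bb:cc:dd:ee:01 url=/portal",
	"ts=2024-01-01T09:01:00Z event=dhcp_lease user=guest07 ip=192.168.43.12 mac=aa:bb:cc:dd:ee:01",
	"ts=2024-01-01T09:02:00Z event=client_connect user=guest12 ip=192.168.43.40 mac=aa:bb:cc:dd:ee:22",
	"ts=2024-01-01T09:05:10Z event=client_connect user=guest07 ip=192.168.43.77 mac=aa:bb:cc:dd:ee:01",
	"ts=2024-01-01T09:05:11Z event=auth user=guest07 ip=192.168.43.77 mac=aa:bb:cc:dd:ee:01 status=ok",
	"ts=2024-01-01T09:09:00Z event=auth user=guest07 ip=192.168.43.77 mac=aa:bb:cc:dd:ee:9f url=/admin status=error",
	"this line is not key=value",
}
```

Running ExtractAddressChanges over SampleLog yields two records for guest07 (an IP change at 09:05:10 and a MAC change with a failed authentication at 09:09:00) and skips the malformed last line.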
In this embodiment, before step S3 of monitoring the log to be accessed of the visitor and performing log audit on the log to be accessed, the method further includes:
s301: recording the access time length of the visitor to the detected abnormal access point;
s302: judging whether the access time length is longer than a preset time length or not;
s303: if yes, the visitor is listed as a user to be monitored, alarm information is triggered and sent to a network administrator who establishes the portable wifi, and risk assessment is carried out on the visitor, wherein the risk assessment specifically comprises analysis of historical behaviors, access characteristic information and access identity information of the visitor.
In this embodiment, after the system identifies that the visitor has accessed an abnormal access point, the system records how long the visitor accessed the abnormal access point, and then judges whether this access duration is greater than a preset duration so as to execute the corresponding steps; for example, when the system determines that the access duration is less than the preset duration, the system considers that the visitor entered the abnormal access location by mistake and is not deliberately doing anything at the abnormal access location that would harm the portable wifi; for example, when the system determines that the access duration is longer than the preset duration, the system lists the visitor as a user to be monitored, triggers the alarm of the personal wifi to notify the network administrator, and has the network administrator perform a risk assessment on the visitor.
It should be noted that, the specific process of risk assessment includes:
collecting visitor information: the network administrator needs to collect basic information about the visitor, including name, contact, affiliated organization or company, etc.; such information may be used for authentication and subsequent communication with the visitor;
access purpose and rights validation: knowing the access purpose and the required authority of the visitor; the access purpose may be to obtain a specific resource or execute a specific task, and the authority determines the operation range that the visitor can access and execute;
identity authentication: performing identity verification to ensure that the identity of the visitor is genuine and valid; authentication may be performed in a variety of ways, including credential-based authentication (e.g., user name and password) or biometric identification;
access history review: reviewing historical access records and behavior of the visitor; including previously accessed resources, frequencies, time periods, etc.; review of the historical access records helps to assess the trustworthiness and behavioral patterns of the visitor;
risk assessment and grading: evaluating and grading risks of visitors based on the information and the history of the visitors; factors including the identity of the visitor, rights requirements, access purposes, historical behavior are considered; defining proper access control strategies and limits according to the risk level;
Authorization and access control: determining authorization and access control strategies required by the visitor based on the risk assessment result; including assigning specific rights, restricting access time, and devices; ensuring that only authorized visitors are able to obtain the required resources and adhere to security policies and guidelines.
In this embodiment, before step S1 of identifying a connection request initiated by a visitor to a preset personal wifi and capturing a log of the visitor login in real time through the personal wifi, the method further includes:
s101: acquiring the access connection quantity of the portable wifi;
s102: judging whether the access connection quantity is larger than the monitoring quantity of a network manager or not;
s103: if yes, a temporary authorized identity is given to the connected visitor, the visitor reporting the temporary authorized identity is listed as a safe connection user, and the visitor not reporting the temporary authorized identity is listed as an unknown connection user.
In this embodiment, the system acquires the access connection amount of the personal wifi, and then determines whether the access connection amount is greater than the amount the network administrator can monitor, so as to execute the corresponding steps; for example, when the system determines that the access connection amount is not greater than the amount the network administrator can monitor, the system considers that the personal wifi is currently in a normal connection state and does not need to re-identify the connected visitors; for example, when the system determines that the access connection amount is greater than the amount the network administrator can monitor, the system gives temporary authorized identities to the connected visitors, lists visitors who report their temporary authorized identity as safe connection users, lists visitors who do not report a temporary authorized identity as unknown connection users, and sets a reporting time for the unknown connection users; if an unknown connection user still has not completed reporting within the reporting time, the network administrator can forcibly disconnect that user from the portable wifi so as to avoid unnecessary network attacks on the portable wifi.
Referring to fig. 2, a system for arranging network environments based on personal wifi according to an embodiment of the invention includes:
the identification module 10 is used for identifying a connection request initiated by a visitor to a preset personal wifi, and capturing a visitor login log in real time through the personal wifi;
a judging module 20, configured to judge whether the visitor log can pass through a preset RBAC access control;
the execution module 30 is configured to monitor a log to be accessed of the visitor, perform log audit on the log to be accessed at the same time, regularly track an access location of the visitor according to a preset period, and limit management actions of the visitor on a preset sensitive log based on an access right pre-authorized for the visitor, where the management actions specifically include accessing the sensitive log, reading the sensitive log, writing the sensitive log and executing log resources;
a second judging module 40, configured to judge whether the visitor is detected to perform a pre-recorded sensitive operation, where the sensitive operation specifically includes network sniffing, network scanning, and man-in-the-middle attack;
the second execution module 50 is configured to, if detected, apply an interference sniffing tool to identify a specific sniffing activity of the visitor, disable a specified service and an open port within a preset time period, deploy an IDPS tool to monitor and prevent network scanning activity, use a public certificate to fixedly verify validity of a network connection, and reference a preset physical layer security measure to ensure operability of the personal wifi, wherein the physical layer security measure specifically includes using a controlled physical network connection, limiting physical access rights, and using a physical encryption device.
In this embodiment, the identification module 10 captures in real time the visitor login log recorded by the personal wifi by identifying the connection request initiated by the visitor to the preset personal wifi, and then the judging module 20 judges whether the visitor log can pass the RBAC access control preset by the personal wifi, so as to execute the corresponding steps; for example, when the system determines that the visitor's log cannot pass the preset RBAC access control, the system considers that the visitor threatens the security of the personal wifi, and the visitor is required to remove the threat factors, including any installed or running hacking tools, attack tools or other software with malicious purposes; for example, when the system determines that the visitor login log can pass the preset RBAC access control, the execution module 30 then monitors the logs to be accessed by the visitor and performs log audit on them, tracks the visitor's access location at the preset regular interval, and defines the management actions of the visitor on the sensitive log preset by the personal wifi based on the access right pre-authorized to the visitor by the personal wifi, where the management actions include accessing, reading and writing the sensitive log and executing log resources, because if the visitor is not the network administrator, such management actions on the sensitive log are likely to leak sensitive information, lead to data tampering, erroneous deletion or data loss, and damage the audit trail; the second judging module 40 judges whether the visitor is detected performing a pre-recorded sensitive operation during the connection period, so as to execute the corresponding steps; for example, when the system determines that the visitor is not performing a sensitive operation, the system may use behavior analysis techniques to detect abnormal behavior patterns of the visitor, including identifying unusual access patterns, abnormal data transfer behavior and large numbers of login attempts, through which potentially sensitive operations may be identified; for example, when the system determines that the visitor performs a sensitive operation, the second execution module 50 may apply the interference sniffing tool to identify the specific sniffing activity of the visitor, disable the specified service and open port within the preset time period, deploy the IDPS tool to monitor and prevent network scanning activity, use the public certificate to fixedly verify the validity of the network connection, and reference the preset physical layer security measures to ensure the operability of the portable wifi.
In this embodiment, further comprising:
the packaging module is used for packaging the output flow of the portable wifi by applying a preset network tunnel and protecting the sensitive log output by the portable wifi by using end-to-end encryption;
the third judging module is used for judging whether the sensitive log can be accessed when being transmitted in the network tunnel;
and the third execution module is used for generating a symmetrical encryption key based on a preset symmetrical encryption algorithm, encrypting the sensitive log by using the symmetrical encryption algorithm and the symmetrical encryption key, dividing the sensitive log into data blocks with average number, and encrypting each data block by using the symmetrical encryption key.
In this embodiment, the system encapsulates the traffic that the portable wifi is currently still outputting by applying the preset network tunnel, uses end-to-end encryption to protect the sensitive log that the portable wifi has already output, and meanwhile judges whether the sensitive log can be accessed by the visitor while it is transmitted in the network tunnel, so as to execute the corresponding steps; for example, when the system determines that the sensitive log cannot be accessed during transmission, this means that the security of the network tunnel is sufficient and it will not be broken into by other visitors; for example, when the system determines that the sensitive log can be accessed during transmission, the system generates a symmetric encryption key for the sensitive log based on a preset symmetric encryption algorithm, encrypts the sensitive log using the symmetric encryption algorithm and the symmetric encryption key, and, after dividing the sensitive log into equally sized data blocks, encrypts each data block using the symmetric encryption key.
In this embodiment, the execution module further includes:
the verification unit is used for verifying the authority of the visitor by adopting a zero knowledge proof protocol and processing the sensitive log by applying an anonymization technology;
the judging unit is used for judging whether the visitor accesses the sensitive log or not;
and the execution unit is used for requiring the visitor to carry out multi-factor identity verification, carrying out data processing on the sensitive log by using a secure multiparty computing protocol, and generating a computing result after the visitor participates in the protocol based on a protocol design preset by the secure multiparty computing protocol.
In this embodiment, the system performs authority verification on the visitor using a zero knowledge proof protocol, processes the sensitive log with an anonymization technique, and then judges whether the visitor accesses the sensitive log so as to execute the corresponding steps; for example, when the system determines that the visitor does not access the sensitive log, the system gives the visitor the corresponding permission settings in the personal wifi according to the visitor's verified permissions; for example, when the system determines that the visitor needs to access the sensitive log, the system may at this point require the visitor to perform multi-factor authentication, process the sensitive log using a secure multiparty computation protocol, and generate the computation result of the visitor's participation in the protocol based on the preset protocol design.
In this embodiment, the second execution module further includes:
the acquisition unit is used for receiving a server certificate provided by a public server after acquiring the network connection provided by the public server by the personal wifi, and extracting information content of the server certificate, wherein the information content specifically comprises a public key and an issuing mechanism;
the second judging unit is used for judging whether the information content is tampered after detecting sensitive operation;
the second execution unit is used for responding to the warning initiated by the public server to the portable wifi and generating the position change of the portable wifi in real time by applying a preset RFID tag.
In this embodiment, after obtaining the network connection service provided to the personal wifi by a public server, the system receives the server certificate provided by the public server, extracts the information content contained in the server certificate, and then determines whether the information content has been tampered with after detecting a sensitive operation, so as to execute the corresponding steps; for example, when the system determines that the information content has not been tampered with, the system verifies the validity of the server certificate, ensuring that the public certificate in use was issued by a trusted Certificate Authority (CA) and checking its digital signature and the authority's trust chain; if the content of the certificate had been tampered with, its digital signature would be invalid or fail verification; for example, when the system judges that the information content has been tampered with, the system can at this point respond to the public server's warning that the personal wifi is no longer under the control of the network administrator, and meanwhile the public server can use the RFID tag to track the position of the personal wifi in real time, which helps the network administrator record information such as the attributes, position and state of the personal wifi and manage and track it better.
In this embodiment, the identification module further includes:
the system comprises a tracking unit, a storage unit and a processing unit, wherein the tracking unit is used for tracking login related events of the visitor, and the login related events specifically comprise a client connection event, an identity verification event and a session establishment event;
the third judging unit is used for judging whether the address information of the visitor changes when the personal wifi writes in the login related event, wherein the address information specifically comprises an IP address and an MAC address;
and the third execution unit is used for filtering and extracting the captured login log and generating pre-recorded information about the visitor, wherein the pre-recorded information specifically comprises a user name/identity, a login timestamp, a requested URL and resource, an access type, an error and an abnormal event.
In this embodiment, the system tracks the login related events of the visitor, and determines whether the address information of the visitor changes when the personal wifi writes the login related events, so as to execute the corresponding steps; for example, when the system detects that the address information of the visitor has not changed, the system allows the visitor into the control network of the personal wifi and provides the visitor with the corresponding network service; for example, when the system detects that the address information of the visitor has changed, the system ensures that the logging function of the portable Wi-Fi device is enabled and appropriately configured, including selecting the required log level and the storage location of the designated log file; identifies the events related to the visitor login in the portable Wi-Fi device's logs, including client connection events, authentication events and session establishment events; defines an appropriate login log format to record the visitor's related information, including the visitor's IP address, MAC address, user name and login timestamp; sets up a real-time monitoring mechanism to capture and record the login events, implemented by monitoring changes to the device's log file in real time or by using a dedicated monitoring tool or software; filters and extracts the captured login log using a log analysis tool or script, screening login events by specific user, time range or other key attributes as required; and stores and protects the login log securely, including storing logs on a secure server or in a dedicated log management system and applying appropriate access control and encryption measures to prevent unauthorized access.
In this embodiment, the system further comprises:
the recording module is used for recording the access time length of the visitor to the detected abnormal access point;
a fourth judging module, configured to judge whether the access duration is greater than a preset duration;
and the fourth execution module is used for listing the visitor as a user to be monitored, triggering alarm information and sending the alarm information to a network administrator establishing the personal wifi, and carrying out risk assessment on the visitor, wherein the risk assessment specifically comprises analysis of historical behaviors, access characteristic information and access identity information of the visitor.
In this embodiment, after the system identifies that the visitor has accessed an abnormal access point, it records how long the visitor stays at the abnormal access point and then judges whether that access duration is greater than a preset duration, so as to execute the corresponding step. For example, when the system determines that the access duration is less than the preset duration, it considers that the visitor entered the abnormal access location by mistake and is not intentionally doing anything there that would harm the personal wifi. When the system determines that the access duration is greater than the preset duration, it lists the visitor as a user to be monitored, triggers the alarm of the personal wifi to notify the network administrator, and has the network administrator perform a risk assessment on the visitor.
In this embodiment, the system further comprises:
the acquisition module is used for acquiring the access connection quantity of the portable wifi;
a fifth judging module, configured to judge whether the access connection amount is greater than the amount that a network administrator can monitor;
and the fifth execution module is used for giving a temporary authorized identity to each connected visitor, listing visitors who report their temporary authorized identity as safe connection users, and listing visitors who do not report their temporary authorized identity as unknown connection users.
In this embodiment, the system acquires the number of access connections of the personal wifi and then determines whether it exceeds the number of connections the network administrator can monitor, so as to execute the corresponding step. For example, when the system determines that the number of access connections does not exceed the administrator's monitorable amount, it considers the personal wifi to be in a normal connection state and does not need to re-identify the connected visitors. When the system determines that the number of access connections exceeds the administrator's monitorable amount, it gives each connected visitor a temporary authorized identity, lists visitors who report their temporary authorized identity as safe connection users, lists visitors who do not as unknown connection users, and sets a reporting time for the unknown connection users; if an unknown connection user still has not reported within the reporting time, the network administrator can forcibly disconnect it from the portable wifi so as to avoid an unnecessary network attack on the portable wifi.
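The two decisions described in this and the preceding embodiment (the access-duration threshold at an abnormal access point, and the temporary-identity scheme used when connections exceed what the administrator can monitor), as one added Python example that is not part of the patent; class names, thresholds, MACs and the reporting-deadline handling are assumptions made for the illustration.

```python
# Added example, not from the patent: visitor triage on a personal wifi, combining the
# access-duration check at an abnormal access point with the temporary-identity scheme
# used once connections exceed what the administrator can monitor (values constructed).
import secrets
from dataclasses import dataclass, field

@dataclass
class Visitor:
    mac: str
    temp_identity: str = ""
    status: str = "connected"      # connected | unknown | safe | disconnected

@dataclass
class HotspotPolicy:
    max_monitorable: int           # connections the administrator can watch at once
    preset_access_s: int           # tolerated stay at an abnormal access point
    report_deadline_s: int         # time an unknown user has to report its identity
    alerts: list = field(default_factory=list)

    def check_abnormal_access(self, visitor, access_duration_s):
        # Short stay: mistaken entry. Long stay: list for monitoring and alert the admin.
        if access_duration_s <= self.preset_access_s:
            return "accidental"
        self.alerts.append(f"{visitor.mac}: {access_duration_s}s at abnormal access point")
        return "monitored"
    def issue_temp_identities(self, visitors):
        # Only when load exceeds the monitorable amount; visitors are 'unknown' until they report.
        if len(visitors) <= self.max_monitorable:
            return False
        for v in visitors:
            if v.status == "connected":
                v.temp_identity, v.status = secrets.token_hex(8), "unknown"
        return True
    def report(self, visitor, identity):
        # Self-report with constant-time compare; a match makes it a safe connection user.
        if visitor.temp_identity and secrets.compare_digest(identity, visitor.temp_identity):
            visitor.status = "safe"
            return True
        return False
    def enforce_deadline(self, visitors, elapsed_s):
        # Once the reporting time has passed, unknown users are forcibly disconnected.
        if elapsed_s < self.report_deadline_s:
            return []
        cut = [v for v in visitors if v.status == "unknown"]
        for v in cut:
            v.status = "disconnected"
        return [v.mac for v in cut]

def run_scenario():
    # Three visitors on a hotspot whose administrator can monitor only two.
    policy = HotspotPolicy(max_monitorable=2, preset_access_s=30, report_deadline_s=60)
    visitors = [Visitor(f"aa:bb:cc:dd:ee:0{i}") for i in (1, 2, 3)]
    policy.issue_temp_identities(visitors)
    policy.report(visitors[0], visitors[0].temp_identity)   # correct self-report -> safe
    policy.report(visitors[1], "not-the-issued-identity")   # wrong token, stays unknown
    policy.check_abnormal_access(visitors[0], 45)           # long stay: alert raised
    policy.enforce_deadline(visitors, 60)                   # reporting deadline reached
    return {v.mac: v.status for v in visitors}, policy.alerts
```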
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (10)

1. The network environment arrangement method based on the portable wifi is characterized by comprising the following steps:
identifying a connection request initiated by a visitor to a preset personal wifi, and capturing a visitor login log in real time through the personal wifi;
judging whether the visitor login log can pass through a preset RBAC access control;
if yes, monitoring a log to be accessed of the visitor, meanwhile, carrying out log audit on the log to be accessed, regularly tracking the access place of the visitor according to a preset period, and limiting the management behavior of the visitor on a preset sensitive log based on the access permission pre-authorized for the visitor, wherein the management behavior specifically comprises accessing the sensitive log, reading the sensitive log, writing the sensitive log and executing log resources;
judging whether the visitor is detected to execute pre-recorded sensitive operations, wherein the sensitive operations specifically comprise network sniffing, network scanning and man-in-the-middle attack;
if so, applying an interference sniffing tool to identify the specific sniffing activity of the visitor, disabling specified services and open ports within a preset time period, deploying an IDPS tool to monitor and prevent network scanning activity, fixedly verifying the validity of the network connection by using a public certificate, and referring to a preset physical layer security measure to ensure the operability of the carry-on wifi, wherein the physical layer security measure specifically comprises the use of controlled physical network connections, the limitation of physical access rights and the use of physical encryption equipment.
2. The method for arranging a network environment based on carry-on wifi according to claim 1, wherein before the step of applying an interference sniffing tool to identify the specific sniffing activity of the visitor and disabling the specified services and open ports within the preset time period, the method further comprises:
encapsulating the output flow of the portable wifi by using a preset network tunnel, and protecting a sensitive log output by the portable wifi by using end-to-end encryption;
judging whether the sensitive log can be accessed when being transmitted in the network tunnel;
if so, generating a symmetric encryption key based on a preset symmetric encryption algorithm, encrypting the sensitive log by using the symmetric encryption algorithm and the symmetric encryption key, dividing the sensitive log into equal-sized data blocks, and encrypting each data block by using the symmetric encryption key.
3. The method for arranging network environments based on carry-on wifi according to claim 1, wherein the step of defining the management behavior of the visitor to a preset sensitive log based on the access right pre-authorized for the visitor includes:
performing authority verification on the visitor by adopting a zero knowledge proof protocol, and simultaneously processing a sensitive log by adopting an anonymization technology;
judging whether the visitor accesses the sensitive log or not;
if yes, the visitor is required to carry out multi-factor identity verification, the sensitive log is subjected to data processing by using a secure multiparty computing protocol, and a computing result after the visitor participates in the protocol is generated based on a protocol design preset by the secure multiparty computing protocol.
4. The network environment arrangement method based on the carry-on wifi according to claim 1, wherein the step of fixedly verifying the validity of the network connection by using the public certificate and guaranteeing the operability of the carry-on wifi by referring to a preset physical layer security measure includes:
after acquiring network connection provided by the personal wifi based on a public server, receiving a server certificate provided by the public server, and extracting information content of the server certificate, wherein the information content specifically comprises a public key and an issuing organization;
judging whether the information content has been tampered with after a sensitive operation is detected;
if yes, responding to the warning initiated by the public server to the portable wifi, and generating the position change of the portable wifi in real time by applying a preset RFID tag.
5. The network environment arrangement method based on the carry-on wifi according to claim 1, wherein the step of identifying the connection request initiated by the visitor to the preset carry-on wifi and capturing the visitor login log in real time through the carry-on wifi includes:
tracking login-related events of the visitor, wherein the login-related events specifically comprise a client connection event, an identity verification event and a session establishment event;
judging whether the address information of the visitor changes when the personal wifi writes the login-related event, wherein the address information specifically comprises an IP address and a MAC address;
if yes, filtering and extracting the captured login log to generate pre-recorded information about the visitor, wherein the pre-recorded information specifically comprises a user name/identity, a login timestamp, a requested URL and resource, an access type, an error and an abnormal event.
6. The method for arranging a network environment based on personal wifi according to claim 1, wherein before the step of monitoring the log to be accessed of the visitor and simultaneously performing log audit on the log to be accessed, the method further comprises:
recording the access time length of the visitor to the detected abnormal access point;
judging whether the access time length is longer than a preset time length or not;
if yes, the visitor is listed as a user to be monitored, alarm information is triggered and sent to a network administrator who establishes the portable wifi, and risk assessment is carried out on the visitor, wherein the risk assessment specifically comprises analysis of historical behaviors, access characteristic information and access identity information of the visitor.
7. The network environment arrangement method based on the carry-on wifi according to claim 1, wherein before the step of identifying the connection request initiated by the visitor to the preset carry-on wifi and capturing the visitor login log in real time through the carry-on wifi, the method further comprises:
acquiring the access connection quantity of the portable wifi;
judging whether the access connection quantity is larger than the quantity that a network administrator can monitor;
if yes, a temporary authorized identity is given to the connected visitor, the visitor reporting the temporary authorized identity is listed as a safe connection user, and the visitor not reporting the temporary authorized identity is listed as an unknown connection user.
8. The network environment arrangement system based on the carry-on wifi is characterized by comprising:
the identification module is used for identifying a connection request initiated by a visitor to a preset personal wifi, and capturing a visitor login log in real time through the personal wifi;
the judging module is used for judging whether the visitor login log can pass through the preset RBAC access control;
the execution module is used for monitoring the log to be accessed of the visitor, simultaneously carrying out log audit on the log to be accessed, regularly tracking the access place of the visitor according to a preset period, and limiting the management behavior of the visitor on the preset sensitive log based on the access permission pre-authorized for the visitor, wherein the management behavior specifically comprises accessing the sensitive log, reading the sensitive log, writing the sensitive log and executing log resources;
the second judging module is used for judging whether the visitor is detected to execute the pre-recorded sensitive operation, wherein the sensitive operation specifically comprises network sniffing, network scanning and man-in-the-middle attack;
and the second execution module is used for applying an interference sniffing tool to identify specific sniffing activities of the visitor, disabling specified services and open ports in a preset time period, deploying an IDPS tool to monitor and prevent network scanning activities, fixedly verifying the validity of network connection by using a public certificate, and referring to a preset physical layer security measure to ensure the operability of the personal wifi, wherein the physical layer security measure specifically comprises the use of controlled physical network connection, the limitation of physical access rights and the use of physical encryption equipment.
9. The network environment arrangement system based on the carry-on wifi according to claim 8, further comprising:
the packaging module is used for packaging the output flow of the portable wifi by applying a preset network tunnel and protecting the sensitive log output by the portable wifi by using end-to-end encryption;
the third judging module is used for judging whether the sensitive log can be accessed when being transmitted in the network tunnel;
and the third execution module is used for generating a symmetric encryption key based on a preset symmetric encryption algorithm, encrypting the sensitive log by using the symmetric encryption algorithm and the symmetric encryption key, dividing the sensitive log into equal-sized data blocks, and encrypting each data block by using the symmetric encryption key.
10. The network environment arrangement system based on the carry-on wifi according to claim 8, wherein the execution module further comprises:
the verification unit is used for verifying the authority of the visitor by adopting a zero knowledge proof protocol and processing the sensitive log by applying an anonymization technology;
the judging unit is used for judging whether the visitor accesses the sensitive log or not;
and the execution unit is used for requiring the visitor to carry out multi-factor identity verification, carrying out data processing on the sensitive log by using a secure multiparty computing protocol, and generating a computing result after the visitor participates in the protocol based on a protocol design preset by the secure multiparty computing protocol.
CN202311024170.9A 2023-08-15 2023-08-15 Network environment arrangement method and system based on personal wifi Pending CN116866920A (en)

Publications (1)

Publication Number Publication Date
CN116866920A true CN116866920A (en) 2023-10-10

Family

ID=88236231

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination