CN118094497A - Mobile storage equipment safety management method based on authority allocation and cancellation - Google Patents


Publication number
CN118094497A
Authority
CN
China
Prior art keywords
mobile storage
storage device
authority
management end
file
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211505820.7A
Other languages
Chinese (zh)
Inventor
梁景煊
冯蔚
高汉军
许克珂
丁鼎定
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Nuclear Power Operation Technology Corp Ltd
Original Assignee
China Nuclear Power Operation Technology Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Nuclear Power Operation Technology Corp Ltd filed Critical China Nuclear Power Operation Technology Corp Ltd
Priority to CN202211505820.7A priority Critical patent/CN118094497A/en
Publication of CN118094497A publication Critical patent/CN118094497A/en
Pending legal-status Critical Current

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a mobile storage device security management method based on authority allocation and cancellation, comprising the following steps. Step 1: connect the management end hardware to a protected host. Step 2: connect the mobile storage device to the management end hardware. Step 3: the management end hardware detects whether a content information record file exists on the connected mobile storage device. Step 4: the management end hardware detects whether an authority information record file exists on the connected mobile storage device. Step 5: the management end hardware detects whether the content information record file on the connected mobile storage device matches the current content files. Step 6: the mobile storage device can be used within its authority range, and the authority confirmation process for the mobile storage device ends. The invention improves the security of mobile storage device use, broadens the range of application and improves convenience.

Description

Mobile storage equipment safety management method based on authority allocation and cancellation
Technical Field
The invention relates to the technical field of security management of nuclear power mobile storage equipment, in particular to a mobile storage equipment security management method based on authority allocation and cancellation.
Background
In the daily operation and maintenance of industrial control systems, there are many occasions on which mobile storage devices are needed to transfer information or files. At present, however, the use of mobile storage devices is either not covered by any security management system or is governed only by a manual management system. When a mobile storage device is connected to a critical or confidential host of the system, whether it contains viruses or suspicious files depends on whether the user or administrator conscientiously scanned it before access. This way of managing mobile storage devices carries a considerable security risk: files containing hidden threats may be introduced into the industrial control system and disrupt its operation, or key information files may be tampered with or stolen.
In addition, some industrial control hosts run special service systems, so installing antivirus software on them is very likely to reduce the operating efficiency of the service system, and in some cases the operating system is not even compatible with the antivirus software.
The traditional management of mobile storage devices therefore relies on a manual management system: virus scanning and removal on the device is carried out by hand, and neither the range of use nor the behavior authority of the device is restricted. In industrial control systems, which place extremely high demands on system security, the use of mobile storage devices still carries a very high security risk, and the security of a mobile storage device connected to an industrial control host is not effectively guaranteed.
Disclosure of Invention
The invention aims to provide a mobile storage device security management method based on authority allocation and cancellation that replaces the traditional manual management system. It ensures that the content files of a mobile storage device have been scanned for viruses, with any found removed, before the device is connected to an industrial control host, restricts operations on the files in the mobile storage device to an authority range set in advance, and avoids the possibility of unauthorized operation.
In order to achieve the above object, the present invention provides the following technical solutions:
A mobile storage device security management method based on authority allocation and cancellation includes the following steps:
Step 1: connect the management end hardware to a protected host;
Step 2: connect the mobile storage device to the management end hardware;
Step 3: the management end hardware detects whether a content information record file exists on the connected mobile storage device;
Step 4: the management end hardware detects whether an authority information record file exists on the connected mobile storage device;
Step 5: the management end hardware detects whether the content information record file on the connected mobile storage device matches the current content files;
Step 6: the mobile storage device can be used within its authority range, and the authority confirmation process for the mobile storage device ends.
In step 3, if there is no content information record file, the process proceeds to step S42: the mobile storage device has no authority, and the authority confirmation process for the mobile storage device ends.
In step 4, if there is no authority information record file, the process proceeds to step S52:
the user confirms at the management end interface whether the mobile storage device is to be authorized; if yes, the process proceeds to step S7: the management end hardware scans the mobile storage device for viruses and removes any found; if not, the process proceeds to step S42.
In step 5, if the content information record file does not match the current content files, the process proceeds to step S62: the management end hardware deletes the authority information record file on the mobile storage device and proceeds to step S52.
Step 7 is followed by:
Step S8: the user sets the authority of the mobile storage device at the management end interface;
Step S9: the management end hardware authorizes the mobile storage device and records the files currently on the mobile storage device;
Step S10: the management end hardware stores the new authority information record file and the content information record file on the mobile storage device, and the process proceeds to step S6.
Further, the authority set at the management end comprises the range of use of the mobile storage device, the read-write authority and the file blacklist and whitelist.
Further, the management end has a virus scanning and removal function module, which scans the connected mobile storage device for viruses and removes them according to the virus library.
Furthermore, the management end has an authority granting function module. Authority can be granted to a mobile storage device connected to the management end only after the virus scanning and removal function module has completed its scan, whereupon an authority feature information file corresponding to the authority is generated and stored on the mobile storage device.
Further, the management end has a content recording function module, which, at the time the mobile storage device is authorized, records the features of the content files other than the content information record file and stores the feature record file on the mobile storage device.
Further, the management end has a content detection function module. When the mobile storage device is connected to the management end again, the module compares the features of the current file contents on the device, other than the content information record file, with the feature record file that the content recording function module stored on the device at the previous connection, and so detects whether the content data is the same as at the last authorization.
Further, the management end has an authorization detection function module. After the mobile storage device is connected to the management end, the module checks the authorization feature information file on the mobile storage device, so that interaction between the mobile storage device and the protected host can take place only within the authorized range.
Further, the management end has an authorization cancellation function module. For a mobile storage device whose data the content detection function module has found to be changed, the module automatically deletes the authority feature information file on the device, so that the device has no authority until it is authorized again.
Compared with the prior art, the mobile storage device security management method based on authority allocation and cancellation has the following beneficial effects:
The invention improves the security of mobile storage device use, broadens the range of application and improves convenience.
The invention effectively improves the precision with which the use of mobile storage devices is managed in an industrial control environment and reduces the labor cost of management.
The invention greatly reduces the workload of the manager and also reduces the possibility that viruses are brought into important equipment, or that important files are tampered with or stolen, because of a management oversight.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below.
Fig. 1 is a flowchart of a mobile storage device security management method based on rights allocation and cancellation according to an embodiment of the present invention.
Detailed Description
Further details are provided below with reference to the specific embodiments.
As shown in fig. 1, the present invention provides a mobile storage device security management method based on rights allocation and cancellation, which specifically includes the following steps:
Step S1: connect the management end hardware to a protected host;
Step S2: connect the mobile storage device to the management end hardware;
Step S3: the management end hardware detects whether the connected mobile storage device has a content information record file; if yes, go to step S41; if not, go to step S42;
Step S41: the management end hardware detects whether the connected mobile storage device has an authority information record file; if yes, go to step S51; if not, go to step S52;
Step S42: the mobile storage device has no authority, and the authority confirmation flow for the mobile storage device ends;
Step S51: the management end hardware detects whether the content information record file on the connected mobile storage device matches the current content files; if so, go to step S61; if not, go to step S62;
Step S52: the user confirms at the management end interface whether the mobile storage device is to be authorized; if yes, go to step S7; if not, go to step S42;
Step S61: the mobile storage device can be used within its authority range, and the authority confirmation flow for the mobile storage device ends;
Step S62: the management end hardware deletes the authority information record file on the mobile storage device and goes to step S52;
Step S7: the management end hardware scans the mobile storage device for viruses and removes any found;
Step S8: the user sets the authority of the mobile storage device at the management end interface;
Step S9: the management end hardware authorizes the mobile storage device and records the files currently on the mobile storage device;
Step S10: the management end hardware stores the new authority information record file and the content information record file on the mobile storage device, and goes to step S61.
The invention provides safe and efficient management of mobile storage devices for industrial control, with the recording of file information on the mobile storage device at its core. On the premise that virus scanning and removal has been carried out, the mobile storage device is given the minimum authority necessary to complete its work according to the occasion on which it is used (including the range of hosts with which it may exchange data, the read-write authority and the file types it is allowed to carry), and the features of the files on the device at that moment are recorded. The next time the device is connected, the recorded file features are used to detect whether the files on the device have changed since the last authorization, and if they have, the authorization is automatically cancelled. This safeguards the content files of the mobile storage device and provides automatic, non-manual management and control of the device.
The invention comprises at least the following functions: allocating authority to the mobile storage device (including but not limited to the range of use of the device, read-write authority and the file blacklist and whitelist), verifying authority when the device is used, managing authority when the device is used, recording the file content features of the device, comparing the file content features of the device, and scanning the device for viruses and removing them.
Based on the usage requirements of different industrial control scenarios, the invention obtains the list of hosts that need to be protected when a mobile storage device is connected, and lists the minimum authority each mobile storage device needs to complete its service when connected to the hosts on that list.
The invention has a management end that is connected externally, as an independent physical device, to the industrial control host to be protected. The management end can set the authority of the mobile storage device; the authority that can be set includes, but is not limited to, the range of use of the device, the read-write authority and the file blacklist and whitelist.
The management end has a virus scanning and removal function module. The function is built into the management end and can scan the connected mobile storage device for viruses and remove them according to the virus library.
The management end has an authority granting function module. The function is built into the management end; authority can be granted to a mobile storage device connected to the management end only after the virus scanning and removal function module has completed its scan, whereupon an authority feature information file corresponding to the authority is generated and stored on the mobile storage device.
The management end has a mobile storage device content recording function module. The function is built into the management end; at the time the mobile storage device is authorized, it records the features of the content files (other than the content information record file) and stores the feature record file on the mobile storage device. The authority feature information file and the content information record file are stored separately.
The management end has a mobile storage device content detection function module. The function is built into the management end; when the mobile storage device is connected to the management end again, it compares the features of the current file contents on the device (other than the content information record file) with the feature record file that the content recording function module stored on the device at the previous connection, and so detects whether the content data is the same as at the last authorization.
The management end has a mobile storage device authorization detection function module. The function is built into the management end; after the mobile storage device is connected to the management end, it checks the authorization feature information file on the device, so that interaction between the mobile storage device and the protected host can take place only within the authorized range.
The management end has an authorization cancellation function module. The function is built into the management end; for a mobile storage device whose data the content detection function module has found to be changed, it automatically deletes the authority feature information file on the device, so that the device has no authority until it is authorized again.
Therefore, the invention effectively improves the management precision of the use of the mobile storage equipment in the industrial control environment, and reduces the labor cost in management.
Requiring virus scanning and removal before authorization ensures that the authorized files are safe and free of viruses, and automatically deleting the authorization file once the files on the USB flash disk change ensures that virus scanning and removal must be carried out again after every file change.
In use, only the step of granting authority to the mobile storage device needs to be handled manually. Compared with the manual management of mobile storage devices that is currently mainstream, this greatly reduces the workload of the manager and also reduces the possibility that viruses are brought into important equipment, or that important files are tampered with or stolen, because of a management oversight.
In addition, the mobile storage device security management tool based on authority allocation and cancellation of the invention is used as follows:
(1) The tool is ready for use when the management end hardware is connected to the protected host and the mobile storage device is connected to the management end hardware.
(2) The management end hardware automatically checks, in sequence, whether the mobile storage device has a content information record file, whether it has an authority information record file, and whether the content files match the content information record file. Here, matching means that if a new content information record file were generated from the content files currently on the mobile storage device, it would be completely identical to the existing content information record file. If the result of any check is no, the authority information record file is deleted if one exists, so that the device has no authority; if the content information record file is finally confirmed to match the current content files, the device can be used within the authority granted at the last authorization.
(3) Enter the authority management interface, set the authorities that need to be allocated to the mobile storage device to complete the service, including but not limited to the range of use of the device on the management end hardware, the read-write authority and the file blacklist and whitelist, and click authorize.
(4) The management end hardware scans the mobile storage device for viruses and removes any found. Once no virus or Trojan horse file exists on the mobile storage device, each authority set in the previous step is granted, the files on the device are recorded, and the content information record file and the authority information record file are stored on the mobile storage device.
(5) The mobile storage device can perform read and write operations within the authority range on the management end hardware, and can use files that are not on the blacklist.
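An added example, not code from the patent: the confirmation flow of steps S3 to S62 and the matching rule of item (2), written in Python against a directory standing in for the device. The record file names, SHA-256 as the file feature and the HMAC tag keyed by the management end are assumptions (the page does not say how the record files are protected), and the virus scanner is a stand-in callable.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumed names: the page does not name the record files on the device.
CONTENT_RECORD = ".content_record.json"
AUTHORITY_RECORD = ".authority_record.json"
RECORD_FILES = {CONTENT_RECORD, AUTHORITY_RECORD}


def build_content_record(root):
    """Map each content file (record files excluded) to its SHA-256 (assumed feature)."""
    record = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in RECORD_FILES:
            record[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return record


def _tag(key, payload):
    # Assumption: records are authenticated with a key held only by the management end.
    blob = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def write_record(path, key, payload):
    path.write_text(json.dumps({"payload": payload, "tag": _tag(key, payload)}))


def read_record(path, key):
    """Return the payload, or None if the file is missing, malformed or fails its tag."""
    try:
        doc = json.loads(path.read_text())
        payload, tag = doc["payload"], str(doc["tag"]).encode()
        expected = _tag(key, payload).encode()
    except (OSError, ValueError, KeyError, TypeError):
        return None
    return payload if hmac.compare_digest(tag, expected) else None


def grant(root, key, permissions, scan):
    """S7 to S10: scan first, then record the current content and store both records."""
    if not scan(root):                      # S7: nothing is granted to an infected device
        return "S42", None
    write_record(root / CONTENT_RECORD, key, build_content_record(root))  # S9
    write_record(root / AUTHORITY_RECORD, key, permissions)               # S10
    return "S61", permissions


def confirm_device(root, key, ask_user, scan):
    """S3 to S62. ask_user() returns the permissions to grant, or None to refuse."""
    auth_path = root / AUTHORITY_RECORD
    stored = read_record(root / CONTENT_RECORD, key)
    if stored is None:                                   # S3 fails: go to S42
        auth_path.unlink(missing_ok=True)                # use-flow item (2)
        return "S42", None
    permissions = read_record(auth_path, key)            # S41
    if permissions is not None and stored == build_content_record(root):  # S51
        return "S61", permissions
    auth_path.unlink(missing_ok=True)                    # S62: cancel the authorization
    requested = ask_user()                               # S52, with S8 folded in
    if requested is None:
        return "S42", None
    return grant(root, key, requested, scan)


def demo():
    """Constructed walk-through on a temporary directory standing in for the device."""
    key = b"management-end-key (constructed)"
    perms = {"hosts": ["HOST-A"], "access": "read", "blacklist": [".exe"]}
    clean = lambda root: True               # stand-in for the virus scanning module
    refuse = lambda: None
    steps = []
    with tempfile.TemporaryDirectory() as tmp:
        dev = Path(tmp)
        (dev / "procedure.txt").write_text("valve test v1")
        steps.append(confirm_device(dev, key, refuse, clean)[0])   # no records yet
        steps.append(grant(dev, key, perms, clean)[0])             # first authorization
        steps.append(confirm_device(dev, key, refuse, clean)[0])   # content unchanged
        (dev / "procedure.txt").write_text("valve test v2")        # content changes
        steps.append(confirm_device(dev, key, refuse, clean)[0])   # authorization cancelled
        steps.append((dev / AUTHORITY_RECORD).exists())            # authority record gone
        steps.append(confirm_device(dev, key, lambda: perms, clean)[0])  # re-authorized
    return steps


if __name__ == "__main__":
    print(demo())
```

Without the keyed tag, anyone able to write to the device could regenerate a content record that matches modified files, so the comparison in S51 is only as strong as the protection of the record files.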
The foregoing is merely illustrative of the present invention, which is not limited thereto. Any change or substitution that a person skilled in the art could readily conceive within the scope of the present invention shall fall within its scope of protection. The scope of protection of the present invention shall therefore be determined by the scope of protection of the claims.

Claims (12)

1. A mobile storage device security management method based on authority allocation and cancellation, characterized by comprising the following steps:
Step 1: connect the management end hardware to a protected host;
Step 2: connect the mobile storage device to the management end hardware;
Step 3: the management end hardware detects whether a content information record file exists on the connected mobile storage device;
Step 4: the management end hardware detects whether an authority information record file exists on the connected mobile storage device;
Step 5: the management end hardware detects whether the content information record file on the connected mobile storage device matches the current content files;
Step 6: the mobile storage device can be used within its authority range, and the authority confirmation process for the mobile storage device ends.
2. The mobile storage device security management method based on authority allocation and cancellation as claimed in claim 1, wherein in step 3, if there is no content information record file, the process proceeds to step S42: the mobile storage device has no authority, and the authority confirmation process for the mobile storage device ends.
3. The mobile storage device security management method based on authority allocation and cancellation as claimed in claim 2, wherein in step 4, if there is no authority information record file, the process proceeds to step S52:
the user confirms at the management end interface whether the mobile storage device is to be authorized; if yes, the process proceeds to step S7: the management end hardware scans the mobile storage device for viruses and removes any found; if not, the process proceeds to step S42.
4. The mobile storage device security management method based on authority allocation and cancellation as claimed in claim 3, wherein in step 5, if the content information record file does not match the current content files, the process proceeds to step S62: the management end hardware deletes the authority information record file on the mobile storage device and proceeds to step S52.
5. The mobile storage device security management method based on authority allocation and cancellation as claimed in claim 3, further comprising, after step 7:
Step S8: the user sets the authority of the mobile storage device at the management end interface;
Step S9: the management end hardware authorizes the mobile storage device and records the files currently on the mobile storage device;
Step S10: the management end hardware stores the new authority information record file and the content information record file on the mobile storage device, and the process proceeds to step S6.
6. The mobile storage device security management method based on authority allocation and cancellation according to claim 1, wherein the authority set at the management end includes the range of use of the mobile storage device, the read-write authority and the file blacklist and whitelist.
7. The mobile storage device security management method based on authority allocation and cancellation as claimed in claim 1, wherein the management end has a virus scanning and removal function module, which scans the connected mobile storage device for viruses and removes them according to a virus library.
8. The mobile storage device security management method based on authority allocation and cancellation according to claim 7, wherein the management end has an authority granting function module; authority can be granted to a mobile storage device connected to the management end only after the virus scanning and removal function module has completed its scan, whereupon an authority feature information file corresponding to the authority is generated and stored on the mobile storage device.
9. The mobile storage device security management method based on authority allocation and cancellation according to claim 8, wherein the management end has a content recording function module that, at the time the mobile storage device is authorized, records the features of the content files other than the content information record file and stores the feature record file on the mobile storage device.
10. The mobile storage device security management method based on authority allocation and cancellation according to claim 9, wherein the management end has a content detection function module; when the mobile storage device is connected to the management end again, the module compares the features of the current file contents on the device, other than the content information record file, with the feature record file that the content recording function module stored on the device at the previous connection, and so detects whether the content data is the same as at the last authorization.
11. The mobile storage device security management method based on authority allocation and cancellation as claimed in claim 9, wherein the management end has an authorization detection function module; after the mobile storage device is connected to the management end, the module checks the authorization feature information file on the mobile storage device, so that interaction between the mobile storage device and the protected host can take place only within the authorized range.
12. The mobile storage device security management method based on authority allocation and cancellation as claimed in claim 1, wherein the management end has an authorization cancellation function module; for a mobile storage device whose data the content detection function module has found to be changed, the module automatically deletes the authority feature information file on the device, so that the device has no authority until it is authorized again.
CN202211505820.7A 2022-11-28 2022-11-28 Mobile storage equipment safety management method based on authority allocation and cancellation Pending CN118094497A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211505820.7A CN118094497A (en) 2022-11-28 2022-11-28 Mobile storage equipment safety management method based on authority allocation and cancellation

Publications (1)

Publication Number Publication Date
CN118094497A true CN118094497A (en) 2024-05-28

Family

ID=91142974

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211505820.7A Pending CN118094497A (en) 2022-11-28 2022-11-28 Mobile storage equipment safety management method based on authority allocation and cancellation

Country Status (1)

Country Link
CN (1) CN118094497A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination