
CN110691064B - Safety access protection and detection system for field operation terminal - Google Patents


Info

Publication number: CN110691064B
Authority: CN (China)
Prior art keywords: access, data, field operation, protection, security
Prior art date
Legal status: Active
Application number: CN201811132213.4A
Other languages: Chinese (zh)
Other versions: CN110691064A
Inventors: 何行, 夏水斌, 何欢, 张芹, 谢玮, 冉艳春, 余鹤, 董重重, 孙秉宇
Current assignees: Beijing Hezhong Weiqi Technology Co ltd; State Grid Corp of China SGCC; Electric Power Research Institute of State Grid Hubei Electric Power Co Ltd; Zhengzhou Institute of Technology
Original assignees: Beijing Hezhong Weiqi Technology Co ltd; State Grid Corp of China SGCC; Electric Power Research Institute of State Grid Hubei Electric Power Co Ltd; Zhengzhou Institute of Technology
Priority date
Filing date
Publication date
Application filed by Beijing Hezhong Weiqi Technology Co ltd, State Grid Corp of China SGCC, Electric Power Research Institute of State Grid Hubei Electric Power Co Ltd and Zhengzhou Institute of Technology
Priority to CN201811132213.4A
Publication of CN110691064A
Application granted
Publication of CN110691064B
Legal status: Active

Links

Images

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107 Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A field operation terminal security access protection and detection system comprises a device layer, a data layer, a service layer and an application layer, wherein: the access layer is used to connect field operation terminals to the protection system; the data layer is used to store basic data, build data models and analyze real-time data; the service layer consists of three parts, secure access, security protection and security monitoring; the application layer consists of a unified WEB management platform with the service functions of trusted file management, protection policy setting, monitoring and early warning, vulnerability scanning and intrusion detection. Security protection is carried out at the levels of the field operation terminal, terminal applications and data, achieving the goal of comprehensive information security protection for the acquisition system; through all-round security management of device access, access protection, access monitoring and early warning, the protection subjects, protection policies and monitoring mechanisms are analyzed and processed in multiple dimensions, raising the information security level of the acquisition system.

Description

Safety access protection and detection system for field operation terminal
Technical Field
The invention relates to a safety access protection and detection system, in particular to a safety access protection and detection system for a field operation terminal.
Background
In 2017, in accordance with the requirement to "strengthen network and information security management and improve overall protection capability" in State Grid Corporation Marketing Document [2017] No. 4, "Work Suggestions of the State Grid Marketing Department on Strengthening Marketing Network and Information Security Management", the electricity consumption information acquisition system was to be built on the principle of "secure access, security protection and security monitoring": accessing devices, applications and systems must be secure and covered by a security protection policy when they connect, and security events during operation must be predicted, found in time and responded to quickly.
The field operation terminal secure access protection and monitoring management module of the acquisition closed-loop management module of the electricity consumption information acquisition system was developed from this security requirement; it performs security management and access control over the field operation terminals of the acquisition operation and maintenance closed-loop module that connect from the external network. The metering field operation terminals of that module all reach the intranet through a dedicated acquisition APN channel and are controlled within that network channel. The following shortcomings exist in operation:
(1) the transmission encryption of data information is insufficient;
(2) real-time security monitoring of the metering field operation terminal, and effective control over the use of illegal SIM cards and illegal terminal devices, are seriously lacking;
(3) during transmission and local storage, data is exposed to security risks such as tampering, forgery attacks and information leakage, and potential security holes, defects and faults of the field operation terminal and its applications can cause the leakage of related sensitive data.
Disclosure of Invention
The invention aims to provide a field operation terminal security access protection and detection system that addresses the shortcomings listed in the background: insufficient transmission encryption of data information; seriously lacking real-time security monitoring of the metering field operation terminal and control over the use of illegal SIM cards and illegal terminal devices; and the risks of tampering, forgery attacks and information leakage during the transmission and local storage of data, together with the leakage of sensitive data caused by potential security holes, defects and faults of the field operation terminal and its applications.
The technical scheme adopted by the invention is as follows: a field operation terminal security access protection and detection system, characterized in that it comprises a device layer, a data layer, a service layer and an application layer, wherein:
access layer: connects the field operation terminal to the protection system;
data layer: stores basic data, builds data models and analyzes real-time data;
service layer: consists of three parts, secure access, security protection and security monitoring;
application layer: consists of a unified WEB management platform with the functions of trusted file management, protection policy setting, monitoring and early warning, vulnerability scanning and intrusion detection.
Further, connecting the field operation terminal to the protection system proceeds in the order identity authentication, access control, rights management.
Identity authentication: when the field operation terminal accesses related service systems such as the electricity consumption information acquisition system, identity authentication is performed through access management. The identity is verified against data such as the binding relationship between the operator ESAM card serial number, the service ESAM card serial number, the field terminal serial number and the SIM (subscriber identity module) card serial number; only a terminal that passes identity authentication proceeds to access control verification. The interfaces and checks that the field operation terminal needs for identity authentication are logged and managed. The terminal transmits data including the operator ESAM card serial number, the service ESAM card serial number, the field terminal serial number, the SIM card serial number and the user login account information to the secure access system; when the field operation terminal logs in for the first time, it obtains a User Identifier (UID) and performs identity authentication, or obtains the UID, performs identity authentication and then performs asymmetric key agreement.
Access control: the access control function can set access control policies at three levels, access time period, network type (WLAN, GPRS/CDMA) and longitude/latitude, wherein: access and use of the field operation terminal are allowed within the range controlled by the access policy, access is not allowed outside that range, and access outside the policy is displayed as an alarm.
Rights management: the rights management function authorizes the field operation terminal's access to the related service systems of the electricity consumption information acquisition system, building an access control list with the service systems; the field operation terminal can access only the authorized service systems, and access to unauthorized service systems is prohibited.
Furthermore, secure access means performing security control over identity authentication and similar aspects of the field operation terminal at the access stage: the protection system reads the file information of the field operation terminal and the trusted binding file relationship held in the protection system for verification, and monitors and logs the access process, so that the access stage is securely verified and managed before the device connects to the service system;
security protection means applying anti-tampering measures such as encryption, compression and desensitization to transmitted data, measures such as port scanning and vulnerability detection of the field operation terminal at run time, and a data integrity verification mechanism within the security protection policy; protection covers data tamper prevention, vulnerability detection, security defense and intrusion detection, ensuring the security of the operation terminal, the link and the intranet system while the field operation terminal communicates with the system;
security monitoring means that, by monitoring the running state, the operating behavior and the SIM card traffic of the field operation terminal and applying data modeling and big data analysis, abnormal sudden changes and similar behaviors can be judged in time and alarmed; the data information flows of the acquisition operation and maintenance closed-loop module are audited and identified through the operation log and the stored request history records.
Further, the time period access policy is as follows: when enabled, a time period can be set in which the field operation terminal is allowed to access, and access is not allowed in other time periods; when disabled, access is allowed in all time periods;
the network type access policy is as follows: when enabled, the network type can be set so that access is allowed over the SIM card's network type and not over a WLAN network; when disabled, access is allowed over all network types;
the longitude/latitude access policy is as follows: when enabled, a field operation terminal within the longitude/latitude range is allowed to access and one outside the range is not; when disabled, no restriction is placed on longitude and latitude.
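As an added illustration (not code from the patent), the following Python walks a connection request through the three stages described above, identity authentication against the trusted binding file, the three access policy levels with their enabled/disabled semantics, and the service-system access control list. The binding records, ACL entries, time window and bounding box are constructed values.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

# Constructed trusted-binding file: terminal serial -> (operator ESAM serial,
# service ESAM serial, SIM serial). All values are made up for this example.
TRUSTED_BINDINGS = {
    "MST-0001": ("OP-ESAM-11", "SVC-ESAM-21", "SIM-89860001"),
    "MST-0002": ("OP-ESAM-12", "SVC-ESAM-22", "SIM-89860002"),
}

# Constructed access control list: terminal serial -> authorized service systems.
ACL = {
    "MST-0001": {"acquisition", "metering"},
    "MST-0002": {"acquisition"},
}


@dataclass
class AccessPolicy:
    """The three policy levels; each can be enabled or disabled independently."""
    period_enabled: bool = False
    period_start: str = "08:00"        # HH:MM, inclusive
    period_end: str = "18:00"
    network_enabled: bool = False      # enabled: only the SIM network (GPRS/CDMA), no WLAN
    geo_enabled: bool = False
    lat_range: tuple = (29.0, 33.5)    # constructed bounding box
    lon_range: tuple = (108.0, 116.5)


@dataclass
class AccessRequest:
    terminal_serial: str
    operator_esam: str
    service_esam: str
    sim_serial: str
    network_type: str   # "GPRS", "CDMA" or "WLAN"
    now: str            # HH:MM local time of the request
    lat: float
    lon: float
    service_system: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    alarm: bool = False  # access outside the policy is refused *and* alarmed


def _clock(hhmm: str) -> time:
    hh, mm = hhmm.split(":")
    return time(int(hh), int(mm))


def authenticate(req: AccessRequest) -> bool:
    """Identity authentication: the serials must match one binding record."""
    expected = TRUSTED_BINDINGS.get(req.terminal_serial)
    return expected == (req.operator_esam, req.service_esam, req.sim_serial)


def check_policy(req: AccessRequest, pol: AccessPolicy) -> Optional[str]:
    """Access control: returns the violated level ('period', 'network', 'geo') or None."""
    if pol.period_enabled:
        start, end, now = _clock(pol.period_start), _clock(pol.period_end), _clock(req.now)
        if start <= end:
            in_period = start <= now <= end
        else:                      # window that crosses midnight, e.g. 22:00-06:00
            in_period = now >= start or now <= end
        if not in_period:
            return "period"
    if pol.network_enabled and req.network_type.upper() not in ("GPRS", "CDMA"):
        return "network"
    if pol.geo_enabled:
        lat_ok = pol.lat_range[0] <= req.lat <= pol.lat_range[1]
        lon_ok = pol.lon_range[0] <= req.lon <= pol.lon_range[1]
        if not (lat_ok and lon_ok):
            return "geo"
    return None


def decide(req: AccessRequest, pol: AccessPolicy) -> Decision:
    """Identity authentication -> access control -> rights management."""
    if not authenticate(req):
        # Unknown terminal, swapped SIM or mismatched ESAM card: refuse and alarm.
        return Decision(False, "binding mismatch", alarm=True)
    violated = check_policy(req, pol)
    if violated:
        return Decision(False, f"outside {violated} policy", alarm=True)
    if req.service_system not in ACL.get(req.terminal_serial, set()):
        return Decision(False, "service system not authorized")
    return Decision(True, "ok")


if __name__ == "__main__":
    strict = AccessPolicy(period_enabled=True, network_enabled=True, geo_enabled=True)
    req = AccessRequest("MST-0001", "OP-ESAM-11", "SVC-ESAM-21", "SIM-89860001",
                        "WLAN", "10:00", 30.5, 114.3, "metering")
    print(decide(req, strict))   # refused: WLAN is outside the network policy
```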
Furthermore, data tamper prevention protects the data and the link against attack and tampering by applying data encryption, data compression and data desensitization;
data encryption is applied in the data transmission stage between the field operation terminal and the electricity consumption information acquisition system. Data encryption and link encryption guarantee the security and integrity of the data: the key system of the electric energy metering cipher machine and the field operation terminal security unit performs uniform bidirectional encryption and decryption and data integrity verification on the data in the communication channel, so that the data remain secure and intact in transit. The field operation terminal connects to the secure access protection and monitoring management system, which in turn connects to the electric energy metering cipher machine. When the field operation terminal requests data from a service system, the protection and monitoring management system calls the cipher machine to generate a random number, ciphertext, signature and Message Authentication Code (MAC) according to the version of the field operation terminal security unit and encrypts the data; the security unit decrypts the data and verifies them with the corresponding key and its matching key, effectively preventing active attacks on the communication channel;
data compression uses the JDK deflate-based compression algorithm, and a compression level is selected for the transmitted data by weighing the degree of compression against compression efficiency for the service requirements; MD5 is combined with data transmission to verify data consistency;
data desensitization deforms the data according to desensitization rules to protect sensitive data reliably; four sensitivity rules, mask, truncation, null value and encryption, are defined for the sensitive fields of the field operation terminal request interface data;
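As an added example (not the patent's own code), the following Python applies the four desensitization rules to the sensitive fields of a request record, then deflate-compresses the result at a chosen level and attaches the MD5 consistency digest that the receiver checks. The rule table, record values and field key are constructed; HMAC-SHA256 tokenization stands in for the "encryption" rule, since the real system would use the cipher machine.

```python
import hashlib
import hmac
import json
import zlib

# Constructed rule table for the sensitive fields of a terminal request.
# The four kinds follow the rules named above: mask, truncate, null, encrypt.
RULES = {
    "customer_name": ("mask", {"keep_head": 1, "keep_tail": 0}),
    "phone":         ("mask", {"keep_head": 3, "keep_tail": 4}),
    "meter_address": ("truncate", {"length": 6}),
    "id_card":       ("null", {}),
    "account":       ("encrypt", {}),
}

# Assumption: a per-deployment secret for the "encrypt" rule. Keyed tokenization
# (HMAC-SHA256) is used here as a stand-in for the cipher machine.
FIELD_KEY = b"constructed-demo-key"


def apply_rule(value, kind, opts):
    """Deform one field value according to a rule kind."""
    if value is None:
        return None
    s = str(value)
    if kind == "mask":
        head, tail = opts.get("keep_head", 0), opts.get("keep_tail", 0)
        if head + tail >= len(s):          # too short to keep anything safely
            return "*" * len(s)
        return s[:head] + "*" * (len(s) - head - tail) + (s[-tail:] if tail else "")
    if kind == "truncate":
        return s[: opts["length"]]
    if kind == "null":
        return None
    if kind == "encrypt":
        return hmac.new(FIELD_KEY, s.encode(), hashlib.sha256).hexdigest()[:32]
    raise ValueError(f"unknown desensitization rule: {kind}")


def desensitize(record: dict, rules=RULES) -> dict:
    """Apply the rule table to every sensitive field present in the record."""
    out = dict(record)
    for field, (kind, opts) in rules.items():
        if field in out:
            out[field] = apply_rule(out[field], kind, opts)
    return out


def pack(record: dict, level: int = 6) -> dict:
    """Desensitize, deflate-compress at `level` (0-9, as with JDK Deflater),
    and attach the MD5 digest of the uncompressed payload for the consistency check."""
    raw = json.dumps(desensitize(record), sort_keys=True, separators=(",", ":")).encode()
    return {"level": level, "md5": hashlib.md5(raw).hexdigest(), "body": zlib.compress(raw, level)}


def unpack(msg: dict) -> dict:
    """Decompress and verify consistency before the payload is used.
    Note: MD5 detects accidental corruption only; anyone able to rewrite the body
    can recompute it, so tamper resistance rests on the cipher machine's MAC and
    signature described above, not on this digest."""
    raw = zlib.decompress(msg["body"])
    if not hmac.compare_digest(hashlib.md5(raw).hexdigest(), msg["md5"]):
        raise ValueError("MD5 consistency check failed")
    return json.loads(raw)


if __name__ == "__main__":
    # Constructed sample record from a terminal request interface.
    sample = {"customer_name": "张三", "phone": "13912345678", "meter_address": "Hubei-Wuhan-Block-7",
              "id_card": "420100199001011234", "account": "acct-42", "reading": 1234}
    print(unpack(pack(sample, level=9)))
```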
vulnerability detection performs security vulnerability detection of the application software to be installed on the field operation terminal, mainly comprising permission vulnerability detection, static vulnerability detection and run-time vulnerability detection;
security monitoring: by monitoring the running state, operating behavior and SIM card traffic of the field operation terminal and applying data modeling and big data analysis, abnormal sudden-change behaviors can be judged in time and an alarm raised; the data information flows of the acquisition operation and maintenance closed-loop module are audited and identified through the operation log and the stored request history records. Security detection identifies, records, stores and analyzes the data and log information of the device during the access and protection processes, monitors who is responsible for each activity, and provides data support for security auditing; an alarm mechanism is set up according to the protection policy and preset security standards.
Terminal access monitoring: the field operation terminal is monitored online in real time, including access requests from legal and illegal devices. Through the identity authentication, access control and rights management of secure access management, and real-time monitoring, recording, storage and analysis of login and logout logs, alarms are set for non-compliant request interfaces, illegal device access and frequent logins; according to the protection policy defined in the security protection part, the system is disconnected and access restricted automatically or manually; log recording, storage, analysis and alarm identification are provided, searchable by date, log type and alarm level; when the device is abnormal, an active alarm is given as a pop-up prompt and a sound; device management is provided for automatic or manual disconnection and access restriction according to the defined protection policy.
Terminal running state monitoring: the performance data of the field operation terminal are monitored online in real time, including resource occupation of the terminal host, terminal application installation and running information, and process running state, network access state and hardware interface state information; alarms are managed according to the defined protection policy; log recording, storage, analysis and alarm identification of the running state are provided, searchable by date, log type and alarm level; when the device is abnormal, an active alarm is given as a pop-up prompt and a sound; device management for automatic or manual disconnection and access restriction is provided according to the defined protection policy, and the completion status of upgrade and hardening policies can be recorded. The terminal collects and uploads information on host resource occupation, application installation and running status, and process running state, network access state and hardware interface state.
Terminal operation log monitoring and auditing: the operation log of the field operation terminal records login events, including repeated entry of wrong passwords, and application and system interface requests and responses such as electric energy meter authority data acquisition requests; operations of the field operation terminal application are logged through the application and system interfaces and analyzed; non-compliant operation logs are marked in color and prompted with a pop-up box and sound; logs of repeated wrong password entry are uploaded to the system.
Traffic monitoring and auditing: the traffic data uploaded and downloaded by each application of the field operation terminal through the SIM card are obtained, traffic modeling is performed by date and time interval, and the current total traffic of the SIM card and the current traffic of a given application are compared with the traffic model automatically built by the system, so that abnormal sudden changes in traffic are found in time and alarmed; traffic usage is recorded, stored and analyzed, a traffic usage model is built by date and time, the current usage is compared with the model, and an abnormal sudden change raises a traffic usage alarm; when traffic is abnormal, an active alarm is given as a pop-up prompt and a sound; the total traffic usage of the field operation terminal's SIM card and the upload and download traffic of each application are obtained periodically, and the traffic data can be uploaded to the system periodically;
intrusion detection is divided into two modes, anomaly detection and misuse detection;
anomaly detection compares the current data with data defined for normal conditions, or with data modeled under normal conditions during daily operation and use, judges whether the current behavior is abnormal, and so finds possible intrusion behavior;
misuse detection performs pattern matching of the collected information against the known information in a database of network intrusion and system misuse patterns, or matches it against a feature library of known intrusion behavior, judges the current behavior to be an intrusion and gives an early warning of the intrusion detection anomaly. The work required by intrusion detection is as follows: supporting the definition of the normal operating range of the data; modeling the operating environment, SIM card traffic and application installation and usage from the uploaded data by time interval, comparing the currently uploaded data with the historically modeled data and raising an anomaly alarm; establishing a feature library of known intrusions, matching the features of illegal login, illegal attack and data tampering intrusions against the library, and raising an intrusion alarm on a match. The operating environment of the field operation terminal and the installation status of the system on the terminal are uploaded to the secure access protection and monitoring system in real time or periodically, and the uploaded data comprise memory usage, CPU usage, network type, SIM card traffic usage, and system application installation and running status. Intrusion detection also covers the daily download volume; the same handheld accessing the same interface frequently, repeatedly and in rapid succession; and analysis of the log records of accesses that use an abnormal communication protocol, analyzing the time and number of abnormal malicious accesses.
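As an added example (not code from the patent), the following Python shows both intrusion detection modes on the monitoring data described in the traffic monitoring and intrusion detection paragraphs above: anomaly detection builds a per-application, per-hour traffic model from history and flags a sudden change, and misuse detection matches a small feature library (repeated wrong passwords, the same handheld hammering one interface) over a sliding window. The traffic history, log lines, thresholds and log format are all constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed 14-day history of SIM traffic, one sample per application per hour:
# (day, hour, app, bytes). "sim-total" is the card's total, the other key one app.
HISTORY = [
    (day, hour, app, base + 2_000 * (hour % 4) + 500 * (day % 3))
    for day in range(1, 15)
    for hour in range(24)
    for app, base in (("collector", 50_000), ("sim-total", 80_000))
]


def build_model(samples):
    """Anomaly-detection baseline: mean and standard deviation per (app, hour) bucket."""
    buckets = defaultdict(list)
    for _day, hour, app, nbytes in samples:
        buckets[(app, hour)].append(nbytes)
    return {key: (mean(v), pstdev(v)) for key, v in buckets.items()}


def check_traffic(model, app, hour, nbytes, k=3.0, floor=1_024):
    """Compare a current sample with the model. A deviation beyond k sigma, and at
    least `floor` bytes so a flat baseline does not alarm on noise, is a sudden
    change. Returns (status, delta) with status in {ok, alarm, no-baseline}."""
    if (app, hour) not in model:
        return ("no-baseline", None)
    mu, sigma = model[(app, hour)]
    delta = nbytes - mu
    return ("alarm" if abs(delta) > max(k * sigma, floor) else "ok", delta)


# Constructed terminal log, one event per line:
# "<epoch-seconds> <terminal-serial> <event> <detail>"
LOG = "\n".join(
    [f"{1000 + 5 * i} MST-0001 login-failed bad-password" for i in range(6)]
    + [f"{2000 + 2 * i} MST-0002 request /meter/authority" for i in range(25)]
    + ["2100 MST-0003 request /meter/authority",
       "2130 MST-0003 login-failed bad-password"]
)


def parse_log(text):
    """Parse the constructed log format into (ts, terminal, event, detail) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, terminal, event, detail = line.split(maxsplit=3)
        events.append((int(ts), terminal, event, detail))
    return events


def detect_misuse(events, window=60, login_limit=5, request_limit=20):
    """Misuse detection: match a small feature library of known intrusion patterns,
    each counted over a sliding time window per (terminal, event, detail)."""
    alarms = set()
    recent = defaultdict(list)                 # key -> timestamps inside the window
    for ts, terminal, event, detail in sorted(events):
        q = recent[(terminal, event, detail)]
        q.append(ts)
        while ts - q[0] > window:              # evict timestamps that fell out of the window
            q.pop(0)
        if event == "login-failed" and len(q) >= login_limit:
            alarms.add((terminal, "repeated-bad-password"))
        if event == "request" and len(q) >= request_limit:
            alarms.add((terminal, "interface-hammering"))
    return sorted(alarms)


if __name__ == "__main__":
    model = build_model(HISTORY)
    print(check_traffic(model, "collector", 10, 60_000))   # ('alarm', ...)
    print(check_traffic(model, "collector", 10, 54_800))   # ('ok', ...)
    print(detect_misuse(parse_log(LOG)))
```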
SIM card binding management binds the field operation terminal file to the SIM card file by manual creation, batch import and interface synchronization. When the field operation terminal performs identity authentication, it is verified against the binding relationship: when the field operation terminal and the electricity consumption information acquisition system match, the service system can be logged into and accessed through the APN of the electricity consumption information acquisition system; when the terminal is moved to an external network, an illegal SIM card is substituted, or the SIM card is installed in an illegal external-network device, access to the APN of the electricity consumption information acquisition system is not allowed. Manual creation provides a manual file relationship entry function for creating a binding file relationship by hand; batch import provides a template and imports binding file relationships in bulk according to it; interface synchronization synchronizes with the acquisition operation and maintenance closed-loop management module that maintains the binding relationship, regularly pulling the latest binding relationship file. The file relationships can be created, modified, deleted and filtered by several conditions, and a terminal is verified against them as allowed to access the information intranet service system; otherwise its request to access the information intranet service system is refused.
Permission vulnerability detection specifically comprises detecting whether the Activity, Broadcast Receiver, Service and Content Provider components are exposed insecurely;
static vulnerability detection specifically comprises decompiling the application to detect whether Intent handling and WebView have security vulnerabilities, finding component vulnerabilities caused by non-standard use in the program, and analyzing code obfuscation, Dex protection, SO protection, resource file protection and the security handling of third-party library code;
run-time vulnerability detection specifically comprises detecting and analyzing the memory handling and protection mechanisms of the mobile application while it runs, to find whether they are at risk of being modified and damaged.
The advantages and characteristics of the invention are: (1) security protection is carried out at the levels of the field operation terminal, terminal applications and data, filling the gap in the acquisition system's information security protection measures at the field operation terminal and achieving comprehensive information security protection for the acquisition system; (2) through all-round security management of device access, access protection, access monitoring and early warning, covering three phases, reinforced prevention before an intrusion, alarming when an intrusion occurs, and prompt handling after an intrusion, the protection subjects, protection policies and monitoring mechanisms are analyzed and processed in multiple dimensions, raising the information security level of the acquisition system.
Drawings
FIG. 1 is a diagram of the architecture of the preferred embodiment of the present invention;
FIG. 2 is a diagram illustrating an overall architecture of a field work terminal security access protection according to a preferred embodiment of the present invention;
FIG. 3 is a diagram of the physical architecture of the preferred embodiment of the present invention;
Detailed Description
The invention is further illustrated with reference to the accompanying drawings:
referring to fig. 1 and fig. 2, a field operation terminal security access protection and detection system includes a protection system, a protection front-end, a monitoring service and a WEB system, and is composed of an access layer, a data layer, a service layer and an application layer, where:
an access layer: the field operation terminal accesses the protection system through the safety access protection and monitoring APP; the data communication between the field operation terminal and the electricity consumption information acquisition system is encrypted and decrypted in a two-way mode through a safety unit, a special isolation gateway and a cipher machine, the application installed on the field operation terminal is accessed through a field operation terminal safety protection system, and is verified and protected through a field operation terminal safety protection and monitoring background, wherein the compatibility of a new safety unit and an old safety unit is considered, the field operation terminal safety protection system adopts different access control strategies according to the version of the safety unit, the palm machines (such as MST-II and MST-II (B) model palms of national power grids) with the safety unit versions of 2.0 and 1.0+ RESAM/TF cards are encrypted and packaged through the safety isolation gateway, and the palm machine of the safety unit version 1.0 does not have the supporting capability of the safety isolation gateway and does not pass through the safety isolation gateway;
and (3) a data layer: storing basic data, constructing a data model and analyzing real-time data;
and (4) a service layer: the system consists of three parts of safety access, safety protection and safety monitoring:
and (4) safe access: the method comprises the steps that an on-site operation terminal is accessed into the identity authentication of a service system, a user inputs dynamic numbers on the terminal by holding the terminal for generating dynamic passwords during the identity authentication, matches with face recognition, performs actions matched with the face recognition according to prompts, performs fingerprint verification, access management such as access control and authority management and SIM card binding management access control, the whole on-site control room is monitored and monitored by the terminal during the access control, the mobile phone APP is connected with the terminal monitoring, when the control room has problems, the mobile phone APP automatically alarms, the authority management is to set a manager and a user mode on the terminal, the user can only access and authorize contents, and the manager controls the terminal; the safety access is to perform safety control on the aspects of identity authentication and the like of an access stage from a field operation terminal, read the file information of the field operation terminal and the credible binding file relationship in the protection system through the protection system for verification, monitor and record the log of the access process by the protection system, and realize the safety verification management of the access stage before the equipment is accessed into the service system;
safety protection: adopts anti-tampering strategies such as encryption, compression and desensitization for transmitted data, measures such as port scanning and runtime vulnerability detection for the field operation terminal, and adds a data integrity verification mechanism to the security protection strategy. Safety protection covers data tamper resistance, vulnerability detection, security defense and intrusion detection during the communication and data use between the field operation terminal and the system, and ensures the security of the operation terminal, the link and the intranet system throughout that communication;
data tamper-proofing prevents data from being attacked and tampered with by applying data encryption, data compression and data desensitization to the data and the link. Data encryption: during data transmission between the field operation terminal and the electricity consumption information acquisition system, the security and integrity of data are guaranteed by data encryption and link encryption; the key system of the electric energy metering cipher machine and the field operation terminal safety unit is used to encrypt and decrypt the data in the communication channel in both directions and to verify its integrity, so that the data is kept secure and intact in transit. The field operation terminal safety access protection and monitoring management system is connected to the electric energy metering cipher machine; when the field operation terminal requests data from a service system, the protection and monitoring management system calls cipher machine functions to generate random numbers, ciphertext, signatures, message authentication codes (MAC) and the like according to the version of the field operation terminal safety unit and encrypts the data, the safety unit decrypts it, and verification is carried out with the corresponding key and its matching key, which effectively prevents active attacks on the communication channel. Data compression: a JDK deflate-based compression algorithm is used, and the compression level for transmitted data is chosen by weighing compression ratio against compression efficiency for the service requirement; MD5 is combined with data transmission to verify data consistency. Data desensitization: data is transformed through desensitization rules to give reliable protection of sensitive data. Four sensitive rules, mask, truncation, null value and encryption, are defined on the sensitive fields of interface data requested by field operation terminals: the mask rule processes, for example, 13812345678 into 138****5678; the truncation rule processes, for example, 034.66666666 into 034; the null value rule sets the data field to a null value; and the encryption rule encrypts the sensitive data field. Different sensitive rules are set for different important users, and each sensitive rule can be enabled and disabled;
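The four desensitization rules and the deflate-plus-MD5 consistency check described above, as an added example that is not the patent's code; the field names, rule table, key and sample record are constructed, and the cipher-machine encryption rule is stood in for by a keyed HMAC.

```python
"""Added example (not the patent's code): the four desensitization rules the text
defines, applied to the sensitive fields of an interface record, followed by
deflate compression with an MD5 digest for the consistency check.
Field names, the rule table and the key are constructed for illustration."""
import hashlib
import hmac
import json
import zlib

# Constructed rule table: sensitive field -> rule. Rules can be enabled or
# disabled per user category; a disabled rule is simply absent from the table.
RULES = {
    "phone": "mask",
    "meter_reading": "truncate",
    "address": "null",
    "id_number": "encrypt",
}


def mask(value, keep_head=3, keep_tail=4):
    """Mask rule: 13812345678 -> 138****5678 (head and tail kept, middle masked)."""
    if len(value) <= keep_head + keep_tail:
        return "*" * len(value)
    hidden = len(value) - keep_head - keep_tail
    return value[:keep_head] + "*" * hidden + value[-keep_tail:]


def truncate(value):
    """Truncation rule: 034.66666666 -> 034 (drop everything from the decimal point)."""
    return value.split(".", 1)[0]


def encrypt_field(value, key):
    """Encryption rule. In the patent the cipher machine performs this step; as a
    stand-in, this example uses a keyed HMAC-SHA256 so the plaintext cannot be
    recovered from the record (an opaque token, not reversible encryption)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def desensitize(record, rules=RULES, key=b"constructed-demo-key"):
    """Apply the rule table to one interface record; untouched fields pass through."""
    out = {}
    for field, value in record.items():
        rule = rules.get(field)
        if rule is None:
            out[field] = value
        elif rule == "mask":
            out[field] = mask(str(value))
        elif rule == "truncate":
            out[field] = truncate(str(value))
        elif rule == "null":
            out[field] = None
        elif rule == "encrypt":
            out[field] = encrypt_field(str(value), key)
        else:
            raise ValueError(f"unknown desensitization rule {rule!r}")
    return out


def pack(record, level=6):
    """Serialize, deflate-compress (zlib output is readable by JDK's Inflater) at
    the chosen level, and attach the MD5 of the compressed bytes. Levels 1-9 trade
    compression ratio against CPU time, as the text describes."""
    raw = json.dumps(record, sort_keys=True).encode()
    body = zlib.compress(raw, level)
    return body, hashlib.md5(body).hexdigest()


def unpack(body, digest):
    """Check the MD5 before inflating. MD5 only catches accidental corruption; the
    MAC produced by the cipher machine (not shown here) is what covers deliberate
    tampering."""
    if not hmac.compare_digest(hashlib.md5(body).hexdigest(), digest):
        raise ValueError("MD5 mismatch: payload corrupted in transit")
    return json.loads(zlib.decompress(body))


if __name__ == "__main__":
    # Constructed interface record as a field terminal would request it.
    record = {"terminal_sn": "TERM-0001", "phone": "13812345678",
              "meter_reading": "034.66666666", "address": "1 Demo Road",
              "id_number": "420100199001011234"}
    safe = desensitize(record)
    body, digest = pack(safe)
    print(safe, unpack(body, digest) == safe)
```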
vulnerability detection: security vulnerability detection is carried out on application software to be installed on the field operation terminal, mainly comprising permission vulnerability detection, static vulnerability detection, runtime vulnerability detection and application management detection:
1. permission vulnerability detection: detects whether the Activity, Broadcast Receiver, Service and Content Provider components are exposed as insecure components;
2. static vulnerability detection: decompiles the application program to detect whether security vulnerabilities exist in Intent handling and WebView, finding component vulnerabilities caused by non-standard use in the program; and analyzes the code obfuscation, Dex protection, SO protection, resource file protection and security handling of third-party library code;
3. runtime vulnerability detection: detects and analyzes the memory handling and protection mechanism of the mobile application while it runs, to find whether there is a risk of modification and damage;
4. application management detection: detects whether data is left behind, and whether it is completely removed, after the application is successfully uninstalled, and whether the version can be hijacked, spoofed or otherwise attacked by a third party during version upgrade.
Permission vulnerability detection, static vulnerability detection, runtime vulnerability detection and application management detection are thus carried out on every application APK that needs to be installed on a field operation terminal. Depending on whether the application needs to be run, the system side performs permission vulnerability detection and static vulnerability detection, while the palm machine side performs runtime vulnerability detection and application management detection. A vulnerability detection module is established that supports uploading an APK, decompiling the package, and generating and exporting a detection report, with detection items comprising permission vulnerability detection and static vulnerability detection; it can also receive the palm machine's runtime detection, with detection items comprising runtime vulnerability detection and application management detection, and generate and export a detection report;
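The permission vulnerability check from item 1 above, run over a decoded AndroidManifest.xml, as an added example that is not the patent's code; the manifest, package and component names are constructed, and a real APK's binary manifest is assumed to have been decoded first by the decompile step the text mentions.

```python
"""Added example (not the patent's code): the permission vulnerability check the
text describes, run over a decoded AndroidManifest.xml. It lists Activity,
Service, Broadcast Receiver and Content Provider components that other apps
can reach without holding a permission. The manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def attr(name):
    """Namespaced attribute name, e.g. {ns}exported."""
    return "{%s}%s" % (ANDROID_NS, name)


def provider_default_exported(root):
    """Providers default to exported when minSdkVersion or targetSdkVersion is
    16 or lower; an absent <uses-sdk> means minSdkVersion 1, i.e. exported."""
    sdk = root.find("uses-sdk")
    if sdk is None:
        return True
    min_sdk = int(sdk.get(attr("minSdkVersion"), "1"))
    target_sdk = int(sdk.get(attr("targetSdkVersion"), str(min_sdk)))
    return min_sdk <= 16 or target_sdk <= 16


def exposed_components(manifest_xml):
    """Return [(tag, name, reason)] for components exported to other apps with no
    android:permission attribute. Exported means android:exported="true", or the
    attribute absent while an <intent-filter> is present (the platform default
    for activities, services and receivers), or the provider default above."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    findings = []
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = comp.get(attr("exported"))
        if exported == "true":
            reason = "exported=true"
        elif exported is None and comp.find("intent-filter") is not None:
            reason = "implicitly exported by intent-filter"
        elif exported is None and comp.tag == "provider" and provider_default_exported(root):
            reason = "provider exported by legacy SDK default"
        else:
            continue
        if comp.get(attr("permission")) is None:
            findings.append((comp.tag, comp.get(attr("name")), reason))
    return findings


# Constructed manifest covering each rule branch.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fieldterminal">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
    <provider android:name=".MeterProvider"
              android:authorities="com.example.meter"
              android:exported="true"
              android:permission="com.example.permission.READ_METER"/>
    <provider android:name=".CacheProvider" android:authorities="com.example.cache"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name, reason in exposed_components(SAMPLE_MANIFEST):
        print(f"{tag:9s} {name:20s} {reason}")
```

The output is a list of review candidates: the launcher activity is expected to be exported, whereas an exported service with no permission is the kind of component exposure the detection report should flag.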
safety monitoring: by monitoring the running state, operation behavior and SIM card traffic of the field operation terminal and applying data modeling analysis and big data analysis, abnormal sudden changes and similar behavior can be judged in time and an alarm raised; the data information flow is audited and identified through the operation log and the stored request history, and the results are passed to the acquisition operation and maintenance closed-loop module. Safety monitoring identifies, records, stores and analyzes the data and log information of the equipment during access and protection, establishes who is responsible for each activity, and provides data support for security audit; at the same time an alarm mechanism is set according to the protection strategy and predefined security standards. Terminal access monitoring: real-time online monitoring of the field operation terminal, including legal and illegal equipment access requests; by monitoring, recording, storing and analyzing in real time the identity authentication, access control, authority management and login/logout logs of safe access management, alarms are set for abnormal conditions such as request interfaces that do not meet the specification, illegal equipment access and frequent login; according to the protection strategy defined in the safety protection part, the system is disconnected automatically or manually and access is restricted; log recording, storage, analysis and alarm identification are provided, searchable by conditions such as date, log type and alarm level; when equipment is abnormal, an active alarm is raised by pop-up prompt, sound and similar means; and equipment management for automatic or manual disconnection and access restriction according to the defined protection policy is provided. Terminal running state monitoring: real-time online monitoring of the performance data of the field operation terminal, including terminal host resource occupation (CPU, memory, disk, network, link and similar information), installation and running status of terminal applications, and process running state, network access state, hardware interface state and similar information; alarm management according to the defined protection strategy; log recording, storage, analysis and alarm identification of the running state, searchable by conditions such as date, log type and alarm level; active alarm by pop-up prompt, sound and similar means when equipment is abnormal; equipment management for automatic or manual disconnection and access restriction according to the defined protection strategy, with the completion status of reinforcement strategy upgrades recorded; and acquisition and upload of running-state information, namely terminal host resource occupation (CPU, memory, network, link and similar information), installation and running status of terminal applications, and process running state, network access state and hardware interface state. Terminal operation log monitoring and auditing: operation logs of the field operation terminal, such as repeated wrong password entry at login and application and system interface request responses such as electric energy meter authority data acquisition requests; operations of field operation terminal applications are logged through the application and system interface and analyzed; operation logs that do not meet the specification are color-marked and flagged with pop-up and sound prompts; logs of repeated wrong password entry at login are uploaded to the system. Traffic monitoring and auditing: the traffic data uploaded and downloaded through the SIM card by each application of the field operation terminal is obtained, traffic modeling analysis is carried out by date and time interval, the current total SIM card traffic and the current traffic of a given application are compared with the traffic model built automatically by the system, and abnormal traffic mutations are found in time and alarmed; traffic usage is recorded, stored and analyzed, a traffic usage model is built from factors such as date and time, the current traffic usage is compared with the model, and an abnormal mutation produces a traffic usage alarm; an active alarm by pop-up prompt, sound and similar means is raised when traffic usage is abnormal; the total SIM card traffic usage of the field operation terminal and the upload and download usage of each application are obtained periodically; and the traffic data can be uploaded to the system periodically;
an application layer: consists of a unified management platform at the WEB end carrying the service-related functions.
In this embodiment, preferably, SIM card binding management binds the field operation terminal file to the SIM card file by manual creation, batch import and interface synchronization. When the field operation terminal performs identity authentication, verification is carried out against the binding relationship: when the field operation terminal and the electricity consumption information acquisition system are matched, the service system can be logged into and accessed through the APN of the electricity consumption information acquisition system; when the field operation terminal is replaced by an external network device or an illegal SIM card, or the SIM card is installed in an illegal external network device, access to the APN of the electricity consumption information acquisition system is refused. Manual creation provides a manual file relationship entry function for creating a bound file relationship by hand; batch import provides a template and imports binding file relationships in bulk according to it; interface synchronization executes interface synchronization with the acquisition operation and maintenance closed-loop management module that maintains the binding relationship, regularly synchronizing the latest binding relationship file. File relationships can be created, modified, deleted and queried by filtering on multiple conditions, and the file fields comprise the terminal serial number, terminal manufacturer, terminal model, software and hardware version, terminal state, owning unit, SIM card serial number, SIM card IMSI number, SIM card type, SIM card state and the like. When the field operation terminal logs in, it acquires fields such as its own serial number and the SIM (subscriber identity module) serial number and uploads them to the system for verification of the binding relationship; if verification passes, the terminal is allowed to access the information intranet service system, otherwise the request is refused access to the information intranet service system.
Referring to fig. 3, in this embodiment, preferably, the access management verification process of the field operation terminal is: start, identity authentication, access control, authority management, end. When a field operation terminal of the electricity consumption information acquisition system accesses the intranet through a wireless public network, access management such as identity authentication, access control and authority management must be applied to the accessing field operation terminal and to the application software on it; identification and control are applied from the login stage of the terminal and the application program, so that the field operation terminal and the application program access the related service system only according to the authority settings, and the access risk is reduced. Identity authentication: when the field operation terminal accesses related service systems such as the electricity consumption information acquisition system, identity authentication is carried out through access management, with identity verification based on data such as the binding relationship among the operator ESAM card serial number, the service ESAM card serial number, the field terminal serial number and the SIM card serial number; a terminal that passes identity authentication is allowed to proceed to access control verification. For safety unit 1.0, when the field operation terminal logs in for the first time, the UID is obtained and identity authentication is carried out; for safety unit 2.0, when the field operation terminal logs in for the first time, the UID is obtained, identity authentication is carried out and asymmetric key agreement is also supported; at the same time, the interfaces and verifications requested by the field operation terminal, such as identity authentication, are logged and managed. The data information sent by the palm machine is verified and the request and the verification log are recorded; the data information includes but is not limited to the operator ESAM card serial number, service ESAM card serial number, field terminal serial number and SIM card serial number; security verification of interfaces such as obtaining the UID, identity authentication and asymmetric key negotiation is carried out, and information such as the operator ESAM card serial number, service ESAM card serial number, field terminal serial number, SIM card serial number and user login account is transmitted to the security access system. Access control: the access control function can set access control strategies at three levels, access time period, network type (WLAN, GPRS/CDMA) and longitude and latitude, and the access control strategies can be modified, enabled and disabled; wherein:
time period access policy: when enabled, a time period (for example 08:00-20:00) can be set during which the field operation terminal is allowed to access, and access is refused in all other periods; when disabled, access is allowed in all periods;
network type access policy: when enabled, the network type can be restricted to the SIM card's network type (such as 2G, 3G, 4G and the like), in which case the field operation terminal is allowed to access, while access over a WLAN network is refused; when disabled, all network types are allowed;
latitude and longitude access policy: when enabled, a field operation terminal within the latitude and longitude range is allowed to access and one outside the range is refused; when disabled, latitude and longitude are not restricted;
the time period access policy, network type access policy and latitude and longitude access policy can be set and enabled; access and use of the field operation terminal are allowed within the control range of the access policies and refused outside it, and access outside the access policies is displayed as an alarm;
identification of the current access network type (WLAN, 2G, 3G, 4G or similar) of the field operation terminal is supported, and the identification is sent to the system side for verification; the latitude and longitude information of the field operation terminal is read and sent to the system side for verification. Authority management: the authority management function authorizes the access rights of the field operation terminal to the related service systems of the electricity consumption information acquisition system and establishes an access control list with the service systems; the field operation terminal can only access an authorized service system, and access to an unauthorized service system is prohibited; at the same time, log management of the service systems accessed by the field operation terminal is supported. Authority configuration between the field operation terminal and the service systems is supported, and a service system for which authority has been granted allows access; log management of the service systems accessed by the field operation terminal is supported. Safety defense: safety defense means that, before and after an information security problem occurs, the information data can be analyzed effectively and appropriate defensive measures taken. Security defense does not depend only on sound management; it also needs defensive support from the credibility of the field operation terminal equipment, a security defense knowledge base, access restriction and similar aspects, and it controls the accessing field operation terminal by combining access management with intrusion detection. The credibility of the field operation terminal is scored comprehensively from its day-to-day reliability, repair rate and problem support record, and the equipment manufacturer is replaced when the score is low. The security defense knowledge base holds troubleshooting and handling methods for security problems that may propagate, such as intrusion and data leakage, and provides handling guidance when an alarm occurs. When an intrusion occurs, access restriction disconnects the field operation terminal from the system and restricts the illegal equipment from accessing the system. Maintenance and management of the credibility files of the field operation terminal are supported, including repair rate and problem support record; management of the security defense knowledge base is supported, with alarm handling guidance; and disconnection of the field operation terminal from the system and restriction of illegal equipment access are supported. On the palm APP side, defense is carried out according to the defense strategy formulated at the WEB end: the palm APP alarms and prompts manual closing of the application on excessive battery temperature (threshold to be determined) and excessive CPU temperature; in addition, security defense records faults rapidly and provides analysis and reminders for palm computers of the same type;
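The access management verification sequence described above (identity authentication against the SIM card binding file, then the three access control policies, then authority management), as an added example that is not the patent's code; the binding table, ACL, policy values, coordinates and serial numbers are all constructed.

```python
"""Added example (not the patent's code): the access management verification
sequence start -> identity authentication -> access control -> authority
management -> end, with the SIM card binding check and the three access control
policies (time period, network type, latitude/longitude range).
Binding table, ACL, policy values and coordinates are constructed."""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed credible binding files: terminal serial number -> SIM card serial number.
BINDINGS = {"TERM-0001": "SIM-8986001", "TERM-0002": "SIM-8986002"}

# Constructed access control list: terminal -> authorized service systems.
ACL = {"TERM-0001": {"acquisition"}, "TERM-0002": {"acquisition", "metering"}}


@dataclass(frozen=True)
class AccessPolicy:
    """Each policy can be enabled or disabled independently, as the text states."""
    period_enabled: bool = True
    period: tuple = ("08:00", "20:00")
    network_enabled: bool = True
    allowed_networks: frozenset = frozenset({"2G", "3G", "4G"})  # WLAN excluded
    geo_enabled: bool = True
    geo_box: tuple = (30.40, 30.80, 114.10, 114.50)  # lat_min, lat_max, lon_min, lon_max


@dataclass(frozen=True)
class AccessRequest:
    terminal_sn: str
    sim_sn: str
    service: str
    network: str
    lat: float
    lon: float
    at: datetime


def _in_period(policy, at):
    start, end = (time.fromisoformat(t) for t in policy.period)
    return start <= at.time() <= end


def verify(req, policy, log, bindings=BINDINGS, acl=ACL):
    """Run the three stages in order and stop at the first failure. Every decision
    is appended to `log` so the access process is recorded; a refusal reason
    doubles as the alarm text shown for access outside the policies."""
    def decide(allowed, stage, reason):
        log.append((req.at.isoformat(), req.terminal_sn, stage, allowed, reason))
        return allowed, stage, reason

    # Stage 1: identity authentication against the credible binding file.
    if bindings.get(req.terminal_sn) != req.sim_sn:
        return decide(False, "identity", "terminal/SIM binding mismatch")

    # Stage 2: access control policies (each only when enabled).
    if policy.period_enabled and not _in_period(policy, req.at):
        return decide(False, "access-control", "outside permitted time period")
    if policy.network_enabled and req.network not in policy.allowed_networks:
        return decide(False, "access-control", f"network type {req.network} not permitted")
    if policy.geo_enabled:
        lat_min, lat_max, lon_min, lon_max = policy.geo_box
        if not (lat_min <= req.lat <= lat_max and lon_min <= req.lon <= lon_max):
            return decide(False, "access-control", "outside permitted latitude/longitude range")

    # Stage 3: authority management against the access control list.
    if req.service not in acl.get(req.terminal_sn, set()):
        return decide(False, "authority", f"service {req.service} not authorized")
    return decide(True, "end", "access granted")


if __name__ == "__main__":
    audit = []
    ok = AccessRequest("TERM-0001", "SIM-8986001", "acquisition", "4G",
                       30.59, 114.30, datetime(2024, 5, 1, 10, 0))
    swapped_sim = AccessRequest("TERM-0001", "SIM-8986002", "acquisition", "4G",
                                30.59, 114.30, datetime(2024, 5, 1, 10, 0))
    for r in (ok, swapped_sim):
        print(verify(r, AccessPolicy(), audit))
    print(audit)
```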
In this embodiment, preferably, intrusion detection for field operation terminal safe access protection provides two modes, anomaly detection and misuse detection. By establishing a feature library, data models and similar means and adopting mainstream intrusion detection methods, intrusion detection for field operation terminal safe access protection can discover abnormal intrusion behavior in time and issue an alarm or early warning;
Anomaly detection compares the current data with the data defined for normal conditions, or modelled from normal conditions during daily operation and use, judges whether the current behavior is abnormal, and so discovers possible intrusion behavior. Misuse detection performs pattern matching of the collected information against the known information in a network intrusion and system misuse pattern database, or matches it against a feature library of known intrusion behavior, judges that the current behavior is an intrusion, and issues an early warning for the intrusion detection anomaly. The work required for intrusion detection is as follows: model the operating environment, SIM card traffic and application installation and usage by time interval from the uploaded data, compare the uploaded current data with the historical model, and alarm on anomalies; establish a feature library of known intrusions, match intrusion features such as illegal login, illegal attack and data tampering against the feature library, and issue an intrusion alarm on a match. The operating environment of the field operation terminal and the APP installation status on the terminal are uploaded to the safe access protection and monitoring system in real time or periodically, and the uploaded data comprise memory usage, CPU usage, network type, SIM card traffic usage, APP installation and running status and so on. Intrusion detection items: the daily download volume; the same palm machine accessing the same interface frequently and repeatedly within a short interval; and access log records using an abnormal communication protocol, where the logs are analyzed to determine the time and number of abnormal malicious accesses;
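The two intrusion detection modes described above, together with the traffic modeling from the safety monitoring section, as an added example that is not the patent's code: a per-SIM, per-app, per-hour traffic baseline with a mutation alarm, and a small feature library matched against event logs. The history, event log, thresholds and allowed protocol list are constructed.

```python
"""Added example (not the patent's code): the two intrusion detection modes the
text names. Anomaly detection builds a per-SIM, per-app, per-hour traffic model
from uploaded history and flags a sudden change; misuse detection matches event
logs against a small feature library (repeated wrong passwords, the same palm
machine hammering one interface, an abnormal communication protocol).
The history, logs, thresholds and protocol list are all constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed upload history: (sim_sn, app, hour_of_day, megabytes) over five days.
HISTORY = ([("SIM-8986001", "collector", 10, mb) for mb in (4.8, 5.1, 5.0, 4.9, 5.2)]
           + [("SIM-8986001", "collector", 2, mb) for mb in (0.1, 0.2, 0.1, 0.15, 0.1)])


def build_model(history):
    """Baseline per (sim, app, hour): mean and population std dev of past usage."""
    buckets = defaultdict(list)
    for sim, app, hour, mb in history:
        buckets[(sim, app, hour)].append(mb)
    return {key: (mean(vals), pstdev(vals)) for key, vals in buckets.items()}


def traffic_alarm(model, sim, app, hour, mb, sigma=3.0, floor_mb=1.0):
    """Anomaly detection: alarm when current usage exceeds mean + sigma*std.
    `floor_mb` stops a near-constant history from producing a zero-width band.
    A key with no history is alarmed too: a newly installed app or first use."""
    baseline = model.get((sim, app, hour))
    if baseline is None:
        return True, "no baseline for this SIM/app/hour (new application or first use)"
    avg, sd = baseline
    limit = avg + sigma * max(sd, floor_mb)
    if mb > limit:
        return True, f"{mb:.1f} MB exceeds model {avg:.1f} MB (limit {limit:.1f} MB)"
    return False, "within traffic model"


# Constructed event log: (seconds, terminal, event, detail).
LOGS = ([(i * 5, "TERM-0002", "login_fail", "") for i in range(6)]
        + [(i * 2, "TERM-0003", "request", "/meter/authority-data") for i in range(25)]
        + [(100, "TERM-0001", "request", "/meter/authority-data"),
           (120, "TERM-0004", "protocol", "telnet")])

ALLOWED_PROTOCOLS = {"https"}  # constructed: what the terminal is expected to use


def _burst(times, count, window):
    """True if `count` events fall inside any `window`-second span."""
    times = sorted(times)
    return any(times[i + count - 1] - times[i] <= window
               for i in range(len(times) - count + 1))


def match_features(logs, window=60, fail_limit=5, burst_limit=20):
    """Misuse detection: return (terminal, feature, detail) for each match
    against the feature library of known intrusion behaviour."""
    fails = defaultdict(list)      # terminal -> timestamps of failed logins
    hits = defaultdict(list)       # (terminal, interface) -> timestamps
    alarms = []
    for ts, term, event, detail in logs:
        if event == "login_fail":
            fails[term].append(ts)
        elif event == "request":
            hits[(term, detail)].append(ts)
        elif event == "protocol" and detail not in ALLOWED_PROTOCOLS:
            alarms.append((term, "abnormal communication protocol", detail))
    for term, ts in fails.items():
        if _burst(ts, fail_limit, window):
            alarms.append((term, "repeated wrong password", f"{len(ts)} failures"))
    for (term, iface), ts in hits.items():
        if _burst(ts, burst_limit, window):
            alarms.append((term, "repeated access to one interface", iface))
    return alarms


if __name__ == "__main__":
    model = build_model(HISTORY)
    print(traffic_alarm(model, "SIM-8986001", "collector", 10, 30.5))
    print(traffic_alarm(model, "SIM-8986001", "collector", 2, 4.0))
    for alarm in match_features(LOGS):
        print(alarm)
```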
In this embodiment, preferably, the acquisition closed-loop system interfaces comprise a field operation terminal and SIM card binding relationship interface and a system-unified identity authentication login interface. Field operation terminal and SIM card binding relationship interface: the field operation terminal and SIM card binding relationship file information obtained from the acquisition operation and maintenance closed-loop management module comprises SIM card file information, field operation terminal file information, and SIM card to field operation terminal relationship file information. System-unified identity authentication login interface: the protection WEB system logs in with the account and password of the acquisition operation and maintenance closed-loop system; the protection system acts as a module of the acquisition operation and maintenance closed loop, and when it is entered from the acquisition operation and maintenance closed loop, login redirection is achieved without entering the account and password;
The hardware mainly comprises a database server, an application server, an acquisition communication front-end processor server, an interface server, an encryption machine, a special security isolation gateway and related network equipment; the configuration is shown in the following table.
[Table image BDA0001813864330000191: hardware configuration; not reproduced in the text]
The foregoing shows and describes the general principles and broad features of the present invention and advantages thereof. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only for the purpose of illustrating the structural relationship and principles of the present invention, but that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (5)

1. A field operation terminal safety access protection and detection system, characterized in that it comprises an equipment layer, a data layer, a service layer and an application layer, wherein:
access layer: used for the field operation terminal to access the protection system;
data layer: used for storing basic data, constructing data models and analyzing real-time data;
service layer: consisting of three parts, safe access, safety protection and safety monitoring;
application layer: consisting of a unified management platform at the WEB end having the service functions of credible file management, protection strategy setting, monitoring and early warning, vulnerability scanning and intrusion detection;
the safe access means applying security control at the identity authentication level of the field operation terminal in the access stage, the protection system reading the file information of the field operation terminal and verifying it against the credible binding file relationship in the protection system, and the protection system monitoring and recording the logs of the access process, so that security verification management is achieved in the access stage, before the equipment is admitted to the service system;
the safety protection means adopting encryption, compression and desensitization anti-tampering strategies for transmitted data, together with port scanning and runtime vulnerability detection measures for the field operation terminal, and adding a data integrity verification mechanism to the safety protection strategy; protection is applied from the aspects of data tamper resistance, vulnerability detection, security defense and intrusion detection, to ensure the security of the operation terminal, the link and the intranet system during communication between the field operation terminal and the system;
the safety monitoring means monitoring the running state, operation behavior and SIM card traffic of the field operation terminal and applying data modeling analysis and big data analysis, so that abnormal sudden-change behavior can be judged in time and an alarm issued; the data information flow is audited and identified through the operation logs and the stored request history, and passed to the acquisition operation and maintenance closed-loop module;
the data tamper-proofing prevents data from being attacked and tampered with by applying data encryption, data compression and data desensitization to the data and the link;
the data encryption, in the data transmission stage between the field operation terminal and the electricity consumption information acquisition system, guarantees the security and integrity of data through data encryption and link encryption, using the key system of the electric energy metering cipher machine and the field operation terminal safety unit to perform unified two-way encryption and decryption and data integrity verification on the data in the communication channel, so that the data is secure and intact during transmission; the field operation terminal safety access protection and monitoring management system is connected to the electric energy metering cipher machine, and when the field operation terminal requests data from the service system, the protection and monitoring management system calls cipher machine functions, according to the version of the field operation terminal safety unit, to generate random numbers, ciphertext, signatures and message authentication codes for encrypting the data, the safety unit decrypts the data, and verification is carried out with the corresponding key and its matching key, which effectively prevents active attacks on the communication channel;
the data compression adopts a JDK deflate-based compression algorithm, and the compression level for transmitted data is selected by weighing compression ratio against compression efficiency according to the service requirement; MD5 is combined in data transmission to verify data consistency;
the data desensitization transforms data through desensitization rules to achieve reliable protection of sensitive data, and four sensitive rules, mask, truncation, null value and encryption, are defined for the sensitive fields of the interface data requested by the field operation terminal;
the vulnerability detection carries out security vulnerability detection on application software to be installed on the field operation terminal, mainly comprising permission vulnerability detection, static vulnerability detection and runtime vulnerability detection;
safety monitoring: by monitoring the running state, operation behavior and SIM card traffic of the field operation terminal and applying data modeling analysis and big data analysis, abnormal sudden-change behavior can be judged in time and an alarm issued; the data information flow is audited and identified through the operation logs and the stored request history, and passed to the acquisition operation and maintenance closed-loop module; safety detection identifies, records, stores and analyzes the data and log information of the equipment during access and protection, establishes who is responsible for each activity, and provides data support for security audit; at the same time, an alarm mechanism is set according to the protection strategy and predefined security standards; terminal access monitoring: real-time online monitoring of the field operation terminal, including legal and illegal equipment access requests, is achieved; by monitoring, recording, storing and analyzing in real time the identity authentication, access control, authority management and login/logout logs of safe access management, alarms are set for the abnormal conditions of non-compliant request interfaces, illegal equipment access and frequent login; the system is disconnected automatically or manually and access restricted according to the protection strategy defined in the safety protection part; log recording, storage, analysis and alarm identification are provided, searchable by date, log type and alarm level; an active alarm by pop-up prompt and sound is raised when equipment is abnormal; equipment management for automatic or manual disconnection and access restriction according to the defined protection strategy is provided; terminal running state monitoring: real-time online monitoring of the performance data of the field operation terminal is achieved, including terminal host resource occupation, terminal application installation and running status information, and process running state, network access state and hardware interface state information; alarm management is carried out according to the defined protection strategy; log recording, storage, analysis and alarm identification of the running state are provided, searchable by date, log type and alarm level; an active alarm by pop-up prompt and sound is raised when equipment is abnormal; equipment management for automatic or manual disconnection and access restriction according to the defined protection strategy is provided, and the completion status of reinforcement strategy upgrades can be recorded; running-state information, comprising terminal host resource occupation, terminal application installation and running status, and process running state, network access state and hardware interface state, is acquired and uploaded; terminal operation log monitoring and auditing: the operation logs of the field operation terminal; operations of field operation terminal applications are logged through the application and system interface and analyzed; non-compliant operation logs are color-marked and flagged with pop-up and sound prompts; logs of repeated wrong password entry at login are uploaded to the system; traffic monitoring and auditing: the traffic data uploaded and downloaded through the SIM card by each application of the field operation terminal is obtained, traffic modeling analysis is carried out by date and time interval, the current total SIM card traffic and the current traffic of a given application are compared with the traffic model built automatically by the system, and abnormal traffic mutations are found in time and alarmed; traffic usage is recorded, stored and analyzed, a traffic usage model is built from date and time factors, the current traffic usage is compared with the traffic model, and an abnormal mutation produces a traffic usage alarm; an active alarm by pop-up prompt and sound is raised when traffic usage is abnormal; the total SIM card traffic usage of the field operation terminal and the upload and download usage of each application are obtained periodically; and the traffic data can be uploaded to the system periodically;
Traffic situation; and can regularly upload traffic data to the system; 入侵检测分为异常检测和误用检测两种模式;Intrusion detection is divided into two modes: anomaly detection and misuse detection; 异常检测根据已定义的正常情况下的数据或日常运行和使用过程中正常情况的建模数据,与当前的数据进行比对,判断当前行为的异常性,发现可能有入侵行为;Anomaly detection is based on the defined data under normal conditions or the modeling data of normal conditions during daily operation and use, compares it with the current data, judges the abnormality of the current behavior, and finds out that there may be intrusion behaviors; 误用检测根据收集的信息与网络入侵和系统误用模式数据库中的已知信息进行模式匹配或已知入侵行为的特征库进行匹配,判定当前行为为入侵行为,需要对入侵检测的异常进行预警;实现入侵检测需要的工作;支持定义数据的正常运行范围,根据上传的数据按照时段对运行环境、SIM卡流量和应用安装使用情况进行建模,并将上传的当前数据与历史建模的数据进行比对,进行异常报警;建立已知入侵的特征库,并对非法登录、非法攻击和数据篡改入侵的特征与特征库进行匹配,匹配上的发出入侵告警;现场作业终端的运行环境和终端上系统安装的情况实时或定期上传到安全接入防护及监控系统,上传的数据包括:内存使用情况、CPU使用情况、网络类型、SIM卡流量使用情况、系统应用安装和运行情况;入侵检测:每日下载数据量;同一个掌机对前置频繁、重复、紧凑的访问同一接口;分析使用非正常的通讯协议访问日志记录,分析什么时间多少次的异常恶意访问。Misuse detection performs pattern matching with the known information in the network intrusion and system misuse pattern database or the signature database of known intrusion behaviors according to the collected information, and determines that the current behavior is an intrusion behavior. It is necessary to warn the abnormality of intrusion detection. 
; Realize the work required for intrusion detection; support the definition of the normal operating range of data, model the operating environment, SIM card traffic and application installation and usage according to the uploaded data according to the time period, and compare the uploaded current data with historical modeling data Carry out comparison and alarm abnormality; establish a signature database of known intrusions, match the signatures of illegal login, illegal attack and data tampering intrusion with the signature database, and issue an intrusion alarm if they match; the operating environment and terminal of the field operation terminal The system installation status is uploaded to the security access protection and monitoring system in real time or regularly. The uploaded data includes: memory usage, CPU usage, network type, SIM card traffic usage, system application installation and operation; intrusion detection: The amount of data downloaded every day; the same handheld accesses the same interface frequently, repeatedly and compactly to the front end; analyzes the use of abnormal communication protocol access log records, and analyzes when and how many times of abnormal malicious access. 2.根据权利要求1所述的一种现场作业终端安全接入防护和检测系统,其特征在于:所述现场作业终端接入防护系统的步骤包括:身份认证-访问控制-权限管理;2. 
A field operation terminal security access protection and detection system according to claim 1, wherein the step of the field operation terminal access protection system comprises: identity authentication-access control-authority management; 身份认证:现场作业终端访问用电信息采集系统相关业务系统时,通过接入管理进行身份鉴别,根据操作员ESAM卡序列号、业务ESAM卡序列号、现场终端序列号、SIM卡序列号的绑定关系数据进行身份校验,身份认证校验通过的终端允许进行访问控制校验,现场作业终端首次登录时,获取UID并进行身份认证或者获取UID进行身份认证并进行非对称密钥协商,同时对现场作业终端请求的身份认证接口和校验进行日志的记录和管理;将数据信息包括操作员ESAM卡序列号、业务ESAM卡序列号、现场终端序列号、SIM卡序列号和用户登录账号信息传给安全接入系统;现场作业终端首次登录时,获取UID并进行身份认证或者获取UID并进行身份认证并进行非对称密钥协商;访问控制:访问控制功能可按访问时间段、网络类型、经纬度三个层面设置访问控制策略,其中:Identity authentication: When the field operation terminal accesses the business system related to the electricity consumption information collection system, the identity authentication is carried out through the access management. The terminal that passes the identity authentication verification is allowed to perform access control verification. When the field operation terminal logs in for the first time, it obtains the UID and performs identity authentication, or obtains the UID for identity authentication and performs asymmetric key negotiation. 
Log and manage the identity authentication interface and verification requested by the field operation terminal; the data information includes the operator's ESAM card serial number, business ESAM card serial number, field terminal serial number, SIM card serial number and user login account information It is passed to the security access system; when the field operation terminal logs in for the first time, it obtains the UID and performs identity authentication, or obtains the UID and performs identity authentication and performs asymmetric key negotiation; Access control policies are set at three levels of longitude and latitude, including: 在访问策略控制范围内允许现场作业终端的接入和使用,在访问策略控制范围外不允许现场作业终端接入,并对于访问策略之外的访问进行告警展示;The access and use of on-site operation terminals are allowed within the scope of access policy control, and the access of on-site operation terminals is not allowed outside the scope of access policy control, and alarms are displayed for access outside the access policy; 权限管理:权限管理功能通过授权现场作业终端对用电信息采集系统的相关业务系统的访问权限,建立与业务系统的访问控制列表,现场作业终端仅能够访问被授权的业务系统,未授权的业务系统禁止访问;Authority management: The authority management function establishes an access control list with the business system by authorizing the access authority of the field operation terminal to the relevant business system of the electricity consumption information collection system. The field operation terminal can only access the authorized business system, and the unauthorized business system. Access is prohibited by the system; 3.根据权利要求2所述的一种现场作业终端安全接入防护和检测系统,其特征在于:所述时段访问策略具体为:当启用时,可以设置一个时间段允许现场作业终端访问,其他时间段不允许访问;当禁用时,所有时段均允许访问;3. 
A field operation terminal security access protection and detection system according to claim 2, characterized in that: the time period access policy is specifically: when enabled, a time period can be set to allow field operation terminals to access, other Access is not allowed during time periods; when disabled, access is allowed for all periods; 所述网络类型访问策略具体为:当启用时,可以设置网络类型为SIM卡的网络类型允许现场作业终端访问,WLAN网络不允许访问;当禁用时,所有网络类型均允许访问;The network type access policy is specifically: when enabled, the network type of the SIM card can be set to allow the field operation terminal to access, and the WLAN network does not allow access; when disabled, all network types allow access; 经纬度访问策略具体为:当启用时,在经纬度范围内的现场作业终端允许访问,在经纬度范围外的现场作业终端不允许访问;当禁用时,不对经纬度做限制。The longitude and latitude access policy is specifically: when enabled, the field operation terminals within the longitude and latitude range are allowed to access, and the field operation terminals outside the longitude and latitude range are not allowed to access; when disabled, the longitude and latitude are not restricted. 4.根据权利要求1所述的一种现场作业终端安全接入防护和检测系统,其特征在于:所述SIM卡绑定管理通过手工创建、批量导入和接口同步方式,实现现场作业终端档案和SIM卡档案的绑定;当现场作业终端进行身份认证时,根据绑定关系进行验证,当两者匹配时可以通过用电信息采集系统的APN登录访问业务系统,当现场作业终端更换外网或非法的SIM卡和SIM卡安装到非法的外网设备均不允许接入到用电信息采集系统的APN;手工创建指提供档案关系手工录入功能,人工进行绑定档案关系创建;批量导入提供模板并按模板批量导入绑定档案关系;接口同步是同已经维护了绑定关系的采集运维闭环管理模块执行接口同步,定期同步最新的绑定关系档案;档案关系按创建、修改、删除和多个条件的筛选查询,验证通过终端允许访问信息内网业务系统,否则发送的请求拒绝访问信息内网的业务系统。4. The security access protection and detection system of a field operation terminal according to claim 1, wherein the SIM card binding management is manually created, imported in batches and interface synchronization mode to realize the field operation terminal file and the interface synchronization. Binding of SIM card files; when the field operation terminal performs identity authentication, it is verified according to the binding relationship. 
When the two match, you can log in to the business system through the APN of the electricity consumption information collection system. When the field operation terminal changes the external network or Illegal SIM cards and SIM cards installed on illegal external network devices are not allowed to access the APNs of the electricity consumption information collection system; manual creation refers to providing the function of manual entry of file relationships and manually creating binding file relationships; batch import provides templates And import the binding file relationship in batches according to the template; interface synchronization is to perform interface synchronization with the collection, operation and maintenance closed-loop management module that has maintained the binding relationship, and regularly synchronize the latest binding relationship files; file relationships are created, modified, deleted, and more. A screening query of each condition is used to verify that the terminal is allowed to access the information intranet business system, otherwise the request sent will deny access to the information intranet business system. 5.根据权利要求1所述的一种现场作业终端安全接入防护和检测系统,其特征在于:5. 
a kind of field operation terminal safety access protection and detection system according to claim 1, is characterized in that: 所述权限漏洞检测具体包括:检测组件Activity安全、Broadcast Receiver安全、Service安全、Content Provider安全检测是否存在安全组件暴露;The permission vulnerability detection specifically includes: detecting component Activity security, Broadcast Receiver security, Service security, and Content Provider security to detect whether security components are exposed; 所述静态漏洞检测具体包括通过对应用程序反编译,检测Intent安全、WebView是否存在安全漏洞,发现因程序不规范使用导致的组件漏洞;对代码混淆、Dex保护、SO保护、资源文件保护以及第三方加载库的代码的安全处理进行检测漏洞分析;The static vulnerability detection specifically includes decompiling the application program, detecting whether there are security vulnerabilities in Intent security and WebView, and discovering component vulnerabilities caused by irregular use of the program; code confusion, Dex protection, SO protection, resource file protection and third Security processing of the code of the third-party loading library for detection vulnerability analysis; 所述运行漏洞检测具体包括检测移动应用在运行过程中内存处理和保护机制进行检测分析,发现是否存在被修改和破坏的漏洞风险。The running vulnerability detection specifically includes detecting and analyzing the memory processing and protection mechanism of the mobile application in the running process to find out whether there is a vulnerability risk of being modified or destroyed.
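The compression and consistency-check step of claim 1, as an added example that is not the patent's code. It builds a deflate-compressed frame carrying an MD5 digest of the uncompressed payload, with the deflate level chosen from the business requirement; the frame layout (4-byte length, raw 16-byte MD5, deflate body), the level-selection policy and the sample payload are assumptions made for this example. One caveat a practitioner should keep in mind: MD5 here detects accidental corruption, which is what the claim calls consistency. It gives no protection against deliberate modification, because whoever alters the body can recompute the digest; tamper-evidence on this channel comes from the message authentication code and signature produced by the cipher machine described above, not from the MD5.

```python
"""Added example: deflate frame with an MD5 consistency digest (not the patent's code).

Frame layout (assumption): big-endian uint32 original length, 16-byte raw MD5
of the uncompressed payload, then the deflate body.
"""
import hashlib
import struct
import zlib

_HEADER = struct.Struct(">I16s")  # assumed frame header


def pack_frame(payload: bytes, level: int = zlib.Z_DEFAULT_COMPRESSION) -> bytes:
    """Compress payload with deflate at the chosen level and prepend length + MD5.

    level follows zlib / JDK Deflater semantics: 0 = store, 1 = fastest,
    9 = best compression, -1 = library default.
    """
    if not (level == zlib.Z_DEFAULT_COMPRESSION or 0 <= level <= 9):
        raise ValueError("compression level must be -1 or 0..9")
    digest = hashlib.md5(payload).digest()
    return _HEADER.pack(len(payload), digest) + zlib.compress(payload, level)


def unpack_frame(frame: bytes) -> bytes:
    """Inflate the body and verify it against the carried length and MD5.

    Raises ValueError when the inflated data does not match, i.e. the frame
    was damaged in transit (zlib.error if the deflate stream itself is broken).
    """
    if len(frame) < _HEADER.size:
        raise ValueError("frame too short")
    expected_len, expected_md5 = _HEADER.unpack_from(frame)
    payload = zlib.decompress(frame[_HEADER.size:])
    if len(payload) != expected_len:
        raise ValueError("length mismatch after inflate")
    if hashlib.md5(payload).digest() != expected_md5:
        raise ValueError("MD5 consistency check failed")
    return payload


def choose_level(payload_size: int, latency_sensitive: bool) -> int:
    """Pick a deflate level from the business requirement (assumed policy):
    small or latency-sensitive requests favour speed, bulk uploads favour ratio."""
    if latency_sensitive or payload_size < 512:
        return 1
    if payload_size < 64 * 1024:
        return 6
    return 9


def demo() -> dict:
    # Constructed sample payload standing in for a meter-reading interface response.
    record = (b'{"terminal":"T-0001","readings":['
              + b",".join(b"12345.6" for _ in range(200)) + b"]}")
    frame = pack_frame(record, choose_level(len(record), latency_sensitive=False))
    roundtrip = unpack_frame(frame)

    # Flip one bit in the compressed body: inflate fails or the MD5 mismatches.
    damaged = bytearray(frame)
    damaged[-1] ^= 0x01
    try:
        unpack_frame(bytes(damaged))
        corruption_detected = False
    except (ValueError, zlib.error):
        corruption_detected = True

    return {
        "original_len": len(record),
        "frame_len": len(frame),
        "roundtrip_ok": roundtrip == record,
        "corruption_detected": corruption_detected,
    }


if __name__ == "__main__":
    print(demo())
```

Running the block shows the repetitive sample shrinking well below its original size, a clean round trip, and detection of the single flipped bit; the same flip made by an attacker who also rewrites the header would pass, which is why the cipher machine's MAC must still cover the frame.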
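The four desensitization rules of claim 1 (mask, truncation, null value, encryption) applied to the fields of an interface record, as an added example that is not the patent's code. The field names, the rule table and the sample record are constructed for this example. The patent delegates the encryption rule to the cipher machine; so that the example runs offline, a stand-in is used here (HMAC-SHA256 in counter mode under a demo key, reversible so the original value can be recovered by the authorised side), and that stand-in is an assumption, not the system's cipher.

```python
"""Added example: desensitization rules for interface data (not the patent's code)."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

# Demo key only. In the described system the key stays inside the cipher machine.
DEMO_KEY = b"demo-key-do-not-use-in-production"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream (stand-in for the cipher machine)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(value: str, key: bytes = DEMO_KEY, nonce: Optional[bytes] = None) -> str:
    """Encryption rule: hex(nonce || plaintext XOR keystream); reversible."""
    nonce = os.urandom(12) if nonce is None else nonce
    data = value.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return (nonce + ct).hex()


def decrypt_field(token: str, key: bytes = DEMO_KEY) -> str:
    raw = bytes.fromhex(token)
    nonce, ct = raw[:12], raw[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode("utf-8")


def mask(value: str, keep_head: int = 3, keep_tail: int = 4) -> str:
    """Mask rule: keep leading/trailing characters, replace the middle with '*'."""
    if len(value) <= keep_head + keep_tail:
        return "*" * len(value)
    return value[:keep_head] + "*" * (len(value) - keep_head - keep_tail) + value[-keep_tail:]


def truncate(value: str, keep: int = 4) -> str:
    """Truncation rule: keep only the first `keep` characters."""
    return value[:keep]


def null_value(_: str) -> None:
    """Null-value rule: the field is returned empty."""
    return None


# Rule table: field name -> (rule name, transform). Constructed for the example.
RULES: Dict[str, Tuple[str, Callable]] = {
    "customer_phone": ("mask", mask),
    "customer_id_no": ("mask", lambda v: mask(v, 6, 2)),
    "customer_address": ("truncation", lambda v: truncate(v, 6)),
    "customer_name": ("null", null_value),
    "meter_secret": ("encryption", encrypt_field),
}


def desensitize(record: dict) -> dict:
    """Apply the configured rule to each sensitive field; other fields pass through."""
    out = {}
    for name, value in record.items():
        rule = RULES.get(name)
        out[name] = rule[1](value) if rule and value is not None else value
    return out


# Constructed sample record with fictitious values.
SAMPLE = {
    "terminal_sn": "T-0001",
    "customer_phone": "13800001234",
    "customer_id_no": "110101199001011234",
    "customer_address": "Xuanwu District, Nanjing, No. 88",
    "customer_name": "Zhang San",
    "meter_secret": "K9-TEST-SECRET",
}

if __name__ == "__main__":
    print(desensitize(SAMPLE))
```

Mask and truncation keep the value usable for display and matching while removing most of it; the null rule removes the field entirely; only the encryption rule is reversible, which is why the described system ties it to the cipher machine rather than to a key held on the terminal.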
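The traffic monitoring paragraph and the intrusion detection paragraph of claim 1 describe the same two mechanisms: a baseline model of normal usage by time period (anomaly detection) and signature matching against known bad behaviour (misuse detection). The following is an added example of both, not the patent's code. The anomaly side builds a per-hour SIM traffic baseline from history and scores current usage with a median/MAD deviation (an assumed choice of statistic); the misuse side applies three signatures the claim lists: several consecutive wrong passwords, the same handheld hitting one interface repeatedly within a short window, and an access using a protocol outside the allow-list. Thresholds, log field names and all sample data are constructed for this example.

```python
"""Added example: anomaly and misuse intrusion detection (not the patent's code)."""
from collections import defaultdict, deque
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

# ---- anomaly detection: traffic model by time period ----------------------

def build_traffic_model(history: List[Tuple[str, int]]) -> Dict[int, Tuple[float, float]]:
    """history: (ISO timestamp, bytes used in that hour). Returns hour -> (median, MAD)."""
    by_hour = defaultdict(list)
    for ts, used in history:
        by_hour[datetime.fromisoformat(ts).hour].append(used)
    model = {}
    for hour, values in by_hour.items():
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1.0  # avoid a zero spread
        model[hour] = (med, mad)
    return model


def traffic_alarm(model, ts: str, used: int, k: float = 6.0) -> bool:
    """Alarm when usage deviates from the hour's baseline by more than k MADs."""
    med, mad = model.get(datetime.fromisoformat(ts).hour, (0.0, 1.0))
    return abs(used - med) / mad > k


# ---- misuse detection: signatures over access logs -----------------------

ALLOWED_PROTOCOLS = {"https", "mqtts"}  # assumed allow-list


def misuse_alarms(log: List[dict], fail_limit: int = 5,
                  burst_limit: int = 10, burst_window_s: int = 10) -> List[str]:
    """log entries: {'ts', 'terminal', 'account', 'iface', 'proto', 'result'}.

    Signatures (assumed thresholds):
      * fail_limit consecutive LOGIN failures for one account;
      * burst_limit calls from one terminal to one interface within burst_window_s;
      * any protocol outside ALLOWED_PROTOCOLS.
    """
    alarms = []
    fails = defaultdict(int)
    recent = defaultdict(deque)
    for e in sorted(log, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["proto"] not in ALLOWED_PROTOCOLS:
            alarms.append(f"{e['ts']} abnormal protocol {e['proto']} from {e['terminal']}")
        if e["iface"] == "LOGIN":
            fails[e["account"]] = fails[e["account"]] + 1 if e["result"] == "FAIL" else 0
            if fails[e["account"]] == fail_limit:
                alarms.append(f"{e['ts']} {fail_limit} consecutive wrong passwords for {e['account']}")
        q = recent[(e["terminal"], e["iface"])]
        q.append(t)
        while (t - q[0]).total_seconds() > burst_window_s:
            q.popleft()
        if len(q) == burst_limit:
            alarms.append(f"{e['ts']} {e['terminal']} hit {e['iface']} {burst_limit}x in {burst_window_s}s")
    return alarms


# ---- constructed sample data ---------------------------------------------

# Twenty days of hourly SIM usage at 08:00, 09:00 and 10:00, around 2 MB per hour.
HISTORY = [(f"2018-09-{d:02d}T{h:02d}:00:00", 2_000_000 + 50_000 * (h % 3) + 1_000 * d)
           for d in range(1, 21) for h in (8, 9, 10)]

LOG = (
    [{"ts": f"2018-09-27T08:00:{i:02d}", "terminal": "HH-17", "account": "op01",
      "iface": "LOGIN", "proto": "https", "result": "FAIL"} for i in range(6)]
    + [{"ts": f"2018-09-27T08:01:{i:02d}", "terminal": "HH-17", "account": "op01",
        "iface": "/meter/read", "proto": "https", "result": "OK"} for i in range(12)]
    + [{"ts": "2018-09-27T08:05:00", "terminal": "HH-03", "account": "op02",
        "iface": "/meter/read", "proto": "ftp", "result": "OK"}]
)


def demo() -> dict:
    model = build_traffic_model(HISTORY)
    return {
        "normal": traffic_alarm(model, "2018-09-27T09:00:00", 2_015_000),
        "spike": traffic_alarm(model, "2018-09-27T09:00:00", 40_000_000),
        "misuse": misuse_alarms(LOG),
    }


if __name__ == "__main__":
    print(demo())
```

The baseline is keyed by hour of day because the claim models traffic by date and time period; a per-terminal or per-application key works the same way. The burst signature fires exactly once per window because the alarm is raised when the queue first reaches the limit, which keeps one hammering episode from producing one alarm per request.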
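The access decision chain of claims 2 to 4, as an added example that is not the patent's code: the binding check of identity authentication (operator ESAM, business ESAM, terminal and SIM serial numbers must match a registered binding), the three access-control policies of claim 3 with their enabled/disabled semantics (a disabled policy permits everything), and the business-system access control list of authority management, run in the order claim 2 gives. The policy object, the representation of the longitude/latitude range as a bounding box, the serial-number formats and all sample records are assumptions made for this example.

```python
"""Added example: authentication -> access control -> authority (not the patent's code)."""
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, Optional, Set, Tuple

Binding = Tuple[str, str, str, str]  # operator ESAM SN, business ESAM SN, terminal SN, SIM SN


@dataclass
class AccessPolicy:
    """Claim 3 policies. Each one permits everything while disabled."""
    time_enabled: bool = False
    time_window: Tuple[str, str] = ("08:00", "18:00")        # HH:MM, inclusive
    network_enabled: bool = False
    allowed_networks: FrozenSet[str] = frozenset({"SIM"})   # WLAN is denied when enabled
    geo_enabled: bool = False
    geo_box: Tuple[float, float, float, float] = (0.0, 0.0, 0.0, 0.0)  # min_lat, max_lat, min_lon, max_lon


@dataclass
class Request:
    binding: Binding
    account: str
    now: str        # HH:MM local time of the request
    network: str    # "SIM" or "WLAN"
    lat: float
    lon: float
    system: str     # business system being requested


def _in_window(now: str, start: str, end: str) -> bool:
    n, s, e = (time.fromisoformat(x) for x in (now, start, end))
    return s <= n <= e if s <= e else (n >= s or n <= e)  # window may wrap midnight


def check_binding(bindings: Set[Binding], req: Request) -> Optional[str]:
    """Identity authentication: the four serial numbers must form a registered binding."""
    return None if req.binding in bindings else "binding mismatch: unknown ESAM/terminal/SIM combination"


def check_policy(p: AccessPolicy, req: Request) -> Optional[str]:
    """Access control: time period, network type, longitude/latitude."""
    if p.time_enabled and not _in_window(req.now, *p.time_window):
        return f"outside allowed time window {p.time_window[0]}-{p.time_window[1]}"
    if p.network_enabled and req.network not in p.allowed_networks:
        return f"network type {req.network} not allowed"
    if p.geo_enabled:
        min_lat, max_lat, min_lon, max_lon = p.geo_box
        if not (min_lat <= req.lat <= max_lat and min_lon <= req.lon <= max_lon):
            return "outside authorised longitude/latitude range"
    return None


def check_acl(acl: Dict[str, Set[str]], req: Request) -> Optional[str]:
    """Authority management: the terminal may only reach business systems on its ACL."""
    terminal_sn = req.binding[2]
    return None if req.system in acl.get(terminal_sn, set()) else f"system {req.system} not authorised"


def decide(bindings: Set[Binding], policy: AccessPolicy,
           acl: Dict[str, Set[str]], req: Request) -> Tuple[bool, str]:
    """Run the chain in the order of claim 2; the first failing check denies (and is alarmed)."""
    for check in (lambda r: check_binding(bindings, r),
                  lambda r: check_policy(policy, r),
                  lambda r: check_acl(acl, r)):
        reason = check(req)
        if reason:
            return False, reason
    return True, "allowed"


# ---- constructed sample data (fictitious serial numbers) ------------------
BINDINGS = {("OPESAM-01", "BZESAM-01", "T-0001", "SIM-0001")}
ACL = {"T-0001": {"meter-reading", "work-order"}}
POLICY = AccessPolicy(time_enabled=True, network_enabled=True, geo_enabled=True,
                      geo_box=(30.4, 30.7, 114.1, 114.5))


def sample_request(**overrides) -> Request:
    base = dict(binding=("OPESAM-01", "BZESAM-01", "T-0001", "SIM-0001"), account="op01",
                now="10:30", network="SIM", lat=30.55, lon=114.30, system="meter-reading")
    base.update(overrides)
    return Request(**base)


if __name__ == "__main__":
    for r in (sample_request(), sample_request(network="WLAN"), sample_request(now="22:00"),
              sample_request(binding=("OPESAM-01", "BZESAM-01", "T-0001", "SIM-9999")),
              sample_request(system="billing")):
        print(decide(BINDINGS, POLICY, ACL, r))
```

The binding check runs first so that a swapped SIM card or a SIM moved into a foreign device (the cases claim 4 names) is refused before any policy is consulted; the returned reason is what the monitoring side records and alarms on.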
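The permission vulnerability detection of claim 5 checks whether an application's Activity, Broadcast Receiver, Service and Content Provider components are exposed. The following is an added example of that check over an AndroidManifest.xml, not the patent's code. It applies the platform's documented rule: a component is reachable by other apps when it sets android:exported="true", or when it declares an intent-filter without an explicit android:exported attribute (implicitly exported on targetSdk below 31), and a provider without an explicit attribute defaults to exported only on targetSdk below 17, so it is reported for review; a component guarded by android:permission (or read/write permissions for a provider) is not reported, and the launcher activity is skipped as the expected entry point. The sample manifest is constructed for the example.

```python
"""Added example: exposed-component check on AndroidManifest.xml (not the patent's code)."""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "receiver", "service", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"


def _attr(elem: ET.Element, name: str) -> Optional[str]:
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_exposed_components(manifest_xml: str) -> List[Tuple[str, str, str]]:
    """Return (component kind, class name, reason) for each exposed, unprotected component."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings: List[Tuple[str, str, str]] = []
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name = _attr(comp, "name") or "?"
        exported = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        is_launcher = any(_attr(c, "name") == LAUNCHER for c in comp.iter("category"))
        # A permission on the component (read/write permissions for providers) guards it.
        protected = any(_attr(comp, a) for a in ("permission", "readPermission", "writePermission"))
        if is_launcher:
            continue
        if exported == "true":
            reason = "exported=true"
        elif exported is None and has_filter:
            reason = "implicitly exported via intent-filter"
        elif exported is None and comp.tag == "provider":
            reason = "provider without explicit exported attribute (default true below API 17)"
        else:
            continue
        if not protected:
            findings.append((comp.tag, name, reason))
    return findings


# Constructed manifest: one launcher, one debug activity, an unguarded receiver,
# a permission-guarded service, a private service and a provider with no attribute.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.fieldapp">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="{LAUNCHER}"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </receiver>
    <service android:name=".UploadService" android:exported="true"
             android:permission="com.example.permission.UPLOAD"/>
    <service android:name=".LocalService" android:exported="false"/>
    <provider android:name=".MeterProvider" android:authorities="com.example.meter"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for kind, name, reason in find_exposed_components(SAMPLE_MANIFEST):
        print(f"{kind:9}{name:20}{reason}")
```

In the described system this check runs before the application is installed on the field operation terminal; the static and runtime checks of claim 5 (decompilation for Intent and WebView issues, memory protection at run time) need the APK itself rather than its manifest and are not shown here.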
CN201811132213.4A 2018-09-27 2018-09-27 Safety access protection and detection system for field operation terminal Active CN110691064B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811132213.4A CN110691064B (en) 2018-09-27 2018-09-27 Safety access protection and detection system for field operation terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811132213.4A CN110691064B (en) 2018-09-27 2018-09-27 Safety access protection and detection system for field operation terminal

Publications (2)

Publication Number Publication Date
CN110691064A CN110691064A (en) 2020-01-14
CN110691064B true CN110691064B (en) 2022-01-04

Family

ID=69107482

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811132213.4A Active CN110691064B (en) 2018-09-27 2018-09-27 Safety access protection and detection system for field operation terminal

Country Status (1)

Country Link
CN (1) CN110691064B (en)

Families Citing this family (48)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111541653B (en) * 2020-04-02 2023-01-24 山东商业职业技术学院 Data communication monitoring system and method
CN111765801A (en) * 2020-06-16 2020-10-13 深圳拼客信息科技有限公司 Shooting range training and intrusion discovery method
CN112016884A (en) * 2020-07-30 2020-12-01 河北新金轧材有限公司 Safety management method and system for field production
CN112260985B (en) * 2020-09-03 2023-08-01 富联智能工坊(郑州)有限公司 Terminal security management and control device and terminal security management and control method
CN112118249B (en) * 2020-09-11 2022-09-16 南京云柜网络科技有限公司 Security protection method and device based on log and firewall
TWI781448B (en) * 2020-09-23 2022-10-21 中華電信股份有限公司 System and method for information security protection and computer readable medium
CN112291222B (en) * 2020-10-22 2022-10-28 南方电网科学研究院有限责任公司 Electric power edge calculation safety protection system and method
CN112272176A (en) * 2020-10-23 2021-01-26 常州市同济科技有限公司 Network security protection method and system based on big data platform
CN112351005B (en) * 2020-10-23 2022-11-15 杭州安恒信息技术股份有限公司 Internet of things communication method, device, readable storage medium and computer equipment
CN112351029A (en) * 2020-11-04 2021-02-09 内蒙古电力(集团)有限责任公司内蒙古电力科学研究院分公司 Integrated system based on detection equipment
CN112511494B (en) * 2020-11-05 2023-10-31 中国电力科学研究院有限公司 Safety protection system and method suitable for electric power intelligent terminal equipment
CN112230924A (en) * 2020-11-09 2021-01-15 平安普惠企业管理有限公司 Bullet box prompting method, device, computer equipment and storage medium
CN112364377B (en) * 2020-11-11 2023-06-06 国网山东省电力公司电力科学研究院 A data classification and classification safety protection system adapted to the electric power industry
CN112532612A (en) * 2020-11-25 2021-03-19 中国大唐集团科学技术研究院有限公司 Industrial control network safety protection system
CN112688808A (en) * 2020-12-18 2021-04-20 怀来斯达铭数据有限公司 Operation and maintenance management method and system of internet data center and electronic equipment
CN115085956B (en) * 2021-03-12 2023-11-24 中国移动通信集团广东有限公司 Intrusion detection method, intrusion detection device, electronic equipment and storage medium
CN113190200B (en) * 2021-05-10 2023-04-07 郑州魔王大数据研究院有限公司 Exhibition data security protection method and device
CN113239349B (en) * 2021-06-05 2024-01-09 内蒙古电力(集团)有限责任公司内蒙古电力科学研究院分公司 Network security testing method for power monitoring system
CN113360475B (en) * 2021-06-18 2022-12-09 广州中爆数字信息科技股份有限公司 Data operation and maintenance method, device and equipment based on intranet terminal and storage medium
CN113268743B (en) * 2021-06-25 2023-12-12 深圳谷探科技有限公司 Method for improving safety of movable ring monitoring system
CN113821774A (en) * 2021-09-07 2021-12-21 安徽继远软件有限公司 Terminal security risk module matching and verifying system
CN113835738B (en) * 2021-09-13 2024-10-11 许昌许继软件技术有限公司 Substation monitoring system application program management method and device
CN113973005A (en) * 2021-09-22 2022-01-25 湖南鹏城信息技术有限公司 A data processing system for computer software development
CN116132250B (en) * 2021-11-12 2025-04-01 网联清算有限公司 Operation and maintenance system, method, storage medium, and electronic device
CN114331018A (en) * 2021-12-01 2022-04-12 国网浙江省电力有限公司杭州供电公司 Platform architecture detection management system and safe operation method in full-service data
CN114254364A (en) * 2021-12-24 2022-03-29 国网江苏省电力有限公司盐城供电分公司 A security behavior monitoring system with hidden business based on zero trust
CN114301739B (en) * 2021-12-29 2023-08-22 北京国家新能源汽车技术创新中心有限公司 Central gateway security architecture, system and storage medium
CN114070654B (en) * 2022-01-17 2022-04-08 睿至科技集团有限公司 Safety management and control method and system based on big data
CN114079624B (en) * 2022-01-18 2022-04-08 广东道一信息技术股份有限公司 Architecture data flow monitoring method and system based on multi-user access
CN115276963B (en) * 2022-06-13 2024-06-14 云南电网有限责任公司 Intelligent key-based power grid security management method, system and medium
CN115412284B (en) * 2022-07-04 2025-01-14 国网浙江省电力有限公司杭州市临安区供电公司 Safe transmission method for power field fault information
CN114969798B (en) * 2022-07-25 2022-11-04 成都中科合迅科技有限公司 Industrial data safety management method based on digital middlebox
CN115225412B (en) * 2022-09-20 2023-01-03 国网江西省电力有限公司信息通信分公司 Cloud-edge access control system
CN115225415B (en) * 2022-09-21 2023-01-24 南京华盾电力信息安全测评有限公司 Password application platform for new energy centralized control system and monitoring and early warning method
CN115310090A (en) * 2022-10-08 2022-11-08 江苏安几科技有限公司 Terminal reliability dynamic detection system
CN115941326B (en) * 2022-12-07 2024-09-03 贵州电网有限责任公司 Background monitor reinforcement method
CN116155544A (en) * 2022-12-20 2023-05-23 中国船舶集团有限公司系统工程研究院 A safety information interaction method for a ship control system
CN116389092A (en) * 2023-03-27 2023-07-04 科威纳工业自动化有限公司 A Control System Based on Communication Security
CN116343443B (en) * 2023-03-31 2025-07-04 山东柏通电气有限公司 Transformer alarm method, system and readable storage medium
CN116094842B (en) * 2023-04-07 2023-06-06 北京豪密科技有限公司 State recognition system and method of network cipher machine
CN116155634B (en) * 2023-04-23 2023-08-04 驿羚江苏大数据有限公司 Charging process safety protection method and system based on SaaS mode
CN116915500B (en) * 2023-09-05 2023-11-17 武汉万数科技有限公司 Security detection method and system for access equipment
CN117424759B (en) * 2023-12-18 2024-03-22 南京思宇电气技术有限公司 Holographic monitoring gateway applied to power distribution room and monitoring system thereof
CN117424756B (en) * 2023-12-18 2024-03-01 华夏天信智能物联股份有限公司 Mining variable-frequency speed-regulating asynchronous integrated machine control encryption method and device and electronic equipment
CN117478432B (en) * 2023-12-27 2024-03-19 国网天津市电力公司信息通信公司 Safety operation and maintenance system for power communication equipment
CN117579665A (en) * 2024-01-15 2024-02-20 深圳汉德霍尔科技有限公司 An Internet of Things handheld terminal cloud display system and device
CN117792797B (en) * 2024-02-26 2024-05-14 中国信息通信研究院 Data authority management method and device based on industrial Internet identification analysis
CN119052825A (en) * 2024-08-22 2024-11-29 山西嘉讯信达科技有限公司 One-stop management and control platform based on internet mobile communication terminal

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104184735A (en) * 2014-08-26 2014-12-03 国家电网公司 Electric marketing mobile application safe protection system
CN106027476A (en) * 2016-01-21 2016-10-12 李明 Identity card cloud authentication system and card reading system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100502068B1 (en) * 2003-09-29 2005-07-25 한국전자통신연구원 Security engine management apparatus and method in network nodes

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
魏彤珈等 (Wei Tongjia et al.), 现场作业终端安全接入防护的设计与应用 (Design and application of secure access protection for field operation terminals), 《信息记录材料》 (Information Recording Materials), 2018-05-31, pp. 74-75 *
翟峰等 (Zhai Feng et al.), 电力采集系统安全防护和密码管理体系 (Security protection and cryptographic key management architecture for power collection systems), 《网络空间安全》 (Cyberspace Security), 2018-02-28, pp. 79-89 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant