Disclosure of Invention
The embodiment of the invention provides an intranet security policy detection method and device, which are used for improving the network security policy detection efficiency and automatically updating detection rules.
In a first aspect, an embodiment of the present invention provides a method for detecting an intranet security policy, where the method includes:
the intranet security policy detection system comprises at least one client and a server, wherein the at least one client belongs to at least one network area in an intranet respectively, and the method comprises the following steps: the client generates a rule obtaining request and sends the rule obtaining request to the server; the server side determines a detection rule of the client side according to the rule acquisition request and sends the detection rule to the client side, wherein the detection rule is used for indicating the access authority between the client side and a target side; the client accesses a target end in the detection rule and sends an abnormal access result which does not accord with the detection rule to the server end; and the server side analyzes the abnormal access result and generates an alarm.
In the above method, generally, the network security policies in the same network region are the same, and therefore, one client (if allowed by network resources, multiple clients may also be selected, which is only an optimal implementation method) may be selected for one network region as a client for detecting the network security policies; the plurality of network regions correspond to a plurality of clients that may communicate with the server. Therefore, the client can acquire the detection rule from the server through the rule acquisition request, so that the detection rule is automatically updated, and the difficulty in changing the detection rule is reduced. The client can also send the detected abnormal access result to the server, so that the server can analyze the abnormal access result reported by each client and determine whether the network security policy of the corresponding network area is effective.
Optionally, the analyzing, by the server, the abnormal access result and generating an alarm includes: the server side determines whether the abnormal access result accords with a network security policy in a white list; and if not, generating an alarm according to the abnormal access result.
In the above method, the white list means the following: the detection rules of all clients in a network area are the same, but there may be an exceptional client in the network area whose detection rules differ in part from those of the other clients in the area. For example, no client in the network area allows clients of other network areas to access port 8080, but this exceptional client does allow clients of other network areas to access port 8080. Setting up two clients in one network area to obtain different detection rules would waste resources, so the detection rule of the exceptional client is instead set in a white list, and if a client in another network area connects normally to port 8080 of the exceptional client, the record of that abnormal access result is deleted without generating an alarm. Therefore, network resources are saved, and the pertinence of the network security policy can be improved. Compared with the prior art, in which a network security policy is detected using an open source tool such as a port scanner (e.g., nmap, a network security auditing tool) and the abnormal access results between different network areas need to be integrated and analyzed manually, the method and the system can analyze and alarm on the abnormal access results of each client received by the server, and improve the detection efficiency.
Optionally, the determining, by the server, whether the abnormal access result meets a network security policy in a white list includes: the server determines whether a source IP address, a target IP address and a target port in the abnormal access result belong to a preset source IP address, a preset target IP address and a preset target port in the network security policy; and if at least one item of the abnormal access results is not in accordance with the network security policy, determining that the abnormal access results are not in accordance with the network security policy.
In the method, the access information of the client can be determined according to the source IP address, the target IP address and the target port in the abnormal access result, and the preset source IP address, the preset target IP address and the preset target port in the network security policy are the rule information in the detection rule. Therefore, if the actual access information of the client differs from the rule information, the network security policy is flawed; the server then generates an alarm in the subsequent process so that the related developers learn of the abnormality of the network security policy, and the abnormality and its root cause can be quickly located according to the access information.
Optionally, the rule obtaining request includes an IP address of the client and a first signature generated by the client; the server side determines the detection rule of the client side according to the rule acquisition request, and the method comprises the following steps: and the server verifies the first signature in the rule acquisition request, and determines the detection rule of the client according to the IP address of the client after the verification is passed.
In the method, the server verifies the first signature in the rule acquisition request. This improves the security of detection and prevents unauthorized persons from acquiring the detection rule and attacking the network area according to it.
Optionally, the rule obtaining request further includes a timestamp; the first signature is generated by: the client splices the IP address of the client, the timestamp and the authorization information of the client to obtain ordered spliced data; the client encrypts the ordered splicing data through a preset encryption algorithm to obtain the first signature; the server side verifies the first signature in the rule obtaining request, and the verification comprises the following steps: the server side encrypts the IP address of the client side, the timestamp and the authorization information of the server side in the rule acquisition request according to the preset encryption algorithm to obtain a second signature; the authorization information of the client is the same as that of the server; and if the server side determines that the first signature is the same as the second signature, the client side is determined to be legal through verification.
In the method, the authorization information of the client is set to be the same as the authorization information of the server, the first signature generated subsequently and used for verification is guaranteed to be the same, so that the server and the client have communication 'permission', the server can verify the client according to the authorization information the same as the client, if the authorization information is the same, the obtained first signature and the obtained second signature are the same, the client can be determined to be legal, and a detection rule can be provided for the client. The interaction safety of the server and the client is improved.
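As an added worked example (not code from the patent), the following Python sketch implements the request signing and verification described above. The patent does not name the "preset encryption algorithm"; the example assumes HMAC-SHA256 keyed with the shared authorization information over the spliced IP address and timestamp, a 300-second freshness window on the timestamp, and a constant-time comparison of the first and second signatures. The field names, the separator and the window are assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumption (the patent does not fix the algorithm): the "preset encryption algorithm"
# is HMAC-SHA256 keyed with the shared authorization information, and a request whose
# timestamp is outside this window is rejected even if its signature matches.
FRESHNESS_WINDOW_S = 300


def ordered_splice(client_ip: str, timestamp: int) -> bytes:
    # Fixed field order with a separator so that different (ip, timestamp) pairs
    # cannot produce the same spliced string.
    return "{}|{}".format(client_ip, timestamp).encode()


def make_signature(client_ip: str, timestamp: int, auth_info: str) -> str:
    # The authorization information enters as the HMAC key; a party without the
    # same authorization information cannot reproduce the signature.
    return hmac.new(auth_info.encode(), ordered_splice(client_ip, timestamp),
                    hashlib.sha256).hexdigest()


def build_rule_request(client_ip: str, client_auth_info: str,
                       now: Optional[int] = None) -> dict:
    # Client side: IP address, timestamp and first signature (constructed request).
    ts = int(time.time()) if now is None else now
    return {"ip": client_ip, "timestamp": ts,
            "signature": make_signature(client_ip, ts, client_auth_info)}


def verify_rule_request(request: dict, server_auth_info: str,
                        now: Optional[int] = None) -> bool:
    # Server side: recompute the second signature from the request fields and the
    # server's own authorization information, then compare in constant time.
    now_ts = int(time.time()) if now is None else now
    try:
        client_ip = str(request["ip"])
        timestamp = int(request["timestamp"])
        first_signature = str(request["signature"])
    except (KeyError, TypeError, ValueError):
        return False
    if abs(now_ts - timestamp) > FRESHNESS_WINDOW_S:
        return False  # stale or far-future timestamp: do not hand out rules
    second_signature = make_signature(client_ip, timestamp, server_auth_info)
    return hmac.compare_digest(first_signature, second_signature)


if __name__ == "__main__":
    req = build_rule_request("192.168.124.20", "shared-auth-info")
    print(req)
    print("valid:", verify_rule_request(req, "shared-auth-info"))
```

A request signed with different authorization information, a request whose IP field is changed after signing, and a request replayed outside the freshness window all fail verification, so the server never returns a detection rule for them.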
Optionally, the method further includes: and the server receives a detection rule updating instruction, and respectively updates the detection rule and/or the network security policy according to the detection rule updating instruction.
In the method, the server can update the detection rule through the detection rule update instruction, so that the client can then acquire the latest detection rule. Compared with the prior art, in which the detection rules are deployed separately on open source tools such as a port scanner (e.g., nmap, a network security auditing tool), the method and the device enable the client to actively download the latest detection rules as long as the detection rules are deployed and updated at the server, thereby reducing the complexity of updating the detection rules, improving the timeliness of updating them and further improving the accuracy of detecting the network security policy.
In a second aspect, an embodiment of the present invention provides a method for detecting an intranet security policy, where the method includes:
the intranet security policy detection system comprises at least one client and a server, wherein the at least one client belongs to at least one network area in an intranet respectively, and the method comprises the following steps: the client generates a rule obtaining request and sends the rule obtaining request to the server; the client receives a detection rule determined by the server according to the rule acquisition request; the detection rule is used for indicating the access authority between the client and the target end; the client accesses a target end in the detection rule and sends an abnormal access result which does not accord with the detection rule to the server end; and the abnormal access result is used for generating an alarm after the server side analyzes the abnormal access result.
In the method, the client can generate the rule acquisition request, actively acquire the detection rule of the client from the server, and the client can detect the network security policy according to the acquired detection rule. Therefore, automatic updating of the client detection rules is achieved, and compared with the situation that the client needs to update the detection rules manually in the prior art, timeliness of updating the detection rules can be improved, and cost for updating the detection rules is reduced. The detection rule comprises a rule for indicating the access authority between the client and the target. Therefore, when the client accesses the target end in the detection rule, the access information in the process can be obtained to determine whether the access between the client and the target end in the detection information conforms to the access authority between the client and the target end in the detection rule.
In a third aspect, an embodiment of the present invention provides a method for detecting an intranet security policy, where the method includes:
the intranet security policy detection system comprises at least one client and a server, wherein the at least one client belongs to at least one network area in an intranet respectively, and the method comprises the following steps: the server receives a rule acquisition request sent by the client, and determines a detection rule of the client according to the rule acquisition request; the server side sends the detection rule to the client side, and the detection rule is used for indicating the access authority between the client side and the target side; the server receives an abnormal access result sent by the client, wherein the abnormal access result is determined by the client according to a target end which does not accord with the detection rule; and the server side analyzes the abnormal access result and generates an alarm.
In the method, the server can send the corresponding detection rule to the client according to the rule acquisition request sent by the client, so that automatic updating of the detection rule is realized and the updating efficiency of the detection rule is improved. The server can also analyze the abnormal access result sent by the client to generate an alarm, so that developers can conveniently locate the root cause of the abnormality, and the accuracy and the operation and maintenance efficiency of locating the abnormality are improved.
In a fourth aspect, an embodiment of the present invention provides an intranet security policy detection apparatus, where the apparatus includes: the intranet security policy detection system comprises at least one client and a server, wherein the at least one client belongs to at least one network area in an intranet respectively, and the device comprises: the receiving and sending module is used for generating a rule obtaining request and sending the rule obtaining request to the server; the receiving and sending module is further used for determining a detection rule of the client according to the rule acquisition request and sending the detection rule to the client, wherein the detection rule is used for indicating the access authority between the client and a target end; the detection module is used for accessing a target end in the detection rule and sending an abnormal access result which does not accord with the detection rule to the server end; and the alarm module is used for analyzing the abnormal access result and generating an alarm.
In a fifth aspect, an embodiment of the present invention provides an intranet security policy detection apparatus, where the apparatus includes: the intranet security policy detection system comprises at least one client and a server, wherein the at least one client belongs to at least one network area in an intranet respectively, and the device comprises: the receiving and sending module is used for generating a rule obtaining request and sending the rule obtaining request to the server; the receiving and sending module is further used for receiving the detection rule determined by the server according to the rule acquisition request; the detection rule is used for indicating the access authority between the client and the target end; the detection module is used for accessing a target end in the detection rule and sending an abnormal access result which does not accord with the detection rule to the server end; and the abnormal access result is used for generating an alarm after the server side analyzes the abnormal access result.
In a sixth aspect, an embodiment of the present invention provides an intranet security policy detection apparatus, where the apparatus includes: the intranet security policy detection system comprises at least one client and a server, wherein the at least one client belongs to at least one network area in an intranet respectively, and the device comprises: the receiving and sending module is used for receiving a rule obtaining request sent by the client and determining a detection rule of the client according to the rule obtaining request; the receiving and sending module is further configured to send the detection rule to the client, where the detection rule is used to indicate an access right between the client and a target, and to receive an abnormal access result sent by the client, wherein the abnormal access result is determined by the client according to a target end which does not accord with the detection rule; and the alarm module is used for analyzing the abnormal access result and generating an alarm.
In a seventh aspect, an embodiment of the present application further provides a computing device, including: a memory for storing a program; a processor for calling the program stored in the memory and executing the methods as described in the various possible designs of the first, second, and third aspects in accordance with the obtained program.
In an eighth aspect, embodiments of the present application further provide a computer-readable non-volatile storage medium, which includes a computer-readable program, and when the computer-readable program is read and executed by a computer, the computer is caused to perform the method as described in the various possible designs of the first aspect, the second aspect, and the third aspect.
These and other implementations of the present application will be more readily understood from the following description of the embodiments.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 shows a system architecture for detecting an intranet security policy according to an embodiment of the present invention; the system architecture may be applied to intranet network security detection in any enterprise or organization. The intranet may include a plurality of network areas such as network area 1, network area 2 …, network area n, and each network area may have a corresponding network security policy; there may also be a network area where no network security policy is set (such a network area does not need to perform network security policy detection), and the specific setting scheme is not limited. Taking the case where a network security policy is set in each network area as an example, one client is determined in each of network area 1, network area 2 … (generally, the network security policies of the clients in the same network area are the same, so in order to save network resources one client may be selected for each network area to perform network security policy detection; if network resources are abundant, multiple clients may be set for one network area, or one or more clients may be determined in a network area as required according to the arrangement of the network security policies of the network areas). The developer can configure detection rules, white lists and the like on a front-end page of the server 1; the client sends a generated rule acquisition request to the server 1, and the server 1 determines the detection rules corresponding to the client according to the rule acquisition request and sends the detection rules to the client. The client accesses each target terminal in the detection rules according to the detection rules, acquires the access information for each target terminal, and sends the abnormal access results which do not conform to the detection rules to the server 1.
The server 1 receives the abnormal access result, analyzes the abnormal access result according to the white list, deletes the abnormal access result corresponding to the white list, generates an alarm according to the remaining abnormal access result, and notifies the alarm to developers in a mail or short message mode, so that the developers can find the abnormality of the network security policy in time, accelerate the abnormal root cause positioning and improve the operation and maintenance efficiency.
Based on the system architecture in fig. 1, as shown in fig. 2a, an embodiment of the present application provides a client, where the client includes a rule obtaining module and a detecting module; the rule obtaining module is used for generating a rule obtaining request and sending the rule obtaining request to the server 1. After the detection rule returned by the server 1 is received, the detection module accesses each target end in the detection rule to obtain the abnormal access results, and sends the abnormal access results to the server 1.
Based on the system architecture in fig. 1, as shown in fig. 2b, an embodiment of the present application provides a server, where the server 1 includes a detection rule module, a result processing module, and an alarm module; the detection rule module is used for respectively updating the detection rule and/or the network security policy and the white list according to the detection rule updating instruction or the white list updating instruction; and determining a corresponding detection rule according to the received rule acquisition request of the client, and sending the detection rule to the client. And the result processing module is used for receiving the abnormal access result of the client, deleting the abnormal access result corresponding to the white list according to the white list and generating an alarm according to the residual abnormal access result through the alarm module. It should be noted that the system architecture, the client and the server for intranet security policy detection are only one example of the present application, and do not limit the system and the device on which the specific implementation in the present application is based.
Based on the system architecture and the device, an embodiment of the present application provides a method flow for detecting an intranet security policy, as shown in fig. 3, including:
Step 301, the client generates a rule obtaining request and sends the rule obtaining request to the server;
here, the client may be a personal computer, a server host, or the like, and the specific device type is not limited herein.
Step 302, the server side determines a detection rule of the client side according to the rule acquisition request and sends the detection rule to the client side, wherein the detection rule is used for indicating the access authority between the client side and a target side;
here, the access right may be whether the client should be able to communicate with the target.
Step 303, the client accesses a target end in the detection rule and sends an abnormal access result which does not accord with the detection rule to the server end;
here, for example, if the access rights of the client and the target in the detection rule should not be connected, but the client and the target are connected during access, it may be determined that the network security policy of the network area where the client is located is vulnerable, and an abnormal access result is generated.
And step 304, the server side analyzes the abnormal access result and generates an alarm.
In the above method, generally, the network security policies in the same network region are the same. Therefore, one client (if allowed by network resources, multiple clients can be selected, and this is just an optimal implementation method) can be selected for one network area as a client for detecting the network security policy; the plurality of network regions correspond to a plurality of clients that may communicate with the server. Therefore, the client can acquire the detection rule from the server through the rule acquisition request, so that the detection rule is automatically updated, and the difficulty in changing the detection rule is reduced. The client can also send the detected abnormal access result to the server, so that the server can analyze the abnormal access result reported by each client and determine whether the network security policy of the corresponding network area is effective.
The embodiment of the application provides an abnormal access result analysis method, wherein the server side analyzes the abnormal access result and generates an alarm, and the method comprises the following steps: the server side determines whether the abnormal access result accords with a network security policy in a white list; and if not, generating an alarm according to the abnormal access result. That is, the server includes a white list, and if the abnormal access result includes the matched information in the white list, that is, it is determined that the abnormal access result does not belong to the result of the abnormal network security policy but belongs to the network security policy in the white list, the matched abnormal access result is deleted without generating an alarm. And generating an alarm according to the abnormal access result which does not conform to the white list.
The embodiment of the application provides an abnormal access result analysis method, wherein the server determines whether the abnormal access result meets a network security policy in a white list, and the method comprises the following steps: the server determines whether a source IP address, a target IP address and a target port in the abnormal access result belong to a preset source IP address, a preset target IP address and a preset target port in the network security policy; and if at least one item of the abnormal access results is not in accordance with the network security policy, determining that the abnormal access results are not in accordance with the network security policy.
That is, the client accesses the target end in the detection rule according to the detection rule, and the obtained access information includes the client IP address, i.e., the source IP address, as well as the target IP address and the target port of the target end. If the access information is abnormal, it is recorded as an abnormal access result and sent to the server. The white list in the server comprises a network security policy, and the network security policy comprises a preset source IP address, a preset target IP address and a preset target port. If the source IP address, the target IP address and the target port in the abnormal access result completely match the preset source IP address, the preset target IP address and the preset target port contained in the network security policy, the abnormal access result is considered not to be abnormal, and the abnormal access result is deleted.
In one example, the IP address segment of network area 1 is 192.168.124.0/24, the IP address of the client is 192.168.124.20, the IP address segment of network area 2 is 192.168.125.0/24, and the network security policy in the white list of the server includes a preset source IP address 0.0.0.0/0 (all IP addresses in the intranet), a preset destination IP address 192.168.125.20 and a preset destination port 8080. The detection rule obtained by the client in network area 1 is as follows: all IP addresses in the intranet may access ports 80 and 443 of the IP address segment 192.168.125.0/24, and access to other ports is not allowed. That is, when the client sends a rule obtaining request to the server, the data returned by the server is:
{"rules": {
    "id": 1,                          (detection rule identification: 1)
    "src_ip": "0.0.0.0/0",            (source IP address: all IP addresses in the intranet)
    "dst_ip": "192.168.125.0/24",     (destination IP address: all IP addresses in network area 2)
    "open_ports": "80,443"            (open ports of all devices in network area 2: 80, 443)
}}
That is, the network security policy is: devices in network area 2 cannot be accessed on ports other than 80 and 443 by devices in other network areas, but there is one device in network area 2 with an applied exception, whose IP address is 192.168.125.20 and which needs to be accessed on port 8080 by devices in other network areas.
According to the obtained detection rule 1, the client determines whether its own IP address is included in the source IP address of detection rule 1. If it is not, the client needs to detect the 65535 default ports, that is, all ports (if the client's own IP address is not included in the source IP address of detection rule 1, the network security policy does not allow the client to access any port in network area 2; the client therefore needs to attempt to connect to every port in network area 2 to carry out the detection, and if the client can communicate with a port in network area 2 that should not be connectable, the network security policy of network area 1 and/or network area 2 is abnormal and an abnormal access result needs to be generated). If the client determines that its own IP address is included in the source IP address of detection rule 1, ports 80 and 443 of network area 2 are deleted from the port list (in one possible design, the ports the client is allowed to communicate with need not be attempted), and the client attempts to connect to the 65533 ports other than 80 and 443 in the port list, so as to detect the network security policy. If the client successfully establishes connections with ports 90 and 8080 of IP address 192.168.125.20 in network area 2, the generated abnormal access results include: source IP address 192.168.124.20, destination IP address 192.168.125.20, destination port 90; and source IP address 192.168.124.20, destination IP address 192.168.125.20, destination port 8080.
The client sends the abnormal access results to the server. After receiving them, the server matches each of the two abnormal access results with the white list and determines that the abnormal access result with source IP address 192.168.124.20, target IP address 192.168.125.20 and target port 8080 conforms to the network security policy in the white list, since the preset source IP address 0.0.0.0/0 covers all IP addresses in the intranet, the preset target IP address is 192.168.125.20 and the preset target port is 8080; this abnormal access result is therefore deleted, and an alarm is generated according to the remaining abnormal access result.
The embodiment of the present application provides a method for matching an abnormal access result with a white list, including:
the server determines whether the source IP address in the abnormal access result belongs to the preset source IP address in the network security policy, and if not, acquires the next abnormal access result;
if so, the server determines whether the target IP address in the abnormal access result belongs to the preset target IP address in the network security policy, and if not, acquires the next abnormal access result;
if so, the server determines whether the target port in the abnormal access result belongs to the preset target port in the network security policy, and if not, acquires the next abnormal access result;
if so, the abnormal access result is deleted. Finally, the remaining abnormal access results are obtained, and an alarm is generated for each remaining abnormal access result. The server may use the time of receiving the abnormal access results as the matching order, the abnormal access result received first being matched first; this way of determining the matching order is only one possible design, and the specific matching order is not limited.
Based on the above examples and methods, embodiments of the present application provide an example of a flow of a method for matching an abnormal access result with a white list, as shown in fig. 4: step 401, obtaining an abnormal access result, sequentially traversing the white list, and obtaining the corresponding white list data. As in the previous example, the abnormal access result with source IP address 192.168.124.20, target IP address 192.168.125.20 and target port 8080 is obtained. The first white list: {"white_list_src_ip": "0.0.0.0/0", "white_list_dst_ip": "192.168.125.20", "open_ports": "8080"};
step 402, judging whether the source IP address src_ip of the abnormal access result is in the source IP address white_list_src_ip of the white list; if not, returning to step 401 to obtain the next white list data in the white list. If so, execution proceeds to decision step 403.
Step 403, judging whether dst_ip is equal to white_list_dst_ip; if not, go back to step 401 to obtain the next white list data. If so, execution proceeds to decision step 404.
Step 404, judging whether the port is in open_ports; if not, go back to step 401 to obtain the next white list data. If so, the abnormal access result is in the white list, the abnormal access result is deleted, and execution returns to step 401 to obtain the next abnormal access result data. In this example, the abnormal access result is in the white list and is deleted.
Step 401, if there is an unmatched abnormal access result, obtaining that abnormal access result, sequentially traversing the white list, and obtaining the corresponding white list data. As in the previous example, the abnormal access result with source IP address 192.168.124.20, target IP address 192.168.125.20 and target port 90 is obtained. The first white list: {"white_list_src_ip": "0.0.0.0/0", "white_list_dst_ip": "192.168.125.20", "open_ports": "8080"};
step 402, judging whether the source IP address src_ip of the abnormal access result is in the source IP address white_list_src_ip of the white list; if not, returning to step 401 to obtain the next white list data in the white list. If so, execution proceeds to decision step 403.
Step 403, judging whether dst_ip is equal to white_list_dst_ip; if not, go back to step 401 to obtain the next white list data. If so, execution proceeds to decision step 404.
Step 404, judging whether the port is in open_ports; if not, go back to step 401 to obtain the next white list data. If so, the abnormal access result is in the white list, the abnormal access result is deleted, and execution returns to step 401 to obtain the next abnormal access result data. In this example, the abnormal access result is not in the white list, and the abnormal access result is retained.
Step 405, after traversing all the abnormal access results, the remaining abnormal access results are the data to be alarmed, and the server generates an alarm according to the remaining abnormal access results. In the above example, the abnormal access result with the target port of 90 in the two abnormal access results is not matched with the network security policy in the white list, and after all the abnormal access results are traversed, the abnormal access results remain in the last list: source IP address 192.168.124.20, destination IP address 192.168.125.20, destination port 90; and generating an alarm aiming at the abnormal access result. It should be noted that, the matching sequence of the abnormal access result and the source IP address, the destination IP address, and the destination port in the white list with the preset source IP address, the preset destination IP address, and the preset destination port respectively may be matching according to the sequence of the preset source IP address, the preset destination IP address, and the preset destination port in the white list, or matching according to the source IP address, the destination IP address, and the destination port in the abnormal access result, where the matching sequence of the abnormal access result and the data in the white list may be set as needed, and is not particularly limited.
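The following is an added example of the fig. 4 matching flow in working code; it is not code from the patent or any product. It generalizes the flow in one respect: both white-list addresses are treated as CIDR prefixes, so a single host such as 192.168.125.20 matches by equality while a prefix such as 0.0.0.0/0 matches by membership. The white-list keys are the page's; the result keys (src_ip, dst_ip, dst_port), the function names and the sample data are assumptions.

```python
"""Server-side white-list matching of abnormal access results (fig. 4, steps 401-405).

Added example, not code from the page or the patent. White-list entries use the
page's keys (white_list_src_ip, white_list_dst_ip, open_ports); the result keys,
function names and sample data are assumptions.
"""
import ipaddress
from typing import Dict, Iterable, List


def open_ports(entry: Dict) -> set:
    """Parse the open_ports value, e.g. "8080" or "80, 443", into a set of ints."""
    return {int(p) for p in str(entry["open_ports"]).split(",") if p.strip()}


def matches_entry(result: Dict, entry: Dict) -> bool:
    """Steps 402-404 against one white-list entry.

    The source must fall inside white_list_src_ip (a prefix such as 0.0.0.0/0),
    the destination must equal white_list_dst_ip (a host; a prefix also works),
    and the destination port must be listed in open_ports.
    """
    src_net = ipaddress.ip_network(entry["white_list_src_ip"], strict=False)
    dst_net = ipaddress.ip_network(entry["white_list_dst_ip"], strict=False)
    if ipaddress.ip_address(result["src_ip"]) not in src_net:
        return False  # step 402 failed: caller tries the next entry
    if ipaddress.ip_address(result["dst_ip"]) not in dst_net:
        return False  # step 403 failed
    return int(result["dst_port"]) in open_ports(entry)  # step 404


def filter_results(results: Iterable[Dict], whitelist: List[Dict]) -> List[Dict]:
    """Steps 401 and 405: walk the results in order of receipt; a result covered
    by any white-list entry is deleted, the rest are returned as alarm data."""
    remaining = []
    for result in results:
        if any(matches_entry(result, entry) for entry in whitelist):
            continue
        remaining.append(result)
    return remaining


def generate_alarms(results: Iterable[Dict], whitelist: List[Dict]) -> List[str]:
    """One alarm line per remaining abnormal access result."""
    return [f"ALARM: {r['src_ip']} reached {r['dst_ip']}:{r['dst_port']} against policy"
            for r in filter_results(results, whitelist)]


# Constructed sample data mirroring the page's example.
WHITELIST = [{"white_list_src_ip": "0.0.0.0/0",
              "white_list_dst_ip": "192.168.125.20",
              "open_ports": "8080"}]
RESULTS = [{"src_ip": "192.168.124.20", "dst_ip": "192.168.125.20", "dst_port": 8080},
           {"src_ip": "192.168.124.20", "dst_ip": "192.168.125.20", "dst_port": 90}]

if __name__ == "__main__":
    for line in generate_alarms(RESULTS, WHITELIST):
        print(line)
```

Running the sample drops the port 8080 result and raises a single alarm for the port 90 result, as in the page's walk-through. Because every entry is consulted before a result is retained, the order of the white list does not affect the outcome, only the order of the results does.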
The embodiment of the application provides a method for verifying a rule acquisition request, wherein the rule acquisition request comprises the IP address of the client and a first signature generated by the client; the server determining the detection rule of the client according to the rule acquisition request comprises: the server verifies the first signature in the rule acquisition request and, after the verification passes, determines the detection rule of the client according to the IP address of the client. That is, the rule acquisition request may carry the first signature, the server verifies the first signature after receiving the request, and if the first signature is legal, the client that sent the rule acquisition request is considered a legal client.
The embodiment of the application further provides that the rule acquisition request also comprises a timestamp. The first signature is generated as follows: the client concatenates its IP address, the timestamp and the client's authorization information to obtain ordered concatenated data, and computes the first signature over the ordered concatenated data with a preset encryption algorithm. The server verifies the first signature as follows: the server computes a second signature with the same preset encryption algorithm over the client IP address and timestamp taken from the rule acquisition request together with the server's own authorization information, the authorization information of the client being the same as that of the server; if the server determines that the first signature is the same as the second signature, the client passes verification and is legal. The preset encryption algorithm is in practice a one-way digest, for example the MD5 message digest algorithm or another hash algorithm. Since both sides concatenate the client IP address, the timestamp and the authorization information in the same order and digest the result with the same algorithm, the first and second signatures agree exactly when the authorization information agrees.
Correspondingly, if the authorization information of the client differs from that of the server, the first signature differs from the second signature, the verification fails, and the client is an illegal client. The timestamp in the request only protects against replay of a captured request if the server also checks that it lies within an acceptable window of the server's own clock; a request whose signature is correct but whose timestamp is stale should be rejected.
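The request signing and verification described above, as an added example that is not the patent's code. It implements the scheme as the page states it (a digest such as MD5 over the concatenated client IP, timestamp and shared authorization information, compared on the server) and, alongside it, the form a practitioner would deploy: HMAC-SHA256 instead of a bare hash over a concatenation, a constant-time comparison, and a freshness window on the timestamp. The field names, the separator, the key material and the 300-second window are assumptions.

```python
"""Rule-acquisition request signing (client) and verification (server).

Added example, not code from the page or the patent. page_signature() follows
the page's description (MD5 over ip + timestamp + authorization information);
hmac_signature() is the hardened variant. Field names, separator, key material
and the freshness window are assumptions.
"""
import hashlib
import hmac
import time
from typing import Callable, Dict, Optional

# Constructed shared secret: the page's "authorization information", provisioned
# to the client when it joins its network area and held identically by the server.
SHARED_AUTH_KEY = b"example-authorization-key"

Signer = Callable[[str, int, bytes], str]


def page_signature(client_ip: str, timestamp: int, auth_key: bytes) -> str:
    """The scheme as described: concatenate in a fixed order, then MD5."""
    data = f"{client_ip}|{timestamp}|".encode() + auth_key
    return hashlib.md5(data).hexdigest()


def hmac_signature(client_ip: str, timestamp: int, auth_key: bytes) -> str:
    """Hardened variant: a keyed MAC over the same fields."""
    msg = f"{client_ip}|{timestamp}".encode()
    return hmac.new(auth_key, msg, hashlib.sha256).hexdigest()


def build_rule_request(client_ip: str, auth_key: bytes, now: Optional[int] = None,
                       signer: Signer = hmac_signature) -> Dict:
    """Client side (step 502): ip, current timestamp and first signature."""
    ts = int(time.time() if now is None else now)
    return {"client_ip": client_ip, "timestamp": ts,
            "signature": signer(client_ip, ts, auth_key)}


def verify_rule_request(request: Dict, auth_key: bytes, now: Optional[int] = None,
                        signer: Signer = hmac_signature, max_skew: int = 300) -> bool:
    """Server side (step 504): recompute the second signature from the request's
    own ip and timestamp plus the server's key, compare in constant time, and
    reject timestamps outside the freshness window (replay protection; an
    added check the page does not spell out)."""
    try:
        ts = int(request["timestamp"])
        client_ip = str(request["client_ip"])
        first = str(request["signature"])
    except (KeyError, TypeError, ValueError):
        return False
    current = int(time.time() if now is None else now)
    if abs(current - ts) > max_skew:
        return False
    second = signer(client_ip, ts, auth_key)
    return hmac.compare_digest(first, second)


if __name__ == "__main__":
    req = build_rule_request("192.168.124.20", SHARED_AUTH_KEY)
    print(req)
    print("valid:", verify_rule_request(req, SHARED_AUTH_KEY))
    print("wrong key:", verify_rule_request(req, b"other-key"))
```

Both variants recompute the signature from the fields the request carries, so the server never needs the client's copy of the key; what differs is that the HMAC variant is a proper keyed MAC, while a bare digest over a concatenation depends on the separator and the hash function for its security. A server that checks only signature equality will accept a captured request indefinitely, which is why the freshness check is part of verify_rule_request.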
The embodiment of the application provides a rule updating method, comprising: the server receives a detection rule update instruction and updates the detection rule and/or the network security policy according to the detection rule update instruction. That is, the server may expose an external interface such as a front-end page on which a developer enters the detection rule and related configuration such as the network security policy and the white list; the server generates a detection rule update instruction from the entered configuration and updates the detection rule, the network security policy and the white list accordingly.
Based on the system architecture of fig. 1, the client and server of figs. 2a, 2b and 3, and the method flow of fig. 4, an embodiment of the present application provides a method flow for detecting an intranet security policy, as shown in fig. 5, comprising:
Step 501, the server receives a detection rule update instruction and updates the detection rule and/or the network security policy and/or the white list according to it. In one example, a user configures the detection rules, network security policy rules and white list on the server's front-end page according to the enterprise's network architecture, and the server generates a detection rule update instruction from the configuration entered on the front-end page to update the detection rules and/or the network security policies and/or the white list. In the above example, detection rule 1 after the update is: devices in network area 2 allow access on ports 80 and 443 from devices in other network areas of the intranet, and access to any other port in network area 2 is not allowed. That is, source IP address "0.0.0.0/0"; destination IP address "192.168.125.0/24"; open ports "80, 443". The network security policy in the white list after the update is: preset source IP address 0.0.0.0/0, preset destination IP address 192.168.125.20 and preset destination port 8080. It should be noted that the network security policy comprises both the network security policy deployed in each network region of the intranet and the network security policy preset in the white list; updating the white list is taken here only as an example, and the specific update process for the network security policy deployed in each network region is not limited, that is, the client may also obtain the network security policy of its own network region from the server by a request in the same way.
Step 502, the client concatenates its own IP address, the current timestamp and its authorization information, generates a first signature with the preset encryption algorithm, and then generates a rule acquisition request containing its own IP address, the current timestamp and the first signature. Here the authorization information may be configured for the client when the client is determined to join the network area; the authorization information may be a key value; the preset encryption algorithm may be the MD5 algorithm.
Step 503, the client sends the rule acquisition request to the server.
Step 504, after obtaining the rule acquisition request, the server extracts the client IP address and the current timestamp from the request, obtains the server's authorization information, concatenates the client IP address, the current timestamp and the server's authorization information, generates a second signature with the preset encryption algorithm, and compares the first signature with the second signature; if they are the same, the client corresponding to the rule acquisition request is determined to be legal. Here the preset encryption algorithm of the server is the same as that of the client.
Step 505, the server takes the client IP address from the rule acquisition request, generates the corresponding query statement and obtains the detection rule from the database.
Step 506, the server returns the detection rule to the client that initiated the rule acquisition request.
Step 507, the client receives the detection rule, generates a detection list according to the detection rule, and establishes a socket connection with each target port in the detection list in turn. In the above example, the detection list generated according to detection rule 1 is:
{192.168.125.1:1,
192.168.125.1:2,
…
192.168.125.24:65535}
Ports 80 and 443 are not included.
Step 508, the client generates an abnormal access result from each access that does not conform to the detection rule. In the above example, the client successfully establishes connections to ports 90 and 8080 of IP address 192.168.125.20 in network area 2, and therefore generates two abnormal access results: source IP address 192.168.124.20, destination IP address 192.168.125.20, destination port 90; and source IP address 192.168.124.20, destination IP address 192.168.125.20, destination port 8080.
Step 509, the client sends the abnormal access results to the server.
Step 510, the server determines, according to the white list, which abnormal access results do not conform to the white list. In the above example, the two abnormal access results are each compared with the white list data: the preset source IP address 0.0.0.0/0, which matches all IP addresses, the preset destination IP address 192.168.125.20 and the preset destination port 8080. The result with destination port 8080 conforms to the white list and is discarded; the result with destination port 90 does not.
Step 511, the server generates an alarm for each abnormal access result that does not conform to the white list.
It should be noted that the above order of steps is not exclusive; for example, step 502 may be executed before step 501.
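The client-side part of the fig. 5 flow (steps 507 and 508), as an added example that is not the patent's code: the detection list is derived from the rule by enumerating every host in the destination prefix with every port not listed as open, and each target is probed; a successful connection to a target the rule says must be closed becomes an abnormal access result. The probe is injectable so the sample run below uses a constructed set of open ports instead of real sockets; the rule keys (src_ip, dst_ip, open_ports), the function names, the half-second timeout and the lab data are assumptions.

```python
"""Client-side detection list generation and probing (fig. 5, steps 507-508).

Added example, not code from the page or the patent. The detection rule keys,
function names, timeout and the constructed lab data are assumptions. The real
probe (tcp_connect) opens TCP connections; the sample run injects fake_connect.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterator, List, Set, Tuple


def parse_ports(spec: str) -> Set[int]:
    """Parse "80, 443" or "1000-1010" style open-port lists into a set of ints."""
    ports: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def detection_list(rule: Dict) -> Iterator[Tuple[str, int]]:
    """Step 507: every host of the destination prefix combined with every port
    the rule does not list as open. Yields lazily; a /24 is 254 x 65533 targets."""
    allowed = parse_ports(rule["open_ports"])
    net = ipaddress.ip_network(rule["dst_ip"], strict=False)
    hosts = [net.network_address] if net.num_addresses == 1 else net.hosts()
    for host in hosts:
        for port in range(1, 65536):
            if port not in allowed:
                yield str(host), port


def tcp_connect(host: str, port: int, timeout: float = 0.5) -> bool:
    """Real probe: True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(rule: Dict, src_ip: str,
          connect: Callable[[str, int], bool] = tcp_connect) -> List[Dict]:
    """Step 508: any target in the detection list that accepts a connection
    violates the rule and is reported as an abnormal access result."""
    return [{"src_ip": src_ip, "dst_ip": host, "dst_port": port}
            for host, port in detection_list(rule) if connect(host, port)]


# Constructed lab data. RULE_1 mirrors the page's detection rule 1; LAB_RULE
# narrows it to the single host the page's example reaches, and OPEN_IN_LAB
# stands in for what that host actually has listening.
RULE_1 = {"src_ip": "0.0.0.0/0", "dst_ip": "192.168.125.0/24", "open_ports": "80, 443"}
LAB_RULE = dict(RULE_1, dst_ip="192.168.125.20")
OPEN_IN_LAB = {("192.168.125.20", 80), ("192.168.125.20", 443),
               ("192.168.125.20", 90), ("192.168.125.20", 8080)}


def fake_connect(host: str, port: int) -> bool:
    """Stand-in for tcp_connect over the constructed lab host."""
    return (host, port) in OPEN_IN_LAB


if __name__ == "__main__":
    for result in probe(LAB_RULE, "192.168.124.20", connect=fake_connect):
        print(result)
```

On the constructed host, ports 80 and 443 are never probed because the rule opens them, so only the listeners on 90 and 8080 appear as abnormal access results, exactly the two records the page's step 508 produces. Against a real /24 the generator yields over sixteen million targets, so a deployment would parallelize the connects and keep the timeout short; the policy test itself is unchanged.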
Based on the same concept, an embodiment of the present invention provides an apparatus for detecting an intranet security policy, and fig. 6 is a schematic diagram of the apparatus for detecting an intranet security policy provided in the embodiment of the present application, as shown in fig. 6, the apparatus includes:
the intranet security policy detection system comprises at least one client and a server, wherein the at least one client belongs to at least one network area in an intranet respectively, and the device comprises:
the receiving and sending module 601 is configured to generate a rule obtaining request and send the rule obtaining request to the server;
the transceiver module 601 is further configured to determine a detection rule of the client according to the rule obtaining request, and send the detection rule to the client, where the detection rule is used to indicate an access right between the client and a target end;
the processing module 602 is configured to access a target end in the detection rule, and send an abnormal access result that does not meet the detection rule to the server end;
the processing module 602 is further configured to analyze the abnormal access result and generate an alarm.
Optionally, the processing module 602 is specifically configured to: determining whether the abnormal access result conforms to a network security policy in a white list; and if not, generating an alarm according to the abnormal access result.
Optionally, the processing module 602 is specifically configured to: determining whether a source IP address, a target IP address and a target port in the abnormal access result belong to a preset source IP address, a preset target IP address and a preset target port in the network security policy; and if at least one item of the abnormal access results is not in accordance with the network security policy, determining that the abnormal access results are not in accordance with the network security policy.
Optionally, the rule obtaining request includes an IP address of the client and a first signature generated by the client; the transceiver module 601 is specifically configured to: and verifying the first signature in the rule acquisition request, and determining the detection rule of the client according to the IP address of the client after the verification is passed.
Optionally, the rule obtaining request further includes a timestamp. The first signature is generated by the client splicing its IP address, the timestamp and the authorization information of the client to obtain ordered spliced data and encrypting the ordered spliced data with a preset encryption algorithm. The transceiver module 601 is specifically configured to: encrypt the IP address of the client and the timestamp in the rule obtaining request together with the authorization information of the server according to the preset encryption algorithm to obtain a second signature, the authorization information of the client being the same as that of the server; and, if the first signature is determined to be the same as the second signature, determine that the client passes verification and is legal.
Optionally, the processing module 602 is further configured to: and receiving a detection rule updating instruction, and respectively updating the detection rule and/or the network security policy according to the detection rule updating instruction.
Based on the same concept, an embodiment of the present invention provides an apparatus for detecting an intranet security policy, and fig. 7 is a schematic diagram of the apparatus for detecting an intranet security policy provided by the embodiment of the present application, as shown in fig. 7, the apparatus includes:
the intranet security policy detection system comprises at least one client and a server, wherein the at least one client belongs to at least one network area in an intranet respectively, and the device comprises:
the receiving and sending module 701 is configured to generate a rule obtaining request and send the rule obtaining request to the server;
the transceiver module 701 is further configured to receive a detection rule determined by the server according to the rule acquisition request; the detection rule is used for indicating the access authority between the client and the target end;
the detection module 702 is configured to access a target end in the detection rule, and send an abnormal access result that does not meet the detection rule to the server end; and the abnormal access result is used for generating an alarm after the server side analyzes the abnormal access result.
Based on the same concept, an embodiment of the present invention provides an apparatus for detecting an intranet security policy, and fig. 8 is a schematic diagram of the apparatus for detecting an intranet security policy provided by the embodiment of the present application, and as shown in fig. 8, the apparatus includes:
the intranet security policy detection system comprises at least one client and a server, wherein the at least one client belongs to at least one network area in an intranet respectively, and the device comprises:
a transceiver module 801, configured to receive a rule obtaining request sent by the client, and determine a detection rule of the client according to the rule obtaining request;
the transceiver module 801 is further configured to send the detection rule to the client, where the detection rule is used to indicate an access right between the client and a target; receiving an abnormal access result sent by the client, wherein the abnormal access result is determined by the client according to a target end which does not accord with the detection rule;
and an alarm module 802, configured to analyze the abnormal access result and generate an alarm.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.