CN109547397A - Network security management system - Google Patents
Network security management system
- Publication number: CN109547397A (application CN201710867950.8A)
- Authority: CN (China)
- Prior art keywords: information, site, permission, type, inventory
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The invention discloses a network security management system for managing target sites belonging to an internal network environment. It comprises an information collection device, a type judgment device and an event management device. The information collection device collects the site information that each target site issues when it logs in, namely its domain information, computer name information and account information. The type judgment device compares the site information received by the information collection device against a network node administration inventory to judge the site type to which each target site belongs. The event management device, according to the judgment result of the type judgment device, decides whether the target site has operating rights, or grants it the operating rights corresponding to its site type.
Description
Technical field
The present invention relates to network security management systems, and more particularly to a network security management system for managing an internal network (intranet).
Background technique
With the development of networks and digital information, computers have become the bridge between the members and the departments inside a business organization, and networks are set up so that important information and files can be exchanged between them. Exchanging information over a network also brings many risks, such as theft of information and the spread of viruses. Enterprises therefore have to establish several security management systems in their network environment, such as firewalls and antivirus programs, to prevent criminals outside the enterprise from stealing information and to stop computer viruses from spreading. Such security management systems still have gaps, however: they cannot prevent data leaks caused by improper operation by members, nor criminals stealing information or intruding into systems through the intranet or its computers.
Therefore, besides building internal security management systems, existing enterprises often rely on dispersed and cumbersome manual operation to control each computer, and on complicated authentication procedures to check each item of information to be transmitted. This type of security system lacks integration: in terms of computer management, it cannot effectively identify a problematic site. That is, by the time the security system finds a computer anomaly, a period of time has passed, and the state of each computer then has to be analyzed from every part of the system, so the location of the problem cannot be learned quickly. Also, in terms of information management, the security system requires that classified-document administrators set the permission of each file according to its content. If the administrators cannot set permissions in real time because the classified files are too numerous, work is delayed. The internal security management systems of the prior art therefore still have many shortcomings and need improvement.
Summary of the invention
The purpose of the present invention is to provide a network security management system that can effectively integrate all internal sites and distribute site permissions in real time, thereby achieving a practical, time-saving and secure effect.
To solve the problems of the prior art, the technical means used by the present invention is to provide a network security management system for managing target sites belonging to an internal network environment. The network security management system comprises: an information collection device, which collects the site information that each target site issues when it logs in, the site information comprising domain information, computer name information and account information; a type judgment device, signal-connected to the information collection device, which is configured to compare the site information received by the information collection device against a network node administration inventory in order to judge the site type to which each target site that logs in to the network security management system belongs. The network node administration inventory holds, for each site type, an allowed domain information, an allowed computer name information and an allowed account information, and the comparison of the site information against the network node administration inventory consists of comparing the site information respectively against the allowed domain information, the allowed computer name information and the allowed account information; from the comparison results the type judgment device either matches the target site to a corresponding site type in the inventory and judges that the target site belongs to that site type, or finds no corresponding site type for the target site and judges that it is not in the inventory. The system further comprises an event management device, signal-connected to the type judgment device, which is configured to judge, from the judgment result of the type judgment device, the login event corresponding to the target site and to execute a corresponding management operation on the target site, the management operation including deciding whether the target site has operating rights or granting the target site the operating rights corresponding to its site type.
In one embodiment of the invention, the site types include an allowed local login type, for which the allowed domain information and the allowed account information are empty information. The type judgment device compares the allowed domain information; if the comparison result of the allowed domain information is no, it compares the allowed computer name information of the allowed local login type; if the comparison result of the allowed computer name information of the allowed local login type is yes, it judges that the login of the target site belongs to the allowed local login type in the inventory, and the event management device judges it to be an in-inventory allowed local login event.
In one embodiment of the invention, if the comparison result of the allowed computer name information of the allowed local login type is no, the login of the target site is judged to belong to a non-allowed local login type not in the inventory, and the event management device judges it to be a not-in-inventory non-allowed local login event.
In one embodiment of the invention, the site types include a general account type, for which the allowed computer name information is empty information. The type judgment device compares the allowed domain information, the allowed computer name information and the allowed account information in turn; if the comparison result of the allowed domain information is yes, the comparison result of the allowed computer name information is no and the comparison result of the allowed account information is yes, it further compares the allowed account information of the general account type; if the comparison result of the allowed account information of the general account type is yes, it judges that the login of the target site belongs to the general account type in the inventory, and the event management device judges it to be an in-inventory general account login event.
In one embodiment of the invention, if the comparison result of the allowed domain information is yes, the comparison result of the allowed computer name information is no and the comparison result of the allowed account information is no, the login of the target site is judged to belong to a non-managed inventory type not in the inventory, and the event management device judges it to be a not-in-inventory non-managed inventory login event.
In one embodiment of the invention, if the comparison result of the allowed account information of the general account type is no, the login of the target site is judged to belong to a non-designated computer type not in the inventory, and the event management device judges it to be a not-in-inventory non-designated computer login event.
In one embodiment of the invention, the site types include a bound computer and account type. The type judgment device compares the allowed domain information and the allowed computer name information; if the comparison result of the allowed domain information is yes and the comparison result of the allowed computer name information is yes, it compares the allowed account information of the bound computer and account type; if the comparison result of the allowed account information of the bound computer and account type is yes, it judges that the login of the target site belongs to the bound computer and account type in the inventory, and the event management device judges it to be an in-inventory bound computer and account login event.
In one embodiment of the invention, the site types include a general computer type, for which the allowed account information is empty information. If the comparison result of the allowed account information of the bound computer and account type is no, the type judgment device further compares the allowed computer name information of the general computer type; if the comparison result of the allowed computer name information of the general computer type is yes, it judges that the login of the target site belongs to the general computer type in the inventory, and the event management device judges it to be an in-inventory general computer login event.
In one embodiment of the invention, if the comparison result of the allowed computer name information of the general computer type is no, the login of the target site is judged to belong to a non-designated account type not in the inventory, and the event management device judges it to be a not-in-inventory non-designated account login event.
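The comparison order described in the embodiments above (the steps that Fig. 4 numbers S101 to S115) as an added Python example, not code from the patent. The inventory entries and site logins are constructed, empty (null) allowed fields are ignored as the page specifies, names are compared case-insensitively, and each type-specific step is read as "some inventory entry of that type matches on every non-null field", which is this example's interpretation.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class InventoryEntry:
    """One row of the network node administration inventory (Fig. 3 layout).
    None stands for the page's empty (null) information: ignored when comparing."""
    index: int
    site_type: str
    allowed_domain: Optional[str]
    allowed_computer: Optional[str]
    allowed_account: Optional[str]


@dataclass(frozen=True)
class SiteInfo:
    """Login information issued by a target site's agent program."""
    domain: str
    computer: str
    account: str


@dataclass(frozen=True)
class Judgment:
    in_inventory: bool
    site_type: str
    event: str
    step: str  # judgment step of Fig. 4 that produced the result


ALLOWED_LOCAL_LOGIN = "allowed local login"
GENERAL_ACCOUNT = "general account"
BOUND_COMPUTER_AND_ACCOUNT = "bound computer and account"
GENERAL_COMPUTER = "general computer"

# Constructed inventory: one entry per site type, with the null pattern the page
# prescribes for each type.
INVENTORY: List[InventoryEntry] = [
    InventoryEntry(1, ALLOWED_LOCAL_LOGIN, None, "PC-KIOSK01", None),
    InventoryEntry(2, GENERAL_ACCOUNT, "A", None, "helpdesk"),
    InventoryEntry(3, BOUND_COMPUTER_AND_ACCOUNT, "A", "PC-A1", "alice"),
    InventoryEntry(4, GENERAL_COMPUTER, "B", "PC-B1", None),
]


def _same(allowed: Optional[str], actual: str) -> bool:
    # Domain, computer and account names are compared case-insensitively;
    # an empty allowed value is ignored.
    return allowed is None or allowed.casefold() == actual.casefold()


def _entry_matches(entry: InventoryEntry, site: SiteInfo) -> bool:
    """Every non-empty allowed field of the entry equals the site's field."""
    return (_same(entry.allowed_domain, site.domain)
            and _same(entry.allowed_computer, site.computer)
            and _same(entry.allowed_account, site.account))


def _type_matches(site_type: str, site: SiteInfo, inventory: Iterable[InventoryEntry]) -> bool:
    return any(e.site_type == site_type and _entry_matches(e, site) for e in inventory)


def _field_allowed(values: Iterable[Optional[str]], value: str) -> bool:
    # Steps S101/S105/S106: does any inventory entry carry this allowed value?
    return any(v is not None and v.casefold() == value.casefold() for v in values)


def classify_login(site: SiteInfo, inventory: List[InventoryEntry] = INVENTORY) -> Judgment:
    """Walk the comparison steps of Fig. 4 and return the resulting judgment."""
    # S101: is the site's domain an allowed domain?
    if not _field_allowed((e.allowed_domain for e in inventory), site.domain):
        # S102: allowed local login type, compared by computer name only
        if _type_matches(ALLOWED_LOCAL_LOGIN, site, inventory):
            return Judgment(True, ALLOWED_LOCAL_LOGIN, "in-inventory allowed local login", "S103")
        return Judgment(False, "non-allowed local login",
                        "not-in-inventory non-allowed local login", "S104")
    # S105: is the site's computer name an allowed computer name?
    if not _field_allowed((e.allowed_computer for e in inventory), site.computer):
        # S106: is the site's account an allowed account?
        if not _field_allowed((e.allowed_account for e in inventory), site.account):
            return Judgment(False, "non-managed inventory",
                            "not-in-inventory non-managed inventory", "S109")
        # S107: general account type, compared by domain and account
        if _type_matches(GENERAL_ACCOUNT, site, inventory):
            return Judgment(True, GENERAL_ACCOUNT, "in-inventory general account", "S108")
        return Judgment(False, "non-designated computer",
                        "not-in-inventory non-designated computer", "S110")
    # S111: bound computer and account type, all three fields must match
    if _type_matches(BOUND_COMPUTER_AND_ACCOUNT, site, inventory):
        return Judgment(True, BOUND_COMPUTER_AND_ACCOUNT,
                        "in-inventory bound computer and account", "S112")
    # S113: general computer type, compared by domain and computer name
    if _type_matches(GENERAL_COMPUTER, site, inventory):
        return Judgment(True, GENERAL_COMPUTER, "in-inventory general computer", "S114")
    # Remaining judgment step of the description of symbols (inferred to be S115)
    return Judgment(False, "non-designated account",
                    "not-in-inventory non-designated account", "S115")
```

Note that a known computer name logged into from an unlisted account ends at S115 rather than S109, because S105 already answered yes; the order of the steps, not just their conditions, decides the event.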
In one embodiment of the invention, the network security management system further comprises an online monitoring device, signal-connected to the event management device. When a target site previously judged not to be in the inventory comes online in the network environment, the online monitoring device judges whether the target site was forced to log in to the network security management system. If the target site was not forced to log in to the network security management system, the event management device judges this to be a legitimate-online event outside the management scope, and notifies the target site to execute the management operation of installing an agent program.
In one embodiment of the invention, when the online monitoring device judges that the target site was forced to log in to the network security management system, it further confirms whether the information collection device collected the site information of the target site within the time limit; if not, the event management device judges this to be an outside-the-management-scope event of a site that has not joined the management system.
In one embodiment of the invention, the system further comprises a timing confirmation device, signal-connected to the event management device, which confirms whether each target site in the inventory reports its site information on schedule. The event management device further comprises a scheduled-report event management module which, when the timing confirmation device confirms that the target site did not report its information on schedule, judges this to be an outside-the-management-scope event of a computer that gives no response.
In one embodiment of the invention, when the scheduled-report event management module judges a computer-no-response event, it carries out a management specification query on the target site; if the result of the management specification query is an authorization authentication error or a domain name mismatch, it further judges this to be an outside-the-management-scope event of a site that has logged out of the domain.
In one embodiment of the invention, when the result of the management specification query shows neither an authorization authentication error nor a domain name mismatch, the scheduled-report event management module carries out a management specification query again to judge whether the agent program is not installed on the target site; if so, it judges this to be an outside-the-management-scope event of a site without the agent program installed; if not, it judges this to be an outside-the-management-scope event of a computer that gives no response.
In one embodiment of the invention, the system further comprises a computer identification device, signal-connected to the event management device, which, for a target site in the inventory, obtains the universally unique identifier (UUID) data of the target site through a management specification query, forms computer identification information based on it and stores it, and compares the computer identification information against the previously stored computer identification information; when the comparison result is a mismatch, the event management device judges this to be a computer impersonation anomaly event.
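The event judgments of the online monitoring, timing confirmation and computer identification devices described above, as an added Python example rather than the patent's own code. The SiteStatus fields and QueryResult outcomes are constructed stand-ins for the management specification query, whose mechanism the page does not specify, and the computer identification information is formed here as a SHA-256 digest of the UUID data.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class QueryResult(Enum):
    """Constructed outcomes of the page's management specification query."""
    OK = "ok"
    AUTH_ERROR = "authorization authentication error"
    DOMAIN_MISMATCH = "domain name mismatch"


@dataclass
class SiteStatus:
    """Constructed observation of one target site, as the monitoring devices
    would hand it to the event management device (hypothetical fields)."""
    name: str
    in_inventory: bool
    online: bool = True
    forced_login: bool = False            # was it forced to log in to the system?
    info_collected_in_time: bool = False  # site information collected within the time limit?
    reported_on_schedule: bool = True     # timing confirmation device result
    query: QueryResult = QueryResult.OK   # first management specification query
    agent_installed: bool = True          # answer of the second query
    uuid: Optional[str] = None            # UUID data obtained by the query


@dataclass
class EventManagementDevice:
    # previously stored computer identification information, per site
    identification: Dict[str, str] = field(default_factory=dict)

    def online_event(self, s: SiteStatus) -> Optional[str]:
        """Online monitoring device: a site previously judged not in the
        inventory comes online."""
        if s.in_inventory or not s.online:
            return None
        if not s.forced_login:
            # management operation: notify the site to install the agent program
            return "legitimate online, outside management scope: install agent"
        if not s.info_collected_in_time:
            return "not joined to management system, outside management scope"
        return None  # assumption: information collected in time, nothing to report

    def timing_event(self, s: SiteStatus) -> Optional[str]:
        """Timing confirmation device and scheduled-report event management
        module, for a site in the inventory."""
        if not s.in_inventory or s.reported_on_schedule:
            return None
        # A missed scheduled report is first a computer-no-response event; the
        # management specification query then refines the judgment.
        if s.query in (QueryResult.AUTH_ERROR, QueryResult.DOMAIN_MISMATCH):
            return "logged out of domain, outside management scope"
        if not s.agent_installed:  # second query
            return "agent program not installed, outside management scope"
        return "computer no response, outside management scope"

    def identification_event(self, s: SiteStatus) -> Optional[str]:
        """Computer identification device: identification information formed
        from the UUID is compared with what was stored before."""
        if not s.in_inventory or s.uuid is None:
            return None
        current = hashlib.sha256(s.uuid.encode()).hexdigest()
        # first sighting stores the baseline; a mismatch keeps the baseline
        previous = self.identification.setdefault(s.name, current)
        if previous != current:
            return "computer impersonation anomaly"
        return None

    def judge(self, s: SiteStatus) -> List[str]:
        """All events the three devices raise for one observation."""
        checks = (self.online_event, self.timing_event, self.identification_event)
        return [e for e in (c(s) for c in checks) if e is not None]
```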
By the technical means used in the present invention, in an intranet environment with a working environment of multiple domains, when a site boots and logs in to the operating system, the system can quickly collect the site information of the target site with the information collection device, and compare this login information against the established network node administration inventory with the type judgment device, so that it can quickly identify whether the current login action of the target site conforms to the network node administration inventory, achieving the purpose of managing the network system simply. Moreover, the type judgment device classifies the target site according to the network node administration inventory, so that the event management device can rapidly judge the login event according to the site type of the target site and grant the operating rights corresponding to it, for example: limiting the rights of a specific allowed computer outside the domain, limiting the rights of a specific user only, limiting the rights of a specific computer, or limiting rights that are available only when a specific computer is combined with a specific user; or, when the target site is outside the network node administration inventory, blocking it directly, thereby rapidly integrating the internal network environment and protecting information security.
In addition, the present invention can use the type judgment device to classify target sites that are outside the network node administration inventory and have the event management device judge their login events, so that an administrator can directly find the abnormal problem from the login event to which it belongs, for example an inventory-nonconformance event of a non-designated computer or of a non-designated account, without having to resolve it through cumbersome analysis.
In addition, the present invention can classify target sites in detail, achieving flexible and diversified management.
In addition, the present invention further comprises the online monitoring device, so that events can be judged for target sites not in the inventory, which are notified to install the agent program and join the management of the system, while the event management device controls their permissions according to the event to ensure network security.
Also, the present invention further comprises the timing confirmation device, which periodically confirms whether the target sites that have been granted permissions in the inventory of this system are reporting, so that it can learn whether the network connection of the target site is normal, and can further judge whether the abnormal condition is a computer-no-response event or an event in which the computer has privately exited the domain, thereby strengthening the management of the network security management system and solving the major pain point that administrators find difficult to distinguish in network security management.
It is worth mentioning that the present invention also uses the computer identification device to obtain the data of the target site through the management specification query, forms unique computer identification information from the data of the target site and stores it, in order to identify whether the computer hardware of the target site has been replaced manually. When the comparison result is abnormal, it is judged to be a computer impersonation anomaly event and the manager is notified to monitor it in real time, thereby ensuring that the computer hardware is not replaced and achieving the purpose of security management.
Description of the drawings
Fig. 1 is a schematic diagram of the network security management system according to one embodiment of the invention;
Fig. 2 is a system block diagram of the network security management system according to the embodiment of the invention;
Fig. 3 is a schematic table of the network node administration inventory of the network security management system according to the embodiment of the invention;
Fig. 4 is a flow chart of the site login type comparison steps and their corresponding login events of the network security management system according to the embodiment of the invention;
Fig. 5 is a flow chart of the event judgment steps for sites not in the inventory accessing the system, according to the embodiment of the invention;
Fig. 6 is a flow chart of the online-state event judgment steps for target sites in the inventory, according to the embodiment of the invention;
Fig. 7 is a flow chart of the judgment steps for computer hardware events of target sites in the inventory, according to the embodiment of the invention.
Description of symbols: 100 network security management system; 1 information collection device; 2 type judgment device; 3 event management device; 31 scheduled-report event management module; 4 online monitoring device; 5 timing confirmation device; 6 computer identification device; A, B domains; A1, A2, A3, B1, B2, B3 target sites; S101, S102, S105, S106, S107, S111, S113 comparison steps; S103, S104, S108, S109, S110, S112, S114, S115 judgment steps; S201 to S206 judgment steps; S301 to S309 judgment steps; S401, S403, S406 judgment steps; S402 query step; S405 comparison step; S404 access step.
Specific embodiment
Embodiments of the present invention are described below with reference to Fig. 1 to Fig. 7. The description does not limit the embodiments of the invention; it is one of the embodiments of the invention.
The invention integrates the services of a service domain on a Windows Server. It mainly manages resources such as "people and machines" and the mechanisms that make up the relationships of the network environment (e.g., company organization structure, departments, meeting rooms). The Windows Server provides many services; file services or printer services are only one of the services that integrate resources.
As shown in Fig. 1, a network security management system 100 according to an embodiment of the invention is used to manage target sites (A1, A2, A3, B1, B2, B3) belonging to an internal network environment (domain A, domain B). The network security management system 100 comprises an information collection device 1, a type judgment device 2 and an event management device 3.
For example, as shown in Figs. 1 and 2, the network security management system 100 is installed on an internal master control computer. In the embodiment of the invention, the event management device 3 serves as the overall management of all devices linked to this system (the information collection device 1, the type judgment device 2, an online monitoring device 4, a timing confirmation device 5 and a computer identification device 6). The internal network environment managed by the network security management system 100 comprises a domain A and a domain B; the target sites A1, A2, A3 are linked to domain A, and the target sites B1, B2, B3 are linked to domain B.
In the present embodiment, the internal network environment is an AD (Active Directory) environment deployed with a Microsoft system, and the agent program (Agent) is distributed to and installed on the target sites (A1, A2, A3, B1, B2, B3) through Group Policy Objects (GPO).
The information collection device 1 collects the site information that each target site (A1, A2, A3, B1, B2, B3) issues when it logs in. The site information comprises domain information, computer name information and account information. In the present embodiment, the information collection device 1 collects the site information issued by the agent program (Agent) of the target site (A1, A2, A3, B1, B2, B3) when it logs in to the AD environment. The site information comprises the login domain, the computer name and the login account, and additionally comprises the IP address, MAC address, etc.
As shown in Figs. 1 and 2, the type judgment device 2 is signal-connected to the information collection device 1. The type judgment device 2 is configured to compare the site information received by the information collection device 1 against a network node administration inventory and judge to which site type in the network node administration inventory the login of each target site (A1, A2, A3, B1, B2, B3) to the network security management system belongs; or judge that it does not belong to the network node administration inventory, and further judge which not-in-inventory type it is. The type judgment device 2 also passes the comparison result of the login site information to the event management device 3.
The event management device 3 is signal-connected to the type judgment device 2. The event management device 3 is configured to judge, from the judgment result of the type judgment device 2, an in-inventory login event of the site type corresponding to the target site (A1, A2, A3, B1, B2, B3), or a not-in-inventory login event. Moreover, for a target site (A1, A2, A3, B1, B2, B3) in the inventory, the event management device 3 allows it to access the system and grants it specific management operating rights according to its site type. For a target site (A1, A2, A3, B1, B2, B3) not in the inventory, the event management device 3 can decide according to its type whether it has operating rights, blocking system access and network connection for high-risk types, or directly block all target sites (A1, A2, A3, B1, B2, B3) not in the inventory.
As shown in Fig. 3, the network node administration inventory is, for example, accessed within this system; in the present embodiment it is accessed within the event management device 3. The network node administration inventory is a list. Its content represents: an index number, the different site types, and the conditions corresponding to each site type, namely an allowed domain information, an allowed computer name information and an allowed account information.
The site type is selected from one of four types: allowed local login, general account, bound computer and account, and general computer. The allowed domain information, the allowed computer name information and the allowed account information may be empty information (null), which indicates that the information need not satisfy a corresponding condition, that is, it is ignored and not compared when the information comparison is carried out. For the allowed local login type, the allowed domain information and the allowed account information are empty information; for the general account type, the allowed computer name information is empty information; the bound computer and account type has no empty information; for the general computer type, the allowed account information is empty information.
The type judgment device 2 compares the domain information, the computer name information and the account information of the site information respectively against the allowed domain information, the allowed computer name information and the allowed account information of the network node administration inventory. From the respective comparison results, the type judgment device 2 then matches the target site (A1, A2, A3, B1, B2, B3) to a corresponding site type in the inventory and judges the site type to which the target site (A1, A2, A3, B1, B2, B3) belongs; or, if the type judgment device 2 cannot match the target site (A1, A2, A3, B1, B2, B3) to any corresponding site type, it judges that the target site (A1, A2, A3, B1, B2, B3) is not in the inventory and further judges its not-in-inventory type.
As shown in Fig. 4, the site login type comparison steps between the site information and the network node administration inventory, and their corresponding login events, are as follows.
Allowed domain information comparison step S101: compare whether the domain of the site information is an allowed domain;
When the result of the comparison step S101 of the allowed domain information is no, carry out the comparison step S102 of the allowed computer name of the allowed local login type: compare whether the computer name of the site information is the allowed computer name of the allowed local login type;
When the result of the comparison step S102 of the allowed computer name of the allowed local login type is yes, carry out the in-inventory type judgment step S103: judge that the login of the target site (A1, A2, A3, B1, B2, B3) belongs to the allowed local login type in the inventory, and that its login is an in-inventory allowed local login event.
When the result of the comparison step S102 of the allowed computer name of the allowed local login type is no, carry out the not-in-inventory type judgment step S104: judge that the login of the target site (A1, A2, A3, B1, B2, B3) belongs to a non-allowed local login type not in the inventory, and that its login is a not-in-inventory non-allowed local login event.
When the result of the comparison step S101 of the allowed domain information is yes, carry out the comparison step S105 of the allowed computer name: compare whether the computer name of the site information is an allowed computer name;
When the result of the comparison step S105 of the allowed computer name information is no, carry out the comparison step S106 of the allowed account information: compare whether the account of the site information is an allowed account;
When the result of the comparison step S106 of the allowed account information is yes, further carry out the comparison step S107 of the allowed account information of the general account type: compare whether the account of the site information is the allowed account of the general account type;
When the result of the comparison step S107 of the allowed account information of the general account type is yes, carry out the in-inventory type judgment step S108: judge that the login of the target site (A1, A2, A3, B1, B2, B3) belongs to the general account type in the inventory, and that its login is an in-inventory general account login event.
When the result of the comparison step S107 of the allowed account information of the general account type is no, carry out the not-in-inventory type judgment step S110: judge that the login of the target site (A1, A2, A3, B1, B2, B3) belongs to a non-designated computer type not in the inventory, and that its login is a not-in-inventory non-designated computer login event.
When the result of the comparison step S105 of the allowed computer name information is no and the result of the comparison step S106 of the allowed account information is no, carry out the not-in-inventory type judgment step S109: judge that the login of the target site (A1, A2, A3, B1, B2, B3) belongs to a non-managed inventory type not in the inventory, and that its login is a not-in-inventory non-managed inventory login event.
When the result of the comparison step S105 of the allowed computer name information is yes, carry out the comparison step S111 of the allowed account information of the bound computer and account type: compare whether the account of the site information is the allowed account of the bound computer and account type;
When the result of the comparison step S111 of the allowed account information of the bound computer and account type is yes, carry out the in-inventory type judgment step S112: judge that the login of the target site (A1, A2, A3, B1, B2, B3) belongs to the bound computer and account type in the inventory, and that its login is an in-inventory bound computer and account login event.
When the result of the comparison step S111 of the allowed account information of the bound computer and account type is no, further carry out the comparison step S113 of the allowed computer name information of the general computer type: compare whether the computer name information of the site information is the allowed computer name of the general computer type;
When the result of the comparison step S113 of the allowed computer name information of the general computer type is yes, carry out the in-inventory type judgment step S114: judge that the login of the target site (A1, A2, A3, B1, B2, B3) belongs to
The general purpose computer type in list, and its login in the inventory for a general purpose computer and login event.
When the result of the comparison step S113 of the permission computer name information of the general purpose computer type is no, then
Carry out the type judgment step S115 not in inventory: that judges the object site (A1, A2, A3, B1, B2, B3) logins category
In the non-designated account type not in inventory, and its logins and do not login event in inventory for a non-designated account.
Enable to login event in the inventory of the incident management device 3 according to the object site and allow it through the above steps
It logins in the management system and gives permission according to the site type, and the non-inventory according to the object site is logined event and allowed
It can not be logined in the management system, safeguard network security so as to multi-zone supervision permission.
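The comparison tree of steps S101 to S115, written out as an added Python example (this is not code from the patent; the data layout, the names, and the reading that steps S105 and S106 compare against every allowed computer name or account of the typed entries in the inventory are assumptions, as is the constructed sample inventory):

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class SiteInfo:
    """Site information issued by an object site when it logs in, as collected
    by the information collection apparatus: domain, computer name, account."""
    domain: str
    computer_name: str
    account: str


@dataclass(frozen=True)
class Inventory:
    """Network node management inventory.  One field per site type; a field a
    type does not use is absent (claims 2, 4 and 8 call these 'empty information').
    This layout is an assumption, not the patent's own data structure."""
    allowed_domains: FrozenSet[str]
    local_login_computers: FrozenSet[str]       # allowed local login type (S102)
    general_accounts: FrozenSet[str]            # general account type (S107)
    bound_pairs: FrozenSet[Tuple[str, str]]     # bound computer-and-account type (S111)
    general_computers: FrozenSet[str]           # general computer type (S113)

    # Assumed reading: S105 / S106 compare against every allowed computer name
    # or account of the domain-joined types, regardless of which type it belongs to.
    def allowed_computers(self) -> FrozenSet[str]:
        return self.general_computers | frozenset(c for c, _ in self.bound_pairs)

    def allowed_accounts(self) -> FrozenSet[str]:
        return self.general_accounts | frozenset(a for _, a in self.bound_pairs)


@dataclass(frozen=True)
class Judgment:
    step: str           # the type judgment step that produced this result
    in_inventory: bool  # True: in-inventory login event, permission granted
    site_type: str


def classify_login(site: SiteInfo, inv: Inventory) -> Judgment:
    """Walk the S101-S115 comparison tree for a single login."""
    if site.domain not in inv.allowed_domains:                    # S101: no
        if site.computer_name in inv.local_login_computers:       # S102
            return Judgment("S103", True, "allowed local login")
        return Judgment("S104", False, "non-allowed local login")
    # S101: yes
    if site.computer_name not in inv.allowed_computers():         # S105: no
        if site.account not in inv.allowed_accounts():            # S106: no
            return Judgment("S109", False, "non-managed list")
        if site.account in inv.general_accounts:                  # S107
            return Judgment("S108", True, "general account")
        return Judgment("S110", False, "non-designated computer")
    # S105: yes
    if (site.computer_name, site.account) in inv.bound_pairs:     # S111
        return Judgment("S112", True, "bound computer and account")
    if site.computer_name in inv.general_computers:               # S113
        return Judgment("S114", True, "general computer")
    return Judgment("S115", False, "non-designated account")


def has_operating_right(site: SiteInfo, inv: Inventory) -> bool:
    """Incident management device decision: only an in-inventory login event
    may log in to the management system."""
    return classify_login(site, inv).in_inventory


# Constructed sample inventory (not from the patent).
SAMPLE_INVENTORY = Inventory(
    allowed_domains=frozenset({"CORP"}),
    local_login_computers=frozenset({"KIOSK-01"}),
    general_accounts=frozenset({"helpdesk"}),
    bound_pairs=frozenset({("WS-ALICE", "alice")}),
    general_computers=frozenset({"LAB-PC-07"}),
)

if __name__ == "__main__":
    for s in (SiteInfo("CORP", "WS-ALICE", "alice"),
              SiteInfo("CORP", "WS-ALICE", "bob"),
              SiteInfo("CORP", "HOME-LAPTOP", "mallory")):
        print(s, "->", classify_login(s, SAMPLE_INVENTORY))
```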
As shown in Figures 1 and 2, the network security management system can also include an online monitoring device 4. The online monitoring device 4 is signal-connected to the incident management device 3. The online monitoring device 4 is set to monitor an object site (A1, A2, A3, B1, B2, B3) previously judged not in the inventory when it is online in the network environment. Also, the online monitoring device 4 carries out a not-in-inventory system access event judgment step, so as to generate a corresponding event in the incident management device 3 and thereby enable the incident management device 3 to grant permission according to the event and learn whether there is an exception.
For example, the way in which the online monitoring device 4 learns that an object site (A1, A2, A3, B1, B2, B3) previously judged not in the inventory is online is by consulting a not-in-inventory equipment management inventory, from which it judges that the object site was previously judged not in the inventory. The not-in-inventory equipment management inventory is a list that is built synchronously on the incident management device 3 when the type judgment means 2 judges that an object site is not in the inventory, and in which the site information of that not-in-inventory object site is stored.
As shown in Figure 5, the event judgment step for not-in-inventory system access is as follows:
In judgment step S201, when the object site (A1, A2, A3, B1, B2, B3) is online, judgment step S202 is carried out to judge whether the object site (A1, A2, A3, B1, B2, B3) is required to log in to the network security management system.
When the judging result of judgment step S202 is no, judgment step S203 is entered: the object site (A1, A2, A3, B1, B2, B3) is judged to be a legitimately online event not within the management scope (for example a printer or facsimile machine, which cannot or need not log in to the management system), and the object site (A1, A2, A3, B1, B2, B3) is notified to execute the management operation of installing the agent program. Judgment step S204 is then carried out to judge whether the object site (A1, A2, A3, B1, B2, B3) has installed the agent program and returned site information; if it has, the flow enters the management of Figure 4; if it has not, judgment step S203 is entered again.
When the judging result of judgment step S202 is yes, judgment step S205 is further carried out to confirm whether the information collection apparatus 1 has collected the site information of the object site (A1, A2, A3, B1, B2, B3) within the time limit. If the judging result of judgment step S205 is no, the object site (A1, A2, A3, B1, B2, B3) is judged to be an event not within the management scope of a site that has not joined the management system, S206.
As shown in Figures 1 and 2, the network security management system can also include a timing confirmation device 5. The timing confirmation device 5 is signal-connected to the incident management device 3. The timing confirmation device 5 is set so that, after an in-inventory object site (A1, A2, A3, B1, B2, B3) accesses the system, it carries out an online-state event judgment step to confirm at regular intervals the stability of the connection of the monitored machine. Also, when an abnormal case occurs, the timing confirmation device 5 generates a corresponding event in the incident management device 3, so that the incident management device 3 can grant permission according to the event and learn of the abnormal condition. The incident management device 3 further includes a timing return event manager module 31, which is set so that, when the timing confirmation device 5 confirms that the object site (A1, A2, A3, B1, B2, B3) has not reported information on schedule, a non-responding computer event not within the management scope is judged.
As shown in Figure 6, the online-state event judgment step is as follows:
Judgment step S301 judges whether the object site (A1, A2, A3, B1, B2, B3) is online. When it is online, judgment step S302 is carried out to confirm whether site information is returned on schedule. When the timing confirmation device 5 judges that the object site returns site information on schedule, the timing return event manager module 31 judges the object site to be "legitimately online within the management scope, S303". Conversely, when the timing confirmation device 5 judges that the object site does not return site information on schedule, the timing return event manager module 31 judges the object site to be "a non-responding computer event not within the management scope, S304".
When the timing return event manager module 31 is set to judge a non-responding computer event, it carries out a Windows Management Instrumentation (WMI) query judgment step S305 against the object site (A1, A2, A3, B1, B2, B3). When the result of judgment step S305 is an authorization authentication error or a domain name mismatch, judgment step S306 is further carried out, judging the online presence of the object site to be an event not within the management scope of a computer that has logged out of the domain.
When the result of judgment step S305 is neither an authorization authentication error nor a domain name mismatch, the timing return event manager module 31 carries out a further WMI query judgment step S307 to judge whether the object site (A1, A2, A3, B1, B2, B3) has not installed the agent program. If judgment step S307 is yes, judgment step S308 is carried out, judging the online presence of the object site to be an event not within the management scope of an agent program not installed. If judgment step S307 is no, judgment step S309 is carried out, judging a non-responding computer event not within the management scope.
As shown in Figures 1 and 2, the network security management system can also include a computer identification device 6. The computer identification device 6 is signal-connected to the incident management device 3. When the hardware of the object site (A1, A2, A3, B1, B2, B3) differs from the previous case, the computer identification device 6 generates the information of a computer impersonation anomalous event and sends it to the incident management device 3, so that the incident management device 3 can grant permission to the object site according to the event and learn of the anomalous condition of computer impersonation. The computer identification device 6 is set to obtain the Universally Unique Identifier (UUID) data of the computer hardware of the in-inventory object site. The UUID of the computer hardware of the object site is obtained by the computer identification device 6 via a management specification (WMI) query. Also, the computer identification device 6 stores the UUID data as computer identification information and compares that computer identification information with the previously stored computer identification information. When the comparison result is a mismatch, the computer identification device 6 judges a computer impersonation anomalous event.
As shown in Figure 7, the judgment step of the computer hardware event of the computer identification device 6 is as follows:
In judgment step S401, the computer identification device 6 judges whether the object site (A1, A2, A3, B1, B2, B3) is online. Then, the computer identification device 6 carries out query step S402 to obtain the computer identification information of the object site. Also, the computer identification device 6 carries out judgment step S403 with the computer identification information of this object site, to judge whether the object site has computer identification information from a previous online session.
When the result of judgment step S403 is no, the computer identification device 6 carries out access step S404 to establish the computer identification information of this online session of the object site.
When the result of judgment step S403 is yes, the computer identification device 6 carries out comparison step S405 to compare whether the computer identification information of this online session of the object site differs from the computer identification information of the previous online session. When the result of comparison step S405 is no, the computer identification device 6 judges the result to be normal. When the result of comparison step S405 is yes, the computer identification device 6 carries out judgment step S406, judging the online computer hardware event of this object site (A1, A2, A3, B1, B2, B3) to be a computer impersonation anomalous event.
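The identification flow of steps S401 to S406 as an added Python example, not the patent's code: the `query_uuid` callable stands in for the WMI query and is an assumed interface, and the handling of a query that returns nothing is an assumption, since the page does not describe that case.

```python
from typing import Callable, Dict, List, Optional


class ComputerIdentificationDevice:
    """Keeps the computer identification information (hardware UUID) last seen
    for each in-inventory object site and flags a later online session whose
    UUID differs, as a computer impersonation anomalous event (S406)."""

    def __init__(self, query_uuid: Callable[[str], Optional[str]]):
        # Assumed interface: returns the site's hardware UUID, or None when the
        # WMI query yields no result.  A real deployment would call WMI here.
        self._query_uuid = query_uuid
        self._known: Dict[str, str] = {}   # site name -> stored identification
        self.events: List[str] = []        # events handed to the incident management device

    def judge(self, site: str, online: bool) -> str:
        if not online:                       # S401: site not online, nothing to judge
            return "offline"
        uuid = self._query_uuid(site)        # S402: obtain identification information
        if uuid is None:                     # assumed: cannot compare without a result
            return "query failed"
        previous = self._known.get(site)     # S403: previous identification present?
        if previous is None:
            self._known[site] = uuid         # S404: establish this session's identification
            return "established"
        if previous == uuid:                 # S405: not different -> normal
            return "normal"
        self.events.append(f"computer impersonation anomalous event: {site}")
        return "computer impersonation suspected"   # S406
```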
The above description and explanation is only an explanation of the presently preferred embodiments of the present invention; those skilled in the art can make other modifications according to the scope of the claims of this case and the above explanation, but such modifications shall remain within the creative spirit and the scope of interest of the present invention.
Claims (15)
1. A network security management system for managing object sites belonging to an internal network environment, characterized in that the network security management system includes:
an information collection apparatus, which collects the site information issued by each object site when it logs in, the site information including domain information, computer name information and account information;
a type judgment means, signal-connected to the information collection apparatus, set to compare the site information received by the information collection apparatus against a network node management inventory in order to judge the site type to which each object site's login to the network security management system belongs, wherein the network node management inventory corresponds to each site type and respectively has allowed domain information, allowed computer name information and allowed account information, and the comparison of the site information against the network node management inventory is performed according to the comparison results of the site information against the allowed domain information, the allowed computer name information and the allowed account information respectively, so as to judge, when the object site corresponds to a site type in the inventory, which site type the object site belongs to, or to judge, when the object site corresponds to no site type, that the object site is not in the inventory; and
an incident management device, signal-connected to the type judgment means, set to judge a login event corresponding to the object site according to the judging result of the type judgment means and accordingly execute a corresponding management operation on the object site, wherein the management operation includes determining whether the object site has operating right, or granting the object site the operating right corresponding to the site type it belongs to.
2. The network security management system as described in claim 1, characterized in that the site types include an allowed local login type, whose corresponding allowed domain information and allowed account information are empty information; the type judgment means compares against the allowed domain information, and if the comparison result of the allowed domain information is no, compares against the allowed computer name information of the allowed local login type, and if the comparison result of the allowed computer information of the allowed local login type is yes, judges that the login of the object site belongs to the allowed local login type in the inventory, and the incident management device then judges an in-inventory login event of an allowed local login.
3. The network security management system as claimed in claim 2, characterized in that if the comparison result of the allowed computer information of the allowed local login type is no, the login of the object site is judged to belong to a non-allowed local login type not in the inventory, and the incident management device then judges a not-in-inventory login event of a non-allowed local login.
4. The network security management system as described in claim 1, characterized in that the site types include a general account type, whose corresponding allowed computer name is empty information; the type judgment means compares respectively against the allowed domain information, the allowed computer name information and the allowed account information, and if the comparison result of the allowed domain information is yes, the comparison result of the allowed computer name information is no and the comparison result of the allowed account information is yes, further compares against the allowed account information of the general account type, and if the comparison result of the allowed account information of the general account type is yes, judges that the login of the object site belongs to the general account type in the inventory, and the incident management device then judges an in-inventory login event of a general account.
5. The network security management system as claimed in claim 4, characterized in that if the comparison result of the allowed domain information is yes, the comparison result of the allowed computer name information is no and the comparison result of the allowed account information is no, the login of the object site is judged to belong to a non-managed list type not in the inventory, and the incident management device then judges a not-in-inventory login event of a non-managed list.
6. The network security management system as claimed in claim 4, characterized in that if the comparison result of the allowed account information of the general account type is no, the login of the object site is judged to belong to a non-designated computer type not in the inventory, and the incident management device then judges a not-in-inventory login event of a non-designated computer.
7. The network security management system as described in claim 1, characterized in that the site types include a bound computer and account type; the type judgment means compares respectively against the allowed domain information and the allowed computer name information, and if the comparison result of the allowed domain information is yes and the comparison result of the allowed computer name information is yes, compares against the allowed account information of the bound computer and account type, and if the comparison result of the allowed account information of the bound computer and account type is yes, judges that the login of the object site belongs to the bound computer and account type in the inventory, and the incident management device then judges an in-inventory login event of a bound computer and account.
8. The network security management system as claimed in claim 7, characterized in that the site types include a general computer type, whose corresponding allowed account is empty information; if the comparison result of the type judgment means against the allowed account information of the bound computer and account type is no, it further compares against the allowed computer name information of the general computer type, and if the comparison result of the allowed computer name information of the general computer type is yes, judges that the login of the object site belongs to the general computer type in the inventory, and the incident management device then judges an in-inventory login event of a general computer.
9. The network security management system as claimed in claim 8, characterized in that if the comparison result of the allowed computer name information of the general computer type is no, the login of the object site is judged to belong to a non-designated account type not in the inventory, and the incident management device then judges a not-in-inventory login event of a non-designated account.
10. The network security management system as described in claim 1, characterized in that it further includes an online monitoring device, signal-connected to the incident management device; the online monitoring device is set so that when an object site previously judged not in the inventory is online in the network environment, it judges whether the object site is required to log in to the network security management system, and when the object site is not required to log in to the network security management system, the incident management device then judges the object site to be a legitimately online event not within the management scope, and the object site is notified to execute the management operation of installing an agent program.
11. The network security management system as claimed in claim 10, characterized in that the online monitoring device is set so that when it judges that the object site is required to log in to the network security management system, it further confirms whether the information collection apparatus has collected the site information of the object site within the time limit, and if not, the incident management device judges the object site to be an event not within the management scope of a site that has not joined the management system.
12. The network security management system as described in claim 1, characterized in that it further includes a timing confirmation device, signal-connected to the incident management device; the timing confirmation device is set to confirm whether an in-inventory object site periodically returns site information, and the incident management device further includes a timing return event manager module, which is set so that when the timing confirmation device confirms that the object site has not reported information on schedule, a non-responding computer event not within the management scope is judged.
13. The network security management system as claimed in claim 12, characterized in that when the timing return event manager module is set to judge a non-responding computer event, it carries out a management specification (WMI) query against the object site, and if the result of the management specification query is an authorization authentication error or a domain name mismatch, an event not within the management scope of a computer that has logged out of the domain is further judged.
14. The network security management system as claimed in claim 13, characterized in that when the result of the management specification query is neither an authorization authentication error nor a domain name mismatch, the timing return event manager module carries out a further management specification query to judge whether the object site has not installed the agent program; if so, an event not within the management scope of an agent program not installed is judged, and if not, a non-responding computer event not within the management scope is judged.
15. The network security management system as described in claim 1, characterized in that it further includes a computer identification device, signal-connected to the incident management device; the computer identification device is set to obtain, for an in-inventory object site, the universally unique identifier data of the object site via a management specification query, to store the universally unique identifier data as computer identification information, and to compare it with the previously stored computer identification information; when the comparison result is a mismatch, the incident management device then judges a computer impersonation anomalous event.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710867950.8A CN109547397B (en) | 2017-09-22 | 2017-09-22 | Network security management system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109547397A true CN109547397A (en) | 2019-03-29 |
CN109547397B CN109547397B (en) | 2021-09-28 |
Family ID: 65828371
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710867950.8A Active CN109547397B (en) | 2017-09-22 | 2017-09-22 | Network security management system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109547397B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111885070A (en) * | 2020-07-29 | 2020-11-03 | 解来斌 | Network and information security management system |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1924907A (en) * | 2005-09-02 | 2007-03-07 | 鸿富锦精密工业(深圳)有限公司 | Network resources automatic management system and method |
CN102063588A (en) * | 2010-12-15 | 2011-05-18 | 北京北信源软件股份有限公司 | Control method and system for safety protection of computer terminal network |
CN102882828A (en) * | 2011-07-11 | 2013-01-16 | 上海可鲁***软件有限公司 | Information safe transmission control method between inside network and outside network and gateway thereof |
CN103024740A (en) * | 2011-09-28 | 2013-04-03 | 腾讯科技(深圳)有限公司 | Method and system for accessing internet by mobile terminal |
CN103248657A (en) * | 2012-02-10 | 2013-08-14 | 董天群 | Equipment information web publishing and sharing method |
CN103746995A (en) * | 2014-01-03 | 2014-04-23 | 汉柏科技有限公司 | User management and control method and system for security network |
US20140366120A1 (en) * | 2013-06-06 | 2014-12-11 | Apple Inc. | Systems and Methods for Application-Specific Access to Virtual Private Networks |
CN104335523A (en) * | 2014-04-15 | 2015-02-04 | 华为技术有限公司 | Access control method, client and server |
US20170250980A1 (en) * | 2014-09-29 | 2017-08-31 | Amazon Technologies, Inc. | Management and authentication in hosted directory service |
Events: 2017-09-22 CN CN201710867950.8A patent/CN109547397B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN109547397B (en) | 2021-09-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |