CN109547397A - Network security management system - Google Patents

Network security management system

Info

Publication number
CN109547397A
Authority
CN
China
Prior art keywords
information
site
permission
type
inventory
Prior art date
Legal status
Granted
Application number
CN201710867950.8A
Other languages
Chinese (zh)
Other versions
CN109547397B (en)
Inventor
李坤荣
Current Assignee
Taichung Computer Co Ltd
Original Assignee
Taichung Computer Co Ltd
Priority date
Filing date
Publication date
Application filed by Taichung Computer Co Ltd
Priority to CN201710867950.8A
Publication of CN109547397A
Application granted
Publication of CN109547397B
Legal status: Active
Anticipated expiration

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network security management system used to manage target sites belonging to an internal network environment. It comprises an information collection device, a type judging device and an event management device. The information collection device collects the site information (domain information, computer name information and account information) that each target site issues when logging in; the type judging device compares the site information received by the information collection device against a network node management inventory in order to judge the site type to which each target site belongs; and the event management device, according to the judgment result of the type judging device, decides whether a target site has operating rights, or grants it the operating rights corresponding to the site type to which it belongs.

Description

Network security management system
Technical field
The present invention relates to network security management systems, and more particularly to a network security management system for managing an intranet.
Background technique
With the development of networks and digital information, computers have become the bridge connecting the members and departments inside a business organization, and important information or files are provided to one another through the network. But information exchange over the network also brings many risks, such as theft of information and propagation of viruses. Therefore, enterprises must establish multiple security management systems in the network environment, such as firewalls or antivirus programs, to prevent criminals outside the enterprise from stealing information and spreading computer viruses. But the security management systems mentioned above still have gaps: they cannot prevent data leaks caused by improper operation by members, nor criminals stealing information or intruding into systems through the intranet or its computers.
Therefore, besides building internal security management systems, existing enterprises often rely on dispersed and tedious manual operation to control each computer, and check each piece of information to be transmitted with complicated authentication procedures. This type of security system lacks the ability to integrate as a whole. In terms of computer management, it cannot effectively identify problematic sites; that is, by the time the security system discovers a computer anomaly, a period of time has already passed, the anomaly must then be analyzed afterwards from the patterns of each computer in each part of the system, and the location of the problem cannot be learned quickly. In terms of information management, the security system requires the administrators of classified files to set file permissions according to file content; if the administrators cannot set permissions in real time because the classified files are too numerous, work is delayed. Therefore, internal security management systems in the prior art still have many shortcomings and need to be improved.
Summary of the invention
The purpose of the present invention is to provide a network security management system that can effectively integrate all internal sites and distribute site permissions in real time, thereby achieving a practical, time-saving and safe effect.
The technical means used by the present invention to solve the problems in the prior art is to provide a network security management system for managing the target sites belonging to a network environment, the system comprising: an information collection device, which collects the site information that each target site issues when logging in, the site information including domain information, computer name information and account information; a type judging device, signal-connected to the information collection device, which is configured to compare the site information received by the information collection device against a network node management inventory in order to judge the site type to which each target site logging in to the network security management system belongs, wherein the network node management inventory has, corresponding to each site type, an allowed domain information, an allowed computer name information and an allowed account information, and the comparison of the site information with the network node management inventory is made according to the results of comparing the site information against the allowed domain information, the allowed computer name information and the allowed account information respectively, so that the site type corresponding to the target site is noted in the inventory and the site type to which the target site belongs is judged, or, when the target site has no corresponding site type, the target site is judged to be not in the inventory; and an event management device, signal-connected to the type judging device, which is configured to judge, according to the judgment result of the type judging device, a login event corresponding to the target site, and accordingly to execute a corresponding management operation on the target site, wherein the management operation includes deciding whether the target site has operating rights, or granting the target site the operating rights corresponding to the site type to which it belongs.
In one embodiment of the present invention, the site type includes an allowed-local-login type, for which the corresponding allowed domain information and allowed account information are empty. The type judging device compares the allowed domain information; if the comparison result of the allowed domain information is no, it compares the allowed computer name information of the allowed-local-login type; if the comparison result of the allowed computer name information of the allowed-local-login type is yes, it judges that the login of the target site belongs to the allowed-local-login type in the inventory, and the event management device then judges it as an allowed-local-login in-inventory login event.
In one embodiment of the present invention, if the comparison result of the allowed computer name information of the allowed-local-login type is no, the login of the target site is judged to belong to a non-allowed-local-login type not in the inventory, and the event management device then judges it as a non-allowed-local-login not-in-inventory login event.
In one embodiment of the present invention, the site type includes a general account type, for which the corresponding allowed computer name information is empty. The type judging device compares the allowed domain information, the allowed computer name information and the allowed account information respectively; if the comparison result of the allowed domain information is yes, the comparison result of the allowed computer name information is no and the comparison result of the allowed account information is yes, it further compares the allowed account information of the general account type; if the comparison result of the allowed account information of the general account type is yes, it judges that the login of the target site belongs to the general account type in the inventory, and the event management device then judges it as a general-account in-inventory login event.
In one embodiment of the present invention, if the comparison result of the allowed domain information is yes, the comparison result of the allowed computer name information is no and the comparison result of the allowed account information is no, the login of the target site is judged to belong to a non-management-inventory type not in the inventory, and the event management device then judges it as a non-management-inventory not-in-inventory login event.
In one embodiment of the present invention, if the comparison result of the allowed account information of the general account type is no, the login of the target site is judged to belong to a non-designated-computer type not in the inventory, and the event management device then judges it as a non-designated-computer not-in-inventory login event.
In one embodiment of the present invention, the site type includes a bound computer and account type. The type judging device compares the allowed domain information and the allowed computer name information respectively; if the comparison result of the allowed domain information is yes and the comparison result of the allowed computer name information is yes, it compares the allowed account information of the bound computer and account type; if the comparison result of the allowed account information of the bound computer and account type is yes, it judges that the login of the target site belongs to the bound computer and account type in the inventory, and the event management device then judges it as a bound-computer-and-account in-inventory login event.
In one embodiment of the present invention, the site type includes a general computer type, for which the corresponding allowed account information is empty. If the comparison result of the allowed account information of the bound computer and account type is no, the type judging device further compares the allowed computer name information of the general computer type; if the comparison result of the allowed computer name information of the general computer type is yes, it judges that the login of the target site belongs to the general computer type in the inventory, and the event management device then judges it as a general-computer in-inventory login event.
In one embodiment of the present invention, if the comparison result of the allowed computer name information of the general computer type is no, the login of the target site is judged to belong to a non-designated-account type not in the inventory, and the event management device then judges it as a non-designated-account not-in-inventory login event.
In one embodiment of the present invention, the system further comprises an online monitoring device signal-connected to the event management device. The online monitoring device is configured so that, when a target site previously judged to be not in the inventory comes online in the network environment, it judges whether the target site is forced to log in to the network security management system; when the target site is not forced to log in to the network security management system, the event management device judges it as a legitimate-online not-within-management-scope event, and notifies the target site to execute the management operation of installing the agent program.
In one embodiment of the present invention, when the online monitoring device judges that the target site is forced to log in to the network security management system, it further confirms whether the information collection device collected the site information of the target site within the time limit; if not, the event management device judges it as a not-joined-to-the-management-system not-within-management-scope event.
In one embodiment of the present invention, the system further comprises a timing confirmation device signal-connected to the event management device. The timing confirmation device is configured to confirm whether a target site in the inventory reports its site information on schedule, and the event management device further comprises a timed-report event management module which, when the timing confirmation device confirms that the target site has not reported on schedule, judges it as a computer-without-response not-within-management-scope event.
In one embodiment of the present invention, when the timed-report event management module judges a computer-without-response event, it performs a management specification query on the target site; if the result of the management specification query is an authorization authentication error or a domain name mismatch, it is further judged as a logged-out-of-domain not-within-management-scope event.
In one embodiment of the present invention, when the result of the management specification query shows neither an authorization authentication error nor a domain name mismatch, the timed-report event management module performs the management specification query again to judge whether the target site has no agent program installed; if so, it is judged as an agent-program-not-installed not-within-management-scope event, and if not, it is judged as a computer-without-response not-within-management-scope event.
In one embodiment of the present invention, the system further comprises a computer identification device signal-connected to the event management device. For a target site in the inventory, the computer identification device obtains the universally unique identifier data of the target site through a management specification query, stores it as computer identification information, and compares this computer identification information with the previously stored computer identification information; when the comparison result is a mismatch, the event management device judges it as a computer impersonation anomaly event.
Through the technical means used by the present invention, in an intranet environment whose working environment has multiple domains, when a site boots and logs in to the operating system, this system can quickly collect the site information of the target site with the information collection device, and compare this login information with the built network node management inventory using the type judging device, so that it can quickly identify whether the current login action of the target site conforms to the network node management inventory, thereby achieving simple control of the network system. Also, the type judging device classifies the target site according to the network node management inventory, so that the event management device can rapidly judge the login event according to the site type to which the target site belongs and grant the corresponding operating rights, for example: limiting the rights of a specific allowed computer outside the domain, limiting the rights that only a specific user may have, limiting the rights of a specific computer, limiting the rights that a specific computer together with a specific user may have, or directly blocking a target site that departs from the network node management inventory, so as to achieve the effect of rapidly integrating the internal network environment and protecting information security.
In addition, the present invention can classify, with the type judging device, the target sites that depart from the network node management inventory, and judge their login events with the event management device, so that an administrator can directly find the abnormal problem from the login event it belongs to, such as an event of a non-designated computer not conforming to the inventory or an event of a non-designated account not conforming to the inventory, without having to resolve it through tedious analysis.
In addition, the present invention can classify the target sites in detail, so as to achieve flexible and diversified management.
In addition, the present invention further comprises the online monitoring device, so that it can judge events for target sites not in the inventory, notify them to install the agent program and join the management of the system, and control their rights through the event management device according to the event, to ensure network security.
Also, the present invention further comprises the timing confirmation device, which periodically confirms whether the target sites in the inventory that have been granted rights by this system report back, so that it can learn whether the network connection of the target site is normal, and can further judge whether the abnormal condition is a computer-without-response event or an event of privately exiting the domain, to strengthen the management of the network security management system and solve the major pain point that administrators find hard to discern in network security management.
It is worth mentioning that the present invention further obtains data of the target site through a management specification query with the computer identification device, forms unique computer identification information from the data of the target site and stores it, in order to identify whether the computer hardware of the target site has been manually replaced. When the comparison result is abnormal, it is judged as a computer impersonation anomaly event and the administrator is notified to monitor it in real time, thereby ensuring that the computer hardware has not been replaced and achieving the purpose of security management.
Detailed description of the invention
Fig. 1 is a schematic diagram of the network security management system according to an embodiment of the invention;
Fig. 2 is a system block diagram of the network security management system according to the embodiment of the invention;
Fig. 3 is a schematic table of the network node management inventory of the network security management system according to the embodiment of the invention;
Fig. 4 is a flow chart of the site login type comparison steps and their corresponding login events of the network security management system according to the embodiment of the invention;
Fig. 5 is a flow chart of the judgment steps for not-in-inventory system access events of the network security management system according to the embodiment of the invention;
Fig. 6 is a flow chart of the judgment steps for online-state events of target sites in the inventory of the network security management system according to the embodiment of the invention;
Fig. 7 is a flow chart of the judgment steps for computer hardware events of target sites in the inventory of the network security management system according to the embodiment of the invention.
Description of symbols: 100- network security management system; 1- information collection device; 2- type judging device; 3- event management device; 31- timed-report event management module; 4- online monitoring device; 5- timing confirmation device; 6- computer identification device; A, B- domain; A1, A2, A3, B1, B2, B3- target site; S101, S102, S105, S106, S107, S111, S113- comparison steps; S103, S104, S108, S109, S110, S112, S114, S115- judgment steps; S201 to S206- judgment steps; S301 to S309- judgment steps; S401, S403, S406- judgment steps; S402- query step; S405- comparison step; S404- access step.
Specific embodiment
Embodiments of the present invention are described below with reference to Fig. 1 to Fig. 7. The description does not limit the embodiments of the invention; it is one of the embodiments of the invention.
The present invention is an integrated service of a service domain on Windows Server. It mainly manages resources such as "people and machines" and the mechanisms that constitute the relationships of the network environment (e.g., the company's organizational structure, departments, meeting rooms). Windows Server provides many services; the file service or printer service is only one of the services integrating resources.
As shown in Fig. 1, a network security management system 100 according to an embodiment of the present invention is used to manage the target sites (A1, A2, A3, B1, B2, B3) belonging to an internal network environment (domain A, domain B). The network security management system 100 comprises: an information collection device 1, a type judging device 2 and an event management device 3.
For example, as shown in Figs. 1 and 2, the network security management system 100 is installed on a master control computer built internally. In the embodiment of the present invention, the event management device 3 serves as the overall manager and is used to link all devices of this system (the information collection device 1, the type judging device 2, an online monitoring device 4, a timing confirmation device 5 and a computer identification device 6). The internal network environment managed by the network security management system 100 includes a domain A and a domain B. The target sites A1, A2, A3 are linked to domain A; the target sites B1, B2, B3 are linked to domain B.
In this embodiment, the internal network environment is an AD (Active Directory) environment deployed by a Microsoft system, in which software is distributed through Group Policy Objects (GPO), and an agent program (Agent) is installed on the target sites (A1, A2, A3, B1, B2, B3).
The information collection device 1 collects the site information that each target site (A1, A2, A3, B1, B2, B3) issues when logging in. The site information includes domain information, computer name information and account information. In this embodiment, the information collection device 1 collects the site information issued by the agent program (Agent) of the target site (A1, A2, A3, B1, B2, B3) when it logs in to the AD environment. The site information includes the login domain, the computer name and the login account, and additionally the IP address, the MAC address, etc.
As shown in Figs. 1 and 2, the type judging device 2 is signal-connected to the information collection device 1. The type judging device 2 is configured to compare the site information received by the information collection device 1 against a network node management inventory, and to judge which site type of the network node management inventory the login of each target site (A1, A2, A3, B1, B2, B3) to the network security management system belongs to; or to judge that it does not belong to the network node management inventory, and further judge which not-in-inventory type it is. The type judging device 2 also passes the login comparison result of the site information to the event management device 3.
The event management device 3 is signal-connected to the type judging device 2. The event management device 3 is configured to judge, according to the judgment result of the type judging device 2, an in-inventory login event of the site type to which the target site (A1, A2, A3, B1, B2, B3) belongs, or a not-in-inventory login event. Also, for the target sites (A1, A2, A3, B1, B2, B3) in the inventory, the event management device 3 allows them to access the system according to their site type and grants specific management operating rights. For the target sites (A1, A2, A3, B1, B2, B3) not in the inventory, the event management device 3 can decide according to their type whether they have operating rights, block system access and network connection for high-risk types, or directly block all target sites (A1, A2, A3, B1, B2, B3) that are not in the inventory.
As shown in Fig. 3, the network node management inventory is stored in this system; in this embodiment it is stored in the event management device 3. The network node management inventory is a list whose content represents: an index number, the different site types, and, corresponding to each site type, the conditions of an allowed domain information, an allowed computer name information and an allowed account information.
The site type is selected from one of four types: allowed local login, general account, bound computer and account, and general computer. The allowed domain information, the allowed computer name information and the allowed account information may be empty (null), indicating that the information has no corresponding condition, that is, it is ignored and not compared when the information comparison is performed. For the allowed-local-login type, the corresponding allowed domain information and allowed account information are empty; for the general account type, the corresponding allowed computer name information is empty; the bound computer and account type has no empty information; for the general computer type, the corresponding allowed account information is empty.
The type judging device 2 compares the domain information, the computer name information and the account information of the site information against the allowed domain information, the allowed computer name information and the allowed account information of the network node management inventory respectively. According to the comparison results, the type judging device 2 then notes the corresponding site type in the inventory for the target site (A1, A2, A3, B1, B2, B3) and judges the site type to which the target site (A1, A2, A3, B1, B2, B3) belongs. Or, when the type judging device 2 cannot note any corresponding site type for the target site (A1, A2, A3, B1, B2, B3), it judges that the target site (A1, A2, A3, B1, B2, B3) is not in the inventory and further judges its not-in-inventory type.
As shown in Fig. 4, the following are the site login type comparison steps between the site information and the network node management inventory, and their corresponding login events.
Allowed domain information comparison step S101: compare whether the domain of the site information is the allowed domain;
When the result of comparison step S101 of the allowed domain information is no, the comparison step S102 of the allowed computer name of the allowed-local-login type is carried out: compare whether the computer name of the site information is the allowed computer name of the allowed-local-login type;
When the result of comparison step S102 of the allowed computer name of the allowed-local-login type is yes, the in-inventory type judgment step S103 is carried out: judge that the login of the target site (A1, A2, A3, B1, B2, B3) belongs to the allowed-local-login type in the inventory, and that its login is an allowed-local-login in-inventory login event.
When the result of comparison step S102 of the allowed computer name of the allowed-local-login type is no, the not-in-inventory type judgment step S104 is carried out: judge that the login of the target site (A1, A2, A3, B1, B2, B3) belongs to a non-allowed-local-login type not in the inventory, and that its login is a non-allowed-local-login not-in-inventory login event.
When the result of comparison step S101 of the allowed domain information is yes, the comparison step S105 of the allowed computer name is carried out: compare whether the computer name of the site information is the allowed computer name;
When the result of comparison step S105 of the allowed computer name information is no, the comparison step S106 of the allowed account information is carried out: compare whether the account of the site information is the allowed account;
When the result of comparison step S106 of the allowed account information is yes, the comparison step S107 of the allowed account information of the general account is further carried out: compare whether the account of the site information is the allowed account of the general account;
When the result of comparison step S107 of the allowed account information of the general account type is yes, the in-inventory type judgment step S108 is carried out: judge that the login of the target site (A1, A2, A3, B1, B2, B3) belongs to the general account type in the inventory, and that its login is a general-account in-inventory login event.
When the result of comparison step S107 of the allowed account information of the general account type is no, the not-in-inventory type judgment step S110 is carried out: judge that the login of the target site (A1, A2, A3, B1, B2, B3) belongs to a non-designated-computer type not in the inventory, and that its login is a non-designated-computer not-in-inventory login event.
When the result of comparison step S105 of the allowed computer name information is no, and the result of comparison step S106 of the allowed account information is no, the not-in-inventory type judgment step S109 is carried out: judge that the login of the target site (A1, A2, A3, B1, B2, B3) belongs to a non-management-inventory type not in the inventory, and that its login is a non-management-inventory not-in-inventory login event.
When the result of comparison step S105 of the allowed computer name information is yes, the comparison step S111 of the allowed account information of the bound computer and account type is carried out: compare whether the account of the site information is the allowed account of the bound computer and account type;
When the result of comparison step S111 of the allowed account information of the bound computer and account type is yes, the in-inventory type judgment step S112 is carried out: judge that the login of the target site (A1, A2, A3, B1, B2, B3) belongs to the bound computer and account type in the inventory, and that its login is a bound-computer-and-account in-inventory login event.
When the result of the binding computer and the comparison step S111 of the permission account information of account type are no, then The comparison step S113 of the permission computer name information of the further progress general purpose computer type: the site information is compared The computer name information whether be the general purpose computer type the permission computer name;
When the result of the comparison step S113 of the permission computer name information of the general purpose computer type, which is, is, then It carries out the type judgment step S114 in inventory: judging that logining for the object site (A1, A2, A3, B1, B2, B3) belongs to clearly The general purpose computer type in list, and its login in the inventory for a general purpose computer and login event.
When the result of the comparison step S113 of the permission computer name information of the general purpose computer type is no, then Carry out the type judgment step S115 not in inventory: that judges the object site (A1, A2, A3, B1, B2, B3) logins category In the non-designated account type not in inventory, and its logins and do not login event in inventory for a non-designated account.
Enable to login event in the inventory of the incident management device 3 according to the object site and allow it through the above steps It logins in the management system and gives permission according to the site type, and the non-inventory according to the object site is logined event and allowed It can not be logined in the management system, safeguard network security so as to multi-zone supervision permission.
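The decision tree of figure 4, written out as runnable code. This is an added example, not the patent's own code; the inventory contents, the site and account names, the case-insensitive matching of Windows names, and the reading of step S105 as a check against every type's allowed computer names are assumptions made here for illustration.

```python
"""Added example (not the patent's code): the login-type comparison of figure 4 as a
decision tree over a network node management inventory. The inventory contents, site
and account names, the case-insensitive matching and the reading of step S105 as a
check against every type's allowed computer names are assumptions made here."""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    LOCAL_LOGIN = ("allowed local login", True)                   # S103
    NON_ALLOWED_LOCAL_LOGIN = ("non-allowed local login", False)  # S104
    GENERAL_ACCOUNT = ("general account", True)                   # S108
    NON_MANAGED = ("not on any managed list", False)              # S109
    NON_DESIGNATED_COMPUTER = ("non-designated computer", False)  # S110
    BOUND = ("bound computer and account", True)                  # S112
    GENERAL_COMPUTER = ("general computer", True)                 # S114
    NON_DESIGNATED_ACCOUNT = ("non-designated account", False)    # S115

    @property
    def in_inventory(self) -> bool:
        """True for the verdicts the event manager grants rights for."""
        return self.value[1]


def _norm(name: str) -> str:
    """Windows domain, computer and account names match case-insensitively."""
    return name.strip().upper()


@dataclass(frozen=True)
class SiteInfo:
    domain: str      # empty or a workgroup name for a local login
    computer: str
    account: str


@dataclass
class Inventory:
    domains: set                  # allowed domains
    local_login_computers: set    # allowed-local-login type (domain and account empty)
    general_accounts: set         # general-account type (computer name empty)
    bound_pairs: set              # bound-computer-and-account type: {(computer, account)}
    general_computers: set        # general-computer type (account empty)

    def __post_init__(self):
        self.domains = {_norm(d) for d in self.domains}
        self.local_login_computers = {_norm(c) for c in self.local_login_computers}
        self.general_accounts = {_norm(a) for a in self.general_accounts}
        self.bound_pairs = {(_norm(c), _norm(a)) for c, a in self.bound_pairs}
        self.general_computers = {_norm(c) for c in self.general_computers}
        # Union over every type; assumed to be what steps S105 and S106 compare against.
        self.allowed_computers = self.local_login_computers | self.general_computers | {c for c, _ in self.bound_pairs}
        self.allowed_accounts = self.general_accounts | {a for _, a in self.bound_pairs}


def classify(site: SiteInfo, inv: Inventory) -> Verdict:
    """Walk the figure 4 decision tree for one login record."""
    domain, computer, account = _norm(site.domain), _norm(site.computer), _norm(site.account)
    if domain not in inv.domains:                        # S101: no
        if computer in inv.local_login_computers:        # S102
            return Verdict.LOCAL_LOGIN                   # S103
        return Verdict.NON_ALLOWED_LOCAL_LOGIN           # S104
    if computer not in inv.allowed_computers:            # S105: no
        if account not in inv.allowed_accounts:          # S106: no
            return Verdict.NON_MANAGED                   # S109
        if account in inv.general_accounts:              # S107
            return Verdict.GENERAL_ACCOUNT               # S108
        return Verdict.NON_DESIGNATED_COMPUTER           # S110
    if (computer, account) in inv.bound_pairs:           # S111: pair match, not two separate lookups
        return Verdict.BOUND                             # S112
    if computer in inv.general_computers:                # S113
        return Verdict.GENERAL_COMPUTER                  # S114
    return Verdict.NON_DESIGNATED_ACCOUNT                # S115


# Constructed sample inventory and login records (not from the patent).
SAMPLE_INVENTORY = Inventory(
    domains={"CORP"},
    local_login_computers={"KIOSK-01"},
    general_accounts={"svc-backup", "helpdesk"},
    bound_pairs={("WS-FIN-07", "alice"), ("WS-HR-02", "bob")},
    general_computers={"LAB-PC-01"},
)

SAMPLE_LOGINS = [
    SiteInfo("", "KIOSK-01", "kiosk"),            # local login from a listed kiosk
    SiteInfo("WORKGROUP", "ROGUE-PC", "admin"),   # local login from an unknown box
    SiteInfo("CORP", "WS-FIN-07", "alice"),       # the bound pair
    SiteInfo("corp", "ws-fin-07", "Mallory"),     # listed computer, wrong account
    SiteInfo("CORP", "LAB-PC-01", "student"),     # general computer, any account
    SiteInfo("CORP", "LAPTOP-99", "helpdesk"),    # general account, any computer
    SiteInfo("CORP", "LAPTOP-99", "alice"),       # bound account from the wrong computer
    SiteInfo("CORP", "LAPTOP-99", "nobody"),      # nothing in the inventory matches
]


def classify_all(logins=SAMPLE_LOGINS, inv=SAMPLE_INVENTORY):
    """Return [(site, verdict)]; rights are granted only where verdict.in_inventory."""
    return [(s, classify(s, inv)) for s in logins]
```

The point worth noticing is step S111: the bound type is matched as a (computer, account) pair, so a bound account presented from another listed computer falls through to S115 and a bound computer presented with another account is never promoted to a general account. That pair check is what makes the inventory stronger than three independent allow-lists for domain, computer and account.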
As shown in figures 1 and 2, the network security management system may further include an online monitoring device 4. The online monitoring device 4 is signal-connected to the event management device 3 and is configured to monitor a target site (A1, A2, A3, B1, B2, B3) that was previously judged not to be in the inventory when that site comes online in the network environment. The online monitoring device 4 also performs a not-in-inventory system-access event judgment step, which generates a corresponding event in the event management device 3, so that the event management device 3 can grant rights according to the event and learn whether an abnormality exists.

For example, the online monitoring device 4 learns that a target site (A1, A2, A3, B1, B2, B3) previously judged not to be in the inventory has come online by consulting a not-in-inventory device management list, on the basis of which the target site was previously judged not to be in the inventory. The not-in-inventory device management list is built synchronously on the event management device 3 whenever the type judgment device 2 judges a target site not to be in the inventory, and the site information of that target site is stored in the list.

As shown in figure 5, the not-in-inventory system-access event judgment step is as follows:

Judgment step S201: when the target site (A1, A2, A3, B1, B2, B3) is online, judgment step S202 is performed to judge whether the target site (A1, A2, A3, B1, B2, B3) is required to log in to the network security management system.

When the result of step S202 is no, judgment step S203 is entered: the target site (A1, A2, A3, B1, B2, B3) is judged to be a legal online site not within the management scope (for example a printer or fax machine, which need not log in to the system), and the target site is notified to perform the management operation of installing an agent program. Judgment step S204 then judges whether the target site (A1, A2, A3, B1, B2, B3) has installed the agent program and returned its site information; if so, the site is managed from connector c of figure 4; if not, step S203 is entered again.

When the result of step S202 is yes, judgment step S205 is further performed to confirm whether the information collection device 1 has collected the site information of the target site (A1, A2, A3, B1, B2, B3) within the time limit. If the result of step S205 is no, the target site (A1, A2, A3, B1, B2, B3) is judged to have produced a management-system-not-joined event S206, not within the management scope.
As shown in figures 1 and 2, the network security management system may further include a periodic confirmation device 5. The periodic confirmation device 5 is signal-connected to the event management device 3 and is configured so that, after a target site (A1, A2, A3, B1, B2, B3) in the inventory has accessed the system, an online-state event judgment step periodically confirms and monitors the stability of its connection. When an abnormal condition occurs, the periodic confirmation device 5 generates a corresponding event in the event management device 3, so that the event management device 3 can grant rights according to the event and learn of the abnormal condition. The event management device 3 further includes a periodic-report event management module 31, configured to judge a computer-without-response event not within the management scope when the periodic confirmation device 5 confirms that the target site (A1, A2, A3, B1, B2, B3) has not reported its information on schedule.

As shown in figure 6, the online-state event judgment step is as follows:

Judgment step S301 judges whether the target site (A1, A2, A3, B1, B2, B3) is online. When it is online, judgment step S302 confirms whether the site has returned its site information on schedule. When the periodic confirmation device 5 judges that the target site has returned its site information on schedule, the periodic-report event management module 31 judges the target site to be "legally online within the management scope" (S303). Conversely, when the periodic confirmation device 5 cannot confirm that the target site has returned its site information, the periodic-report event management module 31 judges the target site to be a "computer without response, not within the management scope" event (S304).

When the periodic-report event management module 31 has judged a computer-without-response event, it performs a Windows Management Instrumentation (WMI) query judgment step S305 against the target site (A1, A2, A3, B1, B2, B3). When the result of step S305 is an authentication error or a domain name mismatch, judgment step S306 is further performed, which judges the target site's presence online to be a "left the domain, not within the management scope" event.

When the result of step S305 is neither an authentication error nor a domain name mismatch, the periodic-report event management module 31 performs a further WMI query judgment step S307 to judge whether the target site (A1, A2, A3, B1, B2, B3) lacks the agent program. If the result of step S307 is yes, judgment step S308 judges the target site's presence online to be an "agent program not installed, not within the management scope" event. If the result of step S307 is no, judgment step S309 judges it to be a "computer without response, not within the management scope" event.
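The two procedures of figure 5 (a site previously judged not in inventory comes online) and figure 6 (a listed site is checked for its scheduled report, then triaged with the WMI query) as one added example. This is not the patent's code: the field names, the time limit, the reporting interval and the sample sites are assumptions, and the outcome of the WMI queries of steps S305 and S307 is modelled as fields on the site record rather than actually queried.

```python
"""Added example (not the patent's code): event triage for a site that appears on the
network, following figure 5 (a site previously judged not in inventory) and figure 6
(the periodic report check for a site in inventory). Field names, the reporting
interval, the time limit and the sample sites are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Event(Enum):
    OFFLINE = "site is not online"                                                          # S201 / S301: no
    LEGAL_ONLINE_UNMANAGED = "legal online outside the management scope; told to install the agent"  # S203
    MANAGED = "agent reported in time: handled by the figure 4 comparison"                  # S204 yes / S205 yes
    NOT_JOINED = "management system not joined (outside the management scope)"              # S206
    LEGAL_ONLINE_MANAGED = "legal online within the management scope"                       # S303
    LEFT_DOMAIN = "left the domain (outside the management scope)"                          # S306
    AGENT_NOT_INSTALLED = "agent program not installed (outside the management scope)"      # S308
    NO_RESPONSE = "computer without response (outside the management scope)"                # S304 / S309


@dataclass
class SiteState:
    name: str
    online: bool
    must_login: bool                   # False for devices such as printers and fax machines
    agent_installed: bool              # what the second WMI query (S307) would report
    last_report: Optional[datetime]    # when the agent last returned site information
    wmi_auth_error: bool = False       # first WMI query (S305) failed authentication
    wmi_domain_mismatch: bool = False  # first WMI query (S305) returned an unexpected domain


def triage_not_in_inventory(site: SiteState, now: datetime, time_limit: timedelta) -> Event:
    """Figure 5: a site previously judged not in inventory has come online."""
    if not site.online:                                                    # S201
        return Event.OFFLINE
    if not site.must_login:                                                # S202: no
        if site.agent_installed and site.last_report is not None:          # S204: yes
            return Event.MANAGED                                           # connector c of figure 4
        return Event.LEGAL_ONLINE_UNMANAGED                                # S203, re-checked later
    if site.last_report is not None and now - site.last_report <= time_limit:  # S205
        return Event.MANAGED
    return Event.NOT_JOINED                                                # S206


def triage_periodic_report(site: SiteState, now: datetime, interval: timedelta) -> Event:
    """Figure 6: a site in inventory is checked for its scheduled report."""
    if not site.online:                                                    # S301
        return Event.OFFLINE
    if site.last_report is not None and now - site.last_report <= interval:  # S302
        return Event.LEGAL_ONLINE_MANAGED                                  # S303
    # S304: no report on schedule. Refine the "no response" verdict with the WMI query (S305).
    if site.wmi_auth_error or site.wmi_domain_mismatch:
        return Event.LEFT_DOMAIN                                           # S306
    if not site.agent_installed:                                           # S307: yes
        return Event.AGENT_NOT_INSTALLED                                   # S308
    return Event.NO_RESPONSE                                               # S309


# Constructed sample data (not from the patent).
NOW = datetime(2024, 1, 15, 9, 0, 0)
TIME_LIMIT = timedelta(minutes=10)     # figure 5: deadline for the first site information
INTERVAL = timedelta(minutes=5)        # figure 6: expected reporting period

NEW_SITES = [  # previously judged not in inventory
    SiteState("PRINTER-3F", True, False, False, None),
    SiteState("WS-NEW-12", True, True, False, None),
    SiteState("WS-NEW-13", True, True, True, NOW - timedelta(minutes=2)),
]
LISTED_SITES = [  # in inventory
    SiteState("WS-FIN-07", True, True, True, NOW - timedelta(minutes=1)),
    SiteState("WS-HR-02", True, True, True, NOW - timedelta(hours=3), wmi_domain_mismatch=True),
    SiteState("LAB-PC-01", True, True, False, NOW - timedelta(hours=3)),
    SiteState("WS-OPS-05", True, True, True, NOW - timedelta(hours=3)),
    SiteState("WS-OPS-06", False, True, True, None),
]


def run(now=NOW):
    """Return {site name: event} for both procedures."""
    out = {s.name: triage_not_in_inventory(s, now, TIME_LIMIT) for s in NEW_SITES}
    out.update({s.name: triage_periodic_report(s, now, INTERVAL) for s in LISTED_SITES})
    return out


if __name__ == "__main__":
    for name, ev in run().items():
        print(f"{name:12} {ev.name:24} {ev.value}")
```

One caveat for the S306 branch: a WMI authentication error can also come from a host firewall change, a revoked or expired service account, or a machine password that fell out of sync, so a "left the domain" verdict is better confirmed against the directory's computer object before rights are withdrawn on that basis alone.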
As shown in figures 1 and 2, the network security management system may further include a computer identification device 6. The computer identification device 6 is signal-connected to the event management device 3. When the hardware of a target site (A1, A2, A3, B1, B2, B3) differs from that seen on a previous occasion, the computer identification device 6 generates information about a computer-impersonation anomaly event and sends it to the event management device 3, so that the event management device 3 can grant the target site rights according to the event and learn of the impersonation anomaly. The computer identification device 6 is configured to obtain the universally unique identifier (UUID) of the computer hardware of a target site in the inventory. The UUID of the target site's computer hardware is obtained by the computer identification device 6 through a WMI query. The computer identification device 6 stores a computer identification information derived from the UUID and compares it with the previously stored computer identification information. When the comparison does not match, the computer identification device 6 judges a computer-impersonation anomaly event.

As shown in figure 7, the hardware event judgment step of the computer identification device 6 is as follows:

In judgment step S401, the computer identification device 6 judges whether the target site (A1, A2, A3, B1, B2, B3) is online. The computer identification device 6 then performs query step S402 to obtain the computer identification information of the target site, and judgment step S403 with that computer identification information, to judge whether a computer identification information from a previous connection of this target site exists.

When the result of step S403 is no, the computer identification device 6 performs storage step S404 to establish the computer identification information of the current connection of the target site.

When the result of step S403 is yes, the computer identification device 6 performs comparison step S405 to compare whether the computer identification information of the current connection differs from that of the previous connection. When the result of step S405 is no, the computer identification device 6 judges the result to be normal. When the result of step S405 is yes, the computer identification device 6 performs judgment step S406 and judges the hardware connection event of the target site (A1, A2, A3, B1, B2, B3) to be a computer-impersonation anomaly event.
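The computer identification check of figure 7 as an added example, not the patent's own code. The store, the sample site names and UUIDs, the placeholder filter and the reverse index (which flags one UUID appearing under two site names, a case figure 7 does not cover) are assumptions made here.

```python
"""Added example (not the patent's code): the computer identification check of figure 7.
The hardware UUID seen on the first connection is recorded; each later connection is
compared against it and a change is reported as a suspected impersonation. The store,
the sample site names and UUIDs, and the reverse index are assumptions for illustration."""
import hashlib
from enum import Enum


class IdentityResult(Enum):
    RECORDED = "first connection: identification stored"                        # S404
    NORMAL = "identification matches the stored one"                            # S405: no change
    IMPERSONATION = "hardware identification changed: suspected impersonation"  # S406
    DUPLICATE_UUID = "same hardware UUID already recorded for another site"      # beyond figure 7


# Placeholder values some firmware reports instead of a real UUID; accepting them as an
# identity would make every such machine look like the same one.
PLACEHOLDER_UUIDS = {
    "",
    "00000000-0000-0000-0000-000000000000",
    "FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF",
}


def identification_from_uuid(uuid: str) -> str:
    """Normalise case, reject placeholders, and keep a digest rather than the raw UUID."""
    value = uuid.strip().upper()
    if value in PLACEHOLDER_UUIDS:
        raise ValueError(f"unusable hardware UUID {value!r}")
    return hashlib.sha256(value.encode("ascii")).hexdigest()


class ComputerIdentityStore:
    def __init__(self) -> None:
        self._by_site: dict = {}   # site name -> identification
        self._by_id: dict = {}     # identification -> site name (reverse index, beyond figure 7)

    def check(self, site: str, uuid: str) -> IdentityResult:
        ident = identification_from_uuid(uuid)              # S402
        previous = self._by_site.get(site)
        if previous is None:                                # S403: no earlier record
            owner = self._by_id.get(ident)
            if owner is not None and owner != site:
                return IdentityResult.DUPLICATE_UUID        # cloned image, or a second box reusing a name
            self._by_site[site] = ident                     # S404
            self._by_id[ident] = site
            return IdentityResult.RECORDED
        if previous == ident:                               # S405
            return IdentityResult.NORMAL
        return IdentityResult.IMPERSONATION                 # S406: the stored record is not overwritten


# Constructed sample connections (not from the patent).
SAMPLE_CONNECTIONS = [
    ("WS-FIN-07", "4C4C4544-0042-3010-8052-B7C04F4E5A31"),
    ("WS-FIN-07", "4c4c4544-0042-3010-8052-b7c04f4e5a31"),   # same hardware, lower-case report
    ("WS-FIN-07", "9E1B2F0A-1111-4C2B-9D3E-5A6B7C8D9E0F"),   # other hardware using the same name
    ("WS-HR-02", "4C4C4544-0042-3010-8052-B7C04F4E5A31"),    # UUID already recorded for WS-FIN-07
]


def run(connections=SAMPLE_CONNECTIONS):
    """Replay the connections through one store and return [(site, result)]."""
    store = ComputerIdentityStore()
    return [(site, store.check(site, uuid)) for site, uuid in connections]


if __name__ == "__main__":
    for site, result in run():
        print(f"{site:10} {result.name:15} {result.value}")
```

On a Windows site the value the description refers to is the UUID property of the Win32_ComputerSystemProduct WMI class, which a query of the kind used in step S305 returns. That SMBIOS UUID is readable by any local administrator and is set freely on virtual machines, so the check catches accidental reuse and casual name hijacking rather than a deliberate impersonator; a TPM-bound key gives stronger evidence of hardware identity.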
The above description and explanation concern only the preferred embodiments of the invention. Those skilled in the art may make other modifications on the basis of the claims and the above description, and such modifications remain within the creative spirit and the scope of the invention.

Claims (15)

1. A network security management system for managing target sites belonging to an internal network environment, characterized in that the network security management system comprises:
an information collection device, which collects the site information issued by each target site when it logs in, the site information including domain information, computer name information and account information;
a type judgment device, signal-connected to the information collection device and configured to compare the site information received by the information collection device against a network node management inventory in order to judge the site type to which the login of each target site to the network security management system belongs, wherein the network node management inventory has, for each site type, allowed-domain information, allowed-computer-name information and allowed-account information, and the comparison of the site information against the network node management inventory compares the site information respectively with the allowed-domain information, the allowed-computer-name information and the allowed-account information, so as to judge from the corresponding site type in the inventory the site type to which the target site belongs, or to judge that the target site is not in the inventory because it has no corresponding site type; and
an event management device, signal-connected to the type judgment device and configured to judge a login event corresponding to the target site according to the judgment result of the type judgment device and to perform a corresponding management operation on the target site accordingly, wherein the management operation includes determining whether the target site has operating rights, or granting the target site the operating rights corresponding to its site type.
2. The network security management system of claim 1, characterized in that the site types include an allowed-local-login type whose corresponding allowed-domain information and allowed-account information are empty; the type judgment device compares against the allowed-domain information and, if the result of that comparison is no, compares against the allowed-computer-name information of the allowed-local-login type; if the result of the comparison against the allowed-computer-name information of the allowed-local-login type is yes, the login of the target site is judged to belong to the allowed-local-login type in the inventory, and the event management device judges an in-inventory allowed-local-login event.
3. The network security management system of claim 2, characterized in that, if the result of the comparison against the allowed-computer-name information of the allowed-local-login type is no, the login of the target site is judged to belong to a non-allowed-local-login type not in the inventory, and the event management device judges a not-in-inventory non-allowed-local-login event.
4. The network security management system of claim 1, characterized in that the site types include a general-account type whose corresponding allowed computer name is empty; the type judgment device compares respectively against the allowed-domain information, the allowed-computer-name information and the allowed-account information, and if the result for the allowed-domain information is yes, the result for the allowed-computer-name information is no and the result for the allowed-account information is yes, it further compares against the allowed-account information of the general-account type; if the result for the allowed-account information of the general-account type is yes, the login of the target site is judged to belong to the general-account type in the inventory, and the event management device judges an in-inventory general-account login event.
5. The network security management system of claim 4, characterized in that, if the result for the allowed-domain information is yes, the result for the allowed-computer-name information is no and the result for the allowed-account information is no, the login of the target site is judged to belong to a non-managed-list type not in the inventory, and the event management device judges a not-in-inventory non-managed-list login event.
6. The network security management system of claim 4, characterized in that, if the result for the allowed-account information of the general-account type is no, the login of the target site is judged to belong to a non-designated-computer type not in the inventory, and the event management device judges a not-in-inventory non-designated-computer login event.
7. The network security management system of claim 1, characterized in that the site types include a bound-computer-and-account type; the type judgment device compares respectively against the allowed-domain information and the allowed-computer-name information, and if the result for the allowed-domain information is yes and the result for the allowed-computer-name information is yes, it compares against the allowed-account information of the bound-computer-and-account type; if the result for the allowed-account information of the bound-computer-and-account type is yes, the login of the target site is judged to belong to the bound-computer-and-account type in the inventory, and the event management device judges an in-inventory bound-computer-and-account login event.
8. The network security management system of claim 7, characterized in that the site types include a general-computer type whose corresponding allowed account is empty; if the result of the type judgment device's comparison against the allowed-account information of the bound-computer-and-account type is no, it further compares against the allowed-computer-name information of the general-computer type; if the result for the allowed-computer-name information of the general-computer type is yes, the login of the target site is judged to belong to the general-computer type in the inventory, and the event management device judges an in-inventory general-computer login event.
9. The network security management system of claim 8, characterized in that, if the result for the allowed-computer-name information of the general-computer type is no, the login of the target site is judged to belong to a non-designated-account type not in the inventory, and the event management device judges a not-in-inventory non-designated-account login event.
10. The network security management system of claim 1, characterized in that it further comprises an online monitoring device signal-connected to the event management device and configured so that, when a target site previously judged not to be in the inventory comes online in the network environment, it judges whether the target site is required to log in to the network security management system; when the target site is not required to log in to the network security management system, the event management device judges the target site to be a legal online site not within the management scope, and the target site is notified to perform the management operation of installing an agent program.
11. The network security management system of claim 10, characterized in that, when the online monitoring device judges that the target site is required to log in to the network security management system, it further confirms whether the information collection device has collected the site information of the target site within the time limit; if not, the event management device judges a management-system-not-joined event not within the management scope for the target site.
12. The network security management system of claim 1, characterized in that it further comprises a periodic confirmation device signal-connected to the event management device and configured to confirm whether a target site in the inventory periodically reports its site information, and that the event management device further includes a periodic-report event management module configured to judge a computer-without-response event not within the management scope when the periodic confirmation device confirms that the target site has not reported its information on schedule.
13. The network security management system of claim 12, characterized in that, when the periodic-report event management module has judged a computer-without-response event, it performs a management instrumentation (WMI) query against the target site; if the result of the query is an authentication error or a domain name mismatch, it further judges a left-the-domain event not within the management scope.
14. The network security management system of claim 13, characterized in that, when the result of the management instrumentation query is neither an authentication error nor a domain name mismatch, the periodic-report event management module performs a further management instrumentation query to judge whether the target site lacks the agent program; if so, it judges an agent-program-not-installed event not within the management scope; if not, it judges a computer-without-response event not within the management scope.
15. The network security management system of claim 1, characterized in that it further comprises a computer identification device signal-connected to the event management device and configured to obtain, for a target site in the inventory, the universally unique identifier (UUID) data of the target site through a management instrumentation query, to store a computer identification information derived from that UUID data, and to compare it with the previously stored computer identification information; when the comparison does not match, a computer-impersonation anomaly event is judged.
CN201710867950.8A 2017-09-22 2017-09-22 Network security management system Active CN109547397B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710867950.8A CN109547397B (en) 2017-09-22 2017-09-22 Network security management system

Publications (2)

Publication Number Publication Date
CN109547397A true CN109547397A (en) 2019-03-29
CN109547397B CN109547397B (en) 2021-09-28

Family

ID=65828371

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710867950.8A Active CN109547397B (en) 2017-09-22 2017-09-22 Network security management system

Country Status (1)

Country Link
CN (1) CN109547397B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111885070A (en) * 2020-07-29 2020-11-03 解来斌 Network and information security management system

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1924907A (en) * 2005-09-02 2007-03-07 鸿富锦精密工业(深圳)有限公司 Network resources automatic management system and method
CN102063588A (en) * 2010-12-15 2011-05-18 北京北信源软件股份有限公司 Control method and system for safety protection of computer terminal network
CN102882828A (en) * 2011-07-11 2013-01-16 上海可鲁***软件有限公司 Information safe transmission control method between inside network and outside network and gateway thereof
CN103024740A (en) * 2011-09-28 2013-04-03 腾讯科技(深圳)有限公司 Method and system for accessing internet by mobile terminal
CN103248657A (en) * 2012-02-10 2013-08-14 董天群 Equipment information web publishing and sharing method
CN103746995A (en) * 2014-01-03 2014-04-23 汉柏科技有限公司 User management and control method and system for security network
US20140366120A1 (en) * 2013-06-06 2014-12-11 Apple Inc. Systems and Methods for Application-Specific Access to Virtual Private Networks
CN104335523A (en) * 2014-04-15 2015-02-04 华为技术有限公司 Access control method, client and server
US20170250980A1 (en) * 2014-09-29 2017-08-31 Amazon Technologies, Inc. Management and authentication in hosted directory service

Also Published As

Publication number Publication date
CN109547397B (en) 2021-09-28

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant