CN111031003B - Intelligent evaluation system of cross-network isolation safety system - Google Patents


Info

Publication number: CN111031003B
Application number: CN201911145071.XA
Authority: CN (China)
Other versions: CN111031003A (en)
Other languages: Chinese (zh)
Legal status: Active (granted)
Inventors: 张�杰, 程永新, 唐晋, 刘丹, 万思思
Assignees (current and original): University of Electronic Science and Technology of China; CETC 30 Research Institute
Application filed by University of Electronic Science and Technology of China and CETC 30 Research Institute; priority to CN201911145071.XA; first published as CN111031003A, then granted and published as CN111031003B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The invention discloses an intelligent evaluation system for a cross-network isolation security system and belongs to the technical field of security. The evaluation system comprises a user interaction device, an intelligent evaluation processing module and a system database. Through the user interaction device the user enters the evaluation parameters of the cross-network isolation security system to be evaluated, maintains and updates the system database, selects an evaluation mode, and receives the displayed evaluation result. The evaluation parameters cover three stages of the system under evaluation: the sending stage, the data transmission stage and the receiving stage. Based on the parameters entered by the user and on preset evaluation rules, the intelligent evaluation processing module combines them with the related parameters queried from the system database and computes the evaluation result of the system under evaluation; the result comprises a security evaluation result and a performance evaluation result. The user then uses the obtained result to decide how to deploy a specific cross-network isolation security system.

Description

Intelligent evaluation system of cross-network isolation safety system
Technical Field
The invention belongs to the technical field of security and in particular relates to an automatic evaluation system for an inter-network isolation security system.
Background
Companies and enterprises that handle classified data keep confidential and sensitive data on their internal networks, so the security requirements for those networks are strict, and network isolation techniques are increasingly used to protect the data. An isolation security system realizes data exchange between two classified networks: a user in one network transmits data through the inter-network data exchange system to a user in the other network, and the user of the receiving network stores and otherwise operates on the received data. Existing technical approaches to network isolation include:
(1) Virtual local area network (VLAN).
Virtual local area networks are one of the most common isolation techniques within a local area network. Built on a switched LAN, the network is divided logically rather than physically; geographical limits are removed, workstations can move between subnets or work groups, the utilization of information and hardware resources improves, and the burden on network administrators is greatly reduced.
(2) The access control list.
Access control lists are a common isolation technique, generally applied to small networks. An ACL is a list of rules on a routing interface according to which the network device decides whether a received packet is accepted or dropped. The rules match packet characteristics such as source address, destination address, source port and destination port. The concept is not complex; configuring and managing the rules is the central task. Traditional (packet-filtering) firewalls are mostly implemented this way.
(3) Multi-protocol label switching.
Multi-protocol label switching (MPLS) is a network isolation technique widely used in wide area networks, intranets and campus networks. Its access mode is flexible and it supports mutual access between user groups across a campus or wide area network. It provides secure end-to-end service isolation, has strong mobility and good scalability, and suits large-scale networks. It requires device support, however: in practice routing and forwarding depend on the backbone routers and core switches.
(4) Security gap device (security isolation gatekeeper).
The security gap device is a security isolation technique that uses dedicated hardware to cut the link-layer connection between networks while still providing an appropriate data exchange capability for the separated networks. The two networks are disconnected at the link layer in hardware, and data is ferried between the two independent networks without any network protocol, through read and write operations on a hardware storage chip, which replaces protocol-based data forwarding. The security gap device thus isolates the networks physically and secures the connection.
(5) An intrusion prevention system.
The intrusion prevention system monitors network traffic in real time, detects various attack behaviours, and applies a targeted protection strategy according to the detected attack type to block the attack effectively. It absorbs and integrates firewall and intrusion detection technology and provides effective, in-depth security protection for the network.
At present the network security isolation technologies widely used at home and abroad can be divided into three types: Real-Time Switch, One-Way Link and Network Switch.
Real-Time Switch architecture: a GAP device is placed between the different networks and performs bidirectional information transfer; it is a special hardware switch that can be connected to only one network at any given moment.
One-Way Link architecture: the basic unidirectional link may be regarded as a "read-only" type of network connection, and the corresponding data transfer is unidirectional. The hardware-based unidirectional link solution separates the lowest layers of the network stack so that information cannot flow in the other direction. Of the two directly connected networks one is the source network and one the target network, and data always flows from the source to the target.
Network Switch architecture: its special feature is that it has two ports, connected to the internal and external networks respectively, and only one port can be in use at any time. A system usually holds a lot of data and information, which is configured on each port; when one port is active only the network on that port can be used, and data exchanged with that network cannot be passed to the other port.
However, when a user needs to select or deploy a specific isolation system, a predictive evaluation of the system's security is usually wanted. Since there is at present no robust security evaluation standard for isolation systems on the market, the user has to measure all candidate isolation systems in actual operation to obtain their security levels. It is therefore necessary to provide an intelligent evaluation system that can evaluate the security of an isolation system entered by the user, simplifying the user's work in setting up the isolation system, making the security evaluation of isolation systems intelligent, and making the system easier to use.
Disclosure of Invention
The invention aims to solve the above problems by providing an intelligent evaluation system for a cross-network isolation security system.
The intelligent evaluation system of the cross-network isolation security system comprises a user interaction device, an intelligent evaluation processing module and a system database;
the user interaction device is used by the user to enter the evaluation parameters of the cross-network isolation security system to be evaluated, to maintain and update the system database, and to output and display the evaluation result;
the system database comprises an evaluation measurement unit information table, which holds the evaluation parameters of each evaluation measurement unit and the preset weight of each unit; the evaluation parameters comprise a plurality of characteristic indexes and a preset weight for each characteristic index; the characteristic indexes are of two types: those whose value is entered by the user, and those with a preset (default) value, which the system administrator of the intelligent evaluation system may adjust;
the evaluation measurement units are set as follows:
the cross-network isolation security system to be evaluated is divided into three stages: a sending stage, a data transmission stage and a receiving stage;
the data transmission stage as a whole is one evaluation measurement unit, with its own preset characteristic indexes;
for the sending stage and the receiving stage, each security measure involved in the stage is an evaluation measurement unit, with the characteristic indexes of each unit preset;
in the invention an evaluation measurement unit may be a security component, such as key distribution, identity authentication, authority and data authentication, security check or security audit; or it may be a security module, i.e. a set of security components that are processed in parallel.
The intelligent evaluation processing module prompts a user to input corresponding evaluation parameters in the user interaction device based on an evaluation measurement unit information table preset in the system database, performs quantitative processing on the evaluation parameters input by the user, and calculates the evaluation result of the current cross-network isolation safety system to be evaluated based on a preset evaluation measurement rule:
for each evaluation measurement unit, quantizing the included characteristic indexes based on a preset quantization rule, and performing weighted fusion based on the weight of each characteristic index to obtain an evaluation measurement result of each evaluation measurement unit;
and performing weighted fusion on the evaluation measurement results of the evaluation measurement units based on the weight of each evaluation measurement unit to obtain the evaluation result of the cross-network isolation safety system, and outputting and displaying the evaluation result through a user interaction device.
Preferably, the weights of the characteristic indexes within one evaluation measurement unit, and the weights of the evaluation measurement units, are set with the analytic hierarchy process (AHP):
construct an n × n judgment matrix V, where n is the number of objects whose weights are to be set, i.e. the number of characteristic indexes in the same evaluation measurement unit or the number of evaluation measurement units in the cross-network isolation security system;
each element $v_{ij}$ of the judgment matrix V represents the importance of the i-th object relative to the j-th object (so that $v_{ii} = 1$ and $v_{ji} = 1/v_{ij}$); its initial value is a preset value;
define the consistency index of the judgment matrix V as
$$CI = \frac{\lambda_{\max} - n}{n - 1}$$
and the consistency ratio as
$$CR = \frac{CI}{RI_n}$$
where $RI_n$ is the average random consistency index, i.e. the mean CI of randomly generated judgment matrices of order n; $\lambda_{\max}$ is the principal eigenvalue of V and $w = (w_1, w_2, \ldots, w_n)^T$ the corresponding eigenvector, normalized with $e = (1, 1, \ldots, 1)^T$ so that
$$V w = \lambda_{\max} w, \qquad e^T w = 1,$$
superscript T denoting transpose;
check whether CR is at most a preset threshold; if so, the weights of the n objects are the components $w_i$; otherwise adjust $v_{ij}$ and repeat until CR is at most the threshold. The preferred value of the threshold is 0.1.
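As an added worked example (not part of the patent), the AHP weight derivation with the CR check described above, followed by the two-level weighted fusion the intelligent evaluation processing module performs (characteristic indexes to unit score, unit scores to system score). The judgment matrices, the indicator scores (taken as already quantized to [0, 1]) and the unit names are constructed for illustration; the RI_n values are Saaty's published random consistency indices.

```python
"""Added example, not the patent's code: AHP weights with the CR check, then
the two-level weighted fusion (indexes -> unit score -> system score).
Judgment matrices, indicator scores and unit names below are constructed."""

# Saaty's average random consistency index RI_n for matrices of order 1..10.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}


def principal_eigen(matrix, iterations=500, tol=1e-12):
    """Power iteration on V: returns (lambda_max, w) with sum(w) == 1."""
    n = len(matrix)
    w = [1.0 / n] * n
    lam = float("nan")
    for _ in range(iterations):
        vw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        # lambda_max estimated as the mean of (Vw)_i / w_i
        lam = sum(vw[i] / w[i] for i in range(n)) / n
        total = sum(vw)
        new_w = [x / total for x in vw]
        converged = max(abs(new_w[i] - w[i]) for i in range(n)) < tol
        w = new_w
        if converged:
            break
    return lam, w


def consistency(matrix):
    """Returns (lambda_max, w, CI, CR) for a reciprocal judgment matrix V."""
    n = len(matrix)
    for i in range(n):
        for j in range(n):
            if abs(matrix[i][j] * matrix[j][i] - 1.0) > 1e-9:
                raise ValueError(f"V is not reciprocal at ({i}, {j})")
    lam, w = principal_eigen(matrix)
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    cr = ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] > 0 else 0.0
    return lam, w, ci, cr


def ahp_weights(matrix, threshold=0.1):
    """Weights of the n objects, or ValueError if CR > threshold (the patent's
    preferred threshold is 0.1): the caller must then adjust v_ij and retry."""
    _, w, _, cr = consistency(matrix)
    if cr > threshold:
        raise ValueError(f"CR = {cr:.3f} exceeds {threshold}; adjust v_ij and retry")
    return w


def fuse(scores, weights):
    """Weighted fusion sum_i w_i * s_i over scores already quantized to [0, 1]."""
    if len(scores) != len(weights):
        raise ValueError("score/weight length mismatch")
    return sum(s * w for s, w in zip(scores, weights))


def evaluate_system(units, unit_matrix):
    """units: {name: (indicator_scores, indicator_judgment_matrix)}.
    unit_matrix: judgment matrix over the units, in the same order.
    Returns (system_score, {unit_name: unit_score})."""
    unit_scores = {}
    for name, (scores, matrix) in units.items():
        unit_scores[name] = fuse(scores, ahp_weights(matrix))
    unit_w = ahp_weights(unit_matrix)
    return fuse(list(unit_scores.values()), unit_w), unit_scores


# Constructed example: two sending-stage units with quantized indicator scores.
EXAMPLE_UNITS = {
    # identity authentication: (mode, unified system, extranet connected)
    "identity_authentication": ([1.0, 0.5, 0.0],
                                [[1, 2, 4], [1 / 2, 1, 2], [1 / 4, 1 / 2, 1]]),
    # security check: (detection rate, virus library update period)
    "security_check": ([0.8, 0.6], [[1, 3], [1 / 3, 1]]),
}
EXAMPLE_UNIT_MATRIX = [[1, 1], [1, 1]]          # both units equally important

# Cyclic preferences (A > B > C > A): reciprocal but inconsistent, CR > 0.1.
INCONSISTENT = [[1, 3, 1 / 3], [1 / 3, 1, 3], [3, 1 / 3, 1]]

if __name__ == "__main__":
    score, per_unit = evaluate_system(EXAMPLE_UNITS, EXAMPLE_UNIT_MATRIX)
    print(f"system score {score:.4f}, per unit {per_unit}")
    print("inconsistent matrix CR = %.3f" % consistency(INCONSISTENT)[3])
```

The identity authentication matrix above is perfectly consistent (each row is a multiple of the others), so its CR is 0 and the weights are 4/7, 2/7 and 1/7; the cyclic matrix has CR above 1 and is rejected, which is the "adjust v_ij and retry" branch of the procedure.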
Further, in the present invention, the evaluation metric unit included in the sending phase is set as: identity authentication, authority and data authentication, security check and security audit;
the characteristic indexes of the identity authentication comprise: identity authentication mode, whether the authentication system is unified or not, whether the authentication system is connected with an external network or not, authentication speed, key updating period, key space size, key length and authentication platform;
the characteristic indexes of authority and data authentication comprise: whether to examine and approve, whether to connect an external network, the number of examination and approval indexes, the authentication speed and the authentication platform;
the characteristic indexes of the security check comprise: malicious code detection mode, detection rate, false detection rate, virus library update period and whether data leakage prevention is performed;
the characteristic indexes of the security audit comprise: log retention days, automatic storage time, log memory size, emergency system, whether monitoring is carried out in the whole process or not, and audit log period is checked;
the characteristic indexes related to the data transmission stage comprise: transmission path, transmission mode, transmission speed, whether physical isolation exists or not and whether the transmission process is independent or not;
the evaluation metric unit included in the data reception phase is set to: safety audit, safety check, identity authentication and authority and data authentication;
the security audit, security check and identity authentication in the data receiving stage comprise the same characteristic indexes as those in the sending stage;
the authority of the data receiving stage and the characteristic indexes of the data authentication comprise: authentication speed, authentication platform.
In summary, by adopting the above technical scheme the invention has the following beneficial effects: the cross-network isolation security system becomes quantifiable and is evaluated intelligently; the security of the system under evaluation is predicted for the parameters the user currently enters, so that the isolation performance of a system to be deployed can be predicted under different parameter choices, and the result is then used by the user for the deployment settings of the cross-network isolation system.
Drawings
FIG. 1 is a system block diagram of an intelligent evaluation system of the present invention;
FIG. 2 is a schematic view of an initialization interface of the intelligent evaluation system of the present invention;
FIG. 3 is a diagram of a functional component tree of a general cross-network security isolation system;
FIG. 4 is a schematic diagram of security components of an inter-network security isolation system;
FIG. 5 is a diagram illustrating evaluation results of the intelligent evaluation system of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the following embodiments and accompanying drawings.
Referring to fig. 1, the intelligent evaluation system of the present invention includes a user interaction device, an intelligent evaluation processing module, and a system database;
the user interaction device is used for inputting evaluation parameters of the cross-network isolation safety system to be evaluated, maintaining and updating a system database, selecting an evaluation mode, outputting and displaying an evaluation result and the like by a user;
and the intelligent evaluation processing module obtains the evaluation result (such as a security evaluation result and a performance evaluation result) of the cross-network isolation security system under evaluation by combining the parameters entered by the user with the related parameters queried from the system database, according to the preset evaluation rules. The user then deploys a specific cross-network isolation security system based on the obtained result.
In the invention, the evaluation parameters comprise parameters of three stages, namely parameters of a cross-network isolation safety system to be evaluated in a sending stage, a data transmission stage and a receiving stage.
In general the operating environment of a cross-network isolation security system includes servers, terminal computers, firewalls and network switches, storage devices and output devices, together with the information management systems and application software that store, process, transmit and operate on classified information on each device. For the system to be evaluated the user therefore first has to determine, in test or trial operation, its parameters for the sending stage, the data transmission stage and the receiving stage, and enter them into the evaluation system of the invention to obtain the corresponding evaluation result.
Sending stage: the process by which a user in the classified network transfers the data to be sent to the data exchange system.
In the sending stage the user first has to pass identity authentication; only a legitimate, authenticated user may transmit data. Next, the security level of the data to be sent and whether the user is authorized to send it are examined, and after approval the data is sent to the data exchange system. During this process the transmitted data undergoes a security check, such as malicious code detection and data leakage prevention, and finally a security audit covers the whole sending process; only if no anomaly is found in the whole sending process does the next stage, the transmission stage, begin.
The sending stage is therefore summarized in four steps: identity authentication, authority and data authentication, security check and security audit. The user needs to know the corresponding parameters of these four steps and enter them into the intelligent evaluation system of the invention.
Identity authentication is the first step of the sending phase, and data transmission can be performed only by a legal user who passes authentication.
The indexes required for the identity authentication step are: identity authentication mode, whether the authentication system is unified, whether it is connected to the Internet (extranet), authentication speed, key update period, key space size, key length and authentication platform.
The identity authentication modes are: account/password authentication, biometric authentication (fingerprint, iris, etc.) and special-component authentication (USB key (U-shield), etc.). The user indicates the identity authentication mode of the isolation security system by entering a flag for each mode; for example, account/password authentication: 1, biometric authentication: 1, special-component authentication: 0 means the system uses account/password plus biometric authentication. A unified authentication system means a single authentication system is established across the whole network, so that authentication gaps are avoided and the identity of any user can be verified. Authentication speed is the average time from entering the authentication information to the return of the authentication result. Because the authentication information is transmitted to the back end in encrypted form, the key has to be renewed regularly to keep it secure; the key update period is that interval, and 0 is entered if the isolation security system never updates the key. Key space size is the number of keys available to the user: for example, if keys consist of upper- and lower-case letters and digits (62 symbols) and the key length is 64 characters, the key space size is $62^{64}$, and the binary storage length of the key must be at least
$$\lceil \log_2 62^{64} \rceil = \lceil 64 \log_2 62 \rceil = 382 \text{ bits.}$$
The authentication platform mainly refers to whether identity authentication is performed in software or in hardware.
Authority and data authentication mainly comprises judging the security level of the data (files) to be transmitted, whether the user is authorized to transmit data of that security level, and whether the recipient is authorized to receive it. The user fills in the corresponding information to apply for transmission, and the isolation security system approves the application against approval indexes that generally include: whether the file content is classified, the file security level, whether sensitive words are present, whether the file type is within the transmittable range, whether the file size complies with the transmission rules, whether the sender is authorized to send the file, whether the receiver is authorized to receive it, and so on. If the application is approved, i.e. the user is authorized to transmit the file to the recipient through the isolation system, the next operation proceeds; otherwise the file is not transmitted.
The indexes required for the authority and data authentication step are therefore: whether approval is performed, whether the system is connected to the Internet (extranet), the number of approval indexes, authentication speed and authentication platform. The number of approval indexes is the number of items in the approval criteria; authentication speed is the average time from submission of the application to the return of the approval result; the authentication platform is entered as for identity authentication (hardware or software).
The security check mainly examines whether the data to be transmitted is complete, has been tampered with or leaked, or carries a virus while the user transfers it from the local machine to the data exchange system in the sending stage. It is performed mainly by malicious code detection; some security isolation systems also check data leakage prevention.
Existing malicious code detection methods fall into four main techniques: feature code (signature) scanning, integrity detection, virtual machine (sandbox) detection and heuristic detection. In feature code scanning, a feature library of malicious code is built before the scanner runs; the file under test is then scanned and matched against the feature strings in the library, and a file fragment that matches a library sample is flagged. The latest malicious code feature strings are obtained by updating the feature file. Integrity detection targets file-infecting malicious code: on the assumption that a freshly created file is not infected, its hash is computed with some hash algorithm and stored in a secure database; at each periodic check the file's hash is recomputed and compared with the stored value, and a difference means the file has been modified and may contain malicious code. CRC32 and MD5 are commonly cited as the hash algorithms for integrity detection; neither is collision resistant (CRC32 is not a cryptographic hash at all), so an attacker who can modify a file can also make its checksum match, and a modern integrity check should use SHA-256 or another cryptographic hash. Virtual machine detection mainly uses sandbox technology to virtualize system resources and build a "sandbox" for the application, in which each executable program has its own accessible resources and the permissions granted by the system; by executing untrusted code and scripts inside the sandbox the system can limit or even prevent damage to its integrity by malicious code.
Heuristic detection builds on the original feature value recognition technique: when no feature value matches, the program code is decompiled and judged, from experience gained in analyzing suspicious samples, on the Win32 API functions it calls (their combination, frequency of occurrence and so on) to decide whether its purpose is malicious; when the criteria are met an alarm prompts the user that a suspicious program has been found. This defends against unknown malicious code and overcomes the deficiency of pure feature value comparison.
The indexes required for the security check step are therefore: malicious code detection mode, detection rate, false detection rate, virus library update period and whether data leakage prevention is performed. The malicious code detection mode is one or more of the four main techniques (feature code scanning, integrity detection, virtual machine detection, heuristic detection); the detection rate is the probability of successfully detecting data that carries malicious code; the false detection rate is the probability of a wrong result, i.e. data without malicious code reported as malicious or data with malicious code reported as clean; because viruses change quickly, a virus library that is not updated in time will hardly detect new viruses, so the virus library update period is the average time between updates; data leakage prevention is an additional item of the security check, and a security isolation system that has it is more secure.
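The feature code scanning and integrity detection techniques described above, as an added example that is not part of the patent. The feature strings, file contents and baseline are constructed in memory (the first signature is a prefix of the public EICAR test string), and SHA-256 is used for the integrity hash instead of the CRC32/MD5 the text mentions, for the reason given above.

```python
"""Added example, not the patent's code: feature code (signature) scanning and
hash-based integrity detection over constructed in-memory 'files'.
Signatures, file contents and the baseline are made up for illustration."""
import hashlib

# Constructed feature library: name -> byte pattern that marks a known sample.
# A real library holds many such strings and is refreshed on the virus library
# update period; the first entry is a prefix of the EICAR test string.
FEATURE_LIBRARY = {
    "eicar-test-prefix": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR",
    "nop-sled-marker": b"\x90\x90\x90\x90\xcc",
}


def signature_scan(data, library=FEATURE_LIBRARY):
    """Names of every feature string present in data (empty list if clean)."""
    return sorted(name for name, pattern in library.items() if pattern in data)


def file_hash(data):
    # SHA-256 rather than CRC32/MD5: collision resistance is what makes the
    # baseline useful against deliberate modification, not just bit rot.
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """The 'safe database': path -> hash, taken from a known-clean state."""
    return {path: file_hash(data) for path, data in files.items()}


def integrity_check(files, baseline):
    """Paths whose hash no longer matches the baseline, or that are missing
    from it (a new file has no clean reference and is treated as changed)."""
    return sorted(path for path, data in files.items()
                  if baseline.get(path) != file_hash(data))


def security_check(files, baseline):
    """Combined verdict for one transfer: per-file findings plus pass/fail."""
    findings = {}
    for path, data in files.items():
        hits = signature_scan(data)
        changed = baseline.get(path) != file_hash(data)
        if hits or changed:
            findings[path] = {"signatures": hits, "modified": changed}
    return {"passed": not findings, "findings": findings}


# Constructed clean state and a later, tampered state of the same files.
CLEAN_FILES = {
    "report.docx": b"PK\x03\x04 quarterly report body ...",
    "tool.exe": b"MZ\x90\x00 legitimate program bytes",
}
TAMPERED_FILES = {
    "report.docx": CLEAN_FILES["report.docx"],                                # untouched
    "tool.exe": b"MZ\x90\x00" + FEATURE_LIBRARY["eicar-test-prefix"] + b"!",  # infected
    "notes.txt": b"new file, no baseline entry",
}


def run_example():
    """Check the clean state and the tampered state against the same baseline."""
    baseline = build_baseline(CLEAN_FILES)
    return security_check(CLEAN_FILES, baseline), security_check(TAMPERED_FILES, baseline)


if __name__ == "__main__":
    before, after = run_example()
    print("clean state:", before)
    print("tampered state:", after)
```

The infected executable is caught by both methods at once, which is the usual case for file-infecting code; the new text file is caught by integrity detection alone, since no signature matches it. Whether a file that merely appeared since the baseline should block a transfer is a policy decision of the isolation system, not of the check.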
The security audit runs through the whole process of the sending stage, namely, from the beginning of identity authentication of a user to the preparation of data sending, each process has a detailed log for recording, such as the time of identity authentication, whether the identity authentication is successful, whether authority data authentication is passed or not, whether malicious codes are detected or not, and the like.
The security audit should have the following functions. A maximum size for a single log file should be set, e.g. 1 MB; when the file reaches that size it is closed automatically and subsequent log entries are written to a new file. An automatic save interval, e.g. 1 hour, also needs to be set. An audit daemon records the details of an event as soon as it occurs, e.g. the system coming under attack or running out of storage, and responsive actions should be taken when such an event occurs. In addition, audit results must be protected against unexpected deletion, modification or overwriting: reasonable log permissions must be set so that only authorized administrators can access and browse the audit records. When a system anomaly or illegal behaviour is detected a real-time alarm must remind the administrator in time, and the system should raise alarms of different levels for events of different severity.
The indexes of the security audit step are thus: log retention days, automatic save interval, log storage size, emergency system, whether the whole process is monitored, and the audit log review period. Log retention days is the longest time a log is kept; because storage is limited, logs older than a certain age are generally deleted. The automatic save interval means the log is saved automatically at fixed intervals while being written. The emergency system covers: whether real-time alarms can be raised, whether an emergency response system exists and whether data is backed up; a real-time alarm means the system alerts promptly when it hits a problem such as an anomaly or detected illegal behaviour, and the emergency response system is the set of measures taken after an incident. Whole-process monitoring: whether every step, from the user's identity authentication to the data being ready to send, is recorded in a detailed log. The audit log review period is the interval at which the security and confidentiality manager reviews the logs and periodically produces a review report.
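As an added example, not the patent's code, an audit log writer with the properties listed above: each record carries the hash of the previous one, so deletion, modification or overwriting of an earlier record is detected when the chain is replayed; a new file is started automatically when the current one reaches its size limit (1 MB in the text, a few hundred bytes here so that rotation is visible); and an alarm callback fires for events at or above a chosen level. The directory layout, record fields, event names and the alarm threshold are assumptions.

```python
"""Added example, not the patent's code: tamper-evident audit log with size
rotation and level-based alarms.  File layout, record fields and the
constructed events in demo() are assumptions for illustration."""
import hashlib
import json
import os
import tempfile
import time

LEVELS = {"info": 0, "warning": 1, "critical": 2}
GENESIS = "0" * 64   # hash-chain anchor before the first record


class AuditLog:
    def __init__(self, directory, max_bytes=1_000_000,
                 alarm_level="warning", alarm=None):
        self.directory = directory
        self.max_bytes = max_bytes
        self.alarm_level = LEVELS[alarm_level]
        self.alarm = alarm or (lambda record: None)
        self.file_no = 0
        self.prev = GENESIS
        os.makedirs(directory, exist_ok=True)

    def _path(self):
        return os.path.join(self.directory, f"audit-{self.file_no:04d}.log")

    def record(self, event, level="info", **fields):
        """Append one record, rotating first if the current file is full."""
        path = self._path()
        if os.path.exists(path) and os.path.getsize(path) >= self.max_bytes:
            self.file_no += 1            # chain continues into the new file
            path = self._path()
        body = {"ts": time.time(), "event": event, "level": level,
                "prev": self.prev, **fields}
        payload = json.dumps(body, sort_keys=True)   # prev is inside the payload
        digest = hashlib.sha256(payload.encode()).hexdigest()
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(payload + " " + digest + "\n")  # digest contains no spaces
        self.prev = digest
        if LEVELS[level] >= self.alarm_level:
            self.alarm(body)
        return digest


def verify_chain(directory):
    """Replay every file in order; returns (ok, records_verified, last_hash).
    Stops at the first record whose digest or prev link does not match."""
    prev, count = GENESIS, 0
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name), encoding="utf-8") as fh:
            for line in fh:
                payload, _, digest = line.rstrip("\n").rpartition(" ")
                if hashlib.sha256(payload.encode()).hexdigest() != digest:
                    return False, count, prev
                if json.loads(payload).get("prev") != prev:
                    return False, count, prev
                prev, count = digest, count + 1
    return True, count, prev


def demo(directory=None, max_bytes=300):
    """Write constructed events, verify, tamper with one record, verify again."""
    directory = directory or tempfile.mkdtemp(prefix="audit-")
    alarms = []
    log = AuditLog(directory, max_bytes=max_bytes, alarm=alarms.append)
    log.record("identity_authentication", user="alice", result="success")
    log.record("authority_check", user="alice", file="report.docx", result="approved")
    log.record("malicious_code_scan", level="critical", file="tool.exe", result="detected")
    log.record("send_blocked", level="warning", user="alice")
    log.record("storage_low", level="critical", free_mb=12)
    files = sorted(os.listdir(directory))
    ok_before, n_before, _ = verify_chain(directory)
    # Tamper: rewrite the approval result in the first file without re-hashing.
    first = os.path.join(directory, files[0])
    with open(first, encoding="utf-8") as fh:
        text = fh.read()
    with open(first, "w", encoding="utf-8") as fh:
        fh.write(text.replace('"result": "approved"', '"result": "denied"'))
    ok_after, n_after, _ = verify_chain(directory)
    return {"files": len(files), "ok_before": ok_before, "records": n_before,
            "ok_after": ok_after, "valid_prefix": n_after,
            "alarms": [a["event"] for a in alarms]}


if __name__ == "__main__":
    print(demo())
```

Replaying the chain catches modification and removal of any record except the most recent ones: silently dropping the tail of the log leaves a shorter but still valid chain. The last digest therefore has to be anchored outside the writable log directory as well (written to a separate write-once store, or signed and sent to the administrator), which is the practical form of the "protected from deletion" requirement above; file permissions alone do not give that.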
In the data transmission stage, the related indexes comprise: transmission path, transmission mode, transmission speed, whether physical isolation exists, and whether the transmission process is independent.
The transmission path comprises an optical disk, a hard disk, a U disk and laser;
the transmission mode comprises: whether an error correction function exists, whether the transmission is encrypted, whether the transmission is segmented, whether the transmission is unidirectional, and whether the transmission is performed only once;
the transmission speed represents the average speed from the start of data transmission, once the transmission has been permitted, to the reception of the data at the receiving end;
physical isolation means that the transmission process is physically isolated from any external third party, i.e. a third party cannot monitor the data transmitted between the two communicating parties;
the transmission process is independent, that is, it is independent of the communicating parties, and the data itself cannot control the transmission process (also called the transmission mechanism); in other words, no party in the communication can control the transmission so as to cause multiple transmissions, interrupted transmissions, failed retransmissions or reverse transmissions between the two communicating parties. The transmission mechanism is independently selected and executed by the cross-network isolation system.
The data reception phase is similar to the transmission phase and requires a series of checks and authentications. First a security audit is carried out, then a security check such as malicious code detection and data leakage prevention, checking whether the data became abnormal during transmission; then identity authentication of the receiving personnel is carried out, and after that authority and data authentication: the security level of the data is checked and it is verified whether the receiving personnel have the right to receive the data.
The security audit, security check and identity authentication of the data receiving stage are similar to those of the sending stage;
after passing identity authentication, the receiving user is authenticated as to whether they have the authority to receive the transmitted data: the system compares the receiver specified in the application form filled in by the sender in the sending stage with the identity of the receiving user; if the identities are consistent or meet the receiving requirement, the data can be received, otherwise there is no authority to receive the data. Thus, the metrics required in the authority and data authentication process include: authentication speed and authentication platform. The authentication speed is the average speed from the end of the receiving user's identity authentication to the return of the authentication result.
Aiming at the five basic safety attributes (confidentiality, integrity, authenticity, verifiability and reliability) of a common cross-network isolation safety system, the invention provides an evaluation scheme for any common cross-network isolation safety system by sorting all safety indexes of all possible functional components of the system based on the analytic hierarchy process, and simultaneously provides a corresponding evaluation scheme for the performance (efficiency, robustness and cost performance) of the isolation safety system. The method solves the technical problems that a common cross-network isolation system is difficult to evaluate and cannot be evaluated quantitatively well. At the same time, it facilitates the user's deployment settings of the cross-network isolation safety system: the user can take the evaluation result given by the intelligent evaluation system as a prediction of the safety performance of the system to be evaluated under the current user input parameters, obtain several such predictions for different user input parameters, and select the user input parameters that best match the deployment requirements as the deployment settings of the cross-network isolation system, or select from several cross-network isolation safety systems the one that best matches the deployment requirements based on the evaluation results.
Since the cross-network isolated security system is implemented by the security enforcement functions of some security components, the security certification of these functions needs to be abstracted into corresponding provable mathematical models, typically protocols or algorithms. Based on this, the function of a cross-network isolated security system can generally be described by some protocols and some detection algorithm components,
where the security components generally include: key distribution, identity authentication, approval, authority authentication, security audit, malicious code inspection, message authentication, encryption, the transmission phase, and the like. The security components can be characterized by a function tree, and each security component analyzed by the analytic hierarchy process.
In the present invention, the user's input operation can be realized through a user operation interface: based on a security assessment level selection interface provided in the user operation interface displayed on the user interaction device, the user can select a security assessment level, which includes high security, medium security and low security, as shown in fig. 2. Based on the user's selection of the security evaluation level, the intelligent evaluation processing module provides the user with a corresponding evaluation system, that is, the parameters of each security component of the cross-network isolation security system to be evaluated are set to different default values according to the security level.
For the cross-network isolated security system to be evaluated, the cross-network isolated security system to be evaluated can be defined as a function tree, which is marked as
Figure GDA0003462763690000091
Wherein
Figure GDA0003462763690000092
Representing n abstract schemes for constructing a function tree and realizing the functions of the function tree;
Figure GDA0003462763690000093
representing m independent detection algorithms typically used for data detection between protocols, etc.
For example,
Figure GDA0003462763690000094
and is
Figure GDA0003462763690000095
Namely, it is
Figure GDA0003462763690000096
The method comprises four protocols, wherein the IAC represents an identity authentication protocol, the KE represents a key exchange protocol, the MAC represents message authentication, the SKE represents symmetric key encryption, and a detection algorithm Check is a malicious code detection algorithm. Then
Figure GDA0003462763690000097
The method is a function tree, realizes identity authentication of one party and symmetric encryption with a message authentication function, and simultaneously performs malicious code detection in the whole transmission process.
In this embodiment, for a security component included in a general cross-network isolated security system, the security component may be written as:
Figure GDA0003462763690000098
namely, it is
Figure GDA0003462763690000099
Is a function tree which satisfies the isolation security system, and one-way represents a physical one-way transmission device.
And is
Figure GDA0003462763690000101
where i ∈ {s, r}, s denotes the user in the transmitting network and r denotes the user in the receiving network; the sending and receiving phases of the corresponding isolated security system are as shown in fig. 3.
Wherein KE_{1,i} and KE_{2,i} respectively represent the key distribution for the identity authentication protocol and for the message authentication and symmetric encryption protocol; AA_{1,i} and AA_{2,i} are the two parts of the authority authentication protocol AA_i (i.e., it proves that for arbitrary j ∈ I and arbitrary
Figure GDA0003462763690000102
satisfies x ∈ U_{s,j} and the corresponding relation between L and L′; AA_{1,i} and AA_{2,i} are the two parts that authenticate the transmission data respectively when passing the identity authentication protocol and before message transmission, where I represents the set of users of different levels, j represents the different types of operations, x represents data in the network, L represents the set formed by the data, L′ represents the data set after an add or delete operation on L, and U_{s,j} represents the user authority, namely that user s has operation authority for operation type j; the authority authentication protocol AA_i is split because, in practice, when an illegal situation is already found by the identity authentication protocol the subsequent process is not needed); IAC_i, MAC_i and SKE_i respectively represent the identity authentication protocol, the message authentication code and the symmetric encryption protocol; EAA_i, Audit_i and Check_i respectively represent approval, security audit and malicious code detection; one-way represents a physical unidirectional transmission device.
Then, a set of security components processed in parallel is defined as a security module; for example, {Audit_i, Check_i, KE_{1,i}} is a security module in which Audit_i, Check_i and KE_{1,i} are each a security component. This results in a total of 11 security components for a typical cross-network isolation system (10 for the sending phase and receiving phase, as in the component configuration of fig. 4, plus 1 transmission component): a security audit component, a malicious code detection component, a first key distribution component, an identity authentication component, an approval component, an authority authentication component, a second key distribution component, a message authentication component, an encryption component, an authority authentication component and a sending component; the first key distribution is used for identity authentication, and the second key distribution is used for message authentication. The user input parameters (evaluation parameters) included in the components are of the same kind and may typically include: security degree, resistance to common attacks, security parameter (key length), attack success probability, key distribution protocol configuration platform, average running time, maintenance cost, key management agreement, whether a power filter is added to the external power supply of the key management center, whether key storage is encrypted, whether keys are backed up against failure or virus damage, and the like, and the security degree (high, medium or low) of the database management system.
Based on the principle that a group of security components processed in parallel forms one security module, the security modules of the cross-network isolation security system to be evaluated can be obtained. For example, if the sending stage and the receiving stage each correspond to 6 security modules and the transmission component corresponds to one transmission module, a total of 13 security modules is obtained.
The parameters of each security module include: basic parameters (e.g. security degree, resistance to common attacks), additional parameters (all the yes/no selectable parameters), and performance parameters (time, cost).
When calculating the module evaluation value of each security module, the intelligent evaluation processing module of the invention obtains it from the preset module-evaluation-value calculation rule and the parameter information of each security module input by the user:
first, for the protocol in which the security module operates, se_0 is defined to represent the basic score, se′ the additional score, and se the protocol metric value;
in order to realize quantitative processing of the security modules, the invention presets different security information (including the basic score se_0 and a security level value b) for each protocol in the cross-network isolation security system and stores the preset information in the system database in the form of a table (e.g. a security information table named protocol), for ease of expansion and maintenance.
The specific way of setting the basic score se_0 of a protocol may be as follows:
first, it is evaluated whether the protocol physically satisfies the predetermined basic physical indexes (e.g. basic physical devices, a unified management system, etc.); if not, se_0 < 60.
Then, on the premise that the basic physical indexes are met, the security strength se_1 and the resistance to common attack types se_2 are considered, i.e. se_0 = se_1 + se_2.
For se_1, the value is set according to the pre-divided security score segments and their definitions: if the safety standard cannot be met, se_1 = 0; if the basic standard in practical application is not met (i.e. the basic safety standard is not met), se_1 ∈ [60, 80−M); if the standard just reaches the basic safety standard, se_1 ∈ [80−M, 90−M); if the higher theoretical standard is reached (other than the three cases above), se_1 ∈ [90−M, 90−M).
The security score segments (i.e., different score segments correspond to different security levels) may be set as: [0,60), indicating that basic physical security and absolute protocol security cannot be achieved, but a certain security role can still be played, with a higher score the stronger the effect; [60,80), indicating that basic physical security and absolute protocol security can be achieved, but only the most basic security standards are guaranteed and common attacks are not necessarily resisted; [80,90), the safety standard of practical application can be ensured and common attacks can be resisted; [90,100], basic physical security and absolute protocol security can be achieved, the higher theoretical safety standard can be ensured, and common attacks can be resisted.
For se_2, assuming there are n common attack types, the weight of each attack type can be determined by the analytic hierarchy process, with the weight vector denoted w. When some attack cannot be defended against, security is greatly reduced; in other words, the score se_2 obtained from the attack types that are defended should not be additive, so a multiplicative score is chosen. Denote the full score of se_2 by M, and let the attack types that can be resisted be given by the vector b = (b_1, b_2, ..., b_n)^T, where b_i ∈ {0,1} indicates whether the i-th (i = 1, …, n) attack type can be resisted; then
Figure GDA0003462763690000121
That is, if the basic physical indexes are not satisfied, se_0 = 0; otherwise se_0 = se_1 + se_2.
The specific way of setting the additional score se′ of a protocol may be as follows:
the additional score se′ primarily includes the additional detection algorithm score se′_1 during protocol execution, the enhancement score se′_2 of the protocol itself, and the security measure score se′_3 on other layers related to the protocol.
A detection algorithm generally has a miss rate p_1(λ) (the probability of not detecting malicious code) and a false positive rate p_2(λ); security is related only to p_1(λ). Define
Figure GDA0003462763690000122
where λ represents the length of the character string, i.e. the length of the code to be detected;
since se′_1 ∈ [0, +∞), a function h(·) from [0,1] to [0, +∞) is constructed such that the smaller p′_1 is, the higher h(p′_1) is, i.e. h(·) is differentiable and
Figure GDA0003462763690000123
h(0) = +∞, h(1) = 0;
meanwhile, different algorithms should be independent, so h(p′_1) + h(q′_1) = h(p′_1 · q′_1) must hold. Thus se′_1 = h(p′_1) = −ln(p′_1) satisfies the conditions. That is, in the present invention, se′_1 = −ln(p′_1) may be set;
for the evaluation of the key length in the protocol, obviously the larger the key length λ the better, and combined with the key update period T one may set se′_2 = h(T · ε(λ)) = −ln(T · ε(λ)), where ε(·) represents a negligible function.
And se′_3 depends on the operation mechanism of the functional component, including the level of safety resulting from indexes such as the management mode, the operation mode and the emergency treatment plan. Broadly speaking, for a safety measure implemented in the operation mechanism, the probability of success in the defense process can be given through mechanism analysis, and the ratio of the success probability to the failure probability used as the score of the operation mechanism; alternatively an expert evaluation can give a score in [0,1], which is then taken as the value after applying h to it. In fact, the function h maps [0,1] to [0, +∞). That is, se′_3 is:
Figure GDA0003462763690000131
wherein β_k represents the preset score of the k-th security measure and w_k its preset weight; the preset scores and weights for the different security measures may be pre-stored in the system database in the form of a data table, e.g. defined as the security measure rating table of the protocol.
The additional detection algorithm score se′_1, the enhancement score se′_2 of the protocol itself and the security measure score se′_3 on other layers related to the protocol are weighted and fused to obtain the additional score se′.
The protocol metric value se of a protocol is defined as: se = exp(−c·se′)·se_0 + (1 − exp(−c·se′))·b;
wherein c is a preset constant, preferably 1, and b is the security level value corresponding to the basic score se_0, i.e. the upper limit of the score segment in which the current value of se_1 lies, namely: if se_1 = 0, then b = 60; if se_1 ∈ [80−M, 90−M), then b = 80; if se_1 ∈ [60, 80−M), then b = 90; if se_1 ∈ [90−M, 90−M), then b = 100.
For each security module, the module evaluation value is obtained from the protocol metric values of the protocols in which it operates: if only one protocol is involved, the protocol metric value of that protocol is the module evaluation value of the security module; if several are involved, the module evaluation value of the security module is the sum of their protocol metric values.
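The protocol metric described above, carried through in Python as an added example (not the patent's own code): h(p) = −ln p gives se′_1 and se′_2, se′_3 is taken as Σ_k w_k·h(β_k) and the three parts are fused with equal weights (both assumptions, since the page's formula images are not reproduced), ε(λ) = 2^−λ stands in for the negligible function, and se_0 and b come from a constructed stand-in for the system database's protocol table.

```python
import math


def h(p):
    """h: [0,1] -> [0,+inf), h(p) = -ln p (the page's choice): h(1) = 0, h(0) = +inf,
    and h(p*q) = h(p) + h(q), so independent detectors combine additively."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("h is only defined on [0, 1]")
    return math.inf if p == 0.0 else -math.log(p)


def negligible(lam):
    """eps(lambda): the page only says 'a negligible function'; 2^-lambda is assumed."""
    return 2.0 ** -lam


def additional_score(p1_prime, T, lam, measures, fusion=(1 / 3, 1 / 3, 1 / 3)):
    """se' from the three parts described on the page:
    se'_1 = h(p'_1)              miss probability of the detection algorithm (1.0 if none)
    se'_2 = h(T * eps(lam))      key length lambda with update period T (T*eps in [0,1])
    se'_3 = sum_k w_k * h(beta_k) operation-mechanism measures as (beta_k, w_k) pairs;
    this form of se'_3 and the equal fusion weights are assumptions."""
    se1 = h(p1_prime)
    se2 = h(T * negligible(lam))
    se3 = sum(w_k * h(beta_k) for beta_k, w_k in measures)
    return fusion[0] * se1 + fusion[1] * se2 + fusion[2] * se3


def protocol_metric(se0, b, se_prime, c=1.0):
    """se = exp(-c*se')*se0 + (1 - exp(-c*se'))*b (the page's formula, c preferably 1).
    As se' grows, se moves from the basic score se0 toward the level value b and never
    passes it: additional measures cannot lift a protocol above its base level's ceiling."""
    k = math.exp(-c * se_prime)  # exp(-inf) == 0.0, so se' = +inf yields se = b exactly
    return k * se0 + (1.0 - k) * b


def module_evaluation(protocol_metrics):
    """Module evaluation value: the single protocol's se, or the sum when several run."""
    return sum(protocol_metrics)


# Constructed stand-in for the system database's 'protocol' table: basic score se_0
# and preset security level value b per protocol (illustrative values only).
PROTOCOL_TABLE = {
    "IAC": {"se0": 85.0, "b": 90.0},
    "SKE": {"se0": 72.0, "b": 80.0},
}


def evaluate_protocol(name, p1_prime=1.0, T=1.0, lam=0, measures=()):
    """Look up se_0 and b, build se' from the user-supplied additional parameters
    (defaults mean 'no additional measures', se' = 0) and return the metric se."""
    row = PROTOCOL_TABLE[name]
    se_prime = additional_score(p1_prime, T, lam, list(measures))
    return protocol_metric(row["se0"], row["b"], se_prime)


if __name__ == "__main__":
    print("SKE, no additional measures :", evaluate_protocol("SKE"))
    print("SKE, detector p'1=0.05, 128-bit key, two measures:",
          evaluate_protocol("SKE", 0.05, 1.0, 128, [(0.9, 0.5), (0.8, 0.5)]))
    print("module {IAC, SKE}:", module_evaluation([evaluate_protocol("IAC"),
                                                    evaluate_protocol("SKE")]))
```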
Furthermore, the additional score se′ of a protocol can also be set directly in the following way:
for all yes/no and high/medium/low choices, i.e. the characteristic indexes of each protocol (unless uniform), a corresponding probability P_i and weight w_i are assigned, and according to the formula
Figure GDA0003462763690000132
the additional score se′ of the protocol is obtained.
Further, in the present invention, when setting the weights of multiple indexes (or multiple modules), the Analytic Hierarchy Process (AHP) may be used to determine the weight of each index. The specific procedure is as follows:
firstly, a judgment matrix V of dimension n × n is constructed, where n represents the number of indexes or modules;
each element v_ij of the judgment matrix V indicates the importance of the i-th index relative to the j-th index. Based on the actual application scenario, the importance among the indexes is quantified, different grades are divided according to the degree of importance, and each grade corresponds to a score, thereby obtaining the corresponding judgment matrix V. In the invention, the judgment matrixes V for different objects can be preset in the system database as needed, so that the corresponding weights can be determined quickly.
For example, for a judgment matrix V containing 13 indexes, for any 1 ≤ i < j ≤ n the meaning of the AHP values is defined as in the following table,
AHP value definition and description
Figure GDA0003462763690000141
and for any 1 ≤ j < i ≤ n,
Figure GDA0003462763690000142
while obviously v_ii = 1.
For the constructed judgment matrix, the normalized eigenvector corresponding to the spectral radius ρ is taken as the weight vector w = (w_1, w_2, ..., w_n)^T of the judgment matrix,
wherein
Figure GDA0003462763690000143
and is
Figure GDA0003462763690000144
The consistency ratio of the judgment matrix is defined as
Figure GDA0003462763690000145
wherein CI is the consistency index, and
Figure GDA0003462763690000146
and RI_n is the average consistency index, i.e. the average value of CI over all judgment matrixes. If CR ≤ 0.1, the consistency of the currently set judgment matrix is considered acceptable; otherwise the judgment matrix needs to be adjusted until CR ≤ 0.1.
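The AHP weight derivation above as an added Python example (not the patent's own code): the reciprocal judgment matrix V is built from the upper-triangle comparisons, the weight vector is the normalized eigenvector of the spectral radius ρ obtained by power iteration, and the consistency check uses CI = (ρ − n)/(n − 1) and CR = CI/RI_n with Saaty's RI_n table for n ≤ 10; since the page's formula images are not reproduced, that CI formula and the RI_n values are the standard AHP definitions, assumed here.

```python
import math

# Saaty's random consistency index RI_n for n = 1..10 (standard AHP values, assumed
# here; the page defines RI_n as the average CI over judgment matrixes of size n).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}


def judgment_matrix(upper):
    """Build the n x n judgment matrix V from the comparisons upper[(i, j)] = v_ij,
    given for i < j only; the page requires v_ji = 1 / v_ij and v_ii = 1."""
    n = 1 + max(max(i, j) for i, j in upper)
    V = [[1.0] * n for _ in range(n)]
    for (i, j), v in upper.items():
        if not i < j or v <= 0:
            raise ValueError("comparisons must be given for i < j with v_ij > 0")
        V[i][j] = float(v)
        V[j][i] = 1.0 / v
    return V


def principal_eigen(V, iters=1000, tol=1e-12):
    """Power iteration on the positive matrix V: returns (rho, w), w being the eigenvector
    of the spectral radius rho normalised so that sum(w) == 1 (the AHP weight vector)."""
    n = len(V)
    w = [1.0 / n] * n
    rho = math.nan
    for _ in range(iters):
        Vw = [sum(V[i][k] * w[k] for k in range(n)) for i in range(n)]
        rho = sum(Vw)  # at the fixed point V w = rho w and sum(w) = 1, so sum(V w) = rho
        new_w = [x / rho for x in Vw]
        converged = max(abs(a - b) for a, b in zip(new_w, w)) < tol
        w = new_w
        if converged:
            break
    return rho, w


def consistency_ratio(rho, n):
    """CI = (rho - n) / (n - 1), CR = CI / RI_n (standard AHP definitions, assumed).
    Reciprocal matrixes with n <= 2 are always consistent."""
    if n <= 2:
        return 0.0, 0.0
    if n not in RANDOM_INDEX:
        raise ValueError(f"RI_{n} not tabulated here; supply the deployment's own RI_n")
    ci = (rho - n) / (n - 1)
    return ci, ci / RANDOM_INDEX[n]


def ahp_weights(upper):
    """Weights for n indexes or modules plus the page's acceptance check CR <= 0.1."""
    V = judgment_matrix(upper)
    rho, w = principal_eigen(V)
    ci, cr = consistency_ratio(rho, len(V))
    return {"weights": w, "rho": rho, "CI": ci, "CR": cr, "acceptable": cr <= 0.1}


if __name__ == "__main__":
    # Constructed comparisons for three security modules: module 0 is twice as
    # important as module 1 and four times as important as module 2 (consistent).
    print(ahp_weights({(0, 1): 2, (0, 2): 4, (1, 2): 2}))
    # A contradictory cycle (0 >> 1, 1 >> 2, 2 >> 0): CR far above 0.1, so the
    # matrix must be adjusted and re-elicited before its weights are used.
    print(ahp_weights({(0, 1): 9, (1, 2): 9, (0, 2): 1 / 9}))
```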
Based on the module evaluation value of each security module, the evaluation values of the five basic security attributes are calculated: the confidentiality evaluation value, the integrity evaluation value, the authenticity evaluation value, the verifiability evaluation value and the reliability evaluation value, specifically as follows:
firstly, a judgment matrix V^(j) is constructed for each basic security attribute to determine the weight of each security module for that attribute
Figure GDA0003462763690000151
then, the module evaluation values of the security modules are weighted and fused with the corresponding security attribute weights to obtain the evaluation value SE^(j) of each security attribute, where the superscript j distinguishes the security attributes and the subscript i identifies the security module.
For example, for the confidentiality evaluation value, the confidentiality judgment matrix V^(1) is first constructed to determine the confidentiality weight of each security module
Figure GDA0003462763690000152
for example by calculating its eigenvector;
then, based on the module evaluation value of each security module (denoted Sm_i) and its confidentiality weight
Figure GDA0003462763690000153
the two are weighted and summed to obtain the confidentiality evaluation value SE^(1), i.e.
Figure GDA0003462763690000154
Finally, the average of the evaluation values SE^(j) of the five security attributes is taken as the security total evaluation value of the cross-network isolated safety system.
In addition, the invention also provides a corresponding evaluation scheme for the following performance aspects (efficiency, robustness and cost performance) of the cross-network isolation safety system, comprising a transmission security evaluation value, an economic cost-performance evaluation value, an efficiency cost-performance evaluation value, an attack robustness evaluation value and a defense robustness evaluation value. The performance evaluation values are optional items, and the user selects whether to perform their calculation.
The specific setting manner of each performance evaluation value is as follows:
(1) transmission security evaluation value:
the data transmission phase is divided into the following three cases:
Unidirectional: transmission between A and B is only from A to B and takes place only once (transmitting all the data at once is considered one transmission process in its entirety).
Isolation and interference immunity: the transmission process is physically isolated from and immune to interference by any external third party, i.e. a third party cannot monitor, interfere with or intercept the data transmitted between A and B.
Transmission independence: the transmission process is independent of the communicating parties and the data carrier, i.e. neither the communicating parties nor the data carrier has control over the transmission such that additional transmissions, interrupted transmissions, failed retransmissions or reverse transmissions, etc. occur between A and B; the transmission mechanism is selected and enforced entirely by the isolated system.
The transmission indexes included in each transmission condition are determined and quantized, the weight of each transmission index is determined by the Analytic Hierarchy Process (AHP), and the quantized indexes are weighted and fused with their weights to obtain the additional score of each transmission condition, namely the unidirectionality additional score DSe′ of the transmission stage, the isolation and interference immunity additional score GSe′, and the transmission independence additional score CSe′, giving the transmission security evaluation value CSe: CSe = (DSe′ + GSe′ + CSe′)/3.
(2) Economic cost-performance evaluation value: the ratio of the security total evaluation value to the total cost, where the total cost may be taken as the total maintenance cost or the total time overhead.
(3) Evaluation value of efficiency cost ratio:
firstly, for each security component in each security module, the efficiency metric value of the security component is calculated:
let
Figure GDA0003462763690000161
Wherein
Figure GDA0003462763690000162
be a mapping function between the running time and the evaluation value, i.e. it satisfies: the mapping score of the minimum standard t_min is the upper limit of the first security level; the mapping score of the highest standard t_max is the upper limit of the third security level, i.e. the lower limit of the highest level. In the invention, the value range of the security module evaluation value is divided into four security levels, and the higher the security level, the larger the evaluation value. In this embodiment the value range is 0 to 100 points, and the four security levels from low to high are: the first security level [0, 60); the second security level [60, 80); the third security level [80, 90); the fourth security level [90, 100].
Based on
Figure GDA0003462763690000163
And
Figure GDA0003462763690000164
and the full score M of the security module evaluation value, the function
Figure GDA0003462763690000165
is solved to obtain the mapping relation of the function
Figure GDA0003462763690000166
i.e.
Figure GDA0003462763690000167
the expression of;
thus, based on the running time t(λ) of each security component, its efficiency metric value, denoted Eff, is obtained, i.e.
Figure GDA0003462763690000168
For the case of a value range of 0 to 100 points, the mapping
Figure GDA0003462763690000169
maps [0, +∞) to [0, 100], and
Figure GDA00034627636900001610
satisfies: the longer the running time, the lower the score. Then
Figure GDA00034627636900001611
is differentiable and
Figure GDA00034627636900001612
so one can set
Figure GDA00034627636900001613
wherein
Figure GDA00034627636900001614
Figure GDA00034627636900001615
then, the minimum of the efficiency metric values of all the security components in each security module is taken as the efficiency metric value of that security module;
based on preset weights, the efficiency metric values of all the security modules are weighted and fused to obtain the total efficiency metric value of the cross-network isolation safety system, and the ratio of this total efficiency metric value to the total cost is used as the efficiency cost-performance evaluation value.
(4) Attack robustness assessment value:
there are 2^N − 1 possibilities of attack on the security modules in total, N representing the number of security modules;
the probability of each possibility occurring is defined as P_j, j = 1, 2, …, 2^N − 1;
for each possibility the security total evaluation value is calculated: the module evaluation values of the attacked security modules are set to 0, the evaluation values of the five basic security attributes are recalculated, and their average is taken as the security total evaluation value of that possibility, denoted GSE_j;
finally, based on the probabilities P_j and the accumulated security total evaluation values over all possibilities, the attack robustness evaluation value is obtained:
Figure GDA0003462763690000171
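The attribute fusion and the attack robustness enumeration described above, as an added Python example (not the patent's own code): SE^(j) is the weighted sum of the module evaluation values Sm_i with the attribute's AHP weights, the security total is the mean of the five SE^(j), and every non-empty set of attacked modules is scored with those modules set to 0. The accumulation is read here as the probability-weighted sum Σ P_j·GSE_j, an assumption since the page's formula image is not reproduced; the independent per-module compromise model that supplies P_j is constructed for the example.

```python
from itertools import combinations

ATTRIBUTES = ("confidentiality", "integrity", "authenticity", "verifiability", "reliability")


def attribute_values(module_scores, attr_weights):
    """SE^(j) = sum_i w_i^(j) * Sm_i for each attribute j: the module evaluation values
    Sm_i weighted with the AHP weights derived from the attribute's judgment matrix V^(j)."""
    return {j: sum(w * s for w, s in zip(attr_weights[j], module_scores)) for j in ATTRIBUTES}


def total_security(module_scores, attr_weights):
    """Security total evaluation value: the mean of the five SE^(j)."""
    values = attribute_values(module_scores, attr_weights)
    return sum(values.values()) / len(values)


def attack_robustness(module_scores, attr_weights, attack_prob):
    """Walk the 2^N - 1 non-empty sets of attacked modules, zero the attacked modules'
    evaluation values, recompute the five attributes and average them (GSE_j), then
    accumulate P_j * GSE_j (probability-weighted sum: this example's assumption)."""
    N = len(module_scores)
    total, mass = 0.0, 0.0
    for k in range(1, N + 1):
        for attacked in combinations(range(N), k):
            hit = set(attacked)
            scores = [0.0 if i in hit else s for i, s in enumerate(module_scores)]
            p = attack_prob(attacked)
            mass += p
            total += p * total_security(scores, attr_weights)
    if abs(mass - 1.0) > 1e-9:
        raise ValueError("P_j over the 2^N - 1 attack possibilities must sum to 1")
    return total


def independent_attack_model(q):
    """P_j for independent per-module compromise probabilities q_i, conditioned on at
    least one module being attacked so the 2^N - 1 cases sum to 1 (constructed model)."""
    none_attacked = 1.0
    for qi in q:
        none_attacked *= 1.0 - qi

    def prob(attacked):
        p = 1.0
        for i, qi in enumerate(q):
            p *= qi if i in attacked else 1.0 - qi
        return p / (1.0 - none_attacked)

    return prob


def uniform_weights(n):
    """Equal AHP weights for every attribute (the simplest consistent judgment matrix)."""
    return {j: [1.0 / n] * n for j in ATTRIBUTES}


if __name__ == "__main__":
    # Constructed module evaluation values for three security modules and constructed
    # attribute weights (each row would normally come from its AHP judgment matrix).
    scores = [85.0, 70.0, 90.0]
    weights = {
        "confidentiality": [0.2, 0.2, 0.6],  # encryption module dominates confidentiality
        "integrity": [0.2, 0.6, 0.2],
        "authenticity": [0.6, 0.2, 0.2],
        "verifiability": [0.5, 0.3, 0.2],
        "reliability": [1 / 3, 1 / 3, 1 / 3],
    }
    print("attributes:", attribute_values(scores, weights))
    print("security total:", total_security(scores, weights))
    print("attack robustness:", attack_robustness(scores, weights,
                                                  independent_attack_model([0.1, 0.2, 0.3])))
```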
(5) defense robustness assessment value:
let P_i represent the probability that each security module defends against an attack, and determine the defense weight w_i, i = 1, 2, …, N, of each security module by the Analytic Hierarchy Process (AHP);
according to the formula FySe_i = P_i · w_i, the defense robustness score of each security module is calculated;
according to the value of the security parameter of each security module (for example the key length r, i.e. the key length of the protocol; if several are involved, one of them is selected at random), and according to the formula
Figure GDA0003462763690000172
the defense robustness evaluation value is obtained.
Based on the intelligent evaluation system of the present invention, when a user inputs the evaluation parameters (user input parameters) of the cross-network isolated security system to be evaluated and selects an evaluation mode, an evaluation result is obtained as shown in fig. 5. It includes a security evaluation result and a performance evaluation result: the security evaluation result comprises confidentiality, integrity, authenticity, verifiability and reliability (i.e. the confidentiality, integrity, authenticity, verifiability and reliability evaluation values), a security total score (the security total evaluation value) and transmission security (the transmission security evaluation value); the performance evaluation result comprises the economic cost-performance evaluation value, the efficiency cost-performance evaluation value, the attack robustness evaluation value and the defense robustness evaluation value. Intelligent evaluation of a general cross-network isolation system is thereby effectively realized: the isolation performance of the cross-network isolation system to be deployed is predicted under different user input parameters, which facilitates the user's deployment settings of the cross-network isolation system.
While the invention has been described with reference to specific embodiments, any feature disclosed in this specification may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise; all of the disclosed features, or all of the method or process steps, may be combined in any combination, except mutually exclusive features and/or steps.

Claims (8)

1. An intelligent evaluation system of a cross-network isolation safety system is characterized by comprising a user interaction device, an intelligent evaluation processing module and a system database;
the user interaction device is used for inputting evaluation parameters of the cross-network isolation safety system to be evaluated by a user, maintaining and updating a system database and outputting and displaying an evaluation result;
the system database comprises an evaluation measurement unit information table, which comprises the evaluation parameters of each evaluation measurement unit and the preset weight of each evaluation measurement unit; the evaluation parameters comprise a plurality of characteristic indexes and a preset weight for each characteristic index; the characteristic indexes are of two types: characteristic indexes whose parameters are input by the user, and preset-value characteristic indexes whose parameters are default values; wherein the default values are adjusted by a system administrator of the intelligent evaluation system;
the setting mode of the evaluation measurement unit is as follows:
the cross-network isolation safety system to be evaluated is divided into three stages: a sending stage, a data transmission stage and a receiving stage;
taking the data transmission stage as an evaluation measurement unit, and presetting corresponding characteristic indexes;
regarding a sending stage and a receiving stage, taking the safety measures related to each stage as an evaluation measurement unit, and presetting the characteristic indexes of each evaluation measurement unit;
the intelligent evaluation processing module prompts a user to input corresponding evaluation parameters in the user interaction device based on an evaluation measurement unit information table preset in the system database, performs quantitative processing on the evaluation parameters input by the user, and calculates the evaluation result of the current cross-network isolation safety system to be evaluated based on a preset evaluation measurement rule:
for each evaluation measurement unit, quantizing the included characteristic indexes based on a preset quantization rule, and performing weighted fusion based on the weight of each characteristic index to obtain a unit evaluation measurement value of each evaluation measurement unit;
based on the weight of each evaluation measurement unit, carrying out weighted fusion on the unit evaluation measurement values of each evaluation measurement unit to obtain an evaluation result of the cross-network isolation safety system, and outputting and displaying the evaluation result through a user interaction device;
the weights of the plurality of characteristic indexes within one evaluation measurement unit, and the weights of the evaluation measurement units themselves, are set using the Analytic Hierarchy Process (AHP):
a judgment matrix $V$ of dimension $n \times n$ is constructed, where $n$ is the number of objects whose weights are to be set;
each element $v_{ij}$ of the judgment matrix $V$ represents the importance of the $i$-th object relative to the $j$-th object, and its initial value is a preset value;
the consistency index of the judgment matrix $V$ is defined as
Figure FDA0003462763680000011
wherein
Figure FDA0003462763680000012
$RI_n$ is the average value of $CI$,
Figure FDA0003462763680000021
and $e = (1, 1, \ldots, 1)^T$, $w = (w_1, w_2, \ldots, w_n)^T$,
Figure FDA0003462763680000022
whether $CR$ is less than or equal to a preset threshold is judged; if so, the weights of the $n$ objects are obtained from $w_i$; otherwise $v_{ij}$ is adjusted until the consistency index $CR$ is less than or equal to the preset threshold.
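The weight-setting step of claim 1 (judgment matrix, consistency check, then weighted fusion of the unit metric values), as an added Python example that is not part of the patent. Because the claim's own CI and CR formulas survive only as images, the standard AHP definitions CI = (λmax − n)/(n − 1) and CR = CI / RI_n are assumed, with Saaty's random-index table for RI_n; the judgment matrix over the four sending-stage units of claim 3 and the unit values are constructed for illustration. The geometric-mean estimate of the eigenvector is used in place of an exact eigen-decomposition.

```python
import math

# Standard Saaty random-index table RI_n (assumption: the patent's RI_n, described
# only as "the average value of CI", matches these commonly used values).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}

def check_reciprocal(V, tol=1e-9):
    """A judgment matrix must be square with v_ii = 1 and v_ji = 1 / v_ij;
    anything else is rejected before weights are derived from it."""
    n = len(V)
    for i in range(n):
        if len(V[i]) != n or abs(V[i][i] - 1.0) > tol:
            return False
        for j in range(n):
            if V[i][j] <= 0 or abs(V[i][j] * V[j][i] - 1.0) > tol:
                return False
    return True

def priority_vector(V):
    """Estimate the principal eigenvector w = (w_1, ..., w_n)^T of V by the
    geometric-mean method, normalised so that the weights sum to 1."""
    n = len(V)
    geo = [math.prod(row) ** (1.0 / n) for row in V]
    total = sum(geo)
    return [g / total for g in geo]

def lambda_max(V, w):
    """Largest-eigenvalue estimate: mean of (V w)_i / w_i over the rows."""
    n = len(V)
    Vw = [sum(V[i][j] * w[j] for j in range(n)) for i in range(n)]
    return sum(Vw[i] / w[i] for i in range(n)) / n

def consistency_ratio(V):
    """CI = (lambda_max - n) / (n - 1) and CR = CI / RI_n: the standard AHP
    definitions, assumed here because the claim's formulas are images."""
    n = len(V)
    if n <= 2:  # 1x1 and 2x2 reciprocal matrices are always consistent
        return 0.0
    w = priority_vector(V)
    ci = (lambda_max(V, w) - n) / (n - 1)
    return ci / RANDOM_INDEX[n]

def ahp_weights(V, threshold=0.1):
    """Claim 1's weight-setting step: returns (weights, CR, accepted). When
    accepted is False the pairwise judgments v_ij must be revised and the
    check repeated; the weights are not to be used as they stand."""
    if not check_reciprocal(V):
        raise ValueError("judgment matrix is not a positive reciprocal matrix")
    cr = consistency_ratio(V)
    return priority_vector(V), cr, cr <= threshold

def weighted_fusion(values, weights):
    """Weighted fusion of unit evaluation metric values (claim 1)."""
    return sum(v * w for v, w in zip(values, weights))

def demo():
    # Constructed pairwise judgments over the four sending-stage evaluation
    # units of claim 3 (illustrative values, not taken from the patent).
    units = ["identity authentication", "authority and data authentication",
             "security check", "security audit"]
    V = [[1,   2,   3,   5],
         [1/2, 1,   2,   3],
         [1/3, 1/2, 1,   2],
         [1/5, 1/3, 1/2, 1]]
    weights, cr, accepted = ahp_weights(V)
    # Constructed unit evaluation metric values for the same four units.
    unit_values = [0.9, 0.7, 0.8, 0.6]
    stage_score = weighted_fusion(unit_values, weights) if accepted else None
    return {"weights": dict(zip(units, weights)), "CR": cr,
            "accepted": accepted, "sending_stage_score": stage_score}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A matrix that fails the CR threshold should stop the evaluation rather than silently feed inconsistent weights into the fusion step; `ahp_weights` therefore reports `accepted` separately instead of clamping or normalising the result.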
2. The system of claim 1, wherein the preset threshold is preferably 0.1.
3. The system according to claim 1 or 2, wherein the characteristic indicators included in the sending phase, the data transmission phase and the receiving phase are specifically:
the evaluation metric units included in the sending phase are set as: identity authentication, authority and data authentication, security check and security audit;
the characteristic indexes of the identity authentication comprise: identity authentication mode, whether the authentication system is unified or not, whether the authentication system is connected with an external network or not, authentication speed, key updating period, key space size, key length and authentication platform;
the characteristic indexes of authority and data authentication comprise: whether to examine and approve, whether to connect an external network, the number of examination and approval indexes, the authentication speed and the authentication platform;
the characteristic indexes of the safety check comprise: malicious code detection mode, error detection rate, false detection rate, virus library updating period and whether data is leaked or not;
the characteristic indexes of the security audit comprise: log retention days, automatic storage time, log memory size, emergency system, whether monitoring is carried out over the whole process, and the audit log inspection period;
the characteristic indexes related to the data transmission stage comprise: transmission path, transmission mode, transmission speed, whether physical isolation exists or not and whether the transmission process is independent or not;
the evaluation metric unit included in the data reception phase is set to: safety audit, safety check, identity authentication and authority and data authentication;
the security audit, security check and identity authentication in the data receiving stage comprise the same characteristic indexes as those in the sending stage;
the authority of the data receiving stage and the characteristic indexes of the data authentication comprise: authentication speed, authentication platform.
4. The system of claim 1, wherein the characteristic indexes of each evaluation metric unit include two types, a user-input characteristic index and a characteristic index preset by the intelligent evaluation system, namely a default characteristic index parameter;
the default characteristic index parameter has different values based on different preset safety evaluation grades;
the intelligent evaluation processing module provides operation for a user to select a safety evaluation grade on the user interaction device, and acquires a default characteristic index parameter matched with the safety evaluation grade based on the safety evaluation grade selected by the user.
5. The system of claim 1, wherein, in the sending stage and the receiving stage respectively, a set of security components processed in parallel is used as one evaluation metric unit;
wherein the security components comprise: security audit, malicious code detection, first key distribution, identity authentication, approval, authority authentication, second key distribution, message authentication and encryption;
wherein the first key distribution is used for identity authentication and the second key distribution is used for message authentication;
and the unit evaluation metric value of each evaluation metric unit is specifically as follows:
the protocol metric value $se$ of each protocol included in an evaluation metric unit is calculated as:
$se = \exp(-c \cdot se')\, se_0 + (1 - \exp(-c \cdot se'))\, b$;
wherein $c$ is a preset constant, $se_0$ and $se'$ denote the basic score and the additional score preset for each protocol, and $b$ denotes the security level value corresponding to $se_0$;
wherein the basic score $se_0$, the additional score $se'$ and the security level value $b$ of a protocol are obtained from the system database by table look-up; a protocol security information table is preset in the system database and comprises the protocol name, the basic score $se_0$, the additional score $se'$ and the security level value $b$;
if the evaluation metric unit comprises one protocol, the protocol metric value of that protocol is the unit evaluation metric value; otherwise the unit evaluation metric value is the sum of the several protocol metric values.
6. The system of claim 1, wherein five judgment matrices $V^{(j)}$, one per basic security attribute, are constructed separately to determine the weight $w_i^{(j)}$ of each evaluation metric unit under each security attribute, and the unit evaluation metric values are weighted and fused under each attribute to obtain the evaluation value $SE^{(j)}$ of that security attribute, the subscript $i$ being the security module identifier;
and the mean of the evaluation values $SE^{(j)}$ of the five security attributes is used as the evaluation result of the cross-network isolated security system;
the output display information of the evaluation result comprises: the evaluation result of the cross-network isolated security system and the evaluation values $SE^{(j)}$ of the five security attributes;
wherein the five security attributes are: confidentiality, integrity, authenticity, verifiability and reliability.
7. The system of claim 6, wherein the output display information of the evaluation result displayed in the user interaction device further includes an economic cost performance evaluation value and/or an efficiency cost performance evaluation value;
wherein the economic cost performance evaluation value is the ratio of the evaluation result of the cross-network isolated security system to a total cost, the total cost being taken as the total maintenance cost or the total time overhead;
the efficiency cost performance evaluation value is obtained as follows:
for each security component of each evaluation metric unit, the efficiency metric value of the security component is calculated;
based on a preset mapping function between running time and evaluation value
Figure FDA0003462763680000041
the efficiency metric value of each security component is obtained from its running time $t(\lambda)$
Figure FDA0003462763680000042
the minimum of the efficiency metric values $Eff$ of all security components included in an evaluation metric unit is taken as the efficiency metric value of that evaluation metric unit;
based on preset weights, the efficiency metric values of all evaluation metric units are weighted and fused to obtain the total efficiency metric value of the cross-network isolation security system; and the ratio of the total efficiency metric value to the total cost is used as the efficiency cost performance evaluation value.
8. The system of claim 6, wherein the output display information of the evaluation result displayed in the user interaction device further includes an attack robustness evaluation value and/or a defense robustness evaluation value;
wherein the attack robustness evaluation value is obtained as follows:
when the evaluation metric units are attacked there are $2^N - 1$ possibilities, where $N$ is the number of evaluation metric units, i.e. an attack on only one of the evaluation metric units, or on several evaluation metric units simultaneously;
the probability of each possibility occurring is defined as $P_j$, $j = 1, 2, \ldots, 2^N - 1$;
and the evaluation result of the cross-network isolation security system is calculated under each possibility: the unit evaluation metric value of each attacked evaluation metric unit is set to 0, the evaluation values of the five basic security attributes are then calculated, and their mean is taken as the evaluation result of the cross-network isolation security system under that possibility and recorded as $GSE_j$;
according to the formula
Figure FDA0003462763680000043
an attack robustness evaluation value is obtained;
the defense robustness evaluation value is obtained as follows:
$P_i$ is defined as the probability that each evaluation metric unit defends against an attack, and a defense weight $w'_i$, $i = 1, 2, \ldots, N$, is preset for each evaluation metric unit; the defense robustness score of each security module is calculated by the formula $FySe_i = P_i \cdot w'_i$;
according to the security parameter $r$ of each evaluation metric unit and the formula
Figure FDA0003462763680000044
a defense robustness evaluation value is obtained.
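The protocol metric of claim 5, the per-attribute fusion of claim 6 and the attack-scenario enumeration of claim 8, as an added Python example that is not part of the patent. The protocol security information table, the attribute weights and the scenario probabilities are constructed placeholders, and because the patent's attack-robustness aggregation formula survives only as an image, the probability-weighted sum of the $GSE_j$ values used at the end is an assumption.

```python
import math
from itertools import combinations

# Constructed protocol security information table (claim 5):
# protocol name -> (basic score se0, additional score se', security level value b).
# Names and numbers are illustrative placeholders, not the patent's table.
PROTOCOL_TABLE = {
    "example-auth-protocol-A": (0.60, 0.5, 0.80),
    "example-auth-protocol-B": (0.70, 2.0, 0.90),
    "example-message-auth":    (0.75, 1.0, 0.95),
    "example-encryption":      (0.65, 3.0, 0.98),
}

def protocol_metric(se0, se_add, b, c=1.0):
    """se = exp(-c*se') * se0 + (1 - exp(-c*se')) * b  (claim 5).
    With se' = 0 the protocol keeps its basic score se0; as the additional
    score grows, the metric moves towards the security level value b."""
    decay = math.exp(-c * se_add)
    return decay * se0 + (1.0 - decay) * b

def unit_metric(protocols, table=PROTOCOL_TABLE, c=1.0):
    """Unit evaluation metric value: the single protocol's metric, or the
    sum of the metrics when the unit contains several protocols (claim 5)."""
    return sum(protocol_metric(*table[name], c=c) for name in protocols)

def attribute_evaluations(unit_values, attr_weights):
    """SE^(j) for each security attribute: weighted fusion of the unit
    values with that attribute's weights w_i^(j) (claim 6)."""
    return [sum(w * v for w, v in zip(ws, unit_values)) for ws in attr_weights]

def overall_evaluation(unit_values, attr_weights):
    """Mean of the attribute evaluations SE^(j) (claim 6)."""
    ses = attribute_evaluations(unit_values, attr_weights)
    return sum(ses) / len(ses)

def attack_scenarios(unit_values, attr_weights):
    """Enumerate all 2^N - 1 non-empty sets of attacked units; an attacked
    unit's metric value is set to 0 and the overall evaluation recomputed,
    giving GSE_j for each scenario j (claim 8)."""
    n = len(unit_values)
    gse = {}
    for k in range(1, n + 1):
        for attacked in combinations(range(n), k):
            degraded = [0.0 if i in attacked else v for i, v in enumerate(unit_values)]
            gse[frozenset(attacked)] = overall_evaluation(degraded, attr_weights)
    return gse

def attack_robustness(unit_values, attr_weights, scenario_probs):
    """Aggregate the GSE_j with the scenario probabilities P_j. The patent's
    aggregation formula is only available as an image, so the expectation
    sum_j P_j * GSE_j used here is an assumption. Scenarios absent from
    scenario_probs get probability 0; the probabilities must sum to 1."""
    if abs(sum(scenario_probs.values()) - 1.0) > 1e-9:
        raise ValueError("scenario probabilities must sum to 1")
    gse = attack_scenarios(unit_values, attr_weights)
    return sum(scenario_probs.get(s, 0.0) * g for s, g in gse.items())

def demo():
    # Three constructed evaluation units (N = 3), each naming its protocols.
    units = {
        "identity authentication": ["example-auth-protocol-A"],
        "message authentication":  ["example-message-auth"],
        "encryption":              ["example-encryption"],
    }
    unit_values = [unit_metric(p) for p in units.values()]
    # Constructed weights w_i^(j), one row per security attribute
    # (confidentiality, integrity, authenticity, verifiability, reliability).
    attr_weights = [[0.2, 0.2, 0.6],
                    [0.2, 0.6, 0.2],
                    [0.6, 0.2, 0.2],
                    [0.5, 0.3, 0.2],
                    [0.3, 0.3, 0.4]]
    # Constructed scenario probabilities: single-unit attacks only.
    probs = {frozenset({0}): 0.5, frozenset({1}): 0.3, frozenset({2}): 0.2}
    return {
        "unit_values": dict(zip(units, unit_values)),
        "overall": overall_evaluation(unit_values, attr_weights),
        "scenario_count": len(attack_scenarios(unit_values, attr_weights)),
        "attack_robustness": attack_robustness(unit_values, attr_weights, probs),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The enumeration is exponential in N, which is acceptable for the handful of evaluation units the claims describe but is the cost to watch if the unit count grows; the scenario dictionary also makes it easy to inspect which attacked subsets drive the score down most.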

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911145071.XA CN111031003B (en) 2019-11-21 2019-11-21 Intelligent evaluation system of cross-network isolation safety system

Publications (2)

Publication Number Publication Date
CN111031003A CN111031003A (en) 2020-04-17
CN111031003B true CN111031003B (en) 2022-03-15

Family

ID=70206333

Country Status (1)

Country Link
CN (1) CN111031003B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112269984B (en) * 2020-09-23 2023-07-11 江苏三台山数据应用研究院有限公司 Automatic code audit platform system for guaranteeing source code safety
CN112261041B (en) * 2020-10-21 2021-08-13 中国科学院信息工程研究所 Multistage distributed monitoring and anti-seepage system for power terminal
CN115412402B (en) * 2021-05-28 2024-03-26 深圳双安科技有限公司 Communication gateway
CN114465821B (en) * 2022-04-02 2022-07-29 浙江国利网安科技有限公司 Data transmission system and data transmission method
CN114708970B (en) * 2022-04-11 2023-05-16 上海铂桐医疗科技有限公司 Pain comprehensive evaluation data processing method and system suitable for big data
CN114884735A (en) * 2022-05-10 2022-08-09 厦门融达信数据技术股份有限公司 Multisource data intelligent evaluation system based on security situation
CN115174418A (en) * 2022-06-09 2022-10-11 深圳Tcl新技术有限公司 Communication environment safety early warning method and device, electronic equipment and storage medium
CN115022084B (en) * 2022-07-18 2022-11-25 深圳市城市交通规划设计研究中心股份有限公司 Network isolation gatekeeper data exchange method and application thereof
CN115567301B (en) * 2022-09-28 2023-10-17 宋舒涵 Information security authentication transmission method and system based on local area network

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1761208A (en) * 2005-11-17 2006-04-19 郭世泽 System and method for evaluating security and survivability of network information system
CN103905450A (en) * 2014-04-03 2014-07-02 国家电网公司 Smart power grid embedded device network detection assessment system and detection assessment method
CN106850551A (en) * 2016-12-12 2017-06-13 长春理工大学 Network security risk evaluation and Autonomous Defense system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9495655B2 (en) * 2014-09-27 2016-11-15 International Business Machines Corporation Cross-domain multi-attribute hashed and weighted dynamic process prioritization
US10362021B2 (en) * 2016-05-31 2019-07-23 Airwatch Llc Device authentication based upon tunnel client network requests

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
Hong Tang; Jie Zhang. "Study on Fuzzy AHP Group Decision-Making Method Based on Set-Valued Statistics." Fourth International Conference on Fuzzy Systems and Knowledge Discovery (FSKD 2007), 2007. *
Tang Hong; Zhang Jie. "Fourth International Conference on Fuzzy Systems and Knowledge Discovery (FSKD 2007)." 2008 27th Chinese Control Conference, 2008. *
Dan Liu. "Turing Machine-Based Cross-Network Isolation and Data Exchange Theory Model." IEEE Access, vol. 7, pp. 13-14, 2019-09-17. *
杨川 et al. "An optimization method for handling firewall policy anomalies in a cloud environment." 微电子学与计算机 (Microelectronics & Computer), no. 09, 2015-09-05, full text. *
章清亮 et al. "Research on shipborne network security evaluation indicators and their application based on DDS communication." 信息网络安全 (Netinfo Security), no. 02, 2017-02-10, full text. *
卿昱 et al. "WSNs routing security evaluation model based on an optimized BP neural network." 计算机安全 (Computer Security), no. 06, 2008-06-15, full text. *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant