CN113407949A - Information security monitoring system, method, equipment and storage medium - Google Patents


Info

Publication number: CN113407949A
Authority: CN (China)
Prior art keywords: information; module; risk; security monitoring; target information
Legal status: Pending
Application number: CN202110725559.0A
Other languages: Chinese (zh)
Inventors: 刘志强, 王方圆, 尚程, 阿曼太, 梁彧, 蔡琳, 杨满智, 王杰, 田野, 金红, 陈晓光, 傅强
Current Assignee: Eversec Beijing Technology Co Ltd
Original Assignee: Eversec Beijing Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security


Abstract

The embodiment of the invention discloses an information security monitoring system, method, device and storage medium. The system includes a risk identification module and a security protection module that are communicatively connected. The risk identification module acquires risk associated information from the target information system and provides it to the security protection module; the security protection module configures protection parameters according to the risk associated information and, once the protection parameter configuration is complete, performs information security protection on the target information system. The embodiment enables personalization, integrated deployment, and flexible updating and expansion of the information security monitoring system, and improves its stability and the convenience of its operation and maintenance.

Description

Information security monitoring system, method, equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of information security, and in particular to an information security monitoring system, method, device and storage medium.
Background
In the prior art, the security management measures most enterprises adopt for their information systems are stacked, chimney-style deployments of security management devices such as firewalls and database audit appliances, arranged according to security level.
This chimney-style stacking of security management devices has several disadvantages. Hardware security devices are added indiscriminately to satisfy compliance inspections, and the procurement and construction processes for a large number of hardware devices are complex, so construction takes a long time. The devices lack effective linkage and unified orchestration, so the practical capability to respond to security risks is hard to improve, while operation and maintenance management is complex and inefficient. When several security devices are in use, different vendors provide the services, so no unified closed loop of security services can be achieved. Moreover, after the security management devices are built, the network security architecture still has to be adjusted as service requirements and security policies keep changing, and new security hardware devices must be added or replaced, which wastes resources.
Disclosure of Invention
Embodiments of the present invention provide an information security monitoring system, method, device and storage medium that achieve personalization, integrated deployment, and flexible updating and expansion of the information security monitoring system, and improve its stability and the convenience of its operation and maintenance.
In a first aspect, an embodiment of the present invention provides an information security monitoring system comprising a risk identification module and a security protection module that are communicatively connected, wherein:
the risk identification module is configured to acquire risk associated information in a target information system and provide it to the security protection module; and
the security protection module is configured to configure protection parameters according to the risk associated information and, after the protection parameter configuration is completed, to perform information security protection on the target information system.
In a second aspect, an embodiment of the present invention further provides an information security monitoring method, applied to an information security monitoring system, which includes:
acquiring risk associated information in a target information system through a risk identification module and providing it to a security protection module; and
configuring protection parameters according to the risk associated information through the security protection module and, after the protection parameter configuration is completed, performing information security protection on the target information system.
In a third aspect, an embodiment of the present invention further provides a computer device that includes the information security monitoring system provided in any embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention further provides a computer storage medium on which a computer program is stored, the computer program implementing the information security monitoring system provided in any embodiment of the present invention.
According to the embodiment of the invention, a risk identification module and a security protection module are deployed in the information security monitoring system. The risk identification module obtains the risk associated information in the target information system, the protection parameters of the security protection module are configured according to that information, and once the configuration is complete the security protection module performs information security protection on the target information system. In this way, personalization, integrated deployment, and flexible updating and expansion of the information security monitoring system for the target information system are achieved, and the stability of the system and the convenience of its operation and maintenance are improved.
Drawings
Fig. 1 is a schematic diagram of an information security monitoring system according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of a deployment manner of an information security monitoring system according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of an information security monitoring system according to a second embodiment of the present invention.
Fig. 4 is a schematic diagram of an interactive portal module according to a second embodiment of the present invention.
Fig. 5 is a schematic diagram of another information security monitoring system according to a second embodiment of the present invention.
Fig. 6 is a flowchart of an information security monitoring method according to a third embodiment of the present invention.
Fig. 7 is a schematic structural diagram of a computer device according to a fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention.
It should be further noted that, for the convenience of description, only some but not all of the relevant aspects of the present invention are shown in the drawings. Before discussing exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart may describe the operations (or steps) as a sequential process, many of the operations can be performed in parallel, concurrently or simultaneously. In addition, the order of the operations may be re-arranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figure. The processes may correspond to methods, functions, procedures, subroutines, and the like.
Example one
Fig. 1 is a schematic diagram of an information security monitoring system according to an embodiment of the present invention. The system provided in this embodiment is applicable to information security monitoring of a target information system, can be implemented in software and/or hardware, and can generally be integrated in a computer device. As shown in fig. 1, the information security monitoring system includes a risk identification module 110 and a security protection module 120, which are communicatively coupled.
The risk identification module 110 is configured to obtain risk associated information in the target information system and provide it to the security protection module 120. The security protection module 120 is configured to configure protection parameters according to the risk associated information and, after the configuration is completed, to perform information security protection on the target information system.
Specifically, the target information system may be any system that needs information security management, for example an information repository used inside an enterprise or a piece of key information infrastructure. The risk associated information may be any information relevant to the information security situation of the target information system. Protection parameter configuration is the operation of setting the operating parameters of the security protection module 120, and those operating parameters define the specific functions and performance of the module. Information security protection comprises the operations that keep information in the target information system from being exposed to security risks.
Accordingly, the risk identification module 110 obtains the risk associated information in the target information system. Optionally, the risk associated information may include, but is not limited to, at least one of the information assets, security vulnerabilities, passwords, and operational behavior rule baselines of the target information system; correspondingly, the risk identification module 110 may be configured to perform at least one of asset mapping, vulnerability scanning, weak password detection, and baseline management on the target information system.
Information assets are the information resources of the target information system, and asset mapping is the operation of taking an inventory of those assets and producing statistics about them. A security vulnerability is a flaw in the security policy of the target information system, and vulnerability scanning is the operation of detecting such flaws. The passwords are those used in the target information system, and weak password detection is the operation of finding passwords that are easily guessed. The operational behavior rule baseline is the configuration of operational behavior rules that corresponds to a secure state, and baseline management is the operation of managing configuration items against that baseline.
The risk identification module 110 then provides the acquired risk associated information to the security protection module 120, which determines the information security condition of the target information system from it and configures its protection parameters for that condition. Once the configuration is complete, the security protection module 120 can perform information security protection tailored to the information security condition of the target information system.
Optionally, information security protection may include, but is not limited to, at least one of identity and authority management, VPN (Virtual Private Network), data leakage prevention, WAF (Web Application Firewall), firewall, intrusion detection, access control, load balancing, and EDR (Endpoint Detection and Response) terminal security protection.
Identity and authority management may include identity registration or authentication of users accessing the target information system, and/or verification or modification of a user's operating authority. A VPN establishes a private network for encrypted communication. Data leakage prevention keeps information in the target information system from being illegally obtained. A WAF protects web applications by enforcing a security policy on HTTP/HTTPS (HyperText Transfer Protocol/HyperText Transfer Protocol over Secure Socket Layer) traffic. A firewall provides a security gateway between the target information system and external networks, protecting the system from intrusion by illegitimate network users. Intrusion detection examines information collected at several key points of the target information system to check whether a network or system shows behavior that violates security policy or signs of attack. Access control restricts a user's access to certain information items, or the use of certain control functions, according to a defined set of user identities and the groups they belong to. Load balancing distributes the access traffic of the target information system across multiple servers so that the load is shared among their processing units. EDR terminal security protection monitors whether the operation of terminals in the target information system crosses the security baseline.
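The following is an added example, not code from the patent or from the applicant, showing the risk identification step and the protection parameter configuration step described above in working form: asset mapping, vulnerability scanning, weak password detection and baseline management run over a constructed inventory, and their findings are turned into per-host protection settings. The inventory, the placeholder vulnerability ids, the deny list, the baseline values and the setting names are all this example's own assumptions.

```python
import hashlib


def _sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed inventory of a hypothetical target information system. The
# credential store holds unsalted sha256 digests purely so the example is
# self-contained; a production store would use salted, slow hashes.
ASSETS = [
    {"host": "db-01", "service": "mysql", "version": "5.7.20",
     "accounts": {"root": _sha256("123456"), "app": _sha256("Tr0ub4dor&3xample!")},
     "config": {"ssl_required": False, "remote_root_login": True}},
    {"host": "web-01", "service": "nginx", "version": "1.18.0",
     "accounts": {"deploy": _sha256("deploy")},
     "config": {"ssl_required": True, "remote_root_login": False}},
]

# Constructed vulnerability knowledge: (service, version) -> placeholder ids
# (not real CVE numbers).
KNOWN_VULNERABLE = {("mysql", "5.7.20"): ["VULN-PLACEHOLDER-1"]}

# Constructed deny list of commonly guessed passwords.
COMMON_PASSWORDS = {"123456", "password", "admin", "qwerty", "12345678"}

# Operational behavior rule baseline: the expected secure value of each item.
BASELINE = {"ssl_required": True, "remote_root_login": False}


def asset_mapping(assets):
    """Asset mapping: statistics over the inventory (assets per service)."""
    counts = {}
    for a in assets:
        counts[a["service"]] = counts.get(a["service"], 0) + 1
    return counts


def vulnerability_scan(assets):
    """Vulnerability scanning: match each asset's service/version against known flaws."""
    return [{"host": a["host"], "type": "vulnerability", "id": vid}
            for a in assets
            for vid in KNOWN_VULNERABLE.get((a["service"], a["version"]), [])]


def weak_password_detection(assets):
    """Weak password detection: compare stored digests with digests of guessable values."""
    findings = []
    for a in assets:
        for user, digest in a["accounts"].items():
            # Candidates: the deny list plus username-derived guesses.
            candidates = COMMON_PASSWORDS | {user, user + "123", user + "2024"}
            if digest in {_sha256(c) for c in candidates}:
                findings.append({"host": a["host"], "type": "weak_password", "account": user})
    return findings


def baseline_check(assets):
    """Baseline management: report every configuration item that deviates from the baseline."""
    findings = []
    for a in assets:
        for item, expected in BASELINE.items():
            actual = a["config"].get(item)
            if actual != expected:
                findings.append({"host": a["host"], "type": "baseline_deviation",
                                 "item": item, "expected": expected, "actual": actual})
    return findings


def risk_associated_information(assets):
    """The bundle the risk identification module hands to the security protection module."""
    return {"asset_map": asset_mapping(assets),
            "findings": vulnerability_scan(assets) + weak_password_detection(assets) + baseline_check(assets)}


def configure_protection(risk_info):
    """Protection parameter configuration: derive per-host protection settings from the findings."""
    params = {}
    for f in risk_info["findings"]:
        host_params = params.setdefault(f["host"], set())
        if f["type"] == "weak_password":
            host_params.add("force_password_reset:" + f["account"])
        elif f["type"] == "vulnerability":
            host_params.add("virtual_patch:" + f["id"])
        elif f["type"] == "baseline_deviation":
            host_params.add("remediate:" + f["item"])
    return {host: sorted(p) for host, p in params.items()}


if __name__ == "__main__":
    info = risk_associated_information(ASSETS)
    for host, settings in configure_protection(info).items():
        print(host, settings)
```

The weak password check works on digests rather than plaintext so that it can run against a credential store the module is only allowed to read; in a real deployment the candidate list and the hashing scheme would match whatever the target system actually stores.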
In an optional embodiment of the present invention, the modules are communicatively connected and deployed, based on network function virtualization (NFV) technology, in bypass mode on the main traffic gateway of a general-purpose device deployed in the target information system.
Specifically, NFV (Network Functions Virtualization) technology allows many types of network devices, such as routers, firewalls and gateways, to be built into a data center network as virtual machines created with virtualization technology, with services then deployed on those virtual machines. A bypass deployment only counts, scans or records the traffic and does not forward it, so the bypass-deployed system does not affect the network traffic. The general-purpose device of the target information system is a device that maintains a communication connection with every other device in the system, for example an x86 server. The main traffic gateway is the main traffic interface through which the general-purpose device communicates, for example the interface connected to the core switch.
Correspondingly, each module of the information security monitoring system, including the risk identification module 110, the security protection module 120 and any other module integrated in the system, may be created on the general-purpose device by virtualization based on NFV technology. The communication connections between the modules are then established, also based on NFV technology, according to the security management service flow, and finally the connected system is deployed in bypass mode on the main traffic gateway so that each module performs its security management service on the target information system.
Fig. 2 is a schematic diagram of a deployment manner of an information security monitoring system according to an embodiment of the present invention. As shown in fig. 2, in one specific example the target information system is a piece of key information infrastructure comprising operation and maintenance area equipment, office area equipment and data center equipment, connected to the internet through a core switch. The key information infrastructure protection device is deployed on general-purpose equipment and linked to the core switch in bypass mode to protect the data center. Illustratively, when a security event occurs, an instruction is issued to the core switch to block an IP (Internet Protocol) address, thereby providing the corresponding security protection.
Optionally, KVM (Kernel-based Virtual Machine) virtualization platform management software may be installed on the general-purpose device to virtualize all security service modules of the information security monitoring system; the business process is then orchestrated with NFV technology to establish the communication connections between the modules, and finally the system is deployed in bypass mode on the main traffic gateway of the target information system.
Because the information security monitoring system in the above embodiment is virtualized, it does not depend on dedicated hardware: hardware resources are saved, the hardware network architecture is simplified, deployment is fast, security management functions are easy to expand, and system compatibility is improved.
The embodiment of the invention provides an information security monitoring system in which a risk identification module and a security protection module are deployed. The risk identification module obtains the risk associated information in the target information system, the protection parameters of the security protection module are configured according to that information, and once the configuration is complete the security protection module performs information security protection on the target information system. In this way, personalization, integrated deployment, and flexible updating and expansion of the information security monitoring system for the target information system are achieved, and the stability of the system and the convenience of its operation and maintenance are improved.
Example two
Fig. 3 is a schematic diagram of an information security monitoring system according to a second embodiment of the present invention. As shown in fig. 3, this embodiment builds on the above embodiment and expands the internal architecture of the information security monitoring system to include a risk identification module 210, a security protection module 220, a security monitoring module 230, and a response recovery module 240.
The security monitoring module 230 is communicatively coupled to the response recovery module 240. The security monitoring module 230 is configured to monitor information risk events occurring in the target information system, and the response recovery module 240 is configured to perform response recovery processing on those events.
Specifically, an information risk event is an event in the target information system that exposes information to the risk of loss, leakage or tampering. Response recovery processing is the operation of dealing with the suspicious terminal involved in an information risk event and restoring the information security environment of the target information system.
Accordingly, the security monitoring module 230 monitors the behavior of the target information system in real time so that, when an information risk event occurs, it can invoke the response recovery module 240 to perform response recovery processing on the event and reduce the loss it causes to the target information system.
Optionally, the monitoring of information risk events by the security monitoring module 230 may specifically include, but is not limited to, at least one of virus prevention, attack trapping, plaintext monitoring, bastion host deployment and web page tamper resistance for the target information system.
Virus prevention is real-time monitoring for any network virus invading the target information system. Attack trapping uses decoys to induce potential attackers to act against them, so that attacker profiles can be collected for later tracing. Plaintext monitoring is real-time monitoring of plaintext information in communication traffic. The bastion host monitors and records the operations that operation and maintenance staff perform on servers, network devices, security devices, databases and similar equipment in the target information system's network, enabling centralized alerting, timely handling, auditing and attribution of responsibility. Web page tamper resistance prevents web pages from being illegally modified.
In an optional embodiment of the present invention, the security monitoring module 230 may be specifically configured to parse the core traffic of the target information system in real time to obtain a traffic analysis result and, when the traffic analysis result shows that an information risk event has occurred, to trace the event and provide the tracing result to the response recovery module 240; the response recovery module 240 may be specifically configured to send a blocking instruction to the target information system according to the tracing result.
Core traffic is the traffic generated by any operation on information resources in the target information system. Real-time parsing is the operation of determining, from the core traffic, what operations are being performed on those information resources, so the traffic analysis result records those operations. Tracing an information risk event is the operation of determining its actor, and the tracing result includes information identifying that actor. The blocking instruction is an operation that controls the target information system to restrict access authority for an IP address.
Accordingly, the security monitoring module 230 collects the core traffic of the target information system in real time and analyzes it in real time to obtain the traffic analysis result. When the analysis shows that the core traffic includes traffic generated by an information risk event, the event is determined to have occurred; the security monitoring module 230 then obtains identification information of the event's actor, for example the actor's IP address captured by attack trapping, as the tracing result, and provides it to the response recovery module 240.
The response recovery module 240 then sends a blocking instruction to the target information system according to the tracing result provided by the security monitoring module 230, so that the target information system blocks the actor's IP address and the actor is prevented from continuing to access the target information system and putting its information at risk.
In an optional embodiment of the present invention, the security monitoring module 230 may further be configured to audit the monitored information risk events.
Auditing an information risk event is the operation of collecting and recording information related to it.
Correspondingly, after detecting an information risk event, the security monitoring module 230 may collect its related information, for example information about the event's actor, the information assets involved and the corresponding original traffic, and record it, for example as a security monitoring log. Information risk events occurring in the target information system are thus recorded so that staff can review statistics or formulate security policies.
In an optional embodiment of the present invention, the system may further include a unified interface module configured to report the audit results of information risk events to the supervisory unit system corresponding to the target information system.
The audit result of an information risk event is the information produced by recording the event's related information. The supervisory unit system is the system used by the operation and maintenance party of the target information system.
Correspondingly, the audit result of an information risk event is reported through the unified interface module to the supervisory unit system corresponding to the target information system, so that staff of the operation and maintenance party can obtain the event-related information in the audit result through the supervisory unit system and learn the information security condition of the target information system.
Optionally, the unified interface module may maintain a communication connection with an Application Programming Interface (API) of the supervisory unit system and report the audit results of information risk events to the supervisory unit system through that API.
By deploying the unified interface module, this embodiment achieves data linkage between the information security monitoring system and the operation and maintenance party of the target information system, so that the operation and maintenance party can obtain the information security condition in real time.
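The chain described in the preceding paragraphs, from traffic parsing through tracing, the blocking instruction, the audit record and the report handed to the supervisory unit's API, as one added example that is not code from the patent or from the applicant. The flow records, the decoy address, the instruction format and the JSON report layout are this example's own assumptions; the only detection it implements is the attack-trapping case the text names (contact with a decoy host identifies the actor).

```python
import ipaddress
import json

# Constructed core-traffic flow records, standing in for what a real system
# would collect from the mirrored main traffic gateway. Field names are this
# example's own.
FLOWS = [
    {"ts": "2024-01-01T10:00:00Z", "src": "10.0.5.23", "dst": "10.0.20.10", "dport": 443},
    {"ts": "2024-01-01T10:00:01Z", "src": "203.0.113.45", "dst": "10.0.20.250", "dport": 22},
    {"ts": "2024-01-01T10:00:02Z", "src": "203.0.113.45", "dst": "10.0.20.11", "dport": 3306},
    {"ts": "2024-01-01T10:00:03Z", "src": "203.0.113.45", "dst": "10.0.20.250", "dport": 3306},
    {"ts": "2024-01-01T10:00:04Z", "src": "10.0.5.24", "dst": "10.0.20.10", "dport": 443},
]

# Attack trapping: a decoy host that no legitimate workflow touches, so any
# contact with it is an information risk event and identifies the actor.
DECOY_HOSTS = {"10.0.20.250"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


class SecurityMonitoringModule:
    def __init__(self):
        self.audit_log = []

    def parse_traffic(self, flows):
        """Real-time parsing: reduce each flow to 'which actor touched which resource'."""
        return [{"ts": f["ts"], "actor": f["src"],
                 "resource": f"{f['dst']}:{f['dport']}", "raw": f} for f in flows]

    def detect_events(self, parsed):
        """Traffic analysis result -> information risk events (decoy contact here)."""
        return [{"kind": "decoy_contact", **p} for p in parsed
                if p["resource"].split(":")[0] in DECOY_HOSTS]

    def trace(self, event, parsed):
        """Tracing: identify the actor and every resource that actor touched."""
        actor = event["actor"]
        return {"actor_ip": actor,
                "external": ipaddress.ip_address(actor) not in INTERNAL_NET,
                "resources": sorted({p["resource"] for p in parsed if p["actor"] == actor})}

    def audit(self, event, trace_result, action):
        """Audit: record actor, assets involved, original traffic and the action taken."""
        record = {"event": event["kind"], "actor": trace_result["actor_ip"],
                  "assets": trace_result["resources"],
                  "original_traffic": event["raw"], "action": action}
        self.audit_log.append(record)
        return record


class ResponseRecoveryModule:
    def __init__(self):
        self.blocked = set()

    def blocking_instruction(self, trace_result):
        """Build the instruction for the core switch; the format is a placeholder."""
        ip = trace_result["actor_ip"]
        if ip in self.blocked:
            return None  # already blocked: no duplicate instruction
        self.blocked.add(ip)
        return {"action": "block", "ip": ip, "target": "core-switch", "duration_s": 3600}


class UnifiedInterfaceModule:
    def report_payload(self, audit_log):
        """Serialize audit results as the JSON body that would go to the supervisory unit's API."""
        return json.dumps({"audit_results": audit_log}, sort_keys=True)


def run_pipeline(flows):
    """Run monitoring, response and reporting over a batch of flows."""
    mon, resp, uni = SecurityMonitoringModule(), ResponseRecoveryModule(), UnifiedInterfaceModule()
    parsed = mon.parse_traffic(flows)
    instructions = []
    for ev in mon.detect_events(parsed):
        tr = mon.trace(ev, parsed)
        instr = resp.blocking_instruction(tr)
        if instr is not None:
            instructions.append(instr)
        mon.audit(ev, tr, instr or "already_blocked")
    return instructions, mon.audit_log, uni.report_payload(mon.audit_log)


if __name__ == "__main__":
    for instruction in run_pipeline(FLOWS)[0]:
        print(instruction)
```

Two points the text leaves implicit are made explicit here: the response module keeps its own record of blocked addresses so a second event from the same actor does not re-issue the instruction, and every event is audited whether or not a new instruction was sent, so the log handed to the supervisory unit is complete.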
In an optional embodiment of the present invention, the system may further include an interactive portal module configured to receive interactive management information input by a legal login user and to configure the management information of the information security monitoring system accordingly.
A legal login user is a user with the authority to perform information security monitoring on the target information system. The interactive management information is information entered by the user to configure the operating parameters of the information security monitoring system for the target information system. Management information configuration is the operation of setting those operating parameters.
Correspondingly, the interactive portal module exchanges information with the user: the legal login user determines the interactive management information according to their needs and enters it into the interactive portal module, which then configures the management information of the system accordingly, so that the information security monitoring system meets the legal login user's information security management requirements.
In an optional embodiment of the invention, the system may further comprise an internal management module communicatively connected to the interactive portal module. The interactive portal module is further configured to receive authority authentication information input by a login-requesting user and provide it to the internal management module; the internal management module is configured to perform login authority authentication on the authority authentication information and, if it passes, to determine that the login-requesting user is a legal login user.
A login-requesting user is a user requesting to log in to the information security monitoring system. Authority authentication information is information that identifies the login-requesting user. Login authority authentication is the operation of judging whether the user identified by the authority authentication information has the authority to perform information security monitoring on the target information system.
Correspondingly, a user who needs to log in to the information security monitoring system enters authority authentication information through the interactive portal module, which passes it to the internal management module for login authority authentication. The internal management module authenticates the information against the authority management policy pre-deployed in it; if the information passes login authority authentication, the login-requesting user is confirmed to be a legal login user.
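The login flow between the interactive portal module and the internal management module, as an added example that is not code from the patent or from the applicant. The authority management policy (users, passphrases, roles), the role that confers monitoring authority and the configuration keys are this example's own assumptions; the authentication itself uses PBKDF2 from the standard library with a constant-time comparison, and it does the same amount of work for unknown users so that response time does not reveal which user names exist.

```python
import hashlib
import hmac
import os


def _derive(password, salt):
    """Slow, salted key derivation for the stored credential (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _make_record(password, role):
    salt = os.urandom(16)
    return {"salt": salt, "key": _derive(password, salt), "role": role}


# Constructed authority management policy pre-deployed in the internal
# management module: user -> (salt, derived key, role). Records are built at
# import so the example is self-contained; a real policy is persisted.
AUTHORITY_POLICY = {
    "secops": _make_record("correct horse battery staple", "security_monitor"),
    "auditor": _make_record("another long passphrase here", "read_only"),
}
# Roles that carry the authority to perform information security monitoring.
MONITORING_ROLES = {"security_monitor"}
_DUMMY_SALT = b"\x00" * 16


class InternalManagementModule:
    def login_authority_authentication(self, auth_info):
        """Return (passed, role). Identity is verified first, then the authority of the role."""
        rec = AUTHORITY_POLICY.get(auth_info["user"])
        # Derive even for unknown users so timing does not leak whether the user exists.
        candidate = _derive(auth_info["password"], rec["salt"] if rec else _DUMMY_SALT)
        if rec is None or not hmac.compare_digest(candidate, rec["key"]):
            return False, None
        if rec["role"] not in MONITORING_ROLES:
            return False, rec["role"]  # authenticated, but lacks monitoring authority
        return True, rec["role"]


class InteractivePortalModule:
    def __init__(self, internal):
        self.internal = internal
        self.legal_users = set()
        self.management_config = {}

    def login(self, user, password):
        """Collect the authority authentication information and hand it to the internal module."""
        passed, _ = self.internal.login_authority_authentication({"user": user, "password": password})
        if passed:
            self.legal_users.add(user)
        return passed

    def configure(self, user, interactive_management_info):
        """Only a legal login user may change the system's management information."""
        if user not in self.legal_users:
            raise PermissionError("not a legal login user")
        self.management_config.update(interactive_management_info)
        return dict(self.management_config)


if __name__ == "__main__":
    portal = InteractivePortalModule(InternalManagementModule())
    print(portal.login("secops", "correct horse battery staple"))
    print(portal.configure("secops", {"scan_interval_min": 30}))
```

Note the two distinct failure outcomes: a wrong password and an unknown user both yield `(False, None)`, while a valid credential whose role lacks monitoring authority yields `(False, role)`, which lets the portal log the attempt without treating the account as compromised.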
In an optional embodiment of the present invention, the interactive portal module is communicatively connected to the security monitoring module 230, and is further configured to display the information risk event monitored by the security monitoring module 230.
Correspondingly, when the security monitoring module detects an information risk event, it can provide the relevant information about that event to the interactive portal module; through its interaction with the user, the interactive portal module can then display the relevant information to the user, so that the user can see at a glance which information risk events have occurred in the target information system.
Optionally, the interactive portal module may also keep a communication connection with the security protection module 220 and display information about the information security protection performed by the security protection module 220.
Alternatively, the interactive portal module may be a page presented to the user.
Fig. 4 is a schematic diagram of an interactive portal module according to an embodiment of the present invention. As shown in fig. 4, the interactive portal module may be a page with a user interactive function, on which related information of the information security condition of the target information system is shown.
Fig. 5 is a schematic diagram of an information security monitoring system according to an embodiment of the present invention. As shown in fig. 5, in a specific example, the system includes: a risk identification module, which mainly provides asset mapping, vulnerability scanning, weak password monitoring, baseline management and similar functions; a security protection module, which mainly comprises identity and authority management, VPN, data leakage prevention, WAF, a firewall, intrusion detection, access control, load balancing and EDR endpoint protection; a security monitoring module, which mainly comprises log audit, anti-virus, attack trapping, plaintext monitoring, a bastion host and web page tamper prevention; a response recovery module, which mainly comprises emergency response, threat intelligence and backup recovery; a unified interface module, which is mainly used for reporting information over an API interface to, and receiving issued instructions from, the key information infrastructure administrative unit; an interactive portal module, which mainly provides unified configuration and data monitoring for the risk identification, security protection, security monitoring and response recovery components; and an internal management module, which mainly comprises authentication, authority management and audit of the system's own operation records.
Accordingly, the target information system may be a key information infrastructure. First, KVM virtualization platform management software is installed on a general-purpose device, typically an x86-architecture server; the security services of all the foregoing components are virtualized on it and managed in an NFV manner, service orchestration is completed by means of network virtualization technology, the network connections between the security components are established, and the device is deployed in bypass mode on the main traffic gateway of the key information infrastructure unit. After login through the authentication authority of the internal management module, all network security components are managed from the interactive portal, where the configuration and settings of each component are completed. Next, the risk identification component is used to establish the electronic asset inventory of the key information infrastructure unit, the vulnerability status of each electronic asset, whether weak passwords exist, and the baseline of operational behaviour. The security protection components are then configured, mainly parameter settings such as VPN login, the identity authentication and authority system, WAF and load balancing. Once every component is configured, the traffic passing through the core equipment of the key information infrastructure is monitored and analyzed in real time. When attack events such as viruses or data leakage are found, they are displayed uniformly through the interactive portal, the core switch is linked to block the attacker's source IP, event response and recovery are carried out, and attack losses are reduced. In addition, all security behaviour can be traced and audited through the security monitoring component, and the generated security events and their handling information are reported to the supervisory unit through the unified interface.
The embodiment of the invention provides an information security monitoring system in which a risk identification module and a security protection module are deployed. Risk associated information in the target information system is obtained through the risk identification module, the protection parameters of the security protection module are configured according to that risk associated information, and, once the protection parameter configuration is complete, information security protection of the target information system is carried out through the security protection module. This realizes individualized, integrated deployment and flexible updating and expansion of the information security monitoring system for the target information system, and improves the stability and the operation and maintenance convenience of the information security monitoring system.
Example three
Fig. 6 is a flowchart of an information security monitoring method provided in the third embodiment of the present invention. This embodiment is applicable to the situation where information security monitoring is performed on a target information system; the method may be executed by the information security monitoring system provided in the third embodiment of the present invention, and that system may be implemented in software and/or hardware. In an optional implementation of the embodiment, the system is based on Network Function Virtualization (NFV) technology, is deployed in bypass mode on the main traffic gateway of a general-purpose device deployed in the target information system, and implements the communication connections between its modules.
Accordingly, as shown in fig. 6, the method includes the following operations:
S310, risk associated information in the target information system is obtained through the risk identification module, and the risk associated information is provided to the safety protection module.
S320, configuring protection parameters according to the risk associated information through the safety protection module, and performing information safety protection on the target information system after the protection parameter configuration is completed.
In an optional implementation manner of the embodiment of the present invention, the method may further include: monitoring information risk events occurring in the target information system through a safety monitoring module; and performing response recovery processing on the information risk event through a response recovery module.
In an optional implementation manner of the embodiment of the present invention, monitoring the information risk events occurring in the target information system may include: analyzing the core traffic of the target information system in real time to obtain a traffic analysis result; when it is determined from the traffic analysis result that an information risk event has occurred, tracing the information risk event to its source and providing the tracing result to the response recovery module. The response recovery processing for the information risk event may then include: sending a blocking instruction to the target information system according to the tracing result.
In an optional implementation manner of the embodiment of the present invention, the method may further include: and auditing the monitored information risk event through the safety monitoring module.
In an optional implementation manner of the embodiment of the present invention, the method may further include: and reporting the auditing result of the information risk event to a supervision unit system corresponding to the target information system through a unified interface module.
In an optional implementation manner of the embodiment of the present invention, the method may further include: and receiving interaction management information input by a legal login user through an interaction portal module, and configuring management information of the information security monitoring system according to the interaction management information.
In an optional implementation manner of the embodiment of the present invention, the method may further include: receiving authority authentication information input by a login request user through the interactive portal module, and providing the authority authentication information to an internal management module; and performing login authority authentication on the authority authentication information through the internal management module, and determining that the login request user is the legal login user under the condition that the authority authentication information passes the login authority authentication.
In an optional implementation manner of the embodiment of the present invention, the method may further include: and displaying the information risk event monitored by the safety monitoring module through the interactive portal module.
The embodiment of the invention provides an information security monitoring method in which a risk identification module and a security protection module are deployed in an information security monitoring system. Risk associated information in the target information system is acquired through the risk identification module, the protection parameters of the security protection module are configured according to that risk associated information, and, once the protection parameter configuration is complete, information security protection of the target information system is carried out through the security protection module. This realizes individualized, integrated deployment and flexible updating and expansion of the information security monitoring system for the target information system, and improves the stability and the operation and maintenance convenience of the information security monitoring system.
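The chain described in the Fig. 5 example and in steps S310 and S320 with their optional monitoring, response, audit and reporting steps, as an added example that is not code from the patent or its applicant: risk-associated information is derived from an asset inventory, turned into protection parameters, the core traffic is analyzed against those parameters, each detected event is traced to its source and answered with a blocking instruction for the core switch, and the audited events are packaged as the payload the unified interface would report. The asset records, flow records, thresholds, service lists, field names and the target-system identifier are constructed assumptions.

```python
"""Added example (not from the patent): one in-memory pass through
risk identification -> protection configuration -> monitoring -> response ->
audit -> report. All data, thresholds and field names are constructed."""
import json
from collections import Counter
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")              # assumed internal address range
BRUTE_FORCE_THRESHOLD = 5                              # assumed: failed logins from one source
EXFIL_BYTES_THRESHOLD = 50_000_000                     # assumed: outbound bytes to one external host
INTERNAL_ONLY_SERVICES = {"mysql", "redis", "rdp"}     # assumed: never reachable from outside

# Constructed asset inventory, as the risk identification module might produce it.
ASSETS = [
    {"host": "10.0.1.10", "services": {22: "ssh", 443: "https"},
     "vulns": ["CVE-PLACEHOLDER-1"], "weak_password": True},
    {"host": "10.0.1.20", "services": {3306: "mysql"}, "vulns": [], "weak_password": False},
]

# Constructed core-traffic flow records: five failed SSH logins from one external
# source, one external connection to the database port, one large outbound
# transfer from the database host, and one benign internal query.
FLOWS = [
    {"src": "203.0.113.7", "dst": "10.0.1.10", "dport": 22, "bytes": 400, "login_failed": True}
    for _ in range(5)
] + [
    {"src": "203.0.113.9", "dst": "10.0.1.20", "dport": 3306, "bytes": 900, "login_failed": False},
    {"src": "10.0.1.20", "dst": "198.51.100.9", "dport": 443, "bytes": 80_000_000, "login_failed": False},
    {"src": "10.0.1.5", "dst": "10.0.1.20", "dport": 3306, "bytes": 2_000, "login_failed": False},
]


def identify_risks(assets):
    """Risk identification (S310): derive risk-associated information per asset."""
    risks = []
    for a in assets:
        items = []
        if a["vulns"]:
            items.append(("vulnerable", tuple(a["vulns"])))
        if a["weak_password"]:
            items.append(("weak_password", None))
        for port, svc in a["services"].items():
            if svc in INTERNAL_ONLY_SERVICES:
                items.append(("exposed_internal_service", port))
        risks.append({"host": a["host"], "items": items})
    return risks


def configure_protection(risks):
    """Security protection (S320): map risk information onto protection parameters."""
    params = {"firewall_deny_external": set(), "waf_hosts": set(), "mfa_required": set()}
    for r in risks:
        for kind, detail in r["items"]:
            if kind == "exposed_internal_service":
                params["firewall_deny_external"].add((r["host"], detail))
            elif kind == "vulnerable":      # assumed: put the WAF in front of vulnerable hosts
                params["waf_hosts"].add(r["host"])
            elif kind == "weak_password":   # assumed: require MFA where weak passwords exist
                params["mfa_required"].add(r["host"])
    return params


def analyze_core_flow(flows, params):
    """Security monitoring: analyze core traffic and trace each risk event to its source."""
    failed, outbound, events = Counter(), Counter(), []
    for f in flows:
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        external_src = src not in INTERNAL_NET
        if external_src and (f["dst"], f["dport"]) in params["firewall_deny_external"]:
            events.append({"type": "policy_violation", "source": f["src"],
                           "target": f["dst"], "port": f["dport"]})
        if external_src and f["login_failed"]:
            failed[(f["src"], f["dst"])] += 1
        if not external_src and dst not in INTERNAL_NET:
            outbound[(f["src"], f["dst"])] += f["bytes"]
    for (s, d), n in failed.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            events.append({"type": "brute_force", "source": s, "target": d, "count": n})
    for (s, d), b in outbound.items():
        if b >= EXFIL_BYTES_THRESHOLD:
            events.append({"type": "data_leak", "source": s, "target": d, "bytes": b})
    return events


def respond(event):
    """Response recovery: the blocking instruction handed to the core switch."""
    if event["type"] == "data_leak":   # internal host: cut only the suspect outbound session
        return {"action": "block_outbound", "src": event["source"], "dst": event["target"]}
    return {"action": "block_source_ip", "src": event["source"]}


def run_pipeline(assets=ASSETS, flows=FLOWS):
    """Whole chain: identify -> configure -> monitor -> respond -> audit -> report."""
    params = configure_protection(identify_risks(assets))
    events = analyze_core_flow(flows, params)
    audit = [{"event": e, "instruction": respond(e)} for e in events]   # audit record
    report = json.dumps({"target_system": "TARGET-SYSTEM-ID-PLACEHOLDER",  # unified interface payload
                         "audited_events": audit})
    return params, events, audit, report


if __name__ == "__main__":
    _, found, _, payload = run_pipeline()
    print(len(found), "events;", payload)
```

The protection parameters feed the monitoring step, which is the point of the S310/S320 ordering: the external connection to the database port is only an event because risk identification first marked that service as internal-only. The response differs by event class, since blocking the "source" of a suspected leak would mean blocking an internal host; cutting the specific outbound session limits the damage while the host is investigated.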
Example four
Fig. 7 is a schematic structural diagram of a computer device according to a fourth embodiment of the present invention. FIG. 7 illustrates a block diagram of an exemplary computer device 12 suitable for use in implementing embodiments of the present invention. The computer device 12 shown in fig. 7 is only an example and does not limit the functionality or scope of use of the embodiments of the present invention. Alternatively, the computer device may be a server device of the target information system, or any computer device that may be integrated into the server device of the target information system.
As shown in FIG. 7, computer device 12 is in the form of a general purpose computing device. The components of computer device 12 may include, but are not limited to: one or more processors 16, a memory 28, and a bus 18 that connects the various system components (including the memory 28 and the processors 16).
Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Computer device 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer device 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and/or cache memory 32. Computer device 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 7, and commonly referred to as a "hard drive"). Although not shown in FIG. 7, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 18 by one or more data media interfaces. Memory 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored, for example, in memory 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. Program modules 42 generally carry out the functions and/or methodologies of the described embodiments of the invention.
Computer device 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), with one or more devices that enable a user to interact with computer device 12, and/or with any devices (e.g., network card, modem, etc.) that enable computer device 12 to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 22. Also, computer device 12 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via network adapter 20. As shown, network adapter 20 communicates with the other modules of computer device 12 via bus 18. It should be appreciated that although not shown in FIG. 7, other hardware and/or software modules may be used in conjunction with computer device 12, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processor 16 executes the programs stored in the memory 28 to execute various functional applications and data processing, so as to implement the information security monitoring system provided by the embodiment of the present invention, including: the risk identification module and the safety protection module are in communication connection; wherein: the risk identification module is used for acquiring risk associated information in a target information system and providing the risk associated information to the safety protection module; and the safety protection module is used for configuring protection parameters according to the risk associated information and carrying out information safety protection on the target information system after the protection parameter configuration is completed.
Example five
An embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program implements an information security monitoring system provided in an embodiment of the present invention, and the information security monitoring system includes: the risk identification module and the safety protection module are in communication connection; wherein: the risk identification module is used for acquiring risk associated information in a target information system and providing the risk associated information to the safety protection module; and the safety protection module is used for configuring protection parameters according to the risk associated information and carrying out information safety protection on the target information system after the protection parameter configuration is completed.
Any combination of one or more computer-readable media may be employed. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or computer device. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (12)

1. An information security monitoring system, comprising: the risk identification module and the safety protection module are in communication connection; wherein:
the risk identification module is used for acquiring risk associated information in a target information system and providing the risk associated information to the safety protection module;
and the safety protection module is used for configuring protection parameters according to the risk associated information and carrying out information safety protection on the target information system after the protection parameter configuration is completed.
2. The system of claim 1, further comprising: the system comprises a safety monitoring module and a response recovery module, wherein the safety monitoring module is in communication connection with the response recovery module; wherein:
the safety monitoring module is used for monitoring information risk events occurring in the target information system;
and the response recovery module is used for performing response recovery processing on the information risk event.
3. The system of claim 2, wherein the safety monitoring module is specifically configured to:
analyzing the core flow of the target information system in real time to obtain a flow analysis result;
under the condition that the information risk event is determined to occur according to the flow analysis result, tracing the information risk event, and providing a tracing result to the response recovery module;
the response recovery module is specifically configured to:
and sending a blocking instruction to the target information system according to the tracing result.
4. The system of claim 2, wherein the safety monitoring module is further configured to: and auditing the monitored information risk event.
5. The system of claim 4, further comprising: a unified interface module;
and the unified interface module is used for reporting the auditing result of the information risk event to a supervision unit system corresponding to the target information system.
6. The system of claim 2, further comprising: an interactive portal module;
and the interactive portal module is used for receiving interactive management information input by a legal login user and configuring management information of the information security monitoring system according to the interactive management information.
7. The system of claim 6, further comprising: an internal management module;
the interactive portal module is in communication connection with the internal management module, and is also used for receiving authority authentication information input by a login request user and providing the authority authentication information to the internal management module;
and the internal management module is used for carrying out login authority authentication on the authority authentication information and determining that the login request user is the legal login user under the condition that the authority authentication information passes the login authority authentication.
8. The system of claim 6, wherein the interactive portal module is communicatively connected to the security monitoring module and is further configured to display the information risk event monitored by the security monitoring module.
9. The system according to any one of claims 1-8, wherein the system is based on Network Function Virtualization (NFV) technology, is deployed in bypass mode on a main traffic gateway of a general-purpose device deployed in said target information system, and implements the communication connections between its modules.
10. An information security monitoring method is applied to an information security monitoring system, and comprises the following steps:
acquiring risk associated information in a target information system through a risk identification module, and providing the risk associated information to a safety protection module;
and configuring protection parameters according to the risk associated information through the safety protection module, and performing information safety protection on the target information system after the protection parameter configuration is completed.
11. A computer device, characterized by comprising an information security monitoring system according to any one of claims 1 to 9.
12. A computer storage medium having stored thereon a computer program, characterized in that the program implements an information security monitoring system according to any one of claims 1 to 9.
CN202110725559.0A 2021-06-29 2021-06-29 Information security monitoring system, method, equipment and storage medium Pending CN113407949A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110725559.0A CN113407949A (en) 2021-06-29 2021-06-29 Information security monitoring system, method, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110725559.0A CN113407949A (en) 2021-06-29 2021-06-29 Information security monitoring system, method, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113407949A true CN113407949A (en) 2021-09-17

Family

ID=77680054

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110725559.0A Pending CN113407949A (en) 2021-06-29 2021-06-29 Information security monitoring system, method, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113407949A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108900551A (en) * 2018-08-16 2018-11-27 中国联合网络通信集团有限公司 SDN/NFV network safety protection method and device
CN109361675A (en) * 2018-10-30 2019-02-19 深信服科技股份有限公司 A kind of method of information safety protection, system and associated component
CN111784209A (en) * 2020-07-30 2020-10-16 中国电子科技集团公司第十四研究所 Asset visualization and safe operation management system
CN112769825A (en) * 2021-01-07 2021-05-07 深圳市永达电子信息股份有限公司 Network security guarantee method, system and computer storage medium

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113922991A (en) * 2021-09-18 2022-01-11 深信服科技股份有限公司 Resource monitoring method and device, electronic equipment and storage medium
CN114448748A (en) * 2021-12-22 2022-05-06 中国人民解放军联勤保障部队战勤部信息保障处 System-centric deployment network system
CN114448748B (en) * 2021-12-22 2024-05-28 中国人民解放军联勤保障部队战勤部信息保障处 System center deployment network system
CN114710331A (en) * 2022-03-23 2022-07-05 新华三信息安全技术有限公司 Security defense method and network security equipment
CN115659341A (en) * 2022-12-23 2023-01-31 中国计量大学现代科技学院 Software information safety monitoring system
CN115659341B (en) * 2022-12-23 2023-03-10 中国计量大学现代科技学院 Software information safety monitoring system

Similar Documents

Publication Publication Date Title
CN114978584A (en) Network security protection safety method and system based on unit cell
Montesino et al. Information security automation: how far can we go?
US7398389B2 (en) Kernel-based network security infrastructure
US7472421B2 (en) Computer model of security risks
US7669239B2 (en) Secure network system and associated method of use
CN113407949A (en) Information security monitoring system, method, equipment and storage medium
US20060031938A1 (en) Integrated emergency response system in information infrastructure and operating method therefor
CN110033174A (en) A kind of industrial information efficient public security system building method
Hassan et al. Latest trends, challenges and solutions in security in the era of cloud computing and software defined networks
Liu Securing the Clouds: Methodologies and Practices
Xu et al. Network security
Sureshkumar et al. A study of the cloud security attacks and threats
CN110086812B (en) Safe and controllable internal network safety patrol system and method
JP6933320B2 (en) Cybersecurity framework box
CN107516039B (en) Safety protection method and device for virtualization system
Lakka et al. Incident Handling for Healthcare Organizations and Supply-Chains
CN112688808A (en) Operation and maintenance management method and system of internet data center and electronic equipment
KR20100067383A (en) Server security system and server security method
Gheorghică et al. A new framework for enhanced measurable cybersecurity in computer networks
Chauhan et al. Assessment of forensics investigation methods
KR20060090408A (en) A development of enterprise vulnerability management system on a distributed network environment
Holczer et al. Virtualization-assisted testing of network security systems for NPPs
WO2020195230A1 (en) Analysis system, method, and program
Kim et al. Research on Security Threats Using VPN in Zero Trust Environments
Ogheneovo et al. Implementing a Robust Network-Based Intrusion Detection System

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination