Ethereum-based asset information security protection method and device

Document No.: 8006  Published: 2021-09-17

1. An Ethereum-based asset information security protection method, characterized by comprising the following steps:

dividing assets into value levels and security levels, and creating, storing and publishing an asset value information file through an Ethereum smart contract according to the assets and their value levels and security levels;

configuring, according to the security level of each asset, a security policy corresponding to that security level;

monitoring access and operation actions on the assets, and implementing response operations according to the asset value information file in combination with the security policies corresponding to the assets; and

appending the log information from monitoring the assets to the asset value information file.

2. The method of claim 1, wherein:

the value level division and security level division are performed on the asset's own attributes; and

the asset value information file is formed from the data content of the asset, the value level and security level of the asset, and the storage address area of the asset, and is stored on the blockchain in a distributed manner in the form of a smart contract.

3. The method according to claim 1 or 2, wherein:

the security policy comprises access authority, access duration, alarm triggering conditions, alarm types and response operations.

4. The method according to claim 3, wherein monitoring the access and operation actions on the asset and implementing the response operation according to the asset value information file and the security policy corresponding to the asset specifically comprises:

when a monitored asset is matched with an asset in the asset value information file, responding according to the security policy corresponding to that asset.

5. The method of claim 4, wherein:

the log information comprises the monitoring information and its response policy, login account information, user authority and network parameters; and

the log information is stored in the asset value information file of the corresponding asset on the blockchain.

6. An Ethereum-based asset information security protection device, comprising:

an asset value configuration unit, used to configure assets and divide them into value levels and security levels;

a blockchain storage unit, used to create and store, through an Ethereum smart contract, the assets configured by the asset value configuration unit together with their value levels and security levels, to publish the asset value information file, and to store the log information;

a security policy configuration unit, used to configure, according to the security level of each asset configured by the asset value configuration unit, the security policy corresponding to that security level;

a system monitoring unit, used to monitor access and operation actions on the assets and to implement response operations according to the asset value information file stored in the blockchain storage unit and the security policy corresponding to the asset configured by the security policy configuration unit; and

a log management unit, used to append the log information of the monitored assets to the asset value information file stored in the blockchain storage unit.

7. The apparatus of claim 6, wherein:

the asset value configuration unit performs the value level division and security level division on the attributes of the assets; and

the blockchain storage unit forms the asset value information file from the data content of the asset, the value level and security level of the asset, and the storage address area of the asset, stores the asset value information file on the blockchain in the form of a smart contract in a distributed manner, and stores the log information from monitoring the assets in the asset value information file of those assets.

8. The apparatus of claim 7, wherein:

the security policy configured by the security policy configuration unit comprises access authority, access duration, alarm triggering conditions, alarm types and response operations.

9. The apparatus of claim 8, wherein the system monitoring unit further comprises:

a monitoring matching module, used to monitor the assets and match them against the asset value information file; and

a policy response module, used to respond according to the asset matching result obtained by the monitoring matching module and the security policy corresponding to the asset configured by the security policy configuration unit.

10. The apparatus of claim 9, wherein:

the log information comprises the monitoring information and its response policy, login account information, user authority and network parameters.

Background

Today, with accelerating economic globalization, the continuous optimization and updating of information technology, the ever faster development of the information industry, more and more business operation modes, and especially the development of cloud computing and virtualization in recent years, the growth of intelligent network terminals and the wide adoption of big data platforms, the volume of data generated is growing explosively. More data means more value contained in that data, and in this situation the security of the data becomes important. Most current malicious behaviour on the internet aims at stealing data and extracting value from it. Computer information security work is therefore ever more important and urgent: it not only reduces information risk but also improves the authenticity of data.

In the face of these problems, the common current solutions are technical means such as malicious program detection, data file encryption and data gateway monitoring.

Malicious programs such as trojans and viruses are typically hidden inside normal programs or disguised as regular programs so that the system executes them, thereby obtaining important data of the system or the user. The usual countermeasure is to detect and judge whether a program is normal by means of malicious feature codes (signatures), and to forbid its execution when it is judged abnormal, thus preventing the malicious program from running and protecting the data. However, since this method must extract the characteristics of the malicious code from empirical data, a response can only be provided after the malicious program has appeared; it cannot be used against 0-day attacks, that is, previously unseen malicious programs.

Data file encryption encrypts the content of the file, so that even if the file is stolen its real content cannot be read, which achieves a degree of data protection. In essence, however, although the content cannot be interpreted directly, the data itself has still been stolen, and the possibility of cracking it remains.

Gateway monitoring of traffic data can be regarded as a data security protection means outside the system: by inspecting the data in traffic packets and matching sensitive information, the transmitting network is controlled immediately when illegal content is found in the transmitted data, thereby achieving data information security control. In practice, however, data is usually encrypted before transmission over the network, and the gateway must reassemble the packets and decrypt the content, so not only is efficiency hard to achieve, but a gateway handling a specific encryption type cannot achieve security monitoring of all data. This method therefore also has difficulty protecting data information security.

In summary, none of the current data information security technologies achieves data information security in a true sense, and how to fundamentally solve data information security remains an important problem.

Disclosure of Invention

The invention aims to provide an Ethereum-based asset information security protection method, which comprises the following steps:

dividing assets into value levels and security levels, and creating, storing and publishing an asset value information file through an Ethereum smart contract according to the assets and their value levels and security levels;

configuring, according to the security level of each asset, a security policy corresponding to that security level;

monitoring access and operation actions on the assets, and implementing response operations according to the asset value information file in combination with the security policies corresponding to the assets; and

appending the log information from monitoring the assets to the asset value information file.

Preferably:

the value level division and security level division are performed on the asset's own attributes; and

the asset value information file is formed from the data content of the asset, the value level and security level of the asset, and the storage address area of the asset, and is stored on the blockchain in a distributed manner in the form of a smart contract.

Specifically:

the security policy comprises access authority, access duration, alarm triggering conditions, alarm types and response operations.

Further, monitoring the access and operation actions on the asset and implementing response operations according to the asset value information file and the security policy corresponding to the asset specifically comprises:

when a monitored asset is matched with an asset in the asset value information file, responding according to the security policy corresponding to that asset.

More specifically:

the log information comprises the monitoring information and its response policy, login account information, user authority and network parameters.

The invention also discloses an Ethereum-based asset information security protection device, which comprises:

an asset value configuration unit, used to configure assets and divide them into value levels and security levels;

a blockchain storage unit, used to create and store, through an Ethereum smart contract, the assets configured by the asset value configuration unit together with their value levels and security levels, to publish the asset value information file, and to store the log information;

a security policy configuration unit, used to configure, according to the security level of each asset configured by the asset value configuration unit, the security policy corresponding to that security level;

a system monitoring unit, used to monitor access and operation actions on the assets and to implement response operations according to the asset value information file stored in the blockchain storage unit and the security policy corresponding to the asset configured by the security policy configuration unit; and

a log management unit, used to append the log information of the monitored assets to the asset value information file stored in the blockchain storage unit.

Specifically:

the asset value configuration unit performs the value level division and security level division on the attributes of the assets; and

the blockchain storage unit forms the asset value information file from the data content of the asset, the value level and security level of the asset, and the storage address area of the asset, stores the asset value information file on the blockchain in the form of a smart contract in a distributed manner, and stores the log information from monitoring the assets in the asset value information file of those assets.

Specifically:

the security policy configured by the security policy configuration unit comprises access authority, access duration, alarm triggering conditions, alarm types and response operations.

Specifically, the system monitoring unit further includes:

a monitoring matching module, used to monitor the assets and match them against the asset value information file; and

a policy response module, used to respond according to the asset matching result obtained by the monitoring matching module and the security policy corresponding to the asset configured by the security policy configuration unit.

Specifically:

the log information comprises the monitoring information and its response policy, login account information, user authority and network parameters.

In order to solve the problem of how to protect asset information securely, the invention provides an asset information security protection technology. By evaluating the data assets, different data, files or devices are graded, so that the data information assets are classified into levels, and different monitoring and alarm policies are executed for assets of different levels. The files read by the system are monitored to obtain information about the file being read; this information is matched against the data assets to determine the security level corresponding to the file, and the security condition of the data assets is fed back in real time. After a file is read, the state information of the current system, such as key information about the operating user, the user's permission level and the network parameter settings, is obtained and recorded in a log, so that the data security situation can be presented in real time, comprehensive information can be provided to decision makers, the reasons for data insecurity can be understood and judged in depth, and corresponding countermeasures can be taken. In order to achieve real data information security, the invention combines Ethereum technology: the monitoring information, the asset evaluation information and the monitoring log are stored on the blockchain, and the distributed ledger storage technology makes the asset and log information tamper resistant, preventing an attacker from planting a back door and hiding their identity, thereby truly achieving security protection of the data information.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions of the prior art, the drawings used in describing the embodiments or the prior art are briefly introduced below. It is obvious that the drawings described below show only some embodiments of the present invention, and that those skilled in the art can obtain other drawings from them without creative effort.

Fig. 1 is a flowchart of an Ethereum-based asset information security protection method according to an embodiment of the present application;

Fig. 2 is a flowchart of the method provided in a second embodiment of the present application;

Fig. 3 is a schematic structural diagram of an Ethereum-based asset information security protection device according to a third embodiment of the present application.

Detailed Description

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without inventive effort based on the embodiments of the present invention, are within the scope of the present invention.

The following detailed description of embodiments of the present invention is provided in connection with the accompanying drawings and examples. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.

As shown in Fig. 1, the flowchart of the Ethereum-based asset information security protection method according to the present embodiment comprises the following steps:

Step S01: divide the assets into value levels and security levels, and create, store and publish an asset value information file through an Ethereum smart contract according to the assets and their value levels and security levels.

The entry may be made in the form of a whitelist data table.

The unique identification and access address of the asset may be assigned a security level, and the storage space of the asset may also be assigned a security level.

Ethereum is a distributed platform that runs smart contracts. These smart contracts run on the Ethereum Virtual Machine (EVM), a distributed computing network consisting of all devices running Ethereum nodes. "Distributed platform" means that anyone can build and run an Ethereum node.

A smart contract is an application running on the Ethereum Virtual Machine, a distributed "world computer" whose computing power is provided by all Ethereum nodes.

Smart contracts can be used for many different purposes. Developers may create smart contracts that provide functionality for other smart contracts, much as software libraries do. Alternatively, a smart contract may simply be used as an application that stores information on the Ethereum blockchain.

Ethereum supports smart contracts, which can create, store and enforce contracts or agreements and which, using blockchain technology, can be used to operate on any file in addition to storing virtual currency transaction information. The invention therefore uses Ethereum to store the asset value information on the blockchain in the form of an Ethereum smart contract. The asset value information file is first created through a smart contract and published on the Ethereum chain, so that any modification or deletion of the file must pass through the consensus mechanism of the blockchain: the operation is allowed only when every node storing the file legitimately accepts the modification, and the operation is then recorded in the asset value information file within the smart contract. Any malicious modification of the file made through an illegal, non-compliant channel cannot take effect, so the method effectively protects the asset value information through the consensus mechanism.

Since only the data asset value information is put on the chain, little storage is required, the timeliness requirement is low, and the scheme is easy to implement and maintain in actual production.

Using the tamper resistance and smart contract technology of the Ethereum (ETH) blockchain, the data asset value information is stored on the chain in a distributed manner in the form of a smart contract written in the Solidity programming language. The asset value information file recorded in the smart contract contains information such as the asset information, the files, the value level corresponding to each asset, the security level corresponding to each asset, and the disk address area.

Step S02: configure, according to the security level of each asset, a security policy corresponding to that security level.

Different security policies are configured for different security levels.

For a high risk level, access may be limited by access time, access duration or visitor, or may require waiting for authorization.

The security policy can be adjusted according to actual conditions, and adjusted correspondingly when the assets change.

Step S03: monitor the access and operation actions on the assets, and implement response operations according to the asset value information file and the security policy corresponding to the assets.

Step S04: append the log information from monitoring the assets to the asset value information file.

The invention classifies the data information assets into levels by evaluating the data assets, and executes different security policies for assets of different levels. By monitoring the assets, the information about the asset being read is obtained and matched against the data assets, the security level corresponding to the file is determined, and the security condition of the data assets is fed back in real time. At the same time, the state information of the current system, such as key information about the operating user, the user's permission level and the network settings, is obtained and recorded in a log, so that the data security situation can be presented in real time, comprehensive information can be provided to decision makers, the reasons for data insecurity can be understood and judged in depth, and corresponding countermeasures can be taken. More importantly, the invention combines Ethereum technology: the monitoring configuration information, the asset evaluation information and the monitoring log are stored on the blockchain, and the distributed ledger storage technology makes the asset and log information tamper resistant, preventing an attacker from planting a back door and hiding their identity, thereby truly achieving security protection of the assets.

In order to better illustrate the present invention, a second embodiment is given to explain the working principle of each step in detail, as shown in Fig. 2.

Step S201: perform value level division and security level division on the asset's own attributes.

The asset's own attributes usually refer to the asset's unique identification and its storage address, from which the asset itself can be obtained. Since data assets usually exist in the form of files, in most cases the value level division and security level division of the asset's own attributes can be carried out as the value level division and security level division of the file's own attributes.

Monitoring these two attributes is thus monitoring the data itself. Security level division is carried out on the access address of the file and on the stored address space.

Files or storage spaces are divided into data tables in the form of whitelists, which are entered manually. First, a security level is defined for a specific file name and file address, for example '05' for the ordinary danger level and '09' for the high danger level. Second, a security level is defined for the storage address space, for example disk access address space A at the ordinary danger level and disk access address space D at the high danger level. The advantage of dividing the security level of data in this way is that, no matter how the operating system accesses the data, and whether the access is normal or abnormal, the address of the data must be confirmed first. When the address passes through the operating system's data read/write driver, the danger level of the read/write operation can be judged from the security level. If the security level judges the read/write operation dangerous, that is, the accessed file or address is at the high danger level, an alarm is raised immediately regardless of whether the access is normal; a high danger level alarm needs to be judged by an expert to determine whether it is actually suspected malicious access, while a weak danger level can be handled by the monitoring system according to the policy and recorded accordingly.

Step S202: form the asset value information file from the data content of the asset, the value level and security level of the asset, and the storage address area of the asset, and store the asset value information file on the blockchain in a distributed manner in the form of a smart contract.

Because the asset value information file is stored on the blockchain in the form of a smart contract, all operations on the file must pass through the consensus mechanism of the blockchain, and illegal operations that maliciously tamper with, delete or read the file cannot be allowed, which further ensures the security of the asset value file.

Step S203: configure, according to the security level of each asset, a security policy corresponding to that security level.

The security policy comprises access authority, access duration, alarm triggering conditions, alarm types and response operations.

Since the legitimacy of every data access cannot be judged, corresponding security policies can be configured for the different security levels of different data in order to handle data access.

Security configuration is similar to ordinary data table operation. High risk level access may be limited in access time, access duration or permitted visitors, or may require waiting for authorization. For example, if disk address space zone D is at the high risk level, the accessible time is 10 AM each day, a single access lasts 10 minutes, the administrator can access the disk beyond that authority, and the administrator ADMIN is required to provide access service during the access. When a data access operation reaches the system monitor and the access address is judged, via the data asset value, to be a dangerous access, then for high risk access the access instruction and related information is sent to the administrator in the form of a system prompt, log entry or SMS to inform them that a suspected high risk access has occurred, and the administrator then takes corresponding measures. For low or specific dangerous access, the system can execute the corresponding operation instructions according to the danger level without administrator intervention, such as interrupting or limiting the access.

Step S204: monitor the access and operation actions on the asset.

Step S205: when a monitored asset is matched with an asset in the asset value information file, respond according to the security policy corresponding to that asset.

Because the value level and security level are classified according to the asset's own attributes (its unique identification and storage address), when the access and operation actions on an asset are monitored, the security policy is triggered if the asset name (file name) and access address match the file name and access address recorded in the asset value information. If the asset name (file name) and access address are not in the asset value information, the match is unsuccessful and the operation is handled according to the response policy that the security policy defines for unmatched assets.

Taking Linux as an example: since file access in the system is realized through the VFS (virtual file system), the monitoring hook placed in the file access method captures the access address when the virtual file system accesses data, and then compares it with the content of the data asset value table, thereby triggering the security policy and the log record.

Step S206: append the log information from monitoring the assets to the asset value information file.

The log information comprises the monitoring information and its response policy, login account information, user authority and network parameters.
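As an added illustration, not code from the patent, the following Python sketch walks steps S201 to S206 for a single file access: a constructed whitelist table with file-level and storage-space-level security levels ('05' ordinary, '09' high), the per-level policy of S203 (access window, duration limit, required authorizer, alarm type and response operation), the matching of S205, and the appended log record of S206. The on-chain asset value information file is replaced by an in-memory record whose entries are hash-chained, an assumption standing in for the blockchain's tamper resistance; all paths, accounts, address spaces and network values are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Security levels as named in the second embodiment: '05' ordinary danger, '09' high danger.
ORDINARY, HIGH = "05", "09"


@dataclass
class AssetEntry:
    """One asset's row in the asset value information file (on-chain storage simulated in memory)."""
    asset_id: str                 # unique identification of the asset, here its file path
    address_space: str            # disk address area the asset is stored in
    value_level: int
    security_level: str
    records: list = field(default_factory=list)   # log information appended by the monitor


@dataclass
class Policy:
    """Security policy for one level: access authority, duration, alarm and response operation."""
    window: Optional[tuple]       # ("HH:MM", "HH:MM") daily access window, None = any time
    max_minutes: Optional[int]    # limit on a single access, None = unlimited
    authorizer: Optional[str]     # account that must provide access service, None = not needed
    alarm: str                    # alarm type raised when the policy is triggered
    action: str                   # response operation executed when the policy is violated


POLICIES = {
    ORDINARY: Policy(None, None, None, "log", "limit"),
    HIGH: Policy(("10:00", "10:30"), 10, "ADMIN", "notify_admin", "interrupt"),
}

# Whitelist data tables from S201 (constructed sample rows): per file and per storage space.
FILE_TABLE = {"/srv/finance/ledger.db": HIGH, "/srv/docs/readme.txt": ORDINARY}
SPACE_TABLE = {"A": ORDINARY, "D": HIGH}


def _hhmm(s: str):
    return datetime.strptime(s, "%H:%M").time()


def security_level(path: str, space: str) -> Optional[str]:
    """S205 matching: look the access up in both tables; the stricter level wins."""
    levels = [lv for lv in (FILE_TABLE.get(path), SPACE_TABLE.get(space)) if lv]
    return max(levels) if levels else None      # "09" sorts above "05"


def evaluate(path: str, space: str, when: str, minutes: int, authorizer_present: bool) -> dict:
    """Decide alarm and response operation for one monitored access (S203/S205)."""
    level = security_level(path, space)
    if level is None:
        # Not in the asset value file: no policy is triggered, the access is only recorded.
        return {"matched": False, "level": None, "alarm": None, "action": "allow", "violations": []}
    pol = POLICIES[level]
    violations = []
    if pol.window and not (_hhmm(pol.window[0]) <= _hhmm(when) <= _hhmm(pol.window[1])):
        violations.append("outside access window")
    if pol.max_minutes is not None and minutes > pol.max_minutes:
        violations.append("access duration exceeded")
    if pol.authorizer and not authorizer_present:
        violations.append(f"{pol.authorizer} not present")
    # High-danger access is alarmed whether or not it is otherwise normal; an expert then judges it.
    alarm = pol.alarm if level == HIGH or violations else None
    action = pol.action if violations else "allow"
    return {"matched": True, "level": level, "alarm": alarm, "action": action, "violations": violations}


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_log(entry: AssetEntry, decision: dict, account: str, authority: str, network: dict) -> dict:
    """S206: append monitoring info and response, login account, authority and network parameters.
    Each record carries the hash of the previous one, standing in for the chain's tamper resistance."""
    prev = entry.records[-1]["hash"] if entry.records else "0" * 64
    body = {"monitor": decision, "account": account, "authority": authority,
            "network": network, "prev": prev}
    record = dict(body, hash=_digest(body))
    entry.records.append(record)
    return record


def verify_chain(entry: AssetEntry) -> bool:
    """Recompute every record hash and its link to the previous one; False if any was altered."""
    prev = "0" * 64
    for rec in entry.records:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body["prev"] != prev or _digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


if __name__ == "__main__":
    ledger = AssetEntry("/srv/finance/ledger.db", "D", value_level=3, security_level=HIGH)
    decision = evaluate(ledger.asset_id, "D", "23:15", 30, authorizer_present=False)
    append_log(ledger, decision, "alice", "user", {"src_ip": "10.0.0.5"})
    print(decision["alarm"], decision["action"], decision["violations"])
```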

The invention combines Ethereum technology: the monitoring configuration information, the asset evaluation information and the monitoring log are stored on the blockchain, and the distributed ledger storage technology makes the asset and log information tamper resistant, preventing an attacker from planting a back door and hiding their identity, thereby achieving high-quality security protection of the data information.

The invention also discloses an Ethereum-based asset information security protection device; a third embodiment of the invention is given, as shown in Fig. 3, to explain the structural characteristics of the device.

The device includes:

an asset value configuration unit 1, used to configure assets and divide them into value levels and security levels.

A blockchain storage unit 2, used to create, store and publish, through an Ethereum smart contract, the assets configured by the asset value configuration unit together with their value levels and security levels, and to store the log information.

The asset value configuration unit performs the value level division and security level division on the asset's own attributes.

The blockchain storage unit forms the asset value information file from the data content of the asset, the value level and security level of the asset, and the storage address area of the asset, stores the asset value information file on the blockchain in the form of a smart contract in a distributed manner, and stores the log information from monitoring the assets in the asset value information file of those assets.

A security policy configuration unit 3, used to configure, according to the security level of each asset configured by the asset value configuration unit, the security policy corresponding to that security level.

The security policy configured by the security policy configuration unit comprises access authority, access duration, alarm triggering conditions, alarm types and response operations.

A system monitoring unit 4, used to monitor the access and operation actions on the assets and to implement response operations according to the asset value information file stored in the blockchain storage unit and the security policy corresponding to the asset configured by the security policy configuration unit.

The system monitoring unit further comprises:

a monitoring matching module 41, used to monitor the assets and match them against the asset value information file; and

a policy response module 42, configured to respond, according to the asset matching result obtained by the monitoring matching module, with the security policy corresponding to the asset configured by the security policy configuration unit.

A log management unit 5, used to append the log information from monitoring the assets to the asset value information file stored in the blockchain storage unit.

The log information comprises the monitoring information and its response policy, login account information, user authority and network parameters.

Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working process of the apparatus embodiment described above corresponds to that of the foregoing method, and is not repeated here.

The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.

The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. The terms "first," "second," "third," "fourth," and the like in the description, the claims and the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the terms so used may be interchanged under appropriate circumstances, such that the embodiments of the application described herein may be practiced in sequences other than those illustrated.

The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
