CN100385859C - Security management service system and its implementation method

Publication number: CN100385859C
Authority: CN (China)
Application number: CNB2005100045446A
Other versions: CN1808992A
Original language: Chinese (zh)
Prior art keywords: policy, event, request, item
Inventors: 宋建福, 刘文涵, 刘宏亮
Assignee (original and current): Inventec Corp
Legal status: Expired - Fee Related

Abstract

The present invention relates to a security management service system and its implementation method, applied to a Secure Sockets Layer (SSL) virtual private network (VPN). The system uses an event/state analyzer to collect and manage the behaviour or characteristics of the other components, automatically counts and analyzes the security events of the system, acts on the analysis results, and applies countermeasures to the identified security hazards, lowering the probability that a security incident occurs. The method comprises: extracting the attributes of an event, including at least one event subject and at least one event feature; comparing the event subject with at least one established feature item to obtain an item comparison result; and, according to that result, selectively accumulating the number of occurrences of the event, establishing a feature item corresponding to the event, or ignoring the event.

Description

Security management service system and implementation method thereof
Technical field
The present invention relates to a security management service system and its implementation method, and in particular to a security architecture applied to a Secure Sockets Layer (SSL) virtual private network (VPN).
Background technology
A virtual private network (VPN) is a private dedicated network built on top of the existing public communication network. For example, a subsidiary or branch office that must connect to the network of its parent company can do so either over a leased line or over a VPN. The leased-line approach lays a dedicated point-to-point circuit, which burdens the enterprise with high installation, maintenance and rental costs. VPNs were therefore developed: a virtual private channel is established over an existing public network such as the Internet, frame relay or Asynchronous Transfer Mode (ATM), so that no dedicated circuit needs to be laid, yet a secure, reliable and manageable private network is still obtained.
A Secure Sockets Layer (SSL) VPN is a new kind of remote-access enterprise solution. It relies mainly on the security mechanisms of data encryption and server authentication to provide an easy-to-use service while guaranteeing security. Compared with an Internet Protocol Security (IPSec) VPN, it offers higher security, better usability and easier management. Since enterprises require privacy for their internal networks, the security of the VPN gateway, as the single entry point to the intranet, is extremely important.
Consequently, many current SSL VPN gateway products ship with an integrated firewall. To raise the security of the VPN product further, an SSL VPN gateway usually combines the following features: authentication, connection control policies, encryption, logging and security auditing, intrusion detection, and so on. Authentication is achieved through the service of an authentication server; connection control policies are generally realized by a packet-filtering firewall, an application-level proxy and application-layer policy configuration; encryption is done by SSL; logging and security auditing must be completed manually by the system administrator; and some SSL VPNs additionally provide an intrusion detection system. In general, a product possesses one or more of these features to guarantee a certain resistance to attack. Yet the more features it possesses, the more the product cost rises, and the more the user is overwhelmed by the complicated maintenance and management tasks.
Moreover, there is almost no association between the individual functional features, so these functions or components must each be configured, managed and coordinated manually by the system administrator. The slightest carelessness in management leaves an omission or a hole in the system, creating a serious potential security hazard. This not only wastes cost but also increases the complexity and maintenance difficulty of the product, and above all increases its potential security hazards. Finally, when the logging systems of these components produce a large volume of system logs, the administrator must also carefully analyze the logs generated by the different components in order to find security breaches or harmful (bad) connection attempts, and finally mitigate or eliminate these hazards by adding connection control policies. Such analysis is time-consuming and not real-time, which greatly reduces the effectiveness of this kind of system defence. In view of these defects, a security management service system is needed that achieves higher security with fewer functional components, while improving the real-time responsiveness of the system and easing the system administrator's management work.
Summary of the invention
In view of the above problems, the main purpose of the present invention is to provide a security management service system and its implementation method, in which an event/state analyzer collects and manages the behaviour or features of the other components, automatically counts and analyzes the security events of the system, acts on the analysis results, and applies countermeasures to the analyzed potential security hazards, so as to reduce the possibility that a security incident occurs.
The security management service system and implementation method disclosed in this invention add a response-mechanism policy for particular events, and add special functions such as connection control policies.
The security management service system and implementation method disclosed in this invention can provide higher system security and timeliness.
The security management service system and implementation method disclosed in this invention can process in real time the security threats identified by the system, or threats to the system, to ease the system administrator's burden.
The security management service system and implementation method disclosed in this invention process events automatically, improving accuracy. Known systems handle event combinations they cannot recognize by logging them and leaving the management of the log system to the system administrator; yet the log system is quite complex, manual processing regularly suffers from accuracy problems, and a moment of carelessness may miss part of the potential threats, so that some security problems cannot be discovered in real time.
The security management service system and implementation method disclosed in this invention can reduce the deviation of the system security analysis. Because log records are finite and security features have certain timeliness requirements, analyzing the security of the system by means of log analysis can miss the system operation information at the moment many events occur, producing a deviation in the analysis result; handling events automatically and promptly during operation substantially reduces such deviation.
Therefore, to achieve the above objects, the security management service system disclosed in this invention is applied to a virtual private network in order to selectively filter the users connecting to the virtual private network and execute the users' requests, and comprises: a system policy table, a policy distributor, a packet filter, a query analyzer, an authentication/session manager, a policy matcher, a state and event analyzer, and a timing processor.
The system policy table holds a plurality of policies. The policy distributor is connected to the system policy table and distributes policies according to their conditions. The packet filter is connected to the policy distributor, filters users according to the policies received from the policy distributor, and selectively generates an event according to the user's connection state. The query analyzer receives the user's request, parses it and judges its category. The authentication/session manager is connected to the query analyzer and, according to the request category, selectively performs authentication/session management functions based on the analysis result of the request; when the execution state is abnormal or erroneous, the authentication/session manager generates an event. The policy matcher is connected to the policy distributor and the query analyzer and, according to the request category, selectively executes the request by matching it against the policies received from the policy distributor, producing a policy matching result; when the policy matching result is an abnormal or error state, the policy matcher generates an event. The state and event analyzer is connected to the packet filter, the system policy table, the authentication/session manager and the policy matcher; it receives and records events, analyzes them, and according to the analysis result and the policies in the system policy table selectively generates a feedback policy, which it enters into the system policy table so that the policy distributor can distribute it. The timing processor is connected to the state and event analyzer and periodically sends it a request to perform state analysis and validity analysis of the recorded events and, according to the analysis result, to delete a recorded event, retain it, or generate a feedback policy.
The state and event analyzer has an abnormal-behaviour feature database and an event analysis buffer. The abnormal-behaviour feature database stores one or more abnormal-feature events, and the event analysis buffer records event sequences.
In addition there are two add-on components: a user interface and a policy configuration file. The user interface is connected to the packet filter and the query analyzer, so that the user can enter requests through it. The policy configuration file is connected to the system policy table and contains the many formulated connection policies that the system policy table reads.
The implementation method of the security management service system disclosed in this invention comprises the following steps: receiving a request; analyzing the request to obtain an analysis result and learning the request category from it, where the request categories comprise the authentication/session management category, the permission check category and the policy check category; when the request category is authentication/session management, performing the authentication/session management function according to the analysis result and producing an execution result; when the request category is permission check, performing the permission check according to the analysis result and producing an execution result; when the request category is policy check, performing policy matching and checking according to the analysis result and producing an execution result; when the execution result is an abnormal or error state, generating an event and recording it; analyzing the event to obtain an analysis result and, according to it, accumulating the occurrence count of the event, establishing a feature item corresponding to the event, or ignoring the event; and finally returning the execution result.
The method further comprises analyzing the recorded events, which comprises the following steps: when the period elapses, obtaining the items of the corresponding recorded events within the period; analyzing each event item in turn against one or more specified conditions, where a specified condition is that the occurrence frequency of a defined abnormal-feature event is reached within a certain time, or that a particular event sequence occurs; when an item meets a specified condition, generating a feedback policy corresponding to that condition and event item; when an item does not meet the specified condition, checking the time of the event item to obtain a confirmation result and, according to it, deleting or retaining the event item; and distributing the feedback policy according to its matching condition so that it is applied in the security management service system.
In addition, before entering the state of receiving requests, the security management service system can first perform policy initialization: first clearing all policies in the system; then obtaining a plurality of connection policies from the policy configuration file as system policies; and finally distributing the available policies, one by one according to their matching conditions, to the policy matcher or the packet filter for use.
The features and practical operation of the present invention are described in detail below with reference to the drawings, as a preferred embodiment.
Description of drawings
Fig. 1 shows the system architecture of a security management service system according to an embodiment of the invention;
Fig. 2 shows the flow in which the security management service system of Fig. 1 processes a user's request;
Fig. 3 is a detailed flowchart of an embodiment of step 308 in Fig. 2;
Fig. 4 is a detailed flowchart of an embodiment of the permission check in Fig. 2 and Fig. 3;
Fig. 5 is a detailed flowchart of the event analysis performed by the state and event analyzer of Fig. 1; and
Fig. 6 is a detailed flowchart of the periodic trigger event of the timing processor of Fig. 1.
Reference numerals in the figures:
100 security management service system
110 query analyzer
120 authentication/session manager
130 policy matcher
140 state and event analyzer
142 abnormal-behaviour feature database
144 event analysis buffer
150 packet filter
160 system policy table
170 policy distributor
180 timing processor
190 policy configuration file
200 user interface
Step 302: receive the user's request
Step 304: analyze the user's request and determine the request category
Step 306: judge the request category
Step 308: perform the authentication/session management function according to the request
Step 310: perform the permission query according to the request
Step 312: perform policy matching and checking of the request
Step 314: return the execution result to the client
Step 402: obtain the connection information of the request
Step 404: authentication permission check
Step 406: passed?
Step 408: record the event
Step 410: obtain the user password
Step 412: perform user authentication
Step 414: passed?
Step 416: record the event
Step 418: authentication count less than the specified number of times?
Step 420: establish a session and set the session attributes
Step 502: receive the permission check request
Step 504: is it an authentication permission check?
Step 506: obtain the session identifier and attribute information
Step 508: obtain the recorded attribute information
Step 510: valid session?
Step 512: record the event
Step 514: refuse the request
Step 516: compare the session information of the request with the recorded session information
Step 518: consistent?
Step 520: perform policy matching
Step 522: is there a matching policy?
Step 524: return the action defined by the matching policy
Step 602: receive the event
Step 604: extract the attributes of the event
Step 606: compare the subject of the item with the subject of the event
Step 608: is there an item corresponding to the event subject?
Step 610: compare whether the event matches the other features of the existing event item
Step 612: match?
Step 614: establish a feature item
Step 616: accumulate the number of occurrences of the event
Step 618: search for the item related to this event
Step 620: found?
Step 702: search the monitored event-sequence items
Step 704: analyze each item and confirm whether the event occurrence frequency specified by the abnormal feature, or the particular event sequence, is reached within the given time
Step 706: frequency or sequence reached?
Step 708: add the specified policy to the system policy table
Step 710: specified time segment exceeded?
Step 712: suspend the item and continue observing
Step 714: delete the item
Step 716: other items?
Step 718: redistribute the policies
Embodiment
Specific embodiments are enumerated below to describe the content of the present invention in detail, with the accompanying drawings as an aid. The symbols mentioned in the explanation refer to the reference numerals in the drawings.
The present invention is mainly a security architecture that integrates all security components of an application system on an SSL VPN, in which an event/state analyzer periodically collects and analyzes the events and states of these security components and takes specific actions according to the result of the analysis.
Referring to Fig. 1, the security management service system according to an embodiment of the invention, applied to an SSL VPN, comprises: a query analyzer 110, an authentication/session manager 120, a policy matcher 130, a state and event analyzer 140, a packet filter (Berkeley Packet Filter; BPF) 150, a system policy table 160, a policy distributor 170 and a timing processor 180.
The query analyzer 110 is connected to the authentication/session manager 120 and the policy matcher 130. It can also be connected to a user interface 200, through which the user enters a request. The query analyzer 110 analyzes the user's request and decides its category from the analysis result, namely whether it is an authentication/session management request or a permission or policy check request.
When the request belongs to the authentication/session management category, the query analyzer 110 passes the analysis result to the authentication/session manager 120, which performs the authentication/session management function according to it, for example session creation, deletion, query or attribute access.
When the request is a permission or policy check request, the query analyzer 110 passes the analysis result to the policy matcher 130, which performs the requested policy matching and checking, or the permission query, according to the analysis result.
The state and event analyzer 140 is connected to the authentication/session manager 120, the policy matcher 130 and the packet filter 150. It receives the events from these three components and checks their state, and then analyzes and judges the current running state and security state.
The system policy table 160 comprises system default policies, system administrator defined policies and dynamic policies. The system policy table 160 can read the connection policies to be applied to the security management service system 100 from a policy configuration file 190 outside the security management service system 100. The policy configuration file 190 contains the administrator's policy settings, the system default policies and the currently effective temporary policies.
The state and event analyzer 140 is also connected to the system policy table 160. After analyzing the received events, it can aggregate the possible results, generate feedback according to the system default policies or system administrator defined policies in the system policy table 160, and enter the feedback policy into the system policy table 160.
The policy distributor 170 is connected to the policy matcher 130, the packet filter 150 and the system policy table 160. It decides where and whether each policy in the system policy table 160 is applied: according to the policy matching condition of each policy, it applies the policy to the policy matcher 130 or to the packet filter 150.
The state and event analyzer 140 contains an abnormal-behaviour feature database 142 and an event analysis buffer 144. The abnormal-behaviour feature database 142 stores abnormal features, that is, a known series of abnormal connection requests or sequences of abnormal behaviour. The state and event analyzer 140 uses these sequences to decide whether a combination of events constitutes abnormal behaviour; if it does, the system policy table 160 is modified according to the policy defined for that abnormal behaviour. The event analysis buffer 144 stores event sequences. When an event arrives, the state and event analyzer 140 obtains the subject of the event and compares it with the items in the abnormal-behaviour feature database 142; if an item whose subject matches the subject of the event is found, the event is stored in the event analysis buffer 144 as an abnormal item, and the other features of the event, such as the IP address and port number, are recorded.
The packet filter 150 filters the datagrams that enter, leave or pass through according to the applied policies, and decides how to process a datagram according to its attributes. That is, the packet filter 150 can filter out most harmful requests (bad requests); only datagrams that pass through the packet filter 150 can be further encapsulated and assembled into a request message and submitted to the policy matcher 130 for policy matching and checking.
The timing processor 180 sends requests periodically, thereby triggering the state and event analyzer 140 to analyze events and states, and checks all policies according to the fixed clock cycle of the timing processor 180 so as to control the validity state of every time-dependent policy.
Each component is described in detail below in terms of its actual operation.
The query analyzer 110 connects to the user interface 200 in order to parse the request commands coming from it: when the user enters a request through the user interface 200, the query analyzer 110 parses the request instruction and, according to the parsing result, invokes the function of the authentication/session manager 120 or the policy matcher 130. In other words, the query analyzer 110 is the user service interface of the security management service system 100, and through the user interface 200 the user can call, via the query analyzer 110, the functions that the security management service system 100 provides.
The authentication/session manager 120 manages user authentication and sessions. Through it, many application-layer functions can be performed on the SSL VPN, for example Hypertext Transfer Protocol (HTTP) and HTTPS website connections, File Transfer Protocol (FTP)/HTTP gateway, Common Internet File System (CIFS)/HTTP gateway, Mail/HTTP gateway, remote login (Telnet)/HTTP gateway and Remote Data Service (RDS)/HTTP gateway; these services can rely on authentication rather than on simple host-based authentication, thereby raising security. A user who has passed authentication can establish a session with the SSL VPN gateway, and the security management service system 100 can manage the user through the authentication/session manager 120 according to the session identifier (ID), including the environment, attributes and timeout control of the current session. From the process by which the user establishes a session and the state of each session, the information of the currently logged-in users and the abnormal behaviour of certain specific logged-in users can be learned, and this information, together with the information generated by the module, is passed to the state and event analyzer 140.
The system policy table 160 is the database of system policies, provided for the other components to use or consult. The system policy table 160 comprises global policies and user/group policies, and each class of policy is further divided, according to its real-time nature, into system default policies, system administrator defined policies and dynamic policies. The system default policies are determined by the security level defined by the system administrator: different security levels use different system default policies, and the higher the security level, the stricter the examination by the system default policies, while the lower the security level, the looser they are. System administrator defined policies are added or specified statically by the system administrator, who adds or adjusts policies according to system requirements. Finally, dynamic policies are real-time feedback policies dynamically added or deleted by the state and event analyzer 140 according to the events generated by each component and the state at that time. The system policy table 160 can apply connection policies to the security management service system 100 as needed from the policy configuration file 190 outside the security management service system 100; accordingly, the policy configuration file comprises the administrator's policy settings, the system default policies and the currently effective temporary policies.
The policy distributor 170 extracts the policy information from the system policy table 160 and decides where each policy is applied. When a policy is applied at the application layer (that is, to the policy matcher 130), incoming command requests are matched and checked against the applied policy, and the command request is handled according to the result of the match. The matched and checked contents comprise: user, group match (phrase match), source address, destination address, connection service and connection time, etc.; the actions performed according to the match result comprise: drop, deny, allow, jump or record, etc. When a policy is applied at the session layer (that is, to the packet filter 150), incoming datagrams are matched and checked against the applied policy, and the datagram is handled according to the result of the match. The matched and checked contents comprise: source address, destination address, source port number, destination port number, protocol or network interface card, etc.; the actions performed according to the match result comprise drop, deny or jump, etc. Here the policy matching and checking is performed on datagrams of the Transmission Control Protocol (TCP)/Internet Protocol (IP) session layer.
The policy matcher 130 performs application-layer policy matching and checking, that is, it handles application-layer requests, for example deciding whether a request to perform an application-layer action (such as an FTP/HTTP connection) is legitimate, whether a user is allowed to log in, and whether a specific session is allowed to connect to a specific internal enterprise website. The policy matcher 130 compares the concrete attributes of the request with the stored policies one by one, in order of priority from high to low; when the request matches a specific policy, the action defined by that matching policy is looked up and returned. In general the actions defined by a policy include allow, deny or jump. Thus, on the SSL VPN, the result of executing a request can be decided according to the stored policies, achieving connection control.
The packet filter 150 applies and checks the policies of the network session layer: it processes the datagrams that enter, leave or pass through the session layer and decides how to handle each datagram according to its attributes. The policies matched against the datagram attributes include: the datagram protocol (for example IP, TCP, User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP) or FTP), source IP address, destination IP address, source and destination port number (for the TCP/UDP protocols), network interface card or direction (input, output, forward or redirect), and so on. The packet filter 150 can therefore satisfy all session-layer security requirements, for example defending against Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks, preventing port scanning or preventing Trojan-horse intrusion. In other words, on the SSL VPN the packet filter 150 can filter out most session-layer harmful requests (bad requests), and only datagrams that pass through the packet filter 150 can be further encapsulated and assembled into a request message at the application layer and submitted to the application-layer policy matcher 130 for policy matching and checking.
State and event analysis device 140 are in order to receive each assembly (promptly, authentication/talks manager 120, strategy matching device 130 and Packet Filter 150) institute's event, and the association between each incident of combinatory analysis, with the operating state of dynamically obtaining each assembly and the behavior of coordinating each assembly, just, the result that binding events is analyzed and the state of each assembly according to system manager's configuration, are made next step action purpose.
Timing Processing device 180 is in order to regularly the request of sending, and then initiation state and 140 pairs of incidents of event analysis device and state are analyzed.Simultaneously, system can according in the Timing Processing device 180 fixed clock cycle check All Policies, determining overtime strategy, and readjust the strategy of all corresponding times.Again according to adjusting as a result the deletion strategy or adding New Policy, also or partial strategy was lost efficacy.Just, control the effective status of the strategy of all corresponding times by Timing Processing device 180.
The execution of the security management service system shown in Fig. 1 is described in detail below with reference to the accompanying drawings.
Fig. 2 is a flow chart of how the security management service system of Fig. 1 processes a user request.
First, the user enters a request through the user interface 200, and the query analyzer 110 receives the user request from the user interface 200 (step 302); the query analyzer 110 parses the request and determines the request category from the parsing result (step 304); the category is decided to be an authentication/session management request, a permission check request or a policy check request (step 306); when the category is authentication/session management, the authentication/session manager 120 performs the authentication/session management function according to the request and produces an execution result (step 308); if the category is permission check, the policy matching device 130 performs the permission query according to the request and produces an execution result (step 310); if the category is policy check, the policy matching device 130 performs policy matching and checking for the request and produces an execution result (step 312); finally, the execution result is returned to the client for display on the user interface 200 (step 314). This completes the handling of one user request; when the next user request arrives, the steps above are carried out again.
When the request category is authentication/session management, the authentication/session management functions performed include session creation, deletion, query and attribute access. Session deletion, query and attribute access are largely the same as in known techniques and are not described further here.
The steps by which the authentication/session manager 120 creates a session are as follows. Referring to Fig. 3, first the connection information of the request is obtained from the query analyzer 110 (step 402); this connection information includes the request's authentication information, for example the authentication server, the user name and the client (Client) IP address; the authentication permission check of the request is performed according to the connection information (step 404); and whether the authentication permission passes is confirmed (step 406).
When the permission check fails, an event is generated and recorded (step 408), and the connection is closed once the record is made. The connection information serves as the matching condition for the authentication permission check and, when an error or abnormal condition occurs, the event is recorded with this connection information.
When the permission check passes, the user password is obtained from the request (step 410); user authentication is performed according to the connection information and the user password (step 412), that is, with the user name, the user password and the client IP address; and whether authentication passes is confirmed (step 414).
When authentication fails, an event is generated and recorded (step 416); whether the number of authentication attempts is less than a specific number (for example three) is confirmed (step 418); when it is less than that number, the user password is obtained again (step 410) and the subsequent steps are repeated; when it exceeds that number, the connection is closed after the event is recorded.
When authentication passes, the session is created and its session attributes are set (step 420).
The authentication permission check of the request, step 404, checks whether the user has permission to authenticate; in other words, just as with every other service of the security management service system 100, a user must hold the permission before the security management service system 100 will authenticate the user. When a user has not been granted permission to use the other services of the security management service system 100, the security management service system 100 need not let that user perform authentication at all, regardless of whether the user is legitimate or not. This prevents unauthorized users from attaching to the system and going on to try its other services, avoids wasting system resources on unnecessary authentication services for unauthorized users, and also removes the possibility that a session obtained with ordinary user privileges could be used to obtain further privileges, that is, it prevents an ordinary user from obtaining system administrator privileges through a potential buffer overflow vulnerability. The detailed steps of the authentication permission check (step 404) are largely the same as those of the permission query in Fig. 1 (step 310).
In the step of creating the session and setting its attributes, step 420, after the session is created a session identifier (for example a session ID) is generated and stored in the authentication/session manager 120 together with the user name, client IP address and similar information of the user who created the session; therefore every subsequent session-based permission check or policy matching must first confirm the validity of the session. The session identifier is returned to the user, and all subsequent service requests use this session identifier as their identification.
During session creation, an event is recorded whenever authentication fails, and these events are analyzed by the state and event analyzer 140 and recorded in the log file. The events accumulate in the state and event analyzer 140; once a user's login failure records reach a specific number within a specific time, the state and event analyzer 140 generates a feedback policy to block the client IP or the user login requests corresponding to those login failure records. That is, the state and event analyzer 140 generates the feedback policy and inputs it into the system policy table 160; the policy distribution device 170 then obtains this feedback policy from the system policy table 160 and, according to the policy matching condition, distributes and applies it to the policy matching device 130 or the packet filter 150. If blocking is by client IP or client network segment, the feedback policy is applied to the packet filter 150, so that those clients are temporarily unable to enter the SSL VPN to log in, or even unable to reach the login page; if blocking is by user name, the feedback policy is applied to the policy matching device 130, which then directly rejects any login request for that user name without performing any login authentication.
The steps of the permission check (step 310 or step 404 above) are as follows. Referring to Fig. 4, first a permission check request is obtained (step 502); whether it is an authentication permission check is confirmed (step 504).
For an authentication permission check, the policy matching device 130 performs policy matching for the request (step 520); whether a matching policy is found in the policy matching device 130 is confirmed from the matching result (step 522); when there is no matching policy, the request is rejected (step 514) and the permission check ends; when a policy matches, the action defined by the matching policy is returned (step 524), where the policy actions include allow, reject, redirect, drop and so on.
For a non-authentication permission check, the session identifier and the session attribute information of the request are obtained through the query analyzer 110 (step 506); the attribute information recorded for that session identifier is obtained from the authentication/session manager 120 (step 508), where the attribute information includes the user name/client IP address and similar information (the session attributes set in step 420 of Fig. 2); and whether the session is valid is determined from whether that information can be obtained (step 510).
The attribute information comprises: the client IP address, the required service type, the target server, the connection object and the connection type. The service type can be HTTP, FTP, SMB (CIFS), Telnet, Virtual Network Computer (VNC), Remote Desktop Protocol (RDP), Web Mail and so on; these are the services that the remote end (the client) uses through the SSL VPN to connect to real servers inside the company. The target server is the real server on the internal network that the client needs to reach through the SSL VPN. The connection object is the resource on that internal real server that the client needs to connect to, for example a web page (HTTP/HTTPS service), a file or directory (FTP/SMB (CIFS)/NFS service), a login user (Telnet/VNC/RDP service) or a mail account (Web Mail service). The connection type is the manner in which the connection object is used, for example execute, read, modify, write, rename, edit and so on.
When the session is invalid, an event is generated and recorded (step 512); the request is rejected (step 514) and the permission check ends.
When the session is valid, the session information of the request is compared with the session information recorded in the authentication/session manager 120 (step 516), and whether the session information is consistent is confirmed (step 518), for example by comparing the IP address and the identifier of the network interface card through which the server was entered.
When the session information is inconsistent, an event is generated and recorded (step 512); the request is rejected (step 514) and the permission check ends.
When the session information is consistent, the session is proven legitimate; the policy matching device 130 then performs policy matching for the request (step 520) and confirms from the matching result whether a matching policy is found in the policy matching device 130 (step 522); when there is no matching policy, the request is rejected (step 514) and the permission check ends; when a policy matches, the action defined by the matching policy is returned (step 524), where the policy actions include allow, reject, redirect, drop and so on.
The invalid session cases of step 512 include: a session that was never created, for example an arbitrarily fabricated, non-existent session identifier, which is an illegal connection attempt made when authentication cannot pass; and an expired session, for example one used in a replay attack.
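The session creation flow of Fig. 3 (permission check, bounded password attempts, event on each failure) and the session validation part of the permission check in Fig. 4 (unknown or expired identifier, inconsistent client IP or interface) can be modelled together. The following Python is an added example written for this page; it is not the patent's code. The credential store, the authentication-permission set, the event dictionaries and the 600-second session lifetime are constructed assumptions; the limit of three attempts is the value the description gives.

```python
import secrets
import time
from dataclasses import dataclass, field

MAX_AUTH_ATTEMPTS = 3     # the "specific number of times" given in the description (three)
SESSION_LIFETIME = 600.0  # assumed session lifetime in seconds; the page gives no value


@dataclass
class Session:
    username: str
    client_ip: str
    interface: str   # network interface card the client entered through
    created: float


@dataclass
class SessionManager:
    """Stand-in for the authentication/session manager 120. The `events` list plays the
    role of the event log consumed by the state and event analyzer 140."""
    credentials: dict          # constructed user -> password store (hypothetical)
    may_authenticate: set      # users granted permission to authenticate (step 404)
    sessions: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def _event(self, kind, **info):
        self.events.append({"kind": kind, "time": time.time(), **info})

    def create_session(self, username, client_ip, interface, password_attempts):
        """Fig. 3: authentication permission check (steps 404-408), then at most
        MAX_AUTH_ATTEMPTS password checks (steps 410-418). Returns the session
        identifier on success, or None when the connection is closed."""
        if username not in self.may_authenticate:
            # Step 408: event recorded with the connection information, then closed.
            self._event("auth_permission_denied", username=username, client_ip=client_ip)
            return None
        for attempt, password in enumerate(password_attempts[:MAX_AUTH_ATTEMPTS], start=1):
            if self.credentials.get(username) == password:
                # Step 420: create the session and record its attributes.
                sid = secrets.token_hex(16)
                self.sessions[sid] = Session(username, client_ip, interface, time.time())
                return sid
            # Step 416: each failed authentication is an event for the analyzer.
            self._event("auth_failed", username=username, client_ip=client_ip, attempt=attempt)
        return None  # step 418: attempt limit reached, connection closed

    def check_permission(self, sid, client_ip, interface, now=None):
        """Fig. 4, non-authentication branch (steps 506-518): validate the session and
        compare the request's connection information with the recorded session."""
        now = time.time() if now is None else now
        session = self.sessions.get(sid)
        if session is None or now - session.created > SESSION_LIFETIME:
            # Steps 510/512: unknown (fabricated) or expired session identifier.
            self._event("invalid_session", session_id=sid, client_ip=client_ip)
            return "reject"
        if (session.client_ip, session.interface) != (client_ip, interface):
            # Steps 518/512: session information inconsistent with the record.
            self._event("session_mismatch", session_id=sid, client_ip=client_ip)
            return "reject"
        return "match_policy"  # step 520: hand the request to the policy matching device
```

Every rejection path records an event before rejecting, which is what lets the analyzer later correlate repeated failures from one user name or client IP into a feedback policy, as described above.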
The policy matching steps of the policy matching device 130 (step 312 or step 520 above) are as follows. The policy matching device 130 compares the request against each policy chain in the order: highest-priority reserved system policies, system policies, highest-priority user/group policies, user/group policies, lowest-priority user/group policies and lowest-priority system policies. Each class contains many policies and is therefore called a policy chain; within a chain the policies are likewise ordered from the highest priority (0) downward. That is, each policy in the highest-priority reserved system policy chain is compared first; when a matching policy is found, the policy matching device 130 records an event and ends the matching; when none is found, each policy in the system policy chain is compared next, and so on in the same manner until the matching completes. Matching a single policy compares each attribute of the policy in turn: only when all of its attributes match is the policy returned as the match, otherwise no match is returned.
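As an added illustration of the chain order and the all-attributes-must-match rule just described (and of the per-request attributes the policy matching device and packet filter check, listed earlier), here is a small policy matcher in Python. It is example code written for this page, not the patent's implementation; the chain names, the `"*"` wildcard and the rule that a request with no matching policy is rejected (the page's step 514) are assumptions.

```python
from dataclasses import dataclass, field

# Chain order from the description: highest-priority reserved system policies first,
# lowest-priority system policies last (names are this example's own).
CHAIN_ORDER = [
    "reserved_system_high", "system", "user_group_high",
    "user_group", "user_group_low", "system_low",
]


@dataclass
class Policy:
    priority: int       # 0 is the highest priority within a chain
    conditions: dict    # attribute name -> required value ("*" matches anything)
    action: str         # allow / reject / jump / drop / log


@dataclass
class PolicyMatcher:
    """Stand-in for the policy matching device 130 (example, not the patent's code)."""
    chains: dict = field(default_factory=lambda: {name: [] for name in CHAIN_ORDER})
    log: list = field(default_factory=list)   # event record of each match (chain, prio, action)

    def add(self, chain, policy):
        # Keep every chain sorted so that priority 0 is compared first.
        self.chains[chain].append(policy)
        self.chains[chain].sort(key=lambda p: p.priority)

    @staticmethod
    def policy_matches(policy, request):
        # A single policy matches only when every one of its attributes matches.
        return all(
            want == "*" or request.get(attr) == want
            for attr, want in policy.conditions.items()
        )

    def match(self, request):
        """Walk the chains in CHAIN_ORDER and return the first matching policy's action."""
        for chain in CHAIN_ORDER:
            for policy in self.chains[chain]:
                if self.policy_matches(policy, request):
                    self.log.append((chain, policy.priority, policy.action))
                    return policy.action
        return "reject"   # assumption: no matching policy means the request is rejected
```

Because the reserved system chain is walked before any user or group chain, an administrator-level block (for example a drop rule for one source address) cannot be overridden by a more permissive user policy, whatever its priority number.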
The state and event analyzer 140 is both event-driven and timer-triggered: when an event is generated in any of the steps above, the state and event analyzer 140 is triggered to analyze it; and when the timer 180 reaches a specific time, it sends an event to the state and event analyzer 140 to trigger it.
The execution of the state and event analyzer 140 is therefore described below in terms of the event record processing procedure and the periodic trigger procedure of the timer 180.
Fig. 5 shows the event record processing procedure of the state and event analyzer 140. First, the state and event analyzer 140 receives an event sent by another component (for example the authentication/session manager 120, the policy matching device 130 or the packet filter 150) (step 602) and extracts the event's attributes (step 604); the event attributes include the topic of the system event, for example ICMP request (Request), TCP synchronize (Sync), TCP reset (Reset) or authentication error (Authentication Failed); the items in the event analysis buffer 144 are compared one by one with the event topic (step 606); and whether the event analysis buffer 144 holds an item corresponding to the event topic is determined (step 608).
When there is an item corresponding to the event topic, the other features of the event are compared with those of the item in the event analysis buffer 144 (step 610), and whether the other features agree is judged (step 612); when they agree, the occurrence count of this event in the event analysis buffer 144 is incremented (step 614) and event processing ends; when they do not agree, a feature item corresponding to the received event is created in the event analysis buffer 144 (step 616) and event processing ends.
When there is no item corresponding to the event topic, the abnormal behaviour feature database 142 is searched for an item related to this event (step 618) and whether a related item is found is confirmed (step 620); when one is found, that feature item is created in the event analysis buffer 144 (step 616); when none is found, the event is a non-sensitive event and event processing ends.
Fig. 6 shows the periodically triggered execution of the state and event analyzer 140. First, when the timer 180 reaches a given time it sends a signal to the state and event analyzer 140, which then looks up the monitored event sequence items in the event analysis buffer 144 (step 702); each item is analyzed in turn to see whether, within a certain time, the event occurrence frequency specified by the abnormal feature has been reached or the specified event sequence has occurred (step 704); and whether that frequency or sequence has been reached is judged (step 706).
As examples of reaching the occurrence frequency specified for an abnormal event within a certain time: 60000 ICMP requests occurring in 10 seconds, or one IP network segment sending 10000 TCP synchronize half-connections in 1 minute, may each reach the specified frequency. As an example of a specific event sequence occurring within a certain time: when the action sequence TCP synchronize followed by TCP reset is repeated many times within one second, this may be an intrusion event.
When it is reached, the policy specified in the abnormal behaviour feature database 142 is added to the system policy table 160 (step 708). For example, when 60000 ICMP requests have occurred in 10 seconds, a feedback policy can be generated and applied that directly drops all requests from the network segment sending those requests, thereby preventing a DoS attack.
When it is not reached, whether the abnormal feature item has exceeded the specified time segment is checked (step 710); when the time segment has not been exceeded, the abnormal feature item is kept and marked for continued observation (step 712); when it has been exceeded, the item is deleted (step 714).
Then (that is, after step 708, step 712 or step 714), whether there are other abnormal feature items is confirmed (step 716); when there are, the analysis of the abnormal feature items continues by returning to step 704; when there are none, the policy distribution device 160 redistributes the policies in the system policy table 160 (step 718), that is, the policy distribution device 160 applies the distributed policies to the policy matching device 130 or the packet filter 150 according to the policy matching conditions.
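The event record procedure of Fig. 5 and the periodic procedure of Fig. 6 share one data structure, the event analysis buffer, so the following Python models both in one place. It is an added example for this page, not the patent's code. The `Signature` records stand in for entries of the abnormal behaviour feature database 142 and the `policy_table` list for the system policy table 160; the thresholds in `SAMPLE_FEATURE_DB` are the two figures the description gives (60000 ICMP requests in 10 seconds, 10000 TCP synchronize half-connections from one segment in 1 minute), while the observation periods, the feedback policy contents and the choice to drop an item once it has triggered are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Signature:
    """One entry of the abnormal behaviour feature database 142 (constructed values)."""
    topic: str            # event topic, e.g. "icmp_request", "tcp_sync", "auth_failed"
    keys: tuple           # event attributes that distinguish one feature item from another
    threshold: int        # occurrences within `window` seconds that count as abnormal
    window: float
    feedback: dict        # policy added to the system policy table when triggered
    observe_for: float    # seconds an item is kept under observation before deletion


@dataclass
class BufferItem:
    """One feature item in the event analysis buffer 144."""
    signature: Signature
    features: dict
    first_seen: float
    count: int = 0


# Constructed feature database using the page's example thresholds.
SAMPLE_FEATURE_DB = [
    Signature("icmp_request", ("src_net",), 60000, 10.0,
              {"layer": "packet_filter", "action": "drop"}, 30.0),
    Signature("tcp_sync", ("src_net",), 10000, 60.0,
              {"layer": "packet_filter", "action": "drop"}, 120.0),
]


class EventAnalyzer:
    """Stand-in for the state and event analyzer 140 (example code, not the patent's)."""

    def __init__(self, feature_db):
        self.feature_db = feature_db   # abnormal behaviour feature database 142
        self.buffer = []               # event analysis buffer 144
        self.policy_table = []         # stand-in for the system policy table 160

    def on_event(self, event, now):
        """Fig. 5 (steps 602-620): count a known item, create a new one, or ignore."""
        topic = event["topic"]
        for item in self.buffer:
            # Steps 606-612: same topic and the same distinguishing features.
            if item.signature.topic == topic and all(
                event.get(k) == v for k, v in item.features.items()
            ):
                item.count += 1            # step 614
                return "counted"
        for sig in self.feature_db:
            # Step 618: topic known to the feature database but not yet in the buffer
            # (or present with different features) -> new feature item (step 616).
            if sig.topic == topic:
                features = {k: event.get(k) for k in sig.keys}
                self.buffer.append(BufferItem(sig, features, now, 1))
                return "created"
        return "ignored"                   # step 620 found nothing: non-sensitive event

    def periodic(self, now):
        """Fig. 6 (steps 702-718): on the timer signal, check each item against its
        frequency rule, emit feedback policies and drop items that have timed out.
        Returns the list of feedback policies added in this run."""
        added, keep = [], []
        for item in self.buffer:
            elapsed = now - item.first_seen
            sig = item.signature
            if elapsed <= sig.window and item.count >= sig.threshold:
                # Step 708: the feedback policy carries the item's features
                # (e.g. the offending network segment) as its matching condition.
                policy = dict(sig.feedback, **item.features)
                self.policy_table.append(policy)
                added.append(policy)       # assumption: a triggered item is not kept
            elif elapsed <= sig.observe_for:
                keep.append(item)          # step 712: keep observing
            # else: step 714, the item has exceeded its time segment and is deleted
        self.buffer = keep
        return added
```

The feedback policy produced in `periodic` is keyed on the features that distinguished the item (here the source network segment), which is exactly what the page's example needs: the policy dropping further requests from that segment can be distributed to the packet filter, while an `auth_failed` signature keyed on the user name would produce a policy for the application-layer matcher instead.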
In addition, the security management service system 100 can perform an initialization before startup, that is, first confirm the starting system policies. The initialization comprises the following steps: first, all security policies are cleared, including the security policies applied in the policy matching device 130 and the IP filter 150 and those stored in the system policy table 160; the system policy table 160 reads the security policies from the policy configuration file 190 and loads them into its own buffer as the system policies; the policy distribution device obtains the available policies from the system policy table 160 one by one and distributes them to the policy matching device 130 or the IP filter 150 for application. When this is finished, the security management service system 100 enters a waiting state and handles user requests as they are received.
Although the present invention has been disclosed above by way of the preferred embodiment, the embodiment is not intended to limit the invention; any person skilled in the art may make minor changes and refinements without departing from the spirit and scope of the invention, and all such changes fall within the claims of the invention.

Claims (12)

1. A security management service system applied to a virtual private network, for selectively filtering more than one user connected to the virtual private network and executing the users' requests, comprising:
a system policy table holding a plurality of policies;
a policy distribution device connected to the system policy table, for distributing the policies according to the policies' conditions;
a packet filter connected to the policy distribution device, for filtering the users according to the policies received from the policy distribution device and selectively generating an event according to the users' connection state;
a query analyzer for receiving a user's request and parsing and classifying the request;
an authentication/session manager connected to the query analyzer, for selectively performing an authentication/session management function according to the classification and the parsing result of the request, wherein the authentication/session manager generates an event when the execution state is abnormal or erroneous;
a policy matching device connected to the policy distribution device and the query analyzer, for selectively performing, according to the classification of the request, policy matching of the request against the policies received from the policy distribution device and producing a policy matching result, wherein the policy matching device generates an event when the policy matching result is an abnormal or error state;
a state and event analyzer connected to the packet filter, the system policy table, the authentication/session manager and the policy matching device, for receiving and recording the events and analyzing them, and for selectively generating a feedback policy according to the analysis result of the events and the policies in the system policy table, wherein the state and event analyzer inputs the feedback policy into the system policy table so that the feedback policy is distributed by the policy distribution device; and
a timer connected to the state and event analyzer, for periodically sending a request to the state and event analyzer to perform state analysis and validity analysis of the recorded events and, according to the analysis result, to delete the recorded event, keep the recorded event or generate the feedback policy.
2. The security management service system of claim 1, wherein the state and event analyzer comprises an abnormal behaviour feature database and an event analysis buffer, the abnormal behaviour feature database storing more than one abnormal feature event and the event analysis buffer recording the event sequence.
3. The security management service system of claim 1, further comprising:
a user interface connected to the packet filter and the query analyzer, serving as the input interface for the users' requests.
4. The security management service system of claim 1, further comprising:
a policy configuration file connected to the system policy table, for defining a plurality of connection policies to be read by the system policy table.
5. A method of executing a security management service system, comprising the steps of:
receiving a request;
parsing the request to obtain a parsing result, and learning the category of the request from the parsing result, wherein the request categories comprise: authentication/session management, permission check and policy check;
when the request category is authentication/session management, performing the authentication/session management function according to the parsing result and producing an execution result;
when the request category is permission check, performing the permission check according to the parsing result and producing an execution result;
when the request category is policy check, performing policy matching and checking according to the parsing result and producing an execution result;
when an abnormal or error condition occurs in the execution result, generating an event and recording the event;
analyzing the event to obtain an analysis result and, according to the analysis result, selectively accumulating the occurrence count of the event, creating a feature item corresponding to the event, or ignoring the event; and
returning the execution result.
6. The method of claim 5, wherein the step of analyzing the event to obtain an analysis result and, according to the analysis result, selectively accumulating the occurrence count of the event, creating a feature item corresponding to the event or ignoring the event comprises the steps of:
extracting the attributes of the event, the event attributes including more than one event topic and more than one event feature;
comparing the event topic with the more than one established feature item to obtain an item comparison result; and
according to the item comparison result, selectively accumulating the occurrence count of the event, creating a feature item corresponding to the event, or ignoring the event.
7. The method of claim 6, wherein when an established feature item corresponding to the event topic is found by the comparison, the event feature is compared with the feature of the established feature item to obtain a feature comparison result, and according to the feature comparison result the occurrence count of the event is accumulated or a feature item corresponding to the event is created; and when no established feature item corresponding to the event topic is found, a preset feature item related to the event is searched for among a plurality of preset feature items to obtain a lookup result.
8. The method of claim 7, wherein when the event feature agrees with the feature of the established feature item, the occurrence count of the event is accumulated; and when the event feature does not agree with the feature of the established feature item, a feature item corresponding to the event is created.
9. The method of claim 7, wherein when a preset feature item related to the event is found, a feature item corresponding to the event is created; and when no preset feature item related to the event is found, the event is ignored.
10. The method of claim 5, further comprising the steps of:
analyzing the recorded events once per time cycle, comprising the steps of:
when the time cycle is reached, obtaining the items corresponding to the recorded events;
analyzing each event item in turn according to more than one specific condition, wherein the specific conditions are reaching, within a certain time, the occurrence frequency specified for an abnormal feature event or the occurrence of a specific event sequence;
when an event item reaches the specific conditions, generating a feedback policy corresponding to the specific conditions and the event item;
when an event item does not reach the specific conditions, checking the time of the event item to obtain a confirmation result and deciding, according to the confirmation result, to delete the event item or keep the event item; and
distributing the feedback policy according to its matching condition for application in the security management service system.
11. The method of claim 10, wherein when the time of the event item exceeds a given time segment, the event item is deleted; and when the time of the event item does not exceed the given time segment, the event item is kept.
12. The method of claim 5, further comprising the steps of:
before entering the state of receiving the request, performing policy initialization of the security management service system, comprising the steps of:
clearing all policies in the security management service system;
reading a plurality of policies from outside the security management service system, wherein the policies comprise: more than one system administrator policy setting, more than one system default policy and more than one temporary policy; and
distributing the more than one available policy among these policies one by one, wherein the distribution is according to the matching condition of each available policy, for application in the security management service system.
CNB2005100045446A 2005-01-18 2005-01-18 Security management service system and its implementation method Expired - Fee Related CN100385859C (en)


Publications (2)

Publication Number Publication Date
CN1808992A CN1808992A (en) 2006-07-26
CN100385859C true CN100385859C (en) 2008-04-30

Family

ID=36840696

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100045446A Expired - Fee Related CN100385859C (en) 2005-01-18 2005-01-18 Security management service system and its implementation method

Country Status (1)

Country Link
CN (1) CN100385859C (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101163023B (en) * 2006-10-09 2012-01-11 中兴通讯股份有限公司 Media server resource allocation processing method
CN102035855B (en) * 2010-12-30 2014-05-07 江苏省电力公司 Network security incident association analysis system
CN102448147B (en) * 2011-12-21 2014-12-03 华为技术有限公司 Method and device for accessing wireless service
CN104378364B (en) * 2014-10-30 2018-02-27 广东电子工业研究院有限公司 A kind of Cooperative Analysis method at information security management center
CN105610774B (en) * 2015-09-17 2018-11-20 成都索贝数码科技股份有限公司 A kind of network safety system and secure box based on Encryption Algorithm
CN105721446A (en) * 2016-01-26 2016-06-29 浪潮电子信息产业股份有限公司 Remote desktop anti-brute force attack intercepting method based on WINDOWS operating system
CN105763574A (en) * 2016-05-13 2016-07-13 北京洋浦伟业科技发展有限公司 Firewall system based on big data analysis
CN107547498B (en) * 2017-05-10 2021-05-14 新华三信息安全技术有限公司 Auditing method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6598167B2 (en) * 1997-09-26 2003-07-22 Worldcom, Inc. Secure customer interface for web based data management
CN1160899C (en) * 2002-06-11 2004-08-04 华中科技大学 Distributed dynamic network security protecting system
CN1564530A (en) * 2004-04-15 2005-01-12 沈春和 Network safety guarded distributing invading detection and internal net monitoring system and method thereof

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
基于WEB资源监视的入侵检测系统设计与实现 (Design and implementation of an intrusion detection system based on WEB resource monitoring). 朱树人, 李伟琴. 计算机工程与应用 (Computer Engineering and Applications), No. 7. 2003 *

Also Published As

Publication number Publication date
CN1808992A (en) 2006-07-26

Similar Documents

Publication Publication Date Title
CN100385859C (en) Security management service system and its implementation method
US7774832B2 (en) Systems and methods for implementing protocol enforcement rules
US7428590B2 (en) Systems and methods for reflecting messages associated with a target protocol within a network
US7707401B2 (en) Systems and methods for a protocol gateway
US7664822B2 (en) Systems and methods for authentication of target protocol screen names
US7818565B2 (en) Systems and methods for implementing protocol enforcement rules
EP1231754B1 (en) Handling information about packet data connections in a security gateway element
US20060026681A1 (en) System and method of characterizing and managing electronic traffic
EP3827569A1 (en) Cyber defence system
Setiawan et al. Web vulnerability analysis and implementation
CN103563301A (en) Incoming redirection mechanism on a reverse proxy
CN104394122A (en) HTTP (Hyper Text Transport Protocol) service firewall based on adaptive agent mechanism
Rodríguez et al. Cookie scout: An analytic model for prevention of cross-site scripting (XSS) using a cookie classifier
Caesarano et al. Network forensics for detecting SQL injection attacks using NIST method
Fry et al. Security Monitoring: Proven Methods for Incident Detection on Enterprise Networks
Bolzoni et al. ATLANTIDES: An Architecture for Alert Verification in Network Intrusion Detection Systems.
WO2006062961A2 (en) Systems and methods for implementing protocol enforcement rules
EP1664974A2 (en) Systems and methods for dynamically updating software in a protocol gateway
CN113194088A (en) Access interception method, device, log server and computer readable storage medium
Hajdarevic Cyber Security Audit in Business Environments
Sato et al. An Evaluation on Feasibility of a Communication Classifying System
Kim et al. Systematic Security Guideline Framework through Intelligently Automated Vulnerability Analysis.
Wrzesień et al. System Responsive to ICT Security Incidents in the LAN
Org et al. D3. 1-CYBER RISK PATTERNS
Khamaisi et al. GridDB-Enhanced Visualization and Sharing of DDoS Fingerprints

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080430

Termination date: 20110118