
CN100586123C - Security audit method and system based on role management - Google Patents


Info

Publication number
CN100586123C
Authority
CN
China
Prior art keywords
access
role
protected
user
users
Prior art date
Legal status
Expired - Fee Related
Application number
CN200610114101A
Other languages
Chinese (zh)
Other versions
CN1953454A (en)
Inventor
叶润国
牟宪波
焦玉峰
杨立纯
周涛
Current Assignee
Beijing Venus Information Security Technology Co Ltd
Beijing Venus Information Technology Co Ltd
Original Assignee
Beijing Venus Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Venus Information Technology Co Ltd
Priority to CN200610114101A
Publication of CN1953454A
Application granted
Publication of CN100586123C
Expired - Fee Related (current legal status)
Anticipated expiration

Landscapes

  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a core key technology of the Network Security Audit System (NSAS: Network Security Audit System), one of the important network security products: a security audit method and system based on role management. Its feature is that, on the basis of monitoring network data, the access behaviour of subjects is audited according to a role-based audit policy, objects are protected, and TCP session content is recorded according to rules set by the administrator for subsequent forensic analysis. The system can define three types of users (trusted users, trusted subnets and authenticated users); it can specify the hosts that need protection and the services on those hosts that need protection; it can formulate fine-grained access rules according to the application-layer protocol; and it can formulate roles according to the needs of access control over protected resources, encapsulate the defined access rules into roles, assign roles to defined users, and so implement role-based security auditing of protected resources.

Figure 200610114101

Description

Security audit method and system based on role management
Technical field
The present invention relates to a key component of a network security audit system (NSAS: Network Security Audit System), one of the important network security products: a security audit method and system based on role management.
Background technology
An NSAS is installed in the protected network segment. Its monitoring network interface card operates in promiscuous mode, and by collecting and analysing network data in real time it can monitor, audit and protect access to the key business hosts in the user's network. For convenience of description, several related concepts are defined first:
Subject: the initiator of an access operation or access request, usually a user or a user's process;
Object: the program invoked or the data that the subject wishes to access;
Protected host: a server in the user's network that runs important services and whose access needs to be controlled;
Rule set: a set of rules that constrain the access behaviour of subjects;
Access control policy: a set of rules used to decide whether a subject has access rights to an object.
The key technology of an NSAS is to formulate a flexible and complete access control policy, so that users access protected network resources only with the authority the rules grant them, and so that users' behaviour is audited against that policy. At present, NSAS products generally adopt discretionary access control (DAC: Discretionary Access Control), which grants access to object targets according to the identity of the accessor and/or of the group(s) it belongs to. The system administrator assigns certain access rights to each user and user group; once the accessor's identity is confirmed, that user has the corresponding access rights to the protected resources. This method is simple to implement, but has the following limitations:
(1) Authorisation management is complex and inflexible. The DAC model binds subjects and objects together directly, so an access permission must be specified for every (subject, object) pair during authorisation. Once the number of subjects and objects reaches a higher order of magnitude, such authorisation work becomes very difficult, and whenever a subject's function changes a large amount of authorisation change work is needed.
(2) Fine-grained access control over protected resources is difficult to achieve. Fine-grained access control means authorising access at the level of methods, attributes or content; for the HTTP protocol, for example, fine-grained control applies to the application-layer command used by the access, the URL address accessed and the keywords contained in the web page. In the DAC model authorisation is assigned directly to subjects, and many fine-grained permissions have no general meaning in practice because each is unique, so a dedicated user group has to be built for each such permission, which further increases the authorisation management workload.
Summary of the invention
The object of the invention is to design a security audit method and system based on role management. It provides a security audit policy that divides users into different roles according to the access control requirements, encapsulates the access permissions to objects into roles, assigns users to roles, and implements protection and access auditing on the basis of roles; it also provides a well-defined user interface, so that developers and users can maintain network resources on site.
The security audit method based on role management of the invention monitors the network, audits the access behaviour of subjects according to the audit policy so as to protect the objects, and records TCP session content according to the rules set by the administrator for subsequent forensic analysis.
The method comprises the following steps:
(1) Define users: specify the subjects that have access rights;
(2) Define protected hosts and services: define the hosts in the monitored network segment that need protection, and the services on those hosts that need monitoring and auditing; these are the objects;
(3) Define access rules: formulate fine-grained access rules based on application-layer commands, according to the different application-layer protocols;
(4) Define roles: specify which users may perform operations matching which class of access rules;
(5) The audit engine monitors the network data, records TCP session content, and allows or interrupts access to protected resources according to the policy.
Each step is described in detail below:
Defining users
A user represents a subject that may access protected resources. Any subject that may perform access in the monitored network must first be defined as a user; otherwise the audit engine will interrupt its access requests directly. Three types of user can be set:
1) Trusted user: a trusted user is associated with a static IP address; for example, the user with IP address 192.168.0.1 can be defined as a trusted user.
2) Trusted subnet: a trusted subnet is associated with a static IP address range; for example, the network segment with IP address 192.168.0.0 and subnet mask 255.255.255.0 can be defined as a trusted subnet.
3) Authenticated user: such a user must pass authentication by the authentication centre before formally accessing the business service, otherwise the access is blocked. Authentication requires a USB token storing a digital certificate issued by the administrator.
Defining protected hosts and services
Protected hosts and services represent the protected objects in the monitored network. Any resource that needs protection must first be defined as a protected host and protected service; otherwise the audit engine will not perform access control and security auditing on it.
A protected host can be a single address, such as the single host with IP address 192.168.0.10 and subnet mask 255.255.255.255, or a contiguous subnet segment, such as the network segment with IP address 192.168.0.208 and subnet mask 255.255.255.240. A protected service is a service process running on a protected host and is associated with a specific port; for example, if the HTTP service is defined as a protected service, access to port 80 is protected by the engine.
Defining access rules
Access rules specify the behaviour constraints on subjects with respect to objects. To audit the subject's operations more precisely, fine-grained access rules based on application-layer protocol commands are supported for 9 protocols: HTTP, FTP, TELNET, SMTP, POP3, MS SQL SERVER, SYBASE SQL SERVER, ORACLE and NETBIOS. For example, a rule for the HTTP protocol may require that the URL accessed by the subject contains the /news/ directory; or a rule for the FTP protocol may require that, when the subject deletes files, they do not include files of type "*.doc".
Defining roles
A role is the mapping of a person's real-life identity into cyberspace; it is both a set of users and a set of access control policies. It consists of the following two aspects:
1) Access control policy: related to access rules, it specifies the response mode for operations matching a given class of access rules. For example, with rule 1 and rule 2 defined, a policy can be generated that passes accesses matching rule 1 and blocks accesses matching rule 2.
2) Member users: related to users, it specifies which users may access protected resources under the above access control policy. For example, with user 1 and user 2 defined, if only user 1 is to be allowed such access, only user 1 needs to be added to this role.
Access control workflow of the audit engine
The audit engine is connected in parallel to the protected network. It monitors and captures the data on the network and performs message reassembly, protocol analysis and event matching on the data accessing protected resources. On this basis, operations on protected resources are subjected to access control according to the above role-based audit policy: operations that satisfy the access control policy are allowed, and all other unauthorised accesses are interrupted in time. The specific flow is shown in Fig. 1.
A security audit system based on role management comprises a host, one or more terminal servers, a data storage device, a network interface card, and data input and output devices, and in addition comprises:
a user definition unit, which defines a subject allowed to access protected resources, which can be a trusted user, a trusted subnet or a strongly authenticated user based on a digital certificate; a protected host and service definition unit, which defines the protected objects in the monitored network segment, composed of the protected hosts and the services running on them; an access rule definition unit, which can formulate fine-grained access rules based on application-layer commands; a role definition unit, which defines which users may perform operations matching which type of access rule; and an audit engine access control unit, which captures the original messages on the network, reassembles and analyses the packets and matches events, and controls access operations on protected resources according to the defined rules.
The advantages of this method are:
1. The key resources that the audit system needs to protect can be made explicit through protected hosts and services. The audit engine only pays attention to access requests to the services defined on the protected hosts; if a host no longer needs protection, or access to a service on that host no longer needs auditing, it is simply deleted from the corresponding list.
2. A complete access control policy can be formulated. Because subjects and objects are separated, complex and flexible access control policies can be formulated through roles. For example, with rules a and b defined and users A and B belonging to the same user group, assigning role 1 to user A and role 2 to user B, while assigning rule a to role 1 and rule b to role 2, achieves different control rules for similar users.
3. Changes in a subject's function can be accommodated quickly. For example, when the function of user A changes and A is upgraded from an ordinary user to an advanced user, the change is completed simply by deleting A from the role corresponding to ordinary users and adding A to the role corresponding to advanced users.
4. Fine-grained access control can be achieved. On the basis of the protocol analysis in the audit access control unit, access control rules can be formulated on application-layer commands, thereby strengthening the audit. For example, it can be stipulated that when user A performs database operations and the access action is "update record (update)", A may not operate on tables whose names contain the keyword "netids".
Description of drawings
Fig. 1 is the access control flow chart of the audit unit.
Embodiment
An example of access control rules:
Define the host with IP 192.168.0.1 as a protected host, and the FTP service it exposes as a protected service. Define three users, UserA, UserB and UserC, whose addresses are 192.168.0.11 to 192.168.0.13. Then:
1) Define rule set RAdmin as the rule set for managing the FTP service, including application-layer commands such as uploading files (put, mput) and creating directories (mkdir); define rule set RAccess as the rule set for using the FTP service, including only application-layer commands such as listing (ls), changing directory (cd) and downloading (get, mget).
2) To allow UserA to manage the FTP service on the protected host, add role RoleA under the FTP service, with its policy defined as allowing RAdmin and its user as UserA.
3) To allow UserB and UserC to access the FTP service on the protected host as ordinary users, add role RoleB under the FTP service, with its policy defined as allowing RAccess and its users as UserB and UserC.
4) To elevate the privileges of UserB so that it can manage the FTP service, delete it from the users of RoleB and add it to the users of RoleA.
5) To forbid UserC from accessing the FTP service, delete it from RoleB.
Processing flow of the access control unit
At start-up the access control unit builds 3 linked lists: first it reads in all user definitions and stores them in the user list; then it reads in all protected hosts, their services and the roles defined under each service, and stores them in a 3-level role list; finally it parses the policy sets and forms them into a policy list.
The processing of the access control unit can be followed in Fig. 1. When an access request is observed, the access control unit first checks the source IP address of the request and looks it up in the user list to see whether it is a defined trusted user. If the address is not found, the originator is an unauthenticated user and the audit engine blocks the access directly.
If the user check passes, the audit engine looks up the destination IP and destination port of the request in the role list to see whether the service is a protected service. If the service is not found, a trusted user is accessing a non-protected service and the audit engine lets it pass directly. Otherwise it checks whether the roles of that service in the role list include this user; if so it proceeds to the next check, and if not, a trusted user is accessing an unauthorised service and the audit engine blocks the access directly.
The audit engine then reassembles the packets into messages and performs event matching on the specific content of the operation. Using the role ID of this role and the rule ID, it looks up the response mode in the policy list, and blocks, audits or alerts on this operation according to the prescribed response mode, which completes one audit process for this operation.
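The decision flow of the access control unit, applied to the FTP embodiment above, as an added example that is not the patent's own code: it holds the user list, the 3-level role list and each role's policy (rule set to response mode) in plain Python data structures and walks one access event through the checks of Fig. 1, then applies the role changes of embodiment steps 4 and 5. The class and function names, the response-mode strings and the constructed events are assumptions.

```python
"""Role-based audit decision flow (added example, not the patent's own code).
Models the user list, the 3-level role list (protected host -> service port
-> roles) and each role's policy (rule set -> response mode), populated with
the FTP embodiment. Names, response-mode strings and events are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# User list: trusted users (or trusted subnets) bound to static addresses.
USERS = {
    "UserA": ip_network("192.168.0.11/32"),
    "UserB": ip_network("192.168.0.12/32"),
    "UserC": ip_network("192.168.0.13/32"),
}
# Rule sets: application-layer FTP commands grouped as in the embodiment.
RULESETS = {
    "RAdmin": {"put", "mput", "mkdir"},      # manage the FTP service
    "RAccess": {"ls", "cd", "get", "mget"},  # ordinary use of the service
}

@dataclass
class Role:
    name: str
    policy: dict                  # rule-set name -> "allow" | "block" | "alert"
    users: set = field(default_factory=set)

# Role list, three layers deep: protected host -> service port -> roles.
ROLES = {
    "192.168.0.1": {
        21: [
            Role("RoleA", {"RAdmin": "allow"}, {"UserA"}),
            Role("RoleB", {"RAccess": "allow"}, {"UserB", "UserC"}),
        ],
    },
}

def find_user(src_ip):
    """Stage 1: map the source address to a defined user, or None."""
    addr = ip_address(src_ip)
    return next((u for u, net in USERS.items() if addr in net), None)

def decide(src_ip, dst_ip, dst_port, command):
    """Return (response, reason) for one access event, in the order of Fig. 1."""
    user = find_user(src_ip)
    if user is None:                      # undefined subject: blocked outright
        return "block", "source is not a defined user"
    roles = ROLES.get(dst_ip, {}).get(dst_port)
    if roles is None:                     # not a protected service: passed
        return "allow", "target is not a protected service"
    held = [r for r in roles if user in r.users]
    if not held:                          # trusted user without a role here
        return "block", f"{user} holds no role for {dst_ip}:{dst_port}"
    for role in held:                     # event matching against rule sets
        for ruleset, mode in role.policy.items():
            if command in RULESETS[ruleset]:
                return mode, f"{role.name}:{ruleset}"
    return "block", "command matches no rule of the user's roles"

def move_user(user, old_role, new_role, dst_ip="192.168.0.1", dst_port=21):
    """Embodiment steps 4 and 5: move a user between the roles of a service;
    new_role=None simply revokes the user's access to that service."""
    for role in ROLES[dst_ip][dst_port]:
        if role.name == old_role:
            role.users.discard(user)
        if role.name == new_role:
            role.users.add(user)

if __name__ == "__main__":
    events = [("192.168.0.11", "192.168.0.1", 21, "mkdir"),  # UserA: admin
              ("192.168.0.12", "192.168.0.1", 21, "mkdir"),  # UserB: over-reach
              ("192.168.0.13", "192.168.0.2", 21, "get"),    # unprotected host
              ("192.168.0.99", "192.168.0.1", 21, "ls")]     # undefined user
    for ev in events:
        print(ev, "->", decide(*ev))
    move_user("UserB", "RoleB", "RoleA")                     # step 4
    move_user("UserC", "RoleB", None)                        # step 5
    print(decide("192.168.0.12", "192.168.0.1", 21, "mkdir"),
          decide("192.168.0.13", "192.168.0.1", 21, "get"))
```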

Claims (3)

1. A security audit method based on role management, characterised in that: on the basis of monitoring network data, the access behaviour of subjects is audited according to a role-based audit policy, objects are protected, and TCP session content is recorded according to rules set by the administrator for subsequent forensic analysis; the method comprises the following steps:
(1) defining users: specifying the subjects that have access rights;
(2) defining protected hosts and services: defining the hosts in the monitored network segment that need protection, and the services on those hosts that need monitoring and auditing, as the protected objects;
(3) defining access rules: formulating fine-grained access rules based on application-layer commands, according to the different application-layer protocols;
(4) defining roles: according to the defined access rules, specifying the response mode for operations matching a given class of access rules, and specifying which users may access protected resources according to those access rules;
(5) the audit engine monitoring network data, recording TCP session content, and allowing or interrupting access to protected resources according to the role-based audit policy.
2. The security audit method based on role management according to claim 1, characterised in that the role consists of the following two aspects:
(1) access control policy: related to access rules, specifying the response mode for operations matching a given class of access rules;
(2) member users: related to users, specifying which users may access protected resources according to the above access control policy.
3. The security audit method based on role management according to claim 1, characterised in that fine-grained access rules based on application-layer protocol commands are formulated for 9 protocols: HTTP, FTP, TELNET, SMTP, POP3, MS SQL SERVER, SYBASE SQL SERVER, ORACLE and NETBIOS.
CN200610114101A 2006-10-27 2006-10-27 Security audit method and system based on role management Expired - Fee Related CN100586123C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200610114101A CN100586123C (en) 2006-10-27 2006-10-27 Security audit method and system based on role management

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200610114101A CN100586123C (en) 2006-10-27 2006-10-27 Security audit method and system based on role management

Publications (2)

Publication Number Publication Date
CN1953454A CN1953454A (en) 2007-04-25
CN100586123C true CN100586123C (en) 2010-01-27

Family

ID=38059570

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200610114101A Expired - Fee Related CN100586123C (en) 2006-10-27 2006-10-27 Security audit method and system based on role management

Country Status (1)

Country Link
CN (1) CN100586123C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109409842A (en) * 2018-11-06 2019-03-01 中共四川天府新区成都纪律检查工作委员会 Online audit system and method

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101426008B (en) * 2007-10-30 2011-06-22 北京启明星辰信息技术股份有限公司 Audit method and system based on back display
CN101534300B (en) * 2009-04-17 2012-05-30 公安部第一研究所 System protection framework combining multi-access control mechanism and method thereof
CN103795726A (en) * 2014-02-14 2014-05-14 浪潮通信信息系统有限公司 Depth protection method for virtual data safety access
CN103929426B (en) * 2014-04-22 2017-04-19 清华大学 Access control method for applications in social cloud service system
US20200020425A1 (en) * 2018-07-10 2020-01-16 Koninklijke Philips N.V. Method and apparatus for hybrid trust management for health records unit
CN109885554A (en) * 2018-12-20 2019-06-14 顺丰科技有限公司 Database security audit method, system and computer readable storage medium
CN114205118B (en) * 2021-11-17 2023-10-27 南方电网数字电网研究院有限公司 Data access control analysis method based on data security method category
CN119337434A (en) * 2024-12-20 2025-01-21 易联云计算(杭州)有限责任公司 A business security audit method and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Authentication, authorization and audit scheme in information networks. 袁中兰, 温巧燕, 杨义先. 电子科学技术评论, No. 3, 2005 *
Research on role-based fragment auditing on a network processor platform. 高磊, 张德运, 李金库, 李庆海. 西安交通大学学报 (Journal of Xi'an Jiaotong University), Vol. 39, No. 6, 2005 *


Also Published As

Publication number Publication date
CN1953454A (en) 2007-04-25

Similar Documents

Publication Publication Date Title
CN100586123C (en) Security audit method and system based on role management
US11489879B2 (en) Method and apparatus for centralized policy programming and distributive policy enforcement
DE60307736T2 (en) Server architecture for secure plug-ins in digital rights management systems
JP4667359B2 (en) Digital asset usage accountability by journalizing events
US10148637B2 (en) Secure authentication to provide mobile access to shared network resources
US8769605B2 (en) System and method for dynamically enforcing security policies on electronic files
US8959613B2 (en) System and method for managing access to a plurality of servers in an organization
Viega Building security requirements with CLASP
CN113946839A (en) Data access method, data access device, storage medium and electronic device
US8095963B2 (en) Securing resource stores with claims-based security
US20060248599A1 (en) Cross-domain security for data vault
US20050108526A1 (en) Query server system security and privacy access profiles
CA2868741A1 (en) Method and system for detecting unauthorized access to and use of network resources with targeted analytics
US11809592B2 (en) Data processing apparatus and methods
GB2392517A (en) Providing secure access to a database
Ahmed et al. A Method for Eliciting Security Requirements from the Business Process Models.
CN103069767B (en) Consigning authentication method
Alsmadi Identity management
Haber et al. Privileged Access Management (PAM)
US12360800B2 (en) Distributed attribute based access control as means of data protection and collaboration in sensitive (personal) digital record and activity trail investigations
Simpson et al. Use case based access control
US8977691B2 (en) Implementation of an extranet server from within an intranet
Batra et al. Autonomous multilevel policy based security configuration in distributed database
US12430466B2 (en) Data processing apparatus and methods for the controlled sharing of data
US20250306981A1 (en) Distributed Attribute Based Access Control as means of Data Protection and Collaboration in Sensitive (Personal) Digital Record and Activity Trail Investigations

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: BEIJING QIMINGXINCHEN INFORMATION SECURITY TECHNOL

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100081 NO 188, NO.12, ZHONGGUANCUN SOUTH AVENUE, HAIDIAN DISTRICT, BEIJING CITY TO: 100193 QIMINGXINGCHEN BUILDING, BUILDING 21, ZHONGGUANCUN SOFTWARE PARK, NO.8, DONGBEIWANG WEST ROAD, HAIDIAN DISTRICT, BEIJING CITY

TR01 Transfer of patent right

Effective date of registration: 20100507

Address after: 100193 Beijing city Haidian District Dongbeiwang Qimingxingchen Mansion Project Building No. 21 West Road No. 8 Zhongguancun Software Park

Co-patentee after: Beijing Venusense Information Security Technology Co., Ltd.

Patentee after: Beijing Venus Information Technology Co., Ltd.

Address before: 100081 No. 12 South Avenue, Haidian District, Zhongguancun, No. 188, Beijing

Patentee before: Beijing Venus Information Technology Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100127

Termination date: 20151027

EXPY Termination of patent right or utility model