CN114244631A - Computer network security protection method and system - Google Patents
- Publication number: CN114244631A (application CN202210164970.XA)
- Authority: CN (China)
- Prior art keywords: list, white list, temporary, computer network, process management
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
Abstract
The embodiment of the invention provides a computer network security protection method and system. The method comprises the following steps: generating a process management list, the process management list comprising a white list and a black list; and uploading the process management list to a linkage center, so that the linkage center broadcasts the process management list to all registered host terminals. By generating the process management list and uploading it to the linkage center for broadcast to all registered host terminals, the method and system achieve linked protection of the host terminals against dangerous processes and improve the security of the computer network.
Description
Technical Field
The embodiment of the invention relates to a computer network security protection method and a computer network security protection system.
Background
The rapid development of computer networks brings great convenience to production and daily life. At the same time, while providing open and shared resources, computer networks carry unavoidable security risks. Computer network security, and local area network security in particular, has become a focus of current network technology research. One such problem is software unrelated to business operations, or outright malicious software, being deployed privately on a host terminal: this not only wastes hardware resources and degrades equipment operating efficiency, but can also leak important data through data theft. Implementing computer network security protection is therefore important.
Disclosure of Invention
The embodiment of the invention provides a computer network safety protection method, which comprises the following steps: generating a process management list; the process management list comprises a white list and a black list; and uploading the process management list to a linkage center, so that the linkage center broadcasts the process management list to all registered host terminals.
According to the computer network security protection method provided by the embodiment of the invention, the process management list further comprises a temporary list, and the temporary list comprises a temporary authorized white list and a temporary forbidden black list; the process in the temporary authorization white list is a process which is allowed to be started by an administrator user at least with a first permission; and the process in the temporary forbidden blacklist is a process which is forbidden to be started by an administrator user at least having the first permission.
According to the computer network security protection method provided by the embodiment of the invention, the generating of the process management list comprises the following steps: an initialized white list is generated by scanning the system process.
According to the computer network security protection method provided by the embodiment of the invention, the generating of the process management list further comprises: accumulating the allowed starting times of the processes in the temporary authorization white list, if the allowed starting times reach a first threshold value, adding the processes into the white list, and deleting the processes from the temporary authorization white list; accumulating the starting prohibition times of the processes in the temporary prohibition blacklist, adding the processes into the blacklist and deleting the processes from the temporary prohibition blacklist if the starting prohibition times reach a second threshold value; changing the white list according to a white list changing instruction of an administrator user at least with a second authority; changing the blacklist according to a blacklist changing instruction of an administrator user at least having the second authority; and/or directly adding the dangerous process acquired from the third-party antivirus software into the blacklist.
According to the computer network security protection method provided by the embodiment of the invention, the method further comprises the following steps: acquiring a current running process information set at fixed time; traversing the current running process information set, verifying the process in the current running process information set according to a first verification rule, allowing the process to run normally if the verification is passed, and checking and killing the process if the verification is not passed; wherein the first check rule comprises: if the process is in the white list and not in the black list, the verification is passed; if the process is in the blacklist, the verification is not passed; if the process is not in the white list and the black list but in the temporary authorized white list, the verification is passed; and if the process is not in the white list, the black list and the temporary authorized white list, the verification is not passed.
According to the computer network security protection method provided by the embodiment of the invention, the method further comprises the following steps: checking the new starting process according to a second checking rule, if the checking is passed, allowing the process to be normally started, and if the checking is not passed, not allowing the process to be normally started; wherein the second check-up rule comprises: if the newly started process is in the white list and not in the black list, the verification is passed; if the newly started process is in the blacklist, the verification is not passed; if the new starting process is not in the white list and the black list and if an allowable starting instruction of an administrator user at least with a first permission is received, the verification is passed; and if the process is not in the white list and the black list and a starting prohibition instruction of an administrator user at least with a first permission is received, the verification is failed.
The embodiment of the invention also provides another computer network security protection method, which comprises the following steps: receiving a process management list sent by any host terminal; and broadcasting the process management list to all registered host terminals.
An embodiment of the present invention further provides a computer network security protection system, including: the system comprises a linkage center and at least one host terminal registered to the linkage center; wherein: the host terminal is used for: generating a process management list and uploading the process management list to a linkage center; the process management list comprises a white list and a black list; the linkage center is used for: receiving a process management list sent by any host terminal, and broadcasting the process management list to all registered host terminals.
The embodiment of the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor executes the computer program to implement any of the steps of the computer network security protection method described above.
Embodiments of the present invention further provide a non-transitory computer readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the computer network security protection method as described in any one of the above.
An embodiment of the present invention further provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the computer program implements the steps of any of the computer network security protection methods described above.
According to the computer network safety protection method and system provided by the embodiment of the invention, the process management list is generated and uploaded to the linkage center so that the linkage center broadcasts the process management list to all registered host terminals, the linkage protection of the host terminals of dangerous processes can be realized, and the safety of a computer network is improved.
Drawings
In order to more clearly illustrate the technical solution of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
FIG. 1 is a flow chart of a computer network security protection method according to an embodiment of the present invention;
FIG. 2 is a second flowchart of a computer network security protection method according to an embodiment of the present invention;
FIG. 3 is a third schematic flowchart of a computer network security protection method according to an embodiment of the present invention;
FIG. 4 is a fourth flowchart illustrating a computer network security protection method according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a computer network security system according to an embodiment of the present invention;
FIG. 6 is a second schematic structural diagram of a computer network security system according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flow chart of a computer network security protection method according to an embodiment of the present invention. As shown in fig. 1, the method includes:
The method provided by the embodiment of the invention is applied at the host terminal. At least one host terminal is registered with the linkage center. The registration information includes an IP address, a port number and a host identifier. The host identifier distinguishes host terminals: even if a host terminal changes its IP address and port number, the linkage center can still uniquely identify it.
The host terminal generates the process management list locally. The process management list may comprise a white list and a black list: processes in the white list are allowed to run, and processes in the black list are detected and killed.
102, uploading the process management list to the linkage center, so that the linkage center broadcasts the process management list to all registered host terminals.
After the process management list is generated, it is uploaded to the linkage center, which broadcasts it to all registered host terminals. For example, once a host terminal identifies a dangerous process and adds it to the black list, the linkage center broadcasts the update, so that every host terminal registered with the linkage center gains the ability to protect itself against that dangerous process. Processes in the process management list may be identified by their MD5 values or by core code fragments, so that each process can be uniquely distinguished and recognized.
This protection mode is the host linkage protection mode and is suited to, but not limited to, scenarios with high security requirements, such as a large intranet. For a homogeneous environment with low security requirements, a standalone protection mode may be used instead. In standalone mode, after the host terminal generates the process management list, the list is not broadcast to all registered hosts through the linkage center; instead, it is used to implement local protection only.
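The registration and broadcast behaviour described above (a host identifier that survives IP and port changes, a list accepted from any registered host and re-broadcast to all registered hosts, and processes identified by an MD5 digest) can be written out as follows. This is an added example, not code from the patent; the class names, the in-memory delivery log standing in for the network transport, the union merge on the receiving host and the inclusion of the sender in the broadcast are all assumptions. The page specifies MD5; the function notes that a deployment should substitute SHA-256, since MD5 collisions are practical and an identifier that can be collided is a weak key for an allow-list.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    """Registration record a host terminal sends to the linkage center."""
    host_id: str   # stable host identifier; survives IP/port changes
    ip: str
    port: int


def process_digest(executable_bytes: bytes) -> str:
    """Identify a process by the MD5 of its executable image, as the page describes.

    MD5 is collision-broken, so a deployment should key on hashlib.sha256 instead;
    nothing else in the lookup logic changes.
    """
    return hashlib.md5(executable_bytes).hexdigest()


class LinkageCenter:
    """Registry of host terminals plus fan-out of process management lists."""

    def __init__(self):
        self._hosts = {}       # host_id -> Registration, one entry per identifier
        self.deliveries = []   # (host_id, ip, port, payload) per broadcast message

    def register(self, host_id: str, ip: str, port: int) -> None:
        # Re-registering under the same identifier replaces the old address:
        # the identifier, not (ip, port), is what the center uses to tell hosts apart.
        self._hosts[host_id] = Registration(host_id, ip, port)

    def registered(self) -> list:
        return sorted(self._hosts)

    def receive_list(self, sender_id: str, process_list: dict) -> int:
        """Accept a list from a registered host and broadcast it to every registered host.

        Returns the number of hosts the list was sent to. Lists from unregistered
        senders are refused, so only enrolled hosts can influence the fleet.
        """
        if sender_id not in self._hosts:
            raise PermissionError(f"list from unregistered host {sender_id!r}")
        payload = json.dumps({"from": sender_id, "list": process_list}, sort_keys=True)
        # The sender is included so that every copy of the list converges (assumption).
        for reg in self._hosts.values():
            self._send(reg, payload)
        return len(self._hosts)

    def _send(self, reg: Registration, payload: str) -> None:
        # Stand-in for the network transport: record what would be sent to ip:port.
        self.deliveries.append((reg.host_id, reg.ip, reg.port, payload))


class HostTerminal:
    """Host-side receiver that merges a broadcast into its local white and black lists."""

    def __init__(self, host_id: str):
        self.host_id = host_id
        self.white: set = set()
        self.black: set = set()

    def apply_broadcast(self, payload: str) -> None:
        # Merge by union (assumed policy); the check rules later resolve a process
        # that ends up in both lists in favour of the black list.
        msg = json.loads(payload)
        self.white.update(msg["list"].get("white", []))
        self.black.update(msg["list"].get("black", []))


if __name__ == "__main__":
    # Constructed walkthrough: two hosts enrol, one later moves address, then
    # reports a black-listed process digest which reaches both hosts.
    center = LinkageCenter()
    hosts = {h: HostTerminal(h) for h in ("host-a", "host-b")}
    center.register("host-a", "10.0.0.1", 5000)
    center.register("host-b", "10.0.0.2", 5000)
    center.register("host-a", "10.0.0.9", 6000)   # address change, same identity
    bad = process_digest(b"constructed malicious image")
    center.receive_list("host-a", {"black": [bad]})
    for host_id, _ip, _port, payload in center.deliveries:
        hosts[host_id].apply_broadcast(payload)
    print(sorted((h, sorted(t.black)) for h, t in hosts.items()))
```

Because any registered host can push a list that every other host will enforce, the center is a fleet-wide control point: a faulty or compromised host terminal could black-list a legitimate process everywhere or push a white-list entry for something it should not. Authenticating uploads per host identifier (the check above only confirms enrolment) and logging who changed which list are the controls a deployment would add on top of this skeleton.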
According to the computer network safety protection method provided by the embodiment of the invention, the process management list is generated and uploaded to the linkage center so that the linkage center broadcasts the process management list to all registered host terminals, the linkage protection of the host terminals of dangerous processes can be realized, and the safety of the computer network is improved.
According to the computer network security protection method provided by the embodiment of the invention, the process management list further comprises a temporary list, and the temporary list comprises a temporary authorized white list and a temporary forbidden black list; the process in the temporary authorization white list is a process which is allowed to be started by an administrator user at least with a first permission; and the process in the temporary forbidden blacklist is a process which is forbidden to be started by an administrator user at least having the first permission.
In addition to the white list and the black list, the process management list may also include a temporary list. The temporary list includes a temporary authorized white list and a temporary forbidden black list.
A process in the temporary authorized white list is one whose start has been allowed by an administrator user with at least the first authority. For a process that is in neither the white list nor the black list, if an administrator user with at least the first authority allows it to start, the process is added to the temporary authorized white list. The number of allowed starts accumulated for a process in the temporary authorized white list measures how credibly the process can be regarded as a safe process.
A process in the temporary forbidden black list is one whose start has been prohibited by an administrator user with at least the first authority. For a process that is in neither the white list nor the black list, if an administrator user with at least the first authority prohibits it from starting, the process is added to the temporary forbidden black list. The number of prohibited starts accumulated for a process in the temporary forbidden black list measures how credibly the process can be regarded as a dangerous process.
Administrator users with at least the first authority include administrator users with the first authority and those with higher authority. An administrator user with the first authority may be a general administrator user.
The process management list can be held in memory in real time and persisted to storage at regular intervals, so that abnormal events such as power failure can be handled. After the system powers on, the stored process management list is read from the database into memory, which improves lookup speed.
The computer network security protection method provided by the embodiment of the invention is favorable for improving the identification capability of the security of the process by setting the temporary list comprising the temporary authorized white list and the temporary forbidden black list.
According to the computer network security protection method provided by the embodiment of the invention, the generating of the process management list comprises the following steps: an initialized white list is generated by scanning the system process.
After the host terminal has registered with the linkage center, an initialized white list can be generated by scanning the system processes, that is, the white list is initialized. System processes are those needed for the normal operation of the operating system. The super administrator user may be given the right to perform white list initialization. Manual intervention may also be supported while the initialized white list is generated from the scan: for example, a process that was added to the initialized white list can be deleted, or a process that was not added can be added.
The computer network security protection method provided by the embodiment of the invention ensures the normal operation of the system by scanning the system process to generate the initialized white list.
According to the computer network security protection method provided by the embodiment of the invention, the generating of the process management list further comprises: accumulating the allowed starting times of the processes in the temporary authorization white list, if the allowed starting times reach a first threshold value, adding the processes into the white list, and deleting the processes from the temporary authorization white list; accumulating the starting prohibition times of the processes in the temporary prohibition blacklist, adding the processes into the blacklist and deleting the processes from the temporary prohibition blacklist if the starting prohibition times reach a second threshold value; changing the white list according to a white list changing instruction of an administrator user at least with a second authority; changing the blacklist according to a blacklist changing instruction of an administrator user at least having the second authority; and/or directly adding the dangerous process acquired from the third-party antivirus software into the blacklist.
The process of generating the process management list may further include:
and accumulating the allowed starting times of the processes in the temporary authorization white list, and adding the processes into the white list and deleting the processes from the temporary authorization white list if the allowed starting times reach a first threshold value. And accumulating the starting prohibition times of the processes in the temporary prohibition blacklist, adding the processes into the blacklist and deleting the processes from the temporary prohibition blacklist if the starting prohibition times reach a second threshold value. Wherein, the administrator user with at least the first authority has the authority of allowing the process to be started or prohibited. The administrator user of the first privilege may be a general administrator user. The first and second thresholds may be the same or different.
And changing the white list according to the white list changing instruction of the administrator user with at least the second authority. And changing the blacklist according to the blacklist changing instruction of the administrator user at least with the second authority. The administrator user of the second privilege may be a super administrator user.
In addition, the dangerous processes obtained from the third-party antivirus software can be directly added into the blacklist.
The computer network security protection method provided by the embodiment of the invention accumulates the allowed starts of processes in the temporary authorized white list, and when the count reaches the first threshold adds the process to the white list and deletes it from the temporary authorized white list; accumulates the prohibited starts of processes in the temporary forbidden black list, and when the count reaches the second threshold adds the process to the black list and deletes it from the temporary forbidden black list; changes the white list according to a white list change instruction from an administrator user with at least the second authority; changes the black list according to a black list change instruction from an administrator user with at least the second authority; and/or directly adds dangerous processes obtained from third-party antivirus software to the black list. Together these improve the soundness of process management list generation.
According to the computer network security protection method provided by the embodiment of the invention, the method further comprises the following steps: acquiring a current running process information set at fixed time; traversing the current running process information set, verifying the process in the current running process information set according to a first verification rule, allowing the process to run normally if the verification is passed, and checking and killing the process if the verification is not passed; wherein the first check rule comprises: if the process is in the white list and not in the black list, the verification is passed; if the process is in the blacklist, the verification is not passed; if the process is not in the white list and the black list but in the temporary authorized white list, the verification is passed; and if the process is not in the white list, the black list and the temporary authorized white list, the verification is not passed.
A timed protection mode can be configured to protect the host terminal. At regular intervals the host terminal acquires the current running process information set, which comprises all processes currently running on the host terminal. Each process is then traversed and checked against the white list, the black list and the temporary list to decide whether it is allowed to run, and any process that is not allowed to run is forcibly killed to keep the system secure.
The detailed check rule is as follows:
1) The process is in the white list and not in the black list: the check passes and the process is allowed to run normally.
2) The process is not in the white list but is in the black list: the check fails and the process is killed.
3) The process is in both the white list and the black list: following the principle of higher security, the check fails and the process is killed.
4) The process is in neither the white list nor the black list: the temporary authorized white list is consulted next; if the process is in it, the check passes and the process is allowed to run, otherwise the check fails and the process is killed.
According to the computer network safety protection method provided by the embodiment of the invention, the processes in the current running process information set are checked regularly according to the first check rule, if the processes pass the check, the processes are allowed to run normally, and if the processes do not pass the check, the processes are checked and killed, so that the safety of the computer network is further improved.
According to the computer network security protection method provided by the embodiment of the invention, the method further comprises the following steps: checking the new starting process according to a second checking rule, if the checking is passed, allowing the process to be normally started, and if the checking is not passed, not allowing the process to be normally started; wherein the second check-up rule comprises: if the newly started process is in the white list and not in the black list, the verification is passed; if the newly started process is in the blacklist, the verification is not passed; if the new starting process is not in the white list and the black list and if an allowable starting instruction of an administrator user at least with a first permission is received, the verification is passed; and if the process is not in the white list and the black list and a starting prohibition instruction of an administrator user at least with a first permission is received, the verification is failed.
The host terminal checks each newly started process, and a process that fails the check is not allowed to start. The check rule is as follows:
1) The process is in the white list and not in the black list: the check passes and the process is allowed to start normally.
2) The process is not in the white list but is in the black list: the check fails and the process is not allowed to start normally.
3) The process is in both the white list and the black list: following the principle of higher security, the check fails and the process is not allowed to start normally.
4) The process is in neither the white list nor the black list: an authorization dialog is shown, and once the authorization information (used to verify the user's authority) entered by a user with general-administrator authority or above has been verified, the user chooses either "allow running" or "do not allow running". If "allow running" is chosen, the process is allowed to start normally, is added to the temporary authorized white list, and its allowed-start count is incremented by 1. If "do not allow running" is chosen, the process is not allowed to start normally, is added to the temporary forbidden black list, and its prohibited-start count is incremented by 1. When the allowed-start count of a process in the temporary authorized white list reaches the first threshold, the process is immediately entered into the white list and its information is deleted from the temporary authorized white list. When the prohibited-start count of a process in the temporary forbidden black list reaches the second threshold, the process is immediately entered into the black list and its information is deleted from the temporary forbidden black list.
For non-administrator users the authorization dialog is skipped and the process is not allowed to start normally.
According to the computer network safety protection method provided by the embodiment of the invention, the newly started process is verified through the second verification rule, if the verification is passed, the process is allowed to be normally started, and if the verification is not passed, the process is not allowed to be normally started, so that the safety of the computer network is further improved.
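The list generation rules (temporary lists with promotion thresholds and direct black-listing from antivirus), the first check rule applied to the periodic running-process scan, and the second check rule applied to a newly started process can all be carried by one data structure. The following is an added example, not the patent's own code; the class and method names are hypothetical, the threshold values are assumed, and so is the choice to drop a pending temporary authorization when a process is black-listed by antivirus. It encodes the tie-break the page states for both rules (a process in both lists is treated as black-listed) and the page's distinction that a temporary authorization satisfies the running-process check but a start still requires an administrator's instruction until the process is promoted.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"            # check passed
    DENY = "deny"              # check failed: kill the running process / refuse the start
    NEEDS_AUTH = "needs_auth"  # unlisted new process: an administrator must decide


@dataclass
class ProcessManagementList:
    """White list, black list and the two temporary lists, keyed by process digest."""
    first_threshold: int = 3    # allowed starts before promotion to the white list (assumed)
    second_threshold: int = 3   # prohibited starts before promotion to the black list (assumed)
    white: set = field(default_factory=set)
    black: set = field(default_factory=set)
    temp_white: dict = field(default_factory=dict)   # digest -> allowed-start count
    temp_black: dict = field(default_factory=dict)   # digest -> prohibited-start count

    def initialize_whitelist(self, system_process_digests) -> None:
        """White list initialization from a scan of the system's own processes."""
        self.white.update(system_process_digests)

    def check_running(self, digest: str) -> Decision:
        """First check rule, applied to each process of the periodic running-process scan."""
        if digest in self.black:        # black list wins even if the digest is also white-listed
            return Decision.DENY
        if digest in self.white or digest in self.temp_white:
            return Decision.ALLOW       # white-listed, or temporarily authorized by an administrator
        return Decision.DENY            # unknown process: check and kill

    def check_start(self, digest: str, requester_is_admin: bool,
                    admin_decision: Decision = None) -> Decision:
        """Second check rule, applied when a process is about to start.

        admin_decision is the instruction of an administrator with at least the first
        permission (ALLOW or DENY); None means no instruction has been given yet.
        """
        if digest in self.black:
            return Decision.DENY
        if digest in self.white:
            return Decision.ALLOW
        if not requester_is_admin:      # non-administrators skip the authorization dialog
            return Decision.DENY
        if admin_decision is None:
            return Decision.NEEDS_AUTH  # caller shows the authorization dialog
        if admin_decision is Decision.ALLOW:
            self.temp_white[digest] = self.temp_white.get(digest, 0) + 1
            if self.temp_white[digest] >= self.first_threshold:
                self.white.add(digest)      # promoted: move out of the temporary list
                del self.temp_white[digest]
            return Decision.ALLOW
        self.temp_black[digest] = self.temp_black.get(digest, 0) + 1
        if self.temp_black[digest] >= self.second_threshold:
            self.black.add(digest)
            del self.temp_black[digest]
        return Decision.DENY

    def add_dangerous(self, digest: str) -> None:
        """Direct black-listing of a process reported by third-party antivirus software."""
        self.black.add(digest)
        self.temp_white.pop(digest, None)   # pending temporary authorization is dropped (assumed)

    def scan(self, running_digests) -> list:
        """Run the first rule over a running-process set and return the digests to kill."""
        return [d for d in running_digests if self.check_running(d) is Decision.DENY]


if __name__ == "__main__":
    # Constructed walkthrough with a low threshold so promotion is visible.
    pml = ProcessManagementList(first_threshold=2, second_threshold=2)
    pml.initialize_whitelist({"sys-digest"})
    for _ in range(2):                                    # two admin approvals -> white list
        pml.check_start("tool-digest", True, Decision.ALLOW)
    print("white:", sorted(pml.white), "temp_white:", pml.temp_white)
    print("kill:", pml.scan(["sys-digest", "tool-digest", "unknown-digest"]))
```

The scan() helper returns the digests to kill rather than killing anything, so the same decision logic can be exercised in a test or a dry run before it is wired to an enforcement action.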
Fig. 2 is a second flowchart of a computer network security protection method according to an embodiment of the present invention. As shown in fig. 2, the security mode in the method belongs to a host linkage protection mode, and the method includes:
1) the host terminal of the host system is registered to the linkage center, and the registration information comprises an IP address, a port number and a host identifier.
2) The super administrator authorizes the host terminal to initialize the white list, the authorized host terminal scans and deploys the process information of the host system, and the process is added into the process running white list. The super administrator has the right to change the white list and black list data.
3) The host terminal further generates data information of a white list, a black list and a temporary list according to rules.
4) After the data of the white list, the black list and the temporary list in the host terminal are updated, the latest data are actively uploaded to a linkage center (host linkage center), and the linkage center broadcasts the latest data to all host terminals registered to the linkage center.
5) The host terminal scans the host process information at regular time, and forcibly checks and kills the processes which are not verified according to the first verification rule so as to ensure the system safety.
6) The host terminal manages process starts in real time according to the second check rule. White-listed processes are allowed to start; black-listed processes are not; unauthorized processes (in neither the white list nor the black list) require a general administrator to authorize or prohibit the start, after which the process information and operator information are recorded in the temporary authorized white list or the temporary forbidden black list.
Fig. 3 is a third schematic flowchart of a computer network security protection method according to an embodiment of the present invention. As shown in fig. 3, the security protection mode in the method belongs to a standalone deployment protection mode, and the method includes:
1) The super administrator authorizes the host terminal to initialize the white list: the authorized host terminal scans the process information of the deployed host system and adds those processes to the process running white list. The super administrator has the right to change the white list and black list data.
2) The host terminal then generates the data of the white list, the black list and the temporary list according to the rules.
3) The host terminal scans the host process information at regular intervals and forcibly checks and kills the processes that fail verification against the first verification rule, so as to ensure system security.
4) The host terminal manages process start-up in real time according to the second verification rule. A white list process is allowed to start; a black list process is not allowed to start; an unlisted process (on neither the white list nor the black list) requires a general administrator to authorize or prohibit the start, and the process information and operator information are then recorded in the temporary authorized white list or the temporary prohibited black list accordingly.
According to the computer network security protection method provided by the embodiment of the invention, once a host identifies a dangerous process, the message is broadcast through the linkage center, so that all hosts registered in the computer network gain the ability to defend against that dangerous process at the same time, and the same host is prevented from being compromised repeatedly by the same dangerous process. Two working modes are supported: standalone deployment and host linkage deployment. The standalone mode is intended for a simple environment with low security requirements, while the host linkage mode is intended for a large intranet with high security requirements; supporting both modes improves the practicability of the system and widens its range of application.
In the protection mode, the process information of the host terminal is scanned at regular intervals and verified against the process management list of the running software, and high-risk processes that fail verification are forcibly checked and killed, so as to ensure the security of the host terminal system. The protection mode combines white list verification, black list verification and temporary list verification, which further improves the ability to keep the deployed host system secure. A newly started process is verified in real time, and only a process that passes verification is allowed to start.
Fig. 4 is a fourth flowchart of a computer network security protection method according to an embodiment of the present invention. As shown in fig. 4, the method is applied to a linkage center, and includes:
Step S1: receiving a process management list sent by any host terminal.
Step S2: broadcasting the process management list to all registered host terminals.
At least one host terminal is registered with the linkage center. Whenever a host terminal generates a process management list (including an updated process management list), it sends that list to the linkage center. After receiving a process management list from any host terminal, the linkage center broadcasts it to all host terminals registered with the linkage center, so that once any host terminal identifies a dangerous process, the remaining host terminals gain the ability to defend against it.
According to the computer network security protection method provided by the embodiment of the invention, a process management list sent by any host terminal is received and broadcast to all registered host terminals, so that linkage protection of the host terminals against dangerous processes is achieved and the security of the computer network is improved.
The computer network security protection system provided by the embodiment of the invention is described below; the system described below and the method described above correspond to each other and may be referred to together.
Fig. 5 is a schematic structural diagram of a computer network security system according to an embodiment of the present invention. As shown in fig. 5, the system includes a linkage center 1 and at least one host terminal 2 registered with the linkage center 1, wherein the host terminal 2 is configured to generate a process management list and upload it to the linkage center 1, the process management list comprising a white list and a black list; and the linkage center 1 is configured to receive a process management list sent by any host terminal 2 and broadcast it to all registered host terminals 2.
The computer network security protection system provided by the embodiment of the invention comprises a linkage center 1 and at least one host terminal 2 registered with the linkage center 1. The host terminal 2 is used to generate a process management list and upload it to the linkage center 1. The process management list comprises a white list and a black list: processes in the white list are allowed to run normally, and processes in the black list are checked and killed. The linkage center 1 is used to receive a process management list sent by any host terminal 2 and broadcast it to all registered host terminals 2, so that once any host terminal 2 identifies a dangerous process, the remaining host terminals 2 gain the ability to defend against it.
According to the computer network security protection system, the process management list is generated by a host terminal, uploaded to the linkage center, and broadcast by the linkage center to all registered host terminals, so that linkage protection of the host terminals against dangerous processes is achieved and the security of the computer network is improved.
Fig. 6 is a second schematic structural diagram of a computer network security system according to an embodiment of the present invention. As shown in fig. 6, the system includes a linkage center and at least one host terminal registered with the linkage center.
The host terminal comprises a data acquisition module, a data analysis module, a DC module, a database module, a protection module, a system configuration module and a user management module.
The data acquisition module is used for scanning the detailed information of the processes currently running on the host terminal at regular intervals.
The data analysis module is used for analyzing and processing the collected data, identifying dangerous processes, and filling the analysis results into the white list, the black list or the temporary list.
The DC (Dual Channel, dual-channel memory) module is used for storing the white list, the black list and the temporary list in real time. After the software is powered on, the data is automatically synchronized from the database. This module stores and queries the data quickly and shortens the response time of the server.
The database module writes the DC data to the database at regular intervals and stores it permanently, so that abnormal scenarios such as a system power failure can be handled and the reliability of the software is improved.
The protection module performs periodic checking and killing of the programs on the host terminal, and verifies each new process when it starts, allowing it to start only after the verification passes.
The system configuration module performs permission verification on the logged-in user; a user with super administrator permission may manually configure the white list and black list data.
The user management module manages user information and user permissions.
The linkage center comprises a message forwarding module, which is used for receiving the process management list of a registered host terminal and broadcasting it to all host terminals in the registered host list.
The linkage center acts as the TCP server and the host terminal as the TCP client; a conventional C/S architecture is adopted, network communication is carried out over TCP/IP, and the computer network security protection system is built on it. The host terminal collects process data, analyzes and processes it in real time to generate the protection list policies (white list, black list and temporary list), stores the resulting data in the DC (temporary memory) and the repository (permanent storage), and enables the protection function according to the list data, ensuring the security of the host system deployment. The host terminal uploads the protection list data (process management list) to the linkage center, and the linkage center broadcasts it to all registered host terminals, which realizes the linkage protection function of the host terminals and further improves the ability to keep the computer network system secure.
The advantages of the system are: 1) when one host terminal in the computer network identifies a dangerous process, the other host terminals synchronously gain the linked ability to defend against it; 2) the two modes of host standalone deployment and host linkage deployment can be selected flexibly; 3) the host terminal keeps the data in memory, so it can respond quickly when handling dangerous processes, and it also persists the data to a database, so abnormal scenarios such as a power failure can be handled; 4) the protection mode combines white list verification, black list verification and temporary list verification, which further improves the security guarantee for the deployed host terminal.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. As shown in fig. 7, the electronic device may include a processor 710, a communications interface 720, a memory 730 and a communication bus 740, wherein the processor 710, the communications interface 720 and the memory 730 communicate with each other via the communication bus 740. The processor 710 may invoke logic instructions in the memory 730 to perform a computer network security method comprising: generating a process management list, the process management list comprising a white list and a black list; and uploading the process management list to a linkage center, so that the linkage center broadcasts the process management list to all registered host terminals; or comprising: receiving a process management list sent by any host terminal; and broadcasting the process management list to all registered host terminals.
In addition, the logic instructions in the memory 730 can be implemented in the form of software functional units and stored in a computer readable storage medium when the software functional units are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, an embodiment of the present invention further provides a computer program product, where the computer program product includes a computer program, the computer program may be stored on a non-transitory computer-readable storage medium, and when the computer program is executed by a processor, a computer is capable of executing a computer network security protection method provided by the above methods, where the method includes: generating a process management list; the process management list comprises a white list and a black list; uploading the process management list to a linkage center, so that the linkage center broadcasts the process management list to all registered host terminals; or comprises the following steps: receiving a process management list sent by any host terminal; and broadcasting the process management list to all registered host terminals.
In yet another aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program is implemented to perform a computer network security protection method provided by the above methods when executed by a processor, where the method includes: generating a process management list; the process management list comprises a white list and a black list; uploading the process management list to a linkage center, so that the linkage center broadcasts the process management list to all registered host terminals; or comprises the following steps: receiving a process management list sent by any host terminal; and broadcasting the process management list to all registered host terminals.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. A computer network security protection method, comprising:
generating a process management list; the process management list comprises a white list and a black list;
uploading the process management list to a linkage center, so that the linkage center broadcasts the process management list to all registered host terminals.
2. The computer network security protection method of claim 1, wherein the process management list further comprises a temporary list, the temporary list comprising a temporary authorized white list and a temporary forbidden black list; the process in the temporary authorization white list is a process which is allowed to be started by an administrator user at least with a first permission; and the process in the temporary forbidden blacklist is a process which is forbidden to be started by an administrator user at least having the first permission.
3. The computer network security protection method of claim 2, wherein the generating a process management list comprises:
an initialized white list is generated by scanning the system process.
4. The method of claim 3, wherein the generating a process management list further comprises:
accumulating the allowed starting times of the processes in the temporary authorization white list, and adding the processes into the white list and deleting the processes from the temporary authorization white list if the allowed starting times reach a first threshold;
accumulating the starting prohibition times of the processes in the temporary prohibition blacklist, adding the processes into the blacklist and deleting the processes from the temporary prohibition blacklist if the starting prohibition times reach a second threshold value;
changing the white list according to a white list changing instruction of an administrator user at least with a second authority;
changing the blacklist according to a blacklist changing instruction of an administrator user at least having the second authority;
and/or directly adding the dangerous process acquired from the third-party antivirus software into the blacklist.
5. The computer network security method of claim 2, further comprising:
acquiring a current running process information set at fixed time;
traversing the current running process information set, verifying the process in the current running process information set according to a first verification rule, allowing the process to run normally if the verification is passed, and checking and killing the process if the verification is not passed; wherein the first check rule comprises:
if the process is in the white list and not in the black list, the verification is passed;
if the process is in the blacklist, the verification is not passed;
if the process is not in the white list and the black list but in the temporary authorized white list, the verification is passed;
if the process is not in the white list, the black list or the temporary authorized white list, the verification is not passed.
6. The computer network security method of claim 2, further comprising:
checking the new starting process according to a second checking rule, if the checking is passed, allowing the process to be normally started, and if the checking is not passed, not allowing the process to be normally started; wherein the second check-up rule comprises:
if the newly started process is in the white list and not in the black list, the verification is passed;
if the newly started process is in the blacklist, the verification is not passed;
if the newly started process is not in the white list or the black list and an allowed-start instruction of an administrator user having at least a first permission is received, the verification is passed;
if the newly started process is not in the white list or the black list and a prohibited-start instruction of an administrator user having at least the first permission is received, the verification is not passed.
7. A computer network security protection method, comprising:
receiving a process management list sent by any host terminal;
broadcasting the process management list to all registered host terminals.
8. A computer network safety protection system is characterized by comprising a linkage center and at least one host terminal registered to the linkage center; wherein:
the host terminal is used for: generating a process management list and uploading the process management list to a linkage center; the process management list comprises a white list and a black list;
the linkage center is used for: receiving a process management list sent by any host terminal, and broadcasting the process management list to all registered host terminals.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the computer network security method according to any of claims 1 to 7 are implemented when the processor executes the program.
10. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the steps of the computer network security protection method according to any one of claims 1 to 7.
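The two check rules (claims 5 and 6), the temporary-list promotion of claim 4 and the linkage-center receive-and-broadcast of claim 7, modelled together in Python as an added example that is not the patent's own code. The threshold values, host addresses and the treatment of a start for which no administrator decision has arrived yet are assumptions.

```python
# Added example, not code from the patent: an in-memory model of the process
# management list, the first and second check rules, temporary-list promotion
# and the linkage-center broadcast. Thresholds and the "no decision yet" case
# are assumptions; the page does not fix them.
from dataclasses import dataclass, field

FIRST_THRESHOLD = 3    # assumed: allowed starts before temp-white -> white
SECOND_THRESHOLD = 3   # assumed: refused starts before temp-black -> black


@dataclass
class ProcessManagementList:
    white: set = field(default_factory=set)
    black: set = field(default_factory=set)
    temp_white: dict = field(default_factory=dict)  # process -> allowed-start count
    temp_black: dict = field(default_factory=dict)  # process -> refused-start count

    def merge(self, other):
        """Apply a list broadcast by the linkage center (union of entries)."""
        self.white |= other.white
        self.black |= other.black
        for proc, n in list(other.temp_white.items()):
            self.temp_white[proc] = max(self.temp_white.get(proc, 0), n)
        for proc, n in list(other.temp_black.items()):
            self.temp_black[proc] = max(self.temp_black.get(proc, 0), n)

    def promote(self):
        """Claim 4: move temporary entries to the permanent lists at threshold."""
        for proc in [p for p, n in self.temp_white.items() if n >= FIRST_THRESHOLD]:
            self.white.add(proc)
            del self.temp_white[proc]
        for proc in [p for p, n in self.temp_black.items() if n >= SECOND_THRESHOLD]:
            self.black.add(proc)
            del self.temp_black[proc]


def first_check(pml, proc):
    """First check rule (periodic scan): black overrides white; temp-white passes."""
    if proc in pml.black:
        return False
    return proc in pml.white or proc in pml.temp_white


def second_check(pml, proc, admin_decision=None):
    """Second check rule (process start). admin_decision is 'allow', 'deny' or
    None for an unlisted process; None is treated as not started (assumption)."""
    if proc in pml.black:
        return False
    if proc in pml.white:
        return True
    if admin_decision == "allow":
        pml.temp_white[proc] = pml.temp_white.get(proc, 0) + 1
    elif admin_decision == "deny":
        pml.temp_black[proc] = pml.temp_black.get(proc, 0) + 1
    pml.promote()
    return admin_decision == "allow"


class LinkageCenter:
    """Steps S1/S2: receive a list from any terminal, broadcast to all registered."""
    def __init__(self):
        self.registered = {}  # host identifier -> HostTerminal

    def register(self, host):
        self.registered[host.host_id] = host

    def receive(self, pml):
        for host in self.registered.values():
            host.pml.merge(pml)


class HostTerminal:
    def __init__(self, host_id, ip, port, center):
        self.host_id, self.ip, self.port = host_id, ip, port  # registration info
        self.pml = ProcessManagementList()
        self.center = center
        center.register(self)

    def initialize_whitelist(self, running):
        """Super-administrator-authorized scan of the running system processes."""
        self.pml.white |= set(running)
        self.center.receive(self.pml)

    def add_dangerous(self, proc):
        """Dangerous process reported by third-party antivirus goes straight to black."""
        self.pml.black.add(proc)
        self.center.receive(self.pml)

    def periodic_scan(self, running):
        """Returns the processes that fail the first check (to be checked and killed)."""
        return {p for p in running if not first_check(self.pml, p)}


def scenario():
    """Constructed walkthrough with made-up hosts and process names."""
    center = LinkageCenter()
    a = HostTerminal("host-a", "10.0.0.1", 9000, center)
    b = HostTerminal("host-b", "10.0.0.2", 9000, center)
    a.initialize_whitelist(["sshd", "cron"])
    a.add_dangerous("miner")          # the broadcast reaches host B as well
    killed_on_b = b.periodic_scan(["sshd", "miner", "unknown-tool"])
    for _ in range(FIRST_THRESHOLD):  # three allowed starts promote to white on B
        second_check(b.pml, "backup-agent", admin_decision="allow")
    return killed_on_b, "backup-agent" in b.pml.white, second_check(a.pml, "miner")
```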
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210164970.XA CN114244631A (en) | 2022-02-23 | 2022-02-23 | Computer network security protection method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114244631A true CN114244631A (en) | 2022-03-25 |
Family
ID=80747827
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210164970.XA Pending CN114244631A (en) | 2022-02-23 | 2022-02-23 | Computer network security protection method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114244631A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8112485B1 (en) * | 2006-11-22 | 2012-02-07 | Symantec Corporation | Time and threshold based whitelisting |
CN105183504A (en) * | 2015-08-12 | 2015-12-23 | 北京威努特技术有限公司 | Software server based process white-list updating method |
CN105631319A (en) * | 2014-11-01 | 2016-06-01 | 江苏威盾网络科技有限公司 | Computer terminal control system and method based on network protection |
CN110691083A (en) * | 2019-09-26 | 2020-01-14 | 杭州安恒信息技术股份有限公司 | A Process-Based Outreach Blocking Method |
US20200026846A1 (en) * | 2017-03-29 | 2020-01-23 | Seung Hwan Choi | System and method for authenticating safe software |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114884993A (en) * | 2022-05-07 | 2022-08-09 | 杭州天宽科技有限公司 | Virtual android system for enhancing data security |
CN114884993B (en) * | 2022-05-07 | 2023-12-22 | 杭州天宽科技有限公司 | Virtualized android system for enhancing data security |
CN117857223A (en) * | 2024-03-07 | 2024-04-09 | 四川天邑康和通信股份有限公司 | Black-white list realization method, device, equipment and medium based on FTTR master-slave management |
CN117857223B (en) * | 2024-03-07 | 2024-05-28 | 四川天邑康和通信股份有限公司 | Method, device, equipment and medium for realizing black-and-white list based on FTTR master-slave management |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20220325 |