CN112733147B - Equipment security management method and system - Google Patents
- Publication number: CN112733147B (application CN202110016967.9A)
- Authority: CN (China)
- Prior art keywords: equipment, information, management system, abnormality, deployment
- Legal status: Active
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2101/00—Indexing scheme associated with group H04L61/00
- H04L2101/60—Types of network addresses
- H04L2101/69—Types of network addresses using geographic information, e.g. room number
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention provides a device security management method and system, and belongs to the technical field of cloud computing. The device security management method comprises the following steps: collecting device information from each management system, and determining the device type of a device according to the management system from which its device information originates; determining device deployment anomalies according to the policy baseline corresponding to the device type and the device information; generating an optimization script according to the device deployment anomalies; and running the optimization script to generate a script running result. The invention can meet device security control requirements, unify analysis standards, reduce security risk, and improve the effectiveness and efficiency of rectification.
Description
Technical Field
The invention relates to the technical field of cloud computing, in particular to a device security management method and system.
Background
When security management is carried out on a large number of devices in a large group enterprise, devices serving different purposes need multiple, targeted layers of protection, so such a group will purchase or develop a variety of security management systems from different vendors, including client management, antivirus management, user management, patch management and the like. The size of a large enterprise means that the group as a whole operates millions of devices to handle the complex daily demands of its various businesses and offices. Because each security management system has a different emphasis, and because the devices within the group differ widely, differentiated security management systems and customized information security protection policies must be deployed for devices of different types and purposes, and the existing comprehensive security protection systems cannot meet the current needs of large groups. In practice, the following problems have been found:
1. Weak report compatibility between products and platforms: each device involves the installation of several security management systems and the deployment of several security policies, each product has its own operation and maintenance staff, and the related reports are stored in different storage systems. When a risk investigation is carried out with the device as the dimension, a large number of records are involved, the reports from each platform must be obtained separately, and the corresponding data is difficult to integrate. For example, the reports of the antivirus management system and the Microsoft patch distribution management system may use different variables to identify the device's maintenance department, and different variables to mark whether the device is online. Furthermore, individual products may have defects that leave protection records or functions incomplete, so a thorough inspection of the device is not possible.
2. Detection and control blind spots for devices on which no security management system is deployed: most security management systems lack a self-discovery function; they can only detect devices on which the security management system is already deployed and cannot actively discover devices on which it is not. Such devices therefore remain in an information security monitoring blind spot for a long time, lack effective security management and control, and carry security risks.
3. Detection and analysis results cannot quickly locate the problem, and a handling scheme is absent: existing tools cannot automatically deploy or repair in time for devices with missing policies; for devices with problems in policy deployment or security management system deployment, the handling scheme is undefined, so the effect of problem correction is poor and the efficiency is low.
Disclosure of Invention
The embodiments of the invention mainly aim to provide a device security management method and system, so as to meet device security management and control requirements, unify analysis standards, reduce security risk, and improve the effectiveness and efficiency of rectification.
In order to achieve the above object, an embodiment of the present invention provides a device security management method, including:
collecting device information from each management system, and determining the device type of a device according to the management system from which its device information originates;
determining device deployment anomalies according to the policy baseline corresponding to the device type and the device information;
generating an optimization script according to the device deployment anomalies;
and running the optimization script to generate a script running result.
An embodiment of the invention also provides a device security management system, which comprises:
a device type determining unit, used for collecting device information from each management system and determining the device type of a device according to the management system from which its device information originates;
a device anomaly determining unit, used for determining device deployment anomalies according to the policy baseline corresponding to the device type and the device information;
a script generating unit, used for generating an optimization script according to the device deployment anomalies;
and a script running unit, used for running the optimization script and generating a script running result.
An embodiment of the invention also provides computer equipment comprising a memory, a processor, and a computer program stored in the memory and running on the processor, wherein the processor implements the steps of the device security management method when executing the computer program.
An embodiment of the invention also provides a computer-readable storage medium on which a computer program is stored, which, when executed by a processor, implements the steps of the device security management method.
The device security management method and system of the embodiments of the invention collect device information from each management system and determine the device type, then determine device deployment anomalies according to the policy baseline corresponding to the device type and the device information in order to generate an optimization script, and finally run the optimization script to generate a script running result, thereby meeting device security management and control requirements, unifying the analysis standard, reducing security risk, and improving the effectiveness and efficiency of rectification.
Drawings
In order to illustrate the embodiments of the invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments are briefly described below. Obviously, the drawings described below show only some embodiments of the invention, and a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flow chart of a method of device security management in an embodiment of the invention;
FIG. 2 is a flow chart of the operation of the device security management system in another embodiment of the invention;
FIG. 3 is a flow chart of determining device anomalies in another embodiment of the invention;
FIG. 4 is a schematic diagram of a device information security representation in an embodiment of the invention;
FIG. 5 is a block diagram of a device security management system in an embodiment of the invention;
FIG. 6 is a block diagram of a computer device in an embodiment of the invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Those skilled in the art will appreciate that embodiments of the invention may be implemented as a system, apparatus, device, method, or computer program product. Accordingly, the present disclosure may be embodied in the following forms, namely: complete hardware, complete software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
In view of the fact that the prior art cannot meet device security control requirements, leaves blind spots in detection and control, and rectifies problems poorly and inefficiently, the embodiments of the invention provide a device security management method which meets device security control requirements, unifies the analysis standard on the basis of device type, reduces security risk, and improves the effectiveness and efficiency of rectification. The invention is described in detail below with reference to the accompanying drawings.
Conventional device security management relies on a single module of each security management system to manage the devices on which that security management system is not deployed, which leaves detection and management blind spots. In addition, when several security management systems are involved, each is managed and risk-reviewed by different operation and maintenance staff, the security risk of a device can only be judged from experience, the analysis standards are not uniform, the analysis results may be incomplete, and the handling scheme is poorly evaluated.
The invention does not manage devices through the modules of the conventional security management systems; instead it directly and automatically collects the security policies and the data of interest for all devices. By establishing a unified device information fingerprint library, the active online devices in the group are automatically identified and the deployment status of security policies is monitored. The security management systems and the policy deployment status are centrally managed and presented by drawing a device information security portrait. According to a device's anomalies, possible problems in the security management systems are automatically tracked and traced, and according to the tracing result the security management system is deployed automatically, the security policy is updated, and a deployment scheme, script and log are provided for the device.
FIG. 1 is a flowchart of a device security management method in an embodiment of the present invention. FIG. 2 is a flowchart of the operation of the device security management system in another embodiment of the present invention. As shown in FIG. 1 and FIG. 2, the device security management method includes:
S101: collecting device information from each management system, and determining the device type of a device according to the management system from which its device information originates.
The prior art also faces a large device scale, many device types and complex usage scenarios: large group enterprises use millions of devices that are varied and heterogeneous, covering device types such as servers of various kinds (Unix, Windows and the like), clients, special terminals and network devices. Depending on the device type and usage scenario, devices differ greatly in exposure level, risk type and information security standard policy. For example, a server that provides services externally has a larger exposed surface than an ordinary office terminal used on the intranet, and faces a more serious risk of external attack. Independent security protection requirements therefore have to be analyzed according to the number of devices, their types and their scenarios, with different security management systems and security policies deployed in a targeted manner; a uniform security management system and policy deployment cannot be applied to all devices. The existing comprehensive security protection software cannot meet the security control requirements of all the devices of a large group.
In a specific implementation, scripts and scheduled tasks can be placed on the server side by an information acquisition module so that information is collected from each system automatically on a schedule. The collected information is transferred into the information acquisition module through GTP (General Data Transfer Platform), FTP (File Transfer Protocol), SYSLOG and the like for centralized management; the collected system data (device information), personnel information and policy information are then cleaned centrally, and the data formats and standards are unified to form a data pool. The data formats include numeric, character, date and boolean formats. Unifying the standard means, for example, that the machine name of a device is converted to capital letters, and that if a device lacks a machine name field, its IP address is used to fill in the machine name. Compared with the prior art, the invention can thereby eliminate the differences in device identification between the security management systems.
System data: includes the device information collected from the various security management systems, configuration management systems and special terminal management systems. The security management systems include a client management system, an antivirus management system, a Microsoft patch distribution management system, a user management system, a vulnerability management system and the like; the collected device information includes the device machine name, IP address, operating system, environment, maintenance organization, login user information (from the user management system) and policy deployment status (such as last communication time, system update records, Microsoft patch installation records and the like). The device information collected by the configuration management system includes the IP address, hosted application, device cluster, network segment pool, NAT (Network Address Translation) address pool, operation and maintenance staff and the like; the special terminal management system collects the device information of special terminals, including the device machine name, IP address and the like.
Personnel information: organization structure, operation and maintenance staff information, contact information, user account numbers and the like, obtained from the human resources system.
Policy information: includes policy baselines and policy whitelists. The policy baseline serves as the reference value for a compliant device, such as device type, longest connection update period, lowest required system version, flow identification information, and the Microsoft patches that should be installed; the policy whitelist holds the various kinds of security exception information, such as device machine name, IP address, applicant, reason for the application, system involved, whitelisted security policy values and the like.
Device information fingerprint library: different security management systems can provide a large number of information records for the same terminal. Based on the actual onboarding requirements, product characteristics and device type differences of each security management system, the relationship information for device type identification is extracted and integrated, the data of the security management systems, configuration management systems and special terminal management systems collected by the information acquisition module is correlated, and the differences in device identification between the management systems are eliminated. Combined with the policy information, a device information fingerprint library is established, which allows a device and its maintenance responsibility to be located accurately. The device information fingerprint library includes the device machine name, IP address, operating system, environment, maintenance organization, login user information, last communication time, system update records, Microsoft patch installation records, hosted application, device cluster, network segment pool, NAT address pool, operation and maintenance staff, the security management systems the device is onboarded to, and the like.
Determining the device type of a device according to the management system corresponding to its device information comprises the following step:
according to the machine name and IP address of the device collected by each management system, the management systems that hold device information for the same device are determined, so that the device can be classified.
TABLE 1
Table 1 is a table of correspondence between management systems and device types. As shown in Table 1, when the device information originates from the special terminal management system, the device type is identified as a special terminal; when the device information originates from the client management system, the device type is identified as a client. In addition, the device type can be identified more precisely from the security management systems the device is onboarded to; for example, a device whose information comes from the antivirus system or the Microsoft patch distribution management system is of the server-Windows type.
As shown in FIG. 2, the invention can also perform attribution identification, locating the actual users (operation and maintenance staff) and maintenance responsibility of a device. The device information is associated with the information collected by the configuration management system to obtain the actual users and maintenance responsibility of the device. If the device is a client, the login user information and the like are matched against the personnel information to locate the actual user and maintenance responsibility. If the device type is identified as a special terminal, the actual using department and maintenance responsibility can be matched according to the device machine name, IP address, device cluster, network segment pool and the like. In addition, default attribution values can be supplemented by exact matching through the onboarded security management system information. This information is used by the subsequent analysis schemes, and deployment schemes (optimization scripts) and logs can be pushed automatically using it.
As shown in FIG. 2, the invention can also dynamically track and manage the full life cycle of a device from coming online to going offline. Because the group's devices are of many types, the machine name, IP address and the like can serve as the unique identifier of a device for the different device types; moreover, devices are replaced quickly and move often, and a single device cannot be identified as existing stock or as newly online from a machine name or IP address alone. For example, a client may change its IP address because its network environment changed; the system would then recognize the new address as a new device and discontinue the analysis of the historical situation and the tracking management of the original device. To prevent this, a dynamic tracking model of the device is established, which tracks and locates devices intelligently and accurately by using the unique device machine name and IP address as device identifiers. For a device whose machine name or IP address does not match any old device information, so that it is definitely newly online equipment, flow identification information for the terminal device is specified according to the device type; the newly collected device information and the historical device information collected by each security management system are analyzed and standardized using the flow identification information, the device machine name and IP address are updated to serve as the new device identifier while the historical device identifier is retained, and the security management status of the device is tracked dynamically.
For example: the device whose IP address changed is identified as a client, and the flow identification information corresponding to a client is the device machine name. The device machine name is therefore used to analyze and match the data of each security management system; the IP address corresponding to the current device machine name is taken as the new IP address, the new device identifier is formed from the device machine name, and the original IP address is kept as the historical IP address of the device for analysis and tracking of the historical situation. Where a client has been reinstalled and its machine name modified, it is managed as newly online equipment and is not associated with the historical information.
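The S101 steps above, worked through as an added example (this is illustrative code, not the patent's implementation): per-system field mapping, upper-casing the machine name with the IP address as fallback, device type from source system as Table 1 describes, and re-identifying a client whose IP changed by its machine name. The system names, field names and sample records are constructed; the precedence between the Table 1 rules is an assumption.

```python
"""Device information fingerprint library (step S101): unify records exported by several
management systems, classify the device type by source system, and track a client's
IP change by machine name. Example code, not the patent's implementation."""

# Native field name -> unified field name, per source system. System and field names are
# assumptions; real products export their own column names, which is the report
# compatibility problem the background section describes.
FIELD_MAP = {
    "client_mgmt":           {"hostname": "machine_name", "ip": "ip", "os": "os",
                              "last_seen": "last_comm", "user": "login_user"},
    "antivirus":             {"ComputerName": "machine_name", "IPAddress": "ip",
                              "LastContact": "last_comm"},
    "patch_mgmt":            {"name": "machine_name", "ip": "ip", "os": "os"},
    "config_mgmt":           {"ip": "ip", "app": "app", "cluster": "cluster", "owner": "ops_owner"},
    "special_terminal_mgmt": {"terminal_id": "machine_name", "addr": "ip"},
}


def normalize(system, raw):
    """Rename fields to the unified schema, upper-case the machine name and, when the
    machine name is missing, use the IP address in its place (the page's unified standard)."""
    rec = {"source": system}
    for native, unified in FIELD_MAP[system].items():
        value = raw.get(native)
        if value not in (None, ""):
            rec[unified] = value
    if "ip" not in rec:
        raise ValueError(f"{system}: a record without an IP address cannot be identified")
    rec["machine_name"] = str(rec.get("machine_name") or rec["ip"]).upper()
    return rec


def device_type(systems):
    """Table 1 as the page describes it. The precedence between the rules is an assumption."""
    if "special_terminal_mgmt" in systems:
        return "special_terminal"
    if "client_mgmt" in systems:
        return "client"
    if systems & {"antivirus", "patch_mgmt"}:
        return "server-Windows"
    return "unknown"


class FingerprintLibrary:
    """Merges normalized records per device; the unified machine name is the merge key."""

    def __init__(self):
        self.devices = {}

    def ingest(self, system, raw):
        rec = normalize(system, raw)
        name = rec["machine_name"]
        entry = self.devices.setdefault(name, {
            "machine_name": name, "ip": rec["ip"], "historical_ips": [],
            "systems": set(), "per_system": {}})
        entry["systems"].add(system)
        entry["type"] = device_type(entry["systems"])
        if rec["ip"] != entry["ip"]:
            if entry["type"] == "client":
                # A client's flow identification is its machine name (the page's example):
                # a new address is the same device, so keep the old IP as history.
                entry["historical_ips"].append(entry["ip"])
                entry["ip"] = rec["ip"]
            else:
                # Other types are not re-identified by name here; record the conflict instead.
                entry.setdefault("ip_conflicts", []).append((system, rec["ip"]))
        # Keep each system's own view so later steps can compare them (liveness, environment).
        entry["per_system"][system] = {k: v for k, v in rec.items()
                                       if k not in ("source", "machine_name", "ip")}
        return entry

    def ip_index(self):
        """Current IP -> machine name, for lookups by address."""
        return {e["ip"]: name for name, e in self.devices.items()}


# Constructed sample exports, oldest first; the second client_mgmt row for pc-0017 is a
# later export after the client's network environment changed.
RAW_RECORDS = [
    ("client_mgmt", {"hostname": "pc-0017", "ip": "10.1.2.17", "os": "Windows 10",
                     "last_seen": "2021-01-03", "user": "zhang.wei"}),
    ("antivirus", {"ComputerName": "PC-0017", "IPAddress": "10.1.2.17", "LastContact": "2021-01-02"}),
    ("patch_mgmt", {"name": "", "ip": "10.1.5.40", "os": "Windows Server 2016"}),
    ("config_mgmt", {"ip": "10.1.5.40", "app": "billing", "cluster": "bill-01", "owner": "ops-li"}),
    ("special_terminal_mgmt", {"terminal_id": "atm-201", "addr": "10.9.0.5"}),
    ("client_mgmt", {"hostname": "PC-0017", "ip": "10.1.2.88", "os": "Windows 10",
                     "last_seen": "2021-01-04", "user": "zhang.wei"}),
]


def build_library(records):
    lib = FingerprintLibrary()
    for system, raw in records:
        lib.ingest(system, raw)
    return lib


if __name__ == "__main__":
    for name, e in build_library(RAW_RECORDS).devices.items():
        print(name, e["type"], e["ip"], e["historical_ips"], sorted(e["systems"]))
```

The nameless patch_mgmt row and the config_mgmt row merge under the key "10.1.5.40", which is the IP-as-machine-name fallback doing the cross-system matching the text describes.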
S102: determining device deployment anomalies according to the policy baseline corresponding to the device type and the device information.
In one embodiment, step S102 includes:
determining the active devices according to a preset activity threshold and the last communication time of the devices.
In a specific implementation, activity recognition can be performed: the running and connection status of the devices is monitored. Because the security management systems differ, the handling of redundant and historical data is taken into account during data processing. The truly active online devices are identified from the collected last communication time and the corresponding policy baseline, such as the longest connection update period for each device type, and only the active devices are analyzed and tracked, which reduces invalid detection of replaced and offline devices. For example, according to the policy baseline, the client management system treats a device that connected within the last 14 days as active, and the antivirus management system likewise treats a device that connected within the last 14 days as active; subsequent risk detection is carried out only on active devices, while a risk prompt is generated for inactive devices and pushed to the operation and maintenance staff responsible for the device.
S102 then includes:
determining device deployment anomalies according to the policy baseline corresponding to the device type of the active device and the device information of the active device.
In a specific implementation, the device information of the active device can be matched against the policy baseline by a risk detection module, and the reasons for any mismatch between the device information of the active device and the policy baseline are analyzed and traced using a risk model, so that the onboarding problems, security policy deployment problems and device health of a large number of device management systems are analyzed and traced.
For example, a policy blind spot analysis may be performed: the device information and the corresponding policy baseline are used to analyze whether the device has been onboarded to the relevant management systems, analyze the device's policy deployment status, identify devices that have not been onboarded to a management system, and identify a missing policy (management system) on a single device as a risk. This comprises the following steps:
Identifying devices with poorly deployed policies (management systems): first, the full list of devices on which policies should be deployed is obtained from the policy baseline and the policy whitelist. Second, the policy deployment status of the listed devices is checked using the device information in the device information fingerprint library, to identify devices with policy deployment problems. For example, for a device whose type is client, it is determined that the client is not onboarded to the client management system and is not on the client policy whitelist, giving a list of clients not onboarded to the client management system.
Identifying the policies a single device is missing: the device's policies are matched against the policy baseline and policy whitelist through the device information in the device information fingerprint library; if the management systems associated with the device do not conform to the baseline, a policy blind spot is identified. For example, if the client's information in the device information fingerprint library is not associated with any record in the antivirus management system, the client's client management system configuration does not conform to the policy baseline, and the client is on neither the antivirus management system's nor the client management system's policy whitelist, then the client's antivirus policy and client management policy are identified as blind spots. At the same time, the first occurrence time and the number of repeated occurrences of the anomaly are recorded.
FIG. 3 is a flow chart of determining device anomalies in another embodiment of the invention. As shown in FIG. 3, the device security management method further includes:
S201: comparing the device information collected by the respective management systems to determine device association anomalies.
Most devices need to be managed by several management systems, and their security policies are not independent; the status and risks of a device are detected further by correlating the information of the management systems. The device association anomalies specifically include device environment association, device liveness association and device attribution association.
Device environment association: each management system can configure and record different security policies according to the environment it identifies, and the related information can be obtained from the device information fingerprint library. The security policy deployment status of a device is verified according to the environment each system identifies for the device. If a device is identified as environment I in management system A and as environment II in management system B, its environment association is anomalous.
Device liveness association: each management system records the last communication time of a device, and all the last communication times of a single device are held in the device information fingerprint library. Whether the connection between the device and a single system is normal is identified from the differences between the last communication times recorded by each system. For example, if the time since the device last communicated with management system A exceeds the policy baseline for the device type, while the time since it last communicated with the other management systems is within the policy baseline, the device is judged to have lost its connection to management system A for a long time, its liveness association is anomalous, and the first occurrence time and number of repeated occurrences of the anomaly are recorded.
Device attribution association: the maintenance organization of a device is recorded in the device information fingerprint library, and if a large number of devices of one organization are identified as risk anomalies, this is marked as a major problem.
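The risk detection of S102 (activity threshold, policy blind spots against baseline and whitelist) and the environment and liveness association checks of S201, worked through together as one added example over fingerprint-library entries (illustrative code, not the patent's own). The 14-day window is the page's figure; the required-system lists, the whitelist, the sample entries and the anomaly labels are constructed assumptions.

```python
"""Risk detection over fingerprint-library entries (steps S102 and S201): activity
threshold, policy blind spots against baseline plus whitelist, environment and liveness
association anomalies, and a ledger of first occurrence / repeat count per anomaly.
Example code, not the patent's implementation."""
from datetime import date

# Policy baseline per device type. The 14-day window is the page's example; which systems
# each type must be onboarded to is an assumption.
BASELINE = {
    "client":         {"max_update_days": 14, "required": {"client_mgmt", "antivirus"}},
    "server-Windows": {"max_update_days": 14, "required": {"antivirus", "patch_mgmt"}},
}
# Policy whitelist: approved exceptions as (machine_name, system) pairs (constructed).
WHITELIST = {("PC-0042", "antivirus")}

# Fingerprint-library entries as the aggregation step would leave them (constructed).
# per_system holds what each management system reported about the same device.
ENTRIES = [
    {"machine_name": "PC-0017", "type": "client", "org": "Finance",
     "per_system": {"client_mgmt": {"last_comm": date(2021, 1, 3), "env": "office"},
                    "antivirus":   {"last_comm": date(2020, 12, 1), "env": "office"}}},
    {"machine_name": "PC-0042", "type": "client", "org": "Finance",
     "per_system": {"client_mgmt": {"last_comm": date(2021, 1, 4), "env": "office"}}},
    {"machine_name": "PC-0100", "type": "client", "org": "HR",
     "per_system": {"client_mgmt": {"last_comm": date(2021, 1, 2), "env": "office"}}},
    {"machine_name": "SRV-BILL-01", "type": "server-Windows", "org": "Billing",
     "per_system": {"antivirus":  {"last_comm": date(2021, 1, 4), "env": "prod"},
                    "patch_mgmt": {"last_comm": date(2021, 1, 4), "env": "test"}}},
    {"machine_name": "PC-0099", "type": "client", "org": "HR",
     "per_system": {"client_mgmt": {"last_comm": date(2020, 11, 1), "env": "office"}}},
]
TODAY = date(2021, 1, 5)


def is_active(entry, today):
    """Active if any system heard from the device within the type's longest update period."""
    window = BASELINE[entry["type"]]["max_update_days"]
    latest = max(r["last_comm"] for r in entry["per_system"].values())
    return (today - latest).days <= window


def policy_blind_spots(entry):
    """Required systems the device is not onboarded to, unless whitelisted for that system."""
    missing = BASELINE[entry["type"]]["required"] - set(entry["per_system"])
    return ["blind_spot:" + s for s in sorted(missing)
            if (entry["machine_name"], s) not in WHITELIST]


def association_anomalies(entry, today):
    """Environment mismatch between systems, and loss of contact with a subset of systems."""
    found = []
    envs = {r["env"] for r in entry["per_system"].values() if "env" in r}
    if len(envs) > 1:
        found.append("environment:" + "/".join(sorted(envs)))
    window = BASELINE[entry["type"]]["max_update_days"]
    age = {s: (today - r["last_comm"]).days for s, r in entry["per_system"].items()}
    stale = {s for s, d in age.items() if d > window}
    if stale and len(stale) < len(age):   # some systems still fresh, others silent
        found.extend("liveness:" + s for s in sorted(stale))
    return found


class AnomalyLedger:
    """First occurrence time and repeat count per (device, anomaly), as the page records."""

    def __init__(self):
        self.seen = {}

    def record(self, name, anomaly, today):
        item = self.seen.setdefault((name, anomaly), {"first_seen": today, "count": 0})
        item["count"] += 1
        return item


def assess(entries, today, ledger):
    """Run detection only on active devices; inactive ones get a risk prompt for their ops staff."""
    report = {}
    for e in entries:
        name = e["machine_name"]
        if not is_active(e, today):
            report[name] = {"active": False, "risk_prompt": f"inactive device, notify {e['org']} ops"}
            continue
        found = policy_blind_spots(e) + association_anomalies(e, today)
        for a in found:
            ledger.record(name, a, today)
        report[name] = {"active": True, "anomalies": found}
    return report


if __name__ == "__main__":
    for name, r in assess(ENTRIES, TODAY, AnomalyLedger()).items():
        print(name, r)
```

Running assess on consecutive days with the same ledger is what turns a one-off mismatch into the recurrence count the page uses for the device index warning.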
S202: carrying out historical trend analysis on the device information to obtain device index anomalies.
In a specific implementation, whether indexes such as the management system onboarding rate and the security policy deployment rate of a single device type or a single device meet the standard can be tracked according to the device information corresponding to the device type and the maintenance organization, and the historical trend analyzed. An abnormal decline in an information security monitoring index is traced to determine whether it is caused by device configuration problems, the actions of operation and maintenance staff, or other reasons. For example, the devices onboarded to the Microsoft patch distribution management system are filtered from the device information fingerprint library, their Microsoft patch installation records are obtained, and the installation status of each patch is tracked. If the installation state of a patch remains "not installed" on a large number of devices for a long time, the cause is judged to be a delay in patch pushing; if a single patch fails to install across a whole cluster, the cause is judged to be the Microsoft patch itself. At the same time, taking time as the dimension, the completion of rectification on the device is tracked based on how long the problem has persisted and how often it has recurred. A device index warning is raised for problems whose count rises abnormally or which remain unrectified for a long time, and pushed to the corresponding operation and maintenance staff recorded in the device fingerprint library.
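The patch trend heuristics of S202, as an added example (illustrative code, not the patent's): a patch left "not installed" on a large share of devices past the staleness window is classed as a push delay, a patch that failed on every device of a cluster as a defect of the patch itself, and a problem's age and recurrence count decide whether a device index warning is raised. The thresholds, patch IDs and records are constructed assumptions.

```python
"""Historical trend analysis of Microsoft patch installation records (step S202).
Example code, not the patent's implementation; all thresholds are assumptions."""
from collections import defaultdict
from datetime import date

# Constructed patch installation records for devices onboarded to the patch distribution
# system. Patch IDs are placeholders, not real knowledge-base numbers.
RECORDS = [
    {"machine": "SRV-01", "cluster": "bill", "patch": "KB-PLACEHOLDER-A", "state": "not_installed", "since": date(2020, 12, 1)},
    {"machine": "SRV-02", "cluster": "bill", "patch": "KB-PLACEHOLDER-A", "state": "not_installed", "since": date(2020, 12, 2)},
    {"machine": "SRV-03", "cluster": "web",  "patch": "KB-PLACEHOLDER-A", "state": "not_installed", "since": date(2020, 12, 3)},
    {"machine": "SRV-04", "cluster": "web",  "patch": "KB-PLACEHOLDER-A", "state": "installed",     "since": date(2020, 12, 5)},
    {"machine": "SRV-01", "cluster": "bill", "patch": "KB-PLACEHOLDER-B", "state": "failed",        "since": date(2021, 1, 3)},
    {"machine": "SRV-02", "cluster": "bill", "patch": "KB-PLACEHOLDER-B", "state": "failed",        "since": date(2021, 1, 3)},
    {"machine": "SRV-03", "cluster": "web",  "patch": "KB-PLACEHOLDER-B", "state": "installed",     "since": date(2021, 1, 3)},
    {"machine": "SRV-04", "cluster": "web",  "patch": "KB-PLACEHOLDER-C", "state": "installed",     "since": date(2021, 1, 4)},
    {"machine": "SRV-03", "cluster": "web",  "patch": "KB-PLACEHOLDER-C", "state": "not_installed", "since": date(2021, 1, 4)},
]
TODAY = date(2021, 1, 5)


def classify_patch(rows, today, stale_days=14, broad_share=0.5, min_cluster=2):
    """Apply the page's two heuristics to one patch's records (thresholds assumed)."""
    stuck = sum(1 for r in rows
                if r["state"] == "not_installed" and (today - r["since"]).days > stale_days)
    if stuck / len(rows) >= broad_share:
        return "push_delay"            # stuck on many devices for a long time
    by_cluster = defaultdict(list)
    for r in rows:
        by_cluster[r["cluster"]].append(r["state"])
    if any(len(states) >= min_cluster and all(s == "failed" for s in states)
           for states in by_cluster.values()):
        return "patch_defect"          # failed across an entire cluster
    return "normal"


def patch_trends(records, today):
    """Patch ID -> verdict, over all devices that report that patch."""
    by_patch = defaultdict(list)
    for r in records:
        by_patch[r["patch"]].append(r)
    return {p: classify_patch(rows, today) for p, rows in by_patch.items()}


def index_warning(first_seen, count, today, max_age_days=30, max_repeats=3):
    """Device index warning for a problem unrectified too long or recurring abnormally often."""
    if (today - first_seen).days > max_age_days:
        return "unrectified_long_term"
    if count > max_repeats:
        return "rising_count"
    return None


if __name__ == "__main__":
    print(patch_trends(RECORDS, TODAY))
```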
FIG. 4 is a schematic diagram of a device information security portrait in an embodiment of the present invention. As shown in FIG. 4, using the device information fingerprint library together with the device policy blind spot information obtained in the risk monitoring module, the device information security portrait and the risk level are displayed with the device as the clue, so that key information such as the deployment location of a single device, its operation and maintenance personnel and the deployment status of each management system is shown in one place. For example, for a single client, the security portrait shows whether the device has policy anomalies, the details of those anomalies and their causes. The policy anomalies in FIG. 4 may include device deployment anomalies, device association anomalies and device index anomalies.
S103: generate an optimization script according to the device deployment anomaly.
In one embodiment, S103 further includes: generating the optimization script according to the device deployment anomaly, the device association anomaly and the device index anomaly.
In a specific implementation, S103 and S104 may be executed by an automated handling module, which automatically handles a discovered risk by analysing its cause from the device information security portrait and the risk detection system and combining that with the policy baseline. The deployment scenario script library contains the automated handling scripts (optimization scripts) and the solutions generated for device anomalies, where device anomalies include device deployment anomalies, device association anomalies and device index anomalies.
S104: run the optimization script to generate a script running result.
In implementation, the automated handling script is pushed to the device, the relevant scripts (for example, updating a security policy or enrolling the device in a security management system) are run in the background, and the script running result is returned when the script finishes.
In one embodiment, after S104 is performed, the method further includes:
generating a device management notification according to the script running result and the device anomaly, and sending the device management notification to the maintenance organisation corresponding to the device.
In implementation, when the script running result is successful, a device management notification including the log record can be pushed to the operation and maintenance personnel of the responsible maintenance organisation. For risks that cannot be handled by the optimization script, or whose cause cannot be determined, a device management notification including a risk prompt is generated and pushed to the operation and maintenance personnel, and a handling scheme is generated from the analysis results of the risk monitoring module. For devices whose script running result is a failure, devices judged to require disconnection, and devices that require confirmation by operation and maintenance personnel, an optimal handling scheme can be generated automatically from the policy baseline and the problem cause obtained in the risk detection module, and the operation and maintenance personnel can select a pushed scheme based on the risk prompt and the log record. In addition, for a device identified as inactive in the device information fingerprint library, a risk prompt must be pushed to the maintenance organisation the device belongs to, as recorded in the device information fingerprint library and the device information security portrait, so that the device state can be confirmed.
The execution subject of the device security management method shown in FIG. 1 may be a device security management system located on a computer. As can be seen from the flow shown in FIG. 1, the device security management method of the embodiment of the present invention collects device information from each management system and determines the device type, then determines the device deployment anomaly from the policy baseline and the device information corresponding to the device type and generates an optimization script, and finally runs the optimization script to generate a script running result. The device security management and control requirement is thus met, the analysis standard is unified, the security risk is reduced, and the effect and efficiency of rectification are improved.
The specific flow of the embodiment of the invention is as follows:
1. Collect device information from each management system, and determine the device type of each device according to the management system corresponding to the device information.
2. Determine the active devices according to the preset activity threshold and the last communication time of each device.
3. Determine device deployment anomalies according to the policy baseline corresponding to the device type of the active device and the device information of the active device.
4. Compare the device information collected by the respective management systems to determine device association anomalies for the active devices.
5. Perform historical trend analysis on the device information of the active devices to obtain device index anomalies.
6. Generate an optimization script according to the device anomalies of the active devices, and run the optimization script to generate a script running result.
7. Generate a device management notification according to the script running result and the device anomalies, and send the device management notification to the maintenance organisation corresponding to the device.
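The seven-step flow as a whole, as an added example that is not part of the patent or of any product it describes. It implements steps 1 to 4, 6 and 7 on a constructed set of management-system reports (step 5, historical trend analysis, is left out here) and also shows the policy white list matching that the claims describe. The management system names, the rule that derives the device type from the reporting system, the policy baseline, the policy white list, the 30-day activity threshold, the fixed current time and the simulated script executor are all assumptions:

```python
"""Added example (not from the patent): a minimal model of steps 1-4, 6 and 7 of the flow."""
from datetime import datetime, timedelta

# Constructed sample of what each management system reports about the devices it knows.
REPORTS = {
    "endpoint_protection": [
        {"id": "dev-001", "hostname": "hq-pc-01", "last_seen": "2021-01-06T09:00:00", "org": "HQ-IT"},
        {"id": "dev-002", "hostname": "hq-pc-02", "last_seen": "2020-10-01T09:00:00", "org": "HQ-IT"},
        {"id": "dev-003", "hostname": "srv-db-01", "last_seen": "2021-01-07T01:00:00", "org": "DC-Ops"},
    ],
    "patch_management": [
        {"id": "dev-001", "hostname": "hq-pc-01", "last_seen": "2021-01-05T09:00:00", "org": "HQ-IT"},
        {"id": "dev-003", "hostname": "srv-db-01-old", "last_seen": "2021-01-06T01:00:00", "org": "DC-Ops"},
    ],
    "server_baseline": [
        {"id": "dev-003", "hostname": "srv-db-01", "last_seen": "2021-01-07T02:00:00", "org": "DC-Ops"},
        {"id": "dev-004", "hostname": "srv-web-01", "last_seen": "2021-01-06T22:00:00", "org": "DC-Ops"},
    ],
}
# Assumed rule for step 1: a device reported by a server-only system is a server, otherwise a client.
SERVER_SYSTEMS = {"server_baseline"}
# Assumed policy baseline: the management systems each device type must be enrolled in.
POLICY_BASELINE = {
    "client": {"endpoint_protection", "patch_management"},
    "server": {"endpoint_protection", "patch_management", "server_baseline"},
}
# Assumed policy white list: (device, system) pairs exempted from the baseline.
POLICY_WHITELIST = {("dev-004", "patch_management")}
ACTIVITY_THRESHOLD = timedelta(days=30)   # assumed liveness threshold
NOW = datetime(2021, 1, 7, 12, 0, 0)      # fixed "current time" so the example is reproducible


def build_fingerprint_library(reports):
    """Step 1: merge the per-system records into one entry per device and assign a type."""
    library = {}
    for system, records in reports.items():
        for rec in records:
            entry = library.setdefault(rec["id"], {"systems": {}, "org": rec["org"]})
            entry["systems"][system] = rec
    for entry in library.values():
        entry["type"] = "server" if SERVER_SYSTEMS & set(entry["systems"]) else "client"
    return library


def active_devices(library, now=NOW, threshold=ACTIVITY_THRESHOLD):
    """Step 2: a device is active if any system heard from it within the threshold."""
    active = set()
    for dev_id, entry in library.items():
        latest = max(datetime.fromisoformat(r["last_seen"]) for r in entry["systems"].values())
        if now - latest <= threshold:
            active.add(dev_id)
    return active


def deployment_anomalies(library, active):
    """Step 3: baseline systems an active device is not enrolled in, minus white-listed pairs."""
    anomalies = {}
    for dev_id in active:
        entry = library[dev_id]
        missing = {s for s in POLICY_BASELINE[entry["type"]] - set(entry["systems"])
                   if (dev_id, s) not in POLICY_WHITELIST}
        if missing:
            anomalies[dev_id] = missing
    return anomalies


def association_anomalies(library, active):
    """Step 4: the same device described inconsistently by different management systems."""
    anomalies = {}
    for dev_id in active:
        hostnames = {r["hostname"] for r in library[dev_id]["systems"].values()}
        if len(hostnames) > 1:
            anomalies[dev_id] = sorted(hostnames)
    return anomalies


def generate_optimization_script(deploy, assoc):
    """Step 6a: one action per anomaly; identity conflicts are routed to a person, not automated."""
    script = [(dev_id, "enroll", s) for dev_id, missing in sorted(deploy.items()) for s in sorted(missing)]
    script += [(dev_id, "confirm_identity", "/".join(names)) for dev_id, names in sorted(assoc.items())]
    return script


def run_optimization_script(script):
    """Step 6b: simulated executor; only enrolment actions are automated in this example."""
    return {action: ("success" if action[1] == "enroll" else "needs_confirmation") for action in script}


def generate_notifications(library, results, active):
    """Step 7: group results by owning maintenance organisation; inactive devices get a risk prompt."""
    notes = {}
    for (dev_id, action, target), status in results.items():
        notes.setdefault(library[dev_id]["org"], []).append(f"{dev_id}: {action} {target} -> {status}")
    for dev_id in sorted(set(library) - active):
        notes.setdefault(library[dev_id]["org"], []).append(f"{dev_id}: inactive -> confirm device state")
    return notes


if __name__ == "__main__":
    lib = build_fingerprint_library(REPORTS)
    act = active_devices(lib)
    script = generate_optimization_script(deployment_anomalies(lib, act), association_anomalies(lib, act))
    for org, lines in generate_notifications(lib, run_optimization_script(script), act).items():
        print(org, lines)
```

Two design points worth noting: the activity check uses the most recent last-communication time across all systems, so a device that one agent lost contact with is not wrongly declared inactive while another system still hears from it; and an association anomaly (the same device id with differing hostnames) is never remediated by script, because the system cannot tell which record is right, which is why the example routes it to a person as the patent's "requires confirmation" case.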
TABLE 2
Table 2 compares the prior art with the present invention. As shown in Table 2, the present invention designs a device security management method and system suited to large group enterprises, which performs information security management and control, risk situation mining, problem tracing and automatic handling for the group's device assets, and effectively solves the following problems of the prior art:
1. Large device scale, many device types and complex usage scenarios: the invention aggregates the full set of key device information that is scattered across many points of management, cleans and analyses the data, and establishes a unified device information fingerprint library organised by device type and usage scenario, eliminating the differences in device identification techniques between different security management systems.
2. Weak report compatibility between products and platforms: the invention sends the policies and inspection results of the various products into a data pool, establishes device information security portraits based on the actual deployment requirements of each security management system and the differences in product characteristics, and unifies the analysis standard.
3. Blind spots in detecting and controlling devices on which no security management system is deployed: the invention establishes a risk detection library through the association relations between security management systems, historical trend analysis and policy blind spot analysis, automatically discovers devices that are newly online or that have no security management system installed, and actively traces the reasons why a security policy was not updated in time.
4. Detection results whose problems cannot be located quickly and for which no handling scheme exists: based on the analysis result and the traced cause, the method combines the uploaded policy white list and the security policy baseline to handle risk devices automatically, including automatically deploying a security management system, automatically updating the security policy and pushing automated handling scripts. Where automatic handling fails or is not possible, the handling method is pushed automatically to operation and maintenance personnel for manual handling.
Based on the same inventive concept, the embodiment of the invention also provides a device security management system. Because the principle by which the system solves the problem is similar to that of the device security management method, the implementation of the system can refer to the implementation of the method, and repeated description is omitted.
FIG. 5 is a block diagram of a device security management system in an embodiment of the present invention. As shown in FIG. 5, the device security management system includes:
a device type determining unit, configured to collect device information from each management system and determine the device type of the device according to the management system corresponding to the device information;
a device anomaly determining unit, configured to determine a device deployment anomaly according to the policy baseline corresponding to the device type and the device information;
a script generating unit, configured to generate an optimization script according to the device deployment anomaly;
a script running unit, configured to run the optimization script and generate a script running result.
In one embodiment, the device anomaly determining unit is further configured to:
compare the device information collected by each management system to determine device association anomalies;
perform historical trend analysis on the device information to obtain device index anomalies;
and the script generating unit is further configured to:
generate the optimization script according to the device deployment anomaly, the device association anomaly and the device index anomaly.
In one embodiment, the system further includes:
a notification generating unit, configured to generate a device management notification according to the script running result and the device deployment anomaly;
a notification sending unit, configured to send the device management notification to the maintenance organisation corresponding to the device.
In one embodiment, the device information includes a last communication time, and
the device anomaly determining unit is specifically configured to:
determine the active devices according to a preset liveness threshold and the last communication time of each device;
determine the device deployment anomaly according to the policy baseline corresponding to the device type of the active device and the device information of the active device.
As shown in FIG. 2, in practical application, the information acquisition module includes the device type determining unit; the device information fingerprint library includes the device type determining unit and the device anomaly determining unit; the risk detection module includes the device anomaly determining unit; and the automated handling module includes the script generating unit, the script running unit, the notification generating unit and the notification sending unit.
In summary, the device security management system of the embodiment of the invention first collects device information from each management system and determines the device type, then determines the device deployment anomaly according to the policy baseline corresponding to the device type and the device information and generates an optimization script, and finally runs the optimization script to generate a script running result. The device security management and control requirement is thus met, the analysis standard is unified, the security risk is reduced, and the effect and efficiency of rectification are improved.
The embodiment of the invention also provides a specific implementation of a computer device capable of realising all the steps of the device security management method in the above embodiment. FIG. 6 is a block diagram of a computer device according to an embodiment of the present invention; referring to FIG. 6, the computer device specifically includes:
a processor 601 and a memory 602.
The processor 601 is configured to invoke a computer program in the memory 602 and executes the computer program to implement all the steps of the device security management method in the above embodiment; for example, the processor executes the computer program to implement the following steps:
collecting device information from each management system, and determining the device type of the device according to the management system corresponding to the device information;
determining a device deployment anomaly according to the policy baseline corresponding to the device type and the device information;
generating an optimization script according to the device deployment anomaly;
running the optimization script to generate a script running result.
In summary, the computer device of the embodiment of the invention first collects device information from each management system and determines the device type, then determines the device deployment anomaly according to the policy baseline corresponding to the device type and the device information and generates an optimization script, and finally runs the optimization script to generate a script running result. The device security management and control requirement is thus met, the analysis standard is unified, the security risk is reduced, and the effect and efficiency of rectification are improved.
The embodiment of the present invention also provides a computer-readable storage medium capable of implementing all the steps of the device security management method in the above embodiment. The computer-readable storage medium stores a computer program which, when executed by a processor, implements all the steps of the device security management method in the above embodiment; for example, the processor implements the following steps when executing the computer program:
collecting device information from each management system, and determining the device type of the device according to the management system corresponding to the device information;
determining a device deployment anomaly according to the policy baseline corresponding to the device type and the device information;
generating an optimization script according to the device deployment anomaly;
running the optimization script to generate a script running result.
In summary, the computer-readable storage medium of the embodiment of the invention first collects device information from each management system and determines the device type, then determines the device deployment anomaly according to the policy baseline corresponding to the device type and the device information and generates an optimization script, and finally runs the optimization script to generate a script running result. The device security management and control requirement is thus met, the analysis standard is unified, the security risk is reduced, and the effect and efficiency of rectification are improved.
The foregoing description of the embodiments is provided to illustrate the general principles of the invention and is not meant to limit the scope of the invention or to restrict the invention to the particular embodiments; any modifications, equivalents, improvements and the like that fall within the spirit and principles of the invention are intended to be included within the scope of the invention.
Those of skill in the art will further appreciate that the various illustrative logical blocks (illustrative logical block), units, and steps described in connection with the embodiments of the invention may be implemented by electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software (interchangeability), various illustrative components described above (illustrative components), elements, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design requirements of the overall system. Those skilled in the art may implement the described functionality in varying ways for each particular application, but such implementation is not to be understood as beyond the scope of the embodiments of the present invention.
The various illustrative logical blocks, or units, or devices described in the embodiments of the invention may be implemented or performed with a general purpose processor, a digital signal processor, an Application Specific Integrated Circuit (ASIC), a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described. A general purpose processor may be a microprocessor, but in the alternative, the general purpose processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a digital signal processor and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other similar configuration.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. In an example, a storage medium may be coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC, which may reside in a user terminal. In the alternative, the processor and the storage medium may reside as distinct components in a user terminal.
In one or more exemplary designs, the above-described functions of embodiments of the present invention may be implemented in hardware, software, firmware, or any combination of the three. If implemented in software, the functions may be stored on a computer-readable medium or transmitted as one or more instructions or code on the computer-readable medium. Computer-readable media include both computer storage media and communication media that facilitate transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer. For example, such computer-readable media may include, but are not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that may be used to carry or store program code in the form of instructions or data structures and that can be read by a general or special purpose computer or a general or special purpose processor. Further, any connection is properly termed a computer-readable medium; for example, if the software is transmitted from a website, server or other remote source via coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio and microwave, then those are also included in the definition of computer-readable medium. Disk and disc, as used here, include compact disc, laser disc, optical disc, DVD, floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above may also be included within the computer-readable media.
Claims (8)
1. A device security management method, comprising:
Collecting equipment information from each management system, and determining the equipment type of the equipment according to the management system corresponding to the equipment information;
determining equipment deployment abnormality according to the strategy base line corresponding to the equipment type and the equipment information;
Generating an optimization script according to the equipment deployment abnormality;
running the optimization script to generate a script running result;
the device information includes a last communication time;
determining equipment deployment abnormality according to the strategy base line corresponding to the equipment type and the equipment information comprises the following steps:
determining active equipment according to a preset liveness threshold value and the last communication time of the equipment;
determining equipment deployment abnormality according to a strategy baseline corresponding to the equipment type of the active equipment and equipment information of the active equipment;
analyzing whether the equipment is brought into a related management system for management by using the equipment information and the corresponding policy base line, analyzing equipment policy deployment conditions, identifying equipment which is not brought into the management system to be managed, and identifying a single equipment missing policy as risk:
acquiring a full-scale equipment list of a strategy to be deployed according to the strategy base line and the strategy white list; identifying equipment with problems in strategy deployment by utilizing strategy deployment conditions of equipment in an equipment information verification list in an equipment information fingerprint library;
matching the policy of the device with a policy baseline and a policy white list through the device information in the device information fingerprint library: and identifying that a strategy blind spot exists when the management system corresponding to the equipment does not accord with the baseline.
2. The device security management method according to claim 1, further comprising:
Comparing the equipment information collected by each management system to determine equipment association anomalies;
Carrying out historical trend analysis on the equipment information to obtain equipment index abnormality;
Generating an optimization script according to the device deployment exception further includes:
And generating the optimization script according to the equipment deployment abnormality, the equipment association abnormality and the equipment index abnormality.
3. The device security management method according to claim 1, further comprising:
Generating a device management notification according to the script operation result and the device deployment abnormality;
and sending the equipment management notification to a maintenance mechanism corresponding to the equipment.
4. A device security management system, comprising:
the device type determining unit is used for collecting device information from each management system and determining the device type of the device according to the management system corresponding to the device information;
The equipment abnormality determining unit is used for determining equipment deployment abnormality according to the strategy base line corresponding to the equipment type and the equipment information;
the script generation unit is used for generating an optimization script according to the equipment deployment abnormality;
The script running unit is used for running the optimization script and generating a script running result;
the device information includes a last communication time;
the equipment abnormality determining unit is specifically configured to:
determining active equipment according to a preset liveness threshold value and the last communication time of the equipment;
determining equipment deployment abnormality according to a strategy baseline corresponding to the equipment type of the active equipment and equipment information of the active equipment;
analyzing whether the equipment is brought into a related management system for management by using the equipment information and the corresponding policy base line, analyzing equipment policy deployment conditions, identifying equipment which is not brought into the management system to be managed, and identifying a single equipment missing policy as risk:
acquiring a full-scale equipment list of a strategy to be deployed according to the strategy base line and the strategy white list; identifying equipment with problems in strategy deployment by utilizing strategy deployment conditions of equipment in an equipment information verification list in an equipment information fingerprint library;
matching the policy of the device with a policy baseline and a policy white list through the device information in the device information fingerprint library: and identifying that a strategy blind spot exists when the management system corresponding to the equipment does not accord with the baseline.
5. The apparatus security management system according to claim 4, wherein the apparatus abnormality determination unit is further configured to:
Comparing the equipment information collected by each management system to determine equipment association anomalies;
Carrying out historical trend analysis on the equipment information to obtain equipment index abnormality;
The script generation unit is further configured to:
And generating the optimization script according to the equipment deployment abnormality, the equipment association abnormality and the equipment index abnormality.
6. The device security management system of claim 4, further comprising:
a notification generation unit, configured to generate a device management notification according to the script operation result and the device deployment abnormality;
And the notification sending unit is used for sending the equipment management notification to the maintenance mechanism corresponding to the equipment.
7. A computer device comprising a memory, a processor and a computer program stored on the memory and running on the processor, characterized in that the processor implements the steps of the device security management method of any of claims 1 to 3 when the computer program is executed by the processor.
8. A computer readable storage medium having stored thereon a computer program, characterized in that the computer program when executed by a processor implements the steps of the device security management method of any of claims 1 to 3.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110016967.9A CN112733147B (en) | 2021-01-07 | 2021-01-07 | Equipment security management method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112733147A CN112733147A (en) | 2021-04-30 |
CN112733147B true CN112733147B (en) | 2024-05-17 |
Family
ID=75590966
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112733147B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113515751A (en) * | 2021-09-13 | 2021-10-19 | 富通云腾科技有限公司 | Deployment analysis platform based on modular software |
CN115235638A (en) * | 2022-06-28 | 2022-10-25 | 上海自动化仪表有限公司 | A kind of distributed steelmaking furnace temperature measurement method, device, electronic equipment and medium |
CN116318783B (en) * | 2022-12-05 | 2023-08-22 | 浙江大学 | Network industrial control equipment safety monitoring method and device based on safety index |
CN116165939A (en) * | 2023-02-08 | 2023-05-26 | 无锡骏祥工业自动化有限公司 | Remote supervision system and method for environmental protection equipment based on big data |
CN116318934A (en) * | 2023-03-06 | 2023-06-23 | 广东电网有限责任公司 | Security early warning method and system based on behavior modeling of Internet of things equipment |
CN116562627A (en) * | 2023-05-19 | 2023-08-08 | 中国电信股份有限公司湖州分公司 | A security risk management method, system, equipment, medium and product |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107194256A (en) * | 2017-03-21 | 2017-09-22 | 北京神州泰岳信息安全技术有限公司 | Riskless asset baseline reinforcement means and device |
CN107689954A (en) * | 2017-08-21 | 2018-02-13 | 国家电网公司 | Power information system monitoring method and device |
CN108933672A (en) * | 2017-05-25 | 2018-12-04 | 中兴通讯股份有限公司 | A kind of policing rule script configuration method, apparatus and system |
CN111078490A (en) * | 2019-10-11 | 2020-04-28 | 广西电网有限责任公司信息中心 | Server safety guarantee method and system based on monitoring analysis of operating system |
CN111176755A (en) * | 2019-12-25 | 2020-05-19 | 哈尔滨安天科技集团股份有限公司 | Cloud security policy configuration method and system, electronic device and storage medium |
CN111600740A (en) * | 2020-04-02 | 2020-08-28 | 深圳市国电科技通信有限公司 | Remote operation and maintenance management system and method |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9996331B1 (en) * | 2016-12-02 | 2018-06-12 | Vmware, Inc. | Customized application state transition |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |