Disclosure of Invention
The invention mainly aims to provide a network data auditing method and device to solve the problem of low network security in the prior art.
In view of the above problem, in a first aspect, the present invention provides a network data auditing method, including the following steps:
if network data of the access equipment are acquired, extracting N groups of data to be verified from the network data, where each group of data to be verified comprises at least two pieces of key information and the association relationship between all the key information, each group of data to be verified is different, each piece of key information in each group of data to be verified is different, and N is a positive integer;
auditing each piece of key information and the association relationship respectively based on a pre-constructed audit model to obtain an audit result;
and if the audit result indicates failure, protecting the network.
Further, in the method, the auditing each piece of the key information and the association relation based on a pre-established auditing model to obtain an auditing result includes:
comparing each piece of key information with independent verification information preset in the audit model to obtain a first comparison result, and comparing the key information with associated verification information preset in the audit model to obtain a second comparison result;
if the first comparison result and the second comparison result both represent matching, obtaining an audit result representing passing;
and if the first comparison result and/or the second comparison result indicates a mismatch, obtaining an audit result indicating failure.
Further, in the above method, one of the N sets of data to be verified includes two pieces of the key information, where the first key information is an identity and the second key information is a source address; the identity identification comprises a user identification and/or an access equipment identification;
correspondingly, the individual verification information comprises a verification identity or a verification source address; the verification identity comprises a user verification identity and/or an access device verification identity.
Further, the method described above further includes:
and if the audit result indicates failure, tracing the user according to the user identification, and/or tracing the use information of the access equipment according to the access equipment identification.
Further, in the above method, the process of constructing the audit model includes:
processing the original information corresponding to each individual verification information to obtain processing information with uniqueness and/or anti-counterfeiting property as the individual verification information;
and performing association processing on all the individual verification information to obtain the associated verification information.
Further, in the above method, the associating all the individual verification information includes:
and binding all the individual verification information, and/or embedding the individual verification information in one another in plaintext and/or ciphertext form.
Further, in the method, before the auditing the key information and/or the association relation based on the pre-established auditing model to obtain the auditing result, the method further includes:
if the N is greater than or equal to 2, determining the security level of the network;
and determining the number of the groups of the data to be verified according to the security level of the network.
Further, in the method, the security level of the network is preset, or the security level of the network is determined according to the N.
Further, in the method, the determining, according to the security level of the network, the number of groups of the data to be verified is selected includes:
if the security level of the network is lower than a preset level, randomly selecting a group of data to be verified;
and if the network security level is greater than or equal to the preset level, at least two groups of data to be verified are randomly selected.
In a second aspect, the present invention provides a network data auditing apparatus, including:
the extraction module is used for extracting N groups of data to be verified from the network data if the network data of the access equipment is acquired, where each group of data to be verified comprises at least two pieces of key information and the association relationship between all the key information, each group of data to be verified is different, each piece of key information in each group of data to be verified is different, and N is a positive integer;
the auditing module is used for auditing each piece of key information and the association relationship respectively based on a pre-constructed audit model to obtain an audit result;
and the protection module is used for protecting the network if the audit result indicates failure.
Compared with the prior art, one or more embodiments in the above scheme can have the following advantages or beneficial effects:
by applying the network data auditing method and device, N groups of data to be verified are extracted from the network data when the network data of the access equipment is acquired; each piece of key information in each group of data to be verified, and the association relationship between all the key information, is audited based on a pre-constructed audit model; and the network is protected when the obtained audit result indicates failure, so that the network is protected on the basis of an audit result obtained after a plurality of data items have been verified. By adopting the technical scheme of the invention, the accuracy of the audit result for the network data can be improved, the occurrence of network security events can be reduced, and network security can be further improved.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Detailed Description
The following detailed description of the embodiments of the present invention will be provided with reference to the drawings and examples, so that how to apply the technical means to solve the technical problems and achieve the technical effects can be fully understood and implemented. It should be noted that, as long as there is no conflict, the embodiments and the features of the embodiments of the present invention may be combined with each other, and the technical solutions formed are within the scope of the present invention.
In order to solve the technical problems in the prior art, an embodiment of the present invention provides a network data auditing method.
Fig. 1 is a flowchart of a first embodiment of a network data auditing method according to the present invention, and referring to fig. 1, the network data auditing method according to this embodiment includes the following steps:
100. if the network data of the access equipment is acquired, extracting N groups of data to be verified from the network data;
in a specific implementation process, network data when the access device accesses a network may be acquired, the network data may be analyzed, and N groups of data to be verified may be extracted from the network data, where N is a positive integer. In this embodiment, each set of data to be verified includes at least two pieces of key information and an association relationship between all pieces of key information, each set of data to be verified is different, and each piece of key information in each set of data to be verified is different.
101. Auditing each piece of key information and the association relationship between all the key information respectively based on a pre-constructed audit model to obtain an audit result;
in one specific implementation, the pre-constructed audit model may be constructed in the network layer as follows:
A. processing the original information corresponding to each individual verification information to obtain processing information with uniqueness and/or anti-counterfeiting property as individual verification information;
specifically, a designated field of the original information corresponding to each piece of individual verification information may be processed, for example by signing it or by computing over it with a dedicated algorithm, so that the original information acquires uniqueness and/or an anti-counterfeiting property; the processed information obtained in this way is then stored as that piece of individual verification information.
For example, in this embodiment, one group of data to be verified among the N groups includes two pieces of key information, where the first piece of key information is an identity identifier, which includes a user identifier and/or an access device identifier, and the second piece of key information is the source address. Correspondingly, the individual verification information comprises a verification identity or a verification source address, and the verification identity includes a user verification identity and/or an access device verification identity. Signature processing can be applied to the relevant fields, such as the identifier and the source address, so that the identifier and the source address acquire uniqueness and/or an anti-counterfeiting property.
B. And performing association processing on all the individual verification information to obtain associated verification information.
In a specific implementation process, all the individual verification information may be bound according to an out-of-packet association principle: for example, an association table may be established, and each piece of individual verification information associated in sequence. The out-of-packet association principle can be understood as a parallel relationship between the pieces of individual verification information.
In this embodiment, according to an intra-packet association principle, all the individual verification information may instead be embedded, for example in plaintext and/or ciphertext form. Specifically, at least one piece of individual verification information may be processed into plaintext and/or ciphertext and then embedded in another piece of individual verification information. The intra-packet association principle can be understood as a dependency relationship between the pieces of individual verification information.
In practical application, a user can construct the required audit model in the network layer in advance according to their own requirements, following the model construction process above, so the audit model is readily extensible.
Specifically, each piece of key information may be compared with individual verification information preset in the audit model to obtain a first comparison result, and the key information may be compared with associated verification information preset in the audit model to obtain a second comparison result; if the first comparison result and the second comparison result both represent matching, obtaining an audit result representing passing; and if the first comparison result and/or the second comparison result show no match, obtaining an audit result showing failure.
For example, a keyword comparison may be performed between the user identifier and the user verification identifier to determine whether the two match; in this embodiment the user identifier and the user verification identifier are preferably considered to match only when they are completely identical, and otherwise not to match. Similarly, the access device identifier can be compared with the access device verification identifier to judge whether they match, and the source address can be compared with the verification source address to judge whether they match. If the first comparison result and the second comparison result both indicate a match, an audit result indicating passing is obtained and no network attack is present; if the first comparison result and/or the second comparison result indicates a mismatch, an audit result indicating failure is obtained and a network attack is present.
In this embodiment, because each piece of key information and the association relationship between all the key information are audited, an attacker who attacks the network must crack, tamper with or forge every item in the data to be verified. Cracking all of the data is considerably harder for the attacker, so attackers are effectively deterred and the occurrence of network security events is reduced.
102. And if the obtained audit result indicates failure, protecting the network.
In this embodiment, if the obtained audit result indicates failure, a network attack is present and the network needs to be protected. For example, once the attacker's identity is known from the audit, filtering based on that identity can be applied directly so that the attacker cannot access the network; and once the source address in the network data is known not to match the verification source address, packet interception can be carried out.
According to the network data auditing method, if the network data of the access equipment is acquired, N groups of data to be verified are extracted from the network data; each piece of key information in each group of data to be verified, and the association relationship between all the key information, is audited based on a pre-constructed audit model; and the network is protected when the obtained audit result indicates failure, so that the network is protected on the basis of an audit result obtained after a plurality of data items have been verified. By adopting the technical scheme of the invention, the accuracy of the audit result for the network data can be improved, the occurrence of network security events can be reduced, and network security can be further improved.
Further, in the above embodiment, if the obtained audit result indicates failure, the user may be traced according to the user identifier, and/or the use information of the access device may be traced according to the access device identifier. Thus, when an attacker is found, the use information of the attacker and/or of the equipment used by the attacker can be traced, and the attacker can ultimately be tracked down.
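The following is an added worked example of steps 100 to 102 together with the tracing step above; it is not code from the patent. It assumes that "signing" a field means computing an HMAC-SHA256 tag over it under a key held by the audit model (the page only says the fields are signed or processed by a special algorithm), that the associated verification information is one tag computed over the bound individual tags (the embedding variant), and that the access device's traffic is available as a record with the constructed fields user_id, device_id, src and assoc. MODEL_KEY, the field names and the sample values are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress

# Assumption: the audit model holds a secret key and "signing" a field means computing
# an HMAC-SHA256 tag over it. The key, field names and sample values are constructed.
MODEL_KEY = b"constructed-audit-model-key"
KEY_FIELDS = ("user_id", "device_id", "source_addr")


def process_field(field: str, value: str) -> str:
    """Step A: one piece of individual verification information. The tag is unique per
    value and cannot be reproduced without MODEL_KEY (anti-counterfeiting property)."""
    return hmac.new(MODEL_KEY, f"{field}={value}".encode(), hashlib.sha256).hexdigest()


def associate(individual: dict) -> str:
    """Step B: bind the individual tags in a fixed order (the association table) and
    embed them into a single tag (ciphertext-style embedding), so the associated
    verification information depends on every piece at once."""
    bound = "|".join(f"{field}:{individual[field]}" for field in KEY_FIELDS)
    return hmac.new(MODEL_KEY, bound.encode(), hashlib.sha256).hexdigest()


def build_audit_model(user_id: str, device_id: str, source_addr: str) -> dict:
    """Pre-construct the audit model for one identity / source-address group."""
    individual = {
        "user_id": process_field("user_id", user_id),
        "device_id": process_field("device_id", device_id),
        # canonicalise the address so equivalent spellings (e.g. IPv6) compare equal
        "source_addr": process_field("source_addr", str(ipaddress.ip_address(source_addr))),
    }
    return {"individual": individual, "associated": associate(individual)}


def extract_group(network_data: dict) -> dict:
    """Step 100: one group of data to be verified taken from a (constructed) record of
    the access device's traffic: identity, source address and the association value
    the device carries with them."""
    return {
        "user_id": network_data["user_id"],
        "device_id": network_data["device_id"],
        "source_addr": str(ipaddress.ip_address(network_data["src"])),
        "association": network_data["assoc"],
    }


def audit(model: dict, group: dict) -> dict:
    """Step 101. First comparison: every key field against its individual verification
    information. Second comparison: the carried association against the associated
    verification information. The result passes only when both match."""
    first = {
        field: hmac.compare_digest(process_field(field, group[field]), model["individual"][field])
        for field in KEY_FIELDS
    }
    second = hmac.compare_digest(group["association"], model["associated"])
    return {"first": first, "second": second, "passed": all(first.values()) and second}


def protect(result: dict, group: dict) -> list:
    """Step 102 plus tracing: identity-based filtering when the identity does not match,
    packet interception when the source address does not match, and the identifiers
    needed to trace the user and the access device on every failure."""
    if result["passed"]:
        return []
    actions = []
    if not (result["first"]["user_id"] and result["first"]["device_id"]):
        actions.append(("filter_identity", group["user_id"], group["device_id"]))
    if not result["first"]["source_addr"]:
        actions.append(("intercept_packet", group["source_addr"]))
    if not result["second"]:
        actions.append(("reject_association", group["association"]))
    actions.append(("trace", group["user_id"], group["device_id"]))
    return actions


if __name__ == "__main__":
    model = build_audit_model("alice", "dev-7f3a", "10.0.0.5")
    genuine = {"user_id": "alice", "device_id": "dev-7f3a", "src": "10.0.0.5", "assoc": model["associated"]}
    spoofed = dict(genuine, src="10.0.0.99")  # same identity, forged source address
    for record in (genuine, spoofed):
        group = extract_group(record)
        result = audit(model, group)
        print(result["passed"], protect(result, group))
```

One caveat that follows from the page's own design: the associated verification information is a preset constant, so an attacker who captures one genuine record also obtains a valid association value, and the second comparison then only catches tampering with that field. What forces the attacker to get every item right is the first comparison over each signed field; if the second comparison is to do independent work, the carried association must be bound to something that cannot be replayed (a per-session nonce or a key held by the access device), which the page leaves open.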
In practical application, if two or more groups of data to be verified exist, auditing the association relationship between the key information in every group and all the key information takes a long time; since a single group of data to be verified already gives a good protection effect, in this implementation one group may be selected at random and the association relationship between the key information in the selected group and all the key information audited. However, if the security level of the network to be protected is high, auditing only one randomly selected group, although it still provides a good protection effect, leaves a considerable security risk.
Fig. 2 is a flowchart of a second embodiment of the network data auditing method of the present invention, and referring to fig. 2, the network data auditing method of the present embodiment further describes the technical solution of the present invention in more detail on the basis of the above embodiment, and the network data auditing method implemented in the present embodiment may specifically include the following steps:
200. if the network data of the access equipment is acquired, extracting N groups of data to be verified from the network data;
201. if N is greater than or equal to 2, determining the security level of the network;
wherein the security level of the network is preset, or the security level of the network is determined according to the number of N.
For example, the user may set the security level of the network according to actual needs. If the user does not set the security level of the network, it can be determined from the number of groups of data to be verified that the user has set: if 1 or 2 groups are set, the security level of the network is relatively low and a lower level value is obtained; if 3 or more groups are set, the security level of the network is higher and a higher level value is obtained.
202. Determining the number of groups of selected data to be verified according to the security level of the network;
specifically, if the security level of the network is lower than a preset level, one group of data to be verified is randomly selected; if the security level of the network is greater than or equal to the preset level, at least two groups of data to be verified are randomly selected. Thus, when the security level of the network is low, auditing efficiency takes priority and one group of data to be verified may be randomly selected; when the security level of the network is high, accuracy of the audit result takes priority and at least two groups may be randomly selected, the number of groups preferably increasing with the security level value, so that auditing efficiency is still taken into account.
203. Auditing each piece of key information and the association relationship between all the key information respectively based on a pre-constructed audit model to obtain an audit result;
204. and if the obtained audit result indicates failure, protecting the network.
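The following is an added example of steps 201 to 204 of the second embodiment, not code from the patent. It assumes security levels are small integers from 1 (lowest) to 3 (highest) and that the preset level separating "audit one group" from "audit several" is 2; the page fixes neither the scale nor the threshold. The per-group audit itself is passed in as a callback, so the example only shows the selection logic. It also goes one step beyond the text by computing the probability that partially forged data slips past a random selection, which is the hazard the text gestures at when it says one random group leaves a risk for high-security networks.

```python
import secrets
from math import comb
from typing import Callable, List, Optional, Sequence

# Assumption: security levels are 1 (lowest) .. 3 (highest) and the preset threshold
# level is 2. Neither value is given by the page.
PRESET_LEVEL = 2


def security_level(n_groups: int, preset: Optional[int] = None) -> int:
    """Step 201: a preset level wins; otherwise derive the level from N as the second
    embodiment does (1 or 2 groups -> low, 3 or more -> high)."""
    if preset is not None:
        return preset
    return 1 if n_groups <= 2 else 3


def groups_to_audit(n_groups: int, level: int) -> int:
    """Step 202: below the preset level audit one random group; at or above it audit at
    least two, growing with the level value but never more than the N available."""
    if n_groups < 2:
        return n_groups
    if level < PRESET_LEVEL:
        return 1
    return min(n_groups, max(2, level))


def select_groups(groups: Sequence, level: int) -> List:
    """Choose the groups with an OS-backed RNG so an attacker cannot predict which
    groups will be audited (a seeded random.random() would be guessable)."""
    return secrets.SystemRandom().sample(list(groups), groups_to_audit(len(groups), level))


def audit_selected(groups: Sequence, level: int, audit_one: Callable[[object], bool]) -> bool:
    """Steps 203-204 over the selected groups: any failing group fails the audit."""
    return all(audit_one(group) for group in select_groups(groups, level))


def forgery_pass_probability(n_groups: int, forged_ok: int, level: int) -> float:
    """Chance that data which is correct in only `forged_ok` of the N groups passes when
    the m audited groups are chosen uniformly at random: C(forged_ok, m) / C(N, m)."""
    m = groups_to_audit(n_groups, level)
    if forged_ok < m:
        return 0.0
    return comb(forged_ok, m) / comb(n_groups, m)


if __name__ == "__main__":
    groups = [f"group-{i}" for i in range(4)]  # constructed: four groups to be verified
    for level in (1, 2, 3):
        # how many groups are audited, and how often a forgery correct in 3 of 4 passes
        print(level, groups_to_audit(len(groups), level), forgery_pass_probability(len(groups), 3, level))
    # outcome varies from run to run at level 3: three of the four groups are sampled
    print(audit_selected(groups, security_level(len(groups)), lambda g: g != "group-3"))
```

With four groups of which an attacker has forged three correctly, a single random group passes the forgery three times out of four, while auditing three groups at level 3 passes it only once in four; only auditing all N groups brings the chance to zero, which is the efficiency-versus-accuracy trade-off step 202 is making explicit.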
It should be noted that the method of the embodiment of the present invention may be executed by a single device, such as a computer or a server. The method of the embodiment can also be applied to a distributed scene and completed by the mutual cooperation of a plurality of devices. In the case of such a distributed scenario, one of the multiple devices may only perform one or more steps of the method according to the embodiment of the present invention, and the multiple devices interact with each other to complete the method.
In order to solve the technical problems in the prior art, an embodiment of the present invention provides a network data auditing apparatus.
Fig. 3 is a schematic structural diagram of a first embodiment of the network data auditing apparatus of the present invention, and as shown in fig. 3, the network data auditing apparatus of the present embodiment includes an extraction module 30, an auditing module 31, and a protection module 32.
The extraction module 30 is configured to extract N groups of data to be verified from the network data if the network data of the access device is acquired, where each group of data to be verified comprises at least two pieces of key information and the association relationship between all the key information, each group of data to be verified is different, each piece of key information in each group of data to be verified is different, and N is a positive integer;
the auditing module 31 is used for auditing each piece of key information and the association relationship respectively based on a pre-constructed audit model to obtain an audit result;
in this embodiment, the process of constructing the audit model includes: processing the original information corresponding to each piece of individual verification information to obtain processing information with uniqueness and/or an anti-counterfeiting property as the individual verification information; and performing association processing on all the individual verification information to obtain the associated verification information. For example, binding processing is performed between all the individual verification information, and/or embedding processing is performed between all the individual verification information. When the individual verification information is embedded, it may be embedded in plaintext and/or ciphertext form.
After the extraction module 30 extracts at least one group of data to be verified from the network data, the auditing module 31 may compare each piece of key information with the individual verification information preset in the audit model to obtain a first comparison result, and compare the key information with the associated verification information preset in the audit model to obtain a second comparison result; if the first comparison result and the second comparison result both indicate a match, an audit result indicating passing is obtained; and if the first comparison result and/or the second comparison result indicates a mismatch, an audit result indicating failure is obtained.
And the protection module 32 is used for protecting the network if the audit result indicates failure.
In the network data auditing device of this embodiment, if the network data of the access equipment is acquired, N groups of data to be verified are extracted from the network data; each piece of key information in each group of data to be verified, and the association relationship between all the key information, is audited based on a pre-constructed audit model; and the network is protected when the obtained audit result indicates failure, so that the network is protected on the basis of an audit result obtained after a plurality of data items have been verified. By adopting the technical scheme of the invention, the accuracy of the audit result for the network data can be improved, the occurrence of network security events can be reduced, and network security can be further improved.
Further, in the above embodiment, the protection module 32 is further configured to trace the user according to the user identifier and/or trace the use information of the access device according to the access device identifier if the obtained audit result indicates failure. Thus, when an attacker is found, the use information of the attacker and/or of the equipment used by the attacker can be traced, and the attacker can ultimately be tracked down.
Fig. 4 is a schematic structural diagram of a second embodiment of the network data auditing apparatus according to the present invention, and as shown in fig. 4, the network data auditing apparatus according to the present embodiment may further include a determining module 33 in addition to the above-mentioned modules.
The determining module 33 is configured to determine a security level of the network if N is greater than or equal to 2, and to determine the number of groups of data to be verified to be selected according to the security level of the network.
Specifically, the security level of the network is preset, or the security level of the network is determined according to N. If the security level of the network is less than the preset level, randomly selecting a group of data to be verified; and if the network security level is greater than or equal to the preset level, at least two groups of data to be verified are randomly selected.
The apparatus of the foregoing embodiment is used to implement the corresponding method in the foregoing embodiment, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
In order to solve the technical problems in the prior art, an embodiment of the present invention provides a network data auditing apparatus.
Fig. 5 is a schematic structural diagram of an embodiment of the network data auditing apparatus according to the present invention, and as shown in fig. 5, the network data auditing apparatus according to the embodiment of the present invention includes a storage medium 51 and a processor 50, where the storage medium 51 stores a computer program, and the computer program implements the steps of the method when executed by the processor 50.
In order to solve the above technical problems in the prior art, embodiments of the present invention provide a storage medium.
The storage medium provided by the embodiment of the invention stores a computer program thereon, and the computer program realizes the steps of the method when being executed by a processor.
It is understood that the same or similar parts in the above embodiments may be mutually referred to, and the same or similar parts in other embodiments may be referred to for the content which is not described in detail in some embodiments.
It should be noted that the terms "first," "second," and the like in the description of the present invention are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. Further, in the description of the present invention, the meaning of "a plurality" means at least two unless otherwise specified.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although the embodiments of the present invention have been described above, the above description is only for the convenience of understanding the present invention, and is not intended to limit the present invention. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.