CN-121808759-B - Secret-related terminal real-time behavior supervision system based on multi-factor identity authentication

Abstract

The invention discloses a secret-related terminal real-time behavior supervision system based on multi-factor identity authentication, and relates to the technical field of information security. The system comprises an identity authentication unit, a terminal probe unit, an attack secret-stealing tracing analysis unit and a behavior supervision association analysis unit. By collecting terminal identity, environment, process and network connection logs and performing spatio-temporal association analysis against network-side attack alarms, the system can rapidly locate the specific secret-related terminal, and the user operating it, when a network attack is discovered. By deeply correlating the multi-factor authentication and real-time behavior monitoring of the secret-related terminal with network attack detection, the invention solves the problem that terminal security data and network security data are split from each other, and realizes accurate tracing from a network attack alarm to the specific responsible person and the on-site environmental evidence.

Inventors

  • YAN YI
  • GAO PENG

Assignees

  • 西安恒安信电子信息技术有限公司

Dates

Publication Date
20260508
Application Date
20260310

Claims (6)

  1. A secret-related terminal real-time behavior supervision system based on multi-factor identity authentication, characterized in that it comprises: an identity authentication unit, used for carrying out multi-factor identity authentication on the user, continuously monitoring the environment in front of the terminal after authentication succeeds, and generating and uploading an environment alarm log when illegal behavior is identified; a terminal probe unit, used for collecting process information of the secret-related terminal and a network connection log, wherein the network connection log comprises the IP address of the secret-related terminal, the destination address of the connection and the connection time; an attack secret-stealing tracing analysis unit, used for carrying out full-flow storage and monitoring of network traffic, detecting attack and secret-stealing behavior based on threat intelligence, and generating a network attack alarm log containing event time, source address, destination address and attack characteristics; and a behavior supervision association analysis unit, used for associating the network attack alarm log with the network connection log, which specifically comprises the following steps: searching the network connection log, according to the destination address and event time in the network attack alarm log, for a connection record that has the same destination address and matches in time, and determining the target secret-related terminal that sent the network attack traffic; associating the environment alarm log and user identity information of the target secret-related terminal before and after the event time, and generating and outputting high-risk event alarm information when an environment alarm exists; wherein associating the network attack alarm log with the network connection log specifically comprises: defining an associated time window with the event time in the network attack alarm log as the reference; searching the network connection log for records whose destination address matches and whose connection time falls within the associated time window; and determining the secret-related terminal to which the source IP address of the matching record belongs as the target secret-related terminal; associating the environment alarm log and user identity information of the target secret-related terminal specifically comprises: defining a tracing time window, wider than the associated time window, with the event time in the network attack alarm log as the reference; extracting all environment alarm logs of the target secret-related terminal within the tracing time window; and classifying the extracted environment alarm logs by type and accumulating them with weights according to the basic risk value and the temporal adjacency of each alarm type, to generate an environmental behavior risk score; the rule for generating high-risk event alarm information is: when the environmental behavior risk score exceeds a risk threshold, generating high-risk event alarm information, the content structure of which is dynamically adjusted according to the main environment alarm type; and generating and outputting high-risk event alarm information specifically comprises: aggregating the network attack alarm log, the network connection log of the target secret-related terminal, the corresponding process details, the environment alarm log snapshot of the target secret-related terminal and the user identity information into a tracing evidence chain in time order; the tracing evidence chain is displayed in a time-axis view and supports drill-down to view the associated original network traffic packet fragments.
  2. The secret-related terminal real-time behavior supervision system based on multi-factor identity authentication according to claim 1, wherein performing multi-factor identity authentication on a user specifically comprises: acquiring a face image through an intelligent perception module and extracting features; reading hardware certificate information through a USBkey; adopting a confidence fusion algorithm to make a fusion decision on the extracted face features and the read hardware certificate information; and when the fusion decision result exceeds a preset threshold value, judging that identity authentication passes.
  3. The secret-related terminal real-time behavior supervision system based on multi-factor identity authentication according to claim 2, wherein the rule by which the confidence fusion algorithm dynamically adjusts the weights comprises: when the illumination uniformity of the face image acquired by the intelligent perception module is lower than an illumination threshold value, reducing the fusion weight of the face feature confidence; and when the USBkey hardware certificate information is read normally but the number of consecutive authentication failures of the dynamic token reaches the failure threshold value, reducing the fusion weight of the hardware authentication factor.
  4. The secret-related terminal real-time behavior supervision system based on multi-factor identity authentication according to claim 1, wherein continuously monitoring the environment in front of the terminal and identifying illegal behavior specifically comprises: performing real-time target detection on the video stream acquired by the intelligent perception module through a pre-trained lightweight convolutional neural network model; and when the detection confidence output by the model for the second-face class or the shooting-device class exceeds the threshold of the corresponding class, judging that the corresponding illegal behavior exists.
  5. The secret-related terminal real-time behavior supervision system based on multi-factor identity authentication according to claim 1, wherein collecting a network connection log specifically comprises: collecting the five-tuple information of the network connection; collecting the process name, process hash value and parent process information corresponding to the network connection; and collecting the traffic volume and packet count of the network connection within the sampling period.
  6. The secret-related terminal real-time behavior supervision system based on multi-factor identity authentication according to claim 1, wherein after generating high-risk event alarm information, a linkage disposal instruction is executed automatically, specifically comprising: sending a screen-locking instruction to the identity authentication unit of the target secret-related terminal, triggering immediate screen locking; and sending a policy instruction to a firewall or switch on the network side to block subsequent communication between the target secret-related terminal and the destination address in the network attack alarm log.
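The association steps of claim 1 (match a network attack alarm to a connection record inside an associated time window, score the target terminal's environment alarms inside a wider tracing window with base-risk and time-adjacency weighting, and assemble a time-ordered evidence chain) worked through as an added example; this is illustrative code written for this page, not the patent's implementation, and the window sizes, base risk values, threshold, linear decay weighting and the sample logs are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed parameter values: the patent names the windows and threshold but gives no numbers
ASSOC_WINDOW = timedelta(seconds=30)   # associated time window around the alarm event time
TRACE_WINDOW = timedelta(minutes=10)   # wider tracing time window for environment alarms
RISK_THRESHOLD = 50.0
BASE_RISK = {"second_face": 40.0, "shooting_device": 60.0, "not_watching_screen": 10.0}

def find_connections(alarm, conn_logs):
    """Step 1: same destination address, connection time inside the associated window."""
    return [c for c in conn_logs
            if c["dst"] == alarm["dst"] and abs(c["time"] - alarm["time"]) <= ASSOC_WINDOW]

def env_alarms_in_trace_window(alarm, env_logs, terminal):
    return [e for e in env_logs
            if e["terminal"] == terminal and abs(e["time"] - alarm["time"]) <= TRACE_WINDOW]

def risk_score(alarm, env_alarms):
    """Step 2: base risk scaled by an adjacency weight (1 at event time, 0 at window edge)."""
    score, by_type = 0.0, defaultdict(float)
    for e in env_alarms:
        weight = 1.0 - abs(e["time"] - alarm["time"]) / TRACE_WINDOW
        by_type[e["type"]] += BASE_RISK[e["type"]] * weight
        score += BASE_RISK[e["type"]] * weight
    main_type = max(by_type, key=by_type.get) if by_type else None   # drives alarm content
    return score, main_type

def correlate(alarm, conn_logs, env_logs, users):
    """One high-risk event record per target terminal whose score exceeds the threshold."""
    events = []
    for conn in find_connections(alarm, conn_logs):
        terminal = conn["src"]                       # source IP identifies the terminal
        env = env_alarms_in_trace_window(alarm, env_logs, terminal)
        score, main_type = risk_score(alarm, env)
        if score > RISK_THRESHOLD:
            chain = sorted([alarm, conn, *env], key=lambda r: r["time"])   # evidence chain
            events.append({"terminal": terminal, "user": users.get(terminal), "score": score,
                           "main_alarm_type": main_type, "evidence_chain": chain})
    return events

# Constructed sample logs (not from the patent); the 09:30 connection is outside the window
T = datetime.fromisoformat
ALARM = {"time": T("2026-03-10T10:00:00"), "src": "192.0.2.1", "dst": "203.0.113.9", "feature": "exfil"}
CONN = [{"time": T("2026-03-10T09:59:50"), "src": "10.0.0.7", "dst": "203.0.113.9", "process": "upd.exe"},
        {"time": T("2026-03-10T09:30:00"), "src": "10.0.0.8", "dst": "203.0.113.9", "process": "curl"}]
ENV = [{"time": T("2026-03-10T09:58:00"), "terminal": "10.0.0.7", "type": "shooting_device"},
       {"time": T("2026-03-10T09:52:00"), "terminal": "10.0.0.7", "type": "second_face"}]
USERS = {"10.0.0.7": "operator-A"}
```

Calling `correlate(ALARM, CONN, ENV, USERS)` on the sample yields one event for 10.0.0.7 (score 48 + 8 = 56, main type shooting_device) with a four-entry chain ordered from the 09:52 environment alarm to the 10:00 network alarm.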

Description

Secret-related terminal real-time behavior supervision system based on multi-factor identity authentication

Technical Field

The invention relates to the technical field of information security, in particular to a secret-related terminal real-time behavior supervision system based on multi-factor identity authentication.

Background

The security system for a secret-related terminal is generally composed of several layers of technology. For physical access to the terminal and verification of the operator's identity, the common scheme is to deploy an independent identity authentication system: it completes identity authentication at user login by combining biometric recognition (such as the face) with a hardware token (such as a USB Key) and other multi-factor means, and during use it can monitor the environment in front of the terminal through a sensor, raising early warnings and locking the screen for visual risks such as the operator leaving the terminal, peeping and illegal photographing. At the network boundary and traffic monitoring level, a network threat detection and tracing system is generally deployed independently; by collecting and deeply analysing the full traffic at the network egress and using a threat intelligence base and detection models, it can promptly discover attack and secret-stealing behaviors such as scanning, penetration and outbound data transfer from the Internet or the internal network, and generate the corresponding security event alarms. Both technologies currently play an important role in their respective fields and together form part of a three-dimensional security protection.

The prior art is limited by the mutual splitting of terminal behavior monitoring and network attack detection in the security supervision of secret-related terminals. For example, when the network side detects secret-stealing attack traffic originating from the inside, the lack of effective association with the terminal's real-time behavior data makes it difficult to quickly determine which physical terminal the attack actually originates from and which logged-in user is actually operating it, and difficult to judge whether a high-risk environment, such as shoulder surfing by others or the use of shooting equipment, existed in front of the terminal when the event occurred. Security response therefore stays at the network layer, precise localisation and immediate disposal of the secret-leaking source terminal and the responsible person are difficult, the investigation and containment period of the event is prolonged, and effective discovery and blocking capability for secret-stealing behavior under internal collusion or misuse of user identities is lacking.

Disclosure of Invention

Aiming at the defects of the prior art, the invention provides a secret-related terminal real-time behavior supervision system based on multi-factor identity authentication, which solves the problems that, in the prior art, terminal behavior supervision and network attack detection are split from each other, and the secret-leaking source terminal and the responsible person are difficult to locate quickly and accurately and to handle immediately.

The invention is realized by the following technical scheme. The secret-related terminal real-time behavior supervision system based on multi-factor identity authentication comprises an identity authentication unit, a terminal probe unit, an attack secret-stealing tracing analysis unit and a behavior supervision association analysis unit. The identity authentication unit is used for carrying out multi-factor identity authentication on a user through an intelligent perception module and a USBkey, continuously monitoring the environment in front of the terminal after authentication succeeds, and generating and uploading an environment alarm log when it recognizes that a second face is present, that a shooting device is present, or that the authenticated user is not watching the screen. The terminal probe unit is used for acquiring process information of the secret-related terminal and a network connection log, the network connection log comprising the IP address of the secret-related terminal, the destination address of the connection and the connection time. The attack secret-stealing tracing analysis unit is used for carrying out full-flow storage and monitoring of network traffic, detecting attack and secret-stealing behaviors based on threat intelligence, and generating a network attack alarm log comprising event time, source address, destination address and attack characteristics. The behavior supervision association analysis unit is connected to the identity authentication unit, the terminal probe unit and the attack secret-stealing tracing analysis unit respectively, and is used for receiving the environment alarm log uploaded by the identity authentication unit and the corresponding to the net