CN107819787B - System and method for preventing illegal external connection of local area network computer - Google Patents

Info

Publication number: CN107819787B
Authority: CN (China)
Prior art keywords: unit, protection, monitoring, strategy, target list
Legal status: Active
Application number: CN201711239286.9A
Other languages: Chinese (zh)
Other versions: CN107819787A (en)
Inventors: 石军, 吴建辉, 刘伟, 匡琮
Current assignee: Shangqiu Power Supply Co of State Grid Henan Electric Power Co Ltd
Original assignee: Shangqiu Power Supply Co of State Grid Henan Electric Power Co Ltd
Priority date: 2017-11-30
Filing date: 2017-11-30
Publication date: 2018-03-20 (application CN107819787A); 2020-10-16 (grant CN107819787B)

Application filed by Shangqiu Power Supply Co of State Grid Henan Electric Power Co Ltd
Priority to CN201711239286.9A
Publication of CN107819787A
Application granted
Publication of CN107819787B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to the technical field of computer security, in particular to a method for preventing a local area network computer from making an illegal external connection, which comprises the following steps: the control unit sends an identity authentication request to the server side; the server configures a monitoring strategy and a protection strategy according to the identity authentication request and sends both to the control unit of the application program layer; the control unit of the application program layer forwards the monitoring strategy and the protection strategy to the monitoring unit and the protection unit respectively; the monitoring center unit calls the monitoring strategies of the monitoring unit and loads them into a target list, in which they are ordered according to the probability of triggering the protection unit; the file driving unit traverses the target list and intercepts messages from the target unit that match an entry in it; and the protection unit handles each intercepted message by cutting it off and terminating it. By using monitoring and protection strategies, and by having the protection unit intercept system processes and execute the corresponding protection strategy, the invention prevents illegal external connection of a local area network computer.

Description

System and method for preventing illegal external connection of local area network computer
Technical Field
The invention relates to the technical field of computer security, in particular to a system and a method for preventing a local area network computer from illegal external connection.
Background
Currently, some internal networks with high security requirements, such as the networks of government departments and military departments, are physically isolated from external networks such as the Internet in order to ensure their security. Physical isolation ensures that no physical link can exist between the external network and the internal network, cutting off the channel for information leakage. In practice, however, because the management system is incomplete or effective terminal monitoring technology is lacking, individual users on the internal network use telephone dial-up or plug-and-play Internet access devices to connect to the Internet for private purposes, and the physically isolated environment is breached. In addition, mixed use of a terminal on both the internal and the external network is common, so a hidden channel appears in the internal network; once this hidden channel is exploited by hackers or viruses, it can cause disclosure or degrade the performance of the information system. These actions are referred to as illegal external connections.
In an intranet implementing physical isolation, host terminals are the basic components of the information system, and they are widely distributed and numerous.
An illegal external connection opens a hidden channel between the originally closed system environment and an external network, exposing the internal network to security threats such as viruses, trojans, unauthorized access, data eavesdropping and brute-force cracking, so that information such as the network structure, server deployment and security protection measures is leaked, and even cross-security-domain and cross-network damage can be carried out.
In summary, it is necessary to build the fastest and most rigorous defensive capability from the ground up to reduce the risk of illegal external connection. On the one hand, security awareness must be improved; more importantly, a method is needed that effectively prevents illegal external connection of LAN computers.
Disclosure of Invention
The invention provides a system and a method for preventing illegal external connection of a local area network computer.
In order to achieve the technical purpose, the technical scheme adopted by the invention is as follows:
A method for preventing illegal external connection of a local area network computer, characterized in that the method comprises the following steps:
S01: a control unit of an application program layer sends an identity authentication request to a server side;
S02: according to the identity authentication request, the server configures a monitoring policy and a protection policy through a configuration unit, and sends the monitoring policy and the protection policy to the control unit of the application program layer;
S03: the control unit of the application program layer sends the monitoring strategy and the protection strategy to the monitoring unit and the protection unit respectively;
S04: the monitoring center unit calls the monitoring strategies of the monitoring unit and loads them into a target list, which is ordered according to the probability of triggering the protection unit;
S05: according to the target list, the file driving unit traverses and intercepts messages of the target unit that match the target list, where the messages are one or more of calls to a USB driver, a CD driver and a network card driver;
S06: the intercepted message is processed by the protection unit;
S07: after detecting the protection behavior of the protection unit, the control unit sends the corresponding abnormal information to an exception management unit, and the exception management unit counts the probability data for triggering the protection unit.
Further, the monitoring unit and the protection unit are an API HOOK module and a file driver module, respectively.
Furthermore, the file driving unit can monitor manual modification of the IP address or a change of the IP address obtained by DHCP, and feed back information about the IP address change to the protection unit, which can then intercept the operation of the corresponding system program.
A system for preventing illegal external connection of a local area network computer, characterized by comprising a server end and a client end, wherein
the server side includes:
an authentication unit for receiving an authentication request;
a configuration unit for configuring a monitoring strategy and a protection strategy according to the identity authentication request and sending them to the client;
the client comprises an application program layer and an operating system layer, wherein the application program layer comprises:
a control unit for receiving the monitoring strategy and the protection strategy from the configuration unit and sending them to the monitoring unit and the protection unit respectively; the control unit is also used for receiving protection data from the protection unit and forwarding it to the exception management unit, and for receiving and forwarding the probability data for triggering the protection unit;
a monitoring unit for storing the received monitoring strategy and forwarding it to the monitoring center unit;
a monitoring center unit for loading the target function into a target list;
a target list for storing the target functions that need monitoring and protection, arranged in order of the probability of triggering the protection unit;
a protection unit for terminating the processing of an intercepted target unit in accordance with the protection strategy, and for sending the protection data of that event to the control unit;
and an exception management unit for receiving the protection data and counting the probability data of triggering the protection unit for each.
The beneficial effects produced by the invention are as follows:
1. The invention adopts API HOOK technology and file driver technology at the bottom layer of Windows, and can block USB device access actions in real time at the kernel driver layer of the operating system, so that it is entirely unaffected by the registry, the USB driver or group policy and prevents connection to the Internet through a USB port.
2. The invention adds control of portable Wi-Fi and hotspot networks, keeps the blocking function current in real time for portable Wi-Fi or similar tools newly introduced to the market, manages the network behavior of the local area network, and protects computer security and the confidentiality of information.
3. The invention can read the computer's IP information from the kernel driver layer of the operating system; when the computer's IP address is changed by manual modification or DHCP acquisition, this is treated by default as an illegal external connection event and the computer's network card is disabled directly, thereby preventing a network security incident.
4. The target list adopted by the invention can be ordered according to the probability that the client triggers the protection unit, so that when a large-scale attack event occurs the matching target list does not need to be searched again repeatedly, and the protection strategy can be applied quickly.
Drawings
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a block diagram of the present invention.
In the figure: 1-server side, 2-client side, 3-application program layer, 4-operating system layer, 5-identity authentication unit, 6-configuration unit, 7-control unit, 8-monitoring unit, 9-protection unit, 10-monitoring center unit, 11-target list, 12-file driving unit, 13-target unit and 14-exception management unit.
Detailed Description
The invention will be described in more detail below with reference to the drawings and specific examples, but the scope of the invention is not limited thereto.
At present, common security protection means control USB storage devices or mobile devices by modifying the registry, modifying the USB driver or hiding the drive. These are often ineffective for controlling mobile phones, tablet computers and the like that connect to the Internet, because such devices use a USB interface for transmission but entirely different communication protocols, and with the help of third-party software it is difficult to deal with such devices effectively by modifying the registry, modifying the USB driver or hiding the drive. At the same time, such controls are easily bypassed by technicians who reverse the registry modification, repair the USB driver, or redisplay the hidden device by modifying group policy. Therefore, current domestic methods for limiting use of the USB port often suffer functional and security deficiencies and vulnerabilities, and cannot fully protect the computer's USB interface. The invention adopts HOOK technology and file driver technology at the lowest layer of Windows, and can block USB device access actions in real time at the kernel driver layer of the operating system, so that it is entirely unaffected by the registry, the USB driver or group policy and prevents connection to the Internet through a USB port.
As shown in FIG. 1 and FIG. 2, a method for preventing illegal external connection of a local area network computer includes the following steps:
S01: the control unit 7 of the application layer 3 sends an authentication request to the authentication unit 5 of the server 1;
S02: according to the identity authentication request, the server 1 configures a monitoring policy and a protection policy through the configuration unit 6 and sends them to the control unit 7 of the application layer 3;
S03: the control unit 7 of the application layer 3 sends the monitoring policy and the protection policy to the monitoring unit 8 and the protection unit 9 respectively;
S04: the monitoring center unit 10 calls the monitoring strategies of the monitoring unit 8 and loads them into the target list 11, in which they are ordered according to the probability of triggering the protection unit 9;
S05: according to the target list 11, the file driving unit 12 traverses and intercepts messages of the target unit 13 that match the target list 11, where the messages are one or more of calls to a USB driver, a CD driver and a network card driver;
S06: the intercepted message is processed by the protection unit 9;
S07: after detecting the protection behavior of the protection unit 9, the control unit 7 sends the corresponding abnormal information to the exception management unit 14, and the exception management unit 14 counts the probability data for triggering the protection unit 9.
Preferably, the monitoring unit 8 and the protection unit 9 are an API HOOK module and a file driver module, respectively. The API HOOK module receives the monitoring strategy and converts it into a DLL file, which is loaded into the target list 11; the target list 11 resides in the operating system layer 4, and all operation processes that call the USB driver, the CD driver or the network card driver are intercepted by means of the HOOK in the application layer, while related requests sent to the file system are intercepted in the file driver module and handled according to the protection strategy. The method of intercepting all operation processes that call the USB driver, the CD driver and the network card driver by means of the HOOK is as follows: the DLL file is loaded into the target list 11 and the call address in the DLL file is replaced by a user-defined function, that is, the function of the original system process is replaced by the user-defined function; if a call to the USB driver, the CD-ROM driver or the network card driver occurs, the function actually called is the user-defined function, so that the USB driver call is intercepted at its root, and the CD-ROM driver and the network card driver are handled in the same way.
Preferably, the file driving unit 12 can monitor manual modification of the IP address or a change of the IP address obtained by DHCP, feed back information about the IP address change to the protection unit 9, and the protection unit 9 can intercept the corresponding system program operation.
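Steps S04 to S07 and the IP-change handling above (the same procedure as in the Disclosure section), as an added user-space simulation in Python that is not the patent's own code, which runs as a Windows API HOOK and kernel file driver: the target list is traversed in order, each hit is handled by a simulated protection unit, and a simulated exception management unit counts triggers and re-sorts the list by trigger probability so that frequently hit entries are matched first (the effect described under beneficial effect 4). The message kinds, action names, process names and event trace are constructed for illustration.

```python
"""Constructed simulation of the client-side logic described in the patent:
a target list traversed in order (S05), a protection unit that applies the
strategy for a hit (S06) and an exception management unit that counts the
triggers and keeps the list sorted by trigger probability (S07).
Pure Python; nothing here hooks an API or touches a driver."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Message kinds reported by the simulated file driving unit.  The patent names
# calls to the USB, CD and network card drivers, plus IP address changes.
USB_DRIVER, CD_DRIVER, NIC_DRIVER = "usb_driver", "cd_driver", "nic_driver"
IP_CHANGED = "ip_changed"

# Protection strategy actions (constructed names): end the calling system
# process, or disable the network card, as the patent does on an IP change.
TERMINATE, DISABLE_NIC = "terminate_process", "disable_nic"

# Monitoring policy as delivered by the server (S02): the initial list order.
MONITORING_POLICY = [NIC_DRIVER, CD_DRIVER, USB_DRIVER, IP_CHANGED]
# Protection policy: which action applies to which target.
PROTECTION_POLICY = {NIC_DRIVER: TERMINATE, CD_DRIVER: TERMINATE,
                     USB_DRIVER: TERMINATE, IP_CHANGED: DISABLE_NIC}


@dataclass
class Message:
    kind: str        # which driver was called, or what changed
    process: str     # system process that issued the call (constructed)
    detail: str = ""


@dataclass
class TargetEntry:
    kind: str
    action: str
    triggers: int = 0    # maintained by the exception management unit


class PolicyEngine:
    def __init__(self, monitoring: List[str], protection: Dict[str, str],
                 reorder: bool = True):
        # S03/S04: load the monitoring policy into the target list.
        self.target_list = [TargetEntry(k, protection[k]) for k in monitoring]
        self.reorder = reorder           # False models a static list, for comparison
        self.total_triggers = 0
        self.comparisons = 0             # cost of traversing the list in S05
        self.protection_data: List[dict] = []   # records passed to the control unit

    def handle(self, msg: Message) -> Optional[str]:
        """S05 to S07 for one intercepted message; returns the action taken or None."""
        for entry in self.target_list:
            self.comparisons += 1
            if entry.kind != msg.kind:
                continue
            # S06: the protection unit applies the strategy for this target.
            self.protection_data.append(
                {"kind": msg.kind, "process": msg.process, "action": entry.action})
            # S07: the exception management unit counts the trigger and re-ranks.
            entry.triggers += 1
            self.total_triggers += 1
            if self.reorder:
                # Stable sort: entries never triggered keep the policy order.
                self.target_list.sort(key=lambda e: e.triggers, reverse=True)
            return entry.action
        return None      # not a monitored target: the call proceeds untouched

    def trigger_probabilities(self) -> Dict[str, float]:
        """Share of all triggers per target, the 'probability data' of S07."""
        total = self.total_triggers or 1
        return {e.kind: e.triggers / total for e in self.target_list}


def constructed_events() -> List[Message]:
    """Constructed trace: a burst of USB tethering attempts, two network card
    calls, one IP change and one call to a driver that is not in the list."""
    events = [Message(USB_DRIVER, "svchost.exe", "USB virtual network card")
              for _ in range(20)]
    events += [Message(NIC_DRIVER, "netsh.exe") for _ in range(2)]
    events.append(Message(IP_CHANGED, "dhcp-client", "10.1.2.3 -> 192.168.43.17"))
    events.append(Message("keyboard_driver", "explorer.exe"))
    return events


def simulate(events: List[Message], reorder: bool = True):
    """Run one engine over the trace; returns (engine, actions taken per event)."""
    engine = PolicyEngine(MONITORING_POLICY, PROTECTION_POLICY, reorder=reorder)
    return engine, [engine.handle(m) for m in events]


if __name__ == "__main__":
    adaptive, actions = simulate(constructed_events(), reorder=True)
    static, _ = simulate(constructed_events(), reorder=False)
    print("list order after trace:", [e.kind for e in adaptive.target_list])
    print("comparisons, adaptive vs static:", adaptive.comparisons, static.comparisons)
    print("trigger probabilities:", adaptive.trigger_probabilities())
```

Running the two engines over the same trace shows the re-ranked list needing 34 entry comparisons against 70 for the static policy order, while both apply identical actions.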
A system for preventing illegal external connection of local area network computers comprises a server end 1 and a client end 2. The server end 1 comprises: an authentication unit 5 for receiving an authentication request; and a configuration unit 6 for configuring a monitoring policy and a protection policy according to the authentication request and sending them to the client 2. The client 2 comprises an application program layer 3 and an operating system layer 4, wherein the application program layer 3 comprises: a control unit 7 for receiving the monitoring strategy and the protection strategy from the configuration unit 6 and sending them to the monitoring unit 8 and the protection unit 9 respectively, and also for receiving protection data from the protection unit 9 and forwarding it to the exception management unit 14, and for receiving and forwarding the probability data for triggering the protection unit 9; a monitoring unit 8 for storing the received monitoring strategies and forwarding them to the monitoring center unit 10; a monitoring center unit 10 for loading the target function into the target list 11; a target list 11 for storing the list of target functions that need to be monitored and protected, arranged in order of the probability of triggering the protection unit 9; a protection unit 9 for terminating the processing of an intercepted target unit 13 in accordance with the protection strategy and sending the protection data of that event to the control unit 7; and an exception management unit 14 configured to receive the protection data and count the probability data of triggering the protection unit 9 for each.
Preferably, the file driving unit 12 is further configured to monitor that the IP address has been modified manually or that a changed IP address has been obtained via DHCP, and to feed back information about the IP address change to the protection unit 9, which can then intercept the corresponding system program operation.
The invention can read the computer's IP information from the kernel driver layer of the operating system; when the computer's IP address is changed by manual modification or DHCP acquisition, this is treated by default as an illegal external connection event and the computer's network card is disabled directly, thereby preventing a network security incident.
The invention mainly controls the external interfaces of the local area network computer, forbids the computer from accessing the Internet through a mobile network card, a smartphone and the like, and prevents information leakage from the computer caused by illegal access and external connection. A protection program and a monitoring program are configured on the computer; when the configured computer tries to connect to the Internet through a mobile network card or a smartphone, the control program prevents the creation of the USB virtual network card and so prevents the illegal external connection; when the protection program detects an illegal event such as the local area network card being connected to the Internet, it disables the computer's network card so that it cannot be started, so that the computer's behavior does not affect other users of the network.
It should be noted that the above embodiments illustrate rather than limit the technical solutions of the present invention, and that equivalent substitutions or other modifications made by persons skilled in the art on the basis of the prior art fall within the scope of the claims of the present invention as long as they do not depart from the spirit and scope of its technical solutions.

Claims (2)

1. A method for preventing illegal external connection of a local area network computer, characterized in that the method comprises the following steps:
S01: a control unit of an application program layer sends an identity authentication request to a server side;
S02: according to the identity authentication request, the server configures a monitoring policy and a protection policy through a configuration unit, and sends the monitoring policy and the protection policy to the control unit of the application program layer;
S03: the control unit of the application program layer sends the monitoring strategy and the protection strategy to the monitoring unit and the protection unit respectively;
S04: the monitoring center unit calls the monitoring strategies of the monitoring unit and loads them into a target list, in which they are ordered according to the probability of triggering the protection unit;
S05: according to the target list, the file driving unit traverses and intercepts messages of the target unit that match the target list, where the messages are one or more of calls to a USB driver, a CD driver and a network card driver;
S06: the intercepted message is processed by the protection unit;
S07: after detecting the protection behavior of the protection unit, the control unit sends the corresponding abnormal information to an exception management unit, and the exception management unit counts the probability data for triggering the protection unit;
the monitoring unit and the protection unit are an API HOOK module and a file driving module, respectively;
the file driving unit can monitor manual modification of the IP address or a change of the IP address obtained by DHCP, and feed back information about the IP address change to the protection unit, which can then intercept the operation of the corresponding system program.
2. A system based on the method for preventing illegal external connection of a local area network computer, characterized by comprising a server side and a client side, wherein
the server side comprises an exception management unit, an identity verification unit and a configuration unit;
the exception management unit is used for receiving the protection data and counting the probability data of triggering the protection unit for each;
the identity authentication unit is used for receiving an identity authentication request;
the configuration unit is used for configuring a monitoring strategy and a protection strategy according to the identity authentication request and sending them to the client;
the client comprises an application program layer and an operating system layer:
the application layer comprises a control unit, a monitoring unit, a protection unit, a monitoring center unit and a target unit;
the control unit is used for receiving the monitoring strategy and the protection strategy from the configuration unit and sending them to the monitoring unit and the protection unit respectively; it is also used for receiving protection data from the protection unit and forwarding it to the exception management unit, and for receiving and forwarding the probability data for triggering the protection unit;
the monitoring unit is used for storing the received monitoring strategy and forwarding it to the monitoring center unit;
the protection unit is used for terminating the processing of an intercepted target unit in accordance with the protection strategy, and for sending the protection data to the control unit;
the monitoring center unit is used for loading the target function into a target list;
the operating system layer comprises a target list and a file driving unit;
the target list is used for storing the targets to be monitored and protected, arranged in order of the probability of triggering the protection unit;
the file driving unit can traverse the target list and intercept a message of the target unit that matches the target list, the message being one or more of calls to a USB driver, a CD driver and a network card driver; the file driving unit can also monitor that an IP address has been manually modified or that a changed IP address has been obtained via DHCP, feed the changed IP address back to the protection unit, and the protection unit can intercept the running of the corresponding system program.

Priority Applications (1)

Application Number   Priority Date   Filing Date   Title
CN201711239286.9A    2017-11-30      2017-11-30    System and method for preventing illegal external connection of local area network computer

Publications (2)

Publication Number   Publication Date
CN107819787A (en)    2018-03-20
CN107819787B (en)    2020-10-16

Family

ID=61605182

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant