CN110661791A - File reading system with safety isolation function - Google Patents

File reading system with safety isolation function Download PDF

Info

Publication number
CN110661791A
CN110661791A CN201910872164.6A CN201910872164A CN110661791A CN 110661791 A CN110661791 A CN 110661791A CN 201910872164 A CN201910872164 A CN 201910872164A CN 110661791 A CN110661791 A CN 110661791A
Authority
CN
China
Prior art keywords
controller
module
data
equipment
file format
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910872164.6A
Other languages
Chinese (zh)
Inventor
王刚
代法刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hefei Star Space Mdt Infotech Ltd
Original Assignee
Hefei Star Space Mdt Infotech Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hefei Star Space Mdt Infotech Ltd filed Critical Hefei Star Space Mdt Infotech Ltd
Priority to CN201910872164.6A priority Critical patent/CN110661791A/en
Publication of CN110661791A publication Critical patent/CN110661791A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/28Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/06Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the field of data transmission safety, in particular to a file reading system with a safety isolation function, which comprises a first controller and a second controller which are connected with each other, wherein the second controller is connected with a data receiving device and a data storage device, the second controller is provided with a network interface for connecting an Ethernet, the second controller is connected with a transmission file format setting module for setting a file format allowed to be transmitted according to a file format instruction sent from the network interface, and the second controller is connected with a second memory for storing a user historical operation record; the technical scheme provided by the invention can effectively overcome the defect that the virus can not be effectively prevented from invading along with the mobile storage equipment in the prior art.

Description

File reading system with safety isolation function
Technical Field
The invention relates to the field of data transmission safety, in particular to a file reading system with a safety isolation function.
Background
With the continuous development of society, people use computers more and more frequently, and the computers become indispensable tools in daily life. However, the network security problem should also bring sufficient attention to us.
With the popularization and use of the USB flash disk, viruses also wonderfully invade a user's computer along with the USB flash disk. The principle of U disk virus transmission is that the automatic operation function of Windows in Microsoft operating system is relied on, so that when a computer user opens the U disk file with virus by double-click, the virus and Trojan horse program can be automatically operated, and further the computer system is polluted and invaded.
Traditional USB protective equipment can only protect the attack of part of known viruses and still remains the protection of a user data layer, while emerging USB viruses can attack multiple layers of computer hardware, an operating system, an application program and the like, so that the protective effect of the USB protective equipment is weaker and weaker.
Disclosure of Invention
Technical problem to be solved
Aiming at the defects in the prior art, the invention provides a file reading system with a security isolation function, which can effectively overcome the defect that the virus cannot be effectively prevented from invading along with a mobile storage device in the prior art.
(II) technical scheme
In order to achieve the purpose, the invention is realized by the following technical scheme:
a file reading system with a safety isolation function comprises a first controller and a second controller which are connected with each other, wherein the second controller is connected with a data receiving device and a data storage device, a network interface used for connecting an Ethernet is arranged on the second controller, the second controller is connected with a transmission file format setting module used for setting a file format allowing transmission according to a file format instruction sent from the network interface, and the second controller is connected with a second storage used for storing a user history operation record;
the first controller is connected with a user account management module for managing system accounts, the first controller is connected with a device information management module for managing device information, the first controller is connected with a first storage for storing the device information managed by the device information management module, the first controller is connected with a device information detection module for detecting the device information of the data receiving device and the data storage device accessed by the second controller, and the first controller is connected with a device information matching module for comparing the device information detected by the device information detection module with the device information stored in the first storage;
the first controller is connected with an instruction identification module which is used for identifying in the network interface and only allows file format instructions to pass through, the first controller is connected with a virus scanning module which is used for carrying out virus scanning on the file format instructions which are allowed to pass through by the instruction identification module, the first controller is connected with a protocol stripping storage module which is used for stripping the head of a data protocol and storing the data protocol, the first controller is connected with an instruction information recovery module which is used for recovering the data protocol stripped by the protocol stripping storage module into TCP/IP data, and the first controller is connected with a decryption module which is used for decrypting the TCP/IP data recovered by the instruction information recovery module.
Preferably, the data receiving device receives the data of the transmission file format allowed by the transmission file format setting module from the data storage device.
Preferably, the user account management module only grants an operation authority to a system administrator, and the system administrator performs addition, deletion and stop management operations on the user account through the user account management module.
Preferably, the user logging in the user account management module performs management operations of adding and deleting device information of the data receiving device and the data storage device, which are allowed to establish connection with the second controller, through the device information management module.
Preferably, if the device information matching module finds a matching item of the device information detected by the device information detection module from the device information stored in the first memory, the second controller establishes a connection with the data receiving device and the data storage device; otherwise, the second controller does not establish connection with the data receiving equipment and the data storage equipment.
Preferably, the decryption module performs IPSec/HIP/SSL decryption on the TCP/IP data restored by the instruction information restoring module, and the decrypted data is securely received by the second controller through the network interface.
(III) advantageous effects
Compared with the prior art, the file reading system with the safety isolation function provided by the invention has the following beneficial effects:
1. the device information matching module is used for matching the device information stored in the first storage device with the device information stored in the second storage device, and the device information matching module is used for matching the device information stored in the first storage device with the device information detected by the device information detection module; otherwise, the second controller does not establish connection with the data receiving device and the data storage device, so that connection between the unauthorized data receiving device and the unauthorized data storage device and the second controller can be avoided;
2. the transmission file format setting module sets a file format allowing transmission according to a file format command sent from the network interface, and the data receiving equipment receives the data allowing the transmission file format set by the transmission file format setting module from the data storage equipment, so that viruses can be prevented from entering the data receiving equipment to carry out intrusion propagation along with the file data in an unfamiliar format;
3. the system comprises a command identification module, a virus scanning module, a protocol stripping storage module, a command information reduction module, a decryption module and a network interface, wherein the command identification module identifies in the network interface and only allows a file format command to pass, the virus scanning module performs virus scanning on the file format command allowed by the command identification module, the protocol stripping storage module is used for stripping and storing the head of a data protocol, the command information reduction module reduces the data protocol stripped by the protocol stripping storage module into TCP/IP data, and the decryption module decrypts the TCP/IP data reduced by the command information reduction module, so that the file data transmitted from the network interface can be ensured to be safe, and the path of virus invasion and propagation is.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
FIG. 1 is a schematic diagram of the system of the present invention;
fig. 2 is a schematic diagram of an embodiment of the second controller and its connection device in fig. 1 according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention. It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A file reading system with a security isolation function is disclosed, as shown in fig. 1 and fig. 2, and comprises a first controller and a second controller which are connected with each other, wherein the second controller is connected with a data receiving device and a data storage device, the second controller is provided with a network interface for connecting an Ethernet, the second controller is connected with a transmission file format setting module for setting a file format allowing transmission according to a file format instruction sent from the network interface, and the second controller is connected with a second memory for storing a user history operation record;
the first controller is connected with a user account management module for managing system accounts, the first controller is connected with an equipment information management module for managing equipment information, the first controller is connected with a first memory for storing the equipment information managed by the equipment information management module, the first controller is connected with an equipment information detection module for detecting the equipment information of data receiving equipment and data storage equipment accessed by a second controller, and the first controller is connected with an equipment information matching module for comparing the equipment information detected by the equipment information detection module with the equipment information stored in the first memory;
the first controller is connected with an instruction identification module which is used for identifying in a network interface and only allows file format instructions to pass through, the first controller is connected with a virus scanning module which is used for scanning viruses of the file format instructions which are allowed to pass through by the instruction identification module, the first controller is connected with a protocol stripping storage module which is used for stripping the head of a data protocol and storing the data protocol, the first controller is connected with an instruction information restoring module which is used for restoring the data protocol stripped by the protocol stripping storage module into TCP/IP data, and the first controller is connected with a decryption module which is used for decrypting the TCP/IP data restored by the instruction information restoring module.
The data receiving device receives the data which is set by the transmission file format setting module and allows the transmission file format from the data storage device.
The user account management module only grants the operation authority of a system administrator, and the system administrator performs the management operations of adding, deleting and stopping the user accounts through the user account management module.
And the user logging in the user account management module performs management operations of adding and deleting the equipment information of the data receiving equipment and the data storage equipment which are allowed to be connected with the second controller through the equipment information management module.
If the equipment information matching module finds a matching item of the equipment information detected by the equipment information detection module from the equipment information stored in the first memory, the second controller is connected with the data receiving equipment and the data storage equipment; otherwise, the second controller does not establish connection with the data receiving device and the data storage device.
The decryption module performs IPSec/HIP/SSL decryption processing on the TCP/IP data restored by the instruction information restoration module, and the decrypted data is safely received by the second controller through the network interface.
The device information matching module is used for matching the device information stored in the first storage device with the device information stored in the second storage device, and the device information matching module is used for matching the device information stored in the first storage device with the device information detected by the device information detection module; otherwise, the second controller does not establish connection with the data receiving device and the data storage device, and connection between the unauthorized data receiving device and the data storage device and the second controller can be avoided.
The user account management module only grants the operation authority of a system administrator, and the system administrator performs the management operations of adding, deleting and stopping the user accounts through the user account management module.
The transmission file format setting module sets a file format allowing transmission according to a file format command sent from the network interface, and the data receiving equipment receives the data allowing transmission of the file format, which is set by the transmission file format setting module, from the data storage equipment, so that viruses can be prevented from entering the data receiving equipment to carry out intrusion propagation along with the file data in the strange format.
The system comprises a command identification module, a virus scanning module, a protocol stripping storage module, a command information reduction module, a decryption module and a network interface, wherein the command identification module identifies in the network interface and only allows a file format command to pass, the virus scanning module performs virus scanning on the file format command allowed by the command identification module, the protocol stripping storage module is used for stripping and storing the head of a data protocol, the command information reduction module reduces the data protocol stripped by the protocol stripping storage module into TCP/IP data, and the decryption module decrypts the TCP/IP data reduced by the command information reduction module, so that the file data transmitted from the network interface can be ensured to be safe, and the path of virus invasion and propagation is.
The decryption module performs IPSec/HIP/SSL decryption processing on the TCP/IP data restored by the instruction information restoration module, and the decrypted data is safely received by the second controller through the network interface.
In the technical solution of the present application, as shown in fig. 2, the second controller may adopt an RK3399 chip, and the device has two high-speed USB3.0 interfaces, one is a USB device interface and is connected to a USB3.0 interface of a computer, and the other is a USB host interface and is connected to a USB disk, a card reader, and a mobile hard disk of the USB3.0 interface, so as to assist the two to complete a data transmission management function. And a network interface GMAC is also provided on the basis of the above, and the interface can convert the equipment into a network-to-USB security gateway or configure the management equipment by using the network interface GMAC.
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (6)

1. A file reading system with a security isolation function is characterized in that: the system comprises a first controller and a second controller which are connected with each other, wherein the second controller is connected with a data receiving device and a data storage device, a network interface for connecting the Ethernet is arranged on the second controller, the second controller is connected with a transmission file format setting module for setting a file format allowed to be transmitted according to a file format instruction sent from the network interface, and the second controller is connected with a second storage for storing a user history operation record;
the first controller is connected with a user account management module for managing system accounts, the first controller is connected with a device information management module for managing device information, the first controller is connected with a first storage for storing the device information managed by the device information management module, the first controller is connected with a device information detection module for detecting the device information of the data receiving device and the data storage device accessed by the second controller, and the first controller is connected with a device information matching module for comparing the device information detected by the device information detection module with the device information stored in the first storage;
the first controller is connected with an instruction identification module which is used for identifying in the network interface and only allows file format instructions to pass through, the first controller is connected with a virus scanning module which is used for carrying out virus scanning on the file format instructions which are allowed to pass through by the instruction identification module, the first controller is connected with a protocol stripping storage module which is used for stripping the head of a data protocol and storing the data protocol, the first controller is connected with an instruction information recovery module which is used for recovering the data protocol stripped by the protocol stripping storage module into TCP/IP data, and the first controller is connected with a decryption module which is used for decrypting the TCP/IP data recovered by the instruction information recovery module.
2. The file reading system with security isolation function according to claim 1, wherein: and the data receiving equipment receives the data which is set by the transmission file format setting module and allows the transmission file format from the data storage equipment.
3. The file reading system with security isolation function according to claim 1, wherein: the user account management module only grants an operation authority to a system administrator, and the system administrator performs addition, deletion and stop management operations on the user account through the user account management module.
4. The file reading system with security isolation function according to claim 1, wherein: and the user logging in the user account management module performs management operation of adding and deleting the equipment information of the data receiving equipment and the data storage equipment which are allowed to be connected with the second controller through the equipment information management module.
5. The file reading system with security isolation function according to claim 1, wherein: if the equipment information matching module finds a matching item of the equipment information detected by the equipment information detection module from the equipment information stored in the first memory, the second controller is connected with the data receiving equipment and the data storage equipment; otherwise, the second controller does not establish connection with the data receiving equipment and the data storage equipment.
6. The file reading system with security isolation function according to claim 1, wherein: the decryption module performs IPSec/HIP/SSL decryption processing on the TCP/IP data restored by the instruction information restoration module, and the decrypted data is safely received by the second controller through the network interface.
CN201910872164.6A 2019-09-16 2019-09-16 File reading system with safety isolation function Pending CN110661791A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910872164.6A CN110661791A (en) 2019-09-16 2019-09-16 File reading system with safety isolation function

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910872164.6A CN110661791A (en) 2019-09-16 2019-09-16 File reading system with safety isolation function

Publications (1)

Publication Number Publication Date
CN110661791A true CN110661791A (en) 2020-01-07

Family

ID=69037078

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910872164.6A Pending CN110661791A (en) 2019-09-16 2019-09-16 File reading system with safety isolation function

Country Status (1)

Country Link
CN (1) CN110661791A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101567888A (en) * 2008-12-29 2009-10-28 郭世泽 Safety protection method of network feedback host computer
CN101901315A (en) * 2010-07-12 2010-12-01 浪潮齐鲁软件产业有限公司 Security isolation and monitoring management method of USB mobile storage media
CN105760743A (en) * 2015-11-24 2016-07-13 哈尔滨安天科技股份有限公司 Device and method for security communication among high interaction equipment
US20170249455A1 (en) * 2016-02-26 2017-08-31 Cylance Inc. Isolating data for analysis to avoid malicious attacks
CN107948209A (en) * 2018-01-05 2018-04-20 宝牧科技(天津)有限公司 A kind of network security partition method and device
CN109977653A (en) * 2017-12-28 2019-07-05 航天信息股份有限公司 USB flash disk isolator and method for USB flash disk isolator

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101567888A (en) * 2008-12-29 2009-10-28 郭世泽 Safety protection method of network feedback host computer
CN101901315A (en) * 2010-07-12 2010-12-01 浪潮齐鲁软件产业有限公司 Security isolation and monitoring management method of USB mobile storage media
CN105760743A (en) * 2015-11-24 2016-07-13 哈尔滨安天科技股份有限公司 Device and method for security communication among high interaction equipment
US20170249455A1 (en) * 2016-02-26 2017-08-31 Cylance Inc. Isolating data for analysis to avoid malicious attacks
CN109977653A (en) * 2017-12-28 2019-07-05 航天信息股份有限公司 USB flash disk isolator and method for USB flash disk isolator
CN107948209A (en) * 2018-01-05 2018-04-20 宝牧科技(天津)有限公司 A kind of network security partition method and device

Similar Documents

Publication Publication Date Title
CN108701188B (en) System and method for modifying a file backup in response to detecting potential lasso software
US20200082081A1 (en) Systems and methods for threat and information protection through file classification
US9077747B1 (en) Systems and methods for responding to security breaches
US10079835B1 (en) Systems and methods for data loss prevention of unidentifiable and unsupported object types
US8245042B2 (en) Shielding a sensitive file
KR101641697B1 (en) Security box
WO2018004891A1 (en) Ransomware protection for cloud file storage
CN100504899C (en) Software watchdog system and method
WO2001010079A1 (en) Adapter having secure function and computer secure system using it
US10210330B1 (en) Systems and methods for detecting malicious processes that encrypt files
EP2835997B1 (en) Cell phone data encryption method and decryption method
CN106716333A (en) Method for completing secure erase operation
US20190294777A1 (en) Systems and methods for managing access to host computing devices by external devices
CN111046405B (en) Data processing method, device, equipment and storage medium
US8954624B2 (en) Method and system for securing input from an external device to a host
CN106951790B (en) USB storage medium transparent encryption method
CN110661791A (en) File reading system with safety isolation function
CN109145602B (en) Lesso software attack protection method and device
CN202050425U (en) Illegal external connection monitoring system for internal network equipment
KR100432420B1 (en) Efficient attack detection method using log in Intrusion Detection System
CN114340051A (en) Portable gateway based on high-speed transmission interface
CN110704870A (en) Separated file isolation reading system
US11671422B1 (en) Systems and methods for securing authentication procedures
WO2023140826A1 (en) Device and methods for protecting computer systems against unauthorized access
CN114510733A (en) Method and device for data security isolation transmission

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200107

RJ01 Rejection of invention patent application after publication