CN110661791A - File reading system with safety isolation function - Google Patents
- Publication number: CN110661791A (application CN201910872164.6A)
- Authority: CN (China)
- Prior art keywords: controller, module, data, equipment, file format
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC, all under H04L, transmission of digital information)
- H04L63/10: network security architectures or protocols for controlling access to devices or network resources
- H04L41/28: restricting access to network management systems or functions, e.g. using an authorisation function to access network configuration
- H04L63/02: network security architectures or protocols for separating internal from external traffic, e.g. firewalls
- H04L63/0815: authentication of entities providing single sign-on or federations
- H04L63/145: countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
- H04L67/06: protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
Abstract
The invention relates to the field of data transmission security, in particular to a file reading system with a security isolation function. The system comprises a first controller and a second controller connected to each other. The second controller is connected to a data receiving device and a data storage device, carries a network interface for connecting to Ethernet, is connected to a transmission file format setting module that sets the file formats allowed for transmission according to a file format instruction received from the network interface, and is connected to a second memory that stores the user's historical operation records. The technical scheme provided by the invention can effectively overcome the defect of the prior art that viruses cannot be effectively prevented from invading along with mobile storage devices.
Description
Technical Field
The invention relates to the field of data transmission safety, in particular to a file reading system with a safety isolation function.
Background
With the continuous development of society, people use computers more and more frequently, and computers have become indispensable tools in daily life. Network security problems, however, also deserve our full attention.
With the popularization of the USB flash disk, viruses have quietly invaded users' computers along with it. USB flash disk viruses spread by relying on the autorun function of the Microsoft Windows operating system: when a user double-clicks an infected file on the USB flash disk, the virus or Trojan horse program runs automatically, and the computer system is thereby contaminated and compromised.
Traditional USB protection devices can only guard against some known viruses and still protect only the user data layer, whereas emerging USB viruses can attack multiple layers, including computer hardware, the operating system and application programs, so the protective effect of such devices grows weaker and weaker.
Disclosure of Invention
(I) Technical problem to be solved
Aiming at the defects in the prior art, the invention provides a file reading system with a security isolation function, which can effectively overcome the defect that the virus cannot be effectively prevented from invading along with a mobile storage device in the prior art.
(II) Technical scheme
In order to achieve the purpose, the invention is realized by the following technical scheme:
a file reading system with a safety isolation function comprises a first controller and a second controller connected to each other. The second controller is connected to a data receiving device and a data storage device, carries a network interface for connecting to Ethernet, is connected to a transmission file format setting module that sets the file formats allowed for transmission according to a file format instruction received from the network interface, and is connected to a second memory that stores the user history operation record;
the first controller is connected to a user account management module that manages system accounts, a device information management module that manages device information, a first memory that stores the device information managed by the device information management module, a device information detection module that detects the device information of the data receiving device and the data storage device attached to the second controller, and a device information matching module that compares the device information detected by the device information detection module with the device information stored in the first memory;
the first controller is further connected to an instruction identification module that inspects traffic on the network interface and lets only file format instructions pass, a virus scanning module that scans the file format instructions passed by the instruction identification module for viruses, a protocol stripping storage module that strips the data protocol header and stores it, an instruction information recovery module that restores the stripped data protocol to TCP/IP data, and a decryption module that decrypts the TCP/IP data recovered by the instruction information recovery module.
Preferably, the data receiving device receives from the data storage device only data in the file formats that the transmission file format setting module has allowed for transmission.
Preferably, the user account management module grants operation authority only to the system administrator, and the system administrator adds, deletes and suspends user accounts through the user account management module.
Preferably, a user logged in to the user account management module adds and deletes, through the device information management module, the device information of the data receiving devices and data storage devices that are allowed to establish a connection with the second controller.
Preferably, if the device information matching module finds a matching item of the device information detected by the device information detection module from the device information stored in the first memory, the second controller establishes a connection with the data receiving device and the data storage device; otherwise, the second controller does not establish connection with the data receiving equipment and the data storage equipment.
Preferably, the decryption module performs IPSec/HIP/SSL decryption on the TCP/IP data restored by the instruction information restoring module, and the decrypted data is securely received by the second controller through the network interface.
(III) Advantageous effects
Compared with the prior art, the file reading system with the safety isolation function provided by the invention has the following beneficial effects:
1. if the device information matching module finds, among the device information stored in the first memory, a match for the device information detected by the device information detection module, the second controller establishes a connection with the data receiving device and the data storage device; otherwise it does not, so that connections between unauthorized data receiving devices or data storage devices and the second controller are avoided;
2. the transmission file format setting module sets the file formats allowed for transmission according to a file format command received from the network interface, and the data receiving device receives from the data storage device only data in those allowed formats, so that viruses cannot enter the data receiving device and spread along with file data in an unfamiliar format;
3. the instruction identification module inspects the network interface and lets only file format commands pass, the virus scanning module scans the commands passed by the instruction identification module for viruses, the protocol stripping storage module strips and stores the data protocol header, the command information restoring module restores the stripped data protocol to TCP/IP data, and the decryption module decrypts the restored TCP/IP data, so that the file data transmitted from the network interface can be ensured to be safe, and the path of virus invasion and propagation is.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
FIG. 1 is a schematic diagram of the system of the present invention;
FIG. 2 is a schematic diagram of an embodiment of the second controller and its connected devices in FIG. 1 according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention. It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A file reading system with a security isolation function, as shown in FIG. 1 and FIG. 2, comprises a first controller and a second controller connected to each other. The second controller is connected to a data receiving device and a data storage device, carries a network interface for connecting to Ethernet, is connected to a transmission file format setting module that sets the file formats allowed for transmission according to a file format instruction received from the network interface, and is connected to a second memory that stores the user history operation record;
the first controller is connected to a user account management module that manages system accounts, a device information management module that manages device information, a first memory that stores the device information managed by the device information management module, a device information detection module that detects the device information of the data receiving device and the data storage device attached to the second controller, and a device information matching module that compares the device information detected by the device information detection module with the device information stored in the first memory;
the first controller is further connected to an instruction identification module that inspects traffic on the network interface and lets only file format instructions pass, a virus scanning module that scans the file format instructions passed by the instruction identification module for viruses, a protocol stripping storage module that strips the data protocol header and stores it, an instruction information restoring module that restores the stripped data protocol to TCP/IP data, and a decryption module that decrypts the TCP/IP data restored by the instruction information restoring module.
The data receiving device receives from the data storage device only data in the file formats that the transmission file format setting module has allowed for transmission.
The user account management module grants operation authority only to the system administrator, and the system administrator adds, deletes and suspends user accounts through the user account management module.
A user logged in to the user account management module adds and deletes, through the device information management module, the device information of the data receiving devices and data storage devices that are allowed to connect to the second controller.
If the equipment information matching module finds a matching item of the equipment information detected by the equipment information detection module from the equipment information stored in the first memory, the second controller is connected with the data receiving equipment and the data storage equipment; otherwise, the second controller does not establish connection with the data receiving device and the data storage device.
The decryption module performs IPSec/HIP/SSL decryption processing on the TCP/IP data restored by the instruction information restoration module, and the decrypted data is safely received by the second controller through the network interface.
If the device information matching module finds, among the device information stored in the first memory, a match for the device information detected by the device information detection module, the second controller establishes a connection with the data receiving device and the data storage device; otherwise it does not, so that connections between unauthorized data receiving devices or data storage devices and the second controller are avoided.
The transmission file format setting module sets the file formats allowed for transmission according to a file format command received from the network interface, and the data receiving device receives from the data storage device only data in those allowed formats, so that viruses cannot enter the data receiving device and spread along with file data in an unfamiliar format.
The instruction identification module inspects the network interface and lets only file format commands pass, the virus scanning module scans the commands passed by the instruction identification module for viruses, the protocol stripping storage module strips and stores the data protocol header, the command information restoring module restores the stripped data protocol to TCP/IP data, and the decryption module decrypts the restored TCP/IP data, so that the file data transmitted from the network interface can be ensured to be safe, and the path of virus invasion and propagation is.
In the technical solution of the present application, as shown in FIG. 2, the second controller may use an RK3399 chip. The device has two high-speed USB 3.0 interfaces: one is a USB device interface connected to a USB 3.0 port of the computer, and the other is a USB host interface connected to a USB flash disk, card reader or mobile hard disk with a USB 3.0 interface, so that the device mediates and manages data transmission between the two. A GMAC network interface is additionally provided, through which the device can be turned into a network-to-USB security gateway, or through which the device can be configured and managed.
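The control-plane decisions the description attributes to the first controller (device information matching against the first memory, administrator-only account management, an instruction identification step that admits only file-format instructions from the network side, the transmission file format allowlist applied to each transfer, and the operation history kept in the second memory) can be modelled as one policy object. The Python below is an added example written for this page; it is not code from the patent or from any product built on it. The `SET_FORMATS` instruction syntax, the `DeviceInfo` fields, the magic-byte table and the device serials are constructed assumptions. The virus scanning module and the protocol stripping/decryption path are not modelled.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed magic-byte table for the demo; a real gateway would use a fuller
# signature database. None means the format has no reliable leading bytes.
MAGIC: Dict[str, Optional[bytes]] = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "txt": None,
}

# Assumed wire syntax for the only instruction the network side may send.
FORMAT_INSTRUCTION = re.compile(r"^SET_FORMATS ([a-z0-9]+(?:,[a-z0-9]+)*)$")


@dataclass(frozen=True)
class DeviceInfo:
    """Identity of a USB device as reported by the device information detection module."""
    vendor_id: str
    product_id: str
    serial: str


class IsolationGateway:
    def __init__(self) -> None:
        self.accounts: Dict[str, str] = {"admin": "admin"}  # account name -> role
        self.device_allowlist: Set[DeviceInfo] = set()      # the "first memory"
        self.allowed_formats: Set[str] = set()              # format setting module state
        self.history: List[dict] = []                       # the "second memory"

    def _decide(self, who: str, action: str, result: str) -> str:
        """Record every decision in the history before returning it."""
        self.history.append({"user": who, "action": action, "result": result})
        return result

    def add_account(self, actor: str, name: str) -> bool:
        """User account management: only the administrator role may change accounts."""
        if self.accounts.get(actor) != "admin":
            return self._decide(actor, f"add_account {name}", "denied") == "ok"
        self.accounts[name] = "user"
        return self._decide(actor, f"add_account {name}", "ok") == "ok"

    def register_device(self, actor: str, dev: DeviceInfo) -> bool:
        """Device information management: any logged-in user may add an allowed device."""
        if actor not in self.accounts:
            return self._decide(actor, f"register_device {dev.serial}", "denied") == "ok"
        self.device_allowlist.add(dev)
        return self._decide(actor, f"register_device {dev.serial}", "ok") == "ok"

    def handle_network_instruction(self, raw: str) -> bool:
        """Instruction identification: anything that is not a file-format instruction is dropped."""
        match = FORMAT_INSTRUCTION.match(raw.strip())
        if match is None:
            return self._decide("network", f"instruction {raw.strip()[:40]!r}", "rejected") == "ok"
        self.allowed_formats = set(match.group(1).split(","))
        return self._decide("network", f"set_formats {sorted(self.allowed_formats)}", "ok") == "ok"

    def connect(self, dev: DeviceInfo) -> bool:
        """Device information matching: connect only if the detected identity is in the first memory."""
        return dev in self.device_allowlist

    def transfer(self, dev: DeviceInfo, filename: str, data: bytes) -> str:
        """Move one file from the storage device to the receiving device, or refuse it."""
        if not self.connect(dev):
            return self._decide(dev.serial, f"transfer {filename}", "denied: device not in allowlist")
        # Use the last extension so "invoice.pdf.exe" is judged as an .exe, not a .pdf.
        ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
        if ext not in self.allowed_formats:
            return self._decide(dev.serial, f"transfer {filename}", "denied: format not allowed")
        magic = MAGIC.get(ext)
        if magic is not None and not data.startswith(magic):
            # Extension is allowed but the bytes are not that format (e.g. renamed binary).
            return self._decide(dev.serial, f"transfer {filename}", "denied: content does not match format")
        return self._decide(dev.serial, f"transfer {filename}", "ok")


def demo() -> List[str]:
    """Walk through the policy with constructed devices and files; returns the decisions."""
    gw = IsolationGateway()
    usb = DeviceInfo("0951", "1666", "SN-CONSTRUCTED-01")       # registered below
    stranger = DeviceInfo("0951", "1666", "SN-CONSTRUCTED-99")  # same model, unknown serial
    gw.add_account("admin", "alice")
    gw.register_device("alice", usb)
    gw.handle_network_instruction("SET_FORMATS pdf,txt")
    return [
        gw.transfer(usb, "report.pdf", b"%PDF-1.7\n%constructed"),
        gw.transfer(usb, "notes.txt", b"plain text"),
        gw.transfer(usb, "tool.exe", b"MZ\x90\x00"),
        gw.transfer(usb, "invoice.pdf.exe", b"MZ\x90\x00"),
        gw.transfer(usb, "renamed.pdf", b"MZ\x90\x00"),
        gw.transfer(stranger, "report.pdf", b"%PDF-1.7\n"),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two design points are worth noting. The format check consults both the extension and the leading bytes, so a binary renamed to an allowed extension is refused; a pure extension allowlist, which is the most literal reading of "file format allowed to be transmitted", would let it through. And every decision, including refusals, lands in the history first, which is what makes the second memory useful to an investigator after an incident rather than only an audit trail of successful operations.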
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.
Claims (6)
1. A file reading system with a security isolation function is characterized in that: the system comprises a first controller and a second controller which are connected with each other, wherein the second controller is connected with a data receiving device and a data storage device, a network interface for connecting the Ethernet is arranged on the second controller, the second controller is connected with a transmission file format setting module for setting a file format allowed to be transmitted according to a file format instruction sent from the network interface, and the second controller is connected with a second storage for storing a user history operation record;
the first controller is connected with a user account management module for managing system accounts, the first controller is connected with a device information management module for managing device information, the first controller is connected with a first storage for storing the device information managed by the device information management module, the first controller is connected with a device information detection module for detecting the device information of the data receiving device and the data storage device accessed by the second controller, and the first controller is connected with a device information matching module for comparing the device information detected by the device information detection module with the device information stored in the first storage;
the first controller is connected with an instruction identification module which is used for identifying in the network interface and only allows file format instructions to pass through, the first controller is connected with a virus scanning module which is used for carrying out virus scanning on the file format instructions which are allowed to pass through by the instruction identification module, the first controller is connected with a protocol stripping storage module which is used for stripping the head of a data protocol and storing the data protocol, the first controller is connected with an instruction information recovery module which is used for recovering the data protocol stripped by the protocol stripping storage module into TCP/IP data, and the first controller is connected with a decryption module which is used for decrypting the TCP/IP data recovered by the instruction information recovery module.
2. The file reading system with security isolation function according to claim 1, wherein: the data receiving device receives from the data storage device only data in the file formats that the transmission file format setting module has allowed for transmission.
3. The file reading system with security isolation function according to claim 1, wherein: the user account management module only grants an operation authority to a system administrator, and the system administrator performs addition, deletion and stop management operations on the user account through the user account management module.
4. The file reading system with security isolation function according to claim 1, wherein: a user logged in to the user account management module adds and deletes, through the device information management module, the device information of the data receiving devices and data storage devices that are allowed to connect to the second controller.
5. The file reading system with security isolation function according to claim 1, wherein: if the equipment information matching module finds a matching item of the equipment information detected by the equipment information detection module from the equipment information stored in the first memory, the second controller is connected with the data receiving equipment and the data storage equipment; otherwise, the second controller does not establish connection with the data receiving equipment and the data storage equipment.
6. The file reading system with security isolation function according to claim 1, wherein: the decryption module performs IPSec/HIP/SSL decryption processing on the TCP/IP data restored by the instruction information restoration module, and the decrypted data is safely received by the second controller through the network interface.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910872164.6A CN110661791A (en) | 2019-09-16 | 2019-09-16 | File reading system with safety isolation function |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110661791A true CN110661791A (en) | 2020-01-07 |
Family
ID=69037078
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910872164.6A Pending CN110661791A (en) | 2019-09-16 | 2019-09-16 | File reading system with safety isolation function |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110661791A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101567888A (en) * | 2008-12-29 | 2009-10-28 | 郭世泽 | Safety protection method of network feedback host computer |
CN101901315A (en) * | 2010-07-12 | 2010-12-01 | 浪潮齐鲁软件产业有限公司 | Security isolation and monitoring management method of USB mobile storage media |
CN105760743A (en) * | 2015-11-24 | 2016-07-13 | 哈尔滨安天科技股份有限公司 | Device and method for security communication among high interaction equipment |
US20170249455A1 (en) * | 2016-02-26 | 2017-08-31 | Cylance Inc. | Isolating data for analysis to avoid malicious attacks |
CN107948209A (en) * | 2018-01-05 | 2018-04-20 | 宝牧科技(天津)有限公司 | A kind of network security partition method and device |
CN109977653A (en) * | 2017-12-28 | 2019-07-05 | 航天信息股份有限公司 | USB flash disk isolator and method for USB flash disk isolator |
Events
- 2019-09-16: application CN201910872164.6A filed in CN (patent/CN110661791A/en), status Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20200107 |