CN100435526C - Network safety dynamic detection system and method - Google Patents


Info

Publication number: CN100435526C
Authority: CN (China)
Prior art keywords: request end, network, package, dynamic detection, transmitting terminal
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CNB2004100549320A
Other languages: Chinese (zh)
Other versions: CN1725726A (en)
Inventors: 吕致中, 林合仁
Current assignee: WEIDA ELECTRIC CO Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: WEIDA ELECTRIC CO Ltd
History: application filed by WEIDA ELECTRIC CO Ltd; published as CN1725726A; granted and published as CN100435526C

Abstract

The present invention relates to a network security dynamic detection system and method suitable for a network system connecting a sending end and a requesting end. The system mainly comprises a connection judging unit, a Layer 2 bridge, a security environment detecting unit, a configuration exchange unit, a Layer 3 packet processing unit and a negotiation mechanism. The network security dynamic detection system is placed adjacent to the requesting end and/or the sending end and automatically detects the security environment level of both connecting parties. Through the packets exchanged between the requesting end and the sending end it provides an appropriate security service routine, so that, unlike the prior art, the security service need not be provided to every requesting end that asks to connect; network congestion is thereby reduced and the performance of the host system is improved.

Description

Network security dynamic detection system and method
Technical field
The present invention relates to a network security dynamic detection system and method, and in particular to a bridge system and method that provides a suitable service according to the security environment of the connecting counterpart.
Background technology
With the rapid development of network technology, digital data transmission has become convenient, but packets carrying confidential data such as company secrets, personal IDs or passwords travel over public networks such as the Internet and may be intercepted or stolen by hackers, so maintaining the transmission security of network data has become a very important problem. Today all kinds of Internet appliances (IA) for network security are continually being introduced: gateway, router or firewall devices can be installed at any requesting end and/or sending end of the network system to protect the data being transmitted, and they apply specific security standards for protocols such as FTP, HTTP or Telnet.
Installing more network security protection mechanisms or devices can certainly make transmission over the network system safer and more reliable, as the network products above provide all kinds of security services such as encryption/decryption, digital signatures and packet filtering. Conversely, however, enabling more network security protection mechanisms or devices consumes too much network bandwidth and reduces the processing efficiency of the host system. Moreover, to provide these various security services the current practice is either to install a driver on the operating system (OS) of the host system, or to use a router gateway to manage incoming and outgoing packets. The former not only increases system complexity and reduces stability, but is also hard to maintain afterwards on shared machines such as a company's public laptop computers. The latter often requires changing the network architecture in practice: a machine with a public IP address that is directly connected to the Internet must change its IP address when a router gateway is inserted, and the required security services, such as the encryption/decryption computations for establishing a tunnel, become more complicated.
For example, in a client-server network architecture either end may act as a requesting end (the client) that asks to connect to and download data from another sending end (the server); or, in a peer-to-peer network architecture, a requesting end (a client) asks to connect to another sending end (the data provider) to download music or image data. When many requesting ends ask to connect to one sending end to download data, that sending end must establish a connection and provide each of the security services above to every requesting end one by one, harmless requesting ends included, so the network system easily becomes congested and the operational performance of the sending end's host system is further reduced.
Summary of the invention
To solve the problems of the prior art described above, a main object of the present invention is to provide a network security dynamic detection system and method applicable between a sending end and a requesting end in a client-to-server or peer-to-peer network architecture. It uses the principle that a TCP/IP Layer 2 bridge need not change the Layer 3 network address (IP address), while processing the Layer 3 packet payload to carry out a specific security service routine. It therefore offers higher network transparency: the user keeps the original network connection mode and, unlike the prior art, need not change the architecture to insert a router gateway device and change the IP address, so the complexity of the system is not increased and its stability is not reduced.
In addition, another object of the present invention is to provide a network security dynamic detection system and method, applicable between a sending end and a requesting end in a client-to-server or peer-to-peer network architecture, which, when it judges that a requesting end asking to connect is an authorized network connection, automatically senses whether the security level of the connecting counterpart is high or low. When the counterpart's security level is confirmed to be high, the two network security dynamic detection systems between the sending end and the requesting end automatically negotiate with each other the communication protocol under which the security service settings are provided, and the packets transmitted between the requesting end and the sending end undergo the corresponding security service routine. When the counterpart's security level is found to be low, subsequent packets flow out directly, unprocessed, through the Layer 2 bridge.
To achieve these objects, the invention provides a network security dynamic detection system applicable in a network system connecting at least one requesting end and a sending end, mainly comprising: a connection judging unit, a Layer 2 bridge, a security environment detecting unit, a configuration exchange unit, a Layer 3 packet processing unit and a negotiation mechanism. In the present embodiment the network security dynamic detection system comprises at least one dynamic bridge located adjacent to the requesting end and/or the sending end.
The connection judging unit of the network security dynamic detection system judges whether the initial connection request of any requesting end is an authorized network connection. When the connection judging unit confirms that the requesting end's connection request is an authorized network connection, the security environment detecting unit further judges whether the security level of that requesting end is high or low. When the security environment detecting unit confirms that the requesting end's security level is high, the configuration exchange unit has the requesting end and the sending end negotiate the communication protocol that both accept for the network connection, in order to determine a corresponding security service routine. The Layer 3 packet processing unit carries out that security service routine on the packets transmitted between the requesting end and the sending end according to the negotiated communication protocol. Finally, the negotiation mechanism confirms that both the requesting end and the sending end have closed the connection and releases system resources.
In addition, the present invention further provides a network security dynamic detection method applicable in a network system connecting at least one requesting end and a sending end. The steps of the method are as follows:
use a connection judging unit to judge whether the initial connection request of any requesting end is an authorized network connection;
when the requesting end's connection request is judged to be an authorized network connection, allow the initial connection process between the requesting end and the sending end;
use a security monitoring unit to judge, from the initial connection process between the requesting end and the sending end, whether the requesting end's security level is high or low;
when the requesting end's security level is confirmed to be high, have the requesting end and the sending end negotiate the communication protocol that both accept for the network connection, to determine a corresponding security service routine;
carry out that security service routine on the packets transmitted between the requesting end and the sending end according to the negotiated communication protocol; and
confirm that both the requesting end and the sending end have closed the connection, and release system resources.
Therefore, according to the security environment level of both connecting parties, a suitable security service routine can be provided for the network packets between the requesting end and the sending end, without providing the security service to every requesting end that asks to connect as in the prior art; network congestion is thereby reduced and the performance of the host system improved. To make the above objects, features and advantages of the present invention more apparent, preferred embodiments are described in detail below with reference to the accompanying drawings.
Description of drawings
Fig. 1 shows the internal structure of a network security dynamic detection system according to a preferred embodiment of the present invention;
Fig. 2 shows the network security dynamic detection method according to a preferred embodiment of the present invention;
Fig. 3 shows the initial network connection process of the known TCP three-way handshake between a sending end and a requesting end;
Fig. 4 shows the packet processing flow of a network security dynamic detection system according to a preferred embodiment of the present invention, in which the forward operation f(X) of a specific function is applied to the identification value X of each outgoing packet and the reverse operation f^-1(X') to the identification value X' of each incoming packet;
Fig. 5 shows, according to a first embodiment of the invention, the initial network connection process of a three-way handshake between a requesting end configured with the above network security dynamic detection system and a sending end;
Fig. 6 shows, according to a second embodiment of the invention, the initial network connection process of a three-way handshake between a sending end configured with the above network security dynamic detection system and a requesting end;
Fig. 7 shows, according to a third embodiment of the invention, the initial network connection process of a three-way handshake between a sending end and a requesting end each configured with the above network security dynamic detection system, in which the network security dynamic detection system of the requesting end judges whether the identification value transmitted by the sending end is correct;
Fig. 8 shows, according to a fourth embodiment of the invention, the initial network connection process of a three-way handshake between a sending end and a requesting end each configured with the above network security dynamic detection system, in which the network security dynamic detection system of the sending end judges whether the identification value transmitted by the requesting end is correct.
The reference numerals are as follows:
10, 32, 42, 52, 62, 72, 73, 82, 83: network security dynamic detection systems
30, 40, 50, 60, 70, 80: requesting ends
34, 44, 54, 64, 74, 84: sending ends
100: connection judging unit; 102: Layer 2 bridge
120: security environment detecting unit; 124: packet processing mechanism
130: configuration exchange unit; 140: Layer 3 packet processing unit
150: negotiation mechanism
S200, S210, S212, S220, S222, S223, S224, S226, S230, S240, S250: method steps
Embodiments
First, as shown in Fig. 1, a network security dynamic detection system 10 according to a first preferred embodiment of the present invention is applicable in a network system connecting at least one requesting end and a sending end (see Figs. 4, 5, 6, 7 and 8, described in detail below). It mainly comprises: a connection judging unit 100, a Layer 2 bridge 102, a security environment detecting unit 120, a configuration exchange unit 130, a Layer 3 packet processing unit 140 and a negotiation mechanism 150. In the present embodiment the network security dynamic detection system 10 comprises at least one dynamic bridge located adjacent to the requesting end and/or the sending end.
The connection judging unit 100 of the network security dynamic detection system 10 uses a preset lookup table to judge whether the initial connection request of any party asking to connect, such as a requesting end, is an authorized network connection. The lookup table records in advance the data of each authorized network connection, including the requesting end's Layer 2 NIC MAC address, Layer 3 IP address or Layer 4 service port number. When the connection judging unit 100 judges that the requesting end's connection request is not an authorized network connection, every data packet that requesting end sends is logged and then forwarded directly and unprocessed through the Layer 2 bridge 102.
The security environment detecting unit 120 has a packet processing mechanism 124. When the connection judging unit 100 confirms that the requesting end's connection request is an authorized network connection, this mechanism performs further computation on the initial network connection between the requesting end and the sending end. The principle is shown in Fig. 4: in any connection step between requesting end 40 and sending end 44, the forward operation f(X) of a specific function is applied to the identification value X of the IP header of every packet sent out through the network security dynamic detection system 42, and the reverse operation f^-1(X') of that function is applied to the header identification value X' of every packet the network security dynamic detection system 42 receives. The security environment detecting unit 120 confirms the requesting end's security level according to whether the result f^-1(X') for the received packet's header identification value X' equals a predicted sequence value (SN+1). When f^-1(X') equals the sequence value (SN+1), the requesting end's security level is high, meaning that a counterpart network security dynamic detection system 10 is also installed at the requesting end; otherwise, when f^-1(X') is not equal to the sequence value (SN+1), the requesting end's security level is low, meaning that no counterpart network security dynamic detection system is installed at the requesting end. How the sequence value (SN+1) is obtained is described in detail below.
The packet processing mechanism 124 of the security environment detecting unit 120 operates on the identification field of the packet header so that the information is not stripped as the packet passes through various network devices. The 16-bit identification field of the IP header carries a sequence number (SN) originally intended to uniquely identify each packet sent; each time the requesting end/sending end sends a packet, the sequence number in this field is automatically increased by 1, which is the origin of the sequence value (SN+1) above. Because this field is seldom used (probably fewer than 0.25% of Internet packets are fragmented), it can be used to hide the information exchanged between the network security dynamic detection systems.
The traditional initial network connection process is shown in Fig. 3. Under the TCP/IP protocol the initial connection process between a requesting end 30 and a sending end 34 is a three-way handshake, in which three types of packet (SYN, ACK+SYN and ACK) must be transmitted in turn. The purpose of the handshake is to let the requesting end 30 and the sending end 34 communicate before the connection is made: on the one hand both sides confirm the connection, and on the other hand they verify that their communication protocols are consistent, to facilitate the subsequent data transfer. In the embodiments of the present invention, however, the initial network connection between the requesting end and the sending end, after being processed by the packet processing mechanism 124 of the security environment detecting unit 120, proceeds as shown in Figs. 5, 6, 7 and 8, which differ from the traditional initial network connection of Fig. 3.
When the security environment detecting unit 120 confirms that the requesting end's security level is high, the configuration exchange unit 130 has the requesting end and the sending end negotiate an agreed communication protocol, and then lets each side learn the configuration details of the network security dynamic detection system installed on the other side, in order to carry out the network connection. For instance, the TCP/IP three-way handshake, while taking time-outs and retransmissions into account, generally guarantees that both sides share information completely; the exchange can be realized with packets built specifically for the purpose, or by reusing the same communication link and hiding the detailed information needed for the connection in the packets that both sides exchange. Which approach is used depends entirely on the form of the communication link between the two sides. The detailed information carried in these packets is a security service setting of the communication protocol agreed by both sides, which determines a corresponding security service routine, such as an encryption/decryption service, a digital signature service or a string pattern-match service. Taking the encryption/decryption service routine as an example, the security service setting is a cryptographic algorithm and the corresponding encryption/decryption key.
The Layer 3 packet processing unit carries out the security service routine on the packets transmitted between the requesting end and the sending end according to the negotiated communication protocol; that is, it uses the security service setting of that communication protocol to process the Layer 3 payload of the packets transmitted between the requesting end and the sending end. As described above, for the network security dynamic detection system, packets of network connections that are not authorized (or not of interest) flow in through one network port and, once the Layer 2 inspection finds them to be outside the scope of interest, flow out directly through the other network port of the Layer 2 bridge 102 (TCP/IP layer 2 bridge), unprocessed and without changing the Layer 3 routing mechanism. This is because the network ports of the network security dynamic detection system 10 of the present invention do not expose public Layer 3 IP addresses; processing starts after the Layer 3 packet header, i.e. from the Layer 3 payload upward. For any tunnel protocol that is itself applied at Layer 3, the network security dynamic detection system of the present invention acts as a proxy: it first establishes the tunnel with the counterpart and then forwards the restored packets inward; conversely, outgoing packets are encapsulated into the tunnel before being sent out.
For a session-oriented network connection such as a TCP connection, when the connection reaches session close, the action of the network security dynamic detection system of the present invention ends with it. For a non-session-oriented network connection such as a UDP connection, the network security dynamic detection system of the present invention uses a time-out mechanism to decide after how long without any packets passing through it ends automatically. A network security dynamic detection system that is ending its action starts the negotiation mechanism 150 to confirm that both the requesting end and the sending end have closed the connection, and releases system resources.
In addition, as shown in Fig. 2, a network security dynamic detection method according to a preferred embodiment of the present invention is applicable in a network system connecting at least one requesting end and a sending end, in which at least one dynamic bridge is located adjacent to the requesting end and/or the sending end. The steps of the method are as follows:
Step S200: monitor the packets travelling between the requesting end and the sending end.
Step S210: use a connection judging unit 100 to judge whether the initial connection request of any requesting end is an authorized network connection.
Step S212: when the connection judging unit 100 judges that the requesting end's connection request is not an authorized network connection, every data packet that requesting end sends is forwarded directly through a Layer 2 bridge 102; otherwise, when the connection judging unit 100 judges that the requesting end's connection request is indeed an authorized network connection, the initial connection process between the requesting end and the sending end is allowed and the method proceeds to step S220.
Step S220 is an active detection process. It uses a security monitoring unit to judge, from the initial connection process between the requesting end and the sending end, whether the requesting end's security level is high or low. During this initial connection the security monitoring unit performs the packet processing flow of steps S222, S223 and S224 shown in Figs. 5, 6, 7 and 8: the forward operation of a specific function is applied to the header identification value of every packet sent out through the security monitoring unit, and the reverse operation of that function is applied to the header identification value of every packet the security monitoring unit receives. The security monitoring unit then makes the judgement of step S226 shown in Figs. 5, 6, 7 and 8, i.e. it judges whether the operation result for the received packet's header identification value equals a predicted sequence value, to confirm the requesting end's security level. When the operation result equals the sequence value, the requesting end's security level is high; otherwise, when the operation result is not equal to the sequence value, the requesting end's security level is low.
Step S230 is a setting exchange process: when the security monitoring unit confirms that the requesting end's security level is high, a configuration exchange unit 130 has the requesting end and the sending end negotiate the communication protocol that both accept for the network connection, to determine a corresponding security service routine.
Step S240 is a Layer 3 packet process service: a Layer 3 packet processing unit 140 carries out the security service routine on the Layer 3 payload of the packets transmitted between the requesting end and the sending end, according to a security service setting of the negotiated communication protocol.
Step S250: a negotiation mechanism 150 confirms that both the requesting end and the sending end have closed the connection, and releases system resources. After this initial network connection ends, the method returns to step S200 to handle the packets of the next initial network connection.
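The handshake detection of steps S220 to S226, run through the four placements the drawings describe (detection system at the requesting end only, at the sending end only, at both ends, or at neither), as an added simulation that is not part of the patent or of any product of the assignee. It assumes a concrete f: multiplication of the 16-bit identification value by an odd constant modulo 2^16, with f^-1 the multiplication by that constant's modular inverse. The constant 0x9E37, the host model (a peer with no detection system answers with the identification value it received plus 1, as the embodiments describe; a real IP stack keeps its own counter), the initial value 1000 and all class and function names are assumptions made for the example. A multiplicative f is used because the judgement f^-1(X') == SN+1 only separates a bare peer from one behind a detection system if f does not commute with adding 1; with a plain additive f, f^-1(f(SN)+1) would equal SN+1 and a bare peer would be judged high.

```python
"""Simulation of the three-way-handshake detection of steps S220-S226.

Added example; the constant KEY, the Host model, the initial identification
value and every name below are assumptions, not the patent's own.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

MASK = 0xFFFF                     # the IP identification field is 16 bits wide
KEY = 0x9E37                      # assumed shared odd constant defining f
KEY_INV = pow(KEY, -1, MASK + 1)  # modular inverse of KEY, so f_inv(f(x)) == x


def f(x: int) -> int:
    """Forward operation f(X) on a 16-bit identification value."""
    return (x * KEY) & MASK


def f_inv(x: int) -> int:
    """Reverse operation f^-1(X'); f_inv(f(x)) == x for every 16-bit x."""
    return (x * KEY_INV) & MASK


@dataclass(frozen=True)
class Packet:
    flags: str   # "SYN", "SYN+ACK" or "ACK"
    ident: int   # IP header identification field, the SN of the description


class Host:
    """Plain TCP peer with no detection system. Following the embodiments,
    it answers a handshake packet with the identification value it received
    plus 1 (assumed model)."""

    def __init__(self, initial_ident: int) -> None:
        self.initial_ident = initial_ident

    def syn(self) -> Packet:
        return Packet("SYN", self.initial_ident)

    def reply(self, pkt: Packet) -> Packet:
        flags = "SYN+ACK" if pkt.flags == "SYN" else "ACK"
        return Packet(flags, (pkt.ident + 1) & MASK)


class Bridge:
    """Detection system placed as a Layer 2 bridge next to one host."""

    def __init__(self) -> None:
        self.last_sent: Optional[int] = None   # host's SN before f was applied
        self.level: Optional[str] = None       # "high"/"low" once judged (S226)

    def outbound(self, pkt: Packet) -> Packet:
        """Host -> network: apply f (steps S222/S224) unless peer is low."""
        if self.level == "low":
            return pkt
        self.last_sent = pkt.ident
        return replace(pkt, ident=f(pkt.ident))

    def inbound(self, pkt: Packet) -> Packet:
        """Network -> host: apply f^-1 (step S223); once this side has sent
        something, compare the result with the predicted SN+1 (step S226)."""
        if self.level == "low":
            return pkt
        recovered = f_inv(pkt.ident)
        if self.last_sent is not None and self.level is None:
            expected = (self.last_sent + 1) & MASK
            self.level = "high" if recovered == expected else "low"
            if self.level == "low":
                return pkt   # no counterpart system: pass the packet untouched
        return replace(pkt, ident=recovered)


def handshake(client_bridge: Optional[Bridge], server_bridge: Optional[Bridge],
              client_ident: int = 1000) -> Tuple[Optional[str], Optional[str]]:
    """Run SYN, SYN+ACK, ACK through whichever bridges are present and return
    (requesting-end verdict, sending-end verdict); None means no bridge there."""
    client, server = Host(client_ident), Host(0)

    def to_server(pkt: Packet) -> Packet:
        if client_bridge is not None:
            pkt = client_bridge.outbound(pkt)
        return server_bridge.inbound(pkt) if server_bridge is not None else pkt

    def to_client(pkt: Packet) -> Packet:
        if server_bridge is not None:
            pkt = server_bridge.outbound(pkt)
        return client_bridge.inbound(pkt) if client_bridge is not None else pkt

    syn = to_server(client.syn())              # SYN     + SN0
    syn_ack = to_client(server.reply(syn))     # SYN+ACK + SN1
    to_server(client.reply(syn_ack))           # ACK     + SN2
    return (client_bridge.level if client_bridge is not None else None,
            server_bridge.level if server_bridge is not None else None)


if __name__ == "__main__":
    print("Fig. 5, requesting end only:", handshake(Bridge(), None))
    print("Fig. 6, sending end only:   ", handshake(None, Bridge()))
    print("Figs. 7/8, both ends:       ", handshake(Bridge(), Bridge()))
    print("neither end:                ", handshake(None, None))
```

With a bridge on one side only, the verdict is low and the bridge stops transforming packets; with bridges on both sides, each recovers the other's value exactly and both verdicts are high, which is the condition under which step S230 would start the setting exchange.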
Referring further to Fig. 5, a first embodiment of the invention shows the initial network connection process of a three-way handshake between a requesting end 50 configured with a network security dynamic detection system 52 according to the present invention and a sending end 54. When the requesting end 50 sends a packet containing SYN and the header identification value SN0, the network security dynamic detection system 52 performs the packet processing of step S222 above: it applies the forward operation f(SN0) of the specific function to the header identification value SN0 and passes a packet containing SYN and the header identification value f(SN0) to the sending end 54. On receipt, the sending end 54 naturally adds 1 to the header identification value f(SN0) to produce a sequence value SN1 (SN1 = f(SN0)+1), uses it as the new header identification value, and replies with a packet containing ACK, SYN and the header identification value SN1. When the network security dynamic detection system 52 receives this ACK+SYN+SN1 packet it makes the judgement of step S226 above: it first applies the reverse operation f^-1(SN1) of the specific function to the header identification value SN1, then compares f^-1(SN1) with a predicted sequence value SN0+1, and finds that f^-1(SN1) is not equal to SN0+1, which indicates that the sending end 54 has no counterpart network security dynamic detection system installed, so its security level is low. The network security dynamic detection system 52 of the requesting end 50 takes no further action; it simply passes the ACK+SYN+SN1 packet on to the requesting end 50. The requesting end 50 adds 1 to the header identification value SN1 to obtain SN2 and sends an ACK+SN2 packet to the sending end 54 to complete the connection.
Referring next to Fig. 6, a second embodiment of the invention, similar to Fig. 5, shows the initial network connection process of a three-way handshake between a sending end 64 configured with a network security dynamic detection system 62 and a requesting end 60. When the requesting end 60 sends a packet containing SYN and the header identification value SN0, the network security dynamic detection system 62 of the sending end 64 receives it and performs the packet processing of step S222 above: it applies the reverse operation of the specific function to the header identification value SN0 to obtain a new header identification value f^-1(SN0), and passes a packet containing SYN and the header identification value f^-1(SN0) to the sending end 64. On receipt, the sending end 64 naturally adds 1 to the header identification value f^-1(SN0) to produce a sequence value SN1 (SN1 = f^-1(SN0)+1), uses it as the new header identification value, and replies with a packet containing ACK, SYN and the header identification value SN1. When the network security dynamic detection system 62 receives this ACK+SYN+SN1 packet it applies the forward operation of the specific function to the header identification value SN1 to obtain a new header identification value f(SN1), and forwards the ACK+SYN+f(SN1) packet to the requesting end 60. On receipt, the requesting end 60 naturally adds 1 to the header identification value f(SN1) to form SN2 (SN2 = f(SN1)+1) and then sends a packet containing ACK+SN2 to the network security dynamic detection system 62 of the sending end 64. The network security dynamic detection system 62 of the sending end 64 makes the judgement of step S226 above: it first applies the reverse operation f^-1(SN2) of the specific function to the header identification value SN2, then compares f^-1(SN2) with a predicted sequence value SN1+1, and finds that f^-1(SN2) is not equal to SN1+1, which indicates that the requesting end 60 has no counterpart network security dynamic detection system installed, so its security level is low. The network security dynamic detection system 62 of the sending end 64 provides no security service; it simply passes the ACK+SN2 packet on to the sending end 64 to complete the connection.
Referring to Fig. 7, a third embodiment according to the invention shows the initial network connection process in which a three-way handshake is carried out between a sending end 74 and a request end 70 that are each configured with their own network security dynamic detection system 72, 73. When the request end 70 sends a packet containing SYN information and a header characteristic value SN0, the network security dynamic detection system 72 of the request end 70 receives it and performs the packet processing of the aforementioned step S222: it applies the forward operation of the specific function to the header characteristic value SN0 to obtain a new header characteristic value f(SN0), and then passes a packet containing SYN information and the header characteristic value f(SN0) to the network security dynamic detection system 73 of the sending end 74. On receipt, the network security dynamic detection system 73 of the sending end 74 performs the packet processing of the aforementioned step S223: it applies the inverse operation of the specific function to the header characteristic value f(SN0) to recover the header characteristic value SN0, and then passes a packet containing SYN information and the header characteristic value SN0 to the sending end 74. On receipt, the sending end 74 naturally adds 1 to the header characteristic value SN0 to produce an increment value SN1 (SN1 = SN0+1), takes it as the new header characteristic value, and replies with a packet containing ACK+SYN+SN1. When this ACK+SYN+SN1 packet is received by the network security dynamic detection system 73 of the sending end 74, the system performs the aforementioned step S224: it applies the forward operation of the specific function to the header characteristic value SN1 to obtain a new header characteristic value f(SN1), and transmits the ACK+SYN+f(SN1) packet
to the network security dynamic detection system 72 of the request end 70. The network security dynamic detection system 72 of the request end 70 then performs the judgement of the aforementioned step S226: it first applies the inverse operation of the specific function to the header characteristic value f(SN1), computing f^-1(f(SN1)) to obtain the operation result SN1, and then compares this operation result SN1 with a predicted increment value SN0+1. Finding that SN1 is exactly equal to the increment value SN0+1 indicates that the request end 70 has a counterpart network security dynamic detection system installed, so its security level is high. The network security dynamic detection system 73 of the sending end 74 begins to prepare to provide the security service, and the ACK+SYN+SN1 packet is transmitted to the request end 70, so that on receipt the request end 70 naturally adds 1 to the header characteristic value SN1 to produce an increment value SN2 (SN2 = SN1+1), takes it as the new header characteristic value, and transmits a packet containing ACK+SN2 to the sending end 74 to complete the connection.
Referring to Fig. 8, a fourth embodiment according to the invention shows the initial network connection process in which a three-way handshake is carried out between a sending end 84 and a request end 80 that are each configured with their own network security dynamic detection system 82, 83. Fig. 8 is similar to Fig. 7; the difference is that in the third embodiment of Fig. 7 the network security dynamic detection system 72 of the request end 70 is responsible for the security level judgement, whereas in the fourth embodiment of Fig. 8 the network security dynamic detection system 83 of the sending end 84 is responsible for the security level judgement. All other principles are identical.
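The following simulation walks the three-way handshake of Figs. 6 to 8 with the forward/inverse header-value processing and the step S226 comparison. It is an added example and not code from the patent: the patent does not name the "specific function", so an invertible affine map over 32-bit sequence numbers with parameters shared by both ends is assumed here, and the Fig. 8 path (judgement at the sending end when both ends have the system) is modeled by assuming the request end's system applies the forward operation to the final ACK and the sending end's system inverts it. Step numbers S222 to S226 are those of the description above.

```python
"""Header-value handshake check of Figs. 6 to 8 (added example, not patent code)."""

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit; all arithmetic is mod 2**32


class DetectionSystem:
    """Network security dynamic detection system placed in front of one host.

    Assumed 'specific function': f(x) = (a*x + b) mod 2**32 with odd a, which
    makes it invertible.  Both ends must share (a, b); a counterpart without
    the system (or with other parameters) fails the S226 comparison.
    """

    def __init__(self, a=0x9E3779B1, b=0x7F4A7C15):
        if a % 2 == 0:
            raise ValueError("a must be odd to be invertible mod 2**32")
        self.a, self.b = a & MASK, b & MASK
        self.a_inv = pow(self.a, -1, 1 << 32)

    def forward(self, x):
        """Forward operation f on an outgoing header characteristic value."""
        return (self.a * x + self.b) & MASK

    def inverse(self, y):
        """Inverse operation f^-1 on an incoming header characteristic value."""
        return (self.a_inv * ((y - self.b) & MASK)) & MASK


def run_handshake(sn0, request_ds, sending_ds, judge):
    """Run SYN / ACK+SYN / ACK between a request end and a sending end.

    request_ds / sending_ds: DetectionSystem or None for each side.
    judge: "request" (Fig. 7, system 72 judges) or "sending"
           (Fig. 6 and Fig. 8, system 62 / 83 judges).
    Returns (level, observed, predicted) from the S226 comparison.
    """
    judge_ds = request_ds if judge == "request" else sending_ds
    if judge_ds is None:
        raise ValueError("the judging side must have a detection system")

    # SYN leg, request end -> sending end (steps S222 / S223)
    x = sn0
    if request_ds:
        x = request_ds.forward(x)
    if sending_ds:
        x = sending_ds.inverse(x)
    sn1 = (x + 1) & MASK            # sending end increments what it received

    # ACK+SYN leg, sending end -> request end (step S224)
    y = sending_ds.forward(sn1) if sending_ds else sn1
    result = None
    if judge == "request":          # Fig. 7: S226 at the request end's system
        observed, predicted = request_ds.inverse(y), (sn0 + 1) & MASK
        result = (observed, predicted)
        y = observed                # recovered value is handed to the request end
    elif request_ds:
        y = request_ds.inverse(y)
    sn2 = (y + 1) & MASK            # request end increments what it received

    # ACK leg, request end -> sending end (Fig. 8 modeling is an assumption)
    z = request_ds.forward(sn2) if request_ds else sn2
    if judge == "sending":          # Fig. 6 / Fig. 8: S226 at the sending end's system
        observed, predicted = sending_ds.inverse(z), (sn1 + 1) & MASK
        result = (observed, predicted)
    observed, predicted = result
    return ("high" if observed == predicted else "low"), observed, predicted


if __name__ == "__main__":
    print("Fig. 6:", run_handshake(1000, None, DetectionSystem(), "sending"))
    print("Fig. 7:", run_handshake(1000, DetectionSystem(), DetectionSystem(), "request"))
    print("Fig. 8:", run_handshake(1000, DetectionSystem(), DetectionSystem(), "sending"))
```

One design point the simulation makes visible: the comparison only discriminates because the +1 increment performed by the unaware host does not commute with f. With a pure translation (a = 1, so f(x+1) = f(x)+1) a request end without any detection system would still pass the S226 check, so a deployment must choose a function whose inverse does not turn the peer's increment back into the predicted value.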
In summary, with the network security dynamic detection system and method of the present invention, whether the network architecture is client-to-server or peer-to-peer, the specific security service routine is applied only to the Layer 3 packet payload and the Layer 3 network address (IP address) is not changed, so higher network permeability can be provided without increasing the complexity of the system or reducing its stability. In addition, the network security dynamic detection system of the present invention can automatically sense whether the security level of the connected peer is high or low, and decide accordingly whether to apply the corresponding security service routine to the packets transmitted between the request end and the sending end. When the security level of the connected peer is found to be low, subsequent packets are left unprocessed and flow out directly via the Layer 2 bridge 102, so there is no need, as in the known technology, to provide the security service to every request end that asks for a connection; this reduces the network congestion problem and improves the execution performance of the main system.
Although the present invention has been disclosed above by way of preferred embodiments, they are not intended to limit the invention; any person skilled in the art may make some changes and modifications without departing from the spirit and scope of the present invention.

Claims (21)

1. A network security dynamic detection system, applicable in a network system connecting at least one request end and one sending end, comprising:
a connection judging unit, which judges whether an initial connection request from any request end is an authorized network connection;
a security environment detecting unit, which, when the connection judging unit confirms that the connection request of the request end is an authorized network connection, further judges whether the security level of the request end is high or low;
a configuration switching unit, which, when the security environment detecting unit confirms that the security level of the request end is judged to be high, causes the request end and the sending end to negotiate a communication protocol that both must accept for the network connection, and determines a corresponding security service routine;
a Layer 3 packet processing unit, which performs the security service routine on the packets transmitted between the request end and the sending end according to the communication protocol; and
a negotiation mechanism, which confirms that both the request end and the sending end have completed the connection and releases all system resources.
2. The network security dynamic detection system as claimed in claim 1, characterized in that it comprises at least one dynamic bridge, the dynamic bridge being adjacent to the request end and/or the sending end in the network system.
3. The network security dynamic detection system as claimed in claim 1, characterized in that when the connection judging unit judges that the connection request of the request end is not an authorized network connection, any data packet sent out by the request end is forwarded directly via a Layer 2 bridge.
4. The network security dynamic detection system as claimed in claim 1, characterized in that the connection judging unit further has a check table that records in advance the data of each authorized network connection, including the Layer 2 network interface card MAC address, the Layer 3 IP address or the Layer 4 service port number.
5. The network security dynamic detection system as claimed in claim 1, characterized in that the security environment detecting unit further has a packet processing mechanism which, during the initial connection process between the request end and the sending end, applies the forward operation of a specific function to the header characteristic value of any packet sent out via the network security dynamic detection system, and applies the inverse operation of the specific function to the header characteristic value of any packet received by the network security dynamic detection system, wherein the security environment detecting unit confirms the security level of the request end according to whether the operation result for the header characteristic value of the received packet equals a predicted increment value.
6. The network security dynamic detection system as claimed in claim 5, characterized in that the initial connection process between the request end and the sending end is a three-way handshake connection process, in which a SYN packet, an ACK+SYN packet and an ACK packet are transmitted in turn.
7. The network security dynamic detection system as claimed in claim 5, characterized in that when the operation result for the packet header characteristic value equals the increment value, the security level of the request end is high.
8. The network security dynamic detection system as claimed in claim 5, characterized in that when the operation result for the packet header characteristic value is not equal to the increment value, the security level of the request end is low.
9. The network security dynamic detection system as claimed in claim 1, characterized in that the communication protocol approved by both the request end and the sending end comprises a security service set point, and that when the Layer 3 packet processing unit performs the security service routine, it uses the security service set point to perform computational processing on the Layer 3 payload of the packets transmitted between the request end and the sending end.
10. The network security dynamic detection system as claimed in claim 9, characterized in that the security service routine further comprises: an encryption/decryption service, a digital signature service or a string comparison service.
11. The network security dynamic detection system as claimed in claim 10, characterized in that the security service set point of the encryption/decryption service routine further comprises: a cryptographic algorithm and a corresponding encryption/decryption key.
12. A network security dynamic detection method, applicable in a network system connecting at least one request end and one sending end, comprising:
using a connection judging unit to judge whether an initial connection request from any request end is an authorized network connection;
when the connection request of the request end is judged to be an authorized network connection, permitting the initial connection process between the request end and the sending end;
using a security monitoring unit to judge, according to the initial connection process between the request end and the sending end, whether the security level of the request end is high or low;
when the security level of the request end is confirmed to be high, causing the request end and the sending end to negotiate a communication protocol that both accept for the network connection, so as to determine a corresponding security service routine;
performing the security service routine on the packets transmitted between the request end and the sending end according to the communication protocol; and
confirming that both the request end and the sending end have completed the connection, and releasing the system resources.
13. The network security dynamic detection method as claimed in claim 12, characterized in that the connection judging unit further has a check table that records in advance the data of each authorized network connection, including the Layer 2 network interface card MAC address, the Layer 3 IP address or the Layer 4 service port number.
14. The network security dynamic detection method as claimed in claim 12, characterized in that when the connection judging unit judges that the connection request of the request end is not an authorized network connection, any data packet sent out by the request end is forwarded directly via a Layer 2 bridge.
15. The network security dynamic detection method as claimed in claim 12, characterized in that during the initial connection process between the request end and the sending end, the forward operation of a specific function is applied to the header characteristic value of any packet sent out via the security monitoring unit, and the inverse operation of the specific function is applied to the header characteristic value of any packet received by the security monitoring unit, wherein the security monitoring unit confirms the security level of the request end according to whether the operation result for the header characteristic value of the packet it receives equals a predicted increment value.
16. The network security dynamic detection method as claimed in claim 12, characterized in that the initial connection process between the request end and the sending end is a three-way handshake connection process, in which a SYN packet, an ACK+SYN packet and an ACK packet are transmitted in turn.
17. The network security dynamic detection method as claimed in claim 15, characterized in that when the operation result for the packet header characteristic value equals the increment value, the security level of the request end is high.
18. The network security dynamic detection method as claimed in claim 15, characterized in that when the operation result for the packet header characteristic value is not equal to the increment value, the security level of the request end is low.
19. The network security dynamic detection method as claimed in claim 12, characterized in that the communication protocol approved by both the request end and the sending end comprises a security service set point, and that when the security service routine is performed, the security service set point of the communication protocol is used to perform computational processing on the Layer 3 payload of the packets transmitted between the request end and the sending end.
20. The network security dynamic detection method as claimed in claim 19, characterized in that the security service routine further comprises: an encryption/decryption service, a digital signature service or a string comparison service.
21. The network security dynamic detection method as claimed in claim 20, characterized in that the security service set point of the encryption/decryption service routine further comprises a cryptographic algorithm and a corresponding encryption/decryption key.
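To make the claimed pipeline concrete (check table in the connection judging unit, security-level gate, negotiated security service set point, Layer 3 payload processing with the addresses left untouched), here is an added example that is not the patent's code. The check-table entries, the packet fields and the key are constructed; HMAC-SHA256 over the payload stands in for the claimed "digital signature service", and a constant-time digest comparison stands in for the "string comparison service", since the claims do not fix either algorithm.

```python
"""Claimed pipeline: check table -> security-level gate -> negotiated set point
-> Layer 3 payload processing (added example, not patent code)."""
import hashlib
import hmac
from dataclasses import dataclass, replace

TAG_LEN = 32  # SHA-256 digest length


@dataclass(frozen=True)
class Packet:
    src_mac: str    # Layer 2 identifier
    src_ip: str     # Layer 3 address: never rewritten by the system
    dst_ip: str
    dst_port: int   # Layer 4 service port
    payload: bytes  # Layer 3 payload: the only field the routine touches


# Check table of pre-authorized connections (claim 4); constructed entries.
CHECK_TABLE = {
    "mac": {"00:11:22:33:44:55"},
    "ip": {"192.0.2.10"},
    "port": {8443},
}


def is_authorized(pkt):
    """Connection judging unit: match any of the three recorded identifiers."""
    return (pkt.src_mac in CHECK_TABLE["mac"]
            or pkt.src_ip in CHECK_TABLE["ip"]
            or pkt.dst_port in CHECK_TABLE["port"])


def negotiate(security_level):
    """Configuration switching unit: only a high security level yields a set point.

    Assumed set point: HMAC-SHA256 over the payload, a stand-in for the claimed
    'digital signature service' (the claims do not fix the algorithm).
    """
    if security_level != "high":
        return None
    return {"service": "sign", "algorithm": "hmac-sha256",
            "key": b"constructed-demo-key-not-for-real-use"}


def tag_payload(pkt, setpoint):
    """Layer 3 packet processing unit: append a tag to the payload only."""
    tag = hmac.new(setpoint["key"], pkt.payload, hashlib.sha256).digest()
    return replace(pkt, payload=pkt.payload + tag)


def verify_payload(pkt, setpoint):
    """Receiving side's 'string comparison service', done in constant time."""
    if len(pkt.payload) < TAG_LEN:
        return False
    body, tag = pkt.payload[:-TAG_LEN], pkt.payload[-TAG_LEN:]
    expected = hmac.new(setpoint["key"], body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def handle(pkt, security_level):
    """Decide how one packet from a request end is treated.

    Returns (action, packet): 'bridged-*' packets pass the Layer 2 bridge
    untouched; a 'serviced' packet had the security service routine applied.
    """
    if not is_authorized(pkt):
        return "bridged-unauthorized", pkt      # claim 3 / claim 14
    setpoint = negotiate(security_level)
    if setpoint is None:
        return "bridged-low", pkt               # peer without the system
    return "serviced", tag_payload(pkt, setpoint)


if __name__ == "__main__":
    pkt = Packet("00:11:22:33:44:55", "192.0.2.10", "198.51.100.5", 8443, b"hello")
    action, out = handle(pkt, "high")
    print(action, out.src_ip, len(out.payload), verify_payload(out, negotiate("high")))
```

The point the example makes about the claims is that every branch leaves `src_ip`, `dst_ip` and `dst_port` as they were: the system only ever changes the payload, which is what lets it sit in front of a host as a bridge without being visible at Layer 3.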
CNB2004100549320A 2004-07-21 2004-07-21 Network safety dynamic detection system and method Expired - Fee Related CN100435526C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100549320A CN100435526C (en) 2004-07-21 2004-07-21 Network safety dynamic detection system and method

Publications (2)

Publication Number Publication Date
CN1725726A CN1725726A (en) 2006-01-25
CN100435526C true CN100435526C (en) 2008-11-19

Family

ID=35924975

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100549320A Expired - Fee Related CN100435526C (en) 2004-07-21 2004-07-21 Network safety dynamic detection system and method

Country Status (1)

Country Link
CN (1) CN100435526C (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101242629B (en) * 2007-02-05 2012-02-15 华为技术有限公司 Method, system and device for selection of algorithm of user plane
CN108712275A (en) * 2018-04-19 2018-10-26 平安科技(深圳)有限公司 Data transmission methods of risk assessment, device, computer equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1271895A (en) * 1999-04-23 2000-11-01 松下电器产业株式会社 Network safety monitor and monitoring method
WO2003067810A1 (en) * 2002-02-08 2003-08-14 Netscreen Technologies, Inc. Multi-method gateway-based network security systems and methods
CN1487412A (en) * 2002-09-30 2004-04-07 联想(北京)有限公司 Method of protecting safety of computer network

Also Published As

Publication number Publication date
CN1725726A (en) 2006-01-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20081119