CN101567787B - Computer system, computer network and data communication method - Google Patents


Publication number
CN101567787B
Authority
CN
China
Prior art keywords
safety
module
external data
computer system
computer
Prior art date
Legal status
Active
Application number
CN2008101049255A
Other languages
Chinese (zh)
Other versions
CN101567787A
Inventor
韦卫
Current Assignee
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Priority date
Filing date
Publication date
Abstract

Embodiments of the invention provide a computer system, a computer network and a data communication method. The computer system comprises a guest operating system provided with a virtual network card driver module, a real network card driver module, and a virtual machine monitor provided with a communication module. It further comprises a security system that is located outside the guest operating system, runs on the virtual machine concurrently with the guest operating system, and detects and authenticates, according to security rules, the external data received by the real network card driver module. The virtual network card driver module obtains from the security system, through the communication module, the first external data, i.e. the portion of the external data that has passed detection and authentication, and sends it to the guest operating system. The embodiments ensure that the system is not compromised by multiple types of attack data and strengthen the security of the computer system.

Description

Computer system, computer network and data communication method
Technical field
The present invention relates to the field of computer security technology, and in particular to a computer system, a computer network and a data communication method.
Background technology
At present, the security software or security module of a computer is installed on the computer itself and runs on top of the user operating system. Once the user operating system has been compromised, the attacker, who now controls the operating system, can manipulate the security software or security module, disable it, or make it report false information. For example:
Host firewall scheme: once the operating system is compromised, the attacker can freely reconfigure the firewall's security rules from the controlled operating system;
Host intrusion detection and anti-virus software scheme: these rely on pattern matching, and once the operating system is compromised the intrusion detection system and the anti-virus software are easily tampered with by the attacker;
VPN traffic encryption scheme: once the operating system is compromised, the attacker can attack the key management system, disabling the encryption or obtaining the user's keys.
To solve these problems, trust chain solutions have appeared that detect and repair compromised modules when the computer boots; they cannot, however, address attacks mounted while the operating system is running, in particular viruses implanted into processes and into system memory.
Summary of the invention
The purpose of the embodiments of the invention is to provide a computer system, a computer network and a data communication method that guarantee the security of the guest operating system during data communication.
To this end, an embodiment of the invention provides a computer system comprising a guest operating system provided with a virtual network card driver module, a real network card driver module, and a virtual machine monitor provided with a communication module, and further comprising:
a security system, located outside the guest operating system and running on the virtual machine concurrently with it, for detecting and authenticating, according to security rules, the external data received by the real network card driver module;
a host system detection module for detecting and repairing the virtual machine monitor and the security system;
a user system detection module for detecting and repairing the guest operating system;
wherein the virtual network card driver module obtains from the security system, through the communication module, the first external data, i.e. the portion of the external data that has passed detection and authentication, and sends it to the guest operating system.
Preferably, in the above computer system, the security system is located in a service operating system or in the virtual machine monitor, or is a process of the virtual machine monitor.
Preferably, in the above computer system:
the user system detection module comprises a feature acquisition unit for obtaining the attack signature information of attack data contained in the first external data;
the security system comprises:
a security rule base for storing the security rules;
a security detection module for detecting and authenticating the external data according to the security rules;
a new rule generation module for generating a new security rule from the attack signature information and then updating the security rules in the security rule base.
Preferably, in the above computer system, the security detection module comprises:
a firewall; and/or
a virtual private network encryption unit; and/or
an intrusion detection unit; and/or
an anti-virus protection unit.
To the same end, an embodiment of the invention also provides a computer system comprising a guest operating system provided with a virtual network card driver module, a real network card driver module, and a virtual machine monitor provided with a communication module, and further comprising:
a security system, located outside the guest operating system, for authenticating, according to security rules, the external data received by the real network card driver module;
wherein the virtual network card driver module obtains from the security system, through the communication module, the first external data, i.e. the portion of the external data that has passed authentication.
Preferably, in the above computer system, the security system is located in a service operating system or in the virtual machine monitor, or is a process of the virtual machine monitor.
Preferably, the above computer system further comprises:
a user detection and repair module for detecting attack data in the first external data and obtaining the attack signature information of that attack data;
a first rule update module for updating the security rules according to the attack signature information.
Preferably, in the above computer system, the security system comprises:
a firewall; and/or
a virtual private network encryption unit; and/or
an intrusion detection unit; and/or
an anti-virus protection unit.
Preferably, the above computer system further comprises:
a system detection and repair module for detecting and repairing the virtual machine monitor, the security system or the real firmware when attacked.
Preferably, the above computer system further comprises:
a notification module for sending the security rules updated by the first rule update module to a network policy update system;
a second rule update module for performing a security rule update according to the security rules sent by the network policy update system.
To the same end, an embodiment of the invention also provides a computer network comprising a plurality of computer systems, each of which comprises:
a guest operating system provided with a virtual network card driver module;
a real network card driver module;
a virtual machine monitor provided with a communication module;
a security system, located outside the guest operating system, for authenticating, according to security rules, the external data received by the real network card driver module;
wherein the virtual network card driver module obtains from the security system, through the communication module, the first external data, i.e. the portion of the external data that has passed authentication.
Preferably, in the above computer network, the computer system further comprises:
a user detection and repair module for detecting attack data in the first external data and obtaining the attack signature information of that attack data;
a first rule update module for updating the security rules according to the attack signature information.
Preferably, in the above computer network, the computer system further comprises:
a system detection and repair module for detecting and repairing the virtual machine monitor, the security system or the real firmware when attacked.
Preferably, in the above computer network, the computer system further comprises a notification module and a second rule update module, and the computer network further comprises a network policy update system connected to the computer systems, wherein:
the notification module sends the security rules updated by the first rule update module to the network policy update system;
the network policy update system receives the security rules sent by the notification module and sends the received security rules to the second rule update module;
the second rule update module performs a security rule update according to the updated security rules sent by the network policy update system.
To the same end, an embodiment of the invention also provides a data communication method for a computer system, comprising the steps of:
a security system located outside the guest operating system obtains, from the physical network card, the external data addressed to the guest operating system;
the security system authenticates the external data using security rules;
a virtual network card driver module located in the guest operating system obtains, from the security system through a communication module located in the virtual machine monitor, the first external data, i.e. the portion of the external data that has passed authentication, and sends it to the guest operating system.
Preferably, the above method further comprises:
detecting attack data in the first external data and obtaining the attack signature information of that attack data;
updating the security rules according to the attack signature information.
Preferably, the above method further comprises:
detecting and repairing the service operating system, the virtual machine monitor, the security system or the real firmware when attacked.
Preferably, the above method further comprises:
a first computer system sends the security rules updated in the step of updating the security rules according to the attack signature information to a network policy update system;
the network policy update system forwards the received updated security rules to a second computer system;
the second computer system performs a security rule update according to the updated security rules forwarded by the network policy update system.
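The rule synchronisation steps just listed (first computer system updates a rule and notifies the network policy update system, which forwards it to a second computer system, which applies it) as an added simulation; this is example code written for this page, not the patent's own implementation. It assumes one constructed detail the patent does not state: each push carries a version number and an HMAC under a key held by the security system outside the guest OS, so a stale or forged push is rejected by the receiving node's second rule update module. Host names, the rule format and the key are constructed.

```python
import hashlib
import hmac
import json


class NetworkPolicyUpdateSystem:
    """Receives a rule from one system's notification module and forwards it to
    every other registered system's second rule update module (constructed)."""

    def __init__(self, key: bytes):
        self.key = key            # shared network key: an assumption, not from the patent
        self.subscribers = []
        self.version = 0          # monotonically increasing rule version

    def register(self, node):
        self.subscribers.append(node)

    def _sign(self, body: bytes) -> str:
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def receive_and_forward(self, sender, rule: dict) -> int:
        self.version += 1
        envelope = {"version": self.version, "origin": sender.name, "rule": rule}
        body = json.dumps(envelope, sort_keys=True).encode()
        signed = (body, self._sign(body))
        for node in self.subscribers:
            if node is not sender:
                node.second_rule_update(signed)
        return self.version


class ComputerSystem:
    """One node: its own rule base, a first rule update module fed by local attack
    signature information, and a second rule update module fed by the network
    policy update system. The key lives with the security system, outside the guest."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key
        self.rules = []
        self.applied_version = 0
        self.rejected = 0

    def first_rule_update(self, signature_info: dict) -> dict:
        # Turn attack signature information into a block rule (constructed format).
        rule = {"block_payload_sha256": signature_info["payload_sha256"]}
        self.rules.append(rule)
        return rule

    def notify(self, policy_system: NetworkPolicyUpdateSystem, rule: dict) -> int:
        return policy_system.receive_and_forward(self, rule)

    def second_rule_update(self, signed) -> bool:
        body, tag = signed
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            self.rejected += 1          # forged or corrupted push
            return False
        envelope = json.loads(body)
        if envelope["version"] <= self.applied_version:
            return False                # replayed or stale rule
        self.applied_version = envelope["version"]
        self.rules.append(envelope["rule"])
        return True


def run_sync() -> dict:
    key = b"constructed-network-key"
    policy = NetworkPolicyUpdateSystem(key)
    nodes = [ComputerSystem(f"host-{i}", key) for i in range(3)]
    for node in nodes:
        policy.register(node)

    # host-0's detection module found attack data: update locally, then notify.
    sig = {"payload_sha256": hashlib.sha256(b"constructed attack payload").hexdigest()}
    rule = nodes[0].first_rule_update(sig)
    version = nodes[0].notify(policy, rule)

    # A push from something that does not hold the key is rejected by host-1.
    forged_body = json.dumps({"version": 99, "origin": "host-0",
                              "rule": {"allow_all": True}}).encode()
    forged_accepted = nodes[1].second_rule_update((forged_body, "00" * 32))

    # Replaying the genuine push is ignored because its version is not newer.
    genuine_body = json.dumps({"version": version, "origin": "host-0", "rule": rule},
                              sort_keys=True).encode()
    replay_accepted = nodes[2].second_rule_update((genuine_body, policy._sign(genuine_body)))

    return {
        "version": version,
        "rules_per_node": [len(n.rules) for n in nodes],
        "forged_accepted": forged_accepted,
        "replay_accepted": replay_accepted,
        "rejected_on_host1": nodes[1].rejected,
    }
```

A single shared key means any node holding it can push rules to the whole network; per-node keys or a signature by the policy update system would let receivers distinguish the distribution point from an ordinary peer, at the cost of key management the patent does not discuss.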
Embodiments of the invention have the following beneficial effects:
First, because the security system is located outside the GOS, an attacker who controls the GOS still cannot control the security system, so the security system continues to handle attack data of other types and the system is not compromised by multiple types of attack data;
Second, the detection and repair module detects that the GOS has been attacked, obtains the attack signature information and updates the security rules in the security system according to that information, so the GOS is guaranteed not to suffer the same type of attack data again;
Finally, the updated security rules are synchronised to the other computer systems in the computer network, which further strengthens the security of the whole network.
Description of drawings
Fig. 1 is a structural diagram of a computer system according to an embodiment of the invention;
Fig. 2 is another structural diagram of a computer system according to an embodiment of the invention;
Fig. 3 is a flow diagram of the method according to an embodiment of the invention;
Fig. 4 is a further structural diagram of a computer system according to an embodiment of the invention;
Fig. 5 is yet another structural diagram of a computer system according to an embodiment of the invention.
Embodiment
In the embodiments of the invention, a security system independent of the guest operating system is provided; this secure subsystem verifies externally input data and sends only the data that passes verification to the guest operating system, realising secure data communication.
As shown in Fig. 1, the computer system of an embodiment of the invention comprises a guest operating system GOS (Guest Operating System), a service operating system SOS (Service Operating System), a virtual machine monitor VMM (Virtual Machine Monitor) and a user system detection module, wherein:
the VMM is provided with a communication module;
the SOS is provided with:
a real network driver, which exchanges data with the physical network card and receives the data transmitted by it;
a device model DM (Device Model), which provides the GOS with a virtual network card;
the GOS is provided with:
a virtual network card, which receives the authenticated external data from the security system through the communication module and the DM and passes it to the applications.
The user system detection module is independent of the GOS, comprises a first trust chain system and a second backup/recovery system, is implemented on the virtual machine and can detect changes in the GOS in real time. The first trust chain system detects attack data in the external data received by the GOS and obtains the attack signature information of that attack data; the second backup/recovery system repairs the attacked GOS, the applications in the GOS, the processes in the GOS and/or the virtual firmware corresponding to the GOS, where the attack data is the data in the external data that attacks the GOS, the applications in the GOS, the processes in the GOS and/or the virtual firmware corresponding to the GOS.
The computer system also comprises a host system detection module, wherein:
the host system detection module consists of a second trust chain system and a second backup/recovery system based on a TPM, detects and repairs the attacked virtual machine, security system and/or real firmware, and is implemented in the computer hardware, in the firmware, inside the virtual machine and on the virtual machine respectively.
The host system detection and repair module mainly comprises three parts, namely:
a hardware-layer detection and repair unit, responsible for detecting and repairing the attacked real firmware;
a VMM-layer detection and repair unit, for detecting and repairing the attacked virtual machine monitor;
a system-layer detection and repair unit, for detecting and repairing the attacked security system.
This system detection and repair module may be a trust chain system comprising a security chip.
Under the control of the TPM (Trusted Platform Module), at boot time the hardware-layer detection and repair unit verifies the BIOS and whether the user's usage authorisation is valid; after verification passes it hands trust on to the VMM-layer detection and repair unit, which cross-verifies with the TPM whether the VMM is trustworthy; after that passes it hands trust on to the system-layer detection and repair unit, which cross-verifies with the TPM whether the operating system, applications and so on are trustworthy, until the last check is complete.
If, during this transfer of trust, a factor causing untrustworthiness is detected, for example the integrity value of a process's binary code does not match the preset value or the program pointer is out of bounds, the object is judged untrustworthy, and the attacked object (an application, the operating system, etc.) is then repaired according to a preconfigured operation.
Likewise, the user system detection module consists of a trust chain system and a system backup/recovery system based on a virtual TPM; details are not repeated here.
The computer system of the embodiment also comprises a security system. This security system is an operating system independent of the GOS, on which an anti-virus gateway or a firewall also runs, including a deep filtering module for network data; it runs on the virtual machine concurrently with the GOS and detects and authenticates, according to security rules, the external data received by the real network driver.
Alternatively, this security system runs on the virtual machine as a process of the virtual machine.
The virtual network card driver module obtains from the security system, through the communication module, the external data that has passed detection and authentication, and sends it to the guest operating system.
This security system runs on the operating system or on the virtual machine, and comprises at least: a security detection module, a security rule base, a new rule generation module, a notification module and a network rule update module.
Wherein:
the security rule base stores the security rules;
the security detection module detects and authenticates, according to the security rules in the security rule base, the external data received by the real network driver; the virtual network card obtains from the security detection module, through the communication module, the external data that has passed detection and authentication, and sends it to the guest operating system;
the security detection module comprises at least:
a firewall; and/or
a virtual private network encryption unit; and/or
an intrusion detection unit; and/or
an anti-virus protection unit.
the new rule generation module generates a new security rule from the attack signature information of attack data obtained by the user system detection module, and saves it in the security rule base;
the notification module sends the new security rule generated by the new rule generation module to the network policy distribution system;
the network rule update module receives the new security rules distributed by the network policy distribution system and saves them in the security rule base.
The processing procedure of the above security system is as follows:
Step 1: the user system detection module detects and obtains the attack signature information of the attacker's attack on the guest operating system, that is, the attack signature information of the attack data against the applications in the guest operating system, the processes of the guest operating system and/or the virtual firmware corresponding to the guest operating system;
Step 2: the new rule generation module generates a new security rule from the attack signature information;
Step 3: the newly generated security rule is used to update the security rule base;
Step 4: the user system detection module repairs the attacked guest operating system and applications.
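The four-step procedure above, together with the data path in which the security system filters external data before the guest's virtual network card sees it, as an added simulation; this is example code written for this page, not the patent's implementation. The guest is modelled as a single process image whose integrity value (SHA-256) is compared with a preset value, as the description says; the packet format, the rule format, the sample traffic, and the constructed marker `PATCH:` that stands in for an exploit overwriting the process image are all assumptions of the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src_ip: str
    dst_port: int
    payload: bytes
    def payload_sha256(self) -> str:
        return hashlib.sha256(self.payload).hexdigest()

@dataclass
class Rule:
    """A security rule: block by source IP and/or by payload hash (a virus signature)."""
    block_ip: Optional[str] = None
    block_payload_sha256: Optional[str] = None
    def matches(self, pkt: Packet) -> bool:
        return (self.block_ip is not None and pkt.src_ip == self.block_ip) or (
            self.block_payload_sha256 is not None
            and pkt.payload_sha256() == self.block_payload_sha256)

class SecuritySystem:
    """Runs outside the guest OS; releases only data that matches no rule."""
    def __init__(self, rules):
        self.rule_base = list(rules)
    def inspect(self, packets):
        passed, dropped = [], []
        for pkt in packets:
            (dropped if any(r.matches(pkt) for r in self.rule_base) else passed).append(pkt)
        return passed, dropped

class GuestOS:
    """Guest with one application process image. Its virtual NIC only ever sees
    data the security system released. A payload beginning with the constructed
    marker b"PATCH:" models an exploit that overwrites the process image."""
    MARKER = b"PATCH:"
    def __init__(self, process_image: bytes):
        self.process_image = process_image
        self.received = []
    def virtual_nic_receive(self, pkt: Packet):
        self.received.append(pkt)
        if pkt.payload.startswith(self.MARKER):
            self.process_image = pkt.payload[len(self.MARKER):]

class UserSystemDetectionModule:
    """Independent of the guest: compares the integrity value of the process image
    with the preset value, extracts attack signature information, and repairs the
    guest from a backup held outside it."""
    def __init__(self, guest: GuestOS):
        self.guest = guest
        self.backup_image = guest.process_image
        self.preset_hash = hashlib.sha256(guest.process_image).hexdigest()
    def detect(self):
        """Attack signature info for the packets blamed, or None if the guest is intact.
        Blaming packets by the marker is a constructed simplification."""
        if hashlib.sha256(self.guest.process_image).hexdigest() == self.preset_hash:
            return None
        culprits = [p for p in self.guest.received if p.payload.startswith(GuestOS.MARKER)]
        return [{"src_ip": p.src_ip, "payload_sha256": p.payload_sha256()} for p in culprits]
    def repair(self):
        self.guest.process_image = self.backup_image
        self.guest.received.clear()

def generate_rules(signatures) -> list:
    """New rule generation module: one payload-hash rule per attack signature."""
    return [Rule(block_payload_sha256=s["payload_sha256"]) for s in signatures]

def run_scenario() -> dict:
    security = SecuritySystem([Rule(block_ip="203.0.113.9")])   # one pre-existing rule
    guest = GuestOS(process_image=b"app-v1-code")
    detector = UserSystemDetectionModule(guest)
    traffic = [                                                  # constructed sample traffic
        Packet("198.51.100.5", 80, b"GET / HTTP/1.1"),
        Packet("203.0.113.9", 80, b"anything"),                  # blocked by the existing rule
        Packet("198.51.100.7", 25, b"PATCH:evil-code"),          # matches no rule yet
    ]
    passed1, dropped1 = security.inspect(traffic)
    for pkt in passed1:
        guest.virtual_nic_receive(pkt)
    signatures = detector.detect() or []                     # Step 1: detect, obtain signatures
    security.rule_base.extend(generate_rules(signatures))    # Steps 2-3: new rule, update base
    detector.repair()                                        # Step 4: repair the guest
    passed2, dropped2 = security.inspect(traffic)            # the same traffic arrives again
    for pkt in passed2:
        guest.virtual_nic_receive(pkt)
    return {
        "round1": (len(passed1), len(dropped1)),
        "compromised_after_round1": bool(signatures),
        "rules_after_update": len(security.rule_base),
        "round2": (len(passed2), len(dropped2)),
        "guest_intact_after_round2": detector.detect() is None,
    }
```

The first pass lets the unrecognised attack through and the guest is modified; the detection module, which keeps its preset hash and backup outside the guest, notices the mismatch, the generated rule lands in the security system's rule base, and the second pass drops the same data before the virtual NIC sees it.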
The case in which the security system is located in the SOS is explained in detail below as an example.
As shown in Fig. 2, this computer system comprises a guest operating system GOS (Guest Operating System), a service operating system SOS (Service Operating System) and a virtual machine monitor VMM (Virtual Machine Monitor), wherein:
the VMM is provided with a communication module;
the SOS is provided with:
a real network card driver module, which exchanges data with the physical network card and receives the data transmitted by it;
a security system, which stores the security rules and authenticates, according to the security rules, the external data received by the real network card driver module; it authenticates on the basis of the user data features of the external data;
a device model DM (Device Model), which provides the GOS with a virtual network card;
the GOS is provided with:
an emulated network card driver module, which receives the authenticated external data from the security system through the communication module and the DM and passes it to the applications.
When the emulated network card driver module of the GOS performs a PCI scan, the DM provides the virtual network card to the GOS.
In this computer system the security system in the SOS verifies the external data using the security rules, and only data that passes verification is sent to the GOS, so the security of the GOS is guaranteed. Even if the security system in the SOS cannot recognise a certain type of attack, sends that attack data to the GOS and the attack data takes control of the GOS, the attack data still cannot control the security system because the SOS and the GOS are mutually independent, so the GOS is protected from attack data of other types.
The security rules may comprise: firewall filtering and detection rules, virus signatures, authentication policies, password policies and keys.
However, some attack data that satisfies the security rules can still attack the GOS. To address this, the computer system further comprises:
a user detection and repair module, independent of the GOS, which detects attack data in the external data received by the guest operating system, obtains the attack signature information of that attack data, and repairs the attacked GOS, the applications in the GOS, the processes in the GOS and/or the virtual firmware corresponding to the GOS, where the attack data is the data in the external data that attacks the GOS, the applications in the GOS, the processes in the GOS and/or the virtual firmware corresponding to the GOS;
a first rule update module, located in the SOS, which receives the attack signature information and updates the security rules in the security system according to it.
Of course, the first rule update module may also be located elsewhere, for example in the VMM.
Taking processes as an example, the user detection and repair module decides whether an anomaly has occurred by checking whether the integrity value of a process's binary code is consistent with the preset value and whether the program pointer is out of bounds.
The attack signature information may be: file modification times, the time of a system crash, process modification times, and the type of application software running (for example a browser or a mail system).
The security rules may concern: e-mail attachment files, code downloaded by a browser, IP addresses, ports, application protocols, filtered content, etc.
With the above modules, when the security system cannot recognise some type of attack data and the user detection and repair module detects that the GOS, an application and/or the virtual firmware corresponding to the GOS has been attacked by that type of attack data, it obtains the attack signature information of the attack data and sends it to the first rule update module, which updates the security rules according to the attack signature information; when attack data of the same kind is received in a later data communication it is filtered out, preventing the GOS from being attacked again.
As described above, the security system of the embodiments is isolated from the GOS to guarantee the GOS's data communication security, but the security system is located in the SOS, whose own security is not certain. To guarantee the security of the SOS, the computer system of the embodiment further comprises:
a system detection and repair module for detecting and repairing the virtual machine monitor and/or the security system and/or the real firmware when attacked.
As shown in Fig. 2, this system detection and repair module mainly comprises three parts, namely:
a hardware-layer detection and repair unit, responsible for detecting and repairing the attacked real firmware;
a VMM-layer detection and repair unit, for detecting and repairing the attacked virtual machine monitor;
a system-layer detection and repair unit, for detecting and repairing the attacked security system.
This system detection and repair module may be a trust chain system comprising an existing security chip, such as the security chip disclosed in the Chinese patent application with publication number CN1553349A; other security chips may of course be used.
Under the control of the TPM (Trusted Platform Module), at boot time the hardware-layer detection and repair unit verifies the BIOS and whether the user's usage authorisation is valid; after verification passes it hands trust on to the VMM-layer detection and repair unit, which cross-verifies with the TPM whether the VMM is trustworthy; after that passes it hands trust on to the system-layer detection and repair unit, which cross-verifies with the TPM whether the operating system, applications and so on are trustworthy, until the last check is complete.
If, during this transfer of trust, a factor causing untrustworthiness is detected, for example the integrity value of a process's binary code does not match the preset value or the program pointer is out of bounds, the object is judged untrustworthy, and the attacked object (an application, the operating system, etc.) is then repaired according to a preconfigured operation.
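The layered trust chain described here (and in the same terms for the host system detection module earlier in the description) as an added simulation; this is example code written for this page, not the patent's or the cited security chip's implementation. Each layer measures the next object, compares the integrity value with a preset value, repairs the object from a backup if it does not match, and only then passes trust on; the running measurement is accumulated with the TPM extend rule (new value = SHA-256 of the old value concatenated with the measurement). The four-layer ordering, the firmware images, the golden values and the program-pointer range check are constructed for the example.

```python
import hashlib


def measure(image: bytes) -> str:
    """Integrity value of an object: SHA-256 of its binary image."""
    return hashlib.sha256(image).hexdigest()


def pcr_extend(pcr_hex: str, measurement_hex: str) -> str:
    """TPM-style extend: new PCR = SHA-256(old PCR || measurement)."""
    return hashlib.sha256(bytes.fromhex(pcr_hex) + bytes.fromhex(measurement_hex)).hexdigest()


class TrustChain:
    # Hardware layer verifies the BIOS, VMM layer verifies the VMM, system layer
    # verifies the security system and then the guest OS (constructed ordering).
    LAYERS = ["bios", "vmm", "security_system", "guest_os"]

    def __init__(self, images: dict, golden: dict, backups: dict):
        self.images = dict(images)   # what is actually present at boot
        self.golden = golden         # preset integrity values
        self.backups = backups       # known-good copies used for repair
        self.pcr = "00" * 32
        self.events = []

    def verify_and_repair(self) -> str:
        for name in self.LAYERS:
            m = measure(self.images[name])
            if m != self.golden[name]:
                # Untrusted: restore the object from backup before passing trust on.
                self.images[name] = self.backups[name]
                m = measure(self.images[name])
                self.events.append((name, "untrusted", "repaired"))
            else:
                self.events.append((name, "trusted", None))
            self.pcr = pcr_extend(self.pcr, m)
        return self.pcr


def expected_pcr(golden: dict) -> str:
    """The register value a fully trustworthy boot must end with."""
    pcr = "00" * 32
    for name in TrustChain.LAYERS:
        pcr = pcr_extend(pcr, golden[name])
    return pcr


def program_pointer_in_bounds(pc: int, text_start: int, text_end: int) -> bool:
    """Run-time check from the description: the program pointer must lie inside
    the process's text segment; anything else is judged untrustworthy."""
    return text_start <= pc < text_end


def run_boot() -> dict:
    good = {"bios": b"bios-v1", "vmm": b"vmm-v1",
            "security_system": b"sec-v1", "guest_os": b"gos-v1"}   # constructed images
    golden = {k: measure(v) for k, v in good.items()}
    present = dict(good)
    present["vmm"] = b"vmm-v1-tampered"   # constructed: the VMM image was modified
    chain = TrustChain(present, golden, backups=good)
    final = chain.verify_and_repair()
    return {
        "events": chain.events,
        "pcr_matches_expected": final == expected_pcr(golden),
        "vmm_restored": chain.images["vmm"] == good["vmm"],
    }
```

The register only matches the expected value because the repaired image is measured again before trust is passed on; the event log is what records that a repair took place, which is the part a defender would want reported and retained.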
Being arranged among the VMM with this safety system below is that example further specifies.
The computer system of the embodiment of the invention as shown in Figure 4, comprise client operating system GOS (GuestOperation System), the SOS of service operations system (Service Operation System), virtual machine monitor VMM (Virtual Machine Monitor) and real hardware, wherein:
Be provided with among the SOS:
True network interface card driver module carries out data interaction with physical network card, receives the data of physical network card transmission;
DM is used to GOS that Microsoft Loopback Adapter is provided;
Be provided with among the VMM:
Communication module; With
Safety system is used to preserve safety regulation, and after obtaining the external data that true network interface card driver module receives by DM, according to safety regulation external data is authenticated, and its user data feature according to external data authenticates.
Be provided with among the GOS:
Simulation network interface card driver module is used for receiving the external data of passing through authentication by communication module from safety system, and sends to the application program use.
In the computer system of this embodiment of the invention, the safety system arranged in the VMM verifies the external data, and only external data that passes verification is sent to the GOS, which secures the GOS. At the same time, even if the safety system fails to recognise some type of attack, passes the attack data to the GOS, and that attack data gains control of the GOS, the attack data still cannot control the safety system, because the VMM is independent of the GOS; the GOS therefore remains protected against attack data of the other types.
However, since some attack data that conforms to the safety rules can still attack the GOS, the computer system of the sixth embodiment of the invention further comprises, to address this problem:
A user detection and repair module, independent of the GOS, used to detect attack data in the external data received by the guest operating system and to obtain the attack signature information of that attack data, and also used to repair the GOS, the application programs and processes in the GOS, and/or the virtual firmware corresponding to the GOS, whichever has been attacked; here the attack data is that part of the external data that attacks the GOS, the application programs or processes in the GOS, and/or the virtual firmware corresponding to the GOS;
A first policy update module, arranged in the VMM, used to receive the attack signature information and to update the safety rules in the safety system according to it.
In the case of a process, the user detection and repair module judges whether an anomaly has occurred by checking whether the integrity value of the process's binary code is consistent with a preset value and whether the program pointer has gone out of bounds.
The attack signature information may be, for example: the modification time of a file, the time at which the system crashed, the modification time of a process, the type of application software running (such as a browser or a mail system), and so on.
The safety rules may concern, for example: e-mail attachment files, code downloaded by a browser, IP addresses, ports, application protocols, content filtering, and so on.
With the modules above, when the safety system cannot filter a certain type of attack data, the user detection and repair module, on detecting that the GOS, an application program and/or the virtual firmware corresponding to the GOS has been attacked, obtains the attack signature information and sends it to the first policy update module, which updates the safety rules according to that information; when attack data of that kind is received in the next data communication it can then be filtered out, so the GOS is not attacked by it again.
As noted above, the safety system of the embodiments of the invention is isolated from the GOS in order to secure the GOS's data communication; but where the safety system is arranged in the SOS, the security of the SOS itself is not assured. To secure the SOS in that case, the computer system of the embodiment of the invention further comprises:
A system detection and repair module, used to detect and repair the virtual machine monitor and/or the safety system and/or the real firmware when any of them has been attacked.
In the description above, the safety system either depends on the SOS or is arranged in the VMM; but the safety system may also run as a process on the VMM. As shown in Figure 5, this computer system comprises a guest operating system (GOS), a safety system, a virtual machine monitor (VMM) and real hardware, wherein:
The safety system is provided with:
A real NIC driver module, which exchanges data with the physical NIC and receives the data transmitted by the physical NIC;
A DM, used to provide the virtual NIC to the GOS; and
A security module, used to store the safety rules and, after obtaining through the DM the external data received by the real NIC driver module, to authenticate the external data according to the safety rules, and also to authenticate it according to the user-data features of the external data;
The VMM is provided with a communication module;
The GOS is provided with:
A virtual NIC driver module, used to receive from the safety system, through the communication module and the DM, the external data that has passed authentication, and to pass it to the application programs.
This computer system further comprises:
A user detection and repair module, independent of the GOS, used to detect attack data in the external data received by the guest operating system and to obtain the attack signature information of that attack data, and also used to repair the GOS, the application programs and processes in the GOS, and/or the virtual firmware corresponding to the GOS, whichever has been attacked; here the attack data is that part of the external data that attacks the GOS, the application programs or processes in the GOS, and/or the virtual firmware corresponding to the GOS;
The safety system further comprises a first policy update module, used to receive the attack signature information and to update the safety rules in the safety system according to it.
In the case of a process, the user detection and repair module judges whether an anomaly has occurred by checking whether the integrity value of the process's binary code is consistent with a preset value and whether the program pointer has gone out of bounds.
The attack signature information may be, for example: the modification time of a file, the time at which the system crashed, the modification time of a process, the type of application software running (such as a browser or a mail system), and so on.
The safety rules may concern, for example: e-mail attachment files, code downloaded by a browser, IP addresses, ports, application protocols, content filtering, and so on.
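The filtering and feedback loop described in the embodiments above (the safety system applying its rules to external data, the user detection and repair module comparing a process binary with its preset integrity value, and the first policy update module turning attack signature information into a new rule), as an added example that is not code from the patent. The message fields, the rule fields and the contents of the attack signature are assumptions chosen for this example; `Message`, `Rule`, `SafetySystem`, `process_integrity_ok` and `attack_signature` are names made up here, and the sample traffic is constructed.

```python
"""Added example, not code from the patent: a rule-based filter standing in for
the safety system, a guest-side integrity check standing in for the user
detection and repair module, and the feedback step of the first policy update
module. The message fields, rule fields and the shape of the attack signature
are assumptions made for this example."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Message:
    """One unit of external data as handed over by the real NIC driver."""
    src_ip: str
    dst_port: int
    protocol: str            # application protocol, e.g. "http", "smtp"
    payload: bytes
    attachment: str = ""     # e-mail attachment file name, if any


@dataclass
class Rule:
    """A deny rule: every set field must match for the rule to fire. The field
    kinds follow the patent's list (attachment, IP, port, protocol, content)."""
    name: str
    src_ip: Optional[str] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    attachment_suffix: Optional[str] = None
    content: Optional[bytes] = None

    def matches(self, m: Message) -> bool:
        return ((self.src_ip is None or m.src_ip == self.src_ip)
                and (self.dst_port is None or m.dst_port == self.dst_port)
                and (self.protocol is None or m.protocol == self.protocol)
                and (self.attachment_suffix is None
                     or m.attachment.lower().endswith(self.attachment_suffix))
                and (self.content is None or self.content in m.payload))


class SafetySystem:
    """Holds the safety rules and decides which external data reaches the GOS."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def check(self, m: Message) -> Optional[Rule]:
        """Return the deny rule that fires for m, or None if m passes."""
        return next((r for r in self.rules if r.matches(m)), None)

    def filter(self, msgs: List[Message]) -> List[Message]:
        return [m for m in msgs if self.check(m) is None]

    def update_from_signature(self, sig: dict) -> Rule:
        """First policy update module: derive a new rule from attack signature
        information so the same traffic is filtered next time."""
        rule = Rule(name="learned-" + sig["process"], src_ip=sig["src_ip"],
                    protocol=sig["protocol"], content=sig["content"])
        self.rules.append(rule)
        return rule


def process_integrity_ok(binary: bytes, preset_sha256: str) -> bool:
    """User detection and repair module: compare the integrity value of a
    process's binary code with the preset value."""
    return hashlib.sha256(binary).hexdigest() == preset_sha256


def attack_signature(m: Message, process: str, modified_at: int) -> dict:
    """Attack signature information: which process was modified and when,
    plus the traffic features of the data that delivered the attack."""
    return {"process": process, "modified_at": modified_at, "src_ip": m.src_ip,
            "protocol": m.protocol, "content": m.payload[:8]}


def demo():
    """Runs one round of filtering, one detection in the guest and one rule
    update; returns (messages passed before, messages passed after)."""
    # Constructed sample traffic, not captured data.
    msgs = [
        Message("10.0.0.5", 80, "http", b"GET /index.html HTTP/1.1"),
        Message("198.51.100.2", 25, "smtp", b"see attachment", "invoice.exe"),
        Message("203.0.113.7", 80, "http", b"\x90\x90\x90\x90JUNK-PAYLOAD"),
        Message("10.0.0.9", 23, "telnet", b"login"),
    ]
    safety = SafetySystem([
        Rule("no-exe-attachments", protocol="smtp", attachment_suffix=".exe"),
        Rule("block-telnet", dst_port=23),
    ])
    passed_before = safety.filter(msgs)          # the shellcode-like message slips through

    # In the guest: the browser binary was modified after that message arrived.
    browser_v1 = b"browser-v1-binary"            # constructed stand-in for a binary
    preset = hashlib.sha256(browser_v1).hexdigest()
    browser_now = browser_v1 + b"\x00implant"
    if not process_integrity_ok(browser_now, preset):
        sig = attack_signature(passed_before[-1], "browser", modified_at=1700000000)
        safety.update_from_signature(sig)

    passed_after = safety.filter(msgs)
    return len(passed_before), len(passed_after)


if __name__ == "__main__":
    print(demo())
```

The learned rule keys on the source address, protocol and a payload prefix taken from the attack signature; a rule this narrow is easy for an attacker to step around, which is why the patent also provides for the whole rule set, not just the new rule, to be redistributed.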
As noted above, the safety system of the embodiments of the invention is isolated from the GOS in order to secure the GOS's data communication; but where the safety system is arranged in the SOS, the security of the SOS itself is not assured. To secure the SOS in that case, the computer system of the embodiment of the invention further comprises:
A system detection and repair module, used to detect and repair the virtual machine monitor and/or the safety system and/or the real firmware when any of them has been attacked.
The computer network of the embodiment of the invention comprises a plurality of interconnected computer systems; each may be any of the computer systems described above, with the safety system arranged in any of the positions described. Since the computer system has been described in detail above, it is not repeated here.
As mentioned above, the computer system of the embodiment of the invention can update its safety rules, but that update is carried out only within that computer system and cannot be shared with other systems. Therefore the computer network of the invention is further provided with a network policy update system, and each computer system is further provided with a notification module and a second policy update module, wherein:
The notification module is used to send the safety rules updated by the first policy update module to the network policy update system;
The network policy update system, connected to the computer systems, is used to receive the updated safety rules sent by a notification module and to forward the received updated safety rules to the second policy update modules;
The second policy update module is used to receive the safety rules sent by the network policy update system and to update the safety rules in its own safety system with them.
Here the network policy update system is a computer or a security server in the computer network.
The updated safety rules sent may be only the new rules, or the whole rule set including the new rules.
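The notification, relay and second policy update steps above, as an added example that is not code from the patent. It goes beyond the text in two ways, both assumptions: each update carries an HMAC keyed with a secret shared by the computer systems, so the relay cannot alter rules, and a per-origin sequence number, so a replayed update is rejected. `NotificationModule`, `NetworkPolicyUpdateSystem`, `SecondPolicyUpdateModule`, the message fields and the pre-shared key are all chosen here; the rule dictionaries are constructed sample data.

```python
"""Added example, not code from the patent: distribution of updated safety
rules through a network policy update system. The update message format, the
HMAC used to authenticate updates end to end between computer systems, the
sequence number used to reject replays, and the merge semantics are all
assumptions; the patent only states that an update may carry the new rules
alone or the whole rule set including them."""
import hashlib
import hmac
import json
from typing import Dict, List

Rule = Dict[str, object]    # e.g. {"name": "block-telnet", "dst_port": 23}


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_update(key: bytes, body: dict) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def verify_update(key: bytes, update: dict) -> bool:
    body = {k: v for k, v in update.items() if k != "tag"}
    return hmac.compare_digest(sign_update(key, body), str(update.get("tag", "")))


class NotificationModule:
    """On the computer system whose first policy update module learned rules."""

    def __init__(self, key: bytes, system_id: str):
        self.key, self.system_id, self.seq = key, system_id, 0

    def build_update(self, rules: List[Rule], mode: str) -> dict:
        if mode not in ("delta", "full"):
            raise ValueError("mode must be 'delta' (new rules only) or 'full'")
        self.seq += 1
        body = {"origin": self.system_id, "seq": self.seq, "mode": mode, "rules": rules}
        return {**body, "tag": sign_update(self.key, body)}


class SecondPolicyUpdateModule:
    """On every other computer system; applies updates to its safety rules."""

    def __init__(self, key: bytes, system_id: str, rules: List[Rule]):
        self.key, self.system_id, self.rules = key, system_id, list(rules)
        self.last_seq: Dict[str, int] = {}

    def apply(self, update: dict) -> bool:
        if not verify_update(self.key, update):
            return False                         # forged or altered in transit
        origin, seq = update["origin"], update["seq"]
        if seq <= self.last_seq.get(origin, 0):
            return False                         # replayed or out-of-date update
        self.last_seq[origin] = seq
        if update["mode"] == "full":
            self.rules = list(update["rules"])   # whole rule set replaces ours
        else:
            by_name = {r["name"]: r for r in self.rules}
            for r in update["rules"]:            # new rules only: merge by name
                by_name[r["name"]] = r
            self.rules = list(by_name.values())
        return True

    def rule_names(self) -> List[str]:
        return [r["name"] for r in self.rules]


class NetworkPolicyUpdateSystem:
    """The computer or security server that relays updates; it holds no key
    and only forwards, so a compromised relay cannot forge rules."""

    def __init__(self):
        self.peers: List[SecondPolicyUpdateModule] = []

    def register(self, peer: SecondPolicyUpdateModule) -> None:
        self.peers.append(peer)

    def forward(self, update: dict) -> int:
        """Forward to every registered system except the origin; return how
        many of them accepted the update."""
        return sum(p.apply(update) for p in self.peers
                   if p.system_id != update["origin"])


def demo():
    key = b"constructed-shared-key"              # assumption: pre-shared per network
    server = NetworkPolicyUpdateSystem()
    host_a = NotificationModule(key, "host-a")
    host_b = SecondPolicyUpdateModule(key, "host-b", [{"name": "block-telnet", "dst_port": 23}])
    host_c = SecondPolicyUpdateModule(key, "host-c", [])
    server.register(host_b)
    server.register(host_c)

    learned = {"name": "learned-browser", "src_ip": "203.0.113.7", "protocol": "http"}
    delta = host_a.build_update([learned], "delta")
    accepted_delta = server.forward(delta)
    names_after_delta = host_b.rule_names()

    replayed = server.forward(delta)             # same seq again: rejected
    tampered = dict(delta, rules=[{"name": "allow-all"}])
    accepted_tampered = server.forward(tampered) # tag no longer matches: rejected

    full = host_a.build_update([learned, {"name": "no-exe-attachments",
                                          "protocol": "smtp", "attachment_suffix": ".exe"}], "full")
    accepted_full = server.forward(full)
    return (accepted_delta, names_after_delta, replayed, accepted_tampered,
            accepted_full, host_b.rule_names(), host_c.rule_names())


if __name__ == "__main__":
    print(demo())
```

The `delta` mode corresponds to sending only the new rules and merges them by name; `full` corresponds to sending the whole rule set and replaces the receiver's rules outright, which is the simpler mode to reason about when a rule also has to be withdrawn. Keeping the key away from the relay means a compromised security server can at worst withhold updates, not inject them.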
The safety system described above comprises one or more of the following units:
A firewall, which filters network data;
A virtual private network (VPN) encryption unit;
An intrusion detection unit; and
An antivirus unit.
The data communication method of the computer system of the embodiment of the invention, as shown in Figure 2, comprises:
Step 21: verify whether the computer system and the safety system are normal; if so, go directly to step 23, otherwise go to step 22;
Step 22: repair the computer system and the safety system, then go to step 23;
Step 23: the virtual machine starts the safety system and the guest operating system;
Step 24: the safety system, which is independent of the guest operating system, authenticates the external data destined for the guest operating system according to the safety rules, and sends the external data that passes authentication to the guest operating system.
Here the external data is first obtained from the real NIC by the real NIC driver module in the SOS, and is then authenticated by the safety system.
Where the safety rules in the safety system are not yet complete, the embodiment of the method of the invention further comprises:
Step 25: obtain the attack signature information of attack data that attacks the GOS, the application programs or processes in the GOS, and/or the virtual firmware corresponding to the GOS;
Step 26: update the safety rules according to the attack signature information.
In a computer network environment, the method of the embodiment of the invention further comprises:
Step 27: a first computer system sends the updated safety rules to the network policy update system;
Step 28: the network policy update system forwards the received updated safety rules to a second computer system;
Step 29: the second computer system updates its own safety rules according to the updated safety rules sent by the network policy update system.
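Steps 21 to 23 of the method, as an added example that is not code from the patent: each protected component is measured and compared with a preset value, a damaged component is restored from a golden copy, and start-up is refused if the repair does not yield a clean state. The component names, the manifest and golden-copy formats, the location of the golden copies and the order in which the safety system and the GOS are started are assumptions; `SystemDetectRepair`, `measure` and `boot` are names chosen here, and the images are constructed stand-ins.

```python
"""Added example, not code from the patent: the start-up sequence of steps 21
to 23, with the system detection and repair module modelled as a comparison
of each component image against a preset measurement and a restore from a
golden copy. The component names, the manifest format, where the golden copies
live, and the order in which the safety system and the GOS are started are
assumptions; the patent does not specify how detection or repair is done."""
import hashlib
from typing import Dict, List, Tuple


def measure(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


class SystemDetectRepair:
    """System detection and repair module for the VMM, safety system and firmware."""

    def __init__(self, manifest: Dict[str, str], golden: Dict[str, bytes]):
        self.manifest = manifest   # component name -> expected measurement
        self.golden = golden       # component name -> pristine image (assumed
                                   # kept where the GOS cannot write to it)

    def detect(self, images: Dict[str, bytes]) -> List[str]:
        """Step 21: components whose measurement differs from the preset value.
        A missing component counts as damaged."""
        return [name for name, expected in self.manifest.items()
                if measure(images.get(name, b"")) != expected]

    def repair(self, images: Dict[str, bytes], damaged: List[str]) -> Dict[str, bytes]:
        """Step 22: restore each damaged component from its golden copy."""
        fixed = dict(images)
        for name in damaged:
            if name not in self.golden:
                raise RuntimeError(f"no golden copy for {name}; cannot repair")
            fixed[name] = self.golden[name]
        return fixed


def boot(images: Dict[str, bytes], module: SystemDetectRepair) -> Tuple[List[str], List[str]]:
    """Steps 21 to 23: verify, repair if needed, re-verify, then start.
    Returns (components repaired, start order)."""
    damaged = module.detect(images)
    if damaged:
        images = module.repair(images, damaged)
        if module.detect(images):                # repair did not yield a clean state
            raise RuntimeError("repair failed; refusing to start")
    # Start the safety system before the GOS so that no guest traffic can
    # bypass the rules while the guest comes up (ordering is an assumption).
    return damaged, ["safety_system", "gos"]


def demo() -> Tuple[List[str], List[str]]:
    # Constructed stand-ins for the real images.
    golden = {"vmm": b"vmm-image-v1", "safety_system": b"safety-system-v1",
              "real_firmware": b"real-firmware-v1"}
    manifest = {name: measure(img) for name, img in golden.items()}
    module = SystemDetectRepair(manifest, golden)
    # The firmware image found at start-up carries an extra blob.
    found = dict(golden, real_firmware=golden["real_firmware"] + b"\x00implant")
    return boot(found, module)


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the place the manifest and golden copies are stored: if the GOS or the attacked component can write to them, the repair step restores the attacker's image. The patent leaves that storage unspecified, so the example assumes it is outside the guest's reach.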
From the description of the embodiments above, those skilled in the art will clearly understand that the invention can be implemented by software together with the necessary general-purpose hardware platform, or of course by hardware alone, but the former is evidently the better implementation. On this understanding, the technical solution of the invention, or the part of it that contributes over the prior art, can be embodied in the form of a software product; this software product comprises instructions that cause a computer device (computer device here being a general concept that includes, but is not limited to, personal computers, servers, network equipment and the like) to perform the method described in the embodiments of the invention.
The above are only preferred implementations of the invention. It should be pointed out that those skilled in the art can make further improvements and modifications without departing from the principles of the invention, and such improvements and modifications should also be regarded as within the scope of protection of the invention.

Claims (18)

1. A computer system comprising a guest operating system provided with a virtual NIC driver module, a real NIC driver module and a virtual machine monitor provided with a communication module, characterised in that it further comprises:
A safety system, arranged outside the guest operating system and running on the virtual machine at the same time as the guest operating system, used to detect and authenticate, according to safety rules, the external data received by the real NIC driver module;
A main system detection module, used to detect and repair the virtual machine monitor and the safety system;
A user system detection module, used to detect and repair the guest operating system;
wherein the virtual NIC driver module is used to obtain from the safety system, through the communication module, the first external data, being the part of the external data that has passed detection and authentication, and to send it to the guest operating system.
2. The computer system according to claim 1, characterised in that the safety system is arranged in a service operating system or in the virtual machine monitor, or is a process of the virtual machine monitor.
3. The computer system according to claim 2, characterised in that:
the user system detection module comprises a feature acquisition unit, used to obtain the attack signature information of attack data in the first external data;
the safety system specifically comprises:
a security rule base, used to store the safety rules;
a safety detection module, used to detect and authenticate the external data according to the safety rules;
a new rule generation module, used to generate new safety rules according to the attack signature information and then update the safety rules in the security rule base.
4. The computer system according to claim 3, characterised in that the safety detection module comprises:
a firewall; and/or
a virtual private network encryption unit; and/or
an intrusion detection unit; and/or
an antivirus unit.
5. A computer system comprising a guest operating system provided with a virtual NIC driver module, a real NIC driver module and a virtual machine monitor provided with a communication module, characterised in that it further comprises:
A safety system, arranged outside the guest operating system, used to authenticate, according to safety rules, the external data received by the real NIC driver module;
wherein the virtual NIC driver module is used to obtain from the safety system, through the communication module, the first external data, being the part of the external data that has passed authentication.
6. The computer system according to claim 5, characterised in that the safety system is arranged in a service operating system or in the virtual machine monitor, or is a process of the virtual machine monitor.
7. The computer system according to claim 6, characterised in that it further comprises:
a user detection and repair module, used to detect attack data in the first external data and to obtain the attack signature information of the attack data;
a first policy update module, used to update the safety rules according to the attack signature information.
8. The computer system according to claim 7, characterised in that the safety system comprises:
a firewall; and/or
a virtual private network encryption unit; and/or
an intrusion detection unit; and/or
an antivirus unit.
9. The computer system according to any one of claims 5, 6, 7 or 8, characterised in that it further comprises:
a system detection and repair module, used to detect and repair the virtual machine monitor, the safety system or the real firmware when attacked.
10. The computer system according to claim 7 or 8, characterised in that it further comprises:
a notification module, used to send the safety rules updated by the first policy update module to a network policy update system;
a second policy update module, used to perform a safety rule update according to the safety rules sent by the network policy update system.
11. A computer network comprising a plurality of computer systems, characterised in that each computer system comprises:
a guest operating system provided with a virtual NIC driver module;
a real NIC driver module;
a virtual machine monitor provided with a communication module;
a safety system, arranged outside the guest operating system, used to authenticate, according to safety rules, the external data received by the real NIC driver module;
wherein the virtual NIC driver module is used to obtain from the safety system, through the communication module, the first external data, being the part of the external data that has passed authentication.
12. The computer network according to claim 11, characterised in that the computer system further comprises:
a user detection and repair module, used to detect attack data in the first external data and to obtain the attack signature information of the attack data;
a first policy update module, used to update the safety rules according to the attack signature information.
13. The computer network according to claim 11 or 12, characterised in that the computer system further comprises:
a system detection and repair module, used to detect and repair the virtual machine monitor, the safety system or the real firmware when attacked.
14. The computer network according to claim 11 or 12, characterised in that the computer system further comprises a notification module and a second policy update module, and the computer network further comprises a network policy update system connected to the computer systems, wherein:
the notification module is used to send the safety rules updated by the first policy update module to the network policy update system;
the network policy update system is used to receive the safety rules sent by the notification module and to send the received safety rules to the second policy update module;
the second policy update module is used to perform a safety rule update according to the updated safety rules sent by the network policy update system.
15. A data communication method of a computer system, characterised in that it comprises the steps of:
a safety system arranged outside a guest operating system obtains from a physical NIC the external data destined for the guest operating system;
the safety system authenticates the external data using safety rules;
a virtual NIC driver module arranged in the guest operating system obtains from the safety system, through a communication module arranged in a virtual machine monitor, the first external data, being the part of the external data that has passed authentication, and sends it to the guest operating system.
16. The method according to claim 15, characterised in that it further comprises:
detecting attack data in the first external data and obtaining the attack signature information of the attack data;
updating the safety rules according to the attack signature information.
17. The method according to claim 15 or 16, characterised in that it further comprises:
detecting and repairing the service operating system, the virtual machine monitor, the safety system or the real firmware when attacked.
18. The method according to claim 17, characterised in that it further comprises:
a first computer system sends to a network policy update system the safety rules updated in the step of updating the safety rules according to the attack signature information;
the network policy update system forwards the received updated safety rules to a second computer system;
the second computer system performs a safety rule update according to the updated safety rules forwarded by the network policy update system.
CN2008101049255A 2008-04-25 2008-04-25 Computer system, computer network and data communication method Active CN101567787B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101049255A CN101567787B (en) 2008-04-25 2008-04-25 Computer system, computer network and data communication method

Publications (2)

Publication Number Publication Date
CN101567787A CN101567787A (en) 2009-10-28
CN101567787B true CN101567787B (en) 2011-05-25

Family

ID=41283754

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008101049255A Active CN101567787B (en) 2008-04-25 2008-04-25 Computer system, computer network and data communication method

Country Status (1)

Country Link
CN (1) CN101567787B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102710664A (en) * 2012-06-27 2012-10-03 苏州奇可思信息科技有限公司 Network communication system
CN102724202A (en) * 2012-06-27 2012-10-10 苏州奇可思信息科技有限公司 Network communication method
CN102904876A (en) * 2012-09-03 2013-01-30 常州嘴馋了信息科技有限公司 Safety protection system of websites
CN103023912A (en) * 2012-12-26 2013-04-03 蓝盾信息安全技术股份有限公司 Method for preventing network attacks based on virtual machines
CN103916376A (en) * 2013-01-09 2014-07-09 台达电子工业股份有限公司 Cloud system with attract defending mechanism and defending method thereof
CN109922054A (en) * 2019-02-25 2019-06-21 贵阳忆联网络有限公司 A kind of network security shielding system and method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1940805A (en) * 2005-09-30 2007-04-04 Lenovo (Beijing) Ltd Computer system and its safety encryption
CN101042719A (en) * 2006-03-21 2007-09-26 Lenovo (Beijing) Ltd System and method for killing ROOTKIT

Also Published As

Publication number Publication date
CN101567787A (en) 2009-10-28

Similar Documents

Publication Publication Date Title
US8359464B2 (en) Quarantine method and system
US5919257A (en) Networked workstation intrusion detection system
US7024695B1 (en) Method and apparatus for secure remote system management
US9363286B2 (en) System and methods for detection of fraudulent online transactions
CN101567787B (en) Computer system, computer network and data communication method
US6314520B1 (en) Trusted workstation in a networked client/server computing system
WO2018157247A1 (en) System and method for securing communications with remote security devices
US20060203815A1 (en) Compliance verification and OSI layer 2 connection of device using said compliance verification
US20150222596A1 (en) Secure layered iterative gateway
WO2009087702A1 (en) Virtual machine execution program, user authentication program and information processor
WO2007149140A2 (en) System and method for providing transactional security for an end-user device
WO2005094490A2 (en) Method and apparatus for protecting a remediated computer network from entry of a vulnerable computer system thereinto
EP1724701A2 (en) Solution to the malware problems of the internet
US9021253B2 (en) Quarantine method and system
US20120030459A1 (en) Secure Network Extension Device and Method
CN102333098A (en) Implementation method for security private cloud system
JP2008276457A (en) Network protection program, network protection device, and network protection method
CN107342963A (en) A kind of secure virtual machine control method, system and the network equipment
CN101800754B (en) Method for distributing patch
US20050086512A1 (en) Worm blocking system and method using hardware-based pattern matching
CN116155649A (en) Construction method of industrial Internet based on two-layer tunnel protocol
US20050076236A1 (en) Method and system for responding to network intrusions
CN114329444A (en) System safety improving method and device
US9225733B1 (en) Preventing computer worms from attacking a private computer network through a virtual private network connection
CN105825124A (en) Server illegal operation monitoring method and monitoring system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant