CN103391216A - Alarm and blocking method for illegal external connections - Google Patents


Publication number
CN103391216A
Authority
CN
China
Prior art keywords
intranet
external connection
client
illegal external
blocking
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2013102958256A
Other languages
Chinese (zh)
Other versions
CN103391216B (en)
Inventor
张珠君
冯维淼
张萌
黄伟庆
刘浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS
Priority to CN201310295825.6A
Publication of CN103391216A
Application granted
Publication of CN103391216B
Legal status: Active
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to an alarm and blocking method for illegal external connections. The method comprises: 1) an intranet host client monitors the networking behavior of intranet computers in real time across several external connection modes; 2) the intranet host client uses the Libnet function library to actively send encrypted alarm data packets to an external connection alarm monitoring terminal, to detect whether the intranet computers have made external connections, and an alarm is raised for illegal external connection behavior; 3) the intranet host client performs low-level packet capture on alarmed intranet hosts to obtain all data packets passing through the hosts' network cards and judge illegal external connection behavior; 4) the network cards of hosts judged to have made illegal external connections are blocked. The method is timely and performs well in monitoring illegal external connections. It improves the security and transmission efficiency of alarm data packets in the system, effectively avoids the risk of leaks caused by stolen alarm information, and improves the security of the software, which resists being blocked and uninstalled.

Description

An alarm and blocking method for illegal external connections
Technical field
The present invention relates to a method for monitoring illegal external connections, in particular to an alarm and blocking method for illegal external connections, and belongs to the field of information security technology.
Background
In recent years, with the development of informatization, many organizations have paid close attention to illegal external connections and have built their own illegal external connection monitoring systems. These systems can detect intranet computers making unauthorized external connections through network devices such as modems, ADSL dial-up equipment and wireless network cards, thereby preventing important internal information from leaking to the outside, and they have achieved a certain protective effect.
Current illegal external connection monitoring mechanisms are mainly of two kinds: one uses a dual-machine architecture, the other a C/S (client/server) architecture:
The dual-machine architecture consists of a monitoring center and an alarm center. Detection is done with probe frames; probe packets are of two kinds, ICMP probes and TCP probes. The monitoring center is installed on the organization's intranet and probes intranet computers for illegal external connections by actively sending probe packets whose source address is set to imitate the IP address of the alarm center. The alarm center is installed on the Internet and is responsible for parsing illegal external connection alarm messages. If a host is connected to the Internet at that moment, the probe packet sent by the monitoring center induces the host to forward an alarm message to the alarm center automatically. The alarm center raises the alarm after parsing the message.
The C/S architecture consists of monitoring agents and a monitoring alarm center. A monitoring agent is installed on every intranet computer. It periodically checks the computer's network state, reports to the monitoring alarm center when it finds an illegal external connection, and automatically blocks the connection. The monitoring alarm center is installed on the organization's internal network. It is responsible for setting monitoring policies and distributing the monitoring agent software, and it processes information such as dial-up events fed back in real time by each monitoring agent. When a monitored host makes an external connection in violation of the security policy, it generates an alarm message in real time.
Monitoring measures consist mainly of detection and blocking. The basic principle of illegal external connection detection is to send probe messages to the Internet and check whether a response comes back from the Internet. A probe message can be a single ICMP, TCP, HTTP or UDP message, or a combination of these forms. Blocking is done mainly by disabling the device, removing the device, or forcibly shutting down the system. As technology develops, the ways of making illegal external connections have become varied and their mechanisms complex. A single technical means cannot meet monitoring requirements, and several technical measures must be combined for protection.
Although both architectures prevent intranet external connections to some extent, they still have defects. For the dual-machine architecture, if the organization's network environment is complex, with several network segments that are isolated from one another, several host detection agents are needed, which increases system complexity. For the C/S architecture, the anti-external-connection server sits inside the internal network and cannot detect illegal external connections made by a host that has disconnected from the intranet.
In summary, domestic and foreign products and techniques for illegal external connections mostly focus on one function and lack an integrated, systematic and standardized approach and technical scheme. They cannot give comprehensive and effective technical support to modern security work, and in practice they also show, to a greater or lesser degree, the following problems:
(1) There is no countermeasure against evading the illegal external connection alarm by means of virtual machine software;
(2) A personal firewall can block the probe packets, so the host escapes monitoring and violations go unreported;
(3) There is no unified alarm message format, so illegal external connections by intranet computers cannot be monitored centrally;
(4) They can only detect and cannot block;
(5) Detection works only while the host is online; once a host leaves the intranet, it escapes monitoring;
(6) The monitoring function is narrow and cannot cover all illegal external connection behaviors;
(7) The software's self-protection is weak, with poor resistance to being blocked and uninstalled.
In view of the problems of existing illegal external connection products analysed above and organizations' management requirements for illegal external connections, the present invention proposes a corresponding technical solution. It designs and implements a fairly complete system for preventing intranet external connections, which provides real-time monitoring, immediate blocking and auditing of illegal external connection behavior and safeguards the data of the internal network. The system has strong resistance to being blocked and uninstalled.
Summary of the invention
In view of the above problems, the present invention proposes and implements a real-time alarm and blocking method for illegal external connections. An efficient and reliable network card monitoring mechanism ensures real-time alarming on and blocking of illegal external connections by intranet computers. In addition, strong security mechanisms are used to make the program robust.
The technical solution adopted by the present invention is as follows:
A real-time alarm and blocking method for illegal external connections, comprising the steps of:
1) The intranet host client monitors in real time the networking behavior of the intranet computer across multiple external connection modes;
2) The intranet host client uses the libnet function library to actively send encrypted alarm data packets to the external-network alarm monitoring end, to detect whether the intranet computer has made an external connection, and an alarm is raised for illegal external connection behavior;
3) The intranet host client performs low-level packet capture on the alarmed intranet host, obtaining all packets that flow through each of the host's network cards, and judges illegal external connection behavior;
4) The host network card judged to be making an illegal external connection is blocked.
Optionally, the external connection modes are one or more of the following: dial-up Internet access over an ordinary telephone line, ISDN or ADSL, and wireless Internet access.
Further, alarm data packets in a unified XML format are sent to the external-network alarm monitoring end.
Further, the alarm data packet is encrypted.
Further, the intranet host client enumerates all network card information on its host through the libpcap function library interface and captures, at the link layer, the packets flowing through the network cards.
Further, illegal external connection behavior is judged as follows: if the source IP of a packet flowing through a network card is found to be an external-network address, the intranet host is judged to have made an external connection, and the intranet host client blocks communication on the network card connected to the external network.
Further, the monitoring includes concurrent monitoring of multiple network cards:
1) Connect to the server set up in the internal network on which legal network card information is registered, to determine whether the host is connected to the intranet;
2) Obtain the local intranet IP address that successfully connected to the intranet management server;
3) Query the client legal-IP database registered on the intranet management server, look up the network interface connection attribute information by the client's legal IP, identify any unauthorized network card connected to the intranet, and disable that network card;
4) Use the libpcap mechanism to monitor in real time the data received by all network cards on the client that have not been disabled, and disable any network card on which illegal external connection behavior occurs.
Further, the monitoring includes monitoring of the off-intranet mode:
1) The intranet host client software automatically connects to the intranet management server to verify whether it is connected to the intranet to which the intranet host belongs;
2) If the intranet host client cannot connect to the organization's internal server, either the client's network cable has been unplugged, or the client computer has left the intranet, the IP of its network card has been changed, and it has joined another, prohibited network;
3) When off the intranet, if the IP address has not changed and the network cable is plugged into the computer normally, this is an internal network communication failure and the client has not made an illegal external connection;
4) When off the intranet, if the client's network cable is unplugged, the client is judged to be in stand-alone use and no alarm handling is performed;
5) When off the intranet, if the IP address of the client's network card has been reset so that it leaves the intranet and it cannot communicate with the intranet management server or the backup server, it can be preliminarily judged that the client has joined another external network, including the Internet;
6) If the external connection probe succeeds, send an alarm message to the external-network alarm monitoring end and disable the externally connected network card; if the probe does not succeed, probe again.
Further, the external-network alarm monitoring end logs illegal external connections by intranet computers, recording the violating host's information and the violation.
Further, the intranet host client runs the application mounted as a background process;
The intranet host client hides the client process by modifying a kernel program;
The intranet host client uses a file protection mechanism that changes the attributes of the application's files on the intranet host.
Beneficial effects of the present invention:
The method is convenient to deploy, has the advantages of low cost, ease of use, and high stability and reliability, and has practical value. Specifically, its advantages are as follows:
1) For illegal external connection monitoring, the libpcap function library is used to capture at the link layer the packets flowing through a network card, and external connection behavior is determined by checking whether the source IP of those packets is an external-network IP. Compared with the common approach of intercepting packets at the application layer, packet loss is low and security is high. Several network cards can be monitored in parallel at the same time. Compared with the common approaches of monitoring only one network card or enumerating network cards through the ordinary socket interface, real-time performance is higher and monitoring performance is good;
2) Alarm data packets use a unified message format and are transmitted encrypted, which improves the security and transmission efficiency of the system and effectively avoids the risk of leaks caused by stolen alarm information;
3) The system uses several security mechanisms, including process hiding, file protection and process protection, which improve the security of the software itself and give it resistance to being blocked and uninstalled;
4) The system is simple to deploy and easy to use; it targets desktop operating systems and is compatible with various Linux versions.
Brief description of the drawings
Fig. 1 is a schematic diagram of the intranet host client workflow in an embodiment of the illegal external connection alarm and blocking method of the present invention.
Fig. 2 is a schematic diagram of the external-network alarm monitoring end workflow in an embodiment of the illegal external connection alarm and blocking method of the present invention.
Fig. 3 is a schematic diagram of the basic flow of illegal external connection detection in an embodiment of the illegal external connection alarm and blocking method of the present invention.
Fig. 4 is a schematic diagram of the dual-network-card mode discrimination method in an embodiment of the illegal external connection alarm and blocking method of the present invention.
Fig. 5 is a schematic diagram of the off-intranet mode discrimination method in an embodiment of the illegal external connection alarm and blocking method of the present invention.
Fig. 6 is a schematic diagram of the monitoring alarm information receiving server and the monitoring alarm message server on the alarm server monitoring end in an embodiment of the illegal external connection alarm and blocking method of the present invention.
Fig. 7 is a schematic diagram of an implementation under the Linux operating system in one example of the illegal external connection alarm and blocking method of the present invention.
Detailed description of the embodiments
The present invention is described in detail below through specific embodiments and the drawings.
The steps of the real-time alarm and blocking method for illegal external connections in an embodiment of the present invention are:
The intranet host client monitors the networking of the intranet computer in real time;
The intranet host client monitors in real time the intranet computer's networking by various means, such as dial-up access over an ordinary telephone line, ISDN (Integrated Services Digital Network) or ADSL, and wireless Internet access;
In an embodiment of the present invention, the intranet host client uses the libnet function library to actively send alarm data packets to the external-network alarm monitoring end, to detect whether an external connection has occurred. If the external-network alarm monitoring end receives the packet over the external network, the intranet host has made an illegal external connection, and the external-network alarm monitoring end raises an alarm immediately. Libnet provides functions for constructing, processing and sending low-level network packets, which makes assembling and sending packets safe and convenient.
In an embodiment of the present invention, the alarm packet sending module uses a unified alarm message format, so that illegal external connections by computers can be monitored centrally.
In an embodiment of the present invention, the alarm packet sending module encrypts the alarm message before sending it, to protect intranet data (information such as the intranet host name and the responsible person).
The intranet host client blocks illegal external connection behavior according to the corresponding policy, strictly blocking and controlling it.
In an embodiment of the present invention, the client detects the case where the intranet host uses two or more network cards connected to the internal and external networks respectively. It scans all network cards installed on the intranet host and monitors in real time the packets flowing through each one. Only the network card device connected to the external network is disabled; the network card device connected to the intranet is not affected, so normal intranet communication is preserved while the illegal external connection is effectively blocked.
In an embodiment of the present invention, for a stand-alone machine that has left the intranet, the alarm monitoring end is placed on the external network. The client sends alarm external connection data to the external-network alarm end and monitors the response on the stand-alone machine, using the libpcap function library to capture at the link layer the packets flowing through the network card, with low packet loss and good real-time performance. External connection behavior is determined by checking whether the source IP of a packet flowing through the network card is an external-network IP, which achieves effective blocking and real-time alarming of external connections in a stand-alone environment.
In an embodiment of the present invention, following the principles of functional independence and low coupling between modules, the client software implements network card monitoring, external connection alarming, real-time blocking and the alarm interface each in its own thread, and the threads communicate through signals.
In an embodiment of the present invention, the intranet management server raises alarms on and audits violating operations by clients; the intranet management server updates client software automatically; the intranet management server performs policy management for clients.
In an embodiment of the present invention, the external-network alarm end logs and audits illegal external connections by intranet computers, recording the violating host's information and the violation so that evidence is available later.
An embodiment of the present invention also includes a process protection mechanism throughout. The system client runs the application mounted as a background process, detached from the terminal, so that the software runs robustly and illegal external connection monitoring is not interrupted abnormally. The client hides the client process by modifying the system kernel program, so that the client program cannot be disabled at will. The client uses a file protection mechanism that changes the application's file attributes so that the files cannot be deleted at will. The process protection mechanism greatly improves the reliability of the system in which this method is implemented.
The present invention proposes and implements a blocking mechanism for illegal external connections by intranet computers. It is used to monitor and block intranet hosts that access the Internet in violation of policy, alert the administrator in real time, and keep alarm records. For intranet hosts running Linux, it provides real-time monitoring, alarming and immediate blocking of illegal Internet connections. A software implementation of the system is also given, providing an organization with a monitoring mechanism for illegal external connections by intranet computers that has higher security and reliability.
Fig. 7 shows an implementation under the Linux operating system in one example of the illegal external connection alarm and blocking method of the present invention. The following first describes the framework and functions of the system in three parts (the intranet host client, the intranet management server and the external-network alarm server monitoring end), then gives the specific implementation with reference to the method described above, and finally introduces the security mechanisms the system uses.
1. Architecture
Under the Linux operating system, this method monitors and blocks intranet hosts that access the Internet in violation of policy, alerts the administrator in real time, and keeps alarm records. By taking effective and reliable measures to block illegal external connection behavior, it provides real-time monitoring, protection and immediate blocking of illegal Internet connections by intranet hosts running Linux.
To provide these functions, the system consists of three parts: the alarm server monitoring end, the client, and the intranet management server.
Client software is installed on every host in the intranet. The client sends alarm data packets to the alarm server and promptly blocks any illegal external connection it detects;
An intranet management server is set up inside the intranet and connected to the intranet hosts over the intranet. It is responsible for generating monitoring policies, managing client software and auditing intranet host information;
An alarm server monitoring end is deployed on the Internet. It promptly sends alarm messages to the administrator and records the alarm log. The alarm server monitoring end is connected to the intranet host client over the Internet.
1.1 Intranet host client functions
Fig. 1 is a schematic diagram of the intranet host client workflow in an embodiment of the illegal external connection alarm and blocking method of the present invention. The client has two main functions: sending alarm data packets continuously at intervals, and blocking illegal external connections in real time. For sending alarm packets, so that illegal external connections by intranet computers can be monitored centrally, the alarm data packet uses a unified format: the external connection data is in XML and is assembled into a POST packet for sending. The destination address of the packet is the address of the alarm server monitoring end deployed on the Internet. The external connection data to be sent includes the intranet computer name, area code, organization name, department name, responsible person, network card information, MAC address, IP address, operating system, motherboard serial number, hard disk serial number, client software version number, the time this external connection occurred, a description of the external connection, and the vendor number. Because the external connection data contains some intranet host information, it is encrypted before sending to meet the intranet's confidentiality requirements.
For real-time blocking, the client software enumerates all network card information on its host through the libpcap function library interface, captures at the link layer the packets flowing through the network cards, and monitors the data on every network card in real time; several network cards can be monitored concurrently. If the source IP of a packet flowing through a network card is found to be an external-network address, the intranet host has made an external connection, and the client immediately blocks communication on the network card connected to the external network. The network card that connects the host to the intranet keeps working normally. To protect the client program from being damaged at will by Linux terminal commands, the program uses process protection techniques that prevent it from being illegally uninstalled, so that the client program keeps running effectively.
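The source-IP check described above can be sketched as follows. This is an added example, not code from the patent: it parses one captured Ethernet frame (the bytes and captured length a libpcap callback receives on an Ethernet link) and classifies the IPv4 source address against an intranet prefix list. The 10.0.0.0/8 prefix, the interface names, the function names and the sample frames are constructed assumptions; IPv6 is not handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict for one captured link-layer frame. */
enum verdict { V_IGNORE = 0, V_INTRANET = 1, V_EXTERNAL = 2 };

/* One intranet prefix, host byte order. The list is policy input (assumed). */
struct prefix { uint32_t net, mask; };

/* Constructed sample policy: the intranet is 10.0.0.0/8. */
static const struct prefix INTRANET[] = { { 0x0A000000u, 0xFF000000u } };
#define N_INTRANET (sizeof INTRANET / sizeof INTRANET[0])

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Sources that say nothing about an external peer: unspecified (DHCP),
 * loopback, link-local, multicast, broadcast. Added assumption: without
 * this filter a DHCP discover from 0.0.0.0 would count as "external". */
static int is_local_noise(uint32_t ip) {
    return ip == 0u || (ip >> 24) == 127u ||
           (ip & 0xFFFF0000u) == 0xA9FE0000u ||
           (ip >> 28) == 0xEu || ip == 0xFFFFFFFFu;
}

/* Classify one Ethernet frame by its IPv4 source address.
 * frame/len are the captured bytes and the captured length. */
enum verdict classify_frame(const uint8_t *frame, size_t len,
                            const struct prefix *intranet, size_t n) {
    size_t off = 14;                          /* dst MAC, src MAC, EtherType */
    if (len < off) return V_IGNORE;
    uint16_t type = rd16(frame + 12);
    while (type == 0x8100 || type == 0x88A8) {    /* skip 802.1Q/802.1ad tags */
        if (len < off + 4) return V_IGNORE;
        type = rd16(frame + off + 2);
        off += 4;
    }
    if (type != 0x0800) return V_IGNORE;      /* ARP, IPv6, ... not judged here */
    if (len < off + 20) return V_IGNORE;      /* truncated IPv4 header */
    if ((frame[off] >> 4) != 4) return V_IGNORE;
    size_t ihl = (size_t)(frame[off] & 0x0F) * 4;
    if (ihl < 20 || len < off + ihl) return V_IGNORE;

    uint32_t src = rd32(frame + off + 12);
    if (is_local_noise(src)) return V_IGNORE;
    for (size_t i = 0; i < n; i++)
        if ((src & intranet[i].mask) == intranet[i].net) return V_INTRANET;
    return V_EXTERNAL;
}

/* Per-NIC monitor state; one instance per captured interface. */
struct nic_state { const char *name; unsigned long external_frames; int blocked; };

/* Feed one frame. Returns 1 only for the frame that should trigger blocking
 * of this NIC (the first external-source frame seen on it). */
int nic_observe(struct nic_state *nic, const uint8_t *frame, size_t len) {
    if (classify_frame(frame, len, INTRANET, N_INTRANET) != V_EXTERNAL) return 0;
    nic->external_frames++;
    if (nic->blocked) return 0;
    nic->blocked = 1;
    return 1;
}

/* Build a constructed sample frame: zero MACs, minimal IPv4 header. */
size_t build_ipv4_frame(uint8_t *buf, uint32_t src, int vlan) {
    size_t off = vlan ? 18 : 14;
    memset(buf, 0, off + 20);
    if (vlan) { buf[12] = 0x81; buf[13] = 0x00; buf[15] = 0x0A; }
    buf[off - 2] = 0x08; buf[off - 1] = 0x00;     /* EtherType IPv4 */
    buf[off] = 0x45;                              /* version 4, IHL 5 */
    buf[off + 9] = 6;                             /* protocol TCP */
    for (int i = 0; i < 4; i++)
        buf[off + 12 + i] = (uint8_t)(src >> (24 - 8 * i));
    buf[off + 16] = 10; buf[off + 19] = 5;        /* dst 10.0.0.5 */
    return off + 20;
}

int main(void) {
    uint8_t f[64];
    struct nic_state eth0 = { "eth0", 0, 0 }, wlan0 = { "wlan0", 0, 0 };
    size_t n = build_ipv4_frame(f, 0x0A010203u, 0);      /* 10.1.2.3 */
    printf("%s block=%d\n", eth0.name, nic_observe(&eth0, f, n));
    n = build_ipv4_frame(f, 0xCB007109u, 1);             /* 203.0.113.9, VLAN */
    printf("%s block=%d\n", wlan0.name, nic_observe(&wlan0, f, n));
    return 0;
}
```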
1.2 Intranet management server
The intranet management server is deployed in the internal network and connected to the intranet hosts over the intranet. It is responsible for generating monitoring policies; as described in Table 1, different policies are used to monitor and block intranet hosts that go online in different ways. A database recording intranet host information is also installed on the intranet management server. It mainly records the name of the head of the host's department, the alarm message sending number, the intranet computer user, the department the computer equipment belongs to, computer hardware information, and so on.
1.3 Alarm server monitoring end
The alarm server monitoring end is installed on the Internet. Its main functions are receiving the alarm data packets sent by intranet host clients, raising alarms immediately, and recording illegal external connection information. Fig. 2 is a schematic diagram of the external-network alarm monitoring end workflow in an embodiment of the illegal external connection alarm and blocking method of the present invention. The client continuously sends alarm data packets whose destination address is the IP address of the monitoring end. If an external connection has occurred, the monitoring end receives the alarm packet sent by the client, parses the packet contents, and promptly alerts the relevant responsible person. To make later queries and statistics easier, alarm messages and the status of alarm message delivery are recorded in the log.
2. Specific implementation of the system
2.1 Intranet host client
To improve the program's concurrency and achieve effective monitoring and real-time blocking of illegal external connections, the anti-external-connection client program runs as two threads: a thread that sends alarm data packets and a thread that blocks intranet external connections.
2.1.1 Alarm packet sending thread: actively initiating connections to the external network
External connection detection uses ICMP probing together with HTTP probing, attempting to connect to a set of policy-configured addresses (such as well-known portal sites, government sites and the Internet alarm center). A successful connection means the intranet host client has made an external connection. The detection process is shown in Fig. 3, a schematic diagram of the basic flow of illegal external connection detection in an embodiment of the illegal external connection alarm and blocking method of the present invention. The client sends alarm data packets to the alarm server monitoring end; the external connection data sent mainly includes the computer name, organization, responsible person, network card information and IP address. The external connection information is written in XML. To protect intranet information, the external connection information must be encrypted. The system prefers an iterated cipher algorithm that allows variable block and key lengths. With good software design it needs little code, saves memory and computes quickly; it is a superior encryption algorithm.
The encrypted XML external connection information is then assembled into a POST packet and sent; the destination address is the IP address of the alarm server end on the Internet.
To avoid missed reports of illegal external connections by intranet clients when the alarm server fails, the system simultaneously sends external connection requests to some other external-network addresses, for example GET page requests to sites such as Baidu and Sina. Packet sending is designed as multi-threaded parallel probing, which reduces the miss rate for illegal external connection behavior.
2.1.2 Real-time blocking of external connections
The client's blocking function mainly uses libpcap, the packet capture library on Unix/Linux platforms, to capture the link-layer data received by the network card and judge whether the source IP address of a received packet is an external-network IP; if it is, the illegal external connection is blocked. At the same time, the GTK+ graphical toolkit is used to write out the client's external connection data and pop up an external connection alert box.
Because network adapters are diverse and operating systems are complex, and because different strengths of blocking are needed for detected illegal external connections, several blocking strategies can be combined flexibly. There are three main strategies:
i. Device removal
Some dial-up and peripheral devices are deleted directly on the intranet computer. This disables the illegal external connection device at the lowest level and reduces the risk of illegal external connection.
ii. Application protocol blocking
The client program sends an instruction to the network device to interrupt the network communication in progress.
iii. Forced system shutdown
Because shutting down directly or removing devices disrupts the user's normal work considerably, the system uses ioctl, the interface the Linux kernel provides between the application layer and the kernel, to send a control command to the device and disable the network card making the illegal external connection, achieving immediate blocking. Given the complexity of users' working systems, there may be cases where none of the above means can block a particular external connection. When the system has confirmed an illegal external connection and the above methods cannot stop it effectively, it forces the user's computer to shut down.
2.1.3 Multi-NIC mode determination mechanism
Figure 4 is a schematic of the dual-NIC mode determination method in one embodiment of the alarm and blocking method of the invention. In multi-NIC mode, an illegal external connection to the Internet takes the form of an intranet computer that is connected to the intranet normally while another NIC accesses the Internet at the same time.
The basic idea for monitoring multi-NIC illegal external connection is to set up a server on the organization's internal network and register in advance all NICs permitted for use on that network. The system traverses all NICs installed in the computer and obtains the attribute information of each. It identifies the legally authorized NIC connected to the intranet, finds the other NICs currently present in the computer, and deletes all unauthorized NICs, completing multi-NIC illegal external connection monitoring.
The flow of the multi-NIC mode determination mechanism is shown in Figure 4. To judge whether the intranet is connected, the client first connects to the server set up on the internal network on which legal NIC information is registered, and checks whether the connection succeeds. A failure or maintenance shutdown of the intranet management server could otherwise cause users' network connections to be blocked and the intranet to be paralysed; to reduce this problem, the design provides a second intranet management server as a backup server for judging whether the intranet is connected.
If the client connects successfully to the intranet management server, the client software can communicate with the Linux kernel to obtain the local IP address connected to the intranet, rather than requiring the intranet connection to go through a designated NIC. This way, when a NIC fails, the user can easily replace it or add another NIC for intranet communication without affecting use.
After obtaining the local IP address connected to the intranet, the client queries the legal client IP database and the NIC attribute database registered on the intranet management server, determines any unauthorized NIC connected to the intranet, and disables that NIC.
At the same time, the libpcap mechanism is used to monitor in real time the data received on all NICs on the client that have not been disabled, and any NIC on which illegal external connection behaviour occurs is disabled.
2.1.4 Off-intranet mode determination mechanism
Figure 5 is a schematic of the off-intranet mode determination method in one embodiment of the alarm and blocking method of the invention. In off-intranet mode, illegal external connection to the Internet means that a computer on the organization's internal network leaves the intranet and accesses the Internet by setting its NIC's IP address to an external network segment.
Monitoring for off-intranet illegal external connection can first judge whether the intranet computer has left the organization's intranet; then, if the computer has left the internal network, judge whether its NIC IP has been reset and whether an illegal external connection has been made.
The flow of the off-intranet mode determination mechanism is shown in Figure 5. The basic idea is that, when the intranet computer is running off the intranet, the system first determines whether the client terminal is running stand-alone or is connected to another network, and applies different policies to the different situations to decide whether to block the network connection. If the terminal is connected to any other network, including the Internet, the system disables all network connections; if the terminal has merely left the organization's internal network to run stand-alone, with no networking record, the terminal computer is unaffected when it reconnects to the original internal network.
The client software automatically tries to connect to the intranet management server to verify whether it is connected to the intranet the computer belongs to. If the client cannot establish a connection with the organization's internal server, there are two possible situations: the client's network cable has been unplugged and the machine is being used stand-alone; or the client computer has left the intranet, its NIC's IP has been changed, and it has been connected to another, forbidden network. Different situations have different policies.
When off the intranet, if the IP address has not changed and the network cable is properly connected to the computer, the failure to connect to the intranet management server can be attributed to an internal network communication fault. The client has not made an illegal external connection; the internal network fault can be investigated, and no alarm or blocking is needed for the client.
When off the intranet, if the client has merely unplugged the network cable, the client can be judged to be in stand-alone use, isolated from network communication, so illegal external connection cannot occur and no alarm handling is needed. If the client can connect to the intranet management server after the cable is plugged in, intranet communication proceeds normally.
When off the intranet, if the client NIC's IP address has been reset so that it leaves the intranet and cannot communicate with the intranet management server or the backup server, it can be preliminarily judged that the client has connected to another network, including the Internet. External-connection detection is attempted at this point. If the detection succeeds, an alarm message is sent to the Internet alarm monitoring center and the NIC is disabled to block the network connection. If the detection does not succeed, a prompt is displayed warning of unauthorized access to another network, and the NIC is disabled to block network communication. All illegal external connection behaviour is logged locally in real time and sent to the intranet management server when the client reconnects to the intranet.
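The off-intranet cases above, written out as an added C example that is not code from the patent: one function maps the client's observations to the action the text prescribes, and a small local queue holds violation records until the management server is reachable again. The type, field and function names are assumptions made for illustration, and the observations in main are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Actions the text prescribes for each case (names are illustrative). */
enum action {
    ACT_NONE,               /* on the intranet, or stand-alone with cable unplugged */
    ACT_CHECK_INTRANET,     /* intranet fault: investigate, no alarm, no blocking */
    ACT_ALARM_AND_DISABLE,  /* probe succeeded: alarm to Internet center, disable NIC */
    ACT_PROMPT_AND_DISABLE  /* probe failed: local violation prompt, disable NIC */
};

/* What the client observed in one check cycle (assumed inputs). */
struct observation {
    int mgmt_reachable;  /* primary or backup intranet management server answered */
    int link_up;         /* network cable is plugged in */
    int ip_changed;      /* NIC IP differs from the registered intranet IP */
    int probe_ok;        /* ICMP/HTTP external probe answered; only consulted
                            when the IP has been reset */
};

#define LOG_MAX 32
struct client {
    enum action pending[LOG_MAX]; /* violations logged locally while off the intranet */
    size_t npending;
    size_t dropped;               /* records lost because the local queue was full */
    size_t uploaded;              /* records delivered to the management server */
};

void client_init(struct client *c)
{
    c->npending = 0;
    c->dropped = 0;
    c->uploaded = 0;
}

/* Order matters: reachability first, then cable state, then IP change. */
enum action decide(const struct observation *o)
{
    if (o->mgmt_reachable) return ACT_NONE;            /* still on the intranet */
    if (!o->link_up)       return ACT_NONE;            /* stand-alone use */
    if (!o->ip_changed)    return ACT_CHECK_INTRANET;  /* internal network fault */
    return o->probe_ok ? ACT_ALARM_AND_DISABLE : ACT_PROMPT_AND_DISABLE;
}

/* One check cycle: decide, log violations locally, flush the log on reconnect. */
enum action client_step(struct client *c, const struct observation *o)
{
    enum action a = decide(o);
    if (a == ACT_ALARM_AND_DISABLE || a == ACT_PROMPT_AND_DISABLE) {
        if (c->npending < LOG_MAX)
            c->pending[c->npending++] = a;
        else
            c->dropped++;
    }
    if (o->mgmt_reachable && c->npending > 0) {
        c->uploaded += c->npending;   /* stand-in for sending records to the server */
        c->npending = 0;
    }
    return a;
}

int main(void)
{
    /* Constructed timeline: unplugged, intranet fault, moved to another
     * network with Internet, moved without Internet, back on the intranet. */
    static const struct observation timeline[] = {
        { 0, 0, 0, 0 }, { 0, 1, 0, 0 }, { 0, 1, 1, 1 }, { 0, 1, 1, 0 }, { 1, 1, 0, 0 }
    };
    static const char *name[] = { "none", "check-intranet",
                                  "alarm+disable", "prompt+disable" };
    struct client c;
    client_init(&c);
    for (size_t i = 0; i < sizeof timeline / sizeof timeline[0]; i++) {
        enum action a = client_step(&c, &timeline[i]);
        printf("step %zu: %-15s pending=%zu uploaded=%zu\n",
               i, name[a], c.npending, c.uploaded);
    }
    return 0;
}
```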
2.2 Intranet management server
The intranet management server is responsible for generating monitoring policies, applying different policies to monitor and block intranet hosts that go online in different ways.
2.2.1 Policy configuration
The intranet management server is responsible for generating configuration policies. Illegal external connection monitoring provides fairly flexible policy configuration, which eases the management and supervision of intranet computers. Besides providing a peripheral device management interface, it adopts different policy configurations according to whether an intranet computer is permitted to go online, so as to monitor illegal external connections in a more targeted way and reduce monitoring difficulty and complexity. Different monitoring policies are adopted for different illegal external connection modes. The handling is shown in Table 1:
Table 1 Illegal external connection monitoring policies
Figure BDA00003512419800101
2.2.2 Intranet host information audit
The intranet management server uses a timer to scan intranet hosts periodically, extracting host information and making audit records. The details of an intranet host mainly include the host name, host department, host end user, IP address, and MAC information. This information is recorded in a database, and host information is maintained according to the information obtained by scanning.
2.3 Alarm server monitoring end
Figure 6 is a schematic of the monitoring alarm information receiving server and the monitoring alarm information processing server on the alarm server monitoring end in one embodiment of the alarm and blocking method of the invention. The alarm server monitoring end consists of the Internet monitoring alarm information receiving and processing software CD, the Internet monitoring alarm processing software identity key, an optical one-way transmission device, and so on.
The functions the alarm server monitoring end must implement include: receiving the alarm messages sent by user terminals with illegal external connections; audit analysis and event management; and separation of the monitoring alarm information receiving server from the monitoring alarm information processing server, which should be connected by an optical one-way transmission device.
2.3.1 Intranet host information management
The Internet monitoring alarm information receiving server listens for and receives external-connection alarm packets from clients, parses each packet, and extracts the host information it carries (intranet host name, host IP, host MAC, host responsible person, and so on). It stores the alarm information in the defined database and performs add, delete, query, and modify operations on intranet host external-connection information in real time; meanwhile, the alarm message sending module waits to scan the data in the table.
2.3.2 Receiving alarm data packets and sending alarm messages
The Internet monitoring alarm information receiving server uses a timer to scan the external-connection record table periodically for external-connection information that needs processing. If the external-connection information has been updated, it sends an alarm message to the head of the relevant department according to the content of that information.
3. Security mechanisms of the system
A system prototype has been implemented on the Linux operating system according to the message format and transmission mechanism defined above. The sending-end software and hardware system runs on an embedded Linux operating system; the receiving end runs on desktop computers with Linux systems. This embodiment focuses on the software implementation of the system.
3.1 Process hiding
To hide the illegal external connection client process and protect it from being easily disabled, the system uses a method that hides the process ID of the illegal external connection process.
In Linux, much internal kernel information can be accessed through the /proc file system. The ps and top commands read process information from /proc and display it. Therefore, if a process's PID is not reflected in /proc, the process is "hidden": it does not appear in the output of ps or top.
Specific solution:
The function proc_pid_readdir under the Linux file system directory /fs/proc is modified. From reading the Linux kernel code, a check of whether the process is the illegal external connection process (judged by executable file name) needs to be added before if (filldir(dirent, buf+j, PROC_NUMBUF-j, filp->f_pos, ino, DT_DIR) < 0). The check first obtains the process's task_struct structure, which contains the process's executable file name, and compares that name with the illegal external connection executable file name. If they differ, the <pid> directory is added to /proc through the filldir() function; if they are the same, nothing is done.
3.2 File protection mechanism
The application files of the illegal external connection system are set to superuser operation privilege and run in the background. Ordinary users cannot modify or delete files that have superuser privilege. To prevent the superuser from deleting the system software by mistake, certain protective measures are applied to the application files.
First, the attributes of directories and files under Linux are analysed. General attributes mainly include the node of the file or directory, its type, permission mode, link count, owning user and user group, and the time of last access or modification. The security-related attributes (such as synchronization and permission management) can be controlled through the command interface that Linux provides.
By changing the security attributes of files or directories stored on file systems such as ext2, ext3, ext4, xfs, ubifs, reiserfs, and jfs, a directory or file can be made impossible to delete or rename, and impossible to write to or add content to by any means, which greatly improves file security.
3.3 Process protection mechanism design
The illegal external connection system runs in a Linux/Unix environment. To prevent the process from being interrupted by terminal signals during execution, the client process is set up as a daemon, so that the system program runs in the background with a long life cycle, is not shown on the controlling terminal, and is not controlled by terminal commands.
When the terminal is closed, the client program keeps running. This ensures reliable operation of the system and prevents users from maliciously deleting or changing the client program and so affecting the system's monitoring capability.
In addition, the system program can detect in real time when the client program is illegally uninstalled and restart the client software, ensuring that the client software runs effectively.
Although specific embodiments and drawings of the invention are disclosed for the purpose of illustration, to help in understanding and implementing the invention, those skilled in the art will appreciate that various substitutions, changes and modifications are possible without departing from the spirit and scope of the invention and the appended claims. The invention should not be limited to what is disclosed in the preferred embodiments and drawings of this specification; the scope of protection claimed is defined by the claims.

Claims (10)

1. A real-time alarm and blocking method for illegal external connections, comprising the steps of:
1) an intranet host client monitors the networking behaviour of intranet computers in real time according to multiple external connection modes;
2) the intranet host client uses the libnet function library to actively send an encrypted alarm data packet to an external network alarm monitoring end, detects whether the intranet computer has external connection behaviour, and raises an alarm for illegal external connection behaviour;
3) the intranet host client performs low-level packet capture on the alarmed intranet host, obtains all data packets flowing through each NIC of the host, and judges illegal external connection behaviour;
4) blocking is applied to the host NIC judged to have illegal external connection behaviour.
2. The real-time alarm and blocking method for illegal external connections as claimed in claim 1, characterized in that the multiple external connection modes are one or more of the following: dial-up Internet access and wireless Internet access via an ordinary telephone line, ISDN (Integrated Services Digital Network), or ADSL.
3. The real-time alarm and blocking method for illegal external connections as claimed in claim 1, characterized in that an encrypted alarm data packet in a unified XML format is sent to the external network alarm monitoring end.
4. The real-time alarm and blocking method for illegal external connections as claimed in claim 1 or 3, characterized in that data encryption is applied to the alarm data packet.
5. The real-time alarm and blocking method for illegal external connections as claimed in claim 1, characterized in that the intranet host client traverses all NIC information on its host through the libpcap function library interface and intercepts, at the link layer, the data packets flowing through the NICs.
6. The real-time alarm and blocking method for illegal external connections as claimed in claim 1, characterized in that illegal external connection behaviour is judged as follows: if the source IP of a data packet flowing through a NIC is found to be an external network address, the intranet host is judged to have made an external connection, and the intranet host client blocks the communication of the NIC connected to the external network.
7. The real-time alarm and blocking method for illegal external connections as claimed in claim 1, characterized in that the monitoring comprises concurrent multi-NIC monitoring:
1) connecting to the server, set up on the internal network, on which legal NIC information is registered, and judging whether the intranet is connected;
2) obtaining the local IP address of the intranet that has successfully connected to the intranet management server;
3) querying the legal client IP database registered on the intranet management server, querying NIC connection attribute information by the legal client IP, determining any unauthorized NIC connected to the intranet, and disabling that NIC;
4) using the libpcap mechanism to monitor in real time the data received on all NICs on the client that have not been disabled, and disabling any NIC on which illegal external connection behaviour occurs.
8. The real-time alarm and blocking method for illegal external connections as claimed in claim 1, characterized in that the monitoring comprises off-intranet mode monitoring:
1) the intranet host client software automatically connects to the intranet management server and verifies whether it is connected to the intranet the intranet host belongs to;
2) if the intranet host client cannot establish a connection with the organization's internal server, either the client's network cable has been unplugged, or the client computer has left the intranet, the IP of its NIC has been changed, and it has been connected to another forbidden network;
3) when off the intranet, if the IP address has not changed and the network cable is properly connected to the computer, there is an internal network communication fault and the client has not made an illegal external connection;
4) when off the intranet, if the client's network cable has been unplugged, the client is judged to be in stand-alone use and no alarm handling is performed;
5) when off the intranet, if the client NIC's IP address has been reset to leave the intranet and the client cannot communicate with the intranet management server or the backup server, it can be preliminarily judged that the client has connected to another external network, including the Internet;
6) if external-connection detection succeeds, an alarm message is sent to the external network alarm monitoring end and the externally connected NIC is disabled; if external-connection detection does not succeed, external-connection detection is performed again.
9. The real-time alarm and blocking method for illegal external connections as claimed in claim 1, wherein the external network alarm monitoring end logs the illegal external connection behaviour of intranet computers, recording the violating host's information and the violation.
10. The real-time alarm and blocking method for illegal external connections as claimed in any one of claims 1 to 9, characterized in that:
the intranet host client installs the application program to run as a background process;
the intranet host client hides the client process by modifying the kernel program;
the intranet host client uses a file protection mechanism that changes the attributes of the application files on the intranet host.
CN201310295825.6A 2013-07-15 2013-07-15 Alarm and blocking method for illegal external connections Active CN103391216B (en)
CN201310295825.6A 2013-07-15 2013-07-15 A kind of illegal external connection is reported to the police and blocking-up method Active CN103391216B (en)

Publications (2)

Publication Number Publication Date
CN103391216A true CN103391216A (en) 2013-11-13
CN103391216B CN103391216B (en) 2016-08-10

Family

ID=49535379

Country Status (1)

Country Link
CN (1) CN103391216B (en)

CN114900340A (en) * 2022-04-24 2022-08-12 金祺创(北京)技术有限公司 Illegal external connection detection method and device based on internal and external network interactive verification
CN115834205A (en) * 2022-11-23 2023-03-21 贵州电网有限责任公司 Monitoring system illegal external connection alarm system
CN115987675B (en) * 2022-12-30 2024-03-19 北京明朝万达科技股份有限公司 Illegal external connection detection method and device, mobile terminal and storage medium
CN115987675A (en) * 2022-12-30 2023-04-18 北京明朝万达科技股份有限公司 Illegal external connection detection method and device, mobile terminal and storage medium
CN116915503A (en) * 2023-09-08 2023-10-20 成都卓拙科技有限公司 Illegal external connection detection method and device, storage medium and electronic equipment
CN116915503B (en) * 2023-09-08 2023-11-14 成都卓拙科技有限公司 Illegal external connection detection method and device, storage medium and electronic equipment
CN117319088A (en) * 2023-11-28 2023-12-29 北京天防安全科技有限公司 Method, device, equipment and medium for blocking illegal external connection equipment
CN117319088B (en) * 2023-11-28 2024-02-23 北京天防安全科技有限公司 Method, device, equipment and medium for blocking illegal external connection equipment

Also Published As

Publication number Publication date
CN103391216B (en) 2016-08-10

Similar Documents

Publication Publication Date Title
CN103391216B (en) Alarm and blocking method for illegal external connections
CN109729180B (en) Whole system intelligent community platform
CN101520831B (en) Safe terminal system and terminal safety method
CN106411562B (en) Electric power information network safety linkage defense method and system
CN103294950B (en) A kind of high-power secret information stealing malicious code detecting method based on backward tracing and system
CN101610264B (en) Firewall system, safety service platform and firewall system management method
US20020078382A1 (en) Scalable system for monitoring network system and components and methodology therefore
CN101355459B (en) Method for monitoring network based on credible protocol
KR20180120157A (en) Data set extraction based pattern matching
CN113660224B (en) Situation awareness defense method, device and system based on network vulnerability scanning
CN105391687A (en) System and method for supplying information security operation service to medium-sized and small enterprises
KR100788256B1 (en) System for monitoring web server fablication using network and method thereof
CN103413083A (en) Security defending system for single host
CN107276983A (en) A kind of the traffic security control method and system synchronous with cloud based on DPI
CN111314381A (en) Safety isolation gateway
CN103309937A (en) Method of supervising content of cloud platform
CN109587122A (en) Realize that self ensures the system and method for Web subsystem safety based on WAF system function
CN113645213A (en) Multi-terminal network management monitoring system based on VPN technology
CN112837194A (en) Intelligent system
CN102752289A (en) Master station for power utilization information collecting system
CN103634293A (en) Secure data transmission method based dual hardware and secure data transmission system based dual hardware
CN113660222A (en) Situation awareness defense method and system based on mandatory access control
CN116894259A (en) Safety access control system of database
KR20130033161A (en) Intrusion detection system for cloud computing service
KR101237376B1 (en) Integrated security control System and Method for Smartphones

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant