CN103749001B - The self-protection GU Generic Unit of Inner Network Security Monitor System - Google Patents


Info

Publication number
CN103749001B
Authority
CN
China
Legal status
Active
Application number
CN201010048678.9A
Other languages
Chinese (zh)
Inventor
胡昌振
白昊
闫怀志
Current Assignee
Beijing Institute of Technology BIT
Original Assignee
Beijing Institute of Technology BIT

Abstract

The invention provides a self-protection generic unit for an internal network security monitoring system, comprising an analysis module, a discrimination module, a processing module, a honeypot module and a policy library module. In its hardware deployment the generic unit is separated from both the internal network system and the internal network security monitoring system. The analysis module first filters, out of the attack events it receives, those aimed at the monitoring system itself and outputs them to the discrimination module and the processing module. The discrimination module divides the attacks it receives into levels and marks them, so that each level maps to a corresponding authority, and sends them to the users who hold that authority. The processing module takes protective measures for the monitoring system according to the type of attack; when the processing module cannot provide effective protection, it closes all other external connections of the monitoring system and at the same time starts the honeypot module, which traps the attack, collects evidence, and sends the result to the policy library module to update the attack knowledge base.

Description

The self-protection GU Generic Unit of Inner Network Security Monitor System
Technical field
The present invention relates to a self-protection generic unit for a security monitoring system, in particular to a self-protection generic unit for an internal network security monitoring system, and belongs to the field of computer network security.
Background technology
The complexity and variability of the network environment, together with the fragility of information systems, make network security threats an objective reality. Network security problems have grown more prominent as informatization has developed and have become a challenge facing humanity in the information age; if they are not addressed well they will hold back informatization. The facts show that, with the development of computer technology and the Internet, network crime is also becoming increasingly rampant.
According to an investigation by the U.S. FBI, the United States loses more than 17,000,000,000 dollars every year to network security problems. 75% of the financial losses reported by companies are caused by computer security problems; more than 50% of security threats come from inside; only 17% of companies are willing to report hacker attacks; and 59% of losses can be estimated quantitatively. Network security crime also appeared in China in 1998. According to public information from the Ministry of Public Security, China solved nearly a hundred hacking cases in 1998, crime that makes use of networks grows at a rate of 30% per year, and by conservative estimates the intrusion incidents that come to light are at most 15% of the real number; the great majority are covered up by the affected departments, and some departments and companies remain unaware of them to this day. Media reports state that 95% of China's websites and administrative centers have been attacked by hackers, with banks, finance and securities institutions the focus of attacks.
It can be seen that network security bears on major issues of China's economic development, social development and national security. In recent years, with developments in the international political situation and the acceleration of economic globalization, people have become increasingly aware that the network security problems of the information age concern not only national economic security and financial security but also national defense, political and cultural security. It can be said that in an information society, without the guarantee of network security a country has no security barrier. The network security monitoring systems that ensure the normal operation of various information systems have therefore gradually become a focus of security research in recent years.
An internal network security monitoring system generally refers to an information system that provides security guarantees for an internal network. There are many kinds, using a wide variety of technologies; common ones are anti-virus, firewall, intrusion detection and isolation gateway systems. They provide users with the protection functions they need and give technical support to users' security management.
However, internal network security monitoring systems often have inherent security vulnerabilities, and for hackers and attackers a security monitoring system is the first or principal target of attack. Such systems are usually made up of several connected elements; if these nodes are weak in self-protection they are easily attacked and destroyed, producing a single-point failure that causes the whole monitoring system to fail and collapse. The effectiveness of a security monitoring system therefore depends on its own protective capability. Hackers have already built special-purpose attack tools aimed at some well-known security monitoring systems; they attack these systems first to disable them, and some even use them as a springboard for further attacks.
The security threats commonly faced by a network security monitoring system are listed in Table 1:
Table 1 Security threats to a security monitoring system
Attack target      | Attack means                                                                                  | Attack result
Input element      | process attacks, file deletion, TCP attacks, denial of service, buffer overflow, identity forgery | input node fails
Processing element | process attacks, file deletion, data overflow, TCP attacks, denial of service, buffer overflow   | processing node fails
Storage element    | process attacks, file deletion, storage overflow                                              | storage node destroyed
Clearly, for an internal network security monitoring system, intrinsic security is a key property. If a security monitoring system lacks a sound self-protection system as its security guarantee, then however powerful its functions, it cannot bring them to bear.
An internal network security monitoring system is a security system that protects the normal operation of services on an internal network and can provide the internal network with comprehensive security guarantees. Such systems come in many types and apply different security technologies; their own security and availability are the prerequisite for the normal operation of the internal network and its services. In a real attack-and-defense environment, an attacker who intends to intrude into an internal network from outside will first try to attack the internal network security monitoring system, so the services and functions of the monitoring system itself are often the first target an attacker sets out to destroy. The self-protection of an internal network security monitoring system is thus the basic guarantee that the whole system can perform its function.
The self-protection of an internal network security monitoring system varies greatly with the system's functions, environment and deployment, so the specific self-protection requirements of each class of monitoring system, and of each individual system, have had to be considered separately. This leads to repeated design and implementation, wastes much time and effort, and lacks generality.
Designing and implementing a self-protection generic unit for internal network security monitoring systems helps in analyzing how different network security monitoring systems should build a comprehensive and secure protection structure, and solves the problem of their generality in a particular environment. The generic unit integrates several security protection technologies and is provided to the monitoring system as an entity that is independent in deployment and function, so that various internal network security monitoring systems can autonomously select the corresponding policies and functions according to the threats and vulnerabilities they face, and thereby achieve self-protection.
Many manufacturers and research units at home and abroad have done some technical research and implementation work on the self-protection of internal network security monitoring systems.
Cisco Systems Inc. has proposed the "Self-Defending Network" plan, which builds the concept of intrinsic security into each network system, such as routers, switches, firewalls, virtual private networks and intrusion detection, so that the whole network has the property of intrinsic security. South-Central University for Nationalities has proposed applying artificial immunity to security systems to give them self-regulating and adaptive capability. The OneCare system released by Microsoft is security protection software customized for the Windows operating system; its self-protection adopts authentication, a personal firewall and communication encryption.
At present, self-defense technology for security monitoring systems is still not mature. Most manufacturers and researchers adopt various mutually isolated protection technologies, such as authentication, communication encryption and firewalls, with no association between them; self-protection technology itself lacks a modular design approach; and the various protection technologies have no support at the policy level and lack intelligence.
A minority of relatively mature methods analyze the vulnerabilities of the security monitoring system, look for its potential security risks, and then take corresponding countermeasures. Although these measures integrate well with the monitoring system, they are not independent: should some node of the monitoring system fail to resist an attack, the whole monitoring system fails, and with it the self-protection unit. Moreover, because of the complexity of security monitoring systems, multi-level security protection is needed, whereas existing self-protection technology provides only a single layer of protection and lacks a layered design and deployment.
Summary of the invention
To solve the above problems, the object of the invention is to design and implement a self-protection generic unit for an internal network security monitoring system that protects the monitoring system and ensures that, when the monitoring system is attacked, it avoids damage and can still provide its functions and services normally.
The self-protection generic unit of the internal network security monitoring system of the present invention comprises an analysis module, a discrimination module, a processing module, a honeypot module and a policy library module;
The analysis module, the processing module and the honeypot module are each connected to the internal network security monitoring system and to the policy library module; the discrimination module is connected to the policy library module and the analysis module; the processing module is also connected to the analysis module and the honeypot module. Wherein:
(1) analysis module: analyzes the attack event stream obtained from the internal network security monitoring system, filters out of it, according to the analysis policy, the attacks aimed at the monitoring system itself, and outputs them to the discrimination module and the processing module;
(2) discrimination module: divides the attacks against the monitoring system that the analysis module has filtered out into levels according to attack type and degree of harm, then marks the attacks of each level so as to distinguish the authority that corresponds to each level, and sends them to the users of the corresponding levels, so that each user learns of the attacks that match his own authority;
(3) processing module: responds to and processes the attacks screened by the analysis module, then takes corresponding protective measures for the monitoring system according to the processing policy. If the processing policy adopted cannot eliminate the attack, it interrupts all other external links of the monitoring system and at the same time starts the honeypot module;
(4) honeypot module: when the processing policy of the processing module has failed, simulates the normal services of the internal network security monitoring system and actively accepts the attack, traps it and collects evidence, while recording the attacks received and sending them to the policy library module to update the attack knowledge base;
(5) policy library module: contains an attack knowledge base describing various known attacks, including the attributes of each attack; the policy library module also receives attacks from the honeypot module and uses them to update the attack knowledge base. It further contains the analysis policy library, the discrimination policy library and the processing policy library, which supply the corresponding policies and information to the analysis module, the discrimination module and the processing module.
In its hardware deployment, the self-protection generic unit of the present invention is independent of the internal network security monitoring system it protects. The analysis module is deployed on the switch that connects the hosts of the monitoring system; the discrimination module, the processing module and the policy library module are deployed on an independent router that is connected only to the switch hosting the analysis module; the honeypot module is deployed on an independent host that is likewise connected only to that switch.
The interface design of the self-protection generic unit of the present invention is as follows:
(1) external interfaces
The generic unit has three external interfaces: one through which the internal network security monitoring system sends attack events to the generic unit, one through which the generic unit sends processing commands to the monitoring system, and one through which the monitoring system forwards attack requests to the honeypot module of the generic unit. These three interfaces can be implemented as three one-way channels.
(2) internal interfaces
The internal interfaces are chiefly the interfaces between modules. They follow general network communication protocol conventions, and inter-module communication uses sockets. The message structure is: header + body. The header carries, among other things, the feature (type) of the body, the encryption mode of the body, the body length and the body checksum. The body is the actual data content and normally consists of several structure packets that share the same data structure.
The inter-module communication protection mechanism of the self-protection generic unit of the present invention is as follows:
(1) communication encryption
Communication data between the modules of the generic unit is protected with a symmetric encryption algorithm.
(2) connection authentication
Connection authentication between the modules of the generic unit uses the authentication of a general network communication connection, that is, authentication of each module's socket connection.
(3) connection anomaly detection
Connection anomalies between modules are detected by sending fault diagnosis packets. If a module finds that one of its established connections has carried no data for a certain period, it immediately sends a fault diagnosis packet to the peer module on that connection. If a normal response is received, the connection is healthy and communication continues; if the send fails, the connection has been broken and the module releases its resources at once; if the send succeeds but no reply packet arrives, the peer module's program has gone wrong, and the module that sent the diagnosis packet closes the connection and releases its resources at once.
The workflow of the self-protection generic unit of the internal network security monitoring system consists of the following five parts:
(1) start-up process
The generic unit starts each module. After starting, the modules attempt to connect to one another; when connecting, inter-module authentication is performed first, successful authentication means the connection is established, and thereafter the modules communicate according to the agreed interfaces. After the analysis module starts, it listens on the port that connects it to all the security monitoring hosts of the monitoring system and waits for their connection requests; when it receives a connection request and authentication succeeds, it establishes and keeps the connection with that host;
(2) analysis process
The analysis module keeps listening to each security monitoring host of the monitoring system and receives the attack event streams they send. It fetches the analysis policy from the policy library module, screens the attack event stream according to that policy, and sends the attacks in the stream that are aimed at the monitoring system to the discrimination module and the processing module for parallel processing;
(3) discrimination process
The discrimination module receives the attacks sent by the analysis module, fetches the discrimination policy from the policy library module, divides the attacks into levels according to attack type and degree of harm as that policy directs, marks the attacks of each level, and sends them to the users at each level who hold the corresponding authority;
(4) processing process
In parallel with step (3), the processing module receives the attacks sent by the analysis module, fetches the processing policy from the policy library module, and starts its submodules according to that policy; the submodules take the corresponding protective measures for the monitoring system. When the processing module cannot protect the monitoring system effectively, step (5) is executed; otherwise steps (2) to (4) continue;
(5) trapping process
The service interruption submodule of the processing module is started to close all other external connections of the monitoring system, and the honeypot module is started at the same time to trap the attack, collect evidence, and send the result to the policy library module to update the attack knowledge base.
Compared with the prior art, the beneficial effect of the invention is that it proposes a completely independent self-protection generic unit that ensures the security and normal operation of an internal network security monitoring system. The generic unit is entirely independent of the monitoring system in its hardware deployment, so it keeps running normally even when the monitoring system is under attack. It is designed and implemented in a modular way, with the modules cooperating to realize the protection function; each module responds and processes according to its own policy, which guarantees generality and timely upgrading of function. The generic unit also has an emergency interruption function: when an attack on the monitoring system cannot be defended against effectively, it forcibly cuts the monitoring system's external connections and at the same time uses the honeypot module to trap and record new, unknown attack events, so that while protecting the monitoring system it also updates the attack knowledge base.
Description of the drawings
Fig. 1 is a structural diagram of the self-protection generic unit of the internal network security monitoring system of the invention;
Fig. 2 is a schematic diagram of the hardware deployment of the self-protection generic unit of the internal network security monitoring system of the invention;
Fig. 3 is the workflow diagram of the analysis module;
Fig. 4 is the initialization flowchart of the analysis module;
Fig. 5 is the preprocessing flowchart of the analysis module;
Fig. 6 is the rule-matching flowchart of the analysis module;
Fig. 7 is a structural diagram of the discrimination module;
Fig. 8 is a structural diagram of the processing module.
Detailed description
The technical solution of the invention is further explained below with reference to the drawings and embodiments.
Designing and implementing a self-protection generic unit for internal network security monitoring systems makes it possible to analyze how different monitoring systems should build a comprehensive and secure protection structure, and to solve the generality of the generic unit. The generic unit integrates several security protection technologies and is provided to the monitoring system as an entity that is independent in deployment and function, so that various internal network security monitoring systems can autonomously select the corresponding policies and functions according to the threats they face and their own vulnerabilities, and thus achieve customized self-protection.
The self-protection generic unit of the invention is a system independent of both the internal network system and the internal network security monitoring system. Its function is to monitor and protect the security of the monitoring system itself. It is deployed on a switch, a router and a host that are independent of the monitoring system, so that in hardware it is separated from both the internal network system and the monitoring system, which guarantees its own security.
Because the generic unit is to be applied to many different internal network security monitoring systems, it must separate mechanism from policy: monitoring systems of different environments and types are served by the same mechanism with different policies, which is what makes the unit generic.
In accordance with this aim, the invention provides a self-protection generic unit for an internal network security monitoring system comprising an analysis module, a discrimination module, a processing module, a honeypot module and a policy library module, see Fig. 1.
The interaction between the modules is as follows:
First, the analysis module analyzes the attack events received by the internal network security monitoring system, fetches the analysis policy, filters out the attacks aimed at the monitoring system itself, and outputs them to the discrimination module and the processing module. The discrimination module and the processing module then work in parallel. The discrimination module fetches the discrimination policy and, according to attack type and degree of harm, divides the attacks filtered out by the analysis module into levels, marks the attacks of each level so as to distinguish the authority each level corresponds to, and sends them to the users entitled to know about that level. The processing module responds according to the type of attack and takes the corresponding protective measures for the monitoring system; if the processing policy adopted cannot eliminate the attack, it sends the monitoring system an instruction to interrupt all its other external connections and at the same time starts the connection between the honeypot module and the monitoring system. The monitoring system forwards the attacks that the processing module could not eliminate to the honeypot module, which simulates the monitoring system's normal services, lures the attacker into carrying out the real attack, records the attacks received and sends them to the policy library module. The policy library module records all known attack events together with the analysis, discrimination and processing policies, and updates the attack knowledge base with the unknown attack events trapped by the honeypot.
As one embodiment of the invention, the workflow of the self-protection generic unit of the internal network security monitoring system consists of the following five parts:
(1) start-up process
The generic unit starts each module. After starting, the modules attempt to connect to one another; when connecting, inter-module authentication is performed first, successful authentication means the connection is established, and thereafter the modules communicate according to the agreed interfaces. After the analysis module starts, it listens on the port that connects it to all the security monitoring hosts of the monitoring system and waits for their connection requests; when it receives a connection request and authentication succeeds, it establishes and keeps the connection with that host;
(2) analysis process
The analysis module keeps listening to each security monitoring host of the monitoring system and receives the attack event streams they send. It fetches the analysis policy from the policy library module, screens the attack event stream according to that policy, and sends the attacks in the stream that are aimed at the monitoring system to the discrimination module and the processing module for parallel processing;
(3) discrimination process
The discrimination module receives the attacks sent by the analysis module, fetches the discrimination policy from the policy library module, divides the attacks into levels according to attack type and degree of harm as that policy directs, marks the attacks of each level, and sends them to the users at each level who hold the corresponding authority;
(4) processing process
In parallel with step (3), the processing module receives the attacks sent by the analysis module, fetches the processing policy from the policy library module, and starts its submodules according to that policy; the submodules take the corresponding protective measures for the monitoring system. When the processing module cannot protect the monitoring system effectively, step (5) is executed; otherwise steps (2) to (4) continue;
(5) trapping process
The service interruption submodule of the processing module is started to close all other external connections of the monitoring system, and the honeypot module is started at the same time to trap the attack, collect evidence, and send the result to the policy library module to update the attack knowledge base.
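The five-part workflow above, as an added example that is not part of the patent: one pass of analysis, then discrimination and processing side by side, with the trap process as the fallback when the processing policy cannot stop an attack. The event fields, the three policy tables, the user authority levels and the effectiveness feedback are all constructed assumptions; the patent specifies none of them.

```python
from dataclasses import dataclass, field

# Constructed sample attack event stream as the security monitoring hosts would send it to
# the analysis module. Field names are assumptions, not the patent's data structures.
SAMPLE_EVENTS = [
    {"id": 1, "type": "port_scan",         "target": "monitor",  "harm": 2},
    {"id": 2, "type": "buffer_overflow",   "target": "monitor",  "harm": 9},
    {"id": 3, "type": "port_scan",         "target": "lan_host", "harm": 2},
    {"id": 4, "type": "denial_of_service", "target": "monitor",  "harm": 7},
    {"id": 5, "type": "novel_exploit",     "target": "monitor",  "harm": 6},
]

# Constructed policy library contents: one policy per module plus the users' authority levels.
ANALYSIS_POLICY = {"protected_targets": {"monitor"}}   # what counts as "the monitoring system"
DISCRIMINATION_POLICY = [                               # (attack types or None=any, min harm, level)
    ({"buffer_overflow", "novel_exploit"}, 5, 3),       # code-execution class: level 3 once harm >= 5
    (None, 8, 3),                                       # anything else that is very harmful
    (None, 5, 2),
    (None, 0, 1),                                       # catch-all level
]
PROCESSING_POLICY = {"port_scan": "block_source",
                     "denial_of_service": "rate_limit",
                     "buffer_overflow": "restart_service"}
USER_AUTHORITY = {"auditor": 1, "operator": 2, "admin": 3}


@dataclass
class UnitState:
    """What the generic unit has done so far; the trap process records evidence here."""
    deliveries: dict = field(default_factory=dict)      # user -> [event ids delivered]
    actions: list = field(default_factory=list)         # (event id, protective action)
    external_links_open: bool = True
    honeypot_running: bool = False
    knowledge_base: list = field(default_factory=list)  # attacks learned via the honeypot


def analyze(events, policy):
    """Analysis module: keep only attacks aimed at the monitoring system itself."""
    return [e for e in events if e["target"] in policy["protected_targets"]]


def discriminate(event, policy):
    """Discrimination module: assign a level from attack type and harm, then mark the event."""
    for types, min_harm, level in policy:
        if (types is None or event["type"] in types) and event["harm"] >= min_harm:
            return {**event, "level": level, "mark": f"L{level}/{event['type']}"}
    raise ValueError("discrimination policy has no catch-all level")


def deliver(marked, authority, state):
    """Send a marked attack to every user whose authority covers its level."""
    for user, level in authority.items():
        if level >= marked["level"]:
            state.deliveries.setdefault(user, []).append(marked["id"])


def process(event, policy, effective, state):
    """Processing module: apply the policy action; fall back to the trap process if it fails."""
    action = policy.get(event["type"])
    if action is not None and effective(event, action):
        state.actions.append((event["id"], action))
        return "protected"
    trap(event, state)
    return "trapped"


def trap(event, state):
    """Trap process: cut all other external links, start the honeypot, update the knowledge base."""
    state.external_links_open = False
    state.honeypot_running = True
    state.knowledge_base.append({"type": event["type"], "harm": event["harm"], "evidence": event["id"]})


def assumed_effectiveness(event, action):
    """Constructed stand-in for the submodules' feedback: a service restart cannot contain harm >= 9."""
    return not (action == "restart_service" and event["harm"] >= 9)


def run_unit(events, effective=assumed_effectiveness):
    """One pass of analysis -> (discrimination || processing) over an attack event stream."""
    state = UnitState()
    outcomes = {}
    for event in analyze(events, ANALYSIS_POLICY):
        deliver(discriminate(event, DISCRIMINATION_POLICY), USER_AUTHORITY, state)
        outcomes[event["id"]] = process(event, PROCESSING_POLICY, effective, state)
    return state, outcomes
```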
In its hardware deployment, the self-protection generic unit of the present invention is independent of the internal network security monitoring system it protects. The analysis module is deployed on the switch that connects the hosts of the monitoring system; the discrimination module, the processing module and the policy library module are deployed on an independent router that is connected only to the switch hosting the analysis module; the honeypot module is deployed on an independent host that is likewise connected only to that switch. The specific hardware deployment is shown schematically in Fig. 2.
The interface design of the self-protection generic unit in this embodiment is as follows:
(1) external interfaces
The generic unit has three external interfaces: one through which the internal network security monitoring system sends attack events to the generic unit, one through which the generic unit sends processing commands to the monitoring system, and one through which the monitoring system forwards attack requests to the honeypot module of the generic unit. These three interfaces can be implemented as three one-way channels. They all use a data body of the same structure.
(2) internal interfaces
The internal interfaces are chiefly the interfaces between modules. They follow standard network communication protocol conventions, and inter-module communication uses sockets. The message structure is: header + body. The header carries, among other things, the feature (type) of the body, the encryption mode of the body, the body length and the body checksum. The body is the actual data content and normally consists of several structure packets that share the same data structure.
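The header + body message of the internal interfaces (described here and in the summary above), as an added example that is not the patent's code: the parser checks the header's length and checksum against the body before any structure packet is trusted. The field widths, the use of CRC32 as the checksum, the record layout and the feature code are all assumptions; the patent names the fields but not their encoding.

```python
import struct
import zlib

# Assumed header layout (the patent lists the fields, not their sizes):
#   feature (u16) | encryption mode (u8) | record count (u16) | body length (u32) | body CRC32 (u32)
HEADER = struct.Struct("!HBHII")
# Assumed layout of one body "structure packet"; every packet in a body shares it:
#   event id (u32) | attack type code (u16) | harm level (u8) | source IPv4 (4 bytes)
RECORD = struct.Struct("!IHB4s")

ENC_NONE = 0   # body sent in the clear; the only mode framed in this example
ENC_3DES = 1   # the embodiment's mode; key handling is outside the scope of this example

FEATURE_ATTACK_EVENTS = 0x0001   # constructed feature code: "attack events from the analysis module"


class MessageError(ValueError):
    """A received frame failed one of the header checks."""


def pack_message(feature, enc_mode, records):
    """Build header + body from (event_id, type_code, harm, src_ip4) tuples."""
    if enc_mode != ENC_NONE:
        raise NotImplementedError("only plaintext bodies are framed in this example")
    body = b"".join(RECORD.pack(*rec) for rec in records)
    header = HEADER.pack(feature, enc_mode, len(records), len(body), zlib.crc32(body))
    return header + body


def parse_message(frame):
    """Verify the header against the body, then return (feature, list of record tuples)."""
    if len(frame) < HEADER.size:
        raise MessageError("frame shorter than header")
    feature, enc_mode, count, length, crc = HEADER.unpack_from(frame)
    body = frame[HEADER.size:]
    if len(body) != length:                       # truncated or padded on the wire
        raise MessageError(f"body length {len(body)} != header length {length}")
    if zlib.crc32(body) != crc:                   # corrupted or altered body
        raise MessageError("body checksum mismatch")
    if enc_mode != ENC_NONE:
        raise NotImplementedError(f"decryption of mode {enc_mode} not implemented here")
    if length != count * RECORD.size:             # header count disagrees with the packets
        raise MessageError("record count does not match body length")
    records = [RECORD.unpack_from(body, i * RECORD.size) for i in range(count)]
    return feature, records


# Constructed sample body: two structure packets with the same layout.
SAMPLE_RECORDS = [
    (1001, 7, 9, bytes([10, 0, 0, 5])),   # e.g. buffer overflow, harm 9, from 10.0.0.5
    (1002, 3, 2, bytes([10, 0, 0, 9])),   # e.g. port scan, harm 2, from 10.0.0.9
]


def roundtrip():
    """Frame the sample records and parse them back."""
    return parse_message(pack_message(FEATURE_ATTACK_EVENTS, ENC_NONE, SAMPLE_RECORDS))


def rejects_damage():
    """Alter one body byte, and separately drop the last packet; both must be rejected."""
    frame = pack_message(FEATURE_ATTACK_EVENTS, ENC_NONE, SAMPLE_RECORDS)
    pos = HEADER.size + 6                          # the harm byte of the first packet
    altered = frame[:pos] + bytes([frame[pos] ^ 0xFF]) + frame[pos + 1:]
    truncated = frame[:-RECORD.size]
    results = []
    for bad in (altered, truncated):
        try:
            parse_message(bad)
            results.append(False)
        except MessageError:
            results.append(True)
    return results
```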
The intercommunication protection mechanism of the self-protection GU Generic Unit described in the present embodiment is as follows:
(1) communication encryption
Communication data in self-protection GU Generic Unit between each module adopts symmetric encipherment algorithm, and symmetric encipherment algorithm is exactly that encryption and decryption adopt identical one the cryptographic algorithm of key.No matter to adopt which kind of general symmetric encipherment algorithm, algorithm secret key secret most important.In the present embodiment, adopt 3DES to realize communication encryption.
(2) connect authentication
Connection authentication in self-protection GU Generic Unit between each module, the authentication that adopts the network communication of standard to connect, the namely connection of the socket communication of modules authentication.The object that connects authentication is that assurance modules can guarantee that in connection procedure the other side is legal module.If the authentication not connecting, assailant likely connects to transmit and receive data, and this is totally unfavorable to safety.
Three aspects guarantee the security of connection authentication. First is the security of the connection authentication key: the key mainly resides in a certificate, and the certificate is tied to the hardware environment and similar factors, so it is not generic and can only be used in that environment. Second is the non-disclosure of the encryption algorithm: the algorithm used for connection authentication is not one of the mainstream published symmetric key algorithms. Third, the plaintext is sent by the module that initiates the connection request and is a random number sequence, which guarantees that the object encrypted and decrypted differs for every connection, so an attacker cannot study the message content by repeatedly replaying packets.
(3) connect abnormality detection
While the self-protection GU Generic Unit is running, connection errors between the modules can occur for many reasons, such as program coding problems, runtime errors, an unplugged network cable or a hardware fault. If a module cannot quickly diagnose such an abnormal condition, resources are wasted and the reliability of program operation decreases. In this embodiment, connection anomalies between modules are resolved mainly by sending fault diagnosis packets. If a module in this unit finds that a connection it established has carried no data for a certain period, it immediately sends a fault diagnosis packet to the peer module of that connection. If a normal response is received after sending, the connection is normal and communication continues; if sending fails, the connection is broken and the module releases its resources immediately; if sending succeeds but no reply packet is received, the peer module's program has failed, and the module that sent the diagnosis packet disconnects and releases its resources immediately.
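The three outcomes of the fault diagnosis packet procedure just described, as an added example that is not the patent's own code. It assumes (my assumptions, not the page's) that each connection records when it last carried traffic, that an idle timeout decides when a diagnosis packet is sent, and that the transport reports whether the send succeeded and what reply, if any, arrived before the deadline; the three transports at the end are constructed stand-ins.

```python
"""Connection anomaly detection between modules (added example, not the patent's code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Tuple

DIAG_REQUEST = b"DIAG?"    # constructed fault diagnosis packet
DIAG_REPLY = b"DIAG-OK"    # constructed normal response


class LinkState(Enum):
    HEALTHY = "traffic seen recently"
    KEEP_ALIVE = "diagnosis answered, connection kept"
    LINK_DOWN = "send failed, connection broken, resources released"
    PEER_FAILED = "no reply, peer program error, connection closed"


@dataclass
class Connection:
    peer: str
    last_traffic: float          # seconds, same clock as `now` below (assumption)
    idle_timeout: float = 30.0   # silence before a diagnosis packet is sent
    reply_deadline: float = 5.0  # how long to wait for the reply
    released: bool = False       # set once this side has released the link


# transport(peer, payload, deadline) -> (send_succeeded, reply_or_None)
Transport = Callable[[str, bytes, float], Tuple[bool, Optional[bytes]]]


def check_connection(conn: Connection, now: float, transport: Transport) -> LinkState:
    """Apply the three outcomes from the text: normal reply, send failure, no reply."""
    if conn.released:
        return LinkState.LINK_DOWN
    if now - conn.last_traffic < conn.idle_timeout:
        return LinkState.HEALTHY          # recent data, nothing to diagnose
    sent, reply = transport(conn.peer, DIAG_REQUEST, conn.reply_deadline)
    if not sent:                          # cable out, hardware fault, socket gone
        conn.released = True
        return LinkState.LINK_DOWN
    if reply != DIAG_REPLY:               # reachable at socket level but not answering
        conn.released = True
        return LinkState.PEER_FAILED
    conn.last_traffic = now               # a valid reply counts as traffic
    return LinkState.KEEP_ALIVE


# Constructed transports standing in for the three situations in the text.
def healthy_peer(peer, payload, deadline):
    return True, (DIAG_REPLY if payload == DIAG_REQUEST else None)


def unplugged_link(peer, payload, deadline):
    return False, None


def hung_peer(peer, payload, deadline):
    return True, None


if __name__ == "__main__":
    link = Connection(peer="discrimination-module", last_traffic=0.0)
    for clock, transport in ((10.0, healthy_peer), (60.0, healthy_peer), (120.0, hung_peer)):
        print(clock, check_connection(link, clock, transport).value)
```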
Below the function of each module is described further:
1 analysis module
The purpose of the analysis module is to analyse the attack events submitted by the Inner Network Security Monitor System so as to discover in time the full range of threats to the Inner Network Security Monitor System.
The analysis module receives the attack events that the Inner Network Security Monitor System obtained after its initial analysis, calls the analysis strategy in the policy library module to analyse these events further, filters out the attack events that target the Inner Network Security Monitor System, and sends these events to the discrimination module and the processing module at the same time.
(1) Analysis module workflow design and realisation
In this embodiment, the analysis module workflow adopts the scheme described in the Beijing Institute of Technology master's thesis by Jiang Wu, February 2006, "Research on the Design and Implementation of a General Self-Protection Architecture for Network Security Systems", shown in Figure 3:
In Figure 3, the analysis module first initialises; after initialisation is complete it continuously receives the attack event stream and analyses it according to the analysis strategy provided by the analysis strategy library in the policy library module. When an attack event stream is received, the content of the attack events in the stream is first parsed and mapped to the corresponding rule variables, which are then matched one by one against the corresponding rules in the analysis strategy library; if a rule's left-hand side matches successfully, that rule's right-hand side is selected as the output.
Specifically, each step of the analysis module's work is as follows:
1) Analysis module initialisation procedure
The initialisation procedure is the first work performed after the analysis module starts; it comprises creating and initialising the various data structures and temporary tables in the analysis module, reading the rules in the analysis strategy library and building the rule tree. The flow chart of the initialisation procedure is shown in Figure 4.
2) Analysis module preprocessing procedure
The preprocessing procedure unpacks the attack events in the received attack event stream, removes useless data, then formats the unpacked data into rule variables and selects the corresponding rules according to those rule variables. The preprocessing flow chart is shown in Figure 5.
3) Rule match procedure
The rule match procedure uses forward reasoning: for the rule variables generated from an attack event, the selected rules are traversed; if the rule variables satisfy the left-hand condition of a rule, that rule's right-hand side is output and the traversal ends, otherwise the next rule is tried, until all rules have been traversed. The analysis module rule match workflow is shown in Figure 6, where K is the sequence number of each rule and MAX the total number of rules in the analysis strategy.
2 discrimination module
The discrimination module takes the attack events targeting this Inner Network Security Monitor System that the analysis module filtered out according to the analysis strategy, classifies them into levels according to attack type and degree of harm, then marks the attack events of these different levels so as to distinguish the authority corresponding to each level, and sends them to users of the corresponding level, so that each user learns of the attack events matching their own authority;
The discrimination module contains a certificate generation submodule and a dynamic password generation submodule. Wherein,
the certificate generation submodule generates a complete set of certificates from the certificate key information, certificate generation time information and certificate generation random information held by the user. The certificate generation time information records the time at which the certificate was generated. The certificate generation random information records the random data produced at that time. The certificate here is a certificate bundle, tied to the system hardware information, certificate generation time information and certificate generation random information, issued by the manufacturer when the system is installed, and the certificates in this bundle must be generated in a single pass by the certificate issuance program to be valid;
the dynamic password generation submodule mainly performs an algorithmic calculation on the certificate and the current time to derive the dynamic password, which is used to encrypt attack events.
The dynamic password technology used by the dynamic password generation submodule is a technique in which the password used for encryption changes continuously according to time, number of uses or other factors, and each password can be used only once. It is conventionally composed of a dynamic token and an authentication server. The dynamic token is dedicated hardware with a built-in power supply, a password generation chip and a display; the password generation chip runs a dedicated cryptographic algorithm that generates the current password from the current time, number of uses or other factors and shows it on the display. The authentication server uses the same algorithm as the dynamic token to compute the valid password. Users with different rights only need to enter the password shown on the dynamic token to authenticate. Because every password used must be produced by the dynamic token, and only a legitimate user holds that hardware, passing password verification is enough to consider the user's identity reliable. Because each password the user uses is different, even if an attacker intercepts a password once, it cannot be used to impersonate the legitimate user.
Figure 7 shows the structure of the discrimination module. The discrimination module calls the discrimination strategy in the discrimination policy library of the policy library module and, according to attack type and degree of harm, classifies the attack events targeting this Inner Network Security Monitor System that the analysis module filtered out into levels, then marks the attack events of these different levels so as to distinguish the authority corresponding to each level; in order to send the attack events of each level to users with the corresponding rights, the discrimination module uses the certificate-based dynamic password authentication provided by the two submodules above to identify users, so that each user has the authority to obtain the attack events of the appropriate level. Authentication fails in the following situations: the user has no certificate, the certificate does not match, the generated dynamic password does not match, the time difference between the two authenticating sides exceeds the threshold, and so on.
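Certificate-based dynamic password authentication with the four failure cases listed above, as an added example that is not the patent's own code. My assumptions: the certificate bundles the user, a hardware identifier, the generation time and random data; the dynamic password is an HMAC-SHA256 of the certificate fingerprint and the current 30-second time step; and the client sends its own clock reading with the password so the server can apply the time-difference threshold.

```python
"""Certificate generation and dynamic password submodules (added example, not the patent's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TIME_STEP = 30      # seconds per dynamic password (assumption)
MAX_SKEW = 60       # tolerated clock difference between the two sides (assumption)
DIGITS = 8          # length of the dynamic password (assumption)


@dataclass(frozen=True)
class Certificate:
    user: str
    hardware_id: str    # ties the certificate to the installed hardware
    issued_at: int      # certificate generation time information
    nonce: str          # certificate generation random information
    key: bytes          # certificate key information held by the user


def issue_certificate(user: str, hardware_id: str, issued_at: int) -> Certificate:
    """Certificate generation submodule: one-off issuance at installation time."""
    return Certificate(user, hardware_id, issued_at, secrets.token_hex(16), secrets.token_bytes(32))


def fingerprint(cert: Certificate) -> str:
    """Public identifier of a certificate; it does not reveal the key."""
    material = f"{cert.user}|{cert.hardware_id}|{cert.issued_at}|{cert.nonce}".encode()
    return hashlib.sha256(material).hexdigest()


def dynamic_password(cert: Certificate, now: int) -> str:
    """Dynamic password submodule: certificate + current time -> one-time password."""
    step = (now // TIME_STEP).to_bytes(8, "big")
    mac = hmac.new(cert.key, fingerprint(cert).encode() + step, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**DIGITS).zfill(DIGITS)


def authenticate(server_certs: dict, user: str, presented_fp: str,
                 client_time: int, password: str, server_time: int):
    """Return (ok, reason); the reasons mirror the failure cases listed in the text."""
    cert = server_certs.get(user)
    if cert is None:
        return False, "user has no certificate"
    if not hmac.compare_digest(presented_fp, fingerprint(cert)):
        return False, "certificate does not match"
    if abs(client_time - server_time) > MAX_SKEW:
        return False, "time difference exceeds threshold"
    if not hmac.compare_digest(password, dynamic_password(cert, client_time)):
        return False, "dynamic password does not match"
    return True, "authenticated"


def demo():
    """Constructed scenario: one valid login followed by the four failure cases."""
    cert = issue_certificate("auditor", "hw-serial-0001", issued_at=1_700_000_000)
    server = {"auditor": cert}      # the authentication server's copy of the certificates
    t = 1_700_100_000
    pw = dynamic_password(cert, t)
    return [
        authenticate(server, "auditor", fingerprint(cert), t, pw, t + 5),
        authenticate(server, "nobody", fingerprint(cert), t, pw, t + 5),
        authenticate(server, "auditor", "0" * 64, t, pw, t + 5),
        authenticate(server, "auditor", fingerprint(cert), t, pw, t + 600),
        authenticate(server, "auditor", fingerprint(cert), t, "X" * DIGITS, t + 5),
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print("OK  " if ok else "FAIL", reason)
```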
3 processing modules
The processing module responds to and handles the attack events screened by the analysis module, then takes the corresponding protective measures for the Inner Network Security Monitor System according to the processing policy. If the processing policy adopted cannot eliminate the attack, it interrupts all other external links of the Inner Network Security Monitor System and starts the honey jar module at the same time;
The processing module comprises a processing master control module and a group of submodules supporting an extensible interface; the structure of the processing module in this embodiment is shown in Figure 8, wherein
the processing master control module is responsible for communicating with the other modules of the self-protection GU Generic Unit and at the same time manages and schedules its subordinate submodules; these submodules are essentially dynamic link libraries that encapsulate specific programs, scripts, kernel modules and so on. This design improves the extensibility of the processing module, since other submodules can be added as required.
The functions of each submodule are introduced below:
(1) System hiding submodule: hides the files, processes, modules and network connections in the Inner Network Security Monitor System that need to be hidden, so that an attacker cannot locate the key resources of the Inner Network Security Monitor System, cannot determine a target and therefore cannot attack or damage it. For example,
under Linux, the system call used to query file information is getdents64, whose handler is sys_getdents64. When querying information about a file or directory, Linux performs the query with the getdents64 system call and passes the information obtained to the user program; if this system call is modified so that information about certain specific files is removed from the result, no program that uses this system call can find those files, which achieves the purpose of hiding.
Linux has no system call that queries process information directly; commands that query process information, such as ps, do so by querying the proc file system. The proc file system is implemented through the application file system interface, so files in the proc file system can be hidden by the same method used to hide files. Running strace on the ps command shows that querying process information in fact uses the getdents64 system call, so adding a check for the proc file system in the getdents64 handler above is enough to hide a process.
In practical applications, the purpose of improving system functions is often achieved through modules, but when a module is inserted without any hiding measures it is easily found by the other side; once the other side finds and unloads the inserted module, all functions performed by that module fail. Therefore how to hide a module of a specific name needs further analysis.
The Linux operating system has no dedicated system call for querying module information, so a new method is needed to hide the kernel modules that must be hidden. The method is very simple: obtain the _this_module structure of the current kernel-driver module. It is actually a node of the circular doubly linked list of module structures strung together by the kernel's special list structure list_head, and through this node the information of the whole set of module structures can be obtained. So the list_for_each macro supported by list_head is used to traverse the whole circular doubly linked list of module structures, matching the name of the protected module against the name of each node; once the node to be protected is found, its pointer is saved first and then the list_del macro removes the node. When protection is complete and the module needs to exit, the saved node pointer is used with the list_add macro to rejoin the data to the set of module structures.
Similarly to process hiding, network connections can be hidden by hiding certain files in the proc file system, including /proc/net/tcp and /proc/net/udp. The read system call is intercepted and its handler sys_read replaced by new_read; the method is the same as for process hiding: whenever a read involves a string matching either of these two file names, the new_read handler does not return it. This achieves the purpose of hiding network connections.
(2) File protection submodule: protects the program files and configuration files in the Inner Network Security Monitor System, forbids adding, deleting or modifying those files or folders, and performs integrity checks on the files so that they cannot be damaged or tampered with. This is explained with the embodiment as follows:
File operation interception: nearly all operations of the Linux operating system are realised through system calls provided by the operating system, and file operations are no exception. This gives us an easy way to capture all file operations: intercepting the file-related system calls, for example to monitor read operations, write operations and so on.
File operation monitoring: after the file operation system calls have been intercepted, file operation monitoring handles them according to the strategy. First, read, write, execute, attribute modification and other operations on each file are intercepted in real time. Then the intercepted information is matched against the monitored file objects that the strategy specifies, and once a behaviour defined as requiring monitoring is found it is handled immediately as the strategy requires.
Monitoring data structure: by analysing the Linux kernel source code, particularly the data structures related to process management and file management, a "system secure access file list" was determined. Generating this structure mostly referenced the very important process control block (PCB) data structure in the kernel, which clearly contains very important information such as process, user and file system.
Ensuring file integrity: the MD5 algorithm is used. Whether a file has changed is verified by comparing the MD5 values of the same file. After the configured strategy takes effect, the MD5 value of each file to be checked is first calculated and saved; whenever the file needs to be verified, its MD5 is calculated again and the two values are compared, from which a conclusion can be drawn.
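The baseline-and-recheck integrity procedure just described, as an added example that is not the patent's own code. It uses MD5 because the text specifies it; a deployment today would use SHA-256 through the same `algorithm` parameter, since MD5 collisions are practical. My assumptions: the baseline is a plain dict of path to digest kept outside the protected directory, and the check classifies each file as ok, modified or missing; the files in `demo()` are constructed in a temporary directory.

```python
"""File integrity check of the file protection submodule (added example, not the patent's code)."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable


def file_digest(path: str, algorithm: str = "md5") -> str:
    """Hash a file in chunks so large program files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str], algorithm: str = "md5") -> Dict[str, str]:
    """Step 1 of the text: compute and save the digest of every file to check."""
    return {p: file_digest(p, algorithm) for p in paths}


def verify_baseline(baseline: Dict[str, str], algorithm: str = "md5") -> Dict[str, str]:
    """Step 2: recompute each digest and compare it with the saved value."""
    report = {}
    for path, saved in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"      # deletion is also a forbidden operation
        elif file_digest(path, algorithm) == saved:
            report[path] = "ok"
        else:
            report[path] = "modified"     # content tampered with
    return report


def demo() -> Dict[str, str]:
    """Constructed scenario in a temporary directory: one untouched file,
    one modified program file and one deleted configuration file."""
    with tempfile.TemporaryDirectory() as d:
        files = {"monitor.bin": b"\x7fELF-stand-in", "monitor.conf": b"level=3\n",
                 "rules.txt": b"rule 1\n"}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(os.path.join(d, n) for n in files)
        with open(os.path.join(d, "monitor.bin"), "ab") as f:
            f.write(b"\x90\x90")          # something appended to the binary
        os.remove(os.path.join(d, "monitor.conf"))
        report = verify_baseline(baseline)
        return {os.path.basename(p): status for p, status in report.items()}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```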
(3) Network protection submodule: prevents network anomalies and resists denial of service attacks. Network anomalies are prevented by monitoring the network connections of the Inner Network Security Monitor System and interrupting any connection found to be malicious. Denial of service attacks are resisted by interrupting the overloaded connections once the connections of the Inner Network Security Monitor System are found to be overloaded or the data traffic excessive. For open network service ports, denial of service attacks are resisted mainly in two ways: limiting the number of connections and judging traffic.
In an embodiment, limiting the number of connections mainly means judging whether an open port has more connections from the same IP address than a threshold. If so, further connection requests from that IP address are refused.
Judging traffic mainly means judging whether the network traffic at the current moment exceeds the normal threshold; once the traffic exceeds the threshold, the measure taken is to notify the firewall to block all connections.
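The two denial-of-service measures above (per-IP connection limit, traffic threshold with a block-all request to the firewall), as an added example that is not the patent's own code. My assumptions: the per-IP limit counts connections opened within a sliding time window, and "notify the firewall" is modelled by recording the requested action rather than calling a real firewall; the addresses and figures in `demo()` are constructed.

```python
"""Connection limiting and traffic threshold of the network protection submodule (added example)."""
from collections import defaultdict, deque
from typing import Deque, Dict, List


class NetworkGuard:
    def __init__(self, max_conn_per_ip: int = 20, window: float = 60.0,
                 traffic_threshold_bps: int = 50_000_000):
        self.max_conn_per_ip = max_conn_per_ip       # threshold per source IP
        self.window = window                         # seconds a connection counts
        self.traffic_threshold_bps = traffic_threshold_bps   # "normal" traffic ceiling
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)
        self.firewall_actions: List[str] = []        # what would be sent to the firewall

    def _prune(self, ip: str, now: float) -> None:
        q = self._recent[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def admit_connection(self, ip: str, now: float) -> bool:
        """Refuse the connection once this IP exceeds the threshold on the open port."""
        self._prune(ip, now)
        if len(self._recent[ip]) >= self.max_conn_per_ip:
            self.firewall_actions.append(f"refuse connection from {ip}")
            return False
        self._recent[ip].append(now)
        return True

    def check_traffic(self, bytes_seen: int, seconds: float) -> bool:
        """Return True, and ask the firewall to block everything, when traffic exceeds the threshold."""
        rate = bytes_seen / seconds if seconds > 0 else float("inf")
        if rate > self.traffic_threshold_bps:
            self.firewall_actions.append("block all connections")
            return True
        return False


def demo():
    """Constructed scenario: one address exceeds the limit, another does not, the window expires, then a flood."""
    guard = NetworkGuard(max_conn_per_ip=3, window=10.0, traffic_threshold_bps=1_000_000)
    decisions = [guard.admit_connection("203.0.113.5", t) for t in (0.0, 1.0, 2.0, 3.0)]
    other = guard.admit_connection("198.51.100.9", 3.0)
    later = guard.admit_connection("203.0.113.5", 20.0)     # earlier connections aged out
    flood = guard.check_traffic(bytes_seen=8_000_000, seconds=2.0)
    return decisions, other, later, flood, guard.firewall_actions


if __name__ == "__main__":
    print(demo())
```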
(4) Process protection submodule: closes malicious processes, establishes protection for the critical processes of the Inner Network Security Monitor System, and forbids forcibly terminating normally running processes.
The main purpose of process protection is to prevent important system processes from being closed by an attacker. An attacker who has obtained some authority by improper means can destroy system processes and even cause the whole Inner Network Security Monitor System to collapse. Therefore system processes need to be protected from being closed illegally.
Here the method for Process Protection as before; method is the system call kill that journey is entered in interception; then in the response function new_kill of Process Protection submodule, compare; once find that the signal object that will transmit is protected process; and signal is to kill process signals; will not respond, and event is carried out to record.Need in addition to close illegal process.Method is to realize by orders such as kill, killall, service.
(5) Security audit submodule: audits the user events of the Inner Network Security Monitor System, namely administrator operation events, data operation events and account login failure events in the Inner Network Security Monitor System; once any of these events is found to be an attack, the account is closed.
In the embodiment, accounts are locked or kicked out. Locking an account mainly modifies the corresponding account password information in the /etc/shadow file, so that when the user next logs in the password has changed and login fails. Kicking out an account closes the console terminal that the target account is using.
(6) Service interruption submodule: if the processing module of the self-protection GU Generic Unit finds an attack it cannot handle, it closes all other connections between the Inner Network Security Monitor System and the outside according to the processing policy, and starts the honey jar module at the same time.
The processing policy called by the processing module includes a service interruption strategy, which provides the commands for closing each part of the Inner Network Security Monitor System and the commands for starting each part. Thus, when a system anomaly is detected and the attack cannot be handled effectively, the processing module starts the service interruption submodule, calls the service interruption strategy, interrupts the connections of each part of the Inner Network Security Monitor System, and then starts the honey jar module.
4 Honey jar module
When the processing policy of the processing module fails, the honey jar (honeypot) module simulates the normal services of the Inner Network Security Monitor System, lures the attacker into attacking the honey jar, traps the attack and collects evidence, and at the same time records the attack events received and sends them to the policy library module;
The honey jar module has the following two functions:
(1) Simulated services
Simulated services are realised by configuring and starting multiple real system processes that run on the honey jar module host and are modelled as multiple real servers, that is, the normal services of the Inner Network Security Monitor System. On the honey jar host, each application is treated as a particular instance of an operating system and service with its own independent IP address. When the processing policy of the processing module fails, the processing module starts the honey jar module; from then on, when an attacker sends a request to a security monitoring host in the real Inner Network Security Monitor System, that security monitoring host accepts the request and forwards it to the honey jar host, where the emulated server running there processes the attacker's request.
(2) Event logging
After an attacker begins attacking the started honey jar module, the honey jar module records all packets entering and leaving it, so as to capture every possible attack event. The honey jar module's own log files can also serve as a data source for recording attack events, but log files are easily deleted by an attacker, so the approach adopted in this invention is to have the honey jar module periodically send log backups to the router hosting the policy library module, for updating the attack knowledge base of the policy library module.
5 Policy library module
The policy library module comprises an attack knowledge base describing various known attacks, including the attributes of the attacks; the policy library module also receives attack events from the honey jar module to update the attack knowledge base; the policy library module further comprises the analysis strategy library, discrimination policy library and processing policy library that provide the corresponding strategies and information to the analysis module, discrimination module and processing module;
A strategy is the set of rules that must be observed in a module to realise its function; this set of rules is formulated by the organisation or person implementing the module, and the module is described, implemented or realised according to it. The strategies used in this invention comprise the analysis strategy, the discrimination strategy and the processing policy. The analysis strategy is the set of rules the analysis module must observe when analysing attack events; the discrimination strategy is the set of rules the discrimination module must observe when classifying attack events into levels; the processing policy is the set of rules the processing module must follow when responding to attack events and taking protective measures.
Strategy need to be observed layering principle, and both strategy became tree structure, and tree root is highly abstract strategy, and limb or leaf are specializing upper strata strategy.
All kinds of strategies are stored in a database.
Strategy conflict resolution: strategies may conflict with one another. To handle conflicts, a priority level is first assigned to each strategy, and among strategies of the same type only the one with the highest priority is executed. Thereafter, before a new strategy is added, all strategies of the same type are traversed; if a strategy conflicting with the new one is found, the conflict information is fed back to the user, who decides whether to add the new strategy.
The policy library module design method in this embodiment:
The policy library module consists of multiple databases storing strategies. A strategy is a set of rules. The policy library module designed in this invention contains three policy libraries and one attack knowledge base. The three policy libraries are the analysis strategy library, the discrimination policy library and the processing policy library. The rule sets stored in these three policy libraries have the same rule parameter table structure. The rule parameter table stores all intermediate variables needed to generate rules and the variables that may appear in rules. During rule-based reasoning, updates to each intermediate variable and variable are made available to the next rule match through the rule parameter table. The rule parameter table structure of the policy library adopted in this embodiment is shown in Table 2.
Table 2 Rule parameter table structure of the policy library

| Field name | Type | Length | Meaning |
|---|---|---|---|
| Order_ID | Int | 4 bytes | Record number |
| Rule_ID | Int | 4 bytes | Rule code |
| Group_ID | Int | 4 bytes | Rule group code |
| Priority | Char | 1 byte | Rule priority level |
| Reliability | Char | 2 bytes | Rule confidence level |
| Pre_rule | Char | 255 bytes | Left-hand side (antecedent) of the rule |
| Act_rule | Char | 255 bytes | Right-hand side (consequent) of the rule |
| Var_count | Int | 4 bytes | Number of variables in the rule's left-hand side |
| Active | Char | 1 byte | Whether the rule is established |
| Used | Char | 1 byte | Whether the rule is in effect |
| Means | Char | 255 bytes | Explanation of the rule's meaning |
In the policy selection process based on rule sets, the goal is to convert the newly received data into the values corresponding to the rule variables, then match those values against each rule in turn, that is, judge whether the rule's left-hand side is satisfied; if it is, execute the action represented by the rule's right-hand side. That is: rule left-hand side → rule right-hand side. The left-hand side is a logical expression composed mainly of rule variables, and the right-hand side is the action to be executed.
In the self-protection GU Generic Unit, the analysis strategy, discrimination strategy and processing policy use the same rule table structure and parameter table structure, but the contents of the three rule sets differ and they use three different sets of rule variables:
Examples of the rule variables and the rule format are given below:
(1) Rule variable format example: Table 3 gives examples of some rule variables used by the processing policy. Table 4 gives some examples of rules used by the processing policy.
Table 3 Rule variable sample table

| Rule variable name | Rule variable type | Rule variable meaning |
|---|---|---|
| MaxNum_Process | Numeric | Maximum number of processes |
| MinNum_Process | Numeric | Minimum number of processes |
| Name_Process1 | String | Name of a certain process |
| Name_Process2 | String | Name of a certain process |
| Name_Service1 | String | Name of a certain service |
| Name_Service1 | String | Name of a certain service |
| Self_Process | String | Set of own processes |
| Self_Service | String | Set of own services |
| Valid_Process | String | Set of legal processes |
| Valid_Service | String | Set of legal services |
| Invalid_Process | String | Set of illegal processes |
| Invalid_Service | String | Set of illegal services |
| Count1 | Numeric | Macro used by a certain rule |
| Count2 | Numeric | Macro used by a certain rule |
Table 4 Sample rules table (rendered as an image in the original; its content is not recoverable here)
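The rule match procedure of the analysis module (forward reasoning over rule left-hand sides, step 3 above) and the policy library's Table 2 rule fields with priority ordering and conflict checking, in one added example that is not the patent's own code. My assumptions: Pre_rule is a boolean expression over rule variables in a small Python subset evaluated through the ast module, so no arbitrary code runs; a conflict is two rules of one group with the same condition and different actions; the event format, configuration and the three rules are constructed in the vocabulary of Table 3, since Table 4 is not recoverable.

```python
"""Rule-based strategy matching shared by the analysis module and the policy library
(added example, not the patent's code; Pre_rule syntax, conflict definition, event
format and rules are my assumptions)."""
import ast
import operator
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

_COMPARE = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne,
            ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b}


def _eval(node, variables):
    """Evaluate only names, constants, comparisons and and/or/not; reject anything else."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, variables)
    if isinstance(node, ast.BoolOp):
        results = [_eval(v, variables) for v in node.values]
        return all(results) if isinstance(node.op, ast.And) else any(results)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, variables)
    if isinstance(node, ast.Compare):
        left = _eval(node.left, variables)
        for op, comparator in zip(node.ops, node.comparators):
            right = _eval(comparator, variables)
            if type(op) not in _COMPARE or not _COMPARE[type(op)](left, right):
                return False
            left = right
        return True
    if isinstance(node, ast.Name):
        return variables[node.id]          # unknown rule variable raises KeyError
    if isinstance(node, ast.Constant):
        return node.value
    raise ValueError(f"unsupported syntax in Pre_rule: {type(node).__name__}")


def left_side_holds(pre_rule: str, variables: Dict[str, Any]) -> bool:
    return bool(_eval(ast.parse(pre_rule, mode="eval"), variables))


@dataclass
class Rule:                  # the Table 2 fields this example needs
    rule_id: int
    group_id: int
    priority: int            # higher value wins
    pre_rule: str            # left-hand side: condition over rule variables
    act_rule: str            # right-hand side: action to execute
    active: bool = True
    means: str = ""


@dataclass
class PolicyLibrary:
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, rule: Rule) -> Optional[str]:
        """Traverse same-group rules first; a conflict is reported to the user, not added."""
        for other in self.rules:
            if (other.group_id == rule.group_id and other.pre_rule == rule.pre_rule
                    and other.act_rule != rule.act_rule):
                return f"conflicts with Rule_ID {other.rule_id}: same condition, different action"
        self.rules.append(rule)
        return None

    def match(self, variables: Dict[str, Any]) -> Optional[str]:
        """Forward reasoning: highest priority first, first satisfied rule's action wins."""
        for rule in sorted(self.rules, key=lambda r: -r.priority):
            if rule.active and left_side_holds(rule.pre_rule, variables):
                return rule.act_rule
        return None


def event_to_variables(event, config):
    """Preprocessing step: unpack a constructed attack event into Table 3 variables."""
    return {"Name_Process1": event["process"], "Count1": event["process_count"],
            "MaxNum_Process": config["max_processes"],
            "Self_Process": config["self_processes"],
            "Valid_Process": config["valid_processes"],
            "Invalid_Process": config["invalid_processes"]}


CONFIG = {"max_processes": 100, "self_processes": {"monitor", "analyzer"},
          "valid_processes": {"sshd", "cron", "monitor", "analyzer"},
          "invalid_processes": {"nc", "socat"}}     # constructed configuration


def demo_library() -> PolicyLibrary:
    """Three constructed processing-policy rules in the Table 3 vocabulary."""
    lib = PolicyLibrary()
    lib.add_rule(Rule(1, 1, 9, "Name_Process1 in Invalid_Process",
                      "kill_process(Name_Process1)", means="known illegal process"))
    lib.add_rule(Rule(2, 1, 5, "Name_Process1 not in Valid_Process and "
                               "Name_Process1 not in Self_Process",
                      "alert_unknown_process(Name_Process1)"))
    lib.add_rule(Rule(3, 1, 3, "Count1 > MaxNum_Process", "limit_process_creation"))
    return lib


def decide(event) -> Optional[str]:
    """Full path for one event: preprocess, then match against the policy library."""
    return demo_library().match(event_to_variables(event, CONFIG))
```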
The self-protection GU Generic Unit proposed by the present invention is a system completely independent of the Inner Network Security Monitor System; because of its own independence and security, while it provides protection for the Inner Network Security Monitor System it prevents an attacker from effectively attacking the self-protection GU Generic Unit itself.
The specific description above further explains the objects, technical solution and beneficial effects of the invention. It should be understood that the foregoing is only a specific embodiment of the present invention and is not intended to limit its scope of protection; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (9)

1. A self-protection GU Generic Unit for an Inner Network Security Monitor System, characterized in that it comprises an analysis module, a discrimination module, a processing module, a honey jar module and a policy library module;
the analysis module, processing module and honey jar module are each connected to the Inner Network Security Monitor System and to the policy library module; the discrimination module is connected to the policy library module and to the analysis module; the processing module is additionally connected to the analysis module and to the honey jar module;
the analysis module is deployed on the switch connecting the hosts of the Inner Network Security Monitor System; the discrimination module, processing module and policy library module are deployed on an independent router that is connected only to the switch on which the analysis module is deployed; the honey jar module is deployed on an independent host that is connected only to the switch on which the analysis module is deployed;
the interfaces between the modules follow standard network communication protocol conventions;
the interfaces between said self-protection GU Generic Unit and the outside use one-way channels;
said self-protection GU Generic Unit of an Inner Network Security Monitor System comprises the following workflow:
(1) Start-up procedure
said self-protection GU Generic Unit starts each module; after start-up the modules attempt to connect to one another; when connecting, inter-module authentication is performed first, successful authentication means the connection is successfully established, and the modules then communicate according to the agreed interfaces; the analysis module, after start-up, listens on the ports connecting it to all security monitoring hosts of the Inner Network Security Monitor System and waits for connection requests from the security monitoring hosts; on receiving a connection request and after successful authentication, it establishes a connection with the security monitoring host and keeps that connection;
(2) Analysis procedure
the analysis module keeps listening to each security monitoring host in the Inner Network Security Monitor System and receives the attack event streams the security monitoring hosts send; the analysis module calls the analysis strategy from the policy library module, screens the attack event stream according to the analysis strategy, and sends the attack events in the stream that target the Inner Network Security Monitor System to the discrimination module and the processing module for parallel processing;
(3) Discrimination procedure
the discrimination module receives the attack events sent by the analysis module, calls the discrimination strategy from the policy library module, classifies them into levels according to attack type and degree of harm as the discrimination strategy specifies, then marks the attack events of these different levels and sends them to the users at each level with the corresponding authority;
(4) Processing procedure
in parallel with step (3), the processing module receives the attack events sent by the analysis module, calls the processing policy from the policy library module, then starts each of its submodules according to the processing policy, and the submodules take the corresponding protective measures for the Inner Network Security Monitor System; when the processing module cannot effectively protect the Inner Network Security Monitor System, step (5) is executed, otherwise steps (2) to (4) continue to be executed;
(5) Trapping procedure
the service interruption submodule in the processing module is started, all other external connections of the Inner Network Security Monitor System are closed, and the honey jar module is started at the same time; the attack is trapped and evidence collected, and the attack events are sent to the policy library module for updating the attack knowledge base.
2. The self-protection GU Generic Unit of an Inner Network Security Monitor System according to claim 1, characterized in that the discrimination module contains a certificate generation submodule and a dynamic password generation submodule, which provide certificate-based dynamic password authentication technology for user identity authentication.
3. the self-protection GU Generic Unit of Inner Network Security Monitor System according to claim 1; it is characterized in that; processing module comprises a submodule of processing top control module and one group and support extensive interface, and described submodule includes but not limited to that system hides submodule, file protect submodule, network protection submodule, Process Protection submodule, security audit submodule, break in service submodule.
4. the self-protection GU Generic Unit of Inner Network Security Monitor System according to claim 1, it is characterized in that, policy library module comprises an attack knowledge base of describing various known attacks, comprising the attribute of attack, policy library module also receives the attack from honey jar module, for described attack knowledge base is upgraded; Policy library module is also included as analysis module, discrimination module, processing module provides the analysis strategy storehouse of corresponding strategy and information, distinguish policy library, processing policy storehouse.
5. the self-protection GU Generic Unit of Inner Network Security Monitor System according to claim 1, it is characterized in that, after honey jar module starts, to policy library module place router timed sending Log backup, for the attack knowledge base of update strategy library module.
6. the self-protection GU Generic Unit of Inner Network Security Monitor System according to claim 1, is characterized in that, the communication data between analysis module, discrimination module, processing module, honey jar module and policy library module adopts symmetric encipherment algorithm.
7. the self-protection GU Generic Unit of Inner Network Security Monitor System according to claim 1, it is characterized in that, connection authentication between analysis module, discrimination module, processing module, honey jar module and policy library module, the authentication that adopts the network communication of standard to connect.
8. the self-protection GU Generic Unit of Inner Network Security Monitor System according to claim 1, is characterized in that, between each module, by sending failure diagnosis packet, detects and between each module, connects abnormal problem.
9. the self-protection GU Generic Unit of Inner Network Security Monitor System according to claim 1, it is characterized in that, in the processing policy that processing module is called, comprise break in service strategy, provided the order of closing Inner Network Security Monitor System various piece and the order that starts Inner Network Security Monitor System various piece.
CN201010048678.9A 2010-06-09 The self-protection GU Generic Unit of Inner Network Security Monitor System Active CN103749001B (en)

Publications (1)

Publication Number Publication Date
CN103749001B true CN103749001B (en) 2012-02-08

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105282176A (en) * 2015-11-16 2016-01-27 上海斐讯数据通信技术有限公司 Data safety system and method under cloud computing environment
CN105681211A (en) * 2015-12-31 2016-06-15 北京安天电子设备有限公司 Traffic recording method and system based on information extraction
CN107454068A (en) * 2017-07-21 2017-12-08 河南工程学院 A kind of sweet net security postures cognitive method of combination Danger Immune theory
CN107577960A (en) * 2017-11-01 2018-01-12 郑州云海信息技术有限公司 File hiding system and method in a kind of Linux system
CN107634959A (en) * 2017-09-30 2018-01-26 北京奇虎科技有限公司 Means of defence, apparatus and system based on automobile
CN107770158A (en) * 2017-09-30 2018-03-06 北京奇虎科技有限公司 Means of defence, apparatus and system based on automobile
CN108777622A (en) * 2018-05-11 2018-11-09 吉林大学 A kind of binary stream hash modulus encrypting and decrypting method
CN110099040A (en) * 2019-03-01 2019-08-06 江苏极元信息技术有限公司 A kind of defence method intercepting Intranet attack source based on a large amount of deployment bait host detections
CN111917769A (en) * 2020-07-30 2020-11-10 中盈优创资讯科技有限公司 Automatic handling method and device of security event and electronic equipment
CN112383517A (en) * 2020-10-30 2021-02-19 杭州安恒信息安全技术有限公司 Hiding method, device and equipment of network connection information and readable storage medium
CN110521179B (en) * 2017-03-22 2022-06-03 Ca公司 System and method for enforcing dynamic network security policies

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101119369A (en) * 2007-08-14 2008-02-06 北京大学 Safety detecting method and system of network data flow
CN101188613A (en) * 2007-12-11 2008-05-28 北京大学 A method for redirecting network attack by combining route with the tunnel

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
孙悦.基于蜜罐技术的入侵检测系统研究.大庆师范学院学报. 2009, 29(3)60-62页. *

Legal Events

Date Code Title Description
GR03 Grant of secret patent right
DC01 Secret patent status has been lifted