CN104580087A - Immune network system - Google Patents

Immune network system

Info

Publication number
CN104580087A
Authority
CN
China
Prior art keywords
network
immune
attack
flow
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201310493140.2A
Other languages
Chinese (zh)
Inventor
张飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NINGXIA XINHANG INFORMATION TECHNOLOGY Co Ltd
Original Assignee
NINGXIA XINHANG INFORMATION TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention belongs to the Internet field and provides an immune network system. The immune network system comprises a transparent firewall, an intelligent patrol device and an emergency device. The transparent firewall analyzes present network scanning techniques, extracts universal scanning features and uses them as filtering rules; the intelligent patrol device audits and monitors traffic entering the network, proposes handling suggestions for abnormal traffic, communicates with the host generating the abnormal traffic, extracts attack fingerprint features and saves them in an immune feature library; the emergency device provides an emergency channel for detected damaged intranet nodes and reminds the user, after finishing work, to restore the damaged nodes to the safe state they had before the attack. According to the invention, network traffic is monitored and audited to keep the network in a good state, unknown intrusion behaviour is analyzed and memorized to improve the network's immunity, the range of damage can be effectively controlled after an intrusion so that network connectivity and normal service provision are guaranteed, and the system has autonomous remediation and restoration capabilities and can comprehensively maintain stable network operation.

Description

Immune network system
Technical field
The invention belongs to the Internet field and in particular relates to an immune network system.
Background technology
Information security problems pervade the social economy, military technology, national security, intellectual property, trade secrets and even personal privacy. Network security has always been a key research issue in computer networks and their applications, but traditional network security theory and technology have three defects that cannot be overcome. First, centrally controlled methods are inadequate for today's distributed network environments. Second, networks are homogeneous, so suspicious intruders and viruses cannot be stopped from spreading widely and rapidly. Third, current network threats change rapidly, and the static and passive nature of traditional network security theory and technology cannot adapt to a harsh and changeable network environment.
At present, surveying research at home and abroad, research on biological survivability is still mainly at the theoretical stage, and improves a system's survivability by continuously absorbing fault tolerance, intrusion tolerance, reconfiguration or redundancy capabilities. In these solutions, however, the detection of attacks and anomalies and the execution of assessment and reconfiguration all require manual intervention, with varying degrees of delay. The enhancement of the automated response, recovery and evolution capabilities of a survivable network system has not been addressed.
Summary of the invention
The embodiment of the present invention provides an immune network system, intended to solve the problem in the prior art that the intrusion of suspicious programs and the rapid spread of viruses cannot be stopped.
The embodiment of the present invention is achieved as follows: an immune network system, the system comprising:
a transparent firewall, for analyzing existing network scanning techniques, extracting universal scanning features and using them as filtering rules for filtering;
an intelligent patrol device, for auditing and monitoring traffic entering the network, proposing handling suggestions for abnormal traffic, communicating with the host generating the abnormal traffic, extracting attack fingerprint features and storing them in an immune feature library; and
an emergency device, for providing an emergency channel for the damaged intranet node detected by the intelligent patrol device, and prompting the user, after the user's work is completed, to restore the damaged node to the safe state it had before the attack.
The embodiment of the present invention monitors and audits network traffic to keep the network in a good state, analyzes and memorizes unknown intrusion behaviour to improve the network's immunity, effectively controls the range of damage after an intrusion so as to guarantee network connectivity and the normal provision of services, and possesses autonomous repair and restoration capabilities that keep network operation stable.
Brief description of the drawings
Fig. 1 is a structural diagram of the immune network system provided by the embodiment of the present invention;
Fig. 2 is a structural diagram of the intelligent patrol device provided by the embodiment of the present invention.
Detailed description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is further elaborated below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present invention and not to limit it.
Through close cooperation between the modules, the embodiment of the present invention effectively fills the gap between existing security product systems and avoids the situation in which traditional network security products each fight alone.
Fig. 1 is a structural diagram of the immune network system provided by the embodiment of the present invention; the details are as follows:
The transparent firewall 11 analyzes existing network scanning techniques, extracts universal scanning features and uses them as filtering rules for filtering.
In the embodiment of the present invention, the transparent firewall operates between the protected internal network and all other external networks; it is the bridge through which all exchange of information between inside and outside must pass. It is configured without an IP address, so neither the internal nor the external network can discover the firewall's existence in the network topology, which effectively guarantees its own safety and achieves transparency toward both networks.
In the embodiment of the present invention, the transparent firewall also prevents scanning from the external network. The basic steps of a current network attack are: scan ports, determine which services are open, determine the operating system of the intrusion target, and select an intrusion method according to the open services. It can be seen that, in order to learn which services in the target system can be accessed and attacked, the initial stage of an intrusion is often blind, and port scanning is usually the prelude to an attack. Throughout the system, the main purpose of the firewall is to prevent scanning from the external network, so that attackers outside the network cannot obtain correct information about the hosts inside it, thereby isolating most attacks coming from the external network.
The intelligent patrol device 12 audits and monitors traffic entering the network, proposes handling suggestions for abnormal traffic, communicates with the host generating the abnormal traffic, extracts attack fingerprint features and stores them in the immune feature library.
In the embodiment of the present invention, the intelligent patrol device is the second line of defence of the network immune system, and plays a role similar to that of the second line of defence in human immunity.
The emergency device 13 provides an emergency channel for the damaged intranet node detected by the intelligent patrol device 12, and prompts the user, after the user's work is completed, to restore the damaged node to the safe state it had before the attack.
In the embodiment of the present invention, the emergency device 13 comprises an emergency unit and a restoration unit, wherein:
The emergency unit prompts the user of the compromised host and temporarily moves the user's working environment to the emergency channel. Through the emergency channel the user can continue to enjoy normal network services and other system services, and continue their own work in a brand-new secure environment, without having to interrupt their work to deal with the security problem immediately. While the emergency channel is in use, all processes other than the emergency channel's own process cannot access the network, which stops the attack and protects the security of the network as a whole.
The restoration unit, when the user finishes work and leaves the computer, prompts the user that a potential safety hazard exists, suggests an accurate restoration time, and helps the user choose to restore the computer to the safe state it had before the intrusion.
Fig. 2 shows a structural diagram of the intelligent patrol device provided by the embodiment of the present invention; the details are as follows:
In the embodiment of the present invention, the intelligent patrol device 12 comprises a patrol monitoring unit 21 and an immune isolation unit 22, wherein:
The patrol monitoring unit 21 audits and monitors traffic entering the network, proposes handling suggestions for abnormal traffic, and guides and redirects it to the immune isolation unit.
Because the concurrent traffic of the intranet may be very large, the patrol monitoring unit of the system in the embodiment of the present invention monitors only a small number of intranet hosts at any one time, patrolling them in turn. This is a trade-off between security and efficiency: it ensures both the normal provision of the patrol service and the stability and security of the server itself, while making full use of the server's performance.
In the embodiment of the present invention, the patrol monitoring unit 21 specifically comprises an immune feature matching module 211, a port audit module 212, a traffic statistics module 213 and a traffic anomaly evaluation module 214, wherein:
The immune feature matching module 211 calculates the immune feature fingerprint of the monitored host's communication packets and compares it with the records in the immune feature library.
The embodiment of the present invention calculates the immune feature fingerprint of the monitored host's communication packets and compares it with the records in the immune feature library. If an entry with a matching fingerprint exists, the current packet is further compared byte by byte with the packet recorded in the immune feature library; if the message content matches completely, the current packet is regarded as an attack packet, the host currently being patrolled is identified as threatened, and the user is prompted to connect to the emergency device 13.
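As an added illustration of the two-stage match just described (not code from the patent), the following Python sketch looks up a packet's fingerprint in an immune feature library and confirms a hit byte by byte. The fingerprint function (SHA-256 over the length and the first 16 bytes), the class and function names and the sample packets are all assumptions, chosen so that a look-alike packet shares a fingerprint with a recorded attack but fails the full comparison.

```python
import hashlib

def immune_fingerprint(payload: bytes) -> bytes:
    """First-stage fingerprint. The patent does not name the function; this
    assumed one hashes only the length and the first 16 bytes so that the lookup
    is cheap, which is exactly why the second byte-by-byte stage is needed."""
    h = hashlib.sha256()
    h.update(len(payload).to_bytes(4, "big"))
    h.update(payload[:16])
    return h.digest()

def bytes_equal(a: bytes, b: bytes) -> bool:
    """Explicit byte-by-byte comparison; differing lengths can never match."""
    if len(a) != len(b):
        return False
    return all(x == y for x, y in zip(a, b))

class ImmuneFeatureLibrary:
    """Immune feature library: fingerprint -> recorded attack packets sharing it."""

    def __init__(self) -> None:
        self._entries = {}

    def add(self, attack_packet: bytes) -> None:
        self._entries.setdefault(immune_fingerprint(attack_packet), []).append(attack_packet)

    def is_attack_packet(self, packet: bytes) -> bool:
        """Stage 1: fingerprint lookup. Stage 2: full comparison against each candidate."""
        candidates = self._entries.get(immune_fingerprint(packet), [])
        return any(bytes_equal(packet, recorded) for recorded in candidates)

def patrol_host(packets: list, library: ImmuneFeatureLibrary) -> dict:
    """Inspect the packets of one patrolled host and return the patrol verdict."""
    hits = [i for i, packet in enumerate(packets) if library.is_attack_packet(packet)]
    return {
        "threatened": bool(hits),
        "attack_packet_indexes": hits,
        "suggestion": "prompt user to connect the emergency device" if hits else "continue patrol",
    }

# Constructed sample data: a recorded attack packet, a benign packet, and a look-alike
# that shares the recorded packet's length and first 16 bytes but differs afterwards.
RECORDED_ATTACK = b"EXPLOIT-PROBE-0001 " + b"A" * 40
LOOKALIKE = b"EXPLOIT-PROBE-0001 " + b"B" * 40
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"
SAMPLE_PACKETS = [BENIGN, RECORDED_ATTACK, LOOKALIKE]

def demo() -> dict:
    """Load the library with the recorded attack and patrol the sample packets."""
    library = ImmuneFeatureLibrary()
    library.add(RECORDED_ATTACK)
    return patrol_host(SAMPLE_PACKETS, library)

if __name__ == "__main__":
    print(demo())
```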
The port audit module 212 selects the elements of communication connections that relate to services for comprehensive analysis, and provides detailed and accurate reports for maintenance and research.
The embodiment of the present invention selects five elements of communication connections that relate to services for comprehensive analysis, and provides detailed and accurate reports for the administrator's maintenance and research. The five elements are IP, Port, Service, Product and Version, which describe the host's IP address, the open port, the service provided on the port, the application software used and its version number; for example, the information of one side of a connection is recorded in the audit list as 127.0.0.1:80:http:apache:2.2.17.
The traffic statistics module 213 uses raw packet header information to compile traffic statistics. Statistics are kept per external connection of the host: the IP addresses and port numbers of both communicating parties are extracted as characteristic information and fed into a hash function, hash collisions are resolved with a step-length multiplication algorithm, and the aggregate traffic of the connection the packet belongs to is updated with the message length field value from the packet header.
Traffic monitoring is the basis and prerequisite of network security and network management; being able to identify, analyze and count the various kinds of traffic accurately is of great significance for intrusion detection and for understanding the health of the network. The traffic statistics unit in the embodiment of the present invention counts the traffic of the patrolled object on the one hand in two classes, uplink traffic and downlink traffic, and on the other hand classifies it by common application-layer protocols versus non-protocol traffic.
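The per-connection statistics of this module, as an added example that is not the patent's own code: it parses the addresses, ports and total-length field from a constructed IPv4/TCP header, keys an open-addressing table on the oriented 4-tuple, resolves collisions by probing at multiples of a key-derived step (our reading of "step-length multiplication"), and reports totals by direction and by application protocol. The intranet prefix, the port-to-protocol map, the table size and the sample packets are assumptions.

```python
import struct
import zlib

TABLE_SIZE = 61                 # prime, so every probe step visits every slot
INTRANET_PREFIX = "10.0."       # constructed: the patrolled hosts live in 10.0.x.x
APP_PORTS = {80: "http", 443: "https", 22: "ssh", 53: "dns"}  # assumed port-to-protocol map

def make_packet(src, sport, dst, dport, payload_len, proto=6):
    """Constructed IPv4 header (no options) plus the port fields of a 20-byte transport header."""
    total_len = 20 + 20 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + struct.pack("!HH", sport, dport)

def parse_header(raw):
    """Pull the address and port fields and the total-length field out of a raw header."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", raw, 2)[0]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport = struct.unpack_from("!HH", raw, ihl)
    return src, sport, dst, dport, total_len

def connection_key(src, sport, dst, dport):
    """Orient the 4-tuple so the intranet host comes first; also report the direction."""
    if src.startswith(INTRANET_PREFIX):
        return (src, sport, dst, dport), True      # uplink: the intranet host is sending
    return (dst, dport, src, sport), False          # downlink: the intranet host is receiving

class ConnectionTable:
    """Open-addressing hash table keyed by the connection 4-tuple. Collision handling
    follows our reading of 'step-length multiplication': probe i is placed at
    (h + i * step) mod size, with the step derived from the key."""

    def __init__(self, size=TABLE_SIZE):
        self.size = size
        self.keys = [None] * size
        self.stats = [None] * size

    def _slot(self, key):
        packed = repr(key).encode()
        h = zlib.crc32(packed) % self.size
        step = 1 + zlib.crc32(packed[::-1]) % (self.size - 1)
        for i in range(self.size):
            idx = (h + i * step) % self.size
            if self.keys[idx] is None or self.keys[idx] == key:
                return idx
        raise RuntimeError("connection table full")

    def update(self, raw):
        """Account one packet to its connection, split by direction."""
        src, sport, dst, dport, total_len = parse_header(raw)
        key, uplink = connection_key(src, sport, dst, dport)
        idx = self._slot(key)
        if self.keys[idx] is None:
            app = APP_PORTS.get(key[1]) or APP_PORTS.get(key[3]) or "non-protocol"
            self.keys[idx] = key
            self.stats[idx] = {"up": 0, "down": 0, "packets": 0, "app": app}
        entry = self.stats[idx]
        entry["up" if uplink else "down"] += total_len
        entry["packets"] += 1
        return key

    def summary(self):
        """Totals by direction and by application-layer protocol."""
        out = {"connections": 0, "up": 0, "down": 0, "by_app": {}}
        for entry in self.stats:
            if entry is None:
                continue
            out["connections"] += 1
            out["up"] += entry["up"]
            out["down"] += entry["down"]
            total = entry["up"] + entry["down"]
            out["by_app"][entry["app"]] = out["by_app"].get(entry["app"], 0) + total
        return out

def sample_traffic():
    """Constructed traffic: an outbound http exchange and an inbound ssh connection."""
    packets = [
        make_packet("10.0.0.5", 40000, "203.0.113.10", 80, 100),    # request, uplink
        make_packet("203.0.113.10", 80, "10.0.0.5", 40000, 1400),   # response, downlink
        make_packet("203.0.113.10", 80, "10.0.0.5", 40000, 1400),
        make_packet("198.51.100.7", 51000, "10.0.0.5", 22, 60),     # inbound ssh, downlink
    ]
    table = ConnectionTable()
    for packet in packets:
        table.update(packet)
    return table
```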
The traffic anomaly evaluation module 214 establishes a polymorphic-response traffic anomaly evaluation model, selects the most characteristic parameters present when a network attack occurs for quantitative examination, and gives different response and handling suggestions for threats of different degrees.
The embodiment of the present invention establishes a polymorphic-response traffic anomaly evaluation model based on the fuzzy comprehensive evaluation method. It selects the five most characteristic parameters present when a network attack occurs for quantitative examination, abandons the traditional intrusion detection approach based on probability analysis and instead describes the degree to which network behaviour belongs to an intrusion rather than its probability, and, taking the biological survivability of the network as its principle, gives different response and handling suggestions for threats of different degrees.
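An added worked example of the fuzzy comprehensive evaluation described above (not the patent's model; its five parameters are not listed on the page, so the parameter names, value ranges, weights and response thresholds below are assumptions): each parameter is normalised, mapped to a membership row over four grades, combined as B = W · R, and defuzzified into a degree of intrusion that selects the handling suggestion.

```python
GRADES = ("normal", "suspicious", "threat", "severe")
GRADE_CENTRES = (0.0, 1 / 3, 2 / 3, 1.0)   # position of each grade on the [0, 1] axis

# Five characteristic parameters (assumed; the patent does not list them). Each maps a
# raw-value range linearly onto [0, 1] and carries a weight; the weights sum to 1.
PARAMETERS = {
    "new_connections_per_sec": ((0.0, 50.0), 0.20),
    "distinct_dst_ports":      ((0.0, 100.0), 0.25),
    "distinct_dst_hosts":      ((0.0, 50.0), 0.15),
    "failed_connection_ratio": ((0.0, 1.0), 0.20),
    "uplink_downlink_ratio":   ((0.0, 10.0), 0.20),
}

# Graded responses keyed on the degree of intrusion (thresholds assumed).
RESPONSES = (
    (0.25, "continue patrol"),
    (0.50, "raise alert and patrol this host more often"),
    (0.75, "redirect the host's traffic to the immune isolation unit"),
    (float("inf"), "prompt user to connect the emergency device"),
)

def normalise(value: float, lo: float, hi: float) -> float:
    """Clamp a raw measurement onto [0, 1]."""
    return min(1.0, max(0.0, (value - lo) / (hi - lo)))

def membership_row(u: float) -> list:
    """Triangular membership of a normalised value in each grade (the row sums to 1)."""
    width = GRADE_CENTRES[1] - GRADE_CENTRES[0]
    return [max(0.0, 1.0 - abs(u - c) / width) for c in GRADE_CENTRES]

def evaluate(observed: dict) -> dict:
    """Fuzzy comprehensive evaluation: B = W * R with the weighted-average operator,
    then defuzzify B into one degree of intrusion in [0, 1] and pick the response."""
    b = [0.0] * len(GRADES)
    for name, ((lo, hi), weight) in PARAMETERS.items():
        row = membership_row(normalise(observed[name], lo, hi))
        for g, value in enumerate(row):
            b[g] += weight * value
    degree = sum(bg * c for bg, c in zip(b, GRADE_CENTRES))
    suggestion = next(text for limit, text in RESPONSES if degree < limit)
    return {"membership": dict(zip(GRADES, b)), "degree": degree, "suggestion": suggestion}

# Constructed observations: a quiet host, and one opening many connections to many
# ports, which pushes membership in the 'severe' grade upward.
QUIET_HOST = dict.fromkeys(PARAMETERS, 0.0)
SCANNING_HOST = dict(QUIET_HOST, new_connections_per_sec=50.0, distinct_dst_ports=100.0)

if __name__ == "__main__":
    for label, observed in (("quiet", QUIET_HOST), ("scanning", SCANNING_HOST)):
        print(label, evaluate(observed))
```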
The immune isolation unit 22 uses simulated services to communicate with the host generating the abnormal traffic, and extracts attack fingerprint features to enrich the immune feature library.
In the embodiment of the present invention, the immune isolation unit 22 specifically comprises a virtual response module 221, a simulated service module 222, an attack recording module 223 and an intelligent extraction module 224, wherein:
The virtual response module 221 provides virtual responses and corresponding virtual services, so that the opponent continues to attack and attack traffic can be obtained.
In the embodiment of the present invention, traffic in two situations is identified as unknown attack traffic: on the one hand, the communication of hosts that the patrol monitoring unit 21 has identified as posing a higher security threat; on the other hand, communication that actively initiates connections to non-existent IP addresses. For the first kind of communication, the capture engine can redirect the threatening host's communication to the isolation area, which is called guided capture; correspondingly, the second kind, in which a host initiates connection requests to non-existent hosts, is called walking into the net. The capture engine gives false responses and provides corresponding virtual services to lure the opponent into continuing to attack, so that attack traffic is obtained.
The simulated service module 222 executes simulated service scripts to interact with the host whose traffic has been redirected to the immune isolation unit, simulating the interaction process of a normal service so that the threatening host continues to attack.
The embodiment of the present invention executes simulated service scripts to interact with the host whose traffic has been redirected to the immune isolation area, simulating the interaction process of a normal service to lure the threatening host into continuing to attack. Because the immune isolation area does not actually run system services, there is no danger of it being compromised. The realism of the simulated services provided by the system depends on how carefully the scripts are written, so a balance must be struck between realism and efficiency. Even if the simulated service is eventually recognized, it has still delayed the progress of the attack, given the immune system sufficient time for response scheduling, and prevented real harmful behaviour from occurring.
The attack recording module 223 records the communication information between the immune isolation unit and the threatening host and writes it into a database; the communication information comprises the communication time, the IP and port information of both communicating parties, and the attacker's operating system fingerprint information.
If the intelligent extraction module 224 identifies the traffic arriving at the immune isolation unit as dangerous traffic, the system intelligently extracts the attack fingerprint features and stores them in the immune feature library.
The embodiment of the present invention monitors and audits network traffic to keep the network in a good state, analyzes and memorizes unknown intrusion behaviour to improve the network's immunity, effectively controls the range of damage after an intrusion so as to guarantee network connectivity and the normal provision of services, and possesses autonomous repair and restoration capabilities that keep network operation stable.
The above is only a preferred embodiment of the present invention and is not intended to limit it; any modifications, equivalent replacements and improvements made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (6)

1. An immune network system, characterized in that the system comprises:
a transparent firewall, for analyzing existing network scanning techniques, extracting universal scanning features and using them as filtering rules for filtering;
an intelligent patrol device, for auditing and monitoring traffic entering the network, proposing handling suggestions for abnormal traffic, communicating with the host generating the abnormal traffic, extracting attack fingerprint features and storing them in an immune feature library; and
an emergency device, for providing an emergency channel for the damaged intranet node detected by the intelligent patrol device, and prompting the user, after the user's work is completed, to restore the damaged node to the safe state it had before the attack.
2. The system according to claim 1, characterized in that the intelligent patrol device specifically comprises:
a patrol monitoring unit, for auditing and monitoring traffic entering the network, proposing handling suggestions for abnormal traffic, and guiding and redirecting it to the immune isolation unit;
an immune isolation unit, for using simulated services to communicate with the host generating the abnormal traffic, and extracting attack fingerprint features to enrich the immune feature library.
3. The system according to claim 1, characterized in that the emergency device specifically comprises:
an emergency unit, for prompting the user of the compromised host and moving the working environment to the emergency channel to continue working, without having to interrupt work to deal with the security problem;
a restoration unit, for prompting the user, when the user finishes work and leaves the computer, that a potential safety hazard exists, suggesting an accurate restoration time, and helping the user choose to restore the computer to the safe state it had before the intrusion.
4. The system according to claim 2, characterized in that the patrol monitoring unit specifically comprises:
an immune feature matching module, for calculating the immune feature fingerprint of the monitored host's communication packets and comparing it with the records in the immune feature library;
a port audit module, for selecting the elements of communication connections that relate to services for comprehensive analysis, and providing detailed and accurate reports for maintenance and research;
a traffic statistics module, for using raw packet header information to compile traffic statistics, wherein statistics are kept per external connection of the host, the IP addresses and port numbers of both communicating parties are extracted as characteristic information and fed into a hash function, hash collisions are resolved with a step-length multiplication algorithm, and the aggregate traffic of the connection the packet belongs to is updated with the message length field value from the packet header; and
a traffic anomaly evaluation module, for establishing a polymorphic-response traffic anomaly evaluation model, selecting the most characteristic parameters present when a network attack occurs for quantitative examination, and giving different response and handling suggestions for threats of different degrees.
5. The system according to claim 4, characterized in that the elements that relate to services comprise the host's IP address, the open port, the service provided on the port, the application software used and its version number.
6. The system according to claim 2, characterized in that the immune isolation unit specifically comprises:
a virtual response module, for providing virtual responses and corresponding virtual services so that the opponent continues to attack and attack traffic can be obtained;
a simulated service module, for executing simulated service scripts to interact with the host whose traffic has been redirected to the immune isolation unit, simulating the interaction process of a normal service so that the threatening host continues to attack;
an attack recording module, for recording the communication information between the immune isolation unit and the threatening host and writing it into a database, the communication information comprising the communication time, the IP and port information of both communicating parties, and the attacker's operating system fingerprint information; and
an intelligent extraction module, for intelligently extracting the attack fingerprint features and storing them in the immune feature library when the traffic arriving at the immune isolation unit is identified as dangerous traffic.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310493140.2A CN104580087A (en) 2013-10-21 2013-10-21 Immune network system

Publications (1)

Publication Number Publication Date
CN104580087A true CN104580087A (en) 2015-04-29

Family

ID=53095290

Country Status (1)

Country Link
CN (1) CN104580087A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105429987A (en) * 2015-11-25 2016-03-23 西安科技大学 Security system for computer network
CN105847291A (en) * 2016-05-13 2016-08-10 内蒙古工业大学 Computer network defense decision system
CN106209901A (en) * 2016-08-01 2016-12-07 黑河学院 A kind of intelligent computer remote interactive system
CN112398876A (en) * 2021-01-19 2021-02-23 北京智仁智信安全技术有限公司 Network security early warning system of self-adaptation mimicry technique

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009046667A1 (en) * 2007-09-30 2009-04-16 Huawei Technologies Co., Ltd. System, device and method of security management
CN103227798A (en) * 2013-04-23 2013-07-31 西安电子科技大学 Immunological network system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication
Application publication date: 20150429