CN104811446A - Novel network safety protection system - Google Patents

Publication number
CN104811446A
Authority
CN
China
Prior art keywords
module
software
client
monitoring
cluster
Prior art date
Legal status
Pending
Application number
CN201510187828.7A
Other languages
Chinese (zh)
Inventor
张�诚
冯新
高海波
Current Assignee
Hunan International Economics University
Original Assignee
Hunan International Economics University
Priority date
Filing date
Publication date
Application filed by Hunan International Economics University
Priority to CN201510187828.7A
Publication of CN104811446A

Abstract

The invention discloses a novel network safety protection system. A judgment module judges whether a client in the network has monitoring software installed; a control module allows the client to use resources when the judgment module judges that the client has monitoring software installed; a storage module stores data information of the control module; a power module supplies power to the control module; a monitoring module monitors the software running on clients that the control module has allowed to use the resources; a comparison and judgment module compares the monitored software with a white list and judges whether the monitored software is on the white list; a software control module allows the monitored software to continue running if the comparison and judgment module judges that it is on the white list, and forbids it from running if not.

Description

A novel network safety protection system
Technical field
The invention belongs to the technical field of network security, and in particular relates to a novel network safety protection system.
Background
A white list is a set of trusted software (known good applications) that stores the identity information of the trusted software. By tracking the identity information of application software, only the applications on the white list are allowed to execute, which provides security protection for terminals and the like. The white-list approaches commonly used at present are code signing and large white-list libraries. A code-signing certificate lets a software developer digitally sign the code it develops, so that when the code is released users can be confident that it has not been illegally tampered with and that its source is trustworthy; this protects the integrity of the code and protects users from viruses, malicious code and spyware. A large white-list library instead provides a large amount of white-listed software against which a client checks the trustworthiness of a program. However, both approaches are insufficiently practical and inflexible when applied in an enterprise. In an intranet, the amount of software needed by office, business and other systems is very limited, whereas large white-list libraries and code-signature libraries keep growing, and the entries relevant to a specific enterprise can be counted on one's fingers. An enterprise has to verify the trustworthiness of the software it uses against a huge white-list library that covers all enterprises and individuals, and as the library keeps growing its usability becomes worse and worse. Moreover, the prior art does not mention ensuring that all computers inside the enterprise are brought under white-list monitoring and management, so the effect in practice is poor.
Summary of the invention
The object of the embodiments of the present invention is to provide a novel network safety protection system, intended to solve the problem that the white-list approaches to network security provided by the prior art are impractical and inflexible.
The embodiments of the present invention are realized as follows: a novel network safety protection system comprising a judgment module, a control module, a storage module, a power module, a monitoring module, a comparison and judgment module and a software control module;
The judgment module is used for judging whether a client in the network has monitoring software installed;
The control module is used for allowing the client to use resources when the judgment module judges that the client has monitoring software installed; the storage module is used for storing data information of the control module;
The power module is used for supplying power to the control module;
The monitoring module is used for monitoring the software running on clients that the control module has allowed to use resources;
The comparison and judgment module is used for comparing the monitored software with a white list and judging whether the monitored software is on the white list;
The software control module is used for allowing the monitored software to continue running if the comparison and judgment module judges that it is on the white list, and otherwise forbidding the monitored software from running;
The storage module comprises clients, a work distributor and a storage device;
The work distributor is used for distributing the work of handling client requests, and selects one server in the storage device for the client;
Each server in the storage device comprises:
An embedded system processor, adapted to manage the storage space of a storage unit and to transmit and process control data;
A network interface component, used for interfacing the network with the network storage device; the network interface component comprises a local embedded processor used for transmitting control data to the embedded system processor;
A storage unit management processor, adapted to organize storage data communication and to transmit storage data between the network interface component and the storage unit;
The network interface component comprises a hardware processor implemented in dedicated hardware, used for dedicated hardware processing of the data transmitted between the network and the storage unit, the data comprising a data payload and at least one navigation portion;
The network interface component further comprises a control data interface and a storage data interface; the network interface component is adapted to exchange, through the control data interface, data payloads containing only control data with the embedded system processor, and to exchange, through the storage data interface, data payloads containing only storage data with the storage unit management processor; the storage data interface and the control data interface are completely separated from each other;
The monitoring module is provided with a monitoring host, a display screen and a communication computer system;
The communication computer system comprises: a backup server at the bottom layer, which is connected to the local area network through a core switch; and, at the upper layer and connected to the local area network, a network subnet monitoring server, a note processing server, a gateway server, a database server and a swipe system server;
The monitoring module consists of independently installed submodules for host disk monitoring, database table space monitoring, database process count monitoring, image data monitoring and network subnet monitoring, which respectively monitor the disk space of the host, the processes and table spaces of all network devices, and the connection of each subnet and of key network devices;
Each network subnet monitoring submodule is provided with a database monitoring device, used for: receiving a trigger instruction from a monitoring cluster; sending a first instruction to a load balancing apparatus, the first instruction instructing the load balancing apparatus to detect whether a cluster is available, where whether the cluster is available refers to whether the software agents of the nodes in the cluster exist; receiving a first response message from the load balancing apparatus; if the first response message indicates that the cluster is available, scanning each node in the cluster and determining whether each node is available, where whether a node is available refers to whether the software agent of that node exists; and, if there is an unavailable node, generating a node alarm message and sending it to the monitoring cluster, the node alarm message indicating the unavailable node.
Further, each client corresponds to a storage area of the storage device, and this storage area is used for storing the resource data of that client;
When one client needs to transmit data to another client, the client sends an instruction through the work distributor to one server in the storage device;
According to the instruction, the server copies the data that the client needs to transmit and adds it to the data storage area corresponding to the other client;
The other client obtains the data by accessing the storage area through the server;
When a client modifies data, if the size of the log file that records the operation used for the modification, the position where the modification occurred and the modified content exceeds a threshold, full copying is used: the whole modified file is transferred to the server and overwrites the original file; otherwise, the log file is transferred to the server, and the server modifies the data by incremental replication according to the log file.
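The threshold rule in the preceding paragraph, as an added Python example that is not part of the patent. The JSON log layout (one replace operation with a position, a deleted length and the new bytes), the 64-byte threshold and all function names are assumptions made for illustration; the server validates the log against its stored copy before applying it.

```python
import json

LOG_THRESHOLD = 64  # bytes; assumed value, the patent only says "a threshold"


def make_log(old: bytes, new: bytes) -> bytes:
    """Build a log entry: operation, position of the change, new content."""
    limit = min(len(old), len(new))
    prefix = 0
    while prefix < limit and old[prefix] == new[prefix]:
        prefix += 1
    suffix = 0
    while (suffix < limit - prefix
           and old[len(old) - 1 - suffix] == new[len(new) - 1 - suffix]):
        suffix += 1
    entry = {
        "op": "replace",
        "pos": prefix,
        "del": len(old) - prefix - suffix,
        "data": new[prefix:len(new) - suffix].hex(),
    }
    return json.dumps(entry).encode()


def plan_sync(old: bytes, new: bytes, threshold: int = LOG_THRESHOLD):
    """Client side: send the log if it is small, otherwise the whole file."""
    log = make_log(old, new)
    if len(log) > threshold:
        return "full", new          # full copy overwrites the original
    return "incremental", log       # server replays the log


def apply_sync(stored: bytes, mode: str, payload: bytes) -> bytes:
    """Server side: overwrite, or apply the log after bounds checks."""
    if mode == "full":
        return payload
    if mode != "incremental":
        raise ValueError("unknown sync mode")
    entry = json.loads(payload)
    if entry.get("op") != "replace":
        raise ValueError("unsupported log operation")
    pos, removed = entry["pos"], entry["del"]
    # Reject a log that does not fit the copy the server actually holds.
    if not (0 <= pos <= len(stored) and 0 <= removed <= len(stored) - pos):
        raise ValueError("log does not match stored file")
    return stored[:pos] + bytes.fromhex(entry["data"]) + stored[pos + removed:]


if __name__ == "__main__":
    original = b"A" * 1000                                # constructed sample
    small_edit = original[:500] + b"B" + original[501:]
    large_edit = original[:100] + b"C" * 200 + original[300:]
    for edited in (small_edit, large_edit):
        mode, payload = plan_sync(original, edited)
        assert apply_sync(original, mode, payload) == edited
        print(mode, len(payload), "bytes sent")
```
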
Further, the novel network safety protection system also comprises a white list download module, a solar obligation control module, a verification judgment module and a white list updating module;
The white list download module is used for downloading a custom white list to the client in advance through the network;
The solar obligation control module is used for, if the judgment module judges that the client has not installed monitoring software, forbidding the client from using resources or redirecting the client to a repair zone, where mandatory installation of the monitoring software is carried out;
The verification judgment module is used for, when the comparison and judgment module judges that the monitored software is not on the white list, performing safety verification on the monitored software while the software control module forbids it from running, and judging whether the monitored software is safe software.
The white list updating module is used for saving the monitored software to the custom white list if the verification judgment module judges that it is safe software.
Further, each network subnet monitoring submodule of the monitoring module also comprises a monitoring cluster and an authentication module;
The monitoring cluster is used for sending the trigger instruction to the database monitoring device, so that the database monitoring device sends the first instruction to the load balancing apparatus, the first instruction instructing the load balancing apparatus to detect whether the cluster is available, where whether the cluster is available refers to whether the software agents of the nodes in the cluster exist; the database monitoring device receives the first response message from the load balancing apparatus; if the first response message indicates that the cluster is available, the database monitoring device scans each node in the cluster and determines whether each node is available, where whether a node is available refers to whether the software agent of that node exists; if the cluster is unavailable, the monitoring cluster receives a cluster alarm message sent by the database monitoring device, the cluster alarm message indicating that the cluster is unavailable; if there is an unavailable node, the monitoring cluster receives the node alarm message sent by the database monitoring device, the node alarm message indicating the unavailable node;
The authentication module comprises a user terminal located at the client, a back-end system located at the remote verification end, and a front-end system connected to the back-end system. The user terminal includes a smart card that contains pre-stored user credential information; the smart card holds a paired private key and a public key issued in advance to the back-end system, and consists mainly of a first central processing module, a user self-start module, a first encryption/decryption module, a first modulation/demodulation module and a first audio processing module; the user self-start module, the first encryption/decryption module and the first modulation/demodulation module are each communicatively connected to the first central processing module, and the first audio processing module is communicatively connected to the first modulation/demodulation module; the front-end system consists mainly of a second audio processing module, a second central processing module, a second modulation/demodulation module and a second encryption/decryption module;
The second audio processing module is communicatively connected to the second modulation/demodulation module, and the second modulation/demodulation module and the second encryption/decryption module are each communicatively connected to the second central processing module.
In the embodiments of the present invention, it is judged whether a client in the network has monitoring software installed; if so, the client is allowed to use resources and the software running on the client is monitored; the monitored software is compared with the white list to judge whether it is on the white list; if the monitored software is on the white list it is allowed to continue running, and otherwise it is forbidden from running, so that intranet security is protected through access control and a custom white list.
Brief description of the drawings
Fig. 1 is a structural schematic diagram of the novel network safety protection system provided by the embodiments of the present invention.
In the figure: 1, judgment module; 2, control module; 3, storage module; 4, power module; 5, monitoring module; 5-1, monitoring host; 5-2, display screen; 6, comparison and judgment module; 7, software control module; 8, white list download module; 9, solar obligation control module; 10, verification judgment module; 11, white list updating module.
Detailed description of the embodiments
In order to make the object, technical solution and advantages of the present invention clearer, the present invention is further described below with reference to embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit it.
The application principle of the present invention is further described below with reference to the drawings and specific embodiments.
Refer to Fig. 1:
A novel network safety protection system comprises a judgment module 1, a control module 2, a storage module 3, a power module 4, a monitoring module 5, a comparison and judgment module 6 and a software control module 7. In the embodiments of the present invention, a custom white list is established in advance; this white list can be customized according to the characteristics of the computer network. The custom white list can be established on the server and then downloaded to the client after the client is allowed to use resources; it can also be established on the client. The judgment module 1 is used for judging whether a client in the network has monitoring software installed; the control module 2 is used for allowing the client to use resources when the judgment module 1 judges that the client has monitoring software installed; the storage module 3 is used for storing data information of the control module 2; the power module 4 is used for supplying power to the control module 2; the monitoring module 5 is used for monitoring the software running on clients that the control module 2 has allowed to use resources; the comparison and judgment module 6 is used for comparing the monitored software with the white list and judging whether the monitored software is on the white list; the software control module 7 is used for allowing the monitored software to continue running if the comparison and judgment module 6 judges that it is on the white list, and otherwise forbidding the monitored software from running;
The network safety protection system also comprises a white list download module 8, used for downloading the custom white list to the client in advance through the network.
The network safety protection system also comprises a solar obligation control module 9, used for, if the judgment module 1 judges that the client has not installed monitoring software, forbidding the client from using resources or redirecting the client to a repair zone, where mandatory installation of the monitoring software is carried out.
The network safety protection system also comprises a verification judgment module 10, used for, when the comparison and judgment module 6 judges that the monitored software is not on the white list, performing safety verification on the monitored software while the software control module 7 forbids it from running, and judging whether the monitored software is safe software.
The network safety protection system also comprises a white list updating module 11, used for saving the monitored software to the custom white list if the verification judgment module 10 judges that it is safe software.
In the embodiments of the present invention, a custom white list is established in advance. This white list can be customized according to the characteristics of the computer network, and the safe software on it is the limited set of safe software used in that computer network. The process of establishing the custom white list can be distributed or centralized. The custom white list can be established on the server and downloaded to the client after the client is allowed to use resources; it can also be established on the client, in which case no download is needed and it is used directly for comparison; this is not intended to limit the present invention. In the present invention the judgment module 1 judges whether a client in the network has monitoring software installed; if the judgment module 1 judges that the client has monitoring software installed, the control module 2 allows the client to use resources; the monitoring module 5 monitors the software running on clients that the control module 2 has allowed to use resources; if the judgment module 1 judges that the client has not installed monitoring software, the solar obligation control module 9 forbids the client from using resources or redirects it to the repair zone, where mandatory installation of the monitoring software is carried out; the comparison and judgment module 6 compares the monitored software with the white list and judges whether it is on the white list; if so, the software control module 7 allows the monitored software to continue running, and otherwise forbids it from running.
In the embodiments of the present invention, when the comparison and judgment module 6 judges that the monitored software is not on the white list, the verification judgment module 10 performs safety verification on the monitored software while the software control module 7 forbids it from running, and judges whether it is safe software. If the verification judgment module 10 judges that the monitored software is safe software, the white list download module 8 downloads the custom white list, established in advance, to the client through the network, and the white list updating module 11 saves the monitored software to the custom white list, thereby updating the white list. The verification judgment module 10 and the white list updating module 11 can be built into the client or into the server side; this is not intended to limit the present invention.
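The admission and white-list flow of the two preceding paragraphs, as an added Python example that is not code from the patent. It assumes that a program's identity is the SHA-256 digest of its image and that the safety verification is a caller-supplied function; the patent specifies neither, and all class and function names are hypothetical.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Iterable, Set


class Admission(Enum):
    ALLOW = "allow"          # control module: client may use resources
    REMEDIATE = "remediate"  # no monitoring software: blocked / repair zone


class Verdict(Enum):
    RUN = "run"                # on the white list: keeps running
    BLOCKED = "blocked"        # not listed and failed safety verification
    BLOCKED_LISTED = "listed"  # blocked this time, verified safe, now listed


def identity(image: bytes) -> str:
    """Assumption: software identity is the SHA-256 of its image."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class Client:
    name: str
    has_monitor: bool                 # monitoring software installed?
    admitted: bool = False
    whitelist: Set[str] = field(default_factory=set)


class ProtectionSystem:
    def __init__(self, custom_whitelist: Iterable[str],
                 verifier: Callable[[bytes], bool]):
        self.custom_whitelist = set(custom_whitelist)
        self.verifier = verifier      # stands in for the safety verification

    def admit(self, client: Client) -> Admission:
        # Judgment module: is the monitoring software present?
        if not client.has_monitor:
            client.admitted = False
            return Admission.REMEDIATE
        # White list download module: push the custom list to the client.
        client.whitelist = set(self.custom_whitelist)
        client.admitted = True
        return Admission.ALLOW

    def on_software_seen(self, client: Client, image: bytes) -> Verdict:
        if not client.admitted:
            raise PermissionError(f"{client.name} has not been admitted")
        digest = identity(image)
        # Comparison and judgment module.
        if digest in client.whitelist:
            return Verdict.RUN
        # Not listed: this launch is forbidden whatever verification says.
        if self.verifier(image):
            # White list updating module, then refresh the client's copy.
            self.custom_whitelist.add(digest)
            client.whitelist = set(self.custom_whitelist)
            return Verdict.BLOCKED_LISTED
        return Verdict.BLOCKED


def demo():
    # Constructed sample images standing in for executables.
    office, erp, unknown = b"office-suite", b"erp-client", b"unreviewed-tool"
    reviewed_safe = {identity(erp)}   # assumed outcome of a manual review
    system = ProtectionSystem({identity(office)},
                              lambda img: identity(img) in reviewed_safe)
    managed = Client("pc-01", has_monitor=True)
    unmanaged = Client("pc-02", has_monitor=False)
    return [
        system.admit(unmanaged),                    # no agent: repair zone
        system.admit(managed),
        system.on_software_seen(managed, office),   # already listed
        system.on_software_seen(managed, erp),      # blocked, then listed
        system.on_software_seen(managed, erp),      # second launch runs
        system.on_software_seen(managed, unknown),  # stays blocked
    ]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The first launch of unlisted software is always forbidden; only a later launch benefits from the updated list, which matches the order the description gives.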
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (4)

1. A novel network safety protection system, characterized in that the system comprises a judgment module, a control module, a storage module, a power module, a monitoring module, a comparison and judgment module and a software control module;
the judgment module is used for judging whether a client in the network has monitoring software installed;
the control module is used for allowing the client to use resources if the judgment module judges that the client has monitoring software installed; the storage module is used for storing data information of the control module;
the power module is used for supplying power to the control module;
the monitoring module is used for monitoring the software running on the client that the control module has allowed to use resources;
the comparison and judgment module is used for comparing the monitored software with a white list and judging whether the monitored software is on the white list;
the software control module is used for allowing the monitored software to continue running if the comparison and judgment module judges that the monitored software is on the white list, and otherwise forbidding the monitored software from running;
the storage module comprises a client, a work dispenser and a storage device;
the work dispenser is used for handling the allocation of work for client requests and selecting a server in the storage device for the client;
each server in the storage device comprises:
an embedded system processor, suitable for managing the storage space of a storage unit and for transmitting and processing control data;
a network interface component, for interfacing the network with the network storage device, the network interface component comprising a local embedded processor for transmitting control data to the embedded system processor;
a storage unit management processor, suitable for organizing storage data communication and for transmitting storage data between the network interface component and the storage unit;
the network interface component comprises a hardware processor implemented in dedicated hardware, for carrying out dedicated hardware processing on the data transmitted between the network and the storage unit, the data comprising a data payload and at least one navigation portion;
the network interface component further comprises a control data interface and a storage data interface; the network interface component is suitable for exchanging, through the control data interface, data payloads containing only control data with the embedded system processor, and for exchanging, through the storage data interface, data payloads containing only storage data with the storage unit management processor; the storage data interface and the control data interface are completely separated from each other;
the monitoring module is provided with a monitoring host, a display screen and a communication computer system;
the communication computer system comprises: a backup server located at the bottom layer, connected to the local area network through a core switch; and, located at the upper layer and connected to the local area network, a network subnet monitoring server, a note processing server, a gateway server, a database server and a swipe system server;
the monitoring module consists of independently installed submodules for host disk monitoring, database table space monitoring, database process count monitoring, image data monitoring and network subnet monitoring, which respectively monitor the disk space of the hosts, monitor the processes and table space of the overall network devices, and monitor the connections between each subnet and critical network devices;
each network subnet monitoring submodule is provided with a database monitoring device, used for: receiving a trigger instruction from a monitoring cluster; sending a first instruction to a load balancing device, the first instruction instructing the load balancing device to detect whether a cluster is available, where whether the cluster is available refers to whether the software agent of each node in the cluster exists; receiving a first response message from the load balancing device; if the first response message indicates that the cluster is available, scanning each node in the cluster and determining whether each node in the cluster is available, where whether a node is available refers to whether the software agent of that node exists; and, if there is an unavailable node, generating a node warning message and sending it to the monitoring cluster, the node warning message indicating the unavailable node.
2. The novel network safety protection system as claimed in claim 1, characterized in that the storage device has a storage area corresponding to each client, the storage area being used for storing the resource data of that client;
when one client needs to transmit data to another client, the client sends an instruction through the work dispenser to a server in the storage device;
according to the instruction, the server copies the data that the client needs to transmit and adds it to the data storage area corresponding to the other client;
the other client obtains the data by accessing the storage area through the server;
when a client modifies data, if the size of the log file recording the operation used for the modification, the position where the modification occurs and the content of the modification exceeds a threshold, full copying is used: the whole modified file is transmitted to the server and overwrites the original file; otherwise, the log file is transmitted to the server, and the server modifies the data by incremental replication according to the log file.
3. The novel network safety protection system as claimed in claim 1, characterized in that the system further comprises a white list download module, a forced-installation control module, a verification judgment module and a white list updating module;
the white list download module is used for downloading the self-defined white list to the client over the network in advance;
the forced-installation control module is used for forbidding the client from using resources, or redirecting the client to a repair area where the monitoring software is forcibly installed, if the judgment module judges that the client does not have monitoring software installed;
the verification judgment module is used for carrying out safety verification on the monitored software and judging whether the monitored software is safe software, when the comparison and judgment module judges that the monitored software is not on the white list and while the software control module forbids the monitored software from running;
the white list updating module is used for saving the monitored software into the self-defined white list if the verification judgment module judges that the monitored software is safe software.
4. The novel network safety protection system as claimed in claim 1, characterized in that each network subnet monitoring submodule of the monitoring module further comprises a monitoring cluster and an authentication module;
the monitoring cluster is used for sending a trigger instruction to the database monitoring device, so that the database monitoring device sends a first instruction to the load balancing device, the first instruction instructing the load balancing device to detect whether the cluster is available, where whether the cluster is available refers to whether the software agent of each node in the cluster exists; the database monitoring device receives a first response message from the load balancing device; if the first response message indicates that the cluster is available, the database monitoring device scans each node in the cluster and determines whether each node in the cluster is available, where whether a node is available refers to whether the software agent of that node exists; if the cluster is unavailable, the monitoring cluster receives a cluster warning message sent by the database monitoring device, the cluster warning message indicating that the cluster is unavailable; if there is an unavailable node, the monitoring cluster receives a node warning message sent by the database monitoring device, the node warning message indicating the unavailable node;
the authentication module comprises a user terminal located at the client, a back-end system located at the remote verification end, and a front-end system connected to the back-end system; the user terminal includes a smart card containing user credential information stored in advance; the smart card holds in advance a paired private key and a public key issued to the back-end system, and consists mainly of a first central processing module, a user self-start module, a first encryption/decryption module, a first modulation/demodulation module and a first audio processing module; the user self-start module, the first encryption/decryption module and the first modulation/demodulation module are each communicatively connected with the first central processing module, and the first audio processing module and the first modulation/demodulation module are communicatively connected with each other; the front-end system consists mainly of a second audio processing module, a second central processing module, a second modulation/demodulation module and a second encryption/decryption module;
the second audio processing module and the second modulation/demodulation module are communicatively connected with each other, and the second modulation/demodulation module and the second encryption/decryption module are each communicatively connected with the second central processing module.
CN201510187828.7A 2015-04-18 2015-04-18 Novel network safety protection system Pending CN104811446A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510187828.7A CN104811446A (en) 2015-04-18 2015-04-18 Novel network safety protection system

Publications (1)

Publication Number Publication Date
CN104811446A true CN104811446A (en) 2015-07-29

Family

ID=53695940

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510187828.7A Pending CN104811446A (en) 2015-04-18 2015-04-18 Novel network safety protection system

Country Status (1)

Country Link
CN (1) CN104811446A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105662457A (en) * 2016-03-22 2016-06-15 宁波元鼎电子科技有限公司 Intelligent echometer
CN107438082A (en) * 2017-09-04 2017-12-05 安徽爱她有果电子商务有限公司 A kind of network safety system based on intranet and extranet separation

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101043519A (en) * 2006-03-21 2007-09-26 汤淼 Network storage system
CN101075930A (en) * 2006-05-16 2007-11-21 汤姆森许可贸易公司 Network storage device
CN101106492A (en) * 2007-08-08 2008-01-16 中国移动通信集团福建有限公司 Communication computer monitoring system
CN101923609A (en) * 2009-06-09 2010-12-22 深圳市联软科技有限公司 Computer network security protection method and system
CN102412970A (en) * 2011-11-28 2012-04-11 宁波桔槐电子科技有限公司 Pervasive-network-oriented remote identity authentication system and method
US20130268753A1 (en) * 2012-04-04 2013-10-10 Lockheed Martin Corporation Anti-tamper device, system, method, and computer-readable medium
CN103746837A (en) * 2013-12-27 2014-04-23 乐视网信息技术(北京)股份有限公司 Database monitoring method, database monitoring device and system

Similar Documents

Publication Publication Date Title
US7788366B2 (en) Centralized network control
US9602474B2 (en) Controlling mobile device access to secure data
US8843739B2 (en) Anti-tamper device, system, method, and computer-readable medium
CN101317417B (en) Network access control for many-core systems
CN100349087C (en) System and method of multiple-level control of electronic devices
CN111406260B (en) Object storage system with secure object replication
CN104320389A (en) Fusion identify protection system and fusion identify protection method based on cloud computing
US8090946B2 (en) Inter-system binding method and application based on hardware security unit
CN104869175A (en) Cross-platform account resource sharing implementation method, device and system
US10404472B2 (en) Systems and methods for enabling trusted communications between entities
CN114553540B (en) Zero trust-based Internet of things system, data access method, device and medium
CN104615916A (en) Account management method and device and account permission control method and device
CN112448957B (en) Network isolation method, device, system, server side and readable storage medium
US20230289463A1 (en) Secure cross-device direct transient data sharing
CN104079568A (en) Method and system for preventing file leakage based on cloud storage technology
CN103646198A (en) Method, system and device for locking working region of mobile terminal
WO2024021703A1 (en) Server control method, server, and storage medium
US11683172B2 (en) Distributed secure communication system
CN104811446A (en) Novel network safety protection system
CN109040225A (en) A kind of dynamic port desktop access management method and system
CN102822840B (en) Use management system and use management method
CN112437031A (en) Multi-terminal converged homeland resource mobile government system based on heterogeneous network
CN105279455A (en) Security architecture of mobile device and running method of application
CN104580314A (en) Data isolation method and device for cloud computing system as well as terminal
CN105516967A (en) Trusted environment creating method and device and base station abnormity handling method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20150729
