CN105141519A - Pseudo-network node protection method based on load transformation - Google Patents


Info

Publication number
CN105141519A
Authority
CN
China
Prior art keywords
load
message
network node
load change
transformation
Prior art date
Legal status
Pending
Application number
CN201510440400.9A
Other languages
Chinese (zh)
Inventor
扈红超
邬江兴
陈鸿昶
程国振
郭云飞
王雨
韩伟涛
陈博
Current Assignee
National Digital Switch System Engineering Technology Research Center
Shanghai Redneurons Co Ltd
Original Assignee
Shanghai Redneurons Co Ltd
Priority date
2015-07-24
Filing date
2015-07-24
Publication date
2015-12-09

Abstract

The invention discloses a pseudo-network (mimic) node protection method based on load transformation, and aims to solve the problem of security threats arising while protecting an abnormal router in network communication. The method comprises: step 101, transforming the payload of a message entering a node according to a transformation method set by a load transformation controller; step 102, re-encapsulating the message after the payload transformation; step 103, processing the message inside the node according to its message header; step 104, applying the inverse transformation to the message at the node outlet to recover the payload information; and step 105, re-encapsulating the message whose payload information has been recovered. With this method a reversible transformation is applied to the payload, so a security backdoor start instruction hidden in the message payload is eliminated and a network node with security defects is protected. Moreover, the load transformation method can be selected dynamically according to a management strategy, so that an external attacker finds it difficult to predict the message payload transformation method the system is using.

Description

Mimic network node protection method based on load transformation
Technical field
The invention relates to a network communication method, and in particular to a mimic network node protection method based on load (payload) transformation.
Background technology
With the development of the Internet, the processing capability of core routers grows by leaps and bounds, routing systems become more and more complex, and routing software is made up of many thousands of lines of code, which inevitably contain a large number of vulnerabilities and backdoors; such a router is called a "diseased" router. Once a malicious attacker has discovered these backdoors or vulnerabilities, a single instruction message can trigger them and even take control of the router. Traditional network node protection measures therefore cannot detect such security threats lurking inside the router, and a protection method that works for routers with unknown security defects is urgently needed.
Summary of the invention
The invention overcomes the problem in the prior art that the protection of an abnormal router in network communication is exposed to security threats, and provides a mimic network node protection method based on load transformation with high security performance.
The technical solution of the invention is a mimic network node protection method based on load transformation comprising the following steps:
Step 101: the payload of a message entering the node is transformed according to the transformation method set by the load transformation controller;
Step 102: the message whose payload has been transformed is re-encapsulated;
Step 103: the message is processed inside the node according to its header;
Step 104: the inverse transformation is applied to the message at the node exit, recovering the payload information;
Step 105: the message whose payload information has been recovered is re-encapsulated.
The load transformation controller can be configured either by manually specifying the load transformation method or by selecting a load transformation method at random according to a probability.
The transformation method comprises encrypting or scrambling the payload and other invertible transformations of the data.
The encapsulation in step 102 is applied to the message that has changed as a result of the payload transformation, and requires the header information to be recalculated, including the message length and the checksum.
The message processing comprises the network node extracting the header and performing operations such as routing and forwarding on the message.
The encapsulation in step 105 is performed after the payload information has been recovered: before the message reaches the output device, it is inverse-transformed, restoring the message that was transformed in step 101.
The working process of the load transformation controller comprises: step 301: configuring the transformation strategy of the load transformation controller according to the administrator's policy; specifically, the administrator can configure a static load transformation method, dynamically configure different load transformations at a predetermined period, or select the load transformation method at random with a given probability, among other strategies; step 302: the controller generates a load transformation scheme according to the configured strategy; step 303: the transformation scheme is issued to the protection implementation system through the control channel.
Compared with the prior art, the mimic network node protection method based on load transformation of the invention has the following advantages: an invertible transformation can be applied to the payload, eliminating a security backdoor start instruction hidden in the message payload and thus protecting a network node that has security defects; and the load transformation method can be selected dynamically according to the management strategy, making it difficult for an external attacker to predict the message payload transformation method used by the system, which improves the security of the system.
Brief description of the drawings
Fig. 1 is the flow chart of the mimic network node protection method based on load transformation of the invention;
Fig. 2 is a schematic diagram of the protection structure in the mimic network node protection method based on load transformation of the invention;
Fig. 3 is the flow chart of the configuration method of the load transformation controller in the mimic network node protection method based on load transformation of the invention.
Embodiment
The mimic network node protection method based on load transformation of the invention is further described below with reference to the drawings and a specific embodiment. As shown in the figures, the present embodiment comprises the following steps:
Step 101: the payload of a message entering the node is transformed according to the transformation method set by the load transformation controller;
Step 102: the message whose payload has been transformed is re-encapsulated;
Step 103: the message is processed inside the node according to its header;
Step 104: the inverse transformation is applied to the message at the node exit, recovering the payload information;
Step 105: the message whose payload information has been recovered is re-encapsulated.
The load transformation controller can be configured either by manually specifying the load transformation method or by selecting a load transformation method at random according to a probability; the load transformation controller controls the protection measures of the protection implementation system, that is, the transformation method applied to messages entering and leaving the network node.
The transformation method comprises encrypting or scrambling the payload and other invertible transformations of the data.
The encapsulation in step 102 is applied to the message that has changed as a result of the payload transformation, and requires the header information to be recalculated, including the message length and the checksum.
The message processing comprises the network node extracting the header and performing operations such as routing and forwarding on the message.
The encapsulation in step 105 is performed after the payload information has been recovered: before the message reaches the output device, it is inverse-transformed, restoring the message that was transformed in step 101.
The working process of the load transformation controller comprises: step 301: configuring the transformation strategy of the load transformation controller according to the administrator's policy; specifically, the administrator can configure a static load transformation method, dynamically configure different load transformations at a predetermined period, or select the load transformation method at random with a given probability, among other strategies; step 302: the controller generates a load transformation scheme according to the configured strategy; step 303: the transformation scheme is issued to the protection implementation system through the control channel.
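As an added illustration (not code from the patent or its applicants), the following Python simulates steps 101 to 105 of the node pipeline described in the summary and the embodiment above together with the controller's steps 301 to 303: a controller that picks a scheme by policy, two involutive payload transforms, and a node that re-encapsulates with a recomputed length and checksum so that the payload seen inside the node differs from the one that enters and leaves it. The message layout, function names, policy format and sample traffic are all assumptions made for the demonstration.

```python
import hashlib, hmac, random, struct
# Constructed message format (assumption, not the patent's): dst (1 byte) | payload length (2) | checksum (2) | payload.
HDR = struct.Struct("!BHH")

def checksum16(data: bytes) -> int:  # simple 16-bit additive checksum, stands in for a real header checksum
    return sum(data) & 0xFFFF

def encapsulate(dst: int, payload: bytes) -> bytes:
    """Steps 102/105: rebuild the header, recomputing length and checksum for the current payload."""
    return HDR.pack(dst, len(payload), checksum16(payload)) + payload

def parse(msg: bytes):
    """Split header and payload; reject a message whose header no longer matches its payload."""
    dst, length, cksum = HDR.unpack_from(msg)
    payload = msg[HDR.size:HDR.size + length]
    if len(payload) != length or checksum16(payload) != cksum:
        raise ValueError("length/checksum mismatch")
    return dst, payload

def xor_transform(payload: bytes, key: bytes) -> bytes:
    """Keyed scramble ('encrypted interference'): XOR with an HMAC-SHA256 counter keystream; self-inverse."""
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(len(payload) // 32 + 1))
    return bytes(a ^ b for a, b in zip(payload, stream))

def reverse_transform(payload: bytes, key: bytes) -> bytes:  # key-independent invertible transform; self-inverse
    return payload[::-1]

TRANSFORMS = {"xor": (xor_transform, xor_transform), "reverse": (reverse_transform, reverse_transform)}  # (forward, inverse)

def controller_select(policy: dict, seed: int):
    """Steps 301-302: turn the administrator's policy into a scheme (method name, fresh 16-byte key)."""
    rng = random.Random(seed)  # seeded only so the demonstration is reproducible
    if policy["mode"] == "static":
        name = policy["method"]
    else:  # "random": choose the method by the configured probabilities
        name = rng.choices(list(policy["weights"]), weights=list(policy["weights"].values()))[0]
    return name, bytes(rng.getrandbits(8) for _ in range(16))

def node_forward(msg: bytes, scheme, routes: dict):
    """Steps 101-105 for one message: returns (out port, egress message, payload as seen inside the node)."""
    name, key = scheme
    fwd, inv = TRANSFORMS[name]
    dst, payload = parse(msg)
    inner = encapsulate(dst, fwd(payload, key))   # 101 transform, 102 re-encapsulate
    d, p = parse(inner)                           # 103: routing and forwarding read only the header
    egress = encapsulate(d, inv(p, key))          # 104 inverse transform, 105 re-encapsulate
    return routes[d], egress, p

# Constructed sample traffic (not from the patent) for a demonstration run.
TRIGGER = b"BACKDOOR_ON"   # stand-in for a hidden start instruction carried in the payload
SAMPLE = encapsulate(7, b"GET /status " + TRIGGER)

def demo(seed: int = 1):
    scheme = controller_select({"mode": "random", "weights": {"xor": 0.8, "reverse": 0.2}}, seed)
    port, egress, inner = node_forward(SAMPLE, scheme, {7: "eth1"})
    return port, egress == SAMPLE, TRIGGER in inner
```

Inside the node the trigger bytes are not present in the transformed payload, while the egress message is byte-identical to the ingress one; step 303 (issuing the scheme over the control channel) is represented simply by passing the scheme to `node_forward`.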

Claims (7)

1. A mimic network node protection method based on load transformation, characterized in that it comprises:
Step 101: the payload of a message entering the node is transformed according to the transformation method set by the load transformation controller;
Step 102: the message whose payload has been transformed is re-encapsulated;
Step 103: the message is processed inside the node according to its header;
Step 104: the inverse transformation is applied to the message at the node exit, recovering the payload information;
Step 105: the message whose payload information has been recovered is re-encapsulated.
2. The mimic network node protection method based on load transformation according to claim 1, characterized in that the load transformation controller can be configured either by manually specifying the load transformation method or by selecting a load transformation method at random according to a probability.
3. The mimic network node protection method based on load transformation according to claim 1, characterized in that the transformation method comprises encrypting or scrambling the payload and other invertible transformations of the data.
4. The mimic network node protection method based on load transformation according to claim 1, characterized in that the encapsulation in step 102 is applied to the message that has changed as a result of the payload transformation, and requires the header information to be recalculated, including the message length and the checksum.
5. The mimic network node protection method based on load transformation according to claim 1, characterized in that the message processing comprises the network node extracting the header and performing operations such as routing and forwarding on the message.
6. The mimic network node protection method based on load transformation according to claim 1, characterized in that the encapsulation in step 105 is performed after the payload information has been recovered: before the message reaches the output device, it is inverse-transformed, restoring the message that was transformed in step 101.
7. The mimic network node protection method based on load transformation according to claim 1, characterized in that the working process of the load transformation controller comprises:
Step 301: configuring the transformation strategy of the load transformation controller according to the administrator's policy; specifically, the administrator can configure a static load transformation method, dynamically configure different load transformations at a predetermined period, or select the load transformation method at random with a given probability, among other strategies;
Step 302: the controller generates a load transformation scheme according to the configured strategy;
Step 303: the transformation scheme is issued to the protection implementation system through the control channel.

Priority Applications (1)

Application Number: CN201510440400.9A (CN105141519A, en)
Priority Date: 2015-07-24
Filing Date: 2015-07-24
Title: Pseudo-network node protection method based on load transformation

Publications (1)

Publication Number: CN105141519A
Publication Date: 2015-12-09

Family ID: 54726733

Country Status (1)

CN: CN105141519A (en), Pending

Cited By (1)

* Cited by examiner, † Cited by third party

CN110247928B (*), priority date 2019-06-29, publication date 2020-09-15, assignee 河南信大网御科技有限公司: Simulation switch safety flow control device and method

Citations (5)

* Cited by examiner, † Cited by third party

US20070250627A1 (*), priority date 2006-04-21, publication date 2007-10-25, assignee May Robert A: Method, apparatus, signals and medium for enforcing compliance with a policy on a client computer
CN101833620A (*), priority date 2010-04-28, publication date 2010-09-15, assignee 国网电力科学研究院: Custom security JDBC driver-based database protective method
CN102882789A (*), priority date 2012-09-17, publication date 2013-01-16, assignee 华为技术有限公司: Data message processing method, system and equipment
CN103491069A (*), priority date 2013-09-05, publication date 2014-01-01, assignee 北京科能腾达信息技术股份有限公司: Filtering method for network data package
CN103685221A (*), priority date 2013-09-05, publication date 2014-03-26, assignee 北京科能腾达信息技术股份有限公司: A network invasion detection method

Legal Events

Code: Title (Description)
C06: Publication
PB01: Publication
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
TA01: Transfer of patent application right
    Effective date of registration: 20170808
    Address after: 201112 3A building, No. 1588 union airways, Shanghai, Minhang District
    Applicant after: Shanghai RedNeurons Information Technology Co., Ltd.
    Applicant after: National Digital Switch System Engineering Technology Research Center
    Address before: 201112 3A building, No. 1588 union airways, Shanghai, Minhang District
    Applicant before: Shanghai RedNeurons Information Technology Co., Ltd.
RJ01: Rejection of invention patent application after publication
    Application publication date: 20151209