CN107979609A - Post-reactive protection method and self-learning firewall system - Google Patents

Post-reactive protection method and self-learning firewall system

Publication number: CN107979609A (application CN201711342272.XA; granted version CN107979609B)
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: granted, active
Inventors: 黄承慧, 廖锦辉
Original and current assignee: Guangdong Skynet Security Mdt Infotech Ltd
Events: application filed by Guangdong Skynet Security Mdt Infotech Ltd; priority to CN201711342272.XA; publication of CN107979609A; application granted; publication of CN107979609B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
Abstract

The invention discloses a post-reactive protection method that addresses the problem of changes in computer hardware and software degrading a firewall's protection function. The technical scheme is as follows: on an access request from the external network, the request data enters the internal network through the firewall engine; once inside, the request data is mirrored and sent both to the internal terminal and to a virtual terminal that can communicate on the network using the same IP as the internal terminal; for the received request data, the virtual terminal produces feedback data corresponding to that packet and sends it to the external network first, while communication between the internal terminal and the external network is one-way isolated by the firewall engine; the firewall engine then performs security analysis on the request data and on the associated data that the external network sends back in response to the feedback data; once the security analysis passes, the isolation of the internal terminal toward the external network is cancelled and the internal terminal's actual feedback data is transmitted to the external network. This improves, to a certain degree, the adaptability to changes in computer system software and hardware.

Description

Post-reactive protection method and self-learning firewall system
Technical field
The present invention relates generally to computer system and network security, and more particularly to a post-reactive protection method and a self-learning firewall system.
Background technology
A firewall is a system, or set of systems, that enforces an access control policy. It forms a protective barrier between an internal network (private network) and an external network (public network), prevents unauthorized users from illegally accessing resources on the internal network and internal information from being transmitted outward, and also prevents such illegal and malicious network behaviour from disrupting the operation of the internal network. Its basic function is to filter, and where necessary block, the data transmitted (as data packets) between a local network, or some part of it, and the Internet. A data packet is simply a segment of data that also carries the information needed to deliver it to its destination. A packet can be pictured as a mailbag: the data in the packet is the contents of the bag, and the envelope carries the addressing needed to deliver the letter to the right machine and the right program, together with the return address and similar information. A firewall can enforce broader security policies to control the flow of information and prevent unexpected intrusions from causing damage. Firewall architectures include the dual-homed host, screened host and screened subnet structures, among others.
The firewall itself needs a high resistance to attack. It should be placed at the bottom of the system and of the network protocol stack, and both its accessing and accessed ports must be governed by strict access rules so that every network connection outside those rules is cut off. Secondly, by analogy with architecture: a building's fire safety is guaranteed jointly by each relevant discipline and the related equipment, and on a computer system the protective performance of a firewall is likewise guaranteed jointly by the firewall, the rules set by the user and the computer system itself. Furthermore, in architecture a change to the original materials and their arrangement will render a fire wall ineffective, and over time some materials treated for flame resistance gradually lose that resistance. The same holds for a computer system: changes to the computer system's network and to its hardware and software environment also render the firewall ineffective, and over time the firewall's original protection technology begins to fall behind and its protective function slowly declines.
The content of the invention
In view of the deficiencies of the prior art, the first object of the present invention is to provide a post-reactive protection method that has the advantage of good adaptability to continuous changes in computer system software and hardware.
To achieve the above object, the present invention provides the following technical solution:
A post-reactive protection method, the protection being adapted to a firewall between an internal network and an external network, the firewall architecture further comprising a firewall engine with a plurality of installed filters, the method comprising:
On an access request from the external network, request data enters the internal network through the firewall engine;
After the request data enters the internal network, it is mirrored and sent to the internal terminal and to a virtual terminal that can carry out network communication using the same IP as the internal terminal;
For the received request data, the virtual terminal produces feedback data corresponding to that packet and sends it to the external network first, while communication between the internal terminal and the external network is one-way isolated by the firewall engine;
The firewall engine then performs security analysis on the request data and on the associated data that the external network sends back again in response to the feedback data;
After the security analysis passes, the reverse isolation between the internal terminal and the external network is cancelled, and the internal terminal's actual feedback data is transmitted to the external network.
With the above technical solution, when the external network makes an access request to the internal network, the firewall engine first records this data. At this point the firewall engine keeps the internal terminal one-way isolated from the external network, and the virtual terminal transmits feedback data to the external network using the same IP as the internal terminal; this feedback data corresponds to the request data. The virtual terminal then receives the associated data that the external network sends back in response to the feedback data, and the firewall engine performs security analysis on the request data and on the associated data sent in this second round, deciding from the result whether the internal terminal and the external network are connected. When the security analysis passes, the firewall engine cancels the isolation and the internal terminal can send its actual feedback data to the external network. Thus, however the internal terminal's hardware and software change, as long as the virtual terminal can produce targeted feedback data for the request data, whether to isolate can be decided by security analysis of the request data and the associated data, which to a certain degree improves adaptability to computer system software and hardware.
Preferably, the security analysis comprises:
At the request stage, receiving the request data and the context data structure of the request data from the external network;
At the feedback stage, receiving from the external network the associated data packet directed at the feedback data, together with the context data structure of the associated data packet;
Through the request stage and the feedback stage, identifying the parameter set associated with the request data and the associated data;
Sending a classification call, the classification call including the parameter set associated with the request data and the associated data;
Comparing the parameter set of the request data and associated data with the filter conditions of the plurality of filters, and identifying at least one filter matching the parameter set of the request data and associated data, together with the firewall policy specified by that at least one filter;
In response to the classification call, determining an accept and/or isolate action according to the associated firewall policy.
Preferably, the data covered by the security analysis can also extend to
the associated data of the stage preceding the request stage and/or the request data of the stage following the association stage.
Preferably, the request data is an inbound packet received from the external network; and the parameter set includes information that the association stage parses from the inbound packet according to the protocol executed by the association stage.
Preferably, the associated data is an outbound packet sent toward the network device; and the parameter set includes information added to the packet according to the protocol executed by the request stage.
Preferably, the method further comprises:
modifying the packet context data structure by adding to the parameter set.
Preferably, the parameters in the parameter set include the request stage, an identifier of the association stage, a parameter type and a value.
Preferably, when the virtual terminal receives request data,
the virtual terminal compares the received request data with the packets it has stored, and returns the packet matching the request data to the external network in the form of feedback data, via a virtual IP identical to that of the internal terminal.
Preferably, the virtual terminal can learn autonomously and add new packets to its internal database.
In view of the deficiencies of the prior art, the second object of the present invention is to provide a self-learning firewall system that has the advantage of good adaptability to continuous changes in computer system software and hardware.
To achieve the above object, the present invention provides the following technical solution:
A self-learning firewall system, comprising
A firewall engine, including a plurality of installed filters, for security analysis of request data and associated data, and for executing the matched security policy after the security analysis to isolate or connect the internal network and the external network;
An internal terminal, connected within the internal network, protected by the firewall engine, and isolated from or connected to the external network by the firewall engine;
A virtual terminal, which can match request data to a corresponding packet in its database and feed that packet back to the external network on behalf of the internal terminal, using the same IP as the internal terminal.
With the above technical solution the system behaves as described for the method: when the external network makes an access request to the internal network, the firewall engine records the data and keeps the internal terminal one-way isolated from the external network; the virtual terminal answers from the internal terminal's IP with feedback data corresponding to the request, then receives the associated data the external network sends back; the firewall engine performs security analysis on the request data and this second-round associated data and decides from the result whether the internal terminal and the external network are connected. When the analysis passes, the firewall engine cancels the isolation and the internal terminal can send its actual feedback data to the external network. However the internal terminal's hardware and software change, as long as the virtual terminal can produce targeted feedback data for the request, the isolation decision can be made by security analysis of the request data and the associated data, which to a certain degree improves adaptability to computer system software and hardware.
In conclusion the invention has the advantages that:
1. in exterior network request access internal network, only allow one way data communication from outside to inside, only in safety point Analysis could allow being pierced by for internal data, the safety of enhancing data storage after passing through;
2. computer network software and hardware changes, as long as virtual terminal can make specific aim according to the request data of external network Feedback, so that it may carry out safety analysis for request data and associated data, prevented so as to match corresponding security strategy Shield, adaptability are high;
3. virtual terminal can self-teaching to the increase of interior data storehouse supplement new data packet, to continually changing extranets Network and the enhancing of computer software and hardware adaptability.
Brief description of the drawings
Fig. 1 is a functional block diagram of the post-reactive protection method of the present invention;
Fig. 2 is a schematic diagram of the principle of the self-learning firewall system of the present invention;
Fig. 3 is a schematic diagram of the computer system of the present invention.
Embodiment
The present invention will be described in detail with reference to the accompanying drawings and embodiments.
The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the drawings. Clearly, the described embodiments are only some, and not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.
Embodiment 1
A post-reactive protection method, based on specific hosts, specific ports and specific applications, adapted to a firewall placed between an external network and an internal network, where the firewall architecture further comprises a firewall engine with a plurality of installed filters. With reference to Fig. 1, the method comprises:
On an access request from the external network, request data enters the internal network through the firewall engine;
After the request data enters the internal network, it is mirrored and sent to the internal terminal and to a virtual terminal that can carry out network communication using the same IP as the internal terminal;
For the received request data, the virtual terminal produces feedback data corresponding to that packet and sends it to the external network first, while communication between the internal terminal and the external network is one-way isolated by the firewall engine;
The firewall engine then performs security analysis on the request data and on the associated data that the external network sends back again in response to the feedback data;
After the security analysis passes, the reverse isolation between the internal terminal and the external network is cancelled, and the internal terminal's actual feedback data is transmitted to the external network.
When the external network requests access to the internal network, the external data must pass through the firewall engine to enter the internal network. The firewall engine decides whether to let each packet in the data flow through by checking its source address, destination address, the port numbers used, the protocol state and similar factors, or a combination of them.
The request data that passes the firewall engine's filtering is mirrored and sent to both the internal terminal and the virtual terminal, which act synchronously. The firewall engine temporarily isolates the actual feedback data that the internal terminal produces for the request, that is, it implements one-way blocking of the internal network toward the external network. At the same time the virtual terminal receives the identical request data, compares it with the packets in its own database, and returns the packet matching the request data to the external network as feedback data via a virtual IP identical to the internal terminal's.
As for the packets in the virtual terminal's database, the virtual terminal can learn autonomously in the background and add new packets to its internal database.
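The flow just described (a request admitted by the firewall engine's packet filter, mirrored to the internal and virtual terminals, the virtual terminal's reply sent from the shared IP while the real reply is held back, and the hold lifted only after the request and the external side's second-round data pass analysis, including the virtual terminal learning a reply for a request it has not seen) as a runnable simulation. This is illustration code added for this page, not code from the patent; the Packet model, the substring-based security analysis, the canned-reply database, the per-source session key and the addresses are constructed assumptions.

```python
"""Simulation of the post-reactive protection flow.  Added illustration, not
the patent's code; Packet, the SUSPICIOUS patterns, the reply database and all
addresses are assumptions constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port
    proto: str     # "tcp" or "udp"
    payload: str


@dataclass
class InternalTerminal:
    """The real host; its replies are what the engine holds back."""
    ip: str

    def respond(self, req: Packet) -> Packet:
        return Packet(self.ip, req.src, 0, req.proto, "REAL:" + req.payload.upper())


@dataclass
class VirtualTerminal:
    """Answers from the internal terminal's IP out of a reply database; a
    request with no entry gets a synthesised reply that is stored (self-learning)."""
    ip: str
    db: Dict[str, str] = field(default_factory=dict)

    def respond(self, req: Packet) -> Packet:
        reply = self.db.get(req.payload)
        if reply is None:
            reply = "VIRTUAL:" + req.payload.upper()
            self.db[req.payload] = reply
        return Packet(self.ip, req.src, 0, req.proto, reply)


SUSPICIOUS = ("../", "' or 1=1", "<script")   # constructed stand-in for the analysis rules


@dataclass
class Session:
    request: Packet
    held_reply: Packet                              # real reply, not yet released
    associated: List[Packet] = field(default_factory=list)
    isolated: bool = True


class FirewallEngine:
    def __init__(self, internal: InternalTerminal, virtual: VirtualTerminal, allowed_ports):
        self.internal, self.virtual = internal, virtual
        self.allowed_ports = set(allowed_ports)
        self.sessions: Dict[str, Session] = {}      # keyed by source IP (simplification)
        self.outbound: List[Packet] = []            # what actually reached the external network

    def admit(self, pkt: Packet) -> bool:
        """Packet-filter stage: destination, protocol and port checked against the rules."""
        return pkt.dst == self.internal.ip and pkt.proto == "tcp" and pkt.dport in self.allowed_ports

    def on_request(self, pkt: Packet) -> Optional[Packet]:
        if not self.admit(pkt):
            return None
        real = self.internal.respond(pkt)           # both terminals see the mirrored request
        fake = self.virtual.respond(pkt)
        self.sessions[pkt.src] = Session(pkt, real)
        self.outbound.append(fake)                  # only the virtual reply leaves
        return fake

    def on_followup(self, pkt: Packet) -> bool:
        """Second-round data from the external side; decides whether to lift the isolation."""
        s = self.sessions.get(pkt.src)
        if s is None or not self.admit(pkt):
            return False
        s.associated.append(pkt)
        if self.analysis_passes(s):
            s.isolated = False
            self.outbound.append(s.held_reply)      # release the real reply
            return True
        return False

    @staticmethod
    def analysis_passes(s: Session) -> bool:
        texts = [s.request.payload] + [p.payload for p in s.associated]
        return not any(bad in t.lower() for t in texts for bad in SUSPICIOUS)


def build_engine() -> FirewallEngine:
    host_ip = "10.0.0.5"
    return FirewallEngine(InternalTerminal(host_ip), VirtualTerminal(host_ip), allowed_ports={80})


def run_demo() -> Tuple[bool, List[str], bool, bool]:
    """A port-22 request is rejected by the packet filter; a benign client gets the real
    reply after its follow-up; a client whose follow-up carries a traversal stays isolated."""
    fw = build_engine()
    good, bad = "203.0.113.7", "198.51.100.9"     # constructed addresses
    rejected = fw.on_request(Packet(good, "10.0.0.5", 22, "tcp", "ssh")) is None
    fw.on_request(Packet(good, "10.0.0.5", 80, "tcp", "get /index"))
    fw.on_followup(Packet(good, "10.0.0.5", 80, "tcp", "get /index?page=2"))
    fw.on_request(Packet(bad, "10.0.0.5", 80, "tcp", "get /index"))
    fw.on_followup(Packet(bad, "10.0.0.5", 80, "tcp", "get /../../etc/passwd"))
    sent = [p.payload for p in fw.outbound]
    return rejected, sent, fw.sessions[good].isolated, fw.sessions[bad].isolated


if __name__ == "__main__":
    print(run_demo())
```

Two things the simulation makes visible that the prose does not: the external side receives a reply from the host's IP before any decision is made, so the virtual reply itself discloses that something answers at that address and should be chosen accordingly; and keying sessions by source IP alone, as done here for brevity, would let one client's passed analysis release replies for another client behind the same address, so a real engine keys on the full connection tuple.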
Specifically, the security analysis comprises: at the request stage, receiving the request data and the context data structure of the request data from the external network;
At the feedback stage, receiving from the external network the associated data packet directed at the feedback data, together with the context data structure of the associated data packet;
Through the request stage and the feedback stage, identifying the parameter set associated with the request data and the associated data;
Sending a classification call, the classification call including the parameter set associated with the request data and the associated data;
Comparing the parameter set of the request data and associated data with the filter conditions of the plurality of filters, and identifying at least one filter matching the parameter set of the request data and associated data, together with the firewall policy specified by that at least one filter;
In response to the classification call, determining an accept and/or isolate action according to the associated firewall policy.
In addition, the data covered by the security analysis can also extend to the associated data of the stage preceding the request stage and/or the request data of the stage following the association stage.
The request data is an inbound packet received from the external network; and the parameter set includes information that the association stage parses from the inbound packet according to the protocol executed by the association stage.
The associated data is an outbound packet sent toward the network device; and the parameter set includes information added to the packet according to the protocol executed by the request stage.
In this method a filter is attached to the network packet at several layers of the protocol stack. The method and the firewall structure are executed in several operating-system processes (referred to as the "kernel-mode process" and the "user-mode process"). Alternatively, the method and structure are executed in a single operating-system process, or in one or more program modules or applications executed outside the operating system.
The kernel-mode process comprises a protocol stack, a kernel firewall engine and one or more callouts. The protocol stack includes an application layer, a transport layer, a network layer and a link layer; extra layers are added to or removed from the system as required. Each of these layers forms a requesting layer, which receives the network packet and the corresponding packet context data from the previous layer or process. The requesting layer then issues a classification request to the kernel firewall engine via the layer API. The classification request includes the packet, the packet context and a set of layer parameters associated with the requesting layer.
The kernel firewall engine processes the request and returns an action; for example, the action indicates how the requesting layer is to dispose of the packet (such as permit or block). If the action is permit, the requesting layer processes the packet according to its layer protocol, adds its layer parameters to the packet context, and passes the packet and packet context down to the next layer. If the action is block, the requesting layer discards the packet and does not deliver it to the next layer; as a consequence of the block action the requesting layer may perform extra functions (for example, tearing down a TCP connection). The kernel firewall engine comprises the layer API, a set of installed filters and a callout API. Each filter in the installed filter set includes a set of filter conditions and an associated action. The kernel firewall engine processes a classification request sent from a requesting layer by identifying one or more matching filters, namely filters whose filter conditions match the layer parameters and the packet context. Once the matching filters are identified, they are applied in order of filter priority. If the action of the filter being applied is permit or block,
that action is returned to the requesting layer. If the action is callout, the classification request sent by the requesting layer
is delivered, together with the identifier of the matching filter, to one of the callout modules. The callout module performs the function it was programmed for and returns an action to the kernel firewall engine. If no matching filter is identified for a packet, the requesting layer is notified that no matching filter was found, and the requesting layer then decides how to dispose of the packet.
An example user-mode process includes a user-mode firewall engine and one or more policy providers. The policy providers obtain policy from any suitable source (for example, volatile and non-volatile memory). The policy is the source of information for presenting new filters, including their filter conditions and the associated action set. The user-mode firewall engine adds the new filter to the installed filter set in the kernel firewall engine via the filter engine API.
The user-mode process also includes an instance of the kernel firewall engine, which allows user-mode layers to be created. These user-mode layers then use the user-mode instance of the firewall engine to identify filters with a matching set of parameters; this set of parameters allows filtering to be applied within user mode.
In an embodiment of the present invention, the callout interface from the kernel firewall engine to the set of callout modules allows essentially unlimited extension of the firewall's capabilities. For example, an HTTP-context callout provides parental-control features by identifying acceptable and unacceptable URL addresses. An Internet Protocol Security (IPSec) callout verifies that a packet has properly undergone IPSec processing. A logging callout records packets that meet established criteria, which facilitates later inspection of those packets. An intrusion-detection callout identifies suspicious packets according to known algorithms.
The present invention is shown as executed in a suitable computing environment. Although not required, the invention is described in the general context of computer-executable instructions (for example, program modules) executed by a personal computer. In general, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The invention may also be practised in distributed computing environments, in which tasks are performed by remote processing devices connected through a communications network; in a distributed computing environment, program modules may be located in both local and remote memory storage devices.
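The classification path described above (a requesting layer issues a classification request carrying its layer parameters and the packet context; the engine selects filters whose conditions match, applies them in priority order, returns permit or block, or hands the request to a callout module that returns the action; with no match the layer disposes of the packet itself; each layer's parameters then join the packet context for the layers below) as a runnable example. This is illustration code added for this page, not the patent's or any operating system's implementation; the layer names, parameter keys, the filter set, the URL and intrusion-detection callouts and the rule that a layer with no matching filter forwards the packet are assumptions. Filters at the application layer test a transport-layer parameter through the packet context, which the prose mentions but does not show.

```python
"""Layered filter engine with priority-ordered filters and callouts.  Added
illustration, not the patent's code; layers, parameter keys, filters and
callout logic are assumptions constructed for this example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PERMIT, BLOCK, CALLOUT = "permit", "block", "callout"
Action = Optional[str]
Callout = Callable[[dict, dict], Action]   # (layer params, packet context) -> action or None

# Assumed protocol stack for inbound processing and the parameters each layer contributes.
LAYERS: List[Tuple[str, Tuple[str, ...]]] = [
    ("link", ("src_mac",)),
    ("network", ("src_ip", "dst_ip")),
    ("transport", ("proto", "dport")),
    ("application", ("url",)),
]


@dataclass
class Filter:
    name: str
    layer: str
    conditions: Dict[str, object]    # parameter -> required value; {} matches everything
    action: str
    priority: int                    # lower value is applied first
    callout: Optional[str] = None    # callout module key when action == CALLOUT

    def matches(self, params: dict) -> bool:
        return all(params.get(k) == v for k, v in self.conditions.items())


class FirewallEngine:
    def __init__(self):
        self.filters: List[Filter] = []
        self.callouts: Dict[str, Callout] = {}

    def add_filter(self, f: Filter) -> None:          # the policy provider's job
        self.filters.append(f)

    def register_callout(self, key: str, fn: Callout) -> None:
        self.callouts[key] = fn

    def classify(self, layer: str, params: dict, context: dict) -> Tuple[Action, Optional[str]]:
        """Classification request.  Returns (action, filter name); (None, None)
        means no filter matched and the requesting layer decides for itself."""
        visible = {**context, **params}     # conditions may test earlier layers' parameters
        matched = sorted((f for f in self.filters if f.layer == layer and f.matches(visible)),
                         key=lambda f: f.priority)
        for f in matched:
            if f.action in (PERMIT, BLOCK):
                return f.action, f.name
            verdict = self.callouts[f.callout](params, visible)
            if verdict in (PERMIT, BLOCK):
                return verdict, f.name
            # callout returned None: continue with the next matching filter
        return None, None


IDS_LOG: List[dict] = []


def ids_callout(params: dict, context: dict) -> Action:
    """Intrusion-detection style callout: block on a crude signature, otherwise continue."""
    if "<script" in params.get("url", "").lower():
        IDS_LOG.append(dict(context))
        return BLOCK
    return None


def url_callout(params: dict, context: dict) -> Action:
    """Parental-control style callout: decide by URL prefix."""
    return BLOCK if params.get("url", "").startswith("/admin") else PERMIT


def build_engine() -> FirewallEngine:
    e = FirewallEngine()
    e.register_callout("ids", ids_callout)
    e.register_callout("url", url_callout)
    e.add_filter(Filter("block_bad_host", "network", {"src_ip": "198.51.100.9"}, BLOCK, 0))
    e.add_filter(Filter("permit_http", "transport", {"proto": "tcp", "dport": 80}, PERMIT, 10))
    e.add_filter(Filter("default_deny_transport", "transport", {}, BLOCK, 100))
    e.add_filter(Filter("ids_callout", "application", {"dport": 80}, CALLOUT, 1, "ids"))
    e.add_filter(Filter("url_callout", "application", {"dport": 80}, CALLOUT, 5, "url"))
    return e


ENGINE = build_engine()


def process_inbound(packet: dict, engine: FirewallEngine = ENGINE) -> Tuple[str, Optional[str], Optional[str]]:
    """Walk the packet down the stack; each layer issues its own classification request."""
    context: dict = {}
    last = (PERMIT, None, None)
    for layer, keys in LAYERS:
        params = {k: packet[k] for k in keys if k in packet}
        action, fname = engine.classify(layer, params, context)
        if action == BLOCK:
            return BLOCK, layer, fname        # dropped here; lower layers never see it
        if action == PERMIT:
            last = (PERMIT, layer, fname)
        context.update(params)                # layer parameters join the packet context
    return last


# Constructed sample packet.
BENIGN = {"src_mac": "02:00:00:00:00:01", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5",
          "proto": "tcp", "dport": 80, "url": "/index"}
```

The priority order is what makes the default-deny filter safe: permit_http (priority 10) is applied before default_deny_transport (priority 100) when both match, so port 80 passes while port 22 is blocked by the catch-all. A callout that returns neither permit nor block falls through to the next matching filter, which is how the intrusion-detection callout can log and step aside without overriding the URL policy.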
Embodiment 2
A self-learning firewall system, based on the post-reactive protection method of Embodiment 1. With reference to Fig. 2, it comprises:
A firewall engine, including a plurality of installed filters, for security analysis of request data and associated data, and for executing the matched security policy after the security analysis to isolate or connect the internal network and the external network;
An internal terminal, connected within the internal network, protected by the firewall engine, and isolated from or connected to the external network by the firewall engine;
A virtual terminal, which can match request data to a corresponding packet in its database and feed that packet back to the external network on behalf of the internal terminal, using the same IP as the internal terminal.
Fig. 3 illustrates the example that can perform the suitable computing system environment of the present invention on it.Computing system environment is One example of suitable computing environment, it is not intended to use or functional scope proposition any restrictions to the present invention. Computing environment should not be also construed to have any one component or component combination for being related to and being shown in exemplary operational environment Any dependence or requirement.
The present invention can be used for the universal or special computing system environment of numerous others or configuration.It is likely to be suited for the present invention's Well-known computing system, environment and/or the example of configuration include but is not limited to personal computer, server calculates Machine, handheld device or portable set, multicomputer system, the system based on microprocessor, set top box, programmable consumption electricity Sub- equipment, network PC, minicom, mainframe computer include the distributed computing environment of any of the above system or equipment, with And the like.
It can be retouched in the general context of positive computer executable instructions (for example, program module) State the present invention.In general, program module includes performing special duty or implements the routine of special abstract data type, journey Sequence, object, component, data structure etc..The present invention can also be put into practice in a distributed computing environment, in these Distributed Calculation rings In border, by performing task by communication network and connected remote processing devices.In a distributed computing environment, program mould Block can be located in the local computer storage medium and remote computer storage medium that include memory storage devices.
With reference to Fig. 3, the demonstration system for performing the present invention includes the universal computing device for taking the form of computer.Meter The component of calculation machine can include but is not limited to processing unit, system storage and system bus, and system bus will include should The various couple system components of system storage are to processing unit.System bus can be several types bus structures (including Memory bus or memory controller, peripheral bus and the local bus using any bus architecture in various bus architectures) in Any bus structures.(it is not restricted) for example, this class formation includes " industrial standard architectures " (ISA) bus, " microchannel Structure " (MCA) bus, " ISA " (EISA) bus of enhancing, " Video Electronics Standards Association " (VESA) local bus and also claimed Make " peripheral parts interconnected " (PCI) bus of " mezzanine (Mezzanine) bus ".
Computer generally includes various computer-readable mediums.Computer-readable medium can be accessible by a computer Any usable medium, it includes volatile and nonvolatile medium, removable and immovable medium.(do not limit for example System), computer-readable medium can include computer storage media and communication media.Computer-readable storage medium includes volatile and non- Volatile removable and immovable medium, these media with information (for example, computer-readable instruction, data structure, Program module or other data) any method or technique of storage performed.Computer-readable storage medium includes (but not limiting to In) RAM, ROM, EEPROM, flash memory or other memory technologies, CD-ROM, digital versatile disc (DVD) or other CDs Memory, cassette tape, tape, magnetic disk storage or other magnetic storage apparatus can be used to store the information needed And can be by computer come into other any media of line access.The usual specific manifestation computer-readable instruction of communication media, number According to other data in structure, program module or modulated data signal (for example, carrier wave or other transfer mechanisms), it includes any Information transmitting medium.Term " modulated data signal " means a kind of signal, and the one or more features of the signal are by such Mode is set or is changed, to be the information coding in the signal.(it is not restricted) for example, communication media includes Wire medium (for example, cable network or straight line connection) and wireless medium are (for example, sound, RF, infrared ray and other wireless Jie Matter).The combination of any of the above content should be also included within the scope of computer readable media.
System storage includes taking volatile and/or nonvolatile storage (for example, read-only storage (ROM) and depositing at random The computer-readable storage medium of the form of access to memory (RAM).Basic input/output (BIOS) is typically stored within ROM In, which, which includes, contributes between each element in computer to transmit information (for example, starting Period) these basic routines.RAM is generally comprised can be immediately by processing unit access and/or at present just by handling The data and/or program module that unit is operated.(it is not restricted) for example, Fig. 3 illustrates operating system, using journey Sequence, other program modules and routine data.
The computer may also include other removable/non-removable, volatile/nonvolatile computer storage media. By way of example only, Fig. 3 illustrates a hard disk drive that reads from or writes to non-removable, nonvolatile magnetic media, a magnetic disk drive that reads from or writes to a removable, nonvolatile magnetic disk, and an optical disk drive that reads from or writes to a removable, nonvolatile optical disk (for example, a CD-ROM or other optical media). Other removable/non-removable, volatile/nonvolatile computer storage media that can be used in the exemplary operating environment include, but are not limited to, magnetic tape cassettes, flash memory cards, digital versatile discs, digital video tape, solid-state RAM, solid-state ROM and similar storage media. The hard disk drive is typically connected to the system bus through a non-removable memory interface, and the magnetic disk drive and optical disk drive are typically connected to the system bus by a removable memory interface.
The drives discussed above and illustrated in Fig. 3, and their associated computer storage media, provide storage of computer-readable instructions, data structures, program modules and other data for the computer. In Fig. 3, for example, the hard disk drive is illustrated as storing an operating system, application programs, other program modules and program data. Note that these components can either be the same as or different from the operating system, application programs, other program modules and program data. The operating system, application programs, other program modules and program data are given different numbers here to illustrate that, at a minimum, they are different copies. A user may enter commands and information into the computer through input devices (for example, a keyboard) and a pointing device (commonly referred to as a "mouse", "trackball" or "touch pad"). Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner or similar input devices. These and other input devices are often connected to the processing unit through a user input interface that is coupled to the system bus, but may be connected by other interface and bus structures (for example, a parallel port, game port or universal serial bus (USB)). A monitor or other type of display device is also connected to the system bus via an interface (for example, a video interface). In addition to the monitor, the computer may also include other peripheral output devices (for example, speakers and a printer), which may be connected through an output peripheral interface.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of other embodiments.
It should be noted that, for brevity, each of the foregoing method embodiments is expressed as a series of combined actions, but those skilled in the art should understand that the present invention is not limited by the described order of actions, because according to the present invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also understand that the embodiments described in this specification are preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
In the several embodiments provided herein, it should be understood that the disclosed apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division of the units is only a division by logical function, and there may be other ways of division in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical or in other forms.
The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or substitute equivalents for some of the technical features; and such modifications or substitutions do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A post-reaction protection method, the protection being adapted to a firewall between an internal network and an external network, the firewall architecture further comprising a firewall engine having a plurality of installed filters, the method comprising:
based on an access request from the external network, request data enters the internal network through the firewall engine;
after the request data enters the internal network, the request data is mirrored and sent to both the internal terminal and a virtual terminal that can communicate on the network using the same IP as the internal terminal;
in response to the received request data, feedback data corresponding to the data packet is produced by the virtual terminal and sent first to the external network, while communication between the internal terminal and the external network is one-way isolated by the firewall engine;
the firewall engine performs post-hoc safety analysis on the request data and on the associated data that the external network returns in reply to the feedback data;
after the safety analysis passes, the reverse isolation between the internal terminal and the external network is cancelled, and the actual feedback data of the internal terminal is transmitted to the external network.
2. The method of claim 1, wherein the safety analysis comprises:
in a request stage from the external network, receiving the request data and a context data structure of the request data from the external network;
in a feedback stage to the external network, receiving from the external network an associated data packet directed at the feedback data and a context data structure of the associated data packet;
through the request stage and the feedback stage, identifying a parameter set associated with the request data and the associated data;
issuing a classification call, the classification call including the parameter set associated with the request data and the associated data;
comparing the parameter set of the request data and the associated data with the filtering conditions of the plurality of filters, and identifying at least one filter matching the parameter set of the request data and the associated data and the firewall policy specified by the at least one filter;
in response to the classification call, determining an accept and/or isolate action according to the associated firewall policy.
3. The method of claim 2, wherein the data of the safety analysis may further extend to
associated data from the stage preceding the request stage and/or request data from the stage following the association stage.
4. The method of claim 2, wherein the request data is an inbound communication packet received from the external network; and wherein the parameter set includes information that the association stage parses from the inbound communication packet according to the protocol executed by the association stage.
5. The method of claim 2, wherein the associated data is an outbound information packet sent to a network device; and wherein the parameter set includes information added to the packet according to the protocol executed by the request stage.
6. The method of claim 2, further comprising:
modifying the context data structure of the information packet by adding a parameter set.
7. The method of claim 6, wherein the parameters in the parameter set include identifiers of the request stage and the association stage, and the types and values of the parameters.
8. The method of claim 1, wherein, when the virtual terminal receives the request data,
the virtual terminal compares its stored data packets with the received request data, and returns the data packet matching the request data to the external network in the form of feedback data, using a virtual IP identical to that of the internal terminal.
9. The method of claim 8, wherein the virtual terminal can self-learn to add new supplementary data packets to its internal database.
10. An autonomous learning firewall system applying the method of any one of claims 1 to 9, characterised by comprising:
a firewall engine, including a plurality of installed filters, for safety analysis of the request data and the associated data, and for executing the matched security policy to isolate or connect the internal network and the external network after the safety analysis;
an internal terminal, connected within the internal network, protected by the firewall engine, and isolated from or connected to the external network by the firewall engine;
a virtual terminal, able to match a corresponding data packet in a database for the request data, and to feed that data packet back to the external network in place of the internal terminal using an IP identical to that of the internal terminal.
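As an added illustration (not code from the patent or its assignee), the following Python sketch models the claimed request/feedback cycle of claims 1, 2, 8 and 9: the virtual terminal answers first from its packet database on the internal terminal's IP, the engine keeps the internal terminal one-way isolated, and only after the external network's follow-up (the associated data) has been joined with the original request into one parameter set and matched against the filters is the isolation released. The filter conditions, IP addresses and payloads are constructed assumptions, not values from the patent.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:  # constructed packet: stage marker plus the context data structure it carries
    stage: str          # "request" (inbound) or "feedback" (external follow-up)
    src: str
    payload: str
    params: dict = field(default_factory=dict)

class VirtualTerminal:
    """Answers from a local packet database on the internal terminal's IP (claims 8, 9)."""
    def __init__(self, ip: str, responses: dict):
        self.ip, self.db = ip, dict(responses)
    def respond(self, request: Packet) -> Packet:
        return Packet("feedback", self.ip, self.db.get(request.payload, "canned-ack"))
    def learn(self, request: Packet, real_reply: str) -> None:
        self.db.setdefault(request.payload, real_reply)  # claim 9: supplement the database

class FirewallEngine:
    def __init__(self, filters: list, vterm: VirtualTerminal):
        self.filters, self.vterm, self.isolated = filters, vterm, {}  # filters: (name, cond, policy)

    def on_request(self, request: Packet) -> Packet:
        # Request stage: the internal terminal is one-way isolated and the mirrored
        # request is answered by the virtual terminal before any analysis has run.
        self.isolated[request.src] = True
        request.params.update(stage="request", length=len(request.payload))
        return self.vterm.respond(request)

    def on_associated(self, request: Packet, assoc: Packet) -> tuple:
        # Feedback stage: the external network's follow-up is joined with the original
        # request into one parameter set (the "classification call") and matched.
        assoc.params.update(stage="feedback", length=len(assoc.payload))
        joint = {"req": request.payload, "assoc": assoc.payload,
                 "req_params": request.params, "assoc_params": assoc.params}
        hits = [(name, pol) for name, cond, pol in self.filters if cond(joint)]
        action = "isolate" if any(pol == "isolate" for _, pol in hits) else "accept"
        if action == "accept":
            self.isolated[request.src] = False  # reverse isolation is cancelled
        return action, [name for name, _ in hits]

FILTERS = [  # constructed filter set; the conditions are illustrative only
    ("oversized-followup", lambda j: j["assoc_params"]["length"] > 64, "isolate"),
    ("unrelated-followup", lambda j: not j["assoc"].startswith(j["req"]), "isolate"),
    ("benign-continuation", lambda j: j["assoc"].startswith(j["req"]), "accept"),
]

def run(req_payload: str, followup: str) -> tuple:
    """One request/feedback cycle; returns (action, matched filter names, still isolated)."""
    vt = VirtualTerminal("10.0.0.5", {"GET /index": "200 OK index"})  # constructed values
    fw = FirewallEngine(FILTERS, vt)
    req = Packet("request", "203.0.113.9", req_payload)
    fw.on_request(req)
    action, hits = fw.on_associated(req, Packet("feedback", "203.0.113.9", followup))
    return action, hits, fw.isolated[req.src]
```

Note that the internal terminal's real reply is never released until `on_associated` returns "accept", which is the property the claims describe as cancelling the reverse isolation only after analysis passes.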
CN201711342272.XA 2017-12-14 2017-12-14 Post-reaction type protection method and autonomous learning type firewall system Active CN107979609B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711342272.XA CN107979609B (en) 2017-12-14 2017-12-14 Post-reaction type protection method and autonomous learning type firewall system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711342272.XA CN107979609B (en) 2017-12-14 2017-12-14 Post-reaction type protection method and autonomous learning type firewall system

Publications (2)

Publication Number Publication Date
CN107979609A true CN107979609A (en) 2018-05-01
CN107979609B CN107979609B (en) 2020-09-22

Family

ID=62006558

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711342272.XA Active CN107979609B (en) 2017-12-14 2017-12-14 Post-reaction type protection method and autonomous learning type firewall system

Country Status (1)

Country Link
CN (1) CN107979609B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115277043A (en) * 2022-05-11 2022-11-01 北京中安星云软件技术有限公司 Method and system for realizing API audit firewall
CN116015852A (en) * 2022-12-26 2023-04-25 国网江苏省电力有限公司扬州供电分公司 Virtual cloud desktop security management method based on national power grid information

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040148521A1 (en) * 2002-05-13 2004-07-29 Sandia National Laboratories Method and apparatus for invisible network responder
CN1574792A (en) * 2003-06-06 2005-02-02 微软公司 Multi-layer based method for implementing network firewalls
CN1748395A (en) * 2003-02-05 2006-03-15 日本电信电话株式会社 Firewall device
CN105099821A (en) * 2015-07-30 2015-11-25 北京奇虎科技有限公司 Flow monitoring method and apparatus based on cloud virtual environment
US20160308835A1 (en) * 2010-06-25 2016-10-20 Salesforce.Com, Inc. Methods and systems for context-based application firewalls

Also Published As

Publication number Publication date
CN107979609B (en) 2020-09-22

Similar Documents

Publication Publication Date Title
CN1574764B (en) Method for managing network filter based policies
CN1574839B (en) Multi-layered firewall architecture
CN1574792B (en) Multi-layer based method for implementing network firewalls
Sanders Practical packet analysis: Using Wireshark to solve real-world network problems
US10104120B2 (en) Command and control cyber vaccine
Kizza Computer network security and cyber ethics
US20190158591A1 (en) Device and related method for dynamic traffic mirroring
Northcutt et al. Network intrusion detection
US9130826B2 (en) System and related method for network monitoring and control based on applications
CN107251614A (en) Access point is turned to
US9584393B2 (en) Device and related method for dynamic traffic mirroring policy
CN107667505A (en) System for monitoring and managing data center
EP2501101A1 (en) SOC-Based Device for Packet Filtering and Packet Filtering Method thereof
US20140279768A1 (en) Device and related method for scoring applications running on a network
WO2014085952A1 (en) Policy processing method and network device
EP3192226B1 (en) Device and method for controlling a communication network
CN105450619A (en) Method, device and system of protection of hostile attacks
DE112012003293T5 (en) Apparatus and method for improving data security in a host computer device and a peripheral device
AU2011350978A1 (en) Method and device for controlling access to a computer system
Nathans Designing and building security operations center
CN103227798A (en) Immunological network system
CN104901971A (en) Method and device for carrying out safety analysis on network behaviors
EP2974355B1 (en) A device and a related method for dynamic traffic mirroring and policy, and the determination of applications running on a network
KR20220125251A (en) Programmable Switching Device for Network Infrastructures
CN107979609A (en) Reaction equation means of defence and autonomous learning type firewall system afterwards

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant