CN108366088A - An information security early warning system for a teaching network - Google Patents

An information security early warning system for a teaching network

Info

Publication number: CN108366088A
Authority: CN (China)
Prior art keywords: module, data, signal end, honey, early warning
Legal status: Pending
Application number: CN201711466279.2A
Other languages: Chinese (zh)
Inventors: 李传芹, 曹端阳, 唐瑭
Current assignee: Guangzhou Hua Xia Technical College
Original assignee: Guangzhou Hua Xia Technical College
Application filed by: Guangzhou Hua Xia Technical College
Priority to: CN201711466279.2A
Publication of: CN108366088A

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/01: Protocols
    • H04L 67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic

Abstract

The invention discloses an information security early warning system for a teaching network, comprising a honeynet host, a data analysis server and a monitoring terminal. The signal end of the honeynet host is connected to a wireless router; the signal end of the wireless router is connected to the data analysis server and is also connected to the monitoring terminal. The honeynet host comprises a honeynet gateway and a honeypot virtual group, and the interaction port of the honeynet gateway is connected to the honeypot virtual group. The signal end of the honeynet host is also connected to a data analysis system, the data terminal of the honeynet host is also connected to a database system, and the control terminal of the monitoring terminal is connected to a monitoring management system. The whole system uses dynamic defense technology: it can monitor, capture and analyze network information in real time, capture and monitor the attacks of potential hackers so as to learn their motives and their intrusion methods and strategies, and it can also collect forensic evidence of network intrusions.

Description

An information security early warning system for a teaching network
Technical field
The present invention relates to the field of teaching network information security, and specifically to an information security early warning system for a teaching network.
Background art
Schools are places of teaching and education, and the teaching network, as a means of informatization, plays a very important role in them. However, the security problems of teaching networks are becoming increasingly urgent and have become the main threat to school information technology education. As the internet is put to the test, unhealthy information, illegal intrusions and various other insecure factors are eroding the pure land of the school with ever greater harm.
For example, the invention patent with application number 201510727383.7, entitled "A linkage early warning system for power information system information security":
It can monitor equipment status in real time and give linked early warning of security incidents, and it presents the indicators obtained from collection and analysis together with the event results on a large screen for remote video supervision and acquisition of the equipment, performing linked information security early warning and guaranteeing equipment and network security.
However, the existing information security early warning systems for teaching networks have the following defects:
(1) An active early warning system ultimately serves information network security, and the reliability and stability of the information network is an important guarantee for the safe operation of the teaching network; but current information networks have the safety problem of being unable to actively defend against unknown security risks;
(2) The structure of existing teaching networks in terms of security prevention is relatively complex and their automatic defense capability is poor; without any prior sign, the position of weak links and vulnerabilities cannot be determined.
Summary of the invention
In order to overcome the shortcomings of the prior art, the present invention provides an information security early warning system for a teaching network, which can effectively solve the problems raised in the background art.
The technical solution adopted by the present invention to solve the technical problems is as follows:
An information security early warning system for a teaching network, comprising a honeynet host, a data analysis server and a monitoring terminal. The signal end of the honeynet host is connected to a wireless router; the signal end of the wireless router is connected to the data analysis server, and the signal end of the wireless router is also connected to the monitoring terminal. The honeynet host comprises a honeynet gateway and a honeypot virtual group, and the interaction port of the honeynet gateway is connected to the honeypot virtual group. The signal end of the honeynet host is also connected to a data analysis system, the data terminal of the honeynet host is also connected to a database system, and the control terminal of the monitoring terminal is connected to a monitoring management system;
The data analysis system comprises a data capture module and an intrusion detection module. The output end of the data capture module is connected to a parsing module, the signal end of the parsing module is connected to a recombination conversion module, the output end of the recombination conversion module is connected to the intrusion detection module, and the output end of the intrusion detection module is connected respectively to a tracing module and a warning module.
Further, the input end of the intrusion detection module is connected to a rule processing module.
Further, the rule processing module comprises a rule matching module and a rule file detection module, and the output end of the rule file detection module is connected to the rule matching module.
Further, the signal end of the wireless router is also connected respectively to a monitoring management server and a database server.
Further, the warning module comprises a master controller; the signal end of the master controller is connected to a threshold setting module, the signal end of the threshold setting module is connected to a program setting module, and the signal end of the master controller is connected to the parsing module.
Further, the monitoring management system comprises a database decision support system, which comprises a data source module and a data warehouse module. The signal end of the data source module is connected to the data capture module, the output end of the data source module is connected to an intermediate database module, and the output end of the data source module is connected to the data warehouse module through a data flow.
Further, the signal end of the intermediate database module is connected to a data increment update module, and the signal end of the data increment update module is connected to the data warehouse module.
Further, the output end of the data warehouse module is connected to a host analysis processing module, and the output end of the host analysis processing module is connected to the warning module.
Further, the signal end of the host analysis processing module is connected to the intermediate database module through a data flow.
Compared with the prior art, the beneficial effects of the invention are as follows:
(1) The information security early warning system of the invention is externally an open application system and internally a modular closed system. It provides interface data for the network real-time monitoring system and conveniently shares real-time monitoring and warning data, which fully raises the security protection level of the teaching network system; it can also virtualize as many kinds of production operating systems as possible, so as to realize all-round security protection;
(2) The security defense system of the invention uses dynamic defense technology: it can monitor, capture and analyze network information in real time, capture and monitor the attacks of potential hackers so as to learn their motives and their intrusion methods and strategies, and it can also collect forensic evidence of network intrusions.
Description of the drawings
Fig. 1 is the overall structure diagram of the present invention;
Fig. 2 is the data analysis system schematic diagram of the present invention;
Fig. 3 is the warning module schematic diagram of the present invention;
Fig. 4 is the monitoring management system schematic diagram of the present invention.
Reference numerals in the figures:
1- honeynet host; 2- data analysis server; 3- monitoring terminal; 4- monitoring management system; 5- data analysis system; 6- wireless router; 7- monitoring management server; 8- database server; 9- database system;
101- honeynet gateway; 102- honeypot virtual group;
401- host analysis processing module; 402- data warehouse module; 403- data source module; 404- data increment update module; 405- intermediate database module; 406- database decision support system;
501- data capture module; 502- intrusion detection module; 503- parsing module; 504- recombination conversion module; 505- tracing module; 506- warning module; 507- rule processing module; 508- rule matching module; 509- rule file detection module; 510- master controller; 511- threshold setting module; 512- program setting module.
Detailed description
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
As shown in Figures 1 to 4, the present invention provides an information security early warning system for a teaching network, comprising a honeynet host 1, a data analysis server 2 and a monitoring terminal 3. The signal end of the honeynet host 1 is connected to a wireless router 6; the signal end of the wireless router 6 is also connected respectively to a monitoring management server 7 and a database server 8; the signal end of the wireless router 6 is connected to the data analysis server 2 and is also connected to the monitoring terminal 3. The system uses dynamic defense technology: it can monitor, capture and analyze network information in real time, capture and monitor the attacks of potential hackers so as to learn their motives and their intrusion methods and strategies, and it can also collect forensic evidence of network intrusions. Its working principle is to use the three components of a honeynet, namely data control, data capture and data analysis, to complete real-time tracking and capture of network risks.
Further, the honeynet host 1 comprises a honeynet gateway 101 and a honeypot virtual group 102, and the interaction port of the honeynet gateway 101 is connected to the honeypot virtual group 102. First, honeynet data control is performed on the honeynet gateway: the honeynet gateway 101 places no restriction on packets entering the honeynet, so that an intruder can easily intrude into the honeynet, but it strictly controls any springboard attack that the intruder launches outward using the honeynet. The signal end of the honeynet host 1 is also connected to a data analysis system 5, and the data terminal of the honeynet host 1 is also connected to a database system 9; the database system 9 provides log and data storage services and stores all information captured by the honeynet system (HNS).
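The data-control rule stated for the honeynet gateway 101 (inbound traffic unrestricted, outbound connections from a honeypot strictly controlled) can be expressed as a small policy engine. The following is an added example written for this page, not code from the patent; the honeypot address prefix, the outbound limit, the sliding window and the flow records are all constructed assumptions.

```python
"""Honeynet gateway data-control policy (added example, not from the patent).

Models the rule stated for the honeynet gateway (101): packets entering the
honeynet are not restricted, while connections that a honeypot initiates
outward are counted and blocked above a limit so the honeypot cannot be used
as a springboard. Prefix, limit and flow records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

HONEYNET_PREFIX = "10.10.0."      # constructed: addresses of the honeypot virtual group
OUTBOUND_LIMIT_PER_HOUR = 5       # constructed: new outbound connections per honeypot per hour
WINDOW_SECONDS = 3600


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch (constructed)
    src: str
    dst: str
    dport: int


def is_honeypot(ip: str) -> bool:
    return ip.startswith(HONEYNET_PREFIX)


class GatewayPolicy:
    """Decides allow/block for each new connection seen at the gateway and keeps a log."""

    def __init__(self, limit: int = OUTBOUND_LIMIT_PER_HOUR):
        self.limit = limit
        self.outbound = defaultdict(list)   # honeypot ip -> timestamps of allowed outbound conns
        self.log = []                        # (decision, src, dst, dport)

    def decide(self, f: Flow) -> str:
        inbound = is_honeypot(f.dst) and not is_honeypot(f.src)
        outbound = is_honeypot(f.src) and not is_honeypot(f.dst)
        if inbound:
            # Rule 1: anything entering the honeynet is let through and observed.
            self.log.append(("allow-in", f.src, f.dst, f.dport))
            return "allow"
        if outbound:
            # Rule 2: outbound connections are counted in a sliding window and blocked
            # once the honeypot exceeds the limit.
            recent = [t for t in self.outbound[f.src] if f.ts - t < WINDOW_SECONDS]
            self.outbound[f.src] = recent
            if len(recent) >= self.limit:
                self.log.append(("block-out", f.src, f.dst, f.dport))
                return "block"
            recent.append(f.ts)
            self.log.append(("allow-out", f.src, f.dst, f.dport))
            return "allow"
        # Honeypot-to-honeypot or unrelated traffic: allowed, but still recorded.
        self.log.append(("allow-other", f.src, f.dst, f.dport))
        return "allow"


def run_policy(flows, limit: int = OUTBOUND_LIMIT_PER_HOUR):
    """Apply the policy to a list of flows; returns (decisions, policy) for inspection."""
    policy = GatewayPolicy(limit)
    return [policy.decide(f) for f in flows], policy


def sample_flows():
    """Constructed flows: one inbound probe, a honeypot reaching out 7 times within 30 s,
    then one more outbound attempt after the window has expired."""
    flows = [Flow(1000, "203.0.113.7", "10.10.0.5", 23)]
    flows += [Flow(1000 + i * 5, "10.10.0.5", "198.51.100.9", 6667) for i in range(7)]
    flows.append(Flow(1000 + WINDOW_SECONDS + 100, "10.10.0.5", "198.51.100.9", 6667))
    return flows


if __name__ == "__main__":
    decisions, policy = run_policy(sample_flows())
    for entry, decision in zip(policy.log, decisions):
        print(decision, entry)
```

With the constructed limit of 5, the first five outbound attempts are allowed and logged, the sixth and seventh are blocked, and the attempt an hour later is allowed again because the window has slid past the earlier timestamps; the log is what the data-capture stage would hand to the database system 9.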
The control terminal of the monitoring terminal 3 is connected to a monitoring management system 4. The data capture requirement is realized through the monitoring management system 4 and is completed jointly by the honeynet gateway 101 and the honeypot virtual group 102 preset in the honeypot hosts: packets entering the honeynet are alerted on according to rules and alarm logs are generated, while the original traffic packets are also captured and netflow flow data is generated. In each honeypot host a self-hiding host behavior monitoring module is installed; it records and logs the various changes inside the honeypot host, such as network connection changes, process changes, registry changes and file changes, captures sample files, and transmits them to the honeynet gateway using a covert transmission technique over a hidden protocol, from where they are finally sent to the log server.
The monitoring terminal 3 is mainly used for communication between the components of the information network active early warning system. The administrator of the active early warning system accesses the system management region from the management area and performs daily management and log analysis through the web-based management interface of the monitoring management system.
Further, the data analysis system 5 comprises a data capture module 501 and an intrusion detection module 502. The data capture module 501 works in an Ethernet environment; because Ethernet transmits data by broadcast, the network card can capture the packets transmitted on the Ethernet by listening to the broadcast, which provides the basic data source for the implementation of the system. The output end of the data capture module 501 is connected to a parsing module 503; the captured packets are forwarded by the parsing module 503 through the underlying driver of the operating system to the system protocol stack, where the captured raw packets are decoded and analyzed in bottom-up order through the protocol stack, serving the processing of the subsequent modules. The signal end of the parsing module 503 is connected to a recombination conversion module 504, which processes the packets obtained from the decoding module. The output end of the recombination conversion module 504 is connected to the intrusion detection module 502, which performs rule matching on the converted packets to detect many different kinds of intrusion behavior; by continuously inspecting the network system it finds threats and weaknesses of the system and lays the technical foundation for early warning, response and tracing.
The output end of the intrusion detection module 502 is connected respectively to a tracing module 505 and a warning module 506, and the input end of the intrusion detection module 502 is connected to a rule processing module 507. The rule processing module 507 comprises a rule matching module 508 and a rule file detection module 509, and the output end of the rule file detection module 509 is connected to the rule matching module 508. In rule matching, the rule file must first be loaded: the rule file is the knowledge base of network attacks, and only when the library contains rules can network intrusion behavior be recognized. Next the rule file is parsed, a rule tree is built, and rule matching is performed.
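The chain described above (capture a frame, decode it bottom-up through the protocol stack, load a rule file into a rule tree, then match each decoded packet against the tree) is shown below as an added example written for this page; it is not code from the patent. The patent does not specify its rule language or packet formats, so the rule-file syntax, the signature names and the test frames are constructed assumptions; the decoder handles Ethernet, IPv4 and TCP only.

```python
"""Bottom-up packet decoding and rule-tree matching (added example, not from the patent).

Decodes an Ethernet frame layer by layer (Ethernet -> IPv4 -> TCP -> payload), loads a
constructed rule file into a tree keyed by protocol and destination port, and reports
which signatures each packet matches.
"""
import struct
from collections import defaultdict

# Constructed rule file: <proto> <dst port|any> "<content>" <signature name>
RULE_FILE = """\
# knowledge base of signatures (constructed for this example)
tcp 21  "USER anonymous"  FTP_ANONYMOUS_LOGIN
tcp 80  "<script>"        WEB_SCRIPT_TAG
tcp any "cmd.exe"         WIN_SHELL_REFERENCE
"""


def load_rules(text: str):
    """Parse the rule file into a tree: proto -> dst port (None means any) -> [(content, name)]."""
    tree = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, port, rest = line.split(maxsplit=2)
        content, name = rest.rsplit(maxsplit=1)
        key = None if port == "any" else int(port)
        tree[proto][key].append((content.strip().strip('"').encode(), name))
    return tree


def decode(frame: bytes) -> dict:
    """Decode bottom-up; returns proto 'tcp' with addresses, ports and payload, else 'other'."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:                       # not IPv4
        return {"proto": "other"}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip = ip[:total_len]                           # drop any Ethernet padding
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    if ip[9] != 6:                                # protocol field: 6 is TCP
        return {"proto": "other", "src": src, "dst": dst}
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return {"proto": "tcp", "src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": tcp[data_off:]}


def match(tree, pkt: dict) -> list:
    """Walk the rule tree: port-specific rules first, then the 'any'-port rules."""
    if pkt["proto"] not in tree:
        return []
    by_port = tree[pkt["proto"]]
    hits = []
    for key in (pkt["dport"], None):
        for content, name in by_port.get(key, []):
            if content in pkt["payload"]:
                hits.append(name)
    return hits


def build_tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame for testing (checksums left at zero)."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def scan(frames, rules_text: str = RULE_FILE) -> list:
    """Decode every frame and return (src, dst, dport, matched signatures) for TCP packets."""
    tree = load_rules(rules_text)
    results = []
    for frame in frames:
        pkt = decode(frame)
        if pkt["proto"] == "tcp":
            results.append((pkt["src"], pkt["dst"], pkt["dport"], match(tree, pkt)))
    return results


if __name__ == "__main__":
    sample = [build_tcp_frame("203.0.113.7", "10.10.0.5", 40001, 80, b"GET /?q=<script>x</script> HTTP/1.1")]
    print(scan(sample))
```

The rule tree is what makes loading the rule file a separate step from matching: rules are grouped once by protocol and port, so each packet only walks the small branch that applies to it plus the port-independent rules.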
Further, the warning module 506 identifies and records intrusions and destructive access operations by monitoring the network data flow, and finds network violation patterns and unauthorized network access attempts. When a network violation pattern or an unauthorized network access attempt is found, the early warning system reacts according to the system security policy: by analyzing and processing the data, the system determines the alert level, provides several alarm modes, classifies the threat events, determines the threat source, and counts and analyzes the threats.
Further, the data analysis system 5 collects all kinds of data and logs through the log server, including network logs, host logs, original traffic packets, flow data, sample files and so on, performs correlation analysis on them and, combined with further offline analysis techniques, fulfils the "data analysis" requirement of the honeynet.
Further, the warning module 506 comprises a master controller 510; the signal end of the master controller 510 is connected to a threshold setting module 511, the signal end of the threshold setting module 511 is connected to a program setting module 512, and the signal end of the master controller 510 is connected to the parsing module 503.
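The warning module's behaviour described above (count events per threat source, classify them by signature, and derive an alert level from thresholds of the kind the threshold setting module 511 holds) is illustrated by the following added example, written for this page and not taken from the patent. The alarm-log line format, the three levels and their thresholds, and the log lines themselves are constructed assumptions.

```python
"""Alarm-log assessment with configurable thresholds (added example, not from the patent).

Parses alarm log lines of the kind the data capture stage generates, counts events per
threat source and per signature, records the distinct targets each source touched, and
assigns an alert level from a threshold table. Format, thresholds and lines are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed alarm log (one line per matched rule); the last line is deliberately malformed.
ALARM_LOG = """\
2018-03-01T10:00:01 alert src=203.0.113.7 dst=10.10.0.5 dport=21 sig=FTP_ANONYMOUS_LOGIN
2018-03-01T10:00:04 alert src=203.0.113.7 dst=10.10.0.5 dport=80 sig=WEB_SCRIPT_TAG
2018-03-01T10:00:05 alert src=203.0.113.7 dst=10.10.0.6 dport=80 sig=WEB_SCRIPT_TAG
2018-03-01T10:00:09 alert src=203.0.113.7 dst=10.10.0.7 dport=80 sig=WEB_SCRIPT_TAG
2018-03-01T10:00:12 alert src=203.0.113.7 dst=10.10.0.5 dport=4444 sig=WIN_SHELL_REFERENCE
2018-03-01T10:00:15 alert src=203.0.113.7 dst=10.10.0.5 dport=4444 sig=WIN_SHELL_REFERENCE
2018-03-01T10:02:00 alert src=198.51.100.9 dst=10.10.0.5 dport=80 sig=WEB_SCRIPT_TAG
this line is not an alert and must be ignored
"""

# Constructed thresholds: minimum event count for each level (what module 511 would store).
THRESHOLDS = {"critical": 20, "warning": 5, "notice": 1}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) alert src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) sig=(?P<sig>\S+)$"
)


def parse_line(line: str):
    """Return the fields of one alarm line, or None if the line is not a well-formed alert."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def level_for(count: int, thresholds=THRESHOLDS) -> str:
    """Highest level whose minimum count is reached; 'none' below the lowest threshold."""
    for name, minimum in sorted(thresholds.items(), key=lambda kv: kv[1], reverse=True):
        if count >= minimum:
            return name
    return "none"


def assess(log_text: str, thresholds=THRESHOLDS) -> dict:
    """Per source: event count, signature breakdown, distinct targets and resulting alert level."""
    per_src = defaultdict(lambda: {"count": 0, "signatures": Counter(), "targets": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                      # malformed lines never raise the level
        s = per_src[ev["src"]]
        s["count"] += 1
        s["signatures"][ev["sig"]] += 1
        s["targets"].add(ev["dst"])
    for s in per_src.values():
        s["level"] = level_for(s["count"], thresholds)
    return dict(per_src)


if __name__ == "__main__":
    for src, summary in assess(ALARM_LOG).items():
        print(src, summary["level"], summary["count"], dict(summary["signatures"]))
```

Keeping the thresholds in a separate table is what lets the program setting module adjust sensitivity without touching the parsing or counting logic; in the constructed log the first source crosses the warning threshold while the second stays at notice.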
Further, the tracing module 505 uses information tracing technology; its goal is to determine the trace left by the attacker or intruder, locate the position of the attack source, and infer the route the attacker took through the network.
Further, the monitoring management system 4 comprises a database decision support system 406, which comprises a data source module 403 and a data warehouse module 402. The data source module 403 is mainly used to collect the network data of the wide area network, that is, the raw data received; its signal end is connected to the data capture module 501, and its output end is connected to an intermediate database module 405. The intermediate database module 405 is mainly responsible for processing the text files of the raw data, eliminating dirty data and storing the result in the intermediate database, so as to provide standardized data for the subsequent modules.
Further, the output end of the data source module 403 is connected to the data warehouse module 402 through a data flow; the signal end of the intermediate database module 405 is connected to a data increment update module 404, and the signal end of the data increment update module 404 is connected to the data warehouse module 402; the output end of the data warehouse module 402 is connected to a host analysis processing module 401, the output end of the host analysis processing module 401 is connected to the warning module 503, and the signal end of the host analysis processing module 401 is connected to the intermediate database module 405 through a data flow.
The data increment update module 404 realizes the incremental update of the cube in the data warehouse. Network data is real-time, but in the security early warning system a periodic method is used for the data in the data warehouse used for analysis: in each cycle a new group of structured text files is generated, the system adds the data in these files to the intermediate database and then performs the incremental update of the data warehouse. In the present system the data warehouse is updated incrementally with a period of one day.
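The daily cycle just described (a new group of structured text files per day, dirty rows eliminated on the way into the intermediate database, and the cleaned rows added incrementally to the warehouse cube) is shown in the following added example written for this page; it is not code from the patent. The CSV layout, the dimensions and measure of the cube, and the rows themselves are constructed assumptions.

```python
"""Daily incremental update of a data-warehouse cube (added example, not from the patent).

Each day's structured text file is cleaned (intermediate database step), then its rows are
added to a cube whose dimensions are (date, src, signature) and whose measure is an event
count. Loading a day twice is a no-op so a re-run cannot double count. Data is constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed daily structured text files (CSV), one per cycle.
DAILY_FILES = {
    "2018-03-01": (
        "date,src,signature,events\n"
        "2018-03-01,203.0.113.7,FTP_ANONYMOUS_LOGIN,1\n"
        "2018-03-01,203.0.113.7,WEB_SCRIPT_TAG,3\n"
        "2018-03-01,,WEB_SCRIPT_TAG,1\n"                 # dirty: missing source
        "2018-03-01,198.51.100.9,WEB_SCRIPT_TAG,n/a\n"   # dirty: non-numeric measure
        "2018-03-01,198.51.100.9,WEB_SCRIPT_TAG,1\n"
    ),
    "2018-03-02": (
        "date,src,signature,events\n"
        "2018-03-02,203.0.113.7,WIN_SHELL_REFERENCE,2\n"
        "2018-03-03,203.0.113.7,WEB_SCRIPT_TAG,1\n"      # dirty: date outside this cycle
    ),
}


def clean(day: str, text: str) -> list:
    """Intermediate database step: keep only well-formed rows that belong to this cycle."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        if r["date"] != day or not r["src"] or not r["signature"]:
            continue
        try:
            events = int(r["events"])
        except (ValueError, TypeError):
            continue
        rows.append({"date": r["date"], "src": r["src"],
                     "signature": r["signature"], "events": events})
    return rows


class Cube:
    """Measure 'events' over the dimensions (date, src, signature), updated one day at a time."""

    def __init__(self):
        self.cells = defaultdict(int)
        self.loaded_days = set()

    def update(self, day: str, rows: list) -> int:
        """Add one cycle's cleaned rows; returns the number of rows applied (0 if already loaded)."""
        if day in self.loaded_days:
            return 0
        for r in rows:
            self.cells[(r["date"], r["src"], r["signature"])] += r["events"]
        self.loaded_days.add(day)
        return len(rows)

    def measure(self, date=None, src=None, signature=None) -> int:
        """Sum of the measure over all cells matching the given dimension values."""
        total = 0
        for (d, s, g), v in self.cells.items():
            if (date is None or d == date) and (src is None or s == src) \
                    and (signature is None or g == signature):
                total += v
        return total


def run_daily_cycles(files=DAILY_FILES) -> Cube:
    """Run the periodic update over every day's file in date order."""
    cube = Cube()
    for day in sorted(files):
        cube.update(day, clean(day, files[day]))
    return cube


if __name__ == "__main__":
    cube = run_daily_cycles()
    print("total events:", cube.measure(), "| WEB_SCRIPT_TAG:", cube.measure(signature="WEB_SCRIPT_TAG"))
```

Of the seven constructed rows, three are rejected by the cleaning step (missing source, non-numeric measure, wrong date), so the cube holds four rows and seven events in total; the host analysis processing module 401 would read the same cells back by dimension to display them.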
Further, the host analysis processing module 401 realizes the display of the cube information, dimension information and measure values of the data warehouse.
It is obvious to a person skilled in the art that the invention is not limited to the details of the above exemplary embodiments, and that the present invention can be realized in other specific forms without departing from the spirit or essential attributes of the invention. Therefore, from whatever point of view, the embodiments are to be considered as illustrative and not restrictive, and the scope of the present invention is limited by the appended claims rather than by the above description; it is intended that all variations falling within the meaning and range of equivalents of the claims are included within the present invention. Any reference signs in the claims should not be construed as limiting the claims concerned.

Claims (9)

1. An information security early warning system for a teaching network, comprising a honeynet host (1), a data analysis server (2) and a monitoring terminal (3), characterized in that: the signal end of the honeynet host (1) is connected to a wireless router (6); the signal end of the wireless router (6) is connected to the data analysis server (2), and the signal end of the wireless router (6) is also connected to the monitoring terminal (3); the honeynet host (1) comprises a honeynet gateway (101) and a honeypot virtual group (102), and the interaction port of the honeynet gateway (101) is connected to the honeypot virtual group (102); the signal end of the honeynet host (1) is also connected to a data analysis system (5), the data terminal of the honeynet host (1) is also connected to a database system (9), and the control terminal of the monitoring terminal (3) is connected to a monitoring management system (4);
the data analysis system (5) comprises a data capture module (501) and an intrusion detection module (502); the output end of the data capture module (501) is connected to a parsing module (503), the signal end of the parsing module (503) is connected to a recombination conversion module (504), the output end of the recombination conversion module (504) is connected to the intrusion detection module (502), and the output end of the intrusion detection module (502) is connected respectively to a tracing module (505) and a warning module (506).
2. The information security early warning system for a teaching network according to claim 1, characterized in that: the input end of the intrusion detection module (502) is connected to a rule processing module (507).
3. The information security early warning system for a teaching network according to claim 2, characterized in that: the rule processing module (507) comprises a rule matching module (508) and a rule file detection module (509), and the output end of the rule file detection module (509) is connected to the rule matching module (508).
4. The information security early warning system for a teaching network according to claim 1, characterized in that: the signal end of the wireless router (6) is also connected respectively to a monitoring management server (7) and a database server (8).
5. The information security early warning system for a teaching network according to claim 1, characterized in that: the warning module (506) comprises a master controller (510); the signal end of the master controller (510) is connected to a threshold setting module (511), the signal end of the threshold setting module (511) is connected to a program setting module (512), and the signal end of the master controller (510) is connected to the parsing module (503).
6. The information security early warning system for a teaching network according to claim 1, characterized in that: the monitoring management system (4) comprises a database decision support system (406); the database decision support system (406) comprises a data source module (403) and a data warehouse module (402); the signal end of the data source module (403) is connected to the data capture module (501), the output end of the data source module (403) is connected to an intermediate database module (405), and the output end of the data source module (403) is connected to the data warehouse module (402) through a data flow.
7. The information security early warning system for a teaching network according to claim 6, characterized in that: the signal end of the intermediate database module (405) is connected to a data increment update module (404), and the signal end of the data increment update module (404) is connected to the data warehouse module (402).
8. The information security early warning system for a teaching network according to claim 1, characterized in that: the output end of the data warehouse module (402) is connected to a host analysis processing module (401), and the output end of the host analysis processing module (401) is connected to the warning module (503).
9. The information security early warning system for a teaching network according to claim 1, characterized in that: the signal end of the host analysis processing module (401) is connected to the intermediate database module (405) through a data flow.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711466279.2A CN108366088A (en) 2017-12-28 2017-12-28 A kind of information security early warning system for Instructing network

Publications (1)

Publication Number Publication Date
CN108366088A true CN108366088A (en) 2018-08-03

Family

ID=63010788

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109495470A (en) * 2018-11-12 2019-03-19 常熟理工学院 A kind of network information risk safe early warning method and server and system
CN111385308A (en) * 2020-03-19 2020-07-07 上海沪景信息科技有限公司 Security management method, device, equipment and computer readable storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101567887A (en) * 2008-12-25 2009-10-28 中国人民解放军总参谋部第五十四研究所 Vulnerability simulation overload honeypot method
CN102685147A (en) * 2012-05-31 2012-09-19 东南大学 Mobile communication honeypot capturing system and implementation method thereof
CN102790778A (en) * 2012-08-22 2012-11-21 常州大学 DDos (distributed denial of service) attack defensive system based on network trap
CN103561004A (en) * 2013-10-22 2014-02-05 西安交通大学 Cooperative type active defense system based on honey nets
US20140359708A1 (en) * 2013-06-01 2014-12-04 General Electric Company Honeyport active network security
CN105282170A (en) * 2015-11-04 2016-01-27 国网山东省电力公司电力科学研究院 Information security offense and defense drill competition system for power industry

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180803