Summary of the invention
The technical problem to be solved by the present invention is to overcome the deficiencies of the existing technology by providing a network protection software method that includes rule self-updating and feature identification.
In order to solve the above technical problem, the invention adopts the following technical scheme.
The present invention provides a network protection software method based on the Linux kernel, comprising the following steps:
after the control module reads the defined rules, it sends a start command to the kernel module according to the predetermined rules; specifically:
when the protection mode selected by the rules received by the control module is simple filtering protection and/or feature identification protection, the control module sends a simple filtering protection start command and/or a feature identification protection start command to the kernel module;
after the kernel module receives the simple filtering protection start command, it monitors data packets: a packet that matches an allow rule is passed, and a packet that matches a block rule is blocked;
after the kernel module receives the feature identification protection start command, it captures sent and received data packets according to the predetermined rules and delivers the packets to the monitoring module in the user-space layer;
a feature library module is set in the user-space layer; the feature library module stores sample feature data and provides a data feature comparison function for the monitoring module;
after the monitoring module receives a data packet, it compares the packet with the features in the feature library module. It first determines the application type of the packet; if the application type matches a block rule, the monitoring module sends a block notice to the kernel module to stop the packet. It then detects whether the packet is abnormal; if the packet is abnormal, the monitoring module likewise sends a block notice to the kernel module to stop the packet, adds the IP of the abnormal packet to the block rules, and notifies the control module to apply the new rule;
after the kernel module receives the block notice from the monitoring module, it decides whether to allow or block the packet.
Further, after the monitoring module detects an abnormal data packet, it sends the abnormal data packet to the control module, and the control module saves the abnormal data packet in the storage module.
Further, the monitoring module records a monitoring log and sends the monitoring log to the control module, and the control module saves the monitoring log in the storage module.
Further, after the control module reads the defined rules, it saves the rules in the storage module.
Further, the defined rules include configuration information and rule entries.
Further, a display module is provided to offer a visual interface for operation and to display attack/defense behavior and traffic information.
On the other hand, the present invention provides a network protection software system based on the Linux kernel, comprising:
a control module, for sending a start command to the kernel module according to the predetermined rules after reading the defined rules; specifically: when the protection mode selected by the received rules is simple filtering protection and/or feature identification protection, the control module sends a simple filtering protection start command and/or a feature identification protection start command to the kernel module;
a kernel module, for monitoring data packets after receiving the simple filtering protection start command: a packet that matches an allow rule is passed, and a packet that matches a block rule is blocked; the kernel module is further configured, after receiving the feature identification protection start command, to capture sent and received data packets according to the predetermined rules and deliver the packets to the monitoring module in the user-space layer; the kernel module is further configured, after receiving a block notice from the monitoring module, to decide whether to allow or block the packet;
a feature library module, set in the user-space layer, for storing sample feature data and providing a data feature comparison function for the monitoring module;
a monitoring module, for comparing a received data packet with the features in the feature library module: it first determines the application type of the packet, and if the application type matches a block rule it sends a block notice to the kernel module to stop the packet; it then detects whether the packet is abnormal, and if so it likewise sends a block notice to the kernel module to stop the packet, adds the IP of the abnormal packet to the block rules, and notifies the control module to apply the new rule;
a storage module, which is the set of database and file storage, for saving configuration information, rule entries, monitoring logs and abnormal data packets.
Preferably, the system further comprises:
a display module, for providing a visual interface for operation and displaying attack/defense behavior and traffic information.
Further preferably,
the monitoring module is further configured to send a detected abnormal data packet to the control module, and the control module saves the abnormal data packet in the storage module;
the monitoring module is further configured to record a monitoring log and send the monitoring log to the control module.
Advantageous effects of the invention: the present invention overcomes the single-function limitation of traditional Linux network security software, adds rule self-updating and feature identification functions, and at the same time compensates for the lack of application analysis, thereby comprehensively ensuring the network security of the Linux system.
Specific embodiment: referring to Fig. 1, a network protection software system based on the Linux kernel is provided, comprising:
a control module, for sending a start command to the kernel module according to the predetermined rules after reading the defined rule information; the rule information includes a pre-selected network protection mode, the protection mode including simple filtering protection and feature identification protection; specifically: when the protection mode selected by the received rules is simple filtering protection and/or feature identification protection, the control module sends a simple filtering protection start command and/or a feature identification protection start command to the kernel module;
a kernel module, for monitoring data packets after receiving the simple filtering protection start command: a packet that matches an allow rule is passed, and a packet that matches a block rule is blocked; the kernel module is further configured, after receiving the feature identification protection start command, to capture sent and received data packets according to the predetermined rules and deliver the packets to the monitoring module in the user-space layer; the kernel module is further configured, after receiving a block notice from the monitoring module, to decide whether to allow or block the packet;
a feature library module, set in the user-space layer, for storing sample feature data and providing a data feature comparison function for the monitoring module;
a monitoring module, for comparing a received data packet with the features in the feature library module: it first determines the application type of the packet, and if the application type matches a block rule it sends a block notice to the kernel module to stop the packet; it then detects whether the packet is abnormal, and if so it likewise sends a block notice to the kernel module to stop the packet, adds the IP of the abnormal packet to the block rules, and notifies the control module to apply the new rule;
a storage module, which is the set of database and file storage, for saving configuration information, rule entries, monitoring logs and abnormal data packets;
a display module, for providing a visual interface for operation and displaying attack/defense behavior and traffic information; the rule information is defined through the visual interface of the display module and can be read by the control module.
It is further described below:
The embodiment of Fig. 1 is implemented in software and follows a modular design; as shown in Fig. 1, it consists of six parts: the kernel module, the monitoring module, the feature library module, the control module, the display module and the storage module.
The kernel module is implemented on the netfilter framework of the Linux kernel. netfilter is the network filtering framework of the Linux kernel: all network packets of the operating system flow through netfilter for processing. As shown in Fig. 1, it comprises five hook points in total: PRE_ROUTING, POST_ROUTING, FORWARD, LOCAL_IN and LOCAL_OUT (NF_INET_PRE_ROUTING and so on in the kernel headers). A hook function is registered at each hook point, and the corresponding hook function is called when a packet passes that point. The core functions of the network protection are registered at the netfilter hook points, so that packets can be screened, captured, filtered and blocked.
The monitoring module runs in the user-space layer and is responsible for monitoring, analyzing and handling the network. It receives network packets from the kernel layer according to certain rules, analyzes the protocol, content and traffic of the packets, determines the application type of the packets and whether they are normal by comparison with the feature library, discovers potential security risks early and takes effective measures.
The feature library runs in the user-space layer and stores a large amount of sample data; it provides the data feature comparison function for the analysis module and is the cornerstone of the analysis.
The control module runs in the user-space layer and is responsible for managing and controlling the other modules, for example by defining rules.
The display module uses a B/S (browser/server) architecture, provides a visual interface for operation, and displays information such as attack/defense behavior and traffic.
The storage module is the set of database and file storage, used to save configuration information, rule entries, monitoring logs and abnormal data packets. The display module and the storage module are optional modules that further optimize the system function.
Traditional packet filtering rules generally comprise protocol, IP address, port and action; the technical scheme extends this with support for application analysis, including application type, abnormal data detection and flexible configuration.
Referring to Fig. 2 for the Linux kernel architecture: netfilter is a generic framework in the Linux kernel that provides a series of "tables"; each table consists of several "chains", and each chain may consist of one or several "rules" (this table/chain/rule model is the one exposed by iptables on top of the netfilter hook points). That is, netfilter is the container of tables, a table is the container of chains, and a chain is the container of rules. The system's default table is "filter", which contains three chains: INPUT, FORWARD and OUTPUT. Each chain may contain one or several rules, and each rule is defined in the form "if the packet header meets such a condition, handle the packet in such a way". When a packet reaches a chain, the system checks from the first rule whether the packet meets the condition defined in that rule; if it does, the system processes the packet according to the method defined in the rule; if it does not, the system continues to check the next rule. Finally, if the packet matches none of the rules in the chain, the system handles the packet according to the chain's predetermined policy.
Another embodiment provides a network protection software method based on the Linux kernel, comprising:
The protection scheme of the invention is designed with two modes, simple filtering protection and feature identification protection. The two modes can be used alone or in combination; the choice of mode depends on the specifically defined rules, so a rule definition includes whether the protection strategy to be used is simple filtering protection or feature identification protection.
Protection rule definition process
1) rules are defined through the operation interface of the display module;
2) after receiving the rules from the display module, the control module saves them in the storage module and sends a notice to the kernel module and the monitoring module so that they run according to the newly defined rules.
Simple filtering protection is consistent with the traditional packet filtering principle: the kernel module inspects the packet and, if it matches an allow rule, passes it; if it matches a block rule, blocks it. Traditional packet filtering rules generally comprise protocol, IP address, port and action; the technical scheme extends this with support for application analysis, including application type, abnormal data detection and flexible configuration.
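The chain semantics described for the "filter" table (first matching rule decides, otherwise the chain policy applies) and the simple filtering protection mode are modeled below in user space. This is an added example, not code from the patent or from any implementation of it; the rule fields follow the ones the text lists (protocol, IP address, port, action) plus the application-type extension, and all rule contents, addresses and names (Packet, Rule, Chain, build_input_chain) are constructed for illustration.

```python
"""Added example: user-space model of netfilter/iptables chain evaluation and
of the simple filtering protection mode.  A chain is an ordered rule list;
the first rule whose conditions all match decides the packet when its action
is terminating (ACCEPT/DROP); a non-terminating action (LOG) records the
packet and evaluation continues; a packet matching no rule gets the chain
policy.  All rules and addresses are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

ACCEPT, DROP, LOG = "ACCEPT", "DROP", "LOG"
TERMINATING = {ACCEPT, DROP}


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source IP address
    dst: str                     # destination IP address
    dport: Optional[int] = None  # destination port (None for icmp)
    app: Optional[str] = None    # application type, if the monitoring module set one


@dataclass
class Rule:
    """One rule: every field that is not None must match; action is the target."""
    action: str
    proto: Optional[str] = None
    src: Optional[str] = None    # CIDR, e.g. "10.0.0.0/8"
    dst: Optional[str] = None
    dport: Optional[int] = None
    app: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.app is not None and pkt.app != self.app:
            return False
        return True


@dataclass
class Chain:
    name: str
    policy: str                                   # verdict when no rule matches
    rules: List[Rule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)  # entries written by LOG rules

    def verdict(self, pkt: Packet) -> str:
        # Rules are checked in order, starting from the first one.
        for index, rule in enumerate(self.rules):
            if not rule.matches(pkt):
                continue
            if rule.action in TERMINATING:
                return rule.action
            # LOG is non-terminating: record the packet and keep checking.
            self.log.append(f"{self.name} rule {index}: {pkt.proto} "
                            f"{pkt.src}->{pkt.dst}:{pkt.dport}")
        return self.policy


def build_input_chain() -> Chain:
    """INPUT chain with a default-deny policy (constructed rule set)."""
    chain = Chain("INPUT", policy=DROP)
    chain.rules = [
        Rule(ACCEPT, proto="tcp", src="10.0.0.0/8", dport=22),  # SSH from the internal net only
        Rule(LOG, proto="tcp", dport=23),                        # log telnet attempts ...
        Rule(DROP, proto="tcp", dport=23),                       # ... then drop them
        Rule(DROP, app="p2p"),                                   # application-type extension
        Rule(ACCEPT, proto="tcp", dport=80),                     # web traffic from anywhere
    ]
    return chain


if __name__ == "__main__":
    chain = build_input_chain()
    for pkt in (Packet("tcp", "10.1.2.3", "10.0.0.1", 22),
                Packet("tcp", "203.0.113.9", "10.0.0.1", 23),
                Packet("tcp", "203.0.113.9", "10.0.0.1", 80, app="p2p"),
                Packet("icmp", "203.0.113.9", "10.0.0.1")):
        print(pkt, "->", chain.verdict(pkt))
    print("log:", chain.log)
```

Two details of the real thing that the model keeps: rule order matters (the LOG rule must precede the DROP rule for telnet to be both logged and dropped), and only built-in chains carry a policy, so a default-deny policy is the safety net for anything the rule list does not name. The application-type field is only meaningful once the monitoring module has classified the packet, which is why the patent runs that classification in user space rather than in the hook itself.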
Feature identification protection is realized on the basis of deep detection using the feature library in the feature library module; the workflow is shown in Fig. 3.
1) The kernel module captures sent and received packets according to the predetermined rules, delivers the packets to the monitoring module in user space, and waits for the analysis result;
2) On receiving a packet, the monitoring module immediately compares it with the feature library and determines the application type of the packet and whether it is abnormal. There are two security checks here: the application type is detected first, and if the application type matches a block rule the monitoring module sends a block notice to the kernel module to stop the packet; then it detects whether the packet is abnormal, and if so it likewise performs the blocking operation. Only for a packet that passes the application type rule check and is found normal by abnormal data detection does the monitoring module send an allow notice to the kernel module;
3) After the kernel module receives the notice from the monitoring module, it decides whether to allow or block the packet;
4) After detecting an abnormal packet, the monitoring module notifies the control module, and the control module stores the abnormal packet in the storage module.
At the same time, after detecting abnormal packets the monitoring module updates the rules according to the circumstances; for example, when some IP sends abnormal packets to a Linux machine, the monitoring module blocks the packets immediately upon detecting this and adds the IP to the block rules.
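The workflow of Fig. 3 and the rule self-update just described are modeled below as an added example; it is not code from the patent or from any implementation of it. The kernel module is simulated by a function that applies the current block rules and otherwise hands the packet to the monitoring module and waits for the verdict; the monitoring module runs the two checks in the stated order (application type against the block rules, then abnormal data detection), reports abnormal packets to a control-module stand-in, and adds the offending IP to the block rules. The feature library contents, the packets and addresses, and the names ControlModule, MonitoringModule, kernel_hook and run_demo are constructed assumptions.

```python
"""Added example: user-space model of the feature identification protection
workflow (application-type check, then abnormal data detection) with the
rule self-update that blocks the source IP of an abnormal packet.  Feature
library contents, traffic and addresses are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

ALLOW, BLOCK = "ALLOW", "BLOCK"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    payload: bytes


# Feature library module: sample features for application types and for
# abnormal payloads (constructed; a real library would be far larger).
APP_FEATURES = {
    "http": [b"GET ", b"POST ", b"HTTP/1."],
    "ssh": [b"SSH-2.0-"],
    "bittorrent": [b"\x13BitTorrent protocol"],
}
ABNORMAL_FEATURES = [
    b"' OR 1=1",                # SQL injection fragment
    b"\x90" * 16,               # NOP sled
    b"../../../../etc/passwd",  # path traversal
]


@dataclass
class ControlModule:
    """Stand-in for the control module: receives abnormal packets and log
    entries destined for the storage module and applies new rules."""
    block_rules: Set[str] = field(default_factory=set)   # blocked source IPs
    abnormal_packets: List[Packet] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def apply_rule(self, ip: str) -> None:
        self.block_rules.add(ip)
        self.log.append(f"new block rule: {ip}")


class MonitoringModule:
    def __init__(self, control: ControlModule, blocked_apps: Set[str]):
        self.control = control
        self.blocked_apps = blocked_apps

    def application_type(self, payload: bytes) -> str:
        for app, signatures in APP_FEATURES.items():
            if any(sig in payload for sig in signatures):
                return app
        return "unknown"

    def is_abnormal(self, payload: bytes) -> bool:
        return any(sig in payload for sig in ABNORMAL_FEATURES)

    def inspect(self, pkt: Packet) -> str:
        # Check 1: application type against the block rules.
        app = self.application_type(pkt.payload)
        if app in self.blocked_apps:
            self.control.log.append(f"blocked {app} from {pkt.src_ip}")
            return BLOCK
        # Check 2: abnormal data detection; on a hit, hand the packet to the
        # control module and self-update the rules so the kernel blocks the
        # source on its own from now on.
        if self.is_abnormal(pkt.payload):
            self.control.abnormal_packets.append(pkt)
            self.control.apply_rule(pkt.src_ip)
            return BLOCK
        return ALLOW


def kernel_hook(pkt: Packet, control: ControlModule, monitor: MonitoringModule) -> str:
    """Simulated kernel module: block rules are applied in the kernel without
    user-space involvement; every other packet is captured, delivered to the
    monitoring module and held until its verdict arrives."""
    if pkt.src_ip in control.block_rules:
        return BLOCK
    return monitor.inspect(pkt)


def run_demo() -> Tuple[List[str], ControlModule]:
    control = ControlModule()
    monitor = MonitoringModule(control, blocked_apps={"bittorrent"})
    packets = [  # constructed traffic
        Packet("203.0.113.5", 80, b"GET /index.html HTTP/1.1\r\n"),
        Packet("203.0.113.5", 6881, b"\x13BitTorrent protocol" + b"\x00" * 8),
        Packet("198.51.100.7", 80, b"GET /login?user=a' OR 1=1-- HTTP/1.1\r\n"),
        Packet("198.51.100.7", 80, b"GET /index.html HTTP/1.1\r\n"),  # blocked by the new rule
        Packet("203.0.113.5", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ]
    return [kernel_hook(p, control, monitor) for p in packets], control


if __name__ == "__main__":
    verdicts, control = run_demo()
    print(verdicts)
    print(control.log)
```

Two caveats a practitioner would weigh before deploying this design: because the kernel holds each captured packet until user space answers, the monitoring module sits on the data path, so its crash or slowness must be handled as an explicit fail-open or fail-closed decision (iptables' NFQUEUE target, for instance, drops queued packets when no user-space listener is present unless --queue-bypass is given); and because a single abnormal packet is enough to add its source IP to the block rules, an attacker who can spoof source addresses can make the system block legitimate peers, so the self-update should carry thresholds, expiry and allow-listing of critical addresses.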
The present invention uses the netfilter framework of the Linux kernel to improve the overall network protection capability of the Linux system; this is an original concept and should be protected. The present invention overcomes the single-function limitation of traditional Linux network security software, adds rule self-updating and feature identification functions, and at the same time compensates for the lack of application analysis, thereby comprehensively ensuring the network security of the Linux system.
It should be understood by those skilled in the art that the embodiments of the present application may be provided as a method, a system or a computer program product. Therefore, the present application may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM and optical memory) that contain computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, so that a series of operation steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The embodiments of the present invention have been described above in conjunction with the accompanying drawings, but the invention is not limited to the above specific embodiments. The above embodiments are only illustrative and not restrictive; those skilled in the art, under the inspiration of the present invention and without departing from the purpose of the invention and the scope protected by the claims, can make many further forms, all of which fall within the protection of the present invention.