CN110290147A - Safe penetration defence method, device and equipment - Google Patents


Info

Publication number: CN110290147A
Application number: CN201910602330.0A
Authority: CN (China)
Prior art keywords: network flow, access, data, preset, protocol
Legal status: Pending (the legal status shown is an assumption, not a legal conclusion; Google has not performed a legal analysis of it)
Other languages: Chinese (zh)
Inventor: 伏明明
Current assignee: Shanghai Tunji Network Technology Co Ltd (listed assignees may be inaccurate)
Original assignee: Shanghai Tunji Network Technology Co Ltd
Priority application: CN201910602330.0A


Classifications

    • H: Electricity
        • H04: Electric communication technique
            • H04L: Transmission of digital information, e.g. telegraphic communication
                • H04L63/00: Network architectures or network communication protocols for network security
                    • H04L63/10: Controlling access to devices or network resources
                        • H04L63/101: Access control lists [ACL]
                    • H04L63/14: Detecting or protecting against malicious traffic
                        • H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
                        • H04L63/1441: Countermeasures against malicious traffic
                    • H04L63/16: Implementing security features at a particular protocol layer
                    • H04L63/20: Managing network security; network security policies in general
                        • H04L63/205: Involving negotiation or determination of the network security mechanisms to be used, e.g. by negotiation between client and server or between peers, or by selection according to the capabilities of the entities involved

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This application relates to a security penetration defense method, device and equipment. The method includes: obtaining an access request sent by an application system; performing application-layer protocol analysis on the network traffic corresponding to the access request, intercepting the network traffic that contains a preset protocol and allowing other network traffic to pass, where the protocol analysis is implemented with regular expressions expressed in JSON format; judging, according to preset whitelist data, whether the network traffic that passed protocol analysis satisfies a preset security access control policy; and allowing the network traffic that satisfies the security access control policy to perform data access while intercepting other network traffic. With the technical solution provided by the embodiments of this application, traditional security penetration defense based on layer 4 of the network is raised to layer 7, more flexible configuration of security access control rules becomes possible, and because access control follows a whitelist approach no exhaustive detection is required, so the protective effect against security penetration is greatly improved.

Description

Safe penetration defence method, device and equipment
Technical field
This application relates to the technical field of network security, and in particular to a security penetration defense method, device and equipment.
Background technique
With the development of network technology and the digital economy, the convenience that Internet technology brings to people's production and life has become ever more significant, but the network security problems people face have become more and more prominent as well: large-scale leaks of sensitive data occur frequently worldwide, and all kinds of security penetration attack techniques keep emerging and keep evolving. To avoid the effects of these attack techniques, the corresponding security penetration defense techniques must keep pace with them, so that ever more intense network security challenges can be met. Common security penetration defense techniques are many: firewalls, WAF, IPS, NIDS, HIDS, honeypots, bastion hosts, network traffic analysis, database auditing and so on. Usually several protection devices are deployed in an IDC (Internet Data Center) machine room and work together to protect the enterprise network.
The basic idea of security penetration defense in the related art is to configure complex access control rules of many kinds on firewalls and related security protection devices, and to apply every available technical means to detect threats and then alert and block. The core points are the configuration of security access control rules and the detection of security threats. On the one hand, security access control rules are usually configured on firewalls and network devices and are expressed mainly in two forms: regular expressions and ACLs (Access Control Lists). Specifically, traditional firewalls only support network-layer access rules, that is, five-tuple rules (source and destination address, source and destination port, protocol); on network devices, which likewise only support five-tuple rules, only the ACL form is available, so the expressive power of security access control rules is limited. In addition, system performance constrains the number of security access control rules one device can hold; configuring too many rules noticeably degrades network communication performance. On the other hand, current security threat detection is blacklist-based as a whole, which means the behavior of every request must be monitored in real time to decide whether it is abnormal. This is a task that is very hard to complete, so sacrifices in the accuracy, timeliness and coverage of security threat detection are unavoidable.
That is, related security penetration defense techniques suffer from a limited quantity and expressiveness of configurable security access control rules, and from low accuracy, timeliness and coverage of security threat detection.
Summary of the invention
The application provides a security penetration defense method, device and equipment to solve, at least to some extent, the problems present in related security penetration defense techniques: the limited quantity and expressiveness of security access control rule configuration, and the low accuracy, timeliness and coverage of security threat detection.
The above purpose of the application is achieved through the following technical solutions:
In a first aspect, an embodiment of the present application provides a security penetration defense method, comprising:
obtaining the access request sent by an application system;
performing application-layer protocol analysis on the network traffic corresponding to the access request, intercepting network traffic that contains a preset protocol and allowing network traffic that does not contain the preset protocol to pass, wherein the protocol analysis is implemented with regular expressions in JSON format;
judging, according to preset whitelist data, whether the network traffic that passed protocol analysis satisfies a preset security access control policy, wherein the preset security access control policy is generated from the preset whitelist data, and the preset whitelist data contains data of the application systems that are preset as allowed to perform data access;
allowing network traffic that satisfies the security access control policy to perform data access, and intercepting network traffic that does not satisfy the security access control policy.
Optionally, performing application-layer protocol analysis on the network traffic corresponding to the access request comprises:
forwarding, according to a pre-established mapping table between network ports and the seven-layer network protocol model, network traffic containing different network ports to the processing units that perform the corresponding protocol processing;
performing application-layer protocol analysis on the network traffic through the processing units, wherein the application layer is layer 7 of the seven-layer network protocol model.
Optionally, the data of an application system allowed to perform data access comprises access requirement data and attribute data that have been put on record; the access requirement data comprises a protocol or a domain name; the attribute data comprises one or more of a process name, a file name, a vendor name or a digital signature;
and judging, according to preset whitelist data, whether the network traffic that passed protocol analysis satisfies the preset security access control policy comprises:
judging, according to the preset whitelist data, whether the network traffic that passed protocol analysis contains the attribute data and the access requirement data;
when the network traffic that passed protocol analysis contains both the attribute data and the access requirement data, determining that it satisfies the preset security access control policy.
Optionally, after judging according to the preset whitelist data whether the network traffic that passed protocol analysis contains the attribute data and whether it contains the access requirement data, the method further comprises:
when the network traffic that passed protocol analysis contains only the attribute data but not the access requirement data, submitting the network traffic for review;
putting on record the access requirement data contained in the reviewed and approved network traffic that was not previously on record, and adding the application system data corresponding to the approved network traffic to the whitelist data, so that the approved network traffic satisfies the security access control policy.
Optionally, the method further comprises:
updating the whitelist data in real time when the number of application systems allowed to perform data access changes.
Optionally, the method further comprises:
while allowing network traffic that satisfies the security access control policy to perform data access, copying the content of that access and logging it;
while intercepting network traffic that does not satisfy the security access control policy, copying the content of that access request, logging it and pushing alert information.
Optionally, the method further comprises:
while intercepting network traffic that does not satisfy the security access control policy, returning preset error prompt information to the corresponding application system.
In a second aspect, an embodiment of the present application further provides a security penetration defense device, comprising:
an obtaining module for obtaining the access request sent by an application system;
a protocol analysis module for performing application-layer protocol analysis on the network traffic corresponding to the access request, intercepting network traffic that contains a preset protocol and allowing network traffic that does not contain the preset protocol to pass, wherein the protocol analysis is implemented with regular expressions in JSON format;
a judgment module for judging, according to preset whitelist data, whether the network traffic that passed protocol analysis satisfies a preset security access control policy, wherein the preset security access control policy is generated from the preset whitelist data, and the preset whitelist data contains data of the application systems that are preset as allowed to perform data access;
an interception module for allowing network traffic that satisfies the security access control policy to perform data access and intercepting network traffic that does not satisfy it.
Optionally, the protocol analysis module comprises:
a forwarding unit for forwarding, according to a pre-established mapping table between network ports and the seven-layer network protocol model, network traffic containing different network ports to the processing units that perform the corresponding protocol processing;
a protocol analysis unit for performing application-layer protocol analysis on the network traffic through the processing units, wherein the application layer is layer 7 of the seven-layer network protocol model.
In a third aspect, an embodiment of the present application further provides security penetration defense equipment, comprising:
a memory and a processor connected to the memory;
the memory being for storing a program that is used at least to execute the above security penetration defense method;
the processor being for calling and executing the program stored in the memory.
The technical solutions provided by the embodiments of this application can have the following beneficial effects:
When an access request from an application system that wishes to access the Internet is obtained, the network traffic corresponding to that request is first subjected to protocol analysis at the application layer (layer 7 of the seven-layer network protocol model), so that traffic carrying specific protocols (preset abnormal or illegal protocols) is intercepted; that is, application-layer access behavior is placed under security control. Because the protocol analysis is realized with customizable regular expressions in JSON format, which are easy for machines to parse and generate and are efficient to transmit over the network, the quantity and expressiveness of configurable security access control rules increase, which ultimately improves security access control capability and the protective effect against security penetration. Second, a whitelist approach is adopted throughout: the traffic that passed protocol analysis is analyzed to judge whether it satisfies the security access control policy generated from the preset whitelist data, so that application-layer access is linked in real time to the normal access needs of the internal systems and only external access requests that were manually put on record (contained in the whitelist) are let through. Such a design needs no exhaustive detection and avoids complex security threat detection models, which improves the accuracy, timeliness and coverage of security threat detection.
It should be understood that the above general description and the following detailed description are exemplary and explanatory only and do not limit the application.
Description of the drawings
The drawings herein are incorporated in and form part of this specification; they show embodiments consistent with the application and, together with the specification, serve to explain the principles of the application.
Fig. 1 is a flowchart of a security penetration defense method provided by an embodiment of the present application;
Fig. 2 is a schematic diagram of a specific implementation of application-layer protocol analysis provided by an embodiment of the present application;
Fig. 3 is a schematic diagram of judging whether network traffic satisfies the security access control policy, provided by an embodiment of the present application;
Fig. 4 is a structural schematic diagram of a security penetration defense device provided by an embodiment of the present application;
Fig. 5 is a structural schematic diagram of security penetration defense equipment provided by an embodiment of the present application.
Detailed description of embodiments
Example embodiments are described in detail here and are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described in the following example embodiments do not represent all embodiments consistent with the application; rather, they are only examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
Embodiment one
Referring to Fig. 1, which is a flowchart of a security penetration defense method provided by an embodiment of the present application, the method includes the following steps:
S101: obtaining the access request sent by an application system;
Specifically, the application system is an external system that requests Internet data access; when it needs to perform data access it sends an access request to the internal system.
S102: performing application-layer protocol analysis on the network traffic corresponding to the access request, intercepting network traffic that contains a preset protocol and allowing network traffic that does not contain the preset protocol to pass, wherein the protocol analysis is implemented with regular expressions in JSON format;
Specifically, the network traffic is the Internet data access issued by the external application system, and it carries information about that application system, such as the protocol.
Protocol here is short for network protocol. Protocols tend to be defined in layers, so that a change to the protocol of one layer does not affect the protocols of the other layers.
Further, performing application-layer protocol analysis on the network traffic corresponding to the access request specifically comprises:
forwarding, according to a pre-established mapping table between network ports and the seven-layer network protocol model, network traffic containing different network ports to the processing units that perform the corresponding protocol processing;
performing application-layer protocol analysis on the network traffic through the processing units, wherein the application layer is layer 7 of the seven-layer network protocol model.
Specifically, the network port refers to a logical port, such as a TCP/IP port; port numbers range from 0 to 65535, with port 80 used for web services and port 21 for FTP, for example. This step first establishes the mapping between port numbers and protocols according to actual needs; afterwards, when network traffic is received, it is handed to the corresponding processing service unit for protocol analysis according to the port it carries. The port is only a first approximation, however: a protocol can be run on a non-standard port, so the final determination must come from the application-layer analysis of the content rather than from the port alone.
The seven layers of the network protocol model, from top to bottom, are: 7 application layer, 6 presentation layer, 5 session layer, 4 transport layer, 3 network layer, 2 data link layer, 1 physical layer. Layers 7, 6, 5 and 4 are the upper layers and define the functions of application programs; the remaining three layers mainly handle the end-to-end data flow through the network. Traditional firewalls only support access rule configuration at layer 3 (together with transport-layer ports, the five-tuple), so the expressiveness of their configuration is restricted; the technical solution of this embodiment can be configured for layer 7, which effectively improves that expressiveness. The configuration scheme is realized with customizable regular expressions in JSON format, whose elements and the resource objects they refer to belong to the application layer, so that security control is exerted over application-layer access behavior, improving security access control capability and the protective effect against security penetration.
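The port-to-protocol mapping table and the JSON-format regular-expression rules described above, as an added example that is not part of the patent or the applicant's code: the mapping table dispatches a flow to a processing unit by destination port, each JSON rule carries the regular expression that identifies one application-layer protocol in the first bytes of the flow, and flows identified as a preset protocol are intercepted while all others pass on to the whitelist check. The port mapping, rule set, intercept list and sample flows are all constructed for illustration, and the protocol regexes are deliberately simple; they are not a substitute for the open-source parsers the description refers to. The example also shows the case a five-tuple rule cannot express: an SSH session on the HTTP port 8080 is still identified, because the rule is bound to the content and not the port.

```python
import json
import re

# Port-to-protocol mapping table (constructed): destination port -> processing unit.
PORT_MAP_JSON = '{"80": "http", "8080": "http", "21": "ftp", "22": "ssh", "53": "dns"}'

# Protocol analysis rules in JSON format (constructed). Each rule names the protocol it
# identifies and the regular expression applied to the start of the flow. "unit" binds
# the rule to one processing unit; "*" evaluates it in every unit, so a protocol running
# on an unexpected port is still identified by its content rather than by its port.
RULES_JSON = r"""
[
  {"protocol": "http",   "unit": "http",
   "regex": "^(GET|POST|PUT|DELETE|HEAD|OPTIONS) \\S+ HTTP/1\\.[01]\\r\\n"},
  {"protocol": "ftp",    "unit": "ftp", "regex": "^220[ -].*FTP"},
  {"protocol": "ssh",    "unit": "*",   "regex": "^SSH-2\\.0-"},
  {"protocol": "telnet", "unit": "*",   "regex": "^\\xff[\\xfb-\\xfe]"}
]
"""

# Preset protocols whose traffic is intercepted outright (constructed choice).
INTERCEPT_PROTOCOLS = {"ssh", "telnet"}


class ProtocolAnalyzer:
    """Step S102: dispatch by the port mapping table, identify the L7 protocol by JSON rules."""

    def __init__(self, port_map_json, rules_json, intercept=INTERCEPT_PROTOCOLS):
        self.port_map = {int(p): unit for p, unit in json.loads(port_map_json).items()}
        # Compile each rule once; a bad regex fails here at load time, not per flow.
        self.rules = [(r["protocol"], r["unit"], re.compile(r["regex"]))
                      for r in json.loads(rules_json)]
        self.intercept = set(intercept)

    def dispatch(self, dst_port):
        """Mapping-table lookup: which processing unit receives this flow."""
        return self.port_map.get(dst_port, "unknown")

    def identify(self, dst_port, payload):
        """Return the protocol name identified in the flow prefix, or None."""
        unit = self.dispatch(dst_port)
        # latin-1 maps every byte to one code point, so byte-level regexes such as the
        # telnet IAC rule work unchanged on binary payloads.
        head = payload[:512].decode("latin-1")
        for protocol, rule_unit, regex in self.rules:
            if rule_unit in ("*", unit) and regex.search(head):
                return protocol
        return None

    def decide(self, dst_port, payload):
        """Intercept flows carrying a preset protocol; everything else passes on to the
        whitelist check of step S103."""
        protocol = self.identify(dst_port, payload)
        action = "intercept" if protocol in self.intercept else "pass"
        return action, protocol


# Constructed sample flows: (destination port, first bytes seen on the connection).
SAMPLE_FLOWS = [
    (80,   b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    (21,   b"220 FTP server ready\r\n"),
    (22,   b"SSH-2.0-OpenSSH_8.4\r\n"),
    (8080, b"SSH-2.0-dropbear\r\n"),          # SSH hidden on the HTTP port
    (2323, b"\xff\xfd\x18\xff\xfd\x20"),      # telnet option negotiation, odd port
    (9999, b"\x00\x01\x02 opaque binary"),
]


def analyze_all(flows=SAMPLE_FLOWS):
    analyzer = ProtocolAnalyzer(PORT_MAP_JSON, RULES_JSON)
    return [analyzer.decide(port, data) for port, data in flows]


if __name__ == "__main__":
    for (port, _), (action, protocol) in zip(SAMPLE_FLOWS, analyze_all()):
        print(f"port {port:5d}: {action:9s} protocol={protocol}")
```

Binding the HTTP rule to its own processing unit keeps the per-unit rule list short, which is the performance argument the description makes for the mapping table; the "*" rules are the ones that matter for evasion, and they should be the ones a deployment spends its regex budget on.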
As a concrete implementation of step S102, refer to Fig. 2, a schematic diagram of application-layer protocol analysis provided by an embodiment of the present application. As shown in Fig. 2, a transparent gateway is attached to the core switch in bypass mode; network traffic sent by the application system passes through the core switch and is transmitted to the transparent gateway, which can be arranged with existing traffic redirection techniques. The transparent gateway performs application-layer protocol analysis on the received network traffic (such as TCP/IP traffic) and intercepts traffic whose content contains the specified protocols; other types of traffic pass on to the firewall for subsequent processing.
The transparent gateway is connected to the core switch in bypass mode so that, if the transparent gateway fails, the core switch can bypass it automatically: on a specific trigger condition (power loss or crash) the two networks are connected directly and physically instead of through the network security device (the transparent gateway), so that after the security device fails the networks connected through it continue to communicate.
Further, the transparent gateway can be formed as a cluster of several hosts with 10 Gigabit network cards, using LVS (Linux Virtual Server) to provide high availability. The hosts run Linux; the kernel parameters are modified to enable IP forwarding and to tune performance, and iptables rules in the PREROUTING chain redirect the traffic destined to the target ports onto the corresponding proxy services.
As to the concrete realization of protocol analysis, open-source implementations exist for parsing common application-layer protocols such as HTTP, FTP, DNS and SSH; they belong to the prior art and are not described in detail here. Encrypted protocols such as HTTPS and SFTP are more complicated to handle and require interception of the certificate chain: a root certificate is installed on the hosts of all application systems, certificates are issued dynamically from that root according to each application system's information and deployed on the transparent gateway, and the gateway thereby decrypts and proxies the encrypted traffic requests. Two practical caveats apply: this certificate-based interception covers TLS-based protocols such as HTTPS, whereas SFTP runs over SSH and authenticates the server by host key rather than by certificate, so intercepting it requires the clients to trust the gateway's own host key; and a client that pins its server certificate will reject the gateway-issued certificate and fail rather than be proxied.
S103: judging, according to preset whitelist data, whether the network traffic that passed protocol analysis satisfies a preset security access control policy, wherein the preset security access control policy is generated from the preset whitelist data, and the preset whitelist data contains data of the application systems that are preset as allowed to perform data access;
Specifically, this step first generates the whitelist data from the application systems put on record as allowed to perform data access, then generates the security access control policy from the whitelist data, and thereby judges whether the network traffic that passed protocol analysis satisfies the security access control policy.
Further, the data of an application system allowed to perform data access comprises access requirement data and attribute data that have been put on record; the access requirement data comprises a protocol or a domain name; the attribute data comprises one or more of a process name, a file name, a vendor name or a digital signature;
and judging, according to preset whitelist data, whether the network traffic that passed protocol analysis satisfies the preset security access control policy comprises:
judging, according to the preset whitelist data, whether the network traffic that passed protocol analysis contains the attribute data and the access requirement data;
when the network traffic that passed protocol analysis contains both the attribute data and the access requirement data, determining that it satisfies the preset security access control policy.
That is, every application system recorded in the whitelist data has at least access requirement data and attribute data; when new network traffic requests data access, it is checked whether that traffic contains the necessary access requirement data and attribute data, which determines whether it satisfies the security access control policy. (Attribute data such as a process name, file name or digital signature is not carried in the packets themselves; it has to be supplied by the sending host and associated with the flow before this check can be made.)
Optionally, the step may further comprise:
when the network traffic that passed protocol analysis contains only the attribute data but not the access requirement data, submitting the network traffic for review;
putting on record the access requirement data contained in the reviewed and approved network traffic that was not previously on record, and adding the application system data corresponding to the approved network traffic to the whitelist data, so that the approved network traffic satisfies the security access control policy.
That is, network traffic that does not satisfy the preset security access control policy includes two further cases: an application system already on record may change its access requirements before or after going live; or the access requirements of an application system may not have been put on record before, although its attribute data is on record. In both cases the data access request sent by the external application system must be reviewed; if the new access requirement conforms to the rules, its data access is approved and the new access requirement data is put on record, so that it supplements the initial whitelist data as incremental whitelist data and the corresponding security access control policy is generated.
As a concrete implementation of step S103, refer to Fig. 3, a schematic diagram of judging whether network traffic satisfies the security access control policy, provided by an embodiment of the present application. As shown in Fig. 3, any application system that needs to access the Internet must send its access request from its management backend, and the transparent gateway judges whether the request satisfies the preset security access control policy. If it does not, the application system applies for the access it needs through a dedicated permission workflow, sending the details (such as access requirement data and attribute data) to the security management backend. Once the application is approved, the security management backend generates incremental whitelist data and the corresponding security access control policy from the submitted details and synchronizes them to the transparent gateway in real time.
In addition, the above method further comprises: updating the whitelist data in real time when the number of application systems allowed to perform data access changes.
Specifically, when application systems on record are scaled in or scaled out, the whitelist data is updated in real time. In some embodiments this is implemented by having the automated release system synchronize the latest node information of the application system to the security management backend, which generates the latest whitelist data in real time.
S104: allowing network traffic that satisfies the security access control policy to perform data access, and intercepting network traffic that does not satisfy the security access control policy.
Specifically, if the network traffic sent by the application system finally passes protocol analysis and satisfies the security access control policy, it is allowed to perform data access; otherwise it is intercepted.
Further, while network traffic that satisfies the security access control policy is allowed to perform data access, the content of that access is copied and logged, for later audit and statistics;
while network traffic that does not satisfy the security access control policy is intercepted, the content of that access request is copied and logged, and alert information is pushed so that security operations personnel can intervene and handle it.
The transmission of the above access log data uses message queue technology; display and analysis use the ELK technology components (Elasticsearch, Logstash, Kibana; three open-source software products).
In addition, the above method may further comprise: while network traffic that does not satisfy the security access control policy is intercepted, returning preset error prompt information to the corresponding application system, to inform its users of the reason the access was intercepted.
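The whitelist judgment of step S103 and the allow/intercept, logging, alerting and error-prompt behaviour of step S104, as an added example that is not part of the patent or the applicant's code. It assumes that the attribute data (process name, vendor, signature) arrives with each flow as metadata supplied by the application host; the whitelist entries, domain names, digest placeholder, log format, and the approve() and sync_system() calls that stand in for the permission workflow and the release system are all constructed for illustration. The scenario walks one on-record application system through an allowed access, an access whose requirement is not yet on record (intercepted and submitted for review), the same access after approval, an unknown process, and the removal of the system when it is scaled in.

```python
import json

# Whitelist data on record (constructed). Each application system carries attribute data
# identifying the caller and access requirement data naming what it may reach.
INITIAL_WHITELIST = {
    "payroll-svc": {
        "attributes": {"process_name": "payroll", "vendor": "Acme Corp",
                       "signature": "sha256:0f3a"},          # placeholder digest
        "access": [{"protocol": "https", "domain": "api.bank.example"}],
    },
}


class WhitelistGateway:
    """Steps S103/S104: allow, intercept, or intercept-and-submit-for-review, with a log
    copy of every access, an alert on every interception and an error prompt returned
    to the application system."""

    def __init__(self, whitelist):
        self.whitelist = json.loads(json.dumps(whitelist))  # private deep copy
        self.pending_reviews = []   # (system, requirement) awaiting the permission workflow
        self.logs = []              # copied access content, one JSON line per decision
        self.alerts = []            # pushed to security operations on every interception
        self._seq = 0

    def _match_attributes(self, flow):
        """Return the on-record application system whose attribute data the flow carries."""
        for name, entry in self.whitelist.items():
            if all(flow.get(k) == v for k, v in entry["attributes"].items()):
                return name
        return None

    def _on_record(self, name, requirement):
        return requirement in self.whitelist[name]["access"]

    def decide(self, flow):
        requirement = {"protocol": flow["protocol"], "domain": flow["domain"]}
        name = self._match_attributes(flow)
        if name is None:
            # Attribute data not on record: plain interception.
            return self._intercept(flow, None, "application system not on record")
        if self._on_record(name, requirement):
            self._log("allow", name, flow, None)
            return {"action": "allow", "system": name}
        # Attribute data on record but this requirement is not: intercept now and queue
        # the requirement for review instead of silently dropping it.
        if (name, requirement) not in self.pending_reviews:
            self.pending_reviews.append((name, requirement))
        return self._intercept(flow, name, "access requirement not on record, submitted for review")

    def approve(self, name, requirement):
        """Permission workflow approved: put the requirement on record (incremental whitelist)."""
        if not self._on_record(name, requirement):
            self.whitelist[name]["access"].append(requirement)
        self.pending_reviews = [p for p in self.pending_reviews if p != (name, requirement)]

    def sync_system(self, name, attributes=None, access=None):
        """Real-time update from the release system: add or replace a system, or remove it
        (attributes=None) when it is scaled in."""
        if attributes is None:
            self.whitelist.pop(name, None)
        else:
            self.whitelist[name] = {"attributes": dict(attributes), "access": list(access or [])}

    def _intercept(self, flow, name, reason):
        self._log("intercept", name, flow, reason)
        self.alerts.append({"system": name, "domain": flow.get("domain"), "reason": reason})
        # Preset error prompt returned to the application system.
        return {"action": "intercept", "system": name,
                "error": "Access blocked by the security gateway: " + reason}

    def _log(self, action, name, flow, reason):
        self._seq += 1
        record = {"seq": self._seq, "action": action, "system": name,
                  "reason": reason, "request": flow}
        self.logs.append(json.dumps(record, sort_keys=True))


def run_scenario():
    """Walk one application system through allow, review, approval and scale-in."""
    gw = WhitelistGateway(INITIAL_WHITELIST)
    payroll = {"process_name": "payroll", "vendor": "Acme Corp", "signature": "sha256:0f3a"}
    results = [
        gw.decide({**payroll, "protocol": "https", "domain": "api.bank.example"}),
        gw.decide({**payroll, "protocol": "https", "domain": "api.newbank.example"}),
    ]
    # The new requirement went to the permission workflow; approval puts it on record.
    gw.approve("payroll-svc", {"protocol": "https", "domain": "api.newbank.example"})
    results.append(gw.decide({**payroll, "protocol": "https", "domain": "api.newbank.example"}))
    # A process with no attribute data on record is intercepted outright.
    results.append(gw.decide({"process_name": "curl", "protocol": "http", "domain": "paste.example"}))
    # The release system reports the system scaled in; its whitelist entry goes at once.
    gw.sync_system("payroll-svc")
    results.append(gw.decide({**payroll, "protocol": "https", "domain": "api.bank.example"}))
    return gw, results


if __name__ == "__main__":
    gateway, outcomes = run_scenario()
    for outcome in outcomes:
        print(outcome)
    print("alerts:", len(gateway.alerts), "log lines:", len(gateway.logs))
```

The logs list stands in for the message queue feeding ELK; each entry is a complete JSON line so it can be shipped as-is. Note that both allowed and intercepted accesses are logged, but only interceptions raise an alert, which is what keeps the review queue and the alert stream proportional to policy misses rather than to total traffic.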
The technical solutions provided by the embodiments of this application can have the following beneficial effects:
With the technical solution of this embodiment, when an access request from an application system that wishes to access the Internet is obtained, the corresponding network traffic is first subjected to application-layer (layer 7) protocol analysis, which intercepts traffic carrying preset abnormal or illegal protocols and thereby places application-layer access behavior under security control; since the protocol analysis is realized with customizable JSON-format regular expressions that are easy for machines to parse and generate and efficient to transmit, the quantity and expressiveness of configurable security access control rules increase, improving security access control capability and the protective effect against security penetration. Second, a whitelist approach is adopted throughout: traffic that passed protocol analysis is judged against the security access control policy generated from the preset whitelist data, linking application-layer access in real time to the normal access needs of the internal systems and letting through only the external access requests manually put on record in the whitelist; this needs no exhaustive detection and avoids complex security threat detection models, improving the accuracy, timeliness and coverage of security threat detection.
In order to introduce the technical solution of the present invention more fully, corresponding to the above safe penetration defence method, the embodiments of the present application also provide a safe penetration defence device.
Referring to Fig. 4, Fig. 4 is a structural schematic diagram of a safe penetration defence device provided by an embodiment of the present application. As shown in Fig. 4, the device includes:
An acquisition module 41, for obtaining the access request sent by the application system;
A protocol resolution module 42, for performing protocol analysis at the application layer on the network traffic corresponding to the access request, intercepting network traffic that contains a preset protocol, and allowing network traffic that does not contain the preset protocol to pass; wherein the protocol analysis is implemented using regular expressions in json format;
A judgment module 43, for judging according to preset whitelist data whether the network traffic that has passed the protocol analysis meets a preset secure access control policy; wherein the preset secure access control policy is generated according to the preset whitelist data, and the preset whitelist data includes preset application system data that is allowed to perform data access;
A blocking module 44, for allowing network traffic that meets the secure access control policy to perform data access, and intercepting network traffic that does not meet the secure access control policy.
Optionally, the protocol resolution module 42 includes:
A forwarding unit, for forwarding, according to a pre-established mapping table between network ports and the seven-layer network protocol, network traffic containing different network ports to the processing unit that performs the corresponding protocol processing;
A protocol analysis unit, for performing the protocol analysis at the application layer on the network traffic through the processing unit; wherein the application layer is layer 7 of the seven-layer network protocol.
Specifically, for the specific implementation of each functional module above, refer to the description of the safe penetration defence method in the embodiments above; it is not detailed again here.
In order to introduce the technical solution of the present invention more fully, corresponding to the above safe penetration defence method, the embodiments of the present application also provide safe penetration defence equipment.
Referring to Fig. 5, Fig. 5 is a structural schematic diagram of safe penetration defence equipment provided by an embodiment of the present application. As shown in Fig. 5, the equipment includes:
A memory 51 and a processor 52 connected to the memory 51;
The memory 51 is used to store a program, which is at least used to execute the safe penetration defence method described above;
The processor 52 is used to call and execute the program stored in the memory 51.
Specifically, for the specific implementation of the functions of the above program, refer to the description of the safe penetration defence method in the embodiments above; it is not detailed again here.
It can be understood that the same or similar parts of the various embodiments described above may refer to one another, and content not described in detail in some embodiments may refer to the same or similar content in other embodiments.
It should be noted that in the description of the present application the terms "first", "second" and so on are used for descriptive purposes only and cannot be interpreted as indicating or implying relative importance. In addition, in the description of the present application, unless otherwise indicated, "multiple" means at least two.
Any process or method description in a flow chart or otherwise described herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present application includes other implementations in which the functions may be executed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functionality involved, as should be understood by those skilled in the art to which the embodiments of the present application belong.
It should be understood that each part of the present application may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one of the following technologies well known in the art or a combination thereof may be used: discrete logic circuits with logic gate circuits for implementing logic functions on data signals, application-specific integrated circuits with suitable combinational logic gate circuits, programmable gate arrays (PGA), field programmable gate arrays (FPGA), and so on.
Those skilled in the art will understand that all or part of the steps carried by the method of the above embodiments may be completed by instructing relevant hardware through a program; the program may be stored in a computer-readable storage medium and, when executed, includes one or a combination of the steps of the method embodiments.
In addition, the functional units in the embodiments of the present application may be integrated in one processing module, or each unit may exist physically alone, or two or more units may be integrated in one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present application have been shown and described above, it is to be understood that the above embodiments are exemplary and should not be understood as limiting the present application; those skilled in the art may change, modify, replace and vary the above embodiments within the scope of the present application.

Claims (10)

1. A safe penetration defence method, characterized by comprising:
obtaining an access request sent by an application system;
performing protocol analysis at the application layer on the network traffic corresponding to the access request, intercepting network traffic that contains a preset protocol, and allowing network traffic that does not contain the preset protocol to pass; wherein the protocol analysis is implemented using regular expressions in json format;
judging, according to preset whitelist data, whether the network traffic that has passed the protocol analysis meets a preset secure access control policy; wherein the preset secure access control policy is generated according to the preset whitelist data, and the preset whitelist data includes preset application system data that is allowed to perform data access;
allowing network traffic that meets the secure access control policy to perform data access, and intercepting network traffic that does not meet the secure access control policy.
2. The method according to claim 1, characterized in that performing protocol analysis at the application layer on the network traffic corresponding to the access request comprises:
according to a pre-established mapping table between network ports and the seven-layer network protocol, forwarding network traffic containing different network ports to the processing unit that performs the corresponding protocol processing;
performing the protocol analysis at the application layer on the network traffic through the processing unit; wherein the application layer is layer 7 of the seven-layer network protocol.
3. The method according to claim 1, characterized in that the application system data that is allowed to perform data access includes filed requirements-for-access data and attribute data; the requirements-for-access data includes a protocol or a domain name; the attribute data includes one or more of a process name, a file name, a publisher name or a digital signature;
judging, according to preset whitelist data, whether the network traffic that has passed the protocol analysis meets the preset secure access control policy comprises:
judging, according to the preset whitelist data, whether the network traffic that has passed the protocol analysis contains the attribute data and the requirements-for-access data;
when the network traffic that has passed the protocol analysis contains both the attribute data and the requirements-for-access data, determining that the network traffic that has passed the protocol analysis meets the preset secure access control policy.
4. The method according to claim 3, characterized in that, after judging according to the preset whitelist data whether the network traffic that has passed the protocol analysis contains the attribute data and whether it contains the requirements-for-access data, the method further comprises:
when the network traffic that has passed the protocol analysis contains only the attribute data but not the requirements-for-access data, submitting the network traffic for review;
filing the requirements-for-access data that the reviewed network traffic lacked, and adding the application system data corresponding to the reviewed network traffic to the whitelist data, so that the reviewed network traffic meets the secure access control policy.
5. The method according to claim 1, characterized by further comprising:
when the number of application systems allowed to perform data access is found to have changed, updating the whitelist data in real time.
6. The method according to claim 1, characterized by further comprising:
while allowing network traffic that meets the secure access control policy to perform data access, copying the content of that access and recording it in a log;
while intercepting network traffic that does not meet the secure access control policy, copying the content of that access request, recording it in a log and pushing warning information.
7. The method according to claim 6, characterized by further comprising:
while intercepting network traffic that does not meet the secure access control policy, returning a preset error prompt message to the corresponding application system.
8. A safe penetration defence device, characterized by comprising:
an acquisition module, for obtaining the access request sent by an application system;
a protocol resolution module, for performing protocol analysis at the application layer on the network traffic corresponding to the access request, intercepting network traffic that contains a preset protocol, and allowing network traffic that does not contain the preset protocol to pass; wherein the protocol analysis is implemented using regular expressions in json format;
a judgment module, for judging according to preset whitelist data whether the network traffic that has passed the protocol analysis meets a preset secure access control policy; wherein the preset secure access control policy is generated according to the preset whitelist data, and the preset whitelist data includes preset application system data that is allowed to perform data access;
a blocking module, for allowing network traffic that meets the secure access control policy to perform data access, and intercepting network traffic that does not meet the secure access control policy.
9. The device according to claim 8, characterized in that the protocol resolution module comprises:
a forwarding unit, for forwarding, according to a pre-established mapping table between network ports and the seven-layer network protocol, network traffic containing different network ports to the processing unit that performs the corresponding protocol processing;
a protocol analysis unit, for performing the protocol analysis at the application layer on the network traffic through the processing unit; wherein the application layer is layer 7 of the seven-layer network protocol.
10. Safe penetration defence equipment, characterized by comprising:
a memory and a processor connected to the memory;
the memory, for storing a program, which is at least used to execute the safe penetration defence method according to any one of claims 1-7;
the processor, for calling and executing the program stored in the memory.
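As an added illustration (not the patent's own code; the publication contains none), the following Python sketch models the method of the description and of claims 1 to 7 end to end: a port-to-protocol mapping table selects the parser (claim 2), regular expressions loaded from a json document recognise the protocol and intercept a preset one (claim 1), the whitelist check requires both attribute data and requirements-for-access data (claim 3), traffic carrying filed attributes but an unfiled domain is queued for review and, once approved, added to the whitelist in real time (claims 4 and 5), and every decision is logged, with a warning record and a preset error message on interception (claims 6 and 7). The json rule layout, the port numbers, domains, process names and message texts are all assumptions constructed for this example.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed mapping table from network port to application-layer protocol,
# standing in for the forwarding unit of claim 2. Illustrative values only.
PORT_PROTOCOL_MAP = {80: "http", 21: "ftp", 22: "ssh"}

# Constructed protocol-analysis rules in json format (claim 1): one regular
# expression recognises each protocol; "preset": true marks the protocols the
# patent calls preset (abnormal or illegal). The schema itself is an assumption.
RULES_JSON = r'''[
  {"protocol": "http", "pattern": "^(GET|POST) \\S+ HTTP/1\\.[01]", "preset": false},
  {"protocol": "ftp",  "pattern": "^(USER|PASS) ",                  "preset": true},
  {"protocol": "ssh",  "pattern": "^SSH-2\\.0-",                    "preset": true}
]'''

@dataclass
class AccessRequest:
    """An access request from an application system (constructed fields)."""
    port: int
    payload: str              # leading bytes of the application-layer data
    domain: Optional[str]     # requirements-for-access data: domain name
    attributes: dict          # attribute data: process name, publisher, ...

@dataclass
class WhitelistEntry:
    """Filed application system data: attribute data plus requirements data."""
    attributes: dict
    requirements: dict        # {"domain": ...} and/or {"protocol": ...}

@dataclass
class Decision:
    allowed: bool
    protocol: Optional[str]
    message: str              # preset error prompt returned on interception

class PenetrationDefence:
    def __init__(self, rules_json: str, whitelist: list):
        self.rules = {r["protocol"]: (re.compile(r["pattern"]), r["preset"])
                      for r in json.loads(rules_json)}
        self.whitelist = list(whitelist)  # updated in place (claim 5)
        self.pending = []                 # traffic submitted for review (claim 4)
        self.log = []                     # access log records (claim 6)
        self.alerts = []                  # pushed warning information (claim 6)

    def analyse_protocol(self, req: AccessRequest):
        """Select the parser by port, then recognise the protocol by regex."""
        names = [PORT_PROTOCOL_MAP[req.port]] if req.port in PORT_PROTOCOL_MAP else list(self.rules)
        for name in names:
            regex, preset = self.rules[name]
            if regex.search(req.payload):
                return name, preset
        return None, False

    def whitelist_status(self, req: AccessRequest, protocol: Optional[str]) -> str:
        """'match' needs attribute AND requirements data (claim 3); 'attributes_only' must be reviewed (claim 4)."""
        attributes_only = False
        for entry in self.whitelist:
            attr_ok = all(req.attributes.get(k) == v for k, v in entry.attributes.items())
            reqs = entry.requirements
            req_ok = (("domain" in reqs and reqs["domain"] == req.domain)
                      or ("protocol" in reqs and reqs["protocol"] == protocol))
            if attr_ok and req_ok:
                return "match"
            attributes_only = attributes_only or attr_ok
        return "attributes_only" if attributes_only else "none"

    def decide(self, req: AccessRequest) -> Decision:
        protocol, preset = self.analyse_protocol(req)
        if preset:                                     # stage 1: protocol analysis
            return self._intercept(req, protocol, f"protocol {protocol} is not permitted")
        status = self.whitelist_status(req, protocol)  # stage 2: whitelist policy
        if status == "match":
            self.log.append({"action": "allow", "domain": req.domain, "protocol": protocol,
                             "payload": req.payload, "attributes": dict(req.attributes)})
            return Decision(True, protocol, "ok")
        if status == "attributes_only":
            self.pending.append(req)
        return self._intercept(req, protocol, "access is not filed in the whitelist")

    def _intercept(self, req, protocol, reason) -> Decision:
        record = {"action": "intercept", "reason": reason, "domain": req.domain,
                  "protocol": protocol, "payload": req.payload, "attributes": dict(req.attributes)}
        self.log.append(record)
        self.alerts.append(record)
        return Decision(False, protocol, "access intercepted: " + reason)

    def approve(self, req: AccessRequest) -> None:
        """Review completed: file the missing domain and add the entry (claim 4)."""
        self.pending = [p for p in self.pending if p != req]
        self.whitelist.append(WhitelistEntry(dict(req.attributes), {"domain": req.domain}))

def demo():
    """Runs a constructed scenario; returns the engine and the allow/deny results."""
    updater = {"process": "updater.exe", "publisher": "Example Corp"}
    engine = PenetrationDefence(RULES_JSON, [WhitelistEntry(updater, {"domain": "updates.example.test"})])
    filed = AccessRequest(80, "GET /patch HTTP/1.1", "updates.example.test", updater)
    ftp = AccessRequest(21, "USER anonymous", "files.example.test", updater)
    unfiled = AccessRequest(80, "GET / HTTP/1.1", "other.example.test", updater)
    unknown = AccessRequest(80, "GET / HTTP/1.1", "updates.example.test", {"process": "x.exe"})
    results = [engine.decide(r).allowed for r in (filed, ftp, unfiled, unknown)]
    engine.approve(unfiled)                # review done: whitelist updated in real time
    results.append(engine.decide(unfiled).allowed)
    return engine, results
```

Calling `demo()` yields the decisions `[True, False, False, False, True]`: the filed request passes, the ftp request is stopped at the protocol stage before the whitelist is consulted, the unfiled request is intercepted and queued for review until approval adds its domain, and the request from an unknown process is intercepted without being queued. The whitelist stage runs only on traffic that has cleared the protocol stage, preserving the two-stage order of claim 1.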

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910602330.0A CN110290147A (en) 2019-07-05 2019-07-05 Safe penetration defence method, device and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910602330.0A CN110290147A (en) 2019-07-05 2019-07-05 Safe penetration defence method, device and equipment

Publications (1)

Publication Number Publication Date
CN110290147A true CN110290147A (en) 2019-09-27

Family

ID=68020680

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910602330.0A Pending CN110290147A (en) 2019-07-05 2019-07-05 Safe penetration defence method, device and equipment

Country Status (1)

Country Link
CN (1) CN110290147A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100268763A1 (en) * 2007-10-08 2010-10-21 Juha Antero Rasanen Methods, Apparatuses, System, and Related Computer Program Product for Policy Control
CN102571738A (en) * 2010-12-08 2012-07-11 中国电信股份有限公司 Intrusion prevention system (IPS) based on virtual local area network (VLAN) exchange and system thereof
CN102855274A (en) * 2012-07-17 2013-01-02 北京奇虎科技有限公司 Method and device for detecting suspicious progresses
CN105138901A (en) * 2015-08-03 2015-12-09 浪潮电子信息产业股份有限公司 White list based realization method for active defense of cloud host
CN105337986A (en) * 2015-11-20 2016-02-17 英赛克科技(北京)有限公司 Credible protocol conversion method and credible protocol conversion system
CN107612733A (en) * 2017-09-19 2018-01-19 杭州安恒信息技术有限公司 A kind of network audit and monitoring method and its system based on industrial control system

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111585975A (en) * 2020-04-17 2020-08-25 上海中通吉网络技术有限公司 Security vulnerability detection method, device and system, and switch
CN111585975B (en) * 2020-04-17 2023-03-14 上海中通吉网络技术有限公司 Security vulnerability detection method, device and system and switch
CN111865990A (en) * 2020-07-23 2020-10-30 上海中通吉网络技术有限公司 Method, device, equipment and system for managing and controlling malicious reverse connection behavior of intranet
CN111865990B (en) * 2020-07-23 2023-02-21 上海中通吉网络技术有限公司 Method, device, equipment and system for managing and controlling malicious reverse connection behavior of intranet
CN112565188A (en) * 2020-11-03 2021-03-26 鸬鹚科技(苏州)有限公司 Data access method and device, computer equipment and storage medium
CN112333191A (en) * 2020-11-06 2021-02-05 杭州安恒信息技术股份有限公司 Illegal network asset detection and access blocking method, device, equipment and medium
CN113596033A (en) * 2021-07-30 2021-11-02 深信服科技股份有限公司 Access control method and device, equipment and storage medium
CN114499942A (en) * 2021-12-22 2022-05-13 天翼云科技有限公司 Data access method and device and electronic equipment

Similar Documents

Publication Publication Date Title
CN110290147A (en) Safe penetration defence method, device and equipment
Khan et al. Fog computing security: a review of current applications and security solutions
US10462188B2 (en) Computer network security system
US11533341B2 (en) Technologies for scalable security architecture of virtualized networks
US10212135B2 (en) Locked down network interface
US10742604B2 (en) Locked down network interface
US10601874B2 (en) System and apparatus for providing network security
CA2962228C (en) Distributed traffic management system and techniques
ES2702097T3 (en) Cloud-based firewall system and service
US9298917B2 (en) Enhanced security SCADA systems and methods
CN107637018A (en) Technology for the security personalization of security monitoring virtual network function
US20090276204A1 (en) Method and system for policy simulation
US20140007236A1 (en) Systems, methods, and apparatus for improved application security
TWI699666B (en) System and method for information security threat disruption via a border gateway
CN106650425B (en) A kind of control method and device of security sandbox
US10728275B2 (en) Method and apparatus for determining a threat using distributed trust across a network
CN110351275A (en) A kind of host port flux monitoring method, system, device and storage equipment
CN106534174A (en) Cloud protection method, apparatus and system of sensitive data
Rehman et al. Proactive defense mechanism: Enhancing IoT security through diversity-based moving target defense and cyber deception
Yu Access control for network management
LAAN Securing the SDN northbound interface
Heikkinen Information Security Case Study with Security Onion at Kajaani UAS Datacentre Laboratory
Elouafiq et al. Aggressive and Intelligent Self-defensive Net-work Towards a New Generation of Semi-autonomous Networks
Shaghaghi Securing Software-Defined Network Enabled Enterprises Against Insider Threats
CN109510807A (en) A kind of method, apparatus and storage medium optimizing snort rule set

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190927