CN110532753A - Security protection method and device for train operation monitoring and recording device service data flows - Google Patents

Security protection method and device for train operation monitoring and recording device service data flows

Info

Publication number
CN110532753A
Authority
CN
China
Prior art keywords
data flow
user
intranet
external network
transmitted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910586011.5A
Other languages
Chinese (zh)
Inventor
张晓飞
黄发钧
李所林
匡文娟
宋威
关星
宋良平
陈雪莲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Institute Of Ship Communication (china Shipbuilding Industry Corp No 722 Institute)
722th Research Institute of CSIC
Original Assignee
Wuhan Institute Of Ship Communication (china Shipbuilding Industry Corp No 722 Institute)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Institute Of Ship Communication (China Shipbuilding Industry Corp No 722 Institute)
Priority to CN201910586011.5A
Publication of CN110532753A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. a local or distributed file system or database

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a security protection method and device for the service data flows of a train operation monitoring and recording device (LKJ), belonging to the field of train operation monitoring and recording devices. The method comprises: when a data flow transmitted by an external-network user to an intranet user is received, determining the intrusion-behaviour features of that data flow, the intrusion-behaviour features including at least one of attack-behaviour features, network and data hazard behaviour features, and abnormal-condition features; determining, from the intrusion-behaviour features of the data flow and target (threshold) intrusion-behaviour features, whether the data flow transmitted by the external-network user to the intranet user carries hidden intrusion behaviour; and, when it does, filtering the data flow.

Description

Security protection method and device for train operation monitoring and recording device service data flows
Technical field
The present invention relates to the technical field of train operation monitoring and recording devices, and in particular to a security protection method and device for the service data flows of such a device.
Background
The LKJ (train operation monitoring and recording device, hereafter "monitoring device") is a train speed supervision system developed by the Chinese railways primarily to guarantee safe train operation. While enforcing train speed limits, the LKJ also collects and records various locomotive operating-state information related to safe train operation, which improves the automation of locomotive operation management. This operating-state information includes the LKJ service data flow, that is, the data exchanged over the wireless network between terminal devices on the train and equipment outside the train. The LKJ service data flow exposes the LKJ to a number of security risks: the train intranet can be accessed without authorization through the service data flow, data can be eavesdropped on and tampered with, and the intranet can be subjected to intrusion attacks.
Summary of the invention
Embodiments of the invention provide a security protection method and device for LKJ service data flows that improve security and reliability by preventing unauthorized access to the train intranet, eavesdropping on and tampering with data, and intrusion attacks carried out through the LKJ service data flow. The technical solution is as follows.
In a first aspect, a security protection method for train operation monitoring and recording device service data flows is provided. The method comprises:
When a data flow transmitted by an external-network user to an intranet user is received, determining the intrusion-behaviour features of that data flow, the intrusion-behaviour features including at least one of attack-behaviour features, network and data hazard behaviour features, and abnormal-condition features;
Determining, from the determined intrusion-behaviour features of the data flow and target intrusion-behaviour features, whether the data flow transmitted by the external-network user to the intranet user is a data flow with hidden intrusion behaviour;
When the data flow transmitted by the external-network user to the intranet user is a data flow with hidden intrusion behaviour, filtering that data flow.
Optionally, the intrusion-behaviour features include attack-behaviour features, and determining, from the determined intrusion-behaviour features of the data flow and the target intrusion-behaviour features, whether the data flow transmitted by the external-network user to the intranet user has hidden intrusion behaviour comprises:
Determining the attack-behaviour features of the data flow transmitted by the external-network user to the intranet user in the current period, the attack-behaviour features including the number of sessions in the current period, the number of sessions per unit time and the number of data packets per unit time;
Comparing the number of sessions in the current period with a target session count, the number of sessions per unit time with a target per-unit-time session count, and the number of data packets per unit time with a target per-unit-time packet count;
When the number of sessions in the current period, the number of sessions per unit time and the number of data packets per unit time each reach or exceed the target session count, the target per-unit-time session count and the target per-unit-time packet count respectively, determining that the data flow transmitted by the external-network user to the intranet user is a data flow with hidden intrusion behaviour.
Optionally, the method further comprises:
When the data flow transmitted by the external-network user to the intranet user is not a data flow with hidden intrusion behaviour, determining the application type corresponding to that data flow;
Managing the bandwidth of the data flow transmitted by the external-network user to the intranet user on the basis of that application type.
Optionally, determining the application type corresponding to the data flow transmitted by the external-network user to the intranet user comprises:
Determining the protocol corresponding to the data flow;
Determining the class of that protocol;
Determining the application type corresponding to the data flow on the basis of the class of the protocol.
Optionally, determining the application type of the data flow on the basis of the class of the protocol comprises:
When the protocol is of the first class, extracting fingerprint information from the data flow transmitted by the external-network user to the intranet user, the fingerprint information including at least one of a target port identifier, a target string and a target sequence, and determining the application type of the data flow from the extracted fingerprint information;
When the protocol is of the second class, decoding the data flow and determining the application type from the decoded data flow;
When the protocol is of the third class, determining the behaviour that the corresponding intranet user has already performed, and determining the application type of the data flow from that behaviour.
Optionally, before receiving the data flow transmitted by the external-network user to the intranet user, the method further comprises:
Receiving a login request from the intranet user, the login request including the identifier of the intranet user;
Authenticating the intranet user on the basis of that identifier;
After authentication succeeds, authorizing the authenticated intranet user with the corresponding external-network access permissions on the basis of that identifier.
Optionally, the method further comprises:
When the data flow transmitted by the external-network user to the intranet user is not a data flow with hidden intrusion behaviour, determining the identifier of the intranet user corresponding to that data flow;
Managing the bandwidth of that intranet user on the basis of the identifier.
Optionally, managing the bandwidth of the intranet user on the basis of the identifier of the intranet user corresponding to the data flow comprises:
Determining the application type corresponding to the data flow transmitted by the external-network user to the intranet user;
Managing the bandwidth of the intranet user on the basis of both the identifier of the corresponding intranet user and the application type of the data flow.
In a second aspect, a security protection device for train operation monitoring and recording device service data flows is provided. The device comprises:
A first determining module, for determining, when a data flow transmitted by an external-network user to an intranet user is received, the intrusion-behaviour features of that data flow, the intrusion-behaviour features including at least one of attack-behaviour features, network and data hazard behaviour features, and abnormal-condition features;
A second determining module, for determining, from the determined intrusion-behaviour features of the data flow and target intrusion-behaviour features, whether the data flow transmitted by the external-network user to the intranet user is a data flow with hidden intrusion behaviour;
A filtering module, for filtering the data flow transmitted by the external-network user to the intranet user when it is a data flow with hidden intrusion behaviour.
In a third aspect, a security protection device for train operation monitoring and recording device service data flows is provided. The device comprises a processor and a memory; at least one instruction is stored in the memory, and the instruction is loaded and executed by the processor to implement the security protection method for train operation monitoring and recording device service data flows described above.
The technical solution provided by the embodiments of the invention has the following benefit. By determining the intrusion-behaviour features of the data flow transmitted by the external-network user to the intranet user and deciding, on the basis of target intrusion-behaviour features, whether that data flow carries hidden intrusion behaviour, data flows with hidden intrusion behaviour can be filtered and the intrusion stopped before the data flow enters the intranet. Blocking the flow in advance substantially reduces the harm it can do, improves security and reliability, and prevents unauthorized access to the train intranet, eavesdropping on and tampering with data, and intrusion attacks via the LKJ service data flow.
Brief description of the drawings
In order to describe the technical solutions of the embodiments more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art could obtain other drawings from them without inventive effort.
Fig. 1 is a schematic block diagram of the communication between the train intranet and the external network provided by an embodiment of the invention;
Fig. 2 and Fig. 3 are flow charts of a security protection method for train operation monitoring and recording device service data flows provided by an embodiment of the invention;
Fig. 4 and Fig. 5 are structural block diagrams of a security protection device for train operation monitoring and recording device service data flows provided by an embodiment of the invention.
Detailed description
To make the objectives, technical solutions and advantages of the invention clearer, the embodiments of the invention are described in further detail below with reference to the drawings.
To make the technical solution easier to understand, an exemplary application scenario is introduced first. In the embodiments of the invention, the intranet may be the train's internal local area network, and the external network may be any other network that communicates with the intranet. Referring to Fig. 1, the intranet 1 communicates with the external network 3 through a wireless network 2 (including 4G and WLAN). For example, the intranet 1 may connect to the wireless network 2 through an interface 1a. The interface 1a forwards the service data flows between the intranet 1 and the external network 3: it receives the data that the external network 3 transmits to the intranet 1 over the wireless network 2, and it sends the data that the intranet 1 transmits to the external network 3 over the wireless network 2. The security protection device 4 for LKJ service data flows provided by the embodiments of the invention may be placed at the interface 1a. Both the security protection device 4 and the LKJ 5 are located in the intranet 1; the security protection device 4 ensures the network security of the intranet 1, that is, it prevents service data flows forwarded through the interface 1a by illegal users from intruding into the intranet 1 to eavesdrop on, tamper with or attack the networked devices in the intranet 1. The security protection method for LKJ service data flows provided by the embodiments of the invention can be executed by the security protection device 4. It should be noted that the application scenario in Fig. 1 is only illustrative; the scenarios to which the method and device provided by the embodiments of the invention apply are not limited to it.
Fig. 2 shows a security protection method for train operation monitoring and recording device service data flows provided by an embodiment of the invention, which can be executed by the security protection device 4 of Fig. 1. Referring to Fig. 2, the method comprises the following steps.
Step 101: when a data flow transmitted by an external-network user to an intranet user is received, determine the intrusion-behaviour features of that data flow.
The intrusion-behaviour features include at least one of attack-behaviour features, network and data hazard behaviour features, and abnormal-condition features. A network and data hazard behaviour can be a virus. An abnormal condition is at least one of an abnormal condition in an application program, an abnormal condition in network transmission, and the source IP (Internet Protocol) address of a data packet. For example, an abnormal condition in an application program may be a user or user program violating a security policy, or exploiting a gap in the operating system or a weakness of an application program; an abnormal condition in network transmission may be a data packet appearing in a period in which it should not appear.
Step 102: on the basis of the determined intrusion-behaviour features of the data flow and the target intrusion-behaviour features, determine whether the data flow transmitted by the external-network user to the intranet user is a data flow with hidden intrusion behaviour.
When the data flow transmitted by the external-network user to the intranet user is a data flow with hidden intrusion behaviour, step 103 is executed; when it is not, step 104 is executed.
Step 103: filter the data flow.
Filtering includes discarding.
Step 104: perform bandwidth management on the data flow transmitted by the external-network user to the intranet user.
By determining the intrusion-behaviour features of the data flow transmitted by the external-network user to the intranet user and deciding, on the basis of target intrusion-behaviour features, whether that data flow carries hidden intrusion behaviour, the embodiment can filter data flows with hidden intrusion behaviour and stop the intrusion before the data flow enters the intranet. Blocking the flow in advance substantially reduces the harm it can do, improves security and reliability, and prevents unauthorized access to the train intranet, eavesdropping on and tampering with data, and intrusion attacks via the LKJ service data flow.
For example, referring to Fig. 3, the method may also include steps 201 to 203 before step 101.
Step 201: receive a login request from the intranet user.
The login request includes the identifier of the intranet user. For example, in addition to the user identifier, the login request may also include the identifier of the terminal. The user identifier can be bound to the terminal identifier, which prevents others from impersonating the user from elsewhere.
Step 202: authenticate the intranet user on the basis of the user identifier.
For example, a one-time-password authentication mechanism may be used: the user enters the password corresponding to the user identifier only once. The password corresponding to the user identifier can be computed from the user's registered password and a dynamic factor. The registered password can be obtained by the intranet user by applying to the LKJ or to an authentication server before logging in. The dynamic factor can be the user's current login time. The password computation can be a predetermined target algorithm. Because a fresh password is used for each login, the one-time-password mechanism greatly improves the security of access control and effectively prevents unauthorized users from accessing the external network.
For example, certificate-based authentication may also be used. Certificates can follow the X.509 certificate system and can be generated by the LKJ or by a certificate server, i.e. a third-party CA (a third-party trust authority that issues and validates digital certificates). The user can store the certificate in a dedicated USB (Universal Serial Bus) key; the USB key acts as each user's personal token, and the user must simultaneously possess the USB key, the PIN (personal identification number, which the text treats as the user identifier) and a valid certificate to pass authentication. On receiving the login request, the device obtains the certificate provided by the user and the original certificate corresponding to the user identifier, compares the two, and passes authentication when the certificate provided by the user matches the corresponding original certificate.
For example, to provide compatibility with existing authentication systems, the system also supports authentication through a third party, including but not limited to a RADIUS (Remote Authentication Dial In User Service) server, an LDAP (Lightweight Directory Access Protocol) / AD (Active Directory) server, or a SecurID authenticator.
After the intranet user passes authentication, step 203 is executed. When the intranet user fails authentication, the user can be directed to authenticate again or to start authentication.
Step 203: on the basis of the user identifier, authorize the authenticated intranet user with the corresponding external-network access permissions.
After the user enters the username and password, the user's authentication information (including the certificate) is sent to the gateway in encrypted form. Once it has been matched against the database and authentication has passed, the external-network access permissions configured in the system are returned for the corresponding user or user group, and the user is authorized to use network resources according to the permissions obtained.
For example, access permissions can be set per user. Users can also be grouped and permissions set per user group. Access permissions may include: the identifier of the computer the user uses to go online, the IP addresses the user may access, the time window in which the user may go online, the websites the user is forbidden to browse, and the total time per day or per month for which the user may be online.
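The login flow of steps 201 to 203 in working form, as an added example that is not code from the patent: a login request carrying the user and terminal identifiers, one-time-password authentication that enforces the user-to-terminal binding, and a lookup of the external-network permissions granted to the user's group. The patent only says the per-login password is derived from the registered password and a dynamic factor (the login time) by a "target algorithm"; the HMAC-SHA256 construction, the 60-second time window with one window of skew tolerance, the user records, the group mapping and the permission table are this example's assumptions.

```python
"""Steps 201-203 of the patent: login request, one-time-password
authentication bound to a terminal, and group-based authorization.
The derivation below (HMAC-SHA256 over the bound identifiers and a
login-time window) and all records are assumptions of this example."""
import hashlib
import hmac

TIME_STEP = 60  # seconds per dynamic-factor window (assumption)

# Constructed registration records: user id -> (bound terminal id, registered password).
USERS = {
    "driver01": ("LKJ-TERM-0001", b"registered-password-obtained-from-lkj"),
}
USER_GROUP = {"driver01": "crew"}
# Constructed external-network permissions per group, following the items
# the text lists (computer, addresses, online hours, blocked sites, quota).
PERMISSIONS = {
    "crew": {
        "computer": "LKJ-TERM-0001",
        "allowed_addresses": ["198.51.100.0/24"],
        "online_hours": (6, 22),
        "blocked_sites": ["video.example"],
        "daily_minutes": 120,
    },
}


def one_time_password(user_id, terminal_id, registered_password, login_time):
    """Derive the per-login password from the registered password and the
    login-time window (the dynamic factor), truncated to 8 decimal digits."""
    window = int(login_time) // TIME_STEP
    message = f"{user_id}|{terminal_id}|{window}".encode()
    mac = hmac.new(registered_password, message, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** 8:08d}"


def authenticate(request, now):
    """Step 202.  The user id must be bound to the presenting terminal, and
    the submitted password must match the current window or the previous
    one (a little clock skew is tolerated; an assumption)."""
    record = USERS.get(request.get("user"))
    if record is None:
        return False
    terminal_id, registered_password = record
    if not hmac.compare_digest(terminal_id, request.get("terminal", "")):
        return False
    for t in (now, now - TIME_STEP):
        expected = one_time_password(request["user"], terminal_id, registered_password, t)
        if hmac.compare_digest(expected, request.get("otp", "")):
            return True
    return False


def authorize(user_id):
    """Step 203: the permissions come from the group the user belongs to."""
    return PERMISSIONS[USER_GROUP[user_id]]


def login(request, now):
    """Steps 201-203 together: None on failure, the permission set on success."""
    if not authenticate(request, now):
        return None
    return authorize(request["user"])


if __name__ == "__main__":
    now = 1_700_000_000
    code = one_time_password("driver01", "LKJ-TERM-0001", USERS["driver01"][1], now)
    print(login({"user": "driver01", "terminal": "LKJ-TERM-0001", "otp": code}, now))
    print(login({"user": "driver01", "terminal": "LKJ-TERM-0009", "otp": code}, now))
```

Both comparisons go through hmac.compare_digest so that a wrong terminal identifier or password fails in constant time; a password presented from a terminal other than the bound one fails even when the password itself is correct, which is the binding the text asks for.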
For example, the intrusion-behaviour features include attack-behaviour features, in which case step 102 may include the following steps.
First step: determine the attack-behaviour features of the data flow transmitted by the external-network user to the intranet user in the current period.
The attack-behaviour features include the number of sessions in the current period, the number of sessions per unit time and the number of data packets per unit time. A session is a connection between an intranet user and an external-network user. For example, a current-period session count of 3 comprises the connection between intranet user A1 and external-network user B1, the connection between intranet user A1 and external-network user B2, and the connection between intranet user A2 and external-network user B1. The unit time can be 1 second, and the period is longer than 1 second. The sessions per unit time and the data packets per unit time both refer to the current period. The target attack-behaviour features can be a target session count, a target per-unit-time session count and a target per-unit-time packet count.
Second step: compare the number of sessions in the current period with the target session count, the number of sessions per unit time with the target per-unit-time session count, and the number of data packets per unit time with the target per-unit-time packet count.
When the number of sessions in the current period, the number of sessions per unit time and the number of data packets per unit time each reach or exceed the target session count, the target per-unit-time session count and the target per-unit-time packet count respectively, the data flow transmitted by the external-network user to the intranet user is determined to be a data flow with hidden intrusion behaviour, for example hidden DoS (Denial of Service) / DDoS (Distributed Denial of Service) attack traffic, and step 103 is executed. When the number of sessions in the current period, the number of sessions per unit time and the number of data packets per unit time do not all reach their respective targets, the data flow is determined not to be hidden DoS/DDoS attack traffic at this time; step 104 can then be executed, or other intrusion-behaviour features of the data flow can be checked. For example, one such feature can be the source IP address of a data packet: when the source IP address is on the blacklist, the packet is discarded directly; when it is on the whitelist, step 104 is executed. The blacklist and whitelist can be added to and edited manually by administrators.
In step 103, when the data flow is detected to be a data flow with hidden intrusion behaviour, it can be filtered, for example by discarding the packets, and the event recorded so that it can be analysed later.
For example, traffic shaping can be applied according to the service to which a data flow belongs, so as to limit bandwidth and guarantee that important services proceed smoothly ahead of secondary services. In this embodiment services are distinguished by application type: different application types correspond to different services. On this basis, step 104 may include the following steps.
Step A: determine the application type corresponding to the data flow transmitted by the external-network user to the intranet user.
Step B: manage the bandwidth of the data flow transmitted by the external-network user to the intranet user on the basis of that application type.
For example, step A may include: determining the protocol corresponding to the data flow; determining the class of that protocol; and determining the application type of the data flow from the class of the protocol. The protocol can be an underlying network protocol.
For example, in the embodiments of the invention, protocols are divided into three classes, and correspondingly three methods of determining the application type are provided.
The first method is: when the protocol is of the first class, extract fingerprint information from the data flow transmitted by the external-network user to the intranet user, the fingerprint information including at least one of a target port identifier, a target string and a target sequence, and determine the application type of the data flow from the extracted fingerprint information.
The first method is signature-based identification, which works as follows. Different applications usually use different protocols, and every protocol has its own fingerprint, which may be a specific port, a specific string or a specific sequence. Signature-based identification recognises the fingerprint information in the data packets to determine which application the traffic carries. According to the detection technique used, signature-based identification can be subdivided into fixed-position feature matching, variable-position feature matching and stateful signature matching. By upgrading the fingerprint information, signature-based identification can easily be extended to detect new protocols. Usually this technique processes packets at the bottom of the system kernel. First-class protocols can be HTTP (HyperText Transfer Protocol) or FTP (File Transfer Protocol): the protocol is analysed and reassembled in the kernel, the fingerprint information is extracted, and the application type corresponding to the extracted fingerprint is looked up in the mapping between fingerprint information and application types. The first method identifies application content well and is also efficient, which makes it suitable for time-sensitive applications.
The second method is: when the protocol is of the second class, decode the data flow transmitted by the external-network user to the intranet user and determine the application type from the decoded data flow.
The second method is application-layer gateway (proxy) identification, which works as follows. Some applications encode their data in transit, so content reassembly and identification require decoding first. When the system kernel does not provide the necessary decoding libraries, these applications must be handed up to the application layer for application-layer protocol reassembly. For example, second-class protocols can be mail protocols such as SMTP (Simple Mail Transfer Protocol), POP3 (Post Office Protocol version 3) or IMAP (Internet Mail Access Protocol): because mail uses the MIME (Multipurpose Internet Mail Extensions) format and Base64-encodes the mail content, decoding has to be done at the application layer, which requires application proxy technology. Since the data has to be moved from the kernel to the application layer, zero-copy techniques can be used to map kernel packets directly into application-layer space, improving the efficiency of packet processing. After decoding, content identification can be performed directly on the decoded IP payload of the data flow to determine the application type.
The third determination method includes: when the type of the corresponding protocol is the third class, determining the behavior that the corresponding intranet user has already performed with respect to the data flow, and determining, based on that behavior, the application type corresponding to the data flow transmitted by the external network user to the intranet user.
The third determination method is behavior-pattern recognition. For data whose application type cannot be determined from the protocol, the corresponding application type can be identified using behavior-pattern recognition, which works as follows. A behavior-based recognition model judges the action a client is currently performing, or is about to perform, from the behavior the client has already performed. For example, judged by the content of the e-mail alone, the business flows of spam and normal mail do not differ at all. Only further analysis, specifically a comprehensive analysis of the behavior the user has already performed, such as the size and frequency of the mail sent, the destination and source mail addresses, the frequency with which they change and the frequency of rejection, can determine whether the mail is spam.
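The mail case described for the second and third methods, as an added example that is not the patent's code: a constructed Base64 MIME body is decoded at the application layer, and because the decoded content of both senders is identical, the spam judgement rests on the behaviour features listed above (size, frequency, destination addresses, rejection rate). The thresholds, addresses and send records are assumptions made for this example.

```python
import base64
from collections import Counter
from dataclasses import dataclass
from email import message_from_bytes


def build_mail(sender: str, rcpt: str, text: str) -> bytes:
    """Constructed MIME message with a Base64 transfer-encoded text body."""
    body = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return (
        f"From: {sender}\r\nTo: {rcpt}\r\nSubject: hello\r\nMIME-Version: 1.0\r\n"
        "Content-Type: text/plain; charset=utf-8\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n" + body + "\r\n"
    ).encode("ascii")


def decode_mime_body(raw: bytes) -> str:
    """Application-layer step: undo the Base64 encoding so the content can be inspected."""
    msg = message_from_bytes(raw)
    part = next((p for p in msg.walk() if p.get_content_type() == "text/plain"), msg)
    payload = part.get_payload(decode=True)  # decodes per Content-Transfer-Encoding
    return payload.decode(part.get_content_charset() or "utf-8")


@dataclass(frozen=True)
class Behaviour:
    """Features drawn from what the user has already done, not from the mail content."""
    per_minute: float      # sending frequency
    distinct_rcpts: int    # how many destination addresses were used
    avg_size: float        # average message size in bytes
    reject_ratio: float    # share of sends the receiving server rejected


def behaviour_features(records: list) -> Behaviour:
    """records: (timestamp_seconds, recipient, size_bytes, rejected) for one sender."""
    n = len(records)
    if n == 0:
        return Behaviour(0.0, 0, 0.0, 0.0)
    times = [r[0] for r in records]
    span_min = max((max(times) - min(times)) / 60.0, 1.0)  # floor avoids division by ~0
    return Behaviour(
        per_minute=n / span_min,
        distinct_rcpts=len(Counter(r[1] for r in records)),
        avg_size=sum(r[2] for r in records) / n,
        reject_ratio=sum(1 for r in records if r[3]) / n,
    )


def is_spam(b: Behaviour) -> bool:
    """Comprehensive judgement with constructed thresholds: two indicators must fire."""
    indicators = [b.per_minute > 10.0, b.distinct_rcpts > 20, b.reject_ratio > 0.2]
    return sum(indicators) >= 2


TEXT = "Quarterly report attached, please review."

# Constructed send records for two senders whose decoded content is identical.
NORMAL_RECORDS = [(0.0, "a@corp.test", 900, False), (300.0, "b@corp.test", 950, False),
                  (600.0, "a@corp.test", 910, False)]
BULK_RECORDS = [(2.0 * i, f"user{i}@victim.test", 900, i % 2 == 0) for i in range(60)]


def compare_senders() -> dict:
    """Decode one message from each sender, then judge each by behaviour only."""
    normal_body = decode_mime_body(build_mail("normal@corp.test", "a@corp.test", TEXT))
    bulk_body = decode_mime_body(build_mail("bulk@other.test", "user0@victim.test", TEXT))
    return {
        "same_content": normal_body == bulk_body,
        "normal_is_spam": is_spam(behaviour_features(NORMAL_RECORDS)),
        "bulk_is_spam": is_spam(behaviour_features(BULK_RECORDS)),
    }


if __name__ == "__main__":
    print(compare_senders())
```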
It should be noted that these three identification techniques are each suited to different types of protocol and cannot substitute for one another. With these three identification techniques together, the various applications on the network can be identified effectively and flexibly, so that traffic control and management can be realized.
Application-based bandwidth management requires accurate analysis of the protocol type and application type of the data; only then can the configured bandwidth policy accurately limit the network bandwidth usage of each service and each user. The advantage of an application-based bandwidth management policy is that primary services, secondary services and non-business network applications can be distinguished as needed, effectively guaranteeing the share of network bandwidth available to key services.
Step B above is bandwidth management based on application type. In addition, the embodiment of the present invention also provides user-based bandwidth management, bandwidth management based on application type and user, and bandwidth management based on controlling the number of connections, which are introduced in turn below.
For user-based bandwidth management, step 104 may include the following steps.
Step a2: determine the identifier of the intranet user corresponding to the data flow transmitted by the external network user to the intranet user.
Step b2: manage the bandwidth of the intranet user based on the identifier of the intranet user corresponding to the data flow transmitted by the external network user to the intranet user.
On the basis of application management, the gateway can also set bandwidth policies of different priorities and different magnitudes per user or per user group; for example, a bandwidth policy can be set for each group, and bandwidth can also be set per user, making the control of bandwidth management more precise. By setting a bandwidth policy for a user group, the outgoing bandwidth of a network server group can be effectively increased, the external service capability of the server group can be guaranteed, and the response time shortened. With sufficient consideration and reasonable planning of the bandwidth management settings, application-based bandwidth management can be implemented for any user or user group in the network; users and user groups do not need to be added separately, as the system reads them automatically from the existing user list and the user then selects them.
For bandwidth management based on application type and user, step 104 may include the following steps.
Step a3: determine the identifier of the intranet user corresponding to the data flow transmitted by the external network user to the intranet user.
Step b3: determine the application type corresponding to the data flow transmitted by the external network user to the intranet user.
Step c3: manage the bandwidth of the intranet user based on the identifier of the intranet user corresponding to the data flow transmitted by the external network user to the intranet user and the application type corresponding to that data flow.
Different bandwidth-policy priorities can also be set within different user or user-group policies; for example, the same group and different applications can be classified and assigned priorities, so as to guarantee the bandwidth usage of key applications and key users. By setting bandwidth management priorities per user and per application, non-key services can also be brought within the scope of management, so that all kinds of traffic inside the network are controlled. In bandwidth management, bandwidth control policies for specified applications, such as HTTP/FTP, eMule or Xunlei (Thunder), can be added, modified and deleted; network applications can also be user-defined by registering data such as addresses and ports, which fully guarantees the customer's own services. The gateway can also set bandwidth control policies for specified ports.
For bandwidth management based on controlling the number of connections, step 104 may include the following steps.
Step a4: determine the number of connections initiated by the intranet user in the current unit time.
Step b4: manage the bandwidth of the intranet user based on the number of connections initiated by the intranet user in the current unit time.
In the bandwidth management of the firewall system, bandwidth can also be controlled by limiting the number of connections: by controlling the number of connections a user initiates per second, the number of connections the user successfully establishes can be limited, so that bandwidth management of the applications the user uses is achieved through control of the connection count. The firewall system can also control a user's bandwidth by controlling the user's number of connections. It is well known that the more connections there are, the more bandwidth may be occupied, especially in the currently common P2P (peer-to-peer) downloading; limiting the number of connections is one of the most clearly effective measures for limiting P2P download bandwidth.
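User-, application- and connection-count-based bandwidth management from the steps above, as an added example that is not the patent's code: a priority-ordered policy table keyed by user group and application, and a per-user limit on connections initiated per second and on concurrently established connections. The policy values, user groups and limits are assumptions made for this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                # higher priority wins when several policies apply
    max_kbps: int                # bandwidth ceiling for matching traffic
    group: Optional[str] = None  # None matches any user group
    app: Optional[str] = None    # None matches any application


# Constructed policy table: per group, per application, and per (group, application).
POLICIES = [
    Policy("default", priority=0, max_kbps=2000),
    Policy("ops-any", priority=10, max_kbps=20000, group="ops"),
    Policy("any-p2p", priority=20, max_kbps=200, app="P2P"),
    Policy("ops-http", priority=30, max_kbps=50000, group="ops", app="HTTP"),
]

# Constructed user list, standing in for the existing user list the gateway reads.
USER_GROUPS = {"alice": "ops", "bob": "guest"}


def resolve_policy(user: str, app: str) -> Policy:
    """Pick the highest-priority policy whose group/application selectors match."""
    group = USER_GROUPS.get(user)
    candidates = [p for p in POLICIES
                  if p.group in (None, group) and p.app in (None, app)]
    return max(candidates, key=lambda p: p.priority)


class ConnectionLimiter:
    """Per-user cap on connections initiated per second and on established connections."""

    def __init__(self, per_second: int, concurrent: int):
        self.per_second = per_second
        self.concurrent = concurrent
        self._recent = defaultdict(deque)  # user -> initiation times in the last second
        self._open = defaultdict(int)      # user -> currently established connections

    def try_connect(self, user: str, now: float) -> bool:
        """Admit a new connection attempt at time `now`, or refuse it."""
        window = self._recent[user]
        while window and now - window[0] >= 1.0:
            window.popleft()  # drop initiations older than one second
        if len(window) >= self.per_second or self._open[user] >= self.concurrent:
            return False
        window.append(now)
        self._open[user] += 1
        return True

    def close(self, user: str) -> None:
        """Release one established connection of the user."""
        if self._open[user] > 0:
            self._open[user] -= 1


def simulate_burst() -> list:
    """bob tries seven connections; the limiter allows 3 per second and 5 concurrent."""
    limiter = ConnectionLimiter(per_second=3, concurrent=5)
    attempts = [0.0, 0.25, 0.5, 0.75, 1.5, 1.75, 2.0]
    return [limiter.try_connect("bob", t) for t in attempts]


if __name__ == "__main__":
    for user, app in (("alice", "HTTP"), ("alice", "P2P"), ("bob", "HTTP"), ("bob", "P2P")):
        p = resolve_policy(user, app)
        print(f"{user}/{app}: {p.name} ({p.max_kbps} kbps)")
    print(simulate_burst())
```

In the burst the fourth attempt is refused by the per-second rate, and the seventh by the concurrent cap, which matches the two controls described above: connections initiated per second and connections successfully established.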
Fig. 4 shows a safety protection device for train operation monitoring and recording device business data flow provided by an embodiment of the present invention, which is applicable to the application scenario shown in Fig. 1. Referring to Fig. 4, the device includes a first determining module 401, a second determining module 402 and a filtering module 403.
The first determining module 401 is configured to determine, when a data flow transmitted by an external network user to an intranet user is received, the intrusion behavior feature of the data flow transmitted by the external network user to the intranet user, the intrusion behavior feature including at least one of an attack behavior feature, a network and data hazard behavior feature, and an abnormal condition feature.
The second determining module 402 is configured to determine, based on the determined intrusion behavior feature of the data flow and a target intrusion behavior feature, whether the data flow transmitted by the external network user to the intranet user is a data flow hiding intrusion behavior.
The filtering module 403 is configured to filter the data flow transmitted by the external network user to the intranet user when that data flow is a data flow hiding intrusion behavior.
Illustratively, the intrusion behavior feature includes an attack behavior feature. Correspondingly, the second determining module 402 is configured to: determine the attack behavior feature of the data flow transmitted by the external network user to the intranet user in the current period, the attack behavior feature including the number of sessions in the current period, the number of sessions per unit time and the number of data packets per unit time; compare the number of sessions in the current period with the target session count, the number of sessions per unit time with the target number of sessions per unit time, and the number of data packets per unit time with the target number of data packets per unit time; and, when the number of sessions in the current period, the number of sessions per unit time and the number of data packets per unit time respectively reach or exceed the target session count, the target number of sessions per unit time and the target number of data packets per unit time, determine that the data flow transmitted by the external network user to the intranet user is a data flow hiding intrusion behavior.
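The three-counter comparison described for the second determining module 402 (and again in claim 2), as an added example that is not the patent's code: it counts the sessions of the period, takes the peak sessions and packets over the unit-time buckets of that period, and flags a flow only when all three counters reach or exceed their targets. The bucketing, the target values and the sample events are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Targets:
    """Target intrusion behaviour feature (constructed values for the example)."""
    sessions_per_period: int
    sessions_per_unit: int
    packets_per_unit: int


@dataclass(frozen=True)
class Features:
    """Attack behaviour feature of the current period."""
    sessions_per_period: int
    sessions_per_unit: int   # peak over the unit-time buckets of the period (assumption)
    packets_per_unit: int    # peak over the unit-time buckets of the period (assumption)


def extract_features(events, period_start: float, period_len: float,
                     unit_len: float = 1.0) -> Features:
    """events: (timestamp_seconds, session_id, packet_count) for one external->intranet pair."""
    sessions = set()
    sessions_by_unit = defaultdict(set)
    packets_by_unit = defaultdict(int)
    for ts, sid, pkts in events:
        if not (period_start <= ts < period_start + period_len):
            continue  # outside the current period
        bucket = int((ts - period_start) // unit_len)
        sessions.add(sid)
        sessions_by_unit[bucket].add(sid)
        packets_by_unit[bucket] += pkts
    return Features(
        sessions_per_period=len(sessions),
        sessions_per_unit=max((len(s) for s in sessions_by_unit.values()), default=0),
        packets_per_unit=max(packets_by_unit.values(), default=0),
    )


def hides_intrusion(f: Features, t: Targets) -> bool:
    """Flag only when all three counters reach or exceed their targets."""
    return (f.sessions_per_period >= t.sessions_per_period
            and f.sessions_per_unit >= t.sessions_per_unit
            and f.packets_per_unit >= t.packets_per_unit)


TARGETS = Targets(sessions_per_period=20, sessions_per_unit=10, packets_per_unit=500)

# Constructed samples. The burst opens 12 sessions of 50 packets inside one second and
# 13 more in the next; the steady flow opens one small session every half second.
BURST_EVENTS = ([(0.05 * i, f"s{i}", 50) for i in range(12)]
                + [(1.0 + 0.05 * i, f"s{12 + i}", 10) for i in range(13)])
STEADY_EVENTS = [(0.5 * i, f"b{i}", 5) for i in range(25)]


def evaluate_samples() -> dict:
    """Apply the check to both samples over a 20-second period starting at t=0."""
    return {
        name: hides_intrusion(extract_features(ev, 0.0, 20.0), TARGETS)
        for name, ev in (("burst", BURST_EVENTS), ("steady", STEADY_EVENTS))
    }


if __name__ == "__main__":
    for name, ev in (("burst", BURST_EVENTS), ("steady", STEADY_EVENTS)):
        print(name, extract_features(ev, 0.0, 20.0))
    print(evaluate_samples())
```

The steady sample also reaches the per-period session target (25 sessions), but because its per-unit counters stay low it is not flagged: the decision is the conjunction of all three comparisons.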
Illustratively, the device further includes a management module 404, configured to: when the data flow transmitted by the external network user to the intranet user is not a data flow hiding intrusion behavior, determine the application type corresponding to that data flow; and manage the bandwidth of the data flow transmitted by the external network user to the intranet user based on the corresponding application type.
Illustratively, the management module 404 is configured to: determine the protocol corresponding to the data flow transmitted by the external network user to the intranet user; determine the type of the corresponding protocol; and determine, based on the type of the corresponding protocol, the application type corresponding to the data flow transmitted by the external network user to the intranet user.
Illustratively, the management module 404 is also configured to: when the type of the corresponding protocol is the first class, extract fingerprint information from the data flow transmitted by the external network user to the intranet user, the fingerprint information including at least one of a target port identifier, a target character string and a target sequence, and determine the application type corresponding to that data flow based on the extracted fingerprint information; when the type of the corresponding protocol is the second class, decode the data flow transmitted by the external network user to the intranet user and determine the application type corresponding to that data flow based on the decoded data flow; and when the type of the corresponding protocol is the third class, determine the behavior the corresponding intranet user has already performed with respect to the data flow and determine the application type corresponding to that data flow based on that behavior.
Illustratively, the device further includes an authentication module 405, configured to: receive a login request of the intranet user, the login request including the identifier of the intranet user; authenticate the intranet user based on the identifier of the intranet user; and, after the authentication passes, grant the authenticated intranet user the corresponding external network access permission based on the identifier of the intranet user.
Illustratively, the management module 404 is also configured to: when it is detected that the data flow is not a data flow hiding intrusion behavior, determine the identifier of the intranet user corresponding to the data flow; and manage the bandwidth of that intranet user based on the identifier of the intranet user corresponding to the data flow.
Illustratively, the management module 404 is configured to: determine the application type corresponding to the data flow; and manage the bandwidth of the intranet user based on the identifier of the intranet user corresponding to the data flow and the application type corresponding to the data flow.
By determining the intrusion behavior feature of the data flow transmitted by the external network user to the intranet user and determining, based on the target intrusion behavior feature, whether that data flow is a data flow hiding intrusion behavior, the embodiment of the present invention can filter out data flows that hide intrusion behavior, so that the intrusion is blocked before the data flow enters the intranet. This prevents trouble before it happens, sufficiently reduces the harm, improves security and reliability, and prevents unauthorized access to the train intranet, eavesdropping on and tampering with data, and network attacks carried out through the LKJ business data flow.
It should be understood that when the safety protection device for train operation monitoring and recording device business data flow provided by the above embodiment performs safety protection on the business data flow, the division into the functional modules above is only illustrative; in practical application, the above functions may be distributed to different functional modules as required, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. In addition, the safety protection device for train operation monitoring and recording device business data flow provided by the above embodiment and the embodiment of the safety protection method for train operation monitoring and recording device business data flow belong to the same concept; the specific implementation process is detailed in the method embodiment and is not repeated here.
Fig. 5 shows the structural block diagram of a safety protection device for train operation monitoring and recording device business data flow provided by an exemplary embodiment of the invention. The safety protection device may be a computer 300. Computer 300 includes a central processing unit (CPU) 301, a system memory 304 including a random access memory (RAM) 302 and a read-only memory (ROM) 303, and a system bus 305 connecting the system memory 304 and the central processing unit 301. Computer 300 may also include a basic input/output system (I/O system) 306 that helps transfer information between the devices in the computer, and a mass storage device 307 for storing an operating system 313, application programs 314 and other program modules 315.
The basic input/output system 306 includes a display 308 for displaying information and an input device 309, such as a mouse or keyboard, for the user to enter information. The display 308 and the input device 309 are both connected to the central processing unit 301 through an input/output controller 310 connected to the system bus 305. The basic input/output system 306 may also include the input/output controller 310 for receiving and processing input from a number of other devices such as a keyboard, mouse or electronic stylus. Similarly, the input/output controller 310 also provides output to a display screen, printer or other type of output device.
The mass storage device 307 is connected to the central processing unit 301 through a mass storage controller (not shown) connected to the system bus 305. The mass storage device 307 and its associated computer-readable medium provide non-volatile storage for the computer 300. That is, the mass storage device 307 may include a computer-readable medium (not shown) such as a hard disk or a CD-ROM drive.
Without loss of generality, the computer-readable medium may include computer storage media and communication media. Computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include RAM, ROM, EPROM, EEPROM, flash memory or other solid-state storage technologies, CD-ROM, DVD or other optical storage, tape cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. Of course, those skilled in the art will know that computer storage media are not limited to the above. The above system memory 304 and mass storage device 307 may be collectively referred to as memory.
According to various embodiments of the invention, the computer 300 may also be operated by connecting to a remote computer on a network through a network such as the Internet. That is, the computer 300 may be connected to a network 312 through a network interface unit 311 connected to the system bus 305; in other words, the network interface unit 311 may also be used to connect to other types of networks or remote computer systems (not shown).
The above memory further includes one or more programs, which are stored in the memory and configured to be executed by the CPU. The one or more programs contain instructions for carrying out the safety protection method for train operation monitoring and recording device business data flow provided by the embodiment of the invention as described above.
Those of ordinary skill in the art will understand that all or part of the steps of the above embodiments can be completed by hardware, or by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, and the storage medium may be a read-only memory, a magnetic disk, an optical disc or the like.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the invention; any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall be included in the scope of protection of the present invention.

Claims (10)

1. A safety protection method for train operation monitoring and recording device business data flow, characterized in that the method comprises:
when a data flow transmitted by an external network user to an intranet user is received, determining an intrusion behavior feature of the data flow transmitted by the external network user to the intranet user, the intrusion behavior feature comprising at least one of an attack behavior feature, a network and data hazard behavior feature, and an abnormal condition feature;
based on the determined intrusion behavior feature of the data flow and a target intrusion behavior feature, determining whether the data flow transmitted by the external network user to the intranet user is a data flow hiding intrusion behavior;
when the data flow transmitted by the external network user to the intranet user is the data flow hiding intrusion behavior, filtering the data flow transmitted by the external network user to the intranet user.
2. The method according to claim 1, characterized in that the intrusion behavior feature comprises an attack behavior feature, and determining, based on the determined intrusion behavior feature of the data flow and the target intrusion behavior feature, whether the data flow transmitted by the external network user to the intranet user is a data flow hiding intrusion behavior comprises:
determining the attack behavior feature of the data flow transmitted by the external network user to the intranet user in the current period, the attack behavior feature comprising the number of sessions in the current period, the number of sessions per unit time and the number of data packets per unit time;
comparing the number of sessions in the current period with a target session count, the number of sessions per unit time with a target number of sessions per unit time, and the number of data packets per unit time with a target number of data packets per unit time;
when the number of sessions in the current period, the number of sessions per unit time and the number of data packets per unit time respectively reach or exceed the target session count, the target number of sessions per unit time and the target number of data packets per unit time, determining that the data flow transmitted by the external network user to the intranet user is the data flow hiding intrusion behavior.
3. The method according to claim 1, characterized in that the method further comprises:
when the data flow transmitted by the external network user to the intranet user is not the data flow hiding intrusion behavior, determining the application type corresponding to the data flow transmitted by the external network user to the intranet user;
based on the application type corresponding to the data flow transmitted by the external network user to the intranet user, managing the bandwidth of the data flow transmitted by the external network user to the intranet user.
4. The method according to claim 3, characterized in that determining the application type corresponding to the data flow transmitted by the external network user to the intranet user comprises:
determining the protocol corresponding to the data flow transmitted by the external network user to the intranet user;
determining the type of the corresponding protocol;
based on the type of the corresponding protocol, determining the application type corresponding to the data flow transmitted by the external network user to the intranet user.
5. The method according to claim 4, characterized in that determining, based on the type of the corresponding protocol, the application type corresponding to the data flow transmitted by the external network user to the intranet user comprises:
when the type of the corresponding protocol is a first class, extracting fingerprint information from the data flow transmitted by the external network user to the intranet user, the fingerprint information comprising at least one of a target port identifier, a target character string and a target sequence, and determining, based on the extracted fingerprint information, the application type corresponding to the data flow transmitted by the external network user to the intranet user;
when the type of the corresponding protocol is a second class, decoding the data flow transmitted by the external network user to the intranet user, and determining, based on the decoded data flow, the application type corresponding to the data flow transmitted by the external network user to the intranet user;
when the type of the corresponding protocol is a third class, determining the behavior already performed by the corresponding intranet user, and determining, based on the behavior already performed by the corresponding intranet user, the application type corresponding to the data flow transmitted by the external network user to the intranet user.
6. The method according to claim 5, characterized in that, before receiving the data flow transmitted by the external network user to the intranet user, the method further comprises:
receiving a login request of the intranet user, the login request comprising an identifier of the intranet user;
authenticating the intranet user based on the identifier of the intranet user;
after the authentication passes, granting the authenticated intranet user the corresponding external network access permission based on the identifier of the intranet user.
7. The method according to claim 6, characterized in that the method further comprises:
when the data flow transmitted by the external network user to the intranet user is not the data flow hiding intrusion behavior, determining the identifier of the intranet user corresponding to the data flow transmitted by the external network user to the intranet user;
based on the identifier of the intranet user corresponding to the data flow transmitted by the external network user to the intranet user, managing the bandwidth of the intranet user.
8. The method according to claim 7, characterized in that managing the bandwidth of the intranet user based on the identifier of the intranet user corresponding to the data flow transmitted by the external network user to the intranet user comprises:
determining the application type corresponding to the data flow transmitted by the external network user to the intranet user;
based on the identifier of the intranet user corresponding to the data flow transmitted by the external network user to the intranet user and the application type corresponding to the data flow transmitted by the external network user to the intranet user, managing the bandwidth of the intranet user.
9. A safety protection device for train operation monitoring and recording device business data flow, characterized in that the device comprises:
a first determining module, configured to determine, when a data flow transmitted by an external network user to an intranet user is received, an intrusion behavior feature of the data flow transmitted by the external network user to the intranet user, the intrusion behavior feature comprising at least one of an attack behavior feature, a network and data hazard behavior feature, and an abnormal condition feature;
a second determining module, configured to determine, based on the determined intrusion behavior feature of the data flow and a target intrusion behavior feature, whether the data flow transmitted by the external network user to the intranet user is a data flow hiding intrusion behavior;
a filtering module, configured to filter the data flow transmitted by the external network user to the intranet user when that data flow is the data flow hiding intrusion behavior.
10. A safety protection device for train operation monitoring and recording device business data flow, characterized in that the device comprises a processor and a memory, the memory storing at least one instruction, and the instruction being loaded and executed by the processor to implement the safety protection method for train operation monitoring and recording device business data flow according to any one of claims 1 to 8.
CN201910586011.5A, priority date 2019-07-01, filing date 2019-07-01: The safety protecting method and equipment of train operation monitoring and recording device business data flow. Status: Pending. Publication: CN110532753A (en).

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201910586011.5A (CN110532753A) | 2019-07-01 | 2019-07-01 | The safety protecting method and equipment of train operation monitoring and recording device business data flow

Publications (1)

Publication Number | Publication Date
CN110532753A | 2019-12-03

Family

ID=68659460

Country Status (1)

Country | Link
CN (1) | CN110532753A (en)

Citations (7)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN102857486A * | 2012-04-01 | 2013-01-02 | 深信服网络科技(深圳)有限公司 | Next-generation application firewall system and defense method
CN104836702A * | 2015-05-06 | 2015-08-12 | 华中科技大学 | Host network abnormal behavior detection and classification method under large flow environment
CN105592050A * | 2015-09-07 | 2016-05-18 | 杭州华三通信技术有限公司 | Method and firewall for preventing attacks
CN106357628A * | 2016-08-31 | 2017-01-25 | 东软集团股份有限公司 | Attack defense method and device
CN109327426A * | 2018-01-11 | 2019-02-12 | 白令海 | A kind of firewall attack defense method
US20190132353A1 * | 2017-11-02 | 2019-05-02 | International Business Machines Corporation | Service overload attack protection based on selective packet transmission
CN109922048A * | 2019-01-31 | 2019-06-21 | 国网山西省电力公司长治供电公司 | One kind serially dispersing concealed threat Network Intrusion detection method and system

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication

Application publication date: 20191203