CN110601889B - System and method for realizing safe backtracking deep encryption controlled network link resource scheduling management - Google Patents


Info

Publication number: CN110601889B
Application number: CN201910870875.XA
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN110601889A
Inventors: 梁挺义, 夏德亮, 王迎乐, 王雪霞
Current assignee: Shanghai Mengyu Information Technology Co ltd
Original assignee: Shanghai Mengyu Information Technology Co ltd
Prior art keywords: subsystem, network, encryption, link, resource scheduling
Legal status: Active
Events: application filed by Shanghai Mengyu Information Technology Co ltd; priority to CN201910870875.XA; publication of CN110601889A; application granted; publication of CN110601889B.

Classifications

All classifications fall under H (Electricity) / H04 (Electric communication technique) / H04L (Transmission of digital information, e.g. telegraphic communication):

H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    H04L 41/08 Configuration management of networks or network elements
        H04L 41/0803 Configuration setting
            H04L 41/0823 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability
    H04L 41/12 Discovery or management of network topologies
H04L 63/00 Network architectures or network communication protocols for network security
    H04L 63/02 Separating internal from external traffic, e.g. firewalls
        H04L 63/0227 Filtering policies
            H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    H04L 63/04 Providing a confidential data exchange among entities communicating through data packet networks
        H04L 63/0428 Wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    H04L 63/08 Authentication of entities
        H04L 63/0876 Authentication based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    H04L 63/14 Detecting or protecting against malicious traffic
        H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
        H04L 63/1441 Countermeasures against malicious traffic
H04L 67/00 Network arrangements or protocols for supporting network services or applications
    H04L 67/01 Protocols
        H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
            H04L 67/025 Protocols based on web technology for remote control or remote monitoring of applications
    H04L 67/50 Network services
        H04L 67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
        H04L 67/75 Indicating network or usage conditions on the user display

Abstract

The invention relates to a system for realizing safe backtracking deep encryption controlled network link resource scheduling management based on a tunnel encryption technology. The system comprises a link access subsystem, a resource scheduling subsystem, an autonomous defense subsystem, a monitoring management subsystem and an intelligent networking subsystem. The link access subsystem manages external access to network link resources; the resource scheduling subsystem manages link networking requirements and network resources; the autonomous defense subsystem provides defense for each networking node of the system; the monitoring management subsystem monitors and manages the equipment of the whole environment; and the intelligent networking subsystem links a suitable number of resource nodes to form a deep-encrypted, anti-tracing, controlled network link. The invention also relates to a method for realizing safe backtracking deep encryption controlled network link resource scheduling management based on the tunnel encryption technology. Backed by a powerful big-data platform for analysing network attack behaviour, the system and method can act as a defensive bastion host against network attacks, and can return detailed information about an attack to a visual monitoring system through a monitored data encryption bin.

Description

System and method for realizing safe backtracking deep encryption controlled network link resource scheduling management
Technical Field
The invention relates to the field of security, in particular to network security, and specifically to a system and a method for realizing safe backtracking deep encryption controlled network link resource scheduling management based on a tunnel encryption technology.
Background
With the rapid development of the internet, more and more offline businesses have moved their operations online. All kinds of complex business promotions have emerged, and promotional links have increasingly become the main channel through which consumers learn about a diverse range of goods. This has directly led to many false and fraudulent illegal sites being mixed in among them, including high-risk websites that carry out internet attacks. These sites are full of diverse network security traps that directly threaten the personal property, private data and even the personal safety of ordinary users.
Fraud and false promotion by network sites in areas such as financing, investment and health care can be prevented to some extent by raising the security awareness of ordinary users, but illegal intrusions such as the endless attacks and thefts in cyberspace catch even professional technicians off guard, and ordinary users are left on pins and needles. For units or enterprises with higher security requirements, the losses caused by network security problems are even harder to make good. Although most commonly used network devices such as mobile phones and computers have their own firewall functions, a user who is not a professional practitioner finds it difficult to use those firewall functions properly to protect the internet access device from network security problems. In daily work and life, people therefore urgently need a safe, efficient and rigorous network access environment that keeps their own network secure and stable while they enjoy the convenience of the internet.
Traditional security software such as 360 Safeguard, Kingsoft Guard and Tencent PC Manager focuses on protecting the operational security of the system space of the user's internet access device, but because of the limitations of local policies, the user can still run into the following problems when accessing the internet:
1. Some sensitive communication data is unencrypted
2. Exposing the real IP address
3. Exposing real network card information
4. Exposing real time zone information
5. Exposing the real geographic location
6. Exposing real open ports
If this sensitive information is exploited maliciously, the user suffers consequences that are hard to predict. To address these problems, many people use tunnels such as L2TP over IPsec or OpenVPN to hop their traffic, so that sensitive information about their own internet access device is covered. However, encrypting communication data by hopping traffic through such tunnels has the following fatal defects:
1. The open ports of the egress device cannot be hidden.
2. The user's own information cannot be hidden from the egress device.
3. Data is encrypted only on the network link; at the hop device itself, packets are forwarded locally in plaintext.
4. Complete attack defense measures cannot be applied to the egress device, which is therefore easy to brute-force and compromise.
5. Once the egress device has been compromised, the information and network behaviour of the user's local internet access device can leak directly.
6. Because the connection is point-to-point, once the egress device has been compromised an attacker can reach the user's local device directly through it.
The invention inherits from traditional security software the advantage of automatically deploying the operating system's own security policies, and improves the scheme for self-handling security-related anomalies, in order to harden the system security of the network link's networking equipment. It is assisted by an efficient and secure deep network communication encryption mechanism (deep encryption: once the packet information of a user who reaches the public network through the network link has been deeply encrypted, the exit node cannot see information such as the local IP address of the user's equipment). Through policies that the control platform deploys automatically to every high-defense networking node, it provides the user with a highly secure and highly stable backtracking-controlled private deep encryption network that protects every aspect of the user's security while surfing the internet.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a system and a method for realizing safe backtracking deep encryption controlled network link resource scheduling management based on a tunnel encryption technology, which have the advantages of high safety, high stability and high efficiency.
In order to achieve the above purpose, the system and method for achieving safe backtracking deep encryption controlled network link resource scheduling management based on the tunnel encryption technology of the present invention are as follows:
the system for realizing the safe backtracking deep encryption controlled network link resource scheduling management based on the tunnel encryption technology is mainly characterized by comprising:
the link access subsystem is used for managing the external access condition of network link resources;
the resource scheduling subsystem is connected with the link access subsystem and is used for managing link networking requirements and network resources;
the autonomous defense subsystem is connected with the resource scheduling subsystem and the monitoring management subsystem and is used for providing defense for each networking node of the system;
the monitoring management subsystem is connected with the autonomous defense subsystem and is used for monitoring and managing the full-environment equipment;
and the intelligent networking subsystem is connected with the link access subsystem, the resource scheduling subsystem, the autonomous defense subsystem and the monitoring management subsystem and is used for linking a proper amount of resource nodes to form a deep encryption backtracking controlled network link.
Preferably, the link access subsystem includes:
the user identity authentication module is connected with the resource scheduling subsystem and is used for authenticating the identity of the user;
and the access demand response module is connected with the resource scheduling subsystem and used for returning parameters according to the resource use demand.
Preferably, the resource scheduling subsystem includes:
the hard resource scheduling module is connected with the link access subsystem and the intelligent networking subsystem, is used for managing issued link networking requirements, and is compatible with a third-party resource control API interface;
and the network resource scheduling module is connected with the link access subsystem and the intelligent networking subsystem and is used for providing the link resource with the best performance for the link access subsystem.
Preferably, the link networking requirements include hardware resources, an operating system, a device location, and a floating IP address.
Preferably, the autonomous defense subsystem includes an operating system automation task security deployment and control module, an operating system process space security deployment and control module, an operating system user data security deployment and control module, an operating system security policy deployment and control module, an operating system local network policy security deployment and control module, an operating system login personnel behavior habit analysis and management module, a network space attack behavior reconnaissance and defense module, a network space high-risk site access control module, an operating system local trace hiding module, a remote login induction system module, a network flow interference simulation module and a networking device emergency self-destruction mechanism module, which are all connected with the resource scheduling subsystem and the monitoring management subsystem for maintaining the device security of the networking node.
Preferably, the monitoring management subsystem includes:
the monitoring module is connected with the intelligent networking subsystem and is used for dedicated access to the monitoring information encryption bins in all networking equipment;
and the management module is connected with the monitoring module and the intelligent networking subsystem and is used for analyzing the data of the monitoring module, taking response measures, issuing instructions to schedule automatic link deployment service and carrying out configuration adjustment on nodes and network links.
Preferably, the network link of the system comprises two parts, namely a surface-layer encrypted tunnel and an internal encrypted tunnel; the internal encrypted tunnel is created on top of the surface-layer network encrypted tunnel, which takes the entry node as its starting point and the exit node as its end point.
The method for realizing the safe backtracking deep encryption controlled network link resource scheduling management based on the tunnel encryption technology by using the system is mainly characterized by comprising the following steps of:
(1) preparing a cloud network master controller and a cloud network monitoring machine;
(2) establishing and configuring a high-defense cloud network controlled machine, and performing security processing operations on its system;
(3) deploying an attack lure (decoy) on the cloud network controlled machine;
(4) forming an encrypted link between the master control machine and the controlled machines, and marking each controlled machine;
(5) the master controller and the controlled machines respond and start the deep communication encryption function and the symbiosis detection function;
(6) system access and use.
Preferably, the security processing operation in step (2) includes checking and updating vulnerability patches, initializing user permissions, checking the user permission number (root), initializing user roles, automatically cleaning redundant user roles, deploying user roles, deploying ports, deploying the startup sequence, deploying centralized scheduled (clock) tasks, deploying history records, deploying the process space, deploying system logs, deploying the equipment's local security policy, deploying the equipment's local network rules, and protecting against network attacks.
The system and the method for realizing safe backtracking deep encryption controlled network link resource scheduling management based on the tunnel encryption technology support multi-layer network traffic encryption through a deep encryption network link built from several high-security nodes. Within the whole network link, no networking node other than the entry node can learn the local source address of the link user, and no networking node other than the entry and exit nodes at the two ends of the link can obtain the destination address of the user's internet data. When a user does daily network work through the invention, sensitive data such as the user's IP address, geographic location, network card information and device identifiers are well hidden, protecting the user's property, privacy and network data. Besides actively hiding the user's sensitive information during network use, and because of the serial nature of the network topology, every high-protection networking node is equipped with a highly sensitive attack defense mechanism. Backed by a powerful big-data platform for analysing network attack behaviour, each high-protection networking node can serve as a defensive bastion host against network attacks when the user faces illegal attacks on the network, and can return detailed information about the attack to the visual monitoring system through a monitored data encryption bin, so that the user can keep track of how the private link is being used.
Drawings
Fig. 1 is a profile view of the deep encryption network tunnel of the system for realizing safe backtracking deep encryption controlled network link resource scheduling management based on the tunnel encryption technology of the present invention.
Fig. 2 is a cross-sectional view of the functional composition of the safe backtracking deep encryption controlled network of the system for realizing safe backtracking deep encryption controlled network link resource scheduling management based on the tunnel encryption technology of the present invention.
Fig. 3 is a flow chart of automated task deployment and control on a network controlled machine for the method for realizing safe backtracking deep encryption controlled network link resource scheduling management based on the tunnel encryption technology of the present invention.
Fig. 4 is a flow chart of automated task deployment on a network controlled machine for the method for realizing safe backtracking deep encryption controlled network link resource scheduling management based on the tunnel encryption technology of the present invention.
Fig. 5 is a flow chart of process space deployment and control on a network controlled machine for the method for realizing safe backtracking deep encryption controlled network link resource scheduling management based on the tunnel encryption technology of the present invention.
Fig. 6 is a flow chart of system user control on a network controlled machine for the method for realizing safe backtracking deep encryption controlled network link resource scheduling management based on the tunnel encryption technology of the present invention.
Fig. 7 is a schematic diagram of encrypted tunnel data transmission of the system for realizing safe backtracking deep encryption controlled network link resource scheduling management based on the tunnel encryption technology of the present invention.
Detailed Description
In order that the technical contents of the present invention can be more clearly described, the present invention will be further described with reference to specific embodiments.
The invention discloses a system for realizing safe backtracking deep encryption controlled network link resource scheduling management based on a tunnel encryption technology, which comprises:
the link access subsystem is used for managing the external access condition of network link resources;
the resource scheduling subsystem is connected with the link access subsystem and is used for managing link networking requirements and network resources;
the autonomous defense subsystem is connected with the resource scheduling subsystem and the monitoring management subsystem and is used for providing defense for each networking node of the system;
the monitoring management subsystem is connected with the autonomous defense subsystem and is used for monitoring and managing the full-environment equipment;
and the intelligent networking subsystem is connected with the link access subsystem, the resource scheduling subsystem, the autonomous defense subsystem and the monitoring management subsystem and is used for linking a proper amount of resource nodes to form a deep encryption backtracking controlled network link.
As a preferred embodiment of the present invention, the link access subsystem includes:
the user identity authentication module is connected with the resource scheduling subsystem and is used for authenticating the identity of the user;
and the access demand response module is connected with the resource scheduling subsystem and is used for returning parameters according to the resource use demand.
As a preferred embodiment of the present invention, the resource scheduling subsystem includes:
the hard resource scheduling module is connected with the link access subsystem and the intelligent networking subsystem, is used for managing issued link networking requirements, and is compatible with a third-party resource control API interface;
and the network resource scheduling module is connected with the link access subsystem and the intelligent networking subsystem and is used for providing link resources with the best performance for the link access subsystem.
As a preferred embodiment of the present invention, the link networking requirements include hardware resources, an operating system, a device location, and a floating IP address.
As a preferred embodiment of the present invention, the autonomous defense subsystem includes an operating system automation task security deployment and control module, an operating system process space security deployment and control module, an operating system user data security deployment and control module, an operating system security policy deployment and control module, an operating system local network policy security deployment and control module, an operating system login personnel behavior habit analysis and management module, a network space attack behavior reconnaissance and defense module, a network space high-risk site access control module, an operating system local trace hiding module, a remote login induction system module, a simulated network traffic interference module, and a networking device emergency self-destruction mechanism module, which are all connected to the resource scheduling subsystem and the monitoring management subsystem, and are used for maintaining the device security of the networking node.
As a preferred embodiment of the present invention, the monitoring management subsystem includes:
the monitoring module is connected with the intelligent networking subsystem and is used for dedicated access to the monitoring information encryption bins in all networking equipment;
and the management module is connected with the monitoring module and the intelligent networking subsystem and is used for analyzing the data of the monitoring module, taking response measures, issuing instructions to schedule automatic link deployment service and carrying out configuration adjustment on nodes and network links.
As a preferred embodiment of the present invention, a network link of the system comprises two parts, namely a surface-layer encrypted tunnel and an internal encrypted tunnel, where the internal encrypted tunnel is created on top of a surface-layer network encrypted tunnel with the entry node as its starting point and the exit node as its end point.
The invention discloses a method for realizing safe backtracking deep encryption controlled network link resource scheduling management based on a tunnel encryption technology by using the system, which comprises the following steps:
(1) preparing a cloud network master controller and a cloud network monitoring machine;
(2) establishing and configuring a high-defense cloud network controlled machine, and performing security processing operations on its system;
(3) deploying an attack lure (decoy) on the cloud network controlled machine;
(4) forming an encrypted link between the master control machine and the controlled machines, and marking each controlled machine;
(5) the master controller and the controlled machines respond and start the deep communication encryption function and the symbiosis detection function;
(6) system access and use.
As a preferred embodiment of the present invention, the security processing operation in step (2) includes checking and updating vulnerability patches, initializing user permissions, checking the user permission number (root), initializing user roles, automatically cleaning redundant user roles, deploying ports, deploying the startup sequence, deploying centralized scheduled (clock) tasks, deploying history records, deploying the process space, deploying system logs, deploying the equipment's local security policies, deploying the equipment's local network rules, and protecting against network attacks.
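The security processing operation in step (2) is essentially a host-hardening checklist for each controlled machine. The following Python script is an added example, not code from the patent or its assignee, that audits three of the listed items against a baseline: checking the user permission number for root (any UID-0 account besides root), deploying ports (listening sockets outside a port allow-list), and centralizing scheduled tasks (cron commands whose executable lives outside trusted directories). The /etc/passwd content, the `ss -lntp` style socket listing and the crontab lines are constructed samples for a hypothetical node; the patent does not specify which tools or formats its implementation reads, so those are assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed /etc/passwd content for a hypothetical controlled node (not from the patent).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ops:x:1001:1001:ops:/home/ops:/bin/bash
svc-old:x:0:0:leftover service account:/var/svc:/bin/sh
"""

# Constructed `ss -lntp` style output for the same hypothetical node.
SAMPLE_LISTENERS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:9090      0.0.0.0:*         users:(("node_exporter",pid=1203,fd=5))
LISTEN 0      128    0.0.0.0:8081        0.0.0.0:*         users:(("python3",pid=5521,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Constructed system-crontab lines (schedule, user, command).
SAMPLE_CRONTAB = """# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   ops     /usr/local/bin/agent-heartbeat
* *     * * *   root    /tmp/.cache/update.sh
"""

TRUSTED_CRON_PREFIXES = ["/usr/", "/bin/", "/sbin/", "/etc/cron"]
PROCESS_RE = re.compile(r'\(\("([^"]+)"')


def uid0_accounts(passwd_text: str) -> List[str]:
    """Return every account whose UID field is 0; anything beyond 'root' is a finding."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names


def unexpected_listeners(ss_text: str, allowed_ports: Set[int], ignore_loopback: bool = True) -> List[Dict]:
    """Parse LISTEN rows and report sockets whose port is not on the allow-list.
    Loopback-only sockets are skipped by default because they are not reachable from the network."""
    findings = []
    for line in ss_text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 forms like [::]:22 intact
        if ignore_loopback and addr in ("127.0.0.1", "[::1]"):
            continue
        if int(port) in allowed_ports:
            continue
        match = PROCESS_RE.search(line)
        findings.append({"addr": addr, "port": int(port), "process": match.group(1) if match else "?"})
    return findings


def cron_outside_trusted_paths(crontab_text: str, trusted_prefixes: List[str]) -> List[str]:
    """Report scheduled commands whose executable is an absolute path outside the trusted directories."""
    findings = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(None, 6)  # five schedule fields, user, then the command verbatim
        if len(fields) < 7:
            continue
        command = fields[6]
        executable = command.split()[0]
        if executable.startswith("/") and not any(executable.startswith(p) for p in trusted_prefixes):
            findings.append(command)
    return findings


def audit(passwd_text: str, ss_text: str, crontab_text: str,
          allowed_ports: Set[int], trusted_prefixes: List[str]) -> List[str]:
    """Combine the three checks into human-readable findings for the monitoring side."""
    findings = []
    extra_root = [n for n in uid0_accounts(passwd_text) if n != "root"]
    if extra_root:
        findings.append("uid-0 accounts besides root: " + ", ".join(extra_root))
    for sock in unexpected_listeners(ss_text, allowed_ports):
        findings.append(f"unexpected listener {sock['addr']}:{sock['port']} ({sock['process']})")
    for cmd in cron_outside_trusted_paths(crontab_text, trusted_prefixes):
        findings.append("cron command outside trusted paths: " + cmd)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_LISTENERS, SAMPLE_CRONTAB, {22}, TRUSTED_CRON_PREFIXES):
        print(finding)
```

On a real node the three inputs would come from `/etc/passwd`, `ss -lntp` and the system crontab files; the baseline (allowed ports, trusted cron directories) is what the control platform would push down as part of the unified template.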
In a specific embodiment, the invention aims to provide individuals, enterprises and units with a safe, efficient and rigorous controlled, anti-tracing, hidden deep encryption network access environment (hereinafter the deep encryption network) for network operations with high security requirements.
During its construction, the deep encryption network applies a deeper layer of network encryption through a carrier network tunnel established in advance using the deep encryption tunnel technology. When a user transmits network data inside the deep encryption tunnel, every network traffic packet forwarded by each networking node (except the entry node) is encrypted, which breaks the bottleneck of conventional techniques in which local traffic is not encrypted and removes the various kinds of sensitive information that a user normally exposes to the public network environment while surfing. Network attacks are defended against through the autonomous security mechanism of the networking nodes in a secure-link fashion, and the local security policy of every networking node is technically supported by a powerful big-data cloud platform for network attack analysis, so that the user's requirements for network security and stability during network operations are met.
The system comprises the following components:
a. The link access subsystem is divided into an access identity authentication module and an access demand response module. It is responsible for authenticating the identity of network link access requests from external equipment and for providing the accessing party with a reasonable and efficient network link resource allocation service according to its access requirements;
b. The resource scheduling subsystem comprises a hard resource scheduling module and a network resource scheduling module and is responsible for the unified regulation and control of hard resources and network resources;
c. The autonomous defense subsystem includes, but is not limited to, defense of networking equipment, deployment and control of networking equipment, security deployment and control of network links, self-handling of anomalies, trace hiding, access control and other defensive means against high-risk network behaviour.
d. The monitoring management subsystem is responsible for monitoring and managing the equipment of the whole environment; any instruction issued by the monitoring management subsystem has the highest priority and the highest execution authority.
e. The intelligent networking subsystem uses the hard resources of the resource scheduling subsystem as basic support and the global deployment and control of the monitoring management subsystem as coordination support, and links a suitable number of unrelated resource nodes to form a deep encryption backtracking controlled network link.
The operation is characterized in that all networking behaviors are uniformly allocated by a monitoring management self-system, all controlled networking equipment exists in hidden zombie nodes in a passive response mode, and only the management nodes in the system are responded properly. All configuration information required by the operation of the networking nodes comes from the cloud, and the local service of the nodes is managed by the configuration words.
Access: the access method and the associated credentials are returned dynamically in response to the requesting party's connection request, and the user's client adapts to the optimal access method before accessing the network environment.
Networking: the backtracking deep encryption controlled network link consists of a surface-layer encryption tunnel and an internal encryption tunnel, nested one inside the other. The internal encryption tunnel is established on top of the surface-layer encryption tunnel, with the entry node as its starting point and the exit node as its end point. Within the link, each node communicates only with its immediate upstream and downstream devices, and a single node records only the IP addresses of those two devices. Because both the inner and outer tunnels are encrypted, packet traffic analysis performed locally on a networking device can only observe, inside the surface-layer tunnel, traffic between virtual addresses; it cannot recover the real address of the entry node device, nor analyse or infer the network behaviour of the operating terminal.
Security protection: every node device applies rule and policy protection from a unified template, corrects abnormal changes to the node's local environment, and forcibly terminates illegal processes.
The invention is composed of five systems of a link access subsystem, a resource scheduling subsystem, an autonomous defense subsystem, a monitoring management subsystem and an intelligent networking subsystem, wherein the main functions of each system are as follows:
1. link access subsystem
The invention aims to provide user groups with a secure, reliable and efficient backtracking controlled network access environment. The link access subsystem is the external access management component for the secure network link resources and is formed by the cooperation of a user identity authentication module and an access demand response module.
After the user has been authenticated by the user identity authentication module, the user can request use of a secure backtracking deep encryption controlled network access resource from the link access subsystem through a specific request rule. The access demand response module returns the parameters required for access according to the user's particular resource requirements. Once connected, the applicant may use the link as a private link for a certain period. After use, the user releases the resource, or the system's self-detection mechanism releases the target link. On release, all data on the current operating system of every networking node in the original link undergoes traceless processing, and all traces of use are eliminated.
To cope with different application scenarios and meet users' varied access requirements, the link access subsystem is compatible with the mainstream tunnel protocols on the market as the technical basis for users to access the backtracking deep encryption network link, and provides barrier-free access across multiple platforms, devices and operating systems.
2. Resource scheduling subsystem
To satisfy the invention's complex and variable usage requests and to serve as the hard support for secure networking, the resource scheduling subsystem has two main functions: hard resource scheduling and network resource scheduling.
For hard resource scheduling, the resource scheduling subsystem creates, releases and verifies, for single or multiple link networkings and according to the networking requirements issued by the management unit, the hard resources required, including but not limited to hardware resources (CPU, memory, external storage, etc.), operating systems (Windows 7/10, Ubuntu series, CentOS series, etc.), device locations (sika, London, Frankfurt, Tokyo, Singapore, Hong Kong, Shanghai, etc.) and floating IP addresses, and provides resource deployment that matches the invention's networking requirements without deviation.
To provide resource support from multiple directions, the resource scheduling subsystem is compatible with, but not limited to, the third-party resource control APIs of mainstream domestic and foreign cloud providers such as Alibaba Cloud, Tencent Cloud, Baidu Cloud, AWS, Vultr and Linode, and can meet the hard resource requirements of the various networkings efficiently and in real time.
For network resource scheduling, the resource scheduling subsystem holds the highest scheduling right over ready network links. Through allocation measures including but not limited to sequential allocation and load balancing, it hands the best-performing link resource to the link access subsystem, whose access demand response module then performs demand calibration and access allocation.
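How the private-link lease of the link access subsystem and the hard/network resource scheduling described above fit together, as an added example that is not the patent's own code. It assumes that a node is known by provider, region, floating IP and the number of links already routed through it; that a chain of 2 to 6 nodes (the range the implementation steps give) must not repeat a provider or a region, which is what makes the nodes unrelated; and that the least-loaded eligible node is chosen at every hop (one of the allocation measures the page names). The inventory is constructed.

```python
"""Added example (not the patent's code): lease one backtracking link from an
inventory of cloud nodes. Node data, the distinct-provider/region rule and the
least-loaded choice are assumptions made for the example."""
import time
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    provider: str
    region: str
    floating_ip: str
    load: int = 0          # links currently routed through this node


@dataclass
class Lease:
    owner: str
    chain: list
    expires_at: float


class ChainScheduler:
    def __init__(self, inventory, now=time.time):
        self.inventory = list(inventory)
        self.leases = {}
        self.now = now     # injectable clock so expiry can be tested offline

    def build_chain(self, hops):
        """Pick `hops` nodes, no two from the same provider or region, least loaded first."""
        if not 2 <= hops <= 6:
            raise ValueError("a link uses 2 to 6 controlled machines")
        chain, providers, regions = [], set(), set()
        for _ in range(hops):
            candidates = [n for n in self.inventory
                          if n.provider not in providers and n.region not in regions]
            if not candidates:
                raise RuntimeError("not enough unrelated nodes for the requested chain")
            best = min(candidates, key=lambda n: (n.load, n.name))
            chain.append(best)
            providers.add(best.provider)
            regions.add(best.region)
        return chain

    def lease(self, owner, hops, ttl):
        """An authenticated requester receives the entry/exit parameters of a private link for `ttl` seconds."""
        if owner in self.leases:
            raise RuntimeError(f"{owner} already holds a private link")
        chain = self.build_chain(hops)
        for n in chain:
            n.load += 1
        self.leases[owner] = Lease(owner, chain, self.now() + ttl)
        return {"entry": chain[0].floating_ip, "exit": chain[-1].floating_ip,
                "hops": [n.name for n in chain]}

    def release(self, owner):
        """Release the link and return the nodes whose local state must then be scrubbed."""
        lease = self.leases.pop(owner)
        for n in lease.chain:
            n.load -= 1
        return [n.name for n in lease.chain]

    def reap_expired(self):
        """The page's self-detection release: leases past their TTL are released automatically."""
        expired = [o for o, l in self.leases.items() if l.expires_at <= self.now()]
        return {o: self.release(o) for o in expired}


def make_inventory():
    # constructed sample inventory: two nodes share a provider, two share a region
    return [
        Node("n1", "aws", "tokyo", "203.0.113.1", load=2),
        Node("n2", "aws", "frankfurt", "203.0.113.2"),
        Node("n3", "vultr", "tokyo", "203.0.113.3"),
        Node("n4", "linode", "london", "203.0.113.4", load=1),
        Node("n5", "aliyun", "shanghai", "203.0.113.5", load=1),
    ]


if __name__ == "__main__":
    s = ChainScheduler(make_inventory())
    print(s.lease("alice", 3, ttl=600))
    print(s.release("alice"))
```

The list returned by `release` is the input to the traceless processing step: the scheduler knows which nodes carried the link, so it can order the scrub before those nodes are handed to the next applicant.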
3. Autonomous defense subsystem
As the central component of the invention, the autonomous defense subsystem provides highly sensitive, high-strength security defense for every networking node of the backtracking deep encryption secure controlled network. The main security defense functional modules include but are not limited to:
(1) operating system automation task safety control
(2) Operating system process space security deployment and control
(3) Operating system user data security deployment and control
(4) Operating system security policy deployment
(5) Operating system local network policy security deployment and control
(6) Behavior habit analysis and management of login personnel of operating system
(7) Cyberspace attack behavior reconnaissance defense
(8) Network space high risk site access control
(9) Operating system local trace hiding
(10) Telnet induction system
(11) Simulating network traffic interference
(12) Emergency self-destruction mechanism of networking equipment
(13)......
Wherein:
(1) The operating system automated task security control function monitors the sensitive boot and scheduling areas that system behaviour can trigger, including but not limited to the startup sequence and scheduled (clock) tasks, and handles exceptions in them. It prevents illegitimate services from masquerading as system tasks and prevents unnecessary tasks from being started illegally, thereby ensuring the security of the system environment and the concealment of the network environment;
(2) The operating system process space security control function analyses and manages all process data in the running process space as a whole. An unauthorised process that is executing but is not required by the system is backed up and isolated, then forcibly terminated. This keeps the process space secure and the memory space usable, and prevents exposure of the local environment or abnormal intrusion caused by the unauthorised process's illegal network activity, abnormal memory operations or dangerous behaviour such as out-of-bounds memory access;
(3) The operating system user data security control function manages the privileges and roles of system users. For unauthorised, illegal users it records and backs up the abnormal data, reports it to the monitoring information encryption bin, and then removes the unauthorised user in real time. For abnormal privilege changes to authorised users it records and reports the abnormality to the monitoring information encryption bin, then corrects the illegal privileges in real time so that legitimate users retain their proper access;
(4) The operating system security policy deployment and control function relies on the operator's cloud firewall, the user's local firewall and locally deployed private services to strictly control network behaviour including but not limited to port forwarding, port opening, traffic forwarding, traffic release, transparent network transmission, DNS hijacking and device access. When an illegal change to the security policy is detected, the function records the behaviour in detail, reports it to the monitoring information encryption bin, and then forcibly corrects the local abnormal policy, ensuring that the user's local security policy remains legitimate and effective;
(5) The operating system local network policy security control function cuts off network communication between the current device and external networks by default and records the normal, necessary routing information, including but not limited to the network routing table and the policy routing table. It applies a route release policy to the network targets that must be reachable, so that their communication proceeds normally, and a route blocking policy to every illegal address, forcibly severing all data communication between the current device and those addresses to protect the network security of the local device;
(6) The operating system login behaviour analysis and management function performs strict behaviour analysis on the users logged in to the current device. If the behaviour does not meet the specified security standard, the current login is judged illegal: the function records it, reports it to the monitoring information encryption bin, then changes the current user's account and password, and marks the network address of the illegal login as a high-risk address, notifying functional modules (4) and (5) to isolate it, so that network communication between the networking device and the high-risk address remains blocked and the local environment stays secure;
(7) The cyberspace attack reconnaissance defense function relies on a big-data network attack behaviour analysis platform. Each networking node passively updates its local encrypted network attack feature library at irregular intervals and performs feature analysis on ingress data. As soon as a flow matching an illegal network attack is found, the function notifies modules (4) and (5) to isolate the data and cuts off the attacker's data communication directly at the link layer;
(8) The cyberspace high-risk site access control function relies on a big-data high-risk site statistics platform. Each networking node updates its local high-risk site encryption bin actively or on a custom schedule, and the function updates and controls the high-risk site blocking set in real time from the data in that bin. When the blocking set and the bin's data are found to disagree, the blocking set is forcibly updated, safeguarding the security of the user's network access.
(9) The operating system local trace hiding function clears unnecessary sensitive network access data in real time, disables the connection tracking module and monitors its state continuously; if the module is found enabled, it is forcibly disabled and the event is reported to the monitoring information encryption bin, so that the device's local communication leaves as few traces as possible.
(10) The remote login induction system deploys a honeypot on the device's externally open connection port, records and analyses the operations performed inside the honeypot in real time, and provides case material for the big-data network attack behaviour analysis platform.
(11) The simulated network traffic interference function simulates human internet activity in real time, performing a controlled volume of traffic exchanges with well-known secure sites from the operating system. This conceals the addresses of the principal target devices the device is connected to and prevents the IP addresses of legitimate device nodes from leaking if the device is compromised.
(12) When a networking device suffers an abnormal intrusion that cannot be repaired, or its own services are fatally damaged, the self-destruction mechanism forcibly interrupts all data communication between the device and the public network. After the device has remained in this inactive state for a certain time, the monitoring system automatically erases all data stored on the problem device, releases and destroys the device, and finally releases and destroys the public IP it used, eliminating the problem device completely. It then notifies the resource scheduling system to create replacement node resources by copying the configuration of the destroyed device, so that the available quantity of resources is maintained.
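The analysis-and-response loop of function (6), including the hand-off of the high-risk address to functions (4) and (5), as an added example that is not part of the patent. The log lines are constructed in sshd's format; the security standard (a set of management source addresses, key-only logins, a permitted login-hour window, a failure threshold before an accepted login) is an assumption; and the firewall and route commands are emitted as strings for the two modules rather than executed.

```python
"""Added example (not the patent's code): judge logins on a networking node against
an assumed security standard and produce the actions function (6) prescribes."""
import re

# constructed sshd-style lines for the example (not a real capture)
LOG = """\
Jan 12 02:13:01 node3 sshd[4121]: Failed password for root from 198.51.100.7 port 50211 ssh2
Jan 12 02:13:04 node3 sshd[4121]: Failed password for root from 198.51.100.7 port 50212 ssh2
Jan 12 02:13:09 node3 sshd[4123]: Accepted password for root from 198.51.100.7 port 50214 ssh2
Jan 12 09:40:22 node3 sshd[4200]: Accepted publickey for ops from 192.0.2.10 port 41022 ssh2
Jan 12 23:55:02 node3 sshd[4300]: Accepted publickey for ops from 203.0.113.77 port 41100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ (?P<hour>\d\d):\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+")

POLICY = {                                   # assumed local security standard
    "management_sources": {"192.0.2.10"},    # only management nodes may log in
    "allowed_methods": {"publickey"},
    "allowed_hours": range(8, 22),           # 08:00-21:59 node-local time
    "max_failures_before_accept": 2,
}


def parse(log):
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["hour"] = int(e["hour"])
            events.append(e)
    return events


def analyse(events, policy=POLICY):
    """Judge every accepted login against the standard; return the illegal ones with reasons."""
    failures = {}
    findings = []
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]] = failures.get(e["src"], 0) + 1
            continue
        reasons = []
        if e["src"] not in policy["management_sources"]:
            reasons.append("source is not a management address")
        if e["method"] not in policy["allowed_methods"]:
            reasons.append(f"{e['method']} authentication not permitted")
        if e["hour"] not in policy["allowed_hours"]:
            reasons.append(f"login at {e['hour']:02d}:xx outside the permitted window")
        if failures.get(e["src"], 0) >= policy["max_failures_before_accept"]:
            reasons.append(f"{failures[e['src']]} failures from this address preceded acceptance")
        if reasons:
            findings.append({"user": e["user"], "src": e["src"], "reasons": reasons})
    return findings


def respond(findings):
    """Actions the page prescribes: report, rotate the account's credential, then have
    module (4) (firewall) and module (5) (routing) isolate the high-risk address."""
    actions = []
    high_risk = set()
    for f in findings:
        actions.append(("report_to_encryption_bin", f))
        actions.append(("rotate_credential", f["user"]))
        high_risk.add(f["src"])
    for src in sorted(high_risk):
        actions.append(("module4_firewall", f"iptables -I INPUT -s {src} -j DROP"))
        actions.append(("module5_route", f"ip route add blackhole {src}/32"))
    return actions


if __name__ == "__main__":
    for action in respond(analyse(parse(LOG))):
        print(action)
```

One caveat that follows from the page's own rule: a login from a management address that merely falls outside the hour window would be judged illegal and its address blackholed, cutting the node off from the only device allowed to control it. The window must therefore cover planned operations, or management sources must be exempt from the route block.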
In summary, the active defense of the autonomous defense subsystem consists of two parts, network defense and local policy defense. All functional modules complement and assist one another to maintain the device security of the networking nodes, producing silent controlled nodes that respond to nothing but the management devices and are hidden from the rest of the network. This guarantees the security and concealment of the nodes and lays the foundation for networking.
4. Monitoring management subsystem
The monitoring management subsystem is the AI brain of the invention and is responsible for monitoring and managing every device in the environment; any instruction issued by the monitoring management subsystem has the highest priority and the highest execution authority in the invention.
The monitoring management subsystem is mainly divided into two modules of monitoring and management.
The monitoring module accesses, through a dedicated channel, the monitoring information encryption bin in every networking device in the public network environment. All encryption bin data is mixed with key information of the device and stored under a private encryption scheme; the device key information required for decryption is held in the monitoring management subsystem, which decrypts the data with the corresponding private scheme. Unlike the management module, which is deployed independently in the network environment and is the only module permitted to access the devices, the monitoring module returns its data to the management module over a fully encrypted, closed transmission channel for behaviour analysis.
The management module is responsible for analyzing data returned by the monitoring module and taking response measures, and all automatic link deployment services of the invention are realized by unified scheduling of instructions issued by the management module.
5. Intelligent networking subsystem
As the core system of the invention, which all other systems serve, the intelligent networking subsystem, given definite networking requirements and sufficient networking resources, takes the hard resources of the resource scheduling subsystem as its basic support and the global deployment and control of the monitoring management subsystem as its coordinating support, and links a suitable number of unrelated resource nodes into a deep encryption backtracking controlled network link.
The networking steps are as follows:
a. and a plurality of high-protection networking nodes are created and form an encryption tunnel.
b. And acquiring the tunnel addresses of the link inlet device and the link outlet device.
c. And deeply encrypting the tunnel address of the entrance device and the tunnel address of the exit device of the link.
d. Except for the entrance device and the exit device, other devices of the network link carry out unconditional forwarding on the data packet from the entrance device to the exit device through a configuration route.
e. All data is decrypted at the egress device and then forwarded to the public network.
As a preferred embodiment of the invention, the encryption tunnel described in step a is built with L2TP over IPsec, and the tunnel addresses described in step c are unique. Each networking device plays a dual role: it is the server for the device in front of it in the chain and the client of the device behind it. When three or more networking nodes are chained, the DHCP range that each device offers as a tunnel server is unique, so the tunnel address acquired by every networking device is unique across the entire network link.
As a core implementation manner of the present invention, the depth encryption described in step c is obtained according to an ipsec Transport.
As the core of the invention, the construction of the deep encryption network tunnel depends on the creation of the virtual network tunnel, and the number of networking devices of the virtual network tunnel is greater than or equal to 3.
Conventional encrypted transmission acts only between the gateways of the devices; there is no concept of data encryption within the local device itself. In a secure network access environment this mechanism has the fatal weakness that data is exposed inside the local device of every node: a third-party organisation or individual need only compromise a device and analyse its traffic to obtain the source and destination addresses of the data passing through it, so both network behaviour and device information are at serious risk of analysis.
The deep encryption function of the invention builds an internal encryption tunnel on top of the existing encrypted network, that is, on top of the virtual encryption tunnel. All data carried in the original encrypted tunnel is encrypted and hidden except for the addressing header of the virtual tunnel. A third party who compromises a node device and briefly captures and analyses packets sees only the virtual source and destination addresses of the internal virtual tunnel, and this pair of addresses bears no relation to the external encrypted network. This greatly increases the difficulty of tracing, reduces the exposure to network attack, and serves to conceal both network behaviour and the nodes themselves.
Likewise, packet capture on the exit node can only detect packets whose source address is the starting address of the internal encryption tunnel, which is meaningless to an outside party because the addressing of the internal and external encryption tunnels is completely unrelated. This greatly improves the security and robustness of the platform network.
During networking, each pair of adjacent devices is connected by a combined L2TP over IPsec encryption tunnel. Apart from the entry and exit nodes, every node plays a dual role, acting as the server for the device in front of it in the topology and the client of the device behind it. Before the autonomous security services are deployed on a networking device, the system cleans redundant data and parameters from the device; after cleaning, the basic communication parameters each node depends on are initialised and the network service daemon is deployed. The DHCP segment of the virtual tunnel between each pair of network nodes is unique and marks that segment's place in the tunnel network. To prevent analysis of malicious network behaviour from outside the device, IPsec negotiation abandons the generic dynamic IKE negotiation in favour of a uniform static mode, and all connection parameters are configured centrally by the management module of the monitoring management subsystem.
Once the L2TP over IPsec networking link is established end to end, the two ends of the whole tunnel link hold a unique pair of entry and exit tunnel addresses. The GRE tunnel of the deep network link is created between this pair of addresses, and because the GRE setup traffic between networking nodes is carried over L2TP over IPsec, no data is exposed in the public network environment.
A cross-section of the deep encryption network tunnel is shown in fig. 1. During construction of the deep encryption network, each network link is formed by a number of unrelated nodes handshaking with one another and combining into a chained, interconnected shared network link. Once the link is complete, the whole link communicates over the private encryption tunnel; after normal communication has been confirmed, the control node coordinates the creation, on top of that tunnel, of a deep virtual network tunnel running from the link's virtual entry to its virtual exit. This deep tunnel depends entirely on the virtual network tunnels established between the nodes: L2TP over IPsec provides the outer encapsulation and outer data encryption, and GRE over IPsec at the inner layer provides the deep encryption. As a packet travels from the entry node to the exit node it remains encrypted while on each intermediate device; only the entry node can obtain the specific address information of the user's local environment, and packet capture on any other networking node yields only GRE-based deeply encrypted data between virtual addresses, from which the user's local environment cannot be recovered. Similarly, only the entry and exit nodes of a network link can obtain the real destination address of the user's network traffic packets, which is the deep encryption effect.
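A model of the nested encapsulation just described, as an added example that is not part of the patent, showing what a local capture on each node of a three-node chain can and cannot read. A toy authenticated stream cipher (an HMAC-SHA256 keystream plus an HMAC tag) stands in for IPsec ESP so the example runs offline; the outer per-hop layer models L2TP over IPsec, the inner layer GRE over IPsec transport between entry and exit; node names, addresses, keys and the per-hop /24 ranges are constructed.

```python
"""Added example (not the patent's code): per-node visibility in the nested tunnel.
The cipher here is a demonstration stand-in for ESP, not an IPsec implementation."""
import hashlib
import hmac
import ipaddress


def keystream_xor(key, data):
    # HMAC-SHA256 in counter mode with a fixed nonce: deterministic so the example is
    # reproducible; real ESP uses a per-packet IV and sequence number.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key, data):
    ct = keystream_xor(key, data)
    return hmac.new(key, b"tag" + ct, hashlib.sha256).digest()[:16] + ct


def open_(key, blob):
    """Plaintext, or None when the tag does not verify under this key (wrong hop / not an endpoint)."""
    tag, ct = blob[:16], blob[16:]
    expect = hmac.new(key, b"tag" + ct, hashlib.sha256).digest()[:16]
    return keystream_xor(key, ct) if hmac.compare_digest(tag, expect) else None


def encap(src, dst, layer, payload):
    return f"{src}>{dst}:{layer}|".encode() + payload


def decap(pkt):
    hdr, payload = pkt.split(b"|", 1)
    addrs, layer = hdr.decode().split(":")
    src, dst = addrs.split(">")
    return src, dst, layer, payload


# --- constructed topology -------------------------------------------------
USER_REAL_IP, ENTRY_PUBLIC_IP = "198.51.100.23", "203.0.113.1"
USER_TUNNEL_IP = "10.0.0.2"      # address the entry node hands the user inside the user's own tunnel
TARGET_IP = "93.184.216.34"
USER_KEY = b"user<->entry"
HOPS = [  # (sender, receiver, sender tunnel addr, receiver tunnel addr, hop key); one unique /24 per hop
    ("N1", "N2", "10.1.0.1", "10.1.0.2", b"hop N1-N2"),
    ("N2", "N3", "10.2.0.1", "10.2.0.2", b"hop N2-N3"),
]
GRE_ENTRY, GRE_EXIT = "10.1.0.1", "10.2.0.2"   # the unique entry/exit tunnel addresses
INNER_KEY = b"ipsec transport N1<->N3"         # held only by entry and exit
KEYS = {                                       # what each node is able to decrypt
    "N1": {USER_KEY, HOPS[0][4], INNER_KEY},
    "N2": {HOPS[0][4], HOPS[1][4]},
    "N3": {HOPS[1][4], INNER_KEY},
}


def hop_segments_unique(hops):
    """The page requires every hop's tunnel range to be unique: check that the /24s do not overlap."""
    nets = [ipaddress.ip_network(h[2] + "/24", strict=False) for h in hops]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def send_through_chain(user_pkt):
    """Per node, the bytes that arrive on its wire (what a local capture on that node sees)."""
    captures = {}
    wire = encap(USER_REAL_IP, ENTRY_PUBLIC_IP, "l2tp+esp", seal(USER_KEY, user_pkt))
    captures["N1"] = wire
    # entry node: strip the user's tunnel, then apply the deep (GRE over IPsec transport) layer
    pkt = encap(GRE_ENTRY, GRE_EXIT, "gre+esp", seal(INNER_KEY, open_(USER_KEY, decap(wire)[3])))
    for _, receiver, sa, da, key in HOPS:
        wire = encap(sa, da, "l2tp+esp", seal(key, pkt))   # outer per-hop tunnel
        captures[receiver] = wire
        pkt = open_(key, decap(wire)[3])                   # receiver strips only its own hop layer
    return captures


def peel(pkt, keys):
    """Strip every layer the given keys can open; return the (layer, src, dst) triples exposed."""
    exposed = []
    while True:
        src, dst, layer, body = decap(pkt)
        exposed.append((layer, src, dst))
        if layer == "ip":
            return exposed                  # the user's own packet: nothing further inside
        inner = None
        for k in keys:
            inner = open_(k, body)
            if inner is not None:
                break
        if inner is None:
            return exposed                  # ciphertext this node cannot open
        pkt = inner


def node_views():
    user_pkt = encap(USER_TUNNEL_IP, TARGET_IP, "ip", b"GET / HTTP/1.1")
    captures = send_through_chain(user_pkt)
    return {node: peel(captures[node], KEYS[node]) for node in KEYS}


if __name__ == "__main__":
    for node, layers in node_views().items():
        print(node, layers)
```

Running it reproduces the page's claim: N1 sees the user's real address (on the outer header of the user's own tunnel) and the target; N2 peels its hop and is left with the GRE packet between the two virtual tunnel addresses and an opaque payload; N3 recovers the target but only the user's tunnel address, never the real one. Two caveats on the page's design choices: the uniqueness check is needed because GRE is keyed on the entry/exit tunnel addresses, so an overlapping hop range would make them ambiguous; and the static keying the page prefers over IKE means no automatic rekeying, and RFC 4303 disables ESP anti-replay for manually keyed SAs, so the central management module must handle key rotation itself.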
Combining the above five systems, all parts cooperate to form a secure backtracking deep encryption controlled network access system composed of multiple "multi-protocol combined backtracking deep encryption high-efficiency network communication tunnels"; a cross-section of the functions that make up the secure backtracking deep encryption controlled network is shown in fig. 2.
As shown in fig. 7, the components of the backtracking deep encryption controlled network link are divided into two parts, namely a surface layer encryption tunnel and an internal encryption tunnel, and the two layers of networks are nested for use. The internal encryption tunnel is established by relying on a surface network encryption tunnel with an entrance node as a starting point and an exit node as a terminal point. In a link environment, each node itself has only a certain contact to its own upper/lower level device.
If an organisation or individual succeeds in compromising a node device before the self-destruction system takes effect, then within the brief window available for traffic analysis a single node can reveal at most the IP addresses of its own upstream and downstream devices, and no networking node except the entry node can yield the user's local data.
Because both the inner and outer tunnels are encrypted communication tunnels, if an organisation or individual attacks and analyses the device's traffic by a man-in-the-middle method before the self-destruction system takes effect, then even if the surface-layer encryption tunnel has been broken, packet capture on a single node device can only observe traffic between virtual addresses inside the surface-layer tunnel; the real address of the entry node device cannot be observed, and the network behaviour of the operating terminal cannot be analysed or inferred.
The implementation of the backtracking network access system is mainly divided into the following parts:
1, preparing a cloud network master control machine.
2, preparing a cloud network monitoring machine.
3, creating and configuring a cloud network controlled machine with high defense capability.
And 4, deploying the attack inducing machine on the cloud network controlled machine.
5, the master control machine jointly controls 2-6 controlled machines to form an encryption link and mark each controlled machine.
6, the master controller controls the controlled machine to respond and start the deep communication encryption function.
7, the main control computer and the controlled computer respond to start the symbiosis detection function.
And 8, accessing and using by the user.
Wherein:
The cloud network master controller of step 1 is the AI brain of the whole backtracking network access system, responsible for unified resource scheduling for every controlled network machine as required and for deploying the security and communication services related to each functional machine.
The cloud network monitor of step 2 is responsible for monitoring the information and collating the functions of all functional devices and network links in the system, and feeds the results back to the cloud network master controller, which evaluates the integrity of the network links and the security of the networking devices through big-data analysis and manages them centrally.
The high-protection cloud network controlled machine of step 3 provides secure and stable networking support for the whole anti-backtracking network access system and requires no control task from the master controller for this. Once deployed, the controlled machine performs a series of security processing operations on its own system at startup, in the following categories:
a) checking and updating vulnerability patches
b) User rights initialization
c) Check for accounts holding root-level (UID 0) privileges
d) User role initialization
e) Automatic clearing of redundant user roles
f) User role deployment and control
g) Port deployment and control
h) Start sequence deployment control
i) Centralized control of clock tasks
j) Historical record control
k) Process space deployment and control
l) System Log deployment
m) device local security policy deployment
n) device local network rule deployment
o) network attack protection
p)......
These services depend on no external service and run independently on each cloud network controlled machine.
The attack inducer of step 4 deploys a honeypot on the device's externally open connection port and relocates the real access port. Because every operation of a user logged in to the honeypot is recorded in real time, analysing the operations performed in the honeypot lets the system learn the habits of further illegal intrusions on its own and provides case material for the big-data network attack behaviour analysis platform.
As the core functional flow of the invention, steps 5 and 6 together complete the networking of the secure backtracking deep encryption controlled network link. During networking, each pair of adjacent devices is connected by a combined L2TP over IPsec encryption tunnel; apart from the entry and exit nodes, every node plays a dual role, acting as the server for the device in front of it in the topology and the client of the device behind it. The DHCP segment of the virtual tunnel between each pair of network nodes is unique and marks that segment's place in the tunnel network. To prevent analysis of malicious network behaviour from outside the device, IPsec negotiation abandons generic dynamic IKE negotiation in favour of a uniform static mode, and all connection parameters are configured centrally by the management module of the monitoring management subsystem.
Once the L2TP over IPsec networking link is established end to end, the two ends of the whole tunnel link hold a unique pair of entry and exit tunnel addresses, and the GRE tunnel of the deep network link is created between them. Because the GRE setup traffic between networking nodes is carried over L2TP over IPsec, no data is exposed in the public network environment. After the GRE tunnel has been created, data communication between the two tunnel ends is encrypted with IPsec transport mode, and the routing on the networking devices of the link is then adjusted so that the constructed deep network encryption tunnel can carry normal data communication.
During construction of the deep encryption network, each network link is formed by a number of unrelated nodes handshaking with one another and combining into a chained, interconnected shared network link. Once the link is complete, the whole link communicates over the private encryption tunnel; after normal communication has been confirmed, the control node coordinates the creation, on top of that tunnel, of a deep virtual network tunnel running from the link's virtual entry to its virtual exit. This deep tunnel depends entirely on the virtual network tunnels established between the nodes: L2TP over IPsec provides the outer encapsulation and outer data encryption, and GRE over IPsec at the inner layer provides the deep encryption. Packets travelling from the entry node to the exit node remain encrypted while on each intermediate device; only the entry node can obtain the specific address information of the user's local environment, and because the data in the tunnel is deeply encrypted on the basis of GRE, packet capture on any other networking node yields only encrypted data between virtual addresses, from which the user's local environment cannot be recovered.
After the secure backtracking deep encryption controlled network access link is complete, the symbiotic system of step 7 is deployed on the whole link. The symbiotic environment on each node continuously monitors its front and rear nodes in the self-organised network topology. If one device in the network link becomes abnormal, the symbiotic system of that device self-destroys immediately; the other devices associated with it then self-destroy in turn because of their own symbiotic systems, and so on along the link. Thus, once a node is seriously abnormal, the whole link self-destroys within a short time and can no longer be used, which protects the user environment from leakage.
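The symbiotic monitoring just described is, in effect, a chain of heartbeat watchdogs whose only action is self-destruction. The Python simulation below is added as an illustration and is not the patent's own code. It models a five-node serial link in which each node watches its front and rear neighbour, and shows both the intended cascade after an abnormal device and the failure mode a defender has to weigh: with a one-missed-beat trigger, a single lost heartbeat wipes the whole link. Node names, tick counts and the miss threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    alive: bool = True
    last_beat: int = 0                             # tick of this node's most recent heartbeat
    misses: dict = field(default_factory=dict)     # neighbour name -> consecutive missed beats

class SerialLink:
    """Series-connected link; node i watches its front (i-1) and rear (i+1) neighbour."""

    def __init__(self, names, miss_threshold=1):
        self.nodes = [Node(n) for n in names]
        self.threshold = miss_threshold            # consecutive missed beats before self-destruct
        self.tick = 0
        self.destroyed = {}                        # name -> tick at which it self-destructed

    def _neighbours(self, i):
        return [j for j in (i - 1, i + 1) if 0 <= j < len(self.nodes)]

    def self_destruct(self, name):
        """The node's symbiotic system wipes it; from now on it emits no heartbeat."""
        for n in self.nodes:
            if n.name == name and n.alive:
                n.alive = False
                self.destroyed[name] = self.tick

    def survivors(self):
        return [n.name for n in self.nodes if n.alive]

    def step(self, silent=()):
        """One monitoring round. `silent` names live nodes that fail to beat this tick (e.g. jitter)."""
        self.tick += 1
        for n in self.nodes:
            if n.alive and n.name not in silent:
                n.last_beat = self.tick
        decisions = []
        for i, n in enumerate(self.nodes):
            if not n.alive:
                continue
            for j in self._neighbours(i):
                m = self.nodes[j]
                if m.last_beat < self.tick:        # no beat from this neighbour this tick
                    n.misses[m.name] = n.misses.get(m.name, 0) + 1
                    if n.misses[m.name] >= self.threshold:
                        decisions.append(n.name)
                else:
                    n.misses[m.name] = 0
        for name in decisions:                     # apply after the sweep: every node judges the same tick
            self.self_destruct(name)
        return self.survivors()

def cascade(names="ABCDE", abnormal="C", miss_threshold=1, max_ticks=50):
    """An abnormal device self-destructs first; return (survivors, destruction ticks) once the link is quiet."""
    link = SerialLink(names, miss_threshold)
    link.self_destruct(abnormal)
    for _ in range(max_ticks):
        if not link.step():
            break
    return link.survivors(), link.destroyed

def transient_silence(names="ABCDE", node="C", silent_ticks=2, miss_threshold=3):
    """A healthy node merely drops `silent_ticks` heartbeats and then recovers; return survivors."""
    link = SerialLink(names, miss_threshold)
    for _ in range(silent_ticks):
        link.step(silent={node})
    link.step()
    return link.survivors()

if __name__ == "__main__":
    print("abnormal C, threshold 1:", cascade())
    print("abnormal C, threshold 3:", cascade(miss_threshold=3))
    print("C silent 2 ticks, threshold 3:", transient_silence())
    print("C silent 3 ticks, threshold 3:", transient_silence(silent_ticks=3))
```

With a threshold of one missed beat the cascade empties a five-node link in two ticks, which is the behaviour the text wants after a compromise. The same threshold also turns two ticks of network jitter into a total wipe, so a real deployment needs a miss threshold (and ideally a second, independent health signal) that separates a silent neighbour from a compromised one; the simulation shows that even with a threshold of three, a node that stalls for three ticks still takes both its neighbours down.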
The system and method for realizing secure backtracking deep encryption controlled network link resource scheduling management based on tunnel encryption technology support multi-layer encryption of network traffic through a deep encryption network link built from several high-security nodes. Across the whole network link, no networking node other than the inlet node can learn the local source address of the link user, and no networking node other than the inlet and outlet nodes at the two ends of the link can learn the destination address of the user's Internet data. When the user does daily work on the network through the invention, sensitive data such as the user's IP address, geographic location, network card information and device identifier are well hidden, and the user's property, privacy and network data security are protected. Beyond actively hiding the user's sensitive information during network use, the serial nature of the network topology means that each high-protection networking node carries a high-sensitivity attack defense response mechanism. Backed by a large-scale big-data platform for analysing network attack behaviour, each such node can act as a bastion host against network attacks when the user's network is attacked illegally, and can return detailed information about the attack to the visual monitoring system through the monitored data encryption bin, so that the user can keep track of how the private link is being used.
In this specification, the invention has been described with reference to specific embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.

Claims (9)

1. A system for realizing safe backtracking deep encryption controlled network link resource scheduling management based on tunnel encryption technology is characterized in that the system comprises:
the link access subsystem is used for managing the external access condition of network link resources;
the resource scheduling subsystem is connected with the link access subsystem and is used for managing link networking requirements and network resources;
the autonomous defense subsystem is connected with the resource scheduling subsystem and the monitoring management subsystem and is used for providing defense for each networking node of the system;
the monitoring management subsystem is connected with the autonomous defense subsystem and is used for monitoring and managing the full-environment equipment;
the intelligent networking subsystem is connected with the link access subsystem, the resource scheduling subsystem, the autonomous defense subsystem and the monitoring management subsystem and is used for linking a proper amount of resource nodes to form a deep encryption backtracking controlled network link;
the system performs the following processes:
(1) preparing a cloud network master control machine and a cloud network monitoring machine;
(2) establishing and configuring a cloud network controlled machine with high protection capability, and performing a security processing operation on its system;
(3) deploying an attack inducer on the cloud network controlled machine;
(4) forming an encryption link between the master control machine and the controlled machines, and marking each controlled machine;
(5) the master control machine and the controlled machines responding by starting a deep communication encryption function and a symbiosis detection function;
(6) system access and use.
2. The system for implementing secure backtracking deep encryption controlled network link resource scheduling management based on tunnel encryption technology as claimed in claim 1, wherein said link access subsystem comprises:
the user identity authentication module is connected with the resource scheduling subsystem and is used for authenticating the identity of the user;
and the access demand response module is connected with the resource scheduling subsystem and is used for returning parameters according to the resource use demand.
3. The system for implementing secure backtracking deep encryption controlled network link resource scheduling management based on tunnel encryption technology as claimed in claim 1, wherein said resource scheduling subsystem comprises:
the hard resource scheduling module is connected with the link access subsystem and the intelligent networking subsystem, is used for managing issued link networking requirements, and is compatible with a third-party resource control API interface;
and the network resource scheduling module is connected with the link access subsystem and the intelligent networking subsystem and is used for providing the link resource with the best performance for the link access subsystem.
4. The system for implementing secure backtracking deep encryption controlled network link resource scheduling management based on tunnel encryption technology as claimed in claim 3, wherein the link networking requirements include hardware resources, operating system, device location and floating IP address.
5. The system for implementing deep encryption controlled network link resource scheduling management based on tunnel encryption technology as claimed in claim 1, wherein the autonomous defense subsystem includes an operating system automation task security deployment and control module, an operating system process space security deployment and control module, an operating system user data security deployment and control module, an operating system security policy deployment and control module, an operating system local network policy security deployment and control module, an operating system login personnel behavior habit analysis and management module, a cyberspace attack behavior reconnaissance and defense module, a cyberspace high-risk site access control module, an operating system local trace hiding module, a remote login induction system module, a simulated network traffic interference module and a networking equipment emergency self-destruction mechanism module, all connected to the resource scheduling subsystem and the monitoring management subsystem and used for maintaining the device security of the networking nodes.
6. The system for implementing secure backtracking deep encryption controlled network link resource scheduling management based on tunnel encryption technology as claimed in claim 1, wherein said monitoring management subsystem comprises:
the monitoring module is connected with the intelligent networking subsystem and is used for accessing the monitoring information encryption bins in all networking equipment;
and the management module is connected with the monitoring module and the intelligent networking subsystem and is used for analyzing the data of the monitoring module, taking response measures, issuing instructions to schedule automatic link deployment service and carrying out configuration adjustment on nodes and network links.
7. The system for achieving safe backtracking deep encryption controlled network link resource scheduling management based on tunnel encryption technology according to claim 1, wherein a network link of the system comprises a surface layer encryption tunnel and an internal encryption tunnel, and the internal encryption tunnel is created by relying on the surface layer network encryption tunnel which takes an entrance node as a starting point and an exit node as an end point.
8. A method for realizing secure backtracking deep encryption controlled network link resource scheduling management based on tunnel encryption technology, using a system for realizing secure backtracking deep encryption controlled network link resource scheduling management based on tunnel encryption technology, wherein the system comprises:
the link access subsystem is used for managing the external access condition of network link resources;
the resource scheduling subsystem is connected with the link access subsystem and is used for managing link networking requirements and network resources;
the autonomous defense subsystem is connected with the resource scheduling subsystem and the monitoring management subsystem and is used for providing defense for each networking node of the system;
the monitoring management subsystem is connected with the autonomous defense subsystem and is used for monitoring and managing the full-environment equipment;
the intelligent networking subsystem is connected with the link access subsystem, the resource scheduling subsystem, the autonomous defense subsystem and the monitoring management subsystem and is used for linking a proper amount of resource nodes to form a deep encryption backtracking controlled network link;
the method is characterized by comprising the following steps:
(1) preparing a cloud network master control machine and a cloud network monitoring machine;
(2) establishing and configuring a cloud network controlled machine with high protection capability, and performing a security processing operation on its system;
(3) deploying an attack inducer on the cloud network controlled machine;
(4) forming an encryption link between the master control machine and the controlled machines, and marking each controlled machine;
(5) the master control machine and the controlled machines responding by starting a deep communication encryption function and a symbiosis detection function;
(6) system access and use.
9. The method for implementing secure backtracking source deep encryption controlled network link resource scheduling management based on tunnel encryption technology as claimed in claim 8, wherein said security processing operation of step (2) comprises:
checking and updating vulnerability patches, initializing user authority, checking the user authority number stub, initializing user roles, automatically cleaning redundant user roles, deploying and controlling user roles, ports, the startup sequence, centrally scheduled clock tasks, history records, the process space, system logs, the local security policy of the device and the local network rules of the device, and protecting against network attacks.
CN201910870875.XA 2019-09-16 2019-09-16 System and method for realizing safe backtracking deep encryption controlled network link resource scheduling management Active CN110601889B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910870875.XA CN110601889B (en) 2019-09-16 2019-09-16 System and method for realizing safe backtracking deep encryption controlled network link resource scheduling management

Publications (2)

Publication Number Publication Date
CN110601889A CN110601889A (en) 2019-12-20
CN110601889B true CN110601889B (en) 2022-07-26

Family

ID=68859693

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111813774B (en) * 2020-05-18 2021-02-05 广州锦行网络科技有限公司 Method for monitoring and acquiring traceability information based on the sysdig system
CN112468449B (en) * 2020-11-06 2022-11-01 中国电子科技集团公司电子科学研究院 Method for optimizing and configuring backtracking security controlled network access channel resources
CN112383565B (en) * 2020-12-07 2022-05-10 珠海市鸿瑞信息技术股份有限公司 Anti-DoS attack system for IPSEC communication
CN112685446B (en) * 2020-12-31 2023-07-25 上海梦鱼信息科技有限公司 Complex SQL query method, device, processor and storage medium via an Elasticsearch database
CN114584386B (en) * 2022-03-11 2023-02-17 四川邦辰信息科技有限公司 Global multistage encryption network communication method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106549936A (en) * 2016-09-29 2017-03-29 北京知道未来信息技术有限公司 Scanner anti-source-tracing method and device based on multi-channel VPN load balancing
CN106899601A (en) * 2017-03-10 2017-06-27 北京华清信安科技有限公司 Network attack defense device and method based on cloud and local platforms

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10476891B2 (en) * 2015-07-21 2019-11-12 Attivo Networks Inc. Monitoring access of network darkspace
CN108965210A (en) * 2017-05-19 2018-12-07 南京骏腾信息技术有限公司 Security test platform based on scenario-type attack and defense simulation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant