CN111464516B - Safety network computer for effectively blocking attack from internal network system - Google Patents
- Publication number: CN111464516B (application CN202010205358.3A)
- Authority: CN (China)
- Prior art keywords: module, unit, information, output end, input end
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Abstract
The invention discloses a secure network computer for effectively blocking attacks from an internal network system. It comprises an internal network interface, a scanning unit, a data storage unit, a second data isolation unit, a first data isolation unit, a formatting unit, a control system unit and a virtual control system unit, and relates to the technical field of network computers. A file is passed by the information output module into the data temporary storage module of the data storage unit and then into the virtual control system unit for trial operation. When the trial detects no problem, the file is screened by the firewall module and stored in the information storage module; the second data isolation unit is then connected and the safe information is passed to the control system unit for use. Because detection is performed in a virtual system behind a one-way data connection, internal attacks can be effectively blocked.
Description
Technical Field
The invention relates to the technical field of network computers, in particular to a secure network computer which can effectively block attacks from an internal network system.
Background
As computer networks develop, the security of local area networks receives more and more attention. At present, border security of a local area network (mainly preventing unsafe factors from the wide area network) is generally handled by dedicated security equipment deployed in each local area network, which provides functions such as a firewall, internet behaviour analysis and internet behaviour management. This equipment monitors and controls the computers inside the local area network, covering both the internet activity of internal computers (internet monitoring) and internal behaviour and assets not related to internet access (intranet monitoring). With the rapid development of the internet, network use has become ever more common, so that the network and the internet are not only a communication bridge inside an enterprise but also an important channel for business transactions between the enterprise and the outside.
The security of the internal network and its data is crucial. The problem lies mainly in preventing attacks from both the internal network system and the external network system. Basic defence is usually provided by a hardware or software firewall, but a firewall can be breached as attack techniques develop and change.
Disclosure of Invention
(I) Technical problem to be solved
In view of the defects of the prior art, the invention provides a secure network computer for effectively blocking attacks from an internal network system. It addresses the problem that internal network and data security depends mainly on preventing attacks from the internal and external network systems, that basic defence is generally provided by a hardware or software firewall, and that such a firewall can be breached as attack techniques develop and change.
(II) Technical scheme
To achieve this purpose, the invention is realised by the following technical scheme. A secure network computer for effectively blocking attacks from an internal network system comprises an internal network interface, a scanning unit, a data storage unit, a second data isolation unit, a first data isolation unit, a formatting unit, a control system unit, a virtual control system unit, an information encryption output unit, an operation unit and a self-checking unit. The units are connected as follows: the output end of the internal network interface is connected to the input end of the scanning unit; the output end of the scanning unit is connected to the input end of the data storage unit; the output end of the data storage unit is connected to the input end of the first data isolation unit; the output end of the first data isolation unit is connected to the input end of the virtual control system unit; the output end of the virtual control system unit is connected to the input end of the operation unit; the output end of the operation unit is connected to the input end of the self-checking unit; the output end of the self-checking unit is connected to the input end of the formatting unit; the output end of the formatting unit is connected to the input ends of both the first data isolation unit and the data storage unit; the output end of the data storage unit is also connected to the input end of the second data isolation unit; the output end of the second data isolation unit is connected to the input end of the control system unit; and the output end of the control system unit is connected to the input end of the information encryption output unit.
Preferably, the scanning unit comprises an information receiving module, a search-and-kill recording module, an information scanning module, a hazard search-and-kill module and an information output module.
Preferably, the output end of the information receiving module is connected to the input end of the information scanning module, the output end of the information scanning module is connected to the input end of the hazard search-and-kill module, the output end of the hazard search-and-kill module is connected to the input end of the information output module, and the output end of the information scanning module is also connected to the input end of the search-and-kill recording module.
Preferably, the data storage unit comprises a data temporary storage module, a partition module, a firewall module and an information storage module.
Preferably, the output end of the data temporary storage module is connected to the input end of the partition module, the output end of the partition module is connected to the input end of the firewall module, and the output end of the firewall module is connected to the input end of the information storage module.
Preferably, the information encryption output unit comprises an information conversion module, an information encryption module, an encryption database and an encrypted information sending module.
Preferably, the output end of the information conversion module is connected to the input end of the information encryption module, the output end of the information encryption module is connected to the input end of the encrypted information sending module, and the output end of the encryption database is connected to the input end of the information encryption module.
Preferably, the operation unit comprises a file reading module and a file operation module, and the output end of the file reading module is connected to the input end of the file operation module.
(III) Advantageous effects
The invention provides a secure network computer that effectively blocks attacks from an internal network system. Compared with the prior art, it has the following beneficial effects:
(1) The internal network interface, scanning unit, data storage unit, first data isolation unit, virtual control system unit, operation unit, self-checking unit and formatting unit are connected in series in that order, with the output of the formatting unit fed back to the first data isolation unit and the data storage unit; the data storage unit also feeds the second data isolation unit, which feeds the control system unit, which in turn feeds the information encryption output unit. In operation, a file is passed by the information output module into the data temporary storage module of the data storage unit and then into the virtual control system unit for trial operation. When the trial detects no problem, the file is screened by the firewall module and stored in the information storage module; the second data isolation unit is then connected and the safe information is passed to the control system unit for use. Because detection takes place in a virtual system behind a one-way data connection, internal attacks can be effectively prevented.
(2) The scanning unit comprises an information receiving module, a search-and-kill recording module, an information scanning module, a hazard search-and-kill module and an information output module. The output end of the information receiving module is connected to the input end of the information scanning module, the output end of the information scanning module is connected to the input end of the hazard search-and-kill module and to the input end of the search-and-kill recording module, and the output end of the hazard search-and-kill module is connected to the input end of the information output module. Information from the computer arrives through the internal network interface, is received by the information receiving module and is scanned by the information scanning module; the potential hazards found by the scan are removed by the hazard search-and-kill module and recorded by the search-and-kill recording module. The cleaned files are passed by the information output module into the data temporary storage module of the data storage unit, where the checked information and files are held temporarily and are only passed on to the database after being verified.
(3) The data temporary storage module, partition module, firewall module and information storage module are connected in series in that order. The staged file is run by the file operation module, after which the self-checking unit checks the virtual control system unit. When the check finds a security hazard, the information held in the data temporary storage module of the data storage unit is formatted by the formatting unit and the data path is cut off by the first data isolation unit. Because isolated files and information are formatted whenever a problem is detected, the protection is more thorough.
Drawings
FIG. 1 is a schematic block diagram of the system of the present invention;
FIG. 2 is a schematic block diagram of the scanning unit of the present invention;
FIG. 3 is a schematic block diagram of the data storage unit of the present invention;
FIG. 4 is a schematic block diagram of the information encryption output unit of the present invention;
FIG. 5 is a schematic block diagram of the operation unit of the present invention.
In the figures: 1-internal network interface, 2-scanning unit, 3-data storage unit, 4-second data isolation unit, 5-first data isolation unit, 6-formatting unit, 7-control system unit, 8-virtual control system unit, 9-information encryption output unit, 10-operation unit, 11-self-checking unit, 21-information receiving module, 22-search-and-kill recording module, 23-information scanning module, 24-hazard search-and-kill module, 25-information output module, 31-data temporary storage module, 32-partition module, 33-firewall module, 34-information storage module, 91-information conversion module, 92-information encryption module, 93-encryption database, 94-encrypted information sending module, 101-file reading module, 102-file operation module.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to FIGS. 1 to 5, an embodiment of the invention provides the following technical solution. A secure network computer for effectively blocking attacks from an internal network system comprises an internal network interface 1, a scanning unit 2, a data storage unit 3, a second data isolation unit 4, a first data isolation unit 5, a formatting unit 6, a control system unit 7, a virtual control system unit 8, an information encryption output unit 9, an operation unit 10 and a self-checking unit 11.
The scanning unit 2 comprises an information receiving module 21, a search-and-kill recording module 22, an information scanning module 23, a hazard search-and-kill module 24 and an information output module 25. The output end of the information receiving module 21 is connected to the input end of the information scanning module 23, the output end of the information scanning module 23 is connected to the input end of the hazard search-and-kill module 24 and to the input end of the search-and-kill recording module 22, and the output end of the hazard search-and-kill module 24 is connected to the input end of the information output module 25. Information from the computer is transmitted through the internal network interface 1 and received by the information receiving module 21; the information scanning module 23 scans it for security hazards, the hazard search-and-kill module 24 removes the hazards found, and the search-and-kill recording module 22 records them. The cleaned files are passed by the information output module 25 into the data temporary storage module 31 of the data storage unit 3, where the checked information and files are held temporarily and are only passed on to the database after being verified.
The data storage unit 3 comprises a data temporary storage module 31, a partition module 32, a firewall module 33 and an information storage module 34; the output end of the data temporary storage module 31 is connected to the input end of the partition module 32, the output end of the partition module 32 is connected to the input end of the firewall module 33, and the output end of the firewall module 33 is connected to the input end of the information storage module 34.
The information encryption output unit 9 comprises an information conversion module 91, an information encryption module 92, an encryption database 93 and an encrypted information sending module 94; the output end of the information conversion module 91 is connected to the input end of the information encryption module 92, the output end of the encryption database 93 is also connected to the input end of the information encryption module 92, and the output end of the information encryption module 92 is connected to the input end of the encrypted information sending module 94.
The operation unit 10 comprises a file reading module 101 and a file operation module 102, the output end of the file reading module 101 being connected to the input end of the file operation module 102.
At unit level, the output end of the internal network interface 1 is connected to the input end of the scanning unit 2; the output end of the scanning unit 2 is connected to the input end of the data storage unit 3; the output end of the data storage unit 3 is connected to the input end of the first data isolation unit 5; the output end of the first data isolation unit 5 is connected to the input end of the virtual control system unit 8; the output end of the virtual control system unit 8 is connected to the input end of the operation unit 10; the output end of the operation unit 10 is connected to the input end of the self-checking unit 11; the output end of the self-checking unit 11 is connected to the input end of the formatting unit 6; the output end of the formatting unit 6 is connected to the input ends of both the first data isolation unit 5 and the data storage unit 3; the output end of the data storage unit 3 is also connected to the input end of the second data isolation unit 4; the output end of the second data isolation unit 4 is connected to the input end of the control system unit 7; and the output end of the control system unit 7 is connected to the input end of the information encryption output unit 9.
A file is passed by the information output module 25 into the data temporary storage module 31 of the data storage unit 3 and then into the virtual control system unit 8 for trial operation. The file is read by the file reading module 101 and run by the file operation module 102; after the run, the self-checking unit 11 checks the virtual control system unit 8. When the check finds a security hazard, the information held in the data temporary storage module 31 of the data storage unit 3 is formatted by the formatting unit 6 and the data path is cut off by the first data isolation unit 5; because isolated files and information are formatted whenever a problem is detected, the protection is more thorough. When the trial detects no problem, the information is screened by the firewall module 33 and stored in the information storage module 34; the second data isolation unit 4 is then connected and the safe information is passed to the control system unit 7 for use. Because detection is performed in a virtual system behind a one-way data connection, internal attacks can be effectively prevented.
In use, information from the computer is transmitted through the internal network interface 1 and received by the information receiving module 21 in the scanning unit 2. The information scanning module 23 scans it for security hazards, the hazard search-and-kill module 24 removes the hazards found, and the search-and-kill recording module 22 records them. The cleaned file is passed by the information output module 25 into the data temporary storage module 31 of the data storage unit 3. It is then read by the file reading module 101 of the operation unit 10 inside the virtual control system unit 8 and run by the file operation module 102, after which the self-checking unit 11 checks the virtual control system unit 8 that performed the run. If the check finds a security hazard, the information held in the data temporary storage module 31 of the data storage unit 3 is formatted by the formatting unit 6 and the data path is cut off by the first data isolation unit 5. If the run shows no problem, the information is screened by the firewall module 33 and stored in the information storage module 34; the second data isolation unit 4 is then connected and the safe information is passed to the control system unit 7 for use.
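As an added worked example, not code from the patent or its applicant, the following Python sketch models the control flow described above: a staged file is scanned, copied one way into a throwaway sandbox standing in for the virtual control system unit 8, run there, and the sandbox is then compared against a hash baseline by the self-check; a change outside the permitted output area wipes the staged copy (the formatting unit 6), while a clean run passes a firewall screen into storage. The signature table, the sandbox layout, the sample "files", the permitted output area and the size-based firewall rule are all constructed for this example; the patent specifies none of them.

```python
"""Added illustration (not code from the patent): a minimal model of the staged
pipeline above: scan, stage, one-way copy into an isolated virtual system, trial
run, self-check, then format (wipe) or promote through a firewall screen.
Assumed here: a "file" is a callable acting on a sandbox directory, the scan is
a byte-signature match, the self-check is a SHA-256 baseline diff of the tree."""
import hashlib
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Callable, Dict, List

# Constructed signature table standing in for the scanning module's database.
SIGNATURES = {b"EXAMPLE-MALWARE-MARKER": "example-marker"}

@dataclass
class Sample:
    name: str
    payload: bytes
    run: Callable[[str], None]  # what the "trial operation" does inside the sandbox

def snapshot(root: str) -> Dict[str, str]:
    """SHA-256 of every file under root, keyed by '/'-separated relative path."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def self_check(before: Dict[str, str], after: Dict[str, str],
               allowed_prefix: str = "out/") -> List[str]:
    """Self-checking unit: a file added, removed or changed outside the allowed output area is a hazard."""
    changed = [p for p in set(before) | set(after) if before.get(p) != after.get(p)]
    return sorted(p for p in changed if not p.startswith(allowed_prefix))

@dataclass
class Pipeline:
    staging: Dict[str, Sample] = field(default_factory=dict)  # data temporary storage
    store: Dict[str, bytes] = field(default_factory=dict)     # information storage
    kill_log: List[str] = field(default_factory=list)         # search-and-kill record

    def scan(self, sample: Sample) -> bool:
        """Scanning unit: kill and record on a signature hit, otherwise stage."""
        for sig, label in SIGNATURES.items():
            if sig in sample.payload:
                self.kill_log.append(f"{sample.name}: killed ({label})")
                return False
        self.staging[sample.name] = sample
        return True

    def trial_run(self, sample: Sample) -> List[str]:
        """First isolation + virtual control system + operation + self-check. The sample
        only receives a path inside a throwaway sandbox, so nothing flows back (one-way)."""
        sandbox = tempfile.mkdtemp(prefix="vcs_")
        try:
            Path(sandbox, "etc").mkdir()  # constructed baseline image of the virtual system
            Path(sandbox, "out").mkdir()
            Path(sandbox, "etc", "hosts").write_text("127.0.0.1 localhost\n")
            before = snapshot(sandbox)
            sample.run(sandbox)
            hazards = self_check(before, snapshot(sandbox))
        finally:
            shutil.rmtree(sandbox, ignore_errors=True)  # sandbox is always discarded
        if hazards:  # formatting unit: wipe the staged copy, nothing reaches storage
            self.staging.pop(sample.name, None)
            self.kill_log.append(f"{sample.name}: formatted after self-check {hazards}")
        return hazards

    def process(self, sample: Sample, firewall: Callable[[Sample], bool]) -> str:
        """Scan -> stage -> trial run -> firewall screen -> storage."""
        if not self.scan(sample):
            return "killed"
        if self.trial_run(sample):
            return "formatted"
        staged = self.staging.pop(sample.name)
        if not firewall(staged):
            self.kill_log.append(f"{sample.name}: rejected by firewall")
            return "rejected"
        self.store[sample.name] = staged.payload  # second isolation connected
        return "stored"

# Constructed samples: well behaved, tampering with a system file, known signature.
def benign_run(sandbox: str) -> None:  # writes only inside its allowed output area
    Path(sandbox, "out", "report.txt").write_text("ok\n")

def tampering_run(sandbox: str) -> None:  # appends to a system file: caught by the self-check
    with Path(sandbox, "etc", "hosts").open("a") as fh:
        fh.write("10.0.0.1 update.example\n")

SAMPLES = [
    Sample("report.bin", b"plain document", benign_run),
    Sample("dropper.bin", b"looks harmless", tampering_run),
    Sample("known.bin", b"xx EXAMPLE-MALWARE-MARKER xx", benign_run),
]

def size_firewall(sample: Sample) -> bool:
    return len(sample.payload) < 1024  # constructed screening rule

def demo():
    p = Pipeline()
    results = {s.name: p.process(s, size_firewall) for s in SAMPLES}
    return results, sorted(p.store), p.kill_log
```

Calling `demo()` returns the verdict for each sample, the names held in the information store and the search-and-kill record. The property the patent attributes to its one-way data connection is carried by `trial_run`: the sample only ever sees the sandbox path, the sandbox is discarded whatever the verdict, and a hazard found by the self-check removes the staged copy before anything can be promoted, so trial execution has no path back into staging or storage.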
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.
Claims (8)
1. A secure network computer for effectively blocking attacks from an internal network system, comprising an internal network interface (1), a scanning unit (2), a data storage unit (3), a second data isolation unit (4), a first data isolation unit (5), a formatting unit (6), a control system unit (7), a virtual control system unit (8), an information encryption output unit (9), an operation unit (10) and a self-checking unit (11), characterized in that: the output end of the internal network interface (1) is connected to the input end of the scanning unit (2); the output end of the scanning unit (2) is connected to the input end of the data storage unit (3); the output end of the data storage unit (3) is connected to the input end of the first data isolation unit (5); the output end of the first data isolation unit (5) is connected to the input end of the virtual control system unit (8); the output end of the virtual control system unit (8) is connected to the input end of the operation unit (10); the output end of the operation unit (10) is connected to the input end of the self-checking unit (11); the output end of the self-checking unit (11) is connected to the input end of the formatting unit (6); the output end of the formatting unit (6) is connected to the input ends of both the first data isolation unit (5) and the data storage unit (3); the output end of the data storage unit (3) is also connected to the input end of the second data isolation unit (4); the output end of the second data isolation unit (4) is connected to the input end of the control system unit (7); and the output end of the control system unit (7) is connected to the input end of the information encryption output unit (9).
2. The secure network computer for effectively blocking attacks from an internal network system according to claim 1, wherein the scanning unit (2) comprises an information receiving module (21), a search-and-kill recording module (22), an information scanning module (23), a hazard search-and-kill module (24) and an information output module (25).
3. The secure network computer for effectively blocking attacks from an internal network system according to claim 2, wherein the output end of the information receiving module (21) is connected to the input end of the information scanning module (23), the output end of the information scanning module (23) is connected to the input end of the hazard search-and-kill module (24), the output end of the hazard search-and-kill module (24) is connected to the input end of the information output module (25), and the output end of the information scanning module (23) is also connected to the input end of the search-and-kill recording module (22).
4. The secure network computer for effectively blocking attacks from an internal network system according to claim 1, wherein the data storage unit (3) comprises a data temporary storage module (31), a partition module (32), a firewall module (33) and an information storage module (34).
5. The secure network computer for effectively blocking attacks from an internal network system according to claim 4, wherein the output end of the data temporary storage module (31) is connected to the input end of the partition module (32), the output end of the partition module (32) is connected to the input end of the firewall module (33), and the output end of the firewall module (33) is connected to the input end of the information storage module (34).
6. The secure network computer for effectively blocking attacks from an internal network system according to claim 1, wherein the information encryption output unit (9) comprises an information conversion module (91), an information encryption module (92), an encryption database (93) and an encrypted information sending module (94).
7. The secure network computer for effectively blocking attacks from an internal network system according to claim 6, wherein the output end of the information conversion module (91) is connected to the input end of the information encryption module (92), the output end of the information encryption module (92) is connected to the input end of the encrypted information sending module (94), and the output end of the encryption database (93) is connected to the input end of the information encryption module (92).
8. The secure network computer for effectively blocking attacks from an internal network system according to claim 1, wherein the operation unit (10) comprises a file reading module (101) and a file operation module (102), and the output end of the file reading module (101) is connected to the input end of the file operation module (102).
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010205358.3A CN111464516B (en) | 2020-03-23 | 2020-03-23 | Safety network computer for effectively blocking attack from internal network system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111464516A CN111464516A (en) | 2020-07-28 |
CN111464516B true CN111464516B (en) | 2021-12-03 |
Family
ID=71682916
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010205358.3A Active CN111464516B (en) | 2020-03-23 | 2020-03-23 | Safety network computer for effectively blocking attack from internal network system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111464516B (en) |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1690960A (en) * | 2004-04-21 | 2005-11-02 | 中国长城计算机深圳股份有限公司 | Safety network computer |
CN110557251B (en) * | 2019-09-27 | 2022-07-22 | 武汉控安融科技有限公司 | Industrial data safety isolation acquisition system and internal and external network data one-way transmission method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |