CN111711615A - Knowledge base information synchronization system and method for edge security computing node - Google Patents
- Publication number: CN111711615A (application CN202010471748.5A)
- Authority: CN (China)
- Prior art keywords: data, data packet, knowledge base, module, information
- Legal status: Granted
Classifications
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- G06F16/2365—Ensuring data consistency and integrity (G06F16/23 Updating)
- G06F16/27—Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
- G06F9/5072—Grid computing (G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU])
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/12—Applying verification of the received information
Abstract
The invention discloses a knowledge base information synchronization system and method for edge security computing nodes. The system comprises an extranet node, an external processing unit, an isolation forwarding area, an internal processing unit and an intranet node. The extranet node detects changes in the knowledge base, starts synchronous scheduling and sends the information that needs to be synchronized to the external processing unit. The external processing unit decomposes the received TCP/IP protocol packets and repackages them as special protocol packets; the isolation forwarding area, connected in turn to the external processing unit and the internal processing unit, forwards the special protocol packets to the internal processing unit; the internal processing unit repackages the special protocol packets as TCP/IP protocol packets and forwards them to the intranet node. The intranet node processes the packets to obtain the knowledge base synchronization data and synchronizes its local knowledge base according to the synchronization strategy. The invention can also handle the synchronization of knowledge base information where the networks are not physically isolated.
Description
Technical Field
The invention belongs to the field of network isolation and relates to a knowledge base information synchronization system and method for edge security computing nodes: a method for synchronizing information such as the knowledge base of a security defense facility and a virus base into an isolated core network (such as the manufacturing bus network of an industrial control production network) without breaking the protection of the existing isolated network (such as an industrial control production network or a military network).
Background
With the development and application of edge computing, higher requirements are placed on the data security and network security of edge computing nodes. Against the background of isolated networks, synchronizing the databases of edge computing nodes, especially security defense knowledge bases and virus bases, has also become a research hotspot. To solve the problem that the knowledge base of an internal node in an isolated core network cannot directly synchronize with extranet data in an edge computing network, the invention provides a stable and reliable knowledge base information synchronization method for edge security computing nodes based on network isolation technology.
Network isolation technology is a network security technology embodying a brand-new protection and prevention concept that arose from the appearance of novel network attack means and the special security requirements of high-security networks. Its aim is to isolate harmful attacks and to complete the secure exchange of data between networks outside the trusted network, on the premise that the information inside the trusted network is not leaked. The core of network isolation is physical isolation, one characteristic of which is that the intranet and the extranet are never connected to each other: at any moment, at most one of them holds a non-TCP/IP data connection to the isolation device. Alongside physical isolation, that is, strong isolation, there is weak isolation, represented by the firewall, which uses access control and packet filtering to manage the forwarding, acceptance and discarding of packets, keeping the internal and external networks able to communicate while protecting the security of the internal network.
Network isolation technology has developed to the point where enterprises, groups and individuals at home and abroad have achieved substantial results. The e-GAP of Whale company comprises three components, an isolation server, a data cache region and an isolation switch, and adopts a real-time exchange technology, giving it strong functionality. The isolation design of Spearhead's NETGAP is based on a bus technology; although the two networks are directly connected, its double-switch structure can control the link-layer connection between them. In China, the X-GAP of Zhongxing company, the TopWalkGAP of Tianxingan company and the SIS-3002 of associative network domain are relatively mature network isolation products.
In addition, the papers "Data synchronization method based on physical isolation in mobile application" and "Research and application of database synchronization technology in network isolation environment" discuss methods for implementing database synchronization in a network isolation environment: the former uses a proxy server and a proxy database as the isolation region, first synchronizing the proxy database with the source database and then synchronizing the target database with the proxy database; the latter proposes an equivalent SQL statement method to achieve synchronization under isolation conditions. The paper "Design and implementation of multi-protocol industrial network security isolation device" studies the synchronization of an Oracle database and of the Modbus protocol across a one-way isolation state and verifies the synchronization logic of both.
Disclosure of Invention
Aiming at the problem of updating and synchronizing the databases of existing edge security computing node systems, a system and method for synchronizing the knowledge base information of an edge security computing node are provided, combining current technology with the actual situation. Because the network security requirements of each node differ between scenarios, the isolation conditions between the internal and external networks are not all the same. The method should therefore cover the synchronization of security-related databases, such as the security defense knowledge base and the virus base, in the edge computing node under both 'strong isolation' and 'weak isolation' conditions. Under strong isolation, secure data transmission is mainly realized through a data ferry technology; under weak isolation, data transmission between the internal and external networks is mainly monitored through firewall technology, with data packets screened and filtered to guarantee the security of the internal network.
To achieve the above purpose, the following technical solution is mainly adopted: a knowledge base information synchronization system for an edge security computing node comprises an extranet node, an intranet node and a data ferry area arranged between them, wherein the intranet node synchronizes the change data of the extranet node, and the data ferry area comprises:
the external processing unit, which monitors a network service port, receives data packets over the TCP/IP protocol, checks every received packet against the filtering rules in the security policy module, classifies and processes the various packets, and reconstructs them; the synchronous update data sent by the extranet knowledge base to the intranet database is encapsulated in these packets;
the data isolation forwarding module, which isolates and transfers the packets coming from the extranet node;
the internal processing unit, which reconstructs the packets received from the data isolation forwarding module and forwards them to the intranet node;
the security policy module, in which the data filtering rules and the access control policy are prestored;
and the knowledge base update policy base, which stores the data and the synchronization logs of the synchronization process.
The intranet node includes:
the data processing module, which obtains the knowledge base information that needs to be updated from the knowledge base update policy base;
and the intranet knowledge base, which updates itself according to the knowledge base update policy base and the received knowledge base update information.
The extranet node comprises:
the extranet knowledge base, which provides the knowledge base synchronization information;
the change monitoring module, which periodically monitors whether the data of the intranet knowledge base is consistent with that of the extranet knowledge base; if so, monitoring continues, and if not, the synchronous scheduling module is started;
and the synchronous scheduling module, which schedules the synchronization program, reads the synchronization configuration information of the knowledge base, filters the data, packages the data table to be synchronized using the TCP/IP protocol, encrypts and signs the information, and sends it to the external processing unit.
The external processing unit includes:
the data receiving port, which monitors the network service port and receives data packets over the TCP/IP protocol;
the packet filtering module, which checks every received packet against the filtering rules in the security policy module and divides the packets into three classes according to the data filtering rules: strong isolation environment packets are forwarded to the data packet analysis module; weak isolation packets undergo identity authentication and, after access control, are forwarded to the data forwarding port of the external processing unit; packets of the third class, which are neither, are discarded directly;
and the data packet analysis module, which strips the TCP/IP protocol header from the packets processed by the packet filtering module, checks the security of the data field, generates a new message authentication stamp and reconstructs the packet according to the security special protocol.
The data isolation forwarding module comprises:
the isolation area storage medium, which serves as a transfer station that receives, and then forwards, packets in the special protocol format;
and the isolation area switch control module, which controls the connection between the isolation area storage medium and the intranet node or the extranet node according to the specific content of the forwarding request, so that the receiving of data and the forwarding of data are kept separate.
The internal processing unit includes:
the data packet repackaging module, which decomposes the special protocol packet, verifies the integrity of the data field and then reconstructs the packet received from the data isolation forwarding module;
and the data forwarding port, which forwards the packet reconstructed by the data packet repackaging module to the intranet node.
The data of the synchronization process comprises intranet data, extranet data and timestamp data and is used for handling conflicts; the synchronization log records each data synchronization event, including the synchronization time and a profile of the synchronized data.
The intranet node may also read and write the security policy module and the knowledge base update policy base, whereas the extranet node, the external processing unit, the data isolation forwarding module and the internal processing unit may only read them.
The invention also provides a synchronization method for the knowledge base information synchronization system of the edge security computing node, comprising the following steps:
s1: the change monitoring module of the extranet node periodically senses whether the information of the intranet knowledge base is consistent with the data of the extranet knowledge base; if so, monitoring continues, and if not, the synchronous scheduling module is started;
s2: the synchronous scheduling module, once its scheduling program is started, reads the knowledge base data configuration information of the extranet node;
s3: the extranet knowledge base is filtered according to the knowledge base data configuration information and the data filtering rules; the filtered data that needs to be synchronized is packaged, encrypted and signed, and sent over the TCP/IP protocol to the data receiving port of the external processing unit;
s4: the data receiving port continuously monitors the network service port and checks for TCP/IP connection requests; when a request arrives it establishes a TCP/IP connection with the extranet node, receives the packets sent by the extranet node and forwards the data to the packet filtering module;
s5: the packet filtering module checks the IP addresses, ports and protocol information of the packets and divides them into three classes according to the data filtering rules: strong isolation environment packets are forwarded to the data packet analysis module; weak isolation packets undergo identity authentication and, after access control, are forwarded to the data forwarding port; packets of the third class, which are neither, are discarded directly;
s6: after receiving a packet, the data packet analysis module first checks that the packet is complete and error-free, then checks that the port number is correct; if either check fails the packet is discarded, and if both succeed the TCP/IP protocol header information and the carried data field are extracted separately. The security of the data field is then checked through content inspection: viruses are scanned for and removed, the file type is controlled, and data with potential security hazards is discarded. Next, a message digest of the data field is computed with the MD5 algorithm and encrypted to obtain a digest ciphertext. The key information obtained from the TCP/IP header and the digest ciphertext obtained by the message authentication module are repackaged and encapsulated according to the rules of the special transmission protocol to obtain a special protocol packet, which is sent to the isolation area storage medium. The key information comprises the source IP address, destination IP address, source port number, destination port number, message type, data field length and data field;
s7: after receiving the special protocol packet, the isolation area storage medium uses the isolation area switch to disconnect from the extranet, establishes a connection with the intranet, and forwards the special protocol packet to the data packet repackaging module;
s8: the repackaging module first decomposes the special protocol packet and extracts the key information from the packet header together with the transmitted data field; it then decrypts the digest ciphertext obtained by the special protocol decomposition module, computes the message digest of the data field with the MD5 algorithm and verifies the message by comparing the two; it verifies the signature information and compares the information checksums; for data that passes verification, it reconstructs a TCP/IP protocol packet from the key information obtained from the header of the special protocol packet;
s9: the data forwarding port forwards the received TCP/IP packet to the data processing module of the intranet node;
s10: the data processing module processes the TCP/IP packet to obtain the knowledge base information that needs to be updated;
s11: the intranet knowledge base is synchronized according to the knowledge base update policy base and the received knowledge base update table, and the synchronization process is then written to the knowledge base update policy base as a log.
The knowledge base data configuration information comprises whether synchronization is enabled, the synchronization operation and the synchronization method.
Compared with the prior art, the invention has the following beneficial effects:
first, under both strong and weak isolation network conditions, the problem of synchronizing the information of the intranet knowledge base can be solved by the same data ferry area device;
second, change monitoring relies on the update log information of the intranet rather than inspecting the intranet knowledge base itself, which simplifies the monitoring process; and because the policy base is located in the data ferry area, internal nodes of the isolation area can modify its content directly while external nodes have only read permission.
Drawings
Fig. 1 is an architecture diagram of a synchronization system according to an embodiment of the present invention.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings.
As shown in fig. 1, the system of the present invention mainly comprises the following components:
the extranet knowledge base: provides the knowledge base synchronization information;
the change monitoring module: monitors whether the data of the intranet and extranet knowledge bases are consistent and whether the knowledge bases need to be synchronized;
the synchronous scheduling module: invokes the synchronization program, reads the synchronization configuration information of the extranet knowledge base, filters the data, packages the data table to be synchronized using the TCP/IP protocol, encrypts and signs the data packet, the signing information including the update information, the identity of the personnel approving the synchronization and the like, and sends the packet;
the data receiving port: monitors the network service port and receives data packets over the TCP/IP protocol;
the security policy module: contains the packet filtering rules, access control and the like;
the packet filtering module: checks every received packet against the filtering rules in the security policy and classifies and processes the various packets according to those rules;
the data packet analysis module: consists of a TCP/IP protocol decomposition module, a content inspection module, a data authentication information generation module and a security special protocol encapsulation module; its main functions are stripping the TCP/IP protocol header from a packet, inspecting the security of the data field, generating a new message authentication stamp and reconstructing the packet according to the security special protocol;
the data isolation forwarding module: consists of the isolation area storage medium and the isolation area switch control; the former serves as a transfer station that receives, and then forwards, packets in the special protocol format, and the latter controls the connection between the storage medium and the intranet or the extranet according to the specific content of the forwarding request, keeping the two processes of receiving and forwarding data separate;
the data packet repackaging module: divided into a security special protocol decomposition module, a data authentication message verification module and a TCP/IP protocol module; it decomposes the special protocol packet, verifies the integrity of the data field and the correctness of the signature, and then reconstructs the TCP/IP packet;
the data forwarding port: forwards the received TCP/IP packet to the intranet;
the data processing module: processes the TCP/IP packet to obtain the knowledge base information that needs to be updated;
the knowledge base update policy base: holds the data of the synchronization process, comprising intranet data, extranet data, timestamps and the like, which is mainly used for handling conflicts, together with the synchronization log, which records the details of each data synchronization, including the synchronization time and a profile of the synchronized data;
the intranet knowledge base: updates itself according to the knowledge base update policy base and the received knowledge base update information.
The extranet knowledge base, the change monitoring module and the synchronous scheduling module are the main components of the extranet node. The data ferry area is divided into the external processing unit, the isolation forwarding area and the internal processing unit: the external processing unit comprises the data receiving port, the security policy, the knowledge base update policy base, the packet filtering module and the data packet analysis module, and the internal processing unit comprises the data packet repackaging module and the data forwarding port. The intranet node comprises the data processing module and the intranet knowledge base. The security policy and the knowledge base update policy base are set in advance and are updated as forwarding proceeds.
In the invention, the security special protocol is designed according to the forwarding requirements and is used only during the isolated transmission process. To keep the hardware forwarding process of the isolation area safe and reliable, each packet must carry, in addition to the transmitted data field, at least the source IP, the destination IP, the source port, the destination port, the data length and the authentication information of the data section.
In the above method for synchronizing the information of the edge security computing node knowledge base, the key to synchronizing the data of the intranet and the extranet is the secure transmission of data using network isolation technology, and the implementation mainly comprises the following steps:
s1: the change monitoring module of the extranet node periodically senses whether the information of the intranet knowledge base is consistent with the data of the extranet knowledge base; if so, monitoring continues, and if not, the synchronous scheduling module is started;
s2: the synchronous scheduling module, once its scheduling program is started, reads the knowledge base data configuration information of the extranet node;
s3: the extranet knowledge base is filtered according to the knowledge base data configuration information and the data filtering rules; the data that needs to be synchronized after filtering is then packaged, encrypted and signed, and sent over the TCP/IP protocol to the data receiving port of the external processing unit;
s4: the data receiving port continuously monitors the network service port and checks for TCP/IP connection requests; when a request arrives it establishes a TCP/IP connection with the extranet node, receives the packets sent by the extranet node and forwards the data to the packet filtering module;
s5: the packet filtering module checks the IP addresses, ports and protocol information of the packets and divides them into three classes according to the data filtering rules: strong isolation environment packets are forwarded to the data packet analysis module; weak isolation packets undergo identity authentication and, after access control, are forwarded to the data forwarding port; packets of the third class, which are neither, are discarded directly;
s6: after receiving a packet, the data packet analysis module first checks that the packet is complete and error-free, then checks that the port number is correct; if either check fails the packet is discarded, and if both succeed the TCP/IP protocol header information and the carried data field are extracted separately. The security of the data field is then checked through content inspection: viruses are scanned for and removed, the file type is controlled, and data with potential security hazards is discarded. Next, a message digest of the data field is computed with the MD5 algorithm and encrypted to obtain a digest ciphertext. The signature information is then verified; if it is incorrect the anomaly is recorded, and if it is correct the following steps are performed. The key information obtained from the TCP/IP header and the digest ciphertext obtained by the message authentication module are repackaged and encapsulated according to the rules of the special transmission protocol to obtain a special protocol packet, which is sent to the isolation area storage medium. The key information comprises the source IP address, destination IP address, source port number, destination port number, message type, data field length and data field;
s7: after receiving the special protocol packet, the isolation area storage medium uses the isolation area switch to disconnect from the extranet, establishes a connection with the intranet, and forwards the special protocol packet to the data packet repackaging module;
s8: the repackaging module first decomposes the special protocol packet and extracts the key information from the packet header together with the transmitted data field; it then decrypts the digest ciphertext obtained by the special protocol decomposition module, computes the message digest of the data field with the MD5 algorithm and verifies the message by comparing the two; it verifies that the signature information matches; for data that passes verification, it reconstructs a TCP/IP protocol packet from the key information obtained from the header of the special protocol packet;
s9: the data forwarding port forwards the received TCP/IP data packet to a data processing module of the intranet node;
s10: the data processing module processes the TCP/IP data packet to obtain knowledge base information needing to be updated;
s11: and carrying out synchronous operation on the internal network knowledge base according to the knowledge base updating strategy base and the received knowledge base updating table, and then updating the synchronous process into the knowledge base updating strategy base in a log mode.
The following describes specific embodiments of the method:
First, system deployment: before the knowledge base is synchronized, all the modules required by each part must be built. The knowledge base in the external network, which comprises a vulnerability base, a patch base and the like, is also provided with a knowledge base change monitoring and synchronous scheduling program, so the update method and policy need to be specified in advance. In the data ferry area, the filtering rules and access control policies are entered into the security policy module in advance, a suitable secure special protocol is designed for the isolation hardware transmission, and the network listening port in the data receiving module is kept in the listening state. The knowledge base update policy base in the intranet node also needs to be set up in advance. The initialization procedure is as follows:
1. Start the knowledge base change detection program; it runs at regular intervals and checks the update status of the intranet knowledge base log;
2. The external processing unit of the isolation area listens on its port and continuously checks for TCP/IP connection requests;
3. The data processing module of the intranet node listens on its port and continuously checks for TCP/IP connection requests;
The system then waits until the change detection program detects a data change, at which point the whole synchronization phase starts.
Second, synchronization of knowledge bases:
1. Knowledge base synchronization stage: during synchronization, the corresponding processing actions (addition, modification, deletion and so on) are carried out according to the received synchronization table; if a data conflict is encountered, the original data is modified or kept according to the historical synchronization process data recorded in the policy base;
2. Updating the knowledge base update policy base: after the knowledge bases are synchronized, the knowledge base update policy base is updated with the synchronization process. Besides the initialization data, the data of each completed synchronization process (including intranet and extranet data, timestamps and the like) and the details of each data synchronization recorded in the synchronization log (including the synchronization time and a profile of the synchronized data) are added to the update policy base.
3. Detecting knowledge base changes: a verification message is sent periodically to query the update log of the knowledge base; it is compared with the update log of the local knowledge base, and the comparison result decides whether synchronous scheduling of the knowledge base is started;
Third, the security policy library:
The filtering rules and access control policies in the security policy library can only be added, changed and deleted by the intranet node. A filtering rule has the form <source IP, source port, destination IP, destination port, protocol type, processing mode>, and the processing mode is one of two kinds: the strong isolation mode, in which the packet is forwarded to the data packet analysis module, and the weak isolation mode, in which the data is forwarded to the data processing module. If no corresponding processing mode can be found, the data packet is discarded.
Fourth, the working stage of the data ferry area:
1. The external processing unit, listening on its port, receives a connection request, establishes the TCP/IP connection and forwards the subsequent TCP/IP protocol data packets to the next module;
2. After receiving a TCP/IP protocol data packet, the data analysis module first verifies the packet, then runs the protocol header stripping and key data extraction program, then performs the security test on the data field, generates the message authentication stamp, verifies the signature information, and finally runs the special protocol encapsulation program to encapsulate the data field again;
3. The data ferry area receives the transmitted information from the data analysis module; it first connects the isolation hardware to the external processing unit, and after all data packets have been obtained it disconnects from the external processing unit, establishes the connection with the internal processing unit and forwards the data packets;
4. The data packet repackaging module receives the secure special protocol data, decomposes the packet, verifies the correctness and integrity of the data field, repackages an error-free data field into a TCP/IP protocol data packet and forwards it to the intranet.
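The following is an added example, not code from the patent: a minimal Python model of the ferry path described in steps S5, S6 and S8 above, using the filtering rule form <source IP, source port, destination IP, destination port, protocol type, processing mode> from the security policy library section. The special protocol frame layout, the wildcard "*", the sample rules and the key are all constructed assumptions, and the MD5-digest-then-encrypt step of S6 is replaced by an HMAC-SHA256 stamp over the key information and data field.

```python
import hashlib
import hmac
import ipaddress
import struct

STRONG, WEAK, DROP = "strong", "weak", "drop"

# Security policy library contents (constructed sample rules, not from the patent):
# <source IP, source port, destination IP, destination port, protocol type, processing mode>.
# "*" is a wildcard; the patent does not define one, so it is an assumption here.
FILTER_RULES = [
    ("203.0.113.10", "*", "192.0.2.5", 8443, "tcp", STRONG),
    ("203.0.113.20", "*", "192.0.2.5", 8080, "tcp", WEAK),
]


def classify_packet(src_ip, src_port, dst_ip, dst_port, proto, rules=FILTER_RULES):
    """S5: match the 5-tuple against the filtering rules; no match means discard."""
    for r_src, r_sport, r_dst, r_dport, r_proto, mode in rules:
        if (r_src in ("*", src_ip) and r_sport in ("*", src_port)
                and r_dst in ("*", dst_ip) and r_dport in ("*", dst_port)
                and r_proto == proto):
            return mode
    return DROP


# Special protocol frame layout (an assumption; the patent only lists the fields):
#   header = src IP (4) | dst IP (4) | src port (2) | dst port (2) | msg type (1) | data length (4)
#   frame  = header | data field | authentication stamp (32)
HEADER_FMT = "!4s4sHHBI"
HEADER_LEN = struct.calcsize(HEADER_FMT)
STAMP_LEN = 32


def auth_stamp(key, header, data):
    """Message authentication stamp. The patent's S6 computes an MD5 digest of the data
    field and encrypts it; here that is replaced by an HMAC-SHA256 over header and data,
    which also binds the key information and needs no separate encryption step."""
    return hmac.new(key, header + data, hashlib.sha256).digest()


def encapsulate(key, src_ip, dst_ip, src_port, dst_port, msg_type, data):
    """S6: strip the TCP/IP header down to the key information and build the special frame."""
    header = struct.pack(HEADER_FMT,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed,
                         src_port, dst_port, msg_type, len(data))
    return header + data + auth_stamp(key, header, data)


def decompose(key, frame):
    """S8: split the frame, check the declared length and the stamp.
    Returns the key information plus data field, or None if verification fails
    (the repackaging module records the abnormality and forwards nothing)."""
    if len(frame) < HEADER_LEN + STAMP_LEN:
        return None
    header = frame[:HEADER_LEN]
    src, dst, sport, dport, mtype, dlen = struct.unpack(HEADER_FMT, header)
    if len(frame) != HEADER_LEN + dlen + STAMP_LEN:
        return None  # data field length in the header does not match the frame
    data = frame[HEADER_LEN:HEADER_LEN + dlen]
    if not hmac.compare_digest(auth_stamp(key, header, data), frame[HEADER_LEN + dlen:]):
        return None  # stamp mismatch: data field or key information was altered in transit
    return {"src_ip": str(ipaddress.IPv4Address(src)), "dst_ip": str(ipaddress.IPv4Address(dst)),
            "src_port": sport, "dst_port": dport, "msg_type": mtype, "data": data}


def ferry(key, src_ip, src_port, dst_ip, dst_port, proto, msg_type, data):
    """Run one extranet packet through the ferry area: S5 filtering, then for strong
    isolation packets S6 encapsulation and S8 decomposition before reconstruction.
    Returns (mode, reconstructed key information) or (mode, None) when nothing is forwarded."""
    mode = classify_packet(src_ip, src_port, dst_ip, dst_port, proto)
    if mode == DROP:
        return mode, None
    if mode == WEAK:
        # Weak isolation packets pass identity authentication and access control and are
        # forwarded as-is; that path is not modelled beyond returning the packet fields.
        return mode, {"src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port,
                      "dst_port": dst_port, "msg_type": msg_type, "data": data}
    frame = encapsulate(key, src_ip, dst_ip, src_port, dst_port, msg_type, data)
    # The isolation area storage medium would hold `frame` while the switch flips from
    # the external to the internal processing unit (S7).
    return mode, decompose(key, frame)
```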
Claims (10)
1. The knowledge base information synchronization system of the edge safety computing node is characterized by comprising an outer network node, an inner network node and a data ferrying area arranged between the outer network node and the inner network node, wherein the inner network node is used for synchronizing the change data in the outer network node, and the data ferrying area comprises:
the external processing unit is used for monitoring a network service port, receiving data packets through a TCP/IP protocol, checking all the received data packets according to the filtering rules in the security policy module, classifying and processing various data packets, and reconstructing the data packets, wherein synchronous updating data sent to an intranet database by an extranet knowledge base is encapsulated in the data packets;
the data isolation forwarding module is used for isolating and transferring the data packet from the external network node;
the internal processing unit is used for reconstructing the data packet from the data isolation forwarding module and forwarding the data packet to the intranet node;
the security policy module is prestored with a data filtering rule and an access control policy;
and the knowledge base updating strategy base is used for storing data and synchronization logs in the synchronization process.
2. The system according to claim 1, wherein the intranet node comprises:
the data processing module is used for acquiring knowledge base information needing to be updated from the knowledge base updating strategy base;
and the intranet knowledge base is used for updating the inside according to the knowledge base updating strategy base and the received knowledge base updating information.
3. The system of claim 2, wherein the extranet node comprises:
the external network knowledge base is used for providing knowledge base synchronization information;
the change monitoring module is used for monitoring whether the data of the internal network knowledge base is consistent with the data of the external network knowledge base in a timing mode, if so, the monitoring is continued, and if not, the synchronous scheduling module is started;
and the synchronous scheduling module is used for scheduling a synchronous program, reading synchronous configuration information of the knowledge base, filtering data, packaging a data table to be synchronized by using a TCP/IP protocol, encrypting and signing information and sending the information to the external processing unit.
4. The system of claim 3, wherein the external processing unit comprises:
the data receiving port is used for monitoring the network service port and receiving a data packet through a TCP/IP protocol;
the packet filtering module is used for checking all received data packets according to the filtering rules in the security policy module and dividing the data packets into three types according to the data filtering rules, wherein one type is a strong isolation environment data packet, which is forwarded to the data packet analysis module; one type is a weakly isolated data packet, which is subjected to identity authentication and forwarded to the data forwarding port of the external processing unit through access control; and the third type, which is neither a strong isolation nor a weakly isolated data packet, is directly discarded;
and the data packet analysis module is used for stripping a TCP/IP protocol message header of the data packet processed by the packet filtering module, checking the safety of a data field, generating a new message authentication stamp and reconstructing the data packet according to a safety special protocol.
5. The system of claim 4, wherein the data isolation forwarding module comprises:
the isolation area storage medium is used as a transfer station for receiving a data packet or receiving a data packet in a special protocol format;
and the isolation area switch control module controls the connection between the isolation area storage medium and the intranet node or the extranet node according to the specific content of the forwarding request, so as to realize the separation of the received data and the forwarded data.
6. The system of claim 5, wherein the internal processing unit comprises:
the data packet repackaging module is used for decomposing a special protocol data packet, verifying the integrity of a data field and then reconstructing the data packet from the data isolation forwarding module;
and the data forwarding port is used for forwarding the data packet reconstructed by the data packet repackaging module to the intranet node.
7. The knowledge base information synchronization system of an edge security computing node according to claim 1, wherein the data of the synchronization process includes intranet, extranet, timestamp data for handling conflicts; the synchronization log is used to record each data synchronization event, including the synchronization time and the synchronized data profile.
8. The knowledge base information synchronization system of an edge security computing node according to claim 1, wherein the intranet node is further configured to read and write the security policy module and the knowledge base update policy base, and the extranet node, the external processing unit, the data isolation forwarding module, and the internal processing unit are configured to read only the security policy module and the knowledge base update policy base.
9. The synchronization method of the knowledge base information synchronization system of the edge security computing node according to claim 5, characterized by comprising the following steps:
s1: a change monitoring module of the outer network node regularly senses whether the information of the inner network knowledge base is consistent with the data of the outer network knowledge base, if so, the monitoring is continued, and if not, a synchronous scheduling module is started;
s2: the synchronous scheduling module reads the knowledge base data configuration information of the external network node according to the starting scheduling program;
s3: filtering the external network knowledge base according to the knowledge base data configuration information and the data filtering rule, packaging the filtered data needing to be synchronized, encrypting the signature, and sending the data to a data receiving port of an external processing unit through a TCP/IP protocol;
s4: the data receiving port continuously monitors the network service port, continuously checks whether a TCP/IP connection request exists, establishes TCP/IP connection with an external network node when receiving the request, then receives a data packet sent by the external network node, and forwards the data to a packet filtering module;
s5: the packet filtering module checks IP addresses, ports and protocol information of data packets, divides the data packets into three types according to data filtering rules, wherein one type is a strong isolation environment data packet, and forwards the data packet to the data packet analysis module; one type is a weak isolation data packet, the data packet is subjected to identity authentication and is forwarded to a data forwarding port through access control, and the third type, which is neither a strong nor a weak isolation data packet, is directly discarded;
s6: after receiving the data packet, the data packet analysis module firstly checks whether the data packet is complete and error-free, then checks whether the port number is correct, if the check fails, discards the data packet, and if the check succeeds, respectively extracts the message header part information of the TCP/IP protocol and the carried data field; then, the security of the data field is detected through content inspection, viruses are killed, the file type is controlled, and data with potential safety hazards are discarded; then, using an MD5 algorithm to calculate a message digest of the data field, and then encrypting the message digest to obtain a ciphertext; repackaging the key information obtained according to the TCP/IP message header and the summary ciphertext obtained by the message authentication module, carrying out encapsulation according to a special transmission protocol rule to obtain a special protocol data packet, and sending the special protocol data packet to an isolation area storage medium; the key information comprises a source IP address, a target IP address, a source port number, a target port number, a message type, a data field length and a data field;
s7: after receiving the special protocol data packet, the isolation area storage medium controls disconnection of the connection with the external network through an isolation area switch, establishes connection with the internal network, and forwards the special protocol data packet to a data packet repackaging module;
s8: the repackaging module firstly decomposes the special protocol data packet and extracts the key information of the data packet head and the transmitted data field; then, the digest cipher text obtained from the special protocol decomposition module is decrypted, the message digest of the data field is calculated by using the MD5 algorithm, and whether the message is correct or not is verified by comparison; verifying the signature information, and comparing the information checksums; for the data which is successfully verified, reconstructing a TCP/IP protocol data packet according to key information obtained from the message header of the special protocol data packet;
s9: the data forwarding port forwards the received TCP/IP data packet to a data processing module of the intranet node;
s10: the data processing module processes the TCP/IP data packet to obtain knowledge base information needing to be updated;
s11: and carrying out synchronous operation on the internal network knowledge base according to the knowledge base updating strategy base and the received knowledge base updating table, and then updating the synchronous process into the knowledge base updating strategy base in a log mode.
10. The synchronization method of claim 9, wherein the knowledge base data configuration information comprises whether the data is synchronizable, the synchronization operation and the synchronization method.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010471748.5A CN111711615B (en) | 2020-05-29 | 2020-05-29 | Knowledge base information synchronization system and method for edge security computing node |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111711615A true CN111711615A (en) | 2020-09-25 |
CN111711615B CN111711615B (en) | 2022-07-26 |
Family
ID=72537530
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111711615B (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112468571A (en) * | 2020-11-24 | 2021-03-09 | 中国联合网络通信集团有限公司 | Intranet and extranet data synchronization method and device, electronic equipment and storage medium |
CN113037833A (en) * | 2021-03-04 | 2021-06-25 | 北京安华金和科技有限公司 | Data processing method and device, storage medium and electronic equipment |
CN113114626A (en) * | 2021-03-17 | 2021-07-13 | 宁波万德高科智能科技有限公司 | Security gateway system based on edge calculation and construction method thereof |
CN113132156A (en) * | 2021-03-31 | 2021-07-16 | 中国人民解放军战略支援部队信息工程大学 | Storage-computation-transmission integrated network function basic platform structure and method |
CN113612675A (en) * | 2021-06-25 | 2021-11-05 | 北京劲群科技有限公司 | Distributed intranet transparent implementation architecture and method |
RU2762157C1 (en) * | 2021-02-20 | 2021-12-16 | Вячеслав Германович Кочанов | Method for isolating data packets transmitted over public networks in the tcp/ip family protocol format using a combination of masking, encryption and control methods for the received data |
CN114726574A (en) * | 2022-02-28 | 2022-07-08 | 新华三信息安全技术有限公司 | Safety isolation protection system and safety isolation protection method |
CN115001665A (en) * | 2022-08-01 | 2022-09-02 | 北京安盟信息技术股份有限公司 | Data reinforcement method and data transmission system based on data isolation exchange scene |
CN115001831A (en) * | 2022-06-09 | 2022-09-02 | 北京交通大学 | Method and system for dynamically deploying network security service based on malicious behavior knowledge base |
CN115086084A (en) * | 2022-08-19 | 2022-09-20 | 北京珞安科技有限责任公司 | Safety isolation and information exchange system and method |
RU2798799C1 (en) * | 2022-07-01 | 2023-06-27 | Общество с ограниченной ответственностью фирма "Интерсвязь" | Method for collecting and storing network data obtained from broadcasting an ip address |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101286978A (en) * | 2008-05-22 | 2008-10-15 | 上海交通大学 | TCP connection separation with complete semantic, control method and system |
CN103780648A (en) * | 2012-10-22 | 2014-05-07 | 百度在线网络技术(北京)有限公司 | Synchronizing system and method for developer information of inner network and outer network |
CN105656883A (en) * | 2015-12-25 | 2016-06-08 | 冶金自动化研究设计院 | Unidirectional transmission internal and external network secure isolating gateway applicable to industrial control network |
CN107070907A (en) * | 2017-03-31 | 2017-08-18 | 杭州通悟科技有限公司 | Intranet and extranet data unidirectional transmission method and system |
CN108733823A (en) * | 2018-05-22 | 2018-11-02 | 浪潮软件股份有限公司 | A kind of system and method that ORACLE database intranet and extranet data double-ways are synchronized |
CN110049059A (en) * | 2019-04-26 | 2019-07-23 | 深圳市网心科技有限公司 | A kind of outer net equipment and Intranet communication between devices method and relevant apparatus |
CN110941621A (en) * | 2018-09-25 | 2020-03-31 | 北京国双科技有限公司 | Method and device for synchronizing databases between internal network and external network |
Non-Patent Citations (1)
Title |
---|
He Wei et al.: "Practice of a database synchronization method in a network-isolated environment", Computer Security (《计算机安全》), 25 December 2009 (2009-12-25), pages 21-23 * |
Also Published As
Publication number | Publication date |
---|---|
CN111711615B (en) | 2022-07-26 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | Effective date of registration: 20231219. Address after: Room 24, Floor 2, Unit 1, Building 1, No. 73, Section 2, Second Ring Road West, Qingyang District, Chengdu, 610000, Sichuan. Patentee after: Sichuan Zhongding System Integration Co.,Ltd. Address before: 610000 room 421, 4th floor, building 8, No. 388, north section of Yizhou Avenue, high tech Zone, Chengdu, Sichuan Province. Patentee before: Chengdu Golden Falcon Zhian Technology Co.,Ltd. |