CN112583843A - Joint protection system and method and computer equipment - Google Patents

Info

Publication number
CN112583843A
Authority
CN
China
Prior art keywords
target host
information
protection
firewall
target
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011546067.7A
Other languages
Chinese (zh)
Inventor
王永峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Luoan Technology Co Ltd
Original Assignee
Beijing Luoan Technology Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0263 Rule management
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention discloses a joint protection system, a joint protection method and computer equipment. The system comprises a protection module and a firewall. The protection module monitors a target service and a target port of a target host, acquires address information of the target host when an attack behavior on the target host is detected, generates risk information from the address information and sends the risk information to the firewall; the firewall generates or adjusts a protection rule according to the received risk information and isolates the target host according to the protection rule. Because the protection module monitors each service and each port of the target host in real time, the information of the target host is actively sent to the industrial firewall as soon as abnormal attack behavior occurs, and the industrial firewall can generate the protection rule in time from the reported information. The target host is thereby isolated, the risk present on it is prevented from spreading into the industrial control network, the risk is reduced, and the potential safety hazard is avoided.

Description

Joint protection system and method and computer equipment
Technical Field
The invention relates to the field of industrial control system safety, in particular to a joint protection system, a joint protection method and computer equipment.
Background
With the rapid development of the mobile internet, a large number of unsafe factors from traditional IT networks have "poured into" industrial control systems, making already fragile industrial control systems even more vulnerable. Key infrastructure vital to the national economy and people's livelihood, such as industry, energy, transportation and water conservancy, faces a large safety risk: once damaged, a whole city may suffer power supply interruption, drinking water pollution, traffic paralysis and the like, affecting public life and even national security. Therefore, strengthening the safety construction of industrial control systems is very urgent.
In response to this situation, industrial firewalls for protecting industrial control networks and industrial control host guards for protecting the upper computers of industrial control systems have come into use. Deploying an industrial firewall on the industrial control equipment and applying blacklist and whitelist access control to its network communication effectively reduces the attack surface of the equipment; installing an industrial control host guard on the upper computer of the industrial control system ensures, through its whitelist, that only programs on the trusted whitelist can be executed and that any program outside the whitelist cannot, so that the safety of the industrial control equipment is ensured.
However, in the related art, the industrial firewall and the industrial control host guard each provide protection independently: protection policies must be added through manual intervention, protection cannot be adjusted dynamically according to the actual operating condition of the industrial control system, the delay of manual intervention is long, protection is not timely, and serious potential safety hazards exist.
Disclosure of Invention
In view of this, embodiments of the present invention provide a joint protection system, method and computer device to solve the problems that the industrial firewall and the industrial control host guard each provide protection independently, that dynamic protection cannot be performed according to the actual operating condition of the industrial control system, and that the long delay of manual intervention prevents timely protection.
According to a first aspect, an embodiment of the present invention provides a joint defense system, including: protection module and firewall, wherein: the protection module is used for monitoring a target service and a target port of a target host, acquiring address information of the target host when an attack behavior on the target host is monitored, generating risk information according to the address information, and sending the risk information to the firewall; the firewall is used for generating or adjusting a protection rule according to the received risk information; and isolating the target host according to the protection rule.
With reference to the first aspect, in a first implementation manner of the first aspect, the firewall includes: the first address information determining module is used for determining first address information and second address information of the target host according to the risk information; the second address information determining module is used for determining a source address according to the first address information and the second address information and determining a destination address according to the first address information and the second address information; the protection rule generating module is used for generating a protection rule according to the source address and the destination address; and the isolation module is used for isolating the target host according to the protection rule.
With reference to the first implementation manner of the first aspect, in a second implementation manner of the first aspect, the isolation module is specifically configured to disable a corresponding data access request according to the protection rule, and isolate the target host.
With reference to the first aspect, in a third implementation manner of the first aspect, the protection module is specifically configured to monitor a target service and a target port of the target host and determine the running program; and when the running program does not belong to a preset white list, determine that an attack behavior exists on the target host.
With reference to the first aspect, in a fourth implementation manner of the first aspect, the protection module is communicatively connected to the firewall, and the protection module is further configured to send heartbeat information to the firewall based on a preset period; the firewall is further configured to generate heartbeat feedback information and send it back to the protection module when receiving the heartbeat information sent by the protection module; and/or the firewall is further configured to send heartbeat information to the protection module based on a preset period; the protection module is further configured to generate heartbeat feedback information and send it back to the firewall when receiving the heartbeat information sent by the firewall.
With reference to the first aspect, in a fifth implementation manner of the first aspect, the firewall is further configured to generate an alarm prompt message according to the risk information after isolating the target host according to the protection rule, and send the alarm prompt to a manager.
According to a second aspect, an embodiment of the present invention provides a joint protection method, including: monitoring a target service and a target port of a target host; when the attack behavior on the target host is monitored, acquiring the address information of the target host; and generating risk information according to the address information, and sending the risk information to a firewall.
According to a third aspect, an embodiment of the present invention provides a joint protection method, including: generating a protection rule according to received risk information, wherein the risk information is generated and sent according to address information of a target host when a protection module monitors that an attack behavior exists on the target host; and isolating the target host according to the protection rule.
According to a fourth aspect, an embodiment of the present invention provides a computer device, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform the steps of the joint defense method of the first or second aspect.
According to a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the steps of the joint defense method described in the first aspect or the second aspect.
The technical scheme of the invention has the following advantages:
The invention provides a joint protection system, a method and computer equipment. The system comprises a protection module and a firewall, wherein: the protection module is used for monitoring a target service and a target port of a target host, acquiring address information of the target host when an attack behavior on the target host is monitored, generating risk information according to the address information, and sending the risk information to the firewall; the firewall is used for generating or adjusting a protection rule according to the received risk information and isolating the target host according to the protection rule. This solves the problem in the related art that protection cannot be carried out in time and serious potential safety hazards result: because the protection module monitors each service and each port of the target host in real time, the information of the target host is actively sent to the industrial firewall when abnormal attack behavior occurs, the industrial firewall generates the protection rule in time according to the reported information, the target host is isolated, the risk present on it is prevented from spreading into the industrial control network, the risk is reduced and the potential safety hazard is avoided; and through the communication between the protection module and the industrial firewall, the protection subsystems form an organic whole.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a functional block diagram of a specific example of a joint protection system in an embodiment of the present invention;
FIG. 2 is a schematic block diagram of a specific example of a firewall in the joint protection system in an embodiment of the present invention;
FIG. 3 is a flow chart illustrating a joint protection method according to an embodiment of the present invention;
FIG. 4 is a flow chart of the joint protection system according to an embodiment of the present invention;
FIG. 5 is a diagram showing a specific example of a computer device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
With the continuous integration and deepening of informatization and industrialization, the traditional mobile internet is communicated with a relatively closed industrial control network, so that the industrial control network faces a relatively large safety risk; aiming at the situation, an industrial firewall for protecting an industrial control network and an industrial control host guard for protecting an upper computer of an industrial control system are brought into operation. However, there are many problems in the related art, for example, protection policies of an industrial firewall and an industrial control host guard need to be added by manual intervention, which results in untimely protection.
An embodiment of the present invention provides a joint protection system, as shown in fig. 1, including: protection module 100 and firewall 200, wherein:
the protection module 100 is configured to monitor a target service and a target port of a target host, acquire address information of the target host when an attack behavior on the target host is monitored, generate risk information according to the address information, and send the risk information to a firewall. In this embodiment, the protection module 100 may be an industrial control host guard deployed on an upper computer of an industrial control system; the target host may be the upper computer of any equipment in the industrial control system that needs to be monitored; the target service may be any service that can be provided on the target host; the target port may be any one of the ports of the target host. The attack behavior may be an abnormal access behavior, for example an unknown program accessing a sensitive port of the target host, where a sensitive port is a port of the target host with weaker defenses; it may also be an abnormal running behavior, for example a virus or trojan program on the target host attempting to run. The address information of the target host may be the IP address information, the MAC address information, and the port serial number information of the target host.
Specifically, an industrial control host guard monitors various services which can be provided by the industrial control host and the running states of various ports in use in real time, acquires IP address information of a target host and MAC address information of the target host when determining that an attack action exists on the target host according to the running states of the various services, generates risk information, and sends the risk information to an industrial firewall; and when the attack behavior on the target host is determined according to the running state of each port, acquiring the port serial number information of the target host, generating risk information according to the port serial number information, and sending the risk information to the industrial firewall.
The firewall 200 is used for generating or adjusting a protection rule according to the received risk information and isolating the target host according to the protection rule. In this embodiment, the firewall 200 may be an industrial firewall deployed in an industrial control network system; the protection rule may be obtained either by adjusting an initial protection rule according to the risk information or by generating it directly from the risk information. Specifically, the industrial firewall generates or adjusts a protection rule according to the risk information received from the industrial control host guard and isolates the target host according to that rule.
The invention provides a joint protection system, which comprises: the protection module 100 is configured to monitor a target service and a target port of a target host, acquire address information of the target host when an attack behavior on the target host is monitored, generate risk information according to the address information, and send the risk information to the firewall 200; the firewall 200 is used for generating or adjusting a protection rule according to the received risk information; and isolating the target host according to the protection rule. By implementing the method and the device, the problem that the serious potential safety hazard is caused due to the fact that timely protection cannot be carried out in the related technology is solved, and by combining with the real-time monitoring of each service and each port of the target host by the protection module 100, the information of the target host can be actively sent to the industrial firewall when an abnormal attack action occurs, and then the industrial firewall generates the protection rule in time according to the reported information, so that the isolation of the target host is realized, the risk existing on the target host is prevented from being diffused into an industrial control network, the risk is reduced, and the potential safety hazard is avoided; and in combination with the communication between the protection module 100 and the industrial firewall, all protection subsystems form an organic whole.
As an alternative embodiment of the present invention, as shown in fig. 2, the firewall 200 includes:
a first address information determining module 101, configured to determine first address information and second address information of a target host according to the risk information; in this embodiment, the address information of the target host is determined according to the risk information sent by the industrial control host guard, and includes IP address information and MAC address information. For example, the IP address information of the target host may be 211.103.202.xxx, the MAC address information of the target host may be 00-23-5A-15-99-42;
a second address information determining module 102, configured to determine a source address according to the first address information and the second address information, and determine a destination address according to the first address information and the second address information; in this embodiment, the source address information may be IP address information of the target host, or may be MAC address information of the target host; the destination address may be IP address information of the target host or MAC address information of the target host.
A protection rule generating module 103, configured to generate a protection rule according to a source address and a destination address; in this embodiment, the protection rule may include a first protection rule and a second protection rule; the first protection rule may be to disable data access whose source address is IP address information of the target host, and to disable data access whose source address is MAC address information of the target host; the second protection rule may disable data access whose destination address is IP address information of the target host, and disable data access whose destination address is MAC address information of the target host.
And the isolation module 104 is used for isolating the target host according to the protection rule. In this embodiment, the first protection rule and the second protection rule are applied to an industrial control network to implement isolation of the target host, that is, according to the first protection rule, any access of the target host to the external device may be prohibited; according to the second protection rule, any external device can be prohibited from accessing the target host.
According to the joint protection system provided by the embodiment of the invention, the industrial firewall generates the protection rule according to the risk information sent by the industrial control host guard, so that the isolation of the risky target host is realized.
As an optional embodiment of the present invention, the isolation module 104 is specifically configured to disable the corresponding data access request according to the protection rule, and isolate the target host. In this embodiment, the protection rule may include a first protection rule and a second protection rule; the first protection rule may be to disable data access whose source address is IP address information of the target host, and to disable data access whose source address is MAC address information of the target host; the second protection rule may disable data access whose destination address is IP address information of the target host, and disable data access whose destination address is MAC address information of the target host. The first protection rule and the second protection rule are applied to an industrial control network to realize the isolation of the target host, namely, the target host can be prohibited from any access to the external equipment according to the first protection rule; according to the second protection rule, any external device can be prohibited from accessing the target host.
As an optional embodiment of the present invention, the protection module 100 is specifically configured to monitor a target service and a target port of a target host and determine the running program; and when the running program does not belong to the preset white list, determine that an attack behavior exists on the target host. In this embodiment, the preset white list may be a list of software, preset by the industrial control host guard, that is allowed to run safely on the target host; the industrial control host guard determines which program is running on the target host at that moment by monitoring each service of the target host and the running condition of each port; and when the running program does not belong to the preset white list, it determines that a program outside the white list is running on the target host, that is, that an attack behavior exists on the target host.
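The following is an added example, not code from the patent or from Beijing Luoan's products: a minimal model of the flow described for fig. 2 and the whitelist embodiment above. The host guard flags any running program outside its preset whitelist (or an unknown program touching a sensitive port) and reports the host's IP and MAC (plus the port, for a port-level trigger) to the firewall; the firewall derives the two protection rules (block traffic whose source, and traffic whose destination, is the host's IP or MAC), enforces them, and raises an alarm after isolating the host. The report format, the field names, the sample addresses and the program names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


def norm_mac(mac: str) -> str:
    """Canonical MAC form so 00:23:5a:15:99:42 and 00-23-5A-15-99-42 compare equal."""
    return mac.replace(":", "-").upper()


@dataclass(frozen=True)
class RiskInfo:
    """Risk report sent by the host guard to the firewall (constructed format)."""
    host_ip: str
    host_mac: str
    port: Optional[int] = None   # filled in when a port-level anomaly was the trigger
    reason: str = ""


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary, enough for address-based filtering."""
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_mac: str
    dst_port: int


class HostGuard:
    """Whitelist-based host guard: only programs on the preset whitelist may run."""

    def __init__(self, host_ip: str, host_mac: str, whitelist: set, sensitive_ports: set):
        self.host_ip = host_ip
        self.host_mac = norm_mac(host_mac)
        self.whitelist = set(whitelist)
        self.sensitive_ports = set(sensitive_ports)

    def check_programs(self, running: list) -> Optional[RiskInfo]:
        """Service-level check: any running program outside the whitelist is an attack."""
        unknown = sorted(p for p in running if p not in self.whitelist)
        if not unknown:
            return None
        return RiskInfo(self.host_ip, self.host_mac,
                        reason="non-whitelisted program: " + ", ".join(unknown))

    def check_port(self, program: str, port: int) -> Optional[RiskInfo]:
        """Port-level check: an unknown program touching a sensitive port is an attack;
        the report then carries the port serial number as well."""
        if port in self.sensitive_ports and program not in self.whitelist:
            return RiskInfo(self.host_ip, self.host_mac, port=port,
                            reason=f"{program} accessed port {port}")
        return None


class IndustrialFirewall:
    """Turns risk reports into the two protection rules and enforces them."""

    def __init__(self):
        self.rules = []    # (direction, ip, mac); "source" = rule 1, "destination" = rule 2
        self.alarms = []   # alarm prompts for the administrator

    def receive_risk(self, risk: RiskInfo) -> list:
        """Generate the rules for this host, or adjust nothing if they already exist."""
        mac = norm_mac(risk.host_mac)
        wanted = [("source", risk.host_ip, mac), ("destination", risk.host_ip, mac)]
        added = [r for r in wanted if r not in self.rules]
        self.rules.extend(added)
        # alarm is raised after isolation so operators can handle the problem host
        self.alarms.append(f"isolated {risk.host_ip}/{mac}: {risk.reason}")
        return added

    def allow(self, pkt: Packet) -> bool:
        """Rule 1 blocks the host as a source, rule 2 blocks it as a destination."""
        for direction, ip, mac in self.rules:
            if direction == "source" and (pkt.src_ip == ip or norm_mac(pkt.src_mac) == mac):
                return False
            if direction == "destination" and (pkt.dst_ip == ip or norm_mac(pkt.dst_mac) == mac):
                return False
        return True


def run_scenario() -> dict:
    """Constructed scenario: an upper computer starts an unknown program and is isolated."""
    guard = HostGuard("192.0.2.10", "00-23-5a-15-99-42", {"hmi.exe", "opcserver.exe"}, {445, 3389})
    fw = IndustrialFirewall()
    to_plc = Packet("192.0.2.10", "00:23:5a:15:99:42", "192.0.2.20", "00-23-5A-00-00-20", 502)
    results = {"before": fw.allow(to_plc)}
    risk = guard.check_programs(["hmi.exe", "opcserver.exe", "dropper.exe"])
    results["risk"] = risk
    results["rules"] = fw.receive_risk(risk) if risk else []
    # host -> PLC is now blocked by the source rule, even with the MAC written differently
    results["outbound"] = fw.allow(to_plc)
    # engineering station -> host is blocked by the destination rule
    results["inbound"] = fw.allow(Packet("192.0.2.30", "00-23-5A-00-00-30",
                                         "192.0.2.10", "00-23-5A-15-99-42", 445))
    # traffic not involving the isolated host still passes
    results["other"] = fw.allow(Packet("192.0.2.30", "00-23-5A-00-00-30",
                                       "192.0.2.20", "00-23-5A-00-00-20", 502))
    # a later port-level report for the same host adds no duplicate rules
    results["readded"] = fw.receive_risk(guard.check_port("dropper.exe", 445))
    results["alarms"] = len(fw.alarms)
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, "->", v)
```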
As an alternative embodiment of the present invention, protection module 100 is communicatively coupled to firewall 200; in this embodiment, protection module 100 and firewall 200 may communicate with each other.
The protection module 100 is further configured to send heartbeat information to the firewall 200 based on a preset period; the firewall 200 is further configured to generate heartbeat feedback information and send the heartbeat feedback information back to the protection module 100 when receiving the heartbeat information sent by the protection module 100; in this embodiment, the preset period may be one minute, thirty seconds, or any other period, and a person skilled in the art may specifically determine the preset period according to an actual application scenario, which is not limited in the embodiment of the present invention.
And/or, the firewall 200 is further configured to send heartbeat information to the protection module 100 based on a preset period; the protection module 100 is further configured to generate heartbeat feedback information and send it back to the firewall 200 when receiving the heartbeat information sent by the firewall 200. In this embodiment, the preset period may be one minute, thirty seconds, or any other time period, and a person skilled in the art may determine the preset period according to the actual application scenario, which is not limited in the embodiment of the present invention.
In an optional embodiment, the industrial control host guard sends heartbeat information to the industrial firewall at a frequency of twice a minute; when the firewall 200 receives the heartbeat information, it generates heartbeat feedback information and sends it back to the industrial control host guard, and when the industrial control host guard receives the heartbeat feedback information, it can determine that the communication link between the industrial control host guard and the firewall 200 is normal.
In an alternative embodiment, the firewall 200 sends heartbeat information to the industrial control host guard at a frequency of twice a minute; when the industrial control host guard receives the heartbeat information, it generates heartbeat feedback information and sends it back to the firewall 200, and when the firewall 200 receives the heartbeat feedback information, it can determine that the communication link between the firewall 200 and the industrial control host guard is normal.
In another optional embodiment, the industrial control host guard and the firewall 200 simultaneously send heartbeat information to each other at a frequency of twice a minute, and when the firewall 200 receives the heartbeat information, heartbeat feedback information is generated and sent back to the industrial control host guard; when the industrial control host guard receives the heartbeat information, heartbeat feedback information is generated and sent back to the firewall 200.
As an optional embodiment of the present invention, the firewall 200 is further configured to generate an alarm prompt message according to the risk information after isolating the target host according to the protection rule, and to send the alarm prompt message to the administrator. In this embodiment, the firewall 200 may generate the alarm prompt information as soon as it receives the risk information sent by the industrial control host guard and send it to the administrator, so as to prompt the operation and maintenance personnel to deal with the problem host in time, thereby improving the security of the industrial control network system; alternatively, the firewall 200 may first generate the protection rule after receiving the risk information sent by the industrial control host guard, isolate the target host according to the protection rule, and then generate the alarm prompt information and send it to the administrator. In this way the firewall responds to the risk information in time, automatically generates the protection rule, isolates the host immediately, and prompts the administrator while the security of the industrial control network system is ensured.
An embodiment of the present invention further provides a joint protection method, as shown in fig. 3, for use in an upper computer of any industrial control device in an industrial control system, including:
step S21: monitoring a target service and a target port of a target host; in this embodiment, each service that the industrial control host can provide and the operating state of each port in use are monitored in real time.
Step S22: when the attack behavior on the target host is monitored, acquiring the address information of the target host; in this embodiment, when it is determined that an attack action exists on the target host according to the operating states of the services, the IP address information of the target host and the MAC address information of the target host are obtained.
Step S23: and generating risk information according to the address information, and sending the risk information to the firewall 200. In this embodiment, risk information may be generated according to the acquired IP address information of the target host and the MAC address information of the target host, and the risk information may be sent to the industrial firewall; or when the attack behavior on the target host is determined according to the running state of each port, port serial number information of the target host is obtained, risk information is generated according to the port serial number information, and the risk information is sent to the industrial firewall.
The invention provides a joint protection method, which comprises the following steps: monitoring a target service and a target port of a target host, and acquiring address information of the target host when an attack behavior on the target host is monitored; and generating risk information according to the address information, and sending the risk information to the firewall 200. By implementing the method, real-time monitoring of each service and each port of the target host is combined with active reporting: when abnormal attack behavior occurs, the information of the target host is actively sent to the industrial firewall, so that the risk present on the target host is prevented from spreading into the industrial control network, the risk is reduced, and potential safety hazards are avoided.
An embodiment of the present invention further provides a joint protection method, as shown in fig. 4, including:
Step S31: generating a protection rule according to the received risk information, wherein the risk information is generated and sent according to the address information of the target host when the protection module 100 detects that an attack action exists on the target host. In this embodiment, the address information of the target host is determined from the risk information sent by the industrial control host guard and includes IP address information and MAC address information. The source address information can be the IP address information of the target host or the MAC address information of the target host; the destination address can likewise be the IP address information or the MAC address information of the target host.
Step S32: isolating the target host according to the protection rule. In this embodiment, the protection rule may include a first protection rule and a second protection rule. The first protection rule disables data access whose source address is the IP address information of the target host and data access whose source address is the MAC address information of the target host; the second protection rule disables data access whose destination address is the IP address information of the target host and data access whose destination address is the MAC address information of the target host.
The invention provides a joint protection method, which comprises the following steps: generating a protection rule according to the received risk information, wherein the risk information is generated and sent according to the address information of the target host when the protection module 100 detects that an attack action exists on the target host; and isolating the target host according to the protection rule. By implementing the method and the device, the problem in the related art that timely protection cannot be carried out, causing serious potential safety hazards, is solved. Combined with the real-time monitoring of each service and each port of the target host by the protection module 100, the information of the target host is actively sent to the industrial firewall when an abnormal attack action occurs, and the industrial firewall then generates the protection rule in time according to the reported information, so that the target host is isolated, the risk existing on the target host is prevented from spreading into the industrial control network, the risk is reduced, and potential safety hazards are avoided. Through the communication between the protection module 100 and the industrial firewall, all protection subsystems form an organic whole.
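The firewall-side flow of steps S31 and S32, plus the alarm notification of claim 6, as an added Python example that is not part of the patent. It assumes the risk information arrives as JSON carrying the host's IP and MAC (the patent fixes no format); the packet view, addresses and rule keys are constructed for illustration, and a real deployment would translate the four deny rules into the firewall's own filter entries.

```python
import json
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    """One deny rule: a packet whose attribute `key` equals `value` is disabled."""
    key: str    # "src_ip", "src_mac", "dst_ip" or "dst_mac"
    value: str


@dataclass
class Packet:
    """Constructed view of one data access request seen by the firewall."""
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_mac: str


def decode_risk_info(payload: bytes) -> dict:
    """Parse the risk information reported by the protection module (assumed JSON)."""
    info = json.loads(payload)
    if "ip" not in info or "mac" not in info:
        raise ValueError("risk information must carry the target host's IP and MAC")
    return info


def generate_rules(risk_info: dict) -> List[Rule]:
    """Step S31: the first protection rule denies traffic whose source is the target
    host (by IP or MAC); the second denies traffic whose destination is the target host."""
    ip, mac = risk_info["ip"], risk_info["mac"]
    first_rule = [Rule("src_ip", ip), Rule("src_mac", mac)]
    second_rule = [Rule("dst_ip", ip), Rule("dst_mac", mac)]
    return first_rule + second_rule


def is_blocked(packet: Packet, rules: List[Rule]) -> bool:
    """Step S32: a data access is disabled if any rule matches. Matching on MAC as
    well as IP keeps the host isolated even if its IP address changes."""
    return any(getattr(packet, rule.key) == rule.value for rule in rules)


def alarm_message(risk_info: dict) -> str:
    """Claim 6: alarm notification for the manager, built from the same risk information."""
    return (f"isolated host {risk_info['ip']} ({risk_info['mac']}): "
            f"{risk_info.get('type', 'unknown')} anomaly in service {risk_info.get('service', '?')}")


if __name__ == "__main__":
    # Constructed report from the protection module for host 192.0.2.10.
    payload = b'{"ip": "192.0.2.10", "mac": "00:11:22:33:44:55", "service": "hmi", "type": "service"}'
    rules = generate_rules(decode_risk_info(payload))
    print(is_blocked(Packet("192.0.2.10", "00:11:22:33:44:55", "192.0.2.20", "aa:bb:cc:dd:ee:ff"), rules))
    print(alarm_message(decode_risk_info(payload)))
```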
An embodiment of the present invention further provides a computer device, as shown in fig. 5. The computer device may include a processor 41 and a memory 42, where the processor 41 and the memory 42 may be connected by a bus 40 or in another manner; fig. 4 shows connection by the bus 40 as an example.
The processor 41 may be a Central Processing Unit (CPU). The processor 41 may also be another general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination thereof.
The memory 42, as a non-transitory computer readable storage medium, may be used for storing non-transitory software programs, non-transitory computer executable programs and modules, such as the program instructions/modules corresponding to the joint protection method in the embodiments of the present invention. By executing the non-transitory software programs, instructions and modules stored in the memory 42, the processor 41 carries out the functional applications and data processing of the computer device, that is, implements the joint protection method of the above method embodiments.
The memory 42 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created by the processor 41, and the like. Further, the memory 42 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory 42 may optionally include memory located remotely from processor 41, which may be connected to processor 41 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The one or more modules are stored in the memory 42 and, when executed by the processor 41, perform the joint protection method in the embodiment shown in fig. 1.
The details of the computer device can be understood with reference to the corresponding related descriptions and effects in the embodiment shown in fig. 1, and are not described herein again.
The embodiment of the present invention further provides a non-transitory computer readable storage medium that stores a computer instruction, where the computer instruction is used to cause a computer to execute the joint protection method described in any of the above embodiments. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a flash memory, a Hard Disk Drive (HDD) or a Solid-State Drive (SSD); the storage medium may also comprise a combination of memories of the kinds described above.
It should be understood that the above examples are only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. It is neither necessary nor possible to exhaust all embodiments here, and obvious variations or modifications derived from them fall within the scope of the invention.

Claims (10)

1. A joint protection system, comprising: a protection module and a firewall, wherein:
the protection module is used for monitoring a target service and a target port of a target host, acquiring address information of the target host when an attack behavior on the target host is monitored, generating risk information according to the address information, and sending the risk information to the firewall;
the firewall is used for generating or adjusting a protection rule according to the received risk information; and isolating the target host according to the protection rule.
2. The system of claim 1, wherein the firewall comprises:
the first address information determining module is used for determining first address information and second address information of the target host according to the risk information;
the second address information determining module is used for determining a source address according to the first address information and the second address information and determining a destination address according to the first address information and the second address information;
the protection rule generating module is used for generating a protection rule according to the source address and the destination address;
and the isolation module is used for isolating the target host according to the protection rule.
3. The system of claim 2, wherein the isolation module is specifically configured to disable the corresponding data access request according to the protection rule, and isolate the target host.
4. The system of claim 1, wherein the protection module is specifically configured to monitor a target service and a target port of the target host, and determine an operating program; and when the running program does not belong to a preset white list, determining that the target host computer has an attack behavior.
5. The system of claim 1, wherein the protection module is communicatively coupled to the firewall, and the protection module is further configured to send heartbeat information to the firewall based on a preset period; the firewall is also used for generating heartbeat feedback information and sending the heartbeat feedback information back to the protection module when receiving the heartbeat information sent by the protection module;
and/or,
the firewall is further used for sending heartbeat information to the protection module based on a preset period;
the protection module is further used for generating heartbeat feedback information and sending the heartbeat feedback information back to the firewall when the heartbeat information sent by the protection module is received.
6. The system according to claim 1, wherein the firewall is further configured to generate an alarm notification message according to the risk information after isolating the target host according to the protection rule, and send the alarm notification message to a manager.
7. A joint protection method, comprising:
monitoring a target service and a target port of a target host;
when the attack behavior on the target host is monitored, acquiring the address information of the target host;
and generating risk information according to the address information, and sending the risk information to a firewall.
8. A joint protection method, comprising:
generating a protection rule according to received risk information, wherein the risk information is generated and sent according to address information of a target host when a protection module monitors that an attack behavior exists on the target host;
and isolating the target host according to the protection rule.
9. A computer device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform the steps of the joint protection method of claim 7 or 8.
10. A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of the joint protection method of claim 7 or 8.
CN202011546067.7A 2020-12-23 2020-12-23 Joint protection system and method and computer equipment Pending CN112583843A (en)
Publications (1)

Publication Number Publication Date
CN112583843A true CN112583843A (en) 2021-03-30

Family

ID=75139333


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210330