CN112929373B - Intranet equipment protection method - Google Patents


Info

Publication number: CN112929373B
Authority: CN (China)
Prior art keywords: intranet, state, mirror image, equipment, flow
Legal status: Active
Application number: CN202110174279.5A
Other languages: Chinese (zh)
Other versions: CN112929373A (en)
Inventors: 吕青松, 冯志峰, 郭义伟
Current assignee: Zhuhai Comleader Information Technology Co Ltd; Henan Xinda Wangyu Technology Co Ltd
Original assignee: Zhuhai Comleader Information Technology Co Ltd; Henan Xinda Wangyu Technology Co Ltd
Application filed by Zhuhai Comleader Information Technology Co Ltd and Henan Xinda Wangyu Technology Co Ltd
Priority to CN202110174279.5A
Publication of CN112929373A
Application granted
Publication of CN112929373B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The invention provides an intranet equipment protection method comprising the following steps. In the preliminary preparation stage, the software state of the equipment in the intranet is cloned and copied to generate an intranet reference mirror image; the intranet reference mirror image checks its own mirror image file and operating system state and reports a reference check result. In the protection stage, the software state of the equipment in the intranet is cloned and copied to generate an intranet virtual mirror image; the flow (traffic) sent by the intranet equipment is received and copied and distributed to the intranet virtual mirror image; the intranet virtual mirror image checks its own mirror image file and operating system state and reports a check result; the system state in the reference check result is compared with the system state in the check result, taking the intranet reference mirror image as the reference, and when an inconsistent state appears in the intranet virtual mirror image the abnormal equipment is identified and a flow control instruction is sent to block the traffic of the abnormal equipment in the intranet.

Description

Intranet equipment protection method
Technical Field
The invention belongs to the technical field of mimicry security, and particularly relates to an intranet equipment protection method.
Background
At present, traditional security protection equipment such as firewalls, intrusion prevention systems (IPS) and intrusion detection systems (IDS) protects the north-south traffic between the internal network and the external network well, but there is no mature equipment that protects the east-west traffic between devices inside the internal network. At present, protection software such as an anti-virus tool is often installed on intranet equipment, or some hardware is attached externally to the intranet equipment to protect it.
Disclosure of Invention
The invention aims to provide a method for protecting intranet equipment that addresses the defects of the prior art.
In order to achieve the purpose, the invention adopts the technical scheme that:
the invention provides a method for protecting intranet equipment, which comprises the following steps:
preliminary preparation phase
Cloning and copying the software state of the equipment in the intranet to generate an intranet reference mirror image;
the intranet reference mirror checks the intranet reference mirror image file and the operating system state and reports a reference check result;
guard phase
Cloning and copying the software state of the equipment in the intranet to generate an intranet virtual mirror image;
receiving the flow sent by the intranet equipment, and copying and distributing the flow to the intranet virtual mirror image;
the internal network virtual mirror image checks the internal network virtual mirror image file and the state of the operating system and reports the check result;
and comparing the system state in the reference check result with the system state in the check result, taking the intranet reference mirror image as the reference, identifying abnormal equipment when an inconsistent state appears in the intranet virtual mirror image, and sending a flow control instruction to block the traffic of the abnormal equipment in the intranet.
Based on the above, the software state includes an operating system state, an application software state, a file state, an IP address, and a MAC address.
The second aspect of the present invention provides a protection system for an intranet device, comprising:
the intranet virtual mirror image keeps the same software state as the equipment in the intranet by cloning and copying; a state monitoring module arranged in the intranet virtual mirror image checks the intranet virtual mirror image file and the operating system state and reports the check result to an intranet state judging module; the intranet virtual mirror image also receives the traffic sent by the intranet equipment;
the intranet reference mirror image keeps the same software state as the equipment in the intranet by cloning and copying; a reference state monitoring module arranged in the intranet reference mirror image checks the intranet reference mirror image file and the operating system state and reports the check result to the intranet state judging module;
the flow agent is used for copying and distributing the traffic between the intranet equipment and the intranet virtual mirror image;
the intranet state judging module is used for receiving and judging the system states reported by the intranet virtual mirror image and the intranet reference mirror image; taking the intranet reference mirror image as the reference, when the intranet virtual mirror image shows an inconsistent state, the abnormal equipment is identified and a flow control instruction is sent to the flow control module;
and the flow control module is used for blocking the flow of the abnormal intranet equipment according to the flow control instruction.
Based on the above, the software state includes an operating system state, an application software state, a file state, an IP address, and a MAC address.
Based on the above, the flow agent (traffic proxy) is a transparent proxy.
Based on the above, the intranet reference mirror image is in contact only with the intranet state judging module (single-line contact).
Compared with the prior art, the method has outstanding substantive features and represents notable progress. In particular, by introducing a flow agent, an intranet virtual mirror image, an intranet reference mirror image, an intranet state judging module and a flow control module on top of conventional switching, the method detects and judges threats introduced into the east-west traffic of the intranet; by means of the ACL function of the conventional switch it blocks the intranet traffic of abnormal equipment; it thus protects the intranet equipment without changing the state of the intranet equipment and prevents the lateral spread of known or unknown threats within the intranet.
Drawings
FIG. 1 is a schematic block diagram of the system of the present invention.
Detailed Description
The technical solution of the present invention is further described in detail by the following embodiments.
Example 1
The embodiment provides an intranet equipment protection method, which includes:
preliminary preparation phase
Cloning and copying the software state of the equipment in the intranet to generate an intranet reference mirror image; the software state comprises an operating system state, an application software state, a file state, an IP address and an MAC address;
the intranet reference mirror checks the intranet reference mirror image file and the operating system state and reports a reference check result;
guard phase
Cloning and copying the software state of the equipment in the intranet to generate an intranet virtual mirror image;
receiving the flow sent by the intranet equipment, and copying and distributing the flow to the intranet virtual mirror image;
the internal network virtual mirror image checks the internal network virtual mirror image file and the state of the operating system and reports the check result;
and comparing the system state in the reference check result with the system state in the check result, taking the intranet reference mirror image as the reference, identifying abnormal equipment when an inconsistent state appears in the intranet virtual mirror image, and sending a flow control instruction to block the traffic of the abnormal equipment in the intranet.
Example 2
As shown in FIG. 1, the embodiment provides a protection system for intranet equipment, which includes:
The intranet virtual mirror image keeps the same software state as the equipment in the intranet by cloning and copying; the software state comprises the operating system state, application software state, file state, IP address and MAC address. A state monitoring module is introduced into the intranet virtual mirror image; it checks the state of the virtual mirror image file and of the operating system and uploads the check result to the intranet state judging module. The intranet virtual mirror image also receives the traffic sent by the intranet equipment. Specifically, the check result may include the number of processes in the operating system, the number of files in the system directory and the number of Windows operating system registry entries.
The intranet reference mirror image keeps the same software state as the equipment in the intranet by cloning and copying; the software state comprises the operating system state, application software state, file state, IP address and MAC address. A reference state monitoring module is introduced into the intranet reference mirror image to check the state of the reference mirror image file and of the operating system, and the check result is uploaded to the intranet state judging module. Specifically, the check result includes the number of processes in the operating system, the number of files in the system directory and the number of Windows operating system registry entries, and is consistent with what the intranet virtual mirror image checks. Unlike the intranet virtual mirror image, the intranet reference mirror image does not receive the traffic of the intranet equipment; it provides the reference basis for the judgment of the intranet state judging module. So that the intranet reference mirror image remains credible and is not interfered with from outside, it keeps contact only with the intranet state judging module (single-line contact).
The flow agent is mainly used for copying and distributing the traffic between the intranet equipment and the intranet virtual mirror image. For example, when PC1 and PC2 in the intranet communicate and PC1 sends traffic data to PC2, the traffic sent by PC1 first passes through the flow agent; the flow agent copies it and sends the copied traffic both to PC2 in the intranet and to the intranet virtual mirror image PCV21. In particular, the flow agent here may be a transparent proxy that exposes no IP address or MAC address to the outside, so that it can copy and distribute TCP connections and transparently forward stateless UDP data and layer-2 protocol messages; for a TCP connection, the transparent proxy simultaneously maintains two virtual links from PC1, one to PC2 and one to PCV21. The flow agent should ensure that the traffic data sent by PC1 is received identically by PC2 and PCV21.
The intranet state judging module receives and judges the system states reported by the intranet virtual mirror image and the intranet reference mirror image, taking the intranet reference mirror image as the reference; when an inconsistent state appears in the intranet virtual mirror image, it sends a flow control instruction to the flow controller so as to block the abnormal equipment in the intranet. For example, if there are 10 PCs in the intranet, each running a Windows operating system, then the intranet virtual mirror image and the intranet reference mirror image each correspond to the 10 PCs in the intranet, and all run Windows. Suppose that, at judgment time, the number of processes of PC1 in the intranet virtual mirror image is 11 while the number of processes of PC1 in the intranet reference mirror image is 10: the virtual mirror of PC1 runs one more process than the reference mirror of PC1, so it can be determined that an illegal program has been started in the intranet virtual mirror image. Because the state of the intranet virtual mirror image corresponds one-to-one with the real state of the intranet hosts, it can be determined that the illegal program has been started on PC1 in the intranet, and the traffic of PC1 in the intranet is then blocked.
The flow control instruction sent by the intranet state judging module contains information such as the IP address, MAC address and port number of the intranet equipment; based on this information, and by means of the ACL rules of a conventional switch, the traffic of the abnormal intranet equipment is blocked and the spread of suspicious traffic in the intranet is avoided.
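The judgment step (per-device comparison of the virtual mirror's counters against the reference mirror's counters) and the flow control instruction it produces (IP address, MAC address, port) can be written down concretely. The block below is an added example, not code from the patent or its assignees; the device inventory, the check results (PC1 reporting 11 processes against a reference of 10, as in the text), the `port` field and the switch ACL syntax in `render_acl` are all constructed or assumed. It also covers one case the text leaves open: a device that reports a virtual-mirror result but has no reference result is left unjudged rather than blocked, since the patent makes the reference mirror the sole credible basis for a decision.

```python
from dataclasses import dataclass

# The three counters the patent names as the content of a check result.
COUNTERS = ("process_count", "system_dir_file_count", "registry_entry_count")


@dataclass(frozen=True)
class CheckResult:
    """Check result reported by one mirror image (reference or virtual) for one device."""
    device: str
    process_count: int
    system_dir_file_count: int
    registry_entry_count: int


@dataclass(frozen=True)
class Device:
    """Inventory entry for an intranet device (hypothetical fields; 'port' is the
    switch port the device hangs off, which the ACL rule is applied to)."""
    name: str
    ip: str
    mac: str
    port: int


@dataclass(frozen=True)
class FlowControlInstruction:
    """What the judging module hands to the flow control module."""
    device: str
    ip: str
    mac: str
    port: int
    reason: str


def judge(reference, virtual):
    """Compare each device's virtual-mirror result with its reference-mirror result.
    Returns (abnormal, unjudged): abnormal maps device -> list of inconsistencies;
    unjudged lists devices with no reference result, for which no block is issued."""
    ref_by_dev = {r.device: r for r in reference}
    abnormal, unjudged = {}, []
    for v in virtual:
        r = ref_by_dev.get(v.device)
        if r is None:
            unjudged.append(v.device)
            continue
        reasons = [f"{c}: reference={getattr(r, c)}, virtual={getattr(v, c)}"
                   for c in COUNTERS if getattr(r, c) != getattr(v, c)]
        if reasons:
            abnormal[v.device] = reasons
    return abnormal, unjudged


def build_instructions(abnormal, inventory):
    """Turn the judgement into flow control instructions carrying the IP, MAC and
    port of each abnormal device (the fields the patent says the instruction holds)."""
    by_name = {d.name: d for d in inventory}
    return [FlowControlInstruction(device=name, ip=by_name[name].ip, mac=by_name[name].mac,
                                   port=by_name[name].port, reason="; ".join(reasons))
            for name, reasons in abnormal.items()]


def render_acl(instr):
    """Render one instruction as deny rules in an assumed, generic switch ACL syntax
    (real switch CLIs differ). Both the IP and the MAC are denied so that changing
    one identifier alone does not slip past the rule."""
    return [
        f"! {instr.device}: {instr.reason}",
        f"deny ip host {instr.ip} any",
        f"deny mac host {instr.mac} any",
        f"apply interface port{instr.port} in",
    ]


# Constructed sample data: three PCs; PC1 mirrors the patent's worked example,
# PC2 is consistent, PC3 has no reference result yet.
INVENTORY = [
    Device("PC1", "10.0.0.1", "00:11:22:33:44:01", 1),
    Device("PC2", "10.0.0.2", "00:11:22:33:44:02", 2),
    Device("PC3", "10.0.0.3", "00:11:22:33:44:03", 3),
]
REFERENCE = [CheckResult("PC1", 10, 1500, 800), CheckResult("PC2", 12, 1480, 790)]
VIRTUAL = [CheckResult("PC1", 11, 1500, 800), CheckResult("PC2", 12, 1480, 790),
           CheckResult("PC3", 9, 1400, 700)]


def run_example():
    """Run judgement and instruction generation over the constructed data."""
    abnormal, unjudged = judge(REFERENCE, VIRTUAL)
    return abnormal, unjudged, build_instructions(abnormal, INVENTORY)


if __name__ == "__main__":
    abnormal, unjudged, instructions = run_example()
    for instr in instructions:
        print("\n".join(render_acl(instr)))
    print("unjudged (no reference result):", unjudged)
```

Running it blocks only PC1 (one extra process against the reference), leaves PC2 untouched and reports PC3 as unjudged; the reason string carried in the instruction is what an operator would want logged alongside the ACL change.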
Those of ordinary skill in the art will appreciate that the various illustrative elements and method steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
Finally, it should be noted that the above examples are only intended to illustrate the technical solution of the present invention and not to limit it; although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art will understand that modifications to the specific embodiments of the invention, or equivalent substitutions for some of its technical features, may be made without departing from the spirit of the present invention, which is intended to cover all aspects defined by the appended claims.

Claims (6)

1. A method for protecting intranet equipment is characterized by comprising the following steps:
preliminary preparation phase
Cloning and copying the software state of the equipment in the intranet to generate an intranet reference mirror image;
the intranet reference mirror checks the intranet reference mirror image file and the operating system state and reports a reference check result;
guard phase
Cloning and copying the software state of the equipment in the intranet to generate an intranet virtual mirror image;
receiving the flow sent by the intranet equipment, and copying and distributing the flow to the intranet virtual mirror image;
the internal network virtual mirror image checks the internal network virtual mirror image file and the state of the operating system and reports the check result;
and comparing the system state in the reference check result with the system state in the check result, taking the intranet reference mirror image as the reference, identifying abnormal equipment when an inconsistent state appears in the intranet virtual mirror image, and sending a flow control instruction to block the traffic of the abnormal equipment in the intranet.
2. The intranet equipment protection method according to claim 1, wherein: the software state comprises an operating system state, an application software state, a file state, an IP address and a MAC address.
3. An intranet equipment protection system, comprising:
the intranet virtual mirror image keeps the same software state as the equipment in the intranet by cloning and copying; a state monitoring module arranged in the intranet virtual mirror image checks the intranet virtual mirror image file and the operating system state and reports the check result to an intranet state judging module; the intranet virtual mirror image also receives the traffic sent by the intranet equipment;
the intranet reference mirror image keeps the same software state as the equipment in the intranet by cloning and copying; a reference state monitoring module arranged in the intranet reference mirror image checks the intranet reference mirror image file and the operating system state and reports the check result to the intranet state judging module;
the flow agent is used for copying and distributing the traffic between the intranet equipment and the intranet virtual mirror image;
the intranet state judging module is used for receiving and judging the system states reported by the intranet virtual mirror image and the intranet reference mirror image; taking the intranet reference mirror image as the reference, when the intranet virtual mirror image shows an inconsistent state, the abnormal equipment is identified and a flow control instruction is sent to the flow control module;
and the flow control module is used for blocking the flow of the abnormal intranet equipment according to the flow control instruction.
4. The intranet equipment protection system of claim 3, wherein: the software state comprises an operating system state, an application software state, a file state, an IP address and a MAC address.
5. The intranet equipment protection system of claim 3, wherein: the flow agent is a transparent agent.
6. The intranet equipment protection system of claim 3, wherein: the intranet reference mirror image is only in single-line contact with the intranet state judging module.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110174279.5A CN112929373B (en) 2021-02-07 2021-02-07 Intranet equipment protection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110174279.5A CN112929373B (en) 2021-02-07 2021-02-07 Intranet equipment protection method

Publications (2)

Publication Number Publication Date
CN112929373A CN112929373A (en) 2021-06-08
CN112929373B true CN112929373B (en) 2022-09-06

Family

ID=76171272

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110174279.5A Active CN112929373B (en) 2021-02-07 2021-02-07 Intranet equipment protection method

Country Status (1)

Country Link
CN (1) CN112929373B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114363041B (en) * 2021-12-31 2023-08-11 河南信大网御科技有限公司 Intranet protection method and system based on dynamic operating system fingerprint and protocol fingerprint

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101465770A (en) * 2009-01-06 2009-06-24 北京航空航天大学 Method for disposing inbreak detection system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110110520A (en) * 2019-03-22 2019-08-09 珠海高凌信息科技股份有限公司 A kind of the cloud workflow implementing method and system of tolerant invading
US11516050B2 (en) * 2019-06-21 2022-11-29 Amazon Technologies, Inc. Monitoring network traffic using traffic mirroring
CN111654469B (en) * 2020-04-30 2022-09-06 河南信大网御科技有限公司 Mimic flowmeter and mimic exchange system
CN111683162B (en) * 2020-06-09 2022-10-25 福建健康之路信息技术有限公司 IP address management method based on flow identification

Also Published As

Publication number Publication date
CN112929373A (en) 2021-06-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant