CN113489730A - Data transmission method, device and system based on virtualization network - Google Patents


Info

Publication number
CN113489730A
Authority
CN (China)
Prior art keywords
initiator
network address
network
address
receiver
Legal status
Granted
Application number
CN202110786834.XA
Other languages
Chinese (zh)
Other versions
CN113489730B (en)
Inventor
于洪
吴胜
姜春晓
于芷澜
于业浩
杨丽萍
Current Assignee
Individual
Original Assignee
Individual
Events
Application filed by Individual
Priority to CN202110786834.XA
Publication of CN113489730A
Application granted
Publication of CN113489730B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention provides a data transmission method, device and system based on a virtualized network. The method comprises the following steps: a first security device on the side of a communication initiator acquires, by means of a hijacking technique, a service request message sent by the communication initiator; the first security device compiles the initiator's network address with a first compiler, according to a pre-stored first compilation policy, to obtain a virtual network address for the initiator, so that a virtual network is established on the basis of that virtual network address, and sends a data message carrying the virtual network address to the receiver over the physical line already established between the initiator and the receiver; after receiving the data from the first security device, the second security device on the side of the communication receiver resolves the initiator's compiled virtual network address with a second compiler, according to a pre-stored first resolution policy, and, once resolution succeeds, forwards the service request message carrying the initiator identifier to the receiver.

Description

Data transmission method, device and system based on virtualization network
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a data transmission method, apparatus, and system based on a virtualized network.
Background
In recent years in China, as network technology has developed and network applications have become widespread and diverse, network security problems have grown, and high-tech crime carried out by means of information technology has increased, so that building a secure communication environment has become a necessary trend.
Because a computer network has characteristics such as diverse connection forms, non-uniform terminal distribution, and the openness and interconnectivity of the network itself, an attacker may not only probe and scan the asset devices in the network, eavesdrop on information on the network, and steal users' passwords and database information, but may also tamper with database contents, forge a user's identity, and repudiate his own signature. Database contents may also be deleted, network nodes destroyed, computer viruses released, and so on, all of which complicate the information security problem.
Risks to current computer networks include security risks posed by software (software-level risks) and security risks posed by hardware (hardware-level risks). The software-level risks are mainly the following: (1) the traditional network security defense model is a mechanism of passively detecting virus samples, intrusion signature samples and the like, combined with an access control mechanism based on black and white lists; in actual network communication a hacker often masquerades as an ordinary user who is permitted to pass, and passes straight through the network security gateway into the user's intranet, which creates uncontrollable risk; (2) traditional network security is a tower defense: various security software products are stacked and accumulated, various static passive defenses overlap one another, defense cannot be carried out in a fundamentally effective way, only a detect-and-patch approach is taken, and dynamic, automatic defense against unknown threats cannot be achieved; (3) traditional application software, network equipment and network security equipment are marked with specific identifiers such as IP addresses or MAC addresses, which creates the risk that a hacker scans and probes the network IP addresses or MAC addresses with hacking tools, finds the corresponding vulnerabilities and carries out attacks; (4) in addition, common application software and system software keeps being extended and bundled without limit as system bugs and patches keep expanding and multiplying, and an intruder who exploits a software bug can launch an intrusion attack, bringing new risks and hidden dangers.
At the hardware level, traditional network security devices perform network operation and maintenance in an online inline mode, so that the device can conveniently be connected to and debugged from a remote location; the potential risk is then that the network security protection device is exposed in the network: any node in the network can connect to the device as long as a network route is reachable, and can then keep trying user names and passwords, or a hacker can log in to the security device's browser interface by brute-forcing the password and search for a vulnerability or backdoor through which to attack. Meanwhile, the network security device itself can be attacked physically through the CPU's crystal oscillator and through side channels of its memory resources; both attack modes can directly bypass any security protection and directly take over the core control unit, so that the device can be operated and controlled at will. In addition, there is the problem that if a client's access to a certain resource of a server is to be cut off, the actual physical link must be disconnected to really block the client, and disconnecting the actual physical line will affect the client's access to the server's other service resources.
How to prevent hacker intrusion attacks without disconnecting the actual physical line, and thereby improve both network security and user experience, is an urgent problem to be solved.
Disclosure of Invention
In view of the problems in the prior art, the invention aims to provide a data transmission method, device and system based on a virtualized network, so as to improve network security and prevent hacker intrusion attacks.
In one aspect of the present invention, a data transmission method based on a virtualized network is provided, the method comprising the following steps:
a first security device on the side of a communication initiator acquires, by means of a hijacking technique, a service request message sent by the communication initiator;
the first security device compiles the initiator's network address with a first compiler, according to a pre-stored first compilation policy, to obtain a virtual network address for the initiator, so that a virtual network is established on the basis of that virtual network address, and sends a data message carrying the virtual network address to the receiver over the physical line already established between the initiator and the receiver; the first compilation policy comprises either a predetermined network address compilation algorithm, or random generation of an initiator virtual IP network address within the virtual IP network segment corresponding to the service requested by the service request message;
after receiving the data from the first security device, the second security device on the side of the communication receiver resolves the initiator's compiled virtual network address with a second compiler, according to a pre-stored first resolution policy, and, once resolution succeeds, forwards the service request message carrying the initiator identifier to the receiver.
In some embodiments of the invention, where the first compilation policy comprises a network address compilation algorithm, the first resolution policy is a network address resolution algorithm matching that network address compilation algorithm;
resolving the initiator's compiled virtual network address with the second compiler according to the pre-stored first resolution policy, and forwarding the service request message carrying the initiator identifier to the receiver once resolution succeeds, comprises: resolving and restoring the initiator's compiled virtual network address with the second compiler according to the pre-stored first resolution policy, and, once resolution and restoration succeed, forwarding to the receiver the service request message with the initiator's restored real network address;
the method further comprises the following steps:
the second security device acquires, by means of a hijacking technique, a data message returned from the communication receiver to the communication initiator, compiles the receiver's network address with the second compiler according to a pre-stored second compilation policy to obtain a virtual network address for the receiver, and sends the data message carrying the receiver's virtual network address to the initiator on the basis of the established virtual network, over the physical line already established between the initiator and the receiver;
after the first security device receives the data from the second security device, it resolves and restores the receiver's compiled virtual network address with the first compiler according to a pre-stored second resolution policy matching the second compilation policy, and, once restoration succeeds, forwards to the initiator the data message with the receiver's restored real network address; the second resolution policy is a network address resolution algorithm matching the network address compilation algorithm.
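The round trip just described, for the embodiment in which the compilation policy is a deterministic algorithm with a matching resolution algorithm, can be modelled end to end. The following is an added example written for this page, not code from the patent: the patent does not specify the compilation algorithm, so a keyed XOR of the host offset (mask derived with HMAC from a shared secret) stands in for it, and the class names, the shared secret, the real networks 192.168.1.0/24 and 192.168.2.0/24, the virtual segments 10.200.0.0/16 and 172.31.0.0/16 and the packet contents are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Constructed model of a data message with the fields the description lists."""
    src_ip: str
    dst_ip: str
    src_mac: str
    src_port: int
    route: str
    payload: bytes


class AddressCompiler:
    """Keyed, invertible mapping between a real network and a virtual segment.

    Hypothetical stand-in for the patent's 'network address compilation algorithm'
    and its matching 'resolution algorithm': the host offset inside the real network
    is XORed with a mask derived from a shared secret, so a device holding the
    secret can both compile (real -> virtual) and resolve (virtual -> real).
    """

    def __init__(self, secret: bytes, real_net: str, virtual_seg: str) -> None:
        self.real_net = ipaddress.ip_network(real_net)
        self.virtual_seg = ipaddress.ip_network(virtual_seg)
        if self.real_net.num_addresses > self.virtual_seg.num_addresses:
            raise ValueError("virtual segment is too small for the real network")
        digest = hmac.new(secret, str(self.virtual_seg).encode(), hashlib.sha256).digest()
        # Prefix networks have power-of-two sizes, so masking keeps offsets inside the segment.
        self.mask = int.from_bytes(digest[:4], "big") & (self.virtual_seg.num_addresses - 1)

    def compile(self, real_ip: str) -> str:
        """Real address -> virtual address inside the virtual segment."""
        ip = ipaddress.ip_address(real_ip)
        if ip not in self.real_net:
            raise ValueError(f"{real_ip} is not inside {self.real_net}")
        offset = int(ip) - int(self.real_net.network_address)
        return str(self.virtual_seg.network_address + (offset ^ self.mask))

    def resolve(self, virtual_ip: str) -> Optional[str]:
        """Virtual address -> real address, or None when resolution fails."""
        ip = ipaddress.ip_address(virtual_ip)
        if ip not in self.virtual_seg:
            return None  # not a compiled address of this virtual network
        offset = (int(ip) - int(self.virtual_seg.network_address)) ^ self.mask
        if offset >= self.real_net.num_addresses:
            return None  # decodes to a host that does not exist in the real network
        return str(self.real_net.network_address + offset)


class SecurityGateway:
    """One of the two security devices; both hold the compilers for both sides."""

    def __init__(self, initiator_side: bool, init_comp: AddressCompiler,
                 recv_comp: AddressCompiler) -> None:
        self.initiator_side = initiator_side
        self.init_comp = init_comp
        self.recv_comp = recv_comp

    def forward(self, pkt: Packet) -> Packet:
        """Hijacked message leaving the protected side: real addresses become virtual ones."""
        if self.initiator_side:
            # Request: initiator virtual address, receiver real address
            # (the initiator does not know the receiver's virtual address).
            return replace(pkt, src_ip=self.init_comp.compile(pkt.src_ip))
        # Return path: receiver virtual address and initiator virtual address.
        return replace(pkt, src_ip=self.recv_comp.compile(pkt.src_ip),
                       dst_ip=self.init_comp.compile(pkt.dst_ip))

    def deliver(self, pkt: Packet) -> Optional[Packet]:
        """Message arriving over the virtual network: restore real addresses, or discard."""
        if self.initiator_side:
            src = self.recv_comp.resolve(pkt.src_ip)
            dst = self.init_comp.resolve(pkt.dst_ip)
            if src is None or dst is None:
                return None
            return replace(pkt, src_ip=src, dst_ip=dst)
        src = self.init_comp.resolve(pkt.src_ip)
        if src is None:
            return None  # resolution failed: the message is discarded, not forwarded
        return replace(pkt, src_ip=src)


# Constructed deployment: one shared secret, one real network behind each device.
SECRET = b"constructed-shared-secret"
INIT_COMP = AddressCompiler(SECRET, "192.168.1.0/24", "10.200.0.0/16")
RECV_COMP = AddressCompiler(SECRET, "192.168.2.0/24", "172.31.0.0/16")
FIRST = SecurityGateway(True, INIT_COMP, RECV_COMP)
SECOND = SecurityGateway(False, INIT_COMP, RECV_COMP)


def round_trip():
    """Request from initiator to receiver and the reply back, through both devices."""
    request = Packet("192.168.1.10", "192.168.2.20", "aa:bb:cc:00:00:01", 51000, "via-r1", b"GET /")
    on_wire = FIRST.forward(request)        # carries the initiator's virtual address
    at_receiver = SECOND.deliver(on_wire)   # real initiator address restored
    reply = Packet("192.168.2.20", "192.168.1.10", "aa:bb:cc:00:00:02", 443, "via-r2", b"200 OK")
    reply_on_wire = SECOND.forward(reply)   # both addresses virtual on the line
    at_initiator = FIRST.deliver(reply_on_wire)
    return on_wire, at_receiver, reply_on_wire, at_initiator


if __name__ == "__main__":
    stages = ("request on line", "at receiver", "reply on line", "at initiator")
    for stage, pkt in zip(stages, round_trip()):
        print(f"{stage:16s} {pkt.src_ip} -> {pkt.dst_ip}")
```

Only the compiled addresses ever appear on the line between the two devices; a message whose source address is not in the expected virtual segment (or decodes to a host that does not exist) resolves to None and is dropped by `deliver`, which is the discard behaviour the description requires on resolution failure.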
In some embodiments of the present invention, the service request message sent by the communication initiator carries a real IP address, a real MAC address, a real IP port and real routing information; and where the first compilation policy comprises random generation of an initiator virtual IP network address within the virtual IP network segment corresponding to the service requested by the service request message, the first resolution policy comprises determining whether the initiator's compiled virtual network address is trustworthy on the basis of the network segment in which the initiator's virtual IP network address lies together with the uncompiled real MAC address, real IP port and real routing information, and, if it is trustworthy, confirming that resolution has succeeded.
In some embodiments of the present invention, the physical network card interfaces of the first security device and the second security device have neither an IP address nor a MAC address; one or more communication initiators are connected to the first security device; and one or more receivers are connected to the second security device.
In some embodiments of the invention, the method further comprises: if resolution of the initiator's virtual network address according to the pre-stored first compilation policy fails, the second security device discards the data message to be forwarded.
In some embodiments of the present invention, sending the data message carrying the virtual network address to the receiver over the physical line already established between the initiator and the receiver comprises: sending a data message carrying the initiator's virtual network address and the receiver's real network address to the receiver through the compiled virtual network, over the physical line between the initiator and the receiver, in a data-link-layer ARP addressing broadcast mode or a network-layer routing mode;
and sending the data message carrying the receiver's virtual network address to the initiator on the basis of the established virtual network, over the physical line already established between the initiator and the receiver, comprises: sending a data message carrying the receiver's virtual network address and the initiator's virtual network address to the initiator through the compiled virtual network, over the physical line between the initiator and the receiver, in a data-link-layer ARP addressing broadcast mode or a network-layer routing mode.
In some embodiments of the present invention, the plurality of candidate network IP address ranges includes some or all of the following ranges: the class A network IP address range, the class B network IP address range and the class C network IP address range.
In some embodiments of the present invention, the data message transmitted between the initiator and the receiver is an encrypted data message.
In another aspect of the present invention, there is also provided a data transmission system based on a virtualized network, the system comprising: a first security device located on the communication initiator side and a second security device located on the communication receiver side;
wherein the first security device is configured to:
hijack a service request message sent by the communication initiator;
compile the initiator's network address with a first compiler according to a pre-stored first compilation policy to obtain a virtual network address for the initiator, and send a data message carrying the virtual network address to the receiver over the physical line already established between the initiator and the receiver; the first compilation policy comprises either a predetermined network address compilation algorithm, or random generation of an initiator virtual IP network address within the virtual IP network segment corresponding to the service requested by the service request message;
and the second security device is configured to:
receive the data from the first security device, resolve the initiator's compiled virtual network address with a second compiler according to a pre-stored first resolution policy, and, once resolution succeeds, forward the data message marked with the initiator identifier to the receiver.
In some embodiments of the invention, the first security device and the second security device are gateways;
the service request message sent by the communication initiator carries a real IP address, a real MAC address, a real IP port and real routing information;
the initiator identifier comprises at least one of the following: the initiator's real MAC address, the initiator's real IP port and its real routing information;
where the first compilation policy comprises a predetermined network address compilation algorithm and the first resolution policy comprises a network address resolution algorithm matching that network address compilation algorithm, the first security device is further configured to:
on receiving a data message from the second security device, resolve and restore the receiver's compiled virtual network address with the first compiler according to a pre-stored second resolution policy, and, once restoration succeeds, forward to the initiator the data message with the receiver's restored real network address;
and the second security device is further configured to:
hijack the data message sent by the communication receiver, compile the receiver's network address with the second compiler according to a pre-stored second compilation policy corresponding to the second resolution policy to obtain a virtual network address for the receiver, and send the data message carrying the receiver's virtual network address to the initiator over the physical line already established between the initiator and the receiver;
the second compilation policy comprises a network address compilation algorithm, and the second resolution policy is a network address resolution algorithm matching that network address compilation algorithm.
In another aspect of the present invention, there is also provided a network security device for connection to at least one first-end communication device, the network security device comprising a processor and a memory, wherein the memory stores computer instructions and the processor is configured to execute the computer instructions stored in the memory, and when the computer instructions are executed by the processor the following steps are carried out:
hijacking a data message sent by the at least one first-end communication device, compiling the network address of each first-end communication device with a first compiler according to a pre-stored first compilation policy to obtain a virtual network address for each first-end communication device, so as to construct one or more virtual networks on the basis of the virtual network addresses of the first-end communication devices, and sending the data message carrying the virtual network address to the receiver over the physical line already established between the initiator and the receiver;
and, where the network security device receives from the opposite-end network security device a data message originating from the opposite-end communication device, resolving and restoring the opposite-end communication device's virtual network address with the first compiler according to a pre-stored second resolution policy corresponding to the compilation policy of the opposite-end network security device, and, once restoration succeeds, forwarding to the first-end communication device the message with the opposite-end communication device's restored real network address.
In some embodiments of the invention, the virtual network address comprises a virtualized IP address segment selected from a predetermined plurality of candidate network address segments.
The data transmission method, data transmission system and network security device based on a virtualized network can achieve secure and effective data transmission without disconnecting the actual physical line, effectively prevent hacker intrusion attacks, and greatly improve network security.
It will be appreciated by those skilled in the art that the objects and advantages that can be achieved with the present invention are not limited to the specific details set forth above, and that these and other objects that can be achieved with the present invention will be more clearly understood from the detailed description that follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the principles of the invention. In the drawings:
Fig. 1 is a flowchart illustrating a data transmission method based on a virtualized network according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of data transmission processing based on a virtualized network according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of a data transmission system based on a virtualized network according to an embodiment of the present invention.
Fig. 4 is a schematic diagram of a data transmission system based on a virtualized network according to another embodiment of the present invention.
Fig. 5 is a schematic diagram of a data transmission system based on a virtualized network according to another embodiment of the present invention.
Fig. 6 is a schematic diagram of a data transmission system based on a virtualized network according to another embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the following embodiments and accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
It should be noted that, in order to avoid obscuring the present invention with unnecessary details, only the structures and/or processing steps closely related to the scheme according to the present invention are shown in the drawings, and other details not so relevant to the present invention are omitted.
It should be emphasized that the term "comprises/comprising/comprises/having" when used herein, is taken to specify the presence of stated features, elements, steps or components, but does not preclude the presence or addition of one or more other features, elements, steps or components.
In order to prevent the network from being invaded and attacked by hackers and to improve network security, the invention provides a data transmission method based on a virtualized regeneration network. The method of the invention places a compiler in a network security device (security device for short) such as a gateway and uses the compiler to compile virtual communication network information, including virtual regeneration network addresses. The compiled virtual regeneration network addresses differ from the network addresses used between the real physical devices in the actual network, so that one or more virtual regeneration networks are created between the security device of the communication initiator and the security device of the communication receiver. The network resources of these virtual regeneration networks are virtual network resources that do not exist in the actual network; a virtual regeneration network between the two security devices can, in accordance with the IETF and IEEE standard specifications, be carried only between the security devices at its two ends, and information such as the virtual network address resources is neither transmitted nor forwarded by the communication initiator or the communication receiver. In the embodiment of the invention, the virtualized regeneration network refers to a virtual network that is continuously regenerated by means of virtualization technology. The data transmission method based on the virtualized regeneration network does not change the original network structure, the original routing entries or the routing forwarding paths, nor does it change the communication mechanism or the network topology, so that network security is improved without the user noticing any difference.
Hereinafter, for convenience of description, the virtualized regeneration network may simply be referred to as a virtualized network.
Fig. 1 is a flowchart illustrating a data transmission method based on a virtualized network according to an embodiment of the present invention. As shown in fig. 1, the method comprises the steps of:
Step S110: the first security device located on the communication initiator side hijacks the data messages, such as service request messages, sent by each communication initiator.
More specifically, the first security device may use a hook hijacking technique, hijacking the data messages sent by the communication initiator through a hook function. Hijacking of the communication initiator's messages may be achieved, for example, by hijacking global traffic. Since hook-based monitoring and hijacking of data messages is a mature technique, it is not described in detail here.
In the embodiment of the present invention, the communication initiator may be, for example, a client such as a PC or a portable mobile terminal, and one first security device may be connected to one client or to a plurality of clients. The communication receiver may be, for example, a destination server, although the invention is not limited to this. When the first security device is connected to one client it can hijack the data messages sent by that client, and when it is connected to a plurality of clients it can hijack the data messages sent by all of them.
In the embodiment of the present invention, the first security device may be a gateway (also called a gateway device). Besides a gateway, the first security device may also be an industrial module or an embedded chip, etc.; the present invention is not limited in this respect. In the embodiment of the invention, the physical interface of the first security device has neither an IP address nor a MAC address; it acquires the data sent by the initiator by hijacking the data message and sends the data out in routing mode or broadcast mode.
The data message sent by the communication initiator may carry the identifier of the requested service, the initiator's IP address, the receiver's IP address, the initiator's MAC address, the IP port, routing information and the like; the information carried at this point is real information (the receiver's real address among it).
Step S120: the first security device compiles the initiator's network address with a first compiler according to a pre-stored first compilation policy to obtain the initiator's virtual network address, and sends a data message carrying the virtual network address to the receiver over the physical line already established between the initiator and the receiver.
In practical applications there may be untrusted networks within the communication network: for example, the public internet may lie at the boundary of some organizations' private networks, and the links between the private networks of different branches and the center of some organizations depend on the public internet. In such cases data transmitted through the private networks may be hacked, causing information leakage. The invention therefore proposes adopting a virtualized regeneration network on the established actual physical line between the initiator and the receiver to prevent hacker intrusion attacks. At the same time, several different virtualized networks can be established between a server and its clients according to the different access requirements of different clients, so that some of the virtualized networks can be flexibly torn down once their service is complete, without disconnecting the other virtualized networks and without disconnecting the actual physical line.
More specifically, in this step, after the first security device has acquired the communication initiator's data message by the hijacking technique, it may compile the communication initiator's network address according to a predetermined address compilation policy (the first compilation policy) to generate a new virtual network address, and thereby generate a virtualized network based on that new virtual network address. The first security device may have the first compilation policy stored in advance.
In an embodiment, the first compiling strategy may include randomly generating the initiator virtual IP network address within a virtual IP network segment range corresponding to the service requested by the service request message.
In another embodiment, the first compilation strategy may include a network address compilation algorithm, and the first resolution strategy is a network address resolution algorithm that matches the network address compilation algorithm.
In an embodiment of the invention, the network address compiled by the first compiler comprises a segment of a virtualized IP address selected from a predetermined plurality of candidate network IP address ranges. The plurality of candidate network IP address ranges may include some or all of the following network IP address ranges: class a network IP address range, class B network IP address range, and class C network IP address range. The class a network IP address range is the widest address range, followed by a class B network, followed by a class C network. The class a network IP address range is, for example, an IP address range from 1.0.0.0 to 126.0.0.0. The class B network IP address range is, for example, an IP address range from 128.0.0.0 to 191.255.255.255. The class C network IP address range is, for example, an IP address range from 192.0.0.0 to 223.255.255.255. The class A network uses 8 bits to represent the network number, and 24 bits to represent the host bit; the B-type network represents a network by 16 bits, and a host by 16 bits; the class C network uses 24 bits to represent the network number and 8 bits to represent the host bit.
The IP address field of the appropriate network may be selected from the several candidate network IP address ranges for the particular application service to which the service request message originated by each initiator relates. For example, for a service request corresponding to a service with a high possibility of accessing people, the first compiler may select an IP address field from an IP address range of a class a network or a class B network to generate a virtualized IP address field when performing address compilation; the first compiler may select an IP address segment from an IP address range of a class B network or a class C network to generate a virtualized IP address segment when performing address compilation for a service request corresponding to a service with a small number of visitors. The compiler compiles the address in the generated IP address field not to conflict with the IP address of the physical line actually present.
After the first security device has compiled the virtual network address, it encapsulates the network information including the virtual network address into the data message hijacked from the initiator, replacing the network address information of the original message, and then sends the message to the receiver over the physical line established between the initiator and the receiver. The message carrying the virtual network address may be delivered to the receiver through the compiled virtual network, over that physical line, by data link layer ARP addressing and broadcast or by network layer routing.
In this way, a second security device placed on the physical communication link of the initiator and the receiver, connected to the network port of the receiver, may receive the data packet from the first security device before the receiver.
Step S130: after the second security device receives the data message from the first security device, it uses the second compiler to resolve the initiator's compiled virtual network address on the basis of a pre-stored first resolution policy corresponding to the first compilation policy and, when resolution succeeds, transmits the service request message carrying the initiator identifier to the receiver.
In an embodiment, the first compilation policy may consist of randomly generating the initiator's virtual IP address within the virtual IP segment corresponding to the service requested by the service request message. Because the virtual address is random within that segment, the second security device cannot derive the initiator's real IP address from it. In this case the first resolution policy may consist of deciding whether the compiled virtual address is trustworthy on the basis of the segment in which it lies together with the initiator's uncompiled real MAC address, real IP port and real routing information, and treating resolution as successful when it is. That is, if the virtual IP address lies in the predetermined segment and the initiator's MAC address, IP port and routing information match those of an initiator in a preset identifiable list, resolution is deemed successful and the service request message carrying the initiator identifier is transmitted to the receiver; the identifier may be the initiator's MAC address, IP port information, routing information and/or any other information that identifies the initiator. The service request message transmitted to the receiver also carries the receiver's real IP address, since the initiator does not know the receiver's virtual IP address. In this case the receiver may receive the message and process its content, but does not reply to it.
If the second security device fails to resolve the initiator's network address, it treats the service request message as illegal or untrusted and discards it.
In another embodiment, the first compilation policy may comprise a network address compilation algorithm, and the first resolution policy is the network address resolution algorithm matching that compilation algorithm. In this case the second compiler resolves and restores the initiator's compiled virtual address on the basis of the pre-stored first resolution policy and, once restoration succeeds, transmits the service request message carrying the initiator's restored real network address to the receiver. In this embodiment the first security device may further store a second resolution policy corresponding to the address compilation policy of the second security device (the second compilation policy); on the basis of it the first security device can obtain the virtual network address corresponding to the receiver's real network address and use it as the destination address, so that the service request message transmitted to the receiver also carries the receiver's virtual IP address.
That is, after the second security device has successfully resolved and identified the initiator's real network address using the stored first resolution policy, it transmits the service request message carrying the initiator's real network address to the receiver (for example a server), so that the receiver receives the request with the initiator's real network address (for example IP address and MAC address). Correspondingly, after receiving the request, the server generates the data to be returned to the initiator, encapsulates it into a data message and sends it towards the initiator. If the second security device fails to resolve the initiator's real network address with the stored first resolution policy, it treats the message as illegal or untrusted and discards it.
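The two compilation policies and their resolution policies from the preceding paragraphs, as an added example written for this page (not the patent's own code). The patent does not specify its "network address compilation algorithm", so the reversible mapping used for the algorithmic policy (a keyed rotation of the host index inside the segment, keyed with HMAC-SHA256 over a shared key) is an assumption; so are the `Message` fields, the `route` string standing in for "routing information", and the check, in the algorithmic case, that the restored real address appears in a list of known initiators before the message is forwarded. The random policy behaves as the text describes: the real address cannot be restored, so the receiver-side device verifies the segment plus the (MAC, port, route) triple against its preset list and drops anything else.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Message:
    """Fields of a hijacked message that the gateways act on (constructed model)."""
    src_ip: str
    dst_ip: str
    src_mac: str
    src_port: int
    route: str          # stands in for the page's "routing information" (assumption)
    payload: bytes


class RandomPolicy:
    """First compilation policy, random variant: a random virtual IP inside the
    service's segment.  The real IP cannot be restored from it, so the receiver-side
    device checks the segment and the (MAC, port, route) identity against its
    preset identifiable list instead."""

    def __init__(self, virtual_segment, identifiable):
        self.seg = ipaddress.ip_network(virtual_segment)
        self.identifiable = set(identifiable)       # {(mac, port, route), ...}

    def compile(self, pick=secrets.randbelow) -> str:
        # skip the network and broadcast addresses of the segment
        return str(self.seg.network_address + 1 + pick(self.seg.num_addresses - 2))

    def trusted(self, m: Message) -> bool:
        return (ipaddress.ip_address(m.src_ip) in self.seg
                and (m.src_mac, m.src_port, m.route) in self.identifiable)


class AlgorithmicPolicy:
    """First compilation policy, algorithmic variant, with its matching resolution
    policy.  The page does not specify the algorithm; the keyed rotation of the
    host index used here is an assumption, chosen because it is reversible and
    never produces the network or broadcast address."""

    def __init__(self, key: bytes, real_network, virtual_segment):
        self.real = ipaddress.ip_network(real_network)
        self.virt = ipaddress.ip_network(virtual_segment)
        if self.real.prefixlen != self.virt.prefixlen:
            raise ValueError("real and virtual segments must be the same size")
        self.n_hosts = self.virt.num_addresses - 2
        digest = hmac.new(key, str(self.virt).encode(), hashlib.sha256).digest()
        self.shift = int.from_bytes(digest[:4], "big") % self.n_hosts

    def compile(self, real_ip) -> str:
        idx = int(ipaddress.ip_address(real_ip)) - int(self.real.network_address) - 1
        if not 0 <= idx < self.n_hosts:
            raise ValueError("address is not a host on the protected real segment")
        return str(self.virt.network_address + 1 + (idx + self.shift) % self.n_hosts)

    def resolve(self, virtual_ip):
        """Restore the real address; None when the address is not in the virtual segment."""
        idx = int(ipaddress.ip_address(virtual_ip)) - int(self.virt.network_address) - 1
        if not 0 <= idx < self.n_hosts:
            return None
        return str(self.real.network_address + 1 + (idx - self.shift) % self.n_hosts)


def first_device_send(m: Message, policy, peer_policy=None) -> Message:
    """Initiator-side device: replace the real source with the compiled virtual one.
    With the algorithmic policy and a known second resolution policy for the
    receiver the destination is compiled too; otherwise the real destination stays."""
    if isinstance(policy, RandomPolicy):
        return replace(m, src_ip=policy.compile())
    dst = peer_policy.compile(m.dst_ip) if peer_policy is not None else m.dst_ip
    return replace(m, src_ip=policy.compile(m.src_ip), dst_ip=dst)


def second_device_receive(m: Message, policy, known_initiators=(), receiver_policy=None):
    """Receiver-side device: apply the first resolution policy.  Returns the message
    handed to the receiver, or None when it is discarded as illegal or untrusted."""
    if isinstance(policy, RandomPolicy):
        return m if policy.trusted(m) else None
    real = policy.resolve(m.src_ip)
    if real is None or real not in set(known_initiators):   # known-list check is an assumption
        return None
    dst = m.dst_ip
    if receiver_policy is not None:
        dst = receiver_policy.resolve(m.dst_ip)
        if dst is None:
            return None
    return replace(m, src_ip=real, dst_ip=dst)
```

With the algorithmic policy both gateways must hold the same key and the same real/virtual segment pair; with the random policy nothing is shared except the segment and the identity list, which is why the receiver cannot answer through the virtual network in that variant.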
When communication between the initiator and the receiver is complete, only the virtualized network needs to be torn down; the actual physical line need not be disconnected.
Through these steps, data can be transmitted securely and effectively without disconnecting the actual physical line, which hinders intrusion attacks based on the real network addresses and improves network security.
Where the second security device is able to restore the initiator's real IP address, the method may further include the following steps:
Step S140: the second security device hijacks the data message sent by the receiver, compiles the receiver's network address with the second compiler on the basis of a pre-stored second compilation policy to obtain the receiver's virtual network address, and sends the data message carrying the receiver's virtual network address to the initiator over the physical line established between the initiator and the receiver.
Step S140 is similar to the processing applied to the initiator's data message by the first security device in steps S110 and S120. The difference is that the message hijacked is the one sent by the receiver device, and it is the receiver's network address that is compiled into a virtual one. Corresponding to the first compilation policy, the second compilation policy of step S140 is a predetermined network address compilation algorithm. Preferably the first and second compilation policies match, i.e. both compile virtual network addresses on the same address compilation principle.
After the second security device has compiled the virtual network address, it encapsulates the network information including that address into the data message hijacked from the receiver, replacing the original network address information, and sends the message carrying the receiver's virtual network address to the initiator through the compiled virtual network over the established physical line, by data link layer ARP addressing and broadcast or by network layer routing.
The first security device may receive a data message from the second security device prior to the initiator.
Step S150: the first security device receives the data message from the second security device, uses the first compiler to resolve and restore the receiver's compiled virtual network address on the basis of a pre-stored second resolution policy corresponding to the second compilation policy and, once restoration succeeds, transmits the data message carrying the receiver's restored real network address to the initiator. In this embodiment the second resolution policy is the network address resolution algorithm matching the network address compilation algorithm.
If the first security device fails to restore the receiver's real network address with the stored second resolution policy, it treats the data message as illegal or untrusted and discards it.
As described above, by creating a virtual regenerative network between the first and second security devices over the physical line established between the initiator and the receiver, data can be transmitted between the two security devices through that virtual network, which makes it difficult for an attacker to mount an attack based on the real network addresses.
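The encapsulation step of the request direction and its mirror image in the reply direction (the virtual address written into the hijacked message in place of the real one, then restored by the far-end device), as an added example written for this page and not code from the patent. It works at the IPv4 header level: the address fields are replaced and the header checksum recomputed, and a message whose checksum does not verify is refused rather than forwarded. The addresses are the constructed Fig. 2 style values; the transport payload is treated as opaque, so a real gateway would additionally fix the TCP/UDP pseudo-header checksum, which this example does not do.

```python
import struct
from ipaddress import IPv4Address


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum of an IPv4 header.  Computed over a header
    whose checksum field is already filled in, the result is 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 17,
               ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) plus payload, with a correct checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                         ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def addresses(packet: bytes):
    """(source, destination) of an IPv4 packet as dotted strings."""
    return str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20]))


def rewrite_addresses(packet: bytes, new_src=None, new_dst=None) -> bytes:
    """What a security device does to a hijacked message: swap the real address(es)
    for the virtual ones (or back again), keep everything else, fix the checksum.
    A packet whose header checksum does not verify is rejected instead of forwarded."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum does not verify")
    header = bytearray(packet[:ihl])
    if new_src is not None:
        header[12:16] = IPv4Address(new_src).packed
    if new_dst is not None:
        header[16:20] = IPv4Address(new_dst).packed
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]


def virtual_round_trip(real_src, virt_src, real_dst, virt_dst, payload):
    """One message through the virtual network: the initiator-side device puts the
    virtual addresses on the wire, the receiver-side device restores the real ones.
    Returns (packet as sent over the line, packet as delivered to the receiver)."""
    original = build_ipv4(real_src, real_dst, payload)
    on_wire = rewrite_addresses(original, new_src=virt_src, new_dst=virt_dst)
    delivered = rewrite_addresses(on_wire, new_src=real_src, new_dst=real_dst)
    return on_wire, delivered


if __name__ == "__main__":
    wire, back = virtual_round_trip("172.16.1.1", "192.168.10.25",
                                    "172.16.1.200", "192.168.10.200", b"constructed payload")
    print("on the line:", addresses(wire), "delivered:", addresses(back))
```

The reply direction is the same call with the roles swapped: the receiver-side device rewrites the server's real source to its virtual address, and the initiator-side device restores it before handing the packet to the client.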
Fig. 2 is a schematic diagram of data transmission processing based on a virtualized network according to an embodiment of the invention. As shown in Fig. 2, the network interface eth0 of client PC1, the initiator, is configured with the actual IP address 172.16.1.1 and the MAC address 000FC5056EB0. The network interface eth1 of the access target client PC2 is configured with the actual IP address 172.16.1.200 and the MAC address F04EDA092709. When PC1 actively initiates a request to access PC2, the compiler of the first security device compiles PC1's virtualized network information on the basis of a pre-stored first compilation policy (a predetermined network address compilation algorithm); the virtual IP address segment compiled for PC1 is 127.0.0.1/24 and the virtual MAC is 000000001010. The compiler of the second security device compiles PC2's virtualized network information on the basis of a pre-stored second compilation policy (a predetermined network address compilation algorithm); the virtual IP address segment compiled for PC2 is 127.0.0.200/24 and the virtualized MAC is 000000001111. A virtualized network Net1 is thus created between PC1 and PC2. (Note that 127.0.0.0/8 is the loopback range on ordinary hosts; the figure uses it purely to illustrate a virtual segment, and a deployment would draw its segments from the candidate ranges described above.)
The compiler of the first security device initiates access to PC2 with the virtualized network address 127.0.0.1/24 and the virtualized MAC 000000001010. If the first security device of PC1 can learn PC2's virtual network address through the predetermined network address compilation algorithm, the destination address carried in the message is PC2's virtual network address. If instead the compilation algorithm randomly generates a virtual IP address (segment) within a predetermined virtual segment, the first security device cannot know PC2's virtual network address, and the message sent to PC2 carries PC2's real network address as destination together with PC1's randomly generated virtual IP address as source. In that case the second security device cannot resolve PC1's virtual address back to PC1's real address, so it identifies PC1 on the basis of PC1's real MAC address, real IP port, real routing information and the like, and thereby decides whether PC1's virtual IP address is trustworthy: if so it transmits the message to PC2, otherwise it discards it. After receiving the message from PC1, PC2 does not reply to it. When PC1 wants to access a host other than PC2, the compiler of the first security device communicates outward using a broadcast policy with the virtual IP address 10.10.10.255 and prevents PC1 from reaching anything beyond PC2; that is, PC1's outbound broadcast address is converted into a broadcast address segment that isolates it from other terminals.
As an example, when PC2 actively initiates a request to access PC1, the compiler of the second security device compiles PC2's virtualized network address on the basis of the pre-stored second compilation policy; the virtual IP address segment compiled for PC2 is 1.1.1.200/24 and the virtualized MAC is 000000001111. The compiler of the first security device compiles PC1's virtualized network address on the basis of the pre-stored first compilation policy; the virtual IP address segment compiled for PC1 is 1.1.1.1/24 and the virtualized MAC is 000000001010. A virtualized network Net2 is created between PC2 and PC1. If the security devices of PC2 and PC1 can learn each other's virtual IP addresses through the predetermined network address resolution algorithm, the message from PC2 that the first security device transmits to PC1 carries the virtualized network addresses of both the initiator PC2 and the receiver PC1. If the security device of PC1 cannot learn PC2's virtual network address, it verifies PC2's virtual network address as trustworthy on the basis of its segment, the IP port and other information, and then transmits the message to PC1 with PC2's virtual network address as source and PC1's real network address as destination; after receiving the message from PC2, PC1 may process it accordingly but does not reply to it.
When the accessed terminal PC1 communicates through the virtualized network created by the compiler of the first security device, that compiler uses the virtualized network address 1.1.1.1/24 and the virtualized MAC 000000001010, while the initiator PC2 is reached at the virtualized network address 1.1.1.200/24 and the virtualized MAC 000000001111. When PC1 is to access a terminal other than PC2, the compiler of the first security device communicates outward using a broadcast policy with the virtual IP address 10.10.10.255 and the virtualized MAC 000000000000, so that PC1 cannot be accessed by any terminal other than PC2.
In the embodiment of the present invention, in order to further enhance the security of data transmission, the data packet transmitted between the initiator and the receiver may further be an encrypted data packet.
The compilation of the virtual address can be performed dynamically by the compiler of the security device (such as a gateway); the virtual network established between the security devices can be conveniently torn down when a service completes, and a new virtual network established for a new service. In the prior art, if a service requires the network to be disconnected, the entire physical line has to be disconnected, which affects the other users of that line.
In an existing real network, every communicating device must configure its physical interface with an actual IP/MAC address so that the corresponding segment routing information is generated. In the embodiment of the invention, the initiator's data is instead obtained by hijacking, so the physical interface of the corresponding communicating device (the gateway or other security device of the invention) need not be configured with an IP/MAC address. Under this condition the virtualized segment address newly created by the security device can be broadcast over the actual physical line; when the data reaches the intended receiver at the far end, the receiver's security device restores the communication from the virtual network address and the physically corresponding actual IP/MAC address, whereas a non-receiver cannot restore the real internal IP/MAC address or the session link and therefore discards a message that is not addressed to it, which helps prevent network devices from being attacked.
In embodiments of the present invention, one or more communication initiators may be connected to a first security device and one or more target recipients (e.g., target servers) may be connected to a second security device.
Whether the first security device and/or the second security device is connected to one or to several terminals or servers, the data transmission method based on the virtualized network can create one or more virtual regenerative networks, and through their configuration different access permissions can be assigned to different users or application services, so that services can be monitored more precisely.
Fig. 3-6 are schematic diagrams of a data transmission system based on a virtualization network according to various embodiments of the present invention.
Fig. 3 shows the case where one first security device (gateway A) is connected to a plurality of computer devices (only two are shown) and one second security device (gateway B) is connected to a plurality of servers (only two are shown). In Fig. 3 a plurality of virtual networks is established between gateway A and gateway B according to the different application services that the computer devices request from the servers, so that data for different application services is transmitted over different virtual networks. In Fig. 3, when the second computer device (actual IP address 172.16.1.1) accesses the video server with IP address 172.16.1.200 for a video conferencing application, gateway A may choose to establish virtual network 1 (net 1: 192.168.10.25/24) within the candidate network IP address range 192.168.0.0/16, and virtual network 1 uses the 192.168.10.25/24 IP address segment for virtual communication between gateway A and gateway B. When the first computer device (IP address 172.16.1.10) accesses the mail server with IP address 172.16.1.100 for a mail service application, virtual network 2 (net 2: 192.168.0.0/16) may be established within the candidate range 192.168.0.0/16, and the 192.168.0.0/16 IP address segment is used for virtual communication between gateway A and gateway B.
Fig. 4 shows the situation in which a first security device (gateway A) is connected to one computer device (client) and a second security device (gateway B) is connected to one server. Even though gateway A and gateway B are each connected to only one computer device and one server, they can still create multiple virtual networks; as shown in Fig. 4, two virtual networks 1 and 2 are created within a selected candidate network IP address range. The two virtual networks may be created according to the time at which the computer device accesses the server, according to a change in access permissions when the computer device belongs to different user groups, and so on. Fig. 5 shows the case where one first security device (gateway A) is connected to a plurality of computer devices (only two are shown) and one second security device (gateway B) is connected to one server. Fig. 6 shows the case where one first security device (gateway A) is connected to one computer device and one second security device (gateway B) is connected to a plurality of servers (only two are shown). As shown in Figs. 3-6, multiple parallel virtual networks may be established between the first security device and the second security device. When a plurality of virtualized networks is created between the first and second security devices on the basis of the service request messages of a plurality of communication initiators, a later-established virtualized network may be a parallel virtualized network alongside the previously established one, or a sub-virtualized network (next-level virtualized network) contained within the previously established one.
The created virtualized network may be set to have access to its child virtualized networks; but the child virtualized network is set so as not to access its upper level virtualized network (parent virtualized network).
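The arrangement of Figs. 3-6 and the parent/child access rule above, as an added example written for this page (not the patent's own code): a registry of virtual networks on one physical line in which parallel (top-level) networks must not overlap, a child network must lie inside its parent, a network may reach its descendants but never its ancestors, and parallel networks do not reach each other. The mapping of an application service to a virtual network follows Fig. 3. The sample networks in the test are constructed, and the rule that siblings under one parent must not overlap is an assumption the page does not state.

```python
import ipaddress


class VirtualNetworkRegistry:
    """Parallel and nested virtual networks created between two security devices
    over one physical line (constructed model of Figs. 3-6)."""

    def __init__(self):
        self.nets = {}      # name -> (IPv4Network, parent name or None)
        self.services = {}  # application service -> network name

    def create(self, name, cidr, parent=None, service=None):
        """Register a virtual network; `cidr` may be written host/prefix as in Fig. 3."""
        net = ipaddress.ip_network(cidr, strict=False)
        if name in self.nets:
            raise ValueError("duplicate virtual network name: %s" % name)
        if parent is None:
            # a parallel network must not overlap any other top-level network
            for other, (onet, oparent) in self.nets.items():
                if oparent is None and net.overlaps(onet):
                    raise ValueError("%s overlaps parallel network %s" % (cidr, other))
        else:
            # a sub-virtualized network must be contained in its parent
            pnet, _ = self.nets[parent]
            if not net.subnet_of(pnet):
                raise ValueError("%s is not inside parent %s" % (cidr, parent))
            for other, (onet, oparent) in self.nets.items():   # assumption: siblings disjoint
                if oparent == parent and net.overlaps(onet):
                    raise ValueError("%s overlaps sibling %s" % (cidr, other))
        self.nets[name] = (net, parent)
        if service is not None:
            self.services[service] = name
        return net

    def ancestors(self, name):
        """Parent, grandparent, ... of a network, nearest first."""
        chain = []
        parent = self.nets[name][1]
        while parent is not None:
            chain.append(parent)
            parent = self.nets[parent][1]
        return chain

    def may_access(self, src, dst) -> bool:
        """Page's rule: a network can access its child networks, a child cannot
        access its parent; unrelated (parallel) networks are isolated."""
        return src == dst or src in self.ancestors(dst)

    def network_of(self, virtual_ip):
        """Most specific registered network containing a virtual address, or None."""
        ip = ipaddress.ip_address(virtual_ip)
        best = None
        for name, (net, _) in self.nets.items():
            if ip in net and (best is None or net.prefixlen > self.nets[best][0].prefixlen):
                best = name
        return best

    def network_for_service(self, service):
        return self.services.get(service)


if __name__ == "__main__":
    reg = VirtualNetworkRegistry()
    reg.create("net1", "192.168.10.25/24", service="video")      # Fig. 3 style
    reg.create("net2", "10.10.0.0/16", service="mail")            # constructed
    reg.create("net2a", "10.10.5.0/24", parent="net2")            # sub-network of net2
    print(reg.may_access("net2", "net2a"), reg.may_access("net2a", "net2"))
```

A gateway consults `network_of` for the virtual source and destination of a message and `may_access` to decide whether the two virtual networks are allowed to talk; a message from a child network addressed into its parent's segment is dropped under this rule.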
In the embodiment of the invention, multiple virtual networks are established over the same physical line; different application services or ports of the actual physical communication are mapped to different segments of the virtual networks, so that the communication sessions of the physical network are virtualized, and the effect of session hijacking, penetration and intrusion attacks in the physical network on the virtual network communication can be prevented.
Corresponding to the above method, the invention also provides a data transmission system based on a virtualized network, comprising a first security device on the communication initiator side and a second security device on the communication receiver side, the two being connected to each other;
wherein the first security device is configured to: hijack a service request message sent from the communication initiator; compile the initiator's network address with a first compiler on the basis of a pre-stored first compilation policy to obtain the initiator's virtual network address, and send a data message carrying the virtual network address to the receiver over the established physical line between the initiator and the receiver; the first compilation policy comprising a predetermined network address compilation algorithm or the random generation of the initiator's virtual IP address within the virtual IP segment corresponding to the service requested by the service request message;
and the second security device is configured to: receive data from the first security device, resolve the initiator's compiled virtual network address with a second compiler on the basis of a pre-stored first resolution policy and, when resolution succeeds, transmit the data message carrying the initiator identifier to the receiver.
In some embodiments of the invention, when the first compilation policy comprises a predetermined network address compilation algorithm and the first resolution policy comprises the matching network address resolution algorithm, the first security device is further configured to: on receiving a data message from the second security device, resolve and restore the receiver's compiled virtual network address with the first compiler on the basis of a pre-stored second resolution policy and, once restoration succeeds, transmit the data message carrying the receiver's restored real network address to the initiator;
and the second security device is further configured to: hijack a data message sent from the communication receiver, compile the receiver's network address with a second compiler on the basis of a pre-stored second compilation policy corresponding to the second resolution policy to obtain the receiver's virtual network address, and send a data message carrying the receiver's virtual network address to the initiator over the established physical line between the initiator and the receiver; the second compilation policy comprising a network address compilation algorithm, and the second resolution policy being the network address resolution algorithm matching it.
The first and second security devices do not add, modify or delete the original IP address, subnet mask, MAC address, directly connected route, next-hop gateway route, DNS domain name, WINS, NetBIOS or other information on the original physical line or on the physical interfaces of devices newly added to that line. Instead, the compilers of the security devices at the two ends generate a virtual IP address segment, virtual MAC address, virtual route, virtual communication port and the like, create a virtual network between the initiator's and the receiver's security devices on the established physical line, and transmit data on that line through the virtual network by data link layer ARP addressing and broadcast or by network layer routing. The invention does not change the original network structure, routing entries, forwarding paths, communication mechanism or topology, and can improve network security without users noticing.
In addition, the virtual network can be created repeatedly, can be reused repeatedly, and is simple to realize and low in cost.
In accordance with the foregoing method, the present invention also provides a network security device (e.g., a gateway) based on a virtualized network, the network security device being configured to connect with at least one first-end communication device, the network security device comprising a processor and a memory, the memory storing computer instructions, the processor being configured to execute the computer instructions stored in the memory, and the computer instructions when executed by the processor implementing the steps of:
hijacking a data message sent from the at least one first-end communication device, compiling the network address of each first-end communication device by using a first compiler based on a first pre-stored compiling strategy to obtain the virtual network address of each first-end communication device, so as to construct one or more virtual networks based on the virtual network address of the first-end communication device, and sending a data packet with the virtual network address to a receiving party by using an established physical line between an initiator and the receiving party;
and, when the network security device receives a data message from the opposite-end communication device forwarded by the opposite-end network security device, resolving and restoring the virtual network address of the opposite-end communication device using the first compiler on the basis of a pre-stored second resolution policy corresponding to the compilation policy of the opposite-end network security device and, once restoration succeeds, transmitting the message carrying the restored real network address of the opposite-end communication device to the first-end communication device.
In a customer private network or local area network environment, the network security device cannot be detected or discovered: it cannot be port-scanned with hacking tools, subjected to password cracking or to system vulnerability mining by a malicious actor, and so conceals itself. Adding the network security device between the communication initiator side and the receiver side changes neither the original network structure nor the actual IP/MAC address identities, and leaves the original routing entries, forwarding paths, communication mechanism and topology unchanged.
Those of ordinary skill in the art will appreciate that the various illustrative components, systems, and methods described in connection with the embodiments disclosed herein may be implemented as hardware, software, or combinations of both. Whether this is done in hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, plug-in, function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link. A "machine-readable medium" may include any medium that can store or transfer information. Examples of a machine-readable medium include electronic circuits, semiconductor memory devices, ROM, flash memory, Erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, Radio Frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, intranet, etc.
It should also be noted that the exemplary embodiments mentioned in this patent describe some methods or systems based on a series of steps or devices. However, the present invention is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, may be performed in an order different from the order in the embodiments, or may be performed simultaneously.
Features that are described and/or illustrated with respect to one embodiment may be used in the same way or in a similar way in one or more other embodiments and/or in combination with or instead of the features of the other embodiments in the present invention.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes may be made to the embodiment of the present invention by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (12)

1. A data transmission method based on a virtualization network is characterized by comprising the following steps:
a first security device on the communication initiator side acquires, by hijacking, a service request message sent from the communication initiator, the first security device pre-storing a first compilation policy for compiling the network address of the communication initiator and a second resolution policy for resolving the network address of the communication receiver;
the first security device compiles the initiator's network address with a first compiler on the basis of the pre-stored first compilation policy to obtain the initiator's virtual network address, so as to establish a virtual network based on that address, and sends a data message carrying the virtual network address to the receiver over the established physical line between the initiator and the receiver; the first compilation policy comprises a predetermined network address compilation algorithm or the random generation of the initiator's virtual IP address within the virtual IP segment corresponding to the service requested by the service request message;
after receiving the data from the first security device, a second security device on the communication receiver side resolves the initiator's compiled virtual network address with a second compiler on the basis of a pre-stored first resolution policy and, when resolution succeeds, transmits the service request message carrying the initiator identifier to the receiver.
2. The method of claim 1, wherein, in the case that the first compilation policy comprises a network address compilation algorithm, the first resolution policy is a network address resolution algorithm matched to the network address compilation algorithm;
resolving the compiled virtual network address of the initiator with the second compiler based on the pre-stored first resolution policy and, after successful resolution, forwarding to the receiver the service request message carrying the initiator identifier comprises: resolving and restoring the compiled virtual network address of the initiator with the second compiler based on the pre-stored first resolution policy and, after successful restoration, forwarding to the receiver the service request message carrying the restored real network address of the initiator;
the method further comprises the following steps:
the second security device acquires, by a hijacking technique, a data message returned from the communication receiver to the communication initiator, compiles the network address of the receiver with the second compiler based on a pre-stored second compilation policy to obtain a virtual network address of the receiver, and sends the data message carrying the virtual network address of the receiver to the initiator over the established physical line between the initiator and the receiver, based on the established virtual network;
after the first security device receives the data from the second security device, it resolves and restores the compiled virtual network address of the receiver with the first compiler based on the pre-stored second resolution policy matched to the second compilation policy and, after successful restoration, forwards to the initiator the data message carrying the restored real network address of the receiver; the second resolution policy is a network address resolution algorithm matched to the network address compilation algorithm.
3. The method of claim 1, wherein
the service request message sent by the communication initiator carries a real IP address, a real MAC address, a real IP port and real routing information;
and, in the case that the first compilation policy comprises randomly generating an initiator virtual IP network address within the virtual IP network segment range corresponding to the service requested by the service request message, the first resolution policy comprises determining whether the compiled virtual network address of the initiator is credible based on the network segment in which the initiator virtual IP network address lies together with the uncompiled real MAC address, real IP port and real routing information, and, if the compiled virtual network address of the initiator is credible, confirming that resolution has succeeded.
4. The method of claim 1, wherein
the physical network card interfaces of the first security device and the second security device have no IP address and no MAC address;
one or more communication initiators are connected to the first security device;
one or more receivers are connected to the second security device.
5. The method of claim 1, further comprising:
if resolution of the initiator virtual network address under the pre-stored first compilation policy fails, the second security device discards the data message to be transmitted.
6. The method of claim 1, further comprising:
sending the data message carrying the virtual network address to the receiver over the established physical line between the initiator and the receiver comprises the following step: sending a data message carrying the virtual network address of the initiator and the real network address of the receiver to the receiver over the compiled virtual network, via the physical line between the initiator and the receiver, by data link layer ARP addressing and broadcasting or by network layer routing.
7. The method of claim 2, further comprising:
sending the data message carrying the virtual network address to the receiver over the established physical line between the initiator and the receiver comprises the following step: sending a data message carrying the virtual network address of the initiator and the real network address of the receiver to the receiver over the compiled virtual network, via the physical line between the initiator and the receiver, by data link layer ARP addressing and broadcasting or by network layer routing;
sending the data message carrying the virtual network address of the receiver to the initiator over the established physical line between the initiator and the receiver, based on the established virtual network, comprises the following step: sending a data message carrying the virtual network address of the receiver and the virtual network address of the initiator to the initiator over the compiled virtual network, via the physical line between the initiator and the receiver, by data link layer ARP addressing and broadcasting or by network layer routing.
8. The method of claim 1, wherein each virtual network address comprises a virtualized IP address segment selected from a predetermined plurality of candidate network IP address ranges;
the plurality of candidate network IP address ranges comprises some or all of: the Class A network IP address range, the Class B network IP address range and the Class C network IP address range.
9. The method of claim 1, wherein the data messages transmitted between the initiator and the receiver are encrypted data messages.
10. A data transmission system based on a virtualized network, the system comprising: a first security device located on the communication initiator side and a second security device located on the communication receiver side;
wherein the first security device is configured to:
hijack a service request message sent from the communication initiator;
compile the network address of the initiator with a first compiler based on a pre-stored first compilation policy to obtain a virtual network address of the initiator, and send a data message carrying the virtual network address to the receiver over an established physical line between the initiator and the receiver; the first compilation policy comprises either a predetermined network address compilation algorithm or randomly generating an initiator virtual IP network address within the virtual IP network segment range corresponding to the service requested by the service request message;
the second security device is configured to:
receive data from the first security device, resolve the compiled virtual network address of the initiator with a second compiler based on a pre-stored first resolution policy and, after successful resolution, forward to the receiver the data message carrying the initiator identifier.
11. The system of claim 10, wherein
the first security device and the second security device are gateways;
the service request message sent by the communication initiator carries a real IP address, a real MAC address, a real IP port and real routing information;
the initiator identifier comprises at least one of the following: the real MAC address of the initiator, the real IP port of the initiator and the real routing information;
in the case that the first compilation policy comprises a predetermined network address compilation algorithm and the first resolution policy comprises a network address resolution algorithm matched to the network address compilation algorithm, the first security device is further configured to:
on receiving a data message from the second security device, resolve and restore the compiled virtual network address of the receiver with the first compiler based on a pre-stored second resolution policy and, after successful restoration, forward to the initiator the data message carrying the restored real network address of the receiver;
the second security device is further configured to:
hijack the data message sent from the communication receiver, compile the network address of the receiver with a second compiler based on a pre-stored second compilation policy corresponding to the second resolution policy to obtain a virtual network address of the receiver, and send the data message carrying the virtual network address of the receiver to the initiator over the established physical line between the initiator and the receiver;
the second compilation policy comprises a network address compilation algorithm, and the second resolution policy is a network address resolution algorithm matched to that network address compilation algorithm.
12. A network security device configured to interface with at least one first-end communication device, the network security device comprising a processor and a memory, the memory having stored therein computer instructions, the processor being configured to execute the computer instructions stored in the memory, and the computer instructions, when executed by the processor, performing the following steps:
hijacking a data message sent from the at least one first-end communication device, compiling the network address of each first-end communication device with a first compiler based on a pre-stored first compilation policy to obtain a virtual network address of each first-end communication device, so as to construct one or more virtual networks based on the virtual network addresses of the first-end communication devices, and sending the data message carrying the virtual network address to a receiver over an established physical line between the initiator and the receiver;
and, in the case that the network security device receives, from an opposite-end network security device, a data message sent by an opposite-end communication device, resolving and restoring the virtual network address of the opposite-end communication device with the first compiler based on a pre-stored second resolution policy corresponding to the compilation policy of the opposite-end network security device and, after successful restoration, forwarding to the first-end communication device the message carrying the restored real network address of the opposite-end communication device.
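As an added illustration (not code from the patent or its applicant), the following Python simulates the two security devices of claims 1 to 5 with both compilation policies: an invertible "compilation algorithm" with its matching resolution algorithm (claim 2), and random virtual addresses checked for credibility via the uncompiled MAC, port and routing identifiers (claim 3), with failed resolutions dropped (claim 5). The network segments, the keyed affine map used as the algorithm and the registry of known initiators are all constructed assumptions.

```python
# Added example (not the patent's code). Constructed assumptions: the "compilation
# algorithm" is an invertible keyed affine map over the host byte of a /24, and the
# "trust check" of claim 3 keys on the uncompiled MAC / port / routing identifiers.
import ipaddress
import random
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str      # real, or compiled (virtual) initiator address
    src_mac: str     # stays uncompiled (claim 3)
    src_port: int    # stays uncompiled
    route: str       # routing information, stays uncompiled
    dst_ip: str      # receiver's real address (claim 6)

REAL_SEG = ipaddress.ip_network("10.0.1.0/24")    # initiator side, constructed
VIRT_SEG = ipaddress.ip_network("172.16.5.0/24")  # virtual segment for this service, constructed
MULT, KEY = 77, 0x5A                              # odd multiplier => invertible mod 256
INV_MULT = pow(MULT, -1, 256)

def compile_algorithmic(real_ip: str) -> str:
    """Claim 2 policy: deterministic, invertible rewrite of the initiator address."""
    h = int(ipaddress.ip_address(real_ip)) - int(REAL_SEG.network_address)
    return str(VIRT_SEG[(h * MULT + KEY) % 256])

def resolve_algorithmic(virtual_ip: str) -> Optional[str]:
    """Matching resolution algorithm (inverse map); None when outside the virtual segment."""
    v = ipaddress.ip_address(virtual_ip)
    if v not in VIRT_SEG:
        return None
    h = ((int(v) - int(VIRT_SEG.network_address) - KEY) * INV_MULT) % 256
    return str(REAL_SEG[h])

def compile_random(rng: random.Random) -> str:
    """Other claim 1 policy: a fresh virtual address drawn from the service segment."""
    return str(VIRT_SEG[rng.randrange(1, VIRT_SEG.num_addresses - 1)])

def resolve_by_trust(pkt: Packet, registry: dict) -> Optional[str]:
    """Claim 3: the virtual IP must lie in the service segment and the uncompiled
    MAC/port/routing must name a registered initiator; otherwise resolution fails."""
    if ipaddress.ip_address(pkt.src_ip) not in VIRT_SEG:
        return None
    return registry.get((pkt.src_mac, pkt.src_port, pkt.route))

def first_device_send(pkt: Packet, algorithmic: bool, rng=random.Random(7)) -> Packet:
    """Initiator-side gateway: intercept the request and replace the real source IP."""
    vip = compile_algorithmic(pkt.src_ip) if algorithmic else compile_random(rng)
    return replace(pkt, src_ip=vip)

def second_device_receive(pkt: Packet, registry: dict, algorithmic: bool) -> Optional[Packet]:
    """Receiver-side gateway: restore the real address, or drop the message (claim 5)."""
    real = resolve_algorithmic(pkt.src_ip) if algorithmic else resolve_by_trust(pkt, registry)
    return None if real is None else replace(pkt, src_ip=real)
```

Note that under the algorithmic policy any address inside the virtual segment decodes to some real address, so the credibility check of claim 3 is what ties a message to a known initiator when the random policy is used.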

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110786834.XA CN113489730B (en) 2021-07-12 2021-07-12 Data transmission method, device and system based on virtualization network

Publications (2)

Publication Number Publication Date
CN113489730A true CN113489730A (en) 2021-10-08
CN113489730B CN113489730B (en) 2022-12-09

Family

ID=77938219

Country Status (1)

Country Link
CN (1) CN113489730B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant