CN113489730B - Data transmission method, device and system based on virtualization network - Google Patents


Info

Publication number
CN113489730B
Authority
CN
China
Prior art keywords
initiator
address
network
network address
real
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110786834.XA
Other languages
Chinese (zh)
Other versions
CN113489730A (en)
Inventor
于洪
吴胜
姜春晓
于芷澜
于业浩
杨丽萍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention provides a data transmission method, device and system based on a virtualized network. The method comprises the following steps: a first security device on the side of the communication initiator obtains a service request message sent by the communication initiator using a hijacking technique; the first security device uses a first compiler to compile the initiator's network address based on a pre-stored first compilation policy, obtaining a virtual network address for the initiator, so as to establish a virtual network based on that virtual network address, and sends a data message carrying the virtual network address to the receiver over the established physical line between the initiator and the receiver; after receiving the data from the first security device, a second security device on the side of the communication receiver uses a second compiler to resolve the initiator's compiled virtual network address based on a pre-stored first resolution policy, and, once resolution succeeds, forwards the service request message carrying the initiator identifier to the receiver.

Description

Data transmission method, device and system based on virtual network
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a data transmission method, apparatus, and system based on a virtualized network.
Background
In recent years in China, with the development of network technology and the popularization and enrichment of network applications, network security problems have grown, and high-tech criminal incidents carried out with information technology have increased, so building a secure communication environment has become a necessary trend.
Because a computer network has characteristics such as diverse connection forms, uneven terminal distribution, and the openness and interconnectivity of the network, an attacker may not only detect and scan asset devices in the network, eavesdrop on information in the network, and steal user passwords and database information, but may also tamper with database contents, forge user identities, and repudiate their own signatures. Moreover, database contents can be deleted, network nodes destroyed, computer viruses released, and so on, all of which complicate the information security problem.
Risks to current computer networks include security risks posed by software (risks at the software level) and security risks posed by hardware (risks at the hardware level). The software-level risks are mainly the following: (1) the traditional network security defense model is a mechanism of passively detecting virus samples, intrusion signature samples and the like, combined with a black-and-white-list access control mechanism; in actual network communication a hacker often impersonates an ordinary user who is allowed through, passes directly through the network security gateway into the user's intranet, and thereby creates uncontrollable risk; (2) traditional network security is a tower defense in which various security software products are stacked and accumulated and various static, passive defenses overlap one another; defense cannot be carried out in a fundamentally effective way, only in a detect-and-patch manner, and dynamic, automatic defense against unknown threats cannot be achieved; (3) traditional application software, network devices and network security devices are marked with specific identifiers such as IP addresses or MAC addresses, so there is a risk that a hacker scans and probes the network's IP addresses or MAC addresses with hacking tools in order to find corresponding vulnerabilities and carry out attacks; (4) in addition, common application software or system software is often extended and bundled without limit, with system bugs or patches continually expanding and amplifying, so an intruder who exploits a software bug may launch an intrusion attack, bringing new risks and hidden dangers.
At the hardware level, traditional network security devices are operated and maintained online in inline mode, which makes it convenient to connect to and debug the device remotely. This leaves the network security protection device exposed in the network: any node in the network can connect to the device as long as a network route reaches it, and can then repeatedly try user names and passwords, or a hacker can log in to the security device's browser interface, or search for a vulnerability or backdoor, to carry out an intrusion attack by brute-forcing the password. At the same time, the network security device itself can be attacked through physical attacks on the CPU's crystal oscillator and through side channels of its memory resources; both of these attack modes can directly bypass any security protection and take over the core control unit, creating the risk of arbitrary operation and control of the device. In addition, there is the problem that if a client's access to a certain resource of a server is to be cut off, the actual physical link has to be disconnected to really prevent the client's access, and disconnecting the actual physical line will affect the client's access to the server's other service resources.
How to prevent hacker intrusion attacks without disconnecting the actual physical line, and thereby improve network security and user experience, is an urgent problem to be solved.
Disclosure of Invention
In view of the problems in the prior art, the invention aims to provide a data transmission method, device and system based on a virtualized network, so as to improve network security and prevent hacker intrusion attacks.
In one aspect of the present invention, a data transmission method based on a virtualized network is provided, where the method includes the following steps:
a first security device on the side of the communication initiator obtains a service request message sent by the communication initiator using a hijacking technique;
the first security device uses a first compiler to compile the initiator's network address based on a pre-stored first compilation policy, obtaining a virtual network address for the initiator, so as to establish a virtual network based on that virtual network address, and sends a data message carrying the virtual network address to the receiver over the established physical line between the initiator and the receiver; the first compilation policy comprises a predetermined network address compilation algorithm, or comprises randomly generating an initiator virtual IP network address within the range of the virtual IP network segment corresponding to the service requested by the service request message;
after receiving the data from the first security device, a second security device on the side of the communication receiver uses a second compiler to resolve the initiator's compiled virtual network address based on a pre-stored first resolution policy, and, once resolution succeeds, forwards the service request message carrying the initiator identifier to the receiver.
In some embodiments of the invention, where the first compilation policy comprises a network address compilation algorithm, the first resolution policy is a network address resolution algorithm matching that compilation algorithm;
resolving the initiator's compiled virtual network address with the second compiler based on the pre-stored first resolution policy and, after successful resolution, forwarding the service request message carrying the initiator identifier to the receiver comprises: using the second compiler to resolve and restore the initiator's compiled virtual network address based on the pre-stored first resolution policy, and, once resolution and restoration succeed, forwarding the service request message with the initiator's restored real network address to the receiver;
the method further comprises the following steps:
the second security device obtains, using a hijacking technique, a data message returned from the communication receiver to the communication initiator, uses the second compiler to compile the receiver's network address based on a pre-stored second compilation policy to obtain a virtual network address for the receiver, and sends the data message carrying the receiver's virtual network address to the initiator over the established physical line between the initiator and the receiver, based on the established virtual network;
after the first security device receives the data from the second security device, it uses the first compiler to resolve and restore the receiver's compiled virtual network address based on a pre-stored second resolution policy matching the second compilation policy, and, once restoration succeeds, forwards the data message with the receiver's restored real network address to the initiator; the second resolution policy is a network address resolution algorithm matching the network address compilation algorithm.
In some embodiments of the invention, the service request message sent by the communication initiator carries a real IP address, a real MAC address, a real IP port and real routing information; and where the first compilation policy comprises randomly generating an initiator virtual IP network address within the range of the virtual IP network segment corresponding to the service requested by the service request message, the first resolution policy comprises determining whether the initiator's compiled virtual network address is trustworthy based on the network segment in which the initiator's virtual IP network address lies together with the uncompiled real MAC address, real IP port and real routing information, and, if it is trustworthy, confirming that resolution succeeded.
In some embodiments of the invention, the physical network card interfaces of the first security device and the second security device have no IP address and no MAC address; one or more communication initiators are connected to a first security device; and one or more receivers are connected to a second security device.
In some embodiments of the invention, the method further comprises: if resolution of the initiator's virtual network address fails, the second security device discards the data message that was to be forwarded.
In some embodiments of the invention, sending the data message carrying the virtual network address to the receiver over the established physical line between the initiator and the receiver comprises: sending a data message carrying the initiator's virtual network address and the receiver's real network address to the receiver through the compiled virtual network, over the physical line between the initiator and the receiver, in data link layer ARP addressing broadcast mode or network layer routing mode;
and sending the data message carrying the receiver's virtual network address to the initiator over the established physical line between the initiator and the receiver, based on the established virtual network, comprises: sending a data message carrying the receiver's virtual network address and the initiator's virtual network address to the initiator through the compiled virtual network, over the physical line between the initiator and the receiver, in data link layer ARP addressing broadcast mode or network layer routing mode.
The plurality of candidate network IP address ranges comprises some or all of the following ranges: the class A network IP address range, the class B network IP address range and the class C network IP address range.
In some embodiments of the present invention, the data packet transmitted between the initiator and the receiver is an encrypted data packet.
In another aspect of the invention, a data transmission system based on a virtualized network is also provided, the system comprising: a first security device located on the communication initiator side and a second security device located on the communication receiver side;
wherein the first security device is configured to:
hijack a service request message sent by the communication initiator;
compile the initiator's network address using a first compiler based on a pre-stored first compilation policy to obtain the initiator's virtual network address, and send a data message carrying the virtual network address to the receiver over the established physical line between the initiator and the receiver; the first compilation policy comprises a predetermined network address compilation algorithm, or comprises randomly generating an initiator virtual IP network address within the range of the virtual IP network segment corresponding to the service requested by the service request message;
and the second security device is configured to:
receive data from the first security device, resolve the initiator's compiled virtual network address using a second compiler based on a pre-stored first resolution policy, and, once resolution succeeds, forward the data message carrying the initiator identifier to the receiver.
In some embodiments of the invention, the first security device and the second security device are gateways;
the service request message sent by the communication initiator carries a real IP address, a real MAC address, a real IP port and real routing information;
the initiator identifier comprises at least one of the following: the initiator's real MAC address, the initiator's real IP port, and real routing information;
where the first compilation policy comprises a predetermined network address compilation algorithm and the first resolution policy comprises a network address resolution algorithm matching that compilation algorithm, the first security device is further configured to:
when a data message from the second security device is received, use the first compiler to resolve and restore the receiver's compiled virtual network address based on a pre-stored second resolution policy, and, once restoration succeeds, forward the data message with the receiver's restored real network address to the initiator;
and the second security device is further configured to:
hijack the data message sent by the communication receiver, compile the receiver's network address using the second compiler based on a pre-stored second compilation policy corresponding to the second resolution policy to obtain the receiver's virtual network address, and send the data message carrying the receiver's virtual network address to the initiator over the established physical line between the initiator and the receiver;
the second compilation policy comprises a network address compilation algorithm, and the second resolution policy is a network address resolution algorithm matching that compilation algorithm.
In another aspect of the invention, a network security device for connection to at least one first-end communication device is also provided. The network security device comprises a processor and a memory, the memory stores computer instructions, the processor is configured to execute the computer instructions stored in the memory, and when the computer instructions are executed by the processor the following steps are carried out:
hijacking a data message sent by the at least one first-end communication device, compiling the network address of each first-end communication device using a first compiler based on a pre-stored first compilation policy to obtain a virtual network address for each first-end communication device, so as to construct one or more virtual networks based on the first-end communication devices' virtual network addresses, and sending the data message carrying the virtual network address to the receiver over the established physical line between the initiator and the receiver;
and, where the network security device receives a data message from an opposite-end communication device sent by the opposite-end network security device, resolving and restoring the opposite-end communication device's virtual network address using the first compiler based on a pre-stored second resolution policy corresponding to the opposite-end network security device's compilation policy, and, once restoration succeeds, forwarding the message with the opposite-end communication device's restored real network address to the first-end communication device.
In some embodiments of the invention, the virtual network address comprises a virtualized IP address segment selected from a predetermined plurality of candidate network address segments.
The data transmission method, system and network security device based on a virtualized network can achieve secure and effective data transmission without disconnecting the actual physical line, effectively prevent hacker intrusion attacks, and greatly improve network security.
It will be appreciated by those skilled in the art that the objects and advantages that can be achieved with the present invention are not limited to what has been particularly described hereinabove, and that the above and other objects that can be achieved with the present invention will be more clearly understood from the following detailed description.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the principles of the invention. In the drawings:
Fig. 1 is a flowchart illustrating a data transmission method based on a virtualized network according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of data transmission processing based on a virtualized network according to an embodiment of the invention.
Fig. 3 is a schematic diagram of a data transmission system based on a virtualized network according to an embodiment of the present invention.
Fig. 4 is a schematic diagram of a data transmission system based on a virtualized network according to another embodiment of the invention.
Fig. 5 is a schematic diagram of a data transmission system based on a virtualized network according to another embodiment of the invention.
Fig. 6 is a schematic diagram of a data transmission system based on a virtualized network according to another embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the following embodiments and the accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
It should be noted that, in order to avoid obscuring the present invention with unnecessary details, only the structures and/or processing steps closely related to the scheme according to the present invention are shown in the drawings, and other details not so relevant to the present invention are omitted.
It should be emphasized that the term "comprises/comprising/comprises/having" when used herein, is taken to specify the presence of stated features, elements, steps or components, but does not preclude the presence or addition of one or more other features, elements, steps or components.
In order to prevent the network from being invaded and attacked by hackers and to improve network security, the invention provides a data transmission method based on a virtualized regeneration network. The method of the invention sets a compiler in a network security device (security device for short) such as a gateway, and uses the compiler to compile virtual communication network information including virtual regeneration network addresses. The compiled virtual regeneration network addresses differ from the network addresses between real physical devices in the actual network, so that one or more virtual regeneration networks are created between the security device of the communication initiator and the security device of the communication receiver; the network resources of these virtual regeneration networks are virtual resources that do not exist in the actual network. The virtual regeneration networks between the initiator-side and receiver-side security devices can be transmitted only between the security devices at the two ends of the virtual regeneration network, according to IETF and IEEE standard specifications, and information such as the virtual network address resources is neither transmitted nor forwarded by the communication initiator and the communication receiver. In the embodiments of the invention, a virtualized regeneration network refers to the continuous regeneration of a virtual network realized by virtualization technology. The data transmission method based on the virtualized regeneration network does not change the original network structure, the original routing entries or routing forwarding paths, nor the communication mechanism or the network topology, so that network security is improved without the user noticing.
Hereinafter, the virtualized regeneration network may be simply referred to as a virtualized network for convenience of description.
Fig. 1 is a flowchart illustrating a data transmission method based on a virtualized network according to an embodiment of the present invention. As shown in fig. 1, the method comprises the steps of:
step S110, the first security device located at the communication initiator hijacks the data packets, such as the service request packets, sent from each communication initiator.
More specifically, the first secure device may use a hook hijacking technique to hijack data packets sent by the communication initiator through a hook function. Hijacking of communication initiator packets may be achieved, for example, by hijacking global traffic. Since the hook hijacking technique for monitoring and hijacking data packets is a mature technique, it will not be described in detail here.
In the embodiments of the invention, the communication initiator may be, for example, a client such as a PC or a portable mobile terminal, and one first security device may be connected to one client or to a plurality of clients. The communication receiver may be, for example, a destination server, although the invention is not limited thereto. Where the first security device is connected to one client, it can hijack the data packets sent by that client; where it is connected to a plurality of clients, it can hijack the data packets sent by all of them.
In the embodiments of the invention, the first security device may be a gateway (or gateway device). Besides a gateway, the first security device may also be an industrial module or an embedded chip, etc., and the invention is not limited in this respect. In the embodiments of the invention, the physical interface of the first security device has no IP address and no MAC address; it obtains the data sent by the initiator by hijacking the data packets, and sends the data out in routing mode or broadcast mode.
The data packet sent by the communication initiator may carry the identifier of the requested service, the initiator's IP address, the receiver's IP address, the initiator's MAC address, the IP port, routing information and the like; the information initially carried is the real information, including the receiver's real address.
Step S120, the first security device uses a first compiler to compile the initiator's network address based on a pre-stored first compilation policy to obtain the initiator's virtual network address, and sends a data packet carrying the virtual network address to the receiver over the established physical line between the initiator and the receiver.
In practical applications there may be an untrusted network within the communication network: for example, the public internet may lie at the private-network boundary of some organizations, or the links between the private networks of different branches and the center of an organization may depend on the public internet. In such cases, data transmitted over the private networks may be intercepted by hackers, causing information leakage. The invention therefore proposes adopting a virtualized regeneration network on the established actual physical line between the initiator and the receiver to prevent hacker intrusion attacks. At the same time, multiple different virtualized networks can be established between a server and a client according to the different access requirements of different clients for the server, so that some of these virtualized networks can be flexibly disconnected once their service is complete, without disconnecting the other virtualized networks and without disconnecting the actual physical line.
More specifically, in this step, after the first security device acquires the data packet of the communication initiator by the hijacking technique, the network address of the communication initiator may be compiled based on a predetermined address compilation policy (first compilation policy) to generate a new virtual network address, so as to generate a virtualized network based on the new virtual network address. The first secure device may have a first compilation policy stored in advance.
In an embodiment, the first compiling strategy may include randomly generating the initiator virtual IP network address within a virtual IP network segment range corresponding to the service requested by the service request message.
In another embodiment, the first compilation strategy may include a network address compilation algorithm, and the first resolution strategy is a network address resolution algorithm that matches the network address compilation algorithm.
In an embodiment of the invention, the network address compiled by the first compiler comprises a segment of a virtualized IP address selected from a predetermined plurality of candidate network IP address ranges. The plurality of candidate network IP address ranges may include some or all of the following network IP address ranges: class a network IP address range, class B network IP address range, and class C network IP address range. The IP address range of the A-type network is the widest address range, and the IP address range of the A-type network is the B-type network, and the IP address range of the A-type network is the C-type network. The class a network IP address range is, for example, an IP address range from 1.0.0.0 to 126.0.0.0. The class B network IP address range is, for example, an IP address range from 128.0.0.0 to 191.255.255.255. The class C network IP address range is, for example, an IP address range from 192.0.0.0 to 223.255.255.255. The class A network uses 8 bits to represent the network number, and 24 bits to represent the host bit; the B type network represents a network by 16 bits, and 16 bits represent a host; the class C network uses 24 bits to represent the network number and 8 bits to represent the host bit.
The IP address field of the appropriate network may be selected from the several candidate network IP address ranges for the particular application service to which the service request message originated by each initiator relates. For example, for a service request corresponding to a service with a high possibility of accessing people, the first compiler may select an IP address field from an IP address range of a class a network or a class B network to generate a virtualized IP address field when performing address compilation; the first compiler may select an IP address segment from an IP address range of a class B network or a class C network to generate a virtualized IP address segment when performing address compilation for a service request corresponding to a service with a small number of visitors. The compiler compiles the address in the generated IP address field not to conflict with the IP address of the physical line actually present.
After the first security device compiles the virtual network address, network information including the virtual network address is encapsulated into the data message hijacked from the initiator, replacing the network address information in the original data message. The data message carrying the virtual network address is then sent to the receiver over the compiled virtual network, using the physical line established between the initiator and the receiver, in a data link layer ARP addressing broadcast mode or a network layer routing mode.
In this way, a second security device placed on the physical communication link of the initiator and the receiver, connected to the network port of the receiver, may receive the data packet from the first security device before the receiver.
Step S130: after the second security device receives the data packet from the first security device, it uses the second compiler to resolve the compiled virtual network address of the initiator based on a pre-stored first resolution policy corresponding to the first compilation policy, and, if resolution succeeds, transmits the service request message carrying the initiator identifier to the receiver.
In an embodiment, the first compiling strategy may include randomly generating the initiator virtual IP network address within a virtual IP network segment range corresponding to the service requested by the service request message. Since the initiator virtual IP network address is randomly generated within a specific IP network segment, it is difficult for the second security device to know the real IP address corresponding to the initiator virtual IP address, in which case, the first resolution policy may include resolving whether the compiled virtual network address of the initiator is trusted based on the network segment where the initiator virtual IP network address is located, the uncompiled real MAC address, the real IP port, and the real routing information, and if so, confirming that the resolution is successful. That is, if the initiator virtual IP address network segment is within the predetermined network segment range and identifies that the MAC address, IP port, and routing information of the initiator match the corresponding information of an initiator in the preset identifiable list, it is determined that the parsing is successful, and then the service request packet of the initiator identifier is transmitted to the receiver, where the initiator identifier carried may be the MAC address, IP port information, routing information, and/or other information capable of identifying the initiator. In addition, the service request message transmitted to the receiver also carries the real IP address of the receiver, because the initiator does not know the virtual IP address of the receiver yet. In this case, the receiving party may receive the data packet, and may perform corresponding processing based on the content in the packet, but does not reply to the data packet. 
If the second security device fails to resolve the network address of the initiator, the second security device considers that the service request message is an illegal message or an untrusted message, and then the service request message is discarded.
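The first resolution policy for randomly generated virtual addresses, as an added example that is not part of the patent or of any product built on it. Since the second security device cannot recover the real IP behind a random virtual IP, trust rests on the virtual IP lying in the predetermined segment and on the uncompiled MAC, IP port and routing information matching an entry in the identifiable list; on success the message is forwarded with the initiator identifier and the receiver's real IP as destination, otherwise it is discarded. PC1's MAC 000FC5056EB0 and real IP 172.16.1.1 come from the page's Fig. 2 example; the trusted segment 1.1.1.0/24, the port and the route are constructed values.

```python
import ipaddress

# Constructed identifiable list held by the second security device. PC1's MAC and
# real IP are from the page's Fig. 2 example; ip_port and route are assumed.
IDENTIFIABLE_LIST = [
    {"real_ip": "172.16.1.1", "mac": "000FC5056EB0", "ip_port": 50000, "route": "172.16.1.254"},
]

# Virtual IP segment the first compiler draws random addresses from (assumed value).
TRUSTED_VIRTUAL_SEGMENT = ipaddress.IPv4Network("1.1.1.0/24")


def resolve_trust(packet: dict, segment: ipaddress.IPv4Network = TRUSTED_VIRTUAL_SEGMENT,
                  identifiable_list=IDENTIFIABLE_LIST) -> bool:
    """First resolution policy for randomly generated virtual addresses.

    Trust requires (1) the virtual source IP to lie in the predetermined segment
    and (2) the uncompiled MAC, IP port and route to match a known initiator."""
    try:
        virtual_ip = ipaddress.IPv4Address(packet["virtual_src_ip"])
    except (KeyError, ValueError):
        return False  # missing or malformed address: never trusted
    if virtual_ip not in segment:
        return False
    ident = (packet.get("mac", "").upper(), packet.get("ip_port"), packet.get("route"))
    return any((e["mac"].upper(), e["ip_port"], e["route"]) == ident for e in identifiable_list)


def second_device_handle(packet: dict) -> dict:
    """Forward to the receiver with the initiator identifier and the receiver's
    real IP as destination (the initiator does not know the receiver's virtual
    IP), or discard the message as untrusted."""
    if not resolve_trust(packet):
        return {"action": "discard"}
    return {
        "action": "forward",
        "src": packet["virtual_src_ip"],
        "dst": packet["real_dst_ip"],
        "initiator_id": {"mac": packet["mac"], "ip_port": packet["ip_port"],
                         "route": packet["route"]},
        "payload": packet.get("payload", b""),
    }


if __name__ == "__main__":
    # Constructed message hijacked from PC1 and forwarded by the first security device
    msg = {"virtual_src_ip": "1.1.1.77", "real_dst_ip": "172.16.1.200",
           "mac": "000fc5056eb0", "ip_port": 50000, "route": "172.16.1.254", "payload": b"GET /"}
    print(second_device_handle(msg))
    print(second_device_handle(dict(msg, virtual_src_ip="10.10.10.5")))
```

MAC comparison is case-insensitive because the page itself writes the same addresses in mixed case; a malformed virtual address is treated as a failed resolution rather than an exception, so the discard path is the only outcome for anything the policy cannot verify.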
In another embodiment, the first compilation policy may include a network address compilation algorithm, and the first resolution policy is a network address resolution algorithm that matches that compilation algorithm. In this case, when the virtual network address of the initiator is resolved, the second compiler resolves and restores the compiled virtual network address of the initiator based on the pre-stored first resolution policy and, after successful restoration, transmits the service request message carrying the restored real network address of the initiator to the receiver. In the embodiment of the present invention, the first security device may further store a second resolution policy corresponding to the address compilation policy (second compilation policy) of the second security device; based on the second resolution policy, the first security device can obtain the virtual network address corresponding to the real network address of the receiver and use it as the destination address, in which case the service request message transmitted to the receiver also carries the virtual IP address of the receiver.
That is, after the second security device successfully resolves and identifies the real network address of the initiator using the stored first resolution policy, it transmits the service request message carrying the restored initiator network address to the receiver (e.g., a server), so that the receiver receives the service request message with the real network address (e.g., IP address and MAC address) of the initiator. Correspondingly, after receiving the service request message, the server generates the data to be returned to the initiator based on the initiator's request, encapsulates the data into a data message and sends it to the initiator. If the second security device fails to resolve the real network address of the initiator using the stored first resolution policy, it regards the service request message as an illegal or untrusted message and discards it.
When the communication between the initiator and the receiver is completed, only the virtualized network needs to be disconnected; the actual physical line does not need to be disconnected.
Through the steps of the invention, data can be transmitted safely and effectively without disconnecting the actual physical line, thereby effectively preventing intrusion attacks by hackers and greatly improving network security.
In case that the second security device is able to restore the real IP address of the initiator, the present invention may further include the steps of:
step S140, the second security device obtains the data packet sent from the communication receiver by using the hijack technology, compiles the network address of the receiver by using the second compiler based on the pre-stored second compilation strategy to obtain the virtual network address of the receiver, and sends the data packet with the virtual network address of the receiver to the initiator by using the established physical line between the initiator and the receiver.
This step S140 is similar to the processing of the data packet from the initiator by the first secure device in the previous steps S110 and S120. The difference is that hijacking is carried out on the data message sent by the receiving party equipment, and virtualization compiling is carried out on the network address of the receiving party. Corresponding to the first compiling strategy, the second compiling strategy in the step S140 is a predetermined network address compiling algorithm. Preferably, the first compilation strategy and the second compilation strategy match, i.e. both are used for the compilation of virtual network addresses on the basis of a consistent address compilation principle.
After the second security device compiles the virtual network address, network information including the virtual network address is likewise encapsulated into the data message hijacked from the receiver, replacing the network address information in the original data message. The data message carrying the virtual network address of the receiver is then sent to the initiator over the virtualized network compiled on the physical line established between the initiator and the receiver, in a data link layer ARP addressing broadcast mode or a network layer routing mode.
The first security device may receive a data message from the second security device prior to the initiator.
Step S150: the first security device receives the data from the second security device, uses the first compiler to resolve and restore the compiled virtual network address of the receiver based on a pre-stored second resolution policy corresponding to the second compilation policy, and, after successful restoration, transmits the data packet carrying the restored real network address of the receiver to the initiator. In the embodiment of the invention, the second resolution policy is a network address resolution algorithm matched with the network address compilation algorithm.
If the first security device fails to resolve the real network address of the receiver using the stored second resolution policy, it regards the data message as an illegal or untrusted message and discards it.
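A matched compilation/resolution pair of the kind the steps above and step S130 describe, as an added example; it is not the patent's algorithm, which the page does not specify, and not code from any product. Both gateways hold a shared key (an assumption) and compile an address by rotating the host part of the real IP into the virtual segment by a keyed, per-segment offset, which the matching resolution algorithm inverts; a message whose source is not in the virtual segment fails resolution and is discarded, as the page requires for both directions. Real and virtual segments are assumed to share the same prefix length, as in the page's /24 examples, from which the addresses 172.16.1.1, 172.16.1.200 and the segment 1.1.1.0/24 are taken.

```python
import hashlib
import hmac
import ipaddress

# Shared secret both security devices hold so that the compilation algorithm and
# its matching resolution algorithm agree. Constructed value for this example.
SHARED_KEY = b"example-shared-key"


def _offset(key: bytes, segment: ipaddress.IPv4Network) -> int:
    """Keyed per-segment rotation amount derived with HMAC-SHA256; only a party
    holding the key can compute it and therefore invert the compilation."""
    usable = segment.num_addresses - 2  # host values 1..usable, excluding network/broadcast
    digest = hmac.new(key, str(segment).encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % usable


def compile_address(real_ip: str, virtual_segment: str, key: bytes = SHARED_KEY) -> str:
    """Compilation algorithm: place the host part of the real IP into the virtual
    segment at a keyed rotation. Assumes real and virtual segments share a prefix length."""
    seg = ipaddress.IPv4Network(virtual_segment)
    usable = seg.num_addresses - 2
    host = int(ipaddress.IPv4Address(real_ip)) & (seg.num_addresses - 1)
    if not 1 <= host <= usable:
        raise ValueError("real host part must not be the network or broadcast value")
    vhost = (host - 1 + _offset(key, seg)) % usable + 1
    return str(seg.network_address + vhost)


def resolve_address(virtual_ip: str, virtual_segment: str, real_segment: str,
                    key: bytes = SHARED_KEY):
    """Matching resolution algorithm: undo the rotation and rebuild the real IP.
    Returns None when the address is not a host address of the virtual segment."""
    seg = ipaddress.IPv4Network(virtual_segment)
    vip = ipaddress.IPv4Address(virtual_ip)
    if vip not in seg or vip in (seg.network_address, seg.broadcast_address):
        return None
    usable = seg.num_addresses - 2
    vhost = int(vip) - int(seg.network_address)
    host = (vhost - 1 - _offset(key, seg)) % usable + 1
    return str(ipaddress.IPv4Network(real_segment).network_address + host)


def gateway_receive(packet: dict, virtual_segment: str, real_segment: str,
                    key: bytes = SHARED_KEY) -> dict:
    """Inbound handling shared by both security devices: restore the peer's real
    address and forward, or discard the message as untrusted if resolution fails."""
    real = resolve_address(packet["src"], virtual_segment, real_segment, key)
    if real is None:
        return {"action": "discard"}
    return {"action": "forward", "src": real, "dst": packet["dst"],
            "payload": packet.get("payload", b"")}


if __name__ == "__main__":
    v = compile_address("172.16.1.1", "1.1.1.0/24")          # first device, initiator side
    print("PC1 virtual:", v)
    print(gateway_receive({"src": v, "dst": "172.16.1.200"},  # second device, receiver side
                          "1.1.1.0/24", "172.16.1.0/24"))
    print(gateway_receive({"src": "9.9.9.9", "dst": "172.16.1.200"}, "1.1.1.0/24", "172.16.1.0/24"))
```

The rotation is a bijection on the usable host values, so distinct real hosts always compile to distinct virtual hosts and the network and broadcast values are never produced; a device without the key can still see that a message is in the segment but restores the wrong host, which is the property the page relies on when it says a non-receiver cannot recover the real address.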
As described above, by creating a virtual regenerative network between the first secure device and the second secure device using an established physical line between the initiator and the recipient, it is possible to perform data transmission between the first secure device and the second secure device using the created virtual regenerative network, thereby making it difficult for a hacker to attack based on a network address.
Fig. 2 is a schematic diagram of data transmission processing based on a virtualized network according to an embodiment of the present invention. As shown in fig. 2, the network interface eth0 of the client PC1, as the initiator, is configured with an actual IP address of 172.16.1.1 and a MAC address of f04EDA092709's peer, 000FC5056EB0. The network interface eth1 of the access target client PC2 is configured with an actual IP address of 172.16.1.200 and a MAC address of f04EDA092709. When the terminal PC1 actively initiates a request to access the terminal PC2, the compiler of the first security device compiles the virtualized network information of PC1 based on the pre-stored first compilation policy (a predetermined network address compilation algorithm); the virtual IP address segment compiled for PC1 is 127.0.0.1/24 and the virtual MAC is 00001010. The compiler of the second security device compiles the virtualized network information of PC2 based on the pre-stored second compilation policy (a predetermined network address compilation algorithm); the virtual IP address segment compiled for PC2 is 127.0.0.200/24 and the virtualized MAC is 00001111. A virtualized network Net1 is thus created between PC1 and PC2.
The compiler of the first security device initiates access to the terminal PC2 using the virtualized network address 127.0.1/24 and the virtualized MAC address 000000001010. If the first security device of PC1 can obtain the virtual network address of PC2 based on the predetermined network address compilation algorithm, the destination address carried in the message is the virtual network address of PC2. If, however, the network address compilation algorithm randomly generates a virtual IP address (address segment) from a predetermined virtual IP network segment, the first security device cannot know the virtual network address of PC2; in that case the destination address carried in the message sent to PC2 is the real network address of PC2, and the message also carries the randomly generated virtual IP network address of PC1. The second security device then cannot resolve the virtual network address of PC1 or restore it to the real network address of PC1, so it identifies PC1 based on the real MAC address, real IP port, real routing information and the like of PC1, and thereby resolves whether the virtual IP address of PC1 is trusted: if so, it transmits the data packet to PC2; if not, it discards the data packet. After receiving the message from PC1, PC2 does not reply to PC1. When the terminal PC1 accesses a host other than the terminal PC2, the compiler of the first security device communicates externally using a broadcast policy with the virtual IP address 10.10.10.255, so as to prevent the terminal PC1 from accessing hosts other than the terminal PC2; that is, the external broadcast address of the terminal PC1 is converted into a broadcast address segment capable of isolating other terminals.
As an example, when the terminal PC2 actively initiates a request to access the terminal PC1, the compiler of the second security device may compile the virtualized network address of PC2 based on the pre-stored second compilation policy, the compiled virtual IP address segment of PC2 being 1.1.1.200/24 and the virtualized MAC being 000000001111; the compiler of the first security device compiles the virtualized network address of PC1 based on the pre-stored first compilation policy, the compiled virtual IP address segment of PC1 being 1.1.1.1/24 and the virtualized MAC being 000000001010, and a virtualized network Net2 is created between PC2 and PC1. If the security devices of PC2 and PC1 can learn each other's virtual IP addresses through the predetermined network address resolution algorithm, the message from PC2 transmitted to PC1 by the first security device carries the virtualized network addresses of the initiator PC2 and the receiver PC1. If the security device of PC1 cannot learn the virtual network address of PC2, it resolves (verifies) the virtual network address of PC2 as trusted based on information such as the network segment of the virtual network address and the IP port, and then transmits the message to PC1 with the virtual network address of PC2 as the source address and the real network address of PC1 as the destination address; after receiving the data message from PC2, PC1 may process it accordingly but does not reply.
When the accessed terminal PC1 communicates through the virtualized network created by the compiler of the first security device, the compiler of the first security device can use the virtualized network address 1.1.1.1/24 and the virtualized MAC address 000000001010, while the terminal PC2, as initiator, accesses with the virtualized network address 1.1.1.200/24 and the virtualized MAC address 00001111. When the terminal PC1 is to access a terminal other than the terminal PC2, the compiler of the first security device communicates externally with a broadcast policy using the virtual IP address 10.10.10.255 and the virtualized MAC address 0000000000000000, to prevent the terminal PC1 from being accessed by terminals other than the terminal PC2.
In the embodiment of the present invention, in order to further enhance the security of data transmission, the data packet transmitted between the initiator and the receiver may further be an encrypted data packet.
The compilation of the virtual address can be dynamically performed by using a compiler of the security device (such as a gateway), the virtual network established between the security devices can be conveniently disconnected based on the service completion condition, and a new virtual network can be established based on a new service. In the prior art, if a network needs to be disconnected according to a certain service requirement, the whole physical line needs to be disconnected, so that the use of other users is influenced.
In an existing physical network, every communication device must have its real IP/MAC addresses configured on its physical interfaces so that the corresponding network segment routing information is generated. In the embodiment of the invention, however, the data of the initiator is obtained by hijacking, so no IP/MAC address needs to be configured on the physical interfaces of the security devices (the gateways and similar devices of the invention). The virtualized segment address newly created by the security device can then be broadcast over the actual physical line. When the data reaches the intended receiver at the opposite end, the receiver's security device restores the session from the virtual network address and the corresponding real IP/MAC address, whereas a device that is not the receiver cannot restore the real internal IP/MAC address or the session, and so discards a message that is not meant for it. This effectively prevents network devices from being attacked by hackers.
In embodiments of the present invention, one or more communication initiators may be connected to a first security device and one or more target recipients (e.g., target servers) may be connected to a second security device.
Whether the first security device and/or the second security device is connected to one or several terminals or servers, the data transmission method based on the virtual network can create one or several virtual regenerative networks, and through this configuration different access permissions can be set for different users or application services, so that services can be monitored better.
Fig. 3-6 are schematic diagrams of a data transmission system based on a virtualization network according to various embodiments of the present invention.
Fig. 3 shows a case where one first security device (gateway A) is connected to a plurality of computer devices (only two of which are shown in the figure), and one second security device (gateway B) is connected to a plurality of servers (only two of which are shown in the figure). In fig. 3, a plurality of virtual networks are established between gateway A and gateway B according to the different application services that the computer devices request from the servers, so that data transmission for each application service uses its own virtual network. In fig. 3, when the second computer device (with an actual IP address of 172.16.1.1) wants to access the video server with the IP address 172.16.1.200 for a video conferencing application, gateway A may choose to establish virtual network 1 (net 1: 192.168.10.25/24) within the candidate network IP address range 192.168.0.0/16, and virtual network 1 uses the 192.168.10.25/24 IP address segment for virtual communication between gateway A and gateway B. When the first computer device (with the IP address 172.16.1.10) accesses the mail server with the IP address 172.16.1.100 for a mail service application, gateway A may choose to establish virtual network 2 (net 2: 192.168.0.0/16) within the candidate network IP address range 192.168.0.0/16, and virtual communication between gateway A and gateway B uses the 192.168.0.0/16 IP address segment.
Fig. 4 shows a situation in which a first security device (gateway A) is connected to one computer device (client) and a second security device (gateway B) is connected to one server. Even though gateway A and gateway B are each connected to only one computer device and one server, they can still create multiple virtual networks: as shown in fig. 4, two virtual networks 1 and 2 are created within a selected candidate network IP address range. Two virtual networks may be created, for example, according to different times at which the computer device accesses the server, or according to the change in access permissions when the computer device belongs to different user groups. Fig. 5 shows a case where one first security device (gateway A) is connected to a plurality of computer devices (only two are shown in the figure) and one second security device (gateway B) is connected to one server. Fig. 6 shows a case where one first security device (gateway A) is connected to one computer device and one second security device (gateway B) is connected to a plurality of servers (only two are shown in the figure). As shown in figs. 3-6, multiple parallel virtual networks may be established between a first security device and a second security device. Where a plurality of virtualized networks are created between the first security device and the second security device based on the service request messages of a plurality of communication initiators, a later-established virtualized network may be a parallel virtualized network of a previously established one, or a sub-virtualized network (next-level virtualized network) contained in a previously established one. A created virtualized network may be set so that it can access its child virtualized networks, but a child virtualized network is set so that it cannot access its upper-level (parent) virtualized network.
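The parallel/child virtual network arrangement and its access rule, as an added example of how a security device could keep track of the networks it has created; it is not the patent's data structure and not code from any implementation. A child network must be a subnet of its parent, top-level networks must not overlap each other, a network may reach itself and its descendants, and a child may never reach an ancestor. The per-service segments (video 192.168.10.0/24, mail 192.168.20.0/24, and a child 192.168.10.128/25 of the video network) are constructed values chosen inside the page's 192.168.0.0/16 candidate range; they are not the page's own net 1/net 2 values.

```python
import ipaddress


class VirtualNetworkRegistry:
    """Registry of the virtual networks created between two security devices,
    kept as a tree of parent/child segments (constructed model for this example)."""

    def __init__(self):
        self._nets = {}     # name -> IPv4Network
        self._parent = {}   # name -> parent name, or None for a top-level network

    def create(self, name: str, cidr: str, parent: str = None) -> ipaddress.IPv4Network:
        """Register a network; a child must lie inside its parent, and a top-level
        network must run parallel to (not overlap) the other top-level networks."""
        net = ipaddress.IPv4Network(cidr)
        if parent is not None:
            if not net.subnet_of(self._nets[parent]):
                raise ValueError(f"{cidr} is not contained in parent {parent}")
        else:
            for other, onet in self._nets.items():
                if self._parent[other] is None and net.overlaps(onet):
                    raise ValueError(f"{cidr} overlaps parallel network {other}")
        self._nets[name] = net
        self._parent[name] = parent
        return net

    def is_ancestor(self, ancestor: str, name: str) -> bool:
        """True if `ancestor` is the parent, grandparent, ... of `name`."""
        p = self._parent[name]
        while p is not None:
            if p == ancestor:
                return True
            p = self._parent[p]
        return False

    def can_access(self, src: str, dst: str) -> bool:
        """A network reaches itself and its sub-networks; a child never reaches
        an ancestor; parallel networks are isolated from each other."""
        return src == dst or self.is_ancestor(src, dst)

    def network_of(self, name: str) -> str:
        return str(self._nets[name])


def build_example() -> VirtualNetworkRegistry:
    """Two parallel per-service networks plus one child network (constructed values)."""
    reg = VirtualNetworkRegistry()
    reg.create("video", "192.168.10.0/24")                      # video conferencing service
    reg.create("mail", "192.168.20.0/24")                       # mail service, parallel to video
    reg.create("video-guest", "192.168.10.128/25", parent="video")  # next-level network
    return reg


if __name__ == "__main__":
    reg = build_example()
    for src, dst in [("video", "video-guest"), ("video-guest", "video"), ("video", "mail")]:
        print(f"{src} -> {dst}: {'allowed' if reg.can_access(src, dst) else 'denied'}")
```

Encoding a child as a proper subnet of its parent means the hierarchy can be checked with ordinary prefix containment, and the refusal to overlap at the top level is what keeps two parallel service networks from ever sharing an address.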
In the embodiment of the invention, a plurality of virtual networks are established over the same physical line; different application services or ports in the actual physical communication are virtualized by mapping the communication sessions of the physical network onto different network segments of the virtual networks, so that session hijacking, penetration attacks and the like in the physical network can be prevented from affecting communication over the virtual networks.
Corresponding to the above method, the present invention also provides a data transmission system based on a virtualized network, the system comprising a first security device located on the communication initiator side and a second security device located on the communication receiver side, the two being connected;
wherein the first security device is configured to: hijack a service request message sent from the communication initiator; compile the network address of the initiator using a first compiler based on a pre-stored first compilation policy to obtain the virtual network address of the initiator, and send a data packet carrying the virtual network address to the receiver over the physical line established between the initiator and the receiver; the first compilation policy comprises a predetermined network address compilation algorithm, or the random generation of an initiator virtual IP network address within the virtual IP network segment range corresponding to the service requested by the service request message;
and the second security device is configured to: receive the data from the first security device, resolve the compiled virtual network address of the initiator using a second compiler based on a pre-stored first resolution policy, and, after successful resolution, transmit the data message carrying the initiator identifier to the receiver.
In some embodiments of the invention, where the first compilation policy comprises a predetermined network address compilation algorithm and the first resolution policy comprises a network address resolution algorithm matching that compilation algorithm, the first security device is further configured to: on receiving a data message from the second security device, resolve and restore the compiled virtual network address of the receiver using the first compiler based on a pre-stored second resolution policy, and, after successful restoration, transmit the data message carrying the restored real network address of the receiver to the initiator;
and the second security device is further configured to: hijack a data message sent from the communication receiver, compile the network address of the receiver using a second compiler based on a pre-stored second compilation policy corresponding to the second resolution policy to obtain the virtual network address of the receiver, and send a data packet carrying the virtual network address of the receiver to the initiator over the physical line established between the initiator and the receiver; the second compilation policy comprises a network address compilation algorithm, and the second resolution policy is a network address resolution algorithm matching that compilation algorithm.
The first security device and the second security device do not add, modify or delete the original IP address, subnet mask, MAC address, directly connected route, next-hop gateway route, DNS domain name, WINS, NetBIOS or other information on the original physical line or on the physical interface of the device newly added to the original physical line. Instead, the compilers of the security devices at the two communication ends generate a virtual IP address segment, a virtual MAC address, a virtual route, a virtual communication port and the like, create a virtual network between the security devices of the initiator and the receiver on the established physical line, and transmit data on the established physical line through the virtual network in a data link layer ARP addressing and broadcast mode or a network layer routing mode. The invention does not change the original network structure, the original network routing entries and forwarding paths, or the communication mechanism and network topology, and can improve network security without the user noticing.
In addition, the virtual network can be created repeatedly, can be reused repeatedly, and is simple to realize and low in cost.
In accordance with the foregoing method, the present invention also provides a network security device (e.g., a gateway) based on a virtualized network, the network security device being configured to connect with at least one first-end communication device, the network security device comprising a processor and a memory, the memory storing computer instructions, the processor being configured to execute the computer instructions stored in the memory, and the computer instructions when executed by the processor implementing the steps of:
hijacking a data message sent from the at least one first-end communication device, compiling the network address of each first-end communication device by using a first compiler based on a first pre-stored compiling strategy to obtain the virtual network address of each first-end communication device, so as to construct one or more virtual networks based on the virtual network address of the first-end communication device, and sending a data packet with the virtual network address to a receiving party by using an established physical line between an initiator and the receiving party;
when the network security device receives a data message that is sent by the opposite-end network security device and originates from the opposite-end communication device, resolving and restoring the virtual network address of the opposite-end communication device using the first compiler based on a pre-stored second resolution policy corresponding to the compilation policy of the opposite-end network security device, and, after successful restoration, transmitting the message carrying the restored real network address of the opposite-end communication device to the first-end communication device.
In a customer private network or local area network environment, the network security device cannot be detected or discovered, cannot be port-scanned by malicious persons using hacker tools, and cannot be subjected to password cracking, system vulnerability mining and the like; it is therefore self-concealing. Adding the network security device between the communication initiating side and the receiving side does not change the original network structure, adds no real IP/MAC address identification, and leaves the original network routing entries, routing forwarding paths, communication mechanism and network topology unchanged.
Those of ordinary skill in the art will appreciate that the various illustrative components, systems, and methods described in connection with the embodiments disclosed herein may be implemented as hardware, software, or combinations thereof. Whether this is done in hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, plug-in, function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link. A "machine-readable medium" may include any medium that can store or transfer information. Examples of a machine-readable medium include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, radio frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, intranet, etc.
It should also be noted that the exemplary embodiments mentioned in this patent describe some methods or systems based on a series of steps or devices. However, the present invention is not limited to the order of the above steps, that is, the steps may be performed in the order mentioned in the embodiments, may be performed in an order different from the order in the embodiments, or may be performed at the same time.
Features that are described and/or illustrated with respect to one embodiment may be used in the same way or in a similar way in one or more other embodiments and/or in combination with or instead of the features of the other embodiments in the present invention.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes may be made to the embodiment of the present invention by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A data transmission method based on a virtual network is characterized by comprising the following steps:
a first security device at the side of a communication initiator acquires, by hijacking, a service request message sent from the communication initiator, wherein a first compiling strategy for compiling the network address of the communication initiator is pre-stored in the first security device, and the service request message sent by the communication initiator carries a real IP address, a real MAC address, a real IP port and real routing information;
the first security device compiles the network address of the initiator using a first compiler based on the pre-stored first compiling strategy to obtain a virtual network address of the initiator, so as to establish a virtual network based on the virtual network address, and sends a data message carrying the virtual network address to a receiver over an established physical line between the initiator and the receiver; the first compiling strategy comprises randomly generating an initiator virtual IP network address within the virtual IP network segment range corresponding to the service requested by the service request message; and
after receiving the data from the first security device, a second security device at the side of the communication receiver resolves the compiled virtual network address of the initiator using a second compiler based on a pre-stored first resolution strategy, and after successful resolution transmits the service request message carrying the initiator identifier to the receiver; the first resolution strategy comprises determining whether the compiled virtual network address of the initiator is credible based on the network segment in which the virtual IP network address of the initiator is located together with the uncompiled real MAC address, real IP port and real routing information, and, if the compiled virtual network address of the initiator is credible, confirming that the resolution is successful.
2. The method according to claim 1, wherein resolving the compiled virtual network address of the initiator using the second compiler based on the pre-stored first resolution strategy and, after successful resolution, transmitting the service request message carrying the initiator identifier to the receiver comprises: resolving and restoring the compiled virtual network address of the initiator using the second compiler based on the pre-stored first resolution strategy, and, after successful resolution and restoration, transmitting to the receiver the service request message carrying the real network address of the initiator.
3. The method of claim 1, wherein:
the physical network card interfaces of the first security device and the second security device have no IP address and no MAC address;
one or more communication initiators are connected to the first security device; and
one or more receivers are connected to the second security device.
4. The method of claim 1, further comprising:
if resolution of the initiator virtual network address based on the pre-stored first compiling strategy fails, the second security device discards the data message to be transmitted.
5. The method of claim 1, wherein sending the data message with the virtual network address to the receiver over the established physical line between the initiator and the receiver comprises: sending a data message carrying the virtual network address of the initiator and the real network address of the receiver to the receiver through the compiled virtual network over the physical line between the initiator and the receiver, in a data-link-layer ARP addressing broadcast mode or a network-layer routing mode.
6. The method of claim 1, wherein each virtual network address comprises a segment of virtualized IP addresses selected from a predetermined plurality of candidate network IP address ranges;
the plurality of candidate network IP address ranges includes some or all of: a Class A network IP address range, a Class B network IP address range, and a Class C network IP address range.
7. The method of claim 1, wherein the data packets transmitted between the initiator and the recipient are encrypted data packets.
8. A data transmission system based on a virtualized network, the system comprising: a first security device located at the communication initiator side and a second security device located at the communication receiver side;
wherein the first security device is configured to:
hijack a service request message sent from a communication initiator, wherein the service request message sent by the communication initiator carries a real IP address, a real MAC address, a real IP port and real routing information;
compile the network address of the initiator using a first compiler based on a pre-stored first compiling strategy to obtain a virtual network address of the initiator, and send a data message carrying the virtual network address to a receiver over an established physical line between the initiator and the receiver; the first compiling strategy comprises randomly generating an initiator virtual IP network address within the virtual IP network segment range corresponding to the service requested by the service request message;
and the second security device is configured to:
receive data from the first security device, resolve the compiled virtual network address of the initiator using a second compiler based on a pre-stored first resolution strategy, and, after successful resolution, transmit the data message carrying the initiator identifier to the receiver; the first resolution strategy comprises determining whether the compiled virtual network address of the initiator is credible based on the network segment in which the virtual IP network address of the initiator is located together with the uncompiled real MAC address, real IP port and real routing information, and, if the compiled virtual network address of the initiator is credible, confirming that the resolution is successful.
9. The system of claim 8, wherein:
the first security device and the second security device are gateways;
the service request message sent by the communication initiator carries a real IP address, a real MAC address, a real IP port and real routing information; and
the initiator identifier comprises at least one of the following: the initiator's real MAC address, the initiator's real IP port, and the real routing information.
10. A network security device configured to interface with at least one first-end communication device acting as a communication initiator, the network security device comprising a processor and a memory, the memory storing computer instructions, the processor being configured to execute the computer instructions stored in the memory, and the computer instructions, when executed by the processor, performing the steps of:
hijacking a data message sent from the at least one first-end communication device, compiling the network address of each first-end communication device using a first compiler based on a pre-stored first compiling strategy to obtain a virtual network address of each first-end communication device, so as to construct one or more virtual networks based on the virtual network addresses of the first-end communication devices, and sending the data message carrying the virtual network address to a communication receiver over an established physical line between the communication initiator and the communication receiver; the data message sent by the first-end communication device carries a real IP address, a real MAC address, a real IP port and real routing information; and
when the network security device receives a data message sent by an opposite-end network security device acting as the communication receiver, resolving and restoring the virtual network address of the opposite-end communication device using the first compiler based on a pre-stored first resolution strategy corresponding to the compiling strategy of the opposite-end network security device, and, after successful restoration, transmitting the restored real network address information of the opposite-end communication device to the first-end communication device; wherein the first resolution strategy comprises determining whether the compiled virtual network address of the communication initiator is credible based on the network segment in which the virtual IP network address of the initiator is located together with the uncompiled real MAC address, real IP port and real routing information, and, if the compiled virtual network address of the communication initiator is credible, confirming that the resolution is successful.
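The compile-on-send and resolve-on-receive exchange of claims 1, 4 and 8, as an added Python sketch that is not part of the patent or any implementation of it. The per-service virtual segments, the field names, and the receiver-side allow-list that maps the unchanged MAC/port/routing identifier back to a real IP are all assumptions made for the example.

```python
import ipaddress
import random

# Constructed per-service virtual IP segments (assumed values, not from the patent).
SERVICE_SEGMENTS = {
    "web": ipaddress.ip_network("10.200.0.0/24"),
    "db": ipaddress.ip_network("10.201.0.0/24"),
}

# Constructed allow-list held by the second device (assumption): the initiator
# identifier that stays uncompiled on the wire (real MAC, real port, routing
# info) is used to recover the initiator's real IP after a successful check.
TRUSTED_INITIATORS = {
    ("aa:bb:cc:00:00:01", 5000, "via-gw1"): "192.168.1.10",
}


def compile_address(packet, rng=random):
    """First security device: replace the real source IP with a random virtual
    IP drawn from the segment bound to the requested service. MAC, port and
    routing information are left untouched, as the claims require."""
    segment = SERVICE_SEGMENTS[packet["service"]]
    out = dict(packet)
    out["src_ip"] = str(rng.choice(list(segment.hosts())))
    return out


def resolve_address(packet):
    """Second security device: the virtual IP is credible only if it lies in
    the segment for the requested service AND the unchanged MAC/port/routing
    identify a known initiator. Return the restored packet on success, or
    None to signal that the message is discarded (claim 4)."""
    segment = SERVICE_SEGMENTS.get(packet["service"])
    if segment is None or ipaddress.ip_address(packet["src_ip"]) not in segment:
        return None
    ident = (packet["src_mac"], packet["src_port"], packet["route"])
    real_ip = TRUSTED_INITIATORS.get(ident)
    if real_ip is None:
        return None
    restored = dict(packet)
    restored["src_ip"] = real_ip
    return restored


if __name__ == "__main__":
    # Constructed service request from the initiator, before the first device hijacks it.
    req = {"service": "web", "src_ip": "192.168.1.10", "src_mac": "aa:bb:cc:00:00:01",
           "src_port": 5000, "route": "via-gw1"}
    on_wire = compile_address(req)
    print("on wire:", on_wire["src_ip"], "->", resolve_address(on_wire)["src_ip"])
```

A message whose source IP was never compiled (the real 192.168.1.10 is outside every virtual segment), whose virtual IP belongs to a different service's segment, or whose MAC/port/routing triple is unknown is returned as None and therefore dropped at the receiver side.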
CN202110786834.XA 2021-07-12 2021-07-12 Data transmission method, device and system based on virtualization network Active CN113489730B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110786834.XA CN113489730B (en) 2021-07-12 2021-07-12 Data transmission method, device and system based on virtualization network

Publications (2)

Publication Number Publication Date
CN113489730A CN113489730A (en) 2021-10-08
CN113489730B true CN113489730B (en) 2022-12-09

Family

ID=77938219

Country Status (1)

Country Link
CN (1) CN113489730B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant