CN115694951A - Data transmission method, device and system based on virtualization network - Google Patents


Info

Publication number
CN115694951A
Authority
CN
China
Prior art keywords
network
address
initiator
receiver
virtual
Prior art date
Legal status
Pending
Application number
CN202211318260.4A
Other languages
Chinese (zh)
Inventor
于洪
吴胜
姜春晓
于芷澜
于业浩
杨丽萍
Current Assignee
Beijing Yuchuang Ruilian Information Technology Co ltd
Original Assignee
Beijing Yuchuang Ruilian Information Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Yuchuang Ruilian Information Technology Co ltd
Priority to CN202211318260.4A
Publication of CN115694951A

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2517 Translation of Internet protocol [IP] addresses using port numbers
    • H04L61/2596 Translation of addresses of the same type other than IP, e.g. translation from MAC to MAC addresses

Abstract

The invention provides a data transmission method, device and system based on a virtualized network. The method comprises the following steps: a first security device on the initiator side hijacks a data message sent from the initiator; a virtual regeneration network is created between the first security device and a second security device on the receiver side over an established physical line. In the created virtual regeneration network, the initiator's virtual network address is obtained by the first security device compiling the initiator's network address based on pre-stored mapping relation information between the real network information and the virtual network information of the sender and the receiver, and the receiver's virtual network address is obtained by the second security device compiling the receiver's network address based on a pre-stored compilation policy. The second security device uses the compilation policy to parse and restore the initiator's virtual network address, and transmits the data message with the restored network address to the receiver.

Description

Data transmission method, device and system based on virtualization network
This application is a divisional application of the patent application filed on 12 July 2021 with application number 2021107863331, entitled "Data transmission method, device and system based on a virtualized network".
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a data transmission method, apparatus, and system based on a virtualized network.
Background
Because computer networks have diverse connection forms, unevenly distributed terminals, and are open and interconnected, an attacker may not only probe and scan the asset devices in the network, eavesdrop on network traffic, and steal user passwords and database contents; an attacker may also tamper with database contents, forge a user's identity, and repudiate their own signature. Moreover, database contents can be deleted, network nodes destroyed, computer viruses released, and so on, all of which complicate the information security problem.
Risks to current computer networks include security risks posed by software (software-level risks) and security risks posed by hardware (hardware-level risks). The software-level risks are mainly the following: (1) the traditional network security defense model passively detects virus samples, intrusion signature samples and the like, combined with blacklist/whitelist access control; in real network communication an attacker often impersonates an ordinary user who is allowed through, passes directly through the network security gateway into the user's intranet, and creates uncontrollable risk; (2) traditional network security is a "tower defense": security software products are stacked on top of one another and various static, passive defenses overlap, so the defense is not fundamentally effective, only a detect-and-patch approach is possible, and dynamic, automatic defense against unknown threats cannot be achieved; (3) traditional application software, network equipment and network security equipment carry specific identifiers such as IP addresses or MAC addresses, so an attacker can scan and probe those IP or MAC addresses with attack tools, find corresponding vulnerabilities and launch attacks; (4) in addition, the boundary of general application or system software keeps expanding and its bugs and patches multiply, and an intruder who exploits a software bug can launch an intrusion attack, which brings new risks and hidden dangers.
At the hardware level, a traditional network security device is operated and maintained inline, so that it can conveniently be connected to and debugged remotely; the protective device is thereby exposed in the network: any node that can reach it by network routing can connect to it and repeatedly try user names and passwords, or an attacker can log in to the device's web interface, or search for a vulnerability or backdoor, by brute-forcing the password. At the same time, the network security device itself can be attacked through physical attacks on the CPU crystal oscillator and side-channel attacks on its memory; both attack modes directly bypass any security protection and take over the core control unit, with the risk that the device can then be operated and controlled at will. In addition, if a client's access to a certain server resource is to be cut off, the actual physical link has to be disconnected to really block that client, and disconnecting the physical line also cuts the client off from the server's other service resources.
How to prevent hacker intrusion attacks without disconnecting the actual physical line, while improving network security and user experience, is an urgent problem to be solved.
Disclosure of Invention
In view of the problems in the prior art, the invention aims to provide a data transmission method, device and system based on a virtualized network, so as to improve network security and prevent hacker intrusion attacks.
In one aspect of the present invention, a data transmission method based on a virtualized network is provided, where the method includes the following steps:
a first security device on the side of the communication initiator acquires, using a hijacking technique, a service request message sent from the communication initiator;
the first security device determines a mapping relationship between the real network information and the virtual network information of the sender and the receiver based on a pre-stored compilation policy, compiles the initiator's network address based on that mapping using a first compiler so as to create a virtualized network on the established physical line between the initiator and the receiver, and sends the service request message to the receiver over the established physical line based on the virtualized network;
after receiving the service request message from the first security device, the second security device on the side of the communication receiver parses and restores the compiled virtual network address of the initiator using a second compiler based on a pre-stored compilation policy and, once restoration succeeds, forwards the service request message carrying the initiator's real network address to the receiver;
the second security device acquires, using a hijacking technique, a data message returned from the communication receiver to the communication initiator, compiles the receiver's network address into a virtual network address using the second compiler based on the pre-stored compilation policy, and sends the data message carrying the receiver's virtual network address to the initiator over the established physical line between the initiator and the receiver based on the established virtualized network;
after receiving the data message from the second security device, the first security device parses and restores the compiled virtual network address of the receiver using the first compiler based on the pre-stored compilation policy and, once restoration succeeds, forwards the data message carrying the receiver's real network address to the initiator;
the physical network card interfaces of the first security device and the second security device have no IP address and no MAC address, and the first security device and the second security device are gateways;
the compilation policy in the second security device is identical or corresponding in content to the compilation policy in the first security device, and both policies compile virtual network addresses according to the same address compilation principle.
In some embodiments of the invention, one or more communication initiators are connected to the first security device;
one or more communication receivers are connected to the second security device;
the pre-stored compilation policies of the first and second security devices comprise mapping relationships between the real network information and the virtual network information of the sender and the receiver, including a mapping between real IP addresses and virtual IP addresses.
In some embodiments of the present invention, sending the service request message to the receiver over the established physical line based on the virtualized network comprises: sending the data message carrying the virtual network addresses to the receiver over the physical line established between the initiator and the receiver, using the compiled virtualized network addresses, either by data link layer ARP (Address Resolution Protocol) broadcast addressing or by network layer routing. Sending the data message carrying the receiver's virtual network address to the initiator over the established physical line based on the virtualized network comprises: sending the data message carrying the receiver's and the initiator's virtual network addresses to the initiator over the physical line between the initiator and the receiver, using the compiled virtual network addresses, by data link layer ARP broadcast addressing or by network layer routing.
In some embodiments of the present invention, the mapping further comprises at least one of the following: a mapping between real MAC addresses and virtual MAC addresses, a mapping between real IP ports and virtual IP ports, a correspondence between real routes and virtual routes, and a correspondence between real network protocols and virtual network protocols.
In some embodiments of the invention, the virtualized IP address is an address field selected from a predetermined plurality of candidate network IP address ranges; the plurality of candidate network IP address ranges includes some or all of: the class A network IP address range, the class B network IP address range, and the class C network IP address range.
In some embodiments of the invention, the method further comprises: if the real network address cannot be parsed and restored based on the pre-stored compilation policy, the first security device and/or the second security device discards the data message to be transmitted.
In some embodiments of the invention, the method further comprises: where a plurality of virtualized networks are created between the first and second security devices based on the service request messages of a plurality of communication initiators, a later-established virtualized network is either parallel to a previously established virtualized network or a sub-network contained in it. A created virtualized network is set to have access to its child virtualized networks; a child virtualized network is set to have no access to its parent virtualized network.
In some embodiments of the present invention, the data packets transmitted between the initiator and the receiver are encrypted.
In another aspect of the present invention, a data transmission system based on a virtualized network is also provided, the system comprising: a first security device located on the communication initiator side and a second security device located on the communication receiver side;
wherein the first security device is configured to:
hijack a service request message sent from a communication initiator;
determine a mapping relationship between the real network information and the virtual network information of the sender and the receiver based on a pre-stored compilation policy, compile the initiator's network address based on that mapping using a first compiler so as to create a virtualized network on the established physical line between the initiator and the receiver, and send the service request message to the receiver over the established physical line based on the virtualized network;
receive a data message from the second security device, parse and restore the compiled virtual network address of the receiver using the first compiler based on the pre-stored compilation policy and, once restoration succeeds, forward the data message carrying the receiver's real network address to the initiator;
the second security device is configured to:
hijack the data message sent from the communication receiver, compile the receiver's network address into a virtual network address using a second compiler based on the pre-stored compilation policy, and send the data message carrying the receiver's virtual network address to the initiator over the established physical line between the initiator and the receiver based on the established virtualized network;
receive the service request message from the first security device, parse and restore the compiled virtual network address of the initiator using the second compiler based on the pre-stored compilation policy and, once restoration succeeds, forward the service request message carrying the initiator's real network address to the receiver;
the physical network card interfaces of the first and second security devices have no IP address and no MAC address, and the first and second security devices are gateways;
the compilation policy in the second security device is identical or corresponding in content to the compilation policy in the first security device, and both policies compile virtual network addresses according to the same address compilation principle.
In another aspect of the present invention, a network security device is also provided. The network security device is configured to connect to at least one local-end communication device; its physical network card interface has no IP address and no MAC address; the network security device is a gateway and comprises a processor and a memory, the memory storing computer instructions and the processor being configured to execute the instructions stored in the memory, and when the instructions are executed by the processor the following steps are carried out:
hijacking a data message sent from the at least one local-end communication device, determining a mapping relationship between the real network information and the virtual network information of the local-end and opposite-end communication devices based on a pre-stored compilation policy, compiling the network addresses of the local-end communication devices based on that mapping using a first compiler so as to create a virtualized network on the established physical line between the local-end and opposite-end communication devices, and sending a service request message to the opposite-end communication devices over the established physical line based on the virtualized network;
receiving, from the opposite-end network security device, a message from the opposite-end communication device, parsing and restoring the compiled virtual network address of the opposite-end communication device using the first compiler based on the pre-stored compilation policy and, once restoration succeeds, forwarding the data message carrying the opposite-end communication device's real network address to the local-end communication device;
the compilation policy in the network security device is identical or corresponding to the compilation policy in the opposite-end network security device, so that both compile virtual network addresses according to the same address compilation principle.
The data transmission method, system and network security device based on a virtualized network can achieve safe and effective data transmission without disconnecting the actual physical line, effectively prevent hacker intrusion attacks and greatly improve network security.
It will be appreciated by those skilled in the art that the objects and advantages that can be achieved with the present invention are not limited to the specific details set forth above, and that these and other objects that can be achieved with the present invention will be more clearly understood from the detailed description that follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the principles of the invention. In the drawings:
Fig. 1 is a flowchart illustrating a data transmission method based on a virtualized network according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of data transmission processing based on a virtualized network according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of a data transmission system based on a virtualized network according to an embodiment of the present invention.
Fig. 4 is a schematic diagram of a data transmission system based on a virtualized network according to another embodiment of the present invention.
Fig. 5 is a schematic diagram of a data transmission system based on a virtualized network according to another embodiment of the present invention.
Fig. 6 is a schematic diagram of a data transmission system based on a virtualized network according to another embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the following embodiments and accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
It should be noted that, in order to avoid obscuring the present invention with unnecessary details, only the structures and/or processing steps closely related to the scheme according to the present invention are shown in the drawings, and other details not so relevant to the present invention are omitted.
It should be emphasized that the terms "comprises" and "comprising", when used herein, specify the presence of the stated features, elements, steps or components, but do not preclude the presence or addition of one or more other features, elements, steps or components.
In order to prevent the network from being invaded and attacked by hackers and to improve network security, the invention provides a data transmission method based on a virtualized regeneration network. The method places a compiler in a network security device (security device for short) such as a gateway, and uses the compiler to compile virtual communication network information, including virtual regeneration network addresses, that differs from the network addresses between the real physical devices in the actual network. In this way one or more virtual regeneration networks are created between the security device of the communication initiator and the security device of the communication receiver. The network resources of these virtual regeneration networks are virtual resources that do not exist in the actual network; according to the IETF and IEEE standard specifications, the virtual regeneration network between the two security devices can only be transmitted between the security devices at its two ends, and information such as the virtual network address resources is neither transmitted nor forwarded by the communication initiator or the communication receiver. In the embodiment of the invention, the virtualized regeneration network refers to the continuous regeneration of the virtual network realized by virtualization technology. The data transmission method based on the virtualized regeneration network changes neither the original network structure, routing entries and forwarding paths, nor the communication mechanism and network topology, and thus improves network security without the user noticing.
Hereinafter, the virtualized regeneration network may be simply referred to as a virtualized network for convenience of description.
Fig. 1 is a flowchart illustrating a data transmission method based on a virtualized network according to an embodiment of the present invention. As shown in fig. 1, the method comprises the steps of:
Step S110: the first security device located on the communication initiator side hijacks the data packets, such as service request packets, sent from each communication initiator.
More specifically, the first security device may use a hook hijacking technique, intercepting the data packets sent by the communication initiator through a hook function; hijacking of the communication initiator's packets may be achieved, for example, by hijacking global traffic. Since hook hijacking for monitoring and intercepting data packets is a mature technique, it is not described in detail here.
In the embodiment of the present invention, the communication initiator may be, for example, a client such as a PC or a portable mobile terminal, and one first security device may be connected to one client or to a plurality of clients. The communication receiver may be, for example, a destination server, although the invention is not limited thereto. When the first security device is connected to one client it hijacks the data packets sent by that client; when it is connected to a plurality of clients it hijacks the data packets sent by all of them.
In the embodiment of the present invention, the first security device may be a gateway (also called a gateway device). Besides a gateway, the first security device may also be an industrial module or an embedded chip, etc.; the invention is not limited in this respect. In the embodiment of the invention, the physical interface of the first security device has no IP address and no MAC address; the device acquires the data sent by the initiator by hijacking the data message and sends it out in routing mode or broadcast mode.
Step S120: the first security device determines a mapping relationship between the real network information and the virtual network information of the sender and the receiver based on a pre-stored compilation policy, compiles the initiator's network address based on that mapping using a first compiler so as to create a virtualized network on the established physical line between the initiator and the receiver, and sends the service request message to the receiver over the established physical line based on the virtualized network.
In practical applications there may be an untrusted network within the communication path: for example, the public internet may lie at the boundary of an organization's private network, and the links between the private networks of different branches and the center of an organization may depend on the public internet, in which case data transmitted between the private networks may be intercepted and leaked. The invention therefore adopts a virtualized regeneration network on the established actual physical line between the initiator and the receiver to prevent hacker intrusion attacks; at the same time, multiple different virtualized networks can be established between a server and its clients according to the clients' different access requirements, so that some of those virtualized networks can be flexibly disconnected when their service is complete, without disconnecting the other virtualized networks and without disconnecting the actual physical line.
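The parent/child access rule from the summary of the invention (a created virtualized network may reach its sub-networks, never the other way round) and the selective teardown described here, modelled as an added example that is not the patent's own code. The class name VirtualNetworkTree, the assumption that parallel networks are isolated from each other, and the physical-line bookkeeping are not from the page.

```python
"""Virtualized networks created on one physical line: parallel or nested.

Added example, not the patent's code. VirtualNetworkTree, the rule that
parallel networks are isolated, and the physical-line bookkeeping are assumed.
"""


class VirtualNetworkTree:
    def __init__(self):
        self.parent = {}  # network name -> parent network name (None for a root)
        self.line = {}    # network name -> physical line it is created on

    def create(self, name, parent=None, line=None):
        """A later network is parallel to the existing ones (parent=None) or a
        sub-network of one; a sub-network rides on its parent's physical line."""
        if name in self.parent:
            raise ValueError(f"virtual network {name!r} already exists")
        if parent is None:
            if line is None:
                raise ValueError("a parallel (root) network needs a physical line")
        else:
            if parent not in self.parent:
                raise ValueError(f"parent network {parent!r} does not exist")
            line = self.line[parent]
        self.parent[name], self.line[name] = parent, line

    def _ancestors(self, name):
        name = self.parent[name]
        while name is not None:
            yield name
            name = self.parent[name]

    def can_access(self, src, dst):
        """A network reaches itself and its descendants; a child never reaches
        its parent; parallel networks are isolated from each other (assumption)."""
        if src not in self.parent or dst not in self.parent:
            return False
        return src == dst or src in self._ancestors(dst)

    def disconnect(self, name):
        """Tear down one virtualized network and its sub-networks when their
        service is finished, leaving other networks and the physical line up."""
        doomed = {n for n in self.parent if n == name or name in self._ancestors(n)}
        for n in doomed:
            del self.parent[n], self.line[n]
        return doomed

    def active(self):
        return set(self.parent)

    def physical_lines_in_use(self):
        """Physical lines that still carry at least one virtualized network."""
        return set(self.line.values())
```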
More specifically, in this step, after the first security device obtains the data packet of the communication initiator through the hijacking technique, the first security device may determine a mapping relationship between real network information and virtual network information of the sender and the receiver based on a predetermined and pre-stored compiling policy, and compile the network address of the communication initiator to generate a new virtual network address, so as to create a virtualized network on an established physical line between the initiator and the receiver, and send a service request packet to the receiver based on the created virtualized network by using the established physical line. In the service request message sent to the receiver, the virtual network addresses of the initiator and the receiver are carried.
Here, the pre-stored compiling policy may include a mapping relationship between real network information and virtual network information of the sender and the receiver, the mapping relationship including a mapping relationship between a real IP address and a virtual IP address.
In an embodiment of the invention, the network address compiled by the first compiler comprises a segment of a virtualized IP address selected from a predetermined plurality of candidate network IP address ranges. The plurality of candidate network IP address ranges may include some or all of the following network IP address ranges: class a network IP address range, class B network IP address range, and class C network IP address range. The class a network IP address range is the widest address range, followed by a class B network, followed by a class C network. The class A network IP address range is, for example, an IP address range from 1.0.0.0 to 126.0.0.0. The class B network IP address range is, for example, an IP address range from 128.0.0.0 to 191.255.255.255. The class C network IP address range is, for example, an IP address range from 192.0.0.0 to 223.255.255.255. The class A network uses 8 bits to represent the network number, and 24 bits to represent the host bit; the B-type network represents a network by 16 bits, and a host by 16 bits; the class C network uses 24 bits to represent the network number and 8 bits to represent the host bit.
An IP address segment of a suitable network may be selected from the several candidate network IP address ranges according to the particular application service to which the service request message of each initiator relates. For example, for a service request corresponding to a service that may have a large number of visitors, the address segment of the virtual network address that corresponds to the real network address in the compiling policy may be selected from the class A or class B network IP address range; for a service request corresponding to a service with a small number of visitors, the address segment may be selected from the class B or class C network IP address range. The compiler generates addresses within the selected IP address segment so that they do not conflict with IP addresses actually present on the physical line.
In some embodiments of the present invention, the mapping relationship in the compiling policy may further include at least one of the following: a mapping between a real MAC address and a virtual MAC address, a mapping between a real IP port and a virtual IP port, a correspondence between a real route and a virtual route, and a correspondence between a real network protocol and a virtual network protocol. In case the mapping relationship in the compiling policy further comprises a mapping between a real MAC address and a virtual MAC address, the virtual network address compiled by the first compiler may further comprise a virtual MAC address. A MAC address is six bytes (48 bits) and is usually written in hexadecimal: 12 hexadecimal digits, separated by a colon or a hyphen after every 2 digits, for example 48:89:E7:D5:23:7A. The first 6 hexadecimal digits (i.e. the first 3 bytes, the upper 24 bits) identify the network hardware manufacturer and are assigned by the Registration Authority (RA) of the IEEE; the last 6 hexadecimal digits (i.e. the last 3 bytes, the lower 24 bits) are the serial number of a particular network product (e.g. a network card) made by that manufacturer. In the embodiment of the invention, the characteristic fields of the MAC address can be changed through the preset compiling policy, so that a hacker is prevented from mounting an intrusion attack based on the MAC address.
Based on the compiling strategy, the first compiler not only can compile the IP address and the MAC address, but also can compile direct routing, next hop routing and communication service port information so as to further improve the network security. The first compiler can map an actual physical network into a virtual network for data transmission by compiling network information such as an IP address, an MAC address, a direct route, a next hop route, a communication service port and the like, and the virtualized information is transmitted between the first security device and the second security device.
After the first security device has compiled the virtual network address, it encapsulates the network information, including the virtual network address, into the data message hijacked from the initiator, replacing the network address information of the original data message. The data message is then sent to the receiver over the physical line established between the initiator and the receiver, using the compiled virtual network addresses; it can be delivered through the compiled virtual network either by data link layer ARP addressing in broadcast mode or by network layer routing.
In this way, a second security device placed on the physical communication link of the initiator and the receiver, connected to the network port of the receiver, may receive the data packet from the first security device before the receiver.
Step S130, after the second security device on the communication receiver side receives the service request message from the first security device, the second compiler analyzes the compiled virtual network address of the initiator based on the pre-stored compiling policy and restores the real network address; if the restoration succeeds, the data message (e.g. the service request message) carrying the real network address of the initiator is forwarded to the receiver (e.g. a server).
That is, after the second security device has analyzed and identified the real network address of the initiator using the pre-stored compiling policy, the service request message with the restored initiator network address is transmitted to the receiver (e.g. a server), so that the receiver receives the service request message with the real network address (e.g. IP address and MAC address) of the initiator. In the embodiment of the present invention, the second security device restores the real network address successfully only if the virtual network information carried in the data message matches the virtual network information that the compiling policy assigns to the corresponding application service; if it does not match, the restoration is considered to have failed. If the second security device fails to analyze the real network address of the initiator using the stored compiling policy, it considers the service request message illegal or untrusted and discards it.
After receiving the data request message, the server generates the data to be returned to the initiator based on the initiator's request and encapsulates it into a data message to be sent to the initiator.
Step S140, the second security device obtains the data packet returned from the communication receiver to the communication initiator by using the hijacking technique, compiles the network address of the receiver into a virtual network address by using the second compiler based on a pre-stored compilation strategy, and sends the data packet with the virtual network address of the receiver to the initiator based on the established virtualized network by using the established physical line between the initiator and the receiver.
This step S140 is similar to the processing of the data packet from the initiator by the first secure device in the previous steps S110 and S120. The difference lies in hijacking the data message sent by the receiving party equipment and performing virtualization compilation on the network address of the receiving party. The compilation strategy in the second security device may be identical or correspond to the compilation strategy in the first security device, both for the compilation of virtual network addresses based on a consistent address compilation principle.
After the second security device compiles the virtual network address, the network information including the virtual network address and the like is encapsulated into a data message hijacked from the receiver again to replace the network address information in the original data message, and then a data message with the virtual network address of the receiver is sent to the initiator by a virtualized network obtained by compiling the established physical line between the initiator and the receiver in a data link layer ARP addressing broadcast mode or a network layer routing mode. The data message takes the virtualized network address of the initiator as the destination address.
The first security device may receive a data message from the second security device prior to the initiator.
Step S150, after the first security device receives the data message from the second security device, the first compiler analyzes the compiled virtual network address of the receiver based on the pre-stored compiling policy and restores the real network address; if the restoration succeeds, the data message carrying the real network address of the receiver is forwarded to the initiator.
If the first security device fails to analyze the real network address of the receiver by using the stored second analysis strategy, the first security device considers that the data message is an illegal message or an untrusted message, and then discards the data message.
As described above, by creating a virtual regenerative network between the first secure device and the second secure device using an established physical line between the initiator and the recipient, it is possible to perform data transmission between the first secure device and the second secure device using the created virtual regenerative network, thereby making it difficult for a hacker to attack based on a network address.
Fig. 2 is a schematic diagram of data transmission processing based on a virtualized network according to an embodiment of the present invention. As shown in fig. 2, the network interface eth0 of the client PC1 as the initiator configures an actual IP address of 172.16.1.1, and a mac address of: 000FC5056EB0. The network interface eth1 of the access target client PC2 configures an actual IP address of 172.16.1.200, and a mac address of: f04EDA092709. Under the condition that the terminal PC1 actively initiates a request to access the terminal PC2, the terminal PC1 compiles the virtualized network information of the PC1 through a compiler of the first safety device based on a pre-stored compiling strategy, and the virtual IP address field compiled by the PC1 is as follows: 127.0.0.1/24, virtual MAC is: 000000001010; the terminal PC2 compiles the virtualized network information of the PC2 through a compiler of the second safety equipment based on a pre-stored compiling strategy, the compiled virtual IP address section of the PC2 is 127.0.0.200/24, and the virtualized MAC is as follows: 000000001111; a virtualized network Net1 is created between PC1 and PC 2. 
The compiler of the first security device uses the virtualized network address 127.0.0.1/24 and the virtualized MAC address 000000001010 to access the terminal PC2; because the first security device of PC1 can obtain the virtual network address of PC2 from the mapping between the real and virtual network information of the receiver in the compiling policy, the destination address carried in the message is the virtual network address of PC2. When the terminal PC1 wants to access a host other than the terminal PC2, the compiler of the first security device communicates with the outside using a broadcast policy with the virtual IP address 10.10.10.255, so that PC1 is prevented from accessing anything other than PC2; that is, the external broadcast address of PC1 is converted into a broadcast address segment that isolates it from other terminals. As an example, in the case where the terminal PC2 actively initiates a request to access the terminal PC1, PC2 may compile its virtualized network address through the compiler of the second security device based on a pre-stored compiling policy, the virtual IP address segment compiled for PC2 being 1.1.1.200/24 and the virtualized MAC being 000000001111; PC1 compiles its virtualized network address through the compiler of the first security device based on a pre-stored compiling policy, the virtual IP address segment compiled for PC1 being 1.1.1.1/24 and the virtualized MAC being 000000001010; a virtualized network Net2 is created between PC2 and PC1.
When the accessed terminal PC1 communicates through a virtualized network created by a compiler of the first security device, the compiler of the first security device can use a virtualized network address 1.1.1.1/24 and a virtualized MAC address 000000001010, and the terminal PC2 serves as an initiator to access through the virtualized network address 1.1.1.200/24 and the virtualized MAC address 000000001111; when the terminal PC1 is to access a terminal other than the terminal PC2, the compiler of the first secure device performs communication to the outside with a broadcast policy of a virtual IP address of 10.10.10.255 and a virtualized MAC address of 0000000000000000 to prevent the terminal PC1 from being accessed by a terminal other than the terminal PC 2.
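The request/response flow of steps S110 to S150 with the Fig. 2 addresses, as an added Python model that is not part of the patent: the names Endpoint, Packet, Policy, SecurityDevice, run_exchange and forged_packet_is_dropped are assumptions, and the addresses are the Net1 values quoted above.

```python
# Added example, not code from the patent: a minimal model of the
# address-compiling gateways in steps S110-S150. The class and function
# names (Endpoint, Packet, Policy, SecurityDevice, run_exchange) are
# assumptions; the addresses are the Fig. 2 values for virtual network Net1.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    """IP and MAC pair as carried in a packet header."""
    ip: str
    mac: str


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: bytes


class Policy:
    """Pre-stored compiling policy: the real <-> virtual mapping for one
    virtual network. Both gateways hold the same table, so each side can
    compile the peer's virtual address as well as its own."""

    def __init__(self, pairs: Dict[Endpoint, Endpoint]):
        self.real_to_virtual = dict(pairs)
        self.virtual_to_real = {v: r for r, v in pairs.items()}

    def compile(self, real: Endpoint) -> Endpoint:
        return self.real_to_virtual[real]

    def restore(self, virtual: Endpoint) -> Optional[Endpoint]:
        # None means the address is not one this policy ever issued.
        return self.virtual_to_real.get(virtual)


class SecurityDevice:
    """Gateway A (initiator side) or gateway B (receiver side)."""

    def __init__(self, name: str, policy: Policy):
        self.name = name
        self.policy = policy
        self.dropped = 0

    def outbound(self, pkt: Packet) -> Packet:
        """S120 / S140: a hijacked packet leaving the protected host gets both
        headers rewritten to virtual addresses before it goes onto the line."""
        return Packet(self.policy.compile(pkt.src),
                      self.policy.compile(pkt.dst), pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """S130 / S150: restore the real addresses. If either address is not
        in the policy the packet is treated as untrusted and discarded."""
        src = self.policy.restore(pkt.src)
        dst = self.policy.restore(pkt.dst)
        if src is None or dst is None:
            self.dropped += 1
            return None
        return Packet(src, dst, pkt.payload)


# Real and virtual network information from Fig. 2 (Net1, PC1 initiates).
PC1_REAL = Endpoint("172.16.1.1", "000FC5056EB0")
PC2_REAL = Endpoint("172.16.1.200", "F04EDA092709")
PC1_VIRT = Endpoint("127.0.0.1", "000000001010")
PC2_VIRT = Endpoint("127.0.0.200", "000000001111")
NET1 = Policy({PC1_REAL: PC1_VIRT, PC2_REAL: PC2_VIRT})


def run_exchange() -> Tuple[Packet, Packet, Packet, Packet]:
    """Walk one request/response through both gateways and return the
    packet as seen (on the line, at PC2, on the line, at PC1)."""
    gw_a = SecurityDevice("gateway A", NET1)
    gw_b = SecurityDevice("gateway B", NET1)
    request = Packet(PC1_REAL, PC2_REAL, b"GET /")
    on_line = gw_a.outbound(request)          # S120: only virtual info on the line
    at_pc2 = gw_b.inbound(on_line)            # S130: PC2 sees PC1's real address
    reply = Packet(PC2_REAL, PC1_REAL, b"200 OK")
    reply_on_line = gw_b.outbound(reply)      # S140
    at_pc1 = gw_a.inbound(reply_on_line)      # S150
    return on_line, at_pc2, reply_on_line, at_pc1


def forged_packet_is_dropped() -> bool:
    """A packet arriving with a source the policy never issued (here a real
    address copied from the physical network) never reaches the receiver."""
    gw_b = SecurityDevice("gateway B", NET1)
    forged = Packet(PC1_REAL, PC2_VIRT, b"x")
    return gw_b.inbound(forged) is None and gw_b.dropped == 1


if __name__ == "__main__":
    for p in run_exchange():
        print(p)
    print("forged dropped:", forged_packet_is_dropped())
```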
In the embodiment of the present invention, in order to further enhance the security of data transmission, the data packet transmitted between the initiator and the receiver may further be an encrypted data packet.
The compilation of the virtual address can be dynamically performed by using a compiler of the security device (such as a gateway), so that the virtual network established between the security devices can be conveniently disconnected based on the completion condition of the service, and a new virtual network can be established based on a new service. In the prior art, if a certain service requirement needs to be disconnected from the network, the whole physical line needs to be disconnected, so that the use of other users is affected.
In an existing real network, every communicating device must have a corresponding real IP address/MAC address configured on a physical interface so that the corresponding network segment routing information is generated. In the embodiment of the invention, by contrast, the data of the initiator is obtained by a hijacking technique, so no corresponding IP/MAC address needs to be configured on the physical interfaces of the communicating devices concerned (the gateways and other security devices of the invention). In that case, the virtualized segment address newly established by the security device can be broadcast over the real physical line; when the data reaches the corresponding receiver at the opposite end, the receiver's security device restores the communication according to the virtual network address and the corresponding real physical IP/MAC address, while any device that is not the intended receiver cannot restore the real internal IP/MAC addresses or the session link and therefore discards a message it cannot accept. This effectively prevents the network devices from being attacked by hackers.
In embodiments of the present invention, one or more communication initiators may be connected to a first security device and one or more target recipients (e.g., target servers) may be connected to a second security device.
No matter the first safety device and/or the second safety device is connected with a plurality of terminals or servers, the data transmission method based on the virtual network can create one or a plurality of virtual regeneration networks, and different access authorities can be set for different users or application services through the setting, so that the service can be better monitored.
Fig. 3-6 are schematic diagrams of a data transmission system based on a virtualization network according to various embodiments of the present invention.
Fig. 3 shows a case where one first security device (gateway A) is connected to a plurality of computer devices (only two are shown in the figure), and one second security device (gateway B) is connected to a plurality of servers (only two are shown in the figure). In fig. 3, a plurality of virtual networks are established between gateway A and gateway B according to the different application services that the computer devices request from the servers, so that data transmission for each application service uses its own virtual network. In fig. 3, when the second computer device (with an actual IP address of 172.16.1.1) accesses a video server with an IP address of 172.16.1.200 for a video conference application, gateway A may choose to establish virtual network 1 (net 1: 192.168.10.25/24) within the candidate network IP address range 192.168.0.0/16, and virtual network 1 uses the 192.168.10.25/24 IP address segment for virtual communication between gateway A and gateway B. When the first computer device (IP address 172.16.1.10) accesses a mail server with IP address 172.16.1.100 for a mail service application, gateway A may choose to establish virtual network 2 (net 2: 192.168.0.0/16) within the candidate network IP address range 192.168.0.0/16, and virtual communication between gateway A and gateway B uses the 192.168.0.0/16 IP address segment.
Fig. 4 shows a situation in which a first security device (gateway a) is connected to a computer device (client) and a second security device (gateway B) is connected to a server. Even though gateway a and gateway B are each connected to only one computer device and server, they can still create multiple virtual networks, as shown in fig. 4, 2 virtual networks 1 and 2 are created within a selected candidate network IP address range, two virtual networks can be created based on the difference in access time of the computer device to the server, two virtual networks can be created based on the change in the corresponding access authority when the computer device belongs to different user groups, and the like. Fig. 5 shows a case where one first security device (gateway a) is connected to a plurality of computer devices (only two are shown in the figure), and one second security device (gateway B) is connected to one server. Fig. 6 shows a case where one first security device (gateway a) is connected to one computer device and one second security device (gateway B) is connected to a plurality of servers (only two are shown in the figure). As shown in fig. 3-6, multiple parallel virtual networks may be established between a first security device and a second security device. In a case where a plurality of virtualization networks are created between the first security device and the second security device based on the service request messages of the plurality of communication initiators, the later-established virtualization network may be a parallel virtualization network of the previously-established virtualization network or a sub-virtualization network (next-level virtualization network) included in the previously-established virtualization network. The created virtualized network may be set to have access to its child virtualized networks; but the child virtualized network is set so as not to access its upper level virtualized network (parent virtualized network).
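Segment selection from the candidate class ranges (as described for the compiling policy above) together with the parent/child access rule for nested virtual networks, as an added example that is not the patent's own code: CLASS_RANGES, PREFERRED_CLASSES, candidate_subnets, select_virtual_segment, may_access and demo are assumed names, and the 172.16.1.0/24 and 192.168.x.x networks are taken from the figures.

```python
# Added example, not code from the patent: choosing a virtual address segment
# from the candidate class ranges so that it conflicts with nothing on the
# physical line, plus the parent/child access rule for nested virtual networks.
# CLASS_RANGES, PREFERRED_CLASSES, candidate_subnets, select_virtual_segment,
# may_access and demo are assumed names.
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, Iterator, List, Optional

# Conventional classful spans; the page quotes class A by network number
# (1.0.0.0 to 126.0.0.0), here the full host span of each class is used.
CLASS_RANGES = {
    "A": (IPv4Address("1.0.0.0"), IPv4Address("126.255.255.255")),
    "B": (IPv4Address("128.0.0.0"), IPv4Address("191.255.255.255")),
    "C": (IPv4Address("192.0.0.0"), IPv4Address("223.255.255.255")),
}

# Page's rule of thumb: services with many visitors draw from class A or B,
# services with few visitors from class B or C.
PREFERRED_CLASSES = {"large": ("A", "B"), "small": ("B", "C")}


def candidate_subnets(cls: str, prefix_len: int) -> Iterator[IPv4Network]:
    """Yield every aligned /prefix_len block inside the class span, lowest first."""
    lo, hi = CLASS_RANGES[cls]
    block = 1 << (32 - prefix_len)
    addr = int(lo)
    while addr + block - 1 <= int(hi):
        yield IPv4Network((addr, prefix_len))
        addr += block


def select_virtual_segment(service_size: str, prefix_len: int,
                           physical_nets: Iterable[IPv4Network],
                           in_use: Iterable[IPv4Network]) -> Optional[IPv4Network]:
    """First block in the preferred classes that overlaps neither a real
    network on the physical line nor a virtual network already handed out.
    Returns None when every candidate block is taken."""
    taken: List[IPv4Network] = list(physical_nets) + list(in_use)
    for cls in PREFERRED_CLASSES[service_size]:
        for net in candidate_subnets(cls, prefix_len):
            if not any(net.overlaps(t) for t in taken):
                return net
    return None


def may_access(src_net: IPv4Network, dst_net: IPv4Network) -> bool:
    """Access rule from the page: a virtual network may reach itself and any
    sub-network it contains; a child may not reach its parent, and parallel
    (disjoint) networks cannot reach each other."""
    return dst_net.subnet_of(src_net)


def demo() -> tuple:
    """Constructed scenario: the real segment of PC1/PC2 (Fig. 2) is on the
    line; a large service and a small service each get a /24; then the
    Fig. 3 nesting (net2 192.168.0.0/16 containing net1 192.168.10.0/24)."""
    physical = [IPv4Network("172.16.1.0/24")]
    video = select_virtual_segment("large", 24, physical, [])
    mail = select_virtual_segment("small", 24, physical, [video])
    # If the line itself occupied 128.0.0.0/16 the chooser would skip past it.
    clash = select_virtual_segment("small", 24, [IPv4Network("128.0.0.0/16")], [])
    net1 = IPv4Network("192.168.10.25/24", strict=False)   # page writes host/24
    net2 = IPv4Network("192.168.0.0/16")
    return (str(video), str(mail), str(clash),
            may_access(net2, net1), may_access(net1, net2))


if __name__ == "__main__":
    print(demo())
```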
In the embodiment of the invention, a plurality of virtual networks are established by depending on the same physical line, different application services or ports in actual physical communication are virtualized by corresponding to communication sessions in a physical actual network through different network segments of the virtual networks, and the influence on the virtual network communication caused by session hijacking, penetration invasion attack and the like in the physical network can be prevented.
Corresponding to the above method, the present invention also provides a data transmission system based on a virtualized network, the system comprising a first security device located on the communication initiator side and a second security device located on the communication receiver side; wherein the first security device is configured to: hijack a service request message sent from the communication initiator; determine a mapping relation between the real network information and the virtual network information of the sender and the receiver based on a pre-stored compiling policy, compile the network address of the initiator based on that mapping relation using a first compiler so as to create a virtualized network on the established physical line between the initiator and the receiver, and send a service request message to the receiver based on the virtualized network over the established physical line; and receive a data message from the second security device, analyze and restore the compiled virtual network address of the receiver using the first compiler based on the pre-stored compiling policy, and, after the restoration succeeds, forward the data message carrying the real network address of the receiver to the initiator;
the second security device is configured to: hijack the data message sent from the communication receiver, compile the network address of the receiver into a virtual network address using a second compiler based on a pre-stored compiling policy, and send the data message carrying the virtual network address of the receiver to the initiator based on the established virtual network over the established physical line between the initiator and the receiver; and receive a data request message from the first security device, analyze and restore the compiled virtual network address of the initiator using the second compiler based on the pre-stored compiling policy, and, after the restoration succeeds, forward the service request message carrying the real network address of the initiator to the receiver.
The first security device and the second security device do not add, modify or delete the original IP address, subnet mask, MAC address, directly connected route, next-hop gateway route, DNS, WINS, NetBIOS or other information on the original physical line or on the physical interface of the device newly added to the original physical line. Instead, the compilers of the security devices at the two communicating ends generate a virtual IP address segment, a virtual MAC address, a virtual route, a virtual communication port and the like, creating a virtual network between the security devices of the initiator and the receiver on the established physical line, and data is transmitted over the established physical line through that virtual network by data link layer ARP addressing in broadcast mode or by network layer routing. The invention changes neither the original network structure, routing entries and forwarding paths, nor the communication mechanism and network topology, and can improve network security without the user noticing.
In addition, the virtual network can be created repeatedly, can be reused repeatedly, and is simple to realize and low in cost.
In accordance with the foregoing method, the present invention also provides a network security device (e.g., a gateway) based on a virtualized network, the network security device being configured to connect with at least one first-end communication device, the network security device comprising a processor and a memory, the memory storing computer instructions, the processor being configured to execute the computer instructions stored in the memory, and the computer instructions when executed by the processor implementing the steps of:
hijacking a data message sent from the at least one first-end communication device, compiling the network address of each first-end communication device by using a first compiler based on a first pre-stored compiling strategy to obtain the virtual network address of each first-end communication device, so as to construct one or more virtual regeneration networks based on the virtual network address of the first-end communication device and the virtual network address of an opposite-end communication device compiled by an opposite-end network security device connected with the opposite-end communication device for the opposite-end communication device;
the network security device receives a message from the opposite-end communication device, analyzes and restores the virtual network address of the opposite-end communication device using the first compiler based on a pre-stored first analysis policy that corresponds to the compiling policy of the opposite-end network security device, and, after the restoration succeeds, forwards the message carrying the restored network address of the opposite-end communication device to the first-end communication device.
In the environment of a customer's private network or local area network, the network security device cannot be detected or discovered: it cannot be port-scanned by malicious persons using hacker tools, nor subjected to password cracking, system vulnerability mining and the like, so it is self-concealing. Because the network security device is added between the communication initiator side and the receiver side, the original network structure is not changed, no real IP/MAC address identification is added, and the original network routing entries, routing forwarding paths, communication mechanism and network topology are not changed.
Those of ordinary skill in the art will appreciate that the various illustrative components, systems, and methods described in connection with the embodiments disclosed herein may be implemented as hardware, software, or combinations thereof. Whether this is done in hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, a plug-in, a function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link. A "machine-readable medium" may include any medium that can store or transfer information. Examples of a machine-readable medium include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, Radio Frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, intranets, etc.
It should also be noted that the exemplary embodiments mentioned in this patent describe some methods or systems based on a series of steps or devices. However, the present invention is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, may be performed in an order different from the order in the embodiments, or may be performed simultaneously.
Features that are described and/or illustrated with respect to one embodiment may be used in the same way or in a similar way in one or more other embodiments and/or in combination with or instead of the features of the other embodiments in the present invention.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes may be made to the embodiment of the present invention by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (12)

1. A data transmission method based on a virtualization network is characterized by comprising the following steps:
a first safety device at the side of a communication initiator acquires a service request message sent from the communication initiator by utilizing a hijacking technology;
determining, by the first security device, a mapping relationship between real network information and virtual network information of a sender and a receiver based on a pre-stored compilation policy, compiling, by a first compiler, a network address of the initiator based on the mapping relationship to create a virtualized network on an established physical line between the initiator and the receiver, and sending, by the established physical line, a service request message to the receiver based on the virtualized network;
after receiving the service request message from the first security device, the second security device on the communication receiver side analyzes and restores the compiled virtual network address of the initiator using a second compiler based on a pre-stored compiling policy, and, after the restoration succeeds, forwards the service request message carrying the real network address of the initiator to the receiver;
the second safety equipment acquires a data message returned from the communication receiving party to the communication initiator by utilizing a hijacking technology, compiles the network address of the receiving party into a virtual network address by utilizing a second compiler based on a pre-stored compiling strategy, and sends the data message with the virtual network address of the receiving party to the initiator based on an established virtual network by utilizing an established physical line between the initiator and the receiving party;
after the first security device receives the data message from the second security device, the first compiler analyzes and restores the compiled virtual network address of the receiver based on a pre-stored compiling policy, and, after the restoration succeeds, the data message carrying the real network address of the receiver is forwarded to the initiator;
the physical network card interfaces of the first safety equipment and the second safety equipment do not have IP addresses and MAC addresses, and the first safety equipment and the second safety equipment are gateways;
the compiling strategy in the second safety device is the same as or corresponds to the compiling strategy in the first safety device.
2. The method of claim 1,
one or more communication initiators are connected with a first safety device;
one or more communication receivers are connected with a second safety device;
the pre-stored compiling strategy of the first safety device and the second safety device comprises a mapping relation between real network information and virtual network information of a sender and a receiver, and the mapping relation comprises a mapping relation between a real IP address and a virtual IP address.
3. The method of claim 1,
the sending a service request message to a receiver based on the virtual network by using the established physical line includes: sending a data message with an initiator virtual network address and a receiver virtual network address to a receiver by using a compiled virtual network address through a physical line between the initiator and the receiver in a data link layer ARP addressing broadcast mode or a network layer routing mode;
the sending a data message with a virtual network address of a receiver to an initiator based on the virtualized network by using the established physical line between the initiator and the receiver comprises: and sending a data message with the virtual network address of the receiver and the virtual network address of the initiator to the initiator by using the compiled virtual network address through a physical line between the initiator and the receiver in a data link layer ARP addressing broadcast mode or a network layer routing mode.
4. The method of claim 2,
the mapping relationship further comprises at least one of the following mapping relationships: the mapping relationship between the real MAC address and the virtual MAC address, the mapping relationship between the real IP port and the virtual IP port, the corresponding relationship between the real route and the virtual route and the corresponding relationship between the real network protocol and the virtual network protocol.
5. The method of claim 2, wherein the virtualized IP address is an address segment selected from a predetermined plurality of candidate network IP address ranges, the plurality of candidate network IP address ranges including some or all of: a class A network IP address range, a class B network IP address range, and a class C network IP address range.
6. The method of claim 1, further comprising:
if the real network address cannot be parsed and restored based on the pre-stored compiling strategy, discarding, by the first security device and/or the second security device, the data message to be transmitted.
7. The method of claim 1, wherein, when a plurality of virtualized networks are created between the first security device and the second security device based on the service request messages of a plurality of communication initiators, a later-established virtualized network is either a parallel virtualized network of a previously established virtualized network or a sub-virtualized network contained within the previously established virtualized network.
8. The method of claim 7, wherein a created virtualized network is set to have access to its child virtualized networks, and a child virtualized network is set to have no access to its parent virtualized network.
9. The method of claim 1, wherein the data packets transmitted between the initiator and the recipient are encrypted data packets.
10. A data transmission system based on a virtualized network, the system comprising: a first security device located on the communication initiator side and a second security device located on the communication receiver side;
wherein the first security device is configured to:
hijack a service request message sent from a communication initiator;
determine a mapping relation between the real network information and the virtual network information of the sender and the receiver based on a pre-stored compiling strategy, compile the network address of the initiator based on the mapping relation using a first compiler so as to create a virtualized network on an established physical line between the initiator and the receiver, and send the service request message to the receiver based on the virtualized network over the established physical line;
receive a data message from the second security device, parse and restore the compiled virtual network address of the receiver using the first compiler based on the pre-stored compiling strategy, and, after successful restoration, forward the data message carrying the receiver's real network address to the initiator;
the second security device is configured to:
hijack a data message sent from the communication receiver, compile the network address of the receiver into a virtual network address using a second compiler based on the pre-stored compiling strategy, and send the data message carrying the receiver's virtual network address to the initiator based on the established virtualized network over the established physical line between the initiator and the receiver;
receive a data request message from the first security device, parse and restore the compiled virtual network address of the initiator using the second compiler based on the pre-stored compiling strategy, and, after successful restoration, forward the service request message carrying the initiator's real network address to the receiver;
the physical network card interfaces of the first security device and the second security device have no IP address and no MAC address, and the first security device and the second security device are gateways; and
the compiling strategy in the second security device is the same as, or corresponds to, the compiling strategy in the first security device.
11. A network security device configured to interface with at least one first-end communication device, wherein a physical network card interface of the network security device has no IP address and no MAC address, wherein the network security device is a gateway, wherein the network security device comprises a processor and a memory, wherein the memory stores computer instructions, and wherein the processor is configured to execute the computer instructions stored in the memory, the computer instructions, when executed by the processor, implementing the steps of:
hijacking a data message sent from the at least one first-end communication device, determining a mapping relation between the real network information and the virtual network information of the current-end communication device and the opposite-end communication device based on a pre-stored compiling strategy, compiling the network address of the first-end communication device based on the mapping relation using a first compiler so as to create a virtualized network on an established physical line between the current-end communication device and the opposite-end communication device, and sending a service request message to the opposite-end communication device based on the virtualized network over the established physical line;
receiving, from the opposite-end network security device, a message originating from the opposite-end communication device, parsing and restoring the compiled virtual network address of the opposite-end communication device using the first compiler based on the pre-stored compiling strategy, and, after successful restoration, forwarding the data message carrying the real network address of the opposite-end communication device to the current-end communication device;
wherein the compiling strategy in the network security device is the same as, or corresponds to, the compiling strategy in the opposite-end network security device.
12. The network security appliance of claim 11, wherein the virtual network address comprises a segment of a virtualized IP address selected from a predetermined plurality of segments of candidate network IP addresses.
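As an added illustration (not code from the patent or its applicant), a toy Python model of the compile/restore address mapping the claims describe: both security devices share one pre-stored mapping policy drawn from a candidate IP range (claim 5), a virtual address the policy cannot restore causes the message to be discarded (claim 6), and parent/child virtualized networks follow the access rule of claim 8. The host addresses, the candidate range, and the function names are constructed assumptions.

```python
# Added example, not the patent's code: a toy model of the claimed compile/restore
# address mapping shared by two security devices. All addresses are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


def build_policy(real_hosts, candidate_range, offset=1):
    """Map each real IP to a virtual IP from one candidate range (claim 5: a segment
    chosen from class A/B/C ranges). Deterministic, so both devices derive the same map."""
    net = ipaddress.ip_network(candidate_range)
    return {real: str(net[offset + i]) for i, real in enumerate(real_hosts)}


class SecurityDevice:
    """Gateway holding the pre-stored mapping policy; it owns no IP or MAC itself."""
    def __init__(self, policy):
        self.to_virtual = dict(policy)
        self.to_real = {v: k for k, v in policy.items()}

    def compile(self, pkt: Packet) -> Packet:
        # Outbound: only virtual addresses appear on the physical line.
        return Packet(self.to_virtual[pkt.src], self.to_virtual[pkt.dst], pkt.payload)

    def restore(self, pkt: Packet) -> "Packet | None":
        # Inbound: an address the policy cannot restore means the message is discarded (claim 6).
        try:
            return Packet(self.to_real[pkt.src], self.to_real[pkt.dst], pkt.payload)
        except KeyError:
            return None


def relay(policy, pkt: Packet):
    """Initiator-side device compiles, receiver-side device restores the same message."""
    first, second = SecurityDevice(policy), SecurityDevice(policy)
    on_wire = first.compile(pkt)
    return on_wire, second.restore(on_wire)


def may_access(src_net: str, dst_net: str) -> bool:
    """Claim 8: a parent virtual network may reach its child, never the reverse.
    Unrelated (parallel) networks are denied here; that is an assumption, the claims leave it open."""
    s, d = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    return s == d or d.subnet_of(s)


if __name__ == "__main__":
    policy = build_policy(["192.168.1.10", "192.168.2.20"], "10.0.0.0/8")
    print(relay(policy, Packet("192.168.1.10", "192.168.2.20", b"service request")))
```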
CN202211318260.4A 2021-07-12 2021-07-12 Data transmission method, device and system based on virtualization network Pending CN115694951A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211318260.4A CN115694951A (en) 2021-07-12 2021-07-12 Data transmission method, device and system based on virtualization network

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110786333.1A CN113242270A (en) 2021-07-12 2021-07-12 Data transmission method, device and system based on virtualization network
CN202211318260.4A CN115694951A (en) 2021-07-12 2021-07-12 Data transmission method, device and system based on virtualization network

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN202110786333.1A Division CN113242270A (en) 2021-07-12 2021-07-12 Data transmission method, device and system based on virtualization network

Publications (1)

Publication Number Publication Date
CN115694951A true CN115694951A (en) 2023-02-03

Family

ID=77135449

Country Status (1)

Country Link
CN (2) CN113242270A (en)

Also Published As

Publication number Publication date
CN113242270A (en) 2021-08-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination