CN1160899C - Distributed dynamic network security protecting system - Google Patents


Info

Publication number
CN1160899C
Authority
CN
China
Prior art keywords
module
subnet
rule
network
security
Legal status
Expired - Fee Related
Application number
CNB021159572A
Other languages
Chinese (zh)
Other versions
CN1384639A (en)
Inventor
韩宗芬
金海
刘科
鲜丰
易川江
孙建华
郭立
Current Assignee
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology
Application filed by Huazhong University of Science and Technology
Priority to CNB021159572A
Publication of CN1384639A
Application granted
Publication of CN1160899C
Anticipated expiration
Current legal status: Expired - Fee Related

Abstract

The present invention relates to a distributed network security protection system. An aggregation decision module and a policy distribution module are configured at the network's central management station. The network is divided into N subnets according to a tree structure, and the management station of each subnet is likewise configured with an aggregation decision module and a policy distribution module. A micro intrusion detection module and a micro-firewall module are installed on every node of each subnet. The policy distribution modules use mobile-agent technology. The distributed micro intrusion detection modules protect the application layer, and the distributed micro-firewall modules protect the network layer at kernel level. The system treats not only a network segment but also each individual node as a protected object, so protection is provided at two granularities. Compared with traditional intrusion detection and firewall products, the system defends against both external and internal attacks, is highly scalable, has no single point of failure, defends against coordinated intrusions, protects in real time, and is dynamically self-immunizing.

Description

Distributed dynamic network security protecting system
Technical field
The invention belongs to the field of computer security, and specifically relates to a dynamic network security protection system based on distributed micro-firewalls and distributed micro intrusion detection.
Background technology
With the steady increase in network crime and the proliferation of hacker web sites, network security has become a vital issue in computing and its applications, and network security tools have appeared in an endless stream. Although network protocols are constantly being revised, the most mature and commercially established of these tools, and the ones attracting the most attention, are intrusion detection and firewall technology. Both are application-level security technologies built on modern communication network technology and information security technology, and their goal is to protect data, resources and the reputation of users.
A technical report by China's network security response center points out two main challenges facing current intrusion detection systems. The first is that the false-alarm rate is too high; the U.S. government has used National Science Foundation funding to subsidize academic research on the false-alarm problem, which shows how serious it is. The second is that detection is too slow: most current intrusion detection systems still cannot handle the data volume of a fully loaded 100 Mbit/s network without sacrificing detection quality.
In 1999, S. M. Bellovin's article "Distributed Firewalls", published in ;login: magazine, volume 24, issue 5, first proposed the distributed firewall architecture, sketched in Figure 1. In this architecture a firewall is installed on each node of the protected subnet to perform packet access control, while a central management platform manages the firewalls' security policy centrally and pushes it to each firewall through a policy distribution module; the distribution mechanism uses TFTP (Trivial File Transfer Protocol). This architecture eliminates several weaknesses of traditional firewalls (for example, dependence on the physical network topology, inability to prevent internal attacks, low efficiency, many points of failure, and inability to handle end-to-end encryption protocols such as IPsec effectively). However, as the number of protected nodes grows, the policy distribution load on the central management platform grows with it, reducing the system's scalability; moreover, this architecture cannot prevent increasingly serious cooperative intrusions and cannot effectively achieve dynamic self-immunity.
Summary of the invention
Addressing the shortcomings of existing intrusion detection and firewall technology, the present invention proposes a distributed dynamic network security protection system. The system organically combines distributed micro intrusion detection with micro-firewall technology: a micro-firewall and a micro intrusion detection system are installed on every protected host, and the aggregation decision and policy distribution mechanisms of the management console analyze, correlate, warn of and handle intrusion events. This forms two-layer, fine-grained protection that effectively prevents attacks from both outside and inside the network, eliminates the firewall bottleneck, avoids single points of failure, guards against distributed cooperative intrusions, and effectively achieves dynamic self-immunity and scalable expansion of the system. The system uses mobile-agent technology, whose autonomous operation relieves the bottleneck at the management console, effectively prevents a single point of failure at the policy management platform, and gives the system good scalability.
In terms of operating principle the system has two main parts: the micro-firewall system and micro intrusion detection system installed on each protected node, and the IDS aggregation decision module and firewall policy distribution module installed on the central management platform.
In the distributed dynamic network security protection system of the present invention, the network's central management platform is configured with an aggregation decision module and a policy distribution module; the network is divided into N subnets according to a tree structure, N ≥ 1; each subnet management platform is likewise configured with an aggregation decision module and a policy distribution module; and every node in a subnet has a micro intrusion detection module and a micro-firewall module installed.
The micro-firewall module of each subnet node receives network packets, discards illegal packets, and passes legal packets to the micro intrusion detection module of the same node;
The micro intrusion detection module inspects the packets; if a conventional intrusion occurs it modifies the security policy of the micro-firewall module, otherwise it sends the security event to the aggregation decision module of the subnet;
The aggregation decision module of each subnet detects cooperative intrusions from the current security events sent by the nodes of the subnet and decides from their severity whether they need to be passed to the upper-level management platform; if not, it notifies the policy distribution module, which starts the subnet mobile-agent system, logs on to each node of the subnet and modifies the security policy of the micro-firewall module;
The aggregation decision module of the central management platform receives the cooperative intrusion events sent by the aggregation decision modules of the subnets and notifies the policy distribution module to generate a global security policy; the policy distribution module starts the global mobile-agent system and sends the policy to the policy distribution module of each subnet management platform, thereby modifying the security policy of the micro-firewall modules of all nodes.
In the described distributed dynamic network security protection system, each subnet may be further divided into several levels of sub-subnets.
The described distributed dynamic network security protection system is further characterized in that:
(1) the micro-firewall module comprises a packet filtering module and a packet filtering policy library. The policy library defines the current security policy; the packet filtering module resides at the network protocol layer and filters all packets passing through that layer according to the policy library, discarding illegal packets and submitting legal packets to the micro intrusion detection module;
(2) the micro intrusion detection module comprises an event collector, a conventional security event library, a conventional intrusion rule base, a conventional intrusion analyzer and a conventional intrusion responder. The event collector gathers in real time the packets passed on by the packet filtering module, assembles them into network security events in a predefined format, stores them in the conventional security event library and sends them simultaneously to the conventional intrusion analyzer and to the aggregation decision module. The conventional intrusion rule base stores rules describing conventional intrusions; the conventional intrusion analyzer converts these rules into a rule chain and matches the incoming network security events against it by traversal; when a complete match occurs it notifies the conventional intrusion responder, which modifies the packet filtering policy library;
(3) the aggregation decision module comprises an event receiving module, a cooperative security event generation module, an abstraction module, a support and confidence computation module, a threshold comparison module, a cooperative event database, a cooperative intrusion analyzer and a cooperative intrusion rule base. The event receiving module receives the network security events sent by the event collectors of the micro intrusion detection modules, stores them in the cooperative event database and simultaneously has the cooperative security event generation module produce cooperative security events, which are passed to the abstraction module. That module abstracts every byte of a cooperative security event into a value range and passes the result, as a candidate new cooperative intrusion rule Y, to the support and confidence computation module, which traverses every security rule X in the cooperative intrusion rule base, computes the support and confidence of X associated with Y and passes them to the threshold comparison module, where they are compared with the predefined minimum support threshold and minimum confidence threshold; if both exceed their thresholds, Y is stored in the cooperative intrusion rule base. The cooperative intrusion analyzer determines the type of the cooperative intrusion event from the cooperative event database and the cooperative intrusion rule base, produces the corresponding security policy and passes it to the policy distribution module;
(4) the subnet/global mobile-agent system consists of a mobile-agent client residing on the subnet/central management platform and a mobile-agent server residing on each node/subnet management platform. The mobile-agent client comprises a user interface, a signature module, an agent route record module and a client agent transport protocol stack. The user interface defines the digital signature algorithm type of the mobile agent and submits it to the signature module, and also defines the contents of the agent route record; the signature module digitally signs the mobile agent so that the policy distribution module of each node/subnet can verify it; the agent route record module stores the sequence of nodes/subnet management platforms the mobile agent will visit; and the client interacts with the server through the client agent transport protocol stack. The mobile-agent server comprises a server agent transport protocol stack, an agent resource control module, a validity check module and a policy interpreter. The client and server agent transport protocol stacks provide the underlying client/server information exchange mechanism; the agent resource control module provides the execution environment for the mobile agent; the validity check module verifies the mobile agent's digital signature and passes the security policy carried by the agent to the policy interpreter, which interprets the security policy into a policy script and loads it into the packet filtering policy library of the micro-firewall module.
The described distributed dynamic network security protection system is further characterized in that:
(1) the micro-firewall module also comprises a policy definition user interface and a policy sandbox module. The policy definition user interface lets the user define security policy rules and passes them to the policy sandbox module, which compares each user-defined rule with the rules in the packet filtering policy library; if a conflict is found the user-defined rule is discarded, otherwise it is stored in the packet filtering policy library;
(2) the aggregation decision module also comprises a rule elimination module and a timer. The rule elimination module defines a usage frequency for each new cooperative intrusion rule Y; whenever Y supports an abstracted cooperative intrusion event, its usage frequency is incremented by 1. When the number of generated cooperative intrusion rules in the cooperative intrusion rule base reaches its maximum, this module uses a least-recently-used algorithm to eliminate rules of low usage frequency. The timer signals the rule elimination module periodically so that the least-used intrusion rules are eliminated.
The described distributed dynamic network security protection system may further be characterized in that a cooperative security event is a set of mutually related network security events. They may be related in time, that is, ordered by time of occurrence with the interval between any two adjacent events not exceeding a specified unit interval; or they may be related in space, that is, the source network protocol addresses of the network security events making up the cooperative security event come from the same subnet.
The distributed dynamic network security protection system of the present invention has the following advantages and effects.
1) Dual protection
The system comprises two mutually parallel subsystems: the distributed micro intrusion detection module (DM-IDS) protects the application layer, and the distributed micro-firewall module (DM-Firewall) protects the network layer at kernel level, thereby providing dual protection.
2) Fine-grained protection
The system treats not only the network segment as the unit of protection but also the individual node as an object of protection, thereby achieving fine-grained protection. The micro intrusion detection system (M-IDS) and micro-firewall system (M-Firewall) installed on each node can independently detect and respond to intrusions, which not only eliminates the single point of failure but also lets the system detect internal and external attacks simultaneously.
3) Scalable tree architecture
The layered tree management model makes maintenance and management easy to extend; the autonomous movement of mobile agents saves network bandwidth effectively, so that system efficiency does not fall as the number of protected nodes grows, which gives the system scalability; and Java is used as the development tool for platform independence.
4) Dynamic self-immunity
The system divides intrusions into two kinds, conventional intrusions and cooperative intrusions. The micro intrusion detection collects all kinds of security events; if it finds a conventional intrusion, it immediately modifies the policy of the node's micro-firewall to stop further inflow of the intrusion packets (conventional intrusion response); if a cooperative intrusion is found, the aggregation decision module notifies the policy distribution module to issue an updated policy to all micro-firewalls (cooperative intrusion response). These two responses give the system a dynamic self-immunity function.
5) Defense against cooperative intrusions
Coordinated attacks in distributed environments grow day by day, and traditional intrusion detection technology cannot meet application demands. This system uses an aggregation decision technique to aggregate, correlate and detect cooperative intrusion behaviour distributed in time and space, and updates the security policy of all micro-firewalls to protect dynamically.
Description of drawings
Fig. 1: architecture of the existing distributed firewall.
Fig. 2: architecture of the distributed dynamic network security protection system based on distributed micro-firewalls and micro intrusion detection.
Fig. 3: flow diagram of the distributed dynamic network security protection system of the present invention.
Fig. 4: structure and software diagram of the distributed micro-firewall module.
Fig. 5: structure and software diagram of the distributed micro intrusion detection module.
Fig. 6: structure and software diagram of the aggregation decision module.
Fig. 7: structure and software diagram of the mobile-agent module.
Embodiment
A dynamic network security system based on distributed micro-firewalls and micro intrusion detection is built on a cluster of 16 node machines, whose basic configuration is shown in Table 1.
CPU           | Memory | Hard disk | Network card | Operating system | Network
Dual PIII 866 | 256M   | 30G       | 3C905B       | Linux 6.2        | 100M switch
Table 1: hardware and network configuration of each node
One node serves as the central management platform and the remaining service nodes are divided into groups by service, for example a Web group and an FTP group. Concretely: node 1 serves as the central management platform and loads the aggregation decision module and the policy distribution module; nodes 2 to 8 form the Web group and nodes 9 to 16 the FTP group, and every node loads the micro intrusion detection module and the micro-firewall module.
With reference to the drawings, the configuration of the whole system is as follows:
1) Packet filtering policy library (8)
This policy library has 6 fields; examples are given in Tables 2 and 3.
The micro-firewall of each node of the Web group (taking 17.0.0.1 as an example) has a configuration similar to Table 2, and the micro-firewall of each node of the FTP group (taking 17.0.0.2 as an example) has a configuration similar to Table 3.
Protocol | Source IP | Source port | Destination IP | Destination port | Action
TCP      | 10.0.0.1  | >1024       | 17.0.0.1       | 80               | ACCEPT
ANY      | ANY       | ANY         | 17.0.0.1       | ANY              | DROP
Table 2: configuration example for each node of the Web group (taking 17.0.0.1 as an example)
Protocol | Source IP | Source port | Destination IP | Destination port | Action
TCP      | 10.0.0.1  | >1024       | 17.0.0.2       | 21               | ACCEPT
ANY      | ANY       | ANY         | 17.0.0.2       | ANY              | DROP
Table 3: configuration example for each node of the FTP group (taking 17.0.0.2 as an example)
The fields are explained as follows:
Protocol: one of TCP, UDP, ICMP or ANY, where ANY means any protocol;
Source IP: the source IP address of the packet;
Source port: the source port of the packet;
Destination IP: the destination IP address of the packet;
Destination port: the destination port of the packet;
Action: the measure applied to a matching packet, either ACCEPT (accept) or DROP (refuse).
2) Conventional security event library (10)
This event library has 6 fields; an example is given in Table 4.
Protocol | Source IP | Source port | Destination IP | Destination port | Time
TCP      | 10.0.0.1  | 16666       | 17.0.0.1       | 80               | 2000.01.01.17.00
TCP      | 10.0.0.1  | 16667       | 17.0.0.1       | 80               | 2000.01.01.17.03
Table 4: example of the conventional security event library
The fields are described as follows:
Protocol: the protocol type of the intrusion event, one of TCP, UDP or ICMP;
Source IP: the source IP address of the intrusion event;
Source port: the source port of the intrusion event;
Destination IP: the destination IP address of the intrusion event;
Destination port: the destination port of the intrusion event;
Time: the time at which the intrusion event occurred.
3) Conventional intrusion rule base (11)
This rule base has 5 fields; an example is given in Table 5.
Rule number | Attack type | Attacked service | Attack signature | Danger level
1           | Scan        | ANY              | "RST-ACK"        | 2
2           | DoS         | ANY              | "SYN"            | 0
Table 5: example of the conventional intrusion rule base
The fields are described as follows:
Rule number: the numeric identifier of a rule record;
Attack type: one of three kinds, Dictionary Attack, Scan (TCP scan) and DoS (denial-of-service attack);
Attacked service: a well-known service (such as Web or FTP); ANY means any service;
Attack signature: the symbolic signature code representing one attack;
Danger level: the extent of harm of the intrusion event, graded as most serious (level 0), serious (level 1) and less serious (level 2).
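The following is an added worked example, not code from the patent or its authors, of how items 1) to 3) fit together on one node: a first-match packet filter over the Table 2 policy library, the policy sandbox's conflict check, event collection in the Table 4 format, and matching of accepted packets against the Table 5 rule chain, with the conventional-intrusion response inserting a DROP rule for the offending source. The ">1024" port pattern syntax, the use of a symbolic TCP-flag string as the value compared with the attack signature, the definition of a rule conflict (same five-tuple, opposite action), the implicit default DROP when no rule matches, and all addresses and packets are assumptions and constructed sample data.

```python
# Node-level pipeline (added example, not the patent's code): first-match
# packet filter over Table 2/3 rules, policy-sandbox conflict check, event
# collection in the Table 4 format, and Table 5 rule matching that answers a
# conventional intrusion by inserting a DROP rule for the source.
# Assumptions: ">N"/"<N" port patterns, the packet's symbolic flag string is
# what the attack signature is compared with, a conflict is the same
# five-tuple with the opposite action, and no match means DROP.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "ANY"

@dataclass(frozen=True)
class FilterRule:            # one row of the packet filtering policy library
    proto: str
    src_ip: str
    src_port: str            # "80", ">1024" or ANY
    dst_ip: str
    dst_port: str
    action: str              # ACCEPT or DROP

@dataclass(frozen=True)
class Packet:                # constructed sample input
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = ""          # e.g. "SYN", "RST-ACK"; compared with the signature code

@dataclass(frozen=True)
class IntrusionRule:         # one row of the conventional intrusion rule base
    number: int
    attack_type: str
    service: str             # ANY or a service name resolved through SERVICE_PORTS
    signature: str
    danger: int              # 0 most serious .. 2 less serious

SERVICE_PORTS = {"Web": 80, "FTP": 21}

def _port_ok(pattern: str, port: int) -> bool:
    if pattern == ANY:
        return True
    if pattern[0] == ">":
        return port > int(pattern[1:])
    if pattern[0] == "<":
        return port < int(pattern[1:])
    return port == int(pattern)

def rule_matches(r: FilterRule, p: Packet) -> bool:
    return (r.proto in (ANY, p.proto) and r.src_ip in (ANY, p.src_ip)
            and _port_ok(r.src_port, p.src_port) and r.dst_ip in (ANY, p.dst_ip)
            and _port_ok(r.dst_port, p.dst_port))

class PolicyLibrary:
    """Ordered rules; the first match decides, and nothing matching is dropped."""
    def __init__(self, rules: List[FilterRule]):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        return next((r.action for r in self.rules if rule_matches(r, p)), "DROP")

    def sandbox_add(self, new: FilterRule) -> bool:
        """Policy sandbox: a rule whose five-tuple already exists with the opposite
        action conflicts and is discarded; otherwise it is inserted at the top."""
        key = lambda r: (r.proto, r.src_ip, r.src_port, r.dst_ip, r.dst_port)
        if any(key(r) == key(new) and r.action != new.action for r in self.rules):
            return False
        self.rules.insert(0, new)
        return True

class MicroIDS:
    def __init__(self, rules: List[IntrusionRule], firewall: PolicyLibrary):
        self.rules, self.firewall = list(rules), firewall
        self.event_library: List[Tuple] = []     # Table 4 rows

    def collect(self, p: Packet, time: str) -> Optional[IntrusionRule]:
        """Event collector and analyzer: record the event, traverse the rule chain,
        and on a full match let the responder block the source at the firewall."""
        self.event_library.append((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port, time))
        for rule in self.rules:
            service_ok = rule.service == ANY or SERVICE_PORTS.get(rule.service) == p.dst_port
            if service_ok and rule.signature == p.flags:
                self.firewall.sandbox_add(FilterRule(ANY, p.src_ip, ANY, p.dst_ip, ANY, "DROP"))
                return rule
        return None   # not a conventional intrusion; the event goes to the aggregation module

def node_pipeline(ids: MicroIDS, p: Packet, time: str):
    """Micro-firewall first; the micro-IDS sees only accepted packets."""
    decision = ids.firewall.decide(p)
    return decision, (ids.collect(p, time) if decision == "ACCEPT" else None)

def demo():
    web_fw = PolicyLibrary([FilterRule("TCP", "10.0.0.1", ">1024", "17.0.0.1", "80", "ACCEPT"),
                            FilterRule(ANY, ANY, ANY, "17.0.0.1", ANY, "DROP")])     # Table 2
    ids = MicroIDS([IntrusionRule(1, "Scan", ANY, "RST-ACK", 2),
                    IntrusionRule(2, "DoS", ANY, "SYN", 0)], web_fw)                 # Table 5
    pkts = [Packet("TCP", "10.0.0.1", 16666, "17.0.0.1", 80, "ACK"),      # normal request
            Packet("TCP", "10.0.0.1", 16667, "17.0.0.1", 80, "RST-ACK"),  # scan signature
            Packet("TCP", "10.0.0.1", 16668, "17.0.0.1", 80, "ACK"),      # same source, now blocked
            Packet("TCP", "10.0.0.9", 40000, "17.0.0.1", 22, "SYN")]      # hits the default DROP
    return [node_pipeline(ids, p, f"2000.01.01.17.{i:02d}") for i, p in enumerate(pkts)]

if __name__ == "__main__":
    for decision, rule in demo():
        print(decision, rule.number if rule else "-")
```

The third packet shows the self-immunity loop the page describes: the rule inserted by the responder is consulted by the filter before the IDS ever sees the next packet from that source. Because the response rule is inserted above the ACCEPT rule, first-match ordering is what makes it effective; appending it below the default DROP would leave it dead.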
4) Threshold comparator (18)
MinSupp and MinConf take integer values greater than 0. In this example the two thresholds are set to MinSupp=10 and MinConf=10;
5) Cooperative event database (19)
This database has 7 fields; an example is given in Table 6.
Cooperative intrusion event number | Correlation (S/T) | Intrusion type | Source IP | Destination IP | Intrusion time   | Danger level
1                                  | S                 | Scan           | 10.0.0.1  | 17.0.0.1       | 2000.01.01.17.00 | 2
1                                  | S                 | DoS            | 10.0.0.1  | 17.0.0.2       | 2000.01.01.17.03 | 0
Table 6: configuration example of the cooperative event database
The fields are explained as follows:
Cooperative intrusion event number: the number of one group of cooperative intrusion events;
Correlation: either spatial correlation (S) or temporal correlation (T);
Intrusion type: one of three kinds, Dictionary Attack, Scan (TCP scan) and DoS (denial-of-service attack);
Source IP: the source IP address of the intrusion behaviour;
Destination IP: the IP address attacked;
Intrusion time: the time at which the intrusion event occurred;
Danger level: the extent of harm of the intrusion event, graded as most serious (level 0), serious (level 1) and less serious (level 2).
6) Cooperative intrusion rule base (21)
This database has 6 fields; an example is given in Table 7.
Correlation (S/T) | Intrusion type | Spatial correlation degree | Temporal correlation degree | Danger level | Response policy
S                 | Scan           | >0.8                       | null                        | 2            | Disconnect
S                 | DoS            | >0.5                       | null                        | 0            | Rate limit
Table 7: configuration example of the cooperative intrusion rule base
The fields are explained as follows:
Correlation: either spatial correlation (S) or temporal correlation (T);
Intrusion type: one of three kinds, Dictionary Attack, Scan (TCP scan) and DoS (denial-of-service attack);
Spatial correlation degree: when the Correlation field is S, the range of the correlation degree of the spatially distributed intrusion behaviour that makes up one intrusion;
Temporal correlation degree: when the Correlation field is T, the correlation degree of the temporally distributed intrusion behaviour;
Danger level: the extent of harm of the intrusion event, graded as most serious (level 0), serious (level 1) and less serious (level 2);
Response policy: the global response policy for a given cooperative intrusion behaviour.
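The following is an added worked example, not code from the patent or its authors, of the aggregation decision module described in item (3) and the rule elimination module of item (2) above, using the Table 6 and Table 7 vocabulary and the thresholds of item 4): cooperative security events are formed by time correlation (adjacent gaps within a unit interval) and space correlation (same source subnet), each is abstracted into a candidate rule Y, Y is admitted only when its support and confidence against some existing rule X exceed MinSupp and MinConf, and the least-used rules are evicted when the rule base is full. The page does not define how support and confidence are computed or what "same subnet" means; the choices here (support as an absolute count of stored cooperative events covered by both X and Y, confidence as a percentage of the events covered by X, a /24 as the subnet, and (correlation, set of intrusion types, most serious danger level) as the abstraction) are assumptions, and all events are constructed.

```python
# Aggregation decision module (added example, not the patent's code): forms
# cooperative security events by time and space correlation, abstracts each
# into a candidate rule Y, admits Y only when its support and confidence with
# respect to some existing rule X exceed MinSupp and MinConf, and evicts
# low-frequency rules LRU-style when the rule base is full. Assumptions: the
# sample events, a /24 as "same subnet", the (correlation, types, danger)
# shape of an abstracted event, support as an absolute count and confidence
# as a percentage, which fits the page's integer thresholds.
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_network
from typing import List, Tuple

@dataclass(frozen=True)
class Event:
    src_ip: str
    dst_ip: str
    time: str          # "YYYY.MM.DD.HH.MM", the Table 4 format
    attack_type: str   # Scan / DoS / Dictionary Attack
    danger: int        # 0 most serious .. 2 less serious

def _ts(t: str) -> datetime:
    return datetime.strptime(t, "%Y.%m.%d.%H.%M")

def _subnet(ip: str, prefix: int = 24) -> str:
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def cooperative_events(events: List[Event], unit_minutes: int = 5):
    """Return (correlation, group) pairs. 'T': a time-ordered run whose adjacent
    gaps do not exceed the unit interval; 'S': events whose sources share a subnet.
    A group of one event is not cooperative and is dropped."""
    ordered = sorted(events, key=lambda e: _ts(e.time))
    groups, run = [], ordered[:1]
    for prev, cur in zip(ordered, ordered[1:]):
        if (_ts(cur.time) - _ts(prev.time)).total_seconds() <= unit_minutes * 60:
            run.append(cur)
        else:
            groups.append(("T", run))
            run = [cur]
    groups.append(("T", run))
    by_net = {}
    for e in ordered:
        by_net.setdefault(_subnet(e.src_ip), []).append(e)
    groups += [("S", g) for g in by_net.values()]
    return [(c, g) for c, g in groups if len(g) > 1]

Rule = Tuple[str, frozenset, int]   # (correlation, intrusion types, danger level)

def abstract(correlation: str, group: List[Event]) -> Rule:
    """Abstraction module: collapse a group into the candidate rule Y."""
    return (correlation, frozenset(e.attack_type for e in group), min(e.danger for e in group))

def covers(x: Rule, y: Rule) -> bool:
    """X covers an abstracted event when correlation matches and X's types are a subset."""
    return x[0] == y[0] and x[1] <= y[1]

class RuleBase:
    def __init__(self, seed: List[Rule], min_supp=10, min_conf=10, max_rules=100):
        self.min_supp, self.min_conf, self.max_rules = min_supp, min_conf, max_rules
        self.rules = OrderedDict((r, 0) for r in seed)   # rule -> usage frequency, LRU order
        self.db: List[Rule] = []                          # cooperative event database

    def support_confidence(self, x: Rule, y: Rule) -> Tuple[int, int]:
        x_cnt = sum(covers(x, z) for z in self.db)
        both = sum(covers(x, z) and covers(y, z) for z in self.db)
        return both, (100 * both // x_cnt if x_cnt else 0)

    def consider(self, y: Rule) -> bool:
        """Store the event, count it toward every rule covering it, and admit Y
        if it clears both thresholds against some existing rule X."""
        self.db.append(y)
        for x in list(self.rules):
            if covers(x, y):
                self.rules[x] += 1
                self.rules.move_to_end(x)        # most recently used at the end
        if y in self.rules:
            return False
        for x in list(self.rules):
            supp, conf = self.support_confidence(x, y)
            if supp > self.min_supp and conf > self.min_conf:
                self.rules[y] = 0
                self.evict()
                return True
        return False

    def evict(self) -> None:
        """Rule elimination, driven by the timer: while the base is over its maximum,
        drop the lowest-frequency rule, least recently used first among ties."""
        while len(self.rules) > self.max_rules:
            order = list(self.rules)
            del self.rules[min(order, key=lambda r: (self.rules[r], order.index(r)))]

SEED: List[Rule] = [("S", frozenset({"Scan"}), 2), ("S", frozenset({"DoS"}), 0)]   # Table 7 rows

def demo():
    """Constructed sample: for 12 consecutive minutes two scanners and one DoS source
    in 10.0.0.0/24 hit the Web group; the joint Scan+DoS pattern becomes a rule once
    its support exceeds MinSupp=10."""
    rb, admitted = RuleBase(SEED), []
    for minute in range(12):
        t = f"2000.01.01.17.{minute:02d}"
        batch = [Event("10.0.0.1", "17.0.0.1", t, "Scan", 2),
                 Event("10.0.0.5", "17.0.0.2", t, "Scan", 2),
                 Event("10.0.0.7", "17.0.0.1", t, "DoS", 0)]
        for corr, group in cooperative_events(batch):
            y = abstract(corr, group)
            if rb.consider(y):
                admitted.append((minute, y))
    return rb, admitted

if __name__ == "__main__":
    base, new_rules = demo()
    print(new_rules, dict(base.rules))
```

Note what the thresholds buy: the temporally correlated candidate ("T", ...) is never admitted, because the seeded rule base only contains spatial rules and so no X covers it, while the spatial Scan+DoS candidate is admitted only on the eleventh observation, when its support first exceeds MinSupp. An empty rule base admits nothing under this reading, so a deployment must seed the base (Table 7 here) before the learning loop can run.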
7) Agent route record (26)
This record library has 2 fields and stores the agent's itinerary; the record is kept in the agent client's memory as a linked list, with the initial values shown in Table 8.
Group | Node itinerary
Web   | 2, 3, 4, 5, 6, 7, 8
FTP   | 9, 10, 11, 12, 13, 14, 15, 16
Table 8: example of the agent route record
This record indicates that the mobile agent will visit nodes 2 to 8 of the Web group and nodes 9 to 16 of the FTP group.
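The following is an added worked example, not code from the patent or its authors, of the mobile-agent exchange described in item (4) above with the Table 8 itinerary: the client builds an agent carrying a route record and a policy script and signs both; each node's server runs the validity check on the signature before its policy interpreter turns the script into Table 2 style rules and loads them into the micro-firewall's policy library, and a tampered agent is rejected by every node it visits. The patent leaves the signature algorithm to the user interface and names no policy script format; this example stands in HMAC-SHA256 with a key shared by the client and all nodes (a symmetric construction, not a true digital signature) and a one-rule-per-line script, both assumptions. With a shared key any single compromised node could forge policy for the rest, so a real deployment would use an asymmetric signature that only the management platform can produce.

```python
# Mobile-agent policy distribution (added example, not the patent's code).
# The client signs an agent carrying the Table 8 route and a policy script;
# each node verifies the signature, then its policy interpreter loads the
# rules into the micro-firewall policy library. Assumptions: HMAC-SHA256 with
# a shared key stands in for the digital signature, the policy script is one
# Table 2 style rule per line, and all keys and addresses are constructed.
import hashlib
import hmac
import json

ROUTE = {"Web": [2, 3, 4, 5, 6, 7, 8], "FTP": [9, 10, 11, 12, 13, 14, 15, 16]}   # Table 8

def _payload(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()

def make_agent(key: bytes, group: str, policy_script: str, algorithm: str = "HMAC-SHA256") -> dict:
    """Client side: route record + policy, signed together so neither can be altered."""
    body = {"algorithm": algorithm, "route": ROUTE[group], "policy": policy_script}
    return {**body, "signature": hmac.new(key, _payload(body), hashlib.sha256).hexdigest()}

def verify_agent(key: bytes, agent: dict) -> bool:
    """Validity check module: recompute the signature over the carried fields."""
    body = {k: agent[k] for k in ("algorithm", "route", "policy")}
    expected = hmac.new(key, _payload(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, agent["signature"])

def interpret_policy(script: str):
    """Policy interpreter: one rule per line in Table 2 field order; '#' starts a comment."""
    rules = []
    for line in script.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 6 or fields[5] not in ("ACCEPT", "DROP"):
            raise ValueError(f"malformed policy line: {line!r}")
        rules.append(tuple(fields))
    return rules

class NodeServer:
    """Mobile-agent server on one node: verify first, interpret second, load last."""
    def __init__(self, node_id: int, key: bytes):
        self.node_id, self.key = node_id, key
        self.policy_library = []
        self.log = []

    def receive(self, agent: dict) -> bool:
        if not verify_agent(self.key, agent):
            self.log.append("rejected: bad signature")
            return False
        try:
            rules = interpret_policy(agent["policy"])
        except ValueError as err:
            self.log.append(f"rejected: {err}")
            return False
        self.policy_library = rules + self.policy_library   # new policy takes precedence
        self.log.append(f"loaded {len(rules)} rule(s)")
        return True

def dispatch(agent: dict, nodes: dict) -> dict:
    """Client transport: visit the nodes in route order; report which accepted."""
    return {n: nodes[n].receive(agent) for n in agent["route"] if n in nodes}

def demo():
    key = b"constructed-shared-key"
    nodes = {n: NodeServer(n, key) for n in range(2, 17)}
    policy = "ANY 10.0.0.1 ANY 17.0.0.1 ANY DROP   # cooperative-intrusion response: cut off 10.0.0.1\n"
    agent = make_agent(key, "Web", policy)
    web = dispatch(agent, nodes)
    # An agent altered in transit (policy and route both changed) must be rejected everywhere.
    forged = dict(agent, policy="ANY ANY ANY 17.0.0.2 ANY ACCEPT", route=ROUTE["FTP"])
    ftp = dispatch(forged, nodes)
    return web, ftp, nodes

if __name__ == "__main__":
    accepted_web, accepted_ftp, _ = demo()
    print(accepted_web, accepted_ftp)
```

Signing the route together with the policy matters: if only the policy were covered, an attacker could not change the rules but could redirect a legitimate "disconnect 10.0.0.1" policy to a node group it was never meant for.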

Claims (6)

1, a kind of distributed dynamic network security protecting system; the configuration of network central management platform gathers decision-making module and policy issue module; network is divided into N subnet according to tree; N 〉=1; all dispose on each subnet management platform and gather decision-making module and policy issue module; each node is all installed little intrusion detection module and little FWSM in the subnet
Little FWSM of each node of subnet is used for the receiving network data bag, abandons the invalid data bag, legal data packet is sent to little intrusion detection module of same node;
Little intrusion detection module is used to detect packet, then revises the security strategy of little FWSM if conventional invasion takes place, otherwise security incident is sent to the decision-making module that gathers of this subnet;
Each subnet gather the current safety event detection cooperative intrusion that decision-making module sends according to each node of this subnet, adjudicate according to its order of severity whether needs are passed to the upper management platform, if do not pass to the upper management platform, notification strategy release module then, start the subnet mobile proxy system, log on the security strategy that each node of this subnet is revised little FWSM;
The central management platform gathers decision-making module and receives each subnet and gather the cooperative intrusion incident that decision-making module is sent, and the notification strategy release module generates the global safety strategy, the policy issue module starts overall mobile proxy system, strategy is sent to the policy issue module of each subnet management platform, thereby revise the security strategy of the little FWSM of all nodes.
2, distributed dynamic network security protecting system as claimed in claim 1 is characterized in that each subnet can further be divided into some secondary subnets.
3, distributed dynamic network security protecting system as claimed in claim 1 or 2 is characterized in that:
(1) little FWSM comprises packet filtering module and packet filtering policy library, packet filtering policy library definition current safety strategy, the packet filtering module resides at network protocol layer, it filters according to the packet of packet filtering policy library to all network protocol layers of flowing through, abandon the invalid data bag, submit legal data packet to little intrusion detection module;
(2) little intrusion detection module comprises the incident collector, conventional security incident storehouse, the conventional invasion rule base, conventional invasion analyzer and conventional invasion responsor, the incident collector is gathered the packet that the packet filtering module transmits in real time, and be combined into network safety event by predetermined format and deposit conventional security incident storehouse in, send to the conventional invasion analyzer simultaneously and gather decision-making module, the conventional invasion rule base is deposited the rule of describing conventional invasion, the conventional invasion analyzer is converted to regulation linked with these rules and network safety event and its traversal of sending is mated, when one of generation is mated fully, notice conventional invasion responsor is revised the packet filtering policy library simultaneously;
(3) gather decision-making module and comprise the incident receiver module, collaborative security incident generation module, abstraction module, support and confidence level computing module, the threshold value comparison module, collaborative event database, cooperative intrusion analyzer and cooperative intrusion rule base, the incident receiver module receives the network safety event that the incident collector of little intrusion detection module is sent, deposit collaborative event database in, pass to collaborative security incident generation module simultaneously and produce collaborative security incident, and pass to abstraction module, this module will work in coordination with that all bytes of security incident are abstract to turn to a span, and pass to support and confidence level computing module as candidate's new cooperative intrusion rule, every safety regulation in the one module traversal cooperative intrusion rule base of back, calculate they and the support and the confidence level of new cooperative intrusion rule association, and it is passed to the threshold value comparison module, compare respectively with predefined minimum support threshold value and minimum confidence level threshold value, if all have greater than threshold value, then new cooperative intrusion rule is deposited in the cooperative intrusion rule base, the cooperative intrusion analyzer is differentiated the type of cooperative intrusion incident and is provided corresponding security strategy according to collaborative event database and cooperative intrusion rule base, passes to the policy issue module;
(4) subnet/overall mobile proxy system is made up of mobile agent client that resides at subnet/central management platform and the Mobile Agent Server end that resides at each node/subnet management platform, the mobile agent client comprises user interface, signature blocks, act on behalf of route logging modle and Client Agent transport protocol stack, the Digital Signature Algorithm type of user interface definition mobile agent is also submitted to signature blocks, the related content of route logging modle is acted on behalf of in definition simultaneously, signature blocks is carried out digital signature for each node/subnet policy issue module verification to mobile agent, act on behalf of the route logging modle and preserve node/subnet management platform sequence that mobile agent will be traveled round, and by Client Agent transport protocol stack and server interaction; The Mobile Agent Server end comprises that server end acts on behalf of transport protocol stack, proxy resources control module, validity checking module and tactful interpreter, the client and server end act on behalf of the bottom-up information interaction mechanism that transport protocol stack provides client end/server end, the proxy resources control module provides execution environment for mobile agent, the digital signature of validity checking module verification mobile agent, and the security strategy that the agency carries passed to tactful interpreter, then security strategy is interpreted as policy script and is loaded in the packet filtering policy library of little FWSM.
4. The distributed dynamic network security protecting system as claimed in claim 3, characterized in that:
(1) the micro firewall module further comprises a policy definition user interface and a policy sandbox module; the policy definition user interface supports user-defined security policy rules and passes them to the policy sandbox module, and the policy sandbox module then compares the user-defined security policy rule with the security policy rules in the packet filtering policy library; if a conflict is found, the user-defined security policy rule is discarded, otherwise it is stored in the packet filtering policy library;
(2) the summarizing decision module further comprises a rule elimination module and a timer; the rule elimination module defines a usage frequency for each new cooperative intrusion rule, and whenever a new cooperative intrusion rule supports an abstracted cooperative intrusion event, the usage frequency of that rule is incremented by 1; when the number of generated cooperative intrusion rules in the cooperative intrusion rule base reaches the maximum, this module uses a least recently used algorithm to eliminate rules with low usage frequency; the timer periodically signals the rule elimination module so that the least used intrusion rules are eliminated.
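The policy sandbox check of element (1), as an added example that is not the patent's own code. The claim does not define what a conflict is, so this example takes a conflict to be two rules whose match spaces overlap (protocol, source network and destination port could all match the same packet) but whose actions differ; that definition, the rule format and the `PolicyRule`, `conflicts` and `sandbox_submit` names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PolicyRule:
    """A packet filtering rule (format assumed for this example)."""
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR notation
    dport: Optional[int]   # destination port, None meaning any


def _match_overlap(a: PolicyRule, b: PolicyRule) -> bool:
    """True when some packet could match both rules."""
    if a.proto != "any" and b.proto != "any" and a.proto != b.proto:
        return False
    if a.dport is not None and b.dport is not None and a.dport != b.dport:
        return False
    return ipaddress.ip_network(a.src, strict=False).overlaps(
        ipaddress.ip_network(b.src, strict=False))


def conflicts(new: PolicyRule, existing: PolicyRule) -> bool:
    """Conflict as assumed here: overlapping match space with a different action."""
    return new.action != existing.action and _match_overlap(new, existing)


def sandbox_submit(library: list, new: PolicyRule) -> bool:
    """Policy sandbox module: compare the user-defined rule against every rule
    in the packet filtering policy library; discard it on conflict, else store it."""
    if any(conflicts(new, r) for r in library):
        return False
    library.append(new)
    return True
```

With a library holding `deny tcp 10.1.0.0/16 445`, an `allow tcp 10.1.5.0/24 445` submission is discarded, an `allow` for port 22 or for UDP is stored, and a broad `allow any 10.0.0.0/8` is discarded because it would override the deny for part of its range.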
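The rule elimination module and timer of element (2), as an added example rather than code from the patent. The claim speaks of a least recently used algorithm eliminating low-frequency rules; this example reads that as evicting the lowest usage frequency first and breaking ties by least recent use, with a logical tick standing in for wall-clock time. That reading, the tick and the `CooperativeIntrusionRuleBase` class and its method names are assumptions.

```python
class CooperativeIntrusionRuleBase:
    """Cooperative intrusion rule base with the rule elimination module and timer.
    Each rule carries [usage_frequency, last_used_tick]; the tick is a logical
    clock used here as an assumption in place of real time."""

    def __init__(self, max_rules: int):
        self.max_rules = max_rules
        self.rules = {}      # rule -> [usage_frequency, last_used_tick]
        self.tick = 0

    def _next_tick(self) -> int:
        self.tick += 1
        return self.tick

    def add_rule(self, rule) -> list:
        """Store a newly generated rule with usage frequency 0. When the base
        already holds the maximum, eliminate first; returns the evicted rules."""
        removed = []
        if rule not in self.rules and len(self.rules) >= self.max_rules:
            removed = self.eliminate(1)
        self.rules[rule] = [0, self._next_tick()]
        return removed

    def record_support(self, rule) -> int:
        """A rule supported an abstracted cooperative intrusion event: frequency + 1."""
        entry = self.rules[rule]
        entry[0] += 1
        entry[1] = self._next_tick()
        return entry[0]

    def eliminate(self, count: int = 1) -> list:
        """Eliminate the lowest-frequency rules; among equal frequencies the
        least recently used goes first."""
        victims = sorted(self.rules, key=lambda r: (self.rules[r][0], self.rules[r][1]))[:count]
        for r in victims:
            del self.rules[r]
        return victims

    def timer_signal(self) -> list:
        """Called periodically by the timer: eliminate the least used rule, if any."""
        return self.eliminate(1) if self.rules else []
```

Filling a base of three rules, recording two supports for the first and one for the second, then adding a fourth evicts the never-used third rule; each subsequent timer signal removes the current least used rule.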
5. The distributed dynamic network security protecting system as claimed in claim 3, characterized in that said collaborative security event is a set of mutually related network security events; they may be related in time, that is, ordered by time of occurrence with the interval between any two adjacent events not exceeding a prescribed unit time; or they may be related in space, that is, the source network protocol addresses of the network security events constituting the collaborative security event come from the same subnet.
6. The distributed dynamic network security protecting system as claimed in claim 4, characterized in that said collaborative security event is a set of mutually related network security events; they may be related in time, that is, ordered by time of occurrence with the interval between any two adjacent events not exceeding a prescribed unit time; or they may be related in space, that is, the source network protocol addresses of the network security events constituting the collaborative security event come from the same subnet.
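The summarizing decision flow of claim 3 element (3) together with the collaborative security event definition of claims 5 and 6, as one added example that is not code from the patent. Events are first bucketed by source subnet (space relation) and then split wherever two adjacent events, ordered by time, are further apart than the unit interval (time relation); each resulting group is abstracted field by field into a range rule, and the candidate is admitted when, for at least one existing rule, the support (fraction of database events matched by both rules) and confidence (fraction of events matched by the existing rule that the candidate also matches) both exceed their thresholds. Those support/confidence definitions, the decision rule, the event format, the constructed sample events and seed rule, and the function names are all assumptions; the claim states the flow, not these formulas.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityEvent:
    """Network security event as sent by a node's event collector (format assumed)."""
    time: float        # occurrence time in seconds
    src_ip: str        # source network protocol address
    fields: tuple      # numeric byte fields to abstract, e.g. (dport, payload_len)


def collaborative_events(events, unit_interval, prefixlen=16):
    """Collaborative security event generation: bucket by source subnet, order by
    time, and split where adjacent events are more than unit_interval apart.
    A single event is not a collaborative event."""
    by_subnet = {}
    for ev in events:
        net = ipaddress.ip_network(f"{ev.src_ip}/{prefixlen}", strict=False)
        by_subnet.setdefault(net, []).append(ev)
    groups = []
    for net in sorted(by_subnet, key=lambda n: int(n.network_address)):
        ordered = sorted(by_subnet[net], key=lambda e: e.time)
        current = [ordered[0]]
        for prev, cur in zip(ordered, ordered[1:]):
            if cur.time - prev.time <= unit_interval:
                current.append(cur)
            else:
                groups.append(current)
                current = [cur]
        groups.append(current)
    return [g for g in groups if len(g) > 1]


def abstract_rule(group):
    """Abstraction module: each field of the collaborative event becomes a (min, max) range."""
    cols = list(zip(*(ev.fields for ev in group)))
    return tuple((min(c), max(c)) for c in cols)


def rule_matches(rule, ev) -> bool:
    return all(lo <= v <= hi for (lo, hi), v in zip(rule, ev.fields))


def support_confidence(existing, candidate, event_db):
    """Association between an existing rule and the candidate over the event
    database (assumed formulas): support = P(both match), confidence = P(candidate | existing)."""
    both = sum(1 for e in event_db if rule_matches(existing, e) and rule_matches(candidate, e))
    ex = sum(1 for e in event_db if rule_matches(existing, e))
    support = both / len(event_db) if event_db else 0.0
    confidence = both / ex if ex else 0.0
    return support, confidence


def learn_rules(events, rule_base, unit_interval, min_support, min_confidence, prefixlen=16):
    """Threshold comparison: keep a candidate when, for at least one existing rule,
    both support and confidence are strictly greater than the thresholds
    (assumed reading; an empty rule base accepts the first candidate)."""
    accepted = []
    for group in collaborative_events(events, unit_interval, prefixlen):
        cand = abstract_rule(group)
        if cand in rule_base:
            continue
        ok = not rule_base or any(
            s > min_support and c > min_confidence
            for s, c in (support_confidence(r, cand, events) for r in rule_base))
        if ok:
            rule_base.append(cand)
            accepted.append(cand)
    return accepted


# Constructed sample: three port-445 events close together from 10.1.0.0/16,
# one isolated port-22 event, and a pair of port-445 events from 10.2.0.0/16.
SAMPLE_EVENTS = [
    SecurityEvent(0.0, "10.1.0.5", (445, 100)),
    SecurityEvent(1.0, "10.1.0.6", (445, 120)),
    SecurityEvent(2.0, "10.1.0.7", (445, 110)),
    SecurityEvent(50.0, "10.1.0.8", (22, 300)),
    SecurityEvent(1.0, "10.2.0.9", (445, 105)),
    SecurityEvent(3.0, "10.2.0.10", (445, 115)),
]
# Constructed pre-existing rule: dport 440..450 and payload length 0..200.
SEED_RULE_BASE = [((440, 450), (0, 200))]
```

With a unit interval of 5 seconds the sample yields two collaborative events (sizes 3 and 2); the first abstracts to `((445, 445), (100, 120))`, has support 5/6 and confidence 1.0 against the seed rule, and is admitted at thresholds 0.5 and 0.8, while the second, `((445, 445), (105, 115))`, reaches support exactly 0.5 and is rejected because the claim requires the support to be greater than the threshold.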
CNB021159572A 2002-06-11 2002-06-11 Distributed dynamic network security protecting system Expired - Fee Related CN1160899C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB021159572A CN1160899C (en) 2002-06-11 2002-06-11 Distributed dynamic network security protecting system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB021159572A CN1160899C (en) 2002-06-11 2002-06-11 Distributed dynamic network security protecting system

Publications (2)

Publication Number Publication Date
CN1384639A CN1384639A (en) 2002-12-11
CN1160899C true CN1160899C (en) 2004-08-04

Family

ID=4743973

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB021159572A Expired - Fee Related CN1160899C (en) 2002-06-11 2002-06-11 Distributed dynamic network security protecting system

Country Status (1)

Country Link
CN (1) CN1160899C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100385859C (en) * 2005-01-18 2008-04-30 英业达股份有限公司 Security management service system and its implementation method

Families Citing this family (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100376092C (en) * 2002-12-13 2008-03-19 联想网御科技(北京)有限公司 Firewall and invasion detecting system linkage method
US7305564B2 (en) * 2002-12-19 2007-12-04 International Business Machines Corporation System and method to proactively detect software tampering
US7591017B2 (en) * 2003-06-24 2009-09-15 Nokia Inc. Apparatus, and method for implementing remote client integrity verification
CN100518166C (en) * 2003-12-16 2009-07-22 鸿富锦精密工业(深圳)有限公司 System and method for generation and issue of data safety passport
CN100414938C (en) * 2004-01-05 2008-08-27 华为技术有限公司 Network safety system and method
KR100609170B1 (en) * 2004-02-13 2006-08-02 엘지엔시스(주) system of network security and working method thereof
DE602004002198T2 (en) * 2004-06-07 2007-07-19 Alcatel Lucent Method and device for preventing attacks on a call server
CN1309214C (en) * 2004-12-20 2007-04-04 华中科技大学 Cooperative intrusion detection based large-scale network security defense system
FR2883997A1 (en) * 2005-04-04 2006-10-06 France Telecom Decision managing method for hierarchized and distributed network architecture, involves creating simplified tree with rows, and transmitting tree to terminal, if number of levels is two, so that terminal takes decision to execute it
CN100435513C (en) * 2005-06-30 2008-11-19 杭州华三通信技术有限公司 Method of linking network equipment and invading detection system
CN100450012C (en) * 2005-07-15 2009-01-07 复旦大学 Invasion detecting system and method based on mobile agency
US7653188B2 (en) * 2005-07-20 2010-01-26 Avaya Inc. Telephony extension attack detection, recording, and intelligent prevention
CN100393046C (en) * 2005-12-06 2008-06-04 南京邮电大学 Analogue biological immunological mechanism invasion detecting method
US8079073B2 (en) * 2006-05-05 2011-12-13 Microsoft Corporation Distributed firewall implementation and control
CN100454842C (en) * 2006-06-30 2009-01-21 深圳市中科新业信息科技发展有限公司 Distributed audit system
KR101206542B1 (en) * 2006-12-18 2012-11-30 주식회사 엘지씨엔에스 Apparatus and method of securing network of supporting detection and interception of dynamic attack based hardware
CN101022343B (en) * 2007-03-19 2010-09-08 杭州华三通信技术有限公司 Network invading detecting/resisting system and method
CN101060411B (en) * 2007-05-23 2013-04-03 西安交大捷普网络科技有限公司 A multi-mode matching method for improving the detection rate and efficiency of intrusion detection system
CN101184088B (en) * 2007-12-14 2010-12-01 浙江工业大学 Multi-point interlinked LAN firewall cooperating method
CN101938460B (en) * 2010-06-22 2014-04-09 北京中兴网安科技有限公司 Coordinated defense method of full process and full network safety coordinated defense system
CN101977129B (en) * 2010-10-19 2012-10-10 青海师范大学 Artificial immunization-based MANET network attack detection method
CN102523218B (en) * 2011-12-16 2015-04-08 北京神州绿盟信息安全科技股份有限公司 Network safety protection method, equipment and system thereof
CN104378352A (en) * 2014-10-16 2015-02-25 江苏博智软件科技有限公司 Method of distributed firewall secure communication mechanism
CN106209902A (en) * 2016-08-03 2016-12-07 常熟高新技术创业服务有限公司 A kind of network safety system being applied to intellectual property operation platform and detection method
CN106506559B (en) * 2016-12-29 2020-02-18 北京奇虎科技有限公司 Access behavior control method and device
CN106878340B (en) * 2017-04-01 2023-09-01 中国人民解放军61660部队 Comprehensive safety monitoring analysis system based on network flow
CN108471428B (en) * 2018-06-27 2021-05-28 北京云端智度科技有限公司 DDoS attack active defense technology and equipment applied to CDN system
CN110855794A (en) * 2019-11-20 2020-02-28 山东健康医疗大数据有限公司 TCP (Transmission control protocol) -based database Socket gateway implementation method and device
CN110891059A (en) * 2019-11-26 2020-03-17 武汉卓云智方科技有限公司 Internet safety management platform
CN112039895B (en) * 2020-08-31 2023-01-17 绿盟科技集团股份有限公司 Network cooperative attack method, device, system, equipment and medium
CN112584357B (en) * 2020-12-02 2023-04-28 惠州市德赛西威智能交通技术研究院有限公司 Method for dynamically adjusting vehicle-mounted firewall policy
CN113206848A (en) * 2021-04-29 2021-08-03 福建奇点时空数字科技有限公司 SDN moving target defense implementation method based on self-evolution configuration
CN113691501A (en) * 2021-07-30 2021-11-23 东莞职业技术学院 Network security system and security method

Also Published As

Publication number Publication date
CN1384639A (en) 2002-12-11

Similar Documents

Publication Publication Date Title
CN1160899C (en) Distributed dynamic network security protecting system
CN100530208C (en) Network isolation techniques suitable for virus protection
CN101087196B (en) Multi-layer honey network data transmission method and system
CN102263788B (en) Method and equipment for defending against denial of service (DDoS) attack to multi-service system
US20050278779A1 (en) System and method for identifying the source of a denial-of-service attack
Aggarwal et al. Securing IoT devices using SDN and edge computing
WO2011010823A2 (en) Method for detecting and preventing a ddos attack using cloud computing, and server
CN1655518A (en) Network security system and method
CN102801738B (en) Distributed DoS (Denial of Service) detection method and system on basis of summary matrices
JP2003228552A (en) Mobile device for mobile telecommunication network providing intrusion detection
KR100996288B1 (en) A method for neutralizing the ARP spoofing attack by using counterfeit MAC addresses
CN101958903A (en) Method for realizing high-performance firewall based on SOC and parallel virtual firewall
CN106357685A (en) Method and device for defending distributed denial of service attack
CN1874303A (en) Method for implementing black sheet
CN105721457A (en) Network security defense system and network security defense method based on dynamic transformation
CN1725709A (en) Method of linking network equipment and invading detection system
CN1252555C (en) Cooperative invading testing system based on distributed data dig
CN102594834B (en) Method and device for defending network attack and network equipment
Ramprasath et al. Mitigation of malicious flooding in software defined networks using dynamic access control list
CN1820452A (en) Detecting and protecting against worm traffic on a network
CN1257632C (en) Firm gateway system and its attack detecting method
CN202231744U (en) ISP network based attack denial defensive system
CN112383573B (en) Security intrusion playback equipment based on multiple attack stages
CN1602470A (en) Protecting against malicious traffic
CN205510109U (en) A serve dynamic routing system more for cloud computing environment

Legal Events

Date Code Title Description
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C19 Lapse of patent right due to non-payment of the annual fee
CF01 Termination of patent right due to non-payment of annual fee