CN116723048A - Communication system and method in local area network - Google Patents


Info

Publication number
CN116723048A
Authority
CN
China
Prior art keywords
module
malicious code
network request
malicious
network
Prior art date
Legal status
Pending
Application number
CN202310943752.0A
Other languages
Chinese (zh)
Inventor
高瑞梅
Current Assignee
Southeast university chengxian college
Original Assignee
Southeast university chengxian college

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a communication system and method in a local area network, which relate to the field of computer technology and solve the technical problem of insufficient security of communication in the local area network.

Description

Communication system and method in local area network
Technical Field
The present application relates to the field of computer technologies, and in particular, to a communication system and method in a local area network.
Background
Computer networks are now widely used in many fields, and security has long been one of the most serious problems in network applications. As network attack techniques keep evolving, the security problems people face in everyday network use become more and more serious. The traditional response is to rely on antivirus or firewall software for protection, but such software must be updated promptly to resist attacks effectively.
Currently, some network attacks against businesses and institutions are more covert and dangerous, and conventional antivirus software and firewalls have difficulty coping with them effectively, as shown by the following:
(1) Zero-day vulnerability attacks are hard to prevent: malicious code attacks typically exploit a system vulnerability that has not yet been discovered or publicly disclosed. Therefore, even though such systems may prevent known malicious code attacks to some extent, it is still difficult to prevent zero-day vulnerability attacks completely.
(2) Dependence on timely updates: current malicious code attack patterns change continuously, so the detection engine must be updated frequently to keep up with the latest patterns. The effectiveness of the system depends on updates being sufficiently timely; otherwise coverage lags and vulnerabilities open up.
(3) The system is vulnerable to internal attacks: malicious code attacks are not limited to attacks from external networks; internal malicious code attacks may also threaten the security of the local area network. If the system lacks countermeasures against internal malicious code attacks, malicious code may still invade the system through internal pathways.
(4) System performance is affected: to avoid malicious code attacks, a local area network security system may employ strong encryption algorithms and other security measures, which bring a large system performance overhead.
(5) Possibility of false alarms and misjudgments: the malicious code detection engine may identify normal network data as a malicious code attack, causing false alarms and misjudgments that affect the normal operation of the system.
(6) High system complexity: to protect system security, a system for avoiding malicious code attacks in a local area network generally has to integrate many technologies and measures, and the complexity and the operation and maintenance burden of these technologies and measures are high.
In summary, systems for avoiding malicious code attacks in a local area network still have many defects and shortcomings, and continued technical innovation and system updates are required. The present application addresses the above shortcomings and drawbacks by providing a communication system and method within a local area network.
Disclosure of Invention
The application provides a communication system and a method in a local area network, which aim to strengthen vulnerability and zero-day attack detection, realize more timely and stable system update and simultaneously build a comprehensive and safe defense framework.
The technical aim of the application is realized by the following technical scheme:
a communication system within a local area network, comprising:
the client is used for receiving a network request of the host;
the malicious code detection engine is arranged on the client and used for detecting whether malicious codes exist in the network request, if so, the malicious codes are stored in the malicious code database, then the malicious codes in the network request are cleared and deleted, the network request is sent to the data encryption processing module, and otherwise, the network request is directly sent to the data encryption processing module;
The data encryption processing module is used for carrying out encryption processing on the network request, obtaining an encrypted network request and sending the encrypted network request to the bidirectional authentication module;
the bidirectional authentication module authenticates the encrypted network request to confirm the identity information of the client, then confirms the identity information of the router, and sends the encrypted network request to the router if the identity information of the client and the identity information of the router are correct;
the router is used for receiving the encrypted network request;
and the malicious code database is used for storing malicious code information.
Further, the malicious code detection engine includes:
the feature extraction module is used for analyzing the flow features, protocol information and data content of the data packet of the network request so as to extract key features of the network request;
the feature matching module is used for comparing and classifying key features of the network request with known malicious code features in a malicious code database to judge whether the malicious code request exists or not, if so, the network request is transferred to the threat assessment module, and if not, the risk of the network request is ignored;
the threat assessment module is used for assessing and grading the malicious code found in the malicious code request;
And the defense control module is used for defending and controlling the malicious codes according to the evaluation and classification.
Further, the feature extraction module includes:
the flow characteristic extraction module is used for extracting and analyzing the flow characteristics of the data packet to obtain the size, the transmission rate and the time stamp information of the data packet;
the protocol information extraction module is used for extracting and analyzing the protocol information in the data packet to obtain a protocol type, a protocol version and a protocol option;
the data content extraction module is used for analyzing and extracting the data content of the data packet to obtain HTTP request content, SMTP mail content and FTP transmission content;
the feature screening module is used for screening and filtering the data packet size, the transmission rate, the timestamp information, the protocol type, the protocol version, the protocol options, the HTTP request content, the SMTP mail content and the FTP transmission content to obtain key features;
and the model training module trains on the key features to obtain a malicious code detection model, through which the key features of the malicious code are finally extracted.
Further, the feature matching module includes:
the pattern matching module is used for comparing key features of the network request with known malicious code features in a malicious code database through a feature matching algorithm to obtain a matching result;
and the classification processing module classifies according to the matching result.
Further, the threat assessment module assesses and classifies the malicious codes through a threat classification algorithm, assessment indexes and assessment rules to obtain an assessment result, and displays the assessment result; wherein the evaluation index comprises threat degree, risk level and target influence range; the evaluation rules are specific evaluation rules and processes which are established by threat classification algorithms and evaluation indexes, and comprise judgment conditions, evaluation processes and coping processes.
Further, the defense control module includes:
the threat isolation module is used for isolating the detected malicious codes to a specific network area;
the threat blocking module is used for shielding or intercepting malicious codes in a specific network area;
the log tracking module is used for tracking and recording the request of the malicious code so as to carry out subsequent capturing and analysis;
and the threat removal module is used for removing and deleting the malicious codes.
Further, the construction process of the malicious code database comprises the following steps:
collecting malicious code samples;
extracting malicious code characteristics;
establishing a malicious code database according to the malicious code characteristics;
marking malicious codes in the malicious code database;
and updating the malicious codes of the malicious code database.
Further, the data encryption processing module includes:
an encryption algorithm library providing an encryption algorithm and a decryption algorithm;
the key management module provides independent keys for different users or application programs;
the encryption and filtration module is used for filtering and managing the encrypted data and the decrypted data by monitoring the network traffic in real time;
the encryption policy management module is used for formulating an encryption policy and defining the encryption authority and range of a user and an application program;
the security audit module is used for recording and managing the operation log encrypted by the data and monitoring and auditing the access and the use of the encrypted data;
the encryption performance optimization module optimizes and accelerates the encryption process;
and the encryption error processing module is used for processing and responding to the encryption failure or error occurrence.
Further, the mutual authentication module includes:
the certificate management module provides digital certificates for both network communication parties;
the security protocol module is used for defining a security protocol used in a bidirectional authentication process, wherein the security protocol comprises an SSL protocol and a TLS protocol;
the security authentication module is used for verifying the various operations in the identity authentication and authorization process;
a security policy module providing a security policy for the mutual authentication;
and the security log module is used for recording events and operation logs in the authentication communication and interaction process.
A method of communication within a local area network, comprising:
S1: the client receives a network request of the host;
S2: the malicious code detection engine arranged on the client detects whether malicious codes exist in the network request, if so, the malicious codes are stored in a malicious code database, then the malicious codes in the network request are cleared and deleted, the network request is sent to the data encryption processing module, and otherwise, the network request is directly sent to the data encryption processing module;
S3: the data encryption processing module encrypts the network request to obtain an encrypted network request and sends the encrypted network request to the two-way authentication module;
S4: the two-way authentication module authenticates the encrypted network request to confirm the identity information of the client, then confirms the identity information of the router, and sends the encrypted network request to the router if the identity information of the client and the identity information of the router are correct;
S5: the router receives the encrypted network request.
The application has the beneficial effects that:
(1) The security and stability of the local area network are improved: through various technical means the system and method can detect and defend against different types of malicious code attacks, realize bidirectional authentication and encryption protection in network communication, and thereby improve the security and stability of the local area network.
(2) Data protection and privacy confidentiality are improved: by isolating terminal nodes, encrypting data streams, realizing two-way authentication and other measures, the system and method can effectively protect data security in the local area network and the privacy and confidentiality of users.
(3) The robustness and expandability of the system are improved: the system and method use a series of flexible and expandable technical modules, and can improve the robustness and expandability of the system by adapting the detection engine to various malicious code attack modes.
(4) Protection against internal malicious code attacks is improved: the system and method prevent malicious code attacks within the local area network, and reduce the possibility of such attacks by enforcing stricter authorization and identity verification of terminal nodes.
(5) Operating efficiency and usability are improved: by integrating various technologies and control modules, the system and method can automate and visualize operational settings, improving the operating efficiency and usability of the system.
Therefore, the application improves the security and stability of the local area network, ensures the security and privacy confidentiality of data, improves the robustness and expandability of the system, prevents internal malicious code attacks, and has the advantages of high operating efficiency and usability.
Drawings
FIG. 1 is a block diagram of a communication system within a local area network in accordance with an embodiment of the present application;
FIG. 2 is a flowchart of a communication method in a local area network according to an embodiment of the application.
Detailed Description
The technical scheme of the application will be described in detail with reference to the accompanying drawings.
As shown in fig. 1, the communication system in the local area network according to the present application includes a client, a malicious code detection engine, a data encryption processing module, a bidirectional authentication module, a router and a malicious code database.
After receiving the network request of the host, the client detects whether malicious code exists in the network request through the malicious code detection engine arranged on the client; if so, the malicious code is stored in the malicious code database, the malicious code in the network request is cleared and deleted, and the network request is then sent to the data encryption processing module; otherwise the network request is sent directly to the data encryption processing module.
The data encryption processing module encrypts the network request to obtain an encrypted network request and sends the encrypted network request to the two-way authentication module.
And the bidirectional authentication module authenticates the encrypted network request to confirm the identity information of the client, then confirms the identity information of the router, and sends the encrypted network request to the router if the identity information of the client and the identity information of the router are correct.
The router is used for receiving the encrypted network request; the malicious code database is used for storing malicious code information.
As a specific embodiment, the malicious code detection engine is designed by using a machine learning or deep learning algorithm, and can accurately detect and identify the malicious code according to the characteristic information of the network threat, so that the network threat and attack are effectively prevented, and the safety and stability of the local area network are ensured. The malicious code detection engine specifically comprises a feature extraction module, a feature matching module, a threat assessment module and a defense control module.
Specifically, the feature extraction module is a core part of a malicious code detection engine, and adopts a machine learning or deep learning algorithm to analyze flow features, protocol information and data content of a data packet of a network request so as to extract key features of the network request, thereby identifying and intercepting potential threats in the network flow.
The feature extraction module is obtained through model training and comprises a flow feature extraction module, a protocol information extraction module, a data content extraction module, a feature screening module and a model training module.
The flow characteristic extraction module extracts and analyzes the flow characteristics of the data packet to obtain information such as the size, transmission rate and timestamp of the data packet; by analyzing these characteristic parameters it finds anomalies in the network traffic and so determines whether a malicious code request is present.
The protocol information extraction module extracts and analyzes the protocol information in the data packet to obtain the protocol type, protocol version and protocol options; based on the different characteristics of the protocol information it can determine whether a network attack or malicious code propagation is present.
The data content extraction module analyzes and extracts the data content of the data packet to obtain HTTP request content, SMTP mail content, FTP transmission content and the like; by extracting and analyzing the data content, the module can identify and intercept abnormal or malicious requests in the network traffic.
The feature screening module screens and filters the data packet size, the transmission rate, the timestamp information, the protocol type, the protocol version, the protocol options, the HTTP request content, the SMTP mail content and the FTP transmission content to obtain key features, so that the accuracy and the efficiency of detection are improved.
The model training module carries out machine learning or deep learning algorithm training on the key features so as to obtain a malicious code detection model, and finally, the key features of the malicious code are extracted through the malicious code detection model. The model training module generally comprises links of feature selection, data preprocessing, algorithm selection, model evaluation and the like, and can be optimized and adjusted according to actual conditions.
The feature matching module is one of the important components of the malicious code detection engine. Its main function is to compare and classify the key features of the network request against the known malicious code features in the malicious code database in order to judge whether a malicious code request exists; if so, the key features are transferred to the threat assessment module, and if not, the risk of the network request is ignored.
Specifically, the malicious code database is a key part of the feature matching module function, and is the basis for storing the feature information of known malicious codes. The malicious code database comprises common malicious codes such as viruses, trojans, worms, malicious software and the like, and corresponding characteristic description information such as flow characteristics, protocol characteristics, data content characteristics and the like is provided for each malicious code.
The feature matching algorithm is a core algorithm of the feature matching module, and is used for judging whether a malicious code request exists in the network traffic and determining the type of the malicious code request by comparing the feature information of the data packet with the feature information in a malicious code database; feature matching algorithms typically include a variety of techniques such as string matching, rule matching, statistical analysis, etc. Based on the above, the feature matching module includes a pattern matching module and a classification processing module.
The pattern matching module compares key features of the network request with known malicious code features in a malicious code database through a feature matching algorithm to obtain a matching result. The pattern matching module generally adopts a rapid matching algorithm, such as regular expression matching, multilayer matching and other technical means, so as to improve the matching efficiency and accuracy.
The classification processing module classifies and processes the malicious code request according to the matching result. Requests can be classified by type, such as virus, trojan, worm or other malicious software, and operations such as isolation, blocking, deletion and tracking are then performed to protect the security of the whole local area network.
The threat assessment module is one of the important components of the malicious code detection engine, and its main function is to assess and rank the detected network threats so as to perform proper response and processing, and ensure the network security of the whole local area network.
Specifically, the threat assessment module assesses and classifies the malicious codes through a threat classification algorithm, assessment indexes and assessment rules to obtain an assessment result, and displays the assessment result.
The threat classification algorithm is a core algorithm of the threat assessment module and classifies and processes the network threats according to different characteristics of the network threats; threat classification algorithms are divided into two modes, namely static analysis and dynamic analysis, wherein the static analysis comprises a mode of judging based on rules, classifying based on characteristics and the like, and the dynamic analysis is used for judging the type and the grade of the network threat through the behavior analysis of the network traffic.
The evaluation index is an index system for comprehensively evaluating threat evaluation results, and comprises threat degree, risk level and target influence range. The selection of the evaluation index needs to be optimized and adjusted according to actual conditions so as to ensure the accuracy and the practicability of the evaluation result.
The evaluation rule is a specific evaluation rule and flow established by a threat classification algorithm and an evaluation index, and comprises aspects of judging conditions, evaluation flow, coping process and the like, so that the system is helped to accurately evaluate and process the network threat.
After the threat assessment is carried out, threat assessment results are displayed and reported, wherein the threat assessment results comprise threat level, threat type, target influence range and other information; the information can be displayed in a visual and reporting mode, and the like, so that an administrator can conveniently and effectively manage and process the threat.
The defending control module is one of important components of the malicious code detection engine, is responsible for defending and controlling the detected network threat and taking corresponding countermeasures to ensure the network security and stability of the whole local area network.
Specifically, the defense control module comprises a threat isolation module, a threat blocking module, a log tracking module and a threat clearing module.
The threat isolation module isolates the detected malicious code to a specific network area so that it cannot cause greater harm to the whole local area network. Threat isolation modules typically employ virtualization and containerization techniques to better isolate and control detected threats.
The threat blocking module is used for shielding or intercepting malicious codes in a specific network area, so that blocking and controlling of network threats are realized. The threat blocking module can block according to known threat characteristics, and can also dynamically block according to real-time threat identification results.
The log tracking module tracks and records requests for malicious code for subsequent capture and analysis. The log tracking module can record network traffic and data packets, and record relevant information such as a request source, a request target, a request time and the like, so that the network threat can be analyzed and researched more comprehensively.
The threat removal module is responsible for removing and deleting the malicious code so that it cannot continue to pose a threat. The threat removal module can generally clean the infected system automatically and repair and recover from the abnormal behavior to restore the system to its normal state.
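As an added illustration of the detection engine described above (added here, not code from the patent), the following Python sketch runs the four modules over constructed requests: feature extraction, pattern matching against a small constructed malicious code database, rule-based threat assessment yielding threat degree, risk level and target influence range, and the choice of defense action. The signature patterns, the rate threshold and the risk bands are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the malicious code database (names, patterns and
# threat degrees are assumptions, not from the patent). Each entry carries a
# protocol feature, a data-content feature and a threat degree from 0 to 10.
SIGNATURE_DB = [
    {"name": "php-webshell", "type": "trojan", "protocol": "HTTP", "threat": 9,
     "content": re.compile(r"<\?php\b.*?\b(eval|system|passthru)\s*\(.*?\?>",
                           re.I | re.S)},
    {"name": "mass-mailer", "type": "worm", "protocol": "SMTP", "threat": 6,
     "content": re.compile(r"^X-Mailer:[ \t]*MassMail.*$", re.I | re.M)},
    {"name": "cred-exfil", "type": "malware", "protocol": "FTP", "threat": 7,
     "content": re.compile(r"^STOR\s+\S*(passwd|shadow)\b", re.I | re.M)},
]
RISK_LEVELS = [(8, "critical"), (5, "high"), (3, "medium"), (0, "low")]
RATE_LIMIT = 1_000_000  # bytes/s; constructed threshold for an anomalous rate

@dataclass
class Request:
    src: str
    dst: str
    protocol: str    # HTTP, SMTP or FTP
    version: str
    options: dict
    payload: bytes
    timestamp: float
    elapsed: float   # seconds taken to receive the packet(s)

def extract_features(req):
    """Feature extraction: traffic features (size, rate, timestamp), protocol
    features (type, version, options) and the data content of the request."""
    size = len(req.payload)
    return {
        "size": size,
        "rate": size / req.elapsed if req.elapsed > 0 else float("inf"),
        "timestamp": req.timestamp,
        "protocol": req.protocol,
        "version": req.version,
        "options": req.options,
        "content": req.payload.decode("utf-8", "replace"),
        "dst": req.dst,
    }

def match_features(features, db=SIGNATURE_DB):
    """Feature matching: compare the key features with the database entries
    and return the matching signatures; a hit's type is its classification."""
    return [sig for sig in db
            if sig["protocol"] == features["protocol"]
            and sig["content"].search(features["content"])]

def assess_threat(features, hits):
    """Threat assessment with rule-based evaluation rules: threat degree,
    risk level and target influence range of the matched malicious code."""
    if not hits:
        return None
    degree = max(h["threat"] for h in hits)
    if features["rate"] > RATE_LIMIT:       # anomalous traffic feature
        degree = min(10, degree + 1)
    level = next(name for floor, name in RISK_LEVELS if degree >= floor)
    # A broadcast destination means the request can affect the whole LAN.
    scope = "lan-wide" if features["dst"].endswith(".255") else "single-host"
    return {"degree": degree, "level": level, "scope": scope,
            "types": sorted({h["type"] for h in hits})}

def defense_actions(assessment):
    """Defense control: pick isolate / block / log / remove by risk level."""
    if assessment is None:
        return ["forward"]
    actions = ["log"]
    if assessment["level"] in ("critical", "high"):
        actions += ["isolate", "block", "remove"]
    elif assessment["level"] == "medium":
        actions += ["block"]
    return actions

def process_request(req, db=SIGNATURE_DB):
    """Step S2 of the method: detect, assess, clear the malicious code from
    the request and return (cleaned_payload, assessment, actions); handing
    the cleaned request to the encryption module is outside this example."""
    features = extract_features(req)
    hits = match_features(features, db)
    assessment = assess_threat(features, hits)
    content = features["content"]
    for sig in hits:                        # clear and delete the malicious code
        content = sig["content"].sub("", content)
    return content.encode(), assessment, defense_actions(assessment)

if __name__ == "__main__":
    # Constructed sample requests: one carrying a PHP web shell, one benign.
    shell = Request("10.0.0.5", "10.0.0.20", "HTTP", "1.1", {"Host": "intra"},
                    b"POST /up HTTP/1.1\r\n\r\n<?php eval($_POST['c']); ?>",
                    1700000000.0, 0.01)
    plain = Request("10.0.0.6", "10.0.0.20", "HTTP", "1.1", {"Host": "intra"},
                    b"GET /index.html HTTP/1.1\r\n\r\n", 1700000001.0, 0.01)
    for r in (shell, plain):
        print(process_request(r))
```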
In the embodiment of the application, the construction process of the malicious code database comprises the following steps:
(1) Collecting malicious code samples: collecting malicious code samples is a precondition for establishing a malicious code database. Samples can be collected in various ways, such as monitoring network traffic, scanning for viruses and gathering from hacker communities, to obtain sample files of the malicious code.
(2) Extracting malicious code characteristics: feature extraction is a key step in classifying and identifying malicious code. Features can be extracted according to known malicious code feature information, including flow features, protocol features, data content features and the like; based on the extraction results, malicious code can be classified and organized, which greatly helps the detection and defense of malicious code.
(3) Establishing a malicious code database according to the malicious code characteristics: establishing the database requires a dedicated system or platform for support, such as MySQL or MongoDB; establishing the database requires defining the fields, formats and contents, and the feature information of the malicious code is stored in the database according to the feature extraction results.
(4) Marking malicious codes in the malicious code database: the samples from which features were extracted are labelled, which facilitates subsequent data analysis and modeling; labelling can be based on known malicious code type, class, harmfulness and other information so as to better manage the malicious code library.
(5) Updating the malicious code of the malicious code database: malicious code is constantly changing and evolving, so the data in the database must be updated constantly; updates can come from virus libraries and similar sources, and existing data must be revised and refined to ensure the effectiveness and rigor of the malicious code library.
In summary, the steps of collecting and extracting features, building a database, labeling data, updating data and the like are needed for building the malicious code database, so that the completeness and the effectiveness of the malicious code database are ensured.
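The five construction steps above, carried through as an added example (not the patent's code) on an in-memory sqlite3 database: a collected sample is hashed and its flow, protocol and data-content features stored (steps 1 to 3), the entry is labelled with type and harmfulness (step 4), and a later revision merges new content strings and bumps a revision counter (step 5). The schema, the feature set and the sample payload are constructed assumptions; the patent names MySQL and MongoDB as platforms but fixes no fields.

```python
import hashlib
import json
import math
import re
import sqlite3
import time
from collections import Counter

# Constructed schema (an assumption). One row per collected sample; the
# SHA-256 of the sample file is its identity, so re-collecting the same
# sample from another source never creates a duplicate entry.
SCHEMA = """
CREATE TABLE IF NOT EXISTS malware (
    sha256     TEXT PRIMARY KEY,            -- identity of the sample file
    source     TEXT NOT NULL,               -- where the sample was collected
    traffic    TEXT NOT NULL,               -- JSON: flow features
    protocol   TEXT NOT NULL,               -- JSON: protocol features
    content    TEXT NOT NULL,               -- JSON: data-content features
    type       TEXT,                        -- label: virus/trojan/worm/...
    harm       INTEGER,                     -- label: harmfulness 0-10
    revision   INTEGER NOT NULL DEFAULT 1,  -- bumped by every update
    updated_at REAL NOT NULL
)"""

def entropy(data):
    """Shannon entropy in bits per byte; packed or encrypted content scores
    close to 8, plain text around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def extract_sample_features(sample, protocol, rate=0.0):
    """Step 2: flow, protocol and data-content features of one sample."""
    text = sample.decode("latin-1")
    strings = sorted(set(re.findall(r"[ -~]{6,}", text)))[:16]
    return {"traffic": {"size": len(sample), "rate": rate},
            "protocol": {"type": protocol},
            "content": {"strings": strings, "entropy": round(entropy(sample), 3)}}

def open_db(path=":memory:"):
    """Step 3: create the database (in memory here) with the schema above."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn

def collect(conn, source, sample, protocol, rate=0.0):
    """Steps 1 and 3: store the features of a collected sample. A sample seen
    before (same SHA-256) is ignored. Returns the sample's SHA-256."""
    sha = hashlib.sha256(sample).hexdigest()
    f = extract_sample_features(sample, protocol, rate)
    conn.execute("INSERT OR IGNORE INTO malware (sha256, source, traffic, "
                 "protocol, content, updated_at) VALUES (?, ?, ?, ?, ?, ?)",
                 (sha, source, json.dumps(f["traffic"]), json.dumps(f["protocol"]),
                  json.dumps(f["content"]), time.time()))
    conn.commit()
    return sha

def label(conn, sha, mtype, harm):
    """Step 4: mark a sample with its type and harmfulness (0-10)."""
    if not 0 <= harm <= 10:
        raise ValueError("harm must be between 0 and 10")
    conn.execute("UPDATE malware SET type = ?, harm = ?, updated_at = ? "
                 "WHERE sha256 = ?", (mtype, harm, time.time(), sha))
    conn.commit()

def revise(conn, sha, extra_strings):
    """Step 5: merge newly learned content strings (for example from a virus
    library feed) into an entry and bump its revision. Returns the revision."""
    row = conn.execute("SELECT content, revision FROM malware WHERE sha256 = ?",
                       (sha,)).fetchone()
    if row is None:
        raise KeyError(sha)
    content, rev = json.loads(row[0]), row[1] + 1
    content["strings"] = sorted(set(content["strings"]) | set(extra_strings))
    conn.execute("UPDATE malware SET content = ?, revision = ?, updated_at = ? "
                 "WHERE sha256 = ?", (json.dumps(content), rev, time.time(), sha))
    conn.commit()
    return rev

def lookup(conn, needle):
    """How the detection engine consumes the database: entries whose content
    strings contain the needle, as (sha256, type, harm, revision) tuples."""
    hits = []
    for sha, content, mtype, harm, rev in conn.execute(
            "SELECT sha256, content, type, harm, revision FROM malware"):
        if any(needle in s for s in json.loads(content)["strings"]):
            hits.append((sha, mtype, harm, rev))
    return hits

def count(conn):
    return conn.execute("SELECT COUNT(*) FROM malware").fetchone()[0]

if __name__ == "__main__":
    db = open_db()
    # Constructed sample captured from monitored traffic.
    sha = collect(db, "traffic-monitor",
                  b"POST /up HTTP/1.1\r\n\r\n<?php eval($_POST['c']); ?>", "HTTP")
    label(db, sha, "trojan", 9)
    revise(db, sha, ["$_POST['cmd']"])
    print(lookup(db, "eval("))
```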
The data encryption processing module is an important component of the malicious code detection engine, and has the main function of encrypting the network data and preventing the malicious code from stealing and falsifying the transmitted data so as to protect the security of the network data.
Specifically, the data encryption processing module comprises an encryption algorithm library, a key management module, an encryption filtering module, an encryption strategy management module, a security audit module, an encryption performance optimization module and an encryption error processing module.
The encryption algorithm library is the core of the data encryption processing module and provides various encryption and decryption algorithms, such as DES, AES, RSA and other common algorithms; the library uses symmetric-key and public-key encryption in combination so that data is protected during transmission and is more secure.
The key management module is responsible for providing independent keys for different users or application programs so as to ensure the security of data encryption; the key management module adopts modes of key generation, key distribution, key storage, key protection and the like to ensure the security of the key, and simultaneously supports periodic key replacement to ensure the long-term reliability of data encryption.
The encryption filtering module filters and manages encrypted and decrypted data by monitoring network traffic in real time; it can intercept and defend against malicious code requests and also supports encryption and decryption of specific data types to improve data security.
The encryption policy management module is responsible for formulating an encryption policy and defining encryption rights and ranges of users and application programs; the encryption strategy management module can be optimized and adjusted according to different application scenes and business requirements so as to better meet the requirements of users and clients.
The security audit module records and manages the data-encryption operation log and monitors and audits access to and use of the encrypted data; it can issue early warnings and reports on irregular operations and abnormal events so that potential security hazards are discovered and eliminated in time.
The encryption performance optimization module is mainly responsible for optimizing and accelerating the encryption process so as to improve the speed and efficiency of data encryption and decryption; the encryption performance optimization module optimizes the encryption algorithm and hardware equipment, so that the data processing speed and efficiency are improved, and delay and resource consumption in the encryption process are reduced, so that the data encryption process is smoother and more efficient.
The encryption error processing module processes and responds to the encryption failure or error occurrence condition, and can record and remind the encryption error and simultaneously repair and recover the corresponding error so as to ensure the continuous and smooth encryption process and the data security.
In conclusion, the data encryption processing module is provided with various technical and functional supports such as an encryption algorithm library, a key management module, an encryption filtering module, an encryption strategy management module, a security audit module, an encryption performance optimization module, an encryption error processing module and the like, so that the data security and confidentiality can be effectively improved, and the network security of the whole local area network can be ensured.
The bidirectional authentication module is an important component of the malicious code detection engine; its main function is to authenticate the identity of both parties to a network communication and to prevent unauthorized access and attacks.
Specifically, the bidirectional authentication module comprises a certificate management module, a security protocol module, a security authentication module, a security policy module and a security log module.
The certificate management module is responsible for providing digital certificates to both communicating parties so as to ensure accurate and reliable identity authentication; it covers certificate issuance, certificate distribution, certificate revocation and certificate verification, and keeps certificates up to date and valid.
The security protocol module defines the security protocol used in the bidirectional authentication process, namely the SSL protocol and the TLS protocol; bidirectional authentication and encryption of the exchanged data are achieved through encryption algorithms, digital signatures, key exchange and related techniques.
The security authentication module verifies the operations in the identity authentication and authorization process, including the handling of authentication and authorization information, account management and authorization control, so that identity authentication is secure and effective.
The security policy module provides the security policy for bidirectional authentication and sets the corresponding rules according to the identities and rights of the two parties, so that bidirectional authentication proceeds smoothly and securely.
The security log module is responsible for recording events and operation logs during communication and interaction so that abnormal events can be traced and analyzed, improving the security of the whole local area network.
In summary, the bidirectional authentication module ensures the accuracy, security and effectiveness of bidirectional authentication through the certificate management module, security protocol module, security authentication module, security policy module and security log module, and effectively prevents and defends against the impact of malicious code on network security and stability.
The malicious code detection engine and the bidirectional authentication module are the two key components of the network security protection; they are connected and cooperate as follows:
(1) Linked detection:
through linked detection, the malicious code detection engine and the two-way authentication module jointly ensure the security and stability of the system; the malicious code detection engine detects malicious code present in the network, provides threat information in real time and automatically updates the security policy; using the threat information provided by the detection engine, the bidirectional authentication module verifies and defends the identity information in the communication so as to prevent unauthorized access and attacks.
(2) Bidirectional authentication:
the malicious code detection engine and the bidirectional authentication module secure the system's bidirectional authentication through mutual authentication; the malicious code detection engine can use digital certificates and similar means to authenticate the identity information of both communicating parties so as to prevent theft and tampering by malicious code; the bidirectional authentication module encrypts and decrypts the bidirectional authentication traffic and data, ensuring the security and confidentiality of the communication process.
(3) Comprehensive protection:
working together, the malicious code detection engine and the bidirectional authentication module comprehensively ensure the security and stability of the system; the malicious code detection engine discovers and gives early warning of malicious code in the network and responds to and handles it quickly; the two-way authentication module authenticates both parties of the network communication and encrypts their data, so that two-way communication is secure and reliable.
In summary, the association and cooperation between the malicious code detection engine and the two-way authentication module are critical to the overall network security protection: abnormal actions are discovered and handled in time through quick response, monitoring, detection, authentication and identification, normal network communication and data security are maintained, and the stability and security of the local area network environment are guaranteed.
Fig. 2 is a flow chart of the communication method in a local area network according to the present application; the method includes:
s1: the client receives a network request of the host;
s2: the malicious code detection engine arranged on the client detects whether malicious codes exist in the network request, if so, the malicious codes are stored in a malicious code database, then the malicious codes in the network request are cleared and deleted, the network request is sent to the data encryption processing module, and otherwise, the network request is directly sent to the data encryption processing module;
s3: the data encryption processing module encrypts the network request to obtain an encrypted network request and sends the encrypted network request to the two-way authentication module;
s4: the two-way authentication module authenticates the encrypted network request to confirm the identity information of the client, then confirms the identity information of the router, and sends the encrypted network request to the router if the identity information of the client and the identity information of the router are correct;
s5: the router receives the encrypted network request.
Example 1: the following is an embodiment of a system and method for avoiding malicious code attacks within a local area network, including how it operates, the functions involved and the code executed.
(1) The system operation mode is as follows:
the system can operate on multiple terminal nodes in a network and avoids malicious code attacks by monitoring for malicious code and abnormal data traffic in network communication. The system can use key agreement algorithms, digital signatures, hash algorithms and other means for data encryption and identity authentication.
(2) The main functions are:
the system comprises the following main functions:
2.1 Initialization function: initializes the system, e.g. specifying system parameters and defining data structures.
2.2 Malicious code detection function: scans all data traffic in network communication and detects and identifies malicious code based on its features, so as to prevent malicious code attacks.
2.3 Bidirectional authentication function: prevents unauthorized access and attacks by authenticating and encrypting/authorizing both sides of the network communication.
2.4 Log management function: records the system's run log, including all operations, discovered abnormal behaviour and the like.
(3) Run code example:
the following is a simple example of run code for the system, written in Python:
The system therefore uses a range of techniques and functions to ensure safety and stability within the local area network, and the run code example lets the user carry out the operation in practice.
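The S1-S5 flow above, together with Example 1's detection and two-way authentication functions, as a runnable model; this is an added example, not the patent's or Example 1's own code. It assumes stand-ins for every module: an in-memory malicious code database of SHA-256 signatures and byte-pattern features, an HMAC-SHA256 keystream with an HMAC tag in place of the AES/RSA library the patent names, and an HMAC challenge-response on pre-shared device secrets in place of certificate-based TLS mutual authentication; all sample requests, signatures and secrets are constructed.

```python
"""Added example, not the patent's own code: a runnable model of steps S1-S5.
Assumed stand-ins: the malicious code database is an in-memory set of SHA-256
signatures plus byte-pattern features; the data encryption processing module
is an HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC) in place of the
AES/RSA library the patent names; the two-way authentication module is an HMAC
challenge-response on pre-shared device secrets, not certificate-based TLS."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

NONCE_LEN, TAG_LEN = 16, 32

@dataclass
class MaliciousCodeDB:
    """Known signatures and features, plus the malicious code stored by S2."""
    signatures: set = field(default_factory=set)   # SHA-256 of known bad payloads
    features: list = field(default_factory=list)   # byte patterns of known bad code
    captured: list = field(default_factory=list)   # malicious code stored in S2

def build_constructed_db() -> MaliciousCodeDB:
    """Constructed sample entries; a real database is fed by the update mechanism."""
    db = MaliciousCodeDB()
    db.features = [b"<script>evil()</script>", b"'; DROP TABLE users; --"]
    db.signatures.add(hashlib.sha256(b"MZ-constructed-dropper-stub").hexdigest())
    return db

def detect_and_clean(body: bytes, db: MaliciousCodeDB) -> tuple:
    """S2: match the request against the database; store and strip any hit."""
    found = []
    if hashlib.sha256(body).hexdigest() in db.signatures:
        found.append(body)                 # the whole request is a known sample
        db.captured.append(body)
        return b"", found
    for pattern in db.features:
        if pattern in body:
            found.append(pattern)
            db.captured.append(pattern)    # stored before it is removed
            body = body.replace(pattern, b"")
    return body, found

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256 (stand-in for AES)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """S3: nonce || ciphertext || HMAC tag over (nonce, ciphertext)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class Device:
    name: str
    role: bytes        # b"client" or b"router"; keeps the two proofs distinct
    secret: bytes      # this device's own pre-shared secret
    peers: dict        # name -> secret of the devices allowed to talk to it

def _proof(secret: bytes, role: bytes, challenge: bytes) -> bytes:
    return hmac.new(secret, role + challenge, hashlib.sha256).digest()

def mutual_authenticate(client: Device, router: Device) -> bool:
    """S4: each side answers the other's fresh challenge with its own secret."""
    ch_from_router, ch_from_client = secrets.token_bytes(16), secrets.token_bytes(16)
    client_proof = _proof(client.secret, client.role, ch_from_router)
    router_proof = _proof(router.secret, router.role, ch_from_client)
    client_key = router.peers.get(client.name)      # router's view of the client
    router_key = client.peers.get(router.name)      # client's view of the router
    client_ok = client_key is not None and hmac.compare_digest(
        client_proof, _proof(client_key, client.role, ch_from_router))
    router_ok = router_key is not None and hmac.compare_digest(
        router_proof, _proof(router_key, router.role, ch_from_client))
    return client_ok and router_ok

def handle_request(body: bytes, db: MaliciousCodeDB, client: Device,
                   router: Device, session_key: bytes) -> dict:
    """S1-S5 end to end: scan, encrypt, authenticate both parties, deliver."""
    cleaned, found = detect_and_clean(body, db)                      # S2
    blob = encrypt(session_key, cleaned)                             # S3
    if not mutual_authenticate(client, router):                      # S4
        return {"delivered": False, "malicious": found}
    return {"delivered": True, "payload": decrypt(session_key, blob),  # S5
            "malicious": found}
```

A request from a device whose name or secret the router does not know is never delivered, and a ciphertext whose tag has been altered is rejected before decryption.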
Example 2: the system and method for avoiding malicious code attacks in a local area network on a Windows 10 system are as follows:
(1) Client endpoint protection:
endpoint protection software, such as a host firewall and endpoint security software, is installed on each client. This software provides real-time malicious code detection and prevention and secures host requests. The client must also install the latest operating system updates and security patches to fix known vulnerabilities and improve system security.
Client endpoint protection here means that the system takes a series of measures on each client to protect it from malicious code attacks.
Client endpoint protection in detail:
firewall software is installed on each client to limit network traffic to and from the client and to prevent unauthorized access. The firewall monitors and filters network connections, prevents malicious code from entering the client over the network, and prevents malicious instructions from being sent from the client.
Endpoint security software, such as antivirus software and anti-malware tools, is installed on the client. Such software scans for, detects and removes malicious code in real time and protects the client from viruses, worms, trojans and other malware. The security software and its virus database must be updated promptly to cope with newly emerging threats.
Operating system and software updates and security patches are installed promptly to fix known vulnerabilities and security issues. Malicious code attacks often exploit vulnerabilities in the operating system and software to compromise the client, so keeping the system updated is critical.
Users are taught to create strong passwords, to use complex passwords containing letters, numbers and special characters, and to change them periodically. This defends against common password-cracking attacks such as brute force and dictionary attacks.
Downloading and executing executable files, scripts, plug-ins and browser extensions from untrusted sources is disabled or restricted. This prevents malicious code from being downloaded and executed over the network and reduces the potential security risk.
Users are given education and training so that they understand how social engineering and phishing attacks work, with emphasis on not opening e-mail attachments, links and downloads from unknown or untrusted sources. Users are reminded to stay vigilant and not to disclose personal sensitive information. Important data is backed up periodically and the backup is stored in an offline, secure location, so that data can be recovered rather than lost even if it is attacked or damaged by malicious code.
(2) Network boundary protection:
firewalls and intrusion detection/intrusion prevention systems (IDS/IPS) are configured on the router to filter and block unwanted network traffic, attacks and the propagation of malicious code. The router's remote management functions are turned on so that network traffic can be monitored and managed in time and potentially malicious behaviour detected and intervened in.
Network boundary protection is one of the important measures for preventing malicious code attacks.
Detailed network boundary protection recommendations:
A firewall is configured on the network boundary to filter and monitor traffic entering and exiting the network. The firewall may control which packets may enter or leave the network, allowing or rejecting traffic according to predefined rules.
Firewalls are configured to prevent common attacks such as port scanning, denial of service attacks, and malware propagation.
A stateful firewall is used that is capable of tracking the state of a network connection and allowing or rejecting packets based on the state of the connection.
An intrusion detection/intrusion prevention system is deployed on the network boundary to monitor and detect potential malicious activity. The IDS/IPS can analyze patterns and behavioral anomalies in network traffic, identify possible attacks, and take responsive measures.
The IDS/IPS is configured to detect and block known malicious code and attack signatures in real-time.
The rules of the IDS/IPS are updated and maintained to ensure accurate detection and prevention of new threats and attacks.
The network is divided into different areas or sub-networks, and resources and users are placed in different areas according to service requirements and security levels. Access control policies are implemented to restrict communication between areas and prohibit unnecessary network access.
Network isolation and segmentation is achieved using Virtual Local Area Networks (VLANs), subnet masks, and network devices such as switches and routers.
DNS filters are provided in the network or DNS proxies are used to filter and prevent access to known malicious websites and domain names.
DNS filters are configured to prevent domain name hijacking and DNS spoofing attacks to protect users from malicious domain names.
A network intrusion detection system (NIDS) is deployed to monitor and detect potential attacks and malicious activity in network traffic.
NIDS may analyze protocol and behavioral anomalies in network traffic and alert or take corresponding actions according to predefined rules or machine learning algorithms.
NIDS rules are configured and optimized to accurately detect and block known malicious code and attacks.
Email filters and security gateways are provided to detect and block malware attachments, links, and embedded malicious code.
Staff are prohibited or restricted from using personal e-mail accounts or external file transfer services, to reduce the risk of malware.
Network devices, firewalls, IDS/IPS and other devices are configured to generate detailed security logs, which are stored and monitored centrally.
The logs are analyzed and alerted on in real time using a Security Information and Event Management (SIEM) system, which also helps detect and respond to potential malicious activity.
Network traffic analysis tools are used to monitor network traffic in real time and detect potential malicious activity.
Threat intelligence services are integrated to obtain the latest threat and security vulnerability information, and the security policy is updated according to that intelligence.
Web application firewalls (WAFs) are deployed to detect and block attacks against web applications, such as SQL injection and cross-site scripting.
The WAF is configured to block known attack patterns and to identify new attack patterns using machine learning algorithms.
Antivirus and anti-malware gateways at the network boundary detect and prevent the spread and execution of malware; malware downloads, sharing and execution are detected and prevented through file scanning and behaviour monitoring.
Network equipment, operating systems, applications and security tools must have the latest security updates and patches installed promptly; automated tools are used to manage and monitor the update process to reduce the risk from vulnerabilities.
Staff are educated about social engineering attacks such as phishing e-mail, phishing sites and social media fraud, and given network security awareness training so that they can identify and deal with potential threats such as weak passwords and untrusted software downloads.
(3) Malicious code detection and update mechanism:
the malicious code detection engine detects and analyzes host requests in real time based on machine learning or deep learning algorithms. As the malicious code database is updated, new malicious code features and signatures are added to the detection engine to ensure that new threats are identified and prevented accurately.
The malicious code detection and update mechanism is the key component that lets the system identify and block emerging malicious code in time. In detail:
the malicious code detection engine is a software component that detects and identifies malicious code using machine learning, deep learning, behavioural analysis and similar techniques. It analyzes suspicious files, code or network traffic and determines whether malicious behaviour exists based on predefined features and behaviour patterns. Common malicious code types include viruses, worms, trojans, adware and the like. Malicious code features and signatures are the key information for identifying and distinguishing malicious code: a feature is typically a particular attribute or behaviour pattern of the malicious code, such as a specific string, API call or file path, while a signature is a compact identifier of a known malicious code sample, typically generated with a hash function. The detection engine uses these features and signatures to match and identify malicious code.
The malicious code database stores the features, signatures and other relevant information of known malicious code. Such databases are typically maintained by a security vendor, organization or community and are updated periodically to include the latest malicious code samples. By comparing against the database, the detection engine can quickly identify known malicious code.
To cope with emerging malicious code in time, the detection engine must be updated continuously. The security vendor collects malicious code samples, analyzes their features, generates new signatures and pushes the updated data to clients. An automated mechanism, such as automated sample collection, feature extraction and signature generation, keeps this process efficient and accurate.
For large network environments, a centralized management system can manage and update the malicious code detection engines, giving unified security policy management, updating and deployment, reducing the administrator's workload and ensuring uniformity and consistency across the whole network.
Malicious code detection and update mechanisms can also be strengthened by collaboration and information sharing between organizations and security vendors. Sharing malicious code samples, features and security intelligence speeds up the detection of and response to emerging threats, improving the security of the whole network.
(4) Data transmission encryption and authentication:
an encrypted communication connection is established between the client and the router, and packets are encrypted with a secure transport protocol (such as SSL/TLS) to ensure the confidentiality and integrity of the data. A two-way authentication mechanism requires the client and the router to authenticate each other, using digital certificates and key exchange protocols so that only authorized devices can establish a connection.
Encryption and authentication of data transmission are important measures for ensuring the confidentiality, integrity and authenticity of data transmitted within the local area network. In detail:
to protect the confidentiality of data in transit, an encrypted communication connection can be established between the client and the router. Common encryption protocols are SSL (Secure Sockets Layer) and TLS (Transport Layer Security), which combine public-key and symmetric-key encryption to secure data transmission. The encrypted connection prevents an unauthorized third party from obtaining sensitive information.
For authentication of data transmissions, digital certificates and key exchange protocols can be used. A digital certificate is an electronic document signed by a trusted Certificate Authority (CA) that proves the identity and trustworthiness of a communicating party. A key exchange protocol lets the two parties securely agree on the keys used for encryption and authentication.
Public key infrastructure (PKI) is the architecture for managing, distributing and revoking digital certificates. It comprises Certificate Authorities (CAs), Registration Authorities (RAs) and Certificate Revocation Lists (CRLs), which together ensure the trustworthiness and security of certificates.
Within the local area network, a strong password policy should be used for user authentication and encrypted communication. Strong passwords have sufficient length, complexity and randomness to stop an attacker gaining access by guessing or brute force.
Two-way authentication requires the client and the router to authenticate each other before a connection is established. Both must hold valid digital certificates that prove their identities. This mechanism prevents man-in-the-middle attacks and identity spoofing.
The choice of secure protocols and algorithms is also important for the security of data transmission: for example, support newer TLS versions (e.g., TLS 1.3) and use stronger encryption algorithms and longer keys to protect data transmission against attack.
To keep data transmission encryption and authentication reliable, the associated certificates, keys and security configurations should be updated and managed periodically. This includes renewing certificates before they expire, regenerating and distributing certificates, periodically replacing encryption keys, and auditing and updating the security protocols and algorithms.
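The two-way authentication described in this section, expressed with Python's standard ssl module, as an added example that is not the patent's own code: the weak client settings the section warns against beside hardened client and router contexts (TLS 1.3 minimum, peer certificate required on both sides, CRL check when a list is supplied), plus a check that flags the weak settings. Certificate, key, CA and CRL file paths are placeholders passed by the caller and are loaded only when given.

```python
"""Added example (not the patent's own code): mutual TLS contexts with the
standard ssl module, the weak anti-pattern beside the hardened form, and an
audit of a context against this section's guidance. File paths are caller-
supplied placeholders; nothing is loaded unless a path is given."""
import ssl

TARGET_MIN_VERSION = ssl.TLSVersion.TLSv1_3   # the section's recommended floor


def weak_client_context() -> ssl.SSLContext:
    """Anti-pattern: the client accepts any router certificate, or none."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # no identity check: open to MITM
    return ctx


def mutual_tls_context(server_side: bool, certfile=None, keyfile=None,
                       cafile=None, crlfile=None) -> ssl.SSLContext:
    """Hardened context: TLS 1.3 only, peer certificate required on both sides."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.minimum_version = TARGET_MIN_VERSION
    ctx.verify_mode = ssl.CERT_REQUIRED        # router demands a client cert too
    if not server_side:
        ctx.check_hostname = True              # client binds the cert to the router name
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    if certfile:    # this party's own certificate and private key (placeholder paths)
        ctx.load_cert_chain(certfile, keyfile)
    if cafile:      # the private CA that issued the peer certificates
        ctx.load_verify_locations(cafile=cafile)
    if crlfile:     # revocation list from the PKI; the peer's leaf cert is checked against it
        ctx.load_verify_locations(cafile=crlfile)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the ways a context falls short of this section's guidance."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < TARGET_MIN_VERSION:
        findings.append("TLS versions below 1.3 allowed")
    return findings
```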
(5) User education and training:
users within the local area network are educated and trained on network security and malicious code to improve their awareness of possible threats and of security practices.
Users are urged not to open or download files, links and attachments from untrusted sources, and to watch out for fraud and phishing attacks in e-mail and on web pages.
Through these measures, the system and method provide a degree of protection against malicious code attacks in a local area network on a Windows 10 system. Adjustments and optimizations should still be made according to actual needs and conditions, and the system updated and maintained periodically to improve security.
The foregoing has shown and described the basic principles, principal features and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, and that the above embodiments and descriptions are merely illustrative of the principles of the present invention, and various changes and modifications may be made without departing from the spirit and scope of the invention, which is defined in the appended claims. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (10)

1. A communication system within a local area network, comprising:
the client is used for receiving a network request of the host;
the malicious code detection engine is arranged on the client and used for detecting whether malicious codes exist in the network request, if so, the malicious codes are stored in the malicious code database, then the malicious codes in the network request are cleared and deleted, the network request is sent to the data encryption processing module, and otherwise, the network request is directly sent to the data encryption processing module;
the data encryption processing module is used for carrying out encryption processing on the network request, obtaining an encrypted network request and sending the encrypted network request to the bidirectional authentication module;
the bidirectional authentication module authenticates the encrypted network request to confirm the identity information of the client, then confirms the identity information of the router, and sends the encrypted network request to the router if the identity information of the client and the identity information of the router are correct;
the router is used for receiving the encrypted network request;
and the malicious code database is used for storing malicious code information.
2. The communication system of claim 1, wherein the malicious code detection engine comprises:
the feature extraction module is used for analyzing the flow features, protocol information and data content of the data packet of the network request so as to extract key features of the network request;
the feature matching module is used for comparing and classifying key features of the network request with known malicious code features in a malicious code database to judge whether the malicious code request exists or not, if so, the network request is transferred to the threat assessment module, and if not, the risk of the network request is ignored;
the threat assessment module is used for assessing and grading malicious codes with malicious code requests;
and the defense control module is used for defending and controlling the malicious codes according to the evaluation and classification.
3. The communication system of claim 2, wherein the feature extraction module comprises:
the flow characteristic extraction module is used for extracting and analyzing the flow characteristics of the data packet to obtain the size, the transmission rate and the time stamp information of the data packet;
the protocol information extraction module is used for extracting and analyzing the protocol information in the data packet to obtain a protocol type, a protocol version and a protocol option;
the data content extraction module is used for analyzing and extracting the data content of the data packet to obtain HTTP request content, SMTP mail content and FTP transmission content;
the feature screening module is used for screening and filtering the data packet size, the transmission rate, the timestamp information, the protocol type, the protocol version, the protocol options, the HTTP request content, the SMTP mail content and the FTP transmission content to obtain key features;
and the model training module trains the key features so as to obtain a malicious code detection model, and finally extracts the key features of the malicious code through the malicious code detection model.
4. The communication system of claim 2, wherein the feature matching module comprises:
the pattern matching module is used for comparing key features of the network request with known malicious code features in a malicious code database through a feature matching algorithm to obtain a matching result;
and the classification processing module classifies according to the matching result.
5. The communication system of claim 2, wherein the threat assessment module assesses and ranks the malicious code through a threat classification algorithm, an assessment index, and an assessment rule to obtain an assessment result, and displays the assessment result; wherein the evaluation index comprises threat degree, risk level and target influence range; the evaluation rules are specific evaluation rules and processes which are established by threat classification algorithms and evaluation indexes, and comprise judgment conditions, evaluation processes and coping processes.
6. The communication system of claim 2, wherein the defense control module comprises:
the threat isolation module is used for isolating the detected malicious codes to a specific network area;
the threat blocking module is used for shielding or intercepting malicious codes in a specific network area;
the log tracking module is used for tracking and recording the request of the malicious code so as to carry out subsequent capturing and analysis;
and the threat removal module is used for removing and deleting the malicious codes.
7. The communication system of claim 1, wherein the process of constructing the malicious code database comprises:
collecting malicious code samples;
extracting malicious code characteristics;
establishing a malicious code database according to the malicious code characteristics;
marking malicious codes in a malicious code database;
and updating the malicious codes of the malicious code database.
8. The communication system of claim 1, wherein the data encryption processing module comprises:
an encryption algorithm library providing an encryption algorithm and a decryption algorithm;
the key management module provides independent keys for different users or application programs;
the encryption and filtration module is used for filtering and managing the encrypted data and the decrypted data by monitoring the network traffic in real time;
the encryption policy management module is used for formulating an encryption policy and defining the encryption authority and range of a user and an application program;
the security audit module is used for recording and managing the operation log encrypted by the data and monitoring and auditing the access and the use of the encrypted data;
the encryption performance optimization module optimizes and accelerates the encryption process;
and the encryption error processing module is used for processing and responding to the encryption failure or error occurrence.
9. The communication system of claim 1, wherein the mutual authentication module comprises:
the certificate management module provides digital certificates for both network communication parties;
the security protocol module is used for defining a security protocol used in a bidirectional authentication process, wherein the security protocol comprises an SSL protocol and a TLS protocol;
the safety authentication module is used for verifying various operations in the identity authentication and authorization process;
a security policy module providing a security policy for the mutual authentication;
and the safety log module is used for recording events and operation logs in the authentication communication and interaction process.
10. A method of communication in a local area network, comprising:
s1: the client receives a network request of the host;
s2: the malicious code detection engine arranged on the client detects whether malicious codes exist in the network request, if so, the malicious codes are stored in a malicious code database, then the malicious codes in the network request are cleared and deleted, the network request is sent to the data encryption processing module, and otherwise, the network request is directly sent to the data encryption processing module;
s3: the data encryption processing module encrypts the network request to obtain an encrypted network request and sends the encrypted network request to the two-way authentication module;
s4: the two-way authentication module authenticates the encrypted network request to confirm the identity information of the client, then confirms the identity information of the router, and sends the encrypted network request to the router if the identity information of the client and the identity information of the router are correct;
s5: the router receives the encrypted network request.
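The five steps of claim 10 can be traced end to end in a small simulation. The block below is an added example and not code from the patent: the malicious code database is a constructed list of byte signatures, the cipher is a hash-derived keystream with an HMAC tag (a standard-library stand-in for a real authenticated cipher, which the claim does not name), and the two-way authentication is HMAC challenge-response over pre-shared keys; all keys, signatures and the sample request are constructed here.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


class MaliciousCodeDetectionEngine:
    """S2: find known malicious fragments, record them, strip them from the request."""

    def __init__(self, signatures):
        self.signatures = list(signatures)
        self.malicious_code_database = []  # stands in for the claim's malicious code database

    def scan(self, request: bytes) -> bytes:
        cleaned = request
        for sig in self.signatures:
            if sig in cleaned:
                self.malicious_code_database.append(sig)  # store the hit
                cleaned = cleaned.replace(sig, b"")  # then clear it from the request
        return cleaned


class DataEncryptionProcessingModule:
    """S3/S5: encrypt-then-MAC so the router can reject tampered ciphertext."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks, counter = [], 0
        while sum(len(b) for b in blocks) < length:
            blocks.append(hashlib.sha256(self.enc_key + nonce + counter.to_bytes(4, "big")).digest())
            counter += 1
        return b"".join(blocks)[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext integrity check failed")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


class TwoWayAuthenticationModule:
    """S4: each side proves knowledge of its pre-shared identity key with an HMAC."""

    def __init__(self, client_key: bytes, router_key: bytes):
        self.client_key, self.router_key = client_key, router_key

    def prove_client(self, encrypted_request: bytes, client_nonce: bytes) -> bytes:
        return hmac.new(self.client_key, encrypted_request + client_nonce, hashlib.sha256).digest()

    def prove_router(self, client_nonce: bytes, router_nonce: bytes) -> bytes:
        return hmac.new(self.router_key, client_nonce + router_nonce, hashlib.sha256).digest()


def run_method(request: bytes, signatures, client_keys: dict, router_keys: dict) -> dict:
    """Run S1 to S5; the two key dicts hold "enc", "mac", "client" and "router" keys."""
    # S1: the client has received the host's request (the `request` argument).
    engine = MaliciousCodeDetectionEngine(signatures)
    cleaned = engine.scan(request)  # S2
    client_crypto = DataEncryptionProcessingModule(client_keys["enc"], client_keys["mac"])
    encrypted = client_crypto.encrypt(cleaned)  # S3
    # S4: the client proves its identity to the router first...
    client_auth = TwoWayAuthenticationModule(client_keys["client"], client_keys["router"])
    router_auth = TwoWayAuthenticationModule(router_keys["client"], router_keys["router"])
    client_nonce = secrets.token_bytes(NONCE_LEN)
    client_ok = hmac.compare_digest(client_auth.prove_client(encrypted, client_nonce),
                                    router_auth.prove_client(encrypted, client_nonce))
    # ...then the router proves its identity to the client.
    router_nonce = secrets.token_bytes(NONCE_LEN)
    router_ok = hmac.compare_digest(router_auth.prove_router(client_nonce, router_nonce),
                                    client_auth.prove_router(client_nonce, router_nonce))
    result = {"quarantined": engine.malicious_code_database, "client_authenticated": client_ok,
              "router_authenticated": router_ok, "delivered": None}
    # S5: the router receives (and here decrypts) the request only when both checks pass.
    if client_ok and router_ok:
        router_crypto = DataEncryptionProcessingModule(router_keys["enc"], router_keys["mac"])
        result["delivered"] = router_crypto.decrypt(encrypted)
    return result


# Constructed keys, signatures and request for a stand-alone run.
KEYS = {"enc": b"k-enc-0", "mac": b"k-mac-0", "client": b"k-client-0", "router": b"k-router-0"}
SIGNATURES = [b"<script>evil()</script>", b"../../etc/passwd"]
SAMPLE_REQUEST = b"GET /index.html?q=<script>evil()</script> HTTP/1.1"

if __name__ == "__main__":
    print(run_method(SAMPLE_REQUEST, SIGNATURES, KEYS, KEYS))
```

Passing a router key set that differs from the client's in the "router" entry makes the router's proof fail, so the request is never delivered even though the client itself authenticated; that is the ordering the claim specifies, client first, then router, with delivery gated on both.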
CN202310943752.0A 2023-07-31 2023-07-31 Communication system and method in local area network Pending CN116723048A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310943752.0A CN116723048A (en) 2023-07-31 2023-07-31 Communication system and method in local area network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310943752.0A CN116723048A (en) 2023-07-31 2023-07-31 Communication system and method in local area network

Publications (1)

Publication Number Publication Date
CN116723048A true CN116723048A (en) 2023-09-08

Family

ID=87869991

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310943752.0A Pending CN116723048A (en) 2023-07-31 2023-07-31 Communication system and method in local area network

Country Status (1)

Country Link
CN (1) CN116723048A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117081864A (en) * 2023-10-17 2023-11-17 天津市职业大学 Network information security defense detection method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination