CN1384639A - Distributed dynamic network security protecting system - Google Patents
Publication number: CN1384639A (application CN02115957A)
Authority: CN (China)
Legal status: Granted (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Abstract
The distributed dynamic network security protection system has a central network management platform equipped with an aggregation decision module and a policy distribution module. The network is divided into N subnets in a tree structure, and each subnet management platform is likewise equipped with an aggregation decision module and a policy distribution module. Every node in a subnet has a micro-intrusion detection module and a micro-firewall module installed. The policy distribution module uses mobile agent technology. The distributed micro-intrusion detection modules provide security protection at the application layer, while the distributed micro-firewall modules provide security protection at kernel level. This dual protection lets the system prevent attacks from outside and inside, resist coordinated intrusions, and provide dynamic self-immunity.
Description
Technical field
The invention belongs to the field of computer security and specifically relates to a dynamic network security protection system based on distributed micro-firewalls and distributed micro-intrusion detection.
Background art
With the steady rise in network crime and the proliferation of hacker web sites, network security has become a critical problem in computing and its applications, and network security tools have appeared one after another. Although network protocols are continually revised, the most mature and already commercialised tools among those attracting attention are intrusion detection and firewall technology. Both are application security technologies built on modern communication network technology and information security technology, and their goal is to protect data, resources and the user's reputation.
A technical report of China's network security emergency response center points out two main challenges facing current intrusion detection systems. First, the false alarm rate is too high; the U.S. government has funded academic research on the false-alarm problem through the National Science Foundation, which shows how serious the problem is. Second, detection is too slow: most current intrusion detection systems cannot handle the traffic of a fully loaded 100 Mbit/s network without sacrificing detection quality.
In 1999 S. M. Bellovin, in "Distributed Firewalls" (;login: magazine, volume 24, issue 5), first proposed the architecture of the distributed firewall, shown schematically in Figure 1. In this architecture a firewall is installed on every node of the protected subnet to perform packet-level access control, while a central management platform manages the firewalls' security policy centrally and publishes it to each firewall through a policy distribution module; the distribution mechanism uses TFTP (Trivial File Transfer Protocol). This architecture removed several weaknesses of the traditional firewall (dependence on the physical network topology, inability to stop attacks from inside, low throughput, many points of failure, inability to handle end-to-end cryptographic protocols such as IPsec effectively). However, as the number of protected nodes grows, the policy distribution task of the central management platform becomes ever heavier, which reduces the scalability of the system; moreover, the architecture can neither stop the increasingly serious coordinated intrusions nor effectively achieve dynamic self-immunity. TFTP itself also provides no authentication or integrity protection for the policy it carries, so a distribution mechanism built on it must supply both separately.
Summary of the invention
Addressing the shortcomings of existing intrusion detection and firewall technology, the invention proposes a distributed dynamic network security protection system. The system organically combines distributed micro-intrusion detection with micro-firewall technology: a micro-firewall and a micro-intrusion detection system are installed on each protected host, and a central management console with an aggregation decision mechanism and a policy distribution mechanism analyses, correlates, warns of and handles intrusion events. This forms two-layer, fine-grained security protection that effectively prevents attacks from outside and inside the network, eliminates the bottleneck effect of the firewall, avoids single points of failure, guards against distributed coordinated intrusions, and effectively achieves dynamic self-immunity and scalable growth of the system. The system uses mobile agent technology, which relieves the bottleneck at the central management console, effectively prevents a single point of failure at the policy management platform, and guarantees good scalability.
In terms of operating principle the system has two main parts: the micro-firewall system and micro-intrusion detection system installed on each protected node, and the IDS aggregation decision module and firewall policy distribution module installed on the central management platform.
In the distributed dynamic network security protection system of the invention, the network central management platform is configured with an aggregation decision module and a policy distribution module; the network is divided into N subnets (N ≥ 1) in a tree structure; each subnet management platform is also configured with an aggregation decision module and a policy distribution module; and every node in a subnet has a micro-intrusion detection module and a micro-firewall module installed.
The micro-firewall module of each subnet node receives network packets, discards illegal packets and passes legal packets to the micro-intrusion detection module of the same node;
the micro-intrusion detection module inspects the packets; if a conventional intrusion occurs it modifies the security policy of the micro-firewall module, otherwise it sends the security event to the aggregation decision module of the subnet;
the aggregation decision module of each subnet detects coordinated intrusions from the current security events sent by the subnet's nodes and decides by their severity whether they need to be passed to the upper-level management platform; if not, it notifies the policy distribution module, which starts the subnet mobile agent system that logs on to each node of the subnet and modifies the security policy of its micro-firewall module;
the aggregation decision module of the central management platform receives the coordinated intrusion events sent by the subnet aggregation decision modules and notifies the policy distribution module to generate a global security policy; the policy distribution module starts the global mobile agent system, which carries the policy to the policy distribution module of each subnet management platform and thereby modifies the security policy of the micro-firewall modules of all nodes.
In the described distributed dynamic network security protection system, each subnet may be further divided into several levels of sub-subnets.
The described distributed dynamic network security protection system is further characterised in that:
(1) the micro-firewall module comprises a packet filtering module and a packet filtering policy library; the policy library defines the current security policy; the packet filtering module resides at the network protocol layer, filters every packet passing through that layer according to the policy library, discards illegal packets and submits legal packets to the micro-intrusion detection module;
(2) the micro-intrusion detection module comprises an event collector, a conventional security event database, a conventional intrusion rule base, a conventional intrusion analyser and a conventional intrusion responder. The event collector gathers in real time the packets passed on by the packet filtering module, assembles them into network security events in a predetermined format, stores them in the conventional security event database and at the same time sends them to the conventional intrusion analyser and to the aggregation decision module. The conventional intrusion rule base holds rules describing conventional intrusions; the conventional intrusion analyser converts these rules into a rule chain and traverses it to match the network security events it receives; when a full match occurs it notifies the conventional intrusion responder, which modifies the packet filtering policy library;
(3) the aggregation decision module comprises an event receiving module, a collaborative security event generation module, an abstraction module, a support and confidence computation module, a threshold comparison module, a collaborative event database, a coordinated intrusion analyser and a coordinated intrusion rule base. The event receiving module receives the network security events sent by the event collectors of the micro-intrusion detection modules and stores them in the collaborative event database; at the same time the collaborative security event generation module produces collaborative security events and passes them to the abstraction module, which abstracts all bytes of a collaborative security event into a value range and passes it to the support and confidence computation module as a candidate new coordinated intrusion rule Y. That module traverses every rule X in the coordinated intrusion rule base, computes the support and confidence of X associated with Y, and passes them to the threshold comparison module, which compares them with the predefined minimum support threshold and minimum confidence threshold; if both exceed their thresholds, Y is stored in the coordinated intrusion rule base. The coordinated intrusion analyser identifies the type of the coordinated intrusion event from the collaborative event database and the coordinated intrusion rule base, produces the corresponding security policy and passes it to the policy distribution module;
(4) the subnet/global mobile agent system consists of a mobile agent client residing on the subnet/central management platform and a mobile agent server end residing on each node/subnet management platform. The client comprises a user interface, a signature module, an agent route record module and a client agent transport protocol stack: the user interface defines the digital signature algorithm of the mobile agent and submits it to the signature module, and also defines the contents of the agent route record; the signature module digitally signs the mobile agent so that the policy distribution module of each node/subnet can verify it; the agent route record module keeps the sequence of nodes/subnet management platforms the mobile agent will visit and interacts with the server through the client agent transport protocol stack. The server end comprises a server agent transport protocol stack, an agent resource control module, a validity check module and a policy interpreter: the client and server agent transport protocol stacks provide the low-level client/server message exchange; the agent resource control module provides the execution environment for the mobile agent; the validity check module verifies the mobile agent's digital signature and hands the security policy it carries to the policy interpreter, which interprets the policy into a policy script and loads it into the packet filtering policy library of the micro-firewall module.
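Signed policy distribution along the mobile agent itinerary described in item (4), as an added example that is not the patent's own (Java) code. The patent specifies a digital signature on the agent; because the Python standard library has no asymmetric signature primitive, HMAC-SHA256 under a constructed shared key stands in for it here, so the verification shown is symmetric (assumption). The policy is a constructed copy of table 2 from the embodiment, the node numbers follow table 8, and the JSON canonical form, the unsigned visited list and the ServerEnd, dispatch and tamper names are this example's own.

```python
import hashlib
import hmac
import json

# Constructed shared key. The patent calls for a digital signature on the agent; the Python standard
# library has no asymmetric signature primitive, so HMAC-SHA256 stands in for it here (assumption).
SIGNING_KEY = b"constructed-demo-key"

# Constructed copy of table 2 (Web group policy) in the six-field layout of the policy library.
WEB_POLICY = [["TCP", "10.0.0.1", ">1024", "17.0.0.1", "80", "ACCEPT"],
              ["ANY", "ANY", "ANY", "17.0.0.1", "ANY", "DROP"]]

def _signed_bytes(body):
    """Canonical encoding of what the signature covers: the policy and the itinerary.
    The visited list is left out because every server end appends to it on the way."""
    return json.dumps({"policy": body["policy"], "itinerary": body["itinerary"]}, sort_keys=True).encode()

def sign_agent(policy, itinerary, key=SIGNING_KEY):
    """Client side (signature module + agent route record): build and sign one mobile agent."""
    body = {"policy": [list(r) for r in policy], "itinerary": list(itinerary), "visited": []}
    return {"body": body, "sig": hmac.new(key, _signed_bytes(body), hashlib.sha256).hexdigest()}

def verify_agent(agent, key=SIGNING_KEY):
    """Validity check module: recompute the tag and compare it in constant time."""
    expected = hmac.new(key, _signed_bytes(agent["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, agent["sig"])

def interpret_policy(rules):
    """Policy interpreter: validate each carried rule before it becomes a policy-library entry."""
    fields = ("proto", "src", "sport", "dst", "dport", "action")
    entries = []
    for r in rules:
        if len(r) != 6 or r[0] not in ("TCP", "UDP", "ICMP", "ANY") or r[5] not in ("ACCEPT", "DROP"):
            raise ValueError(f"malformed rule {r!r}")
        entries.append(dict(zip(fields, r)))
    return entries

class ServerEnd:
    """Mobile agent server end on one node: verify, load the policy, record the visit."""
    def __init__(self, node_id, key=SIGNING_KEY):
        self.node_id, self.key, self.policy_library = node_id, key, []

    def receive(self, agent):
        if not verify_agent(agent, self.key):
            return False                      # unsigned or altered agent: nothing is loaded
        self.policy_library = interpret_policy(agent["body"]["policy"])
        agent["body"]["visited"].append(self.node_id)
        return True

def dispatch(agent, nodes):
    """Walk the itinerary (a table 8 style node sequence); returns the nodes that accepted the policy."""
    return [nid for nid in agent["body"]["itinerary"] if nodes[nid].receive(agent)]

def tamper(agent):
    """A compromised hop flips the catch-all DROP to ACCEPT; returns whether the agent still verifies."""
    agent["body"]["policy"][-1][-1] = "ACCEPT"
    return verify_agent(agent)
```

Because the itinerary is inside the signed bytes, a node cannot redirect the agent to nodes the platform did not list, and because the policy is signed, a node that rewrites the rules breaks verification at every later hop. With a real asymmetric signature the server ends would hold only the platform's public key, which is the property the patent wants and which a shared HMAC key cannot give.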
The described distributed dynamic network security protection system is further characterised in that:
(1) the micro-firewall module also comprises a policy definition user interface and a policy sandbox module; the policy definition user interface lets the user define security policy rules and passes them to the policy sandbox module, which compares the user-defined rule with the rules in the packet filtering policy library, discards the user-defined rule if a conflict is found and otherwise stores it in the packet filtering policy library;
(2) the aggregation decision module also comprises a rule eviction module and a timer; the rule eviction module defines a usage frequency for each new coordinated intrusion rule Y, which is incremented by one each time Y supports an abstracted coordinated intrusion event; when the number of rules generated in the coordinated intrusion rule base reaches its maximum, the module evicts rules of low usage frequency using a least-recently-used algorithm; the timer periodically signals the rule eviction module so that the least used intrusion rules are evicted.
The described distributed dynamic network security protection system may also be characterised in that a collaborative security event is a set of mutually related network security events: they may be related in time, that is, ordered by time of occurrence with the interval between any two adjacent events not exceeding a specified unit interval; or related in space, that is, the source network protocol addresses of the network security events making up the collaborative security event come from the same subnet.
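The aggregation decision path of items (2) and (3) above, with the time and space correlation just defined and the embodiment's thresholds MinSupp = MinConf = 10, as an added example in Python that is not the patent's own implementation. Assumptions, also marked in the code: the unit interval is 60 s; "same subnet" means the same /24; MinConf is read as a percentage; the abstraction of a collaborative event into a candidate rule Y, the support and confidence formulas and the escalation rule are this example's choices, since the patent names them without giving formulas; the rule base holds only two rules so that eviction is visible. All events are constructed.

```python
from collections import namedtuple
from ipaddress import ip_interface

Event = namedtuple("Event", "proto src sport dst dport ts itype harm")  # table 4 fields + micro-IDS verdict

UNIT_INTERVAL = 60            # seconds allowed between adjacent time-related events (value assumed)
MIN_SUPP, MIN_CONF = 10, 10   # the embodiment's thresholds; MinConf is taken as a percentage (assumption)
MAX_RULES = 2                 # rule-base capacity, kept tiny so that eviction is visible (assumption)
SUBNET_PREFIX = 24            # "same subnet" taken as the same /24 (assumption)

def constructed_events():
    """Constructed sample events as the micro-IDS modules would send them up."""
    evs = [Event("TCP", f"10.0.0.{i + 1}", 16000 + i, "17.0.0.2", 21, 1000 + 5 * i, "DoS", 0)
           for i in range(12)]                                   # SYN flood on the FTP node, 5 s apart
    evs += [Event("TCP", "10.0.0.1", 16666, "17.0.0.1", 80, 5000, "Scan", 2),
            Event("TCP", "10.0.0.1", 16667, "17.0.0.1", 80, 5900, "Scan", 2)]  # two isolated probes
    evs += [Event("TCP", f"10.0.1.{i + 1}", 17000 + i, "17.0.0.1", 80, 9000 + 2 * i, "Scan", 2)
            for i in range(11)]                                  # burst scan from a second /24
    return evs

def subnet_of(ip):
    return ip_interface(f"{ip}/{SUBNET_PREFIX}").network

def collaborative_events(events, unit=UNIT_INTERVAL):
    """Collaborative security event generation: list of (correlation, [events]).
    Spatial ("S"): every event whose source lies in one subnet. Temporal ("T"): events ordered
    by time, cut wherever two neighbours are more than `unit` seconds apart. Singletons are dropped."""
    by_net = {}
    for e in events:
        by_net.setdefault(subnet_of(e.src), []).append(e)
    groups = [("S", evs) for evs in by_net.values() if len(evs) > 1]
    chain = []
    for e in sorted(events, key=lambda e: e.ts):
        if chain and e.ts - chain[-1].ts > unit:
            if len(chain) > 1:
                groups.append(("T", chain))
            chain = []
        chain.append(e)
    if len(chain) > 1:
        groups.append(("T", chain))
    return groups

def abstract(group):
    """Abstraction module: reduce a collaborative event to a candidate rule Y.
    The patent does not fix the abstraction; here Y = (correlation, set of intrusion types, worst harm)."""
    corr, evs = group
    return (corr, frozenset(e.itype for e in evs), min(e.harm for e in evs))

def support_confidence(Y, groups):
    """support(Y): events inside collaborative events that abstract to Y; confidence(Y): that count as a
    percentage of all events in the collaborative event database. Assumed definitions (the patent gives none)."""
    covered = sum(len(evs) for corr, evs in groups if abstract((corr, evs)) == Y)
    total = sum(len(evs) for _, evs in groups)
    return covered, 100.0 * covered / total

class CoordinatedRuleBase:
    """Coordinated intrusion rule base with the usage-frequency eviction of item (2) above."""
    def __init__(self, max_rules=MAX_RULES):
        self.rules, self.max_rules, self.clock = {}, max_rules, 0   # Y -> {"usage", "last"}

    def _touch(self, Y):
        self.clock += 1
        self.rules[Y]["usage"] += 1
        self.rules[Y]["last"] = self.clock

    def evict(self):
        """What the timer triggers: drop the least used rule, least recently used on a tie."""
        victim = min(self.rules, key=lambda Y: (self.rules[Y]["usage"], self.rules[Y]["last"]))
        del self.rules[victim]
        return victim

    def offer(self, group, groups, min_supp=MIN_SUPP, min_conf=MIN_CONF):
        """Threshold comparison: admit Y only if both measures exceed their thresholds; a known Y
        just has its usage frequency raised. Returns the rule that now covers the group, or None."""
        Y = abstract(group)
        if Y not in self.rules:
            supp, conf = support_confidence(Y, groups)
            if supp <= min_supp or conf <= min_conf:
                return None
            if len(self.rules) >= self.max_rules:
                self.evict()
            self.rules[Y] = {"usage": 0, "last": 0}
        self._touch(Y)
        return Y

def decide(Y):
    """Aggregation decision: harm level 0 (most serious) goes up to the central platform,
    anything else is handled by the subnet's own policy distribution (assumed severity policy)."""
    return "escalate" if Y[2] == 0 else "local"

def run(events=None):
    events = events or constructed_events()
    groups = collaborative_events(events)
    base = CoordinatedRuleBase()
    admitted = [base.offer(g, groups) for g in groups]
    return groups, base, admitted
```

With the constructed input the spatial grouping puts the flood and the two probes from 10.0.0.0/24 into one collaborative event and the burst from 10.0.1.0/24 into another, while the temporal grouping keeps the flood and the burst but discards the two probes that are 900 s apart. Two points matter for a deployment: spatial correlation by /24 lets a single spoofing attacker make a whole subnet look coordinated, and a rule base that evicts by usage frequency forgets a rare but severe pattern unless severity is weighed as well, which the simple eviction key above does not do.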
The distributed dynamic network security protection system of the invention has the following advantages and effects.
1) Dual security protection
The system comprises two parallel subsystems: the distributed micro-intrusion detection module (DM-IDS) provides application-layer security protection, and the distributed micro-firewall module (DM-Firewall) provides kernel-level network-layer security protection, giving dual protection.
2) Fine-grained security protection
The system takes not only the network segment but also the individual node machine as the object of protection, achieving fine-grained protection. The micro-intrusion detection system (M-IDS) and micro-firewall system (M-Firewall) installed on each node machine can detect and respond to intrusions independently, which both eliminates the single point of failure and allows inside and outside attacks to be detected at the same time.
3) Tree-structured scalable architecture
The hierarchical tree management model makes maintenance and management easy to extend; the autonomous movement of mobile agents saves network bandwidth effectively, so that system efficiency does not fall as the number of protected nodes increases, giving the system scalability; Java is used as the development tool to achieve platform independence.
4) Dynamic self-immunity
The system divides intrusion behaviour into conventional intrusions and coordinated intrusions. The micro-intrusion detection module collects security events of all kinds; if it finds a conventional intrusion it immediately modifies the policy of the node's micro-firewall to stop further intrusion packets from pouring in (conventional intrusion response); if a coordinated intrusion is found, the aggregation decision module notifies the policy distribution module to issue an updated policy to all micro-firewalls (coordinated intrusion response). Together the two responses give the system dynamic self-immunity.
5) Defence against coordinated intrusions
Coordinated attacks in distributed environments grow by the day, and traditional intrusion detection technology cannot meet the need. The system uses an aggregation decision technique to aggregate, correlate and detect coordinated intrusion behaviour distributed over time and space, and upgrades the security policy of all micro-firewalls to provide dynamic protection.
Description of drawings
Fig. 1: architecture of the existing distributed firewall.
Fig. 2: architecture of the distributed dynamic network security protection system based on distributed micro-firewalls and micro-intrusion detection.
Fig. 3: flow diagram of the distributed dynamic network security protection system of the invention.
Fig. 4: structure and software diagram of the distributed micro-firewall module.
Fig. 5: structure and software diagram of the distributed micro-intrusion detection module.
Fig. 6: structure and software diagram of the aggregation decision module.
Fig. 7: structure and software diagram of the mobile agent module.
Embodiment
A dynamic network security system based on distributed micro-firewalls and micro-intrusion detection is built on a cluster of 16 node machines whose basic configuration is shown in table 1.

CPU | Memory | Hard disk | Network card | Operating system | Network
Dual PIII 866 | 256M | 30G | 3C905B | Linux 6.2 | 100M switch

Table 1 Hardware and network configuration of each node

One node serves as the central management platform; the remaining service nodes are divided into groups by service, for example a Web group and an FTP group. The concrete deployment is as follows: node 1 acts as the central management platform and loads the aggregation decision module and the policy distribution module; nodes 2 to 8 form the Web group and nodes 9 to 16 the FTP group; every node loads the micro-intrusion detection module and the micro-firewall module.
With reference to the drawings, the configuration of the whole system is explained as follows.
1) Packet filtering policy library (8)
The policy library has 6 fields; examples are given in tables 2 and 3.
The micro-firewall of each node in the Web group (17.0.0.1 taken as the example) has a configuration like table 2, and the micro-firewall of each node in the FTP group (17.0.0.2 taken as the example) has a configuration like table 3.
Protocol | Source IP | Source port | Destination IP | Destination port | Action
TCP | 10.0.0.1 | >1024 | 17.0.0.1 | 80 | ACCEPT
ANY | ANY | ANY | 17.0.0.1 | ANY | DROP

Table 2 Sample configuration of each Web group node (17.0.0.1 as example)

Protocol | Source IP | Source port | Destination IP | Destination port | Action
TCP | 10.0.0.1 | >1024 | 17.0.0.2 | 21 | ACCEPT
ANY | ANY | ANY | 17.0.0.2 | ANY | DROP

Table 3 Sample configuration of each FTP group node (17.0.0.2 as example)
The fields are explained as follows:
Protocol: TCP, UDP, ICMP or ANY, where ANY means any protocol;
Source IP: source IP address of the packet;
Source port: source port of the packet;
Destination IP: destination IP address of the packet;
Destination port: destination port of the packet;
Action: what to do with a matching packet, either ACCEPT (receive) or DROP (refuse).
2) Conventional security event database (10)
This event database has 6 fields; an example is given in table 4.

Protocol | Source IP | Source port | Destination IP | Destination port | Time
TCP | 10.0.0.1 | 16666 | 17.0.0.1 | 80 | 2000.01.01.17.00
TCP | 10.0.0.1 | 16667 | 17.0.0.1 | 80 | 2000.01.01.17.03

Table 4 Example of the conventional security event database
The fields are described as follows:
Protocol: protocol type of the intrusion event, one of TCP, UDP, ICMP;
Source IP: source IP address of the intrusion event;
Source port: source port of the intrusion event;
Destination IP: destination IP address of the intrusion event;
Destination port: destination port of the intrusion event;
Time: time at which the intrusion event occurred.
3) Conventional intrusion rule base (11)
This conventional rule base has 5 fields; an example is given in table 5.

Rule number | Attack type | Attacked service | Attack signature code | Harm level
1 | Scan | ANY | "RST-ACK" | 2
2 | DoS | ANY | "SYN" | 0

Table 5 Example of the conventional intrusion rule base

The fields are described as follows:
Rule number: numeric identifier of a rule record;
Attack type: one of Dictionary Attack, Scan (TCP scan) and DoS (denial of service attack);
Attacked service: a well-known service (Web, FTP, etc.); ANY means any service;
Attack signature code: the symbolic signature code representing one attack;
Harm level: severity of the intrusion event, graded most serious (level 0), serious (level 1) and less serious (level 2).
4) Threshold comparator (18)
The value range of MinSupp and MinConf is the integers greater than 0. In this example the two thresholds are set as MinSupp = 10 and MinConf = 10.
5) Collaborative event database (19)
This database has 7 fields; an example is given in table 6.

Coordinated intrusion event number | Correlation (S/T) | Intrusion type | Source IP | Destination IP | Intrusion time | Harm level
1 | S | Scan | 10.0.0.1 | 17.0.0.1 | 2000.01.01.17.00 | 2
1 | S | DoS | 10.0.0.1 | 17.0.0.2 | 2000.01.01.17.03 | 0

Table 6 Sample configuration of the collaborative event database

The fields are explained as follows:
Coordinated intrusion event number: the number of one group of coordinated intrusion events;
Correlation: spatial correlation (S) or temporal correlation (T);
Intrusion type: one of Dictionary Attack, Scan (TCP scan) and DoS (denial of service attack);
Source IP: source IP address of the intrusion behaviour;
Destination IP: IP address under attack;
Intrusion time: time at which the intrusion event occurred;
Harm level: severity of the intrusion event, graded most serious (level 0), serious (level 1) and less serious (level 2).
6) Coordinated intrusion rule base (21)
This database has 6 fields; an example is given in table 7.

Correlation (S/T) | Intrusion type | Spatial correlation degree | Temporal correlation degree | Harm level | Response policy
S | Scan | >0.8 | null | 2 | Disconnect
S | DoS | >0.5 | null | 0 | Rate limit

Table 7 Sample configuration of the coordinated intrusion rule base

The fields are explained as follows:
Correlation: spatial correlation (S) or temporal correlation (T);
Intrusion type: one of Dictionary Attack, Scan (TCP scan) and DoS (denial of service attack);
Spatial correlation degree: when the Correlation field is S, the range of the degree of correlation of the intrusion behaviour distributed in space that makes up one coordinated intrusion;
Temporal correlation degree: when the Correlation field is T, the degree of correlation of the intrusion behaviour distributed in time;
Harm level: severity of the intrusion event, graded most serious (level 0), serious (level 1) and less serious (level 2);
Response policy: the global response policy for a given coordinated intrusion behaviour.
7) Agent route record (26)
This record has 2 fields and holds the itinerary of the agent; it is kept in the memory of the agent client as a linked list, with the initial value shown in table 8.

Group | Itinerary node sequence
Web | 2, 3, 4, 5, 6, 7, 8
FTP | 9, 10, 11, 12, 13, 14, 15, 16

Table 8 Example of the agent route record

The record shows that the mobile agent will visit nodes 2 to 8 of the Web group and nodes 9 to 16 of the FTP group.
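The node-side pipeline of this embodiment, with the packet filter over the table 2 policy, the event collector feeding a table 4 style event list, the rule chain match against table 5, the conventional intrusion response and the policy sandbox of the claims, as an added example that is not taken from the patent. Assumptions, also marked in the code: rules are matched first-match with a default DROP; the micro-IDS declares a full match only after ten packets carrying a rule's signature from one source inside 60 s, because the patent matches a signature code but does not say how many packets make an intrusion; the sandbox treats only an identical five-tuple with a different action as a conflict; the class and function names and all traffic are constructed.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "proto src sport dst dport action")        # six fields of table 2
Packet = namedtuple("Packet", "proto src sport dst dport flags ts")  # constructed packet summary

# Constructed copy of table 2: the Web node 17.0.0.1 accepts one client and drops everything else.
WEB_POLICY = [Rule("TCP", "10.0.0.1", ">1024", "17.0.0.1", "80", "ACCEPT"),
              Rule("ANY", "ANY", "ANY", "17.0.0.1", "ANY", "DROP")]

# Constructed copy of table 5; harm level 0 is the most serious.
IDS_RULES = [{"id": 1, "type": "Scan", "service": "ANY", "signature": "RST-ACK", "harm": 2},
             {"id": 2, "type": "DoS",  "service": "ANY", "signature": "SYN",     "harm": 0}]

def port_matches(spec, port):
    """Port field of a rule: exact number, ANY, or a '>N' / '<N' range as written in table 2."""
    if spec == "ANY":
        return True
    if spec[0] in "<>":
        return port > int(spec[1:]) if spec[0] == ">" else port < int(spec[1:])
    return port == int(spec)

def rule_matches(rule, pkt):
    return (rule.proto in ("ANY", pkt.proto) and rule.src in ("ANY", pkt.src)
            and port_matches(rule.sport, pkt.sport)
            and rule.dst in ("ANY", pkt.dst) and port_matches(rule.dport, pkt.dport))

class MicroFirewall:
    """Packet filtering module: the first matching rule in the policy library decides."""
    def __init__(self, rules):
        self.policy_library = list(rules)

    def filter(self, pkt):
        for rule in self.policy_library:
            if rule_matches(rule, pkt):
                return rule.action
        return "DROP"   # nothing matched: default deny (assumption; tables 2 and 3 end in a catch-all DROP)

    def sandbox(self, user_rule):
        """Policy sandbox: refuse a user-defined rule whose match fields equal an existing rule's but whose
        action differs; otherwise append it. Overlap beyond exact equality is not analysed (assumption)."""
        for rule in self.policy_library:
            if rule[:5] == user_rule[:5] and rule.action != user_rule.action:
                return False
        self.policy_library.append(user_rule)
        return True

    def block_source(self, src):
        """Conventional intrusion response: a DROP for the attacker is placed in front of every ACCEPT."""
        self.policy_library.insert(0, Rule("ANY", src, "ANY", "ANY", "ANY", "DROP"))

class MicroIDS:
    """Event collector, conventional security event database, rule chain and responder of one node."""
    def __init__(self, firewall, rules=IDS_RULES, window=60, threshold=10):
        self.fw, self.rules, self.events = firewall, rules, []
        # Repeats of one signature from one source inside `window` seconds that count as a full match (assumption).
        self.window, self.threshold = window, threshold

    def collect(self, pkt):
        """Store the accepted packet as a security event (table 4 fields plus TCP flags) and analyse it."""
        self.events.append(pkt)
        return self.analyse(pkt)

    def analyse(self, pkt):
        for rule in self.rules:                       # rule chain traversal
            if rule["service"] != "ANY" or rule["signature"] != pkt.flags:
                continue                              # named services would need a port map; table 5 uses ANY
            hits = sum(1 for e in self.events
                       if e.src == pkt.src and e.flags == rule["signature"] and pkt.ts - e.ts <= self.window)
            if hits >= self.threshold:                # full match: notify the responder
                self.fw.block_source(pkt.src)
                return rule["type"]
        return None

def process(packets, fw, ids):
    """Node pipeline: the micro-firewall filters first; only accepted packets reach the micro-IDS."""
    out = []
    for p in packets:
        action = fw.filter(p)
        out.append((action, ids.collect(p) if action == "ACCEPT" else None))
    return out

def constructed_packets():
    """Constructed traffic: the permitted client 10.0.0.1 sends a SYN flood, then another host tries."""
    flood = [Packet("TCP", "10.0.0.1", 30000 + i, "17.0.0.1", 80, "SYN", i) for i in range(11)]
    return flood + [Packet("TCP", "10.0.0.2", 30100, "17.0.0.1", 80, "SYN", 12)]

if __name__ == "__main__":
    fw = MicroFirewall(WEB_POLICY)
    ids = MicroIDS(fw)
    for verdict in process(constructed_packets(), fw, ids):
        print(verdict)
```

Rule order is the whole policy here: the response inserts its DROP at the head so that it wins over the ACCEPT for the same client, while the sandbox appends, so a user rule accepted without conflict lands behind the catch-all DROP of table 2 and never matches. A real sandbox therefore has to check shadowing by earlier rules, not just identical tuples. The windowed count is also the only thing separating one legitimate SYN from a flood; the patent's signature match on its own would fire on the first packet.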
Claims (6)
1, a kind of distributed dynamic network security protecting system; the configuration of network central management platform gathers decision-making module and policy issue module; network is divided into N subnet according to tree; N 〉=1; all dispose on each subnet management platform and gather decision-making module and policy issue module; each node is all installed little intrusion detection module and little FWSM in the subnet
Little FWSM of each node of subnet is used for the receiving network data bag, abandons the invalid data bag, legal data packet is sent to little intrusion detection module of same node;
The intrusion detection module is used to detect packet, then revises the security strategy of little FWSM if conventional invasion takes place, otherwise security incident is sent to little decision-making module that gathers of this subnet;
Each subnet gather the current safety event detection cooperative intrusion that decision-making module sends according to each node of this subnet, and adjudicate according to its order of severity whether needs are passed to the upper management platform, if do not pass to the upper management platform, notification strategy release module then, start the subnet mobile proxy system, log on the security strategy that each node of this subnet is revised little FWSM;
The central management platform gathers decision-making module and receives each subnet and gather the cooperative intrusion incident that decision-making module is sent, and the notification strategy release module generates the global safety strategy, the policy issue module starts overall mobile proxy system, strategy is sent to the policy issue module of each subnet management platform, thereby revise the security strategy of the little FWSM of all nodes.
2, distributed dynamic network security protecting system as claimed in claim 1 is characterized in that each subnet can further be divided into some secondary subnets.
3, distributed dynamic network security protecting system as claimed in claim 1 or 2 is characterized in that:
(1) little FWSM comprises packet filtering module and packet filtering policy library, packet filtering policy library definition current safety strategy, the packet filtering module resides at network protocol layer, it filters according to the packet of packet filtering policy library to all network protocol layers of flowing through, abandon the invalid data bag, submit legal data packet to little intrusion detection module;
(2) little intrusion detection module comprises the incident collector, conventional security incident storehouse, the conventional invasion rule base, conventional invasion analyzer and conventional invasion responsor, the incident collector is gathered the packet that the packet filtering module transmits in real time, and be combined into network safety event by predetermined format and deposit conventional security incident storehouse in, send to the conventional invasion analyzer simultaneously and gather decision-making module, the conventional invasion rule base is deposited the rule of describing conventional invasion, the conventional invasion analyzer is converted to regulation linked with these rules and network safety event and its traversal of sending is mated, when one of generation is mated fully, notice conventional invasion responsor is revised the packet filtering policy library simultaneously;
(3) gather decision-making module and comprise the incident receiver module, collaborative security incident generation module, abstraction module, support and confidence level computing module, the threshold value comparison module, collaborative event database, cooperative intrusion analyzer and cooperative intrusion rule base, the incident receiver module receives the network safety event that the incident collector of little intrusion detection module is sent, deposit collaborative event database in, produce collaborative security incident by collaborative security incident generation module simultaneously, and pass to abstraction module, this module will work in coordination with that all bytes of security incident are abstract to turn to a span, and pass to support and confidence level computing module as candidate's new cooperative intrusion rule Y, every safety regulation X calculates X support and the confidence level related with Y in the one module traversal cooperative intrusion rule base of back, and it is passed to the threshold value comparison module, compare respectively with predefined minimum support threshold value and minimum confidence level threshold value, if all have greater than threshold value, then Y is deposited in the cooperative intrusion rule base, the cooperative intrusion analyzer is differentiated the type of cooperative intrusion incident and is provided corresponding security strategy according to collaborative event database and cooperative intrusion rule base, passes to the policy issue module;
(4) subnet/overall mobile proxy system is made up of mobile agent client that resides at subnet/central management platform and the Mobile Agent Server end that resides at each node/subnet management platform, the mobile agent client comprises user interface, signature blocks, act on behalf of route logging modle and Client Agent transport protocol stack, the Digital Signature Algorithm type of user interface definition mobile agent is also submitted to signature blocks, the related content of route logging modle is acted on behalf of in definition simultaneously, signature blocks is carried out digital signature for each node/subnet policy issue module verification to mobile agent, act on behalf of the route logging modle and preserve node/subnet management platform sequence that mobile agent will be traveled round, and by Client Agent transport protocol stack and server interaction; The Mobile Agent Server end comprises that server end acts on behalf of transport protocol stack, proxy resources control module, validity checking module and tactful interpreter, the client and server end act on behalf of the bottom-up information interaction mechanism that transport protocol stack provides client end/server end, the proxy resources control module provides execution environment for mobile agent, the digital signature of validity checking module verification mobile agent, and the security strategy that the agency carries passed to tactful interpreter, then security strategy is interpreted as policy script and is loaded in the packet filtering policy library of little FWSM.
4. The distributed dynamic network security protecting system according to claim 3, characterized in that:
(1) the micro firewall module further comprises a policy definition user interface and a policy sandbox module; the policy definition user interface lets the user define security policy rules and passes each one to the policy sandbox module, which compares the user-defined rule with the security policy rules already in the packet filtering policy library; if a conflict is found the user-defined rule is discarded, otherwise it is stored in the packet filtering policy library;
(2) the summarizing decision module further comprises a rule elimination module and a timer; the rule elimination module defines a usage frequency for each new cooperative intrusion rule Y, and each time Y supports an abstracted cooperative intrusion event its usage frequency is increased by 1; when the number of generated rules in the cooperative intrusion rule base reaches the maximum, this module uses a least recently used algorithm to eliminate the rules with low usage frequency; the timer signals the rule elimination module at regular intervals so that the least used intrusion rules are eliminated.
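Both parts of claim 4 are rule-base hygiene: the policy sandbox refuses a user-defined packet filtering rule that conflicts with the library, and the rule elimination module evicts low-usage cooperative intrusion rules when the base is full or the timer fires. The Go program below is an added example for this page, not the patent's or the applicant's code. Its definition of a conflict (two rules that can match the same packet but decide differently), its use of a logical clock for least-recently-used tie-breaking, the capacity guard on timer-driven eviction, and all names are assumptions of the example; the claim fixes none of these.

```go
package main

import (
	"fmt"
	"net/netip"
)

// FilterRule is one entry of the micro firewall's packet filtering policy
// library: Action "permit"/"deny", Proto "tcp"/"udp"/"any", source prefix,
// destination Port (0 = any). The layout is this example's, not the patent's.
type FilterRule struct {
	Action string
	Proto  string
	Src    netip.Prefix
	Port   int
}

// overlaps reports whether two rules can match the same packet.
func overlaps(a, b FilterRule) bool {
	if a.Proto != "any" && b.Proto != "any" && a.Proto != b.Proto {
		return false
	}
	if a.Port != 0 && b.Port != 0 && a.Port != b.Port {
		return false
	}
	return a.Src.Overlaps(b.Src)
}

// Sandbox is the policy sandbox module: a user-defined rule is admitted only
// if no library rule it can overlap with decides the opposite way, otherwise
// the effective policy would depend on evaluation order.
func Sandbox(library []FilterRule, user FilterRule) (*FilterRule, bool) {
	for i := range library {
		if overlaps(library[i], user) && library[i].Action != user.Action {
			return &library[i], false
		}
	}
	return nil, true
}

// IntrusionRule carries the bookkeeping the rule elimination module needs.
type IntrusionRule struct {
	ID       string
	Usage    int   // +1 each time the rule supports an abstracted event
	LastUsed int64 // logical clock of the last support (LRU tie-break)
}

// RuleBase is the cooperative intrusion rule base with a fixed capacity.
type RuleBase struct {
	Max   int
	Rules map[string]*IntrusionRule
	clock int64
}

func NewRuleBase(max int) *RuleBase {
	return &RuleBase{Max: max, Rules: map[string]*IntrusionRule{}}
}

// Touch records that rule id supported an abstracted cooperative event.
func (rb *RuleBase) Touch(id string) {
	rb.clock++
	if r, ok := rb.Rules[id]; ok {
		r.Usage++
		r.LastUsed = rb.clock
	}
}

// Add stores a newly mined rule, making room first if the base is full.
func (rb *RuleBase) Add(id string) {
	if _, exists := rb.Rules[id]; exists {
		return
	}
	rb.Evict()
	rb.clock++
	rb.Rules[id] = &IntrusionRule{ID: id, LastUsed: rb.clock}
}

// Evict removes the lowest-usage rule (ties: least recently used) when the
// base is at capacity; the timer calls it periodically, and the capacity
// guard keeps a quiet base from being drained. Returns the evicted id.
func (rb *RuleBase) Evict() string {
	if len(rb.Rules) == 0 || len(rb.Rules) < rb.Max {
		return ""
	}
	var victim *IntrusionRule
	for _, r := range rb.Rules {
		if victim == nil || r.Usage < victim.Usage || (r.Usage == victim.Usage && r.LastUsed < victim.LastUsed) {
			victim = r
		}
	}
	delete(rb.Rules, victim.ID)
	return victim.ID
}

func main() {
	lib := []FilterRule{{"deny", "tcp", netip.MustParsePrefix("10.0.2.0/24"), 445}}
	conflict, ok := Sandbox(lib, FilterRule{"permit", "tcp", netip.MustParsePrefix("10.0.2.5/32"), 445})
	fmt.Println(ok, conflict) // false, the library deny rule
	rb := NewRuleBase(2)
	rb.Add("scan-then-smb")
	rb.Add("brute-then-login")
	rb.Touch("scan-then-smb")
	rb.Add("lateral-move") // evicts brute-then-login (usage 0)
	victim := rb.Evict()   // timer tick: lateral-move (usage 0) goes
	fmt.Println(victim, len(rb.Rules))
}
```

The sandbox check is deliberately conservative: a user "permit" for a single host inside a library "deny" prefix is rejected rather than silently shadowed, which is the failure mode that usually opens holes in hand-edited rule sets.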
5. The distributed dynamic network security protecting system according to claim 3, characterized in that said cooperative security event is a set of mutually related network security events; they may be related in time, that is, ordered by time of occurrence with the interval between any two adjacent events not exceeding a specified unit time, or related in space, that is, the source network protocol (IP) addresses of the network security events making up the cooperative security event all belong to the same subnet.
6. The distributed dynamic network security protecting system according to claim 4, characterized in that said cooperative security event is a set of mutually related network security events; they may be related in time, that is, ordered by time of occurrence with the interval between any two adjacent events not exceeding a specified unit time, or related in space, that is, the source network protocol (IP) addresses of the network security events making up the cooperative security event all belong to the same subnet.
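Claims 5 and 6 define when individual events form a cooperative security event (adjacent within a unit interval, or sources in one subnet), and item (3) of claim 3 describes how such an event is abstracted into a candidate rule Y and admitted into the cooperative intrusion rule base by its support and confidence against each existing rule X. The Go program below is an added example covering both passages; it is not the patent's implementation. It applies the two correlation criteria together where the claim allows either alone, abstracts a cooperative event to the ordered sequence of event kinds (one possible "value range"; the claim does not fix the abstraction), treats X and Y as ordered subsequences of an abstracted event, uses the usual association-rule definitions support = P(X and Y) and confidence = P(Y | X) over the cooperative event database, and runs on constructed sample events. Names and field layout are the example's own.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
	"time"
)

// Event is one network security event as stored in the cooperative event
// database (fields chosen for this example).
type Event struct {
	At   time.Time
	Src  netip.Addr
	Kind string // e.g. "portscan", "smb-exploit"
}

// Correlate forms cooperative security events: time-ordered runs whose
// adjacent events are at most window apart and whose sources all share one
// /prefixBits subnet (both of the claim's criteria applied together).
func Correlate(events []Event, window time.Duration, prefixBits int) [][]Event {
	ev := append([]Event(nil), events...)
	sort.Slice(ev, func(i, j int) bool { return ev[i].At.Before(ev[j].At) })
	var groups [][]Event
	for _, e := range ev {
		if n := len(groups); n > 0 {
			last := groups[n-1][len(groups[n-1])-1]
			pe, _ := e.Src.Prefix(prefixBits)
			pl, _ := last.Src.Prefix(prefixBits)
			if e.At.Sub(last.At) <= window && pe == pl {
				groups[n-1] = append(groups[n-1], e)
				continue
			}
		}
		groups = append(groups, []Event{e})
	}
	return groups
}

// Pattern is the abstraction of a cooperative event: its ordered event kinds
// with addresses and timestamps dropped (one choice of "value range").
// Abstract is the abstraction module applied to every cooperative event.
type Pattern []string

func Abstract(groups [][]Event) []Pattern {
	out := make([]Pattern, len(groups))
	for i, g := range groups {
		for _, e := range g {
			out[i] = append(out[i], e.Kind)
		}
	}
	return out
}

// contains reports whether p occurs in q as an ordered subsequence.
func contains(q, p Pattern) bool {
	i := 0
	for _, k := range q {
		if i < len(p) && k == p[i] {
			i++
		}
	}
	return i == len(p)
}

// Admit is the support/confidence computation plus threshold comparison for
// candidate rule y: for each base rule x, support = P(x and y) and
// confidence = P(y | x) over db; y is admitted when some x clears both.
func Admit(db, base []Pattern, y Pattern, minSupport, minConfidence float64) (bool, float64, float64) {
	for _, x := range base {
		both, withX := 0, 0
		for _, d := range db {
			if contains(d, x) {
				withX++
				if contains(d, y) {
					both++
				}
			}
		}
		if withX == 0 {
			continue
		}
		s, c := float64(both)/float64(len(db)), float64(both)/float64(withX)
		if s >= minSupport && c >= minConfidence {
			return true, s, c
		}
	}
	return false, 0, 0
}

// SampleEvents is constructed input: two scan-then-exploit bursts from
// 10.0.2.0/24, a stray scan from another subnet and a stray exploit.
func SampleEvents() []Event {
	mk := func(d time.Duration, ip, kind string) Event {
		return Event{time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC).Add(d), netip.MustParseAddr(ip), kind}
	}
	return []Event{
		mk(0, "10.0.2.5", "portscan"), mk(20*time.Second, "10.0.2.5", "smb-exploit"),
		mk(5*time.Minute, "10.0.2.9", "portscan"), mk(330*time.Second, "10.0.2.9", "smb-exploit"),
		mk(10*time.Minute, "10.0.5.7", "portscan"), mk(610*time.Second, "10.0.2.20", "smb-exploit"),
	}
}

func main() {
	db := Abstract(Correlate(SampleEvents(), time.Minute, 24))
	fmt.Println(len(db), db) // 4 cooperative events
	fmt.Println(Admit(db, []Pattern{{"portscan"}}, db[0], 0.4, 0.6))
}
```

With the sample data the candidate "portscan then smb-exploit" is supported by 2 of 4 cooperative events and follows the base rule "portscan" in 2 of its 3 occurrences, so it is admitted at minimum support 0.4 and minimum confidence 0.6 but rejected at minimum confidence 0.8. Note that the 10.0.2.20 exploit ten seconds after the 10.0.5.7 scan stays a separate cooperative event because the subnet criterion fails, which is exactly the case where a purely time-based correlation would over-group.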
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB021159572A CN1160899C (en) | 2002-06-11 | 2002-06-11 | Distributed dynamic network security protecting system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB021159572A CN1160899C (en) | 2002-06-11 | 2002-06-11 | Distributed dynamic network security protecting system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1384639A true CN1384639A (en) | 2002-12-11 |
CN1160899C CN1160899C (en) | 2004-08-04 |
Family
ID=4743973
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB021159572A Expired - Fee Related CN1160899C (en) | 2002-06-11 | 2002-06-11 | Distributed dynamic network security protecting system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN1160899C (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100385859C (en) * | 2005-01-18 | 2008-04-30 | 英业达股份有限公司 | Security management service system and its implementation method |
- 2002-06-11 CN CNB021159572A (granted as CN1160899C): not active, Expired - Fee Related
Cited By (44)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100376092C (en) * | 2002-12-13 | 2008-03-19 | 联想网御科技(北京)有限公司 | Firewall and intrusion detection system linkage method |
CN100380338C (en) * | 2002-12-19 | 2008-04-09 | 国际商业机器公司 | System and method to proactively detect software tampering |
CN1833228B (en) * | 2003-06-24 | 2012-05-02 | 诺基亚公司 | An apparatus, system, method for implementing remote client integrity verification |
CN100518166C (en) * | 2003-12-16 | 2009-07-22 | 鸿富锦精密工业(深圳)有限公司 | System and method for generation and issue of data safety passport |
CN100414938C (en) * | 2004-01-05 | 2008-08-27 | 华为技术有限公司 | Network safety system and method |
CN100463409C (en) * | 2004-02-13 | 2009-02-18 | Lgcns株式会社 | Network security system and method |
CN100337438C (en) * | 2004-06-07 | 2007-09-12 | 阿尔卡特公司 | Method for preventing attacks on a network server within a call-based-services-environment and attack-prevention-device for executing the method |
CN1309214C (en) * | 2004-12-20 | 2007-04-04 | 华中科技大学 | Cooperative intrusion detection based large-scale network security defense system |
US7991869B2 (en) | 2005-04-04 | 2011-08-02 | France Telecom | Method for managing decisions, method for constructing a decision tree, central manager, intermediate manager, terminal and corresponding computer program products |
WO2006106067A1 (en) * | 2005-04-04 | 2006-10-12 | France Telecom | Method for managing decisions, method for constructing a decision tree, central manager, intermediate manager, terminal and corresponding computer programme products |
FR2883997A1 (en) * | 2005-04-04 | 2006-10-06 | France Telecom | Decision managing method for hierarchized and distributed network architecture, involves creating simplified tree with rows, and transmitting tree to terminal, if number of levels is two, so that terminal takes decision to execute it |
CN100435513C (en) * | 2005-06-30 | 2008-11-19 | 杭州华三通信技术有限公司 | Method for linking network equipment with an intrusion detection system |
CN100450012C (en) * | 2005-07-15 | 2009-01-07 | 复旦大学 | Intrusion detection system and method based on mobile agents |
CN1942007B (en) * | 2005-07-20 | 2012-08-22 | 阿瓦雅技术有限公司 | Telephony extension attack detection, recording, and intelligent prevention |
CN100393046C (en) * | 2005-12-06 | 2008-06-04 | 南京邮电大学 | Intrusion detection method simulating the biological immune mechanism |
CN101438534B (en) * | 2006-05-05 | 2013-04-10 | 微软公司 | Distributed firewall implementation and control |
CN100454842C (en) * | 2006-06-30 | 2009-01-21 | 深圳市中科新业信息科技发展有限公司 | Distributed audit system |
CN101252467B (en) * | 2006-12-18 | 2013-03-13 | Lgcns株式会社 | Apparatus and method of securing network |
CN101022343B (en) * | 2007-03-19 | 2010-09-08 | 杭州华三通信技术有限公司 | Network intrusion detection/defense system and method |
CN101060411B (en) * | 2007-05-23 | 2013-04-03 | 西安交大捷普网络科技有限公司 | A multi-mode matching method for improving the detection rate and efficiency of intrusion detection system |
CN101184088B (en) * | 2007-12-14 | 2010-12-01 | 浙江工业大学 | Multi-point interlinked LAN firewall cooperating method |
CN101938460B (en) * | 2010-06-22 | 2014-04-09 | 北京中兴网安科技有限公司 | Coordinated defense method of full process and full network safety coordinated defense system |
CN101938460A (en) * | 2010-06-22 | 2011-01-05 | 北京豪讯美通科技有限公司 | Coordinated defense method of full process and full network safety coordinated defense system |
CN101977129A (en) * | 2010-10-19 | 2011-02-16 | 青海师范大学 | Artificial immunization-based MANET network attack detection method |
CN102523218B (en) * | 2011-12-16 | 2015-04-08 | 北京神州绿盟信息安全科技股份有限公司 | Network safety protection method, equipment and system thereof |
US9485261B2 (en) | 2011-12-16 | 2016-11-01 | NSFOCUS Information Technology Co., Ltd. | Web security protection method, device and system |
CN102523218A (en) * | 2011-12-16 | 2012-06-27 | 北京神州绿盟信息安全科技股份有限公司 | Network safety protection method, equipment and system thereof |
CN104378352A (en) * | 2014-10-16 | 2015-02-25 | 江苏博智软件科技有限公司 | Method of distributed firewall secure communication mechanism |
CN106209902A (en) * | 2016-08-03 | 2016-12-07 | 常熟高新技术创业服务有限公司 | Network security system and detection method applied to an intellectual property operation platform |
CN106506559A (en) * | 2016-12-29 | 2017-03-15 | 北京奇虎科技有限公司 | Access behavior control method and device |
CN106878340A (en) * | 2017-04-01 | 2017-06-20 | 中国人民解放军61660部队 | Comprehensive security monitoring and analysis system based on network traffic |
CN106878340B (en) * | 2017-04-01 | 2023-09-01 | 中国人民解放军61660部队 | Comprehensive safety monitoring analysis system based on network flow |
CN108471428B (en) * | 2018-06-27 | 2021-05-28 | 北京云端智度科技有限公司 | DDoS attack active defense technology and equipment applied to CDN system |
CN108471428A (en) * | 2018-06-27 | 2018-08-31 | 北京云端智度科技有限公司 | DDoS attack active defense technology and equipment applied to CDN system |
CN110365714A (en) * | 2019-08-23 | 2019-10-22 | 深圳前海微众银行股份有限公司 | Host-based intrusion detection method, apparatus, equipment and computer storage medium |
CN110365714B (en) * | 2019-08-23 | 2024-05-31 | 深圳前海微众银行股份有限公司 | Host intrusion detection method, device, equipment and computer storage medium |
CN110855794A (en) * | 2019-11-20 | 2020-02-28 | 山东健康医疗大数据有限公司 | TCP (Transmission control protocol) -based database Socket gateway implementation method and device |
CN110891059A (en) * | 2019-11-26 | 2020-03-17 | 武汉卓云智方科技有限公司 | Internet safety management platform |
CN112039895A (en) * | 2020-08-31 | 2020-12-04 | 绿盟科技集团股份有限公司 | Network cooperative attack method, device, system, equipment and medium |
CN112039895B (en) * | 2020-08-31 | 2023-01-17 | 绿盟科技集团股份有限公司 | Network cooperative attack method, device, system, equipment and medium |
CN112584357A (en) * | 2020-12-02 | 2021-03-30 | 惠州市德赛西威智能交通技术研究院有限公司 | Method for dynamically adjusting vehicle-mounted firewall strategy |
CN112584357B (en) * | 2020-12-02 | 2023-04-28 | 惠州市德赛西威智能交通技术研究院有限公司 | Method for dynamically adjusting vehicle-mounted firewall policy |
CN113206848A (en) * | 2021-04-29 | 2021-08-03 | 福建奇点时空数字科技有限公司 | SDN moving target defense implementation method based on self-evolution configuration |
CN113691501A (en) * | 2021-07-30 | 2021-11-23 | 东莞职业技术学院 | Network security system and security method |
Also Published As
Publication number | Publication date |
---|---|
CN1160899C (en) | 2004-08-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN1160899C (en) | Distributed dynamic network security protecting system | |
US20050278779A1 (en) | System and method for identifying the source of a denial-of-service attack | |
RU2417417C2 (en) | Real-time identification of resource model and resource categorisation for assistance in protecting computer network | |
Modi et al. | Bayesian classifier and snort based network intrusion detection system in cloud computing | |
CN100530208C (en) | Network isolation techniques suitable for virus protection | |
KR100942456B1 (en) | Method for detecting and protecting ddos attack by using cloud computing and server thereof | |
CN102263788B (en) | Method and equipment for defending against denial of service (DDoS) attack to multi-service system | |
CN103051615B (en) | Dynamic defense system against high-volume traffic attacks in a honeyfarm system | |
CN1655518A (en) | Network security system and method | |
Aggarwal et al. | Securing IoT devices using SDN and edge computing | |
KR100996288B1 (en) | A method for neutralizing the ARP spoofing attack by using counterfeit MAC addresses | |
JP2003228552A (en) | Mobile device for mobile telecommunication network providing intrusion detection | |
CN101958903A (en) | Method for realizing high-performance firewall based on SOC and parallel virtual firewall | |
CN101087196A (en) | Multi-layer honeynet data transmission method and system | |
CN102801738A (en) | Distributed DoS (Denial of Service) detection method and system on basis of summary matrices | |
CN105721457A (en) | Network security defense system and network security defense method based on dynamic transformation | |
CN104243408A (en) | Method, device and system for monitoring messages in domain name resolution service DNS system | |
CN1252555C (en) | Cooperative intrusion detection system based on distributed data mining | |
KR101188305B1 (en) | System and method for botnet detection using traffic analysis of non-ideal domain name system | |
CN1411209A (en) | Method for detecting and monitoring attacks by malicious user hosts | |
Joshi et al. | Botnet detection using machine learning algorithms | |
CN112383573B (en) | Security intrusion playback equipment based on multiple attack stages | |
CN202231744U (en) | ISP-network-based denial-of-service attack defense system | |
CN205510109U (en) | Multi-service dynamic routing system for a cloud computing environment | |
Brahmi et al. | A Snort-based mobile agent for a distributed intrusion detection system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
C19 | Lapse of patent right due to non-payment of the annual fee | ||
CF01 | Termination of patent right due to non-payment of annual fee |