CN1960286A - Kernel devices of credible network - Google Patents

Info

Publication number: CN1960286A
Authority: CN (China)
Prior art keywords: network, access controller, credible access, decision, result
Legal status: Granted
Application number: CN 200610137683
Other languages: Chinese (zh)
Other versions: CN100426755C (en)
Inventor: 刘衍珩
Current Assignee: Jilin University
Original Assignee: Jilin University

Application filed by Jilin University
Priority to CNB2006101376830A (granted as CN100426755C)
Publication of CN1960286A
Application granted
Publication of CN100426755C
Current legal status: Expired - Fee Related

Abstract

The invention comprises a trusted access controller (TAC), a trusted information processor (TIP) and a network behavior monitor (NBM). It controls user access and supervises user behavior after access without changing the existing network architecture or transmission protocols. The invention can also perform remote verification of mobile users, carries out attack-source tracing, containment and recovery through cooperation between network devices, and provides a standard interface for these functions.

Description

Kernel devices of credible network
Technical field
The present invention relates to computer networks, network services, network service standards and computer programs, and in particular to a set of network core devices that implement a trusted access procedure and trusted monitoring.
Background technology
In the current information age, computer networks are used everywhere, so network security has become one of the most critical problems of network applications. Yet a network built on the TCP/IP architecture is open and free; attacks of every kind and information theft emerge endlessly, which causes people to distrust the network. To resolve the contradiction between people's growing dependence on networks and the limited capability of security services, researchers have proposed the trusted network, which, while guaranteeing the confidentiality, integrity and availability of information, also ensures the survivability and controllability of the network system.
The trusted network has grown out of fault-tolerant computing and trusted computing. The authoritative body for trusted computing technology today is the Trusted Computing Group (TCG). From the outset this organization devoted itself to drafting standards for trusted terminals and related technology, but as networks developed, trusted terminals faced strong challenges from all kinds of network attacks. For this problem TCG specifically formulated a network connection standard based on trusted computing technology, Trusted Network Connect (TNC).
TNC comprises an open terminal-integrity framework and a set of standards that guarantee secure interoperability. The goal of TNC is to protect terminals and the network; at present, however, it concentrates on access control. Its original intent is to keep attacks out of the network by authenticating and security-checking users at the moment they connect. Although this greatly reduces passive attacks (a victim user being used by a hacker to damage the network without knowing it), it still cannot prevent active attacks (attacks that a hacker launches deliberately, since the hacker will try every possible means to defeat the authentication at connection time). The huge problem networks face today is precisely the complexity of attack forms, such as viruses, worms, backdoors and malicious attacks, and their fast propagation. These attack forms cannot be defeated by manpower alone; new network defense frameworks and technologies are urgently needed.
The set of core devices provided by the invention implements a trusted network. It not only controls the access of trusted terminals to the network, but also monitors and manages the behavior of terminals after they have connected, together with the network state; it carries out remote verification of mobile users, and attack-source tracing, containment and recovery; and at the same time it provides a basis for compatibility with trusted computing platforms, access control devices, authentication devices and network security devices from different vendors. The devices take event management as their theme, supplemented by effective management, supervision and response functions, to build a dynamic trusted network management system for the user.
Summary of the invention
The invention provides a set of core devices implementing a trusted network. The set comprises a trusted access controller (TAC), a trusted information processor (TIP) and a network behavior monitor (NBM). Through these core devices and the communication specification between them, user access can be controlled and behavior after access can be monitored and managed, without changing the architecture or transmission protocols of the existing network. The invention is deployed according to the architecture shown in Fig. 1; the trusted access controller works according to the workflow shown in Fig. 2, the trusted information processor according to the workflow shown in Fig. 3, and the network behavior monitor according to the workflow shown in Fig. 4.
Description of drawings
Fig. 1: architecture of the core devices.
Fig. 2: workflow of the trusted access controller.
Fig. 3: workflow of the trusted information processor.
Fig. 4: workflow of the network behavior monitor.
Embodiment
Hardware components:
● two complete host systems, each comprising a processor, memory and a network adapter
● a network processor (NP)
● a high-speed data acquisition card
Software components:
● operating system
● network anomaly checking module, in the network behavior monitor
● NBM server module, in the network behavior monitor
● integrity measurement verification module, in the trusted information processor
● TIP server module, in the trusted information processor
● data forwarding, mapping and policy enforcement module, in the trusted access controller
● NBM client module
● running-state information collection module
Given the hardware above, the network processor serves as the hardware base of the trusted access controller and loads the following module: the data forwarding, mapping and policy enforcement module, whose workflow is shown in Fig. 2.
One host system serves as the hardware base of the trusted information processor; its operating system loads the following modules: the integrity measurement verification module and the TIP server module, whose workflow is shown in Fig. 3.
The other host system serves as the hardware base of the network behavior monitor; its operating system loads the following modules: the network anomaly checking module and the NBM server module, whose workflow is shown in Fig. 4.
Fig. 1 shows the network device architecture and function distribution with which this set of devices implements a trusted network. The trusted access controller, trusted information processor and network behavior monitor are the three kinds of device that implement the trusted network; they are connected within an autonomous domain and are used to implement trusted network connection inside that domain. An "autonomous domain" is made up of several working domains; "working domain A" and "working domain B" stand for the many working domains in the autonomous domain, and the end systems of every working domain are connected directly or indirectly to the trusted access controller. "Internet" refers to the wide area network in general.
Fig. 2 shows the workflow of the trusted access controller, in which:
● "communication data stream" is the data stream from a user to a host outside this domain; for this stream the trusted access controller must decide, by the judgement below, whether to let it pass;
● "decision information" comes from the trusted information processor or the network behavior monitor and is a decision result the trusted access controller can execute;
● "access control message" is a user's request for trusted network access;
● "message sink" is the process that receives communication data streams, decision information and access control messages and calls a different process to handle each kind of message;
● "extract relevant information" is the process that extracts the relevant header information from the packets of the communication data stream;
● "related data" is the result of that extraction;
● "access strategy table" is the process that looks up, in the policy table, the policy that fits the related data;
● "related data and policy" are the input to the outbound communication judgement;
● "outbound communication judgement" is the process that decides, from the related data and the policy, whether this user's outbound communication is allowed;
● "refuse communication" and "allow communication" are its two possible results;
● "discard packet" and "forward packet" respectively discard a packet and clean up its space, or forward it;
● "forward" relays the user's access control request message to the trusted information processor;
● "decision result analysis" processes decision information and generates the decision result;
● "permit access" and "refuse access" are the two decision results;
● "construct new policy" constructs a new policy according to the respective decision result;
● "new policy" is the policy generated by the construct-new-policy process;
● "add to policy table" adds the newly generated policy to the policy table.
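The TAC workflow just described, written out as a small model in Python. This is an added example for this page, not code from the patent or from Jilin University; the message format (a dict with a "type" field), the policy fields, the "newest policy wins" ordering and the default-deny behaviour for a host with no policy are all assumptions, since the page names none of them. Addresses are constructed from documentation ranges.

```python
"""Model of the trusted access controller (TAC) workflow of Fig. 2 (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # end system inside the domain (constructed sample values)
    dst: str      # host outside the domain
    proto: str


@dataclass
class Policy:
    host: str     # end system the policy applies to
    action: str   # "allow" or "deny"


class TrustedAccessController:
    def __init__(self) -> None:
        self.policy_table: list[Policy] = []   # the "access strategy table"
        self.to_tip: list[dict] = []           # access-control requests relayed to the TIP server
        self.forwarded: list[Packet] = []
        self.dropped: list[Packet] = []

    def receive(self, message: dict) -> str:
        """'Message sink': dispatch each message kind to its own handler."""
        kind = message["type"]
        if kind == "data":                     # "communication data stream"
            return self._handle_data(message["packet"])
        if kind == "access_request":           # "access control message" -> "forward" to TIP
            self.to_tip.append(message)
            return "relayed_to_tip"
        if kind == "decision":                 # "decision information" from TIP or NBM
            return self._handle_decision(message)
        raise ValueError(f"unknown message type {kind!r}")

    @staticmethod
    def _extract_related(packet: Packet) -> dict:
        """'Extract relevant information' from the packet header."""
        return {"host": packet.src, "peer": packet.dst, "proto": packet.proto}

    def _lookup(self, related: dict) -> Optional[Policy]:
        """'Access strategy table': the most recently added matching policy wins (assumption)."""
        for policy in self.policy_table:
            if policy.host == related["host"]:
                return policy
        return None

    def _handle_data(self, packet: Packet) -> str:
        """'Outbound communication judgement' on related data and policy."""
        policy = self._lookup(self._extract_related(packet))
        # A host with no policy yet is denied (assumption; the page does not state a default).
        if policy is not None and policy.action == "allow":
            self.forwarded.append(packet)      # "forward packet"
            return "forwarded"
        self.dropped.append(packet)            # "discard packet"
        return "dropped"

    def _handle_decision(self, decision: dict) -> str:
        """'Decision result analysis' -> 'construct new policy' -> 'add to policy table'."""
        verdict = decision["verdict"]
        if verdict == "permit":                # "permit access"
            action = "allow"
        elif verdict == "refuse":              # "refuse access"
            action = "deny"
        else:
            raise ValueError(f"unknown verdict {verdict!r}")
        self.policy_table.insert(0, Policy(decision["host"], action))
        return f"policy_added:{action}"


if __name__ == "__main__":
    tac = TrustedAccessController()
    pkt = Packet("10.0.1.5", "203.0.113.9", "tcp")
    print(tac.receive({"type": "data", "packet": pkt}))                          # dropped
    print(tac.receive({"type": "decision", "verdict": "permit", "host": "10.0.1.5"}))
    print(tac.receive({"type": "data", "packet": pkt}))                          # forwarded
```

Because decisions arrive from two sources (the TIP at access time, the NBM afterwards), the policy table has to resolve conflicts; inserting the newest policy at the front means a later "refuse" from the monitor overrides an earlier "permit" from the access check, which is the behaviour a defender wants.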
Fig. 3 shows the workflow of the trusted information processor, in which:
● "other TIP message" is a security message from another trusted information processor;
● "access request" is a user's request for trusted network access, forwarded by the trusted access controller;
● "message sink" receives these two kinds of message and calls a different process to handle each;
● "information processing" handles security messages from other trusted information processors;
● "result" is the output of information processing and serves as an input to decision-making;
● "obtain end-host integrity information" obtains the integrity information of the end host that requests network access;
● "end-host integrity information" is the data obtained from the end host;
● "trusted access assessment" assesses the trustworthiness of the end host;
● "assessment result" is the output of the trusted access assessment and serves as an input to decision-making;
● "decision-making" decides on the basis of the assessment result and the result;
● "form decision result" puts the outcome of decision-making into a form the trusted access controller can execute, i.e. the decision result;
● "decision result" is the output of the form-decision-result process;
● "send decision result to TAC" sends the decision result to the trusted access controller.
Fig. 4 shows the workflow of the network behavior monitor, in which:
● "flow data collector" collects the network traffic data of the domain monitored by the network behavior monitor;
● "traffic data" is the output of the flow data collector;
● "data analysis" analyzes the collected traffic data;
● "analysis result" is mainly the anomaly data, used to discover security problems;
● "security problem discovery" processes the data analysis result in order to discover security problems; "No" means no security problem was found and data collection continues, "Yes" means a security problem was found and is to be handled;
● "obtain terminal network condition information" obtains the network condition of the end host at which the security problem was found;
● "analysis data" are the result data of security problem discovery together with the terminal network condition data, used as input to the comparative analysis;
● "comparative analysis" compares and processes the analysis data;
● "analysis result" is the result of the comparative analysis;
● "security problem determination" determines from that result whether there is a security problem; "No" means there is none and data collection continues, "Yes" means there is one and security problem handling is carried out;
● "send message to other NBMs" sends a security message to the adjacent network behavior monitors when a security problem has been found;
● "form decision result" forms the decision result from the preceding results;
● "decision result" is a decision that the trusted access controller can execute;
● "send decision result to TAC" sends the decision to the trusted access controller;
● "NBM message" is a security message from another network behavior monitor;
● "receive other NBM message" accepts a security message from another network behavior monitor and calls the corresponding function to handle it;
● "message content" is the specific content of the security message from the other network behavior monitor, used as input to message analysis;
● "message analysis" analyzes the security message and produces an analysis result;
● "analysis result" is the conclusion as to whether there is a security problem;
● "local security problem" calls a different process depending on whether there is a security problem: "Yes" means there is one, and control passes to the obtain-terminal-network-condition-information process; "No" means there is none, and control passes to the send-message-to-other-NBMs and form-decision-result processes.
This set of core devices of the trusted network can realize a trusted network; the devices cooperate with one another to accomplish two main tasks:
1. Trusted access procedure; the complete workflow is as follows:
A) each time a trusted terminal starts, the TIP client sends a connection request to the TIP server; this request is delivered to the TIP server specifically by the TAC;
B) the TIP server hands the request information to the integrity measurement verifier;
C) after processing it, the integrity measurement verifier sends a message to the TIP server requiring the trusted terminal to provide its own integrity measurement information, and the TIP server forwards this message to the trusted terminal through the TAC;
D) the TIP client accepts this message and hands it to the integrity measurement information collector;
E) the integrity measurement information collector collects the integrity measurement information of the trusted terminal and gives it to the TIP client, which forwards it through the TAC to the integrity measurement verifier;
F) the integrity measurement verifier processes the trusted terminal's integrity measurement information and sends a decision result to the TAC via the TIP server;
G) the TAC accepts the decision result, forms a policy from it and adds the policy to its own policy library;
H) a mobile trusted terminal that wants to access the network in another domain can complete trusted access through communication between the TIP server of that domain and its local TIP server.
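Steps A) to G) of the trusted access procedure, as an added example written for this page rather than the patent's own code. It models the TIP client, the TIP server, the integrity measurement verifier and a minimal TAC that relays the messages and records the decision as a policy (step G). The measurement method (a SHA-256 digest of each component), the message layout and the sample terminal images are assumptions; step H (mobile terminals verified via another domain's TIP server) is not modelled.

```python
"""Trusted access procedure of steps A) to G), modelled end to end (added example)."""
from __future__ import annotations
import hashlib
from typing import Callable


def measure(components: dict[str, bytes]) -> dict[str, str]:
    """Integrity measurement of each component (assumed method: SHA-256 digest)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in components.items()}


class IntegrityMeasurementVerifier:
    """Holds reference measurements and verifies what a terminal reports."""

    def __init__(self, reference: dict[str, str]) -> None:
        self.reference = reference

    def request_for(self, terminal: str) -> dict:
        # Step C): ask the terminal for its own integrity measurement information
        return {"type": "measurement_request", "terminal": terminal,
                "components": sorted(self.reference)}

    def verify(self, terminal: str, reported: dict[str, str]) -> dict:
        # Step F): every reference component must be reported with the expected value
        bad = sorted(c for c, ref in self.reference.items() if reported.get(c) != ref)
        verdict = "permit" if not bad else "refuse"
        return {"type": "decision", "verdict": verdict, "host": terminal, "mismatched": bad}


class TipServer:
    def __init__(self, verifier: IntegrityMeasurementVerifier) -> None:
        self.verifier = verifier

    def handle(self, msg: dict) -> dict:
        if msg["type"] == "connect_request":      # Step B): hand the request to the verifier
            return self.verifier.request_for(msg["terminal"])
        if msg["type"] == "measurements":         # Steps E)/F): measurements reach the verifier
            return self.verifier.verify(msg["terminal"], msg["values"])
        raise ValueError(f"unexpected message {msg['type']!r}")


class TipClient:
    def __init__(self, terminal: str, collector: Callable[[list[str]], dict[str, str]]) -> None:
        self.terminal, self.collector = terminal, collector

    def connect_request(self) -> dict:            # Step A)
        return {"type": "connect_request", "terminal": self.terminal}

    def handle(self, msg: dict) -> dict:          # Steps D), E): collector gathers the values
        values = self.collector(msg["components"])
        return {"type": "measurements", "terminal": self.terminal, "values": values}


class TacRelay:
    """The TAC forwards the exchange and, in step G), records the decision as a policy."""

    def __init__(self) -> None:
        self.policies: dict[str, str] = {}

    def relay(self, msg: dict) -> dict:
        return msg                                # transparent pass-through in this model

    def accept_decision(self, decision: dict) -> None:
        self.policies[decision["host"]] = decision["verdict"]


def run_access_procedure(client: TipClient, tac: TacRelay, server: TipServer) -> dict:
    req = tac.relay(client.connect_request())     # A) client -> TAC -> TIP server
    m_req = tac.relay(server.handle(req))         # B), C) server -> verifier -> TAC -> client
    meas = tac.relay(client.handle(m_req))        # D), E) client -> collector -> TAC -> verifier
    decision = server.handle(meas)                # F) verifier decides, via the TIP server
    tac.accept_decision(decision)                 # G) TAC forms a policy from the decision
    return decision


# Constructed sample terminal images; the second has a modified kernel component.
GOOD_IMAGE = {"kernel": b"kernel-image-v1", "agent": b"nbm-client-v1"}
TAMPERED_IMAGE = {"kernel": b"kernel-image-v1-MODIFIED", "agent": b"nbm-client-v1"}
REFERENCE = measure(GOOD_IMAGE)


def collector_for(image: dict[str, bytes]) -> Callable[[list[str]], dict[str, str]]:
    """Integrity measurement information collector bound to one terminal's image."""
    return lambda components: measure({c: image[c] for c in components if c in image})


def demo() -> tuple[dict[str, str], dict, dict]:
    tac = TacRelay()
    server = TipServer(IntegrityMeasurementVerifier(REFERENCE))
    good = run_access_procedure(TipClient("10.0.1.5", collector_for(GOOD_IMAGE)), tac, server)
    bad = run_access_procedure(TipClient("10.0.1.6", collector_for(TAMPERED_IMAGE)), tac, server)
    return tac.policies, good, bad


if __name__ == "__main__":
    print(demo())
```

The verifier treats a missing component the same as a mismatched one, so a terminal cannot pass by simply omitting the component it tampered with; that is the check a practitioner would want in step F.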
2. Trusted security monitoring and management; the complete workflow is as follows:
A) the network behavior monitor collects network traffic data through the high-speed data acquisition card and, by means of the network anomaly checker, analyzes the current network security state of the hosts in this domain;
B) if it finds that a terminal in this domain is being attacked, the network anomaly checker sends information about the attack source through the NBM server to the adjacent NBMs; at the same time it sends decision information to the TAC to block all packets from this attack source;
C) if it finds that a terminal in this domain is attacking the outside, it first sends a decision result to the TAC to block all outbound communication through the TAC; the network anomaly checker then sends a message via the NBM server to the trusted terminal requiring it to provide its running-state information, and this message is forwarded by the TAC; the NBM client on the terminal receives the message and hands it to the running-state information collector; the running-state information collector collects the current running-state information of the terminal, and the NBM client sends this information to the NBM server; the NBM server hands the information to the network anomaly checker; the network anomaly checker analyzes it to determine whether the attack was initiated by this terminal in this domain, forms a decision result, and sends that decision result to the TAC for execution;
D) if an NBM receives attack-source information reported by an adjacent NBM, it first checks whether it has already received a message about this attack source in the recent period; if so, it does no further processing; otherwise it checks whether the attack source is in this domain. If it is, it is handled as in step C) above; if it is not, the NBM first forms a decision result blocking all data from the attack source and has the TAC execute it, and at the same time sends the message about the attack source to the other adjacent NBMs.
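Steps A) to D) of the monitoring workflow, as an added example written for this page (not the patent's code). Two adjacent NBMs are modelled over constructed flow records; the anomaly rule (a source contacting at least five distinct destinations), the terminal running-state report, the domain-membership test by address prefix and the verdict names are all assumptions, since the page specifies none of them. The "recent period" check of step D is modelled as a set of already-handled sources without expiry.

```python
"""Network behavior monitor (NBM) workflow of steps A) to D), modelled (added example)."""
from __future__ import annotations
from collections import defaultdict
from typing import Callable


class NetworkBehaviorMonitor:
    def __init__(self, name: str, domain_prefix: str,
                 query_terminal: Callable[[str], dict], fanout_threshold: int = 5) -> None:
        self.name = name
        self.domain_prefix = domain_prefix          # constructed: hosts of this domain share it
        self.query_terminal = query_terminal        # stands in for the NBM client on a host
        self.fanout_threshold = fanout_threshold    # assumed anomaly rule; the page names none
        self.neighbors: list[NetworkBehaviorMonitor] = []   # adjacent NBMs
        self.recent_sources: set[str] = set()       # attack sources handled recently (step D)
        self.decisions: list[dict] = []             # decision results sent to the TAC
        self.outbox: list[dict] = []                # security messages sent to adjacent NBMs

    def in_domain(self, addr: str) -> bool:
        return addr.startswith(self.domain_prefix)

    def analyze_flows(self, flows: list[dict]) -> list[str]:
        """'Data analysis': flag sources contacting unusually many distinct destinations."""
        fanout: dict[str, set[str]] = defaultdict(set)
        for flow in flows:
            fanout[flow["src"]].add(flow["dst"])
        return sorted(src for src, dsts in fanout.items() if len(dsts) >= self.fanout_threshold)

    def _decide(self, verdict: str, host: str) -> dict:
        decision = {"verdict": verdict, "host": host}   # executable by the TAC
        self.decisions.append(decision)
        return decision

    def _notify_neighbors(self, source: str) -> None:
        msg = {"from": self.name, "attack_source": source}
        self.outbox.append(msg)
        for nbm in self.neighbors:
            nbm.handle_neighbor_message(msg)

    def _handle_internal_source(self, src: str) -> dict:
        """Step C): block outbound traffic first, then confirm against the terminal's own state."""
        self._decide("block_outbound", src)
        state = self.query_terminal(src)            # running-state information via the NBM client
        confirmed = state.get("active_outbound", 0) >= self.fanout_threshold
        # If the terminal's state does not corroborate the flow data, the block is lifted (assumption).
        return self._decide("refuse_access" if confirmed else "unblock_outbound", src)

    def monitor(self, flows: list[dict]) -> dict[str, str]:
        """Steps A) to C): one collection-and-analysis pass over captured flow data."""
        outcomes = {}
        for src in self.analyze_flows(flows):
            self.recent_sources.add(src)            # recorded before notifying, so replies dedupe
            if self.in_domain(src):
                outcomes[src] = self._handle_internal_source(src)["verdict"]
            else:                                   # Step B): external source attacking this domain
                self._decide("block_source", src)
                self._notify_neighbors(src)
                outcomes[src] = "block_source"
        return outcomes

    def handle_neighbor_message(self, msg: dict) -> str:
        """Step D): attack-source report from an adjacent NBM."""
        src = msg["attack_source"]
        if src in self.recent_sources:
            return "already_handled"                # seen in the recent period: no further work
        self.recent_sources.add(src)
        if self.in_domain(src):
            return self._handle_internal_source(src)["verdict"]
        self._decide("block_source", src)           # not ours: block it and pass the word on
        self._notify_neighbors(src)
        return "block_source"


# Constructed flow records: an external scanner hitting five hosts in domain A, an internal
# host fanning out to five external addresses, and one benign single-destination flow.
SAMPLE_FLOWS = (
    [{"src": "198.51.100.7", "dst": f"10.0.1.{i}"} for i in range(2, 7)]
    + [{"src": "10.0.1.9", "dst": f"203.0.113.{i}"} for i in range(1, 6)]
    + [{"src": "10.0.1.3", "dst": "203.0.113.10"}]
)


def build_monitors() -> tuple[NetworkBehaviorMonitor, NetworkBehaviorMonitor]:
    """Two adjacent NBMs over constructed domains 10.0.1.0/24 and 10.0.2.0/24."""
    def terminal_state(host: str) -> dict:
        # constructed running-state reports from the NBM client on each host
        return {"10.0.1.9": {"active_outbound": 12}}.get(host, {"active_outbound": 0})
    nbm_a = NetworkBehaviorMonitor("NBM-A", "10.0.1.", terminal_state)
    nbm_b = NetworkBehaviorMonitor("NBM-B", "10.0.2.", terminal_state)
    nbm_a.neighbors.append(nbm_b)
    nbm_b.neighbors.append(nbm_a)
    return nbm_a, nbm_b


if __name__ == "__main__":
    a, b = build_monitors()
    print(a.monitor(SAMPLE_FLOWS), a.decisions, b.decisions)
```

Recording the source in `recent_sources` before notifying neighbours is what stops two mutually adjacent NBMs from bouncing the same attack-source message back and forth; without the step D check, every report would re-trigger blocking and re-notification indefinitely.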

Claims (4)

1. A set of core devices for implementing a trusted network, used to implement trusted access of users and to monitor user behavior after access, the set comprising: a trusted access controller (TAC), a trusted information processor (TIP) and a network behavior monitor (NBM). The trusted access controller is connected to other trusted access controllers and communicates with the trusted information processor and the network behavior monitor in its domain; the trusted information processor communicates with other trusted information processors and with the trusted access controller in its domain; the network behavior monitor communicates with other network behavior monitors and with the trusted access controller in its domain.
2. The core devices of the trusted network according to claim 1, characterized in that the trusted access controller is the execution unit for decision results: it finally carries out the decision of whether a host may access the network and communicate with the outside. In addition, the trusted access controller also carries out normal data stream transmission.
3. The core devices of the trusted network according to claim 1, characterized in that the trusted information processor fully supports the TNC connection standard and completes the trusted access procedure together with the trusted access controller; it communicates with other trusted access controllers and supports trusted access while a mobile network device is moving.
4. The core devices of the trusted network according to claim 1, characterized in that the network behavior monitor combines the traffic data analysis result with the current network conditions to judge whether there is an abnormal condition in the current network or at a host in its domain, and generates an abnormal-condition result if there is; it communicates with the host having the abnormal condition, requiring it to collect its network traffic data information, and compares this with the previously obtained abnormal condition to arrive at the decision result; and it sends the decision result to the trusted access controller.

Priority Applications (1)

Application Number: CNB2006101376830A (CN100426755C, en)
Priority Date: 2006-11-06
Filing Date: 2006-11-06
Title: Kernel devices of credible network

Publications (2)

Publication Number  Publication Date
CN1960286A (en)     2007-05-09
CN100426755C (en)   2008-10-15

Family

ID=38071788

Country Status (1)

Country Link
CN (1) CN100426755C (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN102065003A (en) *  2010-08-24  2011-05-18  吉林大学  Method, system and equipment for realizing trusted secure routing of vehicular information system
US8424060B2 (en)  2007-11-16  2013-04-16  China Iwncomm Co., Ltd.  Trusted network access controlling method based on tri-element peer authentication

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
US5954797A (en) *  1997-05-14  1999-09-21  Ncr Corporation  System and method for maintaining compatibility among network nodes connected to a computer network
US7437721B2 (en) *  2004-09-29  2008-10-14  Microsoft Corporation  Isolating software deployment over a network from external malicious intrusion
CN100358303C (en) *  2005-02-28  2007-12-26  联想(北京)有限公司  A method for monitoring apparatus being managed
CN100493088C (en) *  2005-09-23  2009-05-27  北京交通大学  Method for applying cooperative enhancement mechanism to adhoc network
CN100534044C (en) *  2005-09-26  2009-08-26  深圳市深信服电子科技有限公司  Method for realizing safety accessing of external network for user in gateway, gate bridge

Also Published As

Publication number Publication date
CN100426755C (en) 2008-10-15

Legal Events

Code  Title
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
C14   Grant of patent or utility model
GR01  Patent grant
C17   Cessation of patent right
CF01  Termination of patent right due to non-payment of annual fee

Granted publication date: 20081015
Termination date: 20091207