WO2015149669A1 - Trusted network attack filtering device and network attack filtering method - Google Patents


Info

Publication number
WO2015149669A1
Authority
WO
WIPO (PCT)
Prior art keywords
data packet
control module
security control
network
sequence number
Application number
PCT/CN2015/075441
Other languages
French (fr)
Chinese (zh)
Inventor
吕卓
张威
莫坚松
张之刚
Original Assignee
国家电网公司
国网河南省电力公司电力科学研究院

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity

Definitions

  • the present invention relates to the field of network security defense, and in particular, to a network attack filtering device and a network attack filtering method capable of accurately identifying network IP data packets and accurately filtering illegal IP data packets based on the identification.
  • mainstream network security defense devices include firewalls, intrusion detection, and encrypted VPNs. Each device can play a certain security role, but it also has drawbacks.
  • the firewall is mainly based on IP packet filtering technology to defend against network attacks.
  • the firewall checks the IP packet according to the preset filtering rules, releases the allowed IP data packet, and discards the forbidden IP data packet. Based on the above principles, the firewall can defend against many attacks, but the attacker can spoof and bypass the firewall or directly attack the firewall by constructing IP packets that conform to the filtering rules.
  • Intrusion detection is mainly based on feature detection and anomaly detection to determine attacks. In essence, it analyzes, synthesizes and extracts some network behavior pattern or rule from the activity patterns of network IP packets, and then judges whether an IP packet is intrusive according to that behavior pattern or rule. However, both approaches can in principle judge a normal IP data packet to be an intrusion packet, or treat an intrusion packet as a legitimate one, so intrusion detection finds it difficult to detect precisely.
  • Encrypted VPNs communicate by establishing an encrypted secure channel between the two communicating parties. Because cryptographic principles are used, IP packets can be accurately distinguished and attack packets separated from legitimate packets. However, the implementation of the device itself is complicated, so the correctness and security of the device's own program cannot be guaranteed in principle, and the device itself may be compromised. In addition, in practical applications encrypting the data reduces the data throughput of the network, and many applications have no encryption requirement, which increases deployment cost.
  • the network IP data packet itself has no trusted identifier, so an attacker can easily spoof or tamper with IP data packets to evade the network security defense device and attack the target.
  • current VPN devices are high in cost, and their own security weaknesses reduce the level of defense they provide. Therefore a network defense device with low deployment cost and high security is required, one that can identify the source of IP packets, distinguish legitimate IP packets from attack packets, and effectively protect network devices.
  • the object of the present invention is to provide a trusted network attack filtering device and a network attack filtering method, which can accurately identify network IP data packets and accurately filter illegal IP data packets based on the identification, thereby realizing effective protection of network devices.
  • a trusted network attack filtering device comprising a network interface module and a security control module
  • the network interface module is configured to complete transmission and reception of an IP data packet
  • the network interface module includes an external network interface module and an internal network interface module;
  • the external network interface module is connected to the security control module and the external communication network, and is configured to receive the IP data packet sent by the external communication network and transmit it to the security control module, and to receive the IP data packet sent by the security control module and send it out through the external communication network;
  • the intranet network interface module is connected to the protected computer in the internal network and to the security control module, and is configured to receive the IP data packet sent by the security control module and transmit it to the protected computer in the internal network, and to receive the IP data packet sent by the protected computer in the internal network and transmit it to the security control module;
  • the security control module is configured to identify the IP data packet received from the protected computer and to analyze and discriminate the IP data packet received from the external communication network; the security control module stores, for each corresponding destination address and source address, the key, the transmission sequence number and the reception sequence number.
  • when the security control module receives an IP data packet sent by the protected computer in the intranet, the security control module reads the IP data packet and extracts the destination address of the IP data packet, obtains the corresponding key and transmission sequence number according to the destination address, places the transmission sequence number at the end of the IP data packet, performs a digest operation over the IP data packet and the transmission sequence number using the key, and appends the digest operation result after the transmission sequence number; the length indication information in the IP header information is then adjusted to the current length, and the identified IP data packet is sent to the external communication network through the external network interface module;
  • when the security control module receives an IP data packet sent by the external communication network, the security control module reads the IP data packet and extracts the IP data packet source address, obtains the corresponding key and reception sequence number according to the source address, performs a digest operation over the protected content and the transmission sequence number in the IP data packet using the key, and compares the operation result with the digest operation result contained in the IP data packet. If the results are inconsistent, the IP data packet is considered tampered with or forged and is discarded;
  • if the results are consistent, the IP data packet is judged not to have been tampered with or forged, and the comparison continues between the transmission sequence number read from the IP data packet and the stored reception sequence number: if the transmission sequence number is greater than the reception sequence number, the IP data packet is considered legal, and the security control module accepts it and sends it to the protected computer in the intranet; if the transmission sequence number is less than or equal to the reception sequence number, the IP data packet is considered illegal and is discarded.
  • the security control module includes a security processing chip and an external memory connected to the security processing chip.
  • the security processing chip is further connected with a switch module and a serial port communication module, wherein the signal output end of the switch module is connected to the signal input end of the security processing chip; the switch module inputs a high level or low level signal to the security processing chip, and the security processing chip enters either the IP data packet identification, analysis and discrimination working mode or the configuration program running mode according to the signal received from the switch module. In the configuration program running mode, the security processing chip communicates with the outside world only through the serial communication module.
  • the network interface module adopts an interface chip supporting an IEEE802.3 Ethernet specification.
  • the switch module adopts a circuit switch.
  • the serial communication module adopts an asynchronous serial communication interface chip supporting the RS232 standard.
  • step A: connect a network attack filtering device between the protected computer in each intranet and the external communication network. When the security control module in a network attack filtering device receives an IP data packet, it determines the source of the IP data packet. If the source is the computer connected to this network attack filtering device, proceed to step B; if the source is another network attack filtering device, proceed to step F;
  • step B: the security control module reads the IP data packet and extracts the IP data packet destination address, and then proceeds to step C;
  • step C: the security control module obtains the corresponding key and transmission sequence number according to the destination address of the IP data packet, and then proceeds to step D;
  • step D: the security control module places the transmission sequence number at the end of the IP data packet, performs a digest operation over the IP data packet and the transmission sequence number using the key, appends the digest operation result after the transmission sequence number, adjusts the length indication information in the IP header information to the current length, and then proceeds to step E;
  • step E: the security control module sends the identified IP data packet to the external communication network through the external network interface module, which completes the IP packet identification operation, and then returns to step A;
  • step F: the security control module reads the IP data packet and extracts the IP packet source address, and then proceeds to step G;
  • step G: the security control module obtains the corresponding key and reception sequence number according to the IP packet source address, and then proceeds to step H;
  • step H: the security control module performs a digest operation over the protected content and the transmission sequence number in the IP data packet using the key, and compares the operation result with the digest operation result contained in the IP data packet. If the results are consistent, the IP data packet is judged not to have been tampered with or forged, and the process proceeds to step I; if the results are inconsistent, the IP data packet is considered tampered with or forged, the IP data packet is discarded, and the process returns to step A;
  • step I: the security control module reads the transmission sequence number from the IP data packet and compares it with the reception sequence number. If the transmission sequence number is greater than the reception sequence number, the IP data packet is considered legal, is accepted, and is sent to the protected computer in the intranet; if the transmission sequence number is less than or equal to the reception sequence number, the IP data packet is considered illegal and is discarded; the process then returns to step A.
  • when an IP data packet sent by the protected computer in the internal network is to be sent out, the IP data packet and the transmission sequence number are digested with the key, and the digest operation result and the transmission sequence number are attached to the IP data packet as its identifier; the IP data packet containing the identifier is then sent to the external communication network through the external network interface module. When an IP data packet sent by the external communication network is received, the security control module obtains the corresponding key according to the source address, digests the protected content and the transmission sequence number in the IP data packet, and compares the result with the digest operation result in the IP data packet to determine whether the IP data packet has been tampered with or forged. In this way legal and illegal data packets are accurately distinguished and attacks from outside the system are filtered; the security control module also reads and compares the transmission sequence number and the reception sequence number, which resists replay attacks issued by an attacker, thereby effectively protecting network devices.
  • the present invention uses a hardware switch to isolate the two operating logics of the security processing chip: the configuration program of the security processing chip is never executed via the network and can only be executed through the serial communication module, which effectively prevents attacks against the security processing chip itself initiated through the network interface module, so security is greatly improved.
  • FIG. 1 is a schematic block diagram of a trusted network attack filtering device according to the present invention.
  • FIG. 2 is a schematic flowchart of a network attack filtering method according to the present invention.
  • FIG. 3 is a schematic diagram of the IP packet identification principle.
  • FIG. 4 is a schematic block diagram of data communication between two computers through a network attack filtering device.
  • the present invention includes a network interface module for transmitting and receiving IP data packets, and a security control module for identifying the IP data packets received from the protected computer and for analyzing and discriminating the IP data packets received from the external communication network.
  • the network interface module includes an external network interface module and an internal network interface module. The external network interface module is connected to the security control module and the external communication network, and is configured to receive the IP data packet sent by the external communication network and transmit it to the security control module, and to receive the IP data packet sent by the security control module and send it out through the external communication network.
  • the intranet network interface module is connected to the protected computer in the internal network and to the security control module, and is used to receive the IP data packet sent by the security control module and transmit it to the protected computer in the internal network, and to receive the IP data packet sent by the protected computer in the internal network and transmit it to the security control module.
  • the security control module comprises a security processing chip and an external memory connected to the security processing chip.
  • the security chip has ROM, EFLASH and RAM storage units, and the internal storage unit of the security chip stores the key, transmission sequence number and reception sequence number corresponding to each destination address and source address. When the security control module receives an IP data packet sent by the protected computer in the internal network, it reads the IP data packet and extracts its destination address, obtains the corresponding key and transmission sequence number according to the destination address, places the transmission sequence number at the end of the IP data packet, digests the IP data packet and the transmission sequence number with the key, appends the digest operation result after the transmission sequence number, adjusts the length indication information in the IP header information to the current length, and sends the packet to the external communication network through the external network interface module.
  • the schematic diagram of the IP packet identification principle is shown in Figure 3.
  • the security control module performs a digest operation over the protected content and the transmission sequence number in the IP data packet using the key, and compares the operation result with the digest operation result contained in the IP data packet. If the results are inconsistent, the IP data packet is considered tampered with or forged and is discarded; if the results are consistent, the IP data packet is judged not to have been tampered with or forged, and the transmission sequence number read from the IP data packet is compared with the reception sequence number. If the transmission sequence number is greater than the reception sequence number, the IP data packet is considered valid, and the security control module accepts it and sends it to the protected computer in the intranet; if the transmission sequence number is less than or equal to the reception sequence number, the IP data packet is considered illegal and is discarded.
  • a secure processing chip configuration program is stored in the external memory connected to the security processing chip.
  • the security processing chip is also connected with a switch module and a serial communication module.
  • the signal output end of the switch module is connected to the signal input end of the security processing chip; the switch module inputs a high level or low level signal to the security processing chip, and the security processing chip enters either the IP data packet receiving and processing working mode or the configuration program running mode according to the signal received from the switch module. In the configuration program running mode the security processing chip communicates with the outside world only through the serial communication module.
  • when the security processing chip executes the IP packet receiving and processing mode, the security processing chip is started internally, that is, it reads its program from the internal storage unit and executes it, and it cannot access the external memory; this ensures that the program in the external memory cannot be tampered with and so protects the configuration program.
  • when the security processing chip executes the configuration program running mode, the security processing chip reads the configuration program from the external memory and executes it; a counterpart configuration program runs on the user's computer, and the user's computer communicates with the security processing chip through the serial communication module, so the configuration program in the processing chip and the user's computer form a C/S (client/server) working mode.
  • the invention uses the hardware switch to isolate the two operating logics of the security processing chip, and the configuration program of the security processing chip is never executed via the network, which effectively prevents attacks against the security processing chip itself initiated through the network interface module. Regardless of whether the configuration program of the security processing chip has loopholes, an attacker cannot modify the configuration program of the security processing chip, so security is greatly improved.
  • the network interface module adopts an interface chip supporting an Ethernet specification such as IEEE802.3, which is called a network card chip, and can support transmission and reception of Ethernet data packets.
  • the network card chip may be a domestically produced chip.
  • the security processing chip refers to a control chip with security function.
  • the security function refers to the ability to perform cryptographic operations and has strong anti-multiple attack measures.
  • the cryptographic operation can be a digest operation, and the chip's own anti-attack measures include a multi-layer chip structure, special layout design, voltage detection, storage area encryption protection, light detection, an MPU (memory protection unit) and other measures against physical attacks and software attacks.
  • the switch module can adopt a circuit switch, and the opening and closing of the circuit switch can send two different control signals of low level and high level to the security processing chip.
  • the serial communication module can adopt an asynchronous serial communication interface chip supporting the RS232 standard. Communication requires a dedicated serial cable connecting this asynchronous serial communication interface chip to the asynchronous serial communication interface chip on the user's configuration computer (generally called the COM port).
  • the external memory can be a FLASH chip, which is a general-purpose memory chip that retains its data when power is lost and can be read, written and erased through its external interface.
  • the network attack filtering method of the present invention includes steps A to I as set out above.
  • the IP data packet in the present invention is composed of two parts, a header and data, and the source address and destination address contained in the header are IP protocol addresses.
  • the digest operation in the present invention is one of the basic algorithms of cryptography, and is also called a hash algorithm.
  • the network attack filtering method of the present invention is further described below in conjunction with specific embodiments.
  • the first computer is connected to the external communication network through the first network attack filtering device
  • the second computer is connected to the external communication network through the second network attack filtering device.
  • when the first computer needs to send an IP data packet to the second computer, the first computer first sends the IP data packet to the first network attack filtering device. The security control module of the first network attack filtering device reads the IP data packet and extracts its destination address, that is, the address of the second computer; it then obtains the corresponding key and transmission sequence number according to the destination address, places the transmission sequence number at the end of the IP data packet, digests the IP data packet and the transmission sequence number with the key, appends the digest result, adjusts the length indication information in the IP header, and sends the packet to the second computer through the external network via the external network interface module, completing the IP packet identification operation;
  • the external network interface module of the second network attack filtering device receives the IP data packet and passes it to the security control module of the second network attack filtering device, which reads the IP data packet and extracts its source address, obtains the corresponding key and reception sequence number according to the source address, then performs a digest operation over the protected content and the transmission sequence number in the IP data packet using the key and compares the result with the digest operation result contained in the IP data packet. If the results are inconsistent, the IP data packet is considered tampered with or forged and is discarded;
  • if the results are consistent, the security control module of the second network attack filtering device reads the transmission sequence number from the IP data packet and compares it with the reception sequence number. If the transmission sequence number is greater than the reception sequence number, the IP data packet is considered legal, and the security control module of the second network attack filtering device accepts it and sends it to the second computer; if the transmission sequence number is less than or equal to the reception sequence number, the IP data packet is considered illegal and the security control module of the second network attack filtering device discards it.
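  • The two-device exchange above, and the identification (steps B to E) and discrimination (steps F to I) of the security control module claimed earlier, as an added Python example; this is not code from the patent or its assignee. It assumes HMAC-SHA256 as the keyed digest, a 32-bit big-endian transmission sequence number, a minimal IPv4 header without options, a shared per-pair key held in each device's `peers` table, and that a device updates its stored reception sequence number to the last accepted value; the patent specifies none of these, and the addresses, key and payload are constructed sample data.

```python
import hashlib
import hmac
import ipaddress
import struct

SEQ_LEN = 4       # assumed: 32-bit big-endian transmission sequence number
DIGEST_LEN = 32   # assumed: HMAC-SHA256 digest appended after the sequence number


def build_ipv4_header(src, dst, payload_len, proto=17):
    """Minimal IPv4 header without options (checksum left zero for this sample)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def parse_ipv4(packet):
    """Return (total_length, src, dst) read from the IP header."""
    total_len = struct.unpack("!H", packet[2:4])[0]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return total_len, src, dst


def set_total_length(packet, new_len):
    """Adjust the length indication information in the IP header."""
    return packet[:2] + struct.pack("!H", new_len) + packet[4:]


class FilterDevice:
    """Security control module: per-peer key, transmission and reception sequence numbers."""

    def __init__(self, peers):
        self.keys = dict(peers)                  # peer IP -> shared key (assumed table)
        self.tx_seq = {ip: 0 for ip in peers}    # transmission sequence number per destination
        self.rx_seq = {ip: 0 for ip in peers}    # last accepted sequence number per source

    def identify(self, packet):
        """Steps B-E: key by destination, append seq and keyed digest, fix the length field."""
        total_len, _, dst = parse_ipv4(packet)
        key = self.keys[dst]
        self.tx_seq[dst] += 1
        body = packet[:total_len] + struct.pack("!I", self.tx_seq[dst])
        # The digest covers the packet with its original length field plus the sequence number.
        tag = hmac.new(key, body, hashlib.sha256).digest()
        out = body + tag
        return set_total_length(out, len(out))

    def discriminate(self, packet):
        """Steps F-I: key by source, verify the digest, then require seq > stored reception seq."""
        total_len, src, _ = parse_ipv4(packet)
        key = self.keys.get(src)
        if key is None or total_len != len(packet) or total_len < 20 + SEQ_LEN + DIGEST_LEN:
            return None, "malformed"
        tag = packet[-DIGEST_LEN:]
        # Restore the original length field so the protected content matches what the sender digested.
        body = set_total_length(packet[:-DIGEST_LEN], total_len - SEQ_LEN - DIGEST_LEN)
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            return None, "tampered_or_forged"
        seq = struct.unpack("!I", body[-SEQ_LEN:])[0]
        if seq <= self.rx_seq[src]:
            return None, "replay"
        self.rx_seq[src] = seq
        return body[:-SEQ_LEN], "accepted"


def demo():
    """Two devices sharing one key: legitimate delivery, a replayed copy and a tampered copy."""
    key = b"constructed-sample-key-for-this-pair"           # constructed, not from the patent
    first = FilterDevice({"10.0.0.2": key})    # in front of the first computer (10.0.0.1)
    second = FilterDevice({"10.0.0.1": key})   # in front of the second computer (10.0.0.2)
    payload = b"\x00\x35\x00\x35\x00\x0d\x00\x00hello"      # constructed UDP-like payload
    pkt = build_ipv4_header("10.0.0.1", "10.0.0.2", len(payload)) + payload
    tagged = first.identify(pkt)
    forged = bytearray(tagged)
    forged[25] ^= 0xFF                                      # flip one payload byte in transit
    return {
        "plain": pkt,
        "tagged": tagged,
        "untagged": second.discriminate(pkt),               # never identified by a device
        "first_copy": second.discriminate(tagged),
        "replayed_copy": second.discriminate(tagged),
        "tampered_copy": second.discriminate(bytes(forged)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result if isinstance(result, tuple) else len(result))
```

Two design points the patent leaves open matter in practice: the "digest operation with the key" is implemented here as an HMAC rather than a plain hash over key and data, because a plain Merkle-Damgård hash of key plus data is open to length-extension forgery, and the comparison uses `hmac.compare_digest` so a forged tag cannot be confirmed byte by byte through timing. The stored reception sequence number must also survive a reset of the device; if it restarts at zero, every previously captured packet becomes replayable until the counter catches up.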
  • the invention adds digest information and sequence number information to the IP data packet. The digest is computed from the key and a cryptographic algorithm, so tampering with or forgery of the data packet can in theory be detected through the digest, and the sequence number information makes it possible to defend against replay attacks by attackers.
  • the present invention can accurately distinguish between legal and illegal data packets, and filter attacks from outside the system.
  • the present invention does not adopt the current complex network cryptographic security protocols and is simple and convenient to implement; the specific implementation can be verified by formal methods to ensure the correctness and security of the implementation itself.
  • the invention also uses the hardware switch to isolate the two operating logics of the security processing chip, and the configuration program of the security processing chip is never executed via the network and can only be executed through the serial communication module, which effectively prevents attacks against the security processing chip itself initiated through the network interface module, so security is greatly improved.

Abstract

Disclosed are a trusted network attack filtering device and a network attack filtering method, comprising a network interface module and a security control module; the network interface module is used to receive and transmit an IP data packet; the security control module is used to identify the received IP data packet transmitted by a protected computer, and to parse and judge the received IP data packet transmitted by an external communication network. The present invention utilizes summary calculation to determine whether an IP data packet has been tampered with or forged, precisely differentiate between authorized and unauthorized data packets, and filter attacks from outside the system; in addition, the present invention can defend against replay attacks initiated by attackers by comparing sent serial numbers and received serial numbers, thus efficiently protecting network devices.

Description

一种可信的网络攻击过滤装置及网络攻击过滤方法  Trusted network attack filtering device and network attack filtering method
技术领域Technical field
本发明涉及网络安全防御领域,尤其涉及一种能够精确标识网络IP数据包并在标识的基础上精确过滤非法IP数据包的网络攻击过滤装置及网络攻击过滤方法。The present invention relates to the field of network security defense, and in particular, to a network attack filtering device and a network attack filtering method capable of accurately identifying network IP data packets and accurately filtering illegal IP data packets based on the identification.
Background art
The development of network communication has greatly advanced society as a whole, and every industry uses networks for information exchange to some degree. However, security was not adequately considered when today's IP-based network communication was first designed, so network devices are frequently attacked over the network, and these attacks cause great harm. To improve network security, devices such as firewalls, intrusion detection systems and encrypted VPNs have therefore been introduced one after another, raising network security to a certain extent.
At present, the mainstream network security defense devices are firewalls, intrusion detection systems and encrypted VPNs. Each of these plays a certain security role, but each also has drawbacks.
A firewall defends against network attacks mainly on the basis of IP packet filtering: when a network IP data packet arrives at the firewall, the firewall checks it against preset filtering rules, passes permitted IP data packets and discards forbidden ones. On this principle a firewall can withstand many attacks, but an attacker can construct IP data packets that conform to the filtering rules in order to deceive and bypass the firewall, or can attack the firewall directly.
Intrusion detection determines attacks mainly by signature detection and anomaly detection. In essence, it analyzes, synthesizes and extracts some pattern or rule of network behavior from the activity of network IP data packets, and then judges from that pattern or rule whether an IP data packet is intrusive. In principle, however, both approaches may judge a normal IP data packet to be an intrusion packet, or treat an intrusion packet as a legitimate one, so intrusion detection can hardly achieve precise detection.
An encrypted VPN communicates by establishing an encrypted secure channel between the two communicating parties. Because it relies on cryptographic principles, it can distinguish IP data packets precisely and tell attack packets from legitimate ones. However, the implementation of the device itself is rather complex, so the correctness and security of the device's own program cannot be guaranteed in principle and the device itself may be compromised. Moreover, in practical use, encrypting the data lowers the network's data throughput, and many applications have no need for encryption, which raises deployment cost.
From the analysis of the above devices it can be seen that, because security was not adequately considered when the IP network protocol was designed, a network IP data packet carries no trusted identifier of its own, so it is easy for an attacker to forge or tamper with IP data packets to slip past network security defense devices and achieve the aims of the attack. At the same time, the complexity of today's high-cost VPN devices causes security problems in the devices themselves, lowering their level of defense. What is needed, therefore, is a network defense device of low deployment cost and high inherent security that precisely judges the origin of IP data packets, distinguishes legitimate IP data packets from attack packets, and thus protects network devices effectively.
Summary of the invention
The object of the present invention is to provide a trusted network attack filtering device and network attack filtering method that can precisely tag network IP data packets and, on the basis of the tag, precisely filter out illegal IP data packets, thereby protecting network devices effectively.
The present invention adopts the following technical solution:
A trusted network attack filtering device comprises a network interface module and a security control module;
The network interface module is used to complete the sending and receiving of IP data packets and comprises an external-network interface module and an internal-network interface module. The external-network interface module connects the security control module to the external communication network; it receives IP data packets sent by the external communication network and passes them to the security control module, and receives IP data packets sent by the security control module and transmits them over the external communication network. The internal-network interface module connects the protected computer in the internal network to the security control module; it receives IP data packets sent by the security control module and passes them to the protected computer in the internal network, and receives IP data packets sent by the protected computer and passes them to the security control module;
The security control module is used to tag the IP data packets received from the protected computer and to parse and judge the IP data packets received from the external communication network. The security control module stores keys, send sequence numbers and receive sequence numbers corresponding to the respective destination and source addresses. When the security control module receives an IP data packet sent by the protected computer in the internal network, it reads the packet and extracts its destination address, obtains the corresponding key and send sequence number according to the destination address, places the send sequence number at the tail of the IP data packet, performs a digest operation with the key over the IP data packet and the send sequence number, appends the digest result after the send sequence number, adjusts the length indication in the IP header according to the current length, and then sends the tagged IP data packet to the external communication network through the external-network interface module. When the security control module receives an IP data packet sent by the external communication network, it reads the packet and extracts its source address, obtains the corresponding key and receive sequence number according to the source address, performs a digest operation with the key over the protected content and the send sequence number in the IP data packet, and compares the result with the digest result carried in the packet. If the results do not match, the IP data packet is considered tampered with or forged and is discarded; if they match, the packet is judged not to have been tampered with or forged, and the send sequence number read from the packet is then compared with the receive sequence number: if the send sequence number is greater than the receive sequence number, the packet is considered legal, and the security control module accepts it and sends it to the protected computer in the internal network; if the send sequence number is less than or equal to the receive sequence number, the packet is considered illegal and is discarded.
The security control module comprises a security processing chip and an external memory connected to the security processing chip.
The security processing chip is further connected to a switch module and a serial-port communication module. The signal output of the switch module is connected to a signal input of the security processing chip, and the switch module is used to feed a high-level or low-level signal to the chip. Depending on which signal it receives from the switch module, the security processing chip enters either the IP packet tagging and parsing/judging working mode or the configuration program running mode; in the configuration program running mode the security processing chip communicates with the outside world only through the serial-port communication module.
The network interface module uses an interface chip supporting the IEEE 802.3 Ethernet specification.
The switch module uses a circuit switch.
The serial-port communication module uses an asynchronous serial communication interface chip supporting the RS232 standard.
A network attack filtering method implemented with the trusted network attack filtering device according to claim 1 comprises the following steps:
A: A network attack filtering device is connected between each protected computer in the internal network and the external communication network. When the security control module of a network attack filtering device receives an IP data packet, it judges the packet's origin: if the received IP data packet comes from the computer connected to this network attack filtering device, proceed to step B; if it comes from another network attack filtering device, proceed to step F;
B: The security control module reads the IP data packet and extracts its destination address, then proceeds to step C;
C: The security control module obtains the corresponding key and send sequence number according to the destination address of the IP data packet, then proceeds to step D;
D: The security control module places the send sequence number at the tail of the IP data packet, performs a digest operation with the key over the IP data packet and the send sequence number, appends the digest result after the send sequence number, adjusts the length indication in the IP header according to the current length, then proceeds to step E;
E: The security control module sends the tagged IP data packet to the external communication network through the external-network interface module, completing the IP packet tagging operation, then returns to step A;
F: The security control module reads the IP data packet and extracts its source address, then proceeds to step G;
G: The security control module obtains the corresponding key and receive sequence number according to the source address of the IP data packet, then proceeds to step H;
H: The security control module performs a digest operation with the key over the protected content and the send sequence number in the IP data packet and compares the result with the digest result carried in the packet. If the results match, the packet is judged not to have been tampered with or forged, and the method proceeds to step I; if they do not match, the packet is considered tampered with or forged, is discarded, and the method returns to step A;
I: The security control module reads the send sequence number from the IP data packet and the receive sequence number, and compares their magnitudes. If the send sequence number is greater than the receive sequence number, the packet is considered legal, is accepted, and is sent to the protected computer in the internal network; if the send sequence number is less than or equal to the receive sequence number, the packet is considered illegal, is discarded, and the method returns to step A.
In the present invention, when the protected computer in the internal network sends an IP data packet outward, a digest operation is performed with the key over the IP data packet and the send sequence number, the digest result and the send sequence number are attached to the tail of the packet as a tag, and the tagged packet is sent to the external communication network through the external-network interface module. When an IP data packet sent by the external communication network is received, the security control module obtains the corresponding key according to the source address, performs a digest operation over the protected content and the send sequence number in the packet, and compares the result with the digest result carried in the packet to judge whether the packet has been tampered with or forged. Legal and illegal packets are thus precisely distinguished and attacks from outside the system are filtered. At the same time, the security control module reads and compares the send sequence number in the IP data packet with the receive sequence number, which resists replay attacks by an attacker and effectively protects network devices. Further, the invention uses a hardware switch to isolate the two operating logics of the security processing chip: the chip runs its configuration program not over the network but only through the serial-port communication module, which effectively blocks attacks on the security processing chip itself launched through the network interface module, so that security is greatly improved.
Brief description of the drawings
FIG. 1 is a schematic block diagram of the trusted network attack filtering device of the present invention;
FIG. 2 is a schematic flowchart of the network attack filtering method of the present invention;
FIG. 3 is a schematic diagram of the IP packet tagging principle;
FIG. 4 is a schematic block diagram of two computers communicating with each other, each through its own network attack filtering device.
Detailed description
As shown in FIG. 1, the present invention comprises a network interface module and a security control module. The network interface module completes the sending and receiving of IP data packets; the security control module tags the IP data packets received from the protected computer and parses and judges the IP data packets received from the external communication network.
The network interface module comprises an external-network interface module and an internal-network interface module. The external-network interface module connects the security control module to the external communication network; it receives IP data packets sent by the external communication network and passes them to the security control module, and receives IP data packets sent by the security control module and transmits them over the external communication network. The internal-network interface module connects the protected computer in the internal network to the security control module; it receives IP data packets sent by the security control module and passes them to the protected computer in the internal network, and receives IP data packets sent by the protected computer and passes them to the security control module.
The security control module comprises a security processing chip and an external memory connected to it. The security chip has ROM, EFLASH and RAM storage units, and its internal storage units store keys, send sequence numbers and receive sequence numbers corresponding to the respective destination and source addresses. When the security control module receives an IP data packet sent by the protected computer in the internal network, it reads the packet and extracts its destination address, obtains the corresponding key and send sequence number according to the destination address, places the send sequence number at the tail of the IP data packet, performs a digest operation with the key over the IP data packet and the send sequence number, appends the digest result after the send sequence number, adjusts the length indication in the IP header according to the current length, and then sends the tagged IP data packet to the external communication network through the external-network interface module. The principle of IP packet tagging is illustrated in FIG. 3. When the security control module receives an IP data packet sent by the external communication network, it reads the packet and extracts its source address, obtains the corresponding key and receive sequence number according to the source address, performs a digest operation with the key over the protected content and the send sequence number in the IP data packet, and compares the result with the digest result carried in the packet. If the results do not match, the IP data packet is considered tampered with or forged and is discarded; if they match, the packet is judged not to have been tampered with or forged, and the send sequence number read from the packet is then compared with the receive sequence number: if the send sequence number is greater than the receive sequence number, the packet is considered legal, and the security control module accepts it and sends it to the protected computer in the internal network; if the send sequence number is less than or equal to the receive sequence number, the packet is considered illegal and is discarded.
The external memory connected to the security processing chip stores the configuration program of the security processing chip. The security processing chip is further connected to a switch module and a serial-port communication module; the signal output of the switch module is connected to a signal input of the chip, and the switch module feeds the chip a high-level or low-level signal. Depending on which signal it receives from the switch module, the security processing chip enters either the IP packet receiving and processing working mode or the configuration program running mode; in the configuration program running mode the chip communicates with the outside world only through the serial-port communication module. When the security processing chip is in the IP packet receiving and processing working mode, it boots from its internal storage, that is, it reads and executes the program from its internal storage unit and cannot access the external memory, which guarantees that the program in the external memory cannot be tampered with and hence that the configuration program is secure. When the security processing chip is in the configuration program running mode, it reads and executes the configuration program from the external memory; the configuration program runs on the user's computer, the user's computer communicates with the security processing chip through the serial-port communication module, and the configuration program running in the security processing chip forms a client/server (C/S) working mode with the user's computer. The present invention uses a hardware switch to isolate the two operating logics of the security processing chip; because the chip does not run its configuration program over the network, attacks on the chip itself launched through the network interface module are effectively blocked, and whether or not the chip's configuration program has vulnerabilities, an attacker cannot modify it, so security is greatly improved.
In this embodiment, the network interface module uses an interface chip supporting Ethernet specifications such as IEEE 802.3, known as a network card chip, which supports the sending and receiving of Ethernet packets. To improve overall security, a domestically produced chip is chosen as the network card chip. The security processing chip is a control chip with security functions: it can perform cryptographic operations and has strong built-in protection against a variety of attacks. The cryptographic operation may be a digest operation, and the built-in protections include measures against physical and software attacks such as a multi-layer special layout design, voltage detection, encrypted protection of storage areas, light detection and an MPU (memory protection unit). The switch module may be a circuit switch whose opening and closing sends two different control signals, low level and high level, to the security processing chip. The serial-port communication module may be an asynchronous serial communication interface chip supporting the RS232 standard; communication requires a dedicated serial cable connecting this chip to the asynchronous serial communication interface chip (commonly called the COM port) on the computer used for configuration. The external memory may be a FLASH chip, a general-purpose memory chip that retains data when power is lost and can be read, written and erased through its external interface.
As shown in FIG. 2, the network attack filtering method of the present invention comprises the following steps:
A: A network attack filtering device is connected between each protected computer in the internal network and the external communication network. When the security control module of a network attack filtering device receives an IP data packet, it judges the packet's origin: if the received IP data packet comes from the computer connected to this network attack filtering device, proceed to step B; if it comes from another network attack filtering device, proceed to step F;
B: The security control module reads the IP data packet and extracts its destination address, then proceeds to step C;
C: The security control module obtains the corresponding key and send sequence number according to the destination address of the IP data packet, then proceeds to step D;
D: The security control module places the send sequence number at the tail of the IP data packet, performs a digest operation with the key over the IP data packet and the send sequence number, appends the digest result after the send sequence number, adjusts the length indication in the IP header according to the current length, then proceeds to step E;
E: The security control module sends the tagged IP data packet to the external communication network through the external-network interface module, completing the IP packet tagging operation, then returns to step A;
F: The security control module reads the IP data packet and extracts its source address, then proceeds to step G;
G: The security control module obtains the corresponding key and receive sequence number according to the source address of the IP data packet, then proceeds to step H;
H: The security control module performs a digest operation with the key over the protected content and the send sequence number in the IP data packet and compares the result with the digest result carried in the packet. If the results match, the packet is judged not to have been tampered with or forged, and the method proceeds to step I; if they do not match, the packet is considered tampered with or forged, is discarded, and the method returns to step A;
I: The security control module reads the send sequence number from the IP data packet and the receive sequence number, and compares their magnitudes. If the send sequence number is greater than the receive sequence number, the packet is considered legal, is accepted, and is sent to the protected computer in the internal network; if the send sequence number is less than or equal to the receive sequence number, the packet is considered illegal, is discarded, and the method returns to step A.
In the present invention an IP data packet consists of two parts, a header and data, and the source and destination addresses contained in the header are IP protocol addresses. The digest operation used in the present invention is one of the basic algorithms of cryptography, also known as a hash algorithm.
The network attack filtering method of the present invention is further described below with reference to a specific embodiment. In this embodiment, as shown in FIG. 4, a first computer is connected to the external communication network through a first network attack filtering device, and a second computer is connected to the external communication network through a second network attack filtering device.
When the first computer needs to send an IP data packet to the second computer, it first sends the packet to the first network attack filtering device. The security control module of the first device reads the packet and extracts its destination address, namely the address of the second computer; the security control module then obtains the corresponding key and send sequence number according to that destination address, places the send sequence number at the tail of the packet, performs a digest operation with the key over the IP data packet and the send sequence number, appends the digest result after the send sequence number, and adjusts the length indication in the IP header according to the current length. Finally, the security control module of the first device sends the tagged packet through its external-network interface module over the external communication network toward the second computer, completing the IP packet tagging operation;
When the IP data packet sent by the first computer reaches the second network attack filtering device, the external network interface module of the second network attack filtering device receives it and forwards it to the security control module of the second network attack filtering device. That security control module reads the IP data packet and extracts its source address, obtains the key and the receive sequence number corresponding to that source address, and then performs a digest operation with the key over the protected content and the send sequence number carried in the IP data packet, comparing the result with the digest carried in the IP data packet. If the two differ, the IP data packet is regarded as tampered with or forged and is discarded. If they match, the IP data packet is judged not to have been tampered with or forged, and the security control module of the second network attack filtering device reads the send sequence number from the IP data packet and compares it with the receive sequence number: if the send sequence number is greater than the receive sequence number, the IP data packet is regarded as legitimate, and the security control module of the second network attack filtering device accepts it and forwards it to the second computer; if the send sequence number is less than or equal to the receive sequence number, the IP data packet is regarded as illegitimate, and the security control module of the second network attack filtering device discards it.
By adding digest information and sequence number information to the IP data packet, where the digest is computed on the basis of a key and a cryptographic algorithm, the present invention can in principle detect tampering and forgery of the data packet through the digest, while the sequence number check resists replay attacks launched by an attacker. Through the above mechanism the present invention can precisely distinguish legitimate from illegitimate data packets and filter attacks originating outside the system. The present invention does not adopt the complex network cryptographic security protocols in current use; its functions are simple and easy to implement, and the concrete implementation can be verified by formal methods to ensure that the implementation itself is correct and secure. The present invention further uses a hardware switch to isolate the two operating logics of the security processing chip: the configuration program of the security processing chip is not executed via the network but only via the serial communication module, which effectively prevents attacks against the security processing chip itself launched through the network interface module, greatly improving security.

Claims (7)

  1. A trusted network attack filtering device, characterized in that it comprises a network interface module and a security control module;
    the network interface module is used to send and receive IP data packets and comprises an external network interface module and an internal network interface module; the external network interface module is connected to the security control module and to the external communication network and is used to receive IP data packets sent by the external communication network and pass them to the security control module, and to receive IP data packets sent by the security control module and send them over the external communication network; the internal network interface module is connected to the protected computer in the internal network and to the security control module and is used to receive IP data packets sent by the security control module and pass them to the protected computer in the internal network, and to receive IP data packets sent by the protected computer in the internal network and pass them to the security control module;
    the security control module is used to tag the IP data packets received from the protected computer and to parse and judge the IP data packets received from the external communication network; the security control module stores the key, the send sequence number and the receive sequence number corresponding to each destination address and source address; when the security control module receives an IP data packet sent by the protected computer in the internal network, it reads the IP data packet, extracts its destination address, obtains the key and the send sequence number corresponding to that destination address, places the send sequence number at the end of the IP data packet, performs a digest operation with the key over the IP data packet and the send sequence number, appends the digest result after the send sequence number, adjusts the length indication in the IP header according to the new length, and then sends the tagged IP data packet to the external communication network through the external network interface module; when the security control module receives an IP data packet sent by the external communication network, it reads the IP data packet, extracts its source address, obtains the key and the receive sequence number corresponding to that source address, performs a digest operation with the key over the protected content and the send sequence number carried in the IP data packet, and compares the result with the digest carried in the IP data packet; if the two differ, the IP data packet is regarded as tampered with or forged and is discarded; if they match, the IP data packet is judged not to have been tampered with or forged, and the send sequence number read from the IP data packet is compared with the receive sequence number; if the send sequence number is greater than the receive sequence number, the IP data packet is regarded as legitimate, and the security control module accepts it and sends it to the protected computer in the internal network; if the send sequence number is less than or equal to the receive sequence number, the IP data packet is regarded as illegitimate and is discarded.
  2. The trusted network attack filtering device according to claim 1, characterized in that the security control module comprises a security processing chip and an external memory connected to the security processing chip.
  3. The trusted network attack filtering device according to claim 2, characterized in that the security processing chip is further connected to a switch module and a serial communication module; the signal output of the switch module is connected to the signal input of the security processing chip; the switch module is used to input a high-level or a low-level signal to the security processing chip, and depending on which signal it receives from the switch module the security processing chip enters either the IP data packet tagging and parsing/judging operating mode or the configuration program operating mode; in the configuration program operating mode the security processing chip communicates with the outside only through the serial communication module.
  4. The trusted network attack filtering device according to claim 3, characterized in that the network interface module uses an interface chip supporting the IEEE 802.3 Ethernet specification.
  5. The trusted network attack filtering device according to claim 4, characterized in that the switch module is a circuit switch.
  6. The trusted network attack filtering device according to claim 5, characterized in that the serial communication module uses an asynchronous serial communication interface chip supporting the RS232 standard.
  7. A network attack filtering method implemented with the trusted network attack filtering device according to claim 1, characterized in that it comprises the following steps:
    A: connect a network attack filtering device between each protected computer in the internal network and the external communication network; when the security control module of a network attack filtering device receives an IP data packet, it determines the source of the IP data packet: if the received IP data packet comes from the computer connected to this network attack filtering device, proceed to step B; if it comes from another network attack filtering device, proceed to step F;
    B: the security control module reads the IP data packet and extracts its destination address, then proceeds to step C;
    C: the security control module obtains the key and the send sequence number corresponding to the destination address of the IP data packet, then proceeds to step D;
    D: the security control module places the send sequence number at the end of the IP data packet, performs a digest operation with the key over the IP data packet and the send sequence number, appends the digest result after the send sequence number, and adjusts the length indication in the IP header according to the new length, then proceeds to step E;
    E: the security control module sends the tagged IP data packet to the external communication network through the external network interface module, completing the IP data packet tagging operation, then returns to step A;
    F: the security control module reads the IP data packet and extracts its source address, then proceeds to step G;
    G: the security control module obtains the key and the receive sequence number corresponding to the source address of the IP data packet, then proceeds to step H;
    H: the security control module performs a digest operation with the key over the protected content and the send sequence number carried in the IP data packet and compares the result with the digest carried in the IP data packet; if they match, the IP data packet is judged not to have been tampered with or forged and the method proceeds to step I; if they differ, the IP data packet is regarded as tampered with or forged, is discarded, and the method returns to step A;
    I: the security control module reads the send sequence number and the receive sequence number, compares them, and if the send sequence number is greater than the receive sequence number regards the IP data packet as legitimate, accepts it and sends it to the protected computer in the internal network; if the send sequence number is less than or equal to the receive sequence number, the IP data packet is regarded as illegitimate and is discarded, and the method returns to step A.
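The tagging and verification procedure of the embodiment above (first computer to second computer) and of steps B to I of claim 7, as an added worked example; this is not the patent's own code and the patent fixes none of the concrete choices made here. Assumptions: HMAC-SHA256 is the keyed digest, the sequence number is a 32-bit big-endian integer, the packet carries a minimal 20-byte IPv4 header, the sender increments its send sequence number once per packet, and the receiver stores an accepted send sequence number as its new receive sequence number (the claims state only the "greater than" comparison; without the update the replay check would never advance). The IPv4 header checksum is refreshed whenever the total length is rewritten, which IPv4 requires although the claims mention only the length field. Step A's dispatch by arrival interface is not modelled; `tag` is the inbound-from-computer path and `verify` the inbound-from-network path. Addresses, key and payloads are constructed sample values.

```python
import hmac
import hashlib
import struct

# Assumptions for this example (the patent fixes none of these):
IHL = 20        # minimal IPv4 header without options
SEQ_LEN = 4     # 32-bit big-endian send sequence number
MAC_LEN = 32    # HMAC-SHA256 as the keyed digest
TRAILER_LEN = SEQ_LEN + MAC_LEN


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header; returns 0 for a header whose
    checksum field is already correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def set_total_length(packet: bytes, length: int) -> bytes:
    """Rewrite the total-length field (claim 7, step D) and refresh the header
    checksum, which IPv4 requires although the claims do not mention it."""
    header = bytearray(packet[:IHL])
    struct.pack_into("!H", header, 2, length)
    struct.pack_into("!H", header, 10, 0)
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + packet[IHL:]


def build_ipv4(src: bytes, dst: bytes, payload: bytes, proto: int = 17) -> bytes:
    """Constructed sample packet: version 4, IHL 5, TTL 64, no options."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IHL + len(payload),
                         0, 0, 64, proto, 0, src, dst)
    return set_total_length(header + payload, IHL + len(payload))


class FilterDevice:
    """One network attack filtering device: per-peer key and sequence numbers."""

    def __init__(self):
        self.peers = {}  # peer IP (4 bytes) -> {"key", "send_seq", "recv_seq"}

    def add_peer(self, addr: bytes, key: bytes) -> None:
        self.peers[addr] = {"key": key, "send_seq": 0, "recv_seq": 0}

    def tag(self, packet: bytes) -> bytes:
        """Steps B-E: packet from the protected computer, bound for the network."""
        dst = packet[16:20]                   # step B: destination address
        peer = self.peers[dst]                # step C: key and send sequence number
        peer["send_seq"] += 1                 # assumption: one increment per packet
        seq = struct.pack("!I", peer["send_seq"])
        mac = hmac.new(peer["key"], packet + seq, hashlib.sha256).digest()
        tagged = packet + seq + mac           # step D: seq, then digest, at the tail
        return set_total_length(tagged, len(tagged))

    def verify(self, packet: bytes):
        """Steps F-I: packet from the network, bound for the protected computer.
        Returns (accepted, reason, original packet or None)."""
        src = packet[12:16]                   # step F: source address
        peer = self.peers.get(src)            # step G: key and receive sequence number
        if peer is None:
            return False, "unknown source", None
        if len(packet) < IHL + TRAILER_LEN:
            return False, "too short", None
        body = packet[:-TRAILER_LEN]
        seq_bytes = packet[-TRAILER_LEN:-MAC_LEN]
        mac = packet[-MAC_LEN:]
        # Restore the pre-tag header so the digest input matches what the sender signed.
        original = set_total_length(body, len(body))
        expected = hmac.new(peer["key"], original + seq_bytes, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False, "digest mismatch", None      # step H: tampered or forged
        seq = struct.unpack("!I", seq_bytes)[0]
        if seq <= peer["recv_seq"]:
            return False, "replay", None               # step I: not greater, so illegal
        peer["recv_seq"] = seq                         # assumption: advance the receive seq
        return True, "ok", original


def run_demo() -> dict:
    """Constructed exchange: a fresh packet, a replay of it, a tampered copy, a second packet."""
    a_addr, b_addr = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed
    key = b"constructed-shared-key"     # constructed; a real device reads it from its store
    dev_a, dev_b = FilterDevice(), FilterDevice()
    dev_a.add_peer(b_addr, key)
    dev_b.add_peer(a_addr, key)

    pkt = build_ipv4(a_addr, b_addr, b"hello")
    tagged = dev_a.tag(pkt)
    first = dev_b.verify(tagged)
    replay = dev_b.verify(tagged)                       # same seq again: rejected
    tampered = tagged[:IHL] + b"jello" + tagged[IHL + 5:]
    forged = dev_b.verify(tampered)                     # digest no longer matches
    second = dev_b.verify(dev_a.tag(build_ipv4(a_addr, b_addr, b"next")))
    return {
        "first": first[1], "first_inner_matches": first[2] == pkt,
        "replay": replay[1], "forged": forged[1], "second": second[1],
        "tagged_len": len(tagged),
    }


if __name__ == "__main__":
    print(run_demo())
```

The digest check runs before the sequence check, as in steps H and I, so a forged trailer is rejected without touching the receive sequence number, and a replayed packet with a valid digest is rejected by the sequence comparison alone. Because the receive sequence number only ever moves forward, packets reordered in transit are also dropped; the patent accepts that trade-off in exchange for a stateless-per-packet check.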
PCT/CN2015/075441 2014-04-03 2015-03-31 Trusted network attack filtering device and network attack filtering method WO2015149669A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410133919.8A CN103905452A (en) 2014-04-03 2014-04-03 Credible network attack filter device and method
CN201410133919.8 2014-04-03

Publications (1)

Publication Number Publication Date
WO2015149669A1 true WO2015149669A1 (en) 2015-10-08

Family

ID=50996606

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/075441 WO2015149669A1 (en) 2014-04-03 2015-03-31 Trusted network attack filtering device and network attack filtering method

Country Status (2)

Country Link
CN (1) CN103905452A (en)
WO (1) WO2015149669A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107347052A (en) * 2016-05-05 2017-11-14 阿里巴巴集团控股有限公司 The method and device of storehouse attack is hit in detection
CN115314188A (en) * 2022-10-11 2022-11-08 北京紫光青藤微系统有限公司 Decoding device, authentication method for decoding device and mobile terminal

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103905452A (en) * 2014-04-03 2014-07-02 国家电网公司 Credible network attack filter device and method
CN105072104B (en) * 2015-07-30 2019-06-07 积成电子股份有限公司 The switch system and processing method of function are distorted with anti-IEEE1588
DE102017209557A1 (en) * 2017-06-07 2018-12-13 Robert Bosch Gmbh Method for protecting a vehicle network against manipulated data transmission
CN109842595A (en) * 2017-11-28 2019-06-04 中天安泰(北京)信息技术有限公司 Prevent the method and device of network attack
CN109842597A (en) * 2017-11-28 2019-06-04 中天安泰(北京)信息技术有限公司 Communication uplink data reconstruction method and component
CN109842604A (en) * 2017-11-28 2019-06-04 中天安泰(北京)信息技术有限公司 Communication downlink data reconstruction method and component
CN108306858A (en) * 2017-12-26 2018-07-20 成都卫士通信息产业股份有限公司 The anti-fake guard method of Ethernet data and system
CN108712371A (en) * 2018-04-02 2018-10-26 浙江远望信息股份有限公司 A method of network safety prevention is carried out to internet of things equipment
CN109194607B (en) * 2018-07-16 2019-12-10 杨俊佳 local-based data transmission chip and electronic equipment comprising same
CN111277449B (en) * 2018-12-05 2021-08-13 中国移动通信集团广西有限公司 Safety testing method and device for voice service equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040047308A1 (en) * 2002-08-16 2004-03-11 Alan Kavanagh Secure signature in GPRS tunnelling protocol (GTP)
CN102065067A (en) * 2009-11-11 2011-05-18 杭州华三通信技术有限公司 Method and device for preventing replay attack between portal server and client
CN103118363A (en) * 2011-11-17 2013-05-22 中国电信股份有限公司 Method, system, terminal device and platform device of secret information transmission
CN103905452A (en) * 2014-04-03 2014-07-02 国家电网公司 Credible network attack filter device and method

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8548166B2 (en) * 1995-04-03 2013-10-01 Anthony J. Wasilewski Method for partially encrypting program data
CN100571124C (en) * 2005-06-24 2009-12-16 华为技术有限公司 Prevent the method for Replay Attack and guarantee the unduplicated method of message SN
CN100488168C (en) * 2005-12-13 2009-05-13 华为技术有限公司 Method for safety packaging network message
CN101159718B (en) * 2007-08-03 2010-06-16 重庆邮电大学 Embedded type industry ethernet safety gateway

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107347052A (en) * 2016-05-05 2017-11-14 阿里巴巴集团控股有限公司 The method and device of storehouse attack is hit in detection
CN107347052B (en) * 2016-05-05 2020-07-14 阿里巴巴集团控股有限公司 Method and device for detecting database collision attack
CN115314188A (en) * 2022-10-11 2022-11-08 北京紫光青藤微系统有限公司 Decoding device, authentication method for decoding device and mobile terminal
CN115314188B (en) * 2022-10-11 2022-12-09 北京紫光青藤微系统有限公司 Decoding device, authentication method for decoding device and mobile terminal

Also Published As

Publication number Publication date
CN103905452A (en) 2014-07-02

Similar Documents

Publication Publication Date Title
WO2015149669A1 (en) Trusted network attack filtering device and network attack filtering method
KR100952350B1 (en) Intelligent network interface controller
CN108965215B (en) Dynamic security method and system for multi-fusion linkage response
US8413248B2 (en) Method for secure single-packet remote authorization
Hayes et al. Securing modbus transactions using hash-based message authentication codes and stream transmission control protocol
CN101795271B (en) Network secure printing system and printing method
US20070271360A1 (en) Network vulnerability assessment of a host platform from an isolated partition in the host platform
JP2015518320A (en) Network intrusion detection using decoy encryption key
US8671451B1 (en) Method and apparatus for preventing misuse of a group key in a wireless network
CN111988289B (en) EPA industrial control network security test system and method
CN110971407B (en) Internet of things security gateway communication method based on quantum key
Elgargouri et al. Analysis of cyber-attacks on IEC 61850 networks
Wara et al. New replay attacks on zigbee devices for internet-of-things (iot) applications
Auliar et al. Security in iot-based smart homes: A taxonomy study of detection methods of mirai malware and countermeasures
CN116321136A (en) Stealth gateway design method supporting multi-factor identity authentication
WO2020067734A1 (en) Non-address network equipment and communication security system using same
CN108282337B (en) Routing protocol reinforcing method based on trusted password card
KR20060044049A (en) Security router system and method for authentication of the user who connects the system
Rasheed et al. Detecting and optimizing internet worm traffic signature
Gromov et al. Tackling Multiple Security Threats in an IoT Environment
CN110492994B (en) Trusted network access method and system
RU183015U1 (en) Intrusion detection tool
Hareesh et al. Passive security monitoring for IEC-60870-5-104 based SCADA systems
KR101628094B1 (en) Security apparatus and method for permitting access thereof
CN116880319B (en) Method, system, terminal and medium for identifying upper computer in industrial control system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15774133

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase
122 Ep: pct application non-entry in european phase

Ref document number: 15774133

Country of ref document: EP

Kind code of ref document: A1