CN107360182B - Embedded active network defense system and defense method thereof - Google Patents

Embedded active network defense system and defense method thereof

Info

Publication number
CN107360182B
Authority
CN
China
Prior art keywords
message
network
module
firewall
defense
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710659375.2A
Other languages
Chinese (zh)
Other versions
CN107360182A (en)
Inventor
李孝成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Yihui Information Technology Co ltd
Original Assignee
Nanjing Yihui Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Nanjing Yihui Information Technology Co ltd
Priority to CN201710659375.2A
Publication of CN107360182A
Application granted
Publication of CN107360182B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an embedded active network defense system comprising a network protocol stack module and an active network defense module, the latter divided into a firewall upper-layer module and a firewall bottom-layer module. The defense method comprises the steps of: 1. installing the active network defense system; 2. the message detection module analyzes each received network message and judges whether it is problematic; a message without problems is transmitted directly into the protocol stack, otherwise the next step is carried out; 3. the exception handling unit confirms whether the abnormal message is an attack message; if so, the next step is carried out, if not, a request message is sent to probe the real state of the network and the method returns to step 2; 4. the current message is discarded, a white/black list is set, and the bottom-layer filter is opened. The method actively identifies and defends against common embedded network attacks, thereby protecting the network security of embedded devices.

Description

Embedded active network defense system and defense method thereof
Technical Field
The invention belongs to the field of embedded systems, and particularly relates to an embedded active network defense system and a defense method thereof.
Background
With the rapid development of embedded devices, more and more embedded devices are being connected to networks in their application fields, such as automotive electronic devices, medical devices, and power devices. When these devices are able to access the network, they are vulnerable to network attacks if adequate security issues are not considered. Without some corresponding security measures, these attacks may damage the functionality of the device, the system and the information inside the device.
Today, there are many network firewalls on the market, but such firewalls are mostly used in the server, enterprise and personal PC domains. There are relatively few network firewalls for embedded devices.
The existing embedded network firewall has the following defects:
1. Poor usability: in the embedded field, on an embedded device running an operating system, the firewall is mostly started together with the system, and some of its functional modules and defense parameters must be configured by the developer in advance. After the system has started, these parameters are difficult to adjust to the actual network conditions.
2. Low fault tolerance: in an embedded network, special network messages appear depending on the application scenario of the embedded device, and the content of network messages also changes when the device's network configuration parameters change. In such situations an existing embedded network firewall cannot reliably tell whether the network is operating normally or is in an abnormal state, so the firewall may act incorrectly on such messages.
3. Simplistic exception handling: some existing embedded network firewalls have only a single way of handling an abnormal condition detected on the network: when one is found, they directly close the network and reject messages in order to keep their own device from being affected. This does keep the system unaffected by the attack, but it also disrupts the device's own network traffic.
4. Excessive resource use by the firewall itself: most current embedded network firewalls exist in the operating system as a single standalone component, with both detection and filtering implemented inside the firewall. On a low-performance embedded device under network attack, the firewall consumes a large share of the CPU, which starves the other system tasks that need it.
Disclosure of Invention
The purpose of the invention is as follows: aiming at the problems in the prior art, the invention provides an embedded active network defense system and a defense method thereof, which not only detect the network messages received by the embedded device but, for suspicious messages, also actively send a request message and judge whether an attack is really under way; and which occupy few system resources and do not interfere with the normal operation of other system tasks while the system is under network attack.
The technical scheme is as follows: to solve the above technical problems, the invention provides an embedded active network defense system comprising a network protocol stack module and an active network defense module, wherein the active network defense module is divided into a firewall upper-layer module and a firewall bottom-layer module; the firewall bottom-layer module is located in the network card driver, and the firewall upper-layer module comprises a message detection module and an exception handling module;
the message detection module analyzes and processes received network messages; these comprise the normal communication messages of the embedded device and the response messages of other devices to request messages actively sent by the firewall;
the exception handling module performs exception handling after message detection finds a problem, using one of two methods: for the first kind of network message, where a problem can be determined with certainty (such as SYN flooding, a network storm, or a distributed denial of service attack), the exception handling module notifies the firewall filter in the driver layer to start the corresponding filtering operation on the network messages received by the embedded device; for the second kind, where a problem cannot be determined accurately from the message (such as ARP spoofing or a replay attack), the exception handling module actively sends a request message to the device it is communicating with in order to determine whether a problem has occurred.
A defense method for an embedded active network defense system as described above, comprising the steps of:
1) installing an active network defense system in an embedded equipment system;
2) the message detection module analyzes each received network message and judges whether it is problematic; if not, the message is passed directly to the protocol stack; if so, the message is held back and the next step is carried out;
3) the exception handling unit confirms whether the abnormal message is an attack message; if so, the next step is carried out; if not, a request message is sent to probe the real state of the network, and the method returns to step 2;
4) the current message is discarded, a white/black list is set, and the bottom-layer filter is opened.
Further, the network message in step 2 includes the normal communication messages of the embedded device and the response messages of other devices to request messages actively sent by the firewall.
Further, the analysis of the received problem message by the exception handling unit in step 3 is divided into two cases:
3.1) first case: the real network condition can be determined from the network message;
3.2) second case: the real network condition cannot be determined from the network message; the current device may be under attack, or the network environment may have changed.
Further, in the first case of step 3, when the real network condition can be determined from the network message, the exception handling module sets a white/black list, actively opens the firewall bottom-layer filter so that subsequent messages are filtered, and discards the message currently being processed.
Further, in the second case of step 3, the exception handling module confirms the real state of the network by sending a request message. The message processed first is stored by the system and not passed to the protocol stack; after the request message is sent, the message detection module receives the corresponding response; if the response is correct, the stored message is passed to the protocol stack, otherwise it is discarded.
Further, after the firewall bottom-layer filter is opened in step 4 and messages are being filtered against the white/black list, the network flow is analyzed; if it falls below a value set by the user, the system actively closes the filter, and if the message detection module detects a problem again after the filter has been closed, the filter is opened again.
Compared with the prior art, the invention has the advantages that:
1. Convenient and flexible use: the whole system is implemented and tested on the SylixOS large-scale real-time operating system and is delivered as a kernel module. When a network firewall is needed on a user's embedded device, the whole system can be added simply by loading it dynamically. Each functional module of the firewall and its configuration parameters can also be added, removed or changed dynamically through shell commands according to the user's requirements.
2. High accuracy of message identification and detection: unlike existing embedded network firewalls, the invention filters directly when it finds a message that is definitely an attack, and when it finds a merely suspicious message it actively sends a request message to judge whether the embedded device is really under network attack. Mistaken handling of correct messages by the firewall is therefore greatly reduced.
3. High interception rate for abnormal messages: the whole system uses a two-layer frame, one module on top and one at the bottom; the driver filter at the bottom layer is opened actively by the firewall, and the two layers of filtering together intercept messages accurately, thereby ensuring the safety of the embedded device.
4. Low system resource use: under this two-layer framework, only the upper layer works while the embedded device is in a secure network environment. The bottom-layer filter is opened actively when a problem is found. High-bandwidth network attacks such as SYN flooding are then filtered by the underlying driver without consuming large amounts of system resources, so the normal work of other system tasks is guaranteed.
5. Normal network communication is not affected under abnormal conditions: the active network defense system filters using white lists and black lists, so that normal communication messages still pass through the filter to the protocol stack in an abnormal network environment.
For common embedded network attacks, the method mainly has the following advantages:
For ARP spoofing: MAC and IP addresses need not be bound manually; the invention maintains an ARP information table, and when a new device joins, its entry is added to the table automatically. The method can distinguish current ARP spoofing from genuine anomalies such as a change of another device's MAC or IP address, and handles the two cases accordingly.
For a network storm: the device generating the storm and the storm type are identified automatically; during a storm, the communication, system operation and other functions of the low-performance embedded device are not affected, and the storm messages are filtered.
For replay attacks: the communication messages and the logic of the application itself need not be modified, i.e. no additional code is added to the application, so network utilization is not affected.
For flooding attacks such as TCP SYN: the number of SYN messages received per second is detected and controlled. Even under a large SYN flood, the communication, system operation and other functions of the low-performance embedded device are not affected, and the device can continue to communicate with devices that connected successfully before.
Drawings
FIG. 1 is a schematic structural view of the present invention;
FIG. 2 is an overall flow diagram of the present invention;
FIG. 3 is a flowchart of a first embodiment;
FIG. 4 is a flowchart of the second embodiment.
Detailed Description
The invention is further elucidated with reference to the drawings and the detailed description.
An embedded active network defense system comprises a network protocol stack module and an active network defense module, wherein the active network defense module is divided into a firewall upper-layer module and a firewall bottom-layer module; the firewall bottom-layer module is located in the network card driver, and the firewall upper-layer module comprises a message detection module and an exception handling module;
the message detection module analyzes and processes received network messages; these comprise the normal communication messages of the embedded device and the response messages of other devices to request messages actively sent by the firewall;
the exception handling module performs exception handling after message detection finds a problem, using one of two methods: for the first kind of network message, where a problem can be determined with certainty (such as SYN flooding, a network storm, or a distributed denial of service attack), the exception handling module notifies the firewall filter in the driver layer to start the corresponding filtering operation on the network messages received by the embedded device; for the second kind, where a problem cannot be determined accurately from the message (such as ARP spoofing or a replay attack), the exception handling module actively sends a request message to the device it is communicating with in order to determine whether a problem has occurred.
At present, several common attack modes in the embedded network attack are as follows: ARP spoofing, network storms, TCP flooding, replay attacks, denial of service attacks, and the like.
Through this integrated two-layer frame of upper-layer and bottom-layer modules, the invention can actively control the opening and closing of the bottom-layer driver filter.
The first embodiment is as follows: as shown in fig. 3, against ARP spoofing, the defense method of the active network defense system of the present invention comprises the following steps:
1. The system maintains an ARP information table internally. When an ARP response message is received, the system checks whether a related entry exists in the table; if not, the entry is added, and the message passes detection and is passed to the protocol stack.
2. If the entry exists, the system judges whether the content of the received message is consistent with the entry. If it is, step 3 judges whether the entry is currently in an abnormal state. If it is not, the flag bit of the entry is set to indicate that it has produced an exception, and the process likewise proceeds to step 3.
3. When checking the entry's abnormal state, if the flag bit shows that the entry is not abnormal, the message is passed straight through to the protocol stack. Otherwise, the system judges from the entry whether the embedded device is under attack or the network environment has changed.
4. If it cannot be confirmed whether the embedded device is under attack, an ARP request message is sent.
5. If the device is confirmed to be under attack, a white/black list is set and firewall filtering is started; otherwise step 6 is entered.
6. If the cause of the anomaly is a genuine change, such as a change of the communicating device's MAC or IP address, the firewall resets the entry, treats the message as a genuine and correct message, and passes it to the protocol stack.
As described above and in conjunction with fig. 3, the most important part of the protection against ARP spoofing is judging the current network environment; the present invention uses a difference comparison method for this judgment.
The specific process is as follows:
First, an ARP information table is maintained inside the firewall; the purpose of each member of a table entry is as follows:
Original MAC address: saves the currently correct MAC address.
Original MAC address counter: records, when a MAC conflict occurs, the number of received ARP response messages pointing to the original MAC.
New MAC address: saves the MAC address that produced the conflict.
New MAC address counter: records, when a MAC conflict occurs, the number of received ARP response messages pointing to the new MAC.
Status flag bit: indicates the status of the current ARP entry.
Filtering time: records the time at which the ARP message causing the MAC conflict was filtered.
When the embedded device receives the first ARP response, an entry is created and the current MAC and IP addresses are recorded. If, during subsequent communication, the device receives an ARP response message containing a new MAC address, the new MAC address is recorded in the new-MAC field of the entry and the flag bit is set to mark a MAC conflict. At the same time, the system sends an ARP broadcast request to ask for the MAC address of the IP in question.
Thereafter, if ARP spoofing is taking place, both the real host and the spoofing host return an ARP reply with their own MAC. When the system receives the two replies while the entry is in the abnormal state, it increments the corresponding counters and sends the ARP broadcast request again, and the cycle continues. Once both accumulated counts exceed a limit, the firewall concludes that the current network is under ARP spoofing attack; it then blacklists the device corresponding to the new MAC in the ARP entry and records the blacklisting time.
If instead the MAC address of the device on the network has really changed, the received ARP replies only contain the new MAC address, so only the new-MAC counter of the entry grows. When the difference between the two MAC counters exceeds a user-set limit, the firewall concludes that the MAC address of the communicating device has indeed changed; the entry is updated and the new ARP reply is passed to the protocol stack.
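The difference comparison above, modelled as a small state machine over the six-field ARP entry (an added illustration, not code from the patent or from the SylixOS module it describes). The verdict names, the two user-set limits (spoof_limit, change_limit), the choice not to count the first conflicting reply, and the restart on a third MAC are assumptions the patent does not spell out.

```python
"""Difference-comparison ARP defence modelled on the patent's ARP information table."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ArpEntry:
    ip: str
    orig_mac: str                        # "original MAC address"
    orig_count: int = 0                  # "original MAC address counter"
    new_mac: Optional[str] = None        # "new MAC address"
    new_count: int = 0                   # "new MAC address counter"
    conflict: bool = False               # "status flag bit" (MAC conflict)
    filtered_at: Optional[float] = None  # "filtering time"


class ActiveArpDefense:
    """Verdicts (assumed names): 'pass' (to protocol stack), 'hold' (stored while
    the firewall probes the network), 'blacklist' (spoofing confirmed, new MAC
    blacklisted), 'drop' (reply from an already blacklisted MAC)."""

    def __init__(self, spoof_limit: int = 3, change_limit: int = 5) -> None:
        self.spoof_limit = spoof_limit    # user-set limit: both counters above it
        self.change_limit = change_limit  # user-set limit on the counter difference
        self.table: Dict[str, ArpEntry] = {}
        self.blacklist: Dict[str, float] = {}  # MAC -> time it was blacklisted
        self.sent_requests: List[str] = []     # IPs we broadcast a request for

    def _probe(self, ip: str) -> None:
        # Stand-in for the firewall's active ARP broadcast request for this IP.
        self.sent_requests.append(ip)

    def on_arp_reply(self, ip: str, mac: str, now: float) -> str:
        if mac in self.blacklist:
            return "drop"
        entry = self.table.get(ip)
        if entry is None:                # step 1: no entry yet -> create and pass
            self.table[ip] = ArpEntry(ip=ip, orig_mac=mac)
            return "pass"
        if not entry.conflict:
            if mac == entry.orig_mac:    # step 3: consistent and not abnormal
                return "pass"
            # step 2: content differs from the entry -> flag the conflict, probe,
            # and hold the message instead of passing it to the stack
            entry.new_mac, entry.new_count, entry.conflict = mac, 0, True
            self._probe(ip)
            return "hold"
        # Abnormal state: accumulate the counter of whichever MAC answered.
        if mac == entry.orig_mac:
            entry.orig_count += 1
        elif mac == entry.new_mac:
            entry.new_count += 1
        else:                            # assumption: a third MAC restarts the comparison
            entry.new_mac, entry.new_count = mac, 1
        self._probe(ip)                  # ask again; the cycle continues
        if entry.orig_count > self.spoof_limit and entry.new_count > self.spoof_limit:
            # Both hosts keep answering: ARP spoofing. Blacklist the new MAC,
            # record the filtering time and restore the entry to its original MAC.
            self.blacklist[entry.new_mac] = now
            entry.filtered_at = now
            entry.new_mac, entry.new_count, entry.orig_count = None, 0, 0
            entry.conflict = False
            return "blacklist"
        if entry.orig_count == 0 and entry.new_count - entry.orig_count > self.change_limit:
            # Only the new MAC ever answers: the device really changed address.
            # Update the entry and release the held reply to the protocol stack.
            entry.orig_mac, entry.new_mac, entry.new_count = entry.new_mac, None, 0
            entry.conflict = False
            return "pass"
        return "hold"
```

Expiry of a blacklist entry after its filtering time is left out; the patent records the time but does not state when the device is released.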
Example two: as shown in fig. 4, the defense method of the active network defense system of the present invention against network storms and SYN floods comprises the following specific steps:
1. First, a network message is received and it is judged whether it is a broadcast packet; if so, the next step is entered; if not, it is further judged whether it has an IP header; if so, the next step is entered, and if not, the current message is allowed to pass;
2. A detection flag bit is set according to the message type, and it is judged whether the sending device's information exists in the device information table; if not, a device entry is created and the next step is entered; if so, the next step is entered directly;
3. The corresponding cumulative count is checked according to the flag bit: it is judged whether the number of messages received within one second exceeds the set threshold; if so, the next step is entered, and if not, the current message is allowed to pass;
4. The current message is discarded, the device is placed on the blacklist, and the driver filtering operation is started.
After the system is loaded, when the user needs storm defense, 4 storm detection configuration parameters must be set manually or left at their defaults; the four parameters are as follows:
1. Broadcast packet number threshold: the maximum number of broadcast messages allowed to be received per second.
2. IP-type message number threshold: the maximum number of messages with an IP header, other than TCP and UDP packet types, allowed to be received per second.
3. TCP message number threshold: the maximum number of TCP messages allowed to be received per second. A TCP message here means a received TCP packet whose destination port in the header is not open on the current device.
4. UDP message number threshold: the maximum number of UDP messages allowed to be received per second. Similarly, a UDP message here means a received UDP packet for which no corresponding port is open locally.
After the user sets the 4 configuration parameters, every network message received by the device passes through the network storm detection mechanism on its way from the driver layer to the protocol stack. The storm detection mechanism extracts the sending device's information from each received message and stores it in the device's communication device information table, and counts the message according to its protocol type. If the number of messages received from a certain device within one second exceeds the previously set threshold, the sending device's information is stored in the blacklist and the driver filtering mechanism is opened.
After that, when the driver receives a message, it compares the source MAC address of the message with the blacklist. If the source MAC address is in the blacklist, the driver layer filters the message.
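An added model of steps 1 to 4 and the four thresholds above, together with the rule from the summary that the driver filter is closed again once a whole second's flow falls below a user-set value and reopened when detection fires again (illustration only, not the patent's own code). Packets are constructed dicts, and the names StormDetector, classify, detect, driver_receive and the verdict strings are assumptions.

```python
"""Per-second storm / SYN-flood detection modelled on the second embodiment.

Packets are constructed dicts: {"src_mac", "dst_mac", "ip", "proto", "dport"}.
Verdicts (assumed names): 'pass', 'drop' (threshold exceeded: source blacklisted
and driver filter opened) or 'filtered' (dropped by the driver-layer filter)."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class StormDetector:
    def __init__(self, thresholds, open_ports, low_traffic):
        # The four user parameters: max messages per second for each message kind.
        self.thresholds = dict(thresholds)
        self.open_ports = set(open_ports)   # (proto, port) pairs the device listens on
        self.low_traffic = low_traffic      # flow (packets/s) below which the filter closes
        self.devices = {}                   # "communication device information table"
        self.blacklist = set()              # source MACs the driver filter drops
        self.filter_open = False
        self.flow = {"second": None, "n": 0}  # per-second flow seen while the filter is open

    def classify(self, pkt):
        """Step 1: broadcast? else IP header? Returns the kind to count, or None to pass."""
        if pkt["dst_mac"] == BROADCAST:
            return "broadcast"
        if not pkt.get("ip"):
            return None                     # no IP header: allowed through
        if pkt.get("proto") == "tcp":       # TCP only counts when the port is closed locally
            return None if ("tcp", pkt["dport"]) in self.open_ports else "tcp_closed"
        if pkt.get("proto") == "udp":
            return None if ("udp", pkt["dport"]) in self.open_ports else "udp_closed"
        return "ip_other"                   # IP packet that is neither TCP nor UDP

    def detect(self, pkt, now):
        """Steps 2-4: per-device, per-second counting against the thresholds."""
        kind = self.classify(pkt)
        if kind is None:
            return "pass"
        sec = int(now)
        dev = self.devices.setdefault(pkt["src_mac"],
                                      {"second": sec, "counts": defaultdict(int)})
        if dev["second"] != sec:            # a new second: restart this device's counters
            dev["second"], dev["counts"] = sec, defaultdict(int)
        dev["counts"][kind] += 1
        if dev["counts"][kind] > self.thresholds[kind]:
            self.blacklist.add(pkt["src_mac"])
            self.filter_open = True         # actively open the bottom (driver) filter
            self.flow = {"second": None, "n": 0}
            return "drop"
        return "pass"

    def _account_flow(self, now):
        """Filter-close rule: once a whole second's flow is below the user value, close."""
        sec = int(now)
        if self.flow["second"] is None:
            self.flow = {"second": sec, "n": 0}
        elif sec != self.flow["second"]:
            if self.flow["n"] < self.low_traffic:
                self.filter_open = False    # blacklist is kept; detection can reopen it
            self.flow = {"second": sec, "n": 0}
        self.flow["n"] += 1

    def driver_receive(self, pkt, now):
        """Entry point in the network card driver: filter first, then upper-layer detection."""
        if self.filter_open:
            self._account_flow(now)
        if self.filter_open and pkt["src_mac"] in self.blacklist:
            return "filtered"
        return self.detect(pkt, now)
```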
For suspicious messages, the invention actively sends network messages to probe the real state of the current network; it filters using a combination of white list and black list, so that correct messages still get through while problem messages are filtered; and it places the main filtering work in the network driver, so that a high-bandwidth network attack affects the other tasks of the embedded device as little as possible.
The invention mainly comprises the following special processing modes for common embedded network attacks:
ARP spoofing: the active network firewall sends an ARP request on its own initiative to judge whether the current network is under ARP spoofing or the MAC address of the embedded device has really changed.
Network storm: the firewall has a detection mechanism that analyzes the current network flow, judges from the user's configuration whether a network storm is occurring, and identifies the type of storm. For an embedded device in a network storm, the firewall has a filtering mechanism that keeps the device's communication, system operation and other functions from being impaired despite the device's limited performance.
TCP SYN flood attacks: a SYN message table and a white list are maintained inside the firewall. Against a high-volume TCP SYN flood, the firewall has a filtering mechanism that keeps the device's communication, system operation and other functions from being impaired despite the device's limited performance.
Replay attacks: the firewall uses the ID field of the IP header as the basis for replay attack detection and, combined with its active nature, can accurately and effectively judge whether a received message is a replay attack message and defend against it accordingly.
Distributed denial of service attacks: the firewall maintains an information table of TCP connections. The connection limit per port can be modified at any time, and the current connection state of a port can be checked at any time.

Claims (4)

1. A defense method for an embedded active network defense system is characterized by comprising the following steps:
1) installing an active network defense system in an embedded equipment system;
2) the message detection module analyzes each received network message and judges whether it is problematic; if not, the message is passed directly to the protocol stack; if so, the message is held back and the next step is carried out;
3) the exception handling unit confirms whether the abnormal message is an attack message; if so, the next step is carried out; if not, a request message is sent to probe the real state of the network, and the method returns to step 2;
4) discarding the current message and setting a white/black list to open a bottom filter;
the exception handling unit in step 3 analyzes the received problem message, and the analysis is divided into two cases:
3.1) first case: the real network condition can be determined from the network message;
3.2) second case: the real network condition cannot be determined from the network message; the current device may be under attack, or the network environment may have changed;
in the first situation in the step 3, when the real network situation can be determined according to the network message, the exception handling module sets a white/black list, and meanwhile, actively opens a firewall bottom filter to perform filtering operation on the next message, and discards the currently processed message;
in the second case of step 3, the exception handling module confirms the real status of the network by sending a request message, the message processed first is also stored by the system and cannot be transmitted to the protocol stack, then after the request message is sent, the message detection module receives a corresponding response, if the response is correct, the previous message is transmitted to the protocol stack, otherwise, the previous message is discarded.
2. The defense method for an embedded active network defense system according to claim 1, characterized in that: the network message in step 2 includes a network message of normal communication of the embedded device and a response message of other devices after the request message sent by the firewall actively.
3. The defense method for an embedded active network defense system according to claim 2, characterized in that: after the firewall bottom-layer filter is opened in step 4 and messages are being filtered against the white/black list, the network flow is analyzed; if it falls below a value set by the user, the system actively closes the filter, and if the message detection module detects a problem after the filter has been closed, the filter is opened again.
4. An embedded active network defense system using a defense method according to claim 1, characterized in that: the network card driver comprises a network protocol stack module and an active network defense module, wherein the active network defense module is divided into a firewall upper layer module and a firewall bottom layer module, the firewall bottom layer module is positioned in the network card driver, and the firewall upper layer comprises a message detection module and an exception handling module;
the message detection module is used for analyzing and processing the received network message; the network message comprises a network message of normal communication of the embedded equipment and a response message of other equipment after a request message sent by a firewall actively;
the exception handling module is used for carrying out exception handling after the message detection finds a problem, wherein the exception handling method comprises two steps: firstly, aiming at the network message which can definitely judge the problem, the abnormal processing module informs a firewall filter of a driving layer to start to perform corresponding filtering operation on the network message received by the embedded equipment; in the second method, for a network message in which a problem cannot be accurately determined, the exception handling module actively sends a request message to inquire equipment in communication with the exception handling module to determine whether the problem occurs.
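The following is an added illustration, not code from the patent or its assignee: a user-space C simulation of the control flow the claims describe. It models the two exception-handling cases (a definite verdict adds the peer to the blacklist, opens the driver-layer filter and drops the message; an uncertain verdict holds the message, sends a confirmation request and releases or discards the held message when the reply arrives) together with the traffic-threshold rule of claim 3 that closes the filter when traffic in a window falls below a user-set value. The message detection module itself is not modelled; its verdict is carried in the `suspicious`, `definite` and `ok` fields of each message. All type names, function names, peer addresses and the scenario in `fw_demo_scenario` are constructed for this example and are assumptions, not identifiers from the patent.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BLACKLIST 8

/* A received message reduced to what the decision needs. The verdict fields
 * stand in for the output of the message detection module (assumed). */
typedef struct {
    uint32_t src;     /* constructed: peer address as a 32-bit integer */
    bool is_reply;    /* response to a confirmation request we sent */
    bool ok;          /* for replies: detection module judged it correct */
    bool suspicious;  /* detection module found a problem */
    bool definite;    /* problem decidable from the message alone (case 1) */
} msg_t;

typedef enum { ACT_PASS, ACT_DROP, ACT_HOLD } action_t;

typedef struct {
    uint32_t blacklist[MAX_BLACKLIST];
    int nblack;
    bool filter_open;           /* state of the bottom-layer (driver) filter */
    uint32_t traffic_threshold; /* user-set value from claim 3 */
    uint32_t traffic_in_window; /* messages seen in the current window */
    bool has_held;              /* one message parked pending confirmation */
    msg_t held;
    uint32_t probe_target;      /* peer the confirmation request went to */
    int requests_sent;
} fw_t;

void fw_init(fw_t *fw, uint32_t threshold) {
    memset(fw, 0, sizeof *fw);
    fw->traffic_threshold = threshold;
}

static bool blacklisted(const fw_t *fw, uint32_t src) {
    for (int i = 0; i < fw->nblack; i++)
        if (fw->blacklist[i] == src) return true;
    return false;
}

/* Bottom-layer filter: only consulted while open, drops blacklisted peers. */
static bool bottom_filter_drops(const fw_t *fw, const msg_t *m) {
    return fw->filter_open && blacklisted(fw, m->src);
}

/* Upper-layer path: detection verdict -> exception handling (claim 1, step 3).
 * The return value is the fate of the message currently being decided; for a
 * reply it is the fate of the held message that the reply confirms. */
action_t fw_handle(fw_t *fw, const msg_t *m) {
    fw->traffic_in_window++;

    if (bottom_filter_drops(fw, m))
        return ACT_DROP;                   /* never reaches the protocol stack */

    if (m->is_reply && fw->has_held && m->src == fw->probe_target) {
        fw->has_held = false;              /* reply decides the held message */
        return m->ok ? ACT_PASS : ACT_DROP;
    }

    if (!m->suspicious)
        return ACT_PASS;

    if (m->definite) {                     /* case 1: blacklist, open filter, drop */
        if (fw->nblack < MAX_BLACKLIST && !blacklisted(fw, m->src))
            fw->blacklist[fw->nblack++] = m->src;
        fw->filter_open = true;
        return ACT_DROP;
    }

    /* Case 2: hold the message and ask the peer to confirm. Only one held
     * message is modelled; a real driver would queue per peer. */
    fw->held = *m;
    fw->has_held = true;
    fw->probe_target = m->src;
    fw->requests_sent++;                   /* stands in for transmitting the request */
    return ACT_HOLD;
}

/* Claim 3: at the end of a traffic window, close the filter when traffic was
 * below the user threshold; a later case-1 verdict reopens it. */
bool fw_end_window(fw_t *fw) {
    if (fw->filter_open && fw->traffic_in_window < fw->traffic_threshold)
        fw->filter_open = false;
    fw->traffic_in_window = 0;
    return fw->filter_open;
}

/* Constructed scenario exercising both cases and the threshold rule. */
bool fw_demo_scenario(void) {
    fw_t fw;
    fw_init(&fw, 10);
    msg_t normal    = {0x0A000001, false, false, false, false};
    msg_t bad       = {0x0A000002, false, false, true,  true };
    msg_t again     = {0x0A000002, false, false, false, false};
    msg_t unsure    = {0x0A000003, false, false, true,  false};
    msg_t reply_ok  = {0x0A000003, true,  true,  false, false};
    msg_t unsure2   = {0x0A000004, false, false, true,  false};
    msg_t reply_bad = {0x0A000004, true,  false, false, false};
    bool ok = fw_handle(&fw, &normal) == ACT_PASS
           && fw_handle(&fw, &bad) == ACT_DROP && fw.filter_open
           && fw_handle(&fw, &again) == ACT_DROP        /* bottom filter */
           && fw_handle(&fw, &unsure) == ACT_HOLD && fw.requests_sent == 1
           && fw_handle(&fw, &reply_ok) == ACT_PASS && !fw.has_held
           && fw_handle(&fw, &unsure2) == ACT_HOLD
           && fw_handle(&fw, &reply_bad) == ACT_DROP
           && fw_end_window(&fw) == false              /* 7 < 10: filter closes */
           && fw_handle(&fw, &again) == ACT_PASS        /* filter closed */
           && fw_handle(&fw, &bad) == ACT_DROP && fw.filter_open;
    return ok;
}

int main(void) {
    printf("scenario %s\n", fw_demo_scenario() ? "ok" : "FAILED");
    return 0;
}
```

The reply handling is deliberately keyed on the peer the request was sent to; a reply from any other address falls through to ordinary detection, so a third party cannot release a held message by answering on the peer's behalf.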
CN201710659375.2A 2017-08-04 2017-08-04 Embedded active network defense system and defense method thereof Active CN107360182B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710659375.2A CN107360182B (en) 2017-08-04 2017-08-04 Embedded active network defense system and defense method thereof

Publications (2)

Publication Number Publication Date
CN107360182A CN107360182A (en) 2017-11-17
CN107360182B true CN107360182B (en) 2020-05-01

Family

ID=60286259

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710659375.2A Active CN107360182B (en) 2017-08-04 2017-08-04 Embedded active network defense system and defense method thereof

Country Status (1)

Country Link
CN (1) CN107360182B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3512179B1 (en) 2018-01-15 2021-03-03 Carrier Corporation Cyber security framework for internet-connected embedded devices
CN110290098B (en) 2018-03-19 2020-12-25 华为技术有限公司 Method and device for defending network attack
CN108632280A (en) * 2018-05-08 2018-10-09 国家计算机网络与信息安全管理中心 Flow processing method, apparatus and system, fire wall and server
CN111343206B (en) * 2020-05-19 2020-08-21 上海飞旗网络技术股份有限公司 Active defense method and device for data flow attack
CN114513343B (en) * 2022-01-26 2022-10-04 广州晨扬通信技术有限公司 Hierarchical intercepting method and device for signaling firewall, computer equipment and storage medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1440604A (en) * 2000-07-03 2003-09-03 智谋有限公司 Firewall system combined with embedded hardware and general-purpose computer
CN1855929A (en) * 2005-04-27 2006-11-01 华为技术有限公司 Method for preventing from wild ARP attacks
CN101217547A (en) * 2008-01-18 2008-07-09 南京邮电大学 A flood request attaching filtering method based on the stateless of open source core
CN102646173A (en) * 2012-02-29 2012-08-22 成都新云软件有限公司 Safety protection control method and system based on white and black lists
CN102843362A (en) * 2012-08-08 2012-12-26 江苏华丽网络工程有限公司 Method for carrying out ARP (Address Resolution Protocol) defense by using TCAM (Ternary Content Addressable Memory)
CN103916389A (en) * 2014-03-19 2014-07-09 汉柏科技有限公司 Method for preventing HttpFlood attack and firewall
CN103973700A (en) * 2014-05-21 2014-08-06 成都达信通通讯设备有限公司 Mobile terminal preset networking address firewall isolation application system
CN104780139A (en) * 2014-01-09 2015-07-15 北京东土科技股份有限公司 Defense system based on MAC (Medium/Media Access Control) address attack and system
CN106549972A (en) * 2016-11-25 2017-03-29 合肥海亚信息科技有限公司 A kind of firewall system of embedded intrusion detection feature

Similar Documents

Publication Publication Date Title
CN107360182B (en) Embedded active network defense system and defense method thereof
JP4545647B2 (en) Attack detection / protection system
WO2021008028A1 (en) Network attack source tracing and protection method, electronic device and computer storage medium
US7832009B2 (en) Techniques for preventing attacks on computer systems and networks
JP4174392B2 (en) Network unauthorized connection prevention system and network unauthorized connection prevention device
US20080253380A1 (en) System, method and program to control access to virtual lan via a switch
JP2008165796A (en) Network security element utilizing end point resource
CN105227515A (en) Network intrusions blocking-up method, Apparatus and system
CN101227289A (en) Uniform intimidation managing device and loading method of intimidation defense module
EP1540921B1 (en) Method and apparatus for inspecting inter-layer address binding protocols
KR100479202B1 (en) System and method for protecting from ddos, and storage media having program thereof
US9455953B2 (en) Router chip and method of selectively blocking network traffic in a router chip
CN104125213A (en) Distributed denial of service DDOS attack resisting method and device for firewall
US11252184B2 (en) Anti-attack data transmission method and device
KR101593897B1 (en) Network scan method for circumventing firewall, IDS or IPS
WO2019096104A1 (en) Attack prevention
CN104079563A (en) Control method and device resistant to DDOS attacks
WO2005026872A2 (en) Internal lan perimeter security appliance composed of a pci card and complementary software
CN110995586A (en) BGP message processing method and device, electronic equipment and storage medium
CN113079180B (en) Execution context based firewall fine-grained access control method and system
US7873731B1 (en) Use of per-flow monotonically decreasing TTLs to prevent IDS circumvention
CN104348785B (en) The method, apparatus and system for preventing host PMTU from attacking in IPv6 nets
CN114679309A (en) Message detection method and device
CN114268458A (en) Protection method of safety protection module for terminal public network safety communication
US9208311B2 (en) Detection of a threat in a communications network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant