CN202103697U - Anti-attack security linkage system - Google Patents


Info

Publication number: CN202103697U
Authority: CN (China)
Prior art keywords: module, client, service end, attack, system management
Legal status: Expired - Lifetime
Application number: CN2010206409071U
Other languages: Chinese (zh)
Inventor: 周龙
Current assignee: VOLANS TECHNOLOGY DEVELOPMENT CORPORATION
Original assignee: CHENGDU VOLANS TECHNOLOGY DEVELOPMENT Corp
Priority date: 2010-12-03
Filing date: 2010-12-03
Publication date: 2012-01-04
Status: application granted; patent term expired

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
  • Small-Scale Networks (AREA)

Abstract

The utility model discloses an anti-attack security linkage system. It belongs to the technical field of network communication and mainly solves the problem that, in the prior art, the self-protection capability of a network service terminal is too weak. The system comprises a service terminal, client terminals in a mapping relation with the service terminal, and subscriber hosts in a mapping relation with the client terminals. A system management module, an exception handling module, a protocol processing module and a data memory are embedded in the service terminal, and an instruction execution module is embedded in each client terminal; the system management module, exception handling module and protocol processing module communicate in sequence via bidirectional buses, and the data memory and the instruction execution module are each connected directly to the system management module. The system realizes active linked defence and attack by the service terminal and the client terminals, improves the self-protection capability of the service terminal, and has high practical value.

Description

Anti-attack security linkage system
Technical field
The utility model relates to anti-attack security systems in network services, and specifically to an anti-attack security linkage system.
Background art
In present communication network architectures, a router generally works at layer 3 of the ISO/OSI reference model, the network layer, while a switch works at layer 2, the data link layer. A router at layer 3 cannot issue instructions to, control or manage a switch at layer 2, so the router's self-protection function is very limited.
To manage a large number of switches in a unified way, one must rely on network management technologies such as SNMP or TR-069 and use stand-alone control software or a service end; every device must support the protocol, and information such as IP address and port must be configured on every device in advance. This is very cumbersome, and construction and maintenance costs are high. More importantly, all configuration of IP addresses, ports and the like is done manually, so a configuration mistake causes management confusion and defeats the intended unified management.
In addition, most present network attacks come from the intranet, while only a small fraction of existing clients have any security function, and those can only intercept part of the intranet's attack data or limit its traffic. If an attack source against the service end appears in the network, the service end can only defend passively; it cannot attack actively, isolate the attack source or take other measures, which poses a great potential security hazard to network services.
Content of the utility model
The purpose of the utility model is to provide an anti-attack security linkage system that overcomes the prior-art problems of the service end's poor control over the network and weak ability to defend against attack, realizes unified management of the clients, and improves the service end's control over the network and its self-protection ability without affecting the service end's own work.
To achieve these goals, the utility model adopts the following technical scheme:
An anti-attack security linkage system comprises a service end, clients in a mapping relation with the service end, and subscriber hosts in a mapping relation with the clients. The service end is embedded with a system management module, an exception handling module, a protocol processing module and a data memory, and each client is embedded with an instruction execution module. The system management module, exception handling module and protocol processing module communicate in order via bidirectional buses, and the data memory and the instruction execution module are each connected directly to the system management module.
Further, to facilitate the service end's management of the clients, the protocol processing module is embedded with a layer-2 network protocol module, and the service end and the clients exchange data directly over the layer-2 network protocol.
So that the system management module can read the information in the data memory and exchange data with the instruction execution module, the data memory and the instruction execution module are each connected directly to the system management module via a bidirectional bus.
Specifically, the service end is a router and the clients are switches. Between the service end and the user side, several levels of clients may be provided, comprising at least a level-1 client, with at least one client at each level, so that instructions from the service end can be carried smoothly through the clients to act on the user side, and information from the user side can be passed back smoothly through the clients to the service end for its use.
Design principle of the utility model: against the prior-art problems of the service end's poor self-protection ability and weak control over the subscriber hosts beneath it, the system management module uses the functions of the protocol processing module to manage the lower-level clients directly, and the clients execute punishment operations on the subscriber hosts beneath them, achieving active defence and attack against subscriber hosts without affecting the service end's normal operation.
Compared with the prior art, the utility model has the following beneficial effects:
One. The layer-2 network protocol realizes the session between service end and client, and the system management module manages the clients directly and uniformly, laying a realizable basis for active defence and attack by the service end without affecting its own work.
Two. The service end's unified management of the clients needs no other network management protocol and no complicated configuration of IP addresses, ports or TCP/IP addresses; it is realized through the network protocol alone, which greatly simplifies the management program and avoids the management confusion caused by overly complex configuration information.
Three. Network configuration is simple and easy to operate, greatly reducing the system's construction and maintenance costs.
Four. The service end executes punishment operations on subscriber hosts through the clients, achieving control and management of subscriber hosts without affecting its own work; the service end's capacity for active operation is greatly improved, as are its active defence and attack capabilities.
Five. Active linked defence and attack by the service end and clients is realized, greatly improving the security and reliability of the whole network.
The utility model is mainly used in computer network communication and has very high practical and promotional value.
Description of the drawings
Fig. 1 is a schematic diagram of the connections between the modules embedded in the service end and the clients of the utility model.
Fig. 2 is a system block diagram of the anti-attack security linkage system of embodiment one of the utility model.
Fig. 3 is a system block diagram of the anti-attack security linkage system of embodiment two of the utility model.
Embodiments
The utility model is described further below with reference to the drawings and embodiments.
Embodiment one
This embodiment describes the utility model using the example of a service end connected in cascade with two levels of clients.
As shown in Figs. 1 and 2, the anti-attack security linkage system mainly comprises a service end, a level-1 client connected to the service end, three level-2 clients beneath the level-1 client, and two subscriber hosts beneath each level-2 client. The service end is embedded with a system management module, an exception handling module, a protocol processing module and a data memory; the level-1 client and the level-2 clients are all embedded with an instruction execution module. The system is implemented as follows:
One. The service end realizes unified management of all clients
1. Client registration: to manage the clients, the system management module of the service end periodically sends a scan instruction, which the protocol processing module delivers to the clients at each level, to scan all clients in the network beneath it and update the client information, for example the number of clients connected to the service end. When the instruction execution module of the level-1 client receives the scan instruction, it carries out the scan itself and forwards the scan instruction to all level-2 clients. On receiving the scan instruction, each client checks whether it is already registered with the service end's system management module; if so, the scan instruction ends; otherwise it sends a registration request to the system management module together with a random session key. On receiving the registration request, the system management module registers the client and sends a registration confirmation back to it.
2. Subscriber host registration: the instruction execution module of each client passes the MAC addresses of all subscriber hosts beneath it back to the service end via the protocol processing module, and they are stored in the data memory.
3. Confirming whether the subscriber hosts in the network are online: each subscriber host periodically sends a heartbeat packet to the system management module of the service end, and the system management module correspondingly checks at regular intervals whether the heartbeat packet has been received. If it has, the counter value of the subscriber host corresponding to that heartbeat packet is reset to a predefined maximum; otherwise the counter value of that host is decremented by 1. When a subscriber host's counter value reaches 0, the service end records the state of that host as offline. The counter value of a subscriber host is directly associated with its MAC address and stored in the data memory.
In this embodiment the predefined maximum counter value of a subscriber host is 3: if the service end fails to receive a heartbeat packet from a subscriber host three consecutive times, it considers that host offline and records its state.
4. Client information configuration and security policy formulation: the system management module of the service end formulates configuration information and a security policy according to the latest state of the clients and subscriber hosts and sends them to all clients through the protocol processing module, completing automatic configuration of the client information. In the utility model, the client information may also be configured manually.
At this point the service end has completed unified management of all clients through the protocol processing module, laying a realizable basis for active defence and attack by the service end.
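The management bookkeeping of part One (client registration with a random session key, MAC registration of subscriber hosts, and the heartbeat counter with maximum 3) modelled in Python as an added example; this is not code from the utility model, and the class and method names (ServiceEnd, scan, register_hosts, check_heartbeats, status, client_for), the hex session key format and the requirement that a client be registered before it reports hosts are assumptions.

```python
import secrets

HEARTBEAT_MAX = 3  # predefined maximum counter value given in embodiment one


class ServiceEnd:
    """System management module plus data memory of the service end (assumed names)."""

    def __init__(self, heartbeat_max=HEARTBEAT_MAX):
        self.heartbeat_max = heartbeat_max
        self.clients = {}      # client id -> session key received at registration
        self.host_client = {}  # host MAC -> client it is directly connected to
        self.counters = {}     # host MAC -> heartbeat counter, keyed by MAC as in the text

    def scan(self, client_ids):
        """Periodic scan instruction. Clients already registered end the scan;
        the others send a registration request with a random session key and
        are registered. Returns the ids newly registered (the confirmations)."""
        newly_registered = []
        for cid in client_ids:
            if cid in self.clients:
                continue
            # The embodiment transmits a random session key with the request but
            # does not say how it is used afterwards, so it is only stored here.
            self.clients[cid] = secrets.token_hex(16)
            newly_registered.append(cid)
        return newly_registered

    def register_hosts(self, client_id, macs):
        """Subscriber host registration: the client passes back the MAC addresses
        of the hosts beneath it and they are stored in the data memory.
        Requiring a registered client first is an assumption of this model."""
        if client_id not in self.clients:
            raise KeyError(f"client {client_id} is not registered")
        for mac in macs:
            mac = mac.lower()
            self.host_client[mac] = client_id
            self.counters.setdefault(mac, self.heartbeat_max)

    def check_heartbeats(self, heartbeats_seen):
        """One check interval: a host whose heartbeat arrived has its counter
        reset to the maximum, every other host is decremented by 1, and hosts
        at 0 are recorded offline. Returns the MACs currently recorded offline."""
        seen = {m.lower() for m in heartbeats_seen}
        for mac in self.counters:
            if mac in seen:
                self.counters[mac] = self.heartbeat_max
            elif self.counters[mac] > 0:
                self.counters[mac] -= 1
        return frozenset(m for m, c in self.counters.items() if c == 0)

    def status(self, mac):
        """'online' while the counter is above 0, 'offline' at 0, 'unknown' for
        a MAC no client has registered."""
        counter = self.counters.get(mac.lower())
        if counter is None:
            return "unknown"
        return "online" if counter > 0 else "offline"

    def client_for(self, mac):
        """Trace a MAC back to the client beneath which it was registered."""
        return self.host_client.get(mac.lower())


if __name__ == "__main__":
    # Constructed topology: level-1 client L1, level-2 client L2a, two hosts.
    se = ServiceEnd()
    se.scan(["L1", "L2a"])
    se.register_hosts("L2a", ["aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"])
    for _ in range(3):  # host ..:02 misses three consecutive heartbeats
        offline = se.check_heartbeats(["aa:bb:cc:dd:ee:01"])
    print(sorted(offline), se.status("aa:bb:cc:dd:ee:02"))
```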
Two. Active defence and attack by the service end against subscriber hosts
The service end analyses and confirms the source of attack data through the exception handling module and sends operation instructions to the clients, whose instruction execution modules carry out the active defence and attack against the subscriber host.
1. Confirming the attack source
The system management module pre-defines a standard for normal data in the network, which comprises the standard set for the subscriber hosts and an intrusion feature database built into the system management module. The clients return the actual data they receive to the exception handling module via the protocol processing module; the exception handling module compares it with the predefined standard and judges whether it is abnormal. If the data is confirmed abnormal, the system management module immediately traces the transmission link of the abnormal data and compares it with the MAC addresses of the subscriber hosts recorded in the data memory, thereby determining the source of the abnormal data.
As shown in Fig. 2, in this embodiment the attack source is determined to be a subscriber host in the network beneath one of the level-2 clients.
2. The service end performs active defence and attack against the attack source
After the system management module has confirmed the attack source, the exception handling module sends a punishment instruction, which is forwarded via the level-1 client to the level-2 client directly connected to the attack source; the punishment instruction includes a filtering instruction that specifies the filtering object. The instruction execution module of that level-2 client filters the data sent by the attack source according to the received filtering instruction until the data meets the level-2 client's current security policy. Once the filtered data meets the standard, the instruction execution module returns it via the level-1 client to the exception handling module, which analyses the data once more. If the data is now normal, its normal transmission is guaranteed; otherwise a blocking instruction is sent via the level-1 client to the level-2 client, whose instruction execution module disconnects the network connection of the attack source according to the blocking instruction, cutting off its transmission path so that its attack data cannot be transmitted to attack the service end; this realizes the service end's active defence capability. On the other hand, by sending instructions down to the level-2 client the service end filters the attack source's data and disconnects its network connection, which is itself one mode of active attack against the attack source and improves the service end's active-attack capability to a certain extent.
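The filter-then-block escalation of step 2 (abnormal data, trace the source MAC in the data memory, filtering instruction to the directly connected client, re-analysis of the filtered data, blocking instruction if still abnormal), written in Python as an added example rather than code from the utility model. The frame layout (src_mac, dst_port, payload), the per-host allowed-port standard, the constructed signature bytes standing in for the intrusion feature database, and all function names are assumptions.

```python
# Constructed intrusion feature database: byte patterns the exception handling
# module treats as attack signatures (placeholders, not real signatures).
INTRUSION_FEATURES = [b"\x90\x90\x90\x90", b"BAD-PAYLOAD"]

# Constructed per-host standard: destination ports each subscriber host may use.
HOST_STANDARD = {
    "aa:bb:cc:dd:ee:01": {80, 443},
    "aa:bb:cc:dd:ee:02": {80, 443},
}

# Data memory: subscriber host MAC -> client it is directly connected to.
HOST_CLIENT = {"aa:bb:cc:dd:ee:01": "L2a", "aa:bb:cc:dd:ee:02": "L2a"}

# Constructed frames as returned by the client: a host using a port outside
# its standard, a normal frame, and a host carrying a known attack pattern.
SAMPLE_FRAMES = [
    {"src_mac": "aa:bb:cc:dd:ee:01", "dst_port": 23, "payload": b"login"},
    {"src_mac": "aa:bb:cc:dd:ee:01", "dst_port": 443, "payload": b"GET /"},
    {"src_mac": "aa:bb:cc:dd:ee:02", "dst_port": 80, "payload": b"id=BAD-PAYLOAD"},
]


def is_abnormal(frame):
    """Exception handling module: compare one frame with the predefined standard
    (the host's allowed ports and the intrusion feature database)."""
    allowed = HOST_STANDARD.get(frame["src_mac"])
    if allowed is None or frame["dst_port"] not in allowed:
        return True
    return any(sig in frame["payload"] for sig in INTRUSION_FEATURES)


def trace_source(src_mac):
    """Compare the source MAC with the hosts recorded in the data memory and
    return the directly connected client, or None for an unregistered source."""
    return HOST_CLIENT.get(src_mac)


def apply_filter(frames, src_mac, allowed_ports):
    """Instruction execution module on the client: drop frames of the attack
    source that violate its current security policy (here, the port standard)."""
    return [f for f in frames
            if f["src_mac"] != src_mac or f["dst_port"] in allowed_ports]


def handle_traffic(frames):
    """Run the escalation of step 2 over a batch of frames returned by a client.
    Returns the (instruction, client, src_mac) tuples the service end issues."""
    instructions = []
    suspects = sorted({f["src_mac"] for f in frames if is_abnormal(f)})
    for mac in suspects:
        client = trace_source(mac)
        if client is None:
            instructions.append(("unknown-source", None, mac))
            continue
        # Punishment instruction carrying the filtering instruction, addressed
        # to the client directly connected to the attack source.
        instructions.append(("filter", client, mac))
        filtered = apply_filter(frames, mac, HOST_STANDARD.get(mac, set()))
        # The client returns the filtered data; analyse it once more.
        if any(f["src_mac"] == mac and is_abnormal(f) for f in filtered):
            # Still abnormal: the blocking instruction disconnects the source.
            instructions.append(("block", client, mac))
        else:
            instructions.append(("forward", client, mac))
    return instructions


if __name__ == "__main__":
    for step in handle_traffic(SAMPLE_FRAMES):
        print(step)
```

Host ..:01 is cleared by filtering alone (only its port violation is dropped), while host ..:02 keeps sending a signature match on an allowed port and so escalates to a blocking instruction.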
Embodiment two
As shown in Figs. 1 and 3, the anti-attack security linkage system mainly comprises a service end, three level-1 clients connected to the service end, and two subscriber hosts beneath each level-1 client. The service end is embedded with a system management module, an exception handling module, a protocol processing module and a data memory, and all level-1 clients are embedded with an instruction execution module.
The main difference in implementation between the two embodiments is that in this embodiment, when the service end performs active defence and attack against the attack source, the exception handling module issues the operation instruction directly to the level-1 client connected to the attack source, with no other client relaying the data in between, and that level-1 client, after filtering the data sent by the attack source, likewise returns the data directly to the service end without passing through other clients. The other implementation steps are identical and are not repeated here.
The utility model can be realized well according to the above embodiments. The above embodiments are merely two cases of the utility model, not all of them, and the scope of protection of the utility model includes but is not limited to the above embodiments.

Claims (7)

1. An anti-attack security linkage system comprising a service end, clients in a mapping relation with the service end, and subscriber hosts in a mapping relation with the clients, characterised in that the service end is embedded with a system management module, an exception handling module, a protocol processing module and a data memory, and the clients are embedded with an instruction execution module; the system management module, exception handling module and protocol processing module communicate in order via bidirectional buses, and the data memory and the instruction execution module are each connected directly to the system management module.
2. The anti-attack security linkage system according to claim 1, characterised in that the protocol processing module is embedded with a layer-2 network protocol module.
3. The anti-attack security linkage system according to claim 2, characterised in that the data memory and the instruction execution module are each connected directly to the system management module via a bidirectional bus.
4. The anti-attack security linkage system according to claim 3, characterised in that the service end is a router.
5. The anti-attack security linkage system according to claim 4, characterised in that the client is a switch.
6. The anti-attack security linkage system according to claim 5, characterised in that at least a level-1 client is comprised between the service end and the user side.
7. The anti-attack security linkage system according to claim 6, characterised in that the quantity of clients at each level is at least one.

Priority Applications (1)

Application number: CN2010206409071U (CN202103697U, en); priority date 2010-12-03; filing date 2010-12-03; title: Anti-attack security linkage system


Publications (1)

Publication number: CN202103697U (en); publication date 2012-01-04

Family

ID=45389694


Country Status (1)

Country Link
CN (1) CN202103697U (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number; priority date; publication date; assignee; title
CN106982188A (en) *; 2016-01-15; 2017-07-25; 阿里巴巴集团控股有限公司; Method and device for detecting a malicious dissemination source
CN107172085A (en) *; 2017-06-30; 2017-09-15; 江苏华信区块链产业研究院有限公司; Active defence method and node based on blockchain smart contracts
CN107172085B (en) *; 2017-06-30; 2018-06-22; 浙江华信区块链科技服务有限公司; Active defence method and node based on blockchain smart contracts

Similar Documents

Publication Publication Date Title
CN102316160B (en) Website system and communication method thereof
US20120236859A1 (en) Method & apparatus for configuring a link aggregation group on a stacked switch
CN102594814A (en) Terminal-based network access control system
CN103152282A (en) Single logical network interface for advanced load balancing and fail-over functionality
CN103236949A (en) Monitoring method, device and system for server cluster
CN102006307A (en) Application proxy-based network management system isolation control device
CN105141571A (en) Distributed virtual firewall device and method
CN106302371A (en) A kind of firewall control method based on subscriber service system and system
CN103108294A (en) Data forwarding processing method and gateway equipment and communication system
CN109587156A (en) Abnormal network access connection identification and blocking-up method, system, medium and equipment
CN103532863B (en) Method and device for realizing software stacking
CN104898435B (en) Home services system and its fault handling method, household appliance, server
CN102638374B (en) Method for maintaining optical transmission network based on telnet protocol
CN103067359A (en) System and method based on connection multiplexing and capable of improving server concurrent processing capacity
CN102088455A (en) ASN (attack security interaction) and implementation method thereof
CN202103697U (en) Anti-attack security linkage system
CN104270452B (en) A kind of tele-medicine data management system and its wireless network communication method
CN103973762A (en) Method for communication between host and intelligent terminal of intelligent home system
US20140204953A1 (en) Communication System and Network Relay Device
CN104618491B (en) A kind of proxy server and data forwarding method
CN112543232A (en) Remote control method and system for industrial equipment
CN102281195B (en) Switch and switch system
CN202351855U (en) Upgrading system for IO (Input/Output) expansion board
CN202094936U (en) Fire alarm image-text system
CN103944886A (en) Method and system for achieving safety of port

Legal Events

C14: Grant of patent or utility model
GR01: Patent grant
C56: Change in the name or address of the patentee
  Owner name: CHENGDU FEIYUXING TECHNOLOGY CO., LTD.
  Free format text: FORMER NAME: CHENGDU VOLANS TECHNOLOGY DEVELOPMENT CORPORATION.
CP03: Change of name, title or address
  Address after: 7-8F, Building 4, Zone G, Tianfu Software Park, No. 1800 Yizhou Road (middle section), High-tech Zone, Chengdu, Sichuan 610000
  Patentee after: VOLANS TECHNOLOGY DEVELOPMENT CORPORATION
  Address before: No. 12-13, Building 6, Zone D, Tianfu Software Park, 216 Century South Road, Tianfu District, Chengdu, Sichuan 610000
  Patentee before: Chengdu VOLANS Technology Development Corporation.
CX01: Expiry of patent term
  Granted publication date: 20120104