CN113411296B - Situation awareness virtual link defense method, device and system - Google Patents
Situation awareness virtual link defense method, device and system Download PDFInfo
- Publication number
- CN113411296B CN113411296B CN202110492985.4A CN202110492985A CN113411296B CN 113411296 B CN113411296 B CN 113411296B CN 202110492985 A CN202110492985 A CN 202110492985A CN 113411296 B CN113411296 B CN 113411296B
- Authority
- CN
- China
- Prior art keywords
- virtual
- network
- node
- link
- nodes
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides a situation awareness virtual link defense method, device and system, and relates to the technical field of network security. The defense method comprises the following steps: collecting log information of network nodes and sending the log information to a situation awareness system; when detecting that the network node is attacked by the network, setting a virtual node for the network node; establishing a virtual link between the network node, the virtual node and a network node associated with the network node; when a plurality of virtual nodes or associated network nodes are provided, a plurality of virtual links are established among the network nodes, the virtual nodes and the associated network nodes in a link shunting, link aggregation and/or link isolation mode; and storing the data information of the network node into the virtual node, and sending the data information to a situation awareness system for security analysis. The invention establishes the virtual link by using the virtual node, changes the communication path of the data information, prevents an attacker from stealing the private data and ensures the data security.
Description
Technical Field
The invention relates to the technical field of network security, in particular to situation-aware virtual link defense.
Background
Network situation awareness aims at obtaining, understanding and displaying security elements capable of causing network situation changes in a large-scale network environment and conducting delay prediction of recent development trends so as to make decisions and actions.
The existing technology is very delicate in attacking nodes, and an attacker further attacks other hosts by taking a host as a foundation after breaking through the host, and the attack means is also various, for example, the other hosts in the same network are attacked by using a network monitoring method, or other hosts are attacked by IP spoofing and host trust relationship.
The attack mode of the network attack is mainly realized by an attacker pretending an external computer to be another legal machine. The purpose is to trick other machines in the network into mistaking the attacker's external computer for acceptance as a legitimate machine, enticing other machines to send data to it, or allowing modification of data. Since attack strategies of attackers in network attack are various, how to make a situation awareness system give a proper defense strategy for coping with the attack when the network attack is detected is a big difficulty at present. Meanwhile, when a network environment is threatened, how to guarantee information security in a data communication process is also a technical problem which needs to be solved urgently at present.
Disclosure of Invention
The invention aims to: the method overcomes the defects of the prior art, sets virtual nodes by using a network topology structure, establishes virtual links for data communication, transfers a transmission path of data communication between network nodes when a situation awareness system detects network attacks, realizes network security dynamic defense, and ensures the secure communication of data information under a network environment.
In order to solve the prior technical problem, the invention provides the following technical scheme:
a situation-aware virtual link defense method, the method comprising the steps of:
collecting log information of network nodes and sending the log information to a situation awareness system;
when detecting that the network node is attacked by the network, setting a virtual node for the network node;
establishing a virtual link between the network node, the virtual node and a network node associated with the network node; when the number of the virtual nodes is multiple or the number of the associated network nodes is multiple, multiple virtual links are established among the network nodes, the virtual nodes and the associated network nodes in a link distribution, link aggregation and/or link isolation mode, at least one shared virtual node is arranged on the multiple virtual links, and the shared virtual node is used for carrying out link distribution, link aggregation and link isolation;
and storing the data information of the network node into the virtual node, and sending the data information to a situation awareness system for security analysis.
Further, the virtual link is a bidirectional link or a unidirectional link.
Further, the link shunt is used for classifying data information transmitted on the virtual link according to a channel corresponding to the virtual node, and each virtual node corresponds to the processing of one type of data information;
the link aggregation is used for distributing data information between the network nodes and the associated network nodes based on the shared virtual nodes so as to distribute tasks according to the current load of the downstream nodes;
the link isolation is used for carrying out protocol control on a link layer when the virtual node is detected to be abnormal and isolating the abnormal virtual node.
Furthermore, the admission/exit control is set for the user access in the network node and/or the virtual node, and when the network attack is detected, the selective admission/exit control is set for the user access in the network node and/or the virtual node which is attacked by the network.
Further, when an admission/exit control mode is adopted, data transmission is carried out according to the trust degree between nodes, wherein the trust degree comprises an admission trust degree and an exit trust degree; the trust-in degree and the trust-out degree are respectively 0 or 1, wherein 1 represents trust, 0 represents distrust, data input is allowed when the trust-in degree of the nodes which are communicated with each other is 1, and data output is allowed when the trust-out degree of the nodes which are communicated with each other is 1.
Further, setting initial trust degrees for the network nodes and the virtual nodes, and defaulting the initial trust degree entering and leaving values to be 1;
detecting the safety of the network nodes and the virtual nodes through the situation awareness system based on a preset time period, wherein the safety is measured through a preset safety index value;
when the safety of the virtual nodes reaches an early warning standard, adjusting the values of the access trust level and the output trust level of each network node and each virtual node;
and controlling the input and/or output of the data according to the adjusted trust level value.
Further, when a selective admission/egress control mode is adopted, when a network node is attacked, the admission/egress control behavior is limited based on a preset data screening rule, and when the service type corresponding to the data does not belong to the preset service type, the admission/egress request is prohibited.
Further, setting a buffer area, a normal area and an isolation area for the virtual node;
after the virtual node receives the data, the received data is stored in a buffer area for security detection; and when the data is judged to be abnormal data, the abnormal data is transferred to the isolated area and an abnormal instruction is sent to the situation awareness system to trigger the situation awareness system to process the abnormal state of the network.
A situation-aware virtual link defense apparatus, comprising structure:
the information acquisition unit is used for acquiring the log information of the network node and sending the log information to the situation awareness system;
the node setting unit is used for setting a virtual node for the network node when detecting that the network node is attacked by a network;
a virtual link establishing unit, configured to establish a virtual link between the network node and a network node associated with the virtual node; when the number of the virtual nodes is multiple or the number of the associated network nodes is multiple, multiple virtual links are established among the network nodes, the virtual nodes and the associated network nodes in a link distribution, link aggregation and/or link isolation mode, at least one shared virtual node is arranged on the multiple virtual links, and the shared virtual node is used for carrying out link distribution, link aggregation and link isolation;
and the information analysis unit is used for storing the data information of the network node into the virtual node and sending the data information to a situation awareness system for safety analysis.
A situation-aware virtual link defense system, the system comprising:
a network node for transceiving data;
the situation awareness system is used for carrying out security analysis on the data information;
the system server is connected with the network node and the situation awareness system;
the system server is configured to: collecting log information of network nodes and sending the log information to a situation awareness system; when detecting that the network node is attacked by a network, setting a virtual node for the network node, and establishing a virtual link of the network node, the virtual node and a network node related to the network node; storing the data information of the network node into the virtual node, and sending the data information to a situation awareness system;
when the number of the virtual nodes is multiple or the number of the associated network nodes is multiple, multiple virtual links are established among the network nodes, the virtual nodes and the associated network nodes in a link distribution, link aggregation and/or link isolation mode, at least one shared virtual node is arranged on the multiple virtual links, and the shared virtual node is used for carrying out link distribution, link aggregation and link isolation.
Due to the adoption of the technical scheme, compared with the prior art, the invention has the following advantages and positive effects as examples: the invention sets virtual nodes by utilizing a network topological structure, establishes virtual links for data communication, changes the transmission path of data communication between network nodes when a situation awareness system detects network attacks, and performs link distribution, link aggregation and/or link isolation means on the virtual links according to user access requirements on the communication links, thereby realizing network security dynamic defense and ensuring data security and the secure communication of data information under a network environment.
Drawings
Fig. 1 is a flowchart provided in an embodiment of the present invention.
Fig. 2 is a network structure diagram according to an embodiment of the present invention.
Fig. 3 is a network structure diagram of a network node under a network attack according to an embodiment of the present invention.
Fig. 4 is another flow chart provided by the embodiment of the present invention.
Fig. 5 is a schematic structural diagram of an apparatus according to an embodiment of the present invention.
Fig. 6 is a schematic structural diagram of a system according to an embodiment of the present invention.
Description of reference numerals:
virtual nodes 121-a, 121-b, 121-c;
the device comprises a device S200, an information acquisition unit S201, a node setting unit S202, a virtual link establishing unit S203 and an information analysis unit S204;
the system comprises a system S300, a network node S301, a situation awareness system S302 and a system server S303.
Detailed Description
The situation-aware virtual link defense method, apparatus, and system disclosed in the present invention are further described in detail with reference to the accompanying drawings and specific embodiments. It should be noted that technical features or combinations of technical features described in the following embodiments should not be considered as being isolated, and they may be combined with each other to achieve better technical effects. In the drawings of the embodiments described below, the same reference numerals appearing in the respective drawings denote the same features or components, and may be applied to different embodiments. Thus, once an item is defined in one drawing, it need not be further discussed in subsequent drawings.
It should be noted that the structures, proportions, sizes, and other dimensions shown in the drawings and described in the specification are only for the purpose of understanding and reading the present disclosure, and are not intended to limit the scope of the invention, which is defined by the claims, and any modifications of the structures, changes in the proportions and adjustments of the sizes and other dimensions, should be construed as falling within the scope of the invention unless the function and objectives of the invention are affected. The scope of the preferred embodiments of the present invention includes additional implementations in which functions may be executed out of order from that described or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the embodiments of the present invention.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate. In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
Examples
Referring to fig. 1, a flow chart S100 is provided in accordance with the present invention. The method comprises the following implementation steps:
and S101, collecting log information of the network nodes and sending the log information to a situation awareness system.
The network node refers to a terminal with an independent network address and data processing function in a network environment, and the network node can be a workstation, a client, a network user or a personal computer, and can also be a server, a printer and other network connected devices. The whole network environment comprises a plurality of network nodes, and the network nodes are connected through communication lines to form a network topology structure. The communication line may be a wired communication system or a wireless communication system.
The data processing functions include, but are not limited to, functions for transmitting data, receiving data, and/or analyzing data. The data processing includes but is not limited to the following situations: the influence on the system caused by the activity condition of a destination port, a destination node, a source IP, the relationship between the port and a protocol and the like; the influence of network traffic data on alarm evaluation; the influence of the random open port on the network vulnerability; the impact of malicious activities on existing system countermeasures and protection schemes; the impact of different attack patterns on the asset; the impact of the associated event on the expected alert evaluation; the impact of the damaged node on the health status of the system; the influence of false alarm information.
In this embodiment, the log information includes, but is not limited to, the following information:
the duration of the connection, whose value is in seconds, may be, for example, in the range: [0, 58329 ];
protocol types including but not limited to TCP, UDP, ICMP;
a network service type of the target host;
a connected normal or wrong state;
the number of bytes of data from the source host to the target host may range, for example, from: [0,1379963888 ];
the number of bytes of data from the target host to the source host may range, for example, from: [0,1309937401 ];
whether the connection is from the same host or not and whether the connection has the same port or not;
the number of erroneous segments, for example, may range from: [0,3];
the number of urgent packets, for example, may range from: [0,14].
The situation awareness system can integrate a plurality of data information systems such as antivirus software, a firewall, an intrusion monitoring system, a security audit system and the like so as to realize the evaluation of the current network environment condition and the prediction of the future change trend of the network environment.
Preferably, the situation awareness system can include, but is not limited to, data acquisition, feature extraction, situation assessment, and security precaution.
Preferably, the data acquisition may be to extract data of the current whole network state, including but not limited to performing overall arrangement on a plurality of data such as a website security log, a vulnerability database, a malicious code database, and the like, or may be to establish an information database of the data acquisition device itself, and perform data acquisition according to data attributes.
Preferably, the feature extraction can extract data collected in the data acquisition process, and further, data cleaning is performed on the data to guarantee data integrity and operability and complete data preprocessing operation.
Preferably, the situation assessment may perform data fusion processing through an association event, including but not limited to performing association identification from multiple aspects such as time, space, protocol, and the like, and further, perform risk assessment on the current time and determine the risk level of the event by combining data information.
Preferably, the safety early warning may be that after the data acquisition, the feature extraction, and the situation evaluation processes, the network environment is evaluated and predicted according to a specified standard, and further, safety state early warning processing is given.
S102, when detecting that the network node is attacked by the network, setting a virtual node for the network node.
In this embodiment, the network attack is an attack on the system and the resource by using vulnerabilities and security flaws existing in the network information system, and may be any type of attack action for a computer information system, an infrastructure, a computer network, or a personal computer device. For a network environment, the network attack may be to destroy, expose, modify, disable software or services, steal or access data of any computer without authorization, so as to destroy, spoof, steal data information, and the like.
Preferably, the network attack includes, but is not limited to, tampering with a data stream, generating a dummy data stream, tampering with, forging message data, and terminal denial of service, tapping, analyzing traffic, breaking a weakly encrypted data stream, password intrusion, trojan horse, hacking software, security loophole, and other attack modes.
Preferably, the virtual node may be an entity terminal, or may be a virtual terminal (also referred to as a virtual server) having a network address and capable of performing data processing, and may be configured to store data information of the network node, and have a data information storage space and a network address. The network address is used for accessing the virtual terminal and can be website name, IP address and Port number information.
S103, establishing a virtual link of the network node, the virtual node and a network node related to the network node; when the number of the virtual nodes is multiple or the number of the associated network nodes is multiple, multiple virtual links are established among the network nodes, the virtual nodes and the associated network nodes in a link distribution, link aggregation and/or link isolation mode, at least one shared virtual node is arranged on the multiple virtual links, and the shared virtual node is used for carrying out link distribution, link aggregation and link isolation.
In this embodiment, the virtual link may be a data link generated between the network node and the virtual node or between the virtual nodes to implement communication and transmission of data. The data link may be a general term for a physical transmission path and a logical transmission channel from a transmitting end to a receiving end via a communication line. The communication protocols that the data link may employ include, but are not limited to, TCP, UDP, ICMP, HTTP protocols.
And S104, storing the data information of the network node into the virtual node, and sending the data information to a situation awareness system for safety analysis.
As a preferred implementation manner of this embodiment, the security analysis includes physical security risk analysis, system security risk analysis, network platform security risk analysis, managed security risk analysis, application security risk analysis, other security risk analysis, and the like.
Preferably, the physical security risk analysis carries out risk analysis on the physical security of the network, wherein the physical security includes environmental security, equipment security, media security and the like. The physical safety risk analysis can analyze the conditions of power supply faults, environmental accidents, man-made operation errors or errors, damaged and stolen equipment, electromagnetic interference, intercepted circuits, dual-computer dual-redundancy design, highly-configured network hardware, the environment of a data center machine room and the like caused by flood disasters, earthquakes, fires and other factors.
Preferably, the system security risk analysis performs risk analysis on the security of the operating system of the network, and can improve the security of the system by configuring the existing operating platform safely, strictly controlling the access authority of the operator, performing operations such as encryption on the authentication in the login process, and the like, so as to ensure the legitimacy of all users, and control the operations to be completed within the minimum range.
Preferably, the network platform security risk analysis performs risk analysis on security of a network structure of the network. The security of the network structure includes, but is not limited to, the environment of the network, the topology of the network, and the routing conditions of the network.
Preferably, the managed security risk analysis analyzes a risk that may cause the managed security in response to a situation such as a regulatory confusion, a regulatory weakness, or a lack of operability existing in the network.
Preferably, the security risk analysis of the application performs security risk analysis on the application system related to the specific application, including but not limited to dynamic security of the application system, security association of the application system to information and/or data, and the like.
Preferably, the other security risk analysis is a sum of security risk analyses for conditions that may threaten the security of the network environment, in addition to the security risk analysis described above. The other security risk analysis can analyze risks to the network by other means including, but not limited to, hacking, using a universal gateway interface vulnerability, using malicious code, infecting viruses, unauthorized access, destroying data integrity, losing or leaking information, denial of service attacks, network-transmitted viruses, and the like.
In this embodiment, the virtual link may be one of a bidirectional link and a unidirectional link. In the data communication process, bidirectional data transmission between nodes can be performed, and unidirectional data transmission between nodes can also be performed, so that the data communication safety is ensured.
As a preferred implementation manner of this embodiment, the link offload is used to classify data information transmitted on a virtual link according to a channel corresponding to a virtual node, where each virtual node corresponds to processing of a class of data information. At this time, when different service requirements are considered, for example, different service requirements such as reading, writing, logging, downloading and the like occur in a network environment, the service requirements may be classified and data transmission may be performed to prevent link congestion.
Referring to fig. 2, a network structure is composed of network nodes 121, 122, 123, 124, 125 and communication links between the network nodes.
When the network node 121 is under a network attack, as shown in fig. 3, virtual nodes 121-a, 121-b, and 121-c are set, where the virtual nodes 121-a, 121-b, and 121-c are all nodes that store data information of the network node 121. At this time, according to the service requirement, three virtual links may be divided for a communication path from network node 121 to network node 122, where the communication path is network node 121-virtual node 121-a-network node 122, network node 121-virtual node 121-a-virtual node 121-b-network node 122, and network node 121-virtual node 121-a-virtual node 121-c-network node 122, and link splitting is correspondingly implemented by taking virtual node 121-a as a virtual node shared by the three virtual links.
Preferably, the link aggregation is configured to distribute data information between the network node and the associated network node based on the common virtual node, so as to distribute tasks according to the current load of the downstream node.
Referring to fig. 3, it should be noted that, for the aforementioned link aggregation case, the virtual node 121-a is a virtual node shared by three virtual links, and the downstream nodes are the virtual nodes 121-b and 121-c and the network node 122, respectively.
At this time, the task of data transmission between nodes may be allocated with reference to the load situation of data transmission between the downstream node and the virtual node 121-a, for example, when the load on the network node 121-virtual node 121-a-virtual node 121-b-network node 122 is too large, the load on the network node 121-virtual node 121-a-network node 122 and the load on the network node 121-virtual node 121-a-virtual node 121-c-network node 122 are small on the communication path from the network node 121 to the network node 122, the data transmission task originally divided on the network node 121-virtual node 121-a-virtual node 121-b-network node 122 may be allocated to the network node 121-virtual node 121-a-network node 122, and/or network node 121-virtual node 121-a-virtual node 121-c-network node 122.
Preferably, the link isolation is configured to, when detecting that the virtual node is abnormal, perform protocol control at a link layer to isolate the abnormal virtual node. The anomalies include, but are not limited to, instantaneous congestion, early warning, downtime, etc.
As a preferred implementation of this embodiment, admission/egress control may also be set for user access in the network node and/or the virtual node, and when a network attack is detected, selective admission/egress control may be set for user access in the network node and/or the virtual node that is under the network attack.
Preferably, the admission control means that it is possible to ensure that a user is trusted before accessing the network, whereas an unauthorized device cannot enter the network. The admission control includes but is not limited to access restriction, active control, dynamic adjustment.
Optionally, the access restriction may require that the user meets the security requirement of the network environment before entering the network environment, so as to avoid that the network security hidden danger of a single user threatens the entire network environment.
Optionally, the active control may actively detect the security states of the user and the network environment, and trigger a control feedback to adjust the security states of the user and the network environment when the network environment is found not to be in the security state, so as to ensure the secure operation of the entire network.
Optionally, the dynamic adjustment is to perform security scanning on an environment where the entire network is located, and dynamically and intelligently adjust an operation state of the network node for real-time security change of the network environment, so as to ensure that the entire network environment is in a security state.
Preferably, the permission control detects log information when the user accesses the network node after the user finishes accessing the network node and before exiting the whole network environment, and simultaneously detects information such as the used flow and the occupied outlet bandwidth in the user access, thereby ensuring the stable operation of the network.
Preferably, upon detection of a network attack, selective admission/egress control is set for user access in the network node and/or virtual node subject to the network attack. That is, by imposing constraints and limitations on the behavior of the aforementioned admission/egress control, when the network environment is abnormal, the normal operation of the associated network node can still be guaranteed, including but not limited to access, storage, editing, and the like.
Preferably, when an admission/exit control mode is adopted, data transmission is carried out according to the trust level between nodes, wherein the trust level comprises an admission trust level and an exit trust level; the values of the trust-in degree and the trust-out degree are 0 or 1, wherein 1 represents trust, 0 represents distrust, data input is allowed when the trust-in degree of the nodes which are communicated with each other is 1, and data output is allowed when the trust-out degree of the nodes which are communicated with each other is 1.
For illustration, referring to fig. 3, a communication path of network node 121-virtual node 121-a-network node 122 is taken as an example. On the communication path, when the out-trust degree and the in-trust degree of each node are matched and are both 1, data transmission between the nodes can be completed. For example, when the out-trust level of the virtual node 121-a has a value of 1 and the in-trust level of the network node 122 has a value of 1, the data transmission from the virtual node 121-a to the network node 122 is completed on the communication path. When the out-trust level of the network node 122 has a value of 1 and the in-trust level of the virtual node 121-a has a value of 1, data transmission from the network node 122 to the virtual node 121-a can be realized on the communication path. When the values of the ingress and egress trust levels in the virtual node 121-a and/or the network node 122 are 0, then both nodes cannot implement data transmission.
In addition to the above examples, data transmission between virtual nodes or between network nodes may be matched according to the out-trust value and the in-trust value. When the out-trust level value of one node and the in-trust level value of the other node are both 1, the node with the out-trust level value of 1 can transmit data to the node with the in-trust level value of 1.
Referring to fig. 4, another flowchart S110 provided in the embodiment of the present invention includes the following specific implementation steps:
and S111, setting initial trust degrees for the network nodes and the virtual nodes, and defaulting the initial trust degree entering and leaving values to be 1.
And S112, detecting the safety of the network nodes and the virtual nodes through the situation awareness system based on a preset time period, wherein the safety is measured through a preset safety index value, and executing the step S113.
S113, when the safety of the virtual nodes reaches the early warning standard, the values of the trust-in degree and the trust-out degree of each network node and each virtual node are adjusted.
And S114, controlling the input and/or output of data according to the adjusted trust degree value.
As a preferred embodiment, and still referring to fig. 3, in a network structure, it is composed of network nodes 121, 122, 123, 124, 125, virtual nodes 121-a, 121-b, 121-c, and communication links between the network nodes. And detecting the network environment by a situation awareness system, and when the values of the trust-in degree and the trust-out degree between the nodes in the network structure are both 1, keeping the whole network environment in a normal data communication transmission state.
And for the network structure, detecting the safety of the network nodes and the virtual nodes through the situation awareness system based on a preset time period, wherein the safety is measured through a preset safety index value.
The preset time period can be one time period interval per second, and the detection time period can also be set in a self-defined mode. The value of the preset safety index can be calculated based on a trust degree function in the prior art.
When the network environment is abnormal, namely the safety of the virtual nodes 121-a, 121-b or 121-c reaches the early warning standard, the situation awareness system adjusts the values of the trust-in degree and the trust-out degree of each network node and each virtual node in the network structure, and controls the input and/or output of data according to the adjusted values of the trust degrees.
The early warning standard can be divided according to national standards of network security, and can also be divided in a user-defined manner according to the importance degree of data or network requirements such as access authority of users.
By way of example and not limitation, when it is detected that the security of the virtual node 121-a reaches the warning criterion, the value of the trust level of the virtual node 121-a is adjusted, and the value of the trust-in level and/or the trust-out level of the virtual node 121-a is adjusted according to the situation that the security of the node is warned. If the outbound trust level of virtual node 121-a is changed to 0, the value of the inbound trust level of virtual nodes 121-b and 121-c located downstream of virtual node 121-a remains 1, and for the adjusted value of the trust level, data transmission between virtual node 121-a and virtual nodes 121-b and 121-c cannot be performed at this time. When the virtual node 121-a is not in the abnormal state, the value of the trust level thereof is changed from 0 to 1, and then data transmission between the virtual node 121-a and the virtual nodes 121-b and 121-c can be performed.
As a preferred embodiment of the present invention, when a selective admission/egress control manner is adopted, for a situation that a network node is attacked, the admission/egress control behavior may be limited based on a preset data screening rule, and when a service type corresponding to the data does not belong to a preset service type, an admission/egress request is prohibited.
The data filtering rules may filter out useful data from a stack of data to identify network admission/egress control activities including, but not limited to, reading, writing, accessing, editing, and the like.
As a preferred embodiment, a buffer area, a normal area and an isolation area may be set for the virtual node; after the virtual node receives the data, storing the received data in a buffer area for security detection; and when the data is judged to be abnormal data, the abnormal data is transferred to the isolated area and an abnormal instruction is sent to the situation awareness system to trigger the situation awareness system to process the abnormal state of the network.
Optionally, in this embodiment, during the communication process, data security is guaranteed by adopting a data encryption form for the aforementioned node, where the data encryption includes, but is not limited to, link encryption, node encryption, and end-to-end encryption. And the data encryption is carried out to ensure the data security of the nodes in the communication process under the network environment.
Optionally, in this embodiment, the identity of the user accessing the network is authenticated.
The identity authentication may include, but is not limited to, information such as MAC address, IP address, username, password, access device port, etc.
It should be noted that, in the process of accessing the network by the user, security check is performed on the network environment of the user and the accessed network nodes, including but not limited to various antivirus software versions, terminal patch vulnerabilities, black, white, and red list detection of application software, abnormal traffic, sensitive operation behavior detection, and the like; or security check may be performed on the associated network node to ensure security and stability of the entire network.
The technical scheme is particularly suitable for judging the node attack condition when the situation awareness system aims at network attack, and establishes the virtual link by setting the virtual node so as to ensure the safe and stable operation of the network.
Other technical features are referred to in the previous embodiments and are not described herein.
In another embodiment of the present invention, referring to fig. 5, there is provided a situation-aware virtual link defense apparatus S200, the apparatus comprising:
the information acquisition unit S201 is used for acquiring the log information of the network node and sending the log information to the situation awareness system;
a node setting unit S202, configured to set a virtual node for the network node when detecting that the network node is under a network attack;
a virtual link establishing unit S203, configured to establish a virtual link between the network node and a network node associated with the virtual node; when the number of the virtual nodes is multiple or the number of the associated network nodes is multiple, multiple virtual links are established among the network nodes, the virtual nodes and the associated network nodes in a link distribution, link aggregation and/or link isolation mode, at least one shared virtual node is arranged on the multiple virtual links, and the shared virtual node is used for carrying out link distribution, link aggregation and link isolation;
and the information analysis unit S204 is used for storing the data information of the network node into the virtual node and sending the data information to the situation awareness system for security analysis.
Other technical features are referred to in the previous embodiments and are not described herein.
The present invention also provides an embodiment, which provides a situation-aware virtual link defense system S300, the system includes:
a network node S301 for transceiving data;
the situation awareness system S302 is used for carrying out security analysis on the data information;
the system server S303 is connected with the network node and the situation awareness system;
the system server is configured to: collecting log information of network nodes and sending the log information to a situation awareness system; when detecting that the network node is attacked by a network, setting a virtual node for the network node, and establishing a virtual link of the network node, the virtual node and a network node related to the network node; storing the data information of the network node into the virtual node, and sending the data information to a situation awareness system;
when the number of the virtual nodes is multiple or the number of the associated network nodes is multiple, multiple virtual links are established among the network nodes, the virtual nodes and the associated network nodes in a link distribution, link aggregation and/or link isolation mode, at least one shared virtual node is provided on the multiple virtual links, and the shared virtual node is used for performing link distribution, link aggregation and link isolation.
Other technical features are referred to in the previous embodiment and are not described in detail herein.
In the description above, the various components may be selectively and operatively combined in any number within the intended scope of the present disclosure. In addition, terms like "comprising," "including," and "having" should be interpreted as inclusive or open-ended, rather than exclusive or closed-ended, by default, unless explicitly defined to the contrary. All technical, scientific, or other terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs unless defined otherwise. Common terms found in dictionaries should not be interpreted too ideally or too realistically in the context of related art documents unless the present disclosure expressly limits them to that.
While exemplary aspects of the present disclosure have been described for illustrative purposes, those skilled in the art will appreciate that the foregoing description is by way of description of the preferred embodiments of the present disclosure only, and is not intended to limit the scope of the present disclosure in any way, which includes additional implementations in which functions may be performed out of the order of presentation or discussion. Any changes and modifications of the present invention based on the above disclosure will be within the scope of the appended claims.
Claims (9)
1. A situation-aware virtual link defense method, the method steps are:
collecting log information of network nodes and sending the log information to a situation awareness system;
when detecting that the network node is attacked by the network, setting a virtual node for the network node;
establishing a virtual link between the network node, the virtual node and a network node associated with the network node; when the number of the virtual nodes is multiple or the number of the associated network nodes is multiple, multiple virtual links are established among the network nodes, the virtual nodes and the associated network nodes in a link distribution, link aggregation and link isolation mode, at least one shared virtual node is arranged on the multiple virtual links, and the shared virtual node is used for carrying out link distribution, link aggregation and link isolation;
storing the data information of the network node into the virtual node, and sending the data information to a situation awareness system for security analysis;
the link distribution is used for classifying data information transmitted on the virtual link according to a channel corresponding to the virtual node, and each virtual node corresponds to the processing of one type of data information; the link aggregation is used for distributing data information between the network nodes and the associated network nodes based on the shared virtual nodes so as to distribute tasks according to the current load of the downstream nodes; and the link isolation is used for carrying out protocol control on a link layer and isolating the abnormal virtual nodes when the virtual nodes are detected to be abnormal.
2. The method of claim 1, wherein the virtual link is a bidirectional link or a unidirectional link.
3. A method according to claim 1, characterized in that admission/exit control is arranged for user access in the network nodes and/or virtual nodes, and that when a network attack is detected, selective admission/exit control is arranged for user access in the network nodes and/or virtual nodes that are subject to the network attack.
4. The method according to claim 3, characterized in that when an admission/egress control mode is adopted, data transmission is performed according to the trust level between nodes, wherein the trust level comprises an admission trust level and an egress trust level; the values of the trust-in degree and the trust-out degree are 0 or 1, wherein 1 represents trust, 0 represents distrust, data input is allowed when the trust-in degree of the nodes which are communicated with each other is 1, and data output is allowed when the trust-out degree of the nodes which are communicated with each other is 1.
5. The method according to claim 4, characterized in that an initial trust level is set for the network node and the virtual node, and the initial trust-in and trust-out values default to 1;
detecting the safety of the network nodes and the virtual nodes through the situation awareness system based on a preset time period, wherein the safety is measured through a preset safety index value;
when the safety of the virtual nodes reaches an early warning standard, adjusting the values of the access trust level and the output trust level of each network node and each virtual node;
and controlling the input and/or output of the data according to the adjusted trust level value.
6. A method according to claim 3, characterized in that when a selective admission/egress control mode is adopted, when a network node is attacked, the behavior of the admission/egress control is restricted based on a preset data screening rule, and when the traffic type corresponding to the data does not belong to a preset traffic type, the admission/egress request is prohibited.
7. The method of claim 1, wherein a buffer area, a normal area and an isolation area are provided for the virtual node;
after the virtual node receives the data, the received data is stored in a buffer area for security detection; and when the data is judged to be abnormal data, the abnormal data is transferred to the isolated area and an abnormal instruction is sent to the situation awareness system to trigger the situation awareness system to process the abnormal state of the network.
8. A situation-aware virtual link defense apparatus implementing the method of any one of claims 1-7, comprising the structure:
the information acquisition unit is used for acquiring log information of the network nodes and sending the log information to the situation awareness system;
the node setting unit is used for setting a virtual node for the network node when detecting that the network node is attacked by the network;
a virtual link establishing unit, configured to establish a virtual link between the network node and a network node associated with the virtual node; when the number of the virtual nodes is multiple or the number of the associated network nodes is multiple, multiple virtual links are established among the network nodes, the virtual nodes and the associated network nodes in a link distribution mode, a link aggregation mode and a link isolation mode, at least one shared virtual node is arranged on the multiple virtual links, and the shared virtual node is used for carrying out link distribution, link aggregation and link isolation; the link shunt is used for classifying data information transmitted on a virtual link according to a channel corresponding to a virtual node, and each virtual node corresponds to the processing of one type of data information; the link aggregation is used for distributing data information between the network nodes and the associated network nodes based on the shared virtual nodes so as to distribute tasks according to the current load of the downstream nodes; the link isolation is used for carrying out protocol control on a link layer when the virtual node is detected to be abnormal and isolating the abnormal virtual node;
and the information analysis unit is used for storing the data information of the network node into the virtual node and sending the data information to a situation awareness system for safety analysis.
9. A situation-aware virtual link defense system to implement the method of any one of claims 1-7, comprising:
a network node for transceiving data;
the situation awareness system is used for carrying out security analysis on the data information;
the system server is connected with the network node and the situation awareness system;
the system server is configured to: collecting log information of network nodes and sending the log information to a situation awareness system; when detecting that the network node is attacked by a network, setting a virtual node for the network node, and establishing a virtual link of the network node, the virtual node and a network node related to the network node; storing the data information of the network node into the virtual node, and sending the data information to a situation awareness system;
when the number of the virtual nodes is multiple or the number of the associated network nodes is multiple, multiple virtual links are established among the network nodes, the virtual nodes and the associated network nodes in a link distribution mode, a link aggregation mode and a link isolation mode, at least one shared virtual node is arranged on the multiple virtual links, and the shared virtual node is used for carrying out link distribution, link aggregation and link isolation; the link shunt is used for classifying data information transmitted on a virtual link according to a channel corresponding to a virtual node, and each virtual node corresponds to the processing of one type of data information; the link aggregation is used for distributing data information between the network nodes and the associated network nodes based on the shared virtual nodes so as to distribute tasks according to the current load of the downstream nodes; the link isolation is used for carrying out protocol control on a link layer when the virtual node is detected to be abnormal, and isolating the abnormal virtual node.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110492985.4A CN113411296B (en) | 2021-05-07 | 2021-05-07 | Situation awareness virtual link defense method, device and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110492985.4A CN113411296B (en) | 2021-05-07 | 2021-05-07 | Situation awareness virtual link defense method, device and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113411296A CN113411296A (en) | 2021-09-17 |
| CN113411296B true CN113411296B (en) | 2022-08-26 |
Family
ID=77678048
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110492985.4A Active CN113411296B (en) | 2021-05-07 | 2021-05-07 | Situation awareness virtual link defense method, device and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113411296B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114758434A (en) * | 2022-03-16 | 2022-07-15 | 江苏彩诚亿智能科技有限公司 | Intelligent electric control lock remote control system based on mobile phone terminal |
| CN118300861A (en) * | 2024-04-17 | 2024-07-05 | 中国人民解放军61660部队 | Protection method for unknown loopholes |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102457422A (en) * | 2010-10-20 | 2012-05-16 | 中兴通讯股份有限公司 | Method and system for realizing cross-node aggregated link in packet switching network |
| CN108616386A (en) * | 2018-03-29 | 2018-10-02 | 西安交通大学 | A kind of construction method and SDN virtual network environments of SDN virtual network environments |
| CN112187907A (en) * | 2020-09-22 | 2021-01-05 | 远光软件股份有限公司 | Data processing method for edge calculation, communication method for Internet of things and electronic equipment |
Family Cites Families (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103716252A (en) * | 2012-09-29 | 2014-04-09 | 中兴通讯股份有限公司 | Flow-distribution link aggregation and device |
| US9106565B2 (en) * | 2013-01-04 | 2015-08-11 | International Business Machines Corporation | Loop avoidance for event-driven virtual link aggregation |
| WO2015177789A1 (en) * | 2014-05-20 | 2015-11-26 | B. G. Negev Technologies And Application Ltd., At Ben-Gurion Universitiy | A method for establishing a secure private interconnection over a multipath network |
| CN105992272A (en) * | 2015-01-27 | 2016-10-05 | 中国移动通信集团公司 | Data transmitting and receiving method, device and data transmission system |
| US9800595B2 (en) * | 2015-09-21 | 2017-10-24 | Ixia | Methods, systems, and computer readable media for detecting physical link intrusions |
| CN105791288B (en) * | 2016-03-02 | 2018-12-04 | 中国人民解放军信息工程大学 | Crucial virtual link means of defence based on parallel duplex diameter |
| US10257088B2 (en) * | 2016-04-14 | 2019-04-09 | Robin Systems, Inc. | Virtual network overlays for multipath datacenters |
| CN106357538A (en) * | 2016-11-17 | 2017-01-25 | 迈普通信技术股份有限公司 | Data forwarding method and device |
| CN107612914B (en) * | 2017-09-20 | 2020-06-02 | 重庆邮电大学 | Ad Hoc network security trust method based on reference node strategy |
| CN109104327B (en) * | 2018-06-08 | 2022-03-22 | 创新先进技术有限公司 | Service log generation method, device and equipment |
| CN109889476A (en) * | 2018-12-05 | 2019-06-14 | 国网冀北电力有限公司信息通信分公司 | A kind of network safety protection method and network security protection system |
| CN111787349B (en) * | 2020-05-19 | 2023-12-12 | 视联动力信息技术股份有限公司 | Data caching method, device, equipment and medium |
| CN112291116A (en) * | 2020-11-23 | 2021-01-29 | 迈普通信技术股份有限公司 | Link fault detection method and device and network equipment |
-
2021
- 2021-05-07 CN CN202110492985.4A patent/CN113411296B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102457422A (en) * | 2010-10-20 | 2012-05-16 | 中兴通讯股份有限公司 | Method and system for realizing cross-node aggregated link in packet switching network |
| CN108616386A (en) * | 2018-03-29 | 2018-10-02 | 西安交通大学 | A kind of construction method and SDN virtual network environments of SDN virtual network environments |
| CN112187907A (en) * | 2020-09-22 | 2021-01-05 | 远光软件股份有限公司 | Data processing method for edge calculation, communication method for Internet of things and electronic equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113411296A (en) | 2021-09-17 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Birkinshaw et al. | Implementing an intrusion detection and prevention system using software-defined networking: Defending against port-scanning and denial-of-service attacks | |
| EP2555486B1 (en) | Multi-method gateway-based network security systems and methods | |
| US10097578B2 (en) | Anti-cyber hacking defense system | |
| KR101045362B1 (en) | Active network defense system and method | |
| Verba et al. | Idaho national laboratory supervisory control and data acquisition intrusion detection system (SCADA IDS) | |
| US9253153B2 (en) | Anti-cyber hacking defense system | |
| AU2003222180A1 (en) | System and method for detecting an infective element in a network environment | |
| JP7499262B2 (en) | Method, system, and computer-readable medium for dynamically modifying security system entities | |
| EP3433749B1 (en) | Identifying and trapping wireless based attacks on networks using deceptive network emulation | |
| US10693904B2 (en) | System and method for information security threat disruption via a border gateway | |
| CN113411296B (en) | Situation awareness virtual link defense method, device and system | |
| Miller et al. | Traffic classification for the detection of anonymous web proxy routing | |
| CN113411295A (en) | Role-based access control situation awareness defense method and system | |
| Singh | Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) For Network Security: A Critical Analysis | |
| RU2703329C1 (en) | Method of detecting unauthorized use of network devices of limited functionality from a local network and preventing distributed network attacks from them | |
| Patel et al. | A Snort-based secure edge router for smart home | |
| Kfouri et al. | Design of a Distributed HIDS for IoT Backbone Components. | |
| CN113206852A (en) | Safety protection method, device, equipment and storage medium | |
| Choi | IoT (Internet of Things) based Solution Trend Identification and Analysis Research | |
| Holik | Protecting IoT Devices with Software-Defined Networks | |
| KR20080035724A (en) | Method and apparatus for detecting and blocking network attack without attack signature | |
| Saraswathi et al. | An Improved Approach towards Network Security of an Organization | |
| CN118214591A (en) | Zero trust proxy method, device, electronic equipment and storage medium | |
| Kao et al. | Security management of mutually trusted domains through cooperation of defensive technologies | |
| Brar | Study and Detection of Jamming attacks in Wireless Networks |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information | ||
| CB02 | Change of applicant information |
Address after: 200441 floor 11, No. 2, Lane 99, Changjiang South Road, Baoshan District, Shanghai Applicant after: SHANGHAI NIUDUN TECHNOLOGY Co.,Ltd. Address before: 200433 floor 11, building A5, Lane 1688, Guoquan North Road, Yangpu District, Shanghai Applicant before: SHANGHAI NIUDUN TECHNOLOGY Co.,Ltd. |
|
| GR01 | Patent grant | ||
| GR01 | Patent grant |