
CN107360182A - Embedded active network defense system and defense method thereof

Info

Publication number
CN107360182A
Authority
CN
China
Prior art keywords
message
network
module
defense
firewall
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710659375.2A
Other languages
Chinese (zh)
Other versions
CN107360182B (en)
Inventor
李孝成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Wing Fai Information Technology Co Ltd
Original Assignee
Nanjing Wing Fai Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Wing Fai Information Technology Co Ltd filed Critical Nanjing Wing Fai Information Technology Co Ltd
Priority to CN201710659375.2A priority Critical patent/CN107360182B/en
Publication of CN107360182A publication Critical patent/CN107360182A/en
Application granted granted Critical
Publication of CN107360182B publication Critical patent/CN107360182B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an active network defense system for embedded devices, comprising a network protocol stack module and an active network defense module. The active network defense module is divided into a firewall upper-layer module and a firewall bottom-layer module, and the firewall upper layer includes a packet check module and an exception processing module. The defense method of the system comprises: 1. installing the active network defense system; 2. the packet check module analyzes each received network message and judges whether it is problematic; if not, the message is passed directly to the protocol stack, and if so, the method proceeds to the next step; 3. the exception processing module determines whether the abnormal message can be confirmed as an attack message; if confirmed, the method proceeds to the next step; if not, a request message is sent to query the real network environment and the method returns to step 2; 4. the current message is discarded, the whitelist/blacklist is set, and the bottom-layer filter is enabled. The invention identifies and defends proactively and can defend against the common embedded network attacks to which embedded devices are subjected, thereby protecting the network security of embedded devices.

Description

An active network defense system for embedded devices and a defense method thereof
Technical field
The invention belongs to the embedded field, and in particular relates to an active network defense system for embedded devices and a defense method thereof.
Background
With the rapid development of embedded devices, more and more of them are used in network-connected applications such as vehicle electronics, medical equipment and power equipment. When these devices are connected to a network without sufficient consideration of security, they are easily exposed to network attacks. Without corresponding security measures, such attacks may damage the device's functions, its system, and the information stored inside it.
Many network firewalls are on the market today, but most of them target servers, enterprises and personal PCs. Network firewalls for embedded devices are comparatively rare.
Existing embedded network firewalls currently have the following defects:
1. Poor ease of use: In the embedded field, for embedded devices that run an operating system, the firewall is mostly started together with the system, and its internal functional modules and defense parameters must be configured by the developer at the outset. After the system starts, these parameters are difficult to adjust according to actual network conditions.
2. Low fault tolerance: In embedded networks, special network messages can occur depending on the scenario in which the embedded device is used, and a change in an embedded device's network configuration parameters can also change the content of its network messages. In such situations, current embedded network firewalls cannot reliably tell normal operation from a network anomaly, which can cause the firewall to mishandle such messages.
3. Simplistic handling of anomalies: Some current embedded network firewalls respond to detected network anomalies in an overly simple way: on finding an anomaly they shut down the network outright and reject messages so that the device is not affected by the network. This does keep the system from being affected while under attack, but it also disrupts the device's own network communication.
4. High resource consumption by the firewall itself: Most current embedded network firewalls run in the operating system as a single entity, with detection and filtering both implemented inside the firewall. For embedded devices whose performance is not very high, the firewall can consume a large amount of CPU when the device is under network attack, affecting other tasks on the system that need CPU time.
Summary of the invention
Object of the invention: To address the problems in the prior art, the present invention provides an active network defense system for embedded devices, and a defense method thereof, that not only inspects the network messages an embedded device receives but also, for suspicious messages, actively sends request messages to determine whether a suspicious operation is really taking place, and that, when the system is under network attack, consumes few system resources and does not affect the normal operation of the system's other tasks.
Technical solution: To solve the above technical problems, the present invention provides an active network defense system for embedded devices, comprising a network protocol stack module and an active network defense module. The active network defense module is divided into a firewall upper-layer module and a firewall bottom-layer module; the firewall bottom-layer module is located in the network card driver, and the firewall upper layer includes a packet check module and an exception processing module;
Packet check module, for analyzing and processing the network messages received; the network messages include the normal communication messages of the embedded device and the response messages from other devices after the firewall actively sends a request message;
Exception processing module, for performing exception handling after the packet check module finds a problem. Exception handling takes one of two forms. The first applies to network messages that can clearly be judged problematic, such as SYN floods, network storms and distributed denial-of-service attacks: the exception processing module notifies the firewall filter in the driver layer, which starts the corresponding filtering of the network messages the embedded device receives. The second applies to network messages that cannot be accurately judged problematic, such as ARP spoofing and replay attacks: the exception processing module actively sends a request message to query the device it is communicating with and determine whether a problem has occurred.
A defense method for the active network defense system for embedded devices described above comprises the following steps:
1) the active network defense system is installed in the embedded device's system;
2) the packet check module analyzes the received network message and judges whether it is problematic; if there is no problem, the message passes and is handed directly to the protocol stack; if there is a problem, the message does not pass and the method proceeds to the next step;
3) the exception processing module determines whether the abnormal message can be confirmed as an attack message; if confirmed, the method proceeds to the next step; if not, a request message is sent to query the real network environment and the method returns to step 2;
4) the current message is discarded, the whitelist/blacklist is set, and the bottom-layer filter is enabled.
Further, the network messages in step 2 include the normal communication messages of the embedded device and the response messages from other devices after the firewall actively sends a request message.
Further, when the exception processing module analyzes a problematic message received in step 3, there are two cases:
3.1) First case: the real network situation can be determined from the network message;
3.2) Second case: the real network situation cannot be determined from the network message; the device may be under attack, or the network environment may have changed.
Further, in the first case of step 3, when the real network situation can be determined from the network message, the exception processing module sets the whitelist/blacklist, actively enables the firewall bottom-layer filter to filter subsequent messages, and discards the message currently being processed.
Further, in the second case of step 3, the exception processing module confirms the real state of the network by sending a request message. The message being processed is first held by the system and not passed to the protocol stack; after the request message has been sent and the packet check module receives the corresponding response, the held message is passed to the protocol stack if it proves correct and is discarded otherwise.
Further, after the firewall bottom-layer filter is enabled in step 4, network traffic is analyzed while messages are filtered against the whitelist/blacklist; if network traffic falls below a user-set value, the system actively disables the filter; if, after the filter is disabled, the packet check module detects a problem, the filter is enabled again.
Compared with the prior art, the advantages of the invention are:
1. Easy and flexible to use: The whole system was implemented and tested on the large real-time operating system SylixOS, and is delivered as a kernel module. When a user's embedded device needs a network firewall, the whole system can be added simply by loading the module dynamically. Each functional module inside the firewall, and its configuration parameters, can also be dynamically added, removed and set through shell commands according to the user's needs.
2. High accuracy in identifying messages: Unlike earlier embedded network firewalls, which filter a suspicious message as soon as they find it, the present invention actively sends a request message when it finds a suspicious message in order to judge whether the embedded device is really under network attack. This greatly reduces the firewall's mishandling of legitimate messages.
3. High interception rate for abnormal messages: The whole system uses an upper/lower two-layer architecture, and the bottom-layer driver filter is enabled actively by the firewall. With this two-layer filtering mechanism, abnormal messages are intercepted accurately and the security of the embedded device is ensured.
4. Low system resource usage: Under the upper/lower two-layer architecture, only the upper layer is working when the embedded device is in a safe network environment. Bottom-layer filtering is enabled only when a problem is found. High-bandwidth network attacks such as SYN floods are then filtered in the bottom-layer driver and do not consume large amounts of system resources, which keeps other system tasks working normally.
5. Normal network communication is unaffected under abnormal conditions: The active network defense system filters using a whitelist combined with a blacklist, which effectively ensures that in an abnormal network environment normal communication messages can still pass the filter and reach the protocol stack.
For common embedded network attacks, the present invention has the following main advantages:
ARP spoofing: No manual binding of MAC and IP addresses is required. The invention maintains its own internal ARP information table, and an entry is added to it automatically when a new device joins. It can identify whether the current situation is ARP spoofing or an anomaly in which another device's MAC or IP address has really changed, and handles each of the two cases accordingly.
Network storms: The device producing the storm and the storm type are identified automatically. When a storm occurs, the embedded device's low performance does not cause its own communication, system operation or other functions to be affected, and the storm messages are filtered.
Replay attacks: Neither the application's own communication messages nor its logic need to be changed; that is, no additional code is added to the application. Network utilization is therefore not affected either.
Flood attacks such as TCP SYN floods: The number of SYN messages received per second can be detected and controlled. When SYN flood traffic is very heavy, the embedded device's own performance does not cause its communication, system operation or other functions to be affected, and communication with devices that had already successfully established connections can continue.
Brief description of the drawings
Fig. 1 is a structural diagram of the present invention;
Fig. 2 is the overall flow chart of the present invention;
Fig. 3 is the flow chart of embodiment one;
Fig. 4 is the flow chart of embodiment two.
Detailed description
The present invention is further explained below with reference to the drawings and specific embodiments.
An active network defense system for embedded devices comprises a network protocol stack module and an active network defense module. The active network defense module is divided into a firewall upper-layer module and a firewall bottom-layer module; the firewall bottom-layer module is located in the network card driver, and the firewall upper layer includes a packet check module and an exception processing module;
Packet check module, for analyzing and processing the network messages received; the network messages include the normal communication messages of the embedded device and the response messages from other devices after the firewall actively sends a request message;
Exception processing module, for performing exception handling after the packet check module finds a problem. Exception handling takes one of two forms. The first applies to network messages that can clearly be judged problematic, such as SYN floods, network storms and distributed denial-of-service attacks: the exception processing module notifies the firewall filter in the driver layer, which starts the corresponding filtering of the network messages the embedded device receives. The second applies to network messages that cannot be accurately judged problematic, such as ARP spoofing and replay attacks: the exception processing module actively sends a request message to query the device it is communicating with and determine whether a problem has occurred.
Embedded network attacks currently take several common forms: ARP spoofing, network storms, TCP floods, replay attacks, denial-of-service attacks, and so on.
Through its overall upper/lower two-layer framework, the present invention lets the firewall upper-layer module actively control the enabling and disabling of the bottom-layer driver filter.
Embodiment one: As shown in Fig. 3, for ARP spoofing, the defense method of the active network defense system of the invention comprises the following steps:
1. The system internally maintains an ARP information table. When an ARP reply message is received, the system first checks whether the table already has a matching entry; if not, an entry is added and the message passes detection and is handed to the protocol stack.
2. If there is an entry, the system judges whether the content of the received message is consistent with what the entry describes. If consistent, it proceeds to step 3 to judge whether the entry is in an abnormal state. If inconsistent, it sets the entry's flag bit to indicate that an anomaly has occurred, and likewise proceeds to step 3.
3. When checking the entry's abnormal state: if the flag bit shows no abnormal state, the message is allowed through directly and passed to the protocol stack. Otherwise, the system attempts to judge from the entry whether the embedded device is under attack or the network environment has really changed.
4. If it cannot be confirmed whether the embedded device is under attack, an ARP request message is sent.
5. If it can be confirmed, the system judges whether the cause of the anomaly is ARP spoofing; if so, it sets the whitelist/blacklist and enables firewall filtering; otherwise it proceeds to step 6.
6. If the cause of the anomaly is a genuine change, such as a change in the communicating device's MAC or IP address, the firewall resets the entry, treats the message as genuine and correct, and passes it to the protocol stack.
As described above with reference to Fig. 3, the most important part of defending against ARP spoofing is judging the current network conditions; the present invention makes this judgment by difference comparison.
The detailed process is as follows:
First, the firewall internally maintains an ARP information table. The main function of each member of a table entry is:
Original MAC address: holds the current correct MAC address.
Original MAC address counter: records, while a MAC conflict is in progress, the number of ARP reply messages received that point to the original MAC.
New MAC address: holds the MAC address that produced the conflict.
New MAC address counter: records, while a MAC conflict is in progress, the number of ARP reply messages received that point to the new MAC.
State flag bit: indicates the state of the current ARP entry.
Filter time: records how long the ARP messages causing the MAC conflict are filtered.
When the embedded device receives the first ARP reply, an entry is created and the current MAC and IP addresses are recorded. If, during subsequent communication, the device receives an ARP reply message containing a new MAC address, the new MAC address is recorded in the entry's new MAC field and the flag bit is set to indicate that a MAC conflict has occurred. At the same time, the system sends an ARP broadcast request message to query the MAC address of the IP in question.
From then on, if ARP spoofing is taking place, both the real host and the spoofing host return ARP reply messages carrying their own MAC. Each time the system receives one of these replies while the entry is in the abnormal state, it increments the corresponding counter and sends another ARP broadcast request, and this cycle repeats. Once both accumulated values exceed a bound, the firewall concludes that an ARP spoofing attack is present on the network; it then blacklists the device corresponding to the new MAC in the ARP table and sets the blacklist time.
If instead the MAC address of a device on the network has genuinely changed, the ARP messages received contain only the new MAC address, and only the new MAC's counter in the ARP table increases. When the difference between the two MAC counters exceeds a user-set bound, the firewall concludes that the communicating device's MAC address has really changed; it then updates the entry and passes the new ARP reply to the protocol stack.
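The difference-comparison decision of embodiment one, written out as a small state machine. This is an added example, not code from the patent or its assignee; the type and function names, the bound values, the blacklist duration and the stubbed probe sender are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARP_TABLE_SIZE 16
#define SPOOF_BOUND    3u   /* assumed: both counters above this => ARP spoofing */
#define CHANGE_BOUND   3u   /* assumed user-set counter difference => genuine MAC change */
#define BLACKLIST_SECS 60u  /* assumed blacklist (filter) time */

enum arp_state   { ARP_NORMAL, ARP_CONFLICT, ARP_FILTERING };
enum arp_verdict { ARP_PASS, ARP_HOLD_PROBE, ARP_DROP };

struct arp_entry {                /* one row of the ARP information table */
    int            used;
    uint32_t       ip;
    uint8_t        orig_mac[6];   /* original (current correct) MAC */
    uint32_t       orig_count;    /* replies naming orig_mac during a conflict */
    uint8_t        new_mac[6];    /* MAC that produced the conflict */
    uint32_t       new_count;     /* replies naming new_mac during a conflict */
    enum arp_state state;         /* state flag bit */
    uint32_t       filter_until;  /* filter time: blacklist expiry, in seconds */
};

static struct arp_entry arp_table[ARP_TABLE_SIZE];
static unsigned arp_probes_sent;

/* Stand-in for broadcasting an ARP request; a real port would call the NIC driver. */
static void arp_send_probe(uint32_t ip) { (void)ip; arp_probes_sent++; }

static struct arp_entry *arp_find(uint32_t ip, int create)
{
    struct arp_entry *slot = NULL;
    for (int i = 0; i < ARP_TABLE_SIZE; i++) {
        if (arp_table[i].used && arp_table[i].ip == ip) return &arp_table[i];
        if (!arp_table[i].used && !slot) slot = &arp_table[i];
    }
    if (!create || !slot) return NULL;
    memset(slot, 0, sizeof *slot);            /* state starts as ARP_NORMAL */
    slot->used = 1;
    slot->ip = ip;
    return slot;
}

enum arp_state arp_state_of(uint32_t ip)
{
    struct arp_entry *e = arp_find(ip, 0);
    return e ? e->state : ARP_NORMAL;
}

/* Decide what to do with one ARP reply claiming that `ip` is at `mac`. */
enum arp_verdict arp_reply_check(uint32_t ip, const uint8_t mac[6], uint32_t now)
{
    struct arp_entry *e = arp_find(ip, 0);
    if (!e) {                                 /* step 1: unknown sender, learn and pass */
        e = arp_find(ip, 1);
        if (e) memcpy(e->orig_mac, mac, 6);
        return ARP_PASS;
    }
    if (e->state == ARP_FILTERING) {
        if (now < e->filter_until)            /* only the original MAC is accepted (assumption) */
            return memcmp(mac, e->orig_mac, 6) == 0 ? ARP_PASS : ARP_DROP;
        e->state = ARP_NORMAL;                /* filter time elapsed */
    }
    if (e->state == ARP_NORMAL) {
        if (memcmp(mac, e->orig_mac, 6) == 0) return ARP_PASS;
        memcpy(e->new_mac, mac, 6);           /* step 2: first conflicting reply */
        e->orig_count = 0;
        e->new_count = 1;
        e->state = ARP_CONFLICT;
        arp_send_probe(ip);                   /* step 4: query the real network */
        return ARP_HOLD_PROBE;                /* message is held, not passed to the stack */
    }
    /* ARP_CONFLICT: count which MAC this reply names; a third MAC is not counted
     * (assumption, the page does not cover that case). */
    if (memcmp(mac, e->orig_mac, 6) == 0)     e->orig_count++;
    else if (memcmp(mac, e->new_mac, 6) == 0) e->new_count++;

    if (e->orig_count > SPOOF_BOUND && e->new_count > SPOOF_BOUND) {
        e->state = ARP_FILTERING;             /* step 5: both hosts keep answering */
        e->filter_until = now + BLACKLIST_SECS;
        return ARP_DROP;                      /* current message is discarded */
    }
    if (e->new_count > e->orig_count && e->new_count - e->orig_count > CHANGE_BOUND) {
        memcpy(e->orig_mac, e->new_mac, 6);   /* step 6: only the new MAC answers */
        e->state = ARP_NORMAL;
        return ARP_PASS;
    }
    arp_send_probe(ip);
    return ARP_HOLD_PROBE;
}

int main(void)
{
    static const char *name[] = { "pass", "hold+probe", "drop" };
    const uint8_t host[6]  = { 0x02, 0, 0, 0, 0, 0x01 };   /* constructed sample MACs */
    const uint8_t other[6] = { 0x02, 0, 0, 0, 0, 0x02 };
    uint32_t ip = 0xC0A8010Au;                             /* 192.168.1.10, constructed */
    printf("first reply: %s\n", name[arp_reply_check(ip, host, 0)]);
    for (int i = 0; i < 4; i++) {
        printf("other MAC:   %s\n", name[arp_reply_check(ip, other, 1)]);
        printf("host MAC:    %s\n", name[arp_reply_check(ip, host, 1)]);
    }
    printf("probes sent: %u\n", arp_probes_sent);
    return 0;
}
```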
Embodiment two: As shown in Fig. 4, for network storms and SYN flood attacks, the defense method of the active network defense system of the invention comprises the following steps:
1. On receiving a network message, first determine whether it is a broadcast packet. If it is, proceed to the next step. If it is not, further determine whether it has an IP header: if it has an IP header, proceed to the next step; if it has no IP header, the current message is allowed to pass;
2. Set the detection flag bit according to the message type, and check whether the device information table contains this device's information; if not, create a new device entry and then proceed to the next step; if so, proceed directly to the next step;
3. Increment the corresponding counter according to the flag bit, and judge whether the number of messages received within one second exceeds the set threshold; if it does, proceed to the next step; if not, the current message is allowed to pass;
4. Discard the current message, add this device to the blacklist, and enable driver filtering.
After the system is loaded, a user who needs storm defense must either set the four storm detection configuration parameters manually or use their defaults. The four parameters are as follows:
1. Broadcast packet count threshold: the maximum number of broadcast messages allowed to be received per second.
2. IP-type message count threshold: the maximum number of messages containing an IP header, other than TCP and UDP messages, allowed to be received per second.
3. TCP message count threshold: the maximum number of TCP messages allowed to be received per second. TCP messages here means received TCP messages whose TCP header destination port is not open on the current device.
4. UDP message count threshold: the maximum number of UDP messages allowed to be received per second. Likewise, UDP messages here means received UDP messages for which the corresponding local port is not open.
After the user has set these four configuration parameters, every network message the device subsequently receives passes through the network storm detection mechanism on its way from the driver layer to the protocol stack. The storm detection mechanism obtains the sending device's information from the received message and stores it in its own communication device information table. It also counts and checks the received message according to its protocol type. If the number of messages received from a given device within one second exceeds the threshold set earlier, that sending device's information is stored in the blacklist and the driver filtering mechanism is enabled.
Thereafter, whenever the driver receives a message, it compares the message's source MAC with the information in the blacklist. If the source MAC is in the blacklist, the driver layer filters the message out.
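The storm detection steps of embodiment two and the driver-level blacklist check, as a two-layer sketch. This is an added example, not code from the patent or its assignee; the structure layout, function names, default threshold values and the fail-open choice for a full device table are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEV_TABLE_SIZE 32
enum pkt_class { CLS_BROADCAST, CLS_IP_OTHER, CLS_TCP_CLOSED, CLS_UDP_CLOSED,
                 CLS_COUNT, CLS_EXEMPT };
enum { PROTO_TCP = 6, PROTO_UDP = 17 };

/* The four per-second thresholds from the description; values are assumed defaults. */
static uint32_t storm_threshold[CLS_COUNT] = { 100, 200, 50, 50 };

struct pkt_info {                /* fields the driver has already parsed from a frame */
    uint8_t src_mac[6];
    int     is_broadcast;
    int     has_ip_header;
    int     ip_proto;            /* 6 = TCP, 17 = UDP */
    int     dst_port_open;       /* is the destination port open on this device? */
};

struct dev_entry {               /* one row of the communication device information table */
    int      used;
    uint8_t  mac[6];
    uint32_t window;             /* the second the counters belong to */
    uint32_t count[CLS_COUNT];
    int      blacklisted;
};

static struct dev_entry dev_table[DEV_TABLE_SIZE];
static int      driver_filter_on;   /* switched on by the upper layer */
static unsigned driver_drops;

static struct dev_entry *dev_lookup(const uint8_t mac[6], int create)
{
    struct dev_entry *slot = NULL;
    for (int i = 0; i < DEV_TABLE_SIZE; i++) {
        if (dev_table[i].used && memcmp(dev_table[i].mac, mac, 6) == 0) return &dev_table[i];
        if (!dev_table[i].used && !slot) slot = &dev_table[i];
    }
    if (!create || !slot) return NULL;
    memset(slot, 0, sizeof *slot);
    slot->used = 1;
    memcpy(slot->mac, mac, 6);
    return slot;
}

/* Steps 1 and 2: pick the counter a message belongs to, or exempt it from counting. */
static enum pkt_class classify(const struct pkt_info *p)
{
    if (p->is_broadcast)   return CLS_BROADCAST;
    if (!p->has_ip_header) return CLS_EXEMPT;       /* allowed to pass */
    /* TCP/UDP count only when the destination port is not open locally. */
    if (p->ip_proto == PROTO_TCP) return p->dst_port_open ? CLS_EXEMPT : CLS_TCP_CLOSED;
    if (p->ip_proto == PROTO_UDP) return p->dst_port_open ? CLS_EXEMPT : CLS_UDP_CLOSED;
    return CLS_IP_OTHER;
}

/* Bottom layer (NIC driver): a source-MAC lookup only, so a flood costs little CPU. */
int driver_filter_drop(const uint8_t src_mac[6])
{
    struct dev_entry *d;
    if (!driver_filter_on) return 0;
    d = dev_lookup(src_mac, 0);
    if (!d || !d->blacklisted) return 0;
    driver_drops++;
    return 1;
}

/* Upper layer: returns 1 to pass the message to the protocol stack, 0 to discard it. */
int storm_check(const struct pkt_info *p, uint32_t now_sec)
{
    enum pkt_class c = classify(p);
    struct dev_entry *d;
    if (c == CLS_EXEMPT) return 1;
    d = dev_lookup(p->src_mac, 1);
    if (!d) return 1;                               /* table full: fail open (assumption) */
    if (d->window != now_sec) {                     /* new one-second window */
        d->window = now_sec;
        memset(d->count, 0, sizeof d->count);
    }
    if (++d->count[c] <= storm_threshold[c]) return 1;   /* step 3 */
    d->blacklisted = 1;                             /* step 4: blacklist, enable driver filter */
    driver_filter_on = 1;
    return 0;
}

/* Receive path: driver filter first, then the upper-layer storm detection. */
int fw_receive(const struct pkt_info *p, uint32_t now_sec)
{
    if (driver_filter_drop(p->src_mac)) return 0;
    return storm_check(p, now_sec);
}

int main(void)
{
    struct pkt_info noisy = { { 0x02, 0, 0, 0, 0, 0x0a }, 1, 0, 0, 0 };  /* constructed */
    unsigned passed = 0;
    for (int i = 0; i < 150; i++) passed += (unsigned)fw_receive(&noisy, 1);
    printf("passed %u of 150 broadcasts, %u dropped in the driver\n", passed, driver_drops);
    return 0;
}
```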
For certain suspicious messages, the present invention actively sends network messages to probe the real current network environment. It filters using a combination of whitelist and blacklist, so that legitimate messages can still be communicated while problematic messages are filtered out. It places the main filtering work in the network driver, so that high-bandwidth network attacks affect the embedded device's other tasks as little as possible.
The invention's specific handling of common embedded network attacks is mainly as follows:
ARP spoofing: The active network firewall sends ARP requests on its own initiative to judge whether the current network situation is ARP spoofing or a case such as a genuine change of an embedded device's MAC address.
Network storms: The firewall has a detection mechanism that analyzes current network traffic and, according to the user's configuration, judges whether a network storm is occurring and identifies the storm type. For an embedded device caught in a network storm, the firewall has a filtering mechanism that prevents the device's limited performance from affecting its own communication, system operation and other functions.
TCP SYN flood attacks: The firewall internally maintains a SYN message information table and a whitelist. For high-volume TCP SYN flood attacks, the firewall has a filtering mechanism that prevents the device's limited performance from affecting its own communication, system operation and other functions.
Replay attacks: The firewall uses an ingenious method that takes the ID field of the IP header as the basis for replay attack detection and, by exploiting the firewall's active nature, can accurately and effectively judge whether a received message is a replay attack message and defend against attack messages accordingly.
Distributed denial-of-service attacks: The firewall internally maintains an information table of established TCP connections. The firewall can change the per-port connection limit at any time and can check the current connection state of a port at any time.

Claims (7)

1. one kind is used for Embedded Active Networks system of defense, it is characterised in that:Including network protocol stack module and active Cyber-defence module, active network defense module are divided into fire wall upper layer module and fire wall bottom module, the fire wall Bottom module is located in trawl performance, and the fire wall upper strata includes packet check module and exception processing module;
Packet check module, for being analyzed and processed to the network message received;Wherein network message includes embedded set The response message of other equipment after the request message that network message, the fire wall of standby proper communication are actively sent;
Exception processing module, for carrying out abnormality processing after packet check is pinpointed the problems, the method for wherein abnormality processing is divided into Two kinds:The first is directed to the network message that can clearly judge generation problem, and exception processing module notice driving layer is prevented Wall with flues filter, start the network message that is received to embedded device carry out corresponding to filter operation;Second for can not be accurate Really judge the network message to go wrong, exception processing module actively sends request message, inquires the equipment communicated with, it is determined that being No generation problem.
A kind of 2. defence method for being used for Embedded Active Networks system of defense as claimed in claim 1, it is characterised in that Comprise the following steps:
1) Active Networks system of defense is installed in embedded device system;
2) packet check module is analyzed the network message received, and judges that message whether there is problem, if do not had Problem then judges message by being directly passed to protocol stack, judges that message can not enter in next step if if problematic;
3) can exception processing unit confirm that it is attack message to exception message, if it is confirmed that, then enter in next step, if not Confirm, then send the true environment of request message inquiry network, return to step 2;
4) abandon current message and set white black list to open bottom filter.
3. the defence method according to claim 2 for Embedded Active Networks system of defense is characterized in that:Institute Stating the network message in step 2 includes the request message that the network message of embedded device proper communication, fire wall are actively sent The response message of other equipment afterwards.
4. the defence method according to claim 2 for Embedded Active Networks system of defense is characterized in that:Institute State and be divided into two kinds of situations when the problem of exception processing unit is to receiving in step 3 message is analyzed:
3.1) the first situation:Live network situation can be determined according to network message;
3.2) second of situation:Live network situation can not be determined according to network message, current device under attack also may may be used It can be change of network environment.
5. The defense method for the embedded active network defense system according to claim 4, characterized in that: in the first situation of step 3, when the real network situation can be determined from the network message, the exception processing module sets the white/black list, actively turns on the firewall bottom-layer filter to filter the subsequent messages, and discards the message currently being processed.
6. The defense method for the embedded active network defense system according to claim 4, characterized in that: in the second situation of step 3, the exception processing module confirms the real network situation by sending a request message; the message being processed is first saved by the system and is not passed to the protocol stack; then, after the request message has been sent, the packet check module receives the corresponding response; if the response is correct, the previously saved message is passed to the protocol stack, otherwise the previously saved message is discarded.
7. The defense method for the embedded active network defense system according to claim 2, characterized in that: in step 4, after the firewall bottom-layer filter has been turned on, messages are filtered against the white/black list while the network traffic is analyzed at the same time; if the network traffic is lower than the value set by the user, the system actively turns the filter off; if the packet check module detects a problem after the filter has been turned off, the filter is turned on again.
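The flow of claims 2 to 7 as a small state machine, added here as an illustration and not taken from the patent. The verdict values, numeric sender ids, the single held-message slot and the blacklist-only list are assumptions; the claims do not say how the packet check module reaches its verdict, so it is an input here.

```c
#include <stdbool.h>
#include <stdint.h>

/* Verdict of the packet check module (assumed input; not defined by the claims). */
enum verdict { V_OK, V_ATTACK, V_UNSURE };
enum action  { A_TO_STACK, A_DROPPED, A_HELD_PROBE_SENT, A_FILTERED };

#define MAX_BLACK 8
struct defense {
    uint32_t black[MAX_BLACK]; int nblack; /* blacklist of sender ids (hypothetical ids) */
    bool filter_on;                        /* state of the bottom-layer filter */
    bool holding;                          /* a message is parked while a probe is pending */
    unsigned min_rate;                     /* user-set traffic threshold (claim 7) */
};

static bool blacklisted(const struct defense *d, uint32_t src) {
    for (int i = 0; i < d->nblack; i++) if (d->black[i] == src) return true;
    return false;
}

/* Step 4 / claim 5: record the sender and turn the filter on. */
static void block(struct defense *d, uint32_t src) {
    if (!blacklisted(d, src) && d->nblack < MAX_BLACK) d->black[d->nblack++] = src;
    d->filter_on = true;
}

/* Steps 2 to 4: handle one received message together with its verdict. */
enum action on_message(struct defense *d, uint32_t src, enum verdict v) {
    if (d->filter_on && blacklisted(d, src)) return A_FILTERED;
    if (v == V_OK) return A_TO_STACK;
    if (v == V_ATTACK) { block(d, src); return A_DROPPED; }
    d->holding = true;                     /* claim 6: keep it away from the protocol stack */
    return A_HELD_PROBE_SENT;
}

/* Claim 6: the response to the request message decides the held message's fate. */
enum action on_probe_response(struct defense *d, bool response_correct) {
    if (!d->holding) return A_DROPPED;
    d->holding = false;
    return response_correct ? A_TO_STACK : A_DROPPED;
}

/* Claim 7: turn the filter off once traffic falls below the user-set value. */
void on_traffic_sample(struct defense *d, unsigned rate) {
    if (d->filter_on && rate < d->min_rate) d->filter_on = false;
}

int main(void) {
    struct defense d = { .min_rate = 100 };   /* constructed threshold */
    return on_message(&d, 7, V_OK) == A_TO_STACK ? 0 : 1;
}
```

The blacklist survives the filter being turned off, so a sender that misbehaves again is dropped by the check and the filter comes back on, which is the reopening behaviour of claim 7.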
CN201710659375.2A 2017-08-04 2017-08-04 Embedded active network defense system and defense method thereof Active CN107360182B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710659375.2A CN107360182B (en) 2017-08-04 2017-08-04 Embedded active network defense system and defense method thereof

Publications (2)

Publication Number Publication Date
CN107360182A true CN107360182A (en) 2017-11-17
CN107360182B CN107360182B (en) 2020-05-01

Family

ID=60286259

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710659375.2A Active CN107360182B (en) 2017-08-04 2017-08-04 Embedded active network defense system and defense method thereof

Country Status (1)

Country Link
CN (1) CN107360182B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108632280A (en) * 2018-05-08 2018-10-09 国家计算机网络与信息安全管理中心 Flow processing method, apparatus and system, fire wall and server
CN110290098A (en) * 2018-03-19 2019-09-27 华为技术有限公司 A kind of method and device of defending against network attacks
CN111343206A (en) * 2020-05-19 2020-06-26 上海飞旗网络技术股份有限公司 Active defense method and device for data flow attack
US11075926B2 (en) 2018-01-15 2021-07-27 Carrier Corporation Cyber security framework for internet-connected embedded devices
CN114513343A (en) * 2022-01-26 2022-05-17 广州晨扬通信技术有限公司 Method, device, system, equipment and storage medium for hierarchical interception of signaling firewall

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1440604A (en) * 2000-07-03 2003-09-03 智谋有限公司 Firewall system combined with embedded hardware and general-purpose computer
CN1855929A (en) * 2005-04-27 2006-11-01 华为技术有限公司 Method for preventing from wild ARP attacks
CN101217547A (en) * 2008-01-18 2008-07-09 南京邮电大学 A flood request attaching filtering method based on the stateless of open source core
CN102646173A (en) * 2012-02-29 2012-08-22 成都新云软件有限公司 Safety protection control method and system based on white and black lists
CN102843362A (en) * 2012-08-08 2012-12-26 江苏华丽网络工程有限公司 Method for carrying out ARP (Address Resolution Protocol) defense by using TCAM (Ternary Content Addressable Memory)
CN103916389A (en) * 2014-03-19 2014-07-09 汉柏科技有限公司 Method for preventing HttpFlood attack and firewall
CN103973700A (en) * 2014-05-21 2014-08-06 成都达信通通讯设备有限公司 Mobile terminal preset networking address firewall isolation application system
CN104780139A (en) * 2014-01-09 2015-07-15 北京东土科技股份有限公司 Defense system based on MAC (Medium/Media Access Control) address attack and system
CN106549972A (en) * 2016-11-25 2017-03-29 合肥海亚信息科技有限公司 A kind of firewall system of embedded intrusion detection feature

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11075926B2 (en) 2018-01-15 2021-07-27 Carrier Corporation Cyber security framework for internet-connected embedded devices
CN110290098A (en) * 2018-03-19 2019-09-27 华为技术有限公司 A kind of method and device of defending against network attacks
US11570212B2 (en) 2018-03-19 2023-01-31 Huawei Technologies Co., Ltd. Method and apparatus for defending against network attack
CN108632280A (en) * 2018-05-08 2018-10-09 国家计算机网络与信息安全管理中心 Flow processing method, apparatus and system, fire wall and server
CN111343206A (en) * 2020-05-19 2020-06-26 上海飞旗网络技术股份有限公司 Active defense method and device for data flow attack
CN114513343A (en) * 2022-01-26 2022-05-17 广州晨扬通信技术有限公司 Method, device, system, equipment and storage medium for hierarchical interception of signaling firewall
CN114513343B (en) * 2022-01-26 2022-10-04 广州晨扬通信技术有限公司 Hierarchical intercepting method and device for signaling firewall, computer equipment and storage medium

Also Published As

Publication number Publication date
CN107360182B (en) 2020-05-01

Similar Documents

Publication Publication Date Title
CN110445770B (en) Network attack source positioning and protecting method, electronic equipment and computer storage medium
CN107360182A (en) One kind is used for Embedded Active Networks system of defense and its defence method
JP4545647B2 (en) Attack detection / protection system
CN101136922B (en) Service stream recognizing method, device and distributed refusal service attack defending method, system
US7200866B2 (en) System and method for defending against distributed denial-of-service attack on active network
US7100201B2 (en) Undetectable firewall
US7051369B1 (en) System for monitoring network for cracker attack
AU2004289001B2 (en) Method and system for addressing intrusion attacks on a computer system
Ganesh Kumar et al. Improved network traffic by attacking denial of service to protect resource using Z-test based 4-tier geomark traceback (Z4TGT)
US20090077663A1 (en) Score-based intrusion prevention system
CN111010384A (en) Self-security defense system and security defense method for terminal of Internet of things
CN108768917A (en) A kind of Botnet detection method and system based on network log
CN106992955A (en) APT fire walls
EP1833227B1 (en) Intrusion detection in an IP connected security system
DE202022102631U1 (en) Intelligent defense system against distributed Denial of Service (DDoS) attacks in Internet of Things (IoT) networks
WO2005026872A2 (en) Internal lan perimeter security appliance composed of a pci card and complementary software
Dressler et al. Attack detection using cooperating autonomous detection systems (CATS)
KR20070119382A (en) Intrusion prevention system and controlling method
CN113079180B (en) Execution context based firewall fine-grained access control method and system
CN114268458A (en) Protection method of safety protection module for terminal public network safety communication
KR20130022507A (en) Apparatus and method of blocking network attack
CN112134845A (en) Rejection service system
CN114500083B (en) Terminal network behavior sniffing monitoring method
CN115225297B (en) Method and device for blocking network intrusion
CN118555121A (en) Control method and device for server network attack, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant