
CN113132381B - Computer network information safety controller - Google Patents

Computer network information safety controller

Info

Publication number
CN113132381B
Authority
CN
China
Prior art keywords
data
layer
physical connection
open network
security
Prior art date
Legal status
Active
Application number
CN202110419756.XA
Other languages
Chinese (zh)
Other versions
CN113132381A (en)
Inventor
何文刚
Current Assignee
Xi'an Smart Times Information Technology Co.,Ltd.
Original Assignee
Individual
Priority date
Filing date
Publication date
Application filed by Individual
Priority to CN202110419756.XA
Publication of CN113132381A
Application granted
Publication of CN113132381B
Legal status: Active
Anticipated expiration

Links

Images

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a computer network information security controller comprising a first port, a second port, a physical connection layer, a data processing layer, a security identification layer, an application filter layer and a data transmission layer, wherein the first port is connected with the second port. The data processing layer communicates with the physical connection layer and, through it, periodically acquires time data streams from the open network. The security identification layer is in parallel asynchronous communication with the data processing layer and the physical connection layer. A filtering database pre-stores the data attribute standards of the computer's security-matched devices or security-matched applications; a data attribute standard comprises a data generation cycle, a data generation period range, a device data mark and a device data block size range. The technical scheme of the invention can ensure the security of data exchange between a computer host and the open network it communicates with.

Description

Computer network information safety controller
Technical Field
The invention belongs to the technical field of computer network information security and in particular relates to a computer network information security controller.
Background
Because the traditional network architecture is closed, it is difficult to deploy and expand it quickly and effectively when it faces massive numbers of network applications and network services. In recent years, with the rise of virtualization and cloud computing, more and more network application services have therefore been migrating toward data center networks. This has also brought explosive growth in network traffic and places higher demands on the dynamism and security of the network.
Software Defined Networking (SDN) is a new trend in network development: it decouples the traditional closed network system into a data plane, a control plane and an application plane, and implements logically centralized control and management of the network. The OpenFlow protocol is the interaction protocol between the control plane and the data plane; the controller in the control plane sends control data that directs how the data plane forwards traffic. With the rapid development of SDN, its security issues are also receiving more and more attention, such as theft of important controller/host data, controller/host outages caused by malicious Distributed Denial of Service (DDoS) attacks, and installation of malicious applications, all of which pose great challenges to the security and stability of SDN.
To address these problems, Chinese patent application No. CN201810507739.X proposes a network scheduling method in which an SDN security controller acquires the physical network topology of a network security cloud, the network security cloud providing network security services in a cloud environment; when a user request is detected, the target network traffic corresponding to the request is scheduled based on that physical topology and transmitted to a virtual security device. The main idea of such solutions is to introduce traditional network security devices such as firewalls and intrusion detection systems to solve the SDN security problem, and they can indeed solve part of it; however, they require the security devices to be deployed in areas with exact boundaries, which violates the flexible, programmable and core-separated ideas of the SDN architecture.
Disclosure of Invention
To solve this technical problem, the invention provides a computer network information security controller comprising a first port, a second port, a physical connection layer, a data processing layer, a security identification layer, an application filter layer and a data transmission layer, wherein the first port is connected with the second port. The data processing layer communicates with the physical connection layer, periodically acquires time data streams from the open network through it, and performs data type identification on those streams. The security identification layer is in parallel asynchronous communication with the data processing layer and the physical connection layer and, based on the security identification result, changes the interface state of the physical connection layer and/or the period at which the data processing layer acquires the time data stream. The application filter layer filters out, from the time data stream, the application data that meets the security standard based on the security identification result and sends it to the data transmission layer; the data transmission layer then sends the application data to the computer through the second port.
The technical scheme of the invention is concretely realized as follows:
a computer network information security controller, the security controller comprising a first port and a second port, the first port communicating with an open network and the second port connected to a computer;
characterized in that:
the security controller comprises a physical connection layer, a data processing layer, a security identification layer, an application filter layer and a data transmission layer;
the physical connection layer comprises a southbound interface and a northbound interface, wherein the southbound interface faces equipment and the northbound interface faces applications;
the data processing layer comprises a plurality of data identification protocols; it communicates with the physical connection layer, periodically acquires the time data stream from the open network through it, and performs data type identification on the time data stream by means of the data identification protocols, the data types comprising short-period time data streams and long-period time data streams;
the security identification layer is in parallel asynchronous communication with the data processing layer and the physical connection layer, performs security identification on the time data stream identified by the data processing layer and on the time data stream acquired by the physical connection layer from the open network, and, based on the security identification result, changes the interface state of the physical connection layer and/or the period at which the data processing layer acquires the time data stream;
a filtering database pre-stores the data attribute standards of the computer's security-matched devices or security-matched applications, a data attribute standard comprising a data generation cycle, a data generation period range, a device data mark and a device data block size range.
In this case the application filter layer filters out, from the time data stream, the application data that meets the security standard based on the security identification result and sends it to the data transmission layer, and the application filter layer further performs:
updating the filtering database based on the application data in the time data stream that does not meet the data attribute standards of the filtering database.
In this case the security identification layer of the security controller further includes a trusted computing module, which performs trusted computing on the time data stream acquired by the physical connection layer from the open network and changes the interface state of the physical connection layer based on the result of that trusted computing.
In this case the southbound interface includes a device-level security data model and the northbound interface includes an application secure access network model.
In this scheme, the first port passively acquires open network data from the open network in real time and transmits it to the security controller;
after the computer sends feedback data to the security controller through the second port, the security controller sends the feedback data to the open network through the first port;
wherein the first port does not passively acquire open network data from the open network and transmit feedback data to the open network at the same time.
Drawings
FIG. 1 is a diagram of the main architecture of a computer network information security controller according to an embodiment of the present invention
FIG. 2 is a schematic diagram of the connection of the computer network information security controller of FIG. 1
FIG. 3 is a schematic diagram of data interaction between the security controller and the host and between the security controller and the open network shown in FIG. 1
FIG. 4 is a schematic diagram of the internal data interaction processing of the security controller shown in FIG. 1
FIG. 5 is a schematic diagram of a process for data security identification performed by the security controller of FIG. 1
Detailed Description
Referring to fig. 1, the main structural architecture of a computer network information security controller according to an embodiment of the present invention is shown.
Fig. 1 shows in outline that the security controller comprises a first port communicating with the open network and a second port connected to a computer.
In the various embodiments of the present invention, the open network is based on an open standard (e.g., the OpenFlow protocol) and bare computer hardware, and the network resources implemented by a network Operating System (OS) can be selected flexibly. The aim is to separate software from hardware and to provide a flexible, extensible and programmable network adapted to the application requirements of different scenarios; a user of the open network can therefore freely choose the operating system.
On top of this open network computing environment, distributed services of a heterogeneous distributed computing environment can be established. The computers (also called hosts) mentioned in the various embodiments of the present invention may act as distributed service nodes of that heterogeneous distributed computing environment.
The security controller of the present embodiment is therefore particularly suitable for computers in heterogeneous distributed computing environments.
Building on fig. 1, see fig. 2, which is a schematic connection diagram of the computer network information security controller shown in fig. 1.
In fig. 2, the security controller includes a physical connection layer, a data processing layer, a security identification layer, an application filtering layer and a data transmission layer.
The physical connection layer comprises a southbound interface and a northbound interface, wherein the southbound interface faces equipment and the northbound interface faces applications;
more specifically, the southbound interface includes a device-level security data model and the northbound interface includes an application secure access network model.
As a more specific key example, the device-level security data model adopted in the present embodiment is a model that provides differentiated security services according to the different security levels of device users, and completes user authentication on the device;
the application secure access network model adopted in the embodiment, on the other hand, is designed by combining NFV and SDN.
In fig. 2, the data processing layer includes a plurality of data identification protocols; it communicates with the physical connection layer, periodically obtains a time data stream from the open network through it, and performs data type identification on the time data stream by means of the data identification protocols, the data types including short-period time data streams and long-period time data streams.
In one specific implementation of the present invention, "long period" and "short period" are defined relative to the data generation pattern of a device or application, and the specific lengths can be determined by a person skilled in the art according to the actual situation. For example, for a popular application the period in which the application generates data is short, generally measured in days; if data type identification finds that the data generation period exceeds one day, the data is a long-period time data stream, and otherwise it is a short-period time data stream. The invention is not limited to this.
The security identification layer is in parallel asynchronous communication with the data processing layer and the physical connection layer, performs security identification on the time data stream identified by the data processing layer and on the time data stream acquired by the physical connection layer from the open network, and, based on the security identification result, changes the interface state of the physical connection layer and/or the period at which the data processing layer acquires the time data stream.
Thus, as a key improvement of the overall technical approach described above, in fig. 2 different acquisition periods correspond to different data identification protocols.
The application filtering layer filters out, from the time data stream, the application data that meets the security standard based on the security identification result and sends it to the data transmission layer;
and the data transmission layer transmits the application data to the computer through the second port.
In fig. 2, although not shown, the security identification layer of the security controller further includes a trusted computing module that performs trusted computing on the time data stream acquired by the physical connection layer from the open network and changes the interface state of the physical connection layer based on the result of that trusted computing.
Referring next to fig. 3, which is a schematic diagram of the data interaction between the security controller and the host and between the security controller and the open network of fig. 1.
In fig. 3, the first port passively acquires open network data from the open network in real time and transmits it to the security controller.
"Real-time" and "passive" here mean that data generated by the open network cannot be rejected by the computer as long as it is intended for the computer, because the computer is a distributed node of the open network and must receive it.
In the prior art, the security of this arrangement is not addressed.
With the improvement of the invention, a security controller equipped with a first port is placed between the computer, acting as a distributed node, and the open network.
The computer therefore still cannot reject data generated by the open network as long as the data is intended for it, but that data is now received by the first port.
After the computer sends feedback data to the security controller through the second port, the security controller sends the feedback data to the open network through the first port;
it is particularly important, however, that the first port does not passively acquire open network data from the open network and transmit feedback data to the open network at the same time.
With this arrangement, the computer at the end facing the open network can passively receive data in real time but does not send feedback data at the same moment, which guarantees the data distribution.
In fig. 3, the first port is drawn with a solid arrow and a dashed arrow, indicating that the two transfers do not occur simultaneously, i.e. the first port is a single-channel data interface that operates in one direction at a time, while the second port is a bidirectional synchronous data interface.
Reference is next made to fig. 4.
The data processing layer acquires a time data stream from the open network according to a first acquisition period and performs data type identification on the time data stream by means of the data identification protocol;
the security identification layer changes the first acquisition period at which the data processing layer acquires the time data stream based on the security identification result;
different first acquisition periods correspond to different data identification protocols.
Based on fig. 4, the security identification layer performs security identification on the time data stream identified by the data processing layer and on the time data stream acquired by the physical connection layer from the open network, and changes the interface state of the physical connection layer based on the security identification result, specifically as follows:
if the time data stream identified by the data processing layer has a time period attribute, or tends toward one, the southbound interface is closed; otherwise the northbound interface is closed.
The branching shown in fig. 4 indicates that the first acquisition period at which the data processing layer acquires the time data stream is changed at the same time.
Building on fig. 4, reference is further made to fig. 5.
The application filter layer communicates with a filtering database.
The filtering database pre-stores the data attribute standards of the computer's security-matched devices or security-matched applications, a data attribute standard comprising a data generation cycle, a data generation period range, a device data mark and a device data block size range.
The application filtering layer filters out, from the time data stream, the application data that meets the security standard based on the security identification result and sends it to the data transmission layer; specifically, the application filtering layer
sends to the data transmission layer the application data in the time data stream that meets the data attribute standards of the filtering database.
As stated above, the application data in the time data stream that meets the data attribute standards of the filtering database is sent to the data transmission layer.
Referring to fig. 5, the method further includes updating the filtering database based on the application data in the time data stream that does not meet the data attribute standards of the filtering database.
The technical scheme of the invention ensures the system security of a host in an open network when it receives data, and ensures that, through the various data processing steps, feedback data can be used to update the filtering database with respect to suitability, so that the subsequent security identification process becomes more effective.
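To make the filtering step concrete, here is an added example (written for this page, not the patent's own implementation) that models the data type identification and the application filter layer's match against the filtering database; the field names, the one-day threshold taken from the description's example, the sample standards and the handling of non-matching records as a held set are assumptions.

```python
# Added example for this page (not the patent's own code): a minimal model of the
# data type identification (short/long period) and of the application filter layer
# matching a time data stream against the filtering database. Field names, the
# sample standards and the handling of non-matching records are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

ONE_DAY = 24 * 3600  # the description's example threshold, in seconds


@dataclass(frozen=True)
class DataAttributeStandard:
    """One pre-stored entry of the filtering database: the four attributes the
    description lists for a security-matched device or application."""
    device_mark: str                   # device data mark
    generation_cycle: str              # "short" or "long" period class
    period_range: Tuple[int, int]      # allowed generation period, seconds (inclusive)
    block_size_range: Tuple[int, int]  # allowed data block size, bytes (inclusive)


@dataclass(frozen=True)
class StreamRecord:
    """One element of a time data stream as seen by the data processing layer."""
    device_mark: str
    generation_period: int  # seconds between successive blocks from this source
    block_size: int         # bytes


def classify_period(generation_period: int) -> str:
    """Data type identification: a generation period over one day is a
    long-period stream, otherwise a short-period stream."""
    return "long" if generation_period > ONE_DAY else "short"


@dataclass
class FilteringDatabase:
    standards: Dict[str, DataAttributeStandard]  # keyed by device data mark
    # Assumption: records that fail the standards are held aside so the database
    # can be updated deliberately; they are never forwarded or auto-trusted.
    pending: List[StreamRecord] = field(default_factory=list)

    def matches(self, rec: StreamRecord) -> bool:
        """All four attributes must agree with the pre-stored standard."""
        std = self.standards.get(rec.device_mark)
        if std is None:
            return False  # no standard for this device data mark
        lo, hi = std.period_range
        blo, bhi = std.block_size_range
        return (
            classify_period(rec.generation_period) == std.generation_cycle
            and lo <= rec.generation_period <= hi
            and blo <= rec.block_size <= bhi
        )

    def filter_stream(self, stream: Iterable[StreamRecord]) -> List[StreamRecord]:
        """Application filter layer: pass matching data to the transmission layer,
        hold everything else as candidate input for updating the database."""
        forwarded: List[StreamRecord] = []
        for rec in stream:
            if self.matches(rec):
                forwarded.append(rec)
            else:
                self.pending.append(rec)
        return forwarded


def build_sample_database() -> FilteringDatabase:
    """Constructed sample standards: a short-period sensor and a long-period archiver."""
    return FilteringDatabase(standards={
        "sensor-A": DataAttributeStandard("sensor-A", "short", (60, 3600), (64, 1024)),
        "archiver-B": DataAttributeStandard(
            "archiver-B", "long", (2 * ONE_DAY, 7 * ONE_DAY), (1024, 1 << 20)),
    })


def sample_stream() -> List[StreamRecord]:
    """Constructed time data stream mixing conforming and non-conforming records."""
    return [
        StreamRecord("sensor-A", 300, 256),              # conforms
        StreamRecord("sensor-A", 300, 4096),             # block size out of range
        StreamRecord("archiver-B", 3 * ONE_DAY, 65536),  # conforms
        StreamRecord("unknown-C", 10, 10),               # no standard for this mark
        StreamRecord("archiver-B", 3600, 2048),          # short period, standard expects long
    ]


def run_example() -> Tuple[int, int]:
    """Returns (records forwarded to the data transmission layer, records held)."""
    db = build_sample_database()
    forwarded = db.filter_stream(sample_stream())
    return len(forwarded), len(db.pending)


if __name__ == "__main__":
    print(run_example())  # (2, 3)
```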
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (4)

1. A computer network information security controller, the security controller comprising a first port in communication with an open network and a second port connected to a computer;
characterized in that:
the security controller comprises a physical connection layer, a data processing layer, a security identification layer, an application filter layer and a data transmission layer;
the physical connection layer comprises a southbound interface and a northbound interface, wherein the southbound interface faces equipment and the northbound interface faces applications;
the data processing layer comprises a plurality of data identification protocols; it communicates with the physical connection layer, periodically acquires the time data stream from the open network through it, and performs data type identification on the time data stream by means of the data identification protocols, the data types comprising short-period time data streams and long-period time data streams;
the security identification layer is in parallel asynchronous communication with the data processing layer and the physical connection layer, performs security identification on the time data stream identified by the data processing layer and on the time data stream acquired by the physical connection layer from the open network, and, based on the security identification result, changes the interface state of the physical connection layer and/or the period at which the data processing layer acquires the time data stream;
changing the interface state of the physical connection layer specifically comprises: if the time data stream identified by the data processing layer has a time period attribute, or tends toward one, closing the southbound interface; otherwise closing the northbound interface;
a data attribute standard of a security-matched device or security-matched application of the computer is pre-stored in a filtering database, the data attribute standard comprising a data generation cycle, a data generation period range, a device data mark and a device data block size range;
the first port passively acquires open network data from the open network in real time and transmits it to the security controller;
after the computer sends feedback data to the security controller through the second port, the security controller sends the feedback data to the open network through the first port;
wherein the first port does not passively acquire open network data from the open network and transmit feedback data to the open network at the same time.
2. The computer network information security controller of claim 1, wherein:
the application filter layer filters out application data meeting the safety standard from the time data stream based on the safety identification result and sends the application data to the data transmission layer, and the application filter layer further comprises:
updating the filtering database based on application data in the temporal data stream that does not meet data attribute criteria of the filtering database.
3. The computer network information security controller of claim 1, wherein:
the security identification layer of the security controller further comprises a trusted computing module, the trusted computing module performs trusted computing on the time data stream acquired by the physical connection layer from the open network, and changes the interface state of the physical connection layer based on the result of the trusted computing.
4. The computer network information security controller of claim 1, wherein:
the southbound interface includes a device level security data model;
the northbound interface includes an application secure access network model.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110419756.XA CN113132381B (en) 2021-04-19 2021-04-19 Computer network information safety controller


Publications (2)

Publication Number Publication Date
CN113132381A CN113132381A (en) 2021-07-16
CN113132381B true CN113132381B (en) 2022-08-02

Family

ID=76777703

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110419756.XA Active CN113132381B (en) 2021-04-19 2021-04-19 Computer network information safety controller

Country Status (1)

Country Link
CN (1) CN113132381B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110830456A (en) * 2019-10-22 2020-02-21 苏州凸现信息科技有限公司 Computer network safety system based on shift register
CN110912875A (en) * 2019-11-08 2020-03-24 中国电子科技集团公司第三十研究所 Network encryption method, system, medium and equipment based on southbound interface
CN111526089A (en) * 2020-04-14 2020-08-11 北京交通大学 Data fusion transmission and scheduling device based on variable-length granularity
CN111866154A (en) * 2020-07-25 2020-10-30 重庆电子工程职业学院 Big data information intelligent communication method based on Internet of things

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140143864A1 (en) * 2012-11-21 2014-05-22 Snoopwall Llc System and method for detecting, alerting and blocking data leakage, eavesdropping and spyware
US11003468B2 (en) * 2018-11-07 2021-05-11 Citrix Systems, Inc. Preloading of application on a user device based on content received by the user device


Also Published As

Publication number Publication date
CN113132381A (en) 2021-07-16


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20221207

Address after: 710043 Room 2905, Block D, Qujiang, Wangzuo, Yanxiang Road, Qujiang New District, Xi'an, Shaanxi

Patentee after: Xi'an Smart Times Information Technology Co.,Ltd.

Address before: 400000 Fengyang village, Baqiao Town, Dadukou District, Chongqing

Patentee before: He Wengang