CN100589425C - Public secure protection system and public secure protection method - Google Patents


Info

Publication number
CN100589425C
Authority
CN
China
Prior art keywords
public safety
security
safety protector
event information
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN200710130685A
Other languages
Chinese (zh)
Other versions
CN101079779A (en)
Inventor
何宝宏
田慧蓉
魏亮
曹蓟光
田辉
谢玮
马科
薛宁
武静
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Academy of Information and Communications Technology CAICT
Original Assignee
Research Institute of Telecommunications Transmission of Ministry Information Industry

Abstract

The invention discloses a public security protection system comprising a plurality of public security protectors arranged at the edge of the Internet, which form a public security protection network through information interaction. Each public security protector stores the security policy it obtains from locally collected security event information and distributes that policy to the target public security protectors determined from the security event information; it then controls the uplink and/or downlink traffic passing through it according to the security policies it stores. The invention also provides a public security protection method, so that effective public security protection can be provided for the Internet.

Description

Public security protection system and public security protection method
Technical field
The present invention relates to network security technology, and specifically to a public security protection system and a public security protection method.
Background technology
The Internet is one of a nation's critical information infrastructures and has become an important information environment on which people's work and daily life depend. Current Internet security protection schemes consist mainly of firewalls, intrusion detection and the like. These schemes are all specific to a particular network entity, such as an individual user or an enterprise user's local area network, and are therefore deployed on the individual user's host or at the enterprise user's LAN edge, where they protect the information and network of the protected point on behalf of the individual or enterprise user. In the following, an existing security protection system whose purpose is to protect the information and network security of a protected point is called a dedicated protection system, or "dedicated protection" for short. Existing security protection schemes such as firewalls and intrusion detection all belong to "dedicated protection" systems, and a network entity equipped with a "dedicated protection" system is called a dedicated protection point.
Fig. 1 is a schematic diagram of an existing security protection scheme. As shown in Fig. 1, an individual user exchanges information with the Internet through an access network, while an enterprise network exchanges information with the Internet directly. "Dedicated protection" systems are placed on the individual user's host and at the enterprise user's LAN edge to guarantee the security of the individual user and of the enterprise network.
However, the present "dedicated protection" systems have the following deficiencies:
First, such "dedicated protection" is implemented according to the needs of the protected point, that is, of the individual or enterprise user. It adopts one-way protection that monitors and controls only the traffic coming from the network, with the sole objective of guaranteeing the security of the protected point, in the spirit of "governing others but not oneself". Whether the protected point is itself an attack source, and whether it poses a security threat to the Internet, receive no attention. When an individual user or an enterprise network is an attack source, the attacks it launches propagate rapidly through the Internet, and the individual users or enterprise networks that are connected to the Internet without security protection of their own become the targets. It can be seen that the security of the Internet, as a public network, directly affects the security of the individual users and enterprise networks that connect to it.
Second, a "dedicated protection" scheme merely builds a "secure island" in the "dangerous ocean" of the Internet. Individual "dedicated protection" systems are independent of one another, so the security of a "dedicated protection" system depends entirely on its own protective capacity and protection level. Although related protection schemes have proposed linkage inside a local area network, for example between a firewall and an intrusion detection system, such security interaction takes place only inside one "dedicated protection" system, and no contact occurs between different "dedicated protection" systems. A point-based "dedicated protection" scheme therefore cannot achieve linkage between "dedicated protection" systems across the Internet. After one "dedicated protection" system discovers an attack, it can only formulate a corresponding security policy in time and update its own policy library; the protective capacity of the other "dedicated protection" systems is not improved. Such separately operating "dedicated protection" schemes cannot respond quickly to security events that need to be controlled jointly across the whole Internet.
In addition, different "dedicated protection" systems need to implement many identical security protection capabilities, for example virus protection. This duplicated work raises the cost and complexity of "dedicated protection" and makes efficient security management difficult to achieve.
It can be seen that existing security protection schemes cannot effectively achieve public security protection for the Internet.
Summary of the invention
In view of this, the invention provides a public security protection system that can provide public security protection for the Internet.
The system includes a plurality of public security protectors arranged at the edge of the Internet, each public security protector forming a public security protection network with the others through information interaction.
Each public security protector is used to store the security policy obtained from local security event information and to distribute it to the target public security protectors determined from that security event information; to store security policies received from outside; and to control the uplink and/or downlink traffic passing through it according to the security policies it stores.
The operation of determining the target public security protector is: determining the target public security protector from the source address and destination address of the security event in the security event information;
or determining the target public security protector from the source address range or destination address range of the security event in the security event information;
or determining the target public security protector from the type of the security event in the security event information.
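The three target-determination rules above can be modelled as a lookup over a registry of protectors. The following Python is an added example, not code from the patent; the protector names, guarded address ranges and event-type responsibilities in REGISTRY are constructed for the example, and the `mode` argument that selects which of the three rules applies is an assumption about how a protector would be configured.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Protector:
    """A public security protector and the address ranges it sits in front of."""
    name: str
    prefixes: list                                  # ipaddress networks guarded by this protector
    event_types: set = field(default_factory=set)   # event types it is responsible for


# Constructed registry; names, ranges and responsibilities are assumptions for the example.
REGISTRY = [
    Protector("pp-north", [ipaddress.ip_network("10.1.0.0/16")], {"dos", "worm"}),
    Protector("pp-south", [ipaddress.ip_network("10.2.0.0/16")], {"worm"}),
    Protector("pp-east",  [ipaddress.ip_network("10.3.0.0/16")], {"dos"}),
]


def by_address(addr):
    """Protectors whose guarded range contains a single address."""
    ip = ipaddress.ip_address(addr)
    return {p.name for p in REGISTRY if any(ip in net for net in p.prefixes)}


def by_range(cidr):
    """Protectors whose guarded range overlaps an address range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {p.name for p in REGISTRY if any(net.overlaps(g) for g in p.prefixes)}


def by_type(event_type):
    """Protectors responsible for a given security event type."""
    return {p.name for p in REGISTRY if event_type in p.event_types}


def target_protectors(event, mode, local_name):
    """Return the sorted list of target protectors for a security event.

    `mode` selects one of the three rules in the text: "address" uses the source
    and destination address, "range" uses the source and destination address
    ranges, "type" uses the event type. The local protector never distributes
    a policy to itself, so it is removed from the result.
    """
    if mode == "address":
        targets = by_address(event["src"]) | by_address(event["dst"])
    elif mode == "range":
        targets = by_range(event["src_range"]) | by_range(event["dst_range"])
    elif mode == "type":
        targets = by_type(event["type"])
    else:
        raise ValueError(f"unknown target determination mode: {mode}")
    targets.discard(local_name)
    return sorted(targets)


if __name__ == "__main__":
    # Constructed security event: a DoS attack detected by pp-north.
    event = {"src": "10.1.5.5", "dst": "10.3.9.9",
             "src_range": "10.1.5.0/24", "dst_range": "10.2.7.0/24",
             "type": "dos"}
    for mode in ("address", "range", "type"):
        print(mode, target_protectors(event, mode, "pp-north"))
```

The three rules give different target sets for the same event, which is why the text presents them as alternatives: address-based routing reaches only the protectors on the attack path's two ends, range-based routing reaches every protector guarding an overlapping prefix, and type-based routing reaches every protector responsible for that class of event regardless of address.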
When the public security protector determines that the local security event information describes an attack, it obtains a security policy from the security event information of that attack;
When the public security protector cannot determine whether the local security event information describes an attack, it initiates a collaborative analysis request carrying the local security event information to a predetermined collaborating public security protector in the public security protection network that provides collaborative analysis, and receives the collaborative analysis result returned by that collaborating public security protector; the security policy in the collaborative analysis result is then taken as the security policy obtained from the local security event information.
Preferably, the public security protector further receives collaborative analysis requests carrying security event information from external devices, collects related security event information, formulates a security policy from the received and collected security event information, and returns the formulated security policy to the external device that initiated the collaborative analysis request. The external device is another public security protector in the public security protection network or a dedicated security protection system that communicates with this public security protector.
Preferably, when the public security protector detects a new attack pattern, it further stores the new attack pattern locally and synchronizes it to the other public security protectors in the public security protection network.
Preferably, the public security protector further performs a security audit check on itself; after judging that it has been attacked, it restores itself to the last secure state according to locally recorded audit information, obtains the security policies required after recovery from other public security protectors in the public security protection network, and stores them locally.
The invention also provides a public security protection method that can provide public security protection for the Internet.
A plurality of public security protectors are arranged at the edge of the Internet and form a public security protection network through information interaction. The method includes:
a public security protector stores the security policy obtained from local security event information and distributes it to the target public security protectors determined from that security event information; it stores security policies received from outside;
according to the stored security policies, it controls the uplink and/or downlink traffic passing through it.
The operation of determining the target public security protector is: determining the target public security protector from the source address and destination address of the security event in the security event information; or from the source address range or destination address range of the security event in the security event information; or from the type of the security event in the security event information.
Obtaining a security policy from the local security event information comprises:
the public security protector monitors the traffic passing through it in real time and, after detecting a security event, analyzes the security event information of the detected event using the decision support information it stores as the basis;
when the security event is determined to be an attack, a security policy is formulated;
when it cannot be determined whether the security event is an attack, a collaborative analysis request carrying the detected security event information is initiated to a predetermined public security protector that provides collaborative analysis; the collaborative analysis result returned by that public security protector is received, and the security policy in the collaborative analysis result is taken as the security policy obtained from the security event information.
The security policy received from outside is:
a security policy distributed by another public security protector in the public security protection network;
or a security policy customized by the dedicated protection system used by an individual user or LAN user;
or a security policy sent by the security management system of a security administration department.
Preferably, the method further comprises: receiving a collaborative analysis request from an external device, obtaining the security event information carried in the request, and obtaining from outside the related security event information needed for the collaborative analysis according to the request; analyzing the security event information obtained from the request together with the related security event information, using the locally stored decision support information as the basis; and formulating a security policy for any security event determined to be an attack.
Preferably, after the security event is determined to be an attack, the method further comprises: when the attack is judged to be a new attack pattern, storing the new attack pattern locally and synchronizing it to the other public security protectors in the public security protection network.
Preferably, the method further comprises: the public security protector performs a security audit check on itself; after judging that it has been attacked, it restores itself to the last secure state according to locally recorded audit information, obtains the security policies required after recovery from other public security protectors in the public security protection network, and stores them locally.
Preferably, the method further comprises: authenticating the source of information coming from outside the public security protector, and allowing the public security protector to process the information only when it is judged to come from a legitimate source.
From the above technical scheme it can be seen that the invention can provide public security protection for the Internet. Specifically, it has the following beneficial effects:
A plurality of public security protectors are arranged at the edge of the Internet and form a public security protection network through information interaction. Because the public security protectors in this network are deployed at the network edge of the Internet, they can be operated by the network operator, and policies that satisfy the public security requirements of the state, the operator and users can be formulated in them.
A public security protector can distribute the security policies it formulates to the other public security protectors that need them, and can also receive security policies distributed by other public security protectors, thereby realizing linkage between the public security protectors. This policy distribution and learning mechanism, based on the principle of immunity, gives the public security protection network the ability to defend rapidly and proactively against a variety of attacks, and overcomes the defect of the prior-art "dedicated protection" systems being independent of one another.
Furthermore, this linkage mechanism is not confined to the inside of the public security protection network: a public security protector can also link with "dedicated protection" systems. The linkage therefore spans the whole Internet, whether between public security protectors, between a public security protector and a "dedicated protection" system, or between a public security protector and the security management system of a security administration department, rather than being linkage inside a single "dedicated protection" system as in the prior art.
A public security protector can not only formulate security policies on its own initiative but can also carry out collaborative analysis of security event information through the collaborative analysis mechanism. When a public security protector cannot determine from its own capability whether an attack has occurred, this mechanism lets it request collaborative analysis from a collaborating public security protector, so that the resources of the whole public security protection network are used to respond quickly to the attack.
A public security protector in the public security protection system can learn security policies from other security devices. After a public security protector has been attacked, it can restore itself to the last secure state from its recorded audit information, obtain the security policies required after recovery from other public security protectors in the public security protection network, and store them in its policy library, so that its working capability is restored rapidly.
Each public security protector can control both uplink and downlink traffic, achieving two-way security protection.
After a public security protector discovers a new attack pattern, it synchronizes the new attack pattern to the other public security protectors in the public security protection network, so that every protector that receives the attack pattern can correctly identify attacks of this type.
In summary, the public security protection scheme of the invention effectively defends against network attacks and guarantees the security of the network environment, thereby achieving public security protection.
Description of drawings
Fig. 1 is a schematic diagram of an existing security protection scheme.
Fig. 2 is a schematic structural diagram of the public security protection system in an embodiment of the invention.
Fig. 3 is a schematic structural diagram of the public security protector in an embodiment of the invention.
Fig. 4 is a schematic flowchart of the public security protection method of the invention.
Fig. 5 is a flowchart of the public security protector's handling of a local security event in an embodiment of the invention.
Fig. 6 is a flowchart of the collaborative analysis operation performed by the public security protector in an embodiment of the invention.
Embodiments
The invention introduces the concept of public security protection, abbreviated "public protection". The purpose of "public protection" is to protect the public security of the Internet: to ensure that the Internet neither launches attacks on its online users nor is attacked by them, and to achieve rapid perception of and response to security events across the whole network.
The entity that realizes public security protection is called a public security protector, or public protection point for short. The difference from existing "dedicated protection" systems is that public protection points are deployed at the edge of the public Internet, each public protection point controls the bidirectional traffic passing through it, and the public protection points can link with one another through information interaction. Specifically, each public protection point deployed at the public Internet edge bears two important public security responsibilities. The first is protecting the security of both sides of the public protection point by controlling the uplink and downlink traffic passing through it, so that it can resist attacks launched from the network and does not launch attacks on the network. The second is that the public protection points can link with one another to form a public protection network: after obtaining a new security policy, a public protection point can distribute it to the other relevant public protection points, so that every public protection point gains the ability to defend rapidly and proactively against a variety of attacks, effectively guaranteeing the security of the Internet environment and achieving public security protection.
The device that implements the functions of a public protection point is called a public security protector. It can be located inside a network device at the edge of the Internet, or be set up separately at the edge of the Internet.
The invention is described below with reference to the accompanying drawings and embodiments.
Fig. 2 shows the schematic structure of the public security protection system in an embodiment of the invention. As shown in Fig. 2, the system comprises a plurality of public security protectors 201. Each public security protector 201 achieves linkage by exchanging information. Each public security protector stores the security policy obtained from local security event information and distributes it to the target public security protectors determined from that security event information; it stores security policies received from outside; and it controls the uplink and downlink traffic passing through it according to the stored security policies (in Fig. 2, solid lines represent data traffic).
Here, security event information is information related to a security event, and a security event means an access behaviour or traffic data that may pose a security threat to the network entities on either side of the public security protector.
The Internet referred to here is the "carrier network" operated by a network operator; it may be a metropolitan area network or a network composed of several metropolitan area networks, such as a provincial network. The public security protector may be a separate device at the edge of the Internet, or may be located inside a Broadband Access Server (BAS), an edge router or another network edge device at the edge of the Internet. Information interaction between the public security protectors is achieved by signalling (signalling flows are shown as dashed lines in Fig. 2), and the public security protectors may form a full-mesh, star or other topology.
The invention calls the public security protection system the Internet Public Security Protection Architecture (IPSPA), or the IPSPA system. Each public security protector in the IPSPA system can work alone or in cooperation with others.
The public security protectors in the public security protection system can work independently, cooperate with one another, and also cooperate with existing "dedicated protection" systems. Fig. 2 also shows how the public security protection system combines with "dedicated protection" systems: as shown in Fig. 2, a public security protector 201 and a "dedicated protection" system 202 can communicate with each other, and each can also work alone, taking on different responsibilities. When "public protection" and "dedicated protection" are combined, "dedicated protection" can use its security protection scheme more efficiently and concentrate on providing specific protective capabilities for individual users or intranet users, while "public protection", oriented to the public security needs of the state, the operator and users, provides public security protective capabilities for individual and intranet users within the public Internet administered by the operator. The effective combination of "public protection" and "dedicated protection" therefore satisfies the security needs of different parties and forms a more complete Internet security protection system.
The public security protectors can carry out not only linked control but also collaborative analysis. Specifically, after determining that the local security event information describes an attack, a public security protector 201 formulates a security policy from the security event information of that attack; when it cannot determine whether the local security event information describes an attack, it initiates a collaborative analysis request carrying the local security event information to a predetermined collaborating public security protector that provides collaborative analysis, receives the collaborative analysis result returned by that protector, and takes the security policy in the result as the security policy obtained from the local security event information.
A public security protector 201 that provides collaborative analysis can assist not only other public security protectors but also "dedicated protection" systems.
If, during analysis or collaborative analysis, a public security protector detects a new attack pattern, it stores the new attack pattern locally and synchronizes it to the other public security protectors in the public security protection network.
In addition, each public security protector performs a security audit check on itself. After judging that it has been attacked, it can restore itself to the last secure state according to the locally stored audit information, and can also obtain the security policies required after recovery from other public security protectors in the public security protection network and store them locally.
How the public security protector implements the above functions of linkage, collaborative analysis and attack pattern updating is described in detail below with reference to its concrete composition.
Fig. 3 shows the schematic structure of the public security protector in an embodiment of the invention. As shown in Fig. 3, the public security protector comprises a security event library 305, a decision support library 306, a policy library 303, an information collection module 307, an analysis and decision module 301, a coordination module 302 and a defense control module 304.
The security event library 305 stores security event information. This information is collected by the protector itself, obtained from other public security protectors, sent by "dedicated protection" systems, or sent by the security management system of a security administration department.
The security event information stored in the security event library 305 includes the date and time at which the security event occurred, the subject and object of the event, the type of the event, the hazard level of the event, the analysis result of the event and its handling state. The subject and object of a security event comprise its source address or source address range and its destination address or destination address range. The type of a security event includes denial-of-service (DoS) attack, worm virus and so on. The hazard level of a security event includes general danger, moderate danger and extreme danger. The analysis result of a security event means the consequence the event may cause. The handling state of a security event includes: the event is ignored, collaborative analysis has been requested and the result is awaited, a security policy has been formulated, and so on. This security event information can be used to support the locating and tracing of network attack systems.
The decision support library 306 stores the decision support information used for analysis and decision-making. This information is the basis on which the analysis and decision module 301 carries out analysis and collaborative analysis. It includes attack pattern information used for attack pattern matching during analysis and decision-making, analysis rules used for anomaly analysis, and so on.
The policy library 303 stores the security policies used for defense control. A security policy comprises the policy content, the effective time of the policy, the source of the policy, the state of the policy and so on. The source of a policy is where it came from: for example, formulated by the protector itself, received from another public security protector or from a "dedicated protection" system, or received from the security management system of a security administration department. The state of a policy is either automatically executing or disabled; a security policy in the automatically executing state is an effective security policy.
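The following Python is an added example, not code from the patent, of a policy library carrying the four fields just listed and a defense-control check that applies only policies in the automatically executing state whose effective time covers the flow. The policy content schema (direction, source range, destination port, action), the update rule "a policy with the same content replaces the old entry", and the sample policies in `build_library` are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Policy:
    """One entry of the policy library: content, effective time, source and state."""
    direction: str            # content: "uplink" or "downlink"
    src_net: str              # content: source address range the policy applies to
    dst_port: Optional[int]   # content: destination port, None for any port
    action: str               # content: "drop" or "allow"
    valid_from: datetime      # effective time: start of the window
    valid_to: datetime        # effective time: end of the window (exclusive)
    source: str               # "self", "peer", "dedicated" or "management"
    state: str = "auto_execute"   # or "disabled"; only auto_execute policies are effective

    def key(self):
        """The policy content; two entries with equal content are the same policy."""
        return (self.direction, self.src_net, self.dst_port)


class PolicyLibrary:
    def __init__(self):
        self.policies = []

    def update(self, policy):
        """Assumed local update rule: same content replaces the existing entry."""
        self.policies = [p for p in self.policies if p.key() != policy.key()]
        self.policies.append(policy)

    def effective(self, now):
        """Policies that are automatically executing and inside their effective time."""
        return [p for p in self.policies
                if p.state == "auto_execute" and p.valid_from <= now < p.valid_to]

    def decide(self, flow, now):
        """Defense control: first matching effective policy decides; default is allow."""
        src = ipaddress.ip_address(flow["src"])
        for p in self.effective(now):
            if p.direction != flow["direction"]:
                continue
            if src not in ipaddress.ip_network(p.src_net):
                continue
            if p.dst_port is not None and p.dst_port != flow["dst_port"]:
                continue
            return p.action
        return "allow"


def build_library():
    """Constructed library: one self-formulated policy and one disabled peer policy."""
    lib = PolicyLibrary()
    lib.update(Policy("uplink", "10.1.0.0/16", 25, "drop",
                      datetime(2024, 1, 1), datetime(2024, 2, 1), source="self"))
    lib.update(Policy("downlink", "0.0.0.0/0", 445, "drop",
                      datetime(2024, 1, 1), datetime(2025, 1, 1), source="peer",
                      state="disabled"))
    return lib


if __name__ == "__main__":
    lib = build_library()
    now = datetime(2024, 1, 15)
    print(lib.decide({"direction": "uplink", "src": "10.1.2.3", "dst_port": 25}, now))
    print(lib.decide({"direction": "downlink", "src": "203.0.113.7", "dst_port": 445}, now))
```

The check filters by state and effective time before looking at content, so a policy that has expired or been disabled silently stops matching rather than having to be deleted; re-enabling it is a matter of storing an entry with the same content in the automatically executing state.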
Information search module 307, be used for the flow of real-time monitoring stream through this public safety protector, after detecting security incident, obtain the security event information relevant with this security incident, the security event information that obtains is sent to security incident storehouse 305 preserve, send security incident to analysis decision module 301 simultaneously and analyze notice.Startup or the forbidding that function can realize this function by configuration collected in the security incident of this information search module 307.
Analysis decision module 301 is responsible for analyzing and/or collaborative the analysis according to security event information, information for supporting some decision.At first the analysis operation to the analysis decision module describes.
Analysis decision module 301 is after notice is analyzed in the security incident that receives 307 transmissions of information search module, 305 extract the security event information of current generation or the security event information that takes place in a period of time recently from the security incident storehouse, from decision support storehouse 306, obtain information for supporting some decision, analyze according to security event information that obtains and information for supporting some decision, obtain analysis result.Analysis operation can adopt existing attack mode coupling, abnormal behaviour analysis, technology such as data mining.The purpose of analyzing is to judge whether self-protection point detects attack.
The case in which an attack is determined to have occurred is described below. After an attack has been determined to have occurred, the following operations are carried out:
1. Raise a security event alarm.
The alarm operation can be configured as enabled or disabled; when enabled, the specific alarm action can also be configured.
2. Determine whether a new security policy needs to be formulated. When a new security policy is needed, formulate it from the security event information of this attack, then update policy library 303 according to the local security policy update rule. If it is further determined that the new policy needs to be distributed, send the security event information of the attack together with the newly formulated security policy to coordination module 302.
Here, when determining whether a new security policy needs to be formulated: if no security policy corresponding to this attack exists, one needs to be formulated; otherwise it does not. Whether the new policy needs to be distributed is determined by the type of attack. For example, for an attack caused by a virus, the policy needs to be distributed to all other public security protection devices in the public security protection network. When an attack passes through several public security protection devices on its way from source to destination, the first device it passes through is the source public security protection device; therefore, when the device that determined the attack is not the source device, it needs to distribute the policy it formulated to the source device so that the source device can control the attack at its source; if the device that determined the attack is itself the source device, it need not distribute its policy and controls the attack at the source directly. The rules for deciding whether a policy needs to be distributed are set in advance, and the specific rules are set according to differing security needs.
In addition, the security event information of the attack sent to coordination module 302 may be only part of the attributes of the security event information, for example the source and destination addresses of the security event, the source or destination address segment, and the security event type, so as to help coordination module 302 determine from this information the target public security protection devices for policy distribution.
3. Determine whether the attack belongs to an unknown attack pattern. If so, obtain the attack pattern, treat the obtained attack pattern information as decision support information, update the decision support information in decision support database 306 according to the local attack pattern update rule, and send the obtained attack pattern information to coordination module 302. This determination step has no fixed order relative to the step of determining whether a new security policy needs to be formulated and the alarm step.
After the above determination and processing are complete, analysis decision module 301 also saves the analysis processing result in security event database 305. The analysis processing result includes the type of the security event, the analysis result for the event, and the processing state of the event.
The security policy update rule mentioned above may be set to: by default, insert the new security policy into the security policy database automatically; or send alarm information and wait for administrator confirmation before further processing the new policy. The attack pattern update rule may be set to: by default, insert the new attack pattern into decision support database 306 automatically; or wait for administrator confirmation before further processing the new attack pattern. The local security policy update rule and attack pattern update rule may be stored in analysis decision module 301, or in a storage module within the public security protection device. For example, a configuration information storage module can be added to the device to store processing rules and configuration information such as the security policy update rule and the attack pattern update rule.
Coordination module 302 is the interface through which the public security protection device exchanges information with the outside. It can receive information from inside the device, from other public security protection devices, from a dedicated protection system, or from the security management system of the security administration authority. Because the sources and types of information it receives are fairly complex, its functions are described in detail below by category.
1) Processing of the security policy distribution operation.
After receiving security event information and a security policy from analysis decision module 301, coordination module 302 determines the target public security protection devices from the received security event information, generates a security policy distribution message carrying the security policy, and sends that message to the determined target devices.
Here, determining the target devices means determining them according to the source and destination addresses of the security event in the received security event information, the source or destination address segment, or the security event type, and then sending the security policy distribution message. For example, device A finds from the source and destination address segments in the security event information that traffic from addresses b, c and d flowed through public protection points B, C and D respectively and then launched an attack on destination address a through point A; after formulating a security policy, protection point A must send that policy to B, C and D so that B, C and D can control the relevant traffic. The target devices can also be determined by the type of the security event: for example, if the security event is a virus, the newly formulated policy must be sent to all public security protection devices in the public security protection network.
After receiving a security policy distribution message from outside, coordination module 302 obtains the security policy from it and updates policy library 303 with the obtained policy according to the local security policy update rule.
2) Processing of the attack pattern synchronization operation.
After receiving attack pattern information from analysis decision module 301, coordination module 302 generates an attack pattern synchronization message carrying that information and sends it to the other public security protection devices. Attack pattern synchronization is usually carried out network-wide, so that the attack pattern information of every protection point in the whole network is updated. "The whole network" here means the public security protection network made up of the public security protection devices.
After receiving an attack pattern synchronization message from another public security protection device, coordination module 302 obtains the attack pattern information from it and updates decision support database 306 with that information according to the local attack pattern update rule.
The local security policy update rule and attack pattern update rule described here may be stored in coordination module 302 or in a storage module within the device, for example the aforementioned configuration information storage module. Usually the security policy update rules in the different modules of one device are configured identically, and likewise the attack pattern update rules. With the latter scheme, a single configuration lets coordination module 302 and analysis decision module 301 share the same security policy update rule and attack pattern update rule.
Defense control module 304 controls in real time the uplink and downlink traffic flowing through this public security protection device according to the security policies in policy library 303. Its defense control function can also be configured to apply defense control to uplink traffic only or to downlink traffic only.
In practice, if analysis decision module 301 cannot determine whether the security event under analysis is an attack, it can determine from the behavioural characteristics of the event the threat level the event may pose. Security events of different levels can be processed by analysis decision module 301 in predetermined ways. For example, for a security event with a high threat level, analysis decision module 301 can carry the security event information in a collaborative analysis request and send it to coordination module 302.
After receiving the collaborative analysis request sent by analysis decision module 301, coordination module 302 can initiate a collaborative analysis request to the public security protection devices predetermined to provide collaborative analysis for this device. Below, a device that can provide collaborative analysis is called a collaborating public security protection device. If the device that wants to initiate collaborative analysis has no corresponding collaborating device, collaborative analysis cannot be initiated.
After receiving the collaborative analysis result returned by the collaborating device, coordination module 302 obtains the analysis processing result of the security event from it and uses that result to update the corresponding security event information in security event database 305. If the collaborative analysis result indicates that the analyzed security event is an attack and the collaborating device has formulated a policy for that attack, coordination module 302 must also raise a security event alarm and update policy library 303 with the obtained policy according to the local security policy update rule. It may further determine whether the obtained policy should be distributed and, if so, distribute it to the determined target devices.
When a collaborating public security protection device performs collaborative analysis, the analysis is carried out by its analysis decision module 301. The collaborative analysis operation of analysis decision module 301 in a collaborating device is described in detail below.
Analysis decision module 301 receives a security event collaborative analysis notification from coordination module 302, which coordination module 302 sends after receiving a collaboration request from outside. The collaboration request may come from another public security protection point, from a dedicated protection system, or from the security management system of the security administration authority. The notification carries the security event information obtained from the collaborative analysis request, and the security event information required for collaborative analysis that coordination module 302 collected from other relevant public security protection devices. Analysis decision module 301 can thus obtain the security event information from the notification and analyze it collaboratively using the decision support information obtained from decision support database 306. In practice, the obtained security event information may also be stored in security event database 305 by coordination module 302 after it collects the information needed for collaborative analysis, and then extracted by analysis decision module 301; in that case the security event collaborative analysis notification received by analysis decision module 301 contains no security event information.
The collaborative analysis operation of analysis decision module 301 may use one or a combination of the existing attack pattern matching, anomalous behaviour analysis and data mining techniques. Its purpose is to help the public security protection device, dedicated protection system or security management system that initiated the collaborative analysis determine whether the security event it provided is an attack, and to formulate a corresponding security policy.
Like the "analysis result" above, the "collaborative analysis result" also covers two cases. When an attack is determined to have occurred, the collaborating device raises an alarm, formulates a security policy and synchronizes the attack pattern, but is not responsible for distributing the policy. Finally, when collaborative analysis is complete, the analysis processing result of the security event is saved in security event database 305. For a security event that collaborative analysis still cannot decide, the collaborating device can in turn request the collaborating devices corresponding to itself to perform collaborative analysis, or wait for an administrator to handle it.
Because this is collaborative analysis, after completing it analysis decision module 301 must also send the collaborative analysis result, carrying the analysis processing result of the event, to coordination module 302, so that coordination module 302 can return the result to the public security protection device, dedicated protection system or security management system that initiated the collaboration request. If during collaborative analysis the event under analysis was determined to be an attack and a corresponding security policy was formulated, the returned collaborative analysis result also includes the security policy corresponding to that event.
The operations performed by coordination module 302 during collaborative analysis are described in detail below. In the collaborative analysis case, coordination module 302, as the external interface, handles the internal and external information relating to collaborative analysis as follows:
First, for a collaborative analysis request: after receiving a collaborative analysis request from another public security protection device, a dedicated protection system or a security management system, coordination module 302 obtains the security event information from the request, analyzes the relevant time period, relevant IP addresses, relevant applications and similar information extracted from that security event information, and determines whether it needs to send a collaborative security event information request to other public security protection devices in order to obtain the related security event information needed for collaborative analysis. If so, it determines the target devices and sends them a collaborative security event information request carrying the relevant time period, relevant IP addresses, relevant applications and similar information. After the target devices return the related security event information, or the wait times out, it saves the collected security event information in the security event database and sends a security event collaborative analysis notification to the analysis decision module; alternatively, it carries the collected information in the security event collaborative analysis notification sent to analysis decision module 301. When determining whether to send a collaborative security event information request to other devices, it checks whether its own security event database 305 holds security event information related to that carried in the collaborative analysis request; if not, a request to other devices is needed. Alternatively, it determines whether the security event information in the collaborative analysis request, together with the related security event information held in its own security event database 305, is sufficient to decide whether an attack has occurred; if not, it sends the collaborative security event information request to other devices.
For a collaborative analysis result: after receiving one from analysis decision module 301, coordination module 302 returns the collaborative analysis result to the public security protection device, dedicated protection system or security management system that initiated the request.
In addition, for a collaborative security event information request: after receiving such a request from another public security protection device, coordination module 302 determines from the relevant time period, relevant IP addresses, relevant applications and similar information in the request which security event information should be extracted, extracts the corresponding information from security event database 305 according to that determination, and returns the extracted information to the requesting device. The determination may be made by time period, for example extracting the security events that occurred in the past 2 days, or may also consider the application type, for example the security events produced by a certain class of application in the past 2 days. If the public security protection device currently providing the collaborative security event information holds no related security event information, or the correlation of its security events is weak, it can also obtain related security event information from other public security protection devices.
Thus the security event information on which collaborative analysis is based comes from several related public security protection devices. For a coordinated attack, several related devices are needed to provide the security event information used in collaborative analysis; the collaborative analysis of the present invention therefore achieves identification of coordinated attacks in the network.
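The collaborative security event information exchange described above, as an added example that is not code from the patent. It assumes a local security event database that can be queried by time period, related IP addresses and application type (the three fields the description names), a 2-day default window, and a peer that answers with None to stand for a timed-out request; the record layout and all sample events are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class EventRecord:
    ts: datetime
    src: str
    dst: str
    app: str          # application type, e.g. "http"
    event_type: str


class SecurityEventStore:
    """Local security event database; contents constructed for this example."""

    def __init__(self, records):
        self.records = list(records)

    def query(self, since, until=None, addrs=frozenset(), apps=frozenset()):
        """Events in [since, until] touching any of `addrs` and any of `apps` (empty = no filter)."""
        out = []
        for r in self.records:
            if r.ts < since or (until is not None and r.ts > until):
                continue
            if addrs and r.src not in addrs and r.dst not in addrs:
                continue
            if apps and r.app not in apps:
                continue
            out.append(r)
        return out


def build_info_request(event, window=timedelta(days=2)):
    """Collaborative security event information request: time period, related IPs, application."""
    return {"since": event.ts - window, "until": event.ts,
            "addrs": frozenset({event.src, event.dst}), "apps": frozenset({event.app})}


def answer_info_request(store, request):
    """Responder side: extract the matching events from its own database."""
    return store.query(request["since"], request["until"], request["addrs"], request["apps"])


def needs_peer_request(local_store, request):
    """Ask other devices only when the local database holds no related events."""
    return not answer_info_request(local_store, request)


def collect_for_analysis(local_store, peers, request):
    """Gather related events locally and from peers; a peer value of None stands for a timeout."""
    collected = {"local": answer_info_request(local_store, request)}
    for name, store in peers.items():
        collected[name] = [] if store is None else answer_info_request(store, request)
    return collected


# Constructed sample data (not from the patent).
T0 = datetime(2007, 6, 2, 10, 0)
LOCAL = SecurityEventStore([
    EventRecord(T0 - timedelta(days=3), "10.1.0.5", "10.0.0.1", "http", "scan"),   # outside window
    EventRecord(T0 - timedelta(hours=1), "10.9.0.2", "10.0.0.1", "smtp", "scan"),  # other application
])
PEER_B = SecurityEventStore([
    EventRecord(T0 - timedelta(hours=5), "10.1.0.5", "10.0.0.1", "http", "flood"),
    EventRecord(T0 - timedelta(hours=4), "10.1.0.6", "10.0.0.1", "http", "flood"),
])
REQUESTED = EventRecord(T0, "10.1.0.5", "10.0.0.1", "http", "flood")

if __name__ == "__main__":
    req = build_info_request(REQUESTED)
    print("ask peers:", needs_peer_request(LOCAL, req))
    print(collect_for_analysis(LOCAL, {"B": PEER_B, "C": None}, req))
```

The application filter is what turns the local database from "has something about 10.0.0.1" into "has nothing relevant": dropping `apps` from the request makes the local smtp record match, which is the weak-correlation case the description mentions.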
In practice, the public security protection device also includes audit information database 311 and security audit module 312.
Audit information database 311 stores the audit information of the device itself. This audit information includes changes to the device's security state and modifications of critical files.
Security audit module 312 performs a security audit check of the device according to the local security audit configuration, to determine whether the device itself has been attacked; if so, a recovery operation is carried out. The security audit check may be, for example, an integrity check of critical files: when a checked critical file is found not to be intact, the device is determined to have been attacked. The recovery operation comprises the following two steps:
Step a) restore to the last secure state according to the audit information in the audit information database;
Step b) determine whether a security policy synchronization request needs to be sent to other public security protection devices, and if so send it through coordination module 302. The security policy synchronization request may carry time information and policy type information: the time information indicates from which moment onward security policies are to be obtained, and the policy type information indicates whether network-wide common security policies or policies specific to this device are wanted. After receiving the request, another device obtains the time information and required policy type from it and returns to the requesting device the security policies later than the indicated moment that are relevant to the requester. Whether a request needs to be sent can be decided according to a preset policy synchronization judgment rule; for example, if the audit log information shows that security policy changes were made after the time of the last secure state, the request is sent.
The local security audit configuration includes the interval at which audit checks are made. Security audit module 312 performs the above security audit operation periodically at that interval. The local security audit configuration may be stored in the security audit module or in a storage module within the device, for example the aforementioned configuration information storage module.
In this case, information collection module 307 also monitors the public security protection device itself in real time and sends the recorded audit information to audit information database 311 for storage. Monitoring the device in real time means monitoring every module and database inside the device and recording the device's audit information, that is, the activities carried out by the device: for example, who accessed the device, what changes were made to its databases, and what operations the device performed.
After receiving the security policy synchronization request from security audit module 312, coordination module 302 determines the target devices and sends the request to them to ask for security policies. The target devices can be determined from configuration information and/or audit information. When determined from configuration information, one or more devices that provide network-wide common security policy synchronization can be configured in advance for each device and stored in its configuration information; such devices provide the network-wide common security policies, for example virus control policies, to the other devices. When determined from audit information, the devices recorded in the audit information as having received security policies distributed by this device, or as having distributed security policies to this device, are taken as target devices, and the security policies that are not network-wide are obtained from the targets determined in this way. For example, the security audit module restores device A to its secure state of 2007-6-2, but the audit information shows that between 2007-6-2 and the current time device A received security policies that are not network-wide from devices B and C; devices B and C are then determined to be the target devices for security policy synchronization.
After receiving a security policy synchronization request from another public security protection device, coordination module 302 extracts the corresponding security policies from policy library 303, carries them in a security policy synchronization response and returns it to the requesting device.
Thus the device can also automatically restore itself to a secure state after being attacked and, by sending a security policy synchronization request, obtain the new security policies issued between the moment of the last secure state and the moment of recovery, so that it still has up-to-date attack defense capability after recovery, which ensures the effectiveness of public security protection.
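The audit check, recovery and security policy synchronization exchange of steps a) and b), as an added example that is not the patent's code. It assumes an audit log of timestamped entries (state snapshots, policy changes, policies received from peers), a SHA-256 baseline as the "integrity check of critical files", and a responder-side policy library whose entries carry a timestamp, a scope and a target list; the entry shapes, device names and dates are constructed, reusing the A, B, C and 2007-6-2 of the description.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditEntry:
    ts: datetime
    kind: str      # "snapshot" | "policy_change" | "policy_received" | "policy_sent"
    detail: str    # snapshot id, policy id, or peer device name


def check_integrity(files, baseline):
    """Names of critical files whose SHA-256 no longer matches the recorded baseline."""
    return sorted(name for name, data in files.items()
                  if hashlib.sha256(data).hexdigest() != baseline.get(name))


def last_safe_state(audit):
    snapshots = [e for e in audit if e.kind == "snapshot"]
    return max(snapshots, key=lambda e: e.ts) if snapshots else None


def sync_needed(audit, safe_ts):
    """Preset judgment rule: a policy change happened after the last safe state."""
    return any(e.kind == "policy_change" and e.ts > safe_ts for e in audit)


def sync_targets(audit, safe_ts, configured_providers):
    """Configured providers supply network-wide policies; peers seen in the audit log supply the rest."""
    peers = {e.detail for e in audit
             if e.kind in ("policy_received", "policy_sent") and e.ts > safe_ts}
    return frozenset(configured_providers) | peers


def build_sync_request(requester, since, policy_type):
    return {"requester": requester, "since": since, "type": policy_type}


def answer_sync_request(policy_library, request):
    """Responder side: policy ids newer than `since`, filtered by the requested policy type."""
    out = []
    for p in policy_library:
        if p["ts"] <= request["since"]:
            continue
        if request["type"] == "network_wide" and p["scope"] == "network_wide":
            out.append(p["id"])
        elif request["type"] == "device" and request["requester"] in p["targets"]:
            out.append(p["id"])
    return out


def recover(audit, files, baseline, configured_providers, local_name):
    """Steps a) and b): restore to the last safe state, then request the policies missed since then."""
    corrupted = check_integrity(files, baseline)
    if not corrupted:
        return {"attacked": False}
    safe = last_safe_state(audit)
    result = {"attacked": True, "corrupted": corrupted, "restore_to": safe.detail, "requests": []}
    if sync_needed(audit, safe.ts):
        for dev in sorted(sync_targets(audit, safe.ts, configured_providers)):
            ptype = "network_wide" if dev in configured_providers else "device"
            result["requests"].append((dev, build_sync_request(local_name, safe.ts, ptype)))
    return result


# Constructed sample data (not from the patent).
AUDIT = [
    AuditEntry(datetime(2007, 6, 2), "snapshot", "snap-0602"),
    AuditEntry(datetime(2007, 6, 3), "policy_received", "B"),
    AuditEntry(datetime(2007, 6, 4), "policy_received", "C"),
    AuditEntry(datetime(2007, 6, 4, 12), "policy_change", "p-17"),
]
BASELINE = {"policy.db": hashlib.sha256(b"policies-v1").hexdigest(),
            "config.ini": hashlib.sha256(b"cfg").hexdigest()}
FILES_TAMPERED = {"policy.db": b"policies-v1-tampered", "config.ini": b"cfg"}
LIBRARY_AT_B = [
    {"id": "virus-7", "ts": datetime(2007, 6, 3, 8), "scope": "network_wide", "targets": ()},
    {"id": "p-A-1", "ts": datetime(2007, 6, 3, 9), "scope": "device", "targets": ("A",)},
    {"id": "p-old", "ts": datetime(2007, 6, 1), "scope": "device", "targets": ("A",)},
]

if __name__ == "__main__":
    plan = recover(AUDIT, FILES_TAMPERED, BASELINE, {"HQ"}, "A")
    print(plan)
    for dev, req in plan["requests"]:
        if dev == "B":
            print("B answers:", answer_sync_request(LIBRARY_AT_B, req))
```

The responder filters on both the timestamp and the requester, so a peer hands back only the device-specific policies it actually distributed to A after the snapshot; the network-wide provider is asked separately with the other policy type.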
In practice, the public security protection device of the present invention further comprises authentication database 322 and authentication management module 321, wherein:
Authentication database 322 stores authentication information, including the authentication information between public security protection devices, the authentication information of dedicated protection systems, and the authentication information of security management systems; for example, the certificates of legitimate public security protection devices.
Authentication management module 321 receives the authentication request sent by coordination module 302, authenticates according to the authentication information in authentication database 322 and the authentication information in the request, and returns the authentication result to coordination module 302.
After receiving information from outside, coordination module 302 generates an authentication request from the authentication information carried in that information, sends it to authentication management module 321, and performs the subsequent operation only when the authentication result confirms that authentication passed. If authentication does not pass, no subsequent operation is performed and an authentication failure message is returned to the public security protection device, dedicated protection system or security management system that sent the information. The authentication information may take the form of username plus password; the authentication request then contains the username and password, and authentication management module 321 judges authentication successful when they are consistent with the username and password in authentication database 322. This is a relatively simple authentication method; other existing authentication mechanisms may of course also be used for authentication between public security protection devices, between a device and a dedicated protection system, and between a device and a security management system.
Thus the provision of authentication management module 321 and authentication database 322 ensures that the public security protection device accepts information only from trusted public security protection devices, dedicated protection systems and security management systems.
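The username-plus-password form of authentication gating the coordination module, as an added example that is not the patent's code. The description only requires the pair to be consistent with the database; this example additionally stores salted PBKDF2 digests instead of passwords and compares digests in constant time, which is the minimum a practitioner would want before letting a peer trigger policy updates. The message layout (`from`, `kind`, `auth`), the device names and the `dispatch` callback are assumptions of the example.

```python
import hashlib
import hmac
import os


class AuthenticationDatabase:
    """Authentication database 322 as username + password, held as salted PBKDF2 digests."""
    ITERATIONS = 100_000

    def __init__(self):
        self._records = {}          # username -> (salt, digest)

    @classmethod
    def _digest(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def add(self, username, password, salt=None):
        salt = salt if salt is not None else os.urandom(16)
        self._records[username] = (salt, self._digest(password, salt))

    def verify(self, username, password):
        record = self._records.get(username)
        if record is None:
            # do the same work for unknown names so response time does not reveal valid usernames
            self._digest(password, b"\x00" * 16)
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._digest(password, salt))


class AuthenticationManagementModule:
    """Authentication management module 321: checks a request against the database."""

    def __init__(self, database):
        self.database = database

    def authenticate(self, request):
        passed = self.database.verify(request.get("user", ""), request.get("password", ""))
        return {"peer": request.get("peer"), "passed": passed}


def handle_external_message(message, auth_module, dispatch):
    """Coordination-module gate: nothing is processed until the sender has authenticated."""
    request = {"peer": message["from"], **message.get("auth", {})}
    if not auth_module.authenticate(request)["passed"]:
        return {"to": message["from"], "status": "authentication_failed"}
    return dispatch(message)


if __name__ == "__main__":
    db = AuthenticationDatabase()
    db.add("device-B", "correct horse")
    gate = AuthenticationManagementModule(db)
    msg = {"from": "device-B", "kind": "policy_distribution",
           "auth": {"user": "device-B", "password": "correct horse"}}
    print(handle_external_message(msg, gate, lambda m: {"to": m["from"], "status": "accepted"}))
```

Whatever mechanism replaces the password pair (the description allows any existing one, and the database already holds certificates), the gate keeps the same shape: the authentication result is obtained first, and the dispatch of a policy distribution, attack pattern synchronization or collaboration request happens only on a passed result.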
In practice, to meet different security requirements, a security policy customization interface can be provided in coordination module 302. Through this interface the public security protection device can receive customized security policies from users or from the national security community, to meet specific security needs. For example, a public security protection device deployed on a broadband access server (BAS) can accept a customized access-layer security policy for filtering objectionable websites. After receiving a customized security policy through this interface, coordination module 302 must also determine whether the customized policy conflicts with the security policies in the policy library; when no conflict is found, the policy is inserted into the policy library automatically or after administrative staff confirm it, according to the security policy update rule.
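A policy library that applies the security policy update rule described earlier (automatic insertion by default, or alarm and wait for administrator confirmation) and the conflict check required for customized policies, as an added example that is not the patent's code. It assumes a policy is identified by source and destination CIDR, a port (or `*`) and an action, and treats two policies as conflicting when they can match the same packets but prescribe different actions; the attack pattern update rule of decision support database 306 has the same two modes and could reuse `UpdateRule` unchanged. The policy fields and sample prefixes are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_network


class UpdateRule(Enum):
    AUTO = "auto"          # default: insert the new policy automatically
    CONFIRM = "confirm"    # raise an alarm and hold the policy until an administrator confirms


@dataclass(frozen=True)
class Policy:
    policy_id: str
    src: str      # CIDR
    dst: str      # CIDR
    port: str     # port number as text, or "*" for any port
    action: str   # "block" | "allow" | "rate_limit"


def same_traffic(a, b):
    """True when the two policies can match the same packets."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and (a.port == b.port or "*" in (a.port, b.port)))


class PolicyLibrary:
    """Policy library 303 with the local security policy update rule applied on insertion."""

    def __init__(self, rule=UpdateRule.AUTO):
        self.rule = rule
        self.active = {}       # policy_id -> Policy in force
        self.pending = {}      # policy_id -> Policy awaiting confirmation
        self.alarms = []

    def conflicts(self, policy):
        """Ids of active policies that cover the same traffic but take a different action."""
        return [p.policy_id for p in self.active.values()
                if same_traffic(p, policy) and p.action != policy.action]

    def submit(self, policy):
        """Returns 'inserted', 'pending', 'conflict' or 'duplicate'."""
        if policy.policy_id in self.active or policy.policy_id in self.pending:
            return "duplicate"
        if self.conflicts(policy):
            return "conflict"
        if self.rule is UpdateRule.AUTO:
            self.active[policy.policy_id] = policy
            return "inserted"
        self.pending[policy.policy_id] = policy
        self.alarms.append(f"new policy {policy.policy_id} awaits administrator confirmation")
        return "pending"

    def confirm(self, policy_id, approve=True):
        """Administrator decision on a pending policy."""
        policy = self.pending.pop(policy_id)
        if not approve:
            return "rejected"
        self.active[policy_id] = policy
        return "inserted"


if __name__ == "__main__":
    lib = PolicyLibrary()
    print(lib.submit(Policy("p1", "10.1.0.0/24", "10.0.0.0/24", "*", "block")))
    # a customized "allow" for part of the same traffic is refused as a conflict
    print(lib.submit(Policy("c1", "10.1.0.0/25", "10.0.0.1/32", "80", "allow")))
```

The overlap test is deliberately broad: a narrower customized policy that only allows one host on one port still conflicts with a wider block, because whichever the defense control module evaluates first decides the outcome for those packets, and that ordering is exactly what the conflict check is meant to keep out of the library.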
Fig. 4 is a schematic flowchart of the public security protection method of the present invention. As shown in Fig. 4, the method comprises the following steps:
Step 401: deploy public security protection devices at the edge of the Internet in advance.
Step 402: each public security protection device stores locally the security policies obtained from local security event information and distributes them to the target devices determined from that security event information; security policies received from outside are also stored locally.
Step 403: each public security protection device controls the uplink and/or downlink traffic flowing through it according to its local security policies. By configuration, the uplink traffic, the downlink traffic, or both can be controlled.
The processing of local security events is described below from the perspective of a single public security protection device.
Fig. 5 is the flow of the method by which a public security protection device of an embodiment of the invention processes a local security event. As shown in Fig. 5, the method comprises:
Step 501: monitor the public security protection device in real time and record audit information; monitor the traffic flowing through the device in real time.
This step is executed continuously in real time.
Step 502: determine that a security event has been detected.
Determining whether a security event has been detected is mature technology. For example, the determination can be made from the access control behaviour carried in the current traffic and/or the behaviour of the current traffic itself: if a large number of accesses to the same node is found, or the current traffic suddenly begins to increase and keeps increasing, a security event is determined to have been detected. At this point the security event is regarded as threatening behaviour.
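The two detection conditions named for step 502, run over constructed flow records, as an added example that is not the patent's code. It assumes one record per observed connection with a timestamp, source, destination and byte count, a threshold of 20 distinct sources for "a large number of accesses to the same node", and a 10-second interval with a 1.5x growth factor sustained over three consecutive intervals for "suddenly begins to increase and keeps increasing"; all of those numbers are example choices, not values from the description.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not from the patent).
BASE = datetime(2007, 6, 2, 12, 0, 0)
FLOWS = (
    # 25 distinct sources reaching the same node within 25 seconds
    [{"ts": BASE + timedelta(seconds=i), "src": f"10.1.0.{i + 1}",
      "dst": "10.0.0.1", "bytes": 500} for i in range(25)]
    # later traffic to other nodes whose volume doubles every 10-second interval
    + [{"ts": BASE + timedelta(seconds=60 + 10 * k + j), "src": "10.2.0.5",
        "dst": f"10.0.0.{10 + j}", "bytes": 1000 * (2 ** k)}
       for k in range(6) for j in range(3)]
)


def detect_mass_access(flows, min_sources=20):
    """Access-control view: nodes reached by at least `min_sources` distinct sources."""
    sources_by_dst = defaultdict(set)
    for f in flows:
        sources_by_dst[f["dst"]].add(f["src"])
    return sorted(dst for dst, srcs in sources_by_dst.items() if len(srcs) >= min_sources)


def bytes_per_interval(flows, interval_seconds=10):
    """Traffic view: total bytes per fixed interval from the first flow, oldest first."""
    if not flows:
        return []
    start = min(f["ts"] for f in flows)
    buckets = defaultdict(int)
    for f in flows:
        idx = int((f["ts"] - start).total_seconds()) // interval_seconds
        buckets[idx] += f["bytes"]
    return [buckets.get(i, 0) for i in range(max(buckets) + 1)]


def detect_sustained_increase(series, min_steps=3, growth=1.5):
    """True once volume has grown by factor `growth` for `min_steps` consecutive intervals."""
    run = 0
    for prev, cur in zip(series, series[1:]):
        if prev > 0 and cur >= prev * growth:
            run += 1
            if run >= min_steps:
                return True
        else:
            run = 0
    return False


def detect_security_events(flows):
    """Step 502 over a batch of flows: the security event information handed to step 503."""
    events = [{"type": "mass_access", "dst": dst} for dst in detect_mass_access(flows)]
    if detect_sustained_increase(bytes_per_interval(flows)):
        events.append({"type": "traffic_surge"})
    return events


if __name__ == "__main__":
    print(bytes_per_interval(FLOWS))
    print(detect_security_events(FLOWS))
```

The increase check requires `prev > 0`, so the quiet gap between the two bursts resets the run instead of counting a jump from zero as growth; without that guard any first packet after silence would look like a surge.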
Step 503: the security event information of preserving detected security incident correspondence in this locality.
The detected information relevant with security incident in step 502, promptly security event information is to be used for the foundation that follow-up decision is analyzed, and therefore needs to preserve.
Step 504: obtain the security event information relevant from this locality, and obtain information for supporting some decision from this locality with detected security incident.
Wherein, the security event information relevant with security incident not only comprises the security event information that detected security incident is corresponding, also may comprise the security event information of the security incident correspondence that is associated that nearest one section incident takes place.
Step 505: judge whether to have taken place attack.If can judge the generation attack, then execution in step 506; If can't judge, then execution in step 520.
In this step 505, carry out analyses such as pattern matching, abnormal behaviour or data mining, judge whether to have taken place attack according to the security event information and the information for supporting some decision of collecting from this locality.
Step 506: attack and report to the police.
Step 507: the security event information according to the attack correspondence is formulated security strategy.
In this step,, then needn't formulate once more if this locality has possessed this attack corresponding security strategy.
Step 508: whether determination step 505 detected attacks are the new attack pattern.If then execution in step 509; Otherwise, execution in step 510.
Step 509: the attack mode information of attack as information for supporting some decision, is upgraded local information for supporting some decision, and with this attack mode information synchronization to other public safety protector.
In this step, simultaneous operation is carried out at the whole network.
After this step is carried out, receive the public safety protector of attack mode information,, upgrade the local attack pattern information according to local attack schema update rule.
The Synchronous Processing of attack mode has guaranteed that each public safety protector can in time obtain up-to-date attack mode information.Make each public safety protector have the ability of up-to-date identification attack automatically, make it initiatively possess the ability of resisting up-to-date attack.
Step 510: judge whether the local security policy needs to be updated; if so, execute step 511; otherwise execute step 512.
In step 510, the security policy that was formulated locally, or that was returned by a collaborating public security protector performing collaborative analysis, is handled according to the local security policy update rules. For example, when the threat level of the attack is very low, the security policy corresponding to this security event is ignored; when the threat level of the attack is medium or very high, it is judged that the local security policy needs to be updated.
Step 511: update the local security policy.
The specific update process of this step is also handled according to the local security policy update rules; for example, the local security policy may be updated automatically, or a warning message may be issued and the local security policy updated only after the administrator has further confirmed it.
Step 512: judge whether the formulated security policy needs to be distributed; if so, execute step 513; otherwise execute step 514. The security policy being judged may be one formulated locally, or one returned by a collaborating public security protector performing collaborative analysis.
In step 512, whether the formulated security policy needs to be distributed to other public security protectors is determined according to the source and destination addresses, the attack type and the security event level in the security event information corresponding to the attack. For example, suppose the source and destination addresses of the security event are a and b respectively, and the related traffic passes through public security protector A and public security protector B on its way from a to destination node b. When public security protector B finds that a is launching an attack on b, it judges that the security policy needs to be distributed to A.
In practice, the judgement of step 512 may be executed first and the judgement of step 510 afterwards.
Step 513: determine the target public security protector according to the security event information of the attack, and send the formulated security policy to the target public security protector.
After this step is executed, the target public security protector that receives the distributed security policy updates the security policy it holds according to its own security policy update rules.
The distribution of security policies ensures that the public security protection system can respond quickly to attacks, thereby achieving real-time protection.
Step 514: update the analysis processing result of the security event in the local security event information. The flow ends.
Step 520: judge whether to initiate a collaborative analysis request; if so, execute step 521; otherwise execute step 530.
In this step, the threat level that the event may cause is determined according to the security event information obtained in step 504, and whether to initiate a collaborative analysis request is judged according to that threat level. For example, when the threat level is very low or medium, it is judged that no collaborative analysis request needs to be initiated; if the threat level is very high and this public security protector has a predetermined collaborating public security protector, it is judged that a collaborative analysis request needs to be initiated. If this public security protector has no corresponding collaborating public security protector, it may also be judged not to initiate a collaborative analysis request.
Step 521: initiate a collaborative analysis request carrying the security event information to the collaborating public security protector.
Step 522: receive the returned collaborative analysis result.
Step 523: judge from the collaborative analysis result whether the security event submitted for collaborative analysis is an attack, and whether a security policy formulated for this attack has been returned with the collaborative analysis result. If so, execute step 524; otherwise execute step 514.
Step 524: raise an attack alarm, then execute step 510.
Step 530: handle the security event according to its threat level, then execute step 514.
In this step, the security event is handled according to its threat level. For example, when the threat level of the security event is very low, the security event is ignored; if the threat level is medium, a warning message is sent and the protector waits for the administrator to handle it, or waits until a temporally correlated security event occurs before handling it. A public security protector that has no collaborating public security protector may, for a security event whose threat level is very high, likewise only send a warning message and wait for the administrator to handle it, or wait until a temporally correlated security event occurs before handling it.
The flow ends here.
After step 501 is executed, the public security protector saves the recorded audit information locally. According to the local security audit configuration, it periodically performs a security audit check on itself based on the saved audit information, to judge whether it has been attacked. If so, it reverts to the last safe state according to the audit information in the audit information store, and judges whether a security policy synchronization request needs to be initiated to other public security protectors; if so, it determines the target public security protector and sends the security policy synchronization request to the determined target public security protector; otherwise it waits for the next security audit check.
A public security protector that receives a security policy synchronization request obtains the requested security policy from the security policies saved locally and returns it to the public security protector that initiated the security policy synchronization request.
After step 521 is executed, the collaborating public security protector that provides collaborative analysis receives the collaborative analysis request and performs the collaborative analysis. A public security protector may also receive collaborative analysis requests from other systems, for example a "special protection" system or a security management system, and in that case likewise performs the collaborative analysis operation.
Fig. 6 is a flow chart of the method by which a public security protector performs a collaborative analysis operation in an embodiment of the invention. As shown in Fig. 6, the method comprises:
Step 601: receive a collaborative analysis request carrying security event information.
Step 602: judge from the security event information in the collaborative analysis request whether related security event information needs to be obtained from other public security protectors; if so, execute step 603; otherwise execute step 606.
In this step, the judgement is made according to information in the security event information such as the relevant time period, relevant IP addresses or related applications. There are two situations in which security event information needs to be obtained from other public security protectors: first, the locally saved security event information contains nothing related to the security event information carried in the collaborative analysis request, so related security event information must be obtained from other public security protectors; second, it cannot be judged from the security event information in the collaborative analysis request together with the locally saved related security event information whether the event is an attack, so security event information is obtained from other public security protectors.
Step 603: determine the target public security protector, and send a collaborative security event information acquisition request to the determined target public security protector.
After this step is executed, a public security protector that receives the collaborative security event information acquisition request extracts the corresponding security event information and returns it to the public security protector that initiated the request.
Step 604: judge whether the returned security event information for collaborative analysis has been received; if so, execute step 606; otherwise execute step 605.
Step 605: judge whether the predefined time has been exceeded. If so, return to step 604; otherwise execute step 606.
Step 606: perform collaborative analysis according to the collected security event information and the local decision-support information.
The collaborative analysis operation of this step is the same as steps 505 to 509 of Fig. 5. After the analysis processing result of the security event has been updated in the local security event information, execution continues at step 607.
Step 607: return the collaborative analysis result to the public security protector that initiated the collaborative analysis.
The initiator of the collaborative analysis may also be a "special protection" system or a security management system.
The flow ends here.
To guarantee the reliability of the information source, after information is received from outside in step 601, the public security protector authenticates the source of the received information, and only when the information is judged to come from a legitimate source is the public security protector allowed to process it. The information from outside in step 601 is the collaborative analysis request; the same applies to the aforementioned security policy distribution message, attack pattern synchronization message, collaborative analysis result, collaborative security event information acquisition request, security policy synchronization request, and so on.
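One way to implement the source authentication described above for every inter-protector message type, as an added example that is not code from the patent. It assumes a pre-shared key per peer protector, an HMAC-SHA256 over a canonical JSON encoding of the message body, and a per-message nonce so that a captured message cannot be replayed; none of these design choices are stated by the patent, and the keys and messages are constructed.

```python
"""Source authentication of messages exchanged between protectors (the check the
description attaches to step 601). Added illustration, not code from the patent:
a pre-shared key per peer, HMAC-SHA256 over a canonical JSON body, and a nonce for
replay rejection are assumed design choices; the keys and messages are constructed."""
import hashlib
import hmac
import json
from typing import Dict, Set

# Constructed pre-shared keys, one per known peer protector. In a deployment these
# would be provisioned out of band, never embedded in source.
PEER_KEYS: Dict[str, bytes] = {
    "A": b"constructed-key-for-protector-A",
    "B": b"constructed-key-for-protector-B",
}

# The message kinds the description lists as arriving from outside.
MESSAGE_TYPES = {"collaborative_analysis_request", "security_policy_distribution",
                 "attack_pattern_sync", "collaborative_analysis_result",
                 "collaborative_event_fetch", "security_policy_sync"}


def canonical(body: dict) -> bytes:
    """Deterministic encoding so sender and receiver MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(sender: str, body: dict) -> dict:
    """Wrap a message body with the sender's identity and its HMAC."""
    mac = hmac.new(PEER_KEYS[sender], canonical(body), hashlib.sha256).hexdigest()
    return {"sender": sender, "body": body, "mac": mac}


def verify(msg: dict, seen_nonces: Set[str]) -> bool:
    """Accept only messages of a known type, from a known peer, with a valid MAC and an
    unseen nonce. Returns False on any failure, so the caller never processes the body."""
    key = PEER_KEYS.get(msg.get("sender", ""))
    if key is None:
        return False                                        # unknown source
    body = msg.get("body")
    if not isinstance(body, dict) or body.get("type") not in MESSAGE_TYPES:
        return False                                        # not a message we handle
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
        return False                                        # forged or tampered
    nonce = body.get("nonce")
    if not isinstance(nonce, str) or nonce in seen_nonces:
        return False                                        # replayed message
    seen_nonces.add(nonce)
    return True


def demo() -> Dict[str, bool]:
    """Exercise the four outcomes on a constructed policy distribution message."""
    seen: Set[str] = set()
    body = {"type": "security_policy_distribution", "nonce": "n-0001",
            "policy": {"action": "rate-limit", "src": "10.0.0.5"}}
    good = sign("A", body)
    tampered = dict(good, body=dict(body, policy={"action": "allow", "src": "10.0.0.5"}))
    unknown = dict(good, sender="Z")
    return {
        "genuine": verify(good, seen),          # first delivery: accepted
        "replay": verify(good, seen),           # same nonce again: rejected
        "tampered": verify(tampered, set()),    # body changed after signing: rejected
        "unknown_sender": verify(unknown, set()),
    }
```

The constant-time comparison and the "reject on any failure" shape matter here: a protector that distributes security policies to its peers is a high-value target, and a message that fails any check must be dropped before its body is parsed as a policy, pattern update or analysis result.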
As can be seen from the above, the public security protection scheme provided by the present invention can provide public security protection and fulfil the public security responsibility. The public security protectors deployed at the network edge achieve linkage by exchanging information through signalling, extending the network's security solution from a "point" to a "net"; that is, the public security protection network achieves quick response to attacks.
Secondly, the security policy processing based on generation, update and distribution enables the public security protectors across the whole network to respond quickly to security events, so that the public security protection network has real-time security protection capability.
Thirdly, security information can be obtained mutually between different "public protection" points; when it cannot be judged from self-detected security event information whether a security event is an attack, a protector can request collaborative analysis from other public security protectors and receive the returned result, thereby identifying coordinated attacks.
The public security protector is designed in functional modules; in subsequent applications new modules can be added as required, needing only to satisfy the relevant interfaces for interaction with the other modules. Flexible extension of functions is therefore achieved.
Different public security protectors can form a flexible topology, so the system is suited to expansion of the protected network, that is, it can be extended to situations with more nodes.
In summary, the above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement, etc., made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A public security protection system, characterized in that the system comprises a plurality of public security protectors arranged at the edge of the Internet, each public security protector forming a public security protection network through information interaction;
the public security protector is configured to save the security policy obtained according to local security event information and distribute it to the target public security protector determined according to the security event information; to save security policies received from outside; and to control the uplink and/or downlink traffic flowing through it according to the security policies it has saved;
the operation of determining the target public security protector is: determining the target public security protector according to the source address and destination address of the security event in the security event information;
or determining the target public security protector according to the source address range or destination address range of the security event in the security event information;
or determining the target public security protector according to the type of the security event in the security event information.
2. The system of claim 1, characterized in that, when the public security protector determines that the local security event information is security event information of an attack, it obtains the security policy according to the security event information of that attack;
when the public security protector cannot determine whether the local security event information is security event information of an attack, it initiates a collaborative analysis request carrying the local security event information to a predetermined collaborating public security protector in the public security protection network that provides collaborative analysis, receives the collaborative analysis result returned by the collaborating public security protector, and takes the security policy in the collaborative analysis result as the security policy obtained according to the local security event information;
the public security protector further receives from an external device a collaborative analysis request carrying security event information, collects related security event information, formulates a security policy according to the received and collected security event information, and returns the formulated security policy to the external device that initiated the collaborative analysis request; the external device is another public security protector in the public security protection network or a special-purpose security protection system communicating with this public security protector.
3. The system of claim 1, characterized in that the public security protector is further configured, upon detecting a new attack pattern, to save the new attack pattern locally and synchronize it to the other public security protectors in the public security protection network.
4. The system of claim 1, characterized in that the public security protector further performs a security audit check on itself and, after judging that it has been attacked, reverts to the last safe state according to the locally recorded audit information, obtains from other public security protectors in the public security protection network the security policies required after recovery, and saves them locally.
5. A method for implementing security protection, characterized in that a plurality of public security protectors are arranged at the edge of the Internet, each public security protector forming a public security protection network through information interaction, the method comprising:
the public security protector saves the security policy obtained according to local security event information and distributes it to the target public security protector determined according to the security event information; saves security policies received from outside;
controls the uplink and/or downlink traffic flowing through this public security protector according to the saved security policies;
the operation of determining the target public security protector is: determining the target public security protector according to the source address and destination address of the security event in the security event information;
or determining the target public security protector according to the source address range or destination address range of the security event in the security event information;
or determining the target public security protector according to the type of the security event in the security event information.
6. The method of claim 5, characterized in that obtaining the security policy according to the local security event information comprises:
the public security protector monitors in real time the traffic flowing through it and, after detecting a security event, analyses the security event information of the detected security event, taking the decision-support information it has saved as the basis;
when it determines that the security event is an attack, it formulates a security policy;
when it cannot determine whether the security event is an attack, it initiates a collaborative analysis request carrying the detected security event information to a predetermined public security protector providing collaborative analysis, receives the collaborative analysis result returned by that public security protector, and takes the security policy in the collaborative analysis result as the security policy obtained according to the security event information;
the security policy received from outside is:
a security policy distributed by another public security protector in the public security protection network;
or a security policy customized by a special protection system used by an individual user or LAN user;
or a security policy sent by a security management system of a security administration department.
7. The method of claim 6, characterized in that the method further comprises: receiving a collaborative analysis request from an external device, obtaining the security event information carried in the collaborative analysis request, and obtaining from outside the related security event information required for the collaborative analysis according to the collaborative analysis request; and, taking the locally saved decision-support information as the basis, analysing the security event information obtained from the collaborative analysis request together with the related security event information required for the collaborative analysis, and formulating a security policy for a security event determined to be an attack.
8. The method of claim 6, characterized in that, after determining that the security event is an attack, the method further comprises: when judging that the attack is a new attack pattern, saving the new attack pattern locally and synchronizing it to the other public security protectors in the public security protection network.
9. The method of claim 5, further comprising: the public security protector performs a security audit check on itself and, after judging that it has been attacked, reverts to the last safe state according to the locally recorded audit information, obtains from other public security protectors in the public security protection network the security policies required after recovery, and saves them locally.
10. The method of any one of claims 5 to 9, further comprising: authenticating the source of information coming from outside the public security protector, and allowing the public security protector to process the information only when it is judged to come from a legitimate source.
CN200710130685A 2007-07-13 2007-07-13 Public secure protection system and public secure protection method Active CN100589425C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200710130685A CN100589425C (en) 2007-07-13 2007-07-13 Public secure protection system and public secure protection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200710130685A CN100589425C (en) 2007-07-13 2007-07-13 Public secure protection system and public secure protection method

Publications (2)

Publication Number Publication Date
CN101079779A CN101079779A (en) 2007-11-28
CN100589425C true CN100589425C (en) 2010-02-10

Family

ID=38907021

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200710130685A Active CN100589425C (en) 2007-07-13 2007-07-13 Public secure protection system and public secure protection method

Country Status (1)

Country Link
CN (1) CN100589425C (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9148381B2 (en) * 2011-10-21 2015-09-29 Qualcomm Incorporated Cloud computing enhanced gateway for communication networks
CN103795713A (en) * 2014-01-20 2014-05-14 中国建设银行股份有限公司 System applied to preventing and controlling telecommunication fraud and intersystem information interaction method
CN111030929A (en) 2015-10-16 2020-04-17 华为技术有限公司 Route processing method, equipment and system
EP3402121B1 (en) * 2016-02-06 2020-01-08 Huawei Technologies Co., Ltd. Method and device for policy transmission in nfv system
US10560487B2 (en) 2017-07-26 2020-02-11 International Business Machines Corporation Intrusion detection and mitigation in data processing
CN108306857A (en) * 2017-12-26 2018-07-20 努比亚技术有限公司 Abnormal operation hold-up interception method, Network Security Device and computer readable storage medium
CN108521358A (en) * 2018-04-11 2018-09-11 张建 A kind of exclusive Local area network construction of individual and implementation
CN109005164B (en) * 2018-07-20 2021-05-18 深圳市网心科技有限公司 Network system, equipment, network data interaction method and storage medium
CN113596044B (en) * 2021-08-03 2023-04-25 北京恒安嘉新安全技术有限公司 Network protection method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN101079779A (en) 2007-11-28


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: INDUSTRY AND INFORMATION DEPARTMENT TELECOMMUNICAT

Free format text: FORMER NAME: MINISTRY OF INFORMATION INDUSTRY INSTITUTE OF TELECOMMUNICATIONS TRANSMISSION

CP01 Change in the name or title of a patent holder

Address after: 100045 Beijing city Xicheng District Yuetan Nan Street 11

Patentee after: Research Institute of Telecommunications Transmission, Ministry of Industry and Information Technology

Address before: 100045 Beijing city Xicheng District Yuetan Nan Street 11

Patentee before: Telecommunication Transmission Inst., Ministry of Information Industry

TR01 Transfer of patent right

Effective date of registration: 20211228

Address after: 100191 No. 40, Haidian District, Beijing, Xueyuan Road

Patentee after: CHINA ACADEMY OF INFORMATION AND COMMUNICATIONS

Address before: 100045 Beijing city Xicheng District Yuetan Nan Street 11

Patentee before: The Research Institute of Telecommunications Transmission MIIT