
CN100464548C - System and method for blocking worm attack - Google Patents


Info

Publication number: CN100464548C
Authority: CN (China)
Prior art keywords: worm, access control, port, information, network
Legal status: Expired - Fee Related
Application number: CNB2005101127104A
Other languages: Chinese (zh)
Other versions: CN1744607A
Inventors: 王帅, 陈珣, 金华敏, 庄一嵘, 余晓光
Current assignee: Guangdong Research Institute China Telecom Co ltd; China Telecom Corp Ltd
Original assignee: GUANGDONG TELECOMMUNICATION CO Ltd INST
Events: application filed by GUANGDONG TELECOMMUNICATION CO Ltd INST; priority to CNB2005101127104A; publication of CN1744607A; application granted; publication of CN100464548C; anticipated expiration; current legal status Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The system consists of a client that collects worm information, a worm-blocking device, and an access control device that matches the worm information. After a worm detection device detects a host infected by a network worm, the method treats the worm information as a security-health fingerprint of the accessing host and performs port-based access control on that host. Through interaction between the worm-blocking device and the access control device, the access control server issues an access control policy aimed at the host's access port. While other hosts and devices continue to access the network normally, the method blocks the host infected by the network worm from accessing the network, preventing the worm from propagating and flooding the network. The invention also lets users patch hosts infected by a network worm in time.

Description

System and method for blocking worm attacks
Technical field
The present invention relates to a system and method for blocking worm attacks; more precisely, to a system and method for blocking worm attacks based on port access control. It belongs to the field of network security technology in data communication.
Background technology
Since the first worm virus appeared in 1988, computer worms have continually brought disaster to the networked world through their fast and diverse means of propagation. In particular, since 1999 the continual appearance of high-risk network worm (Worm) viruses has caused the world economy massive losses, in the billions of dollars in lighter cases and tens of billions in heavy ones.
A network worm is a malicious virus that spreads over the Internet. It shares many general properties with viruses, such as propagation, concealment and destructiveness, but also has features of its own: it does not need to parasitize a file (some exist only in memory), it causes denial of service on the network, and it combines with hacking techniques. A network worm is therefore really "malicious code" formed by fusing hacking technology with virus technology. This kind of virus has thoroughly changed the traditional impression people had of viruses. In the past everyone thought that the propagation and damage of viruses were passive: as long as you did not use pirated discs, did not open mail of unknown origin and did not download dangerous programs, you generally would not be infected, just as the saying goes, "if you don't eat unclean food you won't fall ill". But this "new generation of active malicious code", which fuses the two technologies of hacking and viruses, has these characteristics: it reproduces automatically by self-replication and propagates by automatically exploiting vulnerabilities in the system or in network services; and by using optimized scanning methods it can infect tens of thousands of vulnerable computer systems in an extremely short time.
The main harm of worm viruses is that they generate a huge volume of attack traffic, which seriously wastes network bandwidth and severely affects the normal operation of the network. The mechanism is as follows: a computer system infected by a worm first searches a wide area to find other computer systems on the network that have the vulnerability, which produces a large amount of network traffic; after the worm has successfully invaded another computer system, it produces multiple copies of itself on the infected computer, and each copy in turn starts the search routine to look for new attack targets, producing a flood of traffic that congests or even paralyzes the whole network.
At present, worm attacks are mainly discovered by deploying an intrusion detection system (IDS) in the network to analyze network traffic, followed by some handling. Because the IDS is attached to the network in parallel, it can only passively detect what kind of attack the network is suffering; its ability to block attacks is very limited, and in general it can only send TCP reset packets or interwork with a firewall to stop the attack. If the IDS stops worm propagation by sending TCP reset packets, this further increases network traffic and aggravates the burden on the network. If it interworks with a firewall, it can only stop worm attack traffic coming from outside and is powerless against worm attack traffic that originates inside the network.
Summary of the invention
In view of this, the purpose of the invention is to provide a system and method for blocking worm attacks based on port access control. After a worm detection device discovers a host infected by a network worm, the invention stops that host from accessing the network at its access port, which prevents other hosts inside the network from being infected and also stops an infected internal host from launching worm attacks against external networks, thereby quickly and precisely blocking the spread of the worm and safeguarding the network system.
To achieve this object, the invention provides a system for blocking worm attacks, characterized in that the system comprises at least:
a client, in which client software for collecting network worm information is installed, so that the worm information is sent via the worm-blocking device to the access control device for matching;
a worm-blocking device, a network device that provides access for users, whose interior is provided with a port reverse-lookup module, a plurality of control ports into which users connect, and network elements that provide the respective services; each control port consists of a control unit and a controlled unit, and the different network elements connected to a controlled unit can provide different services; after receiving the access control instruction returned by the access control device, the corresponding control port performs the associated operation;
an access control device, comprising at least an access control server, inside which two databases are provided that respectively store the worm types known in the network and the port access control policies of the worm-blocking device; the port access control policies are organized per control port, as one access control policy file per control port, each policy file containing many access control policies; this device reads the worm information, searches the worm-type database and the port access control policy database for a match with the worm type and related information in the worm information, and sends the corresponding access control instruction back to the worm-blocking device according to the match result.
The worm information comprises: the source MAC address, source IP address and worm type of the host infected by the worm.
The client is an intrusion detection device on which the client software for collecting worm information is installed.
The functions of the respective members of the worm-blocking device are:
the port reverse-lookup module is responsible for the interface with the client; it receives worm information from the client, performs a port reverse lookup on the source MAC address and/or source IP address contained in it, and then, according to the lookup result, directs the worm information to the control unit of the corresponding control port;
the control unit sends the worm information to the access control device that matches the worm, is responsible for receiving the access control instruction sent back by the access control device, and controls the operation of the controlled unit according to that instruction;
the controlled unit is an authorization device that enters one of three operating states according to the access control instruction: in the authorized state, the connected host can access all network elements connected to this port and obtain all the services they provide; in the partially authorized state, the host on this port is allowed to access part of, or specific, network elements connected to the port; in the unauthorized state, the host on this port is prevented from accessing the network;
the network elements providing services are the network resources that hosts connected to the worm-blocking device can access.
The worm-blocking device is a switch, in which case the network is an internal LAN.
The access control device further comprises an authentication server, so that the identity of the user of an accessing host can be authenticated with a username/password.
To achieve the above object, the invention also provides a method for blocking network worm attacks, characterized in that it comprises at least the following steps:
(1) the client software polls the intrusion detection device it resides on to check whether a worm attack has been detected; once a worm attack is discovered, the client software extracts the relevant information about the attack, encapsulates it in "type, length, content" format, and sends the worm information packet to the worm-blocking device using a network communication protocol;
(2) the worm-blocking device first passes the worm information to the port reverse-lookup module for reverse-lookup processing; after finding the user access port corresponding to the source MAC address and/or source IP address in the worm information, it transfers the worm information to the control unit corresponding to that access port;
(3) the control unit sends the worm information to the access control device through its interface with the access control device;
(4) the access control device matches the worm type in the worm information against the worm-type database; if a match is found, it selects the corresponding port access control policy from the corresponding port access control policy file, encapsulates it as an access control instruction in the format of the network protocol used between the access control device and the worm-blocking device, and sends it to the control unit of the worm-blocking device; if no match is found, it directly sends the default access control instruction to the control unit of the worm-blocking device;
(5) the control unit reads the access control instruction and sets the authorization state of the corresponding controlled unit according to it: if it is the default access control instruction, the corresponding controlled unit is set to the unauthorized state; if the instruction contains a specific access control policy, that policy is configured on the corresponding controlled unit.
The network communication protocol used by the client software to send the worm information packet in step (1) includes TCP (Transmission Control Protocol), UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol) and EAPOL (Extensible Authentication Protocol over LAN).
The type field of the encapsulation format in step (1) is a 3-bit identifier: the first bit indicates that this packet is a worm information packet, and the last two bits determine the reverse-lookup mode used by the port reverse-lookup module of the worm-blocking device; the default mode is reverse lookup by source MAC address.
The reverse-lookup processing performed by the port reverse-lookup module in step (2) has three selectable modes:
reverse lookup by source MAC address: the source MAC address in the worm information is compared against the MAC address database stored in the worm-blocking device, which records the correspondence between MAC addresses and each control port of the device; if the source MAC address is found in the MAC address database, the worm information is transferred to the control port corresponding to that MAC address; otherwise the worm information packet is discarded;
reverse lookup by source IP address: an ARP (Address Resolution Protocol) request for the source IP address in the worm information is broadcast first; if no response to the ARP request is received, that is, no MAC address corresponding to the source IP address is received, the worm information packet is discarded; if a MAC address corresponding to the source IP address is received, that MAC address is compared against the MAC address database, and if it is found there the worm information is transferred to the corresponding control port; otherwise the worm information packet is discarded;
reverse lookup by MAC address and IP address: a reverse lookup by the source MAC address of the worm information is performed first; if the source MAC address is not found in the MAC address database, a second port reverse lookup is performed using the source IP address of the worm information.
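The "type, length, content" packet of step (1), its 3-bit type field, and the three reverse-lookup modes of step (2) above, as an added worked example in Python. This is not code from the patent or its assignee: the byte layout (one type byte using only its low 3 bits, a 2-byte big-endian length, ';'-separated content), the numeric values assigned to the two mode bits, and the MAC database and ARP responses are all constructed assumptions; the patent only fixes that the first bit marks a worm information packet and that lookup by source MAC address is the default.

```python
"""Worm information packet (type, length, content) and port reverse lookup.

Added example, not the patent's own code. Byte layout, mode-bit values and
the tables below are assumptions made for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

FLAG_WORM_INFO = 0b100    # first bit of the 3-bit type field
MODE_MAC = 0b00           # low two bits: lookup by source MAC (default)
MODE_IP = 0b01            # lookup by source IP via ARP
MODE_MAC_THEN_IP = 0b10   # MAC first, then IP
MODE_MASK = 0b011


@dataclass(frozen=True)
class WormInfo:
    src_mac: str
    src_ip: str
    worm_type: str


def encode(info: WormInfo, mode: int = MODE_MAC) -> bytes:
    """Step (1): encapsulate worm information as type, length, content."""
    if mode & ~MODE_MASK:
        raise ValueError("mode must fit in two bits")
    content = f"{info.src_mac};{info.src_ip};{info.worm_type}".encode()
    return struct.pack("!BH", FLAG_WORM_INFO | mode, len(content)) + content


def decode(pkt: bytes) -> Tuple[int, WormInfo]:
    """Unpack a worm information packet; reject anything that is not one."""
    if len(pkt) < 3:
        raise ValueError("packet too short")
    type_field, length = struct.unpack("!BH", pkt[:3])
    if not type_field & FLAG_WORM_INFO:
        raise ValueError("type field does not mark a worm information packet")
    content = pkt[3:3 + length]
    if len(content) != length:
        raise ValueError("length field does not match content")
    src_mac, src_ip, worm_type = content.decode().split(";")
    return type_field & MODE_MASK, WormInfo(src_mac, src_ip, worm_type)


# Constructed MAC address database of the switch: MAC -> control port number.
MAC_DATABASE = {
    "00:11:22:33:44:55": 3,
    "00:11:22:33:44:66": 7,
}

# Constructed stand-in for broadcasting an ARP request on the LAN: IP -> MAC.
# An IP missing from this table models "no ARP response received".
ARP_RESPONSES = {
    "10.0.0.5": "00:11:22:33:44:55",
    "10.0.0.9": "aa:bb:cc:dd:ee:ff",  # answers ARP but sits on no control port
}


def arp_resolve(ip: str) -> Optional[str]:
    return ARP_RESPONSES.get(ip)


def reverse_lookup(mode: int, info: WormInfo) -> Optional[int]:
    """Step (2): return the control port for the worm information, or None to discard."""
    if mode == MODE_MAC:
        return MAC_DATABASE.get(info.src_mac)
    if mode == MODE_IP:
        mac = arp_resolve(info.src_ip)
        return None if mac is None else MAC_DATABASE.get(mac)
    if mode == MODE_MAC_THEN_IP:
        port = MAC_DATABASE.get(info.src_mac)
        return port if port is not None else reverse_lookup(MODE_IP, info)
    raise ValueError(f"unknown reverse-lookup mode {mode:#b}")


def handle_packet(pkt: bytes) -> Optional[Tuple[int, WormInfo]]:
    """Worm-blocking device side: decode, find the port, hand off or discard."""
    mode, info = decode(pkt)
    port = reverse_lookup(mode, info)
    return None if port is None else (port, info)
```

The two-stage mode matters in practice: an IDS report often carries a MAC address learned from a router hop rather than the host itself, so a MAC-only lookup discards the report while the MAC-then-IP mode still resolves the host's own port through ARP.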
The invention is a system and method for blocking worm attacks based on port access control, and has the following advantages:
Effectiveness: after a worm is discovered, the invention can promptly stop or restrict network access by the infected host or device, cutting off its path to infecting other network equipment and thus effectively preventing the worm attack from spreading in the network. At the same time an access control policy can be configured on the controlled unit so that the infected host or device is only allowed to access a patch server in the network, letting the host or device be patched in time to repair the vulnerability and reducing the chance of being infected by the worm again.
Precision: the invention performs access control based on the port, directly isolating the host or device connected to that port, while the network access of devices on other ports is unaffected. Access control policies for multiple different ports are configured on the access control server, so corresponding access control instructions can be issued for different access devices.
Low investment: the structure of the invention is quite simple. The client only needs to collect worm information and send it to the worm-blocking device in a certain format, so its function is fairly simple; in actual implementation it only requires adding client software to an existing worm detection device (such as an intrusion detection device). The worm-blocking device can use existing network equipment that supports the IEEE 802.1x protocol and has a port reverse-lookup function, requiring only corresponding development and extension of the control unit function.
In summary, the method of blocking worm attacks of the invention treats worm information as a security-health fingerprint of an accessing host and performs port-based access control on the host, with the access control server issuing an access control policy for the specific access port of the network device. While other hosts or devices access the network normally, it effectively stops the worm from spreading in the network; with reasonable configuration it also lets users patch the infected host or device in time, reducing the chance of re-infection. The invention can therefore be widely used in the security defense of corporate intranets, effectively isolating network worms and greatly reducing the impact of worm attacks on hosts and the network.
Description of drawings
Fig. 1 is a schematic diagram of the composition of the port-access-control-based worm-blocking system of the invention.
Fig. 2 is a flow block diagram of the port-access-control-based worm-blocking method of the invention.
Fig. 3 is a schematic diagram of the composition of an embodiment of the worm-blocking system of the invention.
Fig. 4 is a schematic diagram of the deployment architecture in a network of the embodiment shown in Fig. 3.
Embodiment
To make the purpose, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and an embodiment.
The working mechanism of the invention is as follows: hosts in a network are usually connected to other network segments or to the Internet through a switch, so if a host infected by a worm is isolated directly at the switch, the worm attack is effectively blocked. Because IEEE 802.1x, a port-based access control protocol, can stop unauthenticated users from accessing the network, the invention improves and extends the function and principle of this protocol to achieve the desired function of preventing a worm-infected host or device from accessing the network.
Referring to Fig. 1, the composition of the system of the invention is introduced. It achieves the object of the invention through the worm-blocking device and its two interfaces, one with the client and one with the access control device. Its main members include:
Client 1, whose installed client software collects worm information and sends it via the worm-blocking device to the access control device for matching; the worm information includes, but is not limited to, the MAC address and IP address of the source host infected by the worm and the worm type.
Worm-blocking device 2, a network device that provides access for users, whose interior is provided with a port reverse-lookup module, a plurality of control ports that provide access to users, and network elements that provide the respective services; each control port consists of a control unit and a controlled unit, and the different network elements connected to a controlled unit can provide different services; after receiving the access control instruction returned by the access control device, the corresponding control port performs the associated operation.
The port reverse-lookup module is responsible for the interface with the client; it receives worm information from the client, performs a port reverse lookup on the source MAC address and/or source IP address in it, and then directs the worm information to the corresponding control unit according to the lookup result; the control unit then interacts with the access control device.
The control unit sends the worm information to the access control device, is responsible for receiving the access control instruction sent back by the access control device, and controls the operating behaviour of the controlled unit according to that instruction.
The controlled unit is an authorization system. Under normal circumstances it is in the authorized state, and the host or device connected to it can access all services provided on this port. The control unit can also set the controlled unit to two other states: the unauthorized state, which prevents the host on this port from accessing the services the port provides; and the partially authorized state, which allows the host on this port to access only part of the services the port provides, for example a patch server.
Access control device 3 is generally an access control server, inside which two databases are provided that respectively store the worm types known in the network and the port access control policies of the worm-blocking device; the port access control policies are organized per control port, as one access control policy file per control port, each policy file containing many access control policies; after reading the worm information, this device searches the worm-type database and the port access control policy database for a match with the worm type and related information in the worm information, and sends the corresponding access control instruction back to the worm-blocking device according to the match result.
Referring to Fig. 2, once a worm attack event occurs, the invention can promptly block the attack from spreading; the specific method and steps are:
(1) the client software polls the intrusion detection device it resides on to check whether a worm attack has been detected; once a worm attack is discovered, the client software extracts the relevant information about the attack, encapsulates it in "type, length, content" format, and sends the worm information packet to the worm-blocking device using a network communication protocol such as TCP, UDP, ICMP or EAPOL;
(2) the worm-blocking device first passes the worm information to the port reverse-lookup module for reverse-lookup processing; after finding the user access port corresponding to the source MAC address and/or source IP address in the worm information, it transfers the worm information to the control unit corresponding to that access port;
(3) the control unit sends the worm information to the access control device through its interface with the access control device;
(4) the access control device matches the worm type in the worm information against the worm-type database; if a match is found, it selects the corresponding port access control policy from the corresponding port access control policy file, encapsulates it in the format of the network protocol used between the access control device and the worm-blocking device, and sends it to the control unit of the worm-blocking device; if no match is found, it directly sends the default access control instruction to the control unit of the worm-blocking device;
(5) the control unit reads the access control instruction and sets the authorization state of the corresponding controlled unit according to it: if it is the default access control instruction, the corresponding controlled unit is set to the unauthorized state; if the instruction contains a specific access control policy, that policy is configured on the corresponding controlled unit.
In Fig. 2, 1, 2 and 3 respectively denote the operation flows within the client, the worm-blocking device and the access control device.
The invention can be implemented and tested on the basis of the IEEE 802.1x port-based access control technology; this embodiment is introduced in detail below.
Referring to Fig. 3, the embodiment of the system of the invention mainly comprises four parts: client 1 (an intrusion detection device), worm-blocking device 2, authentication server 31 and access control server 32.
In an IEEE 802.1x access authentication system the user terminal is generally the client 1. A client software is usually installed on this terminal; the user initiates user identity authentication by starting the client software, and the authentication system allows or prevents the user's access to the network according to the authentication result.
In this embodiment the intrusion detection device is equivalent to client 1, and the client software of the invention is installed on it. When the intrusion detection device discovers a worm attack, the software obtains the worm information automatically, encapsulates it with the EAPOL protocol into the authentication data packet format of the IEEE 802.1x protocol, and sends it to worm-blocking device 2. The authentication data packet is encapsulated in "type, length, content" format, where the type field is a special 3-bit identifier: the first bit indicates that this authentication data packet is a worm information packet sent by the intrusion detection device, and the last two bits determine the reverse-lookup mode used by the port reverse-lookup module of the worm-blocking device.
A network device supporting IEEE 802.1x authentication usually has two logical ports for each user port (a physical port, or a user device's MAC address, VLAN, IP, etc.): a controlled port and an uncontrolled port. The uncontrolled port is always in the bidirectionally connected state and is mainly used to carry EAPOL protocol frames, ensuring that client 1 can always send or receive authentication. The controlled port is opened only when authentication has passed and is used to carry network resources and services. If the user has not passed authentication, the controlled port is in the unauthorized state and the user cannot access the services the authentication system provides. Initially the user's controlled port is in the unauthorized state and cannot access any network resources; after user identity authentication, the controlled port is set to the authorized state. In this embodiment worm-blocking device 2 is realized with a network device, a switch, that supports the IEEE 802.1x protocol; its controlled port is the controlled unit of the invention, and its uncontrolled port serves as the control unit of the invention, although the uncontrolled port still needs improvement to meet the requirements the invention places on the control unit.
Because an intrusion detection device usually monitors the traffic of multiple hosts in the network through a mirror port, the worm information it observes contains only information about the worm-infected host and no information about the port of the network access device, whereas the invention requires control based on the access port. Therefore this embodiment also needs to add a port reverse-lookup module to the network access device supporting the IEEE 802.1x protocol in order to meet the design requirements of worm-blocking device 2 of the invention. The port reverse-lookup module unpacks and analyzes the EAPOL protocol frame containing the worm information sent by the client software, finds the port corresponding to the MAC address or IP address information in it, re-encapsulates the worm information as an EAPOL protocol frame for the control unit of that port, and then sends it to authentication server 31 using the RADIUS protocol.
Because the EAPOL protocol is defined by the IEEE 802.1x protocol, devices supporting IEEE 802.1x can usually support EAPOL as well; therefore this embodiment introduces authentication server 31 to exchange information between worm-blocking device 2 and access control server 32. In addition to authenticating the identity of the users of accessing hosts with username/password, authentication server 31 is also responsible for extracting the worm information from the RADIUS-encapsulated EAPOL protocol frame and sending it on to access control server 32 encapsulated in RADIUS packet format. Authentication server 31 communicates with access control server 32 using the standard RADIUS protocol; in this process authentication server 31 acts as the RADIUS client and access control server 32 as the RADIUS server. The worm fingerprint information is encapsulated in the RADIUS packet in "type, length, content" format, where the value of the type field must be uniformly defined by the four parties, client 1, worm-blocking device 2, authentication server 31 and access control server 32, so that all four can understand the meaning of this specific field.
Access control server 32 provides the correct port configuration policy for worm-blocking device 2. After receiving the authentication request packet sent by authentication server 31, server 32 extracts the worm information from it and matches the worm type in the worm information against the worm types stored in its database. If there is no match, it sends an authentication failure message to authentication server 31, which converts the message format and sends this instruction to the control unit of worm-blocking device 2, thereby blocking the corresponding controlled unit and stopping the host connected to this port from accessing the network. If there is a matching worm type, access control server 32 looks up the corresponding port access control policy and, likewise using authentication server 31 as the messenger, sends this control policy instruction to the control unit of worm-blocking device 2, so that the corresponding controlled unit is set to restrict the network resources the host on this port can access.
Authentication server 31 and access control server 32 together form access control device 3 of the invention.
The deployment architecture of this embodiment in a network is shown in Fig. 4: each host of the internal LAN is connected to the external network through a switch, and the switching equipment at this point is the worm-blocking device described in the invention.
Now, if a certain host A in the intranet has been infected by a worm, when the intrusion detection device notices that host A keeps sending traffic outward and thereby identifies the worm attack, it sends the worm information, which includes host A's MAC address, IP address and the type of worm attack, to the worm-blocking device. This information is then processed by the authentication server and the access control server, and the result is fed back to the worm-blocking device. Finally the worm-blocking device controls the traffic host A sends outward according to this result, preventing the worm from further infecting other hosts in the network.
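The matching and state-setting of steps (4) and (5), and the behaviour of access control server 32 just described (no match yields a failure that puts the port in the unauthorized state; a match yields the port's policy, which restricts the host to the listed resources), as an added worked example in Python. This is not the patent's or the assignee's code: the policy representation (a set of destination IP addresses the infected host may still reach, such as a patch server), the instruction dictionaries, and the worm-type database and policy files are constructed assumptions, as is the choice to fall back to the default instruction when the worm type is known but the port's policy file has no entry for it.

```python
"""Access control server matching and controlled-unit authorization states.

Added example, not the patent's own code. Policy representation, instruction
format and the sample databases are assumptions made for illustration.
"""
from enum import Enum
from typing import Dict, Set


class PortState(Enum):
    AUTHORIZED = "authorized"             # all network elements reachable
    PARTIALLY_AUTHORIZED = "partial"      # only elements named in the policy
    UNAUTHORIZED = "unauthorized"         # no access through this port


# Constructed worm-type database of the access control server.
WORM_TYPES = {"worm-A", "worm-B"}

# Constructed port access control policy files: one file per control port,
# each mapping a worm type to the destinations the host may still reach.
PATCH_SERVER = "10.0.0.250"
PORT_POLICY_FILES: Dict[int, Dict[str, Set[str]]] = {
    3: {"worm-A": {PATCH_SERVER}, "worm-B": {PATCH_SERVER, "10.0.0.251"}},
    7: {"worm-A": {PATCH_SERVER}},
}


def access_control_instruction(port: int, worm_type: str) -> dict:
    """Step (4): a policy instruction on a match, else the default instruction."""
    policies = PORT_POLICY_FILES.get(port, {})
    if worm_type in WORM_TYPES and worm_type in policies:
        return {"default": False, "policy": sorted(policies[worm_type])}
    return {"default": True}   # unknown worm: block the port outright


class ControlledUnit:
    """The authorization device behind one control port."""

    def __init__(self) -> None:
        self.state = PortState.AUTHORIZED   # normal operation
        self.allowed: Set[str] = set()

    def apply(self, instruction: dict) -> PortState:
        """Step (5), performed by the control unit when an instruction arrives."""
        if instruction.get("default"):
            self.state, self.allowed = PortState.UNAUTHORIZED, set()
        else:
            self.state = PortState.PARTIALLY_AUTHORIZED
            self.allowed = set(instruction["policy"])
        return self.state

    def permits(self, dst_ip: str) -> bool:
        """Would a frame from the attached host to dst_ip be forwarded?"""
        if self.state is PortState.AUTHORIZED:
            return True
        return dst_ip in self.allowed


def block_worm(port: int, worm_type: str, unit: ControlledUnit) -> PortState:
    """End to end for one worm report already mapped to its control port."""
    return unit.apply(access_control_instruction(port, worm_type))
```

The default instruction is deliberately the most restrictive outcome: an unrecognized worm type leaves the host with no network access at all, and only a known type with an explicit per-port policy opens the narrow path to the patch server.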

Claims (10)

1. A system for blocking worm attacks, characterized in that the system comprises at least:
a client, in which client software that collects worm information from the network where it resides is installed, so that the worm information is sent via the worm blocking device to the access control apparatus for matching;
a worm blocking device, which is a network device providing access for users and which internally comprises a port reverse-lookup module, a plurality of control ports into which users connect, and network elements that provide the respective services; each control port consists of a control unit and a controlled unit, and the different network elements to which a controlled unit is connected can provide different services; after receiving the access control instruction returned by the access control apparatus, the device performs the corresponding operation on the corresponding control port;
an access control apparatus, comprising at least an access control server, inside which two databases are provided, storing respectively the worm types known in the network and the port access control policies of the worm blocking device; the port access control policies are port access control policy files in one-to-one correspondence with the different control ports, each containing multiple access control policies; the apparatus reads the worm information, searches the worm type database and the port access control policy database for a match with the worm type and related information in the worm information, and sends the corresponding access control instruction back to the worm blocking device according to the match result.
2. The system for blocking worm attacks according to claim 1, characterized in that the worm information comprises: the source MAC address, source IP address and worm type of the host infected with the worm.
3. The system for blocking worm attacks according to claim 1, characterized in that the client is an intrusion detection device on which the client software for collecting worm information is installed.
4. The system for blocking worm attacks according to claim 1, characterized in that the functions of the components of the worm blocking device are:
the port reverse-lookup module is responsible for the interface with the client; it receives the worm information from the client, performs a port reverse lookup on the source MAC address and/or source IP address it contains, and forwards the worm information to the control unit of the corresponding control port according to the result of the lookup;
the control unit sends the worm information to the access control apparatus that matches the worm, receives the access control instruction returned by the access control apparatus, and controls the operation of the controlled unit according to that instruction;
the controlled unit is an authorization device which enters one of three operating states according to the access control instruction: in the authorized state, the attached host can access all network elements connected to the port and thus obtain all the services those network elements provide; in the partially authorized state, the attached host may access only some or specific network elements connected to the port; in the unauthorized state, the attached host is denied access;
the network elements providing services are the network resources that hosts connected to the worm blocking device can access.
5. The system for blocking worm attacks according to claim 1 or 4, characterized in that the worm blocking device is a switch, and the network is then an internal LAN.
6. The system for blocking worm attacks according to claim 1, characterized in that the access control apparatus further comprises an authentication server, so that the identity of a connecting host is authenticated by username/password.
7. A method for blocking a network worm attack using the system for blocking worm attacks of claim 1, characterized in that it comprises at least the following steps:
(1) the client software polls the intrusion detection device on which it resides to check whether a worm attack has been detected; once a worm attack is discovered, the client software extracts the relevant information of the attack, encapsulates it in a "type, length, content" format, and sends the worm information packet to the worm blocking device using a network communication protocol;
(2) the worm blocking device first passes the worm information to the port reverse-lookup module for reverse-lookup processing; after finding the user access port corresponding to the source MAC address and/or source IP address in the worm information, it forwards the worm information to the control unit of that access port;
(3) the control unit sends the worm information to the access control apparatus through its interface with the access control apparatus;
(4) the access control apparatus matches the worm type in the worm information against the worm type database; if a match is found, it selects the corresponding port access control policy from the corresponding port access control policy file, encapsulates it as an access control instruction in the format of the network protocol used between the access control apparatus and the worm blocking device, and sends it to the control unit of the worm blocking device; if no match is found, it sends the default access control instruction directly to the control unit of the worm blocking device;
(5) the control unit reads the access control instruction and sets the authorization state of the corresponding controlled unit according to it: for the default access control instruction, the corresponding controlled unit is set to the unauthorized state; if the access control instruction contains a specific access control policy, that policy is configured on the corresponding controlled unit.
8. The method for blocking a network worm attack according to claim 7, characterized in that the network communication protocol used by the client software to send the worm information packet in step (1) comprises Transmission Control Protocol TCP, User Datagram Protocol UDP, Internet Control Message Protocol ICMP, and Extensible Authentication Protocol over LAN EAPOL.
9. The method for blocking a network worm attack according to claim 7, characterized in that the type field of the encapsulation format in step (1) is a 3-bit identifier, in which the first bit indicates that the packet is a worm information packet and the last two bits determine the reverse-lookup mode used by the port reverse-lookup module of the worm blocking device, the default mode being reverse lookup by source MAC address.
10. The method for blocking a network worm attack according to claim 7 or 9, characterized in that the reverse-lookup processing performed by the port reverse-lookup module in step (2) offers three selectable reverse-lookup modes, namely:
reverse lookup by source MAC address: the source MAC address in the worm information is compared with the MAC address database stored in the worm blocking device, which records the correspondence between MAC addresses and the control ports of the worm blocking device; if the source MAC address is found in the MAC address database, the worm information is forwarded to the control port corresponding to that source MAC address; otherwise the worm information packet is discarded;
reverse lookup by source IP address: an Address Resolution Protocol ARP request is first broadcast for the source IP address in the worm information; if no ARP response is received, i.e. no MAC address corresponding to that source IP address is returned, the worm information packet is discarded; if a response carrying the MAC address corresponding to that source IP address is received, that MAC address is then compared with the MAC address database, and if it is found there the worm information is forwarded to the corresponding control port; otherwise the worm information packet is discarded;
reverse lookup by MAC address and IP address: reverse lookup is first performed on the source MAC address in the worm information; if that source MAC address is not found in the MAC address database, a second port reverse lookup is performed using the source IP address in the worm information.
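Steps (1) and (2) of claim 7, with the 3-bit type field of claim 9 and the three reverse-lookup modes of claim 10, are worked through below as an added Python example; it is not code from the patent or its assignee. The claims fix only that the type field is three bits, that its first bit flags a worm information packet and that its last two bits select the mode; the byte layout used here (one type byte with the identifier in its low bits, a 2-byte big-endian length, then MAC, IPv4 and worm type as the content), the assignment of bit patterns to modes, and the in-memory ARP table that stands in for the broadcast ARP exchange are all assumptions. The MAC tables and worm reports are constructed sample data.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Three-bit type field of claim 9. Bit 2 flags a worm information packet; bits
# 1-0 select the reverse-lookup mode. Which two-bit pattern names which mode is
# not stated on the page, so this numbering is an assumption.
WORM_FLAG = 0b100
MODE_MAC = 0          # default: reverse lookup by source MAC
MODE_IP = 1           # reverse lookup by source IP via ARP
MODE_MAC_THEN_IP = 2  # MAC first, then IP
VALID_MODES = (MODE_MAC, MODE_IP, MODE_MAC_THEN_IP)


@dataclass(frozen=True)
class WormInfo:
    src_mac: str    # "00:11:22:33:44:55"
    src_ip: str     # dotted quad
    worm_type: str


def encode_packet(info: WormInfo, mode: int = MODE_MAC) -> bytes:
    """'type, length, content' packet. Assumed byte layout: one type byte with the
    3-bit identifier in its low bits, a 2-byte big-endian length, then
    content = 6-byte MAC + 4-byte IPv4 + UTF-8 worm type."""
    if mode not in VALID_MODES:
        raise ValueError(f"unknown reverse-lookup mode {mode}")
    content = (bytes.fromhex(info.src_mac.replace(":", ""))
               + bytes(int(o) for o in info.src_ip.split("."))
               + info.worm_type.encode("utf-8"))
    return struct.pack("!BH", WORM_FLAG | mode, len(content)) + content


def decode_packet(raw: bytes) -> Optional[Tuple[int, WormInfo]]:
    """Return (mode, WormInfo), or None for anything that is not a well-formed worm packet."""
    if len(raw) < 3:
        return None
    type_field, length = struct.unpack("!BH", raw[:3])
    content = raw[3:]
    if type_field & ~0b111 or not type_field & WORM_FLAG:
        return None                                # not a worm information packet
    mode = type_field & 0b11
    if mode not in VALID_MODES or len(content) != length or length < 10:
        return None                                # reserved mode, or truncated/oversized content
    mac = ":".join(f"{b:02x}" for b in content[:6])
    ip = ".".join(str(b) for b in content[6:10])
    try:
        worm_type = content[10:].decode("utf-8")
    except UnicodeDecodeError:
        return None
    return mode, WormInfo(mac, ip, worm_type)


class PortReverseLookupModule:
    """mac_table is the device's MAC address database (MAC -> control port);
    arp_table stands in for the ARP request/response of claim 10 (IP -> MAC)."""

    def __init__(self, mac_table: Dict[str, int], arp_table: Dict[str, str]):
        self.mac_table = {m.lower(): p for m, p in mac_table.items()}
        self.arp_table = {ip: m.lower() for ip, m in arp_table.items()}

    def by_mac(self, mac: str) -> Optional[int]:
        return self.mac_table.get(mac.lower())

    def by_ip(self, ip: str) -> Optional[int]:
        mac = self.arp_table.get(ip)               # None models "no ARP reply"
        return None if mac is None else self.by_mac(mac)

    def lookup(self, mode: int, info: WormInfo) -> Optional[int]:
        if mode == MODE_MAC:
            return self.by_mac(info.src_mac)
        if mode == MODE_IP:
            return self.by_ip(info.src_ip)
        if mode == MODE_MAC_THEN_IP:
            port = self.by_mac(info.src_mac)
            return port if port is not None else self.by_ip(info.src_ip)
        return None


def route_worm_packet(raw: bytes, module: PortReverseLookupModule) -> Optional[int]:
    """Step (2): decode and reverse-look-up the control port; None means the packet is discarded."""
    decoded = decode_packet(raw)
    if decoded is None:
        return None
    mode, info = decoded
    return module.lookup(mode, info)


# Constructed sample tables and reports.
MODULE = PortReverseLookupModule(
    mac_table={"00:11:22:33:44:55": 3, "66:77:88:99:aa:bb": 7},
    arp_table={"10.0.0.5": "00:11:22:33:44:55", "10.0.0.9": "66:77:88:99:aa:bb"},
)
HOST_A = WormInfo("00:11:22:33:44:55", "10.0.0.5", "blaster")
# MAC absent from the table but IP resolves: only the IP-based modes can place this host.
HOST_B = WormInfo("de:ad:be:ef:00:01", "10.0.0.9", "sasser")

if __name__ == "__main__":
    for info, mode in ((HOST_A, MODE_MAC), (HOST_B, MODE_MAC), (HOST_B, MODE_MAC_THEN_IP)):
        print(info.worm_type, mode, route_worm_packet(encode_packet(info, mode), MODULE))
```

Every reject path in the decoder and the lookup returns None and the packet is dropped, matching the claims, which discard rather than guess when a MAC is unknown or an ARP request goes unanswered. The claims say nothing about authenticating the sender of the worm information packet; this example trusts it, as the description does.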
CNB2005101127104A 2005-10-10 2005-10-10 System and method for blocking worm attack Expired - Fee Related CN100464548C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005101127104A CN100464548C (en) 2005-10-10 2005-10-10 System and method for blocking worm attack

Publications (2)

Publication Number Publication Date
CN1744607A CN1744607A (en) 2006-03-08
CN100464548C true CN100464548C (en) 2009-02-25

Family

ID=36139798

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005101127104A Expired - Fee Related CN100464548C (en) 2005-10-10 2005-10-10 System and method for blocking worm attack

Country Status (1)

Country Link
CN (1) CN100464548C (en)


Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7948977B2 (en) * 2006-05-05 2011-05-24 Broadcom Corporation Packet routing with payload analysis, encapsulation and service module vectoring
CN101197809B (en) * 2006-12-08 2010-09-08 北京大学 A method for blocking worm propagation and a device for realizing the method
CN101022459B (en) * 2007-03-05 2010-05-26 华为技术有限公司 System and method for preventing virus from invading network
CN101414914B (en) * 2008-11-26 2012-01-25 北京星网锐捷网络技术有限公司 Method and apparatus for filtrating data content, finite state automata and conformation apparatus
US8561182B2 (en) * 2009-01-29 2013-10-15 Microsoft Corporation Health-based access to network resources
CN102082810B (en) * 2009-11-30 2014-05-07 中国移动通信集团广西有限公司 Method, system and device for user terminal to access internet
CN101815076B (en) * 2010-02-05 2012-09-19 浙江大学 A Method for Detecting Intranet Worm Hosts
CN101950336B (en) * 2010-08-18 2015-08-26 北京奇虎科技有限公司 A kind of method and apparatus removing rogue program
CN101917440B (en) * 2010-08-24 2013-07-31 北京北信源软件股份有限公司 Control method and system for computer to receive management after computer accesses local area network
CN102231678A (en) * 2011-06-27 2011-11-02 华为终端有限公司 Method, device and system for equipment management
CN107832605A (en) * 2017-11-22 2018-03-23 江苏神州信源系统工程有限公司 A kind of method and apparatus for protecting terminal security
DE102018100629A1 (en) * 2018-01-12 2019-07-18 Krohne Messtechnik Gmbh System with an electrical device
CN113630415A (en) * 2021-08-10 2021-11-09 工银科技有限公司 Network admission control method, apparatus, system, device, medium and product
CN115001804B (en) * 2022-05-30 2023-11-10 广东电网有限责任公司 Bypass access control system, method and storage medium applied to field station
CN117240623B (en) * 2023-11-13 2024-02-02 杭州海康威视数字技术股份有限公司 Worm virus blocking system, method and device for guaranteeing service continuity

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030191966A1 (en) * 2002-04-09 2003-10-09 Cisco Technology, Inc. System and method for detecting an infective element in a network environment
CN1549126A (en) * 2003-05-16 2004-11-24 北京爱迪安网络技术有限公司 Method for detecting worm virus and delaying virus spreading
WO2005006710A1 (en) * 2003-07-03 2005-01-20 Arbor Networks, Inc. Method and system for reducing scope of self-propagating attack code in network
CN1571362A (en) * 2004-05-14 2005-01-26 清华大学 Early stage prewarning method for Internet worm virus
WO2005064854A1 (en) * 2003-12-29 2005-07-14 Dacom Corporation System for integrated security management based on the network
CN1668015A (en) * 2004-12-20 2005-09-14 华中科技大学 Large-Scale Network Security Defense System Based on Cooperative Intrusion Detection

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101895543A (en) * 2010-07-12 2010-11-24 江苏华丽网络工程有限公司 Method for effectively defending flood attack based on network switching equipment
CN101895543B (en) * 2010-07-12 2012-12-05 江苏华丽网络工程有限公司 Method for effectively defending flood attack based on network switching equipment
CN101917438A (en) * 2010-08-23 2010-12-15 浪潮(北京)电子信息产业有限公司 Access control method and system in network communication system

Also Published As

Publication number Publication date
CN1744607A (en) 2006-03-08

Similar Documents

Publication Publication Date Title
CN100464548C (en) System and method for blocking worm attack
US7207061B2 (en) State machine for accessing a stealth firewall
US7797436B2 (en) Network intrusion prevention by disabling a network interface
AU2002324631B2 (en) Active intrusion resistant environment of layered object and compartment keys
US8661250B2 (en) Remote activation of covert service channels
JP4174392B2 (en) Network unauthorized connection prevention system and network unauthorized connection prevention device
US7370354B2 (en) Method of remotely managing a firewall
Chao-Yang DOS attack analysis and study of new measures to prevent
US7213265B2 (en) Real time active network compartmentalization
KR100358518B1 (en) Firewall system combined with embeded hardware and general-purpose computer
CN115378625B (en) Cross-network information security interaction method and system
US20030140248A1 (en) Undetectable firewall
AU2002324631A1 (en) Active intrusion resistant environment of layered object and compartment keys
JP2004302538A (en) Network security system and network security management method
WO2015174100A1 (en) Packet transfer device, packet transfer system, and packet transfer method
Meena et al. HyPASS: Design of hybrid-SDN prevention of attacks of source spoofing with host discovery and address validation
RU2163745C2 (en) Protective system for virtual channel of corporate network using authentication router and built around shared communication network channels and switching facilities
WO2005026872A2 (en) Internal lan perimeter security appliance composed of a pci card and complementary software
JP2006099590A (en) Access controller, access control method and access control program
WO2024066059A1 (en) Industrial internet security system and method based on sdp and edge computing
Song et al. Formal reasoning about a specification-based intrusion detection for dynamic auto-configuration protocols in ad hoc networks
JP3609381B2 (en) Distributed denial of service attack prevention method, gate device, communication device, and program
US20060225141A1 (en) Unauthorized access searching method and device
CN114301693B (en) Hidden channel security defense system for cloud platform data
Ghosh et al. Analysis of Network Security Issues and Threats Analysis on 5G Wireless Networks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: CHINA TELECOMMUNICATION STOCK CO., LTD.

Free format text: FORMER OWNER: CHINA TELECOMMUNICATION STOCK CO., LTD. GUANGDONG ACADEME

Effective date: 20091030

C41 Transfer of patent application or patent right or utility model
C56 Change in the name or address of the patentee

Owner name: CHINA TELECOMMUNICATION STOCK CO., LTD. GUANGDONG

Free format text: FORMER NAME: GUANGDONG PROVINCE TELECOMMUNICATION CO., LTD. RESEARCH INSTITUTE

CP03 Change of name, title or address

Address after: 20, building 109, West Zhongshan Avenue, Tianhe District, Guangzhou, Guangdong

Patentee after: GUANGDONG RESEARCH INSTITUTE, CHINA TELECOM Co.,Ltd.

Address before: No. 109, Zhongshan Avenue, Tianhe District, Guangdong, Guangzhou

Patentee before: Guangdong Telecommunication Co.,Ltd. Institude

TR01 Transfer of patent right

Effective date of registration: 20091030

Address after: No. 31, Finance Street, Beijing, Xicheng District

Patentee after: CHINA TELECOM Corp.,Ltd.

Address before: 20, building 109, West Zhongshan Avenue, Tianhe District, Guangzhou, Guangdong

Patentee before: GUANGDONG RESEARCH INSTITUTE, CHINA TELECOM Co.,Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090225

Termination date: 20141010

EXPY Termination of patent right or utility model