
CN111212086A - Computer network protection method and system - Google Patents


Info

Publication number: CN111212086A
Authority: CN (China)
Prior art keywords: access request, network access, white list, requester, authentication
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202010048308.9A
Other languages: Chinese (zh)
Inventors: 崔建涛, 杨华, 陈锐, 韩丽, 崔霄, 孙海燕, 马军霞
Current Assignee: Zhengzhou University of Light Industry (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: Zhengzhou University of Light Industry
Priority date: 2020-01-16 (the priority date is an assumption and is not a legal conclusion)
Filing date: 2020-01-16
Publication date: 2020-05-29

Classifications

    • H04L63/101 Access control lists [ACL] (under H04L63/10, network security architectures or protocols for controlling access to devices or network resources)
    • H04L63/0428 Confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload (under H04L63/04)
    • H04L63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint (under H04L63/08)
    • (all three under H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L63/00: Network architectures or network communication protocols for network security)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a computer network protection method and system. The computer network protection method includes: when a network access request sent by a requester is detected, judging whether the requester is in a white list, wherein the network access request includes identification information of the requester and a data packet; when it is determined that the requester is not in the white list, sending an authentication request to a designated monitoring terminal and determining, according to the authentication result, whether to respond to the network access request; and when it is determined that the requester is in the white list, encrypting the data packet in the network access request and responding to the network access request. The technical scheme of the present invention can effectively prevent illegal requesters from intruding into the network and improve the security of the network.

[Figure: drawing accompanying application 202010048308]

Description

Computer network protection method and system
Technical Field
The invention relates to the technical field of computers, in particular to a computer network protection method, a computer network protection system and computer equipment.
Background
The development and application of computer network technology have changed modern office methods and management approaches, for example through management information systems and office automation systems, by which daily work can be managed centrally, improving work efficiency and increasing economic benefit. However, as computer network technology develops, it faces various threats and attacks, and protection must be strengthened to ensure the reliability of the network; current network protection technology is relatively deficient and needs improvement.
Disclosure of Invention
Based on at least one of the above technical problems, the present invention provides a new computer network protection scheme, which can effectively prevent an illegal requester from invading the network and improve the security of the network.
In view of the above, the present invention provides a new computer network protection method, including: when a network access request sent by a requester is detected, judging whether the requester is in a white list, wherein the network access request comprises identification information and a data packet of the requester; when the requesting party is determined not to be in the white list, sending an authentication request to a specified monitoring terminal, and determining whether to respond to the network access request according to an authentication result; and when the requester is determined to be in the white list, encrypting the data packet in the network access request, and responding to the network access request.
In the foregoing technical solution, preferably, the white list includes a plurality of identification information, and the step of determining whether the requesting party is in the white list specifically includes: extracting identification information of the requester from the network access request; and judging whether the identification information of the requesting party is in the white list, and if so, indicating that the requesting party is in the white list.
In any one of the foregoing technical solutions, preferably, the step of sending an authentication request to a designated monitoring terminal and determining whether to respond to the network access request according to an authentication result specifically includes: detecting whether authentication passing information fed back by the specified monitoring terminal is acquired within preset time; if the authentication passing information is received, responding to the network access request; and if the authentication passing information is not received within the preset time, forbidding the network access request, and adding the requesting party into a blacklist.
According to a second aspect of the present invention, there is provided a computer network defense system comprising a judging unit, a first processing unit and a second processing unit, wherein the judging unit is used for judging whether a requesting party is in a white list when a network access request sent by the requesting party is detected, and the network access request comprises identification information and a data packet of the requesting party; the first processing unit is used for sending an authentication request to a specified monitoring terminal when the requesting party is determined not to be in the white list, and determining whether to respond to the network access request according to an authentication result; and the second processing unit is used for encrypting the data packet in the network access request and responding to the network access request when the requester is determined to be in the white list.
In the foregoing technical solution, preferably, the white list includes a plurality of identification information, and the determining unit is specifically configured to: extracting identification information of the requester from the network access request; and judging whether the identification information of the requesting party is in the white list, and if so, indicating that the requesting party is in the white list.
In any one of the above technical solutions, preferably, the first processing unit is specifically configured to: detecting whether authentication passing information fed back by the specified monitoring terminal is acquired within preset time; if the authentication passing information is received, responding to the network access request; and if the authentication passing information is not received within the preset time, forbidding the network access request, and adding the requesting party into a blacklist.
According to a third aspect of the invention, there is provided a computer device comprising: a processor; and a memory communicatively coupled to the processor; wherein the memory stores readable instructions which, when executed by the processor, implement the method of any of the above aspects.
According to a fourth aspect of the present invention, a computer readable storage medium is presented, having stored thereon a computer program, which when executed, performs the method according to any of the previous claims.
Through the technical scheme, when a requester has a network access requirement, whether the requester is legal is detected, specifically by judging whether the requester is in a white list. If the requester is in the white list, the requester is allowed to access the network; if the requester is not in the white list, the requester must be further authenticated through a designated monitoring terminal, and access is permitted if the authentication passes and prohibited if it does not. The security of the network is thereby ensured.
Drawings
FIG. 1 shows a flow diagram of a computer network securing method according to an embodiment of the invention;
FIG. 2 shows a schematic block diagram of a computer network defense system according to an embodiment of the invention;
FIG. 3 shows a schematic block diagram of a computer device according to an embodiment of the invention.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a more particular description of the invention will be rendered by reference to the appended drawings. It should be noted that the embodiments and features of the embodiments of the present application may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, however, the present invention may be practiced in other ways than those specifically described herein, and therefore the scope of the present invention is not limited by the specific embodiments disclosed below.
Referring to fig. 1, the method for protecting a computer network according to an embodiment of the present invention specifically includes the following steps:
Step S102: when a network access request sent by a requester is detected, judging whether the requester is in a white list, wherein the network access request comprises identification information and a data packet of the requester.
Specifically, the white list holds a plurality of identification information, and the determination process is as follows: extracting the identification information of the requesting party from the network access request, judging whether the identification information of the requesting party is in the white list, and if so, indicating that the requesting party is in the white list.
Step S104: when the requesting party is determined not to be in the white list, sending an authentication request to the appointed monitoring terminal, and determining whether to respond to the network access request according to an authentication result.
Step S106: when the requesting party is determined to be in the white list, encrypting the data packet in the network access request, and responding to the network access request.
Further, step S104 specifically includes: detecting whether authentication passing information fed back by the specified monitoring terminal is acquired within a preset time; if the authentication passing information is received, responding to the network access request; and if the authentication passing information is not received within the preset time, forbidding the network access request, and adding the requesting party to the blacklist.
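The flow of steps S102 to S106, as an added example that is not code from the patent or its applicant: a Python gate that applies the whitelist check, the time-bounded out-of-band authentication with blacklisting on timeout, and the encrypt-then-respond branch. The identifier type, the monitoring-terminal callback, the injectable clock and the stand-in counter-mode cipher are assumptions made here so the flow runs offline.

```python
"""Access gate implementing the patent's steps S102-S106.

Added example; not the patent's own code. The identifier type, the
monitoring-terminal callback, the preset timeout, the injected clock and
the stand-in cipher are assumptions made here to make the flow runnable.
"""
import hashlib
import os
import time
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass
class AccessRequest:
    requester_id: str   # identification info in the request (assumed: a device fingerprint string)
    packet: bytes       # the data packet carried in the request


@dataclass
class Decision:
    action: str                       # "respond" or "forbid"
    reason: str                       # which branch of the method produced it
    payload: Optional[bytes] = None   # packet as it would be passed on (None when forbidden)


NONCE_LEN = 12


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the 'encryption processing' the patent leaves unspecified:
    SHA-256 in counter mode as a keystream XORed over the data (so the same
    call decrypts). Demonstration only; a deployment would use an AEAD."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        keystream = hashlib.sha256(key + nonce + block_no.to_bytes(4, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


class NetworkGate:
    """Judging unit (S102), first processing unit (S104) and second
    processing unit (S106) collapsed into one object."""

    def __init__(self, whitelist: Iterable[str],
                 ask_monitor: Callable[[str], bool],
                 preset_time: float = 5.0,
                 key: Optional[bytes] = None,
                 clock: Callable[[], float] = time.monotonic):
        self.whitelist = set(whitelist)     # plurality of identification information
        self.blacklist = set()              # filled by failed authentications
        # ask_monitor sends the authentication request to the designated
        # monitoring terminal and returns True once 'authentication passing'
        # information arrives; it may block. Transport is out of scope here.
        self.ask_monitor = ask_monitor
        self.preset_time = preset_time
        self.key = key if key is not None else os.urandom(32)
        self.clock = clock                  # injectable so the timeout can be tested

    def handle(self, req: AccessRequest) -> Decision:
        # Assumption: a requester already blacklisted by an earlier failed
        # authentication is refused outright (the patent only says it is added).
        if req.requester_id in self.blacklist:
            return Decision("forbid", "blacklisted")

        # S102: membership of the identifier in the whitelist decides the branch.
        # The check is only as strong as the identifier; a spoofable value such
        # as a MAC address makes this branch the one to monitor most closely.
        if req.requester_id in self.whitelist:
            # S106: encrypt the data packet, then respond.
            nonce = os.urandom(NONCE_LEN)
            return Decision("respond", "whitelisted",
                            nonce + stream_encrypt(self.key, nonce, req.packet))

        # S104: out-of-band authentication via the monitoring terminal, bounded
        # by the preset time. An approval that arrives late is not accepted.
        started = self.clock()
        passed = self.ask_monitor(req.requester_id)
        elapsed = self.clock() - started
        if passed and elapsed <= self.preset_time:
            # The patent does not say the packet is encrypted on this path, nor
            # that the requester is promoted to the whitelist; neither is done.
            return Decision("respond", "monitor approved", req.packet)
        self.blacklist.add(req.requester_id)
        return Decision("forbid", "no approval within preset time")


if __name__ == "__main__":
    # Constructed sample traffic: one whitelisted device, one unknown device.
    gate = NetworkGate(["dev-A"], ask_monitor=lambda rid: False, preset_time=1.0)
    print(gate.handle(AccessRequest("dev-A", b"GET /status")))
    print(gate.handle(AccessRequest("dev-Z", b"GET /status")))
    print("blacklist:", gate.blacklist)
```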
As shown in fig. 2, a computer network defense system 200 according to an embodiment of the invention includes: a judging unit 202, a first processing unit 204 and a second processing unit 206.
The determining unit 202 is configured to determine whether a requester is in a white list when a network access request sent by the requester is detected, where the network access request includes identification information and a data packet of the requester; the first processing unit 204 is configured to send an authentication request to the designated monitoring terminal when it is determined that the requesting party is not in the white list, and determine whether to respond to the network access request according to an authentication result; the second processing unit 206 is configured to perform encryption processing on the data packet in the network access request and respond to the network access request when it is determined that the requesting party is on the white list.
Further, there are a plurality of identification information in the white list, and the determining unit 202 is specifically configured to: extracting identification information of a requester from the network access request; and judging whether the identification information of the requesting party is in a white list or not, and if so, indicating that the requesting party is in the white list.
Further, the first processing unit 204 is specifically configured to: detecting whether authentication passing information fed back by a specified monitoring terminal is acquired within preset time; if the authentication passing information is received, responding to the network access request; and if the authentication passing information is not received within the preset time, forbidding the network access request, and adding the requesting party into the blacklist.
When a requester has a network access requirement, detecting whether the requester is legal, specifically judging whether the requester is in a white list, if so, allowing the requester to access the network, if not, further authenticating by a specified monitoring terminal, allowing the requester to access the network by authentication, and forbidding access if not, thereby ensuring the security of the network.
As shown in fig. 3, a computer apparatus 300 according to an embodiment of the present invention includes: a memory 302, a processor 304, and a communication bus 306. The memory 302 is configured to store executable instructions; the processor 304 is configured to execute the stored instructions to implement the steps of the method according to any of the above embodiments, and so has all the technical effects of the computer network protection method, which are not described here again.
In particular, the memory 302 described above may include mass storage for data or instructions. By way of example, and not limitation, memory 302 may include a hard disk drive (HDD), floppy disk drive, flash memory, optical disk, magneto-optical disk, tape, or Universal Serial Bus (USB) drive, or a combination of two or more of these. Memory 302 may include removable or non-removable (or fixed) media, where appropriate. The memory 302 may be internal or external to the computer apparatus 300, where appropriate. In a particular embodiment, the memory 302 is a non-volatile solid-state memory. In a particular embodiment, the memory 302 includes read-only memory (ROM). Where appropriate, the ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically rewritable ROM (EAROM), or flash memory, or a combination of two or more of these. The processor 304 may include a central processing unit (CPU) or an application-specific integrated circuit (ASIC), or may be configured as one or more integrated circuits implementing embodiments of the present invention. The communication bus 306 is used to enable connection and communication between the processor 304 and the memory 302. The communication bus 306 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended ISA (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc.
An embodiment of the fourth aspect of the present invention provides a computer-readable storage medium on which a computer program is stored; the computer program, when executed by a processor, implements the steps of the method according to any of the above technical solutions, and so has all the technical effects of the computer network protection method, which are therefore not repeated here. Computer-readable storage media may include any medium that can store or transfer information. Examples of computer-readable storage media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber-optic media, radio frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, an intranet, etc.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (8)

1. A method of computer network protection, comprising:
when a network access request sent by a requester is detected, judging whether the requester is in a white list, wherein the network access request comprises identification information and a data packet of the requester;
when the requesting party is determined not to be in the white list, sending an authentication request to a specified monitoring terminal, and determining whether to respond to the network access request according to an authentication result;
and when the requester is determined to be in the white list, encrypting the data packet in the network access request, and responding to the network access request.
2. The method according to claim 1, wherein the white list includes a plurality of identification information, and the step of determining whether the requester is on the white list specifically includes:
extracting identification information of the requester from the network access request;
and judging whether the identification information of the requesting party is in the white list, and if so, indicating that the requesting party is in the white list.
3. The method according to claim 1, wherein the step of sending an authentication request to the designated monitoring terminal and determining whether to respond to the network access request according to an authentication result specifically comprises:
detecting whether authentication passing information fed back by the specified monitoring terminal is acquired within preset time;
if the authentication passing information is received, responding to the network access request;
and if the authentication passing information is not received within the preset time, forbidding the network access request, and adding the requesting party into a blacklist.
4. A computer network protection system, comprising:
a judging unit, a first processing unit and a second processing unit, wherein the judging unit is used for judging whether a requesting party is in a white list when a network access request sent by the requesting party is detected, and the network access request comprises identification information and a data packet of the requesting party;
the first processing unit is used for sending an authentication request to a specified monitoring terminal when the requesting party is determined not to be in a white list, and determining whether to respond to the network access request according to an authentication result;
and the second processing unit is used for encrypting the data packet in the network access request and responding to the network access request when the requester is determined to be in the white list.
5. The computer network protection system according to claim 4, wherein the white list includes a plurality of identification information, and the determining unit is specifically configured to:
extracting identification information of the requester from the network access request;
and judging whether the identification information of the requesting party is in the white list, and if so, indicating that the requesting party is in the white list.
6. The computer network defense system of claim 4, wherein the first processing unit is specifically configured to:
detecting whether authentication passing information fed back by the specified monitoring terminal is acquired within preset time;
if the authentication passing information is received, responding to the network access request;
and if the authentication passing information is not received within the preset time, forbidding the network access request, and adding the requesting party into a blacklist.
7. A computer device, comprising:
a processor; and
a memory communicatively coupled to the processor;
wherein the memory stores readable instructions which, when executed by the processor, implement the method of any one of claims 1 to 3.
8. A computer-readable storage medium, on which a computer program is stored, which, when being executed, carries out the method according to any one of claims 1 to 3.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010048308.9A CN111212086A (en) 2020-01-16 2020-01-16 Computer network protection method and system (Pending)

Publications (1)

Publication Number Publication Date
CN111212086A (en) 2020-05-29

Family

ID=70787330

Country Status (1)

Country Link
CN (1) CN111212086A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114520742A (en) * 2022-02-21 2022-05-20 中国农业银行股份有限公司 Access request processing method, device and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7698442B1 (en) * 2005-03-03 2010-04-13 Voltage Security, Inc. Server-based universal resource locator verification service
CN101895855A (en) * 2009-05-18 2010-11-24 中国移动通信集团公司 Access method, base station and access system of mobile terminal
CN104506510A (en) * 2014-12-15 2015-04-08 百度在线网络技术(北京)有限公司 Method and device for equipment authentication and authentication service system
CN105141621A (en) * 2015-09-16 2015-12-09 北京星网锐捷网络技术有限公司 Network access monitoring method and device
CN107295017A (en) * 2017-08-10 2017-10-24 四川长虹电器股份有限公司 CC means of defences based on user authentication
CN107896228A (en) * 2017-12-22 2018-04-10 北京明朝万达科技股份有限公司 A kind of data leakage prevention method and system
CN108512784A (en) * 2018-06-21 2018-09-07 珠海宏桥高科技有限公司 Authentication method based on gateway routing forwarding

Similar Documents

Publication Publication Date Title
CN112291279B (en) Router intranet access method, system and equipment and readable storage medium
RU2680736C1 (en) Malware files in network traffic detection server and method
US11283810B2 (en) Communication control method and communication control device for substituting security function of communication device
CA2968327C (en) Systems and methods for malicious code detection accuracy assurance
EP1895738A2 (en) Intelligent network interface controller
CN112165455A (en) Data access control method and device, computer equipment and storage medium
CN109167780B (en) Method, device, system and medium for controlling resource access
US9300674B2 (en) System and methods for authorizing operations on a service using trusted devices
EP1630711A1 (en) Client apparatus, server apparatus and authority control method
CN106982188B (en) Malicious propagation source detection method and device
CN110971407A (en) Internet of things security gateway communication method based on quantum key
CN113923021A (en) Sandbox-based encrypted traffic processing method, system, device and medium
CN116743460A (en) Data exchange isolation method, system, equipment and storage medium for internal and external network
CN111212086A (en) Computer network protection method and system
US11722493B2 (en) Access analysis system and access analysis method
CN101826991A (en) Method and system for identifying illegal data packet
KR101881279B1 (en) Apparatus and method for inspecting the packet communications using the Secure Sockets Layer
CN106878233B (en) Method for reading security data, security server, terminal and system
CN109587134B (en) Method, apparatus, device and medium for secure authentication of interface bus
CN114500005B (en) ModbusTcp instruction protection method, device, terminal and storage medium
CN113347203B (en) Network attack detection method and device, electronic equipment and storage medium
KR101893100B1 (en) Scada control system for building facilities management and method for managing security policies of the system
CN115242775B (en) Resource file acquisition method, device, equipment, medium and product
CN111064731B (en) Identification method and identification device for access authority of browser request and terminal
JP6635029B2 (en) Information processing apparatus, information processing system, and communication history analysis method

Legal Events

Date Code Title Description
PB01 Publication (application publication date: 20200529)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication