CN101938459A

Movatterモバイル変換

Info

Publication number: CN101938459A
Application number: CN2010102057398A
Authority: CN
Inventors: 苟仲武
Original assignee: BEIJING HOSUN SCIENCE AND TECHNOLOGY Co Ltd
Current assignee: Beijing Netinorder Technology Co.,Ltd.
Priority date: 2010-06-22
Filing date: 2010-06-22
Publication date: 2011-01-05

Abstract

The invention discloses a CRNET (China Railcom Net) safe cooperative defense system for a whole course communication network, comprising a safety analysis control center, cooperative defense devices arranged at the key parts of various network nodes and a flow data detection subsystem arranged at an outer port of the network nodes. wWherein each cooperative defense device is internally provided with a flow monitoring function unitcomponent, the cooperative defense function unitcomponent and a plurality of safety function unitcomponents, such as a fireproof wall, the flow monitoring function component unit is used for informing, receiving, analyzing and processing a data flow collected by a detection system, the cooperative defense function unitcomponent is used for generating or receiving a strategy submitted by the safety analysis control center and implementing safe management and control according to the strategy, the safety analysis control center is used for integrally configuring, monitoring and managing the plurality of presidial cooperative defense devices, and the flow data detection subsystem is used for collecting the data flows of the preliminarily entering network nodes pre-entering the network. The invention can flexibly configure according to practical use, establishes a multi-level network safety strategy control system based on the safety analysis control center, the cooperative defense devices and the flow data detection subsystems for global network safety defense and management and effectively improves the whole safety defense strength and the management flexibility of thea network.

Description

Full process and full network safety composite defense system

[technical field]

The present invention relates to the Internet and computer network security technology field, relate in particular to the network cooperating defence safety system of the integrative coordinated defence of computer network security.

[background technology]

The develop rapidly of computer network brings great convenience for people's production and life, and the level of informatization of every profession and trade and enterprise is improved rapidly.We also have to be faced with the challenge of diverse network safety problem: virus, worm, wooden horse, malicious attack, unauthorized access, illegal external connection, spam etc. when having benefited from computer network and developing the huge opportunity of being brought rapidly.These network security threats bring very big inconvenience and loss not only for individual's work and life, more give enterprise, and government is brought tremendous influence.

In the face of these threats, people have proposed multiple safeguard procedures: fire compartment wall, anti-virus, intrusion detection, Virtual Private Network, anti-rubbish mail etc.But these network safety systems are isolated single on function, can only resist known attack mostly, lack the processing to factors such as network system failures and human operational errors.This traditional network safety system is based on the Passive Defence model that the static security technology is set up, the Prevention-Security strategy that has no basis unified carries out system to each aspect of network system comprehensively to be defendd, it is external additional that negative response and afterwards repairing improves, passive defence, fail to solve this fragile source problem, more can't tackle have various, at random, the attack and the destruction of characteristics such as hidden and propagation, and the safe and reliable of safety system self do not guarantee.This defence system can not adapt to current network environment demand for security complicated and changeable.

The variation of active computer network security product makes the mutual cooperation and the management of whole system become difficult point, and management cost that equipment control, operational management bring and difficulty have directly restricted the validity of Prevention-Security system.For cooperation and the problem of management that solves various network device, (Unified Treatment Management, mode UTM) merge multiple network security control ability to have proposed UTM in recent years, carry out unified management, realize that defence is integrated.This kind defense mechanism is for simplifying security solution, and evading the equipment compatibility problem provides effective way.But solution now or be software and hardware module independently to be embedded into realize piling up of function in a system or the cabinet, be that a certain function is carried out particular processing, can not accomplish to effectively integrate in the face of each layer of network and simplify processing from architecture layers, UTM equipment and system are also immature, and defensive measure is the isolated mode of " individual is from sweeping snow in front of the door ", that is, just carry out Passive Defence at single-point.The fact shows, the unsafe factor of computer network usually be not isolated and is separating, and more and more become group feature trend, isolated Passive Defence theory based on the computer network security system of defense of prior art obviously can't effectively defend the group network safety event (to spread as virus, distributed ddos attack etc.), can not fundamentally solve network security problem.

[summary of the invention]

The invention provides a kind of full process and full network safety composite defense system, propose the collaborative solution of overall formula network integration safety, realize that network integration of overall importance works in coordination with Prevention-Security.

In order to solve problem such as single safety function or multi-functional single-point Prevention-Security in the above-mentioned network, the invention provides a kind of full process and full network safety composite defense system.This full process and full network safety composite defense system comprises:

Be arranged at the data on flows detection subsystem of computer network node external port, described data on flows detection subsystem is caught pre-data traffic through network node;

Be arranged at the composite defense equipment of each network node of computer network, the built-in safety function assembly of described composite defense equipment, traffic monitoring functional unit and collaborative prevention and control functional unit, the data traffic that described traffic monitoring functional unit notice, reception, analysis and processing data on flows detection subsystem are obtained; Described collaborative prevention and control functional unit is controlled the information transmission between each composite defense equipment, generates or receives the strategy of safety analysis control centre and implement security management and control by strategy; And

Safety analysis control centre, centralized configuration, many composite defense equipment of monitoring and administrative institute's administration, built-in data center of described safety analysis control centre, data center carries out the storage of composite defense device gateway daily record and flow information, analyze and the audit processing, after composite defense equipment is transferred to the data center of safety analysis control centre with the data on flows of being put in order, unify to distinguish and analyze through safety analysis control centre, or the incident with general character and the warning of extracting each composite defense device discovery, unify to analyze the new security strategy of back generation in conjunction with default security strategy of safety analysis control centre and Internet resources, be distributed to each composite defense equipment, upgrade and the enforcement security strategy.

Built-in traffic monitoring functional unit and the composite defense functional unit that can be used for the data traffic analysis of described coordinated management equipment, can implement the generation and the strategy of discretionary security strategy deploys to ensure effective monitoring and control of illegal activities, and strategy can be reported and submitted with the territory in other composite defense equipment and carry out long-range deploying to ensure effective monitoring and control of illegal activities, thereby realize the double mechanism of management of composite defense equipment autonomously and coordinated management.

Described composite defense management system is based on server-agency's pattern, safety analysis control centre carries out secure communication by Agent and the composite defense equipment that is deployed on the composite defense equipment, local monitor plug-in unit in the Agent is according to the instruction of safety analysis control centre, and indication composite defense equipment is finished corresponding collaborative tactical management action.

Described composite defense equipment collaboration tactical management action comprises: state information and the performance data of returning current each composite defense equipment; Indicate each composite defense equipment under specific situation, as detect a large amount of abnormal flows etc., screening is the interior security component log information of section sometime, and these information are aggregated into safety analysis control centre; Each network security assembly in the composite defense equipment is unified to upgrade and control, transfer the security component collaborative work in many composite defense equipment; Composite defense device security assembly, security strategy and collaborative strategy are upgraded in upgrading.

Described composite defense equipment is managed in the mode of grouping, is that unit carries out long-range unified configuration operation with the group, and the composite defense equipment of management is organized into synergetic structure.

Described safety analysis control centre and each composite defense equipment are the tree network topological structure.

Described each composite defense equipment comprises first order composite defense equipment and second level composite defense equipment, described first order composite defense equipment is connected with safety analysis control centre respectively, and described first order composite defense equipment is connected with a plurality of second level composite defense equipment respectively.

Be stelliform connection topology configuration between described safety analysis control centre and each the composite defense equipment, be peer-to-peer network lattice network topological structure between each composite defense equipment.

Described arbitrary composite defense monitoring of tools after the information of new security incident and the information synchronization between other composite defense equipment comprise dual mode: the one, this composite defense equipment sends to safety analysis control centre with information, is transmitted to other composite defense equipment by safety analysis control centre; The 2nd, this composite defense equipment sends the circular content to other composite defense equipment, the circular content comprises the relevant information of security incident and the countermeasure information of this composite defense equipment self, and sends the summary of the information of circular content to safety analysis control centre.

Be peer-to-peer network lattice network topological structure between described safety analysis control centre and each the composite defense equipment.

Described safety analysis control centre is the composite defense equipment of highest weight limit.

The network node external port of computer network of the present invention is provided with the data on flows detection subsystem, and key positions such as node are provided with composite defense equipment.Described network traffics data snooping subsystem is caught the data on flows in the preadmission ingress, and sends the data to composite defense equipment; Composite defense equipment is therefrom analyzed and security incident such as recording exceptional flow, the original strategy of foundation or the New Policy of formation or the strategy that the safety analysis center sends over are handled security incident, and send to safety analysis control centre such as security incident, strategy, event handling result and diary thereof; Control centre receives and inner data center is controlled in the incident of transmission relevant information to safety analysis, control centre makes administrative decision after unifying to analyze by analysis, check each composite defense equipment, understand system operation situation, upgrade the composite defense strategy of each composite defense equipment then, each functional unit to composite defense equipment carries out unified plan, and by the audit diary source control is carried out in security incident, realizes the integrative coordinated Prevention-Security to network safety event.This individual system can be according to the flexible deployment scheme of real network topology demand.According to network size and application requirements, carry out topology deployment such as tree-shaped, starlike, and this deployment can be carried out any local area network (LAN), metropolitan area network and wide area network are expanded, foundation is the integrative coordinated system of defense of safety analysis control centre with security centre or each composite defense equipment, to carry out relevant inquiring, operation etc., thereby realize flexibly of overall importance and multi-level realization computer network security policy control.

As mentioned above, multiple safety function assembly, traffic monitoring functional unit and collaborative prevention and control functional unit such as composite defense equipment built-in firewall of the present invention; The data traffic that described traffic monitoring functional unit notice, reception, analysis and processing detection system are gathered; Described collaborative prevention and control functional unit generates or receives the strategy that safety analysis control centre issues, and implements security management and control by strategy; Many composite defense equipment of described safety analysis control centre centralized configuration, monitoring and administrative institute's administration, its built-in data center is the background process center that interior composite defense equipment magnanimity information is administered by institute; The data traffic that described data on flows detection subsystem is gone into the network node to preadmission is gathered.The present invention can be deployed as topological structures such as star-like, tree-shaped according to actual needs, and can carry out any local area network (LAN), metropolitan area network and wide area network are expanded, foundation effectively improves computer network general safety defensive strength and managerial flexibility based on the carried out global network Prevention-Security of safety analysis control centre, each composite defense equipment and data on flows detection subsystem and the multi-layer network security strategy hierarchy of control of management.

Full process and full network safety composite defense of the present invention system is according to the data on flows of data on flows detection subsystem monitoring computer network, analysis result according to safety analysis control centre, control each composite defense equipment collaboration defence, increase the globality defence and the collaborative defending performance of network, be convenient to network design and management, be applicable to government department, ecommerce and bank, so that safe and reliable network security protection system to be provided to the network security requirement strictness.

[description of drawings]

Fig. 1 is the theory diagram of the defense function of computer network security composite defense system.

Fig. 2 is the theory diagram of the collaborative tactical management of computer network security composite defense system.

Fig. 3 is the structure chart of the computer network security composite defense system of hierarchy schema.

Fig. 4 is the structure chart of the computer network security composite defense system of integrative Structure Mode.

Fig. 5 is the structure chart of the computer network security composite defense system of peering structure pattern.

[embodiment]

Reach technological means and the effect that predetermined purpose is taked for further setting forth the present invention, below in conjunction with drawings and Examples, embodiment, architectural feature and effect thereof to the method for full process and full network safety composite defense system of the present invention and composite defense are described in detail as follows.

Computer network composite defense of the present invention (Collabatative Threat Management, CTM, composite defense) system is based on existing UTM (Unified Treatment Management, the computer network security technology of unified defence Threat Management UTM) increases collaborative prevention and control function on the basis of UTM.

The present invention is the integrative coordinated defence of the collaborative unified management mechanism realization computer network of basic thought by utilization on network with " camera+traffic lights+unified monitoring administrative center ", improves the general safety defending performance of computer network.The present invention includes safety analysis control centre, composite defense equipment (composite defense equipment, easy for describing, be called for short CTM equipment below) and the data on flows detecting devices, the data on flows detection system places computer network node external port, preadmission being gone into the data traffic of network node catches, the network key position that composite defense equipment is arranged on computer network is network node etc. for example, the built-in data on flows of each composite defense equipment is surveyed supervisory control system to survey data on flows and can analyze, management control assembly and composite defense assembly also are set simultaneously, the data on flows detection subsystem is caught and the security incident (playing " camera " effect that is equivalent to) of CTM analytic record is transmitted to safety analysis control centre, after the information that safety analysis control centre receives each composite defense equipment is unified to analyze, generate the defence decision-making, and the unified CTM equipment (being equivalent to " unified scheduling ") that sends to each network node, upgrade the defence policies of the CTM equipment of each network node, realize the composite defense (being equivalent to " traffic lights " control) of the overall network security incident of computer network.

Data on flows detection subsystem of the present invention is arranged at outside the network node, and the data on flows of the network of network node is gone in the monitoring preadmission, and data monitored is sent to composite defense equipment.

Composite defense equipment of the present invention (Collabatative Threat Management, CTM, composite defense), be arranged at key positions such as network node, multiple safety function assembly such as built-in firewall, the flow that detection system is obtained carries out monitor component and collaborative prevention and control functional unit.The data on flows that composite defense device analysis detection system is brought, security incidents such as recording exceptional flow, and send security incident to safety analysis control centre.The strategy of composite defense renewal of the equipment safety analysis control centre distribution, and mission control center is to the redeploying of its each functional unit, and can realize information transmission and functional unit adjusting between its and other CTM equipment.Portion C TM equipment is loading data center and analysis and Control center also, does analysis and Control and uses, thereby increase the entire system coordination ability, reduces the burden at analysis and Control center.CTM equipment is at threats such as malicious attack, unlawful activities and Internet resources abuses, realizes highly reliable, the high-performance of composite defense, manageable gateway security equipment.

Safety analysis of the present invention control centre is management and dispose each composite defense equipment Surveillance center that line data handles that goes forward side by side.The CTM Equipment Inspection to security event information be transferred to its built-in data center after, control centre is unified by analysis analyzes, and generates corresponding countermeasure, is distributed to each CTM equipment.The security incident with general character that simultaneously can also discrimination analysis goes out each CTM monitoring of equipment is reported to the police, and generates configuration suggestion, respectively each CTM equipment is configured renewal.The keeper also can be provided with according to analysis result and manually upgrade each CTM equipment disposition.The built-in data center in analysis and Control center is the background process center of magnanimity information, mainly finishes the gateway daily record of CTM equipment and storage, analysis, audit and the processing capacity of flow information, realizes information evidence obtaining function in case of necessity.

The collaborative prevention and control assembly of the CTM equipment of full process and full network safety composite defense of the present invention system provides CTM equipment to be connected to the interface of safety analysis control centre, so that by the unified management of safety analysis control centre and many CTM equipment of configuration, in time check and monitor the safe condition and the operation information of each CTM gateway in the realization computer network.After the collaborative prevention and control function of each CTM equipment is opened, be connected to the safety analysis control centre of far-end by computer network, safety analysis control centre obtains each CTM system status information, flow information and version information, is used to carry out the equipment state demonstration of computer network.Equally, in the situation of not disposing independently safety analysis control centre, can utilize collaborative prevention and control assembly to finish strategy generation, distribution and the adjustment of each functional module each other between the CTM between the CTM equipment.Simultaneously, each CTM equipment of computer network can be managed in the mode of grouping, with the group is that unit carries out operations such as long-range unified configuration, upgrading, and the CTM equipment of management can be organized into synergetic structure according to certain strategy, cooperation between the realization equipment makes the threat of security incident controlled in the source.

The collaborative prevention and control function of full process and full network safety composite defense of the present invention system provides the IP address of safety analysis control centre, under each CTM equipment collaboration prevention and control function open mode, each CTM equipment is connected to the safety analysis control centre of far-end automatically, each Secure Application of current C TM equipment and running status and other security information of service module are transferred to safety analysis control centre, with centralized displaying, each CTM equipment is accepted the configuration-direct that safety analysis control centre beams back simultaneously, disposes accordingly.

Full process and full network safety composite defense system of the present invention default multiple respectively security policy manager action in safety analysis control centre and CTM equipment; can tackle the multiple network security threat; and pass through the renewal of the program of each CTM equipment; add new plug-in card program; can realize the expansion of collaborative tactical management action; make the user to protect local network better easily according to the collaborative tactical management action of the customized own needs of network condition.In order to guarantee the communication security of safety analysis control centre and each CTM equipment, whole communication process adopts SSL (Security Socket Layer,) encrypt, the Agent of each CTM equipment is with the identity at authenticating security analysis and Control center simultaneously, only the collaborative tactical management order from particular ip address just can obtain carrying out, can each the CTM equipment that participate in collaborative tactical management be set by administrator right, by opening or close the collaborative tactical management assembly switch on the CTM equipment, the network security coordinated management that realization flexibly can be customized.

Collaborative computer defence management system of the present invention can be provided with the unit administrative mechanism, can or under keeper's allotment, be on the defensive and adjust the Prevention-Security strategy according to the administrative mechanism of each CTM apparatus settings security incident, also go for distributed earth deployment secure analysis and Control center and CTM equipment in large-scale network, the management control ability of configuration network safety provides the powerful data analysis ability.

The principle of the defense function of full process and full network safety composite defense of the present invention system as shown in Figure 1, the data on flows that network inside is gone into by 3 pairs of preadmission of data on flows detection subsystem by safetyanalysis control centre 1 among Fig. 1 is gathered; The monitoring result of 2 pairs of flow data snoopings ofCTM equipment subsystem 3 and detection flow are controlled and are managed.The present invention can adopt the mode of grouping to manage eachCTM equipment 2, with the group is that unit carries out operations such as long-range unified configuration, upgrading, and each CTM equipment of management can be organized into synergetic structure according to certain strategy, cooperation between the realization equipment makes network security threats controlled in the source.Data onflows detection subsystem 3 and eachCTM equipment 2 mainly are responsible for network information intercepting by traffic monitoringfunctional unit 21 and collaborative prevention and controlfunctional unit 22 and security incident is handled, safetyanalysis control centre 1 built-inanalysis engine 11,policy engine 12,feature engine 13 andbackup module 14, safetyanalysis control centre 1 is responsible for information and security incident analysis, enforcement is handled regulation and control, the strategy of eachCTM equipment 2, and upgrades and the important information backup.The interface that the traffic monitoringfunctional unit 21 thatCTM equipment 2 is provided with is provided with, make things convenient for the network manager that the CTM equipment of being disposed 2 is carried out centralized efficient supervision, comprise current network environment and security component state information, performance data etc.,CTM equipment 2 is provided with network safety event and log information query function and collaborative tactical management controlled function, make the keeper can grasp the current network safe condition, and network security threats is responded fast and handles.

When full process and full network safety composite defense of the present invention system has set up each CTM equipment and has managed independently as unit, also by carrying out the dual command mechanism that coordinated management combines with connecting between each CTM equipment, for the user provides centralized CTM equipment performance and Stateful Inspection, unified security component management and the Macro or mass analysis mechanism of network event daily record, realized the collaborative tactical management of many CTM equipment on this basis.

Computer network coordination management system of the present invention manages authentication to the keeper, security gateway to computer network can carry out policy configurations by network usually, therefore authentication safe in utilization, avoid unauthorized user to enter the safety function system without authorization, distort even destroy the security strategy of computer network.Each CTM equipment provides the authentication management based on the role, the system manager of safety analysis control centre and CTM equipment can define all kinds of administrator roles neatly, can carry out checking of log information as certain role, but can not carry out the modification of security strategy etc., any behavior for the keeper, CTM equipment all carries out the daily record audit, guarantees the Administrative Security of each CTM equipment self.

The principle of the coordinated management strategy of collaborative computer defence management system of the present invention as shown in Figure 2.Full process and full network safety composite defense of the present invention system adopts server-factorage pattern, the agency of factorage pattern makes CTM equipment have certain computational resource and local behavior controlling mechanism, can not have under the extraneous direct operated situation, according to its internal state and network environment information, determine and control self behavior.Safetyanalysis control centre 1 carries out secure communication by being deployed in every Agent and everyCTM equipment 2 on theCTM equipment 2, local monitor plug-in module in the Agent of CTM equipment is according to the instruction of safety analysis control centre, indication CTM equipment is finished corresponding collaborative tactical management action and is comprised: return the state information and the performance data of current each CTM equipment, make the network manager can grasp current network condition; Indicate each CTM equipment according to imposing a condition, for example, setting detects a large amount of abnormal flows as imposing a condition, screening is the interior security component log information of section sometime, and these information are aggregated into the data center of safety analysis control centre, make the network manager to respond fast at certain network security threats; Perhaps each network security assembly in the CTM equipment is unified to upgrade and control, make that the security component in many CTM equipment can carry out to collaborative work; Program version upgrading and the security policy database of perhaps realizing the security component of CTM equipment upgrades, the renewal of collaborative tactical management action.

Full process and full network safety composite defense of the present invention system is aggregated into safety analysis control centre with state and performance data, network event and the log information that all participate in the CTM equipment of composite defenses management, deposit the database of safety analysis control centre in, make things convenient for network to carry out unified data analysis and network log inquiry and management.When intrusion event takes place, safety analysis control centre finds the source according to the data that CTM equipment gathers, carry out source control, the CTM equipment that inserts is carried out the strategy reorganization, thoroughly cut off transmission channel, attacked end, initiatively close related channel program, send by attack information to safety analysis control centre by cooperation protocol simultaneously, thereby be implemented in source, transmission channel and the control of destination end multiple spot, realize the steady and orderly function of computer network.

Full process and full network safety composite defense of the present invention system sets up software upgrading mechanism, is divided into software release upgrade, the upgrading of intrusion prevention feature database and the upgrading of anti-virus feature database from the upgrading content; Be divided into auto-update and manually upgrading from the upgrading mode.

Auto-update is meant the address of specifying upgrade server in composite defense management system of the present invention, when there is available renewal in the feature databases such as virus of all CTM equipment or when reaching the update time of user's appointment, operation more newly downloaded, that upgrading is verified and upgraded in renewal that the upgrading engine carries out automatically guarantees that the feature database of this system remains up-to-date.Auto-update is mainly used in the situation that this system gateway is deployed in the internet, communicates with specifying upgrade server by the internet.

Manually upgrading is meant the user regularly from the upgrade server download and upgrade file of appointment, a kind of pattern of by manual mode the CTM equipment of composite defense management system of the present invention being carried out software agent, intrusion prevention feature database and the upgrading of anti-virus feature database by the user.Manually upgrading is mainly used in the CTM deployed with devices of working as composite defense management system of the present invention and requires very high applied environment at corporate intranet or to real-time.

The software upgrading function of composite defense management system of the present invention is provided with the automatic recovery ability functional module after correctness inspection of upgrading preceding document and the upgrading, promptly before upgrading, upgrade file is carried out integrality, correctness verification, have only qualified just beginning of verification to upgrade, if upgrading or upgrade file that current system defence management system can not compatible this kind form are impaired, then are prompted to the user automatically and indicate type of error.Upgrading is failed, and for example runs into power down or network connection failure or the system loads failure of upgrading back in the escalation process, and system keeps and give tacit consent to the normal operation of original version, can not cause each equipment of computer network to use because of the staging error failure.

For specifying the structure and the principle of full process and full network safety composite defense of the present invention system, be described in detail below in conjunction with specific embodiment and accompanying drawing.

Fig. 3 is the hierarchical structure ideograph of full process and full network safety composite defense of the present invention system.The safetyanalysis control centre 1 of present embodiment connects and manages several first order CTM equipment, and each CTM equipment is managed several second level CTM equipment again.Therefore, in this specific embodiment, the network topology structure between safety analysis control centre and first, second grade CTM equipment is tree topology.In this specific embodiment, safetyanalysis control centre 1 can connect and manage the CTM equipment of a plurality of levels, forms the tree network topological structure of hierarchy management.The composite defense method of the composite defense system of this specific embodiment comprises the steps:

1), after the new security incident of arbitrary second level CTM device discovery, the directly first order CTM device report of the upper level under it;

2) after, first order CTM equipment is received report, if this first order CTM equipment is according to predefined security strategy of institute and database, can handle this security incident, then enterstep 3, if this first order CTM equipment (main territory) can not be handled this security incident according to self institute predefined security strategy and database, enter step 4):

3) this first order CTM equipment generate response policy and be distributed under each CTM equipment subdomain, again with the summary info of the result of this first order CTM equipment to the report of safety analysis control centre, enter step 5;

4) this first order CTM equipment is reported this security incident to safety analysis control centre, undertaken after the analyzing and processing and with response policy and be transmitted to each first order CTM equipment by safety analysis control centre, and the functional module of unified each first order of regulation and control, second level CTM equipment and upgrade the policy data of each first, second grade CTM equipment.

5 finish.

In this specific embodiment, scale according to computer network, safety analysis control centre is not limited to the CTM equipment of set two levels of first, second grade CTM equipment, the CTM Device Domain of a plurality of levels can also be set, for example, can a plurality of third level CTM equipment be set downwards at each second level CTM equipment, each third level CTM equipment is provided with a plurality of fourth stage CTM equipment downwards, down analogize the CTM equipment that a plurality of levels is set according to the scale and the application of computer network successively.The accommodation of this programme is wider, and being mainly used in needs centralized management, the tangible network management system of equipment control levels at different levels.

Fig. 4 is the integrative Structure Mode figure of full process and full network safety composite defense of the present invention system.System configuration in this specific embodiment comprises an analysis and Control center and a plurality of CTM equipment.Be hub-and-spoke configuration between safety analysis control centre and the CTM equipment, be peer-to-peer between each CTM equipment, constitute the grid network topological structure.The composite defense method of the composite defense management system of this specific embodiment comprises the steps, after new security incident takes place in arbitrary CTM equipment, CTM equipment carries out information synchronization and comprises following dual mode: the one, and CTM equipment sends to safety analysis control centre with the information of security incident, is transmitted to other CTM equipment by safety analysis control centre; The 2nd, CTM equipment sends circular with security incident ground information to other CTM, the circular content comprises the countermeasure information of the CTM equipment self of the security incident that the relevant information of security incident and this discovery are new, realize sharing synchronously of each CTM security strategy, while CTM equipment will be circulated a notice of the information of content and report to safety analysis control centre with the summary form.In order to protect the safety of CTM equipment; the policy deployment of CTM equipment, place gateway traffic conditions and basic status information thereof safeguard that by safety analysis control centre is unified each CTM equipment can obtain other CTM equipment for information about by safety analysis control centre.Simultaneously, because safety analysis control centre holds the up-to-date security policy information of the overall situation, each CTM equipment can initiatively obtain up-to-date security strategy from other CTM equipment in the mode of P2P (Peer-to-Peer, point-to-point distributed network framework), realizes the global synchronization of computer network.The scheme of this specific embodiment is primarily aimed at the catenet security deployment.

Fig. 5 is the peering structure management mode schematic diagram of full process and full network safety composite defense system.The network configuration management mode of this specific embodiment does not need to dispose independently safety analysis control centre, safety analysis control centre is other CTM equipment of authority at the highest level level, can be implemented the analyzing and processing and the unified coordinated management function of safety analysis control centre by other CTM equipment of this authority at the highest level level.In this specific embodiment, all CTM equipment exists in the mode of equity, each CTM equipment can carry out the circular of self security information seizure and processing and security incident, can also receive simultaneously other CTM equipment and circulate a notice of security event information and countermeasure information to it, and according to self (storage) data center the incident that receives is carried out analysis and Control and handle, or after carrying out the corresponding strategies analysis and plan strategies for by the keeper, CTM is handled the security strategy that generates send to other CTM equipment, and simultaneously other each functional units of CTM equipment are regulated and control, thereby realize the comprehensive collaborative prevention and control of each CTM equipment.Therefore, the network grid type topological structure that is equity between each CTM equipment of this specific embodiment, arbitrary CTM Equipment Inspection is to new security incident and handle the generation security strategy, the CTM equipment that the security strategy of its generation can be given other by Network Transmission is to strengthen the security strategy reply of other CTM equipment, thus, making can composite defense reply security incident between each CTM equipment of whole computer network.The scheme of this specific embodiment is at mininet, or catenet is disposed.

The method of carrying out composite defense between each CTM equipment of the full process and full network safety composite defense system in this specific embodiment comprises the steps:

1) the data on flows detection subsystem that is deployed in the external port of computer network continue to receive and gathers the flow that enters the computer-internal network in advance, handing these data traffics over to CTM analyzes, confirm not comprise the flow of abnormal movement and unusual content on inspection, by the another one port data on flows is sent to the computer network built-in system again;

2) monitoring result that is sent when CTM device analysis data on flows detection subsystem, if find that data on flows has unusually, then execution instep 3 operations;

3) after CTM equipment receives data, carry out analyzing and processing, for example can directly delete detected virus according to predefined strategy and analysis mechanisms;

4) not unusual if the CTM device analysis is found its data on flows, then the data flow that receives is continued monitoring, and result is sent and Strategy Center;

5) if finding the data traffic that is received, the CTM device analysis has unusually, the analysis mechanisms that sets according to self can be handled, then respond this data traffic and recording events, upgrade it simultaneously and handle the security strategy that generates, and the security strategy that generates sent other CTM equipment, so that other CTM equipment can carry out the adjustment of functional unit separately;

6) if the data traffic that the CTM device discovery is received is unusual, can't handle, send the request report for other CTM equipment, ask other CTM equipment and keeper's associated treatment thereof according to the analysis mechanisms that predefined analyzing and processing mechanism sets;

7) other CTM equipment or keeper receive the information and the analyzing and processing of the CTM equipment transmission of the security incident that detects data traffic at first, then the processing policy that generates is distributed to other CTM equipment, and the functional unit and the flow control of unified other CTM equipment of regulation and control, the global planning and the Collaborative Control of all the CTM equipment in the realization computer network.The scheme of this specific embodiment is primarily aimed at the mininet security deployment.

In sum, full process and full network safety composite defense system coordination of the present invention management department is deployed on the CTM equipment of key positions such as computer network node, by of the collection of data on flows detection subsystem to network traffic data, data traffic analysis, the processing of composite defense equipment and analysis and Control center to gathering, use multi-level analysis of strategies and coordinated management mechanism, make up comprehensive multi-level network security defense system, increase the overall network Prevention-Security of computer network, improve safety and the anti-virus and the attack protection of computer network.Full process and full network safety composite defense of the present invention system comprises safety analysis control centre, composite defense equipment and data on flows detection subsystem, composite defense equipment comprises flow analysis and management that detection system is surveyed and collaborative prevention and control function, internal correlation data center of safety analysis control centre, the data traffic that the network node is gone into to preadmission by the traffic probe system is caught, after send and coordinated management equipment.The data on flows detection system places the computer network edge, preadmission being gone into the data traffic of network catches, composite defense equipment is arranged on the computer network key position, the built-in data on flows of each composite defense equipment is surveyed supervisory control system to survey data on flows and can analyze, management control assembly and composite defense assembly also are set simultaneously, the data on flows detection subsystem is caught and the security incident of CTM analytic record is transmitted to safety analysis control centre, after the information that safety analysis control centre receives each composite defense equipment is unified to analyze, generate the defence decision-making, and the unified CTM equipment that sends to each network node, upgrade the defence policies of the CTM equipment of each network node, and by the audit diary source is carried out in security incident and control, can also by with keeper's associated treatment at different levels, realize the composite defense of the overall network security incident of computer network.

Claims

1. a full process and full network safety composite defense system is characterized in that, comprising:

2. full process and full network safety composite defense as claimed in claim 1 system, it is characterized in that, the traffic monitoring functional unit of described composite defense equipment and composite defense functional unit are carried out the data traffic analysis to flow data snooping subsystem, implementing the generation and the strategy of discretionary security strategy deploys to ensure effective monitoring and control of illegal activities, strategy reported and submitted to other composite defense equipment carry out long-range deploying to ensure effective monitoring and control of illegal activities, realize the double mechanism of management of composite defense equipment autonomously and coordinated management.

3. full process and full network safety composite defense as claimed in claim 1 system, it is characterized in that, described composite defense management system is based on server-agency's pattern, safety analysis control centre carries out secure communication by Agent and the composite defense equipment that is deployed on the composite defense equipment, local monitor plug-in unit in the Agent is according to the instruction of safety analysis control centre, and indication composite defense equipment is finished corresponding collaborative tactical management action.

4. full process and full network safety composite defense as claimed in claim 3 system is characterized in that, described composite defense equipment collaboration tactical management action comprises: state information and the performance data of returning current each composite defense equipment; Indicate each composite defense equipment under specific situation, screening is the interior security component log information of section sometime, and these information are aggregated into safety analysis control centre; Each network security assembly in the composite defense equipment is unified to upgrade and control, transfer the security component collaborative work in many composite defense equipment; Composite defense device security assembly, security strategy and collaborative strategy are upgraded in upgrading.

5. full process and full network safety composite defense as claimed in claim 1 system is characterized in that, described composite defense equipment is managed in the mode of grouping, is that unit carries out long-range unified configuration operation with the group, and the composite defense equipment of management is organized into synergetic structure.

6. full process and full network safety composite defense as claimed in claim 1 system is characterized in that described safety analysis control centre and each composite defense equipment are the tree network topological structure.

7. full process and full network safety composite defense as claimed in claim 6 system, it is characterized in that, described each composite defense equipment comprises first order composite defense equipment and second level composite defense equipment, described first order composite defense equipment is connected with safety analysis control centre respectively, and described first order composite defense equipment is connected with a plurality of second level composite defense equipment respectively.

8. full process and full network safety composite defense as claimed in claim 1 system is characterized in that, is stelliform connection topology configuration between described safety analysis control centre and each the composite defense equipment, is peer-to-peer network lattice network topological structure between each composite defense equipment.

9. full process and full network safety composite defense as claimed in claim 8 system, it is characterized in that, described arbitrary composite defense monitoring of tools after the information of new security incident and the information synchronization between other composite defense equipment comprise dual mode: the one, this composite defense equipment sends to safety analysis control centre with information, is transmitted to other composite defense equipment by safety analysis control centre; The 2nd, this composite defense equipment sends the circular content to other composite defense equipment, the circular content comprises the relevant information of security incident and the countermeasure information of this composite defense equipment self, and sends the summary of the information of circular content to safety analysis control centre.

10. full process and full network safety composite defense as claimed in claim 1 system is characterized in that, is peer-to-peer network lattice network topological structure between described safety analysis control centre and each the composite defense equipment.

11. full process and full network safety composite defense as claimed in claim 10 system is characterized in that, described safety analysis control centre is the composite defense equipment of highest weight limit.