33results about How to "Effective defense against attacks" patented technology

The embodiment of the present application discloses a session entry processing method and device in a multi-core system. After the forwarding core receives the first handshake message or the second handshake message, when the embodiment of the present application receives the message, First determine whether the message is safe. When the message is an unsafe first handshake message or an unsafe second handshake message, the session timeout item of the message is added to the linked list array, and the linked list array is used to process the session of the message Timeout item, so as to avoid using the timer of the forwarding core to process the session timeout item of the attack message when the received message is an attack message, which not only effectively defends against attacks, but also saves the processing resources of the forwarding core timer, so that the forwarding core It can process security packets normally and improve the overall forwarding performance. In addition, each forwarding core is configured with a linked list array, so as to realize lock-free processing of the multi-core system.

An identity authentication method based on N-dimensional sphere is provided by the present invention. An authentication server accepts a user registration and an identity verification after initialization; when a new user registers, the user computes a vector via a security one-way function according to a password selected by himself and submits it to the authentication server, the authentication server appoints an IDg as an identifier of the user identity for the user; the authentication server determines a N-dimensional sphere by combining its own secret vectors and the vector submitted by the user; the authentication server selects several different points on the N-dimensional sphere randomly, forms an encrypted file with them and sends it to the user via a security channel; when requiring for identity authentication, the user performs computation by using his own password and the encrypted file containing the identity authentication identifier, and transmits the result to the authentication server. After performing computation, the authentication server verifies and determines whether the user identity should be accepted. The present invention can reduce the storing information and the calculation amount of the authentication server efficiently, and can prevent fake authentication servers.

The invention discloses an authentication method for network signaling between quantum safety network equipment. The authentication method includes the following steps: creating synchronous signaling key stores used for signaling authentication for both sides between the communicated network equipment, wherein the synchronous signaling key stores are divided into an encrypting signaling key store and a decrypting signaling key store, and setting a read indicator and a write indicator for each signaling key store; a sending end calculating related hash operation message authentication codes H of keys based on key data and a read indicator offset address of the encrypting signaling key store of the sending end, and sending a corresponding signaling data packet to a receiving end; the receiving end receiving the signaling data packet, acquiring a read indicator offset address in the signaling data packet, and judging whether the key data of the read indicator offset address of the decrypting signaling key store of the receiving end is already used or not; and if the key data is not used, calculating H and verifying the content of the signaling data packet. The authentication method for the network signaling between the quantum safety network equipment has the advantages that the authentication is fast, and the method has a certain preventive effect on distributed denial of service (DDoS) attacks, can achieve true one-time-one-key encrypting authentication and is absolutely safe theoretically.

The invention discloses an SDN-based SDP security group implementation method and a security system, and the method achieves SPA single-packet authorization service logic through adoption of a flow table method of an SDN network, and carries out the planning and identity authentication of access authorities of different users through combining with the IAM user management of a cloud platform. According to the invention, the security of the cloud platform security group function is enhanced; accurate control of the security group on external authorization is realized; in combination with the identity authentication technology of the cloud platform and the SDN cloud network, the additional cost of the SDP gateway and the SDP controller is reduced, the SDP technology and the cloud computing security technology are fused, meanwhile, attacks from an internal network can be effectively defended, and comprehensive defense of flow in all directions of the cloud platform can be achieved.

The invention provides a netfilter-based address and port hopping communication implementation method, which comprises the steps of 1) initially deploying; 2) configuring the hopping parameters of a server, generating a hopping key, storing the hopping key, and distributing the hopping parameters to an authentication and distribution agent by means of the server; 3) acquiring the hopping parameters of the server by means of a client after the authentication process of the client by an authentication and distribution center; 4) synchronizing the clocks of the client, the server and an address hopping gateway, calculating the current hopping address and the current hopping port of the server, and modifying addresses and ports corresponding to data messages sent and received by a local computer so as to realize the communication; 5) receiving communication messages received by the address hopping gateway from the client and the server, and acquiring the hopping address of the server by an address hopping engine according to the above address hopping parameters, and modifying addresses corresponding to the above messages to complete the message forwarding process; 6) realizing the port hopping function through a port hopping engine by the server, modifying ports corresponding to the messages of an importer / exporter to complete the communication. The method is simple in principle, easy to realize and popularize, and good in safety.

The present invention discloses a low-altitude node identity authentication and privacy protection method based on a Hash chain. The method comprises the steps of: when a vehicle node enters a space-air-ground integral network at the first time, taking unique and undeniable wireless signal fingerprints which cannot be cloned as identity features of the vehicle node, and creating a Hash block for the vehicle node while performing identity registration of the vehicle node by an authentication center; when communication of the vehicle node is performed in an area, performing identity authentication based on block content by a management node; in order to protect the identity privacy, employing a pseudonym generated by the management node to perform communication by the vehicle node; and recording key motions or information of different nodes at different time in the area by the management node, and recording the key motions or the information of the vehicle node itself at different areasat different time by the vehicle node. The method can effectively defense various attacks such as the sybil attack, the denial of service attack and the replay attack. Besides, the data safety of thenetwork is guaranteed, namely, the confidentiality, integrity, availability and non-repudiation of the data in the network.

The invention relates to an array honey pot cooperative control method based on a block chain. The method comprises the following steps: constructing a private chain by using an Ethereum platform, andrealizing de-centralized cooperative operation thought of a honey pot host cluster through a mining way; constructing a topological structure consistent with the Ethereum platform starting from a P2Pnetworking model, and realizing the communication through web3J. Each host in the array executes the mining, the host acquiring an accounting charging right can holds the post of a honey pot serviceconversion task at one periodic time, conversion information is sent through an encryption mechanism, and other host receives and executes the corresponding conversion instruction. Furthermore, external port request access data is stored in the block chain by using the tamper resistance of the block chain information, thereby obtaining the digital evidence for implementing the attack by an attacker. Through the method disclosed by the invention, the cooperative operation of the array honey pot host cluster is guaranteed, thereby trapping the attacker by using the true-false service in dynamicconversion, and the network security active defense aim is realized.