According to the requirements of China's network security Law, network operators should strengthen the network security protection of information infrastructure and strengthen the network Construction of network security information coordination mechanism, means, and platform, strengthening the construction of network security incident emergency command capacity, and actively Develop the cybersecurity industry to move ahead and prevent problems before they happen;Implement the responsibility of critical information infrastructure protection, and industries and enterprises, as operators of critical information infrastructure, bear the main responsibility for protection。

Under the current security situation, the trend of industrialization and group application of network black products is obvious.The network has become the main way for some malicious organizations to launch attacks, and the types of network threats are more complex and changeable, and the existing security solutions are difficult to cope with advanced, persistent, collectified, and weaponized threats。Security intelligence has become an important means to solve complex network attacks, realize real-time threat warning and attack tracing。Further, the First Research Institute of the Ministry of Public Security based on the Threat Intelligence Center, real-time discovery and sharing of security intelligence information, developed a security intelligence-driven, with real-time border early warning and defense system platform network attack blocking system (Network Shield K01)。Network Shield K01 for the network border protection design, relying on the government website integrated protection system (referred to as network protection G01) about 50,000 protection end real-time perception of Internet security threats, using big data intelligence analysis。Multi-source fusion and other technical water research，Integrate industry-leading security intelligence capabilities for intelligence-based detection, early warning, and threat interception at the network border，The effective landing of intelligence and the forward movement of protection boundary are realized，And finally formed a security intelligence situation awareness, traceability portrait, bypass blocking and expert research and judgment functions in one of the integrated protection system，It has comprehensive intelligence discovery and application ability and flexible topology scenario adaptability，It can provide limited security protection in different service scenarios of various industries。

The network Shield K01 device is deployed at the Internet entrance and exit to automatically block the detected malicious attack sources, realizing the effect of monitoring one point and blocking the whole network. It is an effective means of network security linkage。The first source of the malicious attack came from the Ministry of Public Security - the thousands of anti-G01 system monitoring nodes deployed on the Internet,Extract, roll, and integrate malicious attack source IP for critical information infrastructure industries such as finance, power, energy, and transportation;The second is the malicious source IP from the network Shield K01 device that attacks the critical information system of the industry。Through multi-level deployment, centralized monitoring, and joint disposal, attacks can be quickly intercepted at all Internet entrances and exits, helping users to fully grasp the network attack situation。At the same time, fine-grained mapping of the source IP addresses of malicious attacks can solve the problems of false positives and tracing the source of attacks。The Network Shield K01 system has two modes of manual research and automatic blocking, supporting the import of third-party intelligence sources, which is simple and efficient, and is an effective measure to move forward the network security protection threshold。

Bypass blocking

In off-line mode, when the listener detects a threat, it can actively construct blocked packets and send them to the access end and the server through another communication link to block attacks。

Information aggregation

The threat intelligence Center aggregates data from multiple security intelligence sources through algorithm models such as intelligent fusion, sequential matching and weighted matching, and maintains frequent interaction with intelligence sources to ensure the freshness and accuracy of threat judgment basis。

Attack IP profile

Through big data technology, effective intelligence is extracted to form a complete network threat portrait library, showing clear attack portraits and details。The types of IP profile attacks include dark Web, network proxy, brute force cracking, Webshell attacks, malicious scanning, and Web attacks。

Information tracing

The Threat Intelligence Center can collect the network protection G01 protection data deployed on the Internet，Collect historical attack records of each intelligence IP address，The system can trace an attack source IP address，You can get its most recent attack history，For example, an IP address attacked a unit in a certain way at a certain time，Therefore, the intelligence IP can be further used for auxiliary judgment，Confirm its accuracy。

Automatic watch

The system can support both automatic duty and manual research and judgment modes to adapt to the disposal needs of different security protection levels。In automatic duty mode，The system blocks threat requests in real time，No manual configuration required;In manual evaluation mode，The system can combine other detection events and the status information of the business system to conduct comprehensive analysis and secondary screening of the intelligence detection results，The reliability of threat handling is improved by adding human confirmation。

Visual situation analysis

The system comes with visual statistical analysis module，The update status of intelligence data, geographical distribution and local intelligence detection situation can be visually displayed globally;TOP statistics of the attack source and target on the home page，It can quickly locate the main risk points of the current network，So that users can accurately grasp the security situation。

All kinds of attacks can be detected and identified through the network anti-G01 terminal deployed on the whole network. When any network anti-G01 terminal monitors attacks, it can be connected to the network shield K01 system deployed on the whole network border in real time to intercept and block, so as to achieve one point monitoring and block the whole network, and realize the protection idea of gateway forward。

Information discovery and joint disposal technology

The threat Intelligence center processes the attack and defense logs reported by anti-G01 terminals and shield K01 devices in real time, and uses big data technology to mine and use high-risk and fresh attack source intelligence for real-time reading and use by Shield K01 devices, thus realizing the discovery and joint disposal of attack source intelligence。

Attack profiling

Based on massive security alarm logs, a comprehensive multidimensional portrait analysis is carried out on the attack source, and portrait information such as means features, fingerprint features, target rules, and time rules is comprehensively extracted. On the one hand, the attack source is labeled to facilitate cluster management and behavior analysis. On the other hand, the threat score is calculated and analyzed。

Attack tracing technology

The attack tracing interface can be invoked to display the attack trajectory of the matched attack source intelligence in any traffic, so that users can determine the accuracy of the attack source intelligence and determine whether to block the access traffic of the attack source。

Attack traffic identification technology

Built-in attack detection engine，Checkpoints can be set up according to different protocols,Through machine learning, key parameters such as service, request, network and system are extracted from massive raw data for security modeling，Identify attack traffic，同时，Context-semantic association analysis is used to realize comprehensive decision making，Improve the accuracy of attack identification。

Active defense technique

In off-line deployment mode, the system can analyze and detect mirror traffic through the listening interface. When an attack is detected, the system simulates the communication mode and status details between the server and client, and actively constructs and sends blocking packets to interrupt subsequent sessions, thus blocking attacks。

Situational awareness technology

Shield K01 device through the threat intelligence center and network defense G01 terminal data linkage technology，Form a set of situational awareness and response system from the cloud to the border to the end，The process of security intelligence collection, analysis, sharing, emergency treatment and traceability is closed，And use the visual module to show the analysis，Drill into multiple dimensions such as attack trajectory, distribution and trend

Deployment feature

Supports series and off-line deployment and channel deployment. The interface works in trunk mode and supports MPLS and 802.1Q Network environment

Blocking characteristic

Supports intelligence matching and interception protection in series and off-line deployment, and blocks problematic access while detecting the off-line mirror

Source support

Support the aggregation of external intelligence sources to the local, with multi-source intelligence decision-making model, decision-making algorithms including aggregation, sequential matching and weighted matching

Built-in network anti-G01 intelligence source, update frequency is not less than 5 minutes;Supports custom adding intelligence sources, the interface can support FTP and API, and at least three kinds of intelligence sources can be added

Intelligence source data includes at least dark net attacks, botnets, network agents, brute force attacks, webshell attacks, malicious scanning, exploits, and malicious IP

Traceable portrait

Supports the mapping of intelligence source IP, can clearly trace the attack history time, attack type, attack target IP and attack target unit, and can trace at least 5 recent historical records for research and judgment assistance

Attack blocking support

It supports the attack blocking mode of automatic duty and manual research, and can set the blocking range according to different security levels, including a single IP address, the C segment, and the B segment, and supports the matching combination of blocking conditions by intelligence type

You can set the whitelist manually and import templates in batches

Statistical analysis

Supports visual display of overall attack situation，The information contains at least the statistics of TOP intelligence sources, TOP attacked targets, attack trends, and attack counts of the current and current week，And can be intuitive intelligence IP distribution view on the map，At the same time, manual research and judgment can be carried out directly in the data statistics interface，Actions involve at least trust and prohibition

Supports audit lists, such as log alarm, attack IP address analysis, and attack IP address analysis. You can perform detailed risk audit based on various combination filtering conditions

Serial deployment

The network shield K01 is deployed between egress and Intranet services in a serial manner. The following access modes are available: 1, transparent bridge access 2, Layer 2 vlan access 3, channel access

Off-line deployment

Shield K01 is deployed in off-line mode on the mirroring side of the egress routing switching device to monitor traffic in real time.At the same time, the communication line can be connected, and the data packet can be actively constructed for threat blocking. The following access modes are supported: 1. MPLS 2. 802.1Q

1. What are the protection features of Shield K01?

- Point monitoring, whole network blocking。The G01 system will report the detected security incident to the intelligence source，Each shield K01 retrieves intelligence IP from intelligence sources in real time,Once the access traffic initiated by the intelligence IP is detected，We will directly block and block it，So all of Shield K01's intelligence information is fresh and synchronized，In this way, any network anti-G01 node can find the problem IP，All border deployed shield K01 devices are notified in real time，Once the problem is discovered IP intrusion，Start plugging immediately，Achieve the effect of the whole network blocking。

2. What is the intelligence source in the characteristic protection of Shield K01?

The intelligence source includes various types of attack IP intelligence such as dark net IP, Tor node IP, proxy IP, illegal scanning, malicious IP and vulnerability exploitation，It is the real-time detection and statistics of the network anti-G01 system deployed by the whole network of the Ministry of Public Security，Reliable freshness and timeliness，It can provide the most direct detection basis for the attack protection of network shield K01。

3. Can SShield K01 be deployed in off-line mode?

可以。The K01 shield can be deployed in series or in off-line mode to block problematic traffic while monitoring and detecting, and the blocking efficiency can reach more than 80%。

4. What is the principle of Shield K01 bypass blocking?

During off-line monitoring, SShield K01 detects the traffic flowing through the peer device. If problematic traffic is detected, SShield K01 constructs a blocking packet through another interconnect interface and sends it to the source and target servers to interrupt the connection. In this way, the off-line blocking effect is realized。

5. If a large number of security devices have been deployed, is it still necessary to deploy network Shield K01?

The existing security protection equipment can only rely on its own rule base to detect attacks, and cannot directly identify the black and white of IP and the source of the water, nor can it share with the security events detected by other units, so it is easy to be camouflaged and latent, and it is very passive in the real security confrontation。As a gateway, the shield K01 directly moves forward to the border, covers the entire network, and can obtain the most reliable intelligence information of the whole network in real time, automatically identify and block the risk access, and realize the irreplaceable value of the gateway forward active protection。

Deployment scenario of a single unit

Intelligence perception:

Through real-time linkage with intelligence sources, the network Shield K01 system senses and obtains security intelligence information collected by the whole network anti-G01 system, identifies access sources through traffic, and identifies attack types such as dark Web, Webshell clients, and web attacks。

Automatic disposal:

Shield K01 detects attacks on traffic based on intelligence data, and directly blocks threat intelligence through IP addresses for automatic disposal。

I Industry coordinated deployment scenario

Centralized monitoring:

The K01 network shield system is deployed at the border of each branch node to protect the corresponding network area, and the cascaded monitoring system is used to display the situation in a centralized manner, comprehensively analyze the overall situation, and realize overall scheduling。