
Research On BP-based Computer Network Security Defense Architecture

Posted on: 2009-04-29
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X N Wang
Full Text: PDF
GTID: 1118360275971004
Subject: Control theory and control engineering
Abstract/Summary:
Since 2003, when it adopted centralized network construction and process reorganization, the finance and securities industry has fully entered the era of "large data concentration". Network security is becoming more and more prominent: once a security problem appears, large economic losses and damage to reputation follow. Furthermore, the chances that the network is attacked maliciously keep growing. In addition, faults in the network itself affect the business carried over it, so business interruptions arise from data loss, network breakdown and interrupted data transfer. Higher demands are therefore placed on the reliability and continuity of the business process (BP). The multidimensional defense system built from traditional network antivirus systems, IDS (Intrusion Detection System), vulnerability scanning systems and so on rests on passive strategies; its effect is not satisfactory when the BP's security is not considered, because it does not strengthen the BP, the operating system or the computer hosts themselves but relies only on training the computer with threat codes. Drawing on principles of immunology, this paper proposes the notions of "self" and "non-self" and adopts a new security defense concept of protecting "self" and rejecting "non-self". According to the "meta-net (MN)" first introduced in this paper, the OA network, the exchange network and the backup network are designed on the basis of the BP.
The aim of ensuring BP continuity and reliability is achieved by protecting key network devices, hosts, business application programs and the network connections between hosts, forming an integrated network security system on the BP (BPNSS). BPNSS consists of the BP network design based on the MN and of a software system. A new dynamic immune security model named MPR-RPDRR (Management Policy/Risk Analysis, Request/Protection, Detection, Response, and Restore) is set up by integrating the traditional PPDR (Protection, Prevention, Detection, and Response) security model with the security concept of self-protection and self-immune enhancement. MPR-RPDRR is described formally and provides theoretical guidance for the function design of the BPNSS software system. Based on the security authentic domain, the notion of Meta-Net is proposed and described formally; the discussion of its design rules confirms the idea of complete network isolation between office automation (OA) and the business. New networks can be further designed according to the Meta-Net by taking the significance of the BP into account. The BPNSS software system includes six modules: the process filtering module (verifies the integrity of a program before it runs); the process protection module (verifies the legality of programs); the network packet filtering module (verifies the legality of processes); the system monitoring module (monitors key network equipment, hosts and processes); the system recovery module; and the security management center (SMC). SMC policies include program safe codes, process identification codes, packet filtering rules, system monitoring object definitions and recovery rules.
SMC policies need to be added or adjusted by the computer administrators according to the BP, because self-protection does not need to learn through drills but depends on the "accumulation" of known things. In BPNSS, the Agent technique is adopted to carry out each function, with communication and cooperation between every Agent and the SMC. To reduce network traffic, each Agent has its own strategy library that is synchronized with the SMC. Communication between Agents uses a user-defined protocol, SUDP, built on UDP; compared with TCP, SUDP can pass through NAT, transfers quickly, supports security control and can dynamically adjust the rate at which messages are sent according to the packet loss rate and the network speed. This paper puts forward the self-protection security concept to set up a security defense architecture, BPNSS, which is described in the formal language Z and with a Petri Net model; it realizes the process filtering system, process recognition system, packet filtering system and the monitoring/recovery system using the Agent technique, and a network design based on the Meta-Net is given to ensure BP continuity and reliability.
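As an added illustration (not code from the dissertation), the process filtering module's decision can be modelled as an allowlist of program safe codes distributed by the SMC: a program is "self" only if its fingerprint matches the accumulated policy, and anything unknown or altered is rejected as "non-self". The SHA-256 digest, the path-keyed policy dictionary and the sample files are assumptions made for this example.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict


def program_safe_code(path: str) -> str:
    """Fingerprint an executable's bytes (SHA-256 is an assumption here)."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_policy(known_programs) -> Dict[str, str]:
    """Accumulate known programs into the SMC policy: path -> safe code."""
    return {os.path.abspath(p): program_safe_code(p) for p in known_programs}


def classify_program(path: str, policy: Dict[str, str]) -> str:
    """'self' when the program is known and unmodified, otherwise 'non-self'.
    Unknown or unreadable programs are rejected by default: the filter keys
    on the accumulated set of known programs, not on threat codes."""
    expected = policy.get(os.path.abspath(path))
    if expected is None:
        return "non-self"
    try:
        actual = program_safe_code(path)
    except OSError:
        return "non-self"
    return "self" if hmac.compare_digest(actual, expected) else "non-self"


def demo() -> Dict[str, str]:
    """Constructed scenario: a known program, the same file after on-disk
    tampering, and a program the SMC never accumulated."""
    with tempfile.TemporaryDirectory() as d:
        known = os.path.join(d, "billing.bin")
        with open(known, "wb") as f:
            f.write(b"\x7fELF placeholder for a business program")
        policy = build_policy([known])
        results = {"known": classify_program(known, policy)}
        with open(known, "ab") as f:
            f.write(b"injected bytes")  # simulate modification after accumulation
        results["tampered"] = classify_program(known, policy)
        unknown = os.path.join(d, "unknown.bin")
        with open(unknown, "wb") as f:
            f.write(b"not in the policy")
        results["unknown"] = classify_program(unknown, policy)
        return results
```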
Keywords/Search Tags: Self, Nonself, Self-Protection, Meta-Net, Business Process, MPR-RPDRR