CN100536386C - Method for updating security related information in associated response system - Google Patents
Method for updating security related information in associated response system Download PDFInfo
- Publication number
- CN100536386C CN100536386C CNB2006100349291A CN200610034929A CN100536386C CN 100536386 C CN100536386 C CN 100536386C CN B2006100349291 A CNB2006100349291 A CN B2006100349291A CN 200610034929 A CN200610034929 A CN 200610034929A CN 100536386 C CN100536386 C CN 100536386C
- Authority
- CN
- China
- Prior art keywords
- security
- related information
- portable terminal
- information
- association server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Abstract
The correlation response system includes following parts: security correlation agent (SCA) located at mobile terminal; network access controller or application service controller for controlling mobile terminals; and security correlation server (SCS) for controlling mobile terminal, network access controller and application service controller. The method includes following steps: (1) SCA collects security correlation information (SCI), and reports it to SCS; (2) analyzing SCI reported from SCA, the security correlation server returns response for SCI back to SCA. In the invention, SCA collects, arranges, reports SCI of mobile terminal, and SCS updates access control and service control for mobile terminals based on reported SCI from SCA. Advantages are: not need of user to take part in, convenient use for users, helpful to promote correlation response system.
Description
Technical field
The invention belongs to the communications field, relate in particular in the associated response system, the update method of security related information.
Background technology
Associated response system (Correlative Reacting System, CRS) be a kind of by the dangerous terminal of control, promptly do not meet the security strategy of network appointment, the access of the terminal of security breaches or infective virus is for example arranged, avoid the mobile network to suffer the system of the security threat of dangerous terminal.CRS controls the network insertion of portable terminal by the safety interaction of portable terminal and network side, and the access to its application service simultaneously limits, thereby network and the mobile phone users security immunization power to virus, worm, network attack etc. is provided.
Fig. 1 shows the structure of associated response system, comprise portable terminal (Mobile Terminal, MT) security correlative agent of side (Security Correlative Agent, SCA), security association server (SecurityCorrelative Server, SCS) and network insertion controller (the NetworkAccess Controller that is connected with portable terminal, SCS, NAC) and the application service controller (Application Service Controller, ASC).On specific implementation, NAC and ASC can be two independently systems, or two independent functional units in system.A SCS can connect a plurality of NAC/ASC, and a NAC/ASC can control the network insertion/application service of a plurality of portable terminals.
Secure Application software (Security Application Software, SAS) and SCA all be mobile terminal operating system (Terminal Operating System, TOS) application software, the interface by definition between SCA and SAS and the mobile terminal operating system carries out the bi-directional of information.
SCS is the control unit and the analysis and processing unit of CRS system, is responsible for receiving, analyzes, stores the security information that SCA reports, and carries out association analysis, sends the CRS control command to NAC, ASC or SCA.The SCS database (SCS Database, SDB) the storage security relevant information (Security CorrelativeInformation, SCI), (CRS Security Policy CSP) waits information of mobile terminal and user's control strategy to the CRS security strategy.
NAC is an equipment of realizing network insertion control.SCS by with the interlock of NAC, utilize flow control, limiting access, service quality (Quality of Service, QoS) technological means such as reshuffle, realization is to the restriction of the data total flow of user access network, to prevent that dangerous terminal from taking the unreasonable of Internet resources, stop malice virus in network, to be propagated.For from the applications service provider (ApplicationService Provider, dangerous ISP's ASP) access, CRS also can by with the interlock of NAC, the flow shielding of layer Network Based is provided.
ASC is an equipment of realizing application service control.SCS by with the interlock of ASC, utilizes user's restriction or ban use of technological means such as particular application services, thereby the protection mobile network avoids the security risk that dangerous service brings.For access from the dangerous ISP of outside ASP, CRS also can by with the interlock of ASC, the service shielding based on application layer is provided.
More contents of relevant associated response system are referring to ITU-T SG17 X.CRS, and " CorrelativeReacting System in mobile data communication system ", the present invention quotes at this, repeats no more.
In the CRS system, SCA utilizes the SCI that collects portable terminal with the interface of the operating system of portable terminal and SAS, and the arrangement of responsible SCI, report and with SCS, NAC and ASC between communicate by letter.SCI is the information such as safe condition of mobile terminal operating system and Secure Application software thereof, and the SCI of portable terminal gives SCS by the SCA collecting and reporting.At present, for the collection of portable terminal SCI, put in order, report, analyze and renewal etc. is controlled in the access of portable terminal and still lack concrete implementation according to SCI.
Summary of the invention
The object of the present invention is to provide the method for upgrading security related information in a kind of associated response system, be intended to solve the collection of portable terminal SCI, the problem of putting in order, report, analyzing and the access of portable terminal is controlled renewal according to SCI.
The present invention realizes like this, upgrade the method for security related information in a kind of associated response system, described associated response system comprises the security correlative agent that is positioned at portable terminal, network insertion controller or application service controller that portable terminal is controlled, and the security association server that portable terminal, network insertion controller and application service controller are controlled, described method comprises the steps:
A. security correlative agent is collected the security related information of portable terminal, reports the security association server;
B. the security association server is analyzed the security related information that security correlative agent reports, and returns the security related information response to security correlative agent.
Described step B comprises:
B2. the security association server carries out association analysis to described security related information;
B4. the security association server returns the security related information response according to the result of described association analysis to security correlative agent, and described security related information responds the security control information of associated server safe to carry to the security correlative agent feedback.
Described steps A further comprises the steps:
A1. security correlative agent is collected the security related information of portable terminal by the software interface of portable terminal;
A2. security correlative agent is put described security related information in order, selects the information content that reports to the security association server;
A3. security correlative agent by and the security association server between security information transmit passage and send the security related information report to the security association server, carry the information content that described selection reports to the security association server.
The information content that described selection reports to the security association server is the full detail or the partial information of the security related information of the portable terminal collected of security correlative agent.The report of described security related information is regularly reported, triggers security correlative agent by the security incident of portable terminal and report to the security association server to the security association server by security correlative agent, perhaps by security association server active inquiry.
Described security related information report further includes security related information report message sequence number, security correlative agent sign, user ID or security association server identification.
Described step B further comprises the steps:
B1. the security association server carries out validity check to the security related information that security correlative agent reports;
B3. the security association server upgrades the security related information of the local portable terminal of preserving according to the result of described association analysis.
Described association analysis is the association analysis of single user information correlation analysis and multi-user's analog information.
Before described step B4, described step B further comprises the steps:
F1. the security association server judges whether to upgrade the safety control strategy of portable terminal according to the result of described association analysis, is execution in step F2 then, otherwise execution in step B4;
F2. the security association server by and network insertion controller or application service controller between security information transmit passage and send the safety control strategy update request to network insertion controller or application service controller, related agent identification safe to carry, user ID and upgrade after safety control strategy information;
F3. network insertion controller or application service controller transmit passage by described security information and return safety control strategy renewal response to the security association server, and the safety control strategy of notice security association server portable terminal upgrades the result.
Described security association server includes the safety control strategy lastest imformation of portable terminal in the security control information of security correlative agent feedback.
Described method further comprises the steps:
C. security correlative agent is preserved the security related information response that up-to-date security related information, security related information report content, security related information reporting strategy and the security association server of portable terminal returns.
Described method further comprises the steps:
D. security correlative agent generates portable terminal safe condition assessment report or safety instruction information according to the security related information of the portable terminal of collecting and the security related information response that the security association server returns.
Described method further comprises the steps:
E. security correlative agent responds Secure Application software or the operating system of upgrading portable terminal according to the security related information that the security association server returns.
By the present invention, can realize SCA to the automatic collection of portable terminal SCI, put in order, report, and the SCI that SCS reports according to SCA upgrades mobile terminal access control and service control, do not need the user to participate in, be user-friendly to, help the popularization of associated response system.
Description of drawings
Fig. 1 is the structure chart of associated response system;
Fig. 2 is the realization flow figure that SCI provided by the invention upgrades.
Embodiment
In order to make purpose of the present invention, technical scheme and advantage clearer,, the present invention is further elaborated below in conjunction with drawings and Examples.Should be appreciated that specific embodiment described herein only in order to explanation the present invention, and be not used in qualification the present invention.
In the present invention, SCA compiles the SCI of portable terminal, and reports SCS.After SCS obtains the SCI of portable terminal, carry out association analysis with information such as the Access Control Policy of mobile phone users, service control strategies, the security situation of assessment portable terminal is upgraded mobile terminal access control strategy and service control strategy.Simultaneously, SCA is according to the security related information of portable terminal and the SCS association analysis result to SCI, for the user generates the report of terminal security condition evaluation.
The SCI of portable terminal is mainly used in the safe condition that SCS determines portable terminal, and SCS is stored in the SCI of portable terminal among the SDB.The SCI of portable terminal mainly comprises following information:
(1) leak of mobile terminal operating system, patch information;
(2) mobile terminal operating system security log, warning information;
Whether (3) the fail-safe software mount message of portable terminal has for example installed anti-viral software or firewall software etc.;
(4) whether carried out information such as scanning and viral discovery situation comprehensively behind the version of portable terminal fail-safe software, database date, virus scan strategy, the renewal virus base;
(5) mobile terminal user identity information is used for SCS the user is distinguished;
(6) SCA reports the strategy of security related information report (SCI Report) to SCS, for example SCA regularly reports safety message etc. to the Event triggered that SCS sends security related information report, SCS active inquiry safety message or portable terminal, and for example the terminal anti-viral software finds that virus, terminal fire compartment wall detect the network attack of terminal etc.
The present invention supposes between SCA and the SCS and has set up the safe information transfer channel between SCS and the NAC/ASC, be that SCI renewal process among the present invention occurs in security information and transmits passage and set up after the process, SCI report, response message and safety control strategy update request, response message encrypted transmission in the information transfer channel of safety is with consistency, integrality and the non repudiation of guarantee information.
Fig. 2 shows the realization flow that SCI provided by the invention upgrades:
1, SCA by with the interface real-time collecting portable terminal security related information of softwares such as the TOS of portable terminal and SAS, for example information such as strategy of the SCI Report that sends to SCS of the version of the leak/patch information of mobile terminal operating system, mobile terminal operating system security log and warning information, portable terminal fail-safe software and database date, mobile phone users identity or SCA.
2, SCA carries out edit and filtration to the portable terminal security related information of collecting, and according to the safety message strategy of SCS regulation, selects to send content and suitable transmission reports SCS opportunity accordingly.SCA preserves the up-to-date SCI of portable terminal, the information content, the safety message strategy that send among the SCI Report several times recently or the security related information response information such as (SCI Response) that receives from SCS.
As one embodiment of the present of invention, SCA can be at every turn reports SCS with whole SCI of the portable terminal of collecting;
As a preferred embodiment of the present invention, SCA does not need whole security related informations of collecting to be sent to SCS at every turn, but the safety message strategy of formulating according to SCS sends.The safety message strategy is formulated by SCS and is handed down to SCA, and for example SCA can only send the information that changes between the SCI Report twice.As one embodiment of the present of invention, SCA is after the user is connected to data network by authentication, need to comprise whole SCI information among the SCI Report that sends for the first time, later SCI Report only need send the lastest imformation of SCI according to the safety message strategy or only send the feedback information of the execution result of the SCI Response that last SCS is returned.
3, when the transmission that arrives safety message strategy regulation during opportunity, SCA selects content corresponding to transmit passage by security information and sends SCI Report to SCS.The content of SCI Report can also comprise information such as message SN, SCA ID or SCS ID except the relevant SCI of portable terminal.SCA ID, message SN and SCS ID are used for a SCI Report of unique identification message, SCS utilizes these information to discern whether to be among the information of repetition, the SCI Report that twice receives whether SCI information dropout is arranged, and whether SCS is legal receiving terminal etc.
4, after SCS receives SCI Report, wherein SCI is carried out validity check, confirm whether it is correct, effectively, and carry out association analysis according to security strategy.For example SCS can compare canned data among relevant information among the SCI Report and the local SDB, and for example whether SCA ID, message SN, SCSID etc. are effectively correct, and whether SCS ID is accurate etc.
Association analysis comprises the association analysis of single user's various information and the association analysis of multi-user's analog information, analyzes the security situation of a portable terminal and the interior a plurality of portable terminals of net respectively, thus phase-split network general safety state.Security strategy is pre-defined and be stored among the SDB of SCS by system.
5, SCS compares according to the SCI information that the SCI of portable terminal and association analysis result and SCS are stored among the SDB, SDB is upgraded, to keep the up-to-date SCI of memory mobile terminal among the SDB.
6, SCS determines whether the network insertion control strategy or the application service control strategy of portable terminal are upgraded according to the association analysis result.If do not need to upgrade, just directly forward step 9 to.
7, upgrade the network insertion control or the application service control strategy of portable terminal if desired, then SCS transmits passage by security information and sends the safety control strategy update request to NAC or ASC, carry SCA ID, the user ID of controlled portable terminal and upgrade after information such as safety control strategy information.The safety control strategy update request transmits encrypted transmission in the passage by the security information between SCS and the NAC/ASC, this security information transmits passage can utilize existing security mechanism, Transport Layer Security (Transport Layer Security for example, TLS), general open policy service protocol agreement (Common Open PolicyService Protocol, COPS) etc., also can be the self-built security mechanism of CRS.
8, NAC or ASC transmit passage by security information and return safety control strategy renewal response to SCS, and the renewal of the safety control strategy of feedback portable terminal is situation as a result.
9, SCS selects the content to the SCI Response of SCA feedback according to the more new situation of association analysis result and safety control strategy.
As one embodiment of the present of invention, SCS can not send SCI Response to SCA at every turn yet after receiving the SCIReport that SCA reports, for example SCA regularly reports SCI Report to SCS, and SCS carries out thinking that not needing to carry out safety control strategy upgrades and software upgrading after the association analysis that SCS can select to send a SCI Response and respond several SCI Report that SCA reports at this moment.
10, SCS transmits passage by security information and sends SCI Response to SCA, carry the security control information of SCS to SCA feedback, for example the upgrading address of the patch that need install of mobile terminal operating system and download address thereof, portable terminal fail-safe software, SCS require the safety control strategy lastest imformation of (comprising SCA reports safety message strategy from SCI Report to SCS) or portable terminal etc. to the security strategy of SCA.
Upgrading for softwares such as terminal operating system, SCA and Secure Application softwares is upgraded, the different level of securitys that SCS upgrades at upgrading can define various strategies, for example install immediately and upgrade, install and upgrade preceding cancellation or limiting network visit or service access authority, install immediately and upgrade, open network visit or service access authority between installation period, renewal is installed at some particular point in times or before the time period, otherwise exceeds the time limit cancellation or limiting network visit or service access authority etc.
As one embodiment of the present of invention, the content of the SCI Response message that SCA can return to SCA according to the SCI of the portable terminal of collecting and SCS generates portable terminal safe condition assessment report, for the mobile phone users inquiry, and can be in the SCI renewal process, provide corresponding safety instruction information to the user, for example in the SCA process is installed, give user prompt permission agreement information, when user's access to netwoks or service access are limited, cancel or open again, to user prompt relevant information etc.
As one embodiment of the present of invention, after said process finishes, portable terminal can be according to content in the SCIResponse message or indication, initiate the renewal of SCA software or other Secure Application software, mobile terminal operating system, for example SCA is from the SCI Response of SCS, obtain the software content that needs renewal, and the address of update content, thereby carry out corresponding software upgrading.After software upgrading is finished, then may also need to repeat again once or repeatedly above-mentioned SCI new technological process more, so that SCS upgrades mobile terminal access control, service control or confirms the effect of software upgrading, the content that this moment, SCA was comprised in the SCIReport that SCS reports can only be about the affirmation information of software upgrading effect between SCA and the SCS.
The above only is preferred embodiment of the present invention, not in order to restriction the present invention, all any modifications of being done within the spirit and principles in the present invention, is equal to and replaces and improvement etc., all should be included within protection scope of the present invention.
Claims (12)
1, upgrades the method for security related information in a kind of associated response system, described associated response system comprises the security correlative agent that is positioned at portable terminal, network insertion controller or application service controller that portable terminal is controlled, and the security association server that portable terminal, network insertion controller and application service controller are controlled, it is characterized in that described method comprises:
A. security correlative agent is collected the security related information of portable terminal, and described security related information is sent to the security association server;
B. the security association server is analyzed the security related information that security correlative agent sends, and returns the security related information response to security correlative agent;
Described step B comprises:
B2. the security association server carries out association analysis to described security related information;
B4. the security association server returns the security related information response according to the result of described association analysis to security correlative agent, and described security related information responds the security control information of associated server safe to carry to the security correlative agent feedback.
2, the method for claim 1 is characterized in that,
Described steps A comprises:
A1. security correlative agent is collected the security related information of portable terminal by the software interface of portable terminal;
A2. security correlative agent is put described security related information in order, selects the information content that sends to the security association server;
A3. security correlative agent by and the security association server between security information transmit passage and send the security related information report to the security association server, the information content that described selection sends to the security association server is carried in this security related information report.
3, method as claimed in claim 2 is characterized in that, the information content that described selection sends to the security association server is the full detail or the partial information of the security related information of the portable terminal collected of security correlative agent.
4, method as claimed in claim 2, it is characterized in that, the report of described security related information is regularly sent, triggers security correlative agent by the security incident of portable terminal and send to the security association server to the security association server by security correlative agent, perhaps by security association server active inquiry.
5, method as claimed in claim 2 is characterized in that, described security related information report further includes security related information report message sequence number, security correlative agent sign or security association server identification.
6, the method for claim 1 is characterized in that, in described step B, further comprises before the B2:
B1. the security association server carries out validity check to the security related information that security correlative agent sends;
Further comprise after the B2:
B3. the security association server upgrades the security related information of the local portable terminal of preserving according to the result of described association analysis.
7, method as claimed in claim 6 is characterized in that, described association analysis comprises: the association analysis of single user information correlation analysis and multi-user's analog information.
8, method as claimed in claim 6 is characterized in that, before described step B4, described step B further comprises:
F1. the security association server judges whether to upgrade the safety control strategy of portable terminal according to the result of described association analysis, is execution in step F2 then, otherwise execution in step B4;
F2. the security association server by and network insertion controller or application service controller between security information transmit passage and send the safety control strategy update request to network insertion controller or application service controller, related agent identification safe to carry, user ID and upgrade after safety control strategy information;
F3. network insertion controller or application service controller transmit passage by described security information and return safety control strategy renewal response to the security association server, and the safety control strategy of notice security association server portable terminal upgrades the result.
9, method as claimed in claim 7 is characterized in that, described security association server includes the safety control strategy lastest imformation of portable terminal in the security control information of security correlative agent feedback.
10, the method for claim 1 is characterized in that, described method further comprises:
C. security correlative agent is preserved the security related information response that up-to-date security related information, security related information report content, security related information reporting strategy and the security association server of portable terminal returns.
11, the method for claim 1 is characterized in that, described method further comprises:
D. security correlative agent generates portable terminal safe condition assessment report or safety instruction information according to the security related information of the portable terminal of collecting and the security related information response that the security association server returns.
12, the method for claim 1 is characterized in that, described method further comprises:
E. security correlative agent responds Secure Application software or the operating system of upgrading portable terminal according to the security related information that the security association server returns.
Priority Applications (4)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2006100349291A CN100536386C (en) | 2006-04-06 | 2006-04-06 | Method for updating security related information in associated response system |
| US11/580,591 US7933584B2 (en) | 2005-10-15 | 2006-10-13 | Method for implementing security update of mobile station and a correlative reacting system |
| EP06804927A EP1860898A4 (en) | 2005-10-15 | 2006-10-13 | A method for realizing mobile station secure update and correlative reacting system |
| PCT/CN2006/002703 WO2007045155A1 (en) | 2005-10-15 | 2006-10-13 | A method for realizing mobile station secure update and correlative reacting system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2006100349291A CN100536386C (en) | 2006-04-06 | 2006-04-06 | Method for updating security related information in associated response system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1874219A CN1874219A (en) | 2006-12-06 |
| CN100536386C true CN100536386C (en) | 2009-09-02 |
Family
ID=37484507
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2006100349291A Expired - Fee Related CN100536386C (en) | 2005-10-15 | 2006-04-06 | Method for updating security related information in associated response system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100536386C (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101719914B (en) * | 2009-11-10 | 2012-09-05 | 中国科学院计算技术研究所 | Security event source integrated system and implementing method thereof |
| CN102413011B (en) * | 2011-11-18 | 2015-09-30 | 北京奇虎科技有限公司 | A kind of method and system of LAN safety assessment |
| CN106993083B (en) * | 2017-02-21 | 2020-12-04 | 北京奇虎科技有限公司 | Method and device for recommending operation prompt information of intelligent terminal |
-
2006
- 2006-04-06 CN CNB2006100349291A patent/CN100536386C/en not_active Expired - Fee Related
Also Published As
| Publication number | Publication date |
|---|---|
| CN1874219A (en) | 2006-12-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7933584B2 (en) | Method for implementing security update of mobile station and a correlative reacting system | |
| CN100361456C (en) | Terminal equipment managing method | |
| CN100571157C (en) | A kind of method and system thereof that realizes the travelling carriage security control | |
| CN101542429B (en) | Apparatus and methods for detection and management of unauthorized executable instructions on a wireless device | |
| CN101917431A (en) | Method and device for preventing illegal invasion of internal network of intelligent home | |
| CN101223800A (en) | Apparatus and methods for protecting data on a wireless device | |
| CN102893574A (en) | System and method for preventing an attack on a networked vehicle | |
| CN103108320A (en) | Method and system for monitoring application program of mobile device | |
| CN101361316A (en) | Message broadcasting admission control system and method | |
| WO2015065013A1 (en) | Method and apparatus for multi-users registering home network supporting application based device | |
| CN101355415A (en) | Method and system for implementing safety access public network of network terminal as well as special network access controller thereof | |
| CN102724208A (en) | System and method for controlling access to network resources | |
| CN105550584A (en) | RBAC based malicious program interception and processing method in Android platform | |
| CN101562541A (en) | Unified management method and device thereof | |
| CN101127634B (en) | A method and system for secure update and upgrade of mobile station | |
| CN100536386C (en) | Method for updating security related information in associated response system | |
| JP2004333186A (en) | Remote support system of analyzer | |
| CN1661982B (en) | Method and system for automatically configuring access control | |
| CN111327602B (en) | Equipment access processing method, equipment and storage medium | |
| EP2291016A1 (en) | Wireless control system using an apparatus with a mobile telephone | |
| CN101924645B (en) | Device management method, device and system | |
| CN101170733B (en) | An authentication and charging control method, device and system for WAP service | |
| CN101161004A (en) | Method of implementing safety updating of mobile station and related response system | |
| EP3769554A1 (en) | Method and system for authorising the communication of a network node | |
| KR101480596B1 (en) | Method and device for obtaining real name register status, and terminal thereof |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C41 | Transfer of patent application or patent right or utility model | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20160426 Address after: California, USA Patentee after: SNAPTRACK, Inc. Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd. |
|
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20090902 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |