CN101449553B - System and method for determining the character set encoding used to decode a request submitted through a gateway - Google Patents

Info

Publication number
CN101449553B
Authority
CN
China
Prior art keywords
request
gateway
network
application
character code
Prior art date
Legal status
Active
Application number
CN2006800548039A
Other languages
Chinese (zh)
Other versions
CN101449553A (en)
Inventor
R·米拉尼
S·H·王
A·乔汉
Current Assignee
Citrix Systems Inc
Original Assignee
Citrix Systems Inc
Priority date
Filing date
Publication date
Application filed by Citrix Systems Inc
Publication of CN101449553A
Application granted
Publication of CN101449553B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L63/0227 Filtering policies
                            • H04L63/0263 Rule management
                        • H04L63/0281 Proxies
                        • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F15/00 Digital computers in general; Data processing equipment in general
                    • G06F15/16 Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
                        • G06F15/161 Computing infrastructure, e.g. computer clusters, blade chassis or hardware partitioning
                • G06F9/00 Arrangements for program control, e.g. control units
                    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
                        • G06F9/44 Arrangements for executing specific programs
                            • G06F9/448 Execution paradigms, e.g. implementations of programming paradigms

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Mathematical Physics (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a system and method for determining the character set encoding of a request captured by a gateway, so that the request can be decoded using that character set encoding. A gateway (105) receives a request containing encoded content, such as a URL-encoded request, from clients (101a-101n), and determines the application (110a-110n) that generated the request or is associated with it. Based on the determined application, the gateway identifies the character encoding scheme associated with, or used by, that application, decodes the request using the identified character encoding scheme, and applies rules and policies to the request. In some embodiments, the gateway acts as an application firewall or security control system that applies policies to encoded application network traffic and decodes that traffic according to the encoding scheme associated with each application.

Description

System and method for determining the character set encoding of a request submitted through a gateway in order to decode the request
Field of the invention
(1) The present invention relates generally to determining a character set encoding for a request directed to an application program. More specifically, it relates to systems and methods for determining the character set encoding to be used in decoding a request that is submitted to an application through a gateway.
Background
(2) A well-known technique for obtaining information from a user over the computer networks commonly called the Internet is the "form": a page that presents the user of a browser with one or more fields to fill in. Many different character encodings can be used to submit a form, however, and the request itself gives no indication of which character set should be applied to it. Decoding a submitted form with a character set ("charset") different from the one the application used when it prepared the form can cause the server to reject or misinterpret the form. For an intermediary network device, such as an application firewall deployed between the server and the client, the problem is more serious, because the network device has no access to the application logic responsible for generating and processing the form.
(3) One technique that has been attempted to solve this character set problem relies on the network device recording the character set used when a form is generated and sent to the client. This technique cannot work, however, when the form is generated entirely at the client, for example with Javascript. Network devices have also tried to solve the problem by assuming that all form requests use the encoding known as "utf-8", but this approach has obvious shortcomings.
(4) The systems and methods of the present invention provide a solution for efficiently and robustly processing, decoding and analyzing requests that may contain content in different encodings, or content whose character set encoding cannot be identified from the request itself, without needing to record the server application or the client browser. The technique can also be extended to allow policies to be applied to requests so that different character sets are used in different situations. Form submissions and other requests between server and client can therefore be inspected to ensure that no malicious requests (for example SQL injection requests) are allowed to reach the server application, with a minimal rate of false alarms.
(5) In one aspect, the present invention relates to a method for determining the character encoding to be used to decode a request. The method includes receiving a request and determining which of a plurality of application programs the request corresponds to. The method identifies the character encoding associated with the determined application program and inspects the request using the identified character encoding.
(6) In one embodiment, the method determines which of the plurality of application programs the request corresponds to from an attribute of the request. In some embodiments, this attribute of the request comprises one of: 1) a source identifier, 2) a destination identifier, 3) a port identifier, 4) a protocol identifier, 5) a header, or 6) a uniform resource locator (URL) address. In another embodiment, the method uses a cookie included in the received request to determine which of the plurality of application programs the request corresponds to.
(7) In other embodiments, the method identifies the character encoding associated with the determined application using a file that holds associations between character encodings and applications. In some embodiments, the method identifies the character encoding associated with the determined application program using a database that holds associations between character encodings and applications.
(8) In one embodiment, the method includes receiving a second request, determining the second application program among the plurality of application programs to which the second request corresponds, and identifying a second character encoding associated with the determined second application program. In another embodiment, the method includes receiving a request generated by a client. The method uses an attribute of the client to determine which of the plurality of application programs the request corresponds to. In another embodiment, the method includes receiving the request in accordance with a cached form page.
(9) In another aspect, the present invention relates to a gateway for determining the character encoding to be used to decode a request. The system includes a receiver that communicates with a client over a network and receives a request from the client. The system also includes a character set engine in communication with the receiver. The character set engine identifies the character encoding associated with the application to which the received request corresponds (the application the request will be sent to) and inspects the request using the identified character set.
(10) In one embodiment, the gateway communicates with a plurality of clients. In some embodiments, the gateway uses one of the following attributes contained in the request to determine which application program the request is directed to: 1) a source identifier, 2) a destination identifier, 3) a port identifier, 4) a protocol identifier, 5) a header, or 6) a uniform resource locator (URL) address. In another embodiment, the character set engine includes a database that associates character encodings with applications. In other embodiments, the character set engine includes a file that associates character encodings with applications.
(11) In another aspect, the present invention relates to a method for inspecting, by a gateway, a client request that has an encoded portion. The method includes receiving, by the gateway, a request from an application program on a client. The method also includes the gateway determining which of a plurality of application programs the request corresponds to, and identifying the character encoding associated with the determined application program. The method further includes the gateway decoding a portion of the request using the identified character encoding, and inspecting or analyzing the decoded portion of the request.
(12) In one embodiment of this method, the gateway uses an attribute of the request to determine which of the plurality of application programs the request corresponds to. In another embodiment, the gateway uses an attribute of the client to determine which of the plurality of application programs the request corresponds to. In another embodiment, the gateway applies a policy to the request based on the inspection of the decoded portion of the request.
(13) In some embodiments, the method includes the gateway receiving a second request from a second application program on the client or on a second client. The gateway determines which of the plurality of application programs the second request corresponds to, and identifies a second character encoding associated with the determined application program. The gateway decodes a portion of the second request using the identified second character encoding. In some embodiments, the gateway inspects or analyzes the decoded portion of the second request. In another embodiment, the method includes the gateway applying a policy to the second request based on the decoded portion of the second request.
(14) The details of various embodiments of the invention are set forth in the accompanying drawings and in the description below.
Brief description of the drawings
(15) The foregoing and other objects, aspects, features and advantages of the invention will be more fully understood by referring to the following description in conjunction with the accompanying drawings, in which:
Figure 1A is a block diagram of an example network environment with a gateway deploying a system for determining the character set encoding used by an application;
Figure 1B is a block diagram of another network environment in which the system for determining the character set encoding is deployed on a client and/or a server;
Figures 1C and 1D are block diagrams of embodiments of a computing device for implementing example embodiments of the system of the present invention;
Figure 2 is a block diagram of a system that determines the character set encoding of an application in order to decode and analyze requests from a client;
Figure 3 is a flow chart of the steps taken in an embodiment of a technique for determining the character set encoding of an application program in order to decode and analyze requests from a client.
(16) The features and advantages of the present invention will become apparent from the detailed description set forth below when taken in conjunction with the drawings, in which like reference numerals identify corresponding elements throughout. In the drawings, like reference numerals generally indicate identical, functionally similar and/or structurally similar elements.
Detailed description of specific embodiments
(17) Certain illustrative embodiments of the present invention are described below. It is to be expressly understood, however, that the present invention is not limited to these embodiments; additions to and modifications of the embodiments expressly described here are also intended to fall within the scope of the invention. In addition, it is to be understood that the features of the various embodiments described herein are not mutually exclusive and may exist in various permutations and combinations, even where those permutations and combinations are not expressly described here, without departing from the spirit and scope of the invention.
(18) Figure 1A depicts a block diagram of a network environment with a gateway deploying an application character set encoding and inspection system 120. As shown in Figure 1A, this example network environment includes a plurality of clients 101a-101n, a plurality of servers 106a-106n and a gateway 105, which may also be called an appliance, a gateway appliance, a gateway server or a gateway device. The servers 106a-106n host the applications, databases and other information systems that provide the requested content to the clients 101a-101n. Each of the clients 101a-101n and servers 106a-106n may be a computing device of any type and form, such as the computing device 100 described in more detail below in connection with Figures 1C and 1D. For example, any of the clients 101a-101n may be a mobile computing device, an electronic communication device (such as a mobile phone or personal digital assistant), a laptop or notebook computer, or any type of desktop computer.
(19) Each of the clients 101a-101n is communicatively coupled to the gateway 105 through a network 104, and the gateway 105 is communicatively coupled to the servers 106a-106n through a network 104'. In one embodiment, the network 104 comprises the Internet and the network 104' comprises a private data communication network, such as an enterprise network. The networks 104 and 104' may be networks of any type and form, public, private or otherwise, and in some cases they may even be the same network.
(20) Although Figure 1 shows the networks 104 and 104' between the clients 101a-101n and the servers 106a-106n, the clients 101a-101n and servers 106a-106n may also be on the same network 104 or 104'. The networks 104 and 104' may be the same type of network or different types of networks. The networks 104 and 104' may be a local area network (LAN), such as a company intranet, a metropolitan area network (MAN), or a wide area network (WAN), such as the Internet or the World Wide Web. The networks 104 and 104' may be of any type and/or form and may include any of the following network types: a point-to-point network, a broadcast network, a wide area network, a local area network, a telecommunications network, a data communication network, a computer network, an ATM (asynchronous transfer mode) network, a SONET (synchronous optical network) network, an SDH (Synchronous Digital Hierarchy) network, a wireless network and a wireline network. The topology of the networks 104 and 104' may be a bus, star or ring network topology. The networks 104 and 104' and their topology may be any such network or network topology known to those skilled in the art that is capable of supporting the operations described herein.
(21) As shown in Figure 1A, the gateway 105 is deployed between a first network 104 (for example a public data communication network) and a second network 104' (for example a private data communication network). In other embodiments, the gateway 105 may be located on the first network 104 or on the second network 104'. In still other embodiments, the gateway 105 may be part of any of the clients 101a-101n or any of the servers 106a-106n located on the same or a different network 104, for example clients 102a-102n. In this way, the gateway 105 may be located at any point in the network or in the network communication path between the clients 101a-101n and the servers 106a-106n.
(22) Each of the clients 101a-101n may execute, operate or otherwise provide an application 110a-110n, referred to collectively here as application 110. The application 110 may be any type and/or form of software, program or executable instructions, such as a web browser of any type and/or form, a web-based client, a client-server application, a thin-client computing client, an ActiveX control or Java applet, or any other type and/or form of executable instructions capable of executing on the clients 101a-101n. In some embodiments, the applications 110a-110n may be server-based or remote-based applications executed on a server 106a-106n on behalf of a client 101a-101n. In one embodiment, the servers 106a-106n may use a thin-client or remote-display protocol, such as the Independent Computing Architecture (ICA) protocol manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Florida, or the Remote Desktop Protocol (RDP) manufactured by Microsoft Corporation of Redmond, Washington, to display output to the clients 101a-101n.
(23) In some embodiments, the servers 106a-106n or a server farm may run one or more applications 110, for example an application that provides thin-client computing or a remote-display presentation application. In one embodiment, a server 106a-106n or server farm executes as the application 110 any portion of the Citrix Access Suite™ of Citrix Systems, Inc. (for example MetaFrame or Citrix Presentation Server™), and/or any portion of the Microsoft™ Windows Terminal Services of Microsoft Corporation. In one embodiment, the application 110 is an ICA client developed by Citrix Systems, Inc. of Ft. Lauderdale, Florida. In other embodiments, the application 110 comprises a Remote Desktop (RDP) client developed by Microsoft Corporation of Redmond, Washington. In other embodiments, the servers 106a-106n may stream the application 110 to the clients 101a-101n. The servers 106a-106n may also run an application 230, which may for example be an application server providing e-mail services (such as Microsoft Exchange developed by Microsoft Corporation of Redmond, Washington), a web or Internet server, or a desktop sharing server or collaboration server. In some embodiments, any of the applications 110 may comprise any type of hosted service or product, such as GoToMeeting™ provided by Citrix Online Division of Santa Barbara, California, WebEx™ provided by WebEx, Inc. of Santa Clara, California, or Microsoft Office Live Meeting provided by Microsoft Corporation of Redmond, Washington.
(24) According to one embodiment, the gateway 105 comprises an application character set encoding and inspection system 120. As described in more detail below, the system 120 receives requests containing encoded content from the clients 101a-101n. For example, a client 101 may submit an HTTP form or a request that includes encoded content, such as a URL-encoded portion. In one case, the type of encoding scheme cannot be known from the request. The system 120 determines the application that generated the request or is associated with it. For example, the system 120 may identify from the request an IP address and/or port associated with an application. Based on the determined application, the system 120 identifies the character encoding scheme associated with, or used by, that application. For example, the system 120 may look up the encoding scheme in a database, in configuration information, or through a policy engine. The system 120 then decodes a portion of the request using the identified character encoding scheme and applies a rule or policy to the request. In some embodiments, the system 120 acts as an application firewall or security control system that applies policies to encoded application network traffic, and it can decode that traffic according to the encoding scheme associated with each application.
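As an added example (not code from the patent or from Citrix), the following Python sketch walks through the pipeline paragraph (24) describes and the method of paragraphs (5) to (13): identify the application from the request's destination address, port and URL, look up its character set, percent-decode the body to raw bytes, decode those bytes with that character set, and only then run an inspection rule. The association table, the addresses and paths, and the single SQL-injection rule are all constructed for this example.

```python
# Added example (not from the patent or Citrix): a gateway step that selects the
# character set per application before decoding and inspecting a form submission.
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

# Constructed association table standing in for the patent's "file or database"
# of application-to-charset associations. Keys are (destination IP, destination
# port, URL path prefix); all addresses and paths are made up for this example.
APP_CHARSETS = {
    ("10.0.0.10", 80, "/intranet"): "iso-8859-1",   # legacy app, single-byte charset
    ("10.0.0.10", 80, "/shop"): "shift_jis",        # second app on the same server
    ("10.0.0.20", 443, "/"): "utf-8",
}

# Illustrative inspection rule only: a textbook tautology such as ' OR '1'='1.
# A real application firewall carries a much larger rule set.
SQLI_RULE = re.compile(r"'\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+", re.IGNORECASE)


@dataclass
class Request:
    src_ip: str
    dst_ip: str
    dst_port: int
    path: str
    body: bytes  # application/x-www-form-urlencoded, raw bytes as received


def identify_application(req):
    """Map the request to an application using the destination identifier, port
    and URL path (three of the attributes listed in paragraph (6)); the longest
    matching path prefix wins, so /intranet beats / on the same host."""
    best = None
    for key in APP_CHARSETS:
        ip, port, prefix = key
        if req.dst_ip == ip and req.dst_port == port and req.path.startswith(prefix):
            if best is None or len(prefix) > len(best[2]):
                best = key
    return best


def decode_form(body, charset):
    """Percent-decode every field to raw bytes first, then decode those bytes with
    the application's charset. Decoding is strict: bytes that are not valid in the
    charset raise UnicodeDecodeError instead of being silently replaced."""
    fields = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        name, _, value = pair.partition(b"=")
        raw_name = unquote_to_bytes(name.replace(b"+", b" "))
        raw_value = unquote_to_bytes(value.replace(b"+", b" "))
        fields[raw_name.decode(charset)] = raw_value.decode(charset)
    return fields


def inspect(fields):
    """Return the names of the decoded fields that match the inspection rule."""
    return [name for name, value in fields.items() if SQLI_RULE.search(value)]


def process(req):
    """The gateway's decision for one request: identify the application, look up
    its charset, decode, inspect, then apply policy. Blocking unknown applications
    and undecodable bodies is a policy choice made for this example."""
    app = identify_application(req)
    if app is None:
        return {"action": "block", "reason": "unknown application"}
    charset = APP_CHARSETS[app]
    try:
        fields = decode_form(req.body, charset)
    except UnicodeDecodeError:
        return {"action": "block", "reason": f"body is not valid {charset}", "charset": charset}
    hits = inspect(fields)
    return {
        "action": "block" if hits else "allow",
        "charset": charset,
        "fields": fields,
        "hits": hits,
    }


if __name__ == "__main__":
    # "caf%E9" is a valid Latin-1 submission for the legacy app, but the same bytes
    # are not valid UTF-8, which is why a gateway that assumes utf-8 for every
    # request (the approach criticised in paragraph (3)) would reject it.
    legacy = Request("192.0.2.5", "10.0.0.10", 80, "/intranet/comment", b"name=caf%E9&q=hello")
    print(process(legacy))
```

The same bytes sent to the utf-8 application on 10.0.0.20 fail strict decoding and are blocked, which is the misinterpretation the background section describes when the wrong charset is assumed.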
(25) Although generally described as a gateway 105, the gateway may be any type and form of computing device 100 described below, such as an appliance, a network device or a server. In some embodiments, the gateway 105 establishes or provides a virtual private network connection between the first network 104 and the second network 104'. In one embodiment, the gateway 105 establishes a secure socket layer (SSL) VPN connection between the networks 104 and 104'. In another embodiment, the gateway 105 establishes a first transport layer connection, such as a TCP connection, between the clients 101a-101n and the gateway 105, and a second transport layer connection between the gateway 105 and the servers 106a-106n. In another embodiment, the gateway 105 also establishes or provides an encrypted session between the clients 101a-101n and the servers 106a-106n. In one embodiment, the gateway 105 also uses a pooling and/or multiplexing connection technique at the transport or application layer to accelerate the delivery of applications to the clients 101a-101n over the transport layer connections. In another embodiment, the gateway 105 compresses one or more network communications, or portions thereof, between the clients 101a-101n and the servers 106a-106n. In other embodiments, the gateway 105 may also include a cache for caching any one or more network communications, or portions thereof, between the clients 101a-101n and the servers 106a-106n.
(26) Although the application character set encoding/inspection system 120 is generally shown as deployed in the gateway 105 of Figure 1A, the system 120 may also be deployed on any computing device 100. For example, referring now to Figure 1B, the application character set encoding/inspection system 120 may be deployed on any one or more of the clients 101a-101n, for example client 101a. In one embodiment, after the gateway 105 receives a request from a client 101 to access the network 104, the gateway may provide the system 120 for installation on the client 101. In some embodiments, the system 120 is automatically installed by the client 101 after being received from the gateway 105. In another embodiment, the application character set encoding/inspection system 120 may be deployed on any of the servers 106a-106n, for example server 106b. In another embodiment, the system 120 may be distributed across the clients 101, the gateway 105 and/or the servers 106, with any one or more portions of it executing on each of them. In one embodiment, multiple instances of the system 120 may execute on any combination of the clients 101, the gateway 105 and/or the servers 106.
(27) Fig. 1 C and 1D have described the block diagram of computing equipment 100, computing equipment 100 is also referred to as in some embodiments the network equipment, network equipment or installs 100, can be used for realizing the embodiment of application character set encoding/check system 120 described herein.As shown in Fig. 1 C and 1D, each computing equipment 100 comprises CPU 10 and main memory unit 122. shown in Fig. 1 C, and typical computing equipment 100 can comprise visual display device 124, keyboard 126 and/or positioning equipment 127, for example mouse.Each computing equipment 100 can also comprise extra selectable unit, for example one or more input-output apparatus 130a-130b (total use Reference numeral 130 expression) and the cache memory 140. of communicating by letter with CPU 102
(28) CPU 102 is responses and processes from any logical circuit of the instruction of main memory unit 122 taking-ups.In a lot of embodiment, CPU is provided by microprocessor unit, for example: by being positioned at Mountain View, the microprocessor that the Intel Company of California makes; By being positioned at Schaumburg, the processor that the motorola inc of Illinois produces; By being positioned at Santa Clara, the processor that the Transmeta Company of California produces; By being positioned at White Plains, the processor that the IBM Corporation of New York produces; Perhaps by being positioned at Sunnyvale, the processor that the AMD of California produces.Computing equipment 100 can be based in these processors any one, perhaps can be according to such any other processor that moves described herein.
(29) main memory unit 122 can be can store data and allow microprocessor 102 directly one or more storage chips of any memory location of access, for example static access memory (SRAM), pulse (Burst) SRAM or lock-out pulse (SynchBurst) SRAM (BSRAM), dynamic RAM (DRAM), fast page mode DRAM (FPM DRAM), enhancement mode DRAM (EDRAM), growth data output RAM (EDO RAM), growth data output DRAM (EDO DRAM), pulse expansion data output DRAM (BEDO DRAM), enhancement mode DRAM (EDRAM), synchronous dram (SDRAM), JEDEC SRAM, PC100SDRAM, double data rate SDRAM (DDR SDRAM), enhancement mode SDRAM (ESDRAM), synchronization link DRAM (SLDRAM), DirectRambus DRAM (DRDRAM) or ferroelectric RAM (FRAM).Main storage 122 can be based on any one of above-mentioned storage chip, any other storage chip that perhaps can move as described herein.In Fig. 1 C illustrated embodiment, processor 102 is communicated by letter with main storage 122 by system bus 150 (below more detailed description is arranged).Fig. 1 C has illustrated that processor is by the embodiment of port memory 103 with the computing equipment 100 of main storage 122 direct communications.For example, in Fig. 1 D, main storage 122 can be DRDRAM.
(30) Fig. 1 D has illustrated that primary processor 102 is by the embodiment of secondary bus (sometimes being also referred to as back side bus) with cache memory 140 direct communications.In other embodiments, primary processor 102 uses system bus 150 to communicate by letter with cache memory 140.Cache memory 140 had usually than main storage 122 response time faster, was usually provided by SRAM, BSRAM or EDRAM.
(31) in Fig. 1 C illustrated embodiment, processor 102 is communicated by letter with various I/O equipment 130 by local system bus 150.Can use various bus that CPU 102 is connected to any I/O equipment 130, comprise VESA VL bus, isa bus, eisa bus, MCA (MCA) bus, pci bus, PCI-X bus, PCI-Express bus or NuBus.Be the embodiment of video display 124 for I/O equipment, processor 102 can use Accelerated Graphics Port (AGP) to communicate by letter with display 124.Fig. 1 D has illustrated the embodiment of primary processor 102 by super transmission (HyperTransport), quick I/O or the direct computer 100 of communicating by letter with I/O equipment 130b of InfiniBand.Fig. 1 D has also illustrated the embodiment that has mixed local bus and direct communication: processor 102 uses local interconnection to communicate by letter with I/O equipment 130a, but directly communicates by letter with I/O equipment 130b.
(32) computing equipment 100 can be supported the erection unit 116 of any appropriate, for example be used for to receive tape drive, USB device, the hard disk drive of floppy disk, CD-ROM drive, CD-R/RW driver, the DVD-ROM driver of 3.5 inches, 5.25 inches or ZIP dish, various forms or is used for any miscellaneous equipment of mounting software and program (for example any software 120 relevant with using character set encoding/check system 120 or part wherein).Computing equipment 100 can also comprise memory device 128, for example one or more hard disk drives or RAID array, be used for storage operating system and other related software and be used for the storage Application Software Program, for example the random procedure relevant with using character set encoding/check system 120.Any one that perhaps, can use erection unit 116 is as memory device 128.
(33) In addition, the computing device 100 may include a network interface 118 for interfacing to a local area network (LAN), a wide area network (WAN) or the Internet through a variety of connections, including but not limited to standard telephone lines, LAN or WAN links (for example 802.11, T1, T3, 56 kb, X.25), broadband connections (such as ISDN, Frame Relay, ATM), wireless connections, or some combination of any or all of the above. The network interface 118 may include a built-in network adapter, network interface card, PCMCIA network card, card bus network adapter, wireless network adapter, USB network adapter, modem, or any other device suitable for connecting the computing device 100 to any type of network capable of communication and of performing the operations described herein.
(34) A wide variety of I/O devices 130a-130n may be present in the computing device 100. Input devices include keyboards, mice, trackpads, trackballs, microphones and drawing tablets. Output devices include video displays, speakers, inkjet printers, laser printers and dye-sublimation printers. The I/O devices may be controlled by an I/O controller 123 as shown in Fig. 1C. The I/O controller may control one or more I/O devices, such as a keyboard 126 and a pointing device 127 (for example a mouse or optical pen). Furthermore, an I/O device may also provide storage 128 and/or an installation medium 116 for the computing device 100. In other embodiments, the computing device 100 may provide USB connections to receive handheld USB storage devices, such as the USB flash drive line of devices manufactured by Twintech Industry, Inc. of Los Alamitos, California.
(35) In further embodiments, an I/O device 130 may be a bridge 170 between the system bus 150 and an external communication bus, such as a USB bus, an Apple Desktop Bus, an RS-232 serial connection, a SCSI bus, a FireWire bus, a FireWire 800 bus, an Ethernet bus, an AppleTalk bus, a Gigabit Ethernet bus, an Asynchronous Transfer Mode bus, a HIPPI bus, a Super HIPPI bus, a SerialPlus bus, a SCI/LAMP bus, a FibreChannel bus, or a Serial Attached SCSI bus.
(36) A computing device 100 of the type shown in Figs. 1C and 1D typically operates under the control of an operating system, which controls the scheduling of tasks and access to system resources. The computing device 100 can run any operating system, for example any of the versions of the Microsoft Windows operating systems, the different releases of the Unix and Linux operating systems, any version of the Mac OS for Macintosh computers, any embedded operating system, any network operating system, any real-time operating system, any open source operating system, any proprietary operating system, any operating system for mobile computing devices or network devices, or any other operating system capable of running on the computing device and performing the operations described herein. Typical operating systems include WINDOWS 3.x, WINDOWS 95, WINDOWS 98, WINDOWS 2000, WINDOWS NT 3.51, WINDOWS NT 4.0, WINDOWS CE and WINDOWS XP, all of which are provided by Microsoft Corporation of Redmond, Washington; MacOS, provided by Apple Computer of Cupertino, California; OS/2, provided by IBM Corporation of Armonk, New York; Linux, a freely available operating system distributed by Caldera Corp. of Salt Lake City, Utah; or any type and/or form of Unix operating system, among others.
(37) In other embodiments, the computing device 100 may have different processors, operating systems and input devices consistent therewith. The computing device 100 may be a workstation, desktop computer, laptop or notebook computer, server, handheld computer, mobile telephone or other portable communication device, media playing device, unit device, specialized equipment custom-built for a particular purpose, or any other type and/or form of computing or communication device that is capable of communication and has sufficient processor power and memory capacity to perform the operations of the present invention described herein.
(38) Referring now to Fig. 2, an embodiment of the application character set encoding/checking system 120 is described. The system 120 may reside on and/or be executed on any type and form of computing device 100, for example a network device, appliance, gateway, client or server device. In brief overview, the system 120 comprises a receiver 215, a transmitter 220, a character set engine 225, and a rule or policy engine 250. The receiver 215 and the transmitter 220 may be used to receive and send communications over a network 104, or between networks 104 and 104'. The character set engine 225 processes a network communication (for example a request) to determine the type and/or form of encoding of the application associated with that communication. The rule/policy engine 250 applies one or more rules or policies to the network communications processed by the system 120. For example, depending on the type of encoding that the character set engine 225 determines to be associated with the application, the policy engine 250 may control, restrict or block transmission of the network communication by the transmitter 220. In one embodiment, the policy engine 250 enables the system 120 to act as a firewall or security control device. In addition, the policy engine 250 may provide policies for determining and controlling the encoding used to decode content and the actions taken.
(39) The receiver 215 may comprise software, hardware or any combination thereof for receiving signals over the connection medium from the device 100 to the network 104. Likewise, the transmitter 220 may comprise software, hardware or any combination thereof for transmitting signals over the connection medium from the device 100 to the network 104. The network 104 and the network connections between any of the computing devices 100a-100n may comprise any type of transmission medium, for example wires or cables, optical fiber, electromagnetic waves, or any other type of transmission medium capable of supporting the operations described herein. In one embodiment, the receiver 215 receives one or more signals over a medium of a first type. In some embodiments, the transmitter 220 transmits one or more signals over a medium of a second type. In other embodiments, the receiver 215 and the transmitter 220 receive and transmit signals over the same type of medium. In another embodiment, a transceiver comprises the receiver 215 and the transmitter 220 for receiving and transmitting signals over a medium.
(40) The device 100 and/or the system 120 comprise a network protocol stack 210. In some embodiments, the receiver 215 and/or the transmitter 220 may comprise the network protocol stack 210. In other embodiments, the receiver 215 and/or the transmitter 220 may comprise a plurality of network protocol stacks. In another embodiment, the receiver 215 and/or the transmitter 220 interface with, are integrated with, or communicate with one or more network protocol stacks 210. The network protocol stack 210 may comprise any type and form of software, hardware, or combination thereof, for providing connectivity to and communication with a network. In one embodiment, the network protocol stack 210 comprises a software implementation of a network protocol suite. The network protocol stack 210 may comprise one or more network layers, such as any of the network layers of the Open Systems Interconnection (OSI) communications model known to those skilled in the art. As such, the network protocol stack 210 may comprise any type and form of protocol for any of the following layers of the OSI model: 1) physical link layer, 2) data link layer, 3) network layer, 4) transport layer, 5) session layer, 6) presentation layer and 7) application layer. In one embodiment, the network protocol stack 210 comprises the Transmission Control Protocol (TCP) over the network layer protocol IP, commonly referred to as TCP/IP. In some embodiments, the TCP/IP protocol may be carried over the Ethernet protocol, which may comprise any of the family of IEEE wide area network (WAN) or local area network (LAN) protocols, such as those covered by IEEE 802.3. In some embodiments, the network protocol stack 210 comprises any type and form of wireless protocol, such as IEEE 802.11 and/or Mobile IP.
(41) In view of a TCP/IP-based network 104, in one embodiment any TCP/IP-based protocol may be used, for example the Messaging Application Programming Interface (MAPI) (email), File Transfer Protocol (FTP), HyperText Transfer Protocol (HTTP), Common Internet File System (CIFS) protocol (file transfer), Independent Computing Architecture (ICA) protocol, Remote Desktop Protocol (RDP), Wireless Application Protocol (WAP), Mobile IP protocol, and Voice over IP (VoIP) protocol. In another embodiment, the network protocol stack 210 comprises any type and form of transport control protocol, such as a modified transport control protocol, for example Transaction TCP (T/TCP), TCP with selective acknowledgements (TCP-SACK), TCP with large windows (TCP-LW), a congestion prediction protocol such as the TCP-Vegas protocol, and a TCP spoofing protocol. In other embodiments, the network protocol stack 210 may also use any type and form of User Datagram Protocol (UDP), such as UDP over IP, for example for voice communications or real-time data communications.
(42) Furthermore, the network protocol stack 210 may comprise one or more network drivers supporting one or more layers, such as a TCP driver or a network layer driver. The network drivers may be part of the operating system of the computing device 100, or part of any network interface card or other network access component of the computing device 100. In some embodiments, any network driver of the network protocol stack 210 may be customized, modified or adapted to provide a customized or modified portion of the network protocol stack 210 in support of any of the techniques of the present invention described herein. In other embodiments, the system 120 is designed and constructed to operate with or work in conjunction with the network protocol stack 210 installed or provided by the operating system of the device 100.
(43) Still referring to Fig. 2, the character set engine 225 comprises logic, functions and operations for determining any type and form of character set encoding to be associated with an application. The character set engine 225, and any portion thereof, may comprise software, hardware or any combination thereof. In brief overview, the character set engine 225 comprises a parser 230, an application identifier 235 and an analyzer 240. In some embodiments, the character set engine 225 receives or intercepts network communications to or from an application (for example the applications 110a-110b shown in Figs. 1A and 1B). For example, the application 110a on the client 100a may send a request over the network 104 to the server 110d. In one embodiment, the character set engine 225 is connected to or communicates with the receiver 215, the transmitter 220 and/or the network protocol stack 220.
(44) In some embodiments, the parser 230 of the character set engine comprises logic, functions or operations for parsing any network communication received or intercepted by the device 100. In one embodiment, the parser 230 identifies, parses, extracts and/or analyzes any portion of a network communication. In one embodiment, the parser 230 parses any application layer protocol communication, such as HyperText Transfer Protocol (HTTP), eXtensible Markup Language (XML) protocol, or Simple Mail Transfer Protocol (SMTP). For example, the parser 230 may identify and parse or extract a plurality of fields submitted by a form (for example an HTTP form submission) from the client 100a to the server 100d. In another example, the parser may identify, parse or extract any attribute, cookie, name-value pair, URL, string, object or any portion of a request, such as an HTTP form submission.
(45) In one embodiment, the parser 230 identifies in a request an attribute, header, field or data element that identifies the content type, such as text, image, mixed data types, etc. For example, in an embodiment of the HTTP protocol, the content-type header is used to specify the media type and subtype of the data in the message body and to specify the native representation of that data. In some embodiments, the parser 230 identifies that a portion of the request is encoded. For example, in an embodiment of the HTTP protocol, the content-type header may identify that a portion of the URL request is encoded. In another embodiment, the parser 230 identifies in the request an identification of the character set used to encode or decode the content of a portion of the request.
(46) In one embodiment, the parser 230 parses any portion of a transport layer protocol packet, such as a TCP or UDP packet. In some embodiments, the parser 230 identifies and parses any of the following fields from a transport layer network packet: 1) source IP address, 2) destination IP address, 3) source port, 4) destination port, 5) any data of the header and/or packet payload identifying the protocol, and 6) any field of the packet header. In another embodiment, the parser 230 creates or provides an object model representation, or an object-based API, for the parsed network communication or the identified elements of the network communication.
(47) The application identifier 235 comprises any logic, functions and/or operations for determining the application associated with a network communication, such as a message or request. In one embodiment, the application identifier 235 communicates with or is connected to the parser 230 and obtains one or more parsed pieces of information from the network communication. In some embodiments, the application identifier 235 determines the type, name or identity of the application associated with the request from any information in, or representing, the request. In one embodiment, the application identifier 235 identifies the type of encoding of the application and/or of the request. This encoding information may be used to decode, check, analyze or process the request.
(48) In some embodiments, the application identifier 235 is configured to associate the name, type or identifier of an application with one or more data elements of the network communication, such as the source IP address and/or port, or the destination IP address and/or destination port. For example, network communications from a particular client may be associated with an application. In another example, the system 120 may associate network communications with one or more servers in a range of IP addresses, or with a port or range of ports. In other embodiments, the application identifier 235 is configured to associate the name, type or identifier of an encoding scheme, character set or encoding mechanism with one or more data elements of the network communication, such as any parsed field provided by the parser 230. In another embodiment, the application identifier 235 determines the type, name or identity of the application and/or encoding scheme by parsing the network communication, for example the information carried in the payload of network packets.
(49) In some embodiments, the application identifier 235 uses a database, file, object, data structure or other information storage medium to store configuration information that associates an application and/or encoding scheme with a network communication or any portion thereof. For example, an application may be mapped to one or more IP addresses and/or ports. In another example, the application identifier 235 may look up, in any type and form of lookup table, one or more data elements identified in a network communication or the application associated therewith. In one embodiment, the application identifier 235 may be configured by one or more users through any type and form of interface, such as a command line interface or a graphical user interface. In another embodiment, the application identifier 235 is configured through an API by another program, script, application or system.
(50) After determining the application associated with a network communication such as a request, the system 120 determines, identifies or obtains the type of encoding with which to decode any encoded portion of the network communication. In one embodiment, the system 120 (for example the application identifier 235 and/or the analyzer 240) identifies the type of encoding from any portion or data element of the network communication itself. For example, the system 120 may identify the type of encoding from any parsed element of the network communication, such as data in the payload of a network packet. In another embodiment, the system 120 queries or looks up the type of encoding of the application (for example through an API) in a table, database, file, object, data structure or other storage medium or configuration mechanism holding this information.
(51) In another embodiment, the system 120 identifies or obtains the encoding scheme from the rule/policy engine 250. For example, the application identifier 235 and/or the analyzer 240 may query the policy engine 250 to obtain the type of encoding for a given application. In some embodiments, an application may have a plurality of associated encoding types depending on temporal information, client information, user information, device information, network state, the state of any system, historical information and/or statistical information, etc. In one embodiment, the system 120 requests one or more encoding types of an application from the rule/policy engine 250 according to any of the above types of information. For example, a first application may use, or be allowed to use, a first encoding type on a first day of the week or at a first time, and a second encoding type on a second day of the week or at a second time. In an example, the system 120 may query the policy engine 250 with the identified application and temporal information to determine the encoding type to use for processing the network communications of that application.
(52) The analyzer 240 comprises any logic, functions and/or operations for analyzing a network communication or any portion thereof. In one embodiment, the analyzer 240 decodes the portion of a network communication (for example a request) that is encoded with a character set. In some embodiments, the analyzer 240 may obtain the encoding scheme for an application from any other component of the character set engine 225, such as the parser 230 or the application identifier 235. In other embodiments, the analyzer 240 obtains the encoding scheme of the application from the rule/policy engine 250. In one embodiment, the parser 230 or the application identifier 235 provides the network communication to the analyzer 240, and the encoded portion of the network communication is decoded using the encoding type of the application.
(53) In one embodiment, the analyzer 240 uses the identity of the application and/or the associated encoding type to check or analyze the content of the network communication. In some embodiments, the analyzer 240 performs unidirectional and bidirectional analysis of the network traffic flows received by the system 120. For example, the analyzer 240 may perform deep stream inspection of each network packet. In other embodiments, the analyzer 240 inspects and analyzes HTTP and HTML headers and payloads. In one embodiment, the system 120 may perform full HTML parsing, for example by the parser 230, so that the analyzer 240 can inspect and analyze any portion of the HTML communication. In another embodiment, the analyzer 240 identifies, maintains and tracks the sessions, and the state of the sessions, of the network traffic received and processed by the system 120.
(54) Still referring to Fig. 2, the system 120 may also comprise a rule/policy engine for applying a set of one or more policies to the inspection, filtering or analysis of network communications. In one embodiment, the policy engine 250 comprises policies related to the dates, times or schedules at which an application may access the network 204. In another embodiment, the policy engine 250 comprises policies related to the dates, times or schedules at which an application may be used by an identified user or by a user of an identified computing device. In another embodiment, the policy engine 250 comprises policies related to the dates, times or schedules at which an encoding scheme is or may be used. For example, a user may configure rules or policies of the system 120 to allow a first application to use a first encoding scheme on a first day of the week or during a first specified time period, and to use a second encoding scheme on a second day of the week or during a second specified time period.
(55) In one embodiment, the system 120 comprises an end-point detection and scanning mechanism that identifies and determines one or more attributes or characteristics of the client. For example, the system 120 may identify and determine any one or more of the following client-side attributes: 1) the operating system and/or a version of the operating system, 2) a service pack of the operating system, 3) a running service, 4) a running process, and 5) a file. The system 120 may also identify and determine any one or more of the following client-side attributes: 1) antivirus software, 2) personal firewall software, 3) anti-spam software, and 4) Internet security software. The policy engine 250 may have one or more policies based on any one or more of the attributes or characteristics of the client. In some embodiments, the policy engine 250 may specify the type of encoding scheme associated with an application, or the type of decoding for an application, according to any client attribute. For example, the policy engine 250 may comprise a policy stating that if the client is running a particular language version of the operating system, then the encoding scheme associated with that language is used to decode encoded requests from applications running on that client.
(56) In some embodiments, the rule/policy engine 240 comprises one or more application firewall or security control policies for providing protection against various levels and types of web- or Internet-based vulnerabilities, such as one or more of the following: 1) buffer overflow, 2) CGI-BIN parameter manipulation, 3) form/hidden field manipulation, 4) forceful browsing, 5) cookie or session poisoning, 6) broken access control list (ACL) or weak passwords, 7) cross-site scripting (XSS), 8) command injection, 9) SQL injection, 10) error triggering sensitive information leak, 11) insecure use of cryptography, 12) server misconfiguration, 13) back doors and debug options, 14) website defacement, 15) platform or operating system vulnerabilities, and 16) zero-day exploits. In one embodiment, the system 120 provides HTML form field protection by inspecting or analyzing the network communication for one or more of the following: 1) the fields of the request are returned, 2) no added fields are allowed, 3) read-only and hidden field enforcement, 4) drop-down list and radio button field conformance, and 5) form-field length enforcement. In some embodiments, the system 120 ensures that cookies are not modified. In other embodiments, the system 120 protects against forceful browsing by enforcing legal URLs.
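An added example (not the patent's own code) of the five HTML form-field checks just listed, run over an already-decoded submission against the specification of the form the gateway served; the form name, its fields and all values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class FieldSpec:
    """One field of the form as the gateway served it (constructed)."""
    name: str
    kind: str                           # "text", "hidden", "readonly", "select" or "radio"
    required: bool = True
    max_length: Optional[int] = None    # enforced for any kind when set
    fixed_value: Optional[str] = None   # value served for hidden/readonly fields
    choices: Tuple[str, ...] = ()       # options served for select/radio fields


# Constructed specification of a served checkout form
CHECKOUT_FORM: List[FieldSpec] = [
    FieldSpec("order_id", "hidden", fixed_value="A-1001"),
    FieldSpec("total", "readonly", fixed_value="19.99"),
    FieldSpec("shipping", "select", choices=("standard", "express")),
    FieldSpec("gift_wrap", "radio", choices=("yes", "no")),
    FieldSpec("note", "text", required=False, max_length=200),
]

Violation = Tuple[str, str, str]   # (field name, rule violated, detail)


def check_form_submission(spec: Sequence[FieldSpec],
                          submitted: Dict[str, str]) -> List[Violation]:
    """Compare a decoded form submission with the served form specification.

    Returns one tuple per violated rule; an empty list means the submission
    is consistent with the form the gateway served."""
    violations: List[Violation] = []
    known = {f.name for f in spec}

    # 2) no added fields: every submitted name must exist in the served form
    for name in submitted:
        if name not in known:
            violations.append((name, "added-field", "not in served form"))

    for f in spec:
        if f.name not in submitted:
            # 1) the fields of the served form must be returned
            if f.required:
                violations.append((f.name, "missing-field", "required field not returned"))
            continue
        value = submitted[f.name]
        # 3) read-only and hidden fields must come back exactly as served
        if f.kind in ("hidden", "readonly") and value != f.fixed_value:
            violations.append((f.name, "fixed-field-changed",
                               "got %r, served %r" % (value, f.fixed_value)))
        # 4) drop-down and radio values must be one of the served options
        if f.kind in ("select", "radio") and value not in f.choices:
            violations.append((f.name, "choice-not-served",
                               "got %r, served %r" % (value, f.choices)))
        # 5) field length enforcement
        if f.max_length is not None and len(value) > f.max_length:
            violations.append((f.name, "length-exceeded",
                               "%d > %d" % (len(value), f.max_length)))
    return violations


if __name__ == "__main__":
    # A submission that matches the served form produces no violations
    sample = {"order_id": "A-1001", "total": "19.99",
              "shipping": "express", "gift_wrap": "no"}
    print(check_form_submission(CHECKOUT_FORM, sample))
```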
(57) In still other embodiments, the system 120 protects any confidential information contained in a network communication. The system 120 may inspect or analyze any network communication according to the rules or policies of the engine 250 to identify any confidential information in any field of a network packet. In some embodiments, the system 120 identifies one or more occurrences of a credit card number, password, social security number, name, patient code, contact information or age in a network communication. The encoded portion of a network communication may contain these occurrences or confidential information. In one embodiment, based on these occurrences, the system 120 may take a policy action on the network communication, such as preventing its transmission. In another embodiment, the system 120 may rewrite, remove or mask such identified occurrences or confidential information.
(58) Using the per-application encoding identification and decoding functions of the system 120, the analyzer 240 and the policy engine 250 may apply application firewall and security controls to the encoded network communications of a plurality of applications, where each application uses one or more different encoding types simultaneously or sequentially. As such, the rules and policies configured in the rule/policy engine 250 may be applied at the granularity of the type, name or instance of an application and of the encoding scheme associated with that application, as determined by the operation of the system described herein. In addition, the system 120 enables analysis of encoded portions of network communications that could not be decoded, inspected or analyzed without knowledge of the encoding scheme. In this way, the system 120 can apply policies (for example application firewall and security policies) to the encoded portions of network communications (for example a request with URL-encoded content) on a per-application and/or per-encoding-scheme basis.
(59) Although the parser 230, the application identifier 235 and the analyzer 240 are shown in Fig. 2 as included in the character set engine 225, any one of, or any portion of, the parser 230, the application identifier 235 or the analyzer 240 may reside, operate or execute in any portion of the device 100 or of the application character set encoding/decoding system 120. Furthermore, although shown as a single logical entity or component, the application character set encoding/checking system 120 may also operate in a distributed manner, with a first portion operating on a first device 100a (for example a client) and a second portion operating on a second device 100b (for example a server or gateway). In another embodiment, a plurality of application character set encoding/checking systems (for example 120, 120', etc.) may cooperate with each other or operate jointly to provide the functions and techniques described herein for one or more applications, gateways, clients or servers.
(60) The application character set encoding/checking system 120 may operate to support any type and form of encoding scheme or character encoding set (character set). In some embodiments, the application character set encoding/checking system 120 operates with any type and form of Unicode scheme, including for example UTF-7, UTF-8, CESU-8, UTF-16/UCS-2, UTF-32/UCS-4, UTF-EBCDIC, SCSU, Punycode and GB 18030. Unicode is a character encoding method or character encoding set that allows characters from the Western European, Eastern European, Cyrillic, Greek, Arabic, Hebrew, Chinese, Japanese, Korean, Thai, Urdu, Hindi and all other major world languages (living or dead) to be encoded in a single character set. In one embodiment, the character set is 16-bit. In other embodiments of an encoding scheme, the character set may be 7, 8, 10, 12, 20, 24, 32 or 64 bits, or any other number of bits. The Unicode standard also includes a standard compression scheme and supports the extensive composition information required by the languages of the world. In one embodiment, the application character set encoding/checking system 120 operates using the ISO 10646 family of standards, which defines several character encoding forms for the Universal Character Set. In some embodiments, the application character set encoding/checking system 120 uses the ASCII encoding scheme. In other embodiments, the application character set encoding/checking system 120 processes non-ASCII encoded requests, or portions thereof. In another embodiment, the application character set encoding/checking system 120 uses the ANSI or WGL4 character sets to perform its operations on a request.
(61) In some embodiments, the application character set encoding/checking system 120 operates with any one or more encoding schemes, character sets, or character sets and encoding schemes that support or are used to represent any type and form of language (for example Japanese, Korean, Russian or Chinese, including any dialects and variations thereof). For example, and not by way of limitation or exclusion, for Russian the system 120 may operate with encoding schemes or character sets of the following types: 1) Cyrillic (CP1251), 2) KOI8r, KOI-8 Alternative, KOI-8 Unified or KOI-8RU, 3) Unicode or UTF-8, 4) DosCyrillicRussian (CP866), 5) ISO-8859-5, and 6) ECMA-Cyrillic (ISO-IR-111).
(62) For example, and not by way of limitation or exclusion, for Japanese the system 120 may operate with the following encoding schemes, character encoding sets or character sets: 1) UTF-8, 2) JIS (Japanese Industrial Standard), 3) shift_jis (also referred to as SJIS, X-SJIS or MS Kanji), 4) EUC/EUC-JP (Extended Unix Code), 5) EBCDIC, 6) ISO2022/ISO2022-JP, 7) ANSI Z39.64, 8) CCCII, 9) DEC Kanji, 10) GTCode, 11) IBM DBCS, 12) JEF (Japanese Extended Features), 13) CCCII, 14) ISO-8850, 15) JIS X 0201 (JIS ROMAN), 16) JIS X 0208 (JIS C 6226), 17) JIS X 0212, JIS X 0213 or JIS X 0221, and 18) Mojikyo. For example, and not by way of limitation or exclusion, for Korean the system 120 may operate with any of the following encoding schemes or character sets: 1) UTF-8, 2) EUC or EUC-KR, 3) KEIS, 4) ANSI Z39.64, 5) ISO-2022 or ISO-2022-KR, 6) CCCII, 7) Unified Hangul Code (CP949), 8) GB12052, 9) IBM DBCS, 10) JOHAB, 11) KS C 5601, 12) KS C 5636 (KS ROMAN), 13) KS C 5657, 14) KS C 5700 and 15) Mojikyo.
(63) For example, and not by way of limitation or exclusion, for Chinese the system 120 may operate with the following encoding schemes or character sets: 1) UTF-8, 2) ANSI Z39.64, 3) Big5, Big5+, Big5 ETen or Big5-HKSCS, 4) CCCII, 5) CNS 11643, 6) GBK (CP936), 7) CP90, 8) EUC/EUC-CN/EUC-TW, 9) GB 12050/12052, 10) GB13000-1, 11) GB13134, 12) GB16959, 13) GB18030, 14) GB1988, 15) GB2312, 16) GB7589, 17) GB7590, 18) GB8045, 19) GB/T 12345, GB/T 13131 or GB/T 13132, 20) HZ, 21) ISO2022/2002-CN/CN-EXT and 22) Mojikyo.
(64) The system 120 may operate with multiple languages and multiple encoding schemes at any time, sequentially or concurrently with respect to one another. In some embodiments, the system 120 may operate using the same encoding scheme for multiple languages, for example the same encoding for Japanese, Korean and Chinese, or using a different encoding scheme for each of the multiple languages, for example a separate encoding scheme for each of Japanese, Korean and Chinese.
(65) Referring now to Fig. 3, an embodiment of a method or technique for using the system 120 to determine the encoding type associated with an application is described. In brief overview of method 300, at step 310 the application character set encoding/checking system 120 receives a request. At step 315, the system 120 determines which of a plurality of applications the request corresponds to. At step 320, the system 120 identifies the encoding scheme associated with the determined application. At step 325, the system 120 uses the identified encoding scheme to decode, inspect and/or analyze the request. Having decoded and analyzed the request, at step 330 the system 120 may apply one or more policies to the request.
(66) In further detail, at step 310, the system 120 may receive or intercept a network communication, such as a request, by any means and/or mechanism. In one embodiment, the receiver 210 receives the request from the client 101. In another embodiment, the receiver 210 intercepts the request from the network protocol stack 210 as it is communicated to the server 106 or transmitted from the server 106. In some embodiments, the system 120 (for example the receiver 210) comprises a network driver, filter or hooking mechanism for intercepting requests in the network protocol stack 210. In some embodiments, a gateway 105 deploying the system 120 receives or intercepts the request. In another embodiment, the client 101 is configured to send requests to a gateway 105 acting as a proxy for the client 101. In other embodiments, a server 106 deploying the system 120 receives or intercepts the request from the client 101. In some embodiments, the system 120 receives a cached form page. In another embodiment, the system 120 uses a cached form page stored in the cache of the system 120 or of the device deploying the system 120, for example the gateway 105.
(67) in some embodiments, system 120 should not ask the priori of employed encoding scheme.In one embodiment, this request self does not identify the employed encoding scheme of coded portion of this request.For example, in one embodiment, this request comprises the submission of the list (such as the HTML list) of the content type that use list-URL-encodes.In another kind of embodiment, this request does not provide mark to come the identification character coding.In other embodiments, this request comprises the sign of coded system.In another embodiment, system 120 is by using heuristic rule or logic conjecture type of coding to understand the encoding scheme of this request.In some embodiments, system 120 can determine encoding scheme according to the behavior of application or client computer.In one embodiment, this system determines encoding scheme according to known encoding scheme between system 120, gateway 105, server 106 and/or the client computer 101.
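The ambiguity described in (67), as an added example that is not part of the patent or of any Citrix product: the same percent-encoded form field, carrying no charset tag, decoded under several candidate character sets. The sample field values and the list of candidate charsets are constructed for this illustration; the Python codec name cp932 stands in for the MS Kanji (Shift_JIS) character set and iso2022_jp for JIS.

```python
from urllib.parse import unquote_to_bytes

# Constructed samples: form-URL-encoded field values with no charset tag.
# Assumption: bytes that one application meant as UTF-8 another application
# would have meant as Shift_JIS (cp932 is Python's MS Kanji codec).
SAMPLE_FIELDS = {
    "utf8_hiragana": "%E3%81%82%E3%81%84",  # "あい" when the sender used UTF-8
    "sjis_hiragana": "%82%A0%82%A2",        # "あい" when the sender used Shift_JIS
    "sjis_kanji": "%95%5C",                 # "表" in Shift_JIS; its trail byte is 0x5C
}

# Constructed list of charsets an inspector might guess for a Japanese site.
CANDIDATE_CHARSETS = ("utf-8", "cp932", "iso2022_jp", "euc_jp")


def decode_field(percent_encoded: str, charset: str):
    """Percent-decode to raw bytes, then decode strictly with one charset.
    Returns None when the bytes are not valid in that charset."""
    raw = unquote_to_bytes(percent_encoded)
    try:
        return raw.decode(charset)
    except (UnicodeDecodeError, LookupError):
        return None


def candidate_decodings(percent_encoded: str, charsets=CANDIDATE_CHARSETS):
    """What an inspector would see under each charset it might guess:
    the same bytes decode to different text, or to nothing at all."""
    return {cs: decode_field(percent_encoded, cs) for cs in charsets}


def bytewise_has_backslash(percent_encoded: str) -> bool:
    """A byte-oriented inspector that never decodes sees the 0x5C trail byte
    of a Shift_JIS character as an ASCII backslash; a decoder using the
    application's real charset sees one kanji and no backslash."""
    return b"\\" in unquote_to_bytes(percent_encoded)


if __name__ == "__main__":
    for name, value in SAMPLE_FIELDS.items():
        print(name, candidate_decodings(value),
              "bytewise backslash:", bytewise_has_backslash(value))
```

The point for an inspecting gateway is in the last sample: without knowing the application's charset, a byte-oriented check reports an escape character that the application will never see, while the UTF-8 sample is simply invalid under the other charsets, so a guessed charset can both raise false alarms and silently discard content it should have inspected.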
(68) At step 315, the system 120 determines which of a plurality of applications the request corresponds to. In one embodiment, the application determination mechanism 235 determines the application from one or more data elements identified and/or parsed from the request, for example by the parser 230. In some embodiments, the application determination mechanism 235 determines the application that generated, or is associated with, the request from a lookup table, held in a database, table, file, object, data structure or other storage medium, that maps IP addresses and/or ports to the corresponding application. In one embodiment, the application determination mechanism 235 determines the application from a data element in the request payload that identifies the name, type or instance of the application.
(69) At step 320, the system 120 (for example the charset engine 225) identifies the encoding scheme or character set of the application determined at step 315. In one embodiment, the charset engine 225 (for example via the application determination mechanism 235 or the analyzer 240) queries or looks up the encoding scheme of the application in a database, table, file, object, data structure or other storage medium that maps applications to one or more encoding schemes. In another embodiment, the charset engine 225 determines the encoding scheme of the application from any portion of the request. In one embodiment, the charset engine 225 identifies the encoding scheme from one or more data elements identified or parsed by the parser 230. In some embodiments, the charset engine 225 identifies the encoding scheme of the application from a cache, memory or storage element that holds the encoding schemes associated with applications. For example, in one embodiment, the charset engine 225 tracks the encoding scheme the application used previously. In still other embodiments, the charset engine 225 identifies the encoding scheme used by the application from a network communication that carries charset-identifying information (for example a response to a client request). For example, in one embodiment, the system 120 identifies and parses such information from a network communication of the server.
(70) In some embodiments, the charset engine 225 (for example via the application determination mechanism 235 or the analyzer 240) obtains the encoding scheme for the application from the rule/policy engine 250. For example, the policy engine 250 may specify the encoding scheme for an application according to any temporal information related to the request (for example date and time). In another example, the policy engine 250 may specify the encoding scheme for an application according to any system information or attribute of the client sending the request. In one embodiment, the system 120 performs end-point detection and scanning of the client and determines one or more attributes or characteristics of the client. The policy engine 250 may apply one or more policies to the request, or to the decoding of the encoded portion of the request, according to any attribute of the client. For example, the policy engine 250 may specify that the application uses a first type of encoding scheme if the client is running a certain type of operating system.
(71) At step 325, the system 120 decodes the encoded portion of the request using the identified encoding scheme. In one embodiment, the charset engine 225 (for example via the parser 230, the application determination mechanism 235 and/or the analyzer 240) applies the identified encoding scheme to the encoded portion of the request. In this way, the encoded portion is decoded into data elements, text or strings that the analyzer 240 can inspect or analyze. For example, in one embodiment, the decoded portion of the request may form a SQL command, or another type of command, to be executed on the server 106. In some embodiments, the analyzer 240 inspects or analyzes the request, including the decoded content, to determine whether the request satisfies or violates any rule and/or policy configured via the rule/policy engine 250. As described in connection with Fig. 2, the analyzer 240 may perform any logic, function or operation, for example bidirectional analysis, deep stream inspection, HTML inspection, session state management, HTML form field protection, cookie poisoning protection, forceful browsing protection and web defect protection.
(72) At step 330, the system 120 applies one or more rules or policies to the request according to the analysis of the decoded request. In one embodiment, if the request does not satisfy a policy of the policy engine 250, the system 120 (for example a system 120 deployed in the gateway 105) may reject or drop the request from transmission on the network 104 (or from further transmission on the network 104). In another embodiment, if the request does not satisfy a policy, the system 120 may quarantine the application or the user of the application. In another embodiment, if the request does not satisfy a policy, the system 120 may degrade or restrict the application's network access. In other embodiments, the system 120 may disconnect the client's connection to the network 104, for example by disconnecting the client's SSL VPN connection. In some embodiments, if the request does not satisfy a policy, the system 120 may disconnect or terminate the application session.
(73) Although the technique of method 300 is generally described in the context of a request from one application, method 300 may also be performed for multiple applications, serially and/or in parallel with one another. At step 310 the system 120 may receive or intercept a plurality of requests from different applications, such as another application, each having an encoded portion that uses the same or a different encoding scheme. For example, the system 120 may be deployed on a gateway 105 serving a plurality of clients and applications. For each request of the plurality of requests, the system 120 determines the application associated with the request at step 315, determines the charset encoding used by that application at step 320, decodes the encoded portion of the request and analyzes the decoded request at step 325, and applies the relevant policies to the request at step 330. In this way, in some embodiments, the system 120 performs the technique of method 300 for each application, applying the relevant encoding scheme to each request. In one embodiment, the system 120 may use a first encoding scheme for the application in a first request and a second, different encoding scheme for the same application in a second and subsequent request.
Example
(74) The charset encoding/inspection system 120 may be deployed in a gateway or network appliance of an enterprise network 104 having a plurality of applications that use different character sets or encoding schemes. For example, the gateway 105 may be deployed as an application firewall and security control appliance for an enterprise network with Japanese users. A first application 110a on a first client 101a may use a first character set, UTF-8. A second application 110b on the first client 101a or on a second client 101b may use a second character set, JIS. A third application 110c on the first client 101a, the second client 101b or a third client 101c may use a third character set, MS Kanji.
(75) Each of the first application 110a, the second application 110b and the third application 110c submits one or more requests through the gateway 105 to one or more servers 106a-106n. The applications 110a-110c may comprise web browsers submitting HTTP, HTML and/or XML requests to the web servers 106a-106n. Any one or more of these requests may comprise a form-URL-encoded submission in which the identification of the character set is not part of the submitted data. Some of the requests may be generated, in whole or in part, from JavaScript or other scripts in the browser. Furthermore, one or more of the requests may be generated using techniques based on AJAX, or Asynchronous JavaScript and XML. As such, for any one or more of such requests, the gateway 105 may not have a priori knowledge of the character set used to encode a portion of the request.
(76) In view of the structure, functions and operations of the system 120 described above, the gateway 105 may apply application firewall and security control policies to the encoded portions of the requests. For each request received, the gateway 105 determines the application associated with it and the encoding scheme associated with that application. In this example, the gateway 105 determines that a first request is received from the first application 110a, and identifies the UTF-8 encoding scheme associated with the first application 110a. The gateway 105 decodes the first request with the UTF-8 encoding scheme, analyzes the decoded request and applies policies to the request. The gateway 105 determines that a second request is received from the second application 110b, and identifies the JIS encoding scheme associated with the second application 110b. The gateway 105 decodes the second request with the identified JIS encoding scheme, analyzes the decoded request and applies policies to the request. Likewise, the gateway 105 determines that a third request is received from the third application 110c, and identifies the MS Kanji encoding scheme associated with the third application 110c. The gateway 105 decodes the third request with the identified MS Kanji encoding scheme, analyzes the decoded request and applies policies to the request.
(77) In some cases, the application 110a switches to, or uses, a different encoding scheme, for example when another instance is started in another time period or on another day. For example, the first application 110a may use the JIS character set instead of UTF-8 in a second instance. In these cases, the gateway 105 determines that a subsequent request is received from the first application 110a, and identifies the UTF-8 encoding scheme associated with the first application 110a. For example, the policy engine 250 may identify that the first application 110a uses the UTF-8 encoding scheme during a specified time period. The gateway 105 then decodes the subsequent request with the identified UTF-8 encoding scheme, analyzes the decoded request and applies policies to the request.
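Method 300 (steps 310 to 330) and the three-application scenario of (74) to (77), as one added example that is not the patent's or Citrix's code: a small gateway-side inspector in Python that maps each request to an application by (client address, destination port), selects that application's character set with a time-window override standing in for the policy engine 250, decodes the form body strictly with it, and runs inspection rules over the decoded values before deciding whether to pass or drop the request. The endpoint table, charset table, override window, inspection rules and sample bodies are all constructed; the Python codec names iso2022_jp and cp932 are used for the JIS and MS Kanji character sets.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed registry (step 315): (client address, destination port) -> application.
APP_BY_ENDPOINT = {
    ("10.0.0.11", 443): "app-110a",
    ("10.0.0.12", 443): "app-110b",
    ("10.0.0.13", 8443): "app-110c",
}

# Constructed charset table (step 320): "JIS" -> iso2022_jp, "MS Kanji" -> cp932.
CHARSET_BY_APP = {
    "app-110a": "utf-8",
    "app-110b": "iso2022_jp",
    "app-110c": "cp932",
}

# Constructed time-window override standing in for policy engine 250:
# (application, first hour, last hour, charset used in that window).
CHARSET_OVERRIDES = [("app-110a", 22, 23, "iso2022_jp")]

# Constructed inspection rules applied to decoded field values (step 325).
FIELD_RULES = [
    ("html-tag", re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)),
    ("escape-char", re.compile(r"[\\'\"]")),
]
MAX_FIELD_LEN = 256


@dataclass
class Request:
    client_ip: str
    dst_port: int
    body: bytes  # application/x-www-form-urlencoded, no charset parameter


@dataclass
class Decision:
    action: str  # "allow" or "drop"
    application: Optional[str] = None
    charset: Optional[str] = None
    fields: dict = field(default_factory=dict)
    violations: list = field(default_factory=list)


def identify_application(req: Request) -> Optional[str]:
    """Step 315: map the request to an application via the endpoint table."""
    return APP_BY_ENDPOINT.get((req.client_ip, req.dst_port))


def select_charset(app: str, now: datetime) -> Optional[str]:
    """Step 320: a time-window override wins, else the application's default."""
    for name, first_hour, last_hour, charset in CHARSET_OVERRIDES:
        if name == app and first_hour <= now.hour <= last_hour:
            return charset
    return CHARSET_BY_APP.get(app)


def decode_form(body: bytes, charset: str) -> Optional[dict]:
    """Step 325 (decode): percent-decode each key and value to bytes, then
    decode the bytes strictly with the application's charset. Returns None
    when the body is not valid in that charset, so the caller refuses what
    it cannot inspect instead of inspecting a guess."""
    fields = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        key, _, value = pair.partition(b"=")
        try:
            k = unquote_to_bytes(key.replace(b"+", b" ")).decode(charset)
            v = unquote_to_bytes(value.replace(b"+", b" ")).decode(charset)
        except UnicodeDecodeError:
            return None
        fields[k] = v
    return fields


def inspect_fields(fields: dict) -> list:
    """Step 325 (analyze): run the rules over decoded text, not raw bytes."""
    violations = []
    for key, value in fields.items():
        if len(value) > MAX_FIELD_LEN:
            violations.append(f"{key}: too-long")
        for rule_name, pattern in FIELD_RULES:
            if pattern.search(value):
                violations.append(f"{key}: {rule_name}")
    return violations


def process_request(req: Request, now: datetime) -> Decision:
    """Steps 310 to 330 for one request: identify, select charset, decode,
    inspect, then apply the policy (drop on any violation)."""
    app = identify_application(req)
    if app is None:
        return Decision("drop", violations=["unknown-application"])
    charset = select_charset(app, now)
    if charset is None:
        return Decision("drop", app, violations=["no-charset-for-application"])
    fields = decode_form(req.body, charset)
    if fields is None:
        return Decision("drop", app, charset, violations=["undecodable-body"])
    violations = inspect_fields(fields)
    return Decision("drop" if violations else "allow", app, charset, fields, violations)


# Constructed sample traffic from the three applications in the text.
SAMPLES = [
    Request("10.0.0.11", 443, b"user=alice&comment=%3Cscript%3Ehi"),  # UTF-8
    Request("10.0.0.12", 443, b"msg=%1B%24B%24%22%24%24%1B%28B"),      # JIS
    Request("10.0.0.13", 8443, b"name=%95%5C&x=1"),                     # MS Kanji
    Request("10.0.0.99", 80, b"a=1"),                                   # unmapped
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(process_request(req, datetime(2024, 1, 1, 10, 0)))
```

Two design choices matter here. First, a body that does not decode under the application's charset is dropped rather than inspected under a fallback, because text the gateway cannot decode is text it cannot inspect. Second, the rules run on decoded strings, so the MS Kanji sample (whose second byte is 0x5C) decodes to a single kanji and passes, whereas a byte-oriented rule would have flagged a backslash the application never sees.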
(78) With the gateway 105 described herein, the gateway can decode, analyze and apply policies to requests from a plurality of applications that use different encoding schemes. By providing a decoding mechanism on a per-application and per-request basis, the gateway 105 offers great flexibility in applying policies in an environment that deploys applications with a plurality of different charset encodings, such as may be found in a network environment of applications used by Japanese, Korean, Russian or Chinese users. The gateway 105 can apply application firewall and security control appliances to network communications of different encodings, protecting the network environment from the defects and security concerns that may be found in encoded content.
(79) Those skilled in the art may make many variations and modifications without departing from the spirit and scope of the invention. Therefore, it must be clearly understood that the illustrated embodiments are shown for demonstration purposes only and should not be taken to limit the invention, which is defined by the following claims. The claims are to be read as covering not only what they literally set forth but also equivalent elements that are not substantively different, even though they are not identical in other respects to what is shown and described above.

Claims (22)

1. A method for determining a character encoding for decoding a request, the method comprising the steps of:
(a) receiving a request;
(b) determining which of a plurality of applications the request corresponds to;
(c) identifying the character encoding associated with the determined application;
(d) inspecting the request using the identified character encoding.
2. The method of claim 1, wherein step (b) comprises determining from an attribute of the request which of the plurality of applications it corresponds to.
3. The method of claim 2, wherein the attribute comprises one of the following: a source identifier; a destination identifier; a port identifier; a protocol identifier; header information; or a uniform resource locator (URL) address.
4. The method of claim 1, wherein step (b) comprises determining which of the plurality of applications the request corresponds to using a cookie included in the received request.
5. The method of claim 1, wherein step (c) comprises identifying the character encoding associated with the determined application using a file comprising associations between character encodings and applications.
6. The method of claim 1, wherein step (c) comprises identifying the character encoding associated with the determined application using a database comprising associations between character encodings and applications.
7. The method of claim 1, further comprising the steps of:
(e) receiving a second request;
(f) determining which of the plurality of applications the second request corresponds to;
(g) identifying a second character encoding associated with the determined second application.
8. The method of claim 1, wherein step (a) comprises receiving a request generated by a client.
9. The method of claim 8, wherein step (b) comprises determining which of the plurality of applications the request corresponds to using an attribute of the client.
10. The method of claim 1, wherein step (a) comprises receiving the request from a cached form page.
11. A gateway capable of determining a character encoding for decoding a request, the gateway comprising:
a receiver in communication with a client via a network, which receives a request from the client;
a charset engine in communication with the receiver, which identifies, for the application to which the received request is directed, the character encoding associated with the request, and inspects the request with the identified character encoding.
12. The gateway of claim 11, wherein the receiver is in communication with a plurality of clients.
13. The gateway of claim 11, wherein the application to which the request is directed is determined using one of the following fields included in the request: a source identifier; a destination identifier; a port identifier; a protocol identifier; header information; or a uniform resource locator (URL) address.
14. The gateway of claim 11, wherein the charset engine comprises a database of associations between character encodings and applications.
15. The gateway of claim 11, wherein the charset engine comprises a file of associations between character encodings and applications.
16. A method for inspecting, by a gateway, a request comprising an encoded portion received from a client, the method comprising the steps of:
(a) receiving, by the gateway, a request from an application on the client;
(b) determining, by the gateway, which of a plurality of applications the request corresponds to;
(c) identifying, by the gateway, the character encoding associated with the determined application;
(d) decoding, by the gateway, a portion of the request with the identified character encoding;
(e) inspecting, by the gateway, the decoded portion of the request.
17. The method of claim 16, comprising determining, by the gateway, which of the plurality of applications the request corresponds to using an attribute of the request.
18. The method of claim 16, comprising determining, by the gateway, which of the plurality of applications the request corresponds to using an attribute of the client.
19. The method of claim 16, comprising applying, by the gateway, a policy to the request according to the inspection of the decoded portion of the request.
20. The method of claim 16, comprising:
(f) receiving, by the gateway, a second request from a second application on one of the client or a second client;
(g) determining, by the gateway, which of the plurality of applications the second request corresponds to;
(h) identifying, by the gateway, a second character encoding associated with the determined application;
(i) decoding, by the gateway, a portion of the second request with the identified second character encoding.
21. The method of claim 20, comprising inspecting, by the gateway, the decoded portion of the second request.
22. The method of claim 21, comprising applying, by the gateway, a policy to the second request according to the inspection of the decoded portion of the second request.
CN2006800548039A 2006-05-31 2006-05-31 System and method determining character set codes for decoding request submission in the gateway Active CN101449553B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2006/021067 WO2007139552A1 (en) 2006-05-31 2006-05-31 Systems and methods for determining the charset encoding for decoding a request submission in a gateway

Publications (2)

Publication Number Publication Date
CN101449553A CN101449553A (en) 2009-06-03
CN101449553B true CN101449553B (en) 2013-04-17

Family

ID=37708569

Also Published As

Publication number Publication date
HK1133964A1 (en) 2010-04-09
KR20090031350A (en) 2009-03-25
JP2009539176A (en) 2009-11-12
KR101265920B1 (en) 2013-05-20
JP4862079B2 (en) 2012-01-25
CN101449553A (en) 2009-06-03
WO2007139552A1 (en) 2007-12-06
