CN101895552A - Security gateway and method thereof for detecting proxy surfing - Google Patents

Security gateway and method thereof for detecting proxy surfing

Info

Publication number: CN101895552A
Authority: CN (China)
Prior art keywords: detection, time, behalf, packet, security gateway
Legal status: Granted
Application number: CN2010102336983A
Other languages: Chinese (zh)
Other versions: CN101895552B (en)
Inventor: 刘峰
Current Assignee: Beijing Topsec Technology Co Ltd
Original Assignee: Beijing Topsec Technology Co Ltd
Application filed by Beijing Topsec Technology Co Ltd
Priority to CN201010233698.3A
Publication of CN101895552A
Application granted
Publication of CN101895552B
Legal status: Active


Abstract

The invention discloses a security gateway and a method thereof for detecting proxy surfing. The method comprises the following steps: the security gateway receives a packet and obtains, from a pre-configured policy table, the proxy detection entry corresponding to the packet's source IP address; the security gateway checks whether the ID number of the current packet is greater than the ID number of the last packet received, and if so updates the last-received ID number in the proxy detection entry to the ID number of the current packet; otherwise it determines that the ID number has wrapped around and checks whether the difference between this wraparound time and the last wraparound time recorded in the entry is greater than or equal to a preset tolerance time; if so, it determines that no proxy surfing is occurring; otherwise it determines that proxy surfing is occurring. With a simple detection algorithm, the method can effectively identify the IP addresses in a network that are proxy surfing and provide support for preventing proxy surfing.

Description

Security gateway and method thereof for detecting proxy surfing
Technical field
The present invention relates to the field of network security, and in particular to a security gateway and a method thereof for detecting proxy surfing.
Background technology
Today the network has become an indispensable tool for study, work and office use, and broadband networks in particular are spreading rapidly. Yet in the actual business of operators a problem has appeared: some "technical experts" exploit features of TCP/IP by installing a proxy server or network address translation software on their own computer, so that several households can go online through a single monthly subscription account, run a company office, or even set up an Internet cafe privately. This situation is very common in campus networks, and it has begun to appear and spread rapidly in residential districts. The result is that the large infrastructure investment made by the operator is hard to recover normally.
Summary of the invention
The invention provides a security gateway and a method for detecting proxy surfing, in order to solve the problem in the prior art that proxy surfing cannot be detected.
Specifically, the invention provides a method by which a security gateway detects proxy surfing, comprising:
Step 1: the security gateway receives a packet and obtains, from a pre-configured policy table, the proxy detection entry corresponding to the packet's source IP address; the proxy detection entry comprises: the IP address under detection, the ID number of the last packet received from that IP address, and the time at which the ID number last wrapped around;
Step 2: the security gateway checks whether the ID number of the current packet is greater than the last-received ID number in the proxy detection entry; if so, go to step 3; otherwise, go to step 4;
Step 3: the security gateway updates the last-received ID number in the proxy detection entry to the ID number of the current packet, and returns to step 1;
Step 4: the security gateway determines that the ID number has wrapped around, and checks whether the difference between this wraparound time and the last wraparound time recorded in the proxy detection entry is greater than or equal to a preset tolerance time; if so, it determines that no proxy surfing is occurring; otherwise, it determines that proxy surfing is occurring.
In the method of the invention, when the pre-configured policy table contains no proxy detection entry corresponding to the IP address of the current packet, the method further comprises:
the security gateway adds a proxy detection entry corresponding to the IP address of the current packet to the policy table, and initialises the parameters of that entry;
the initialisation is specifically: set the IP address under detection to the IP address of the current packet, set the last-received ID number for that IP address to zero, and set the time of the last ID wraparound to zero.
In the method of the invention, after the security gateway detects proxy surfing, the method further comprises: the security gateway deletes from the policy table the proxy detection entry corresponding to the source IP address of the current packet.
Further, after the security gateway detects proxy surfing, the method further comprises:
the security gateway reports the proxy surfing event and adds the source IP address of the current packet to a pre-configured blacklist, or turns on a pre-configured alarm switch.
In the method of the invention, after the security gateway determines that no proxy surfing has occurred, the method further comprises:
the security gateway updates the last-received ID number in the proxy detection entry to the ID number of the current packet, and updates the time of the last ID wraparound in the proxy detection entry to this wraparound time.
Further, after the security gateway updates the time of the last ID wraparound in the proxy detection entry, the method further comprises: arranging the proxy detection entries in the policy table in ascending order of wraparound time.
In the method of the invention, when a preset timer expires, the security gateway also traverses the proxy detection entries in the policy table and, based on the wraparound time in each entry, checks whether the corresponding ID number has gone without a wraparound for the agreed time; if so, the corresponding proxy detection entry is deleted; otherwise, no action is taken.
The preset timer period is greater than or equal to the tolerance time.
The invention also provides a security gateway, comprising:
A data reception module, for receiving a packet and obtaining, from a pre-configured policy table, the proxy detection entry corresponding to the packet's source IP address; the proxy detection entry comprises: the IP address under detection, the ID number of the last packet received from that IP address, and the time at which the ID number last wrapped around;
An ID comparison module, for checking whether the ID number of the current packet is greater than the last-received ID number in the proxy detection entry; if so, it triggers the proxy detection entry update module; otherwise, it triggers the proxy surfing detection module;
A proxy detection entry update module, for updating the last-received ID number in the proxy detection entry to the ID number of the current packet;
A proxy surfing detection module, for checking whether the difference between this wraparound time and the last wraparound time recorded in the proxy detection entry is greater than or equal to the preset tolerance time; if so, it determines that no proxy surfing is occurring; otherwise, it determines that proxy surfing is occurring.
The data reception module is further used, when the pre-configured policy table contains no proxy detection entry corresponding to the IP address of the current packet, to add a proxy detection entry corresponding to that IP address to the policy table and to initialise the parameters of that entry.
Further, the security gateway of the invention also comprises:
A proxy detection entry recycling module, for traversing, when a preset timer expires, the proxy detection entries in the policy table and checking, based on the wraparound time in each entry, whether the corresponding ID number has gone without a wraparound for the agreed time; if so, the corresponding proxy detection entry is deleted; otherwise, no action is taken.
The preset timer period is greater than or equal to the tolerance time.
Compared with the prior art, the beneficial effects of the invention are as follows:
The proxy surfing detection method provided by the invention can, with a simple detection algorithm, effectively identify the IP addresses in a network that are proxy surfing, and so provides support for anti-proxy-surfing measures.
Description of drawings
To explain the embodiments of the invention or the prior-art solutions more clearly, the drawings needed for the description of the embodiments or of the prior art are introduced briefly below. Obviously, the drawings described below are only some embodiments of the invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is the detection network topology diagram in an embodiment of the invention;
Fig. 2 is a flow chart of the method by which a security gateway provided by the invention detects proxy surfing;
Fig. 3 is a flow chart of the method by which a security gateway provided by an embodiment of the invention detects proxy surfing;
Fig. 4 is a structure diagram of a security gateway provided by the invention.
Embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the embodiments described are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
To solve the problems of the prior art, the invention provides a security gateway and a method thereof for detecting proxy surfing. The core function of the proxy surfing detection method is to detect illegal proxy surfing users and then to handle the users found: the system can be set to raise an alarm, or to add the offending user's IP to the system blacklist so that the IP address is disabled for a period of time, which can be set by the user.
The detection principle of the method is based on the fact that the ID field of the IP packets sent by a Windows host changes in the pattern 0 -> 65535 -> 0. The mechanism for detecting a proxy user is therefore based on the time interval between two successive wraparounds of the ID number in the packets from a user IP: if the interval is greater than the tolerance time (tolerate-time) configured on the system, no proxy surfing is assumed; otherwise the host is assumed to be proxy surfing and is handled according to the system settings. An illustration follows:
As shown in Fig. 1, suppose the ping packet streams of Client1 and Client2 pass through the firewall at the same time, both forwarded by Router, which is acting as a proxy. The two ping streams produce two ID sequences that increase alternately. Suppose the merged ID sequence is 1 2 1 3 2 4 3 5 4 6 5: these are two streams, one running from 1 to 6 and the other from 1 to 5. By default ping sends one packet per second, so within one stream consecutive IDs are 1 second apart; once the two streams are merged, any three consecutive IDs span 1 second. Take the sub-sequence 2 1 3 2: when packet 1 arrives, because 1 is smaller than the preceding 2, the anti-proxy logic regards this as a wraparound and records the current time as the wraparound time; when 3 arrives, no wraparound is assumed; when 2 arrives, another wraparound is assumed, and the difference between this wraparound time and the previous one is compared with tolerate-time; if it is smaller, proxy surfing is assumed.
The value of the tolerance time tolerate-time is closely tied to the user's network bandwidth and packet size. To explain clearly how tolerate-time is obtained, a concrete example follows:
Take the bandwidth of a typical home user, 4 Mbit/s, as an example, with a transmitted packet size of 256 bytes. The packet rate is then 4*1024*1024/(256*8) = 2048 pps (packets per second); the ID sequence length is 65536, so one wraparound takes 65536/2048 = 32 s.
The table below gives the time needed for one wraparound under different bandwidths and packet rates, as shown in Table 1:
Table 1

Bandwidth (Mbit)   Packet size (Byte)   Packet rate (pps)   ID sequence length   Wraparound time (s)
4M                 64                   8192                65536                8
4M                 128                  4096                65536                16
4M                 256                  2048                65536                32
4M                 512                  1024                65536                64
4M                 1024                 512                 65536                128
4M                 1500                 349.5               65536                187.6
2M                 64                   4096                65536                16
2M                 128                  2048                65536                32
2M                 256                  1024                65536                64
2M                 512                  512                 65536                128
2M                 1024                 256                 65536                256
2M                 1500                 174.8               65536                374.9
1M                 64                   2048                65536                32
1M                 128                  1024                65536                64
1M                 256                  512                 65536                128
1M                 512                  256                 65536                256
1M                 1024                 128                 65536                512
1M                 1500                 87.4                65536                749.8
Note that Table 1 gives theoretical values of the anti-proxy-surfing tolerance time. Taking a household 4M connection as an example, the minimum tolerance time is 8 s; in practice the interval between two wraparounds can only be larger than this value, so setting a value slightly larger than it further improves detection accuracy considerably; for example, the default when set by the user is 10 s. The system can thus set the tolerance time flexibly according to the theoretical values above.
With reference to Fig. 2, the specific implementation of the method by which the security gateway provided by the invention detects proxy surfing comprises the following steps:
Step S201: the security gateway receives a packet and obtains, from a pre-configured policy table, the proxy detection entry corresponding to the packet's source IP address; the proxy detection entry comprises: the IP address under detection, the ID number of the last packet received from that IP address, and the time at which the ID number last wrapped around;
Step S202: the security gateway checks whether the ID number of the current packet is greater than the last-received ID number in the proxy detection entry; if so, go to step S203; otherwise, go to step S204;
Step S203: the security gateway updates the last-received ID number in the proxy detection entry to the ID number of the current packet, and returns to step S201;
Step S204: the security gateway determines that the ID number has wrapped around, and checks whether the difference between this wraparound time and the last wraparound time recorded in the proxy detection entry is greater than the preset tolerance time; if so, it determines that no proxy surfing is occurring; otherwise, it determines that proxy surfing is occurring.
To state the method provided by the invention more clearly, its implementation is described in detail below through a specific embodiment.
When detecting proxy surfing, the security gateway first has a detection policy pre-configured, specifically:
(1) Add the source address to be detected; for example, source address 192.168.8.24, that is:
    TopsecOS# firewall policy add src 192.168.8.24 action accept anti-proxy on
(2) Configure the tolerance time for anti-proxy surfing; for example:
    TopsecOS# network anti-proxy tolerate-time 2
Further, to make it easier for the user to handle proxy surfing, the security gateway can also provide a blacklist, in which case the following parameters are also configured along with the detection policy:
(3) The proxy surfing blacklist switch:
    TopsecOS# network anti-proxy blacklist-handle on
(4) The blacklist listing:
    TopsecOS# firewall dynamic-policy show
    Src/sport (source address/source port)   Dst/dport (destination address/destination port)   Expires (block time)   Comment (reason)   Hit-sessions (hit count)
    192.168.8.24/0                           0.0.0.0/0                                          3600                   anti-proxy         123
Based on the policy configuration above, the security gateway's internal data structures are modified as follows:
The security gateway needs to record the anti-proxy-surfing parameter configuration in memory, principally the global variable holding the minimum sustainable wraparound interval for anti-proxy detection. To support handling of proxy surfing users, it preferably also configures: the switch that enables blacklist handling, the switch that enables alarms, and the period during which a proxy surfing IP is blocked and no traffic from it is allowed. Specifically:
    int blacklist_switch;    // enable blacklist handling
    int alarm_switch;        // enable alarms
    int tolerate_time;       // minimum sustainable wraparound interval for anti-proxy detection
    int blacklist_timeout;   // period for which a proxy surfing IP is blocked; no traffic from that IP is allowed during it
Further, the security gateway defines a proxy detection entry for each IP under detection (represented below as the anti-proxy detection structure):
    struct antiproxy_record
    {
        struct list_head list;
        __u32 ip_addr;                 // IP address of this entry, i.e. the address being checked for proxy surfing; initial value 0
        int last_id;                   // ID number last seen; comparing it with the current ID shows whether a wraparound occurred: if the current ID is larger there is no wraparound, otherwise there is; initial value 0
        unsigned long last_loop_time;  // time at which the last wraparound occurred; initial value 0
    };
Then a global variable antiproxy_hash_table (the policy table mentioned above) is defined, which hashes and links the struct antiproxy_record of every IP under proxy surfing detection.
The implementation of the method of the invention is set out below on the basis of the configuration policy above.
As shown in Fig. 3, the anti-proxy-surfing detection flow of the security gateway provided by the embodiment of the invention comprises the following steps:
Step S301: the security gateway receives a packet and looks up, by the packet's source IP address, the antiproxy_record structure matching that IP address in the antiproxy_hash_table; if none is found, go to step S302; otherwise, go to step S303.
Step S302: the security gateway allocates a new antiproxy_record structure, adds it to the antiproxy_hash_table, and initialises its parameters.
The initialisation is:
    record->ip_addr = IP;
    record->last_id = <ID value of the packet's IP header>;
    record->last_loop_time = 0;
Step S303: check whether record->last_id is less than the ID value in the packet's IP header; if so, no wraparound has occurred, go to step S304; otherwise, a wraparound has occurred, go to step S305.
Step S304: record the new ID value (record->last_id = ID) and return to step S301.
Step S305: check whether the difference between this wraparound time and the last wraparound time is greater than or equal to the value of the global variable tolerate_time; if so, determine that no proxy surfing has occurred and go to step S306; otherwise, determine that proxy surfing has occurred and go to step S307.
Step S306: update the antiproxy_record structure corresponding to the packet's IP address and return to step S301.
The update of the antiproxy_record structure is:
    record->last_id = <ID value of the packet's IP header>;
    record->last_loop_time = <this wraparound time>;
Step S307: delete the corresponding antiproxy_record structure from the antiproxy_hash_table and release the memory it occupies.
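The S301 to S307 flow as an added worked example in C (not the patent's own code): a fixed-size array stands in for antiproxy_hash_table and the kernel list, the caller supplies packet arrival times in seconds, and tolerate_time = 5 s is a constructed value.

```c
/* Added example (not the patent's own code): the S301-S307 wraparound check.
 * Assumptions: a fixed-size array replaces antiproxy_hash_table and list_head;
 * the caller supplies the arrival time of each packet in seconds;
 * tolerate_time = 5 s is a constructed value (the page's CLI example uses 2). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RECORDS 64

struct antiproxy_record {
    uint32_t ip_addr;             /* IP under detection; 0 marks a free slot */
    int last_id;                  /* IP ID of the last packet seen from ip_addr */
    unsigned long last_loop_time; /* time of the last ID wraparound; 0 = none yet */
};

enum verdict { NO_PROXY = 0, PROXY_DETECTED = 1 };

static struct antiproxy_record antiproxy_table[MAX_RECORDS];
static unsigned long tolerate_time = 5;   /* constructed value, in seconds */

/* S301: look up the record for ip; NULL if that source is not tracked. */
struct antiproxy_record *antiproxy_find(uint32_t ip)
{
    for (int i = 0; i < MAX_RECORDS; i++)
        if (antiproxy_table[i].ip_addr == ip)
            return &antiproxy_table[i];
    return NULL;
}

/* S302: allocate and initialise a record, seeded with the first ID seen. */
static struct antiproxy_record *antiproxy_add(uint32_t ip, int id)
{
    for (int i = 0; i < MAX_RECORDS; i++) {
        if (antiproxy_table[i].ip_addr == 0) {
            antiproxy_table[i].ip_addr = ip;
            antiproxy_table[i].last_id = id;
            antiproxy_table[i].last_loop_time = 0;
            return &antiproxy_table[i];
        }
    }
    return NULL;                           /* table full: source stays untracked */
}

/* S303-S307: process one packet (source ip, IP-header ID, arrival time in s). */
enum verdict antiproxy_check(uint32_t ip, int id, unsigned long now)
{
    struct antiproxy_record *rec = antiproxy_find(ip);
    if (!rec) {
        antiproxy_add(ip, id);             /* first packet from this source */
        return NO_PROXY;
    }
    if (rec->last_id < id) {               /* S303/S304: ID still climbing */
        rec->last_id = id;
        return NO_PROXY;
    }
    /* ID did not increase: a wraparound (or an interleaved second sender).
     * last_loop_time == 0 is the initial value, read here as "no wrap yet". */
    if (rec->last_loop_time == 0 || now - rec->last_loop_time >= tolerate_time) {
        rec->last_id = id;                 /* S305/S306: plausible wrap, record it */
        rec->last_loop_time = now;
        return NO_PROXY;
    }
    memset(rec, 0, sizeof *rec);           /* S307: two wraps too close; drop record */
    return PROXY_DETECTED;
}

int main(void)
{
    /* Constructed input: the merged ping ID stream 1 2 1 3 2 4 3 5 4 6 5 of
     * Fig. 1, one packet per second, all seen from source 192.168.8.24. */
    const int ids[] = {1, 2, 1, 3, 2, 4, 3, 5, 4, 6, 5};
    const unsigned long count = (unsigned long)(sizeof ids / sizeof ids[0]);
    uint32_t ip = 0xC0A80818u;
    for (unsigned long t = 0; t < count; t++) {
        enum verdict v = antiproxy_check(ip, ids[t], 1000 + t);
        printf("t=%lu id=%d -> %s\n", 1000 + t, ids[t],
               v == PROXY_DETECTED ? "proxy surfing detected" : "ok");
    }
    return 0;
}
```

With the 1 s ping spacing the second wrap follows the first after 2 s, below the 5 s tolerance, so the merged stream is flagged at the third wrap-like dip in the sequence, while a single host whose IDs wrap tens of seconds apart is left alone.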
Preferably, when the security gateway detects proxy surfing it reports to the system that proxy surfing has occurred and, according to the pre-configured handling policy, adds the IP to the blacklist or raises an alarm.
Preferably, in the method of the embodiment of the invention, the security gateway also has a recycling mechanism for the antiproxy_record structures in the antiproxy_hash_table, so as to release the memory they occupy. The recycling works as follows:
The security gateway starts a timer; when the set period expires, the security gateway traverses the antiproxy_hash_table starting from its first hash chain and checks whether the wraparound time in each antiproxy_record structure satisfies the preset recovery condition; if so, the corresponding antiproxy_record structure is deleted; otherwise, no action is taken.
The recovery condition can be set flexibly. Its core idea is to check whether the IP address in each antiproxy_record structure has gone without an ID wraparound for a sufficiently long time; if so, the system has reason to conclude that the IP address is not proxy surfing and can reclaim the corresponding antiproxy_record structure. An example of setting the recovery condition:
The timer period is T, with T greater than or equal to tolerate_time;
the recovery condition is then: whether the difference between T and record->last_loop_time is greater than or equal to 2*tolerate_time.
If this condition holds, the entry has not wrapped around for a long time and there is no proxy surfing, so its antiproxy_record structure is deleted; otherwise, no action is taken.
Note that, to reduce the system's workload, when the security gateway updates last_loop_time in an antiproxy_record structure it preferably keeps the antiproxy_record structures sorted by last_loop_time in ascending order, that is, in the order in which the wraparounds occurred. Because, once the security gateway finds one structure that does not satisfy the recovery condition, the structures after it do not satisfy it either, the recycling pass can skip every antiproxy_record structure after the first one that fails the condition, and so reduce the system's workload.
An illustration: the antiproxy_hash_table holds IP address 1, IP address 2, ..., IP address n, whose last_loop_time values in ascending order are 1, 10, 20, 21, ...; the timer period is 25; the tolerance time is 5. When the security gateway runs the recycling check:
For IP address 1: (25 - 1) is greater than 2*5; the recovery condition is judged satisfied, and the antiproxy_record structure of IP address 1 is deleted from the antiproxy_hash_table;
For IP address 2: (20 - 10) is greater than 2*5; the recovery condition is judged satisfied, and the antiproxy_record structure of IP address 2 is deleted from the antiproxy_hash_table;
For IP address 3: (25 - 20) is less than 2*5; the recovery condition is judged not satisfied, and no action is taken;
Because the last_loop_time of IP address 4 through IP address n are all greater than that of IP address 3, none of them can satisfy the recovery condition, so after checking IP address 3 the remaining IP addresses need not be checked.
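The recycling pass with the ascending last_loop_time ordering, as an added example in C (not the patent's own code); a small array replaces antiproxy_hash_table, and the sample values are the page's own: wrap times 1, 10, 20, 21, timer period 25, tolerance 5.

```c
/* Added example (not the patent's own code): timer-driven recycling of
 * wraparound records, kept sorted by last_loop_time so the scan can stop at
 * the first survivor. Assumption: a fixed array replaces antiproxy_hash_table. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 32

struct loop_entry {
    uint32_t ip;
    unsigned long last_loop_time;     /* time of the last ID wraparound */
};

struct loop_table {
    struct loop_entry e[MAX_ENTRIES]; /* ascending last_loop_time */
    size_t n;
};

/* Record a wraparound for ip at time now. Because now is never earlier than
 * any stored time, moving the entry to the tail keeps the ascending order. */
int table_note_wrap(struct loop_table *t, uint32_t ip, unsigned long now)
{
    size_t i = 0;
    while (i < t->n && t->e[i].ip != ip)
        i++;
    if (i == t->n) {                          /* new IP under detection */
        if (t->n == MAX_ENTRIES)
            return -1;
        t->n++;
    } else {                                  /* close the gap left by the old slot */
        memmove(&t->e[i], &t->e[i + 1], (t->n - i - 1) * sizeof t->e[0]);
    }
    t->e[t->n - 1].ip = ip;
    t->e[t->n - 1].last_loop_time = now;
    return 0;
}

/* Timer callback: reclaim every entry whose last wrap lies at least
 * 2*tolerate before the timer reading T, stopping at the first entry that
 * does not qualify. Returns the number of entries reclaimed. */
size_t table_recycle(struct loop_table *t, unsigned long T, unsigned long tolerate)
{
    size_t removed = 0;
    while (removed < t->n) {
        unsigned long llt = t->e[removed].last_loop_time;
        if (llt <= T && T - llt >= 2 * tolerate)
            removed++;
        else
            break;                            /* later entries are newer: stop */
    }
    memmove(t->e, t->e + removed, (t->n - removed) * sizeof t->e[0]);
    t->n -= removed;
    return removed;
}

int main(void)
{
    struct loop_table t = { .n = 0 };
    /* Constructed input: the page's example, wrap times 1, 10, 20, 21. */
    table_note_wrap(&t, 1, 1);
    table_note_wrap(&t, 2, 10);
    table_note_wrap(&t, 3, 20);
    table_note_wrap(&t, 4, 21);
    size_t gone = table_recycle(&t, 25, 5);
    printf("reclaimed %zu entries, %zu remain (first survivor: IP %u)\n",
           gone, t.n, (unsigned)t.e[0].ip);
    return 0;
}
```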
The method provided by the invention can, with a simple detection algorithm, effectively identify the IP addresses in a network that are proxy surfing, and so provides support for anti-proxy-surfing measures.
The invention also provides a security gateway, shown in Fig. 4, comprising:
A data reception module 410, for receiving a packet and obtaining, from a pre-configured policy table, the proxy detection entry corresponding to the packet's source IP address; the proxy detection entry comprises: the IP address under detection, the ID number of the last packet received from that IP address, and the time at which the ID number last wrapped around;
An ID comparison module 420, for checking whether the ID number of the current packet is greater than the last-received ID number in the proxy detection entry; if so, it triggers the proxy detection entry update module 430; otherwise, it triggers the proxy surfing detection module 440;
A proxy detection entry update module 430, for updating the last-received ID number in the proxy detection entry to the ID number of the current packet;
A proxy surfing detection module 440, for checking whether the difference between this wraparound time and the last wraparound time recorded in the proxy detection entry is greater than the preset tolerance time; if so, it determines that no proxy surfing is occurring; otherwise, it determines that proxy surfing is occurring.
The data reception module 410 is further used, when the pre-configured policy table contains no proxy detection entry corresponding to the IP address of the current packet, to add a proxy detection entry corresponding to that IP address to the policy table and to initialise the parameters of that entry.
Further, the security gateway also comprises:
A proxy detection entry recycling module 450, for traversing, when a preset timer expires, the proxy detection entries in the policy table and checking, based on the wraparound time in each entry, whether the corresponding ID number has gone without a wraparound for the agreed time; if so, the corresponding proxy detection entry is deleted; otherwise, no action is taken.
The preset timer period is greater than or equal to the tolerance time.
By implementing the device of the invention, the IP addresses in a network that are proxy surfing can be identified effectively with a simple detection algorithm, providing support for anti-proxy-surfing measures.
Obviously, a person skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these modifications and variations of the invention fall within the scope of the claims of the invention and their technical equivalents, the invention is intended to include them as well.

Claims (12)

1. A method by which a security gateway detects proxy surfing, characterised in that it comprises:
Step 1: the security gateway receives a packet and obtains, from a pre-configured policy table, the proxy detection entry corresponding to the packet's source IP address; the proxy detection entry comprises: the IP address under detection, the ID number of the last packet received from that IP address, and the time at which the ID number last wrapped around;
Step 2: the security gateway checks whether the ID number of the current packet is greater than the last-received ID number in the proxy detection entry; if so, go to step 3; otherwise, go to step 4;
Step 3: the security gateway updates the last-received ID number in the proxy detection entry to the ID number of the current packet, and returns to step 1;
Step 4: the security gateway determines that the ID number has wrapped around, and checks whether the difference between this wraparound time and the last wraparound time recorded in the proxy detection entry is greater than or equal to a preset tolerance time; if so, it determines that no proxy surfing is occurring; otherwise, it determines that proxy surfing is occurring.
2. The method of claim 1, characterised in that, when the pre-configured policy table contains no proxy detection entry corresponding to the IP address of the current packet, the method further comprises:
the security gateway adds a proxy detection entry corresponding to the IP address of the current packet to the policy table, and initialises the parameters of that entry;
the initialisation is specifically: set the IP address under detection to the IP address of the current packet, set the last-received ID number for that IP address to zero, and set the time of the last ID wraparound to zero.
3. The method of claim 1, characterised in that after the security gateway detects proxy surfing, the method further comprises: the security gateway deletes from the policy table the proxy detection entry corresponding to the source IP address of the current packet.
4. The method of claim 1 or 3, characterised in that after the security gateway detects proxy surfing, the method further comprises:
the security gateway reports the proxy surfing event and adds the source IP address of the current packet to a pre-configured blacklist, or turns on a pre-configured alarm switch.
5. The method of claim 1, characterised in that after the security gateway determines that no proxy surfing has occurred, the method further comprises:
the security gateway updates the last-received ID number in the proxy detection entry to the ID number of the current packet, and updates the time of the last ID wraparound in the proxy detection entry to this wraparound time.
6. The method of claim 5, characterised in that after the security gateway updates the time of the last ID wraparound in the proxy detection entry, the method further comprises: arranging the proxy detection entries in the policy table in ascending order of wraparound time.
7. The method of claim 1 or 6, characterised in that when a preset timer expires, the security gateway traverses the proxy detection entries in the policy table and, based on the wraparound time in each entry, checks whether the corresponding ID number has gone without a wraparound for the agreed time; if so, the corresponding proxy detection entry is deleted; otherwise, no action is taken.
8. The method of claim 7, characterised in that the preset timer period is greater than or equal to the tolerance time.
9. A security gateway, characterised in that it comprises:
A data reception module, for receiving a packet and obtaining, from a pre-configured policy table, the proxy detection entry corresponding to the packet's source IP address; the proxy detection entry comprises: the IP address under detection, the ID number of the last packet received from that IP address, and the time at which the ID number last wrapped around;
The ID comparison module is used for detecting and currently receives ID number of packet and whether received ID number of packet last time greater than the described detection of acting on behalf of, if trigger and act on behalf of the detection update module; Otherwise, trigger the proxy surfing detection module;
Act on behalf of the detection update module, be used for upgrading described ID number of receiving ID number of packet the last time of acting on behalf of detection for current data packet;
The proxy surfing detection module is used for detecting this winding time and describedly acts on behalf of the time difference of winding time last time that detection writes down whether more than or equal to predefined patient time, if be judged to be proxy surfing does not take place; Otherwise, be judged to be the generation proxy surfing.
10. security gateway as claimed in claim 9 is characterized in that,
Described data reception module, also be used for not disposing corresponding with the current IP address that receives packet when acting on behalf of detection pre-configured Policy Table, add corresponding with the current IP address that the receives packet detection of acting on behalf of extremely among the described Policy Table, and initialization this act on behalf of parameter in the detection.
11. security gateway as claimed in claim 9 is characterized in that, also comprises:
Act on behalf of the detection recycling module, be used for when default timing reaches, travel through and respectively act on behalf of detection among the described Policy Table, based on the winding time of respectively acting on behalf of in the detection, whether in the time of agreement winding does not take place ID number that detects correspondence, if the detection of acting on behalf of of correspondence is deleted; Otherwise, do not process.
12. security gateway as claimed in claim 11 is characterized in that, described default timing is more than or equal to described patient time.
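The detection logic of claims 1 to 7, written out as an added Python example (not the patent's own code): the per-IP policy-table entry, the ID comparison and wraparound check against the tolerance time, entry deletion on detection, and the timer-driven recycling. The class and field names, the tolerance value and the two packet traces are assumptions constructed here; the traces show why a single host's 16-bit IP ID wrapping slowly passes while two hosts interleaving behind one address is flagged.

```python
from dataclasses import dataclass

@dataclass
class ProxyDetectionEntry:
    """Per-source-IP state kept in the policy table (claim 9); initial values per claim 2."""
    ip: str
    last_id: int = 0             # ID number of the last packet received from this IP
    last_wrap_time: float = 0.0  # time at which the ID number last wrapped around

class ProxySurfingDetector:
    def __init__(self, tolerance: float) -> None:
        self.tolerance = tolerance  # preset tolerance time between two wraparounds (assumed value)
        self.policy_table: dict[str, ProxyDetectionEntry] = {}

    def observe(self, src_ip: str, ip_id: int, now: float) -> bool:
        """Steps 1-4 of claim 1 for one packet; True means proxy surfing was detected."""
        entry = self.policy_table.get(src_ip)
        if entry is None:  # claim 2: no entry yet, add and initialise one
            entry = self.policy_table[src_ip] = ProxyDetectionEntry(src_ip)
        if ip_id > entry.last_id:  # step 3: IDs still increasing, just record the newest
            entry.last_id = ip_id
            return False
        # step 4: the ID went backwards, i.e. the 16-bit counter wrapped around
        if now - entry.last_wrap_time >= self.tolerance:  # slow enough for a single host
            entry.last_id, entry.last_wrap_time = ip_id, now  # claim 5: record this wraparound
            return False
        del self.policy_table[src_ip]  # claim 3: drop the entry once proxy surfing is found
        return True

    def recycle(self, now: float, agreed_time: float) -> list[str]:
        """Claim 7: on the preset timer, drop entries whose ID has not wrapped within agreed_time."""
        stale = [ip for ip, e in self.policy_table.items() if now - e.last_wrap_time >= agreed_time]
        for ip in stale:
            del self.policy_table[ip]
        return stale

def replay(packets, tolerance: float) -> list[tuple[str, int]]:
    """Feed a (src_ip, ip_id, time) trace to a fresh detector; return the packets flagged as proxy."""
    det = ProxySurfingDetector(tolerance)
    return [(ip, pid) for ip, pid, t in packets if det.observe(ip, pid, t)]

# Constructed traces (not from the patent); times are Unix seconds, so a fresh entry's first
# wraparound is compared against last_wrap_time == 0 and accepted as a genuine wrap.
T0 = 1_700_000_000.0
SINGLE_HOST = [("10.0.0.5", 65534, T0), ("10.0.0.5", 65535, T0 + 1), ("10.0.0.5", 3, T0 + 2),
               ("10.0.0.5", 4, T0 + 3), ("10.0.0.5", 65535, T0 + 500), ("10.0.0.5", 1, T0 + 501)]
# Two hosts behind one NAT/proxy: their independent ID counters interleave, so the ID goes
# backwards again long before the tolerance time has elapsed since the previous wraparound.
SHARED_IP = [("10.0.0.9", 100, T0), ("10.0.0.9", 50000, T0 + 0.1), ("10.0.0.9", 101, T0 + 0.2),
             ("10.0.0.9", 50001, T0 + 0.3), ("10.0.0.9", 102, T0 + 0.4)]
```

Note that an entry that has never wrapped keeps last_wrap_time at zero, so the claim 7 recycling as literally stated removes it on the first timer run; a deployment would want to treat that case deliberately.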
CN201010233698.3A 2010-07-22 2010-07-22 Security gateway and method thereof for detecting proxy surfing Active CN101895552B (en)


Publications (2)

Publication Number Publication Date
CN101895552A true CN101895552A (en) 2010-11-24
CN101895552B CN101895552B (en) 2014-01-01

Family

ID=43104619


Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102223266A (en) * 2011-06-17 2011-10-19 北京星网锐捷网络技术有限公司 Method and device for detecting protocol agent
CN103986616A (en) * 2014-04-15 2014-08-13 深信服网络科技(深圳)有限公司 Method and device for recognizing number of machines having access to internet through proxy
WO2016082626A1 (en) * 2014-11-25 2016-06-02 中兴通讯股份有限公司 Internet user detection method and device
CN106921670A (en) * 2017-03-22 2017-07-04 北京安博通科技股份有限公司 A kind of method and device for acting on behalf of detection
CN107786622A (en) * 2016-08-31 2018-03-09 阿里巴巴集团控股有限公司 Recognition methods, device and the cloud platform of proxy server
CN110022334A (en) * 2018-01-09 2019-07-16 香港理工大学深圳研究院 A kind of detection method of proxy server, detection device and terminal device
CN114006832A (en) * 2021-10-08 2022-02-01 福建天泉教育科技有限公司 Method and terminal for detecting proxy service between client and server

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1812394A (en) * 2006-03-03 2006-08-02 清华大学 Method for using immediate information software by data detection network address switching equipment
CN101286894A (en) * 2008-05-07 2008-10-15 中国网络通信集团公司长沙市分公司 Detection and control method for illegal connection to IP network
WO2009084083A1 (en) * 2007-12-27 2009-07-09 Fujitsu Limited Gateway device and data transfer method




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: BEIJING TOPSEC TECHNOLOGY CO., LTD.

Free format text: FORMER NAME: BEIJING HEAVEN MELTS LETTER SCIENCE TECHNOLOGIES CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 100085 Beijing East Road, No. 1, building No. 301, building on the north side of the floor, room 3, room 3

Patentee after: BEIJING TOPSEC TECHNOLOGY CO., LTD.

Address before: 100085 Beijing East Road, No. 1, building No. 301, building on the north side of the floor, room 3, room 3

Patentee before: Beijing heaven melts letter Science Technologies Co., Ltd.
