CN103051608A - Access monitoring method and device of movable equipment - Google Patents


Info

Publication number
CN103051608A
Authority
CN
China
Prior art keywords
movable equipment
access
information
control server
described movable
Prior art date
Legal status
Granted
Application number
CN2012105207659A
Other languages
Chinese (zh)
Other versions
CN103051608B (en)
Inventor
李宇
Current Assignee
Qianxin Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201210520765.9A
Publication of CN103051608A
Application granted
Publication of CN103051608B
Legal status: Active
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses an access monitoring method and an access monitoring device for mobile devices. The method comprises: presetting, in a security control server, a list of legitimate mobile device information, where the security control server controls the security of the clients connected to it and the list contains the unique identifiers of the mobile devices allowed to access; when a client detects that a mobile device has been connected, computing the unique identifier of that device; and sending the unique identifier to the security control server, which judges whether it is present in the list of legitimate mobile device information, allowing the access of the mobile device if it is and refusing the access if it is not. With this access monitoring method and device, the source and destination of data can be accurately tracked, data can be protected from virus infection, the security of mobile device use is improved, and the security of network information is guaranteed.

Description

Method and apparatus for mobile device access monitoring
Technical field
The present invention relates to the field of information security technology, and in particular to a method for mobile device access monitoring and an apparatus for mobile device access monitoring.
Background technology
At present, as mobile devices become widespread and make it convenient to transfer and carry data, they are widely used in daily life and work. Enterprises often run into the problem of file leakage, and one of the main leakage channels is precisely the mobile device, which is a very large threat to enterprises that cannot afford data loss or leakage.
In order to protect confidential information inside the enterprise, some enterprises use security management software internally that forces automatic encryption when documents are created or edited, so that files can only be used inside the enterprise; other enterprises manage mobile devices in various ways, for example by sealing USB ports so that mobile devices cannot be used, in order to prevent data leakage. These approaches, however, bring inconvenience and cannot satisfy the enterprise's need for normal information exchange.
Therefore, a technical problem that those skilled in the art urgently need to solve is to provide a method and apparatus for mobile device access monitoring that can accurately track the source and destination of data, prevent virus infection, improve the security of mobile device use, and guarantee the security of network information, especially intranet information.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a method for mobile device access monitoring, and a corresponding apparatus for mobile device access monitoring, that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, an access monitoring method for a mobile device is provided, comprising:
presetting, in a security control server, a list of legitimate mobile device information, where the security control server is used to control the security of the clients connected to it and the list of legitimate mobile device information contains the unique identifiers of the mobile devices allowed to access;
when a client detects that a mobile device has been connected, computing the unique identifier of the mobile device;
sending the unique identifier to the security control server, which judges whether the unique identifier is present in the list of legitimate mobile device information; if so, allowing the access of the mobile device; if not, refusing the access of the mobile device.
Optionally, the step of computing the unique identifier of the mobile device when the client detects that a mobile device has been connected comprises:
obtaining the hardware attribute information of the mobile device;
judging whether a signature is present on the mobile device;
if so, extracting the signature from the mobile device;
if not, computing a signature from the hardware attribute information and writing the signature onto the mobile device;
computing the unique identifier of the mobile device from its hardware attribute information and its signature.
Optionally, the method further comprises:
if the operation of writing the signature onto the mobile device fails, sending information about the write failure to the security control server;
the security control server refusing the access of the mobile device on the basis of the write failure information.
Optionally, the security control server presets a time interval during which mobile devices are allowed access, and the method further comprises:
judging whether the mobile device is connected within the time interval in which access is allowed;
if the mobile device is connected within that time interval, the security control server allows its access;
if the mobile device is not connected within that time interval, the security control server refuses its access.
Optionally, the method further comprises:
when the access of the mobile device is allowed, monitoring the write operations of the mobile device;
sending information about the write operations to the security control server.
Optionally, the hardware attribute information comprises the mobile device identifier, and/or the manufacturer information of the mobile device, and/or the space size of the mobile device.
Optionally, the step of computing the signature from the hardware attribute information and writing the signature onto the mobile device comprises:
combining the mobile device identifier and the hardware attribute information into a first character string;
computing the signature of the mobile device from the first character string with the MD5 message digest algorithm;
writing the signature of the mobile device onto the mobile device.
Optionally, the step of computing the unique identifier of the mobile device from its hardware attribute information and its signature comprises:
combining the signature of the mobile device and the hardware attribute information into a second character string;
computing the unique identifier of the mobile device from the second character string with the MD5 message digest algorithm.
Optionally, the access of the mobile device is monitored by a preset driver in the client.
Optionally, the access comprises readable access, writable access, and access that is neither readable nor writable.
According to another aspect of the present invention, an access monitoring apparatus for a mobile device is provided, comprising:
a preset legitimate list module, located in the security control server, used to control the security of the clients connected to the server, the list of legitimate mobile device information containing the unique identifiers of the mobile devices allowed to access;
a unique identifier computing module, located in the client, used to compute the unique identifier of the mobile device when the connection of a mobile device is detected;
a unique identifier sending module, located in the client, used to send the unique identifier to the security control server;
a unique identifier judging module, located in the security control server, used to judge whether the unique identifier is present in the list of legitimate mobile device information, and if so to call the clearance module, otherwise to call the refusal module;
a clearance module, used to allow the access of the mobile device;
a refusal module, used to refuse the access of the mobile device.
Optionally, the unique identifier computing module comprises:
a hardware attribute information acquisition submodule, used to obtain the hardware attribute information of the mobile device;
a signature judging submodule, used to judge whether the mobile device has a signature, and if so to call the signature extraction submodule, otherwise to call the signature computing submodule;
a signature extraction submodule, used to extract the signature from the mobile device;
a signature computing submodule, used to compute the signature from the hardware attribute information and write the signature onto the mobile device;
a unique identifier computing submodule, used to compute the unique identifier of the mobile device from its hardware attribute information and its signature.
Optionally, the apparatus further comprises:
a write failure information sending module, located in the client, used to send information about the write failure to the security control server if the operation of writing the signature onto the mobile device fails;
a refusal access module, located in the security control server, used to refuse the access of the mobile device on the basis of the write failure information.
Optionally, the security control server presets a time interval during which mobile devices are allowed access, and the apparatus further comprises:
a time interval judging module, located in the security control server, used to judge whether the mobile device is connected within the time interval in which access is allowed, and if so to call the in-interval allow access module, otherwise to call the in-interval refuse access module;
an in-interval allow access module, located in the security control server, used to allow the access of the mobile device if it is connected within the time interval in which access is allowed;
an in-interval refuse access module, located in the security control server, used to refuse the access of the mobile device if it is not connected within the time interval in which access is allowed.
Optionally, the apparatus further comprises:
an access monitoring module, located in the client, used to monitor the write operations of the mobile device when its access is allowed;
a write information sending module, located in the client, used to send information about the write operations to the security control server.
Optionally, the hardware attribute information comprises the mobile device identifier, and/or the manufacturer information of the mobile device, and/or the space size of the mobile device.
Optionally, the signature computing submodule comprises:
a first character string combining unit, used to combine the mobile device identifier and the hardware attribute information into a first character string;
a second computing unit, used to compute the signature of the mobile device from the first character string with the MD5 message digest algorithm;
a signature writing unit, used to write the signature of the mobile device onto the mobile device.
Optionally, the unique identifier computing submodule comprises:
a second character string combining unit, used to combine the signature of the mobile device and the hardware attribute information into a second character string;
a second computing unit, used to compute the unique identifier of the mobile device from the second character string with the MD5 message digest algorithm.
Optionally, the access of the mobile device is monitored by a preset driver in the client.
Optionally, the access comprises readable access, writable access, and access that is neither readable nor writable.
With the method and apparatus for mobile device access monitoring according to the present invention, whether to allow the access of a mobile device is judged by whether its unique identifier is present in the list of legitimate mobile device information preset in the security control server, and the write operations of the mobile device are monitored once its access is allowed. This solves the leakage problem through mobile devices that enterprises often encounter and achieves the beneficial effects of accurately tracking the source and destination of data, preventing virus infection, improving the security of mobile device use, and guaranteeing the security of network information, especially intranet information.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented according to the content of the specification, and that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Description of drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The accompanying drawings are only for the purpose of showing the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, identical parts are denoted by identical reference symbols. In the drawings:
Fig. 1 shows a flow chart of the steps of an embodiment of a method for mobile device access monitoring according to an embodiment of the invention;
Fig. 2 shows a structural block diagram of an embodiment of an apparatus for mobile device access monitoring according to an embodiment of the invention.
Embodiment
Exemplary embodiments of the present disclosure are described below in more detail with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the disclosure may be realised in various forms and should not be limited by the embodiments set out here. On the contrary, these embodiments are provided so that the disclosure may be understood more thoroughly and its scope may be conveyed completely to those skilled in the art.
One of the core ideas of the embodiments of the invention is that the security control server judges whether to allow the access of a mobile device by whether its unique identifier is present in a preset list of legitimate mobile device information, and the write operations of the mobile device are monitored once its access is allowed. In this way the source and destination of data can be accurately tracked, the security of mobile device use is improved, and the security of network information, especially intranet information, is guaranteed.
With reference to Fig. 1, a flow chart of the steps of an embodiment of a method for mobile device access monitoring according to the present invention is shown; it may specifically comprise the following steps:
Step 101: presetting, in the security control server, a list of legitimate mobile device information; the security control server is used to control the security of the clients connected to it, and the list of legitimate mobile device information contains the unique identifiers of the mobile devices allowed to access.
Take as an example the use of the present invention on a personal computer (PC) on which a private cloud client is installed. A PC with the private cloud client installed can monitor files, prevent virus infection, and at the same time interact with the corresponding security control server, sending some locally computed information to it. The PC can also monitor whether a new device has been connected, the type of the connected device, and whether it is a mobile device.
It should be noted that, in the embodiments of the invention, the security control server and the client form a master and controlled relationship; the security control server is used to control the security of the clients connected to it, for example a server and clients in a local area network (LAN).
In a specific implementation, a list of legitimate mobile device information needs to be preset in the security control server. The list contains the unique identifiers of the mobile devices allowed to access and is used for comparison: whether the unique identifier of a connected mobile device matches an entry in the list decides whether the access of that mobile device is legitimate.
Step 102: when the client detects that a mobile device has been connected, computing the unique identifier of the mobile device.
In a preferred embodiment of the present invention, the access of the mobile device may be monitored by a preset driver in the client.
A preset driver is installed in the client, and this driver is used to monitor all write operations on the mobile device. When the driver detects the connection of a mobile device, it passes the relevant information up to the application layer. After obtaining the information, the application layer sends a query to the security control server asking whether access may be granted.
In one preferred example of the embodiments of the invention, because the private cloud client is resident, the connection and removal of mobile devices can be monitored through the WM_DEVICECHANGE message, or through the driver. Preferably, if the query to the security control server times out, the mobile device can also be ejected to avoid occupying resources. In a preferred embodiment of the present invention, step 102 may comprise the following sub-steps:
Sub-step S11: obtaining the hardware attribute information of the mobile device;
Sub-step S12: judging whether a signature is present on the mobile device; if so, performing sub-step S13, otherwise performing sub-step S14;
Sub-step S13: extracting the signature from the mobile device;
Sub-step S14: computing a signature from the hardware attribute information and writing the signature onto the mobile device;
Sub-step S15: computing the unique identifier of the mobile device from its hardware attribute information and its signature.
When a mobile device is connected to a PC with the private cloud client installed, the hardware attribute information and the signature of the connected mobile device are obtained. The hardware attribute information may comprise the intrinsic hardware attributes of the mobile device and hardware attributes subsequently added to it. The signature of the mobile device is computed from its hardware attribute information and marks the mobile device further, on top of its hardware attribute information, while the unique identifier is computed from both the hardware attribute information and the signature. Hence, even if the hardware attribute information of a mobile device is identical to that of an allowed device, the device is not necessarily allowed to connect; this guarantees the security of network information, especially corporate intranet information.
In a preferred embodiment of the present invention, the hardware attribute information may comprise the mobile device identifier, and/or the manufacturer information of the mobile device, and/or the space size of the mobile device.
In a preferred embodiment of the present invention, sub-step S14 may comprise the following sub-steps:
Sub-step S21: combining the mobile device identifier and the hardware attribute information into a first character string;
Sub-step S22: computing the signature of the mobile device from the first character string with the MD5 message digest algorithm;
Sub-step S23: writing the signature of the mobile device onto the mobile device.
In a specific implementation, after the client detects that a mobile device has been connected, it obtains the identifier of the mobile device, its manufacturer information and its space size, combines them into one character string, and then computes the signature of the mobile device from that string with the MD5 algorithm. It is well known that MD5 (Message Digest Algorithm 5) is a hash function widely used in the field of computer security; it computes a fixed-length value from the data, compressing the information into a secret form.
For example, if the identifier of the mobile device is 5001, the manufacturer information of the mobile device is patriot, and the space size of the mobile device is 1000000K, these can be combined into the character string 5001 patriot 1000000. Applying the MD5 algorithm to this string yields a unique 32-character signature for the mobile device, B64D19F84EEEF997453CDD25738C082C, and the computed signature is then written onto the mobile device.
In a preferred embodiment of the present invention, step 102 may further comprise the following sub-steps:
if the operation of writing the signature onto the mobile device fails, sending information about the write failure to the security control server;
the security control server refusing the access of the mobile device on the basis of the write failure information.
Preferably, if writing the computed signature onto the mobile device fails, the client can send information about the write failure to the security control server, and the security control server can refuse the access of this mobile device on the basis of that information, further guaranteeing the security of network information, especially intranet information.
In a preferred embodiment of the present invention, sub-step S15 may comprise the following sub-steps:
Sub-step S31: combining the signature of the mobile device and the hardware attribute information into a second character string;
Sub-step S32: computing the unique identifier of the mobile device from the second character string with the MD5 message digest algorithm.
For example, if the identifier of the mobile device is 5001, the manufacturer information of the mobile device is patriot, the space size of the mobile device is 1000000K, and the signature of the mobile device is B64D19F84EEEF997453CDD25738C082C, these can be combined into the character string B64D19F84EEEF997453CDD25738C082C 5001 patriot 1000000. Applying the MD5 algorithm to this string yields a 32-character unique identifier for the mobile device: 45B51AE3C3445170E39801CA9ACD564D.
Of course, in practical applications the invention is not limited to the MD5 algorithm; those skilled in the art may also select other suitable algorithms, on the same principle as MD5, to generate the signature and the unique identifier of the mobile device, and the present invention places no restriction on this.
Step 103: sending the unique identifier to the security control server, which judges whether the unique identifier is present in the list of legitimate mobile device information; if so, performing step 104, otherwise performing step 105.
Step 104: allowing the access of the mobile device.
Step 105: refusing the access of the mobile device.
In the embodiments of the invention, the mobile devices connected to a client are managed through the association between the client and the security control server. If the unique identifier of the mobile device connected to the client is present in the list of legitimate mobile device information in the security control server, the access of this mobile device is legitimate, and the security control server allows it. If the unique identifier of the mobile device connected to the client is not present in the security control server's list of legitimate mobile device information, the access of this mobile device is illegitimate, and the security control server refuses it.
In a preferred embodiment of the present invention, a time interval during which mobile devices are allowed access may also be preset in the security control server, in which case the method may further comprise the following steps:
judging whether the mobile device is connected within the time interval in which access is allowed;
if the mobile device is connected within that time interval, the security control server allows its access;
if the mobile device is not connected within that time interval, the security control server refuses its access.
By setting a time interval in which access is allowed for each mobile device that is allowed access, the mobile device can connect to and operate in the client only within that interval, and its access is refused outside it, further guaranteeing the security of network information, especially intranet information. In practice, an identifying name can also be set for each mobile device that is allowed access, to make identification and subsequent management by the administrator more convenient.
In a specific implementation, a mobile device that is allowed access can be given access with read permission, access with write permission, or access with neither read nor write permission, and the mobile device operates in the client according to the corresponding permission.
In a preferred embodiment of the present invention, described method can also comprise the steps:
When allowing the access of described movable equipment, monitor the write operation of described movable equipment;
The information of said write operation is sent to the security control server.
Preferably, after movable equipment allows access normally to use, the write operation of this movable equipment of security control server monitoring, and each situation that is written to movable equipment issued the security control server.The operation that writes comprises that file is saved in movable equipment and is saved in the operation of local disk from movable equipment, as long as to source path or destination path be movable equipment all carry out recording and sending to the security control server, can accurately follow the trail of like this source and the whereabouts of data, prevent by virus infections, improved the fail safe that movable equipment uses.
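As an added illustration, not code from the patent or its assignee, the following Python models the exchange of steps 101 to 105 together with the optional sub-steps described above: signature and unique identifier derivation with MD5 (S21-S22, S31-S32), refusal when the signature cannot be written (S14), the access time interval, and reporting of writes whose source or destination is the device. The concatenation order of the character strings, the enrolment of the device's identifier into the server's list, the mount path and the time window are assumptions, so the digests produced need not equal the values quoted in the description.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

@dataclass(frozen=True)
class HardwareAttributes:
    """Hardware attribute information read from the device (sub-step S11)."""
    device_id: str
    manufacturer: str
    space_kb: int

    def joined(self) -> str:
        # Assumed concatenation: identifier first, then the remaining attributes.
        return f"{self.device_id}{self.manufacturer}{self.space_kb}"

@dataclass
class MobileDevice:
    """Constructed stand-in for a removable drive; stored_signature models a signature
    already written onto it, writable=False a device where the write fails (S14)."""
    attrs: HardwareAttributes
    stored_signature: Optional[str] = None
    writable: bool = True

    def write_signature(self, signature: str) -> bool:
        if not self.writable:
            return False
        self.stored_signature = signature
        return True

def compute_signature(attrs: HardwareAttributes) -> str:
    """S21-S22: MD5 of the first string (identifier + attributes), upper-case hex."""
    return hashlib.md5(attrs.joined().encode("utf-8")).hexdigest().upper()

def compute_unique_id(signature: str, attrs: HardwareAttributes) -> str:
    """S31-S32: MD5 of the second string (signature + attributes). Both digests derive
    from data readable off the device: the identifier names a device, it is no secret."""
    return hashlib.md5((signature + attrs.joined()).encode("utf-8")).hexdigest().upper()

class SecurityControlServer:
    """Preset list of legitimate identifiers (step 101), access window, write log."""
    def __init__(self, allowed_ids, window: Optional[tuple] = None):
        self.allowed = set(allowed_ids)
        self.window = window  # (start, end) as datetime.time, inclusive
        self.write_log = []

    def decide(self, unique_id: str, now: datetime, write_failed: bool) -> str:
        if write_failed:  # the signature could not be written onto the device
            return "DENY"
        if unique_id not in self.allowed:  # steps 103 and 105
            return "DENY"
        if self.window is not None and not self.window[0] <= now.time() <= self.window[1]:
            return "DENY"  # connected outside the allowed time interval
        return "ALLOW"  # step 104

class Client:
    def __init__(self, server: SecurityControlServer, device_mount: str):
        self.server = server
        self.device_mount = device_mount

    def on_device_attached(self, device: MobileDevice, now: datetime):
        attrs = device.attrs  # S11
        if device.stored_signature is not None:  # S12 -> S13
            signature, write_failed = device.stored_signature, False
        else:  # S12 -> S14: derive the signature, write it, note any failure
            signature = compute_signature(attrs)
            write_failed = not device.write_signature(signature)
        unique_id = compute_unique_id(signature, attrs)  # S15
        return unique_id, self.server.decide(unique_id, now, write_failed)

    def on_file_copy(self, unique_id: str, src: str, dst: str) -> bool:
        """Report a copy to the server whenever its source or destination is the device."""
        if src.startswith(self.device_mount) or dst.startswith(self.device_mount):
            self.server.write_log.append((unique_id, src, dst))
            return True
        return False

def run_scenarios() -> dict:
    """Constructed scenarios; attribute values follow the description's example."""
    attrs = HardwareAttributes("5001", "patriot", 1000000)
    # Enrolment (assumed): the administrator lists the device's unique identifier.
    enrolled_uid = compute_unique_id(compute_signature(attrs), attrs)
    server = SecurityControlServer({enrolled_uid}, window=(time(9, 0), time(18, 0)))
    client = Client(server, "E:\\")
    in_hours, after_hours = datetime(2024, 1, 15, 10, 30), datetime(2024, 1, 15, 22, 0)
    results = {
        "enrolled_first_use": client.on_device_attached(MobileDevice(attrs), in_hours)[1],
        "enrolled_after_hours": client.on_device_attached(MobileDevice(attrs), after_hours)[1],
        "unknown_device": client.on_device_attached(
            MobileDevice(HardwareAttributes("5002", "patriot", 1000000)), in_hours)[1],
        "readonly_unsigned": client.on_device_attached(MobileDevice(attrs, writable=False), in_hours)[1],
        # Same hardware attributes but a foreign signature gives a different identifier.
        "same_hardware_wrong_signature": client.on_device_attached(
            MobileDevice(attrs, stored_signature="0" * 32), in_hours)[1],
    }
    client.on_file_copy(enrolled_uid, "C:\\docs\\plan.docx", "E:\\plan.docx")
    client.on_file_copy(enrolled_uid, "C:\\a.txt", "C:\\b.txt")  # does not involve the device
    results["write_log_entries"] = len(server.write_log)
    return results
```

The last scenario shows the property stated above: a device whose hardware attributes match an enrolled device but which carries a different signature derives a different unique identifier and is refused.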
After the associative operation of movable equipment in client finished, in the time of need to withdrawing from this movable equipment, can unload by SetupDiDestroyDeviceInfoList, destroy the movable equipment information aggregate, and discharge related internal memory, eject movable equipment at ring3 (CPU Least Privilege rank), also can unload with driving in addition.
It should be noted that, for simplicity of description, the method embodiments are expressed as a series of combinations of actions, but those skilled in the art should know that the present invention is not limited by the described sequence of actions, since according to the present invention some steps can be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
Referring to Fig. 2, a structural block diagram of an embodiment of a movable equipment access monitoring device of the present invention is shown, which can specifically comprise the following modules:
Preset legitimate list module 201, located at the security control server, used for presetting a tabulation of legal movable equipment information; the security control server is used for controlling the security of the clients connected to it, and the tabulation of legal movable equipment information comprises the unique identification markings of the movable equipment allowed access;
Unique identification marking computing module 202, located at the client, used for calculating the unique identification marking of the movable equipment when the access of movable equipment is monitored;
In a preferred embodiment of the present invention, the access of the movable equipment can be monitored by a preset driver in the client.
In a preferred embodiment of the present invention, the unique identification marking computing module 202 can comprise the following submodules:
Hardware attributes information acquisition submodule, used for obtaining the hardware attributes information of the movable equipment;
Signature identification judging submodule, used for judging whether the movable equipment has a signature identification; if so, calling the signature identification extracting submodule; if not, calling the signature identification calculating submodule;
Signature identification extracting submodule, used for extracting the signature identification from the movable equipment;
Signature identification calculating submodule, used for calculating the signature identification according to the hardware attributes information and writing the signature identification into the movable equipment;
Unique identification marking calculating submodule, used for calculating the unique identification marking of the movable equipment according to the hardware attributes information and the signature identification of the movable equipment.
In a preferred embodiment of the present invention, the device can also comprise the following modules:
Write failure information sending module, located at the client, used for sending information on the write operation failure to the security control server if the operation of writing the signature identification into the movable equipment fails;
Refusal access module, located at the security control server, used for refusing the access of the movable equipment according to the information on the write operation failure.
In a preferred embodiment of the present invention, the security control server presets a time interval in which the movable equipment is allowed access, and the device can also comprise the following modules:
Time interval judging module, located at the security control server, used for judging whether the movable equipment is accessed within the time interval of allowed access; if so, calling the allow-access-within-time-interval module; if not, calling the refuse-access-within-time-interval module;
Allow-access-within-time-interval module, located at the security control server, used for allowing the access of the movable equipment if the movable equipment is accessed within the time interval of allowed access;
Refuse-access-within-time-interval module, located at the security control server, used for refusing the access of the movable equipment if the movable equipment is not accessed within the time interval of allowed access.
In a preferred embodiment of the present invention, the hardware attributes information can comprise the movable equipment sign, and/or the manufacturer information of the movable equipment, and/or the space size of the movable equipment.
In a preferred embodiment of the present invention, the signature identification calculating submodule can comprise the following units:
First character string assembling unit, used for combining the movable equipment sign and the hardware attributes information into a first character string;
Second computing unit, used for calculating the signature identification of the movable equipment from the first character string using the message digest algorithm MD5;
Signature identification writing unit, used for writing the signature identification of the movable equipment into the movable equipment.
In a preferred embodiment of the present invention, the unique identification marking calculating submodule can comprise the following units:
Second character string assembling unit, used for combining the signature identification of the movable equipment and the hardware attributes information into a second character string;
Second computing unit, used for calculating the unique identification marking of the movable equipment from the second character string using the message digest algorithm MD5.
Unique identification marking sending module 203, located at the client, used for sending the unique identification marking to the security control server;
Unique identification marking judging module 204, located at the security control server, used for judging whether the unique identification marking is present in the tabulation of legal movable equipment information; if so, calling clearance module 205; if not, calling refusal module 206;
Clearance module 205, used for allowing the access of the movable equipment;
Refusal module 206, used for refusing the access of the movable equipment.
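The identifier derivation and the server-side decision performed by modules 201 to 206 above, as an added example that is not code from the patent or its applicant. The `MovableEquipment` stand-in, the `|` field separator, the string form of the decisions and the representation of the allowed-access time interval as a start and end datetime are assumptions; every device attribute and list entry is constructed sample data. One point a deployment should keep in mind: the unique identification marking is an MD5 over attributes that anyone holding the device can read, so the tabulation is an allow-list of recognised devices rather than a cryptographic proof of a device's authenticity, and the write-operation records the description also calls for are what give the administrator an audit trail alongside it.

```python
# Added example, not code from the patent or its applicant: an offline model of
# the client-side identifier derivation and the server-side list check.
# The device attributes, list entry and time window are constructed sample
# data; the field separator "|" and the decision strings are assumptions.
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Tuple


def md5_hex(text: str) -> str:
    """Hex digest of MD5 over the UTF-8 bytes of text (the digest the patent names)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


@dataclass
class MovableEquipment:
    """Stand-in for a removable device: the hardware attributes the client reads
    plus the stored signature identification (None until one has been written)."""
    device_sign: str            # movable equipment sign
    manufacturer: str           # manufacturer information
    space_size: int             # space size in bytes
    signature: Optional[str] = None
    write_fails: bool = False   # simulates a failed write of the signature

    def hardware_attributes(self) -> str:
        return f"{self.manufacturer}|{self.space_size}"


def compute_signature_identification(dev: MovableEquipment) -> str:
    """First character string = device sign + hardware attributes, then MD5."""
    return md5_hex(f"{dev.device_sign}|{dev.hardware_attributes()}")


def compute_unique_identification(dev: MovableEquipment) -> Optional[str]:
    """Client side: reuse the stored signature if present, otherwise calculate
    it and write it to the device. Returns the unique identification marking,
    or None when the signature could not be written."""
    if dev.signature is None:
        sig = compute_signature_identification(dev)
        if dev.write_fails:
            return None             # client reports the write failure instead
        dev.signature = sig
    # Second character string = signature identification + hardware attributes.
    return md5_hex(f"{dev.signature}|{dev.hardware_attributes()}")


# Legal list entry: identification name plus the allowed-access time interval.
LegalEntry = Tuple[str, datetime, datetime]


def server_decision(legal_list: Dict[str, LegalEntry],
                    unique_id: Optional[str], now: datetime) -> str:
    """Security control server side: write failure, list membership, then
    the time interval, in that order."""
    if unique_id is None:
        return "refuse: signature write failed"
    entry = legal_list.get(unique_id)
    if entry is None:
        return "refuse: not in legal list"
    name, start, end = entry
    if not start <= now <= end:
        return f"refuse: {name} outside allowed interval"
    return f"allow: {name}"


def run_demo() -> Dict[str, str]:
    """Constructed scenario: one registered device, one unknown device."""
    registered = MovableEquipment("USB-SERIAL-0001", "ExampleCorp", 16_000_000_000)
    uid = compute_unique_identification(registered)   # administrator enrols it once
    legal = {uid: ("finance-usb-01", datetime(2024, 1, 1, 9), datetime(2024, 1, 1, 18))}
    unknown = MovableEquipment("USB-SERIAL-9999", "OtherVendor", 8_000_000_000)
    return {
        "in_interval": server_decision(legal, uid, datetime(2024, 1, 1, 12)),
        "after_interval": server_decision(legal, uid, datetime(2024, 1, 1, 20)),
        "unknown": server_decision(legal, compute_unique_identification(unknown),
                                   datetime(2024, 1, 1, 12)),
        # Re-plugging reuses the signature stored on the device, so the
        # identifier is stable and the enrolment still matches.
        "replugged": server_decision(legal, compute_unique_identification(registered),
                                     datetime(2024, 1, 1, 12)),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
```

The stability shown by the `replugged` case is the reason the signature identification is written to the device on first sight: later calculations read it back instead of recomputing it, so the unique identification marking the administrator enrolled keeps matching.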
In a preferred embodiment of the present invention, the access can comprise readable access, writable access, and neither readable nor writable access.
In a preferred embodiment of the present invention, the device can also comprise the following modules:
Access monitoring module, located at the client, used for monitoring the write operations of the movable equipment when the access of the movable equipment is allowed;
Writing information sending module, located at the client, used for sending information on the write operations to the security control server.
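The write-operation monitoring performed by the two modules above, as an added example that is not code from the patent or its applicant: a client-side filter that keeps only those file operations whose source or destination path lies on the movable equipment and turns them into the records sent to the security control server. The mount point, the file operations and the record layout are constructed assumptions. The path check normalises Windows paths first, so that `..` segments and case differences cannot make a device path look like a local one and slip past the filter.

```python
# Added example, not code from the patent: client-side filtering of file
# operations into the write records the description says are sent to the
# security control server. Mount point, paths and operations are constructed
# sample data; the record layout is an assumption.
import ntpath
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional


@dataclass
class FileOperation:
    """One observed file write: where the data came from and where it went."""
    source: str
    destination: str
    user: str
    timestamp: str


def is_on_device(path: str, mount: str) -> bool:
    """True when path lies on the device mounted at mount. Windows paths are
    normalised (case folding, '..' segments) so 'E:\\x\\..\\y' is still on E:\\."""
    p = ntpath.normcase(ntpath.normpath(path))
    m = ntpath.normcase(ntpath.normpath(mount))
    m = m.rstrip("\\") + "\\"
    return p + "\\" == m or p.startswith(m)


def classify(op: FileOperation, mount: str) -> Optional[str]:
    """Direction of a write relative to the movable equipment, or None when
    neither the source nor the destination path is on the device."""
    src_on, dst_on = is_on_device(op.source, mount), is_on_device(op.destination, mount)
    if src_on and dst_on:
        return "within_device"
    if dst_on:
        return "to_device"      # file saved to the movable equipment
    if src_on:
        return "from_device"    # file saved from the movable equipment to local disk
    return None


def build_records(ops: List[FileOperation], mount: str, unique_id: str) -> List[Dict[str, str]]:
    """Records for the security control server: every operation whose source
    or destination is the device, tagged with direction and device identifier."""
    records = []
    for op in ops:
        direction = classify(op, mount)
        if direction is None:
            continue                        # purely local, not reported
        rec = asdict(op)
        rec["direction"] = direction
        rec["movable_equipment"] = unique_id
        records.append(rec)
    return records


def run_demo() -> List[Dict[str, str]]:
    """Constructed operations on a device mounted at E:\\ (sample data)."""
    ops = [
        FileOperation(r"C:\Users\alice\report.xlsx", r"E:\report.xlsx", "alice", "2024-01-01T12:00:00"),
        FileOperation(r"E:\tools\..\setup.exe", r"C:\Temp\setup.exe", "alice", "2024-01-01T12:01:00"),
        FileOperation(r"C:\Users\alice\a.txt", r"C:\Users\alice\b.txt", "alice", "2024-01-01T12:02:00"),
        FileOperation(r"e:\old\notes.txt", r"E:\new\notes.txt", "alice", "2024-01-01T12:03:00"),
    ]
    return build_records(ops, "E:\\", "a3f1-example-unique-id")


if __name__ == "__main__":
    for rec in run_demo():
        print(rec)
```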
Since the device embodiment of Fig. 2 is basically similar to the method embodiment of Fig. 1, its description is relatively brief; for the relevant parts refer to the explanation of the method embodiment.
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems can also be used with the teaching herein. From the description above, the structure required to construct such a system is apparent. In addition, the present invention is not directed at any particular programming language. It should be understood that various programming languages can be used to implement the content of the invention described here, and the description above of a specific language is given in order to disclose the best mode of the invention.
A large number of details are described in the specification provided here. However, it can be understood that embodiments of the invention can be practised without these details. In some instances, known methods, structures and techniques are not shown in detail so as not to obscure understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and aid understanding of one or more of the various inventive aspects, in the description of exemplary embodiments of the invention above, features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. However, the disclosed method should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment can be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and can in addition be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art can understand that, although some embodiments described herein include some features but not other features included in other embodiments, combinations of the features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The component embodiments of the invention can be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components in the movable equipment access monitoring equipment according to embodiments of the invention. The invention can also be embodied as equipment or device programs (for example, computer programs and computer program products) for carrying out part or all of the methods described herein. Such programs implementing the invention can be stored on computer-readable media, or can take the form of one or more signals. Such signals can be downloaded from internet websites, provided on carrier signals, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order. These words can be interpreted as names.

Claims (18)

1. An access monitoring method for movable equipment, comprising:
presetting a tabulation of legal movable equipment information in a security control server, wherein the security control server is used for controlling the security of the clients connected to it, and the tabulation of legal movable equipment information comprises the unique identification markings of the movable equipment allowed access;
when the client monitors that movable equipment is being accessed, calculating the unique identification marking of the movable equipment;
sending the unique identification marking to the security control server, and judging by the security control server whether the unique identification marking is present in the tabulation of legal movable equipment information; if so, allowing the access of the movable equipment; if not, refusing the access of the movable equipment.
2. The method of claim 1, wherein the step of calculating the unique identification marking of the movable equipment when the client monitors that movable equipment is being accessed comprises:
obtaining the hardware attributes information of the movable equipment;
judging whether a signature identification exists in the movable equipment;
if so, extracting the signature identification from the movable equipment;
if not, calculating the signature identification according to the hardware attributes information, and writing the signature identification into the movable equipment;
calculating the unique identification marking of the movable equipment according to the hardware attributes information and the signature identification of the movable equipment.
3. The method of claim 1 or 2, further comprising:
if the operation of writing the signature identification into the movable equipment fails, sending information on the write operation failure to the security control server;
the security control server refusing the access of the movable equipment according to the information on the write operation failure.
4. The method of claim 1 or 2, wherein the security control server presets a time interval in which the movable equipment is allowed access, and the method further comprises:
judging whether the movable equipment is accessed within the time interval of allowed access;
if the movable equipment is accessed within the time interval of allowed access, the security control server allowing the access of the movable equipment;
if the movable equipment is not accessed within the time interval of allowed access, the security control server refusing the access of the movable equipment.
5. The method of claim 1 or 2, further comprising:
when the access of the movable equipment is allowed, monitoring the write operations of the movable equipment;
sending information on the write operations to the security control server.
6. The method of claim 2, wherein the hardware attributes information comprises the movable equipment sign, and/or the manufacturer information of the movable equipment, and/or the space size of the movable equipment.
7. The method of claim 2 or 6, wherein the step of calculating the signature identification according to the hardware attributes information and writing the signature identification into the movable equipment comprises:
combining the movable equipment sign and the hardware attributes information into a first character string;
calculating the signature identification of the movable equipment from the first character string using the message digest algorithm MD5;
writing the signature identification of the movable equipment into the movable equipment.
8. The method of claim 2 or 6, wherein the step of calculating the unique identification marking of the movable equipment according to the hardware attributes information and the signature identification of the movable equipment comprises:
combining the signature identification of the movable equipment and the hardware attributes information into a second character string;
calculating the unique identification marking of the movable equipment from the second character string using the message digest algorithm MD5.
9. The method of claim 1, wherein the access of the movable equipment is monitored by a preset driver in the client.
10. The method of claim 1, wherein the access comprises readable access, writable access, and neither readable nor writable access.
11. An access monitoring device for movable equipment, comprising:
a preset legitimate list module, located at the security control server, used for presetting a tabulation of legal movable equipment information, wherein the security control server is used for controlling the security of the clients connected to it, and the tabulation of legal movable equipment information comprises the unique identification markings of the movable equipment allowed access;
a unique identification marking computing module, located at the client, used for calculating the unique identification marking of the movable equipment when the access of movable equipment is monitored;
a unique identification marking sending module, located at the client, used for sending the unique identification marking to the security control server;
a unique identification marking judging module, located at the security control server, used for judging whether the unique identification marking is present in the tabulation of legal movable equipment information; if so, calling the clearance module; if not, calling the refusal module;
a clearance module, used for allowing the access of the movable equipment;
a refusal module, used for refusing the access of the movable equipment.
12. The device of claim 11, wherein the unique identification marking computing module comprises:
a hardware attributes information acquisition submodule, used for obtaining the hardware attributes information of the movable equipment;
a signature identification judging submodule, used for judging whether the movable equipment has a signature identification; if so, calling the signature identification extracting submodule; if not, calling the signature identification calculating submodule;
a signature identification extracting submodule, used for extracting the signature identification from the movable equipment;
a signature identification calculating submodule, used for calculating the signature identification according to the hardware attributes information and writing the signature identification into the movable equipment;
a unique identification marking calculating submodule, used for calculating the unique identification marking of the movable equipment according to the hardware attributes information and the signature identification of the movable equipment.
13. The device of claim 11 or 12, further comprising:
a write failure information sending module, located at the client, used for sending information on the write operation failure to the security control server if the operation of writing the signature identification into the movable equipment fails;
a refusal access module, located at the security control server, used for refusing the access of the movable equipment according to the information on the write operation failure.
14. The device of claim 11 or 12, wherein the security control server presets a time interval in which the movable equipment is allowed access, and the device further comprises:
a time interval judging module, located at the security control server, used for judging whether the movable equipment is accessed within the time interval of allowed access; if so, calling the allow-access-within-time-interval module; if not, calling the refuse-access-within-time-interval module;
an allow-access-within-time-interval module, located at the security control server, used for allowing the access of the movable equipment if the movable equipment is accessed within the time interval of allowed access;
a refuse-access-within-time-interval module, located at the security control server, used for refusing the access of the movable equipment if the movable equipment is not accessed within the time interval of allowed access.
15. The device of claim 11 or 12, further comprising:
an access monitoring module, located at the client, used for monitoring the write operations of the movable equipment when the access of the movable equipment is allowed;
a writing information sending module, located at the client, used for sending information on the write operations to the security control server.
16. The device of claim 12, wherein the hardware attributes information comprises the movable equipment sign, and/or the manufacturer information of the movable equipment, and/or the space size of the movable equipment.
17. The device of claim 12 or 16, wherein the signature identification calculating submodule comprises:
a first character string assembling unit, used for combining the movable equipment sign and the hardware attributes information into a first character string;
a second computing unit, used for calculating the signature identification of the movable equipment from the first character string using the message digest algorithm MD5;
a signature identification writing unit, used for writing the signature identification of the movable equipment into the movable equipment.
18. The device of claim 12 or 16, wherein the unique identification marking calculating submodule comprises:
a second character string assembling unit, used for combining the signature identification of the movable equipment and the hardware attributes information into a second character string;
a second computing unit, used for calculating the unique identification marking of the movable equipment from the second character string using the message digest algorithm MD5.
CN201210520765.9A 2012-12-06 2012-12-06 A kind of method and apparatus of movable equipment access monitoring Active CN103051608B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210520765.9A CN103051608B (en) 2012-12-06 2012-12-06 A kind of method and apparatus of movable equipment access monitoring


Publications (2)

Publication Number Publication Date
CN103051608A true CN103051608A (en) 2013-04-17
CN103051608B CN103051608B (en) 2015-11-25

Family

ID=48064107




Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101364986A (en) * 2008-09-19 2009-02-11 广东南方信息安全产业基地有限公司 Credible equipment authentication method under network environment
CN102710588A (en) * 2011-09-23 2012-10-03 新奥特(北京)视频技术有限公司 Method, device, server and system for identifying code in data safety monitoring and controlling


Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015058680A1 (en) * 2013-10-25 2015-04-30 Hangzhou H3C Technologies Co., Ltd Network access control
CN107925576A (en) * 2015-08-31 2018-04-17 松下知识产权经营株式会社 Controller, communication means and communication system
US10764275B2 (en) 2015-08-31 2020-09-01 Panasonic Intellectual Property Management Co., Ltd. Controller, communication method, and communication system
CN107925576B (en) * 2015-08-31 2021-12-10 松下知识产权经营株式会社 Controller, communication method, and communication system
CN110188079A (en) * 2019-04-03 2019-08-30 特斯联(北京)科技有限公司 A kind of external equipment management method based on distributed storage database



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20161212

Address after: 100015 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3

Patentee after: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Patentee before: Beijing Qihoo Technology Co., Ltd.

Patentee before: Qizhi Software (Beijing) Co., Ltd.

CP01 Change in the name or title of a patent holder

Address after: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Patentee after: Qianxin Technology Group Co., Ltd.

Address before: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Patentee before: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.
