CN103051608B - A kind of method and apparatus of movable equipment access monitoring - Google Patents

Info

Publication number
CN103051608B
Authority
CN (China)
Prior art keywords
movable equipment; access; information; described movable; control server
Legal status
Active
Application number
CN201210520765.9A
Other languages
Chinese (zh)
Other versions
CN103051608A (en)
Inventor
李宇
Current Assignee
Qianxin Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd

Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201210520765.9A
Publication of CN103051608A
Application granted
Publication of CN103051608B
Legal status: Active (current)
Anticipated expiration

Abstract

The invention discloses a method and apparatus for monitoring removable device access. The method comprises: presetting a list of legal removable device information in a security control server, where the security control server controls the security of the clients connected to it and the list contains the unique identifiers of the removable devices that are allowed to access; when the client detects that a removable device has been connected, computing the unique identifier of that removable device; and sending the unique identifier to the security control server, which judges whether the unique identifier exists in the list of legal removable device information, allows access by the removable device if so, and refuses it if not. The invention can accurately trace the source and destination of data, prevent virus infection, improve the security of removable device use, and protect network information.

Description

Method and apparatus for monitoring removable device access
Technical field
The present invention relates to the field of information security technology, and in particular to a method for monitoring removable device access and an apparatus for monitoring removable device access.
Background technology
At present, the spread of removable devices has made data transfer and carrying convenient, and removable devices are widely used in daily life and work. In enterprises, however, file leakage is a frequent problem, and one of the main leakage channels is precisely the removable device, which is a serious threat to enterprises that cannot afford data loss or leakage.
To protect confidential information inside the enterprise, some enterprises deploy security management software internally and force automatic encryption whenever a document is created or edited, so that the file can only be used within the enterprise; other enterprises manage removable devices in various ways, for example by disabling USB ports so that removable devices cannot be used at all, in order to prevent data leakage. These approaches are inconvenient and cannot meet the enterprise's need for normal exchange of information.
Therefore, a technical problem that those skilled in the art urgently need to solve is to provide a method and apparatus for monitoring removable device access that can accurately trace the source and destination of data, prevent virus infection, improve the security of removable device use, and protect network information, in particular intranet information.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a method for monitoring removable device access, and a corresponding apparatus for monitoring removable device access, that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a method for monitoring removable device access is provided, comprising:
presetting a list of legal removable device information in a security control server, where the security control server controls the security of the clients connected to it and the list of legal removable device information contains the unique identifiers of the removable devices that are allowed to access;
when the client detects that a removable device has been connected, computing the unique identifier of the removable device;
sending the unique identifier to the security control server, which judges whether the unique identifier exists in the list of legal removable device information; if so, allowing access by the removable device; if not, refusing access by the removable device.
Optionally, the step of computing the unique identifier of the removable device when the client detects its connection comprises:
obtaining the hardware attribute information of the removable device;
judging whether a feature identifier exists on the removable device;
if so, extracting the feature identifier from the removable device;
if not, computing a feature identifier from the hardware attribute information and writing the feature identifier to the removable device;
computing the unique identifier of the removable device from its hardware attribute information and feature identifier.
Optionally, the method further comprises:
if the operation of writing the feature identifier to the removable device fails, sending information about the write failure to the security control server;
the security control server refusing access by the removable device on the basis of the write failure information.
Optionally, the security control server presets a time interval during which removable devices are allowed to access, and the method further comprises:
judging whether the removable device is connected within the allowed access time interval;
if the removable device is connected within the allowed access time interval, the security control server allowing access by the removable device;
if the removable device is not connected within the allowed access time interval, the security control server refusing access by the removable device.
Optionally, the method further comprises:
when access by the removable device is allowed, monitoring the write operations of the removable device;
sending information about the write operations to the security control server.
Optionally, the hardware attribute information comprises the removable device identifier, and/or the manufacturer information of the removable device, and/or the storage capacity of the removable device.
Optionally, the step of computing a feature identifier from the hardware attribute information and writing the feature identifier to the removable device comprises:
combining the removable device identifier and the hardware attribute information into a first string;
computing the feature identifier of the removable device from the first string using the MD5 message-digest algorithm;
writing the feature identifier of the removable device to the removable device.
Optionally, the step of computing the unique identifier of the removable device from its hardware attribute information and feature identifier comprises:
combining the feature identifier of the removable device and the hardware attribute information into a second string;
computing the unique identifier of the removable device from the second string using the MD5 message-digest algorithm.
Optionally, the connection of the removable device is monitored by a preset driver in the client.
Optionally, the access comprises readable access, writable access, and write-only (non-readable) access.
According to another aspect of the present invention, an apparatus for monitoring removable device access is provided, comprising:
a preset legal list module, located in the security control server, for controlling the security of the clients connected to it, where the list of legal removable device information contains the unique identifiers of the removable devices that are allowed to access;
a unique identifier computing module, located in the client, for computing the unique identifier of the removable device when its connection is detected;
a unique identifier sending module, located in the client, for sending the unique identifier to the security control server;
a unique identifier judging module, located in the security control server, for judging whether the unique identifier exists in the list of legal removable device information, calling the clearance module if so and the refusal module if not;
a clearance module, for allowing access by the removable device;
a refusal module, for refusing access by the removable device.
Optionally, the unique identifier computing module comprises:
a hardware attribute information acquisition submodule, for obtaining the hardware attribute information of the removable device;
a feature identifier judging submodule, for judging whether a feature identifier exists on the removable device, calling the feature identifier extraction submodule if so and the feature identifier computing submodule if not;
a feature identifier extraction submodule, for extracting the feature identifier from the removable device;
a feature identifier computing submodule, for computing a feature identifier from the hardware attribute information and writing the feature identifier to the removable device;
a unique identifier computing submodule, for computing the unique identifier of the removable device from its hardware attribute information and feature identifier.
Optionally, the apparatus further comprises:
a write failure information sending module, located in the client, for sending information about the write failure to the security control server if the operation of writing the feature identifier to the removable device fails;
a refusal access module, located in the security control server, for refusing access by the removable device on the basis of the write failure information.
Optionally, the security control server presets a time interval during which removable devices are allowed to access, and the apparatus further comprises:
a time interval judging module, located in the security control server, for judging whether the removable device is connected within the allowed access time interval, calling the in-interval allow access module if so and the in-interval refuse access module if not;
an in-interval allow access module, located in the security control server, for allowing access by the removable device if it is connected within the allowed access time interval;
an in-interval refuse access module, located in the security control server, for refusing access by the removable device if it is not connected within the allowed access time interval.
Optionally, the apparatus further comprises:
an access monitoring module, located in the client, for monitoring the write operations of the removable device when its access is allowed;
a write information sending module, located in the client, for sending information about the write operations to the security control server.
Optionally, the hardware attribute information comprises the removable device identifier, and/or the manufacturer information of the removable device, and/or the storage capacity of the removable device.
Optionally, the feature identifier computing submodule comprises:
a first string combining unit, for combining the removable device identifier and the hardware attribute information into a first string;
a second computing unit, for computing the feature identifier of the removable device from the first string using the MD5 message-digest algorithm;
a feature identifier writing unit, for writing the feature identifier of the removable device to the removable device.
Optionally, the unique identifier computing submodule comprises:
a second string combining unit, for combining the feature identifier of the removable device and the hardware attribute information into a second string;
a second computing unit, for computing the unique identifier of the removable device from the second string using the MD5 message-digest algorithm.
Optionally, the connection of the removable device is monitored by a preset driver in the client.
Optionally, the access comprises readable access, writable access, and write-only (non-readable) access.
The method and apparatus for monitoring removable device access according to the present invention judge whether to allow access by a removable device according to whether its unique identifier exists in the list of legal removable device information preset in the security control server, and monitor the write operations of the removable device once its access is allowed. This solves the leakage problem through removable devices that enterprises frequently encounter, and achieves the beneficial effects of accurately tracing the source and destination of data, preventing virus infection, improving the security of removable device use, and protecting network information, in particular intranet information.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and implemented according to the content of the specification, and that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the present invention. Throughout the drawings, identical parts are denoted by identical reference symbols. In the drawings:
Fig. 1 shows a flow chart of the steps of an embodiment of a method for monitoring removable device access according to an embodiment of the present invention;
Fig. 2 shows a structural block diagram of an embodiment of an apparatus for monitoring removable device access according to an embodiment of the present invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and so that its scope can be conveyed completely to those skilled in the art.
One of the core ideas of the embodiments of the present invention is to judge whether to allow access by a removable device according to whether its unique identifier exists in the list of legal removable device information preset in the security control server, and to monitor the write operations of the removable device once its access is allowed, so that the source and destination of data can be traced accurately, the security of removable device use is improved, and network information, in particular intranet information, is protected.
Referring to Fig. 1, a flow chart of the steps of an embodiment of the method for monitoring removable device access of the present invention is shown; it may specifically comprise the following steps:
Step 101: preset a list of legal removable device information in the security control server; the security control server controls the security of the clients connected to it, and the list of legal removable device information contains the unique identifiers of the removable devices that are allowed to access.
Take as an example applying the present invention on a PC (Personal Computer) with a private cloud client installed. A PC with the private cloud client installed can monitor files, prevent virus infection, and interact with the corresponding security control server, sending some locally computed information to the security control server. The PC can also monitor whether a new device has been connected, the type of the connected device, and whether it is a removable device.
It should be noted that in the embodiments of the present invention the security control server and the client are in a master/controlled relationship: the security control server controls the security of the clients connected to it, for example a server and clients in a local area network (LAN).
In a specific implementation, a list of legal removable device information needs to be preset in the security control server. The list contains the unique identifiers of the removable devices that are allowed to access and is used for comparison: whether it contains the unique identifier of the connected removable device decides whether the connection of that removable device is legal.
Step 102: when the client detects that a removable device has been connected, compute the unique identifier of the removable device.
In a preferred embodiment of the present invention, the connection of the removable device may be monitored by a preset driver in the client.
A preset driver is installed in the client, and this driver is used to monitor all write operations directed at the removable device. When the driver detects the connection of a removable device, it passes the relevant information up to the application layer. After receiving the information, the application layer sends a query to the security control server asking whether the device may be connected.
In a preferred example of the embodiment of the present invention, because the private cloud client is resident, the connection and removal of removable devices may be monitored through the WM_DEVICECHANGE window message; a driver may also be used for the monitoring. Preferably, if the query to the security control server times out, the removable device may also be ejected, to avoid occupying resources. In a preferred embodiment of the present invention, step 102 may comprise the following sub-steps:
Sub-step S11: obtain the hardware attribute information of the removable device;
Sub-step S12: judge whether a feature identifier exists on the removable device; if so, perform sub-step S13, if not, perform sub-step S14;
Sub-step S13: if so, extract the feature identifier from the removable device;
Sub-step S14: if not, compute a feature identifier from the hardware attribute information and write the feature identifier to the removable device;
Sub-step S15: compute the unique identifier of the removable device from its hardware attribute information and feature identifier.
When a removable device is connected to a PC with the private cloud client installed, the hardware attribute information and the feature identifier of the connected removable device are obtained. The hardware attribute information may comprise the intrinsic hardware attributes of the removable device and hardware attributes added to the removable device afterwards. The feature identifier of the removable device is computed from its hardware attribute information and marks the removable device further, beyond its hardware attribute information; the unique identifier is computed from the hardware attribute information together with the feature identifier. Thus even a removable device whose hardware attribute information is identical to that of an allowed device is not necessarily allowed to access, which protects network information, in particular corporate intranet information.
In a preferred embodiment of the present invention, the hardware attribute information may comprise the removable device identifier, and/or the manufacturer information of the removable device, and/or the storage capacity of the removable device.
In a preferred embodiment of the present invention, sub-step S14 may comprise the following sub-steps:
Sub-step S21: combine the removable device identifier and the hardware attribute information into a first string;
Sub-step S22: compute the feature identifier of the removable device from the first string using the MD5 message-digest algorithm;
Sub-step S23: write the feature identifier of the removable device to the removable device.
In a specific implementation, after the client detects that a removable device has been connected, it obtains the identifier of the removable device, its manufacturer information and its storage capacity, combines them into one string, and then computes the feature identifier of the removable device from that string using the MD5 algorithm. As is well known, MD5 (Message-Digest Algorithm 5) is a hash function widely used in the computer security field; it maps data to a fixed-length value, compressing the information into a secret form.
For example, if the removable device identifier is 5001, the manufacturer information is patriot and the storage capacity is 1000000K, they may be combined into the string 5001patriot1000000. Applying the MD5 algorithm to this string gives the 32-character unique feature identifier of the removable device, B64D19F84EEEF997453CDD25738C082C, and the computed feature identifier is then written to the removable device.
In a preferred embodiment of the present invention, step 102 may further comprise the following sub-steps:
if the operation of writing the feature identifier to the removable device fails, send information about the write failure to the security control server;
the security control server refuses access by the removable device on the basis of the write failure information.
Preferably, if the operation of writing the computed feature identifier to the removable device fails, the client can send information about the write failure to the security control server, and the security control server can refuse access by this removable device on the basis of the failure information, further protecting network information, in particular intranet information.
In a preferred embodiment of the present invention, sub-step S15 may comprise the following sub-steps:
Sub-step S31: combine the feature identifier of the removable device and the hardware attribute information into a second string;
Sub-step S32: compute the unique identifier of the removable device from the second string using the MD5 message-digest algorithm.
For example, if the removable device identifier is 5001, the manufacturer information is patriot, the storage capacity is 1000000K and the feature identifier of the removable device is B64D19F84EEEF997453CDD25738C082C, they may be combined into the string B64D19F84EEEF997453CDD25738C082C5001patriot1000000. Applying the MD5 algorithm to this string gives the 32-character unique identifier of the removable device, 45B51AE3C3445170E39801CA9ACD564D.
Of course, in practical applications the MD5 algorithm is not the only option; those skilled in the art may, taking the MD5 algorithm as a model, select another suitable algorithm to generate the feature identifier and unique identifier of the removable device, and the present invention is not limited in this respect.
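The client-side derivation described in sub-steps S11 to S15 (with S21 to S23 and S31 to S32), together with the write-failure case of the preceding embodiment, as an added Python example; this is not code from the patent or from the applicant. The `RemovableDevice` class is a constructed stand-in for the device and for the area on it where the feature identifier is stored, and `writable=False` models a device that rejects the write. The byte encoding and the exact concatenation of the strings are not specified by the page, so the digests produced here are not expected to match the sample values quoted above. The hash function is a parameter, in keeping with the statement that MD5 is not the only option.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class RemovableDevice:
    """Constructed stand-in for a removable device (hypothetical class, not the patent's)."""
    device_id: str                            # removable device identifier
    manufacturer: str                         # manufacturer information
    capacity_kb: int                          # storage capacity in K
    writable: bool = True                     # False models a write-protected device
    stored_feature_id: Optional[str] = None   # feature identifier previously written to the device

    def read_feature_id(self) -> Optional[str]:
        """Sub-steps S12/S13: return the feature identifier stored on the device, if any."""
        return self.stored_feature_id

    def write_feature_id(self, feature_id: str) -> bool:
        """Sub-step S23: persist the feature identifier; returns False when the write fails."""
        if not self.writable:
            return False
        self.stored_feature_id = feature_id
        return True


def hardware_attribute_string(dev: RemovableDevice) -> str:
    """Sub-step S21's first string: identifier, manufacturer and capacity concatenated
    (the concatenation format is an assumption; the page gives only one sample)."""
    return f"{dev.device_id}{dev.manufacturer}{dev.capacity_kb}"


def compute_feature_id(dev: RemovableDevice, digest: Callable = hashlib.md5) -> str:
    """Sub-step S22: hash the first string to a 32-character upper-case hex feature identifier."""
    return digest(hardware_attribute_string(dev).encode("utf-8")).hexdigest().upper()


def compute_unique_id(dev: RemovableDevice, feature_id: str, digest: Callable = hashlib.md5) -> str:
    """Sub-steps S31/S32: hash the second string, feature identifier followed by the hardware attributes."""
    second_string = feature_id + hardware_attribute_string(dev)
    return digest(second_string.encode("utf-8")).hexdigest().upper()


def client_identify(dev: RemovableDevice) -> Tuple[str, bool]:
    """Run sub-steps S11 to S15 for one connected device.

    Returns (unique_identifier, write_failed). write_failed is what the client
    reports to the security control server so that it can refuse the device."""
    feature_id = dev.read_feature_id()                 # S12: does a feature identifier exist?
    write_failed = False
    if feature_id is None:                              # S14: derive it and write it to the device
        feature_id = compute_feature_id(dev)
        write_failed = not dev.write_feature_id(feature_id)
    unique_id = compute_unique_id(dev, feature_id)      # S15
    return unique_id, write_failed


if __name__ == "__main__":
    # Constructed sample values in the spirit of the page's example device.
    dev = RemovableDevice("5001", "patriot", 1000000)
    uid, failed = client_identify(dev)
    print("feature identifier written:", dev.stored_feature_id)
    print("unique identifier:", uid, "write failed:", failed)
```

Two properties of the scheme are visible in the function shapes: a second connection of the same device reads the stored feature identifier instead of recomputing it, so the unique identifier is stable; and a device that carries the same hardware attributes but a different stored feature identifier yields a different unique identifier, which is the point the description makes about identical hardware attributes not being sufficient for access.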
Step 103: send the unique identifier to the security control server, which judges whether the unique identifier exists in the list of legal removable device information; if so, perform step 104, if not, perform step 105.
Step 104: allow access by the removable device.
Step 105: refuse access by the removable device.
In the embodiments of the present invention, the association between the client and the security control server is used to manage the removable devices connected to the client. If the unique identifier of the removable device connected to the client exists in the list of legal removable device information in the security control server, the connection of that removable device is legal and the security control server allows its access. If the unique identifier of the removable device connected to the client does not exist in the list of legal removable device information of the security control server, the connection of that removable device is illegal and the security control server refuses its access.
In a preferred embodiment of the present invention, a time interval during which removable devices are allowed to access may also be preset in the security control server, in which case the method may further comprise the following steps:
judging whether the removable device is connected within the allowed access time interval;
if the removable device is connected within the allowed access time interval, the security control server allows access by the removable device;
if the removable device is not connected within the allowed access time interval, the security control server refuses access by the removable device.
By setting an allowed access time interval for a removable device that is allowed to access, that removable device can only be connected to and used on the client within the allowed time interval, and its access is refused outside the allowed time interval, further protecting network information, in particular intranet information. In practice, an identifying name may also be set for a removable device that is allowed to access, to facilitate recognition and subsequent management by the administrator.
In a specific implementation, a removable device that is allowed to access may be given read access, write access, or write-only (non-readable) access, and the removable device operates on the client according to its corresponding permission.
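Steps 103 to 105 together with the write-failure, allowed-interval, identifying-name and permission checks described above, as an added server-side Python example (not the patent's own code). `SecurityControlServer`, `AllowedDevice` and `Decision` are hypothetical names. The allowed interval is modelled as a daily time-of-day window, which is one reading of the page's "time interval" (an absolute validity period would be another); the unique identifier in the demo list is the sample value from the description, and the other entries are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time
from enum import Enum
from typing import Dict, Optional

# Sample unique identifier quoted in the description; the rest of the list is constructed.
SAMPLE_UID = "45B51AE3C3445170E39801CA9ACD564D"


class Access(Enum):
    READ = "read"              # readable access
    WRITE = "write"            # writable access
    WRITE_ONLY = "write_only"  # write-only, non-readable access


@dataclass(frozen=True)
class AllowedDevice:
    """One entry of the legal removable device list (keyed by unique identifier)."""
    name: str                            # identifying name set by the administrator
    access: Access                       # permission the device operates under on the client
    window_start: Optional[str] = None   # allowed access interval as "HH:MM"; None means any time
    window_end: Optional[str] = None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    name: Optional[str] = None
    access: Optional[Access] = None


def _in_window(entry: AllowedDevice, at: datetime) -> bool:
    """True if `at` falls inside the entry's daily window.
    A window whose end precedes its start (e.g. 22:00 to 06:00) wraps past midnight."""
    if entry.window_start is None or entry.window_end is None:
        return True
    start = time.fromisoformat(entry.window_start)
    end = time.fromisoformat(entry.window_end)
    now = at.time()
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


class SecurityControlServer:
    """Hypothetical server holding the preset legal list and making the access decision."""

    def __init__(self, legal_list: Dict[str, AllowedDevice]):
        # Normalize keys so a client reporting lower-case hex still matches.
        self.legal_list = {uid.upper(): entry for uid, entry in legal_list.items()}

    def decide(self, unique_id: str, when_iso: str, write_failed: bool = False) -> Decision:
        """Steps 103-105 plus the two extra refusals: write failure and allowed interval.
        `when_iso` is the connection time as an ISO-8601 string, e.g. "2024-01-15T10:30:00"."""
        if write_failed:
            # The client could not write the feature identifier to the device.
            return Decision(False, "feature identifier could not be written to the device")
        entry = self.legal_list.get(unique_id.upper())
        if entry is None:
            return Decision(False, "unique identifier not in the legal device list")
        if not _in_window(entry, datetime.fromisoformat(when_iso)):
            return Decision(False, "outside the allowed access interval", name=entry.name)
        return Decision(True, "allowed", name=entry.name, access=entry.access)


def demo_server() -> SecurityControlServer:
    """Constructed legal list: one office-hours device and one night-shift device."""
    return SecurityControlServer({
        SAMPLE_UID: AllowedDevice("finance-usb-01", Access.WRITE, "09:00", "18:00"),
        "A" * 32: AllowedDevice("night-shift-usb", Access.READ, "22:00", "06:00"),
        "B" * 32: AllowedDevice("dropbox-usb", Access.WRITE_ONLY),
    })


if __name__ == "__main__":
    server = demo_server()
    for uid, when in [(SAMPLE_UID, "2024-01-15T10:30:00"), (SAMPLE_UID, "2024-01-15T20:00:00"),
                      ("C" * 32, "2024-01-15T10:30:00")]:
        print(uid[:8], when, server.decide(uid, when))
```

The refusal reasons are returned rather than merely logged so that the client can act on them (eject on refusal, apply the returned `access` mode on allow) and so that the server's audit trail distinguishes an unknown device from a known device connecting outside its window.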
In a preferred embodiment of the present invention, the method may further comprise the following steps:
when access by the removable device is allowed, monitoring the write operations of the removable device;
sending information about the write operations to the security control server.
Preferably, once the removable device has been allowed to access and is in normal use, the security control server monitors the write operations of this removable device, and every write to the removable device is reported to the security control server. Write operations include saving a file to the removable device and saving a file from the removable device to the local disk; as long as the source path or the destination path is on the removable device, the operation is recorded and sent to the security control server. In this way the source and destination of data can be traced accurately, virus infection prevented, and the security of removable device use improved.
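The write monitoring described above, as an added Python example that is not part of the patent: `WriteMonitor` is a hypothetical client-side component that receives the source and destination paths of each completed file write (the driver or application-layer hook supplying them is assumed and not shown), keeps a record whenever either path lies on a mounted removable device, and serializes the records as JSON lines for sending to the security control server. Paths are parsed with pathlib's `PureWindowsPath` so the example runs on any platform; the drive-letter mapping and the sample paths are constructed.

```python
import json
from dataclasses import dataclass, asdict
from pathlib import PureWindowsPath
from typing import Dict, List, Optional


@dataclass(frozen=True)
class WriteRecord:
    """One write involving a removable device, as reported to the security control server."""
    timestamp: str      # ISO-8601 time of the write, as supplied by the hook
    unique_id: str      # unique identifier of the removable device involved
    direction: str      # "to_device" (saved onto the device) or "from_device" (saved to local disk)
    source: str
    destination: str
    size_bytes: int


class WriteMonitor:
    """Hypothetical client-side monitor for writes whose source or destination is a removable device."""

    def __init__(self, mounted: Dict[str, str]):
        # drive letter (e.g. "E:") -> unique identifier of the removable device mounted there
        self.mounted = {drive.upper().rstrip("\\"): uid for drive, uid in mounted.items()}
        self._pending: List[WriteRecord] = []

    def device_for(self, path: str) -> Optional[str]:
        """Unique identifier of the removable device holding `path`, or None for a local path."""
        return self.mounted.get(PureWindowsPath(path).drive.upper())

    def observe(self, source: str, destination: str, size_bytes: int, when_iso: str) -> Optional[WriteRecord]:
        """Record the write if either endpoint is on a removable device; return None for local-only writes."""
        src_dev = self.device_for(source)
        dst_dev = self.device_for(destination)
        if src_dev is None and dst_dev is None:
            return None
        # A copy onto the device counts as "to_device" even if the source is another device.
        direction = "to_device" if dst_dev is not None else "from_device"
        record = WriteRecord(when_iso, dst_dev or src_dev, direction, source, destination, size_bytes)
        self._pending.append(record)
        return record

    def pending(self) -> List[dict]:
        """Records not yet sent, as plain dicts."""
        return [asdict(r) for r in self._pending]

    def report(self) -> str:
        """Serialize pending records as JSON lines for the security control server, then clear them."""
        payload = "\n".join(json.dumps(r, sort_keys=True) for r in self.pending())
        self._pending.clear()
        return payload


if __name__ == "__main__":
    # Constructed mapping: drive E: is the device whose unique identifier the description quotes.
    monitor = WriteMonitor({"E:": "45B51AE3C3445170E39801CA9ACD564D"})
    monitor.observe("C:\\Users\\alice\\report.docx", "E:\\backup\\report.docx", 2048, "2024-01-15T10:00:00")
    monitor.observe("E:\\tools\\setup.exe", "C:\\Temp\\setup.exe", 4096, "2024-01-15T10:01:00")
    monitor.observe("C:\\a.txt", "D:\\b.txt", 10, "2024-01-15T10:02:00")   # local only, not recorded
    print(monitor.report())
```

Recording both directions is what makes the trail useful in the two situations the description names: a file leaving the network is a `to_device` record with its local source path, and a file brought in from outside (the virus-infection case) is a `from_device` record whose destination shows where it landed on the client.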
After the operations involving the removable device on the client are complete and the removable device needs to be removed, it can be unloaded by calling SetupDiDestroyDeviceInfoList to destroy the device information set and release the associated memory, and the removable device is then ejected from ring 3 (the lowest CPU privilege level); alternatively, a driver may be used to unload it.
It should be noted that, for simplicity of description, the method embodiments are all expressed as a series of combined actions; those skilled in the art should know, however, that the present invention is not limited by the described order of actions, since according to the present invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
With reference to Fig. 2, a structural block diagram of a device embodiment of removable device access monitoring according to the present invention is shown; it may specifically comprise the following modules:
Preset legitimate list module 201, located in the security control server, which controls the security of the clients connected to it; the list of legitimate removable device information comprises the unique identifiers of the removable devices allowed access;
Unique identifier computing module 202, located in the client, for computing the unique identifier of the removable device when its access is detected;
In a preferred embodiment of the invention, access by the removable device can be monitored by a preset driver in the client.
In a preferred embodiment of the invention, the unique identifier computing module 202 may comprise the following submodules:
Hardware attribute information acquisition submodule, for obtaining the hardware attribute information of the removable device;
Signature identifier judgement submodule, for judging whether a signature identifier is present on the removable device; if so, the signature identifier extraction submodule is called, otherwise the signature identifier computing submodule is called;
Signature identifier extraction submodule, for extracting the signature identifier from the removable device;
Signature identifier computing submodule, for computing a signature identifier from the hardware attribute information and writing it to the removable device;
Unique identifier computing submodule, for computing the unique identifier of the removable device from its hardware attribute information and signature identifier.
In a preferred embodiment of the invention, the device may further comprise the following modules:
Write failure information sending module, located in the client, for sending information about the failed write operation to the security control server when writing the signature identifier to the removable device fails;
Access refusal module, located in the security control server, for refusing access by the removable device according to the write-failure information.
In a preferred embodiment of the invention, the security control server presets a time interval during which removable devices are allowed access, and the device may further comprise the following modules:
Time interval judgement module, located in the security control server, for judging whether the removable device accesses within the allowed time interval; if so, the in-interval access permission module is called, otherwise the in-interval access refusal module is called;
In-interval access permission module, located in the security control server, for allowing access by the removable device if it accesses within the allowed time interval;
In-interval access refusal module, located in the security control server, for refusing access by the removable device if it does not access within the allowed time interval.
In a preferred embodiment of the invention, the hardware attribute information may comprise the removable device identifier, and/or the manufacturer information of the removable device, and/or the storage capacity of the removable device.
In a preferred embodiment of the invention, the signature identifier computing submodule may comprise the following units:
First string combination unit, for combining the removable device identifier and the hardware attribute information into a first string;
Second computing unit, for computing the signature identifier of the removable device from the first string using the MD5 message digest algorithm;
Signature identifier writing unit, for writing the signature identifier of the removable device to the removable device.
In a preferred embodiment of the invention, the unique identifier computing submodule may comprise the following units:
Second string combination unit, for combining the signature identifier of the removable device and the hardware attribute information into a second string;
Second computing unit, for computing the unique identifier of the removable device from the second string using the MD5 message digest algorithm.
Unique identifier sending module 203, located in the client, for sending the unique identifier to the security control server;
Unique identifier judgement module 204, located in the security control server, for judging whether the unique identifier is present in the list of legitimate removable device information; if so, the clearance module 205 is called, otherwise the refusal module 206 is called;
Clearance module 205, for allowing access by the removable device;
Refusal module 206, for refusing access by the removable device.
In a preferred embodiment of the invention, the access may comprise readable access, writable access, and access that is neither readable nor writable.
In a preferred embodiment of the invention, the device may further comprise the following modules:
Access monitoring module, located in the client, for monitoring write operations on the removable device when its access is allowed;
Write information sending module, located in the client, for sending information about the write operations to the security control server.
Since the device embodiment of Fig. 2 is essentially similar to the method embodiment of Fig. 1, it is described relatively briefly; for the relevant parts, see the description of the method embodiment.
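The identifier derivation and the server-side decision described in the device embodiment above (and restated in claims 1 to 4, 6 and 7 below) are modelled here as an added Python example; this is not code from the patent or from its assignee. The hardware attribute field names, the "|" separator used to build the first and second strings, the 09:00 to 18:00 access interval, the write-log record format and the sample devices are all assumptions: the text specifies MD5 and which values are combined, but not how they are concatenated.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class HardwareAttributes:
    """Hardware attribute information named in the text (field names are assumptions)."""
    device_id: str        # removable device identifier
    manufacturer: str     # manufacturer information
    capacity_bytes: int   # storage capacity


@dataclass
class RemovableDevice:
    """Constructed stand-in for a removable device; writable=False forces the write-failure path."""
    hw: HardwareAttributes
    signature: Optional[str] = None   # signature identifier stored on the medium, if any
    writable: bool = True


def compute_signature(hw: HardwareAttributes) -> str:
    """First string: device identifier plus hardware attributes, MD5-hashed to the signature identifier."""
    first = "|".join([hw.device_id, hw.manufacturer, str(hw.capacity_bytes)])
    return hashlib.md5(first.encode("utf-8")).hexdigest()  # MD5 as the text specifies; "|" is an assumption


def compute_unique_identifier(hw: HardwareAttributes, signature: str) -> str:
    """Second string: signature identifier plus hardware attributes, MD5-hashed to the unique identifier."""
    second = "|".join([signature, hw.device_id, hw.manufacturer, str(hw.capacity_bytes)])
    return hashlib.md5(second.encode("utf-8")).hexdigest()


def client_compute_unique_identifier(device: RemovableDevice) -> str:
    """Client side: extract the stored signature, or compute and write it, then derive the identifier."""
    if device.signature is None:
        signature = compute_signature(device.hw)
        if not device.writable:
            raise OSError(f"cannot write signature to {device.hw.device_id}")  # as a real write would fail
        device.signature = signature
    return compute_unique_identifier(device.hw, device.signature)


@dataclass
class SecurityControlServer:
    """Server side: legitimate device list, preset access interval, and reported write operations."""
    legal_identifiers: set = field(default_factory=set)
    window_start: time = time(9, 0)    # assumed preset interval 09:00-18:00
    window_end: time = time(18, 0)
    write_log: list = field(default_factory=list)

    def register(self, device: RemovableDevice) -> str:
        """Enrol a device: its unique identifier joins the legitimate list."""
        uid = client_compute_unique_identifier(device)
        self.legal_identifiers.add(uid)
        return uid

    def decide(self, unique_identifier: Optional[str], now: datetime, write_failed: bool = False) -> str:
        """Checks in the order the text gives them: write failure, list membership, time interval."""
        if write_failed:
            return "deny: signature write failed"
        if unique_identifier not in self.legal_identifiers:
            return "deny: not in legitimate device list"
        if not (self.window_start <= now.time() <= self.window_end):
            return "deny: outside allowed time interval"
        return "allow"

    def report_write(self, unique_identifier: str, path: str, size: int) -> int:
        """A client reports a write operation on an allowed device; returns the number of records kept."""
        self.write_log.append((unique_identifier, path, size))
        return len(self.write_log)


def client_access(server: SecurityControlServer, device: RemovableDevice, now: datetime) -> str:
    """One device insertion: identifier computed (or the write failure reported), server decides."""
    try:
        uid = client_compute_unique_identifier(device)
    except OSError:
        return server.decide(None, now, write_failed=True)
    return server.decide(uid, now)


# Constructed sample devices; the identifier strings are not real hardware values.
ENROLLED = RemovableDevice(HardwareAttributes("VID_1234-PID_5678-SN0001", "ExampleVendor", 16_000_000_000))
UNKNOWN = RemovableDevice(HardwareAttributes("VID_1234-PID_5678-SN0002", "ExampleVendor", 16_000_000_000))
READ_ONLY = RemovableDevice(HardwareAttributes("VID_9999-PID_0001-SN0003", "OtherVendor", 8_000_000_000), writable=False)


def demo() -> dict:
    """Enrol one device, then run the cases the text distinguishes; call demo() to see the decisions."""
    server = SecurityControlServer()
    uid = server.register(ENROLLED)  # computes and writes ENROLLED's signature
    in_hours, after_hours = datetime(2012, 12, 6, 10, 30), datetime(2012, 12, 6, 22, 0)
    results = {
        "enrolled_in_hours": client_access(server, ENROLLED, in_hours),      # stored signature extracted
        "enrolled_after_hours": client_access(server, ENROLLED, after_hours),
        "unknown": client_access(server, UNKNOWN, in_hours),                 # signature written, not enrolled
        "read_only": client_access(server, READ_ONLY, in_hours),             # signature write fails
    }
    results["write_log_entries"] = server.report_write(uid, "/media/usb0/report.docx", 2048)  # constructed event
    return results
```

Two design points follow from the text. Every refusal carries its reason, so the write-failure, unknown-device and out-of-hours cases stay distinguishable in the server's records, which is what makes the monitoring useful to a defender. MD5 is kept only because the text specifies it: here it turns readable attributes into a fixed-length tag, and since both the attributes and the stored signature can be read from the device, the identifier tracks a device rather than proving its identity; the legitimate list and the write log are where the control actually rests.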
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teaching herein. From the above description, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and that the above description of a specific language is given to disclose the best mode of the invention.
In the specification provided herein, a large number of specific details are described. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the apparatus of an embodiment may be adaptively changed and arranged in one or more apparatuses different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into multiple submodules, subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include some features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the removable device access monitoring apparatus according to an embodiment of the invention. The invention may also be embodied as an apparatus or device program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order. These words may be interpreted as names.

Claims (16)

1. An access monitoring method for a removable device, comprising:
presetting a list of legitimate removable device information in a security control server, the security control server controlling the security of the clients connected to it, and the list of legitimate removable device information comprising the unique identifiers of the removable devices allowed access;
when a client detects access by a removable device, computing the unique identifier of the removable device;
sending the unique identifier to the security control server, the security control server judging whether the unique identifier is present in the list of legitimate removable device information; if so, allowing access by the removable device; if not, refusing access by the removable device;
wherein the step of computing the unique identifier of the removable device when the client detects access by the removable device comprises:
obtaining the hardware attribute information of the removable device;
judging whether a signature identifier is present on the removable device;
if so, extracting the signature identifier from the removable device;
if not, computing a signature identifier from the hardware attribute information and writing the signature identifier to the removable device;
computing the unique identifier of the removable device from the hardware attribute information and the signature identifier of the removable device.
2. The method of claim 1, further comprising:
if the operation of writing the signature identifier to the removable device fails, sending information about the failed write operation to the security control server;
the security control server refusing access by the removable device according to the information about the failed write operation.
3. The method of claim 1, wherein the security control server presets a time interval during which removable devices are allowed access, and the method further comprises:
judging whether the removable device accesses within the allowed time interval;
if the removable device accesses within the allowed time interval, the security control server allowing access by the removable device;
if the removable device does not access within the allowed time interval, the security control server refusing access by the removable device.
4. The method of claim 1, further comprising:
when access by the removable device is allowed, monitoring write operations on the removable device;
sending information about the write operations to the security control server.
5. The method of claim 1, wherein the hardware attribute information comprises the removable device identifier, and/or the manufacturer information of the removable device, and/or the storage capacity of the removable device.
6. The method of claim 1 or 5, wherein the step of computing a signature identifier from the hardware attribute information and writing the signature identifier to the removable device comprises:
combining the removable device identifier and the hardware attribute information into a first string;
computing the signature identifier of the removable device from the first string using the MD5 message digest algorithm;
writing the signature identifier of the removable device to the removable device.
7. The method of claim 1 or 5, wherein the step of computing the unique identifier of the removable device from the hardware attribute information and the signature identifier of the removable device comprises:
combining the signature identifier of the removable device and the hardware attribute information into a second string;
computing the unique identifier of the removable device from the second string using the MD5 message digest algorithm.
8. The method of claim 1, wherein access by the removable device is monitored by a preset driver in the client.
9. The method of claim 1, wherein the access comprises readable access, writable access, and access that is neither readable nor writable.
10. An access monitoring apparatus for a removable device, comprising:
a preset legitimate list module, located in the security control server, the security control server controlling the security of the clients connected to it, and the list of legitimate removable device information comprising the unique identifiers of the removable devices allowed access;
a unique identifier computing module, located in the client, for computing the unique identifier of the removable device when its access is detected;
a unique identifier sending module, located in the client, for sending the unique identifier to the security control server;
a unique identifier judgement module, located in the security control server, for judging whether the unique identifier is present in the list of legitimate removable device information; if so, calling the clearance module, and if not, calling the refusal module;
a clearance module, for allowing access by the removable device;
a refusal module, for refusing access by the removable device;
wherein the unique identifier computing module comprises:
a hardware attribute information acquisition submodule, for obtaining the hardware attribute information of the removable device;
a signature identifier judgement submodule, for judging whether a signature identifier is present on the removable device; if so, calling the signature identifier extraction submodule, and if not, calling the signature identifier computing submodule;
a signature identifier extraction submodule, for extracting the signature identifier from the removable device;
a signature identifier computing submodule, for computing a signature identifier from the hardware attribute information and writing the signature identifier to the removable device;
a unique identifier computing submodule, for computing the unique identifier of the removable device from the hardware attribute information and the signature identifier of the removable device.
11. The apparatus of claim 10, further comprising:
a write failure information sending module, located in the client, for sending information about the failed write operation to the security control server if the operation of writing the signature identifier to the removable device fails;
an access refusal module, located in the security control server, for refusing access by the removable device according to the information about the failed write operation.
12. The apparatus of claim 10, wherein the security control server presets a time interval during which removable devices are allowed access, and the apparatus further comprises:
a time interval judgement module, located in the security control server, for judging whether the removable device accesses within the allowed time interval; if so, calling the in-interval access permission module, and if not, calling the in-interval access refusal module;
an in-interval access permission module, located in the security control server, for allowing access by the removable device if it accesses within the allowed time interval;
an in-interval access refusal module, located in the security control server, for refusing access by the removable device if it does not access within the allowed time interval.
13. The apparatus of claim 10, further comprising:
an access monitoring module, located in the client, for monitoring write operations on the removable device when its access is allowed;
a write information sending module, located in the client, for sending information about the write operations to the security control server.
14. The apparatus of claim 10, wherein the hardware attribute information comprises the removable device identifier, and/or the manufacturer information of the removable device, and/or the storage capacity of the removable device.
15. The apparatus of claim 10 or 14, wherein the signature identifier computing submodule comprises:
a first string combination unit, for combining the removable device identifier and the hardware attribute information into a first string;
a second computing unit, for computing the signature identifier of the removable device from the first string using the MD5 message digest algorithm;
a signature identifier writing unit, for writing the signature identifier of the removable device to the removable device.
16. The apparatus of claim 10 or 14, wherein the unique identifier computing submodule comprises:
a second string combination unit, for combining the signature identifier of the removable device and the hardware attribute information into a second string;
a second computing unit, for computing the unique identifier of the removable device from the second string using the MD5 message digest algorithm.
CN201210520765.9A 2012-12-06 2012-12-06 A kind of method and apparatus of movable equipment access monitoring Active CN103051608B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210520765.9A CN103051608B (en) 2012-12-06 2012-12-06 A kind of method and apparatus of movable equipment access monitoring

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210520765.9A CN103051608B (en) 2012-12-06 2012-12-06 A kind of method and apparatus of movable equipment access monitoring

Publications (2)

Publication Number Publication Date
CN103051608A CN103051608A (en) 2013-04-17
CN103051608B true CN103051608B (en) 2015-11-25

Family

ID=48064107

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210520765.9A Active CN103051608B (en) 2012-12-06 2012-12-06 A kind of method and apparatus of movable equipment access monitoring

Country Status (1)

Country Link
CN (1) CN103051608B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104580116B (en) * 2013-10-25 2018-09-14 新华三技术有限公司 A kind of management method and equipment of security strategy
JP6739036B2 (en) * 2015-08-31 2020-08-12 パナソニックIpマネジメント株式会社 controller
CN110188079B (en) * 2019-04-03 2020-05-12 特斯联(北京)科技有限公司 External equipment management method based on distributed storage database

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101364986A (en) * 2008-09-19 2009-02-11 广东南方信息安全产业基地有限公司 Credible equipment authentication method under network environment
CN102710588A (en) * 2011-09-23 2012-10-03 新奥特(北京)视频技术有限公司 Method, device, server and system for identifying code in data safety monitoring and controlling

Also Published As

Publication number Publication date
CN103051608A (en) 2013-04-17

Similar Documents

Publication Publication Date Title
US10938854B2 (en) Systems and methods for preventive ransomware detection using file honeypots
EP3378007B1 (en) Systems and methods for anonymizing log entries
US10685111B2 (en) File-modifying malware detection
US10079835B1 (en) Systems and methods for data loss prevention of unidentifiable and unsupported object types
US10664592B2 (en) Method and system to securely run applications using containers
US10614233B2 (en) Managing access to documents with a file monitor
US10154066B1 (en) Context-aware compromise assessment
US9652597B2 (en) Systems and methods for detecting information leakage by an organizational insider
CN104662517A (en) Techniques for detecting a security vulnerability
US9323930B1 (en) Systems and methods for reporting security vulnerabilities
CN101667232B (en) Terminal credible security system and method based on credible computing
US9405904B1 (en) Systems and methods for providing security for synchronized files
CA2915068C (en) Systems and methods for directing application updates
US20090328210A1 (en) Chain of events tracking with data tainting for automated security feedback
CN104573530A (en) Security reinforcing system for server
US9659182B1 (en) Systems and methods for protecting data files
CN113132318A (en) Active defense method and system for information safety of power distribution automation system master station
US9519780B1 (en) Systems and methods for identifying malware
CN102663313B (en) Method for realizing information security of computer system
CN103051608B (en) A kind of method and apparatus of movable equipment access monitoring
Johnson Barriers to the use of intrusion detection systems in safety-critical applications
CN103023651B (en) Be used for the method and apparatus of the access of monitoring movable equipment
Kang et al. A strengthening plan for enterprise information security based on cloud computing
US11651313B1 (en) Insider threat detection using access behavior analysis
US10938849B2 (en) Auditing databases for security vulnerabilities

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20161212

Address after: 100015 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3

Patentee after: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Patentee before: Beijing Qihoo Technology Co., Ltd.

Patentee before: Qizhi Software (Beijing) Co., Ltd.

CP01 Change in the name or title of a patent holder

Address after: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Patentee after: Qianxin Technology Group Co., Ltd.

Address before: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Patentee before: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

CP01 Change in the name or title of a patent holder