CN108259509A - Network access verifying method, system, computer equipment and storage medium - Google Patents


Info

Publication number
CN108259509A
Application number
CN201810161590.4A
Authority
CN (China)
Prior art keywords
data packet
network access
information
user terminal
mirror image
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Other languages
Chinese (zh)
Inventors
王风玲
曾庆坚
毛绍嵘
刘号召
张颖
潘浩
高保庆
Current assignee (as listed by Google Patents)
CENTURY DRAGON INFORMATION NETWORK Co Ltd
Original assignee
CENTURY DRAGON INFORMATION NETWORK Co Ltd
Events
Application filed by CENTURY DRAGON INFORMATION NETWORK Co Ltd
Priority to CN201810161590.4A
Publication of CN108259509A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint


Abstract

This application relates to a network access authentication method, system, computer device and storage medium. The method comprises: obtaining a mirrored packet from a network access device, the mirrored packet being generated when the network access device receives a network access request sent by a user terminal; parsing the mirrored packet to obtain the five-tuple of the user terminal; sending the five-tuple to a bypass server to verify whether the user terminal has history access information; and, if the server returns a verification result that no history access information exists, constructing a redirect packet from the five-tuple and sending the redirect packet to the user terminal through the network access device, so that a network access authentication page is generated at the user terminal. With this method, network access authentication does not pass through iptables, which improves the overall efficiency of network access authentication.

Description

Network access verifying method, system, computer equipment and storage medium
Technical field
This application relates to the technical field of network security, and in particular to a network access authentication method, system, computer device and storage medium.
Background technology
With the development of network technology, network access authentication has emerged. Network access authentication means that before a user accesses the network provided by a server, the server authenticates the identity of the user, and only after authentication passes can the user go online normally. Usually the network access authentication request is forwarded by a network access device, and an authentication tool integrated into that device, such as WiFidog, exchanges data with the server: WiFidog performs the redirection and control of user terminal authentication, and the server implements the authentication and management of user identity. However, existing network access authentication is implemented by way of iptables (the IP packet filtering system), which performs poorly and lowers the packet processing speed of the network access device as a whole, so that the efficiency of the whole network access authentication is low.
Invention content
Based on this, for the above technical problem it is necessary to provide a network access authentication method, system, computer device and storage medium that solve the low efficiency of network access authentication.
A network access authentication method, the method comprising:
obtaining a mirrored packet from a network access device, where the mirrored packet is generated when the network access device receives a network access request sent by a user terminal;
parsing the mirrored packet to obtain the five-tuple of the user terminal, and sending the five-tuple to a bypass server to verify whether the user terminal has history access information;
if a verification result returned by the server indicates that no history access information exists, constructing a redirect packet from the five-tuple and sending the redirect packet to the user terminal through the network access device, so that a network access authentication page is generated at the user terminal.
In the above network access authentication method, the mirrored packet obtained from the network access device carries the network access request sent by the user terminal. Parsing the five-tuple of the mirrored packet yields the five-tuple of the network access request, and the bypass server uses that five-tuple to check whether the user terminal has history access information. If it does not, identity authentication for network access is required: a redirect packet is constructed from the five-tuple and sent to the user terminal, which triggers the user terminal to generate a network access authentication page, where the user enters account information to complete network access authentication. Because the embodiment involves no iptables processing, the overall efficiency of network access authentication is improved.
In one embodiment, constructing the redirect packet from the five-tuple comprises: recombining the five-tuple using a preconfigured interface library for constructing redirect packets, to obtain the redirect packet; the interface library contains a packet construction interface for building redirect packets.
In one embodiment, recombining the five-tuple is: setting the source IP of the redirect packet to the destination IP of the five-tuple, and setting the destination IP of the redirect packet to the source IP of the five-tuple;
setting the source port of the redirect packet to the destination port of the five-tuple, and setting the destination port of the redirect packet to the source port of the five-tuple;
setting the seq value of the redirect packet to the ack value of the mirrored TCP segment, and setting the ack value of the redirect packet to the seq value of the mirrored segment plus the length of the data actually carried by the mirrored packet, excluding protocol headers.
In one embodiment the network access request includes URL information; the mirrored packet is then parsed to obtain both the five-tuple and the URL information.
Constructing the redirect packet from the five-tuple can then be: constructing the redirect packet from the URL information and the five-tuple.
In one embodiment the mirrored packet can be parsed for the URL information as follows: according to the application layer content contained in the mirrored packet, the URL information is obtained at the TCP processing layer by string matching.
In one embodiment the mirrored packet of the network access device can be obtained as follows: the port mirroring function of the network access device is configured in advance, the port mirroring function forwarding the mirrored packets from a source port to a designated port; the mirrored packets forwarded from the source port are then received.
A network access authentication system is also provided, the system comprising:
a receiving module, for obtaining a mirrored packet from a network access device, where the mirrored packet is generated when the network access device receives a network access request sent by a user terminal;
a parsing module, for parsing the mirrored packet to obtain the five-tuple of the user terminal and sending the five-tuple to a bypass server to verify whether the user terminal has history access information;
an authentication module, for constructing, if a verification result returned by the server indicates that no history access information exists, a redirect packet from the five-tuple and sending the redirect packet to the user terminal through the network access device, so that a network access authentication page is generated at the user terminal.
In the above network access authentication system, the receiving module obtains the mirrored packet from the network access device and thereby the network access request sent by the user terminal; the parsing module parses the five-tuple of the mirrored packet to obtain the five-tuple of the network access request, and the bypass server uses it to verify whether the user terminal has history access information. If not, the authentication module performs identity authentication for network access: it constructs a redirect packet from the five-tuple and sends it to the user terminal, triggering generation of the network access authentication page, where the user enters account information to complete network access authentication. The embodiment involves no iptables processing, so the overall efficiency of network access authentication is improved.
An internet behavior monitoring method based on network access authentication is also provided, the method comprising:
obtaining a mirrored packet from a network access device, where the mirrored packet is generated when the network access device receives a network access request sent by a user terminal;
parsing the mirrored packet to obtain the five-tuple of the user terminal, and sending the five-tuple to a bypass server to verify whether the user terminal has history access information;
if a verification result returned by the server indicates that no history access information exists, constructing a redirect packet from the five-tuple and sending the redirect packet to the user terminal through the network access device, so that a network access authentication page is generated at the user terminal;
receiving the account information entered by the user terminal at the network access authentication page and, after the account information is verified, monitoring the internet behavior of the user terminal that has passed network access authentication.
In the above internet behavior monitoring method, since mirrored packets can be obtained from the network access device, the internet behavior of a user terminal that has obtained network access can be monitored through the mirrored packets. The method builds on the network access authentication system and monitors user terminal internet behavior without adding extra equipment.
A computer device, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
obtaining a mirrored packet from a network access device, where the mirrored packet is generated when the network access device receives a network access request sent by a user terminal;
parsing the mirrored packet to obtain the five-tuple of the user terminal, and sending the five-tuple to a bypass server to verify whether the user terminal has history access information;
if a verification result returned by the server indicates that no history access information exists, constructing a redirect packet from the five-tuple and sending the redirect packet to the user terminal through the network access device, so that a network access authentication page is generated at the user terminal.
The above computer device, through the computer program run on its processor, performs network access authentication without iptables processing, which improves the overall efficiency of network access authentication.
A computer-readable storage medium storing a computer program which, when executed by a processor, implements the following steps:
obtaining a mirrored packet from a network access device, where the mirrored packet is generated when the network access device receives a network access request sent by a user terminal;
parsing the mirrored packet to obtain the five-tuple of the user terminal, and sending the five-tuple to a bypass server to verify whether the user terminal has history access information;
if a verification result returned by the server indicates that no history access information exists, constructing a redirect packet from the five-tuple and sending the redirect packet to the user terminal through the network access device, so that a network access authentication page is generated at the user terminal.
The above computer-readable storage medium, through the computer program stored on it, performs network access authentication without iptables processing, which improves the overall efficiency of network access authentication.
Description of the drawings
Fig. 1 is the application environment diagram of the network access authentication method in one embodiment;
Fig. 2 is the flow diagram of the network access authentication method in one embodiment;
Fig. 3 is the flow diagram of the network access authentication method in another embodiment;
Fig. 4 is the flow diagram of the network access authentication method in a specific embodiment;
Fig. 5 is the structure diagram of the network access authentication system in one embodiment;
Fig. 6 is the flow diagram of the internet behavior monitoring method based on network access authentication in one embodiment;
Fig. 7 is the internal structure diagram of the computer device in one embodiment.
Specific embodiments
In order to make the objectives, technical solutions and advantages of this application clearer, the application is further described below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here only explain the application and do not limit it.
The network access authentication method provided by this application can be applied in the application environment shown in Fig. 1. When the terminal 102 needs to access the network, the server 106 receives the network access request of the terminal 102 through the network access device 104 and parses it; the server 106 verifies the parse result and judges whether the terminal 102 has an access record. If it has none, the network access device 104 feeds back a redirect packet to the terminal 102, a network access authentication page is generated at the interface of the terminal 102, the terminal 102 enters account information in that page, the server 106 authenticates the account information of the terminal 102, and after authentication passes the terminal 102 can access the network. The terminal 102 can be, without limitation, a personal computer, notebook, smartphone, tablet or portable wearable device; the network access device 104 can be a router, a switch or similar; the server 106 can be an independent server or a cluster of servers.
In one embodiment, as shown in Fig. 2, a network access authentication method is provided. It is described by taking the method applied in bypass mode in Fig. 1 as an example, and includes the following steps:
Step 202: obtain the mirrored packet of the network access device; the mirrored packet is generated when the network access device receives the network access request sent by the user terminal.
Bypass mode, also called by-pass mode, generally means the following: the normal flow of a system contains a set of checking mechanisms, and when a checking mechanism fails and the fault cannot be cleared in the short term, the system can work around those checking mechanisms and keep running. In this step the core checking mechanism is the network access device of the application environment of Fig. 1.
Specifically, when the user terminal requests network access it generates a network access request. After the request is sent to the network access device, the monitoring engine running in bypass mode obtains the mirrored packet from that device. In this step the network access device essentially only forwards traffic, so the authentication tool deployed on the network access device is no longer in effect either; if the system works in bypass mode permanently, no additional authentication tool needs to be deployed on the network access device. The method of this embodiment can therefore be applied, with simple handling, to any network that has a network access device, which improves its applicability.
Step 204: parse the mirrored packet to obtain the five-tuple of the user terminal; send the five-tuple to the bypass server to verify whether the user terminal has history access information.
The five-tuple in step 204 means the source IP address, source port, destination IP address, destination port and transport layer protocol; the network authentication request sent by the user terminal contains all five. History access information means that the user terminal has previously accessed the network through the bypass server successfully.
Specifically, the network access request sent by the user terminal carries the five-tuple, so the five-tuple of the user terminal can be parsed out of the mirrored packet obtained in step 202; the five-tuple parsing of the mirrored packet is performed by the monitoring engine.
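The parsing of step 204, as an added example that is not part of the patent or of any monitoring engine it names: a classic pcap capture is read from memory, each Ethernet/IPv4/TCP frame is decoded, and the five-tuple together with the TCP seq, ack and payload (which the later redirect construction needs) is returned. The capture itself is constructed inline (one ARP frame that must be skipped and one GET from 10.0.0.23:51514 to 198.51.100.10:80, with checksums left zero); the addresses, ports and sequence numbers are assumptions for illustration.

```python
"""Parse a mirrored capture into TCP five-tuples (standard library only)."""
import socket
import struct
from typing import Iterator, List, NamedTuple, Optional

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read little-endian from a little-endian capture
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same bytes read from a big-endian capture
LINKTYPE_ETHERNET = 1
ETH_P_IP = 0x0800
IPPROTO_TCP = 6


class FiveTuple(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int


class TcpSegment(NamedTuple):
    ft: FiveTuple
    seq: int
    ack: int
    flags: int
    payload: bytes          # application-layer data, all headers stripped


def pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield each captured frame of a classic (non-pcapng) pcap file held in memory."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24                                     # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame: bytes) -> Optional[TcpSegment]:
    """Decode Ethernet/IPv4/TCP; None for anything else (ARP, UDP, IPv6, runts, truncation)."""
    if len(frame) < 14 + 20 + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    proto = ip[9]
    if proto != IPPROTO_TCP or ihl < 20 or total_len < ihl + 20 or total_len > len(ip):
        return None
    tcp = ip[ihl:total_len]                      # use the IP total length, not the frame length (padding)
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    doff = (off_flags >> 12) * 4
    if doff < 20 or doff > len(tcp):
        return None
    ft = FiveTuple(socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport, proto)
    return TcpSegment(ft, seq, ack, off_flags & 0x1FF, tcp[doff:])


def segments_from_pcap(data: bytes) -> List[TcpSegment]:
    """Five-tuple, seq, ack and payload of every TCP segment in the capture."""
    return [seg for seg in map(parse_tcp, pcap_frames(data)) if seg is not None]


def _eth(ethertype: int) -> bytes:
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ethertype)


def sample_pcap() -> bytes:
    """Constructed capture (not real traffic): an ARP frame, then one mirrored GET."""
    arp = _eth(0x0806) + b"\x00" * 46
    payload = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
    # seq 1000, ack 2000, data offset 5 words, flags PSH|ACK; checksums left zero (not verified here)
    tcp = struct.pack("!HHIIHHHH", 51514, 80, 1000, 2000, (5 << 12) | 0x018, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IPPROTO_TCP, 0,
                     socket.inet_aton("10.0.0.23"), socket.inet_aton("198.51.100.10")) + tcp
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for frame in (arp, _eth(ETH_P_IP) + ip):
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for seg in segments_from_pcap(sample_pcap()):
        print(seg.ft, "seq=%d ack=%d payload=%d bytes" % (seg.seq, seg.ack, len(seg.payload)))
```

The decoder deliberately trusts the IP total length rather than the frame length, so Ethernet padding on short frames never ends up counted as payload; that matters later, because the redirect's ack value is computed from the payload length.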
Step 206: if the server returns a verification result that no history access information exists, construct a redirect packet from the five-tuple and send the redirect packet to the user terminal through the network access device, to trigger generation of the network access authentication page at the user terminal.
Redirection means steering a network request, by one of various methods, to another location. In step 206 the redirect packet is a response to the network access request sent by the user terminal; according to the redirect packet, a network access authentication page pops up at the user terminal.
Specifically, once the five-tuple has been parsed, a redirect packet can be built from the five-tuple of the user terminal. Unlike a redirect packet fed back by the network access device itself, the redirect packet of this embodiment is forged by the monitoring engine, but it still causes the network access authentication page to pop up at the user terminal.
In the above network access authentication method, the mirrored packet obtained from the network access device carries the network access request sent by the user terminal; parsing its five-tuple yields the five-tuple of the network access request, which the bypass server uses to verify whether the user terminal has history access information. If not, identity authentication for network access is required: a redirect packet is constructed from the five-tuple and sent to the user terminal, triggering generation of the network access authentication page, where the user enters account information to complete network access authentication. The embodiment involves no iptables processing, so the overall efficiency of network access authentication is improved.
In one embodiment, constructing the redirect packet from the five-tuple in step 206 comprises: recombining the five-tuple using a preconfigured interface library for constructing redirect packets, to obtain the redirect packet; the interface library contains a construction interface for redirect packets.
In this embodiment the structure of the redirect packet that a network access device would construct is obtained in advance, and a corresponding interface library, containing the packet construction interface, is set up according to that structure. Once this preparation is done and the five-tuple of the user terminal has been obtained, the redirect packet can be forged from the five-tuple: the process is to fill in the data according to the structure of the redirect packet, which gives a redirect packet generated by the monitoring engine.
In one embodiment the interface library is libnet, a lightweight library written in C that provides construction, handling and sending of low-level network packets, which makes the technique of this embodiment easier to implement.
In one embodiment the five-tuple is recombined as follows: the source IP of the redirect packet is set to the destination IP of the five-tuple and the destination IP of the redirect packet to the source IP of the five-tuple; the source port of the redirect packet is set to the destination port of the five-tuple and the destination port of the redirect packet to the source port of the five-tuple; the seq value of the redirect packet is set to the ack value of the mirrored TCP segment, and the ack value of the redirect packet to the seq value of the mirrored segment plus the length of the data actually carried by the mirrored packet, excluding protocol headers.
In addition, when the user terminal runs Android or iOS (Apple's operating system), the transport protocol content of the redirect packet also needs to be set after the above settings; the transport protocol content includes http/1.0. For example, the following is written into the redirect packet: "HTTP/1.0 302 Found".
In the above embodiment the redirect packet is a 302 redirect packet. After construction of the redirect packet is complete, the network access authentication page is generated at the user terminal's interface, the user enters account information in that page, the account information is parsed through CGI (Common Gateway Interface) and checked for correctness, and after identity authentication passes the bypass server sends a 200 packet to the user terminal, whose interface then displays the authentication-passed page.
In one embodiment, after step 204 the parsed five-tuple can also be used at the server to confirm whether the user is already logged in; if the user terminal is confirmed as logged in, a 200 packet is sent to it directly and its interface displays the authentication-passed information.
In one embodiment the monitoring engine captures the mirrored packets through the pcap (packet capture) interface.
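The recombination rules above (swap addresses and ports, seq := mirrored ack, ack := mirrored seq + payload length, then "HTTP/1.0 302 Found") carried through to a complete injectable packet, as an added example that is neither the patent's nor libnet's code. The same builder produces the 200 reply sent to an already-authenticated terminal. Standard library only; the client/server addresses, the portal URL and the TCP flags (PSH|ACK|FIN) are assumptions, since the patent specifies none of them.

```python
"""Forge the HTTP reply that the monitoring engine injects on the client's connection."""
import socket
import struct
from typing import List, NamedTuple

IPPROTO_TCP = 6
TCP_FIN, TCP_PSH, TCP_ACK = 0x01, 0x08, 0x10


class Reply(NamedTuple):
    raw: bytes          # IPv4 header + TCP header + HTTP payload, as handed to a raw socket
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    ack: int
    payload: bytes


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; over data that already holds its checksum it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_http_reply(client_ip: str, client_port: int, server_ip: str, server_port: int,
                     client_seq: int, client_ack: int, client_payload_len: int,
                     status_line: str, headers: List[str]) -> Reply:
    """Recombine the mirrored segment's fields into a reply that appears to come from the server."""
    payload = (status_line + "\r\n" + "".join(h + "\r\n" for h in headers) + "\r\n").encode("ascii")
    # Patent rules: swap IPs and ports; seq := client's ack; ack := client's seq + its payload length
    seq = client_ack
    ack = (client_seq + client_payload_len) & 0xFFFFFFFF     # 32-bit wrap, as TCP does
    src, dst = socket.inet_aton(server_ip), socket.inet_aton(client_ip)
    # Flags are an assumption: PSH|ACK delivers the data now, FIN tells the client the reply is complete
    off_flags = (5 << 12) | TCP_FIN | TCP_PSH | TCP_ACK
    tcp = struct.pack("!HHIIHHHH", server_port, client_port, seq, ack, off_flags, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0x4000, 64, IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return Reply(ip + tcp + payload, server_ip, server_port, client_ip, client_port, seq, ack, payload)


def build_redirect(client_ip: str, client_port: int, server_ip: str, server_port: int,
                   client_seq: int, client_ack: int, client_payload_len: int,
                   portal_url: str) -> Reply:
    """The 302 of step 206; portal_url is an assumed portal address."""
    return build_http_reply(client_ip, client_port, server_ip, server_port,
                            client_seq, client_ack, client_payload_len,
                            "HTTP/1.0 302 Found",
                            ["Location: " + portal_url, "Content-Length: 0", "Connection: close"])


def checksums_ok(raw: bytes) -> bool:
    """Re-verify the IPv4 and TCP checksums of a built packet, as the client's stack will."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", raw, 2)[0]
    segment = raw[ihl:total_len]
    pseudo = raw[12:16] + raw[16:20] + struct.pack("!BBH", 0, raw[9], len(segment))
    return inet_checksum(raw[:ihl]) == 0 and inet_checksum(pseudo + segment) == 0


if __name__ == "__main__":
    # Constructed input: the mirrored GET carried 47 bytes of payload with seq 1000 and ack 2000
    r = build_redirect("10.0.0.23", 51514, "198.51.100.10", 80, 1000, 2000, 47, "http://10.0.0.1/login")
    print(r.src_ip, r.src_port, "->", r.dst_ip, r.dst_port, "seq", r.seq, "ack", r.ack)
    print(r.payload.decode().splitlines()[0], "checksums ok:", checksums_ok(r.raw))
```

Two points a practitioner should keep in mind. The injected segment only takes effect if it reaches the client before the real server's reply that carries the same sequence number, which is why the page stresses the speed of the 302 over the server's 200; and because the forged reply is plaintext HTTP, it can only be injected into requests sent over plain HTTP, not into a TLS session.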
In one embodiment a specific network access authentication method is also provided, as shown in Fig. 3, including the following steps:
Step 302: obtain the mirrored packet of the network access device; the mirrored packet is generated when the network access device receives the network access request sent by the user terminal.
Step 304: parse the mirrored packet to obtain the five-tuple of the user terminal and URL (Uniform Resource Locator) information; send the five-tuple to the bypass server to verify whether the user terminal has history access information.
Step 306: if the server returns a verification result that no history access information exists, construct a redirect packet from the five-tuple and the URL information and send it to the user terminal through the network access device, to trigger generation of the network access authentication page at the user terminal.
In this embodiment the network access request is triggered by opening a web page, so the request contains URL information, and after network access is verified the user terminal is taken automatically to the page the URL points to.
In one embodiment the URL information is parsed by string matching on the application layer content contained in the mirrored packet, at the TCP (Transmission Control Protocol) processing layer, to obtain the address of the page.
In this embodiment, under bypass mode the 302 redirect packet has to reach the user terminal faster than the 200 packet returned by the server, so obtaining the page URL at the TCP processing layer reduces the time spent on HTTP protocol parsing. Because the application layer content of the mirrored packet contains the URL, a string match over that content is enough to obtain the page URL, which lowers the hardware cost and raises the efficiency of URL parsing.
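The string-matching URL extraction of step 304 done on the raw TCP payload, as an added example that is not the patent's code: a request line and a Host header are matched directly, without a full HTTP parser, and the cases a mirror will see in practice are handled (a non-HTTP payload such as a TLS ClientHello, a header block that continues in a later segment, an absolute-form request target, a missing Host header). The sample payloads are constructed. Standard library only.

```python
"""Extract the requested URL from a TCP payload by string matching."""
import re
from typing import Optional

# request line: method, request-target, HTTP/1.0 or HTTP/1.1, CRLF
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) ([^ \r\n]+) HTTP/1\.[01]\r\n")
# Host header anywhere in the header block (case-insensitive, CRLF-terminated, trailing blanks dropped)
HOST_HEADER = re.compile(rb"\r\nHost:[ \t]*([^\r\n]+?)[ \t]*\r\n", re.IGNORECASE)


def extract_url(payload: bytes) -> Optional[str]:
    """URL of a plaintext HTTP request found in a TCP payload, or None when the payload is not
    HTTP, the header block is incomplete in this segment, or no Host header is present."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    target = m.group(2)
    if target[:7].lower() == b"http://":            # absolute-form target already names the host
        return target.decode("ascii", "replace")
    end = payload.find(b"\r\n\r\n")
    if end < 0:                                      # headers continue in a later segment
        return None
    h = HOST_HEADER.search(payload[:end + 2])        # keep the CRLF that ends the last header line
    if not h:
        return None
    host = h.group(1).decode("ascii", "replace")
    return "http://" + host + target.decode("ascii", "replace")


if __name__ == "__main__":
    samples = [  # constructed payloads, not captured traffic
        b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
        b"GET http://example.com/a HTTP/1.1\r\nHost: example.com\r\n\r\n",
        b"GET / HTTP/1.1\r\nUser-Agent: x\r\nhost: Example.com:8080\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: example.com\r\n",
        b"GET / HTTP/1.1\r\nUser-Agent: x\r\n\r\n",
        b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
    ]
    for s in samples:
        print(repr(s[:24]), "->", extract_url(s))
```

The engine has to be ready for the None cases: a TLS ClientHello on port 443 carries no URL at all, and a request whose headers span two segments cannot be matched from the first mirrored segment alone.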
In one embodiment, for step 202 the mirrored packet of the network access device can be obtained as follows: the port mirroring function of the network access device is configured in advance, so that the packets seen on a source port are forwarded as mirrored packets to a designated port; the mirrored packets forwarded from the source port are then received.
In this embodiment, port mirroring is the function by which the network access device forwards the data traffic of one or more source ports to a designated port, also called the mirror port or destination port, so that the network can be monitored; without seriously affecting the throughput of the source ports, the traffic of the network can be monitored and analysed through the mirror port. Port mirroring is configured on the network access device by commands. Once the port mirroring function of the network access device has been configured, the mirrored packets of the network access device can be sent to the designated monitoring engine, which completes the acquisition of the network access device's packets.
The following specific embodiment illustrates the method more clearly. Fig. 4 is the flow diagram of the network access authentication method in another embodiment; as shown in Fig. 4, the network access authentication flow of this embodiment is as follows:
After the user terminal and the server have established a connection, the user opens a web page, which triggers the network access flow and generates a network access request at the user terminal. The monitoring engine collects the mirrored packet of the network access device through the pcap interface and parses it to obtain the five-tuple and the URL information, the URL pointing to the address of the page. The bypass server verifies whether the user is authenticated; if so, it sends a 200 packet to the user terminal, a login-success message is displayed at the user terminal's interface, and the user can go online. If the server returns a verification result that no history access information exists, the monitoring engine constructs a 302 redirect packet from the five-tuple and the URL information; the user terminal parses the 302 redirect packet and generates the network access authentication page at its interface, and the user enters account information in that page to authenticate. The user terminal obtains the account information entered by the user, the monitoring engine parses out the account information, and a CGI script checks whether the account information is correct. If it is correct, two steps follow: first, the MAC address, account information and IP address of the user terminal are saved for the next authentication; second, the monitoring engine returns a 200 packet carrying the URL information, at which point the user terminal can access the network and automatically jumps to the page the URL points to.
In the above embodiment the monitoring engine can be Suricata, a high-performance network IDS, IPS and network security monitoring engine. It is an open-source system, so the technique is easier to realize and a system implementing the method of this application can be built quickly. Other monitoring engines, such as the Snort detection engine, can also be used.
It should be understood that although each step in Fig. 2-4 flow charts is shown successively according to the instruction of arrow, this A little steps are not that the inevitable sequence indicated according to arrow performs successively.Unless expressly state otherwise herein, these steps It performs there is no the limitation of stringent sequence, these steps can perform in other order.Moreover, at least one in Fig. 2-4 Can including multiple sub-steps step by step, either these sub-steps of multiple stages or stage are held in synchronization Row is completed, but can be performed at different times, the execution sequence in these sub-steps or stage be also not necessarily successively into Row, but can either the sub-step of other steps or at least part in stage are held in turn or alternately with other steps Row.
In one embodiment, as shown in Fig. 5, a network access authentication system is provided, including a receiving module 402, a parsing module 404 and an authentication module 406, wherein:
The receiving module 402 is used to obtain the mirrored packet of the network access device; wherein the mirrored packet is generated when the network access device receives the network access request sent by the user terminal.
The parsing module 404 is used to parse the mirrored packet to obtain the five-tuple information of the user terminal, and to send the five-tuple information to the bypass server to verify whether history access information exists for the user terminal.
The authentication module 406 is used, if the verification result returned by the server is that no history access information exists, to construct a redirect packet according to the five-tuple information and to send the redirect packet to the user terminal through the network access device, so as to trigger generation of a network access authentication interface on the user terminal interface.
In the above network access authentication system, the receiving module obtains the mirrored packet from the network access device and thereby obtains the information of the network access request sent by the user terminal; the parsing module then parses the five-tuple of the mirrored packet to obtain the five-tuple information of the network access request; using the five-tuple information, the bypass server verifies whether history access information exists for the user terminal; if not, the authentication module performs network access authentication. Specifically, a redirect packet is constructed according to the five-tuple information and sent to the user terminal, triggering the user terminal interface to generate a network access authentication interface. The user can then complete network access authentication by entering account information on the network access authentication interface. The embodiments of the present invention do not need to pass through iptables processing, which improves the overall efficiency of network access authentication.
In one embodiment, the authentication module 406 is further used to recombine the five-tuple information according to a pre-set interface for constructing redirect packets, to obtain the redirect packet; wherein the interface function library includes a redirect packet construction interface.
In one embodiment, the authentication module 406 is further used to set the source IP of the redirect packet to the destination IP of the five-tuple information and the destination IP of the redirect packet to the source IP of the five-tuple information; to set the source port of the redirect packet to the destination port of the five-tuple information and the destination port of the redirect packet to the source port of the five-tuple information; and to set the seq value of the redirect packet to the ack value of the five-tuple information and the ack value of the redirect packet to the seq value of the five-tuple information plus the length of the data actually transmitted in the mirrored packet, excluding the protocol headers.
In one embodiment, the authentication module 406 is further used to set the transport protocol content of the redirect packet; wherein the transport protocol content includes http/1.0.
In one embodiment, the network access request includes URL information; the parsing module 404 is further used to parse the mirrored packet to obtain the five-tuple information and the URL information, and the authentication module 406 is further used to construct the redirect packet according to the URL information and the five-tuple information.
In one embodiment, the authentication module 406 is further used to obtain the URL information at the TCP processing layer by string matching, according to the application layer information contained in the mirrored packet.
In one embodiment, the receiving module 402 is further used to pre-configure the port mirroring function of the network access device, wherein the port mirroring function forwards the mirrored packet from the source port to the designated port, and to receive the mirrored packet sent from the source port.
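The flow of Fig. 4, the five-tuple recombination (swapped endpoints, seq from the client's ack, ack from the client's seq plus payload length) and the URL extraction by string matching all act on one mirrored packet. The following is an added example written for this page; it is not code from the patent or its applicant. It assumes the mirrored packet has already been decoded into a five-tuple, TCP seq/ack and TCP payload (the `FiveTuple` and `MirroredPacket` classes, `extract_url`, `build_redirect` and `handle_mirrored_packet` are all names introduced here), stands in for the bypass server with a history table keyed by client IP, and uses a hypothetical portal address `http://portal.example/login`. Sending the spoofed reply back through the access device is left out; the example only computes the fields the text specifies.

```python
"""Bypass-style 302 redirect construction from a mirrored HTTP request.

Added example, not the patent's code. Works on an already-decoded
mirrored packet: five-tuple, TCP seq/ack and the TCP payload.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import quote


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class MirroredPacket:
    flow: FiveTuple
    seq: int          # TCP sequence number of the client's request segment
    ack: int          # TCP acknowledgement number of that segment
    payload: bytes    # data after all protocol headers (the HTTP request)


def extract_url(payload: bytes) -> Optional[str]:
    """String-match the HTTP request line and Host header in the TCP payload.

    Returns the URL the client asked for, or None when the payload is not
    a plaintext HTTP request (for example a TLS ClientHello), in which case
    no redirect can be built from it.
    """
    m = re.match(rb"(GET|HEAD|POST) (\S+) HTTP/1\.[01]\r\n", payload)
    if not m:
        return None
    target = m.group(2).decode("ascii", "replace")
    if target.startswith("http://"):      # proxy-style absolute request target
        return target
    h = re.search(rb"\r\nHost:[ \t]*([^\r\n]+)", payload, re.IGNORECASE)
    if not h:
        return None
    return "http://" + h.group(1).decode("ascii", "replace").strip() + target


def has_history(history: Dict[str, str], flow: FiveTuple) -> bool:
    """Stand-in for the bypass server lookup (assumption: keyed by client IP)."""
    return flow.src_ip in history


def build_redirect(pkt: MirroredPacket, portal_url: str) -> dict:
    """Fields of the 302 packet that answers in place of the origin server.

    Endpoints are swapped so the reply belongs to the client's connection,
    seq is the client's ack, and ack is the client's seq plus the length of
    the data carried after the protocol headers, as the text specifies.
    """
    original = extract_url(pkt.payload)
    if original is None:
        raise ValueError("payload is not a plaintext HTTP request")
    f = pkt.flow
    reply_flow = FiveTuple(f.dst_ip, f.dst_port, f.src_ip, f.src_port, f.proto)
    location = portal_url + "?url=" + quote(original, safe="")
    http = ("HTTP/1.0 302 Found\r\n"
            f"Location: {location}\r\n"
            "Connection: close\r\n"
            "Content-Length: 0\r\n\r\n")
    return {
        "flow": reply_flow,
        "seq": pkt.ack,
        "ack": (pkt.seq + len(pkt.payload)) & 0xFFFFFFFF,
        "payload": http.encode("ascii"),
    }


def handle_mirrored_packet(pkt: MirroredPacket, history: Dict[str, str],
                           portal_url: str) -> Optional[dict]:
    """Redirect fields for a client without history, None if already known."""
    if has_history(history, pkt.flow):
        return None
    return build_redirect(pkt, portal_url)


# Constructed sample input (not captured traffic).
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: example.com\r\n"
                  b"User-Agent: demo\r\n\r\n")
SAMPLE_PACKET = MirroredPacket(
    flow=FiveTuple("10.0.0.5", 51234, "93.184.216.34", 80),
    seq=1000, ack=5000, payload=SAMPLE_REQUEST)
PORTAL = "http://portal.example/login"   # hypothetical portal address

if __name__ == "__main__":
    print(handle_mirrored_packet(SAMPLE_PACKET, {}, PORTAL))
    print(handle_mirrored_packet(SAMPLE_PACKET, {"10.0.0.5": "alice"}, PORTAL))
```

Two properties of the scheme are visible in the code. The ack arithmetic assumes the whole request arrived in the single mirrored segment, which holds for the small GET of a page open but not for a request split across segments. And because the URL comes from string matching on the TCP payload, `extract_url` returns None for anything that is not plaintext HTTP, so TLS connections cannot be redirected this way and the portal must be reached over http/1.0 as the text states.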
In addition, as shown in Fig. 6, an internet behavior monitoring method based on network access authentication is also provided. This is the internet behavior monitoring that can be carried out after the user terminal has accessed the network according to the network access authentication method above; the specific steps are as follows:
Step 502: obtain the mirrored packet of the network access device; wherein the mirrored packet is generated when the network access device receives the network access request sent by the user terminal.
Step 504: parse the mirrored packet to obtain the five-tuple information of the user terminal; send the five-tuple information to the bypass server to verify whether history access information exists for the user terminal.
Step 506: if the verification result returned by the server is that no history access information exists, construct a redirect packet according to the five-tuple information, and send the redirect packet to the user terminal through the network access device, so as to trigger generation of a network access authentication interface on the user terminal interface.
Step 508: receive the account information entered by the user terminal on the network access authentication interface, and after the account information has been verified, monitor the internet behavior of the user terminal that has passed network access authentication.
In the above internet behavior monitoring method based on network access authentication, since mirrored packets can be obtained from the network access device, the internet behavior of the user terminal can be monitored through the mirrored packets once the user terminal has accessed the network and is engaged in internet behavior. The method is built on the network access authentication system and can monitor the internet behavior of the user terminal without adding extra equipment.
For the specific limitations of the network access authentication system, refer to the limitations of the network access authentication method above; details are not repeated here. The modules of the above network access authentication system can be implemented in whole or in part by software, hardware or a combination thereof. The above modules can be embedded in or independent of the processor of the computer device in hardware form, or stored in the memory of the computer device in software form, so that the processor can call and execute the operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and whose internal structure may be as shown in Fig. 7. The computer device includes a processor, a memory, a network interface and a database connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program and a database. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The database of the computer device is used to store user ID data. The network interface of the computer device is used to communicate with an external terminal through a network connection. When the computer program is executed by the processor, a network access authentication method is realized.
Those skilled in the art will understand that the structure shown in Fig. 6 is only a block diagram of the part of the structure related to the solution of the present application and does not limit the computer device to which the solution is applied; a specific computer device may include more or fewer components than shown in the figure, combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, including a memory, a processor, and a computer program stored in the memory and runnable on the processor; the processor realizes the following steps when executing the computer program:
Step 602: obtain the mirrored packet of the network access device; wherein the mirrored packet is generated when the network access device receives the network access request sent by the user terminal.
Step 604: parse the mirrored packet to obtain the five-tuple information of the user terminal; send the five-tuple information to the bypass server to verify whether history access information exists for the user terminal.
Step 606: if the verification result returned by the server is that no history access information exists, construct a redirect packet according to the five-tuple information, and send the redirect packet to the user terminal through the network access device, so as to trigger generation of a network access authentication interface on the user terminal interface.
With the above computer device, through the computer program running on the processor, network access authentication does not need to pass through iptables processing, which improves the overall efficiency of network access authentication.
In one embodiment, the processor also realizes the following steps when executing the computer program:
Recombine the five-tuple information according to a pre-set interface for constructing redirect packets, to obtain the redirect packet; wherein the interface includes a redirect packet construction interface.
In one embodiment, the processor also realizes the following steps when executing the computer program:
Set the source IP of the redirect packet to the destination IP of the five-tuple information, and set the destination IP of the redirect packet to the source IP of the five-tuple information;
Set the source port of the redirect packet to the destination port of the five-tuple information, and set the destination port of the redirect packet to the source port of the five-tuple information;
Set the seq value of the redirect packet to the ack value of the five-tuple information, and set the ack value of the redirect packet to the seq value of the five-tuple information plus the length of the data actually transmitted in the mirrored packet, excluding the protocol headers.
In one embodiment, the processor also realizes the following steps when executing the computer program:
Set the transport protocol content of the redirect packet; wherein the transport protocol content includes http/1.0.
In one embodiment, the network access request includes URL information, and the processor also realizes the following steps when executing the computer program:
Parse the mirrored packet to obtain the five-tuple information and the URL information; construct the redirect packet according to the URL information and the five-tuple information.
In one embodiment, the processor also realizes the following steps when executing the computer program:
Obtain the URL information at the TCP processing layer by string matching, according to the application layer information contained in the mirrored packet.
In one embodiment, the processor also realizes the following steps when executing the computer program:
Pre-configure the port mirroring function of the network access device; wherein the port mirroring function forwards the mirrored packet from the source port to the designated port;
Receive the mirrored packet sent from the source port.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored; the computer program realizes the following steps when executed by a processor:
Step 702: obtain the mirrored packet of the network access device; wherein the mirrored packet is generated when the network access device receives the network access request sent by the user terminal.
Step 704: parse the mirrored packet to obtain the five-tuple information of the user terminal; send the five-tuple information to the server to verify whether history access information exists for the user terminal.
Step 706: if the verification result returned by the server is that no history access information exists, construct a redirect packet according to the five-tuple information, and send the redirect packet to the user terminal through the network access device, so as to trigger generation of a network access authentication interface on the user terminal interface.
With the above computer-readable storage medium, through the computer program stored on it, network access authentication does not need to pass through iptables processing, which improves the overall efficiency of network access authentication.
In one embodiment, the computer program also realizes the following steps when executed by the processor:
Recombine the five-tuple information according to a pre-set interface for constructing redirect packets, to obtain the redirect packet; wherein the interface includes a redirect packet construction interface.
In one embodiment, the computer program also realizes the following steps when executed by the processor:
Set the source IP of the redirect packet to the destination IP of the five-tuple information, and set the destination IP of the redirect packet to the source IP of the five-tuple information;
Set the source port of the redirect packet to the destination port of the five-tuple information, and set the destination port of the redirect packet to the source port of the five-tuple information;
Set the seq value of the redirect packet to the ack value of the five-tuple information, and set the ack value of the redirect packet to the seq value of the five-tuple information plus the length of the data actually transmitted in the mirrored packet, excluding the protocol headers.
In one embodiment, the computer program also realizes the following steps when executed by the processor:
Set the transport protocol content of the redirect packet; wherein the transport protocol content includes http/1.0.
In one embodiment, the network access request includes URL information, and the computer program also realizes the following steps when executed by the processor:
Parse the mirrored packet to obtain the five-tuple information and the URL information; construct the redirect packet according to the URL information and the five-tuple information.
In one embodiment, the computer program also realizes the following steps when executed by the processor:
Obtain the URL information at the TCP processing layer by string matching, according to the application layer information contained in the mirrored packet.
In one embodiment, the computer program also realizes the following steps when executed by the processor:
Pre-configure the port mirroring function of the network access device; wherein the port mirroring function forwards the mirrored packet from the source port to the designated port;
Receive the mirrored packet sent from the source port.
Those of ordinary skill in the art will appreciate that all or part of the flow of the methods in the above embodiments can be completed by instructing relevant hardware through a computer program, which can be stored in a non-volatile computer-readable storage medium; when executed, the computer program may include the flows of the embodiments of the above methods. Any reference to memory, storage, a database or other media used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM), etc.
The technical features of the above embodiments can be combined arbitrarily. For brevity, not all possible combinations of the technical features of the above embodiments are described; however, as long as there is no contradiction in a combination of these technical features, it should be considered within the scope of this specification.
The embodiments described above express only several embodiments of the present application, and their description is relatively specific and detailed, but they should not be construed as limiting the scope of the patent. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the concept of the present application, and these fall within the protection scope of the present application. Therefore, the protection scope of the present application patent shall be determined by the appended claims.

Claims (10)

1. A network access authentication method, the method comprising:
obtaining a mirrored packet of a network access device; wherein the mirrored packet is generated when the network access device receives a network access request sent by a user terminal;
parsing the mirrored packet to obtain five-tuple information of the user terminal; sending the five-tuple information to a server to verify whether history access information exists for the user terminal;
if a verification result returned by the server is that no history access information exists, constructing a redirect packet according to the five-tuple information, and sending the redirect packet to the user terminal through the network access device, so as to trigger generation of a network access authentication interface on the user terminal interface.
2. The network access authentication method according to claim 1, characterized in that the step of constructing a redirect packet according to the five-tuple information comprises:
recombining the five-tuple information according to a pre-set interface for constructing redirect packets, to obtain the redirect packet; wherein the interface includes a redirect packet construction interface.
3. The network access authentication method according to claim 2, characterized in that the step of recombining the five-tuple information comprises:
setting the source IP of the redirect packet to the destination IP of the five-tuple information, and setting the destination IP of the redirect packet to the source IP of the five-tuple information;
setting the source port of the redirect packet to the destination port of the five-tuple information, and setting the destination port of the redirect packet to the source port of the five-tuple information;
setting the seq value of the redirect packet to the ack value of the five-tuple information, and setting the ack value of the redirect packet to the seq value of the five-tuple information plus the length of the data actually transmitted in the mirrored packet, excluding the protocol headers.
4. The network access authentication method according to any one of claims 1 to 3, characterized in that the network access request includes URL information;
the network access authentication method further comprises:
parsing the mirrored packet to obtain the five-tuple information and the URL information;
and the step of constructing a redirect packet according to the five-tuple information further comprises:
constructing the redirect packet according to the URL information and the five-tuple information.
5. The network access authentication method according to claim 4, characterized in that the step of parsing the mirrored packet to obtain the URL information comprises:
obtaining the URL information at the TCP processing layer by string matching, according to the application layer information contained in the mirrored packet.
6. The network access authentication method according to any one of claims 1 to 3, characterized in that the step of obtaining the mirrored packet of the network access device comprises:
pre-configuring the port mirroring function of the network access device; wherein the port mirroring function forwards the mirrored packet from the source port to a designated port;
receiving the mirrored packet sent from the source port.
7. A network access authentication system, characterized in that the system comprises:
a receiving module, for obtaining a mirrored packet of a network access device; wherein the mirrored packet is generated when the network access device receives a network access request sent by a user terminal;
a parsing module, for parsing the mirrored packet to obtain five-tuple information of the user terminal, and sending the five-tuple information to a bypass server to verify whether history access information exists for the user terminal;
an authentication module, for, if a verification result returned by the server is that no history access information exists, constructing a redirect packet according to the five-tuple information, and sending the redirect packet to the user terminal through the network access device, so as to trigger generation of a network access authentication interface on the user terminal interface.
8. An internet behavior monitoring method based on network access authentication, characterized by comprising:
obtaining a mirrored packet of a network access device; wherein the mirrored packet is generated when the network access device receives a network access request sent by a user terminal;
parsing the mirrored packet to obtain five-tuple information of the user terminal; sending the five-tuple information to a bypass server to verify whether history access information exists for the user terminal;
if a verification result returned by the server is that no history access information exists, constructing a redirect packet according to the five-tuple information, and sending the redirect packet to the user terminal through the network access device, so as to trigger generation of a network access authentication interface on the user terminal interface;
receiving account information entered by the user terminal on the network access authentication interface, and after the account information has been verified, monitoring the internet behavior of the user terminal that has passed network access authentication.
9. A computer device, including a memory, a processor, and a computer program stored in the memory and runnable on the processor, characterized in that the processor realizes the steps of the network access authentication method according to any one of claims 1 to 6 when executing the computer program.
10. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program realizes the steps of the network access authentication method according to any one of claims 1 to 6 when executed by a processor.
CN201810161590.4A 2018-02-27 2018-02-27 Network access verifying method, system, computer equipment and storage medium Pending CN108259509A (en)

Publications (1)

Publication Number Publication Date
CN108259509A true CN108259509A (en) 2018-07-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180706