CN109981684A - An implementation method for flow rate control based on an application proxy - Google Patents

Publication number
CN109981684A
Authority
CN
China
Prior art keywords
access
module
application proxy
application
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910295077.9A
Other languages
Chinese (zh)
Inventor
李威
李健俊
章志华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Tobacco Zhejiang Industrial Co Ltd
Original Assignee
China Tobacco Zhejiang Industrial Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2475 Traffic characterised by specific attributes, e.g. priority or QoS for supporting traffic characterised by the type of applications
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention relates to an implementation method for flow rate control based on an application proxy, comprising the following steps: at system initialization, the system loads its own application policy configuration, the configuration starts the listening service, and the application proxy module receives cross-boundary access information; the application proxy module obtains the application information of the access and judges the legitimacy of the access; the application proxy module obtains the subject and object information of the access, provides it to the access control module as the basis for its judgment, and checks the legitimacy of the information request according to the access control module's judgment; the application proxy module obtains the identity information of the access, provides it to the identity identification module as the basis for its judgment, and checks the legitimacy of the connection according to the identity identification module's judgment; application information is received and sent, and the information is filtered accordingly. The present invention is a new way of controlling flow rate: it no longer requires an additional module to control the flow rate but uses the application proxy directly, and it is also quicker to deploy as a service.

Description

An implementation method for flow rate control based on an application proxy
Technical field
The present invention relates to an implementation method for flow rate control based on an application proxy.
Background art
Among the current approaches to controlling protocol flow rate, some are driver-based and others work in the kernel and protocol stack, but at the application layer, and in particular for flow rate control implemented through an application proxy, there is as yet no detailed solution.
Summary of the invention
To solve the above technical problem, the object of the present invention is to provide an implementation method for flow rate control based on an application proxy. The method is a new way of controlling flow rate: it no longer requires an additional module to control the flow rate but uses the application proxy directly, and it is also quicker to deploy as a service.
To achieve the above object, the present invention adopts the following technical solution:
An implementation method for flow rate control based on an application proxy. Implementing the method requires an application proxy module, together with an identity identification module and an access control module contained in the application proxy module, and comprises the following steps:
1) At system initialization, the system loads its own application policy configuration, the configuration starts the listening service, and the application proxy module receives cross-boundary access information;
2) The application proxy module obtains the application information of the access and judges the legitimacy of the access;
3) The application proxy module obtains the subject and object information of the access, provides it to the access control module as the basis for its judgment, and checks the legitimacy of the information request according to the access control module's judgment;
4) The application proxy module obtains the identity information of the access, provides it to the identity identification module as the basis for its judgment, and checks the legitimacy of the connection according to the identity identification module's judgment;
5) Application information is received and sent, and the information is filtered accordingly;
6) Access behavior is monitored, that is, all security-related access attempts are monitored, ensuring that access attempts are not tampered with and that the secure interconnection is not bypassed.
Preferably, the access control module in step 3) decides, according to the ruling of the flow control decision module, whether to allow the access to the object resource to proceed with flow control.
Preferably, the control decision policies of the flow control decision module in step 3) include a discretionary access control policy, a mandatory access control policy and a level change policy.
Preferably, in step 3), after the flow control decision module receives the subject and object information sent by the application proxy module, it first executes the discretionary access control policy; if the request satisfies the discretionary access control policy, the result is submitted to the application proxy module and access to the resource is allowed; otherwise the resource access request is sent to the mandatory flow control module;
After the mandatory flow control module receives the resource access request, it calls the marking submodule to obtain the security labels of the subject and the object and performs a compliance check; the mandatory flow control policy is executed during the compliance check, and a request that satisfies the mandatory flow control policy is sent directly to the application proxy module, which allows the access and controls the flow rate of its access to the resource; otherwise the request is sent to the flow rate level change module;
The flow rate level adjustment check module executes the level adjustment check policy, i.e. privilege revocation, on the resource access request; if the resource access request satisfies privilege revocation, the request is sent to the application proxy module, which allows the access and controls the flow rate; otherwise the resource access request is rejected.
Preferably, the flow control module audits resource access operations through the audit submodule.
In the present invention, the application proxy module is responsible for receiving, sending and processing cross-domain access information and provides the other services with the information on which their judgments are based; the internal modules and submodules coordinate and interact with one another through an internal protocol to complete the control of boundary information.
The present invention is a new way of controlling flow rate: it no longer requires an additional module to control the flow rate but uses the application proxy directly, and it is also quicker to deploy as a service.
Brief description of the drawings
Fig. 1 is a flow diagram of the present invention.
Detailed description of the embodiments
Embodiments of the present invention are described in detail below. Examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements, or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary; they are intended to explain the present invention and are not to be construed as limiting it.
An implementation method for flow rate control based on an application proxy, as shown in Fig. 1. Implementing the method requires an application proxy module, together with an identity identification module and an access control module contained in the application proxy module, and comprises the following steps:
1) At system initialization, the system loads its own application policy configuration, the configuration starts the listening service, and the application proxy module receives cross-boundary access information;
2) The application proxy module obtains the application information of the access and judges the legitimacy of the access;
3) The application proxy module obtains the subject and object information of the access, provides it to the access control module as the basis for its judgment, and checks the legitimacy of the information request according to the access control module's judgment;
4) The application proxy module obtains the identity information of the access, provides it to the identity identification module as the basis for its judgment, and checks the legitimacy of the connection according to the identity identification module's judgment;
5) Application information is received and sent, and the information is filtered accordingly;
6) Access behavior is monitored, that is, all security-related access attempts are monitored, ensuring that access attempts are not tampered with and that the secure interconnection is not bypassed.
The access control module in step 3) decides, according to the ruling of the flow control decision module, whether to allow the access to the object resource to proceed with flow control. The control decision policies of the flow control decision module in step 3) include a discretionary access control policy, a mandatory access control policy and a level change policy.
In step 3), after the flow control decision module receives the subject and object information sent by the application proxy module, it first executes the discretionary access control policy; if the request satisfies the discretionary access control policy, the result is submitted to the application proxy module and access to the resource is allowed; otherwise the resource access request is sent to the mandatory flow control module;
After the mandatory flow control module receives the resource access request, it calls the marking submodule to obtain the security labels of the subject and the object and performs a compliance check; the mandatory flow control policy is executed during the compliance check, and a request that satisfies the mandatory flow control policy is sent directly to the application proxy module, which allows the access and controls the flow rate of its access to the resource; otherwise the request is sent to the flow rate level change module;
The flow rate level adjustment check module executes the level adjustment check policy, i.e. privilege revocation, on the resource access request; if the resource access request satisfies privilege revocation, the request is sent to the application proxy module, which allows the access and controls the flow rate; otherwise the resource access request is rejected.
The flow control module audits resource access operations through the audit submodule.
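The decision cascade described above (discretionary check, then the mandatory flow control check on security labels, then the level adjustment check, with every decision audited), as an added Python example that is not part of the patent. The policy structures, the label-dominance rule, the subject set used for the level adjustment check, the byte rates and the token bucket that paces an allowed flow are all assumptions; the patent specifies none of them.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    subject: str
    obj: str
    action: str

@dataclass(frozen=True)
class Decision:
    allowed: bool
    stage: str                   # stage that settled the request
    rate_bytes_s: Optional[int]  # None: no rate cap attached

@dataclass
class Policy:  # constructed structures; the patent defines none of these
    acl: dict             # (subject, obj) -> set of allowed actions
    subject_label: dict   # subject -> integer security label
    object_label: dict    # obj -> integer security label
    level_adjust_ok: set  # subjects accepted by the level adjustment check
    mandatory_rate: int = 512_000  # assumed cap, bytes per second
    adjusted_rate: int = 64_000    # assumed cap, bytes per second

class FlowControlDecider:
    def __init__(self, policy):
        self.policy = policy
        self.audit_log = []  # audit submodule: one record per decision

    def _labels_ok(self, req):
        s = self.policy.subject_label.get(req.subject)
        o = self.policy.object_label.get(req.obj)
        # A missing label fails closed; "subject dominates object" is assumed.
        return s is not None and o is not None and s >= o

    def decide(self, req):
        p = self.policy
        if req.action in p.acl.get((req.subject, req.obj), set()):
            d = Decision(True, "discretionary", None)
        elif self._labels_ok(req):
            d = Decision(True, "mandatory", p.mandatory_rate)
        elif req.subject in p.level_adjust_ok:
            d = Decision(True, "level-adjustment", p.adjusted_rate)
        else:
            d = Decision(False, "level-adjustment", None)
        self.audit_log.append((req, d))  # denials are audited too
        return d

class TokenBucket:
    """Paces an allowed flow at the decided rate (assumed mechanism)."""
    def __init__(self, rate_bytes_s, now=0.0):
        self.rate, self.tokens, self.last = rate_bytes_s, float(rate_bytes_s), now

    def allow(self, nbytes, now):
        # Refill for elapsed time, capped at one second's worth of bytes.
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes > self.tokens:
            return False
        self.tokens -= nbytes
        return True

POLICY = Policy(  # constructed sample data
    acl={("alice", "reports"): {"read"}},
    subject_label={"alice": 1, "bob": 2, "carol": 1},
    object_label={"reports": 1, "plans": 2},
    level_adjust_ok={"carol"},
)

if __name__ == "__main__":
    decider = FlowControlDecider(POLICY)
    for who, what in [("alice", "reports"), ("bob", "plans"),
                      ("carol", "plans"), ("alice", "plans")]:
        print(who, what, decider.decide(Request(who, what, "read")))
```

A request whose subject or object has no security label is never admitted by the mandatory stage, so an unlabelled resource cannot slip through that check.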
The application proxy module of the present invention can, according to the initial system policy configuration, generate a series of application listeners that provide the transport for receiving and sending information. Its specific functions are: receiving and sending the data that flows across the boundary; controlling and filtering application service data; obtaining the subject and object information required for access control; obtaining the identity information of the access; and controlling connections and data transmission.
The present invention captures the access information of subject and object resources through the application proxy module, makes a decision on the access information of the subject and object resources, and provides the result of the decision to the application proxy module, which processes packets accordingly.
It should be pointed out that the above embodiments are only representative examples of the present invention. The present invention may also have many variations. Any simple modification, equivalent change or adaptation made to the above embodiments in accordance with the essence of the present invention shall be regarded as falling within the protection scope of the present invention.

Claims (5)

1. An implementation method for flow rate control based on an application proxy, characterized in that implementing the method requires an application proxy module, together with an identity identification module and an access control module contained in the application proxy module, and comprises the following steps:
1) At system initialization, the system loads its own application policy configuration, the configuration starts the listening service, and the application proxy module receives cross-boundary access information;
2) The application proxy module obtains the application information of the access and judges the legitimacy of the access;
3) The application proxy module obtains the subject and object information of the access, provides it to the access control module as the basis for its judgment, and checks the legitimacy of the information request according to the access control module's judgment;
4) The application proxy module obtains the identity information of the access, provides it to the identity identification module as the basis for its judgment, and checks the legitimacy of the connection according to the identity identification module's judgment;
5) Application information is received and sent, and the information is filtered accordingly;
6) Access behavior is monitored, that is, all security-related access attempts are monitored, ensuring that access attempts are not tampered with and that the secure interconnection is not bypassed.
2. The implementation method for flow rate control based on an application proxy according to claim 1, characterized in that: the access control module in step 3) decides, according to the ruling of the flow control decision module, whether to allow the access to the object resource to proceed with flow control.
3. The implementation method for flow rate control based on an application proxy according to claim 2, characterized in that: the control decision policies of the flow control decision module in step 3) include a discretionary access control policy, a mandatory access control policy and a level change policy.
4. The implementation method for flow rate control based on an application proxy according to claim 3, characterized in that: in step 3), after the flow control decision module receives the subject and object information sent by the application proxy module, it first executes the discretionary access control policy; if the request satisfies the discretionary access control policy, the result is submitted to the application proxy module and access to the resource is allowed; otherwise the resource access request is sent to the mandatory flow control module;
After the mandatory flow control module receives the resource access request, it calls the marking submodule to obtain the security labels of the subject and the object and performs a compliance check; the mandatory flow control policy is executed during the compliance check, and a request that satisfies the mandatory flow control policy is sent directly to the application proxy module, which allows the access and controls the flow rate of its access to the resource; otherwise the request is sent to the flow rate level change module;
The flow rate level adjustment check module executes the level adjustment check policy, i.e. privilege revocation, on the resource access request; if the resource access request satisfies privilege revocation, the request is sent to the application proxy module, which allows the access and controls the flow rate; otherwise the resource access request is rejected.
5. The implementation method for flow rate control based on an application proxy according to claim 3, characterized in that: the flow control module audits resource access operations through the audit submodule.
CN201910295077.9A 2019-04-12 2019-04-12 An implementation method for flow rate control based on an application proxy Pending CN109981684A (en)

Family

ID=67084446

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190705