CN112653609B - VPN identification application method, device, terminal and storage medium - Google Patents


Publication number: CN112653609B
Authority: CN (China)
Prior art keywords: port, vpn, application, request, source
Legal status: Active
Application number: CN202011474203.6A
Other languages: Chinese (zh)
Other versions: CN112653609A (en)
Inventors: 汪应, 王伟
Current assignee: Beijing Zhizhangyi Technology Co ltd
Original assignee: Beijing Zhizhangyi Technology Co ltd
Application filed by Beijing Zhizhangyi Technology Co ltd; published as CN112653609A; application granted and published as CN112653609B; current legal status: Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Abstract

The embodiment of the invention discloses a VPN identification application method, device, terminal and storage medium. The method comprises the following steps: when a network communication request is sent to a VPN (virtual private network) end, a set hook function is called, and the port information of the source port corresponding to the network communication request is recorded in a memory through the set hook function; when a port source request sent by the VPN end is received, it is queried whether the port information of the source port in the port source request exists in the memory; and if so, a feedback message containing the application identifier is sent to the VPN end to instruct the VPN end to determine, according to the application identifier in the feedback message, the sandbox application end to which the source port in the port source request belongs. By calling the hook function to record the source port that the system allocated to the network communication, and by checking, against the port information in the port source request sent by the VPN end, whether that source port belongs to the sandbox application end, the embodiment enables a device-level VPN to identify applications accurately without activating MDM and without going through a VPN server.

Description

VPN identification application method, device, terminal and storage medium
Technical Field
The embodiment of the invention relates to communication technology, and in particular to a VPN identification application method, device, terminal and storage medium.
Background
In Apple's mobile operating system (iOS), a Virtual Private Network (VPN) based interface can identify the application to which an Internet Protocol (IP) datagram belongs only when Mobile Device Management (MDM) is activated. A general VPN application cannot tell which application the current IP datagram comes from and can only apply control by IP address. Because different applications (APPs) may access the same IP address or port, this approach may misidentify traffic, so that data which should not go through the VPN is transmitted to the VPN server; this increases the load on the VPN server, and the applications may not work normally after passing through it.
In addition, because MDM places high demands on the user, a common scheme is to issue a policy from a server, identify data by IP address and port, and forward the data that satisfies the policy conditions through the VPN. However, if an application to be identified accesses multiple service servers, the policy configuration for a specific IP address or port is easily missed, which risks making the application unavailable or even leaking information.
Therefore, how to make a device-level VPN identify applications accurately without activating MDM and without going through a VPN server has become an urgent problem to be solved.
Disclosure of Invention
The embodiment of the invention provides a VPN identification application method, device, terminal and storage medium that enable a device-level VPN to identify applications accurately without requiring MDM to be activated and without needing a VPN server.
In a first aspect, an embodiment of the present invention provides a VPN identification application method, applied to a sandbox application end, including:
when a network communication request is sent to a VPN (virtual private network) end, calling a set hook function, and recording, through the set hook function, the port information of the source port corresponding to the network communication request in a memory;
when a port source request sent by the VPN end is received, querying whether the port information of the source port in the port source request exists in the memory;
and if so, sending a feedback message containing the application identifier to the VPN end, so as to instruct the VPN end to determine, according to the application identifier in the feedback message, the sandbox application end to which the source port in the port source request belongs.
In a second aspect, an embodiment of the present invention further provides a VPN identification application method, applied to a VPN side, including:
reading an IP datagram from a VPN interface, and parsing the IP datagram down to the transport layer protocol to obtain the port information of the source port;
sending a port source request containing the port information to each application end, so that each application end queries whether the port information of the source port exists in its memory and, if it does, sends a feedback message containing its application identifier to the VPN end;
and if a feedback message containing an application identifier is received, determining the sandbox application end to which the source port belongs according to the application identifier in the feedback message.
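The datagram parsing step of the second aspect (reading an IP datagram from the VPN interface and parsing it down to the transport layer to obtain the source port), written here as an added example rather than the patent's own code. It assumes IPv4 datagrams carrying TCP or UDP; the helper names and the constructed sample datagrams are this example's own.

```python
import struct

# Added example (not the patent's own code): the VPN-end step of parsing an IP
# datagram read from the VPN interface down to the transport layer to recover
# the source port. Handles IPv4 with header options, TCP and UDP. Any other
# transport protocol, a non-IPv4 packet, or a truncated datagram yields None,
# because no source port can be recovered from it and the VPN end must not guess.

PROTO_TCP = 6
PROTO_UDP = 17


def parse_source_port(datagram: bytes):
    """Return (protocol_name, src_port, dst_port) for a TCP/UDP IPv4 datagram, else None."""
    if len(datagram) < 20:
        return None                      # shorter than a minimal IPv4 header
    version_ihl = datagram[0]
    if version_ihl >> 4 != 4:
        return None                      # only IPv4 is handled in this example
    ihl = (version_ihl & 0x0F) * 4       # header length in bytes, options included
    if ihl < 20 or len(datagram) < ihl:
        return None
    total_len = struct.unpack_from("!H", datagram, 2)[0]
    if total_len < ihl or len(datagram) < total_len:
        return None                      # truncated datagram: transport header may be missing
    proto = datagram[9]
    payload = datagram[ihl:total_len]
    if proto == PROTO_TCP:
        if len(payload) < 20:            # minimal TCP header
            return None
        src, dst = struct.unpack_from("!HH", payload, 0)
        return ("tcp", src, dst)
    if proto == PROTO_UDP:
        if len(payload) < 8:             # UDP header is always 8 bytes
            return None
        src, dst = struct.unpack_from("!HH", payload, 0)
        return ("udp", src, dst)
    return None                          # ICMP etc.: no ports to identify by


def build_ipv4(proto: int, transport: bytes, options: bytes = b"") -> bytes:
    """Constructed sample input: an IPv4 datagram wrapping the given transport segment.
    Addresses are from the TEST-NET ranges; the checksum is left zero (unused here)."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(transport)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len,
                         0x1234, 0x4000,               # identification, DF flag set
                         64, proto, 0,                 # TTL, protocol, checksum
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return header + options + transport


def tcp_segment(src_port: int, dst_port: int) -> bytes:
    """Constructed 20-byte TCP SYN header: ports, seq, ack, offset/flags, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def udp_datagram(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Constructed UDP header (ports, length, zero checksum) followed by the payload."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


if __name__ == "__main__":
    print(parse_source_port(build_ipv4(PROTO_TCP, tcp_segment(52311, 443))))
```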
In a third aspect, an embodiment of the present invention further provides a sandbox application end device, which is applied to a sandbox application end, and includes:
a port recording module, configured to call a set hook function when a network communication request is sent to a VPN (virtual private network) end, and to record, through the set hook function, the port information of the source port corresponding to the network communication request in a memory;
a port query module, configured to query, when a port source request sent by the VPN end is received, whether the port information of the source port in the port source request exists in the memory;
and a message feedback module, configured to send, if the port information exists, a feedback message containing the application identifier to the VPN end, so as to instruct the VPN end to determine, according to the application identifier in the feedback message, the sandbox application end to which the source port in the port source request belongs.
In a fourth aspect, an embodiment of the present invention further provides a VPN identification application device, which is applied to a VPN end, and includes:
a datagram parsing module, configured to read an IP datagram from the VPN interface and parse the IP datagram down to the transport layer protocol to obtain the port information of the source port;
a request sending module, configured to send a port source request containing the port information to each application end, so that each application end queries whether the port information of the source port exists in its memory and, if it does, sends a feedback message containing its application identifier to the VPN end;
and a port determining module, configured to determine, if a feedback message containing an application identifier is received, the sandbox application end to which the source port belongs according to the application identifier in the feedback message.
In a fifth aspect, an embodiment of the present invention further provides a mobile terminal, where the mobile terminal includes:
one or more processors;
a memory for storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the VPN identification application method provided by any of the embodiments of the invention.
In a sixth aspect, embodiments of the present invention further provide a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform the VPN identification application method according to any of the embodiments of the present invention.
The method calls a set hook function when a network communication request is sent to a VPN (virtual private network) end and records, through the set hook function, the port information of the source port corresponding to the request in a memory; when a port source request sent by the VPN end is received, it queries whether the port information of the source port in the port source request exists in the memory, and if so sends a feedback message containing an application identifier to the VPN end, instructing the VPN end to determine, according to the application identifier in the feedback message, the sandbox application end to which the source port in the port source request belongs. By recording through the hook function the source port that the system allocated to the network communication, and by checking against the port information in the VPN end's port source request whether that source port belongs to the sandbox application end, the embodiment allows a device-level VPN to identify applications accurately without activating MDM and without going through the VPN server; because the VPN server takes no part in the interaction, its load is reduced and the information leakage risk that complicated VPN server policy configuration may cause is avoided.
Drawings
Fig. 1 is a flowchart of a VPN identification application method according to a first embodiment of the present invention;
Fig. 2 is a flowchart of another VPN identification application method according to a second embodiment of the present invention;
Fig. 3 is a flowchart of another VPN identification application method according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a VPN identification application apparatus according to a fourth embodiment of the present invention;
Fig. 5 is a schematic structural diagram of another VPN identification application apparatus according to a fifth embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a mobile terminal according to a sixth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not to be construed as limiting the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of a VPN identification application method according to a first embodiment of the present invention. This embodiment applies to the case where an application is identified by a system VPN, for example when working on a self-owned device (Bring Your Own Device, BYOD). The method may be executed by a VPN identification application device on the sandbox application side, which may be implemented in software and/or hardware and configured in a mobile terminal. As shown in Fig. 1, the method includes:
Step S110, when sending a network communication request to the VPN end, call the set hook function, and record, through the set hook function, the port information of the source port corresponding to the network communication request in the memory.
The VPN end may be a virtual private network established on the mobile terminal, configured to forward the network communication requests of the application ends. For example, a VPN end may be established on the mobile terminal in software, and an application end on the mobile terminal may forward its network communication requests through that VPN end. The mobile terminal may be a mobile phone, a tablet computer, a computer or other terminal equipment.
The sandbox application end may be an application that has been processed with hooking (Hook) techniques. For example, it may be an application that the user pays particular attention to, that is not trusted, or that has a history of network violations.
The network communication request may be a communication request sent by the sandbox application end to the VPN end when the sandbox application end establishes network communication with the VPN end. For example, it may be a network connection request or a data transmission request sent by the sandbox application end to the VPN end, in order to establish a connection with the VPN end or to forward data through it. Secure transmission of the network communication request between the sandbox application end and the VPN end is ensured on the basis of a transport layer protocol. The network communication request may be, without limitation, based on the HyperText Transfer Protocol (HTTP), the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP) or the Transmission Control Protocol/Internet Protocol (TCP/IP), among others.
The set hook function may be used to record in the memory, when the sandbox application end establishes network communication with the VPN end, the port information of the source port that the system allocated to the current network communication. A source port is a system resource of the mobile terminal, and at any given time a source port can be occupied by only one network communication. Port information is information that identifies a source port. For example, the set hook function may be a hook set on the kernel function that handles the network communication request, so that parsing that function yields the source port corresponding to the request. The system may be understood as the system installed on the mobile terminal, for example iOS or Android.
The memory may be the running memory of the sandbox application end, used to store the port information of the source port. Each sandbox application end may record, in its own memory and through the set hook function, the port information of the source port that the system allocated to its network communication.
Exemplarily, when an untrusted sandbox application end sends a network connection request or a data transmission request to the VPN end, the set hook function is called and records in the memory the port information of the source port corresponding to that request. When the VPN end later receives an IP datagram from the sandbox application end, it can parse the port information of the source port out of the IP datagram, send a port source request to the sandbox application end, and recognise from the sandbox application end's feedback message that the IP datagram comes from the untrusted sandbox application end, so that a device-level VPN achieves the effect of an application-level VPN.
Step S120, when a port source request sent by the VPN end is received, query whether the port information of the source port in the port source request exists in the memory; if so, perform step S130, otherwise perform step S140.
The port source request may be a request sent by the VPN end that contains the port information of a source port, and is used to query the affiliation between that source port and the application end.
Specifically, when a port source request sent by the VPN end is received, the port information of the source port in the request is obtained and compared with the port information stored in the memory to determine whether it exists there. If it exists in the memory of the sandbox application end, the source port belongs to that sandbox application end; if it does not, the source port does not belong to it.
Step S130, send a feedback message containing the application identifier to the VPN end, so as to instruct the VPN end to determine, according to the application identifier in the feedback message, the sandbox application end to which the source port in the port source request belongs.
The application identifier may be used to uniquely identify the sandbox application end.
Specifically, if the memory of the sandbox application end holds the port information in the port source request, that is, the sandbox application end has recorded that port information before, the source port corresponding to the port information belongs to the sandbox application end. The sandbox application end may then send the VPN end a feedback message containing its application identifier, which instructs the VPN end to determine, according to that identifier, that the source port in the port source request belongs to this sandbox application end.
For example, when the VPN end needs to identify which application end a source port belongs to, it may send a port source request to every application end. If a sandbox application end finds that the source port belongs to it, it may send a feedback message containing its application identifier to the VPN end, and the VPN end can determine from that identifier that the source port belongs to this sandbox application end.
For example, when the VPN end needs to determine whether the source port belongs to a specific sandbox application end, it may send a port source request directly to that sandbox application end. If the source port belongs to it, the sandbox application end may send a feedback message to the VPN end indicating that the source port belongs to this sandbox application end.
Step S140, end.
Alternatively, if the port information in the port source request does not exist in the memory, a non-local-end feedback message containing the application identifier may be sent to the VPN end, so as to instruct the VPN end to determine, according to the application identifier in that message, that the source port in the port source request does not belong to this sandbox application end.
Illustratively, when the VPN end needs to identify which application end a source port belongs to, it may send a port source request to every application end. If a sandbox application end finds that the source port does not belong to it, it may send a non-local-end feedback message to the VPN end. Once the VPN end has received non-local-end feedback messages from all sandbox application ends, it knows that the source port belongs to none of them.
For example, when the VPN end needs to determine whether the source port belongs to a specific sandbox application end, it may send a port source request directly to that sandbox application end. If the source port does not belong to it, the sandbox application end sends a non-local-end feedback message to the VPN end indicating that the source port does not belong to this sandbox application end. By sending either the feedback message or the non-local-end feedback message to the VPN end, the sandbox application end lets the VPN end know whether the source port belongs to that specific sandbox application end.
In this embodiment, when a network communication request is sent to a VPN (virtual private network) end, a set hook function is called and records in a memory the port information of the source port corresponding to the request; when a port source request sent by the VPN end is received, the memory is queried for the port information of the source port in the request; and if it is present, a feedback message containing an application identifier is sent to the VPN end to instruct it to determine, from that identifier, the sandbox application end to which the source port in the port source request belongs. By recording through the hook function the source port that the system allocated to the network communication, and by checking against the port information in the VPN end's port source request whether that source port belongs to the sandbox application end, the embodiment lets a device-level VPN identify applications accurately without activating MDM and without going through the VPN server; because the VPN server takes no part in the interaction, its load is reduced and the information leakage risk that complicated VPN server policy configuration may cause is avoided.
Example two
Fig. 2 is a flowchart of another VPN identification application method according to a second embodiment of the present invention, which refines the foregoing embodiment. As shown in Fig. 2, the method includes:
Step S210, when sending a network communication request to the VPN end, call the set hook function, and record, through the set hook function, the port information of the source port corresponding to the network communication request in the memory.
Optionally, when a network communication request is sent to the VPN end, the set hook function is called; the kernel function of the network connection request or data transmission request is obtained through the hook function, the kernel function is parsed to obtain the source port corresponding to the request, and the port information of the source port is stored in the memory.
The network communication request may include a network connection request and a data transmission request. The network connection request may be used to establish a connection between the sandbox application end and the VPN end. The data transmission request may be used to forward data through the VPN end.
The kernel function may be a subroutine built into the system to implement a system function and called by the application end. For example, the kernel function of a network connection request may be a connection function, and the kernel function of a data transmission request may be a transfer function. The connection function of the network connection request calls the subroutine in the system that connects to the VPN end; the transfer function of the data transmission request calls the subroutine in the system that transmits data through the VPN end.
Illustratively, when sending a network connection request or a data transmission request to the VPN end, the sandbox application end calls the hook function of the kernel function that processes that request, parses the kernel function to obtain the source port corresponding to the request, and stores the port information of the source port in the memory of the sandbox application end. In this embodiment, the hook function is used to parse the kernel function of the network connection request or data transmission request, so that at the moment the sandbox application end establishes a network connection or transmits data, the port information of the source port that the system allocated to the current network communication is recorded; since a source port is a system resource that can be occupied by only one network communication at a given time, the application to which network data belongs can be identified by its source port.
Alternatively, when a network connection request or a data transmission request is sent to the VPN end, the kernel function of that request is tracked; when the kernel function is detected being called, the set hook function corresponding to it is called, the kernel function is parsed through the hook function to obtain the source port corresponding to the request, and the port information of the source port is stored in the memory.
Specifically, instead of obtaining the kernel function of the network connection request or data transmission request through the hook function, the sandbox application end may only track the kernel function and directly call the corresponding set hook function when it detects that the kernel function is called, that is, when the sandbox application end sends the network connection request or data transmission request to the VPN end. This speeds up the invocation of the set hook function by the sandbox application end.
Step S220, store the port information and the request identifier of the network communication request in the memory in association with each other.
The request identifier is used to uniquely identify the network communication request. After the port information of the source port corresponding to the network communication request has been recorded in the memory through the set hook function, the port information and the request identifier are stored in the memory in association with each other, so that the VPN end can find out not only which application end a source port comes from but also which network communication request it comes from.
Optionally, when the port information and the request identifier of the network communication request are stored in the memory in association with each other, the method further includes:
storing the request identifier and the corresponding process information in the memory in association with each other;
when a process query request sent by the VPN (virtual private network) end is received, obtaining from the memory the process information corresponding to the request identifier in the process query request;
and sending a process feedback message containing the process information to the VPN end.
The process information may be information about each process involved in the network communication request, for example the process name, the process path, the execution parameters of the process, the user group and user name the process belongs to, the process start time, and the like.
Illustratively, the sandbox application end may store the request identifier and the corresponding process information in the memory in association with each other. After the VPN end has determined that the source port in the port source request belongs to the sandbox application end, it may send a process query request to that sandbox application end. On receiving the process query request, the sandbox application end obtains from the memory the process information corresponding to the request identifier in the request and returns a process feedback message containing that process information to the VPN end. Storing the process information corresponding to the network communication request in the memory lets the VPN end further query the process information of the network communication request.
Step S230, when a port source request sent by the VPN side is received, it is queried whether the port information of the source port in the port source request exists in the memory, if so, step S240 is executed, otherwise, step S250 is executed.
Step S240, determine the corresponding request identifier according to the port information of the source port in the port source request, and send a feedback message containing the application identifier and the request identifier to the VPN end, so as to instruct the VPN end to determine, according to the application identifier and the request identifier in the feedback message, that the source port in the port source request is occupied by the network communication request corresponding to the request identifier in the sandbox application end corresponding to the application identifier.
Specifically, the sandbox application end may determine the corresponding request identifier from the port information of the source port in the port source request, obtain that request identifier from the memory, and send both the application identifier and the request identifier to the VPN end in the feedback message. From the application identifier in the feedback message the VPN end determines that the source port belongs to the sandbox application end corresponding to that identifier, and from the request identifier it further determines that the source port is occupied by the network communication request corresponding to that identifier in that sandbox application end.
Illustratively, sandbox application end a sends to the VPN end a feedback message containing application identifier a1 and request identifier a2, where a1 uniquely identifies sandbox application end a and a2 uniquely identifies the network connection request a2 that sandbox application end a sent to the VPN end. On receiving the feedback message, the VPN end determines from a1 and a2 that the source port is occupied by network connection request a2 in sandbox application end a.
And step S250, ending.
When a network communication request is sent to a VPN end, the port information of the source port corresponding to that request is recorded through a set hook function, and the port information is stored in memory in association with a request identifier of the network communication request. When a port source request sent by the VPN end is received, the memory is queried for the port information of the source port in the port source request; if it exists, the corresponding request identifier is determined from that port information, and a feedback message containing the application identifier and the request identifier is sent to the VPN end, instructing the VPN end to determine, from the application identifier and the request identifier in the feedback message, that the source port in the port source request is occupied by the network communication request corresponding to the request identifier in the sandbox application end corresponding to the application identifier. The embodiment of the invention records, by calling the hook function, the source port that the system allocates to the network communication, stores the port information in association with the request identifier, and, if the source port belongs to the sandbox application end, sends the feedback message containing the application identifier and the request identifier to the VPN end, so that an ordinary device-level VPN end can identify application-level data without activating MDM.
This solves the problem that, when an application end needing to be identified accesses a plurality of service servers, the VPN server easily misses a specific policy configuration because of frequent interaction among the servers; it enables the VPN end to identify application-level data accurately, so that network data transmission on the mobile terminal is more accurate and stable network access of the application end is ensured.
Example three
Fig. 3 is a flowchart of another VPN identification application method according to a third embodiment of the present invention. This embodiment is applicable to cases such as a system VPN identifying applications in a bring-your-own-device (BYOD) scenario. The method may be executed by a VPN identification application device on the VPN end, and the device may be implemented in software and/or hardware and configured in the mobile terminal. As shown in fig. 3, the method includes:
step S310, reading the IP datagram from the VPN interface, and analyzing the IP datagram based on the transport layer protocol to obtain the port information of the source port.
The VPN interface may be a virtual network interface at the VPN side. The VPN side may read IP datagrams from the VPN interface.
Transport layer protocols may be used to provide a protocol basis for parsing IP datagrams. For example, transport layer protocols may include, but are not limited to, TCP, UDP, and TCP/IP, among others. The VPN side may parse the IP datagram based on a transport layer protocol, and may obtain port information of a source port in the IP datagram.
Step S320, sending a port source request including the port information to each application end, so as to query whether the memory of the application end has the port information of the source port or not through each application end, and sending a feedback message including the application identifier to the VPN end when the port information exists.
The application end may be an application on the mobile terminal, and may include a sandbox application end and other application ends. Other application terminals may be application terminals that are not of major interest to the user, are trusted, or have good historical internet behavior, etc.
Specifically, the VPN end sends a port source request to each application end, where the port source request at least includes the parsed port information. Each application end can query whether the port information exists in its own memory according to the port information in the port source request; if the port information can be found, the application end is a sandbox application end, and the sandbox application end can send a feedback message containing an application identifier to the VPN end.
Step S330, if a feedback message containing the application identifier is received, determining the sandbox application end to which the source port belongs according to the application identifier in the feedback message.
Specifically, if the VPN end receives a feedback message including an application identifier, it may determine that the IP datagram is from the sandbox application end according to the feedback message, and further determine, according to the application identifier in the feedback message, a sandbox application end to which the source port in the IP datagram belongs.
Optionally, after determining the sandbox application end corresponding to the source port according to the application identifier in the feedback message, the method further includes:
judging whether the application identifier of the sandbox application end is in an application white list or not, and determining whether the IP datagram of the sandbox application end is illegal data needing to be intercepted or not according to a judgment result;
if the application identification of the sandbox application end is not in the application white list, intercepting the IP datagram of the sandbox application end;
and if the application identifier of the sandbox application end is in the application white list, correspondingly processing the IP datagram of the sandbox application end.
The application whitelist may be used to store application identifications of trusted applications. In this embodiment, the obtained application identifier is filtered through the application white list, and for the sandbox application end corresponding to the application identifier in the application white list, corresponding processing is performed according to the obtained IP datagram, for example, data is forwarded based on the IP datagram. And for the sandbox application end corresponding to the application identifier which is not in the application white list, the IP datagram of the sandbox application end is intercepted, so that the potential safety hazard of a communication network is reduced, and the safety of data forwarding of the VPN end is improved.
The embodiment of the invention obtains the port information of a source port by reading the IP datagram from the VPN interface and parsing the IP datagram based on a transport layer protocol; sends a port source request containing the port information to each application end, so that each application end queries whether the port information of the source port exists in its memory and sends a feedback message containing an application identifier to the VPN end when it does; and, if a feedback message containing an application identifier is received, determines the sandbox application end to which the source port belongs according to the application identifier in the feedback message. In the prior art, the source of an IP datagram read by the VPN end is unknown: on the same mobile terminal, when the VPN end receives two or more IP datagrams that access the same address, it cannot distinguish the application ends to which the datagrams belong. In this embodiment, the port information of the source port in the IP datagram is parsed and the sandbox application end to which the source port belongs is determined from the feedback message sent by that sandbox application end. This solves the problem that a device-level VPN cannot distinguish different application ends accessing the same address on the same mobile terminal, lets the device-level VPN identify applications accurately without activating MDM and without going through the VPN server, reduces the load on the VPN server because it is not involved in the exchange, and avoids the information leakage risk that complicated policy configuration on the VPN server may cause.
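The two-sided exchange described in the second and third embodiments, modelled in one process as an added example; this is not code from the patent or from the assignee. The sandbox application end records the source port and a request identifier at connect time (the hook-function step) and answers port source requests and process queries; the VPN end parses the source port out of an IPv4 datagram, asks each registered application end, and applies the application white list. The class names, the message dictionaries, the direct method calls standing in for inter-process messages, and the constructed IPv4/TCP/UDP datagrams are all assumptions made for illustration; a real hook would read the kernel-assigned source port rather than being handed one.

```python
import struct
import uuid


class SandboxApp:
    """Sandbox application end (assumed name): keeps the port table and the
    request-id -> process-info table described in the embodiments."""

    def __init__(self, app_id, process_info):
        self.app_id = app_id              # application identifier
        self.process_info = process_info  # constructed process information
        self.port_table = {}              # (proto, src_port) -> request_id
        self.process_table = {}           # request_id -> process info

    def hooked_connect(self, proto, src_port):
        """Stand-in for the set hook function on connect()/sendto().
        Here the source port is passed in; a real hook would read the
        kernel-assigned port from the socket. Returns the request id."""
        request_id = uuid.uuid4().hex
        self.port_table[(proto, src_port)] = request_id
        self.process_table[request_id] = self.process_info
        return request_id

    def on_port_source_request(self, proto, src_port):
        """Steps S230/S240: answer only if the port is in memory."""
        request_id = self.port_table.get((proto, src_port))
        if request_id is None:
            return None
        return {"app_id": self.app_id, "request_id": request_id}

    def on_process_query(self, request_id):
        return {"process_info": self.process_table.get(request_id)}


def build_ipv4_datagram(proto, src_port, dst_port, payload=b""):
    """Constructed test input: a minimal IPv4 header (no options) followed by
    a TCP (6) or UDP (17) header. Checksums are left at zero."""
    l4_len = 20 if proto == 6 else 8
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len + len(payload),
                         0, 0, 64, proto, 0,
                         bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    if proto == 6:
        # data offset 5 (20 bytes), SYN flag set, window 65535
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         0x50, 0x02, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    return ip_hdr + l4 + payload


def parse_source_port(datagram):
    """Step S310: read the transport-layer source port of an IPv4 datagram.
    Returns (proto, src_port); rejects non-IPv4, non-TCP/UDP or truncated input."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        raise ValueError("only IPv4 is handled in this example")
    ihl = (datagram[0] & 0x0F) * 4      # header length incl. options
    proto = datagram[9]
    if proto not in (6, 17):
        raise ValueError("not TCP/UDP")
    if len(datagram) < ihl + 4:
        raise ValueError("truncated transport header")
    return proto, struct.unpack("!H", datagram[ihl:ihl + 2])[0]


class VpnEnd:
    """VPN end (assumed name): identifies the application behind a datagram
    and applies the application white list of the third embodiment."""

    def __init__(self, app_ends, whitelist):
        self.app_ends = list(app_ends)
        self.whitelist = set(whitelist)

    def classify(self, datagram):
        """Steps S320/S330 plus the white-list check; returns a decision."""
        proto, src_port = parse_source_port(datagram)
        for app in self.app_ends:                     # port source request
            fb = app.on_port_source_request(proto, src_port)
            if fb is None:
                continue
            action = "forward" if fb["app_id"] in self.whitelist else "intercept"
            return {"app_id": fb["app_id"],
                    "request_id": fb["request_id"], "action": action}
        # no sandbox application end claimed the port
        return {"app_id": None, "request_id": None, "action": "unidentified"}


if __name__ == "__main__":
    mail = SandboxApp("com.example.mail", {"pid": 1234, "name": "mail"})
    game = SandboxApp("com.example.game", {"pid": 5678, "name": "game"})
    rid = mail.hooked_connect(6, 40001)
    game.hooked_connect(17, 40002)
    vpn = VpnEnd([mail, game], whitelist=["com.example.mail"])
    print(vpn.classify(build_ipv4_datagram(6, 40001, 443)))   # forward
    print(vpn.classify(build_ipv4_datagram(17, 40002, 53)))   # intercept
    print(vpn.classify(build_ipv4_datagram(6, 40003, 80)))    # unidentified
    print(mail.on_process_query(rid))
```

The example models only the matching logic: it takes every feedback message at face value and never consults a VPN server, which is the point of the embodiment. A datagram whose source port no registered application end claims is reported as unidentified rather than guessed at, and the parser refuses IPv6, non-TCP/UDP and truncated datagrams instead of reading a port out of unrelated bytes.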
Example four
Fig. 4 is a schematic structural diagram of a VPN identification application apparatus according to a fourth embodiment of the present invention. The apparatus can be implemented in software and/or hardware, is applied to a sandbox application end, can generally be integrated in a mobile terminal, and, by executing a VPN identification application method, lets a device-level VPN identify applications accurately without activating MDM and without going through a VPN server. As shown in fig. 4, the apparatus includes:
a port recording module 410, configured to call a set hook function when sending a network communication request to a VPN side, and record port information of a source port corresponding to the network communication request in a memory through the set hook function;
a port query module 420, configured to, when a port source request sent by the VPN side is received, query whether port information of a source port in the port source request exists in the memory;
and a message feedback module 430, configured to send a feedback message including an application identifier to the VPN side, if the feedback message exists, so as to instruct the VPN side to determine, according to the application identifier in the feedback message, a sandbox application side to which the source port in the port source request belongs.
Optionally, the port recording module 410 is specifically configured to:
and acquiring a kernel function of the network connection request or the data transmission request through the hook function, analyzing the kernel function to acquire a source port corresponding to the network connection request or the data transmission request, and storing port information of the source port in a memory.
Optionally, the apparatus further comprises:
a request identifier storage module, configured to, after recording, in a memory, port information of a source port corresponding to the network communication request through the set hook function, associate and store, in the memory, the port information and a request identifier of the network communication request;
correspondingly, the message feedback module 430 is specifically configured to:
and determining a corresponding request identifier according to port information of a source port in the port source request, and sending a feedback message containing an application identifier and the request identifier to the VPN terminal so as to indicate the VPN terminal to determine that the source port in the port source request is occupied by a network communication request corresponding to the request identifier in a sandbox application terminal corresponding to the application identifier according to the application identifier and the request identifier in the feedback message.
Optionally, the apparatus further comprises:
the process storage module is used for storing the request identifier and the corresponding process information in the memory in a correlation manner when the port information and the request identifier of the network communication request are stored in the memory in a correlation manner;
the process query module is used for acquiring process information corresponding to a request identifier in a process query request from the memory when the process query request sent by the VPN terminal is received;
and the process message sending module is used for sending a process feedback message containing the process information to the VPN terminal.
The VPN identification application device provided by the embodiment of the invention can execute the VPN identification application method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Example five
Fig. 5 is a schematic structural diagram of another VPN identification application apparatus according to a fifth embodiment of the present invention. The apparatus can be implemented in software and/or hardware, is applied to a VPN end, can generally be integrated in a mobile terminal, and, by executing a VPN identification application method, lets a device-level VPN identify applications accurately without activating MDM and without going through a VPN server. As shown in fig. 5, the apparatus includes:
a datagram parsing module 510, configured to read an IP datagram from a VPN interface, parse the IP datagram based on a transport layer protocol, and obtain port information of a source port;
a request sending module 520, configured to send a port source request including the port information to each application end, so as to query whether the port information of the source port exists in a memory of the application end through each application end, and send a feedback message including an application identifier to the VPN end when the port information exists;
the port determining module 530 is configured to determine, if a feedback message including an application identifier is received, a sandbox application end to which the source port belongs according to the application identifier in the feedback message.
Optionally, the apparatus further comprises:
a white list judgment module, configured to judge whether an application identifier of the sandbox application end is in an application white list after determining the sandbox application end corresponding to the source port according to the application identifier in the feedback message, and determine whether an IP datagram of the sandbox application end is violation data that needs to be intercepted according to a judgment result;
and a datagram interception processing module, configured to intercept the IP datagram of the sandbox application end if the application identifier of the sandbox application end is not in the application white list.
The VPN identification application device provided by the embodiment of the invention can execute the VPN identification application method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Example six
Fig. 6 is a schematic structural diagram of a mobile terminal according to a sixth embodiment of the present invention. As shown in fig. 6, the mobile terminal includes a processor 600, a memory 610, an input device 620, and an output device 630. The mobile terminal may have one or more processors 600; one processor 600 is taken as an example in fig. 6. The processor 600, the memory 610, the input device 620 and the output device 630 in the mobile terminal may be connected by a bus or other means; connection by a bus is taken as the example in fig. 6.
The memory 610 may be used as a computer-readable storage medium for storing software programs, computer-executable programs, and modules, such as program instructions and/or modules corresponding to the VPN identification application method in the embodiment of the present invention (for example, the port recording module 410, the port query module 420, and the message feedback module 430 in the VPN identification application device applied to the sandbox application side, and the datagram parsing module 510, the request transmission module 520, and the port determination module 530 in the VPN identification application device applied to the VPN side). The processor 600 executes various functional applications and data processing of the mobile terminal by executing software programs, instructions and modules stored in the memory 610, that is, implements the VPN identification application method described above.
The memory 610 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system and an application program required for at least one function, and the data storage area may store data created according to the use of the terminal, and the like. Further, the memory 610 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the memory 610 may further include memory located remotely from the processor 600, which may be connected to the mobile terminal through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 620 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the mobile terminal. The output device 630 may include a display device such as a display screen.
Example seven
An embodiment of the present invention further provides a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform a VPN identification application method, including:
when a network communication request is sent to a VPN (virtual private network) end, a set hook function is called, and port information of a source port corresponding to the network communication request is recorded in a memory through the set hook function;
when a port source request sent by the VPN terminal is received, inquiring whether port information of a source port in the port source request exists in the memory;
and if so, sending a feedback message containing the application identifier to the VPN terminal so as to indicate the VPN terminal to determine the sandbox application terminal to which the source port belongs in the port source request according to the application identifier in the feedback message.
Of course, the storage medium containing the computer-executable instructions provided by the embodiments of the present invention is not limited to the method operations described above, and may also perform related operations in the VPN identification application method provided by any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the VPN identification application apparatus, the included units and modules are only divided according to functional logic, but are not limited to the above division, as long as the corresponding functions can be implemented; in addition, the specific names of the functional units are only for the convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
It is to be noted that the foregoing description is only exemplary of the invention and that the principles of the technology may be employed. Those skilled in the art will appreciate that the present invention is not limited to the particular embodiments described herein, and that various obvious changes, rearrangements and substitutions will now be apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A VPN identification application method is characterized in that the method is applied to a sandbox application end and comprises the following steps:
when a network communication request is sent to a Virtual Private Network (VPN) end, a set hook function is called, and port information of a source port corresponding to the network communication request is recorded in a memory through the set hook function;
when a port source request sent by the VPN terminal is received, inquiring whether port information of a source port in the port source request exists in the memory;
and if so, sending a feedback message containing the application identifier to the VPN terminal so as to indicate the VPN terminal to determine the sandbox application terminal to which the source port belongs in the port source request according to the application identifier in the feedback message.
2. The method of claim 1, wherein the recording port information of the source port corresponding to the network communication request in a memory through the set hook function comprises:
and acquiring a kernel function of the network connection request or the data transmission request through the hook function, analyzing the kernel function to acquire a source port corresponding to the network connection request or the data transmission request, and storing port information of the source port in a memory.
3. The method of claim 1, further comprising, after recording port information of a source port corresponding to the network communication request in a memory through the set hook function, the method further comprising:
the port information and the request identification of the network communication request are stored in a memory in a correlated mode;
correspondingly, the sending a feedback message including an application identifier to the VPN terminal to instruct the VPN terminal to determine, according to the application identifier in the feedback message, a sandbox application terminal to which the source port in the port source request belongs, includes:
and determining a corresponding request identifier according to port information of a source port in the port source request, and sending a feedback message containing an application identifier and the request identifier to the VPN terminal so as to indicate the VPN terminal to determine that the source port in the port source request is occupied by a network communication request corresponding to the request identifier in a sandbox application terminal corresponding to the application identifier according to the application identifier and the request identifier in the feedback message.
4. The method of claim 3, wherein, when the port information and the request identifier of the network communication request are stored in the memory in an associated manner, the method further comprises:
the request identification and the corresponding process information are stored in a memory in an associated mode;
when a process query request sent by the VPN terminal is received, acquiring process information corresponding to a request identifier in the process query request from the memory;
and sending a process feedback message containing the process information to the VPN terminal.
5. A VPN identification application method is applied to a VPN end and comprises the following steps:
reading an Internet Protocol (IP) datagram from a Virtual Private Network (VPN) interface, and parsing the IP datagram based on a transport layer protocol to obtain port information of a source port;
sending a port source request containing the port information to each application end, so as to inquire whether the port information of the source port exists in a memory of the application end through each application end, and sending a feedback message containing an application identifier to the VPN end when the port information exists;
and if a feedback message containing an application identifier is received, determining a sandbox application end to which the source port belongs according to the application identifier in the feedback message.
6. The method of claim 5, wherein after determining the sandboxed application corresponding to the source port according to the application identifier in the feedback message, further comprising:
judging whether the application identifier of the sandbox application end is in an application white list or not, and determining whether the IP datagram of the sandbox application end is illegal data needing to be intercepted or not according to a judgment result;
and if the application identifier of the sandbox application end is not in the application white list, intercepting the IP datagram of the sandbox application end.
7. A sandbox application end device is applied to a sandbox application end, and comprises the following components:
the port recording module is used for calling a set hook function when a network communication request is sent to a VPN (virtual private network) end, and recording port information of a source port corresponding to the network communication request in a memory through the set hook function;
a port query module, configured to query whether port information of a source port in a port source request exists in the memory when the port source request sent by the VPN end is received;
and the message feedback module is used for sending a feedback message containing the application identifier to the VPN terminal if the port source request exists so as to indicate the VPN terminal to determine the sandbox application terminal to which the source port belongs in the port source request according to the application identifier in the feedback message.
8. A sandbox application end device is applied to a VPN end, and comprises the following components:
the datagram analysis module is used for reading the IP datagram from the VPN interface and analyzing the IP datagram based on a transport layer protocol to obtain port information of a source port;
a request sending module, configured to send a port source request including the port information to each application end, so as to query, by each application end, whether the port information of the source port exists in a memory of the application end, and send a feedback message including an application identifier to the VPN end when the port information exists;
and the port determining module is used for determining the sandbox application end to which the source port belongs according to the application identifier in the feedback message if the feedback message containing the application identifier is received.
9. A mobile terminal, characterized in that the mobile terminal comprises:
one or more processors;
a memory for storing one or more programs,
which, when executed by the one or more processors, cause the one or more processors to implement the VPN identification application method of any of claims 1-6.
10. A storage medium containing computer-executable instructions for performing the VPN identification application method according to any one of claims 1-6 when executed by a computer processor.
CN202011474203.6A 2020-12-14 2020-12-14 VPN identification application method, device, terminal and storage medium Active CN112653609B (en)
Publications (2)

Publication Number Publication Date
CN112653609A CN112653609A (en) 2021-04-13
CN112653609B true CN112653609B (en) 2022-05-27

Family

ID=75354032

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011474203.6A Active CN112653609B (en) 2020-12-14 2020-12-14 VPN identification application method, device, terminal and storage medium

Country Status (1)

Country Link
CN (1) CN112653609B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115037572B (en) * 2022-05-24 2023-11-14 成都天空卫士网络安全技术有限公司 Application request identification method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014047168A1 (en) * 2012-09-18 2014-03-27 Citrix Systems, Inc. Mobile device management and security
CN108509802A (en) * 2018-02-28 2018-09-07 郑州信大捷安信息技术股份有限公司 A kind of application data divulgence prevention method and device
CN108667708A (en) * 2018-04-19 2018-10-16 国家计算机网络与信息安全管理中心 The acquisition analysis system and capturing analysis method of one kind of multiple VPN flows
CN111800490A (en) * 2020-06-23 2020-10-20 深信服科技股份有限公司 Method and device for acquiring network behavior data and terminal equipment

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2264956B1 (en) * 2004-07-23 2017-06-14 Citrix Systems, Inc. Method for securing remote access to private networks
US8990901B2 (en) * 2012-05-05 2015-03-24 Citrix Systems, Inc. Systems and methods for network filtering in VPN
US8997208B2 (en) * 2013-08-15 2015-03-31 Mocana Corporation Gateway device for terminating a large volume of VPN connections
US9735943B2 (en) * 2015-05-11 2017-08-15 Citrix Systems, Inc. Micro VPN tunneling for mobile platforms
US9906560B2 (en) * 2015-08-28 2018-02-27 Nicira, Inc. Distributing remote device management attributes to service nodes for service rule processing
CN105323261A (en) * 2015-12-15 2016-02-10 北京奇虎科技有限公司 Data detection method and device
CN108063712B (en) * 2016-11-09 2021-01-08 北京国双科技有限公司 Method and device for sending network request
CN110300045A (en) * 2018-03-23 2019-10-01 腾讯科技(深圳)有限公司 Network accelerating method, device, equipment and the readable medium of application program
US10742595B2 (en) * 2018-04-20 2020-08-11 Pulse Secure, Llc Fully qualified domain name-based traffic control for virtual private network access control
CN109347817B (en) * 2018-10-12 2021-06-25 厦门安胜网络科技有限公司 Method and device for network security redirection

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014047168A1 (en) * 2012-09-18 2014-03-27 Citrix Systems, Inc. Mobile device management and security
CN108509802A (en) * 2018-02-28 2018-09-07 郑州信大捷安信息技术股份有限公司 Application data leakage prevention method and device
CN108667708A (en) * 2018-04-19 2018-10-16 国家计算机网络与信息安全管理中心 Acquisition and analysis system and method for multiple kinds of VPN traffic
CN111800490A (en) * 2020-06-23 2020-10-20 深信服科技股份有限公司 Method and device for acquiring network behavior data and terminal equipment

Also Published As

Publication number Publication date
CN112653609A (en) 2021-04-13

Similar Documents

Publication Publication Date Title
CN110445770B (en) Network attack source positioning and protecting method, electronic equipment and computer storage medium
CN106936791B (en) Method and device for intercepting malicious website access
US9185093B2 (en) System and method for correlating network information with subscriber information in a mobile network environment
US20210144120A1 (en) Service resource scheduling method and apparatus
US10862854B2 (en) Systems and methods for using DNS messages to selectively collect computer forensic data
CN110519265B (en) Method and device for defending attack
US20120030351A1 (en) Management server, communication cutoff device and information processing system
US9338657B2 (en) System and method for correlating security events with subscriber information in a mobile network environment
CN113301012B (en) Network threat detection method and device, electronic equipment and storage medium
CN108429739B (en) Method, system and terminal equipment for identifying honeypots
CN109246078B (en) Data interaction method and server
CN112653609B (en) VPN identification application method, device, terminal and storage medium
US9942766B1 (en) Caller validation for end service providers
CN111064729B (en) Message processing method and device, storage medium and electronic device
CN114070624A (en) Message monitoring method and device, electronic equipment and medium
CN113259386A (en) Malicious request intercepting method and device and computer equipment
CN110768983B (en) Message processing method and device
CN113923008B (en) Malicious website interception method, device, equipment and storage medium
CN117294672A (en) Method, device, medium and equipment for parallel network communication of same IP address
CN110098982B (en) Link state providing method, device, router and computer readable storage medium
KR20120012229A (en) Apparatus and method for dropping transmission and reception of unnecessary packets
CN116132136A (en) Network debugging method, device, system and electronic equipment
CN115643079A (en) Data packet security risk detection method and device, electronic equipment and storage medium
CN117527655A (en) NAT type detection method and device and electronic equipment
CN117336215A (en) Network data auditing method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant