CN114301690B - Dynamic network isolation method and device, storage medium and terminal equipment - Google Patents

Info

Publication number: CN114301690B
Authority: CN (China)
Prior art keywords: identity, network, path planning, network node, data processing
Legal status: Active
Application number: CN202111640731.9A
Other languages: Chinese (zh)
Other versions: CN114301690A
Inventors: 余航, 金华敏, 王帅, 邓晓东, 张昊迪
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure relates to the technical field of network security, and in particular relates to a dynamic network isolation method, a dynamic network isolation device, a storage medium and terminal equipment. The method comprises the following steps: receiving a data processing request of a transmitting end; wherein the data processing request includes: a transmitting end identity and a target end identity; carrying out identity verification on the sender identity and the target identity by using a blockchain; when the identity verification is passed, receiving an operation instruction of a transmitting end, and analyzing the operation instruction to obtain a network node sequence table; and carrying out path planning based on the network node sequence table to obtain a routing table, and establishing a tunnel network between a receiving end and a target end according to the routing table. The present disclosure enables dynamic isolation of a network.

Description

Dynamic network isolation method and device, storage medium and terminal equipment
Technical Field
The disclosure relates to the technical field of network security, and in particular relates to a dynamic network isolation method, a dynamic network isolation device, a storage medium and terminal equipment.
Background
In existing network isolation schemes, the traditional static network isolation method can only construct an isolated network with a computer or a virtual instance as the unit, and because of the high isolation cost it is difficult to apply to east-west traffic within the same network, so the lateral spread of threats cannot be effectively prevented. Moreover, as the number of assets on an enterprise cloud increases rapidly, the traffic pressure on centralized identity management increases significantly, which poses a hidden danger to availability; distributed identity management, while addressing the availability problem, in turn increases the security risk.
Accordingly, there is a need in the art to provide an effective network isolation scheme.
It should be noted that the information disclosed in the above background section is only for enhancing understanding of the background of the present disclosure and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The present disclosure is directed to a dynamic network isolation method, a dynamic network isolation device, a storage medium, and a terminal device, which are capable of implementing dynamic isolation of a network, thereby overcoming, at least to some extent, drawbacks due to limitations and drawbacks of the related art.
Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the practice of the disclosure.
According to a first aspect of the present disclosure, there is provided a dynamic network isolation method, the method comprising:
receiving a data processing request of a transmitting end; wherein the data processing request includes: a transmitting end identity and a target end identity;
carrying out identity verification on the sender identity and the target identity by using a blockchain;
when the identity verification is passed, receiving an operation instruction of a transmitting end, and analyzing the operation instruction to obtain a network node sequence table;
and carrying out path planning based on the network node sequence table to obtain a routing table, and establishing a tunnel network between a receiving end and a target end according to the routing table.
In an exemplary embodiment of the present disclosure, the performing identity verification on the sender identity and the target identity by using a blockchain includes:
pulling identity information files of a sending end and a target end from the blockchain according to the sending end identity and the target identity;
identity verification is carried out by utilizing the identity information files of the sending end and the target end; wherein, the identity information file includes: any one or a combination of any multiple of identity, de-centralized identity DID, service port information and key information.
In an exemplary embodiment of the disclosure, the performing path planning based on the network node sequence table to obtain a routing table includes:
calculating the limit of the sub-network node in a reverse search mode by taking the target end as a starting point, and selecting the sub-network node corresponding to the minimum value of the limit to be configured as the next network node; repeating the calculation mode to complete the path planning.
In an exemplary embodiment of the present disclosure, the calculating the limitation of the sub-network node includes:
$K = \min(g(v), \mathrm{rhs}(v)) + h(v, v_{\mathrm{start}})$
where $g(v)$ is the cost from the current network node $v$ to the end point of the path plan; $\mathrm{rhs}(v)$ is the minimum cost for the end point of the path plan to reach the current network node via its parent node; and $h(v, v_{\mathrm{start}})$ is the minimum cost from the current network node to each communication application, without regard to the communication order.
In an exemplary embodiment of the present disclosure, the method further comprises:
the proxy and the identity are deployed for the network node in advance.
According to a second aspect of the present disclosure, there is provided a dynamic network isolation method, the method comprising:
transmitting a data processing request to a dynamic network path planning center; wherein the data processing request includes: a transmitting end identity and a target end identity;
after receiving feedback from the dynamic network path planning center that identity verification has passed, sending an operation instruction to the dynamic network path planning center, so that the dynamic network path planning center analyzes the operation instruction, carries out path planning based on the analysis result, and constructs a tunnel network between the receiving end and the target end;
and carrying out data transmission based on the tunnel network.
According to a third aspect of the present disclosure, there is provided a dynamic network isolation device, the device comprising:
the data processing request receiving module is used for receiving a data processing request of the transmitting end; wherein the data processing request includes: a transmitting end identity and a target end identity;
the identity verification module is used for carrying out identity verification on the sending end identity and the target identity by using a blockchain;
the operation instruction analysis module is used for receiving the operation instruction of the transmitting end and analyzing the operation instruction to acquire a network node sequence table when the identity verification is passed;
and the path planning module is used for carrying out path planning based on the network node sequence table to obtain a routing table, and establishing a tunnel network between a receiving end and a target end according to the routing table.
According to a fourth aspect of the present disclosure, there is provided a dynamic network isolation device, the device comprising:
the data processing request sending module is used for sending a data processing request to the dynamic network path planning center; wherein the data processing request includes: a transmitting end identity and a target end identity;
the operation instruction sending module is used for sending an operation instruction to the dynamic network path planning center after the dynamic network path planning center passes the identity verification, analyzing the operation instruction by the dynamic network path planning center, planning a path based on an analysis result, and constructing tunnel networks of the receiving end and the target end;
and the data transmission module is used for carrying out data transmission based on the tunnel network.
According to a fifth aspect of the present disclosure, there is provided a storage medium having stored thereon a computer program which, when executed by a processor, implements the dynamic network isolation method in the first aspect described above.
According to a sixth aspect of the present disclosure, there is provided a storage medium having stored thereon a computer program which, when executed by a processor, implements the dynamic network isolation method in the above second aspect.
According to a seventh aspect of the present disclosure, there is provided a terminal device comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the dynamic network isolation method of the first aspect described above via execution of the executable instructions.
According to an eighth aspect of the present disclosure, there is provided a terminal device comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the dynamic network isolation method of the second aspect described above via execution of the executable instructions.
In the dynamic network isolation method provided by the embodiment of the disclosure, when a data processing request of a transmitting end is received, firstly, the identities of the transmitting end and a target end can be verified according to the identity information in the data processing request; when the identity verification is passed, receiving an operation instruction of a transmitting end, and analyzing the operation instruction to obtain a network node sequence table; and path planning is carried out according to network nodes to obtain a routing table and update the routing table so as to switch on the network, thereby establishing a tunnel network between a transmitting end and a target end and realizing dynamic network isolation.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure. It will be apparent to those of ordinary skill in the art that the drawings in the following description are merely examples of the disclosure and that other drawings may be derived from them without undue effort.
FIG. 1 schematically illustrates a schematic diagram of a dynamic network isolation method performed by a dynamic network path planning center in an exemplary embodiment of the present disclosure;
FIG. 2 schematically illustrates a system architecture diagram in an exemplary embodiment of the present disclosure;
fig. 3 schematically illustrates a schematic diagram of a dynamic network isolation method performed by a terminal in an exemplary embodiment of the present disclosure;
FIG. 4 schematically illustrates a schematic diagram of a dynamic network isolation device configured in a dynamic network path planning center in an exemplary embodiment of the present disclosure;
fig. 5 schematically illustrates a schematic diagram of a dynamic network isolation device configured in a terminal according to an exemplary embodiment of the present disclosure;
fig. 6 schematically illustrates a composition diagram of a terminal device in an exemplary embodiment of the present disclosure;
fig. 7 schematically illustrates a schematic diagram of a storage medium in an exemplary embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software or in one or more hardware modules or integrated circuits or in different networks and/or processor devices and/or microcontroller devices.
In the related art, the conventional static network isolation method can only construct an isolated network with a computer or a virtual instance as the unit, and because of the high isolation cost it is difficult to apply to east-west traffic within the same network, so the lateral spread of threats cannot be effectively prevented. Meanwhile, as the number of assets on the enterprise cloud increases rapidly, the traffic pressure on centralized identity management increases markedly and poses a hidden danger to availability; distributed identity management, while addressing the availability problem, in turn increases the security risk.
In view of the foregoing disadvantages and shortcomings of the prior art, a dynamic network isolation method is provided in the present exemplary embodiment. Referring to fig. 1, the dynamic network isolation method described above may include the steps of:
step S11, receiving a data processing request of a transmitting end; wherein the data processing request includes: a transmitting end identity and a target end identity;
step S12, carrying out identity verification on the sender identity and the target identity by using a blockchain;
step S13, when the identity verification passes, receiving an operation instruction of a transmitting end, and analyzing the operation instruction to obtain a network node sequence table;
and step S14, path planning is carried out based on the network node sequence table to obtain a routing table, and a tunnel network is established between a receiving end and a target end according to the routing table.
In the dynamic network isolation method provided in this example embodiment, when a data processing request of a transmitting end is received, identity of the transmitting end and identity of a target end may be verified according to identity information in the data processing request; when the identity verification is passed, receiving an operation instruction of a transmitting end, and analyzing the operation instruction to obtain a network node sequence table; and path planning is carried out according to network nodes to obtain a routing table and update the routing table so as to switch on the network, thereby establishing a tunnel network between a transmitting end and a target end and realizing dynamic network isolation.
The steps of the dynamic network isolation method in the present exemplary embodiment will be described in more detail with reference to the accompanying drawings and examples.
In some exemplary embodiments, referring to the system architecture shown in fig. 2, a dynamic network path planning center 201 may be provided, which may be a distributed service server or a network device such as a cloud server. The server can deploy an Agent for network communication and assign and manage an identity for each communication node in advance; when a communication application first joins the network, its identity must be stored in the blockchain and a corresponding identity information file (Document) generated. Alternatively, when a user creates a new container in the cloud or a terminal creates a new application instance, an endorsement signature for the identity of the new instance can be obtained automatically from the center, and the identity of the new instance together with its Document stored on the blockchain.
In step S11, a data processing request of a transmitting end is received; wherein the data processing request includes: a sender identity and a target identity.
In this example embodiment, the dynamic network isolation method described above may be performed on the server side hosting the dynamic network path planning center. Referring to fig. 2, the sending end 202 may be an intelligent terminal device on the user side; for example, the data processing request may be a request for a verification code from a service server during the login process of an application program or while handling other services. Alternatively, the sender may be an IoT (Internet of Things) device; for example, the data processing request may be a control instruction from one IoT device to another IoT device in the internet of things. Of course, in other exemplary embodiments of the present disclosure, the sending end may also be another terminal device, for example a service server, and the data processing request may be an update instruction for an application program sent by the service server to the user-side intelligent terminal device, and so on. Alternatively, as shown in fig. 2, the target end may be one or more application instances in the cloud. The present disclosure does not particularly limit the specific form of the receiving end and the transmitting end, or the specific content of the data processing request.
For the transmitting end, when determining that communication is currently required according to actual communication requirements, the transmitting end may first send a data processing request to the dynamic network path planning center. For the dynamic network path planning center, the data processing request uploaded by each transmitting end can be received. The data processing request at least comprises a sending end identity and a target end identity. The target terminal is a counterpart terminal for which the transmitting terminal desires to communicate.
In step S12, the blockchain is used to perform identity verification on the sender identity and the target identity.
In this example embodiment, the step S12 may include:
step S121, the identity information files of the sending end and the target end are pulled from the blockchain according to the sending end identity and the target identity;
step S122, identity verification is carried out by using the identity information files of the sending end and the target end; wherein, the identity information file includes: any one or a combination of any multiple of identity, de-centralized identity DID, service port information and key information.
Specifically, referring to fig. 2, the blockchain may be an identity storage chain 203 for storing the terminal identity information files. After receiving the data processing request, the dynamic network path planning center can extract the identity of the sending end and the identity of the target end from the data processing request, then interact with the blockchain, pull the identity information files of the sending end and the target end using those identities, and check the identity information files. Specifically, if an identity information file is successfully pulled from the blockchain using the identity, the preliminary verification of the sending end and the target end succeeds and the identities of the two communicating parties can be trusted; if instead the dynamic network path planning center fails to pull an identity information file from the blockchain, a feedback message that the identity information file does not exist is sent to the sending end.
For example, in the identity information file, an identity of the terminal may be included; the DID can be a document identification of the identity information file; in addition, public key information of the DID, a service interface, and a network address and interface plan corresponding to the DID may also be included.
For the acquired identity information files corresponding to the sending end and the target end, the service port data can be verified first to judge whether the port data are compliant. Secondly, the decentralized identity DID may also be verified. In addition, the key information can be used to encrypt, decrypt and verify the identity information. After each item of content in the identity information file passes verification, the identities of the sending end and the target end are determined to be legitimate. If any item of verification in the identity information file fails, feedback information of the authentication failure is sent to the sending end.
Alternatively, in some exemplary embodiments, the data processing request sent by the sender may further include an encrypted data string. After extracting the key data from the identity information file, the dynamic network path planning center can decrypt and verify the encrypted data string using the key data.
In step S13, when the authentication passes, an operation instruction of the transmitting end is received, and the operation instruction is parsed to obtain a network node sequence table.
In this example embodiment, after the dynamic network path planning center successfully verifies the identities of the sending end and the target end, the dynamic network path planning center may send feedback information that passes the verification to the sending end. After receiving the verification passing feedback information of the dynamic network path planning center, the transmitting end can transmit an operation instruction to the dynamic network path planning center, wherein the operation instruction can comprise a control instruction from the transmitting end to the target end. After receiving the operation instruction, the dynamic network path planning center can analyze the instruction content, determine the network node IP and the port through which the operation instruction needs to pass, and determine the network node sequence table according to the network nodes. For example, after determining the network nodes that need to pass through, the network nodes may be marked in a network node resource pool to obtain the position order of the network nodes on the entire network when the current operation instruction is transmitted.
Or in some exemplary embodiments, the sending end may generate a data processing request from the identification information and the operation instruction of the target end, and send the data processing request to the dynamic network path planning center.
In step S14, path planning is performed based on the network node sequence table to obtain a routing table, and a tunnel network is established between the receiving end and the destination end according to the routing table.
In the present exemplary embodiment, when path planning is performed, since the cloud platform network has the characteristics of rapid change and complex topology, and there are multiple path points in sequence during path planning, a new path planning algorithm needs to be designed. Specifically, the target end is used as a starting point, the limit of the sub-network node is calculated in a reverse search mode, and the sub-network node corresponding to the minimum value of the limit is selected to be configured as the next network node; and repeating the calculation mode to complete path planning, and calculating the shortest and the most unobstructed network path of the two or more parties. The calculation formula may include:
$K = \min(g(v), \mathrm{rhs}(v)) + h(v, v_{\mathrm{start}})$
where $g(v)$ is the cost from the current network node $v$ to the end point of the path plan; $\mathrm{rhs}(v)$ is the minimum cost for the end point of the path plan to reach the current network node via its parent node; and $h(v, v_{\mathrm{start}})$ is the minimum cost from the current network node to each communication application without considering the communication sequence, the cost being calculated as the product of the distance, the bandwidth and the inverse loss rate.
The algorithm adopts a reverse search mode, searching for the optimal path from the end point back to the starting point. After the limit $k$ has been calculated for each sub-node $v$, the node with the smallest $k$ is planned as the next network node, i.e. $v = \min(k_1, \dots, k_n)$, and the calculation is then repeated.
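The reverse search of step S14 (and of the path planning module described later), worked through as an added example that is not code from the patent or from China Telecom: a constructed five-node topology, the key value $K = \min(g(v), \mathrm{rhs}(v)) + h(v, v_{\mathrm{start}})$ evaluated for every sub-node, the smallest-K node chosen repeatedly from the target back to the sender, and the same search chained over a network node sequence table. The topology, the reading of the cost product as distance × bandwidth weight × 1/(1 − loss rate), and the use of exact shortest-path costs for h are assumptions.

```python
"""Reverse greedy path planning with K = min(g(v), rhs(v)) + h(v, v_start)."""
import heapq
import math
from typing import Dict, List, Tuple

Link = Tuple[float, float, float]  # (distance, bandwidth_weight, loss_rate)

# Constructed sample topology (assumption, not taken from the patent).
# The n1 route is shorter but its n1-n3 link loses half its packets.
TOPOLOGY: Dict[str, Dict[str, Link]] = {
    "sender": {"n1": (1.5, 1.0, 0.0), "n2": (2.0, 1.0, 0.0)},
    "n1": {"sender": (1.5, 1.0, 0.0), "n3": (1.0, 1.0, 0.5)},
    "n2": {"sender": (2.0, 1.0, 0.0), "n3": (1.0, 1.0, 0.0)},
    "n3": {"n1": (1.0, 1.0, 0.5), "n2": (1.0, 1.0, 0.0), "target": (1.0, 1.0, 0.0)},
    "target": {"n3": (1.0, 1.0, 0.0)},
}


def edge_cost(link: Link) -> float:
    """Cost = distance * bandwidth weight * inverse loss rate (the patent's product).
    Assumption: 'inverse loss rate' is read as 1 / (1 - loss_rate), so a lossy
    link costs more and a link with total loss is unusable."""
    distance, bandwidth_weight, loss_rate = link
    if loss_rate >= 1.0:
        return math.inf
    return distance * bandwidth_weight / (1.0 - loss_rate)


def shortest_costs(topology: Dict[str, Dict[str, Link]], source: str) -> Dict[str, float]:
    """Dijkstra from `source`; serves as the heuristic h(v, v_start) (assumption:
    exact remaining cost, ignoring communication order)."""
    dist = {node: math.inf for node in topology}
    dist[source] = 0.0
    heap = [(0.0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, link in topology[u].items():
            nd = d + edge_cost(link)
            if nd < dist[v]:
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return dist


def plan_segment(topology: Dict[str, Dict[str, Link]], end_point: str,
                 v_start: str) -> Tuple[List[str], float]:
    """Reverse search: start at the planning end point (e.g. the target) and walk
    back to v_start, each time taking the sub-node with the smallest K.
    g(v) is the cost from v to the end point, known only once v has been reached;
    rhs(v) is the cheapest cost via an already-reached parent node."""
    h = shortest_costs(topology, v_start)
    if h[end_point] == math.inf:
        raise ValueError(f"{v_start} is unreachable from {end_point}")
    g = {node: math.inf for node in topology}
    g[end_point] = 0.0
    path = [end_point]
    current = end_point
    while current != v_start:
        best, best_k, best_rhs = None, math.inf, math.inf
        for v in topology[current]:
            if v in path:
                continue  # never revisit a node already on the planned path
            rhs = min(g[u] + edge_cost(link) for u, link in topology[v].items())
            k = min(g[v], rhs) + h[v]
            if k < best_k:
                best, best_k, best_rhs = v, k, rhs
        if best is None:
            raise ValueError(f"dead end at {current}: no sub-node leads to {v_start}")
        g[best] = best_rhs
        path.append(best)
        current = best
    path.reverse()  # forwarding order: v_start ... end_point
    return path, g[v_start]


def plan_route(topology: Dict[str, Dict[str, Link]],
               node_sequence: List[str]) -> Tuple[List[str], float]:
    """Path planning over a network node sequence table: each consecutive pair of
    required nodes is planned in reverse (from the last node back to the first)
    and the segments are joined into one route."""
    route, total = [node_sequence[-1]], 0.0
    for i in range(len(node_sequence) - 1, 0, -1):
        seg, cost = plan_segment(topology, node_sequence[i], node_sequence[i - 1])
        route = seg[:-1] + route  # seg ends at the node the route already starts with
        total += cost
    return route, total


def routing_table(route: List[str]) -> Dict[str, str]:
    """Next-hop entries pushed to the Agents on the planned route."""
    return {hop: nxt for hop, nxt in zip(route, route[1:])}
```

With the constructed costs, the lossless route through n2 wins even though the n1 route is shorter in distance, and forcing n1 into the node sequence table makes the planner pay for that loss.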
In the present exemplary embodiment, a dynamic network isolation method is provided which may be performed on the terminal side. Referring to fig. 3, the dynamic network isolation method may include:
step S31, a data processing request is sent to a dynamic network path planning center; wherein the data processing request includes: a transmitting end identity and a target end identity;
step S32, after receiving feedback from the dynamic network path planning center that identity verification has passed, sending an operation instruction to the dynamic network path planning center, so that the dynamic network path planning center analyzes the operation instruction, carries out path planning based on the analysis result, and constructs a tunnel network between the receiving end and the target end;
and step S33, carrying out data transmission based on the tunnel network.
In this exemplary embodiment, the terminal device of the transmitting end may actively initiate a data processing request to the dynamic network path planning center. The request may include the sender identity of the terminal and the target identity of the communication peer. After receiving the data processing request, the dynamic network path planning center can verify the identities. After verification succeeds, the dynamic network path planning center returns feedback to the sending end that identity verification has passed. After receiving this feedback, the transmitting end can transmit an operation instruction to the dynamic network path planning center; the operation instruction may include control information for the target terminal. The path planning process of the dynamic network path planning center is described in the embodiment above and is not repeated here. After the tunnel network between the receiving end and the target end is established, data transmission can be performed over the tunnel network.
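The sender / planning-center exchange of steps S11 to S14 and S31 to S33, as an added example that is not part of the patent: an in-memory identity storage chain, the two failure feedbacks the text names (identity information file does not exist; an item of verification fails), parsing of the operation instruction into a network node sequence table, and the routing table handed to the tunnel. The Document fields, the port-compliance rule, the node resource pool contents and the use of an HMAC tag as the request's encrypted data string are all assumptions.

```python
"""Sender <-> dynamic network path planning center exchange (steps S11-S14 / S31-S33)."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed identity storage chain: identity -> identity information file (Document).
IDENTITY_CHAIN: Dict[str, Dict] = {
    "app-sender-01": {"did": "did:example:sender01", "service_ports": [8443],
                      "key": b"sender-secret-key", "address": "10.0.1.10"},
    "app-target-07": {"did": "did:example:target07", "service_ports": [443],
                      "key": b"target-secret-key", "address": "10.0.2.7"},
    "app-bad-port": {"did": "did:example:badport", "service_ports": [23],
                     "key": b"bad-secret-key", "address": "10.0.3.3"},
}
COMPLIANT_PORTS = {443, 8443}  # assumption: the only service ports judged compliant

# Constructed network node resource pool: the (IP, port) chain through which a
# target is reached; the last entry is the target's own service endpoint.
NODE_RESOURCE_POOL: Dict[str, List[Tuple[str, int]]] = {
    "app-target-07": [("10.0.1.10", 8443), ("10.0.9.1", 4789), ("10.0.2.7", 443)],
}


def sign_request(sender_id: str, target_id: str, key: bytes) -> str:
    """Sender side: the 'encrypted data string' carried in the data processing request.
    Assumption: an HMAC tag stands in for the DID key material of the Document."""
    msg = f"{sender_id}|{target_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pull_document(identity: str) -> Optional[Dict]:
    """Step S121: pull the identity information file from the chain by identity."""
    return IDENTITY_CHAIN.get(identity)


def verify_identity(request: Dict) -> Tuple[bool, str]:
    """Steps S121-S122 as run by the planning center: pull both Documents, then
    check service ports, the DID and the key-based data string in turn."""
    docs = {}
    for role in ("sender_id", "target_id"):
        doc = pull_document(request[role])
        if doc is None:
            return False, f"identity information file does not exist: {request[role]}"
        docs[role] = doc
    for role, doc in docs.items():
        if not set(doc["service_ports"]) <= COMPLIANT_PORTS:
            return False, f"service port not compliant for {request[role]}"
        if not doc["did"].startswith("did:"):
            return False, f"invalid DID for {request[role]}"
    expected = sign_request(request["sender_id"], request["target_id"], docs["sender_id"]["key"])
    if not hmac.compare_digest(expected, request.get("data_string", "")):
        return False, "data string verification failed"
    return True, "identity verification passed"


def parse_operation_instruction(target_id: str, instruction: Dict) -> List[Tuple[str, int]]:
    """Step S13: derive the network node sequence table (IP, port) the instruction
    must traverse; an instruction aimed at a port the target does not serve is refused."""
    nodes = NODE_RESOURCE_POOL.get(target_id)
    if nodes is None or instruction.get("port") != nodes[-1][1]:
        raise ValueError("operation instruction matches no node in the resource pool")
    return nodes


def build_tunnel(node_sequence: List[Tuple[str, int]]) -> Dict[str, Tuple[str, int]]:
    """Step S14 with path planning reduced to the sequence itself: next-hop routing table."""
    return {f"{ip}:{port}": nxt for (ip, port), nxt in zip(node_sequence, node_sequence[1:])}


def run_exchange(sender_id: str, target_id: str, instruction: Dict, key: bytes) -> Dict:
    """Steps S31-S33 from the sender's side, with the center's replies inline."""
    request = {"sender_id": sender_id, "target_id": target_id,
               "data_string": sign_request(sender_id, target_id, key)}
    ok, feedback = verify_identity(request)                          # S11-S12 / S31
    if not ok:
        return {"status": "rejected", "feedback": feedback}          # no instruction is sent
    sequence = parse_operation_instruction(target_id, instruction)   # S13 / S32
    table = build_tunnel(sequence)                                   # S14
    payload = json.dumps(instruction).encode()                       # S33: data over the tunnel
    return {"status": "ok", "feedback": feedback, "routing_table": table,
            "hops": len(table), "bytes_sent": len(payload)}
```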
In some exemplary embodiments, referring to fig. 2, the data processing request and operation instruction of the sender 202, as well as data such as routing table updates, may all be logged: the gateway device 208 passes the log data through the log server 204 into the database 205. The gateway device 208 may forward the operation instructions for instance operations to the application instance 209. In addition, the resource pool 206 can be managed by the resource management server 207; for example, a plurality of application resources are stored in the resource pool 206, and when the current data processing request of the terminal relates to a certain application, that application can be invoked in the resource pool.
According to the dynamic network isolation method, a dynamic network path planning center is set up, which can be deployed in the cloud, and a decentralized identity DID is generated for each communication application. After a transmitting end initiates a data processing request to the dynamic network path planning center, the identity of the terminal is verified first. By using the blockchain for identity verification, authentication of decentralized identities is realized, the dependence on centralized identity management is removed, and the efficiency and accuracy of identity authentication are improved. After terminal authentication succeeds, the dynamic network path planning center automatically performs path planning, thereby realizing fine-grained network isolation. Path planning adopts a reverse search mode, starting from the end point and searching for the optimal path back toward the start point, and dynamic planning of network paths is realized under the constraints of the IP addresses, ports and communication sequence of the communication. The dynamic network path planning center calculates the network path with the minimum communication cost according to the path planning algorithm and updates the corresponding routing table to connect the network; the two or more communicating parties use Agents to establish a tunnel network. The method of the disclosure realizes automatic construction of a fine-grained isolation network and largely solves the problem of lateral spread of network threats. It effectively addresses the high cost of the traditional static network isolation method for east-west traffic and the insufficient availability and security of identity authentication.
It is noted that the above-described figures are only schematic illustrations of processes involved in a method according to an exemplary embodiment of the invention, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
Further, referring to fig. 4, in this exemplary embodiment, a dynamic network isolation device 40 is further provided, which may be configured in a dynamic network path planning center; the dynamic network isolation device 40 may include: a data processing request receiving module 401, an identity verification module 402, an operation instruction analysis module 403 and a path planning module 404. Wherein,
the data processing request receiving module 401 may be configured to receive a data processing request from a transmitting end; wherein the data processing request includes: a sender identity and a target identity.
The identity verification module 402 may be configured to use a blockchain to perform identity verification on the sender identity and the target identity.
The operation instruction parsing module 403 may be configured to receive an operation instruction of a transmitting end when the identity verification is passed, and parse the operation instruction to obtain a network node sequence table.
The path planning module 404 may be configured to perform path planning based on the network node sequence table to obtain a routing table, and establish a tunnel network between a receiving end and a target end according to the routing table.
In some exemplary embodiments, the identity verification module 402 may be configured to pull the identity information files of the sender and the target from the blockchain according to the sender identity and the target identity, and to perform identity verification using those identity information files; wherein the identity information file includes any one or any combination of: an identity, a decentralized identifier (DID), service port information and key information.
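The verification step above, written out as an added example (this is not the patent's or the applicant's code). The "blockchain" is reduced to an append-only hash chain whose blocks each hold one identity information file with the four fields the text names (identity, DID, service port, key information). As an assumed simplification, the key information commits to a one-time hash chain (S/KEY style) rather than a public key: the agent proves control of its seed by revealing the next preimage, the verifier never learns the seed, and consuming the commitment is recorded by appending an updated file so the same authenticator cannot be replayed. The DIDs, ports and seeds are constructed sample values.

```python
"""Identity verification of a data processing request against a hash-chained ledger.

Added example, not the patent's code. The ledger, DIDs, ports and seeds below are
constructed sample values; the S/KEY-style key_info is an assumed simplification
standing in for the key information a real DID document would carry.
"""
import hashlib
import json


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _canon(obj) -> bytes:
    # canonical JSON so that block hashes are reproducible
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class Ledger:
    """Hash-chained, append-only store of identity information files."""

    def __init__(self):
        self.blocks = []

    def append(self, identity_file):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = {"prev": prev, "file": identity_file}
        self.blocks.append({**body, "hash": _h(_canon(body)).hex()})

    def chain_intact(self):
        prev = "0" * 64
        for b in self.blocks:
            body = {"prev": b["prev"], "file": b["file"]}
            if b["prev"] != prev or _h(_canon(body)).hex() != b["hash"]:
                return False
            prev = b["hash"]
        return True

    def resolve(self, did):
        # the newest file registered under a DID supersedes older ones
        for b in reversed(self.blocks):
            if b["file"]["did"] == did:
                return b["file"]
        return None


def make_identity_file(identity, did, service_port, seed: bytes, chain_len=100):
    # key_info = H^chain_len(seed): the commitment published on the ledger
    tip = seed
    for _ in range(chain_len):
        tip = _h(tip)
    return {"identity": identity, "did": did, "service_port": service_port,
            "key_info": tip.hex(), "remaining": chain_len}


class Agent:
    """The per-node agent holding the seed; each call yields a fresh authenticator."""

    def __init__(self, did, seed: bytes, chain_len=100):
        self.did, self.seed, self.counter = did, seed, chain_len

    def authenticator(self) -> str:
        self.counter -= 1  # reveal H^counter(seed), one step below the published commitment
        v = self.seed
        for _ in range(self.counter):
            v = _h(v)
        return v.hex()


def verify_identity(ledger, did, authenticator_hex):
    """Planning-center side: ledger intact, DID known, authenticator is the preimage
    of the published key_info. On success the consumed commitment is replaced by
    appending an updated file, so the same authenticator cannot be replayed."""
    if not ledger.chain_intact():
        return False, "ledger tampered"
    f = ledger.resolve(did)
    if f is None:
        return False, "unknown DID"
    if f["remaining"] <= 0 or _h(bytes.fromhex(authenticator_hex)).hex() != f["key_info"]:
        return False, "authenticator invalid"
    ledger.append({**f, "key_info": authenticator_hex, "remaining": f["remaining"] - 1})
    return True, "ok"


def verify_request(ledger, request):
    """Check both ends of a data processing request: the sender must authenticate,
    the target must be registered and the requested port must be its service port."""
    ok, why = verify_identity(ledger, request["sender_did"], request["authenticator"])
    if not ok:
        return False, "sender: " + why
    target = ledger.resolve(request["target_did"])
    if target is None:
        return False, "target: unknown DID"
    if target["service_port"] != request["target_port"]:
        return False, "target: service port mismatch"
    return True, "ok"
```

The port check is what makes the later tunnel fine-grained: the planning center only ever opens the service port registered in the target's identity file, and a request naming any other port is refused before path planning starts.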
In some exemplary embodiments, the path planning module 404 may be configured to compute the limit of each candidate sub-network node by reverse search starting from the target end, select the sub-network node whose limit is minimal as the next network node, and repeat this calculation until the path planning is complete.
In some exemplary embodiments, the computing the limit of the sub-network node comprises:
K = min(g(v), rhs(v)) + h(v, v_start)
where g(v) is the cost from the current network node v to the end point of the path plan; rhs(v) is the minimum cost for the end point of the path plan to reach the current network node via its parent node; and h(v, v_start) is the minimum cost from the current network node to each communication application without regard to the communication order.
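The reverse search with the limit K above, written out as an added example (this is not the patent's or the applicant's code). It runs a best-first search from the target end back toward the sender over a constructed sample topology (node names, link costs and the node sequence table are assumed), using g(v) as the settled cost back to the target, rhs(v) as the one-step lookahead through the parent, and h(v, v_start) as the order-free minimum cost to the sender computed by Dijkstra. It goes a step beyond the text by enforcing the node sequence table: the search state carries how many required nodes are still unvisited, so the returned route is the cheapest one that passes the listed nodes in order, and the per-hop routing table the planning center would push to the agents is derived from it.

```python
"""Reverse best-first path planning keyed by K = min(g(v), rhs(v)) + h(v, v_start).

Added example; the topology, link costs and node sequence table used here are
constructed sample data, not values from the patent.
"""
import heapq
from math import inf

# Constructed sample topology: node -> {neighbour: link cost}
TOPOLOGY = {
    "sender": {"fw1": 1, "fw2": 4},
    "fw1":    {"sender": 1, "app1": 2, "db1": 6},
    "fw2":    {"sender": 4, "app1": 1},
    "app1":   {"fw1": 2, "fw2": 1, "db1": 3, "target": 9},
    "db1":    {"fw1": 6, "app1": 3, "target": 1},
    "target": {"db1": 1, "app1": 9},
}


def unconstrained_costs(graph, source):
    """Plain Dijkstra from `source`. Serves as h(v, v_start): the minimum cost
    to the sender when the communication order is ignored."""
    dist = {n: inf for n in graph}
    dist[source] = 0
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, c in graph[u].items():
            if d + c < dist[v]:
                dist[v] = d + c
                heapq.heappush(heap, (dist[v], v))
    return dist


def plan_reverse(graph, start, target, sequence):
    """Plan start -> target visiting the nodes of `sequence` in that order.

    The search runs backwards from the target. A state is (node, remaining),
    where `remaining` is how many required nodes still have to be passed
    (consumed in reverse order). g(s) is the settled cost from the state back
    to the target, rhs(s) the best one-step lookahead via its parent state.
    Returns (cost, forward_path), or (None, []) if no route satisfies the table.
    """
    h = unconstrained_costs(graph, start)
    required = list(sequence)
    goal_state = (target, len(required))
    g, rhs, parent = {}, {goal_state: 0}, {}

    def key(s):
        return min(g.get(s, inf), rhs.get(s, inf)) + h[s[0]]

    heap = [(key(goal_state), goal_state)]
    while heap:
        _, s = heapq.heappop(heap)
        if s in g:            # stale entry: state already settled with a smaller key
            continue
        g[s] = rhs[s]         # settle: the sub-network node with the minimum limit K
        node, remaining = s
        if node == start and remaining == 0:
            path = [node]     # walk parents back to the target to obtain the forward route
            while s != goal_state:
                s = parent[s]
                path.append(s[0])
            return g[(start, 0)], path
        for nbr, cost in graph[node].items():
            # Forward direction is nbr -> node. Stepping onto the next required
            # node (in reverse order) consumes it from the sequence table.
            nxt = remaining
            if remaining > 0 and nbr == required[remaining - 1]:
                nxt = remaining - 1
            t = (nbr, nxt)
            if t in g:
                continue
            cand = g[s] + cost
            if cand < rhs.get(t, inf):
                rhs[t] = cand
                parent[t] = s
                heapq.heappush(heap, (key(t), t))
    return None, []


def routing_table(path):
    """Per-hop next-hop entries the planning center would push to the node agents."""
    return {path[i]: path[i + 1] for i in range(len(path) - 1)}


if __name__ == "__main__":
    cost, path = plan_reverse(TOPOLOGY, "sender", "target", ["fw2"])
    print(cost, path, routing_table(path))
```

With an empty sequence table the search degenerates to a plain reverse Dijkstra; with a table such as ["fw2"] it forces the route through the listed node even though a cheaper unconstrained path exists, which is the "constraints of IP, ports and communication sequence" the description refers to.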
In some exemplary embodiments, the dynamic network isolation device 40 may further include a network node deployment module.
The network node deployment module may be configured to deploy an agent and an identity for each network node.
Further, referring to fig. 5, in this exemplary embodiment, there is further provided a dynamic network isolation device 50, which may be disposed in a terminal device and comprises: a data processing request sending module 501, an operation instruction sending module 502 and a data transmission module 503. Wherein:
The data processing request sending module 501 may be configured to send a data processing request to a dynamic network path planning center; wherein the data processing request includes: a sender identity and a target identity.
The operation instruction sending module 502 may be configured to send an operation instruction to the dynamic network path planning center after the dynamic network path planning center verifies the identity, so that the dynamic network path planning center analyzes the operation instruction, performs path planning based on the analysis result, and constructs the tunnel networks of the receiving end and the target end.
The data transmission module 503 may be configured to perform data transmission based on the tunnel network.
The specific details of each module in the above dynamic network isolation device are described in detail in the corresponding dynamic network isolation method, so that the details are not repeated here.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
In an exemplary embodiment of the present disclosure, a computer system capable of implementing the above method is also provided.
Those skilled in the art will appreciate that the various aspects of the invention may be implemented as a system, method, or program product. Accordingly, aspects of the invention may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.) or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit," "module," or "system."
A terminal device 600 according to this embodiment of the present invention is described below with reference to fig. 6. The terminal device 600 shown in fig. 6 is only an example, and should not impose any limitation on the functions and scope of use of the embodiments of the present invention.
As shown in fig. 6, the terminal device 600 is in the form of a general purpose computing device. Components of computer system 600 may include, but are not limited to: the at least one processing unit 610, the at least one memory unit 620, and a bus 630 that connects the various system components, including the memory unit 620 and the processing unit 610.
Wherein the storage unit stores program code that is executable by the processing unit 610 such that the processing unit 610 performs steps according to various exemplary embodiments of the present invention described in the above-described "exemplary methods" section of the present specification. For example, the processing unit 610 may perform the steps as shown in fig. 1 or fig. 3.
The storage unit 620 may include readable media in the form of volatile storage units, such as Random Access Memory (RAM) 6201 and/or cache memory unit 6202, and may further include Read Only Memory (ROM) 6203.
The storage unit 620 may also include a program/utility 6204 having a set (at least one) of program modules 6205, such program modules 6205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Bus 630 may represent one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit bus, or a local bus using any of a variety of bus architectures.
The computer system 600 may also communicate with one or more external devices 700 (e.g., keyboard, pointing device, bluetooth device, etc.), one or more devices that enable a user to interact with the computer system 600, and/or any devices (e.g., routers, modems, etc.) that enable the computer system 600 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 650. A display unit 640 is also connected through an input/output (I/O) interface 650. Moreover, computer system 600 may also communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet, through network adapter 660. As shown, network adapter 660 communicates with other modules of computer system 600 over bus 630. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with computer system 600, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a terminal device, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium having stored thereon a program product capable of implementing the method described above in the present specification is also provided. In some possible embodiments, the various aspects of the invention may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the invention as described in the "exemplary methods" section of this specification, when said program product is run on the terminal device.
Referring to fig. 7, a program product 100 for implementing the above-described method according to an embodiment of the present invention is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), Erasable Programmable Read-Only Memory (EPROM or flash memory), optical fiber, portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (9)

1. A method of dynamic network isolation, the method comprising:
receiving a data processing request of a transmitting end; wherein the data processing request includes: a transmitting end identity and a target end identity;
carrying out identity verification on the sending end identity and the target end identity by using a blockchain;
when the identity verification is passed, receiving an operation instruction of a transmitting end, and analyzing the operation instruction to obtain a network node sequence table;
path planning is carried out based on the network node sequence table to obtain a routing table, and a tunnel network is established between a receiving end and a target end according to the routing table;
wherein performing path planning based on the network node order table comprises:
calculating the limit of the sub-network node in a reverse search mode by taking the target end as a starting point, and selecting the sub-network node corresponding to the minimum value of the limit to be configured as the next network node; repeating the calculation mode to complete the path planning.
2. The dynamic network isolation method according to claim 1, wherein the performing identity verification on the sender identity and the target identity by using a blockchain includes:
pulling identity information files of a sending end and a target end from the blockchain according to the sending end identity and the target end identity;
performing identity verification by using the identity information files of the sending end and the target end; wherein the identity information file includes any one or any combination of: an identity, a decentralized identifier (DID), service port information and key information.
3. The dynamic network isolation method of claim 1, wherein said calculating the limit of the sub-network node comprises:
K = min(g(v), rhs(v)) + h(v, v_start)
where g(v) is the cost from the current network node v to the end point of the path plan; rhs(v) is the minimum cost for the end point of the path plan to reach the current network node via its parent node; and h(v, v_start) is the minimum cost from the current network node to each communication application without regard to the communication order.
4. The dynamic network isolation method of claim 1, wherein the method further comprises:
deploying an agent and an identity for the network node.
5. A method of dynamic network isolation, the method comprising:
transmitting a data processing request to a dynamic network path planning center; wherein the data processing request includes: a transmitting end identity and a target end identity;
after receiving feedback information from the dynamic network path planning center indicating that the identity verification has passed, sending an operation instruction to the dynamic network path planning center, so that the dynamic network path planning center analyzes the operation instruction, performs path planning based on the analysis result, and constructs tunnel networks of a receiving end and a target end;
carrying out data transmission based on the tunnel network;
the analyzing result comprises obtaining a network node sequence table, and the path planning based on the analyzing result comprises the following steps:
calculating the limit of the sub-network node in a reverse search mode by taking the target end as a starting point, and selecting the sub-network node corresponding to the minimum value of the limit to be configured as the next network node; repeating the calculation mode to complete the path planning.
6. A dynamic network isolation device, the device comprising:
the data processing request receiving module is used for receiving a data processing request of the transmitting end; wherein the data processing request includes: a transmitting end identity and a target end identity;
the identity verification module is used for carrying out identity verification on the sending end identity and the target end identity by using a blockchain;
the operation instruction analysis module is used for receiving the operation instruction of the transmitting end and analyzing the operation instruction to acquire a network node sequence table when the identity verification is passed;
the path planning module is used for carrying out path planning based on the network node sequence table to obtain a routing table, and establishing a tunnel network between a receiving end and a target end according to the routing table;
wherein the path planning module is configured to: calculating the limit of the sub-network node in a reverse search mode by taking the target end as a starting point, and selecting the sub-network node corresponding to the minimum value of the limit to be configured as the next network node; repeating the calculation mode to complete the path planning.
7. A dynamic network isolation device, the device comprising:
the data processing request sending module is used for sending a data processing request to the dynamic network path planning center; wherein the data processing request includes: a transmitting end identity and a target end identity;
the operation instruction sending module is used for sending an operation instruction to the dynamic network path planning center after the dynamic network path planning center passes the identity verification, analyzing the operation instruction by the dynamic network path planning center, planning a path based on an analysis result, and constructing a tunnel network of a receiving end and a target end;
the data transmission module is used for carrying out data transmission based on the tunnel network;
the analysis result comprises a network node sequence table, and the process of path planning based on the analysis result by the operation instruction sending module is configured to: calculating the limit of the sub-network node in a reverse search mode by taking the target end as a starting point, and selecting the sub-network node corresponding to the minimum value of the limit to be configured as the next network node; repeating the calculation mode to complete the path planning.
8. A storage medium having stored thereon a computer program which when executed by a processor implements the dynamic network isolation method according to any of claims 1 to 5.
9. A terminal device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the dynamic network isolation method of any one of claims 1 to 5 via execution of the executable instructions.
CN202111640731.9A 2021-12-29 2021-12-29 Dynamic network isolation method and device, storage medium and terminal equipment Active CN114301690B (en)
Publications (2)

Publication Number Publication Date
CN114301690A (en) 2022-04-08
CN114301690B (en) 2024-02-23

Family

ID=80971556

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant