CN100356722C - Method for safety exchange of application protocol data - Google Patents

Info

Publication number: CN100356722C
Authority: CN (China)
Prior art keywords: data, exchange, application protocol, safety, service
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Expired - Fee Related
Application number: CNB200410009063XA
Other languages: Chinese (zh)
Other versions: CN1571330A (en)
Inventors: 林溯奕, 杜栓柱, 袁峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Institute of Software of CAS
Original Assignee: Institute of Software of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Institute of Software of CAS
Priority to CNB200410009063XA
Publication of CN1571330A
Application granted
Publication of CN100356722C
Current legal status: Expired - Fee Related

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention discloses a method for the secure exchange of application protocol data. The method comprises the following steps: a basic communication link is established between a source terminal and a destination terminal; an application exchange session is generated for the link; data communication between the two terminals is started; a secure exchange gateway judges the security of the data; data that cannot endanger network security is sent directly to the opposite terminal; data that may endanger network security is passed to a security processing module for inspection; if the inspected data is legal, it is sent to the opposite terminal; if the inspected data is not legal, it is modified and then sent to the opposite terminal, or it is directly discarded. The present invention overcomes the limitations of the proxy security processing mechanism and establishes a method for the secure exchange of data for application protocols. Data, files, e-mails, etc. transmitted by high-level application protocols that use the TCP/UDP communication protocols are securely controlled and processed, their contents are filtered, and the problem of the content security of application protocol data transmission in a data exchange network is solved.

Description

Method for secure exchange of application protocol data
Technical field:
The present invention relates to a data security exchange method, and in particular to a method for securely exchanging the data transmitted by high-level application protocols in a network, especially by high-level application protocols running over the TCP/UDP protocols of the TCP/IP protocol suite.
Background technology:
With the popularization of computers and the rapid development of the Internet, the various security problems on the Internet are growing more serious; in particular, the wide-scale spread of viruses such as attack programs and worms endangers computer systems and network security. Moreover, all kinds of spam and illegal information exploit the design deficiencies of high-level application protocols such as HTTP and SMTP in the Internet to roam everywhere in the network. According to statistics, more than 55% of the mail currently transmitted over domestic networks is spam, and more than 95% of viruses worldwide now propagate through web servers or security vulnerabilities. This not only seriously affects network performance and wastes a large amount of computer network resources, but also brings great inconvenience and safety problems to computer users.
At present, the known methods for handling these common problems of illegal or harmful content transmission in networks are:
1. Set up a security gateway between the internal and external networks of a computer network and filter the data flowing through the gateway.
2. Run proxy software for the application protocol in the gateway, as an application proxy or a transparent proxy; scan the data passing through the proxied protocol for viruses or spam, and remove or delete the spam, viruses and rogue programs transmitted in the network.
3. Some network service providers develop customized security systems for their own network service systems and provide a security filtering service for their own network environment.
As shown in Fig. 1, the user connects to the public network through a gateway, and the public network in turn connects to the web server through a gateway. If the transmitted data is to be handled securely, it is sufficient to set up the relevant processing at the gateway: during data transmission the data is first inspected, and only then is it exchanged with the peer through the public network.
The above way of processing network data is the proxy security filtering and processing method, which on a TCP/IP network can be summarized as the proxy security model. It can solve the encountered web content handling problems to a certain extent, but when dealing with the viruses, illegal information and spam transmitted everywhere in the network it has the following deficiencies:
As shown in Fig. 2, a proxy server sits between the originating end and the destination end. The proxy server comprises a proxy service end 224 directly connected to the originating end 157, a proxy client 225 directly connected to the destination end 168, and a security check module 212. When the originating end 157 communicates with the destination end 224, the data is first sent to the security check module 212; after the security inspection, the data is discarded or sent to the peer. The dotted and solid lines in the figure are the data flow from the originating end to the destination end and the data flow from the destination end to the originating end, respectively. The proxy mechanism must fully parse the communication request of the originating end part 157 at its proxy service end in order to filter the data, files, mail, etc. within it, but network protocols generally have considerable freedom; for example, there are very many patterns of user authentication in mail user communication. Moreover, the proxy approach is generally limited to implementing a subset of the common protocol, such as a subset of the SMTP protocol, and cannot provide a proxy mechanism that fully adapts to the protocol and its extensions and variations.
Because the proxy mechanism cannot provide transparency to the final access service part 168, it generally cannot be placed in front of commonly used web servers (or server groups). This is because a common web server such as a mail server needs to reverse-resolve the visitor's domain name in order to verify security and block mail, whereas the proxy client 225 can only present a single access address to the final access service. In the TCP/IP protocol suite this manifests itself as the proxy service using its own network address, 159.226.5.10 in Fig. 2, to visit the final service provider 168. The web server therefore cannot reverse-resolve the visitor's domain name, and the corresponding security settings are also restricted.
The proxy security mechanism is implemented by establishing two unconnected data links. As shown in Fig. 2, during communication two links are first set up: from the originating end 157 to the proxy service end 224, and from the proxy client to the destination end 168. The two links are completely isolated, and this proxy security mechanism largely degrades the interaction performance of the network application protocol.
Summary of the invention:
In view of the problems and shortcomings of the existing full-proxy data processing described above, the object of the present invention is to provide a method for the secure exchange of application protocol data in which only the data that relates to network security is filtered within the application protocol.
The present invention is achieved as follows: a method for the secure exchange of application protocol data comprises the following steps:
Establish a basic communication link between the source end and the destination end, generate an application exchange session for this link, and start data communication between the two ends;
The secure exchange gateway judges the security of the data. The secure exchange gateway comprises a service end, an application exchange session module and a security processing module, where the service end is used to judge the security of the data and to communicate data with the source end and the destination end; the application exchange session module is used to generate the session states of the data exchange, which comprise basic connection wait, request wait, data receiving, data sending, data exchange and connection closed; and the secure exchange gateway sends data that does not relate to the destruction of network security directly to the peer of the data's originating end;
The security processing module inspects the data that the service end of the secure exchange gateway considers unsafe. If after inspection the data is legal, it is sent to the peer of the data's originating end; if it is illegal, it is modified and then sent to the peer of the data's originating end, or the data is directly discarded.
Further, while the data that may relate to the destruction of network security is being processed, the link interface is checked periodically; if no data packet from the data's originating end is received within the timeout, an empty packet is sent to the peer of the data's originating end.
Further, the data that does not relate to the destruction of network security is specifically the data of the protocol transmission itself, and the pictures, video files, data streams, etc. transmitted within the application protocol.
Further, the data that may relate to the destruction of network security is specifically documents containing macros, programs, mail, compressed documents, etc.
Further, the application protocol refers to the communication protocols of the various applications in the data network, especially the high-level application protocols over TCP/UDP in the TCP/IP protocol suite.
Further, the high-level application protocols are specifically the POP3, SMTP and HTTP protocols.
The present invention overcomes the limitations of the proxy security processing mechanism and creates a data security exchange method for application protocols. It performs security control, security processing and information filtering on the data, files, mail, etc. transmitted by the family of communication protocols in the network, particularly by the high-level application protocols that use the TCP/UDP communication protocols, in order to solve the content security problem of application protocol data transmission in data exchange networks. The present invention transfers data that does not relate to network security directly to the peer: that is, the proxy server located between the originating end and the destination end only provides a channel for data that cannot relate to network security and performs no processing on it; only the data that can relate to network security is inspected and processed accordingly. This speeds up the transmission of network data, reduces the response time of communication links or service connections, and greatly improves bandwidth.
The present invention can be applied to the various communication devices with computing capability in a data network, including equipment such as network access servers, gateways, bridges and switches. The universal network isolation established by the present invention covers applications such as front-end secure isolation processing for gateways (anti-virus, anti-hacker), servers and server groups; it is suitable for the fully isolated internal/external networks of higher security requirements and for the isolation and security processing between segments of a data exchange network, and can be widely used in small and medium-sized enterprises, government, banks, public security, the military and telecom facilities, and in the content security construction of various government and local network portals.
Description of drawings:
The present invention is described in detail below in conjunction with the accompanying drawings.
Fig. 1 is a schematic diagram of commonly used data exchange;
Fig. 2 is a schematic diagram of an existing security detection data transmission structure;
Fig. 3 is a schematic diagram of the security detection data transmission structure of the present invention;
Fig. 4 is a schematic diagram of the secure session processing flow of the HTTP application protocol secure exchange of the present invention;
Fig. 5 is a schematic diagram of the secure session processing flow of the POP3 application protocol secure exchange of the present invention.
Embodiment:
As shown in Fig. 3, the present invention sets up a corresponding secure exchange gateway between the user 157 and the server end 168. This secure exchange gateway comprises an exchange service end 324 that exchanges data with the user 157, a security processing module 312, an exchange client 325 that exchanges data with the server end 168, and an application exchange session module 301, where the application exchange session module 301 generates the various data exchange sessions used for communication. The secure exchange gateway of the present invention first judges whether the data can endanger network security: data that has no influence on network security is transmitted directly over the link, while data that may endanger network security is first sent to the security processing module 312 and transmitted over the link only after processing. The dotted and solid lines in the figure are the data flow from the originating end to the destination end and the data flow from the destination end to the originating end, respectively.
The application exchange session module 301 of the present invention comprises the exchange service end link state set that communicates with the originating end, the exchange client link state set that communicates with the destination end, and the other data exchange states. The exchange service end link state set comprises:
Service connection wait state: used to wait for the exchange session service link to be established; the state changes when the link becomes available or the session encounters an error;
Service request wait state: used to wait for the originating end part 157 to send data, generally the service request of the application protocol; the state changes when data becomes available or the session encounters an error;
Service data receiving state: used to receive the data sent by the originating end part 157 and buffer it in memory or in a file for security processing; the state changes when the data has been completely received or the session encounters an error;
Service local send state: used to send the data buffered in memory or in a file to the originating end part 157, generally data or files that have completed security processing and meet the security requirements; the state changes when the data has been completely sent or the session encounters an error;
Service data exchange state: used to exchange the data received from the exchange service link directly to the exchange client link; the state changes when the direct exchange finishes or the session encounters an error;
Service connection closed state: when there is still unsent data on the exchange service link, wait for the data to be sent, then close the exchange service link and release the exchange service end resources of the secure exchange session; this state is generally the final state in the life cycle of an application protocol secure exchange session.
The exchange client link state set comprises:
Client connection wait state: used to wait for the exchange session client link to be established; the state changes when the link has been established and is available or the session encounters an error;
Client feedback wait state: used to wait for the destination end part 168 to send data, generally the service feedback data of the application protocol; the state changes when data becomes available or the session encounters an error;
Client data receiving state: used to receive the data sent by the destination end part 168 and buffer it in memory or in a file for security processing; the state changes when the data has been completely received or the session encounters an error;
Client local send state: used to send the data buffered in memory or in a file to the destination end part 168, generally data or files that have completed security processing and meet the security requirements; the state changes when the data has been completely sent or the session encounters an error;
Client data exchange state: used to exchange the data received from the exchange client link directly to the exchange service link; the state changes when the direct exchange finishes or the session encounters an error;
Client connection closed state: when there is still unsent data on the exchange client link, wait for the data to be completely sent, then close the exchange client link and release the exchange client resources of the secure exchange session.
The other data exchange states comprise:
Full data exchange state: when data is received on the exchange service link, the data received from the exchange service link is exchanged directly to the exchange client link and sent to the destination end part; when data is received on the exchange client link, the data received from the exchange client link is exchanged directly to the exchange service link and sent to the originating end part;
Scan connection wait state: used to establish the connection to the security processing module 312; the state changes when the service connection becomes available or encounters an error;
Scan feedback wait state: used to wait for the security processing module 312 to return the security processing feedback data, generally the reply to a data exchange processing request; the state changes when the reply data becomes available or the session encounters an error;
Scan data receiving state: used to receive the processed data or file sent back by the security processing module 312 and buffer it in memory or in a file; the state changes when the data has been completely received or the session encounters an error;
Scan local send state: used to send the data or file that needs processing by the security processing module 312 to the security processing service connection for security processing; the state changes when the data has been completely sent or the session encounters an error;
Scan connection closed state: after waiting for the security processing service request to end, close the security processing service connection and release the resources used by the security processing link.
The present invention establishes an application-protocol-based data exchange security system in the exchange network. For each high-level communication link or connection produced in the data exchange network it generates a protocol secure exchange session, and the session is responsible for handling the data, files, mail, etc. transmitted on this link or connection and completing the data transmission. The present invention is described in detail below with the example of two high-level application protocol secure exchange sessions, for the HTTP protocol and the POP3 protocol, implemented on a Linux system. To simplify the description of the HTTP protocol steps, only the implementation of the HTTP GET method is illustrated. This embodiment can be widely applied to the application protocol secure exchange of various high-level application protocols, such as the common protocols SMTP, IMAP and FTP and private high-level application protocols on the network.
The present invention describes its specific implementation steps using the secure exchange sessions of the two high-level application protocols HTTP and POP3, implemented on the secure exchange gateway, as an example.
As shown in Figs. 3 and 4, according to the HTTP protocol standard, HTTP requests can be divided into request types such as GET, PUT and POST. The implementation steps of the secure exchange session for the HTTP GET method are described in detail below.
Step 603 of the present invention first completes the initialization of the HTTP application exchange session (hereinafter referred to as the session), comprising the following steps:
1. Receive the HTTP connection request from the originating end 157 of the link and initialize the exchange service end 324 of the session;
2. Obtain the IP address and TCP request port number of the originating end 157;
3. Call the control interface of the secure exchange gateway to obtain the IP address of the destination end 168 that the originating end 157 wishes to connect to and the port number of the HTTP service;
4. Initialize the exchange client 325 of the session and bind an available local IP address and an available system TCP port number;
5. Call the control interface of the secure exchange gateway, providing the IP address and TCP port number bound by the exchange client in step 4, the originating end IP address and TCP port number obtained in step 2, and the destination end IP address and HTTP service port number obtained in step 3, to set up the masquerading of the exchange client link.
After the session has been established and successfully initialized, it enters the service request wait state 412 and waits for the originating end 157 to send HTTP service request data. When data is available, step 606 parses and pre-processes the HTTP request, with the following specific steps:
1. Obtain the current HTTP request header content, allocate memory and store it temporarily in the session structure;
2. Obtain the HTTP request method and the requested HTTP service URL path from the HTTP request header;
3. Start the exchange client 325 to connect to the destination end. Because step 5 of the above 601 has already set up the communication channel, the exchange client 324 communicates with the peer using the IP address and TCP request port number of the originating end 157.
After the connection of the exchange client end has been started, the session changes to the client connection wait state 421 and waits for the connection to the destination end 168, the HTTP service provider, to be established. After the connection has been successfully established, the HTTP request stored temporarily in the session is forwarded to the HTTP service of the destination end, and the session changes to the client feedback wait state 422 to wait for the data feedback of the destination end HTTP service. After the HTTP service feedback data arrives, step 610 is entered to process the HTTP request feedback of the destination end, with the following specific steps:
1. If the request returns a failure, enter the client data exchange state 425;
2. If the request succeeds and contains no updated HTTP file data, enter the client data exchange state 425;
3. If the request succeeds and the HTTP file data meets the security requirements of the security processing policy and can be passed directly to the originating end 157, change to the client data exchange state 425;
4. If the request succeeds and there is available HTTP file data that needs security processing, cache the HTTP request feedback header in the session structure, open or create the HTTP buffer file, and let the session enter the client data receiving state 423.
The client data exchange state 425 is used to send the HTTP feedback header and HTTP file data returned by the HTTP service, by direct exchange through the exchange service end 324, to the HTTP request initiating end, the originating end part 157; after finishing, the session enters the client connection closed state 426.
The client data receiving state 423 is used to wait for and receive the HTTP file data sent by the destination end HTTP service. When data is present, step 618 is entered to complete the local buffering of the HTTP file data, with the following specific implementation steps:
1. Determine the current data save position of the current buffer file according to the session state;
2. Save the currently received data to the buffer file and increase the count of the buffered data size.
After the received HTTP file data has been stored in the buffer file, decision step 620 determines whether the data has finished buffering; if it has finished, the session enters step 620 and performs the security processing of the HTTP data file.
Step 628 processes the HTTP data file after step 624 has called the scanning service; this includes recording errors during scanning and recording the scan result. When the HTTP data file does not meet the security processing requirements, the session enters the client connection closed state 426 after the following processing:
1. Generate an HTTP request feedback header according to the result that does not meet the system security processing requirements or the result of a scan processing error. The feedback header generally returns an HTTP error message of a type such as access forbidden or authorization failure; the feedback header can also be filled in as a redirection to a security warning web page that the system provides for the aforementioned processing;
2. Send the generated HTTP request feedback header through the exchange service end 324 to the HTTP request initiating end, the originating end part 157.
After the HTTP data file has successfully passed the scan processing of step 624, if the data was modified during security processing, for example because a virus was removed by step 624, the HTTP service feedback header is amended according to the modification result, changing the fields in it to fit the modified data file. The secure exchange session then sends the HTTP service feedback header to the HTTP request initiating end through the exchange service link, enters the service local send state 414, and sends the HTTP data file after security processing.
Step 632 determines whether the current data file has been completely sent. If it has finished, enter the client connection closed state 426 and begin closing and deleting the session; if it has not finished, enter the service local send state 414 and continue sending the HTTP data file.
The client connection closed state 426 is used to close the exchange client link and release the resources occupied by the exchange client 325. The service connection closed state 416 waits until the data on the exchange service link has been completely sent, then closes the exchange service link and releases the resources occupied by the exchange service end 324.
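The HTTP GET flow above (steps 606, 610, 618/620, 624/628 and the post-scan header amendment), reduced to its decision logic as an added Python illustration; this is not the patent's Linux implementation. The content-type pass-through policy, the demo scanner, the marker string and the 403 error text are assumptions constructed for the example.

```python
"""HTTP GET secure-exchange session: request parsing, feedback decision, buffering and
post-scan header rebuilding.  Added illustration in Python; not the patent's Linux code.
The content-type policy, the demo scanner and the error text are constructed."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Assumption: media types treated as "not related to network security" (pictures,
# video) and therefore exchanged directly; everything else is buffered and scanned.
DIRECT_EXCHANGE_TYPES = ("image/", "video/")
MARKER = b"<<CONSTRUCTED-MARKER>>"                # constructed stand-in for a malicious pattern
Scanner = Callable[[bytes], Tuple[bool, bytes]]   # returns (is_legal, possibly-modified data)


def parse_request_header(raw: bytes) -> Tuple[str, str]:
    """Step 606 items 1-2: read the request line and return (method, URL path)."""
    parts = raw.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed HTTP request line")
    return parts[0], parts[1]


@dataclass
class Feedback:
    """HTTP feedback (response) header cached in the session structure (step 610 case 4)."""
    status_line: str
    status: int
    fields: List[Tuple[str, str]]

    def get(self, name: str, default: str = "") -> str:
        return next((v for k, v in self.fields if k.lower() == name.lower()), default)

    def set(self, name: str, value: str) -> None:
        self.fields = [(k, v) for k, v in self.fields if k.lower() != name.lower()]
        self.fields.append((name, value))

    def encode(self) -> bytes:
        lines = [self.status_line] + [f"{k}: {v}" for k, v in self.fields]
        return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_feedback(raw: bytes) -> Tuple[Feedback, bytes]:
    """Split the destination end's feedback into a header object and the body seen so far."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    fields = [(n.strip(), v.strip()) for n, _, v in (ln.partition(":") for ln in lines[1:])]
    return Feedback(lines[0], int(lines[0].split(" ")[1]), fields), body


def decide_feedback(fb: Feedback) -> str:
    """Step 610: EXCHANGE (cases 1-3, state 425) or BUFFER (case 4, state 423)."""
    if fb.status >= 400:                               # case 1: request failed
        return "EXCHANGE"
    if fb.status == 304 or int(fb.get("Content-Length", "0")) == 0:
        return "EXCHANGE"                              # case 2: no updated file data
    if fb.get("Content-Type").startswith(DIRECT_EXCHANGE_TYPES):
        return "EXCHANGE"                              # case 3: policy allows pass-through
    return "BUFFER"                                    # case 4: needs security processing


@dataclass
class HttpSession:
    """Client data receiving state 423: buffer the file data until step 620 says done."""
    feedback: Feedback
    expected: int
    buffer: bytearray = field(default_factory=bytearray)

    def receive(self, chunk: bytes) -> bool:
        self.buffer += chunk                            # step 618: save data, grow the count
        return len(self.buffer) >= self.expected        # step 620: buffering finished?

    def finish(self, scan: Scanner) -> bytes:
        """Steps 624/628: scan; then build the header and data the originator receives."""
        legal, data = scan(bytes(self.buffer))
        if not legal:                                   # does not meet the requirements
            msg = b"blocked by secure exchange gateway"  # constructed error text
            fb = Feedback("HTTP/1.0 403 Forbidden", 403,
                          [("Content-Type", "text/plain"), ("Content-Length", str(len(msg)))])
            return fb.encode() + msg
        if data != bytes(self.buffer):                  # modified (e.g. virus removed):
            self.feedback.set("Content-Length", str(len(data)))   # fix the length field
        return self.feedback.encode() + data


def demo_scanner(data: bytes) -> Tuple[bool, bytes]:
    """Constructed scan service: remove MARKER as 'disinfection', reject if uncleanable."""
    if data.startswith(b"UNCLEANABLE"):
        return False, data
    return True, data.replace(MARKER, b"")


def exchange(request: bytes, feedback_raw: bytes, scan: Scanner = demo_scanner) -> bytes:
    """Run one GET session on captured input; returns the bytes sent to the originator."""
    parse_request_header(request)                       # step 606 (validates the request)
    fb, body = parse_feedback(feedback_raw)
    if decide_feedback(fb) == "EXCHANGE":
        return feedback_raw                             # state 425: untouched pass-through
    session = HttpSession(fb, int(fb.get("Content-Length", "0")))
    session.receive(body)                               # one chunk here; loop on a socket
    return session.finish(scan)
```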
POP3 protocol processes process of the present invention will be described below.
According to the POP3 protocol specification, the reception of mail is finished in the POP3 session by request end and the session of service end process question and answer mode.Shown in Fig. 3,5, step 703 is finished the initialization of POP3 secure exchange session (hereinafter to be referred as session), may further comprise the steps:
1, receives the POP3 connection request of link originating end 157, the Exchange Service end 324 of initialize session;
2, obtain IP address, the TCP request end slogan of originating end 157;
3, call the keyholed back plate interface of secure exchange gateway, obtain originating end 157 and wish the IP address of purpose of connecting ground end 168 and the port numbers of POP3 service;
4, the exchange client 325 of initialize session, and bind local IP available address and system can use tcp port number;
5, call the keyholed back plate interface of secure exchange gateway, step 4 exchange IP address, tcp port number that client is bound are provided, the port numbers of the end IP address, destination that originating end IP address, tcp port number that step 2 is obtained, step 3 obtain, HTTP service is set up the exchange client and is pretended link.
Session enters step 705 after setting up also initialization success, and its concrete steps are:
1, starts exchange client 325 and connect the destination ends, serve with POP3 with IP address, the TCP request end slogan of originating end 157 according to the exchange guest room end 325 of the step 5 in the above-mentioned steps 701 and carry out communication;
2, change the client over to and connect wait state 421.
After the successful connection of exchange client link, session enters customer data swap status 425, wait for that destination end 168 is that the POP3 ISP sends POP3 greeting data, data enter customer data swap status 425 after arriving, and it is the POP3 service requester that POP3 service greeting data are switched directly to originating end parts 157.At this moment, the exchange link of finishing has been set up in session, enter service request wait state 412, wait for that the POP3 service requester sends the POP3 order, after receiving the POP3 order, if its command format is legal, then session changes service data swap status 415 over to, and it is the ISP that the POP3 order data is switched directly to destination end pieces 168.
After the direct exchange of POP3 request command was finished, determining step 712 determined whether the current commands belong to mail data querying commands such as RETR/HEAD, was then to begin the mail buffering to handle for safe handling module 312; Determining step 714 determines whether the current command belongs to POP3 service the finish commands such as QUIT, is then to enter the client through step 715 to feed back wait state 422, begins to prepare the termination of security exchange session.
The current command does not belong to when finishing service, enter the client through step 716 and feed back wait state 422, the client feeds back wait state 422 wait POP3 ISPs and feeds back the POP3 command processing result at this moment, when result data arrives, change customer data swap status 425 over to, form the circulation of session basic handling.
The visitor produces data receiving state 423 and waits for that the POP3 service sends mail data, but the mail data time spent enters its concrete steps of step 718. is:
1, current when not opening buffer culture, create mail buffered data file;
2, exchange the mail data that link receives from the client, search the mail end mark, to determine whether that can finish current buffering receives;
3, preserve the current effective mail data that receives to buffer culture.
Determining step 720 determines whether current mail finishes receiving, and is that then session enters step 724, carries out the security sweep of POP3 mail data; Step 728 is handled the POP3 mail data after step 724 is called the processing of mail scan service, and the mistake when it comprises scanning is carried out record, and the result who scans is carried out record.When gross error appears in data, enter client's connection closed state 426, with the termination of security exchange session; If data do not have mistake or do not have mistake after treatment, enter the local transmit status 414 of service, begin to send the mail after the safe handling, determining step 732 is used for determining whether mail data is sent completely fully, otherwise continues to enter the local transmit status 414 of service; Be that then session changes client's connection closed state 426 over to, wait for that the POP3 service requester sends next POP3 request command.Client's connection closed state 426 is used for waiting special exchange client link data to transmit, and transmits the exchange client link of closing the session of POP3 secure exchange after finishing, and discharges exchange client 325 and take resource.And after entering service connection closed state 416 and waiting for that data integrity on the Exchange Service links is sent completely, close the Exchange Service link, and discharge Exchange Service end 324 and take resource.
At this point the processing of one POP3 secure exchange session is essentially finished. The session enters step 738, which performs exchange session termination and release processing, such as releasing the buffer space and memory resources used by the session.
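The mail buffering of step 718 and the hand-off to the scan of steps 720 to 728, written out as an added example that is not the patent's code. It assumes the mail end marker is the POP3 multi-line terminator CRLF '.' CRLF of RFC 1939, that the server dot-stuffs lines beginning with '.', that the buffered stream starts with the "+OK" status line, and it uses a constructed filename-based stand-in for the mail scan service.

```python
# Added example (not the patent's code) of step 718: mail data from the POP3
# service is buffered until the mail end mark is found, and only the complete
# mail is scanned (steps 720/724) before it is forwarded (state 414) or the
# session is closed (state 426).  Assumed: the end mark is the POP3 multi-line
# terminator CRLF '.' CRLF (RFC 1939), the server dot-stuffs lines that start
# with '.', and the buffered stream begins with the "+OK" status line.
END_MARK = b"\r\n.\r\n"

class MailBuffer:
    """Client data receiving state 423: accumulate until the end mark."""
    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk):
        """Append one link chunk; return the un-stuffed mail once complete."""
        self._buf += chunk
        # Search the whole buffer, not only this chunk: the five-byte end
        # mark may straddle two TCP segments.
        end = self._buf.find(END_MARK)
        if end < 0:
            return None  # still receiving: stay in step 718
        status_end = self._buf.find(b"\r\n") + 2  # skip the "+OK ..." line
        raw = bytes(self._buf[status_end:end + 2])
        # Undo dot-stuffing so the scanner sees the mail as the client would.
        return b"\r\n".join(l[1:] if l.startswith(b".") else l
                            for l in raw.split(b"\r\n"))

# Constructed stand-in for the mail scan service of step 724: claim 4 names
# macro documents, programs and compressed documents as risky data, and this
# toy spots them only by declared filename, which a real scanner must not trust.
RISKY_SUFFIXES = (b".docm", b".xlsm", b".exe", b".zip", b".rar")

def scan_mail(mail):
    """Return 'forward' (state 414) or 'close' (state 426 after step 728)."""
    for line in mail.lower().split(b"\r\n"):
        if line.startswith(b"content-") and b"filename=" in line:
            name = line.split(b"filename=", 1)[1].strip(b'"; ')
            if name.endswith(RISKY_SUFFIXES):
                return "close"
    return "forward"

def gateway_receive(chunks, scan=scan_mail):
    """Feed link chunks through the buffer; nothing leaves before the scan."""
    buf = MailBuffer()
    for chunk in chunks:
        mail = buf.feed(chunk)
        if mail is not None:
            verdict = scan(mail)
            return verdict, (mail if verdict == "forward" else None)
    return "receiving", None  # link ended before the end mark was seen
```

Because the search runs over the accumulated buffer, an end mark split as `...\r` / `\n.\r\n` across two chunks is still found, and no partial mail reaches the client before the scan verdict.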

Claims (7)

1. A method for secure exchange of application protocol data, characterized in that it comprises the following steps:
Establishing a basic communication link between the source end and the destination end, generating an application exchange session for this link, and starting data communication between the two ends;
The secure exchange gateway judges the security of the data. The secure exchange gateway comprises a service end, an application exchange session module and a security processing module, wherein the service end judges the security of the data and carries out data communication with the source end and the destination end; the application exchange session module generates the session states of the data exchange, which comprise basic connection wait, request wait, data receiving, data sending, data exchange and connection closed; data that does not involve compromising network security is sent by the secure exchange gateway directly to the end opposite the data's originating end;
The security processing module inspects the data that the service end of the secure exchange gateway considers unsafe. If the inspected data is legal, it is sent to the end opposite the data's originating end; if it is illegal, it is modified and then re-sent to the end opposite the data's originating end, or discarded directly.
2. The method for secure exchange of application protocol data according to claim 1, characterized in that, while the security processing module is processing said data that may involve compromising network security, the link interface is checked periodically; if no data packet from the data's originating end is received within the timeout, an empty data packet is sent to the end opposite the data's originating end.
3. The method for secure exchange of application protocol data according to claim 1, characterized in that said data that does not involve compromising network security is specifically the data of the protocol transmission itself, and the pictures, video files or data streams transmitted in the application protocol.
4. The method for secure exchange of application protocol data according to claim 1, characterized in that said data that may involve compromising network security is specifically documents containing macros, programs, mail, and compressed documents.
5. The method for secure exchange of application protocol data according to any one of claims 1 to 4, characterized in that said application protocol refers to the communication protocols of the various applications in the data network.
6. The method for secure exchange of application protocol data according to claim 5, characterized in that said communication protocol is a high-level application protocol above TCP/UDP in the TCP/IP protocol suite.
7. The method for secure exchange of application protocol data according to claim 6, characterized in that said high-level application protocol is specifically the POP3, SMTP or HTTP protocol.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB200410009063XA CN100356722C (en) 2004-04-30 2004-04-30 Method for safety exchange of application protocol data

Publications (2)

Publication Number Publication Date
CN1571330A CN1571330A (en) 2005-01-26
CN100356722C true CN100356722C (en) 2007-12-19

Family

ID=34477792

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20071219

Termination date: 20130430