CN100414889C - Intermediate system used for distinguishing and tracing user - Google Patents

Intermediate system used for distinguishing and tracing user

Info

Publication number: CN100414889C
Authority: CN (China)
Prior art keywords: sid, user, pid, ckie, ips
Legal status: Expired - Fee Related
Application number: CNB2005101210864A
Other languages: Chinese (zh)
Other versions: CN1794656A (en)
Inventor: 余顺争
Current assignee: Sun Yat Sen University (National Sun Yat Sen University)
Original assignee: National Sun Yat Sen University
Application filed by National Sun Yat Sen University; priority to CNB2005101210864A; published as CN1794656A; application granted; published as CN100414889C; current status Expired - Fee Related.

Abstract

The present invention provides a technology for differentiating and tracking users quickly and securely, suitable for an intermediate system. It comprises a user differentiation method based on combining a long-term identifier with a short-term state; a method for carrying and recording the long-term identifier and the short-term state; a method for managing and reusing the memory used to record states; a user activation method; the principles by which the system is realized; and the associated security measures. The invention is suited to building a security defense system or a classification control system in front of a protected Web server. The fast and secure user differentiation technique it provides further allows each user's behavior to be tracked and analyzed, so that differentiated service, rate control, filtering and the like can be realized.

Description

An intermediate system for distinguishing and tracking users
Technical field
The invention belongs to the field of network security technology and in particular relates to a technique for distinguishing and tracking users who visit a protected Web site. With this technique a network security system can apply differentiated control to users' access behavior.
Technical background
The traditional way to classify the data flows arriving at a Web server is to distinguish them by fields in the packet such as source IP address, port number and protocol. Such a method cannot tell apart users behind a firewall, proxy server or network address translator (NAT). The common methods for tracking user session state use cookies, application-layer dynamic pages, browser plug-ins and the like; these pass through firewalls, proxies and address translators, can obtain some information sent by the client, and can deliver required information to the client. But all of these are so-called stateless tracking modes: the user's session state information is handed to the client for keeping, the server keeps none of it, and the server expects the state to be brought back in the requests the client sends. Obviously, from a security standpoint, stateless tracking is hard to defend against replay attacks, because the system cannot distinguish a request replayed by an attacker from a request sent by a user after a long pause. In addition, these session-state tracking mechanisms provide no security function of their own, that is, they cannot prevent an attacker from forging or replaying legitimate session packets. For example, a cookie needs an appended signature to prevent forgery and rapid renewal to prevent replay; but rapid renewal makes the cookie age quickly, which is unfavorable for recording long browsing behavior with idle periods.
With stateful tracking, in which the server end keeps the user's session state, the server can easily discover replayed or forged request packets. But a serious problem for stateful tracking is how to hold state information for an unbounded number of users in a bounded memory space; the records must also support fast lookup and fast operations.
Existing techniques for distinguishing users and tracking session state therefore still have problems of security and efficiency. Moreover, these techniques mainly solve the problem of a server tracking the session state of its visitors; they are not suited to adoption on intermediate systems such as intrusion detection and intrusion prevention systems.
For this reason, the present invention proposes an intermediate-system technique for distinguishing and tracking users quickly and securely. One of its basic ideas is to combine the characteristics of stateless and stateful tracking: session state is kept by the client and the server end at the same time, and at the server end the space occupied by the session-state record that has been inactive for the longest time is reassigned to a new session. Thus the server end keeps the state of users whose sessions are in progress, while the client keeps the final state of its current session when that session ends. Consequently, if an attacker replays request packets of a session that is still in progress, the session state kept at the server end easily distinguishes them; if the replayed packets belong to a session that has already ended, no state for them can be found in the system, so they can be distinguished too. Of the replayed packets from an ended session, only the first may be mistaken by the system for an old user beginning a new session after a long pause; the remaining replayed packets are filtered by the system and have no effect on it.
Another basic idea of the present invention is to use a unique and permanent identifier of the user together with a temporary identifier of one of that user's sessions. The purpose is to assign each user who has ever visited a unique and permanent identifier, so that all users, including those inside an intranet, can be distinguished. This lets the system know which users are frequent visitors with normal behavior and which are unfamiliar or even harmful. But because the number of users is huge, this permanent identifier is unsuitable as a direct index into the user-state records. The invention therefore also assigns a locally unique temporary identifier to each session in progress and uses it as the index for operations on that session's record. This achieves fast user differentiation, fast indexing of session records and efficient management of memory space. The identifier of a session that has ended can be reused for another newly begun session. Because the session identifier is temporary, it must be used together with the permanent identifier; otherwise, when a user ends a session and begins a new one much later, that user would be confused with other users whose sessions are in progress. A further benefit of the combination is that the binding between the two identifiers keeps changing, which to some extent prevents forgery and replay.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art by providing a technique, suitable for adoption by an intermediate system, for distinguishing and tracking users quickly and securely. The invention assigns each visiting user a unique and permanent identifier and assigns each session a temporary identifier, providing a mechanism that tracks users both statelessly and statefully, operates on and manages the user tracking records quickly and efficiently, and prevents possible forgery and replay attacks. The technique can be applied to intermediate systems placed between clients and the server, such as intrusion detection and intrusion prevention systems, to achieve differentiated tracking, analysis and control of users.
To achieve the object of the invention, the technical solution adopted is as follows:
An intermediate system that distinguishes and tracks users quickly and securely is constructed. It is connected in front of the server, on a link that clients must traverse to access the server. Users accessing the server are distinguished and tracked by combining a long-term identifier PID with a short-term identifier SID: the PID is used to track a user over the long term; the SID is used to distinguish active users quickly; the SID is used as the index for efficient management of the user session-state records; and a frequently changing random number together with a digital signature are appended to protect the integrity of the PID and SID in transit and to prevent replay attacks. The long-term identifier PID is a unique and permanent identifier that the intermediate system assigns to each user who has ever accessed the server; the short-term identifier SID is a temporary identifier that the intermediate system assigns to each active user; an active user is a user in a session with the server.
The intermediate system carries the PID and SID between the client and the server by intercepting session packets and rewriting some of their fields. A session packet is a packet produced in an application-layer session between the server and a user who may be behind a firewall, proxy server or network address translator; the rewritten fields are content that travels from the client to the server and is returned to the client again during the application-layer session.
In fact, any application that passes through firewalls, proxy servers and NATs to reach the client and is returned by the client can be used by the invention to carry (SID, PID). For example, an embedded link can be placed in every Web page that appears to be a link to dynamic, that is non-cacheable, content, but whose URL is actually (SID, PID). A browser plug-in can also embed (SID, PID) in every HTTP request. The simplest method, however, is to use the cookie function of HTTP to transmit (SID, PID).
The invention distinguishes users as follows. According to whether a packet carries a PID, users are divided into old users and new users; old users are further divided by the pair (SID, PID) into active and inactive users; and active users are further separated into individual users by SID and tracked individually. A new user is one visiting for the first time, who has not yet been assigned a PID and SID. An active user is one in a session with the server, who holds a valid (SID, PID) and can be looked up quickly with SID as the index. An inactive user is one who has not sent a request packet for a long time and whose temporarily assigned SID has been reassigned to another active user.
In practice, the very first request sent by a user's browser does not contain (SID, PID). The intermediate system treats this request as a new user's request and passes it directly to the protected Web server. When responding to this request, the protected Web server reserves enough byte space in the response for (SID, PID). When the intermediate system receives this response from the server, it assigns the user a permanent user identifier PID and a temporary session identifier SID, recomputes the TCP and IP checksums, and sends the response to the user.
After the user's browser receives the response carrying (SID, PID), it retains (SID, PID) and includes it in subsequent requests. The intermediate system treats a request carrying (SID, PID) as an old user's request, uses the SID in it to find the (SID, PID) kept in the intermediate system, and learns by comparison whether the request is legitimate. If it is, the request is passed to the protected Web server, which responds normally and returns (SID, PID) in the response as it was.
If a user stops activity for a long time, the session record for that user kept in the intermediate system is cleared, and the freed resource is used to record other users' sessions. Therefore, when the user browses the protected Web server again after the long pause, the (SID, PID) found in the intermediate system by the SID index will be inconsistent with the (SID, PID) in the user's request, and the intermediate system can judge that an inactive user is beginning a new session.
When the intermediate system receives the first request packet of a session newly begun by an inactive user, it marks the user as active. Specifically, it records the user's PID so that subsequent replayed packets can be found, namely those request packets for which the intermediate system can find no matching (SID, PID) but whose PID is marked "active". To detect this quickly, a hash function is needed that maps the PID into a smaller set of users' "active states". Here the low-order digits of the PID are simply taken, as many digits as the SID has (for example 4), and denoted Last(PID). The main consideration is that the PID is obtained from a counter, so new users appearing at the same time have different low-order digits, while the probability that they are active at the same time afterwards is relatively high. Active users that share the same Last(PID) are recorded in a linear search list, as shown in the following tables.
Active user list entry (one per Last(PID)):

    Last(PID)   Entry
    LID         LID.nxt (= SID)
    ...         ...

Active user list:

    SID      Active PID   Previous SID      Next SID
    SID      PID          SID.pre = BGN     SID.nxt (= SID_1)
    SID_1    PID_1        SID_1.pre         SID_1.nxt (= SID_2)
    ...
    SID_n    PID_n        SID_n.pre         SID_n.nxt = END

Here PID, PID_1, PID_2, ..., PID_n all have the same Last(PID), that is, the same entry. BGN and END denote the start and end marks of this linear search chain.
In the technical solution of the invention, the SID serves as the index for all record operations, and the reuse of the buffer addressed by SID is managed with a stack. The records are the data by which users are tracked. The management method determines the maximum number of SIDs from the size of the buffer and the length of each record, and then manages the use of SIDs with a stack. The SID stack is managed as follows: all SIDs are first pushed onto the stack in order; each time a SID is assigned to an active user, one SID is taken from the bottom of the stack, assigned to that user, and pushed onto the top of the stack; and each time a user's record is operated on, that user's SID is taken out of the stack and pushed onto the top again. In this way the SID at the bottom of the stack always represents the user who has been inactive for the longest time, and that SID can be reused. The SID stack is constructed as follows:
    TOP.dwn = SID_1, SID_1.dwn = SID_2, ..., SID_(n-1).dwn = SID_n, SID_n.dwn = BTM;
    BTM.up = SID_n, SID_n.up = SID_(n-1), ..., SID_2.up = SID_1, SID_1.up = TOP

Here TOP and BTM are two addresses similar to a SID but outside the SID set. For example, if the SID set is 0001 to 9998, TOP = 0000 and BTM = 9999 can be chosen. The SID stack has the following structure:
SID stack table:

    SID     down        up
    ...     ...         ...
    SID     SID.dwn     SID.up
    ...     ...         ...
Management of the SID stack thus guarantees that the intermediate system does not overflow when the number of concurrent sessions is too large. The only effect of too many concurrent sessions, or of too high a session arrival rate, is to shorten the idle time each session is allowed.
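As an added illustration (not the patent's own code), the SID stack of this section and the active-user list bucketed by Last(PID) from the previous section, combined into one session table. It assumes SIDs 1..n with sentinels TOP = 0 and BTM = n + 1 outside the SID set, PIDs from a counter, Last(PID) = PID mod 10^digits, and that signature checking of the carried pair (the patent's DS) happens elsewhere before classify() is called.

```python
# Added example, not from the patent: SID stack (LRU reuse) plus the
# active-user list keyed by Last(PID). Assumptions: SIDs are 1..n, TOP = 0
# and BTM = n + 1 are sentinel addresses outside the SID set, PIDs come from
# a counter, and DS verification is done before classify() is used.

class SidStack:
    """Doubly linked SID chain: TOP.dwn is the most recently used SID and
    BTM.up the SID idle for the longest time, which is the one to reuse."""

    def __init__(self, n):
        self.top, self.btm = 0, n + 1
        ids = [self.top] + list(range(1, n + 1)) + [self.btm]
        self.dwn = {ids[i]: ids[i + 1] for i in range(len(ids) - 1)}
        self.up = {ids[i + 1]: ids[i] for i in range(len(ids) - 1)}

    def _unlink(self, sid):
        self.dwn[self.up[sid]] = self.dwn[sid]
        self.up[self.dwn[sid]] = self.up[sid]

    def _push_top(self, sid):
        first = self.dwn[self.top]
        self.dwn[self.top], self.up[sid] = sid, self.top
        self.dwn[sid], self.up[first] = first, sid

    def allocate(self):
        """Take the SID at the bottom (least recently used), move it to the top."""
        sid = self.up[self.btm]
        self._unlink(sid)
        self._push_top(sid)
        return sid

    def touch(self, sid):
        """Every operation on a user's record moves that SID back to the top."""
        self._unlink(sid)
        self._push_top(sid)

    def order(self):
        """SIDs from top to bottom, for inspection."""
        out, cur = [], self.dwn[self.top]
        while cur != self.btm:
            out.append(cur)
            cur = self.dwn[cur]
        return out


class SessionTable:
    """Records indexed by SID, plus the active-user list keyed by Last(PID)."""

    def __init__(self, n_sids, sid_digits=4):
        self.stack = SidStack(n_sids)
        self.records = {}            # SID -> PID currently bound to that SID
        self.active = {}             # Last(PID) -> linear chain of (SID, PID)
        self.mod = 10 ** sid_digits
        self.next_pid = 1            # PIDs are handed out by a counter

    def last(self, pid):
        return pid % self.mod

    def new_user(self):
        pid, self.next_pid = self.next_pid, self.next_pid + 1
        return self.new_session(pid)

    def new_session(self, pid):
        """Bind the longest-idle SID to this PID; whoever held that SID before
        becomes an inactive user and leaves the active list."""
        sid = self.stack.allocate()
        old_pid = self.records.pop(sid, None)
        if old_pid is not None:
            self.active[self.last(old_pid)].remove((sid, old_pid))
        self.records[sid] = pid
        self.active.setdefault(self.last(pid), []).append((sid, pid))
        return sid, pid

    def is_active(self, pid):
        """Hash on Last(PID), then linear search of the short chain."""
        return any(p == pid for _, p in self.active.get(self.last(pid), []))

    def classify(self, sid, pid):
        """Classify a request carrying (SID, PID):
        'active'    the pair matches the record found via SID;
        'stale'     the PID is active but under another SID, so this pair
                    belongs to an ended session (a replay candidate);
        'inactive'  the SID was reassigned and the PID is not active: an old
                    user beginning a new session after a long pause."""
        if self.records.get(sid) == pid:
            self.stack.touch(sid)
            return "active"
        return "stale" if self.is_active(pid) else "inactive"
```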
In the technical solution of the invention, forgery of SID and PID is prevented by exploiting the fact that the SID changes frequently while the PID is constant: the SID and PID are used bound together, the intermediate system records this binding with SID as the index, uses it to check the legitimacy of the SID and PID carried in a packet, and discards illegitimate packets. "The SID changes frequently" means that each time a user passes from the inactive to the active state it may be given any idle SID. To increase the rate at which the pair changes, a more frequently changing random number R is concatenated, and a digital signature DS is appended to protect and verify its integrity.
The string formed from (SID, PID), R and DS is a special string with security attributes such as integrity protection and replay resistance, abbreviated here as ips_ckie. The way a cookie carries ips_ckie is shown in the following table. The name of ips_ckie is a special string, for example vErY_sPecIL_iPs_CoOkIE_NaME*, so whether an HTTP request or response contains ips_ckie can be found by matching this string. In general the headers of HTTP requests and responses are not too long (for example less than 1500 bytes), so the probability that ips_ckie is split across two packets is small, and the probability that the intermediate system misses it is correspondingly small. If the ips_ckie in a request packet from the user is missed, the packet is treated as a new user's request and served together with the new users' requests, so under normal circumstances the user is unaffected; if the ips_ckie in a response from the protected Web server is missed, the user is also unaffected, apart from missing one update or the assignment of a new SID and PID. Where possible, however, ips_ckie can be given a validity-time control, so that a missed ips_ckie is cancelled immediately on reaching the client (its time attribute Max-Age="00000000") while a normal ips_ckie is kept at the client for a sufficiently long time (for example Max-Age="86400000").
    Transmission direction     Cookie structure of ips_ckie
    Server to IPS              Set-Cookie2: vErY_sPecIL_iPs_CoOkIE_NaME0="0||0||0||0"; Version="1"; Path="/dynamic_content"; Max-Age="00000000"
    Client to IPS to Server    Cookie: $Version="1"; vErY_sPecIL_iPs_CoOkIE_NaME1="SID||PID||R||DS"; $Path="/dynamic_content"
    IPS to Client              Set-Cookie2: vErY_sPecIL_iPs_CoOkIE_NaME1="SID||PID||R||DS"; Version="1"; Path="/dynamic_content"; Max-Age="86400000"
The anti-replay method of the technical solution divides packets into legitimate and expired according to the ips_ckie string they carry, and filters out the expired packets. A legitimate packet satisfies one of two conditions: it carries the currently valid ips_ckie, or it carried the previously valid ips_ckie and was sent before the currently valid ips_ckie reached the client. After a short time the intermediate system updates the currently valid string, to resist replay. Specifically, when the intermediate system receives a response carrying ips_ckie, it checks the difference between the current time and the time of the last update; if this exceeds a given threshold (for example 1 minute), the ips_ckie is updated and the former ips_ckie is kept as the previously valid one. Obviously, if the threshold is 0, the intermediate system updates ips_ckie without pause. An update means generating a new random number R, recomputing the digital signature DS, and recomputing the TCP and IP checksums.
All the methods of the technical solution are based on read and write operations on fields that have no influence on the normal session between the user and the server. A field with no influence is redundant byte space reserved by the protected server; the intermediate system is responsible for inserting, reading and modifying the required content. In implementation, interaction with the protected server is reduced as far as possible; the protected Web server is only required to cooperate minimally, by reserving byte space for ips_ckie or in the setup of its pages. For example, the protected server is required to set an empty ips_ckie, or a dummy URL of the same length as ips_ckie, for each new user; this does not affect any cookies the protected Web server itself needs to set. Because the name of ips_ckie is special, the intermediate system can find the position of ips_ckie by name matching and reassign it, without reassembling fragments or parsing HTTP. Taking further into account the caching effect of proxy servers and caches in the network on static content, that is, their sharing of the Web server's load, the system normally sets ips_ckie only for dynamic content and other non-cacheable content.
When the intermediate system is required in practice to be completely independent of the protected Web server, it must add application-layer parsing, including treating the newly added ips_ckie as a new fragment and synchronizing the TCP sequence numbers when a response packet has already reached the maximum transmission unit (MTU), for example 1500 bytes. In that case the complexity of the intermediate system and the delay it adds to response packets increase greatly, because fragments must be reassembled and the protocols at all layers must be parsed.
The advantage of the invention is that it is suited to building a security defense system or a classification control system in front of a protected Web server. Using the secure user differentiation technique provided by the invention, each user's behavior can be tracked and analyzed, and thereby differentiated service, rate control, filtering and the like realized, without affecting the convenience with which the Web server sets cookies and other applications at the client. It thus combines convenience and security and is well suited to wide adoption.
Description of drawings
Fig. 1 is a schematic of the structure of the intermediate system that distinguishes and tracks users quickly and securely;
Fig. 2 is the flow chart for classifying packets from the client to the server;
Fig. 3 is the flow chart of the protected Web server's processing of ips_ckie;
Fig. 4 is the flow chart for classifying packets from the server to the client;
Fig. 5 is a schematic of the realization of ips_ckie;
Fig. 6 is the system module structure for classifying packets from the client to the server;
Fig. 7 is the software module structure of the protected Web server's processing of user requests;
Fig. 8 is the system module structure for classifying packets from the server to the client.
Embodiment
The invention is further described below with reference to the drawings.
Fig. 1 shows the structure of the intermediate system of the invention for distinguishing and tracking users quickly and securely. This embodiment focuses on handling HTTP request packets; for other packets, mature techniques such as the access-list control of a firewall and the misuse detection of an intrusion detection system can be adopted to detect and filter by source IP address, protocol, rate, process and key features. After packets from the Internet are received and classified, HTTP requests are separated out. After the user's short-term state and long-term identifier in the HTTP request are verified and classified, illegitimate or forged requests are filtered; what passes are new users' requests and old users' requests, where an old user's request packet carries a legitimate ips_ckie. Old users' requests then pass an anti-replay check that filters out replayed requests, and are delivered to the subsequent classification control system. The classification control system uses SID as the index to track and process each active user separately. New users' requests and other legitimate packets are treated in the classification control system as streams of a different type from old users', with a different control mode. For the classification control of new and old users' streams and of all packets, the classification control system can adopt methods such as intrusion detection, intrusion prevention, rate control, priority queuing and quality-of-service control, so that the accessed Web server is protected. After responding to a request, the protected Web server must deliver the response packet to the client through this intermediate system. Packets from the protected Web server are first passed through the intermediate system's packet receiving and classification program, which separates out the HTTP response packets and classifies them further, specifically into response packets for an old user's ongoing session and response packets for a session newly started by a new user or an old user. A response packet for an old user's ongoing session must have its short-term state updated, that is, it is given a new random number R and its digital signature is recomputed, to prevent replay-type attacks; a response packet for a new user is assigned a new PID and SID, and a response packet for a session newly begun by an old user keeps the original PID and is assigned a new SID. Whether an old user or a new user begins a new session, the user is marked active and placed in the active user list. Finally, after ips_ckie is formed and the checksums are recomputed, the response packet is sent back to the user over the Internet.
Fig. 2 shows the classification process for packets from the client to the server. Packets arriving from the Internet are first divided, according to the IP protocol field and the port, into HTTP request packets and other packets, for example ICMP, UDP and TCP connection setup/teardown packets, so that the two classes can be handled separately. Because HTTP request packets are usually short, fragment reassembly is usually unnecessary. The separated HTTP requests are divided, by searching for ips_ckie, into requests with ips_ckie and requests without. A request without ips_ckie is regarded as a new user's request; it may also be a request from an old user who has cleared the cookies saved in the browser or disabled the browser's cookie function. For a new user's request packet no historical data exists from which to judge its behavior, so the system can only judge and control the aggregate state of the stream formed by all new users' requests, for example by controlling the total arrival rate of new users' request packets, by controlling their source IP addresses, or by further subjecting these request packets to deep inspection, that is, feature and rule detection of each request packet, and filtering the harmful ones. A request with ips_ckie is a request sent by an old user. It is verified by its ips_ckie: using the SID in the ips_ckie as the index, the corresponding record is found in the system's memory and compared, that is, the ips_ckie in the request is compared with the current copy and the previous copy kept in the system. Requests with ips_ckie are thereby divided into three classes: with the new ips_ckie, with the old ips_ckie, and unregistered. A request with the new ips_ckie is one sent during an active user's ongoing browsing session; these users and sessions are distinguished by the SID. A request with the old ips_ckie is valid if it was sent before the new ips_ckie reached the client, and is treated the same as a request with the new ips_ckie; if it exceeds the transit time, it is illegitimate and should be filtered. For an unregistered request, no corresponding copy of the ips_ckie it carries exists for comparison, so its legitimacy must be checked by verifying its digital signature. If the signature is invalid, the request may be a forgery of a legitimate request and should be discarded. If it is valid, the PID in the ips_ckie is used to search the active user set to check whether this user is active or not. If the user is not active, the request is a browsing session newly begun by a legitimate old user after a long pause, and the SID in its ips_ckie has been used by another user's session. If the user is active, the user has already begun a new session but this ips_ckie is old; it is valid only within the time it takes the new ips_ckie to reach the client, otherwise it may be a request replayed by an attacker and is discarded.
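The request-side check just described, together with the ips_ckie format and refresh rule from the anti-replay section above, as an added example that is not the patent's own code. It assumes DS is an HMAC-SHA256 over "SID||PID||R" under a key held only by the intermediate system (the patent names MD5 as one digest option; a keyed MAC is used here so a client cannot forge DS), models "before the new ips_ckie reached the client" as a fixed transit window in seconds after the refresh, and finds the cookie by matching the special name from the table rather than parsing HTTP.

```python
# Added example, not from the patent: ips_ckie = "SID||PID||R||DS", the
# per-SID record with current/previous copies, the threshold-driven refresh,
# and the classification of an incoming request into the Fig. 2 classes.
# Assumptions: DS = HMAC-SHA256(key, "SID||PID||R") instead of the patent's
# MD5 option; the transit window is a fixed number of seconds; the cookie is
# located by a regex on the raw request text, not by an HTTP parser.
import hmac, hashlib, re, secrets

SEP = "||"
COOKIE_RE = re.compile(r'vErY_sPecIL_iPs_CoOkIE_NaME1="([^"]*)"')

def make_ckie(key, sid, pid, r=None):
    r = secrets.token_hex(4) if r is None else r
    body = SEP.join((str(sid), str(pid), r))
    return body + SEP + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def parse_ckie(ckie):
    """(sid, pid, r, ds) or None if the string does not have the right shape."""
    parts = ckie.split(SEP)
    if len(parts) != 4 or not (parts[0].isdigit() and parts[1].isdigit()):
        return None
    return int(parts[0]), int(parts[1]), parts[2], parts[3]

def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())

def verify_ds(key, ckie):
    """Only needed for unregistered requests, where no stored copy exists."""
    p = parse_ckie(ckie)
    return p is not None and _same(make_ckie(key, p[0], p[1], p[2]), ckie)

class Record:
    """Per-SID state: current ips_ckie, the previous one, time of last update."""
    def __init__(self, ckie, now):
        self.current, self.previous, self.updated_at = ckie, None, now

class Ips:
    def __init__(self, key, threshold=60, transit=5):
        self.key, self.threshold, self.transit = key, threshold, transit
        self.records = {}        # SID -> Record
        self.active = {}         # PID -> SID of the session marked active

    def register(self, sid, pid, now):
        """A response assigns (SID, PID): the SID's former holder, if any,
        becomes inactive. Returns the ips_ckie to place in the response."""
        old = self.records.get(sid)
        if old is not None:
            self.active.pop(parse_ckie(old.current)[1], None)
        ckie = make_ckie(self.key, sid, pid)
        self.records[sid] = Record(ckie, now)
        self.active[pid] = sid
        return ckie

    def refresh(self, sid, now):
        """Response for an ongoing session: new R and DS once the last update
        is older than the threshold; the old copy stays valid while in transit."""
        rec = self.records[sid]
        if now - rec.updated_at < self.threshold:
            return rec.current
        s, p, _, _ = parse_ckie(rec.current)
        rec.previous, rec.updated_at = rec.current, now
        rec.current = make_ckie(self.key, s, p)
        return rec.current

    def classify_request(self, raw_request, now):
        """new-user | active | old-in-transit | replay | forged |
        inactive-new-session | active-replay (the Fig. 2 classes)."""
        m = COOKIE_RE.search(raw_request)
        if m is None:
            return "new-user"
        ckie = m.group(1)
        p = parse_ckie(ckie)
        if p is None:
            return "forged"
        sid, pid = p[0], p[1]
        rec = self.records.get(sid)
        if rec is not None and _same(rec.current, ckie):
            return "active"
        if rec is not None and rec.previous and _same(rec.previous, ckie):
            return "old-in-transit" if now - rec.updated_at <= self.transit else "replay"
        # unregistered: no stored copy to compare, fall back to the signature
        if not verify_ds(self.key, ckie):
            return "forged"
        new_sid = self.active.get(pid)
        if new_sid is None:
            return "inactive-new-session"   # old user back after a long pause
        # PID already active under another SID: the carried ips_ckie is old and
        # is tolerated only while the newer one may still be on its way down
        if now - self.records[new_sid].updated_at <= self.transit:
            return "old-in-transit"
        return "active-replay"
```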
Fig. 3 shows the protected Web server's processing of ips_ckie. The server provides a minimal cookie function: for a user request without ips_ckie it sets a new ips_ckie (new_ckie); for a request with ips_ckie it simply copies it into the response and returns it. The name of new_ckie must be a special name, basically the same as that of ips_ckie and differing only in a flag bit, so that the system can recognize it. Its value is unimportant and can be all zeros; its main purpose is to reserve enough byte length for the system. Its path, however, must indicate the page location, and its maximum validity time is set to 0, to avoid any effect of new_ckie on the client should the system miss it.
Fig. 4 is the classification flow chart for packets travelling from the server to the client. When a packet from the protected Web server arrives at the intermediate system, the intermediate system applies a method similar to the classification of client-to-server packets and divides packets into: other packets; responses to new users; responses to the first request of a session newly begun by an old user; responses carrying an old ips_ckie; and responses to requests of ongoing sessions. Other packets are left untouched and sent straight back to the user. For a response to a new user, the system assigns the user a new user identifier PID from a counter and then, as for a new-session response, obtains from the SID stack the SID that has been unused for the longest time as the session identifier; the SID and PID are then recorded in the active user set, making the user active. For a response carrying an old ips_ckie, that ips_ckie must not be sent back to the client, lest it overwrite the newer ips_ckie already there; the system therefore takes the copy of the new ips_ckie it holds, replaces the old ips_ckie in the response with it, and then sends the response back to the user. For a response to an ongoing session, the system checks whether the ips_ckie needs updating. If not, the response is sent straight back to the user; if so, a new ips_ckie is generated, and both the new ips_ckie and the one just replaced are recorded in the system for subsequent checking. The SID stack operation is to put the most recently used SID at the top of the stack, so that the SID at the bottom is the one unused for the longest time and can be reused.
Figure 5 shows how ips_ckie is realized. At first the request sent by the user's browser carries no predefined ips_ckie, so the system treats it as a new user's request and passes it directly to the protected Web server. When the server responds to this request it sets a new_ckie in the response, whose main purpose is to reserve enough bytes for the system to set ips_ckie. When the system receives this response from the server, it allocates a permanent user identifier PID and a temporary session identifier SID for the user, concatenates SID and PID with a freshly generated random number, computes a digital signature DS over the concatenation with MD5 or a similar function, and so obtains the value of ips_ckie. It then sets Max-Age="86400000", replaces the new_ckie in the response with ips_ckie, recomputes the TCP and IP checksums, and sends the response on to the user.
After the user's browser receives the response carrying ips_ckie, it retains the cookie and attaches it to subsequent requests. When a request carrying ips_ckie reaches the system, the system treats it as an old user's request and uses the SID in the ips_ckie to locate the copy kept in the system; comparing the two tells whether the ips_ckie is legitimate. If it is, the request is passed to the protected Web server, which responds normally and returns the ips_ckie unchanged in its response. After a short time the system updates the ips_ckie to resist replay attacks. Specifically, when the system receives a response carrying ips_ckie it checks the difference between the current time and the time of the last update; if the difference exceeds a given threshold, for example one minute, the ips_ckie is updated. Clearly, if the threshold is 0 the system updates the ips_ckie continuously. An update means generating a new random number, recomputing the digital signature of ips_ckie, recomputing the TCP and IP checksums, and delivering the result to the user.
If a user stays idle for a long time, the session record kept for that user in the system is cleared, and the freed resources are used to record other users' sessions. In other words, the number of SIDs is determined by the memory capacity of the system, that is, by how many session records it can store. The finite number of SIDs guarantees that the system cannot overflow because of too many concurrent sessions; the only effect of a large number of new sessions is to shorten the idle time each session is allowed. Consequently, when a user returns to the protected Web server after a long absence, the system no longer holds a copy to compare against the ips_ckie in the user's request, and it can verify the validity of that ips_ckie only by verifying its digital signature. Because the SID in the ips_ckie is stale and may now identify another user's session, once the ips_ckie passes verification the user must be given a new, unused SID, denoted SID' here. The system generates a new random number, computes a new digital signature, updates the TCP and IP checksums, and sends the result to the user's browser.
Figure 6 shows the module structure for classifying packets in the client-to-server direction. The packet receiver module 1 is the entry point of the system: it stores packets arriving from the Internet in the large-capacity memory DRAM 0, and stores each packet's descriptor in the faster memory SRAM for later use. The HTTP separation module 2 first picks out TCP packets by the value of the protocol field, then picks out HTTP packets by port number (by default port 80). It then distinguishes HTTP requests from other packets by the format and keywords of HTTP requests, such as GET, HEAD and POST, and hands each kind to the appropriate subsequent module. The ips_ckie matching and parsing module 4 checks whether the packet stored in DRAM 0 contains the predefined ips_ckie name, reads the corresponding SID', PID', R' and DS' fields from the packet in DRAM 0, and stores these fields in registers for later use.
Once an ips_ckie has been found, the ips_ckie verification and classification module 6 checks whether its digital signature, or the whole ips_ckie (that is, the user identifier PID and the random number R as well), agrees with the copy kept in the system or with the previous copy. The previous copy is considered because, before a new ips_ckie reaches the user side, some requests carrying the previous ips_ckie may already have left the user's browser and be on their way to the system. During the transit period after an ips_ckie update, the transit time control module 11 therefore also lets requests carrying the previous ips_ckie through. If no copy in the system agrees with the ips_ckie in the request, the system holds no record of this user's session, and the request is handed to the digital signature verification module 8 to verify the legitimacy of its signature.
Examination table of new and old ips_ckie:

SID   new digital signature   previous digital signature   update time   random number   other records
...   ...                     ...                          ...           ...             ...
SID   newDS                   oldDS                        upd_time      R               records
...   ...                     ...                          ...           ...             ...
Because a request carrying an ips_ckie with a legitimate digital signature may be a legitimate user's request replayed by an attacker, the ips_ckie needs a further check to decide whether the request is a replay. The check first determines, in the active user check module 9, whether the user is active, that is, it searches linearly from the inlet LID for this user's PID in the active user set. If the user is active, the user has already begun a new session, so its old ips_ckie is valid only within the browser turnaround time after the ips_ckie update; the anti-replay time control module 10 therefore checks how long ago the new session began. If the user is not active, the user has started a new browsing process after a long idle period; a new SID is then allocated to this new session, the user is added to the active user set, and a new random number and a new digital signature are generated for the user, forming a new ips_ckie. Since the system must make the identical change to the value of new_ckie in the response, and in order to avoid duplicating modules with the same function and to save DRAM access time, the packet itself is not modified here: all HTTP request packets are read out of the system's DRAM 0 by the sending module 12 and sent to the port leading to the protected Web server.
Figure 7 is a schematic of the software modules with which the protected Web server handles user requests. The protected Web server 15 searches the user request for the special cookie set by the system, that is, ips_ckie. If it is absent, the request comes from a new user; if the request is for dynamic content, for content that cannot be cached, or for another page that is to be tracked, the server response module 16 sets in the response to this user a new_ckie whose value is all zeros. The response may also contain other cookies that the protected Web server itself needs. If the request carries the special cookie set by the system, it comes from an old user, and in the server response module 17 the protected Web server merely copies the ips_ckie from the request into the HTTP response. The names of new_ckie and ips_ckie are essentially identical, differing only in a flag bit, so that the string is easy to search for; the string should be very distinctive and hard to confuse with other strings, for example vErY_sPecIL_iPs_CoOkIE_NaME. According to RFC 2965 the cookie header of the HTTP response has the form Set-Cookie2: cookie1, cookie2, ..., ips_ckie, where cookie1, cookie2, ... are zero or more cookies set by the protected Web server for its own needs, and new_ckie and ips_ckie are the cookies the system requires. A concrete example follows:
vErY_sPecIL_iPs_CoOkIE_NaME0="00......0";Version="1";Path="/dynamic_content",
vErY_sPecIL_iPs_CoOkIE_NaME1="12340123456789ABCDEFrandom_numDigtal_signature";Version="1";Path="/dynamic_content"
Here the first cookie is new_ckie and the second is ips_ckie. Their names are the special string vErY_sPecIL_iPs_CoOkIE_NaME followed by a different final character, 0 and 1 respectively. The value of new_ckie is 46 zeros, which merely reserves enough bytes for the actual value to be written later. The value of ips_ckie is "12340123456789ABCDEFrandom_numDigtal_signature", made up of four parts: the first 4 bytes are the user's SID in this system, here 1234; the next 16 bytes are the user's permanent identifier PID, here 0123456789ABCDEF; then come the 10 bytes of the random number, here random_num; and finally the 16-byte digital signature, which the system uses to verify the legitimacy of this ips_ckie.
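The Python below is an added example, not the patent's own implementation, that walks through the ips_ckie lifecycle described with Figure 5 using the value layout just given (SID 4, PID 16, R 10, DS 16 characters): issuing SID||PID||R||DS to a new user, classifying an incoming cookie as current, previous-but-in-transit, replayed, forged or without a matching record, updating it once the refresh threshold has elapsed, and giving a returning inactive user a fresh SID'. Assumptions not on the page: DS is a keyed HMAC-SHA256 truncated to 16 hex characters in place of the page's MD5-based signature, the class and method names are invented, and the SID pool, refresh threshold and transit window are constructed values.

```python
import hashlib
import hmac
import secrets

# Field widths in characters, taken from the page's example value:
# SID 4 + PID 16 + R 10 + DS 16 = 46, the same length as the 46 zeros of new_ckie.
SID_LEN, PID_LEN, R_LEN, DS_LEN = 4, 16, 10, 16
VALUE_LEN = SID_LEN + PID_LEN + R_LEN + DS_LEN
COOKIE_BASE = "vErY_sPecIL_iPs_CoOkIE_NaME"   # name from the page; final char 0 = new_ckie, 1 = ips_ckie
NEW_CKIE_NAME, IPS_CKIE_NAME = COOKIE_BASE + "0", COOKIE_BASE + "1"


class IpsCookieSystem:
    """Intermediate-system view of the ips_ckie lifecycle (added example, not the patent's code).

    Assumptions not on the page: DS is a keyed HMAC-SHA256 truncated to DS_LEN hex characters
    (the page says MD5 or similar); refresh threshold and transit window are parameters;
    the SID pool is a plain free list, the stack discipline being a separate concern.
    """

    def __init__(self, key, sid_pool, refresh_after=60, transit_window=5, rng=None):
        self.key = key
        self.free_sids = list(sid_pool)                  # constructed pool, e.g. ["1234", "1235"]
        self.refresh_after = refresh_after               # seconds before a response triggers an update
        self.transit_window = transit_window             # seconds the previous ips_ckie stays acceptable
        self.rng = rng or (lambda: secrets.token_hex(R_LEN // 2))
        self.pid_counter = 0                             # the page's incrementing PID counter
        self.table = {}                                  # SID -> record: the new/old examination table

    def _ds(self, sid, pid, r):
        """Digital signature over SID||PID||R (keyed HMAC stands in for the page's MD5 signature)."""
        return hmac.new(self.key, (sid + pid + r).encode(), hashlib.sha256).hexdigest()[:DS_LEN]

    @staticmethod
    def parse(value):
        """Split a cookie value into (SID, PID, R, DS); anything of the wrong length counts as no cookie."""
        if value is None or len(value) != VALUE_LEN:
            return None
        a, b, c = SID_LEN, SID_LEN + PID_LEN, SID_LEN + PID_LEN + R_LEN
        return value[:a], value[a:b], value[b:c], value[c:]

    def _stamp(self, sid, pid, now):
        """Produce a fresh ips_ckie for (SID, PID) and record it, keeping the previous DS of the same user."""
        r = self.rng()
        ds = self._ds(sid, pid, r)
        prev = self.table.get(sid)
        old_ds = prev["new_ds"] if prev and prev["pid"] == pid else None
        self.table[sid] = {"pid": pid, "new_ds": ds, "old_ds": old_ds, "upd_time": now, "r": r}
        return sid + pid + r + ds

    def issue_new_user(self, now):
        """Response to a request without ips_ckie: fresh PID plus a free SID."""
        self.pid_counter += 1
        return self._stamp(self.free_sids.pop(0), f"{self.pid_counter:0{PID_LEN}X}", now)

    def classify_request(self, value, now):
        """Client-to-server direction: decide how an incoming ips_ckie is treated."""
        parsed = self.parse(value)
        if parsed is None:
            return "new_user"
        sid, pid, r, ds = parsed
        rec = self.table.get(sid)
        if rec and rec["pid"] == pid:
            if ds == rec["new_ds"]:
                return "active_current"
            if ds == rec["old_ds"] and now - rec["upd_time"] <= self.transit_window:
                return "active_previous"            # previous ips_ckie still in transit after an update
        if not hmac.compare_digest(ds, self._ds(sid, pid, r)):
            return "forged"                         # signature fails: discard the packet
        if rec and rec["pid"] == pid:
            return "replay"                         # genuine but stale copy outside the transit window
        return "old_user_no_record"                 # genuine, but the SID is stale or already recycled

    def handle_response(self, value, now):
        """Server-to-client direction: update the ips_ckie once the refresh threshold has elapsed."""
        sid, pid, _, _ = self.parse(value)
        if now - self.table[sid]["upd_time"] > self.refresh_after:
            return self._stamp(sid, pid, now)
        return value

    def resume_inactive_user(self, value, now):
        """Signature valid but no usable record: give the returning user an unused SID'."""
        _, pid, _, _ = self.parse(value)
        return self._stamp(self.free_sids.pop(0), pid, now)

    def expire_sid(self, sid):
        """Idle session cleared: drop its record and make the SID the next one handed out."""
        self.table.pop(sid, None)
        self.free_sids.insert(0, sid)
```

The keyed MAC is the point to keep: an unkeyed hash over SID||PID||R can be recomputed by whoever holds the cookie, so the "forged" branch would never fire and only the copy comparison and the transit window would be left to detect tampering. The transit window is also what bounds replay exposure, so it should be set to the expected browser turnaround time rather than left generous.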
Figure 8 shows the module structure for classifying packets in the server-to-client direction. The receiver module 21, HTTP separation module 22, ips_ckie matching and parsing module 23, ips_ckie verification and classification module 24 and active user check module 27 function much like the corresponding modules of the client-to-server path. When they receive a packet from the protected Web server on the link, they first inspect the packet's source port number to separate HTTP response packets from other packets. Other packets are forwarded directly to the Internet. For an HTTP response packet, they check whether the packet contains the specific name of the ips_ckie set by the system; if the name is absent, the packet is forwarded directly to the Internet; if present, the flag following the name is inspected to decide whether the cookie is a new_ckie or an ips_ckie. An ips_ckie means the response answers an old user's request, so it must be further distinguished whether it is an old ips_ckie predating a new one, an ips_ckie of an ongoing session, or an ips_ckie for which no identical copy can be found by SID index. For an ips_ckie without a session record, the system checks whether the user is active or inactive. Packets from the protected Web server are thus divided into five kinds, each handled in its own way.
If the cookie is a new_ckie, the response is for a new user, and the obtain-new-PID-and-SID module 29 must allocate an unused permanent user identifier PID to this user; PIDs are allocated from an incrementing counter. Next the activation module 28 takes a new SID from the bottom of the SID stack and records it in the active user set, while the SID stack management module 30 lifts this newly taken SID from the bottom of the stack to the top.
If the user is inactive, the response answers the first request of a newly started session of an old user: the obtain-new-PID-and-SID module 29 takes a new SID from the bottom of the SID stack for it, the activation module 28 records it in the active user set, and the SID stack management module 30 lifts the newly taken SID from the bottom of the stack to the top.
If the response belongs to an active user and carries an old ips_ckie, the user has just started a session, and the request arrived within the transit time before the new ips_ckie reached the user side. As with an old ips_ckie appearing in an ongoing session, the system must not let the old ips_ckie it carries return to the user side, or it would overwrite the new ips_ckie sent earlier; the replacement module 26 therefore substitutes the new ips_ckie for the old one. This also improves, to a degree, the reliability with which the system sets ips_ckie.
If the cookie is the current ips_ckie, the update time control module 25 checks whether it needs updating. If so, the SID stack operation is performed, that is, the SID stack management module 30 moves this SID to the top of the SID stack. If not, the ips_ckie is sent back to the user as is.
Responses for new users, for new sessions, and those whose cookies must be updated all go through ips_ckie reconstruction: the digital signature module 31 generates a new random number, recomputes the digital signature, and writes the result into ips_ckie. After the checksum replacement module 32 has recomputed the TCP and IP checksums, the sending module 34 sends the HTTP response packets out to the Internet so that they reach the user who sent the request.

Claims (8)

1. An intermediate system for distinguishing and tracking users, connected in front of a server on the link through which clients must pass to reach the server, characterized in that it distinguishes and tracks users of the server by combining a long-term identifier PID with a short-term identifier SID; the long-term identifier PID is a unique and permanent identifier assigned by the intermediate system to each user who accesses the server, by which the user is tracked over the long term; the short-term identifier SID is a temporary identifier assigned by the intermediate system to each user currently in session with the server, by which active users are distinguished quickly and by which, as an index, user session state records are managed efficiently; and the PID and SID in transit are integrity-protected by an appended, frequently changing random number and a digital signature.
2. The intermediate system for distinguishing and tracking users according to claim 1, characterized in that the intermediate system carries the long-term identifier PID and the short-term identifier SID by intercepting session packets between the user side and the server and rewriting some of their fields; the session packets are the packets transmitted in an application-layer session between a user and the server that passes through a firewall, a proxy server or a network address translator, and the rewritten fields are content that travels from the user side to the server and back to the user side during the application-layer session.
3. The intermediate system for distinguishing and tracking users according to claim 1 or 2, characterized in that users are distinguished into old users and new users according to whether a packet carries a PID; a new user is one visiting for the first time who has not yet been allocated a PID and SID, while an old user carries a PID and SID; the intermediate system further divides old users into active and inactive users by the two-dimensional vector (SID, PID): an active user is one currently in session with the server, holds a valid two-dimensional vector (SID, PID) and is checked quickly with SID as index, while an inactive user is one who has sent no request packets for a long time and whose SID has been reclaimed by the intermediate system and allocated to another active user.
4. The intermediate system for distinguishing and tracking users according to claim 3, characterized in that, when the intermediate system receives the first request of a new session from an inactive user, it records this user's PID to mark the user as active and to allow the user's activity state to be detected quickly; the method of marking and quickly detecting the activity state is to take the low-order digits of the PID, as many digits as the SID has, denoted Last(PID), and to keep for the series of active users sharing the same Last(PID) a linear search list, of the following form:
Active user list inlet:

Last(PID)   Inlet LID   LID.nxt (= SID)   ...   ...

Active user list:

SID     Active PID   Previous SID    Next SID
SID     PID          SID.pre = BGN   SID.nxt (= SID_1)
SID_1   PID_1        SID_1.pre       SID_1.nxt (= SID_2)
...     ...          ...             ...
SID_n   PID_n        SID_n.pre       SID_n.nxt = END
where PID, PID_1, PID_2, ..., PID_n all share the same Last(PID), that is, the same inlet, and BGN and END denote the start marker and end marker of this linear search chain.
5. The intermediate system for distinguishing and tracking users according to claim 3, characterized in that the SID serves as the index of all record operations, the records being the data by which users are tracked, and the buffer holding them is managed by reusing SIDs; the management method is to determine the maximum number of SIDs from the size of the buffer and the length of each record, and to manage the use of SIDs with a stack; the SID stack is managed by first pushing all SIDs onto the stack in turn, then, each time a SID is allocated to an active user, taking a SID from the bottom of the stack, assigning it to the user and pushing it back onto the top of the stack, and, each time a user record is operated on, taking that user's SID out of the stack and pushing it back onto the top, so that the SID at the bottom of the stack always represents the user inactive for the longest time and can be reused; the SID stack is constructed as follows:
TOP.dwn = SID_1, SID_1.dwn = SID_2, ..., SID_{n-1}.dwn = SID_n, SID_n.dwn = BTM;
BTM.up = SID_n, SID_n.up = SID_{n-1}, ..., SID_2.up = SID_1, SID_1.up = TOP
where TOP and BTM are two addresses of the same kind as a SID but not in the SID set; the SID stack has the following structure:
SID stack table:

SID   Down      Up
...   ...       ...
SID   SID.dwn   SID.up
...   ...       ...
6. The intermediate system for distinguishing and tracking users according to claim 2, characterized in that, exploiting the property that the SID changes frequently while the PID is constant, SID and PID are bound together to prevent forgery of SID and PID; the intermediate system records this binding with SID as index, uses it to verify the legitimacy of the SID and PID carried in a packet, and discards illegal packets; the frequent change of SID means that every time a user passes from the inactive to the active state it is given an idle SID at random; and the frequency of change is increased further by concatenating a random number R that changes still more often, with a digital signature DS appended to protect and verify its integrity.
7. The intermediate system for distinguishing and tracking users according to claim 6, characterized in that packets are divided into legal and stale according to the string SID||PID||R||DS they carry, and replay attacks are resisted by filtering out stale packets; a legal packet is one satisfying either of the following two conditions: it carries the currently valid string, or it carried the previously valid string before the currently valid string reached the user side.
8. The intermediate system for distinguishing and tracking users according to claim 2, characterized in that the long-term identifier PID and the short-term identifier SID in the packets reside in fields that have no effect on the normal session between user and server; these fields are redundant byte space reserved by the protected server, and the intermediate system is responsible for inserting, reading and modifying the required content.
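As an added example (not the patent's own code), the Python below implements the SID stack of claim 5 with the TOP/BTM link maps dwn and up given above, the Last(PID)-indexed active user list of claim 4, and the session recycling behaviour of the description (Figure 4 and Figures 6 to 8): a new session takes the SID at the bottom of the stack, evicting its previous holder if that user is still listed as active, and every record operation lifts the SID to the top. Assumed, because the page does not fix them: PIDs are integers, a SID is 16 bits wide for the purpose of Last(PID), and the class and method names are invented.

```python
SID_BITS = 16   # assumption: a SID is 16 bits wide (the page's example SIDs are 4 hex characters)


def last(pid, sid_bits=SID_BITS):
    """Last(PID) from claim 4: the low-order bits of the PID, as wide as a SID."""
    return pid & ((1 << sid_bits) - 1)


class SidStack:
    """SID stack of claim 5 as two link maps, dwn and up, with TOP and BTM sentinels.
    The bottom entry is the SID unused for the longest time; touching a SID lifts it to the top."""
    TOP, BTM = "TOP", "BTM"

    def __init__(self, sids):
        chain = [self.TOP, *sids, self.BTM]
        self.dwn = {a: b for a, b in zip(chain, chain[1:])}   # TOP.dwn = SID_1, ..., SID_n.dwn = BTM
        self.up = {b: a for a, b in zip(chain, chain[1:])}    # BTM.up = SID_n, ..., SID_1.up = TOP

    def _unlink(self, sid):
        above, below = self.up[sid], self.dwn[sid]
        self.dwn[above], self.up[below] = below, above

    def _push_top(self, sid):
        first = self.dwn[self.TOP]
        self.dwn[self.TOP], self.up[sid] = sid, self.TOP
        self.dwn[sid], self.up[first] = first, sid

    def touch(self, sid):
        """Any record operation on a session lifts its SID to the top of the stack."""
        self._unlink(sid)
        self._push_top(sid)

    def take_bottom(self):
        """Allocation: reuse the SID idle for the longest time, then lift it to the top."""
        sid = self.up[self.BTM]
        self.touch(sid)
        return sid

    def order(self):
        """SIDs from top to bottom, for inspection."""
        out, cur = [], self.dwn[self.TOP]
        while cur != self.BTM:
            out.append(cur)
            cur = self.dwn[cur]
        return out


class ActiveUserSet:
    """Active user list of claim 4: one short linear chain per Last(PID) inlet value,
    holding the (SID, PID) pairs, so that an activity check stays cheap with many users."""

    def __init__(self):
        self.chain = {}     # Last(PID) -> list of SIDs hanging off that inlet
        self.pid_of = {}    # SID -> PID, the (SID, PID) vector of an active user

    def add(self, sid, pid):
        self.pid_of[sid] = pid
        self.chain.setdefault(last(pid), []).append(sid)

    def remove(self, sid):
        pid = self.pid_of.pop(sid)
        self.chain[last(pid)].remove(sid)

    def find(self, pid):
        """Linear search of the Last(PID) chain; returns the SID, or None if the user is inactive."""
        for sid in self.chain.get(last(pid), []):
            if self.pid_of[sid] == pid:
                return sid
        return None


class SessionManager:
    """Bounded SID pool recycled LRU-style: the description's 'longest unused SID is reused'."""

    def __init__(self, sids):
        self.stack = SidStack(sids)
        self.active = ActiveUserSet()
        self.records = {}   # SID -> session record, the memory slot reused with the SID

    def begin_session(self, pid):
        """New user, or inactive old user returning: hand out the longest-idle SID."""
        sid = self.stack.take_bottom()
        if sid in self.active.pid_of:          # still held by the user idle longest: reclaim it
            self.active.remove(sid)
        self.active.add(sid, pid)
        self.records[sid] = {"pid": pid, "requests": 0}
        return sid

    def on_request(self, pid):
        """Active user request: update its record and lift its SID to the top of the stack."""
        sid = self.active.find(pid)
        if sid is None:
            return None
        self.records[sid]["requests"] += 1
        self.stack.touch(sid)
        return sid
```

Because the pool is fixed, a burst of new sessions does not grow memory; it shortens how long an idle session survives before its SID is reclaimed, which is exactly the trade-off the description states. Two PIDs that share Last(PID) land in the same chain and are told apart by the full PID compare in find(), so an inlet collision costs a slightly longer linear walk, not a wrong answer.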
CNB2005101210864A 2005-12-29 2005-12-29 Intermediate system used for distinguishing and tracing user Expired - Fee Related CN100414889C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005101210864A CN100414889C (en) 2005-12-29 2005-12-29 Intermediate system used for distinguishing and tracing user

Publications (2)

Publication Number Publication Date
CN1794656A CN1794656A (en) 2006-06-28
CN100414889C true CN100414889C (en) 2008-08-27

Family

ID=36805943

Country Status (1)

Country Link
CN (1) CN100414889C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210399901A1 (en) * 2018-12-04 2021-12-23 Journey.ai Receiving information through a zero-knowledge data management network

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101383832B (en) * 2008-10-07 2011-12-07 成都市华为赛门铁克科技有限公司 Challenging black hole attack defense method and device
CN108234642B (en) * 2017-12-29 2021-01-26 中国银联股份有限公司 User tracking method, server and user side

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6151676A (en) * 1997-12-24 2000-11-21 Philips Electronics North America Corporation Administration and utilization of secret fresh random numbers in a networked environment
CN1469591A (en) * 2002-07-18 2004-01-21 华为技术有限公司 Method of defending network transmission control protocol sync message from overflowing attack
CN1502187A (en) * 2000-12-08 2004-06-02 ��濨���� A messaging system involving wireless communications and method therefor
US20040111635A1 (en) * 2002-12-04 2004-06-10 International Business Machines Corporation Protection against denial of service attacks
CN1617522A (en) * 2003-11-10 2005-05-18 华为技术有限公司 Method for sending a ata of user mark after renewing
CN1642076A (en) * 2004-01-14 2005-07-20 华为技术有限公司 Method for obtaiing user identification by packet data gate for wireless LAN

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210399901A1 (en) * 2018-12-04 2021-12-23 Journey.ai Receiving information through a zero-knowledge data management network
US20220006649A1 (en) * 2018-12-04 2022-01-06 Journey.ai Receiving information through a zero-knowledge data management network
US11895099B2 (en) * 2018-12-04 2024-02-06 Journey.ai Receiving information through a zero-knowledge data management network
US11916891B2 (en) * 2018-12-04 2024-02-27 Journey.ai Receiving information through a zero-knowledge data management network

Also Published As

Publication number Publication date
CN1794656A (en) 2006-06-28

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080827

Termination date: 20141229

EXPY Termination of patent right or utility model