CN101123534A - Network policy architecture for legal monitoring system and its policy processing method
Publication number: CN101123534A
Authority: CN (China)
Legal status: Granted
Abstract
The present invention relates to a network policy architecture applied to a lawful interception system, comprising a policy repository, a global policy decision point, a local policy decision point connected to the global policy decision point, and a policy enforcement point connected to the local policy decision point. The present invention also relates to a policy processing method with four steps. First, the policy enforcement point sends a registration request to the global policy decision point via the local policy decision point; second, according to the registration request, the global policy decision point queries the policy repository to obtain a policy template and sends it down; third, the local policy decision point analyses the policy rules and, according to those rules, derives policy subclasses from the policy template; and finally, the policy enforcement point obtains the policy subclasses and distributes them. By means of a three-layer policy architecture, the present invention relieves the processing load of the upper-layer global policy decision point, flexibly loads the various modules involved in policy execution in the lawful interception system, and encrypts the policy subclasses it sends down, thereby protecting the confidentiality of policy information.
Description
Technical field
The present invention relates to the field of network security, and in particular to a network policy architecture applied to a lawful interception system and to a policy processing method based on that network policy architecture.
Background art
Lawful Interception is an information security technique whereby, with the authorization and approval of the competent authority, a law enforcement agency sends an interception request to a network operator, access provider or service provider (NWO/AP/SvP), and the NWO/AP/SvP duplicates the content of communications and the call-related information carried by the public telecommunication network (Public Telecommunication Network, PTN) and delivers them to the law enforcement agency.
In the field of network security management, Lawful Interception plays an important role. First, it strengthens the guarantee of national security: monitoring key inbound and outbound voice channels helps satisfy counter-terrorism and similar political needs. Second, criminal activities make increasingly frequent use of telephone communication, and Lawful Interception helps to investigate and gather evidence on such activities. Further, Lawful Interception allows effective supervision of call-centre agents, which improves the agents' working efficiency and the quality of customer service, enhances the image of the operating enterprise and brings it profit. Finally, Lawful Interception provides effective data for fault analysis, making it easier for users to locate network faults quickly.
A stable and robust lawful interception system needs powerful policy management as its support, so that it can dispense with manual intervention and, according to pre-established policies, complete interception tasks on fixed-line telephone networks and IP networks automatically and efficiently. At present, policy models have attracted wide attention in network and device management. In practice, policy-based network management solutions already exist, and large manufacturers such as Cisco and NORTEL have released products supporting policy management; however, these policy management products are mostly based on the policy management framework proposed by the IETF and are aimed mainly at managing network quality of service, so they lack sufficient support for the special application of lawful interception systems. Equipment that performs Lawful Interception on circuit-switched, message-switched and packet-switched networks includes policy management equipment as one of the core components of a lawful interception system. At present, most of the policy management equipment released by manufacturers is aimed at quality of service (QoS); products applied to security management are few, and even where such equipment supports security management, the kinds of security products it can manage are limited.
Figure 1 is a schematic diagram of the existing IETF policy management framework. As shown in the figure, the policy management framework is defined according to a client/server pattern: there is a central Policy Decision Point 101 (Policy Decision Point, PDP) and a plurality of Policy Enforcement Points 102 (Policy Enforcement Point, PEP) distributed on the network nodes. The policy repository 103 (PR: Policy Repository) stores policy information and rules and can be implemented with database (DB: Database) or Active Directory (AD: Active Directory) technology. The Policy Decision Point acts as the policy server: it responds to policy events and locates the corresponding policy rules, performs state and resource validity checks, and converts the policy rules stored in the policy repository into a form the devices can execute. The Policy Enforcement Point, as the client of the policy system, is distributed on each network node; it carries out the corresponding policy management operations according to the policies received from the Policy Decision Point and at the same time reports the results of policy execution to the Policy Decision Point. Policies are issued in one of two modes, the outsourcing mode and the provisioning mode.
However, this IETF policy management framework does not consider the confidentiality of policies: the policy information it issues is usually in clear text, so once it is intercepted the interception policy is leaked. This is especially evident in a distributed lawful interception system, where the issued policy messages must travel over the Internet to each control point in the network. If the confidentiality of the messages cannot be guaranteed, a policy message intercepted in transit may allow the interception target to take targeted measures to evade the lawful interception system.
At the same time, the existing IETF policy management framework uses a directory service to store policies. Each policy must explicitly specify the managed object and the method; the framework cannot automatically revise and adjust the originally formulated policy as the condition and state of the managed object change dynamically, and the policies stored in the directory server must be modified manually through the management console. On the other hand, the existing IETF policy management framework is a flat, centralized architecture: all policy generation and distribution is completed by a single Policy Decision Point in the network, which places a heavy processing burden on that Policy Decision Point and makes it the bottleneck that limits the performance of the whole lawful interception system.
Summary of the invention
The object of the invention is to solve the shortcomings of the existing policy management architecture, namely the lack of policy confidentiality and the heavy processing burden on the Policy Decision Point, by adopting a three-layer network policy architecture suited to lawful interception systems, so as to relieve the processing burden of the Policy Decision Point and achieve unified Lawful Interception policy management covering security, QoS, interception and the like.
The invention further relates to a concrete policy processing method under this network policy architecture, and to the encryption of the policy subclasses issued by the Policy Enforcement Point.
To achieve these objects, the invention provides a network policy architecture applied to a lawful interception system, the network policy architecture comprising:
a policy repository, used to store all policy templates;
a global policy decision point, connected to the policy repository, used for policy decision management of the whole network and for obtaining policy templates from the policy repository and sending them down;
a local policy decision point, connected to the global policy decision point, used for analysing policy rules, receiving the policy templates, and producing policy subclasses according to the policy templates;
a policy enforcement point, connected to the local policy decision point, used for registering with the policy decision point through the local policy decision point, obtaining the policy subclasses and/or encrypting the policy subclasses, and distributing the encrypted policy subclasses.
Further, the network policy architecture applied to a lawful interception system also comprises an encryption module, connected to the policy enforcement point, which executes the policy subclasses, or decrypts the policy subclasses and executes the decrypted policy subclasses, and reports the policy execution results to the policy enforcement point; further, the policy enforcement point reports the execution results to the global policy decision point, which assesses the policy execution results and optimizes the policy templates.
Further, the network policy architecture applied to a lawful interception system also comprises a QoS assurance module, connected to the policy enforcement point, which executes the policy subclasses, or decrypts the policy subclasses and executes the decrypted policy subclasses, and reports the policy execution results to the policy enforcement point; further, the policy enforcement point reports the execution results to the global policy decision point, which assesses the policy execution results and optimizes the policy templates.
Further, the network policy architecture applied to a lawful interception system also comprises a Lawful Interception module, connected to the policy enforcement point, which executes the policy subclasses, or decrypts the policy subclasses and executes the decrypted policy subclasses, and reports the policy execution results to the policy enforcement point; further, the policy enforcement point reports the execution results to the global policy decision point, which assesses the policy execution results and optimizes the policy templates.
To achieve these objects, the present invention also provides a policy processing method based on the network policy architecture applied to a lawful interception system, the policy processing method comprising the following steps:
the policy enforcement point sends a registration request containing the necessary policy information to the global policy decision point through the local policy decision point;
the global policy decision point queries the policy repository according to the registration request, obtains a policy template, and sends it down to the local policy decision point for storage;
the local policy decision point analyses the policy rules according to the necessary policy information and, according to the policy rules, derives policy subclasses from the policy template; and
the policy enforcement point obtains the policy subclasses and distributes them.
Further, the policy processing method also comprises the following steps: an application module executes the policy subclass and reports the policy execution result to the global policy decision point; further, the global policy decision point assesses the policy execution result and optimizes the policy template.
Further, between the policy enforcement point obtaining the policy subclass and distributing it, the method also comprises the following step: the policy enforcement point encrypts the policy subclass to be distributed; further, distributing the policy subclass specifically means that the policy enforcement point sends the encrypted policy subclass to the corresponding application module.
Further, the application module executing the policy subclass specifically means: the application module decrypts the encrypted policy subclass with the key pair, consisting of a public key and a private key, that was assigned to it, and then executes the decrypted policy subclass.
With the network policy architecture provided by the invention, the components that apply policies in the lawful interception system can be determined, new policy configurations can be controlled automatically, the processing burden of the Policy Decision Point in the original IETF policy framework is relieved, unified Lawful Interception policy management covering security, QoS, interception and the like is achieved, and the policy subclasses are issued securely.
Description of drawings
Fig. 1 is a structural diagram of the prior-art IETF policy management framework;
Fig. 2 is a structural schematic of the network policy architecture applied to a lawful interception system according to the present invention;
Fig. 3 is a flow chart of the policy processing method according to the present invention, based on the network policy architecture applied to a lawful interception system;
Fig. 4 is a flow chart of embodiment 1 of the policy processing method according to the present invention, based on the network policy architecture applied to a lawful interception system.
Embodiments
Figure 2 is a structural schematic of the network policy architecture 20 applied to a lawful interception system according to the present invention. Considering the need for capacity expansion, and in order to relieve the load on the Policy Decision Point (PDP) (referred to in the present invention as the global policy decision point) and improve the operating efficiency of the policy management framework, the policy decision function (PDP) needs to be organized hierarchically: a local policy decision point (Local Policy Decision Point, LPDP) is set up, and each Policy Enforcement Point (PEP) is managed by the local policy decision point. The architecture 20 comprises: a policy repository 201, used to store all policy templates, with functions to formulate, modify and delete the policies in the repository; a global policy decision point 202, connected to the policy repository 201, located at the centre of the network and acting as the policy server, used for policy decision management of the whole network, obtaining policy templates from the policy repository and sending them down in the policy provisioning mode; a local policy decision point 203, connected to the global policy decision point 202, responsible for policy decision management of each subnet or local area network (LAN) below the whole network, used for analysing policy conditions, receiving the policy templates and producing policy subclasses according to the policy templates; and a Policy Enforcement Point (PEP) 204, connected to the local policy decision point, used for registering with the global policy decision point through the local policy decision point, obtaining the policy subclasses and distributing them, or, after obtaining the policy subclasses, encrypting them with the public key of the corresponding application module and distributing the encrypted policy subclasses. The local policy decision point 203 of the present invention obtains general policies from the global policy decision point 202 and then specializes them, at the local policy decision point 203, into QoS management, security or interception policies according to the policy information, so that policies need not be processed manually and become more flexible and timely.
Referring again to Figure 2, the network policy architecture also comprises an encryption module 205, connected to the Policy Enforcement Point 204, which executes the policy subclasses, or decrypts encrypted policy subclasses with the key pair of public key and private key assigned to it and executes the decrypted policy subclasses, and reports the policy execution results to the Policy Enforcement Point; further, the Policy Enforcement Point reports the execution results to the global policy decision point 202, which assesses the policy execution results and optimizes the policy templates.
The network policy architecture also comprises a QoS assurance module 206, connected to the Policy Enforcement Point 204, which executes the policy subclasses, or decrypts encrypted policy subclasses with the key pair of public key and private key assigned to it and executes the decrypted policy subclasses, ensuring the service quality of the network, and reports the policy execution results to the Policy Enforcement Point; further, the Policy Enforcement Point reports the execution results to the global policy decision point 202, which assesses the policy execution results and optimizes the policy templates.
The network policy architecture also comprises an interception module 207, connected to the Policy Enforcement Point 204, which executes the policy subclasses, or decrypts encrypted policy subclasses with the key pair of public key and private key assigned to it and executes the decrypted policy subclasses, and reports the policy execution results to the Policy Enforcement Point; further, the Policy Enforcement Point 204 reports the execution results to the global policy decision point 202, which assesses the policy execution results and optimizes the policy templates.
As can be seen from Figure 1, the architecture of the present invention is divided into three layers: the first layer is the global policy decision point 202, the second layer is the local policy decision point 203, and the third layer is the Policy Enforcement Point 204 together with the bottom-layer modules 205, 206 and 207. This policy management framework of the present invention integrates encryption management, QoS assurance management and interception management, and is a policy management model able to meet new policy management demands.
Figure 3 shows the policy processing method according to the present invention, based on the network policy architecture applied to a lawful interception system; the policy processing method comprises the following steps:
Before the policy enforcement point distributes the policy subclasses, the method may further comprise the following step: each application module is assigned a key pair consisting of a public key and a private key. The policy enforcement point encrypts each policy subclass to be distributed with the public key of the corresponding application module and sends the encrypted policy subclasses to their respective application modules. Issuing the policy subclasses only after encrypting them guarantees the confidentiality of the messages.
Referring to the flow chart of Figure 3, the processing method further comprises: step 305, the application module executes the policy subclass and reports the policy execution result to the global policy decision point; further, the global policy decision point assesses the policy execution result and optimizes the policy template. If the application module received an encrypted policy subclass, it first decrypts it with the private key it holds and then executes the decrypted policy subclass.
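The encrypt-before-distribute step described above, as an added Go example that is not the patent's own code: each application module is assigned an RSA key pair, the PEP seals a policy subclass for one module with that module's public key, and only the module holding the matching private key can decrypt and execute it. Because the patent names only "a public key and a private key", the hybrid construction (a one-time AES-256-GCM key wrapped with RSA-OAEP, with the target module's name authenticated as additional data), the message layout and the `PolicySubclass` fields are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// PolicySubclass is the concrete policy the LPDP derived and the PEP now
// distributes to one application module; its fields are constructed here.
type PolicySubclass struct {
	Module  string         `json:"module"` // target: "qos", "encrypt" or "intercept"
	Subject string         `json:"subject"`
	Action  string         `json:"action"`
	Params  map[string]int `json:"params,omitempty"`
}

// SealedPolicy is what crosses the network from the PEP to the module.
type SealedPolicy struct {
	Module     string // routing label, also authenticated as GCM additional data
	WrappedKey []byte // one-time AES-256 key under RSA-OAEP(SHA-256)
	Nonce      []byte // 96-bit GCM nonce
	Ciphertext []byte // AES-256-GCM output with the tag appended
}

var oaepLabel = []byte("policy-subclass-key") // fixed OAEP label for this example

// NewModuleKeyPair is the key pair each application module is assigned; the
// private key stays with the module and the public key is given to the PEP.
func NewModuleKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPolicy is the PEP's encryption step. An RSA block cannot hold a whole
// policy, so a fresh AES key is wrapped with RSA-OAEP and the policy itself
// goes under AES-GCM, with the target module's name bound as additional data.
func SealPolicy(p PolicySubclass, modulePub *rsa.PublicKey) (SealedPolicy, error) {
	plain, err := json.Marshal(p)
	if err != nil {
		return SealedPolicy{}, err
	}
	buf := make([]byte, 32+12) // AES-256 key followed by the GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return SealedPolicy{}, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return SealedPolicy{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, modulePub, key, oaepLabel)
	if err != nil {
		return SealedPolicy{}, err
	}
	ct := gcm.Seal(nil, nonce, plain, []byte(p.Module))
	return SealedPolicy{Module: p.Module, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenPolicy is the module's decryption step before execution. A policy sealed
// for another module's key, or altered in transit, fails here and is not run.
func OpenPolicy(s SealedPolicy, moduleName string, priv *rsa.PrivateKey) (PolicySubclass, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, s.WrappedKey, oaepLabel)
	if err != nil {
		return PolicySubclass{}, fmt.Errorf("unwrap key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return PolicySubclass{}, err
	}
	plain, err := gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(moduleName))
	if err != nil {
		return PolicySubclass{}, fmt.Errorf("policy rejected: %w", err)
	}
	var p PolicySubclass
	return p, json.Unmarshal(plain, &p)
}

func main() {
	qosKey, err := NewModuleKeyPair()
	if err != nil {
		panic(err)
	}
	p := PolicySubclass{Module: "qos", Subject: "87544044", Action: "reserve", Params: map[string]int{"reserved_kbps": 10}}
	sealed, err := SealPolicy(p, &qosKey.PublicKey)
	if err != nil {
		panic(err)
	}
	got, err := OpenPolicy(sealed, "qos", qosKey)
	fmt.Printf("qos module recovered %+v (err=%v)\n", got, err)
}
```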
Figure 4 is a flow chart of embodiment 1 of the policy processing method based on the network policy architecture of the present invention. This embodiment mainly describes a user initiating a QoS management request to the PEP and the flow by which the network policy architecture generates a QoS policy.
Each policy condition is expressed as a vector, yielding a corresponding policy evaluation vector. A policy evaluation vector comprises an evaluation object and an evaluation method; the evaluation method compares the evaluation object with a preset value or interval and yields "true" if they match and "false" otherwise. Here the evaluation object is the user's telephone number and the evaluation method is a user-based evaluation method. For example, users are divided into three levels, high, medium and low, and numbers are reserved for other special users. If the calling user's telephone number is 87544044, the user-based evaluation method is as follows: look up the level whose numbers match this one, and find that this user belongs to the low-level users; the result of the policy evaluation is then the low-level user policy. The policy action specifies the network bandwidth reserved for this user, the maximum bandwidth limit and the number of connections the user is allowed; for example, the reserved network bandwidth specified for this low-level user is 10k, the number of connections allowed is 1, and when the network is not busy the maximum bandwidth limit is 15k. Alternatively,
two policy conditions are analysed, and the policy action generated according to the total data flow is the maximum number of user connections and the maximum bandwidth allowed; for example, when the remaining number of connections is 4 and the available bandwidth is 40k, the device's default number of connections, 2, and default bandwidth, 20k, are granted, the maximum number of user connections allowed is specified as 3 and the maximum bandwidth as 30k; and the effective period of the policy is the second half of 2007, from July 1 to December 31. The two policy conditions are each expressed as a vector, yielding two corresponding policy evaluation vectors; each policy evaluation vector comprises an evaluation object and an evaluation method, the evaluation method comparing the evaluation object with a preset value or interval and yielding "true" if they match and "false" otherwise.
In the first policy evaluation vector, the evaluation object is the total flow of the network and the evaluation method is a device-flow-based evaluation method. For example, if the flow available at this moment, that is, the bandwidth remaining after the bandwidth reserved under the user's subscription has been allocated, is 40k, and the device's default bandwidth is 20k, then 20k of bandwidth can be specified for the device; if only 15k of bandwidth remains, no bandwidth can be specified for the device and an error report is sent.
In the second policy evaluation vector, the evaluation object is the remaining number of network connections and the evaluation method is a device-connection-count-based evaluation method. For example, if the number of connections available to the network after the connections under the user's subscription have been allocated is 4, and the device's default number of connections is 2, then 2 connections can be provided for the device; if only 1 connection remains, the required number of connections cannot be provided for the device and the corresponding operation cannot be performed.
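The policy evaluation vectors of embodiment 1 worked through in Go, as an added example that is not part of the patent: the user-based, device-flow-based and device-connection-count-based conditions each become an evaluation object paired with a method that yields true or false, and the LPDP instantiates a QoS policy subclass for the subscriber only when all three hold, otherwise reporting an error. The type and function names, the subscriber directory and the medium/high template rows are assumptions made for this example; the low-level figures (10k reserved, 15k maximum, 1 connection), the 40k/20k bandwidth and 4/2 connection checks and the second-half-of-2007 period are the page's.

```go
package main

import (
	"fmt"
	"time"
)

// Level is the subscriber grade found by the user-based evaluation method.
type Level string

const (
	LevelLow    Level = "low"
	LevelMedium Level = "medium"
	LevelHigh   Level = "high"
)

// QoSAction is the policy action of a QoS policy subclass (bandwidth in the page's "k").
type QoSAction struct {
	ReservedKbps, MaxKbps, MaxConns int
}

// QoSTemplate stands in for the GPDP's general template: the low row holds
// embodiment 1's figures, the medium and high rows are constructed.
var QoSTemplate = map[Level]QoSAction{
	LevelLow:    {ReservedKbps: 10, MaxKbps: 15, MaxConns: 1},
	LevelMedium: {ReservedKbps: 20, MaxKbps: 30, MaxConns: 2},
	LevelHigh:   {ReservedKbps: 50, MaxKbps: 100, MaxConns: 5},
}

// Subscribers is a constructed directory mapping calling numbers to levels.
var Subscribers = map[string]Level{"87544044": LevelLow, "87544045": LevelHigh}

// EvalVector is one policy condition: an evaluation object and an evaluation
// method that compares it with a preset value or interval, yielding true/false.
type EvalVector[T any] struct {
	Object T
	Method func(T) bool
}

func (v EvalVector[T]) Evaluate() bool { return v.Method(v.Object) }

// NetworkState is what the LPDP knows at derivation time: what is left after
// subscribed reservations, and the device defaults.
type NetworkState struct {
	RemainingKbps, RemainingConns         int
	DeviceDefaultKbps, DeviceDefaultConns int
}

// QoSPolicy is the policy subclass the LPDP derives for one subscriber.
type QoSPolicy struct {
	Number      string
	Level       Level
	Action      QoSAction
	DeviceKbps  int // bandwidth granted to the device
	DeviceConns int // connections granted to the device
	ValidFrom   time.Time
	ValidTo     time.Time
}

// DeriveQoSPolicy is the LPDP derivation step: evaluate the three condition
// vectors and, only if all hold, instantiate the template for this subscriber.
func DeriveQoSPolicy(number string, net NetworkState, from, to time.Time) (QoSPolicy, error) {
	// Condition 1, user-based: the calling number must map to a level.
	userVec := EvalVector[string]{Object: number, Method: func(n string) bool {
		_, ok := Subscribers[n]
		return ok
	}}
	if !userVec.Evaluate() {
		return QoSPolicy{}, fmt.Errorf("number %s is not a subscriber", number)
	}
	// Condition 2, device-flow-based: remaining bandwidth must lie in the
	// interval [device default, +inf); otherwise an error report is sent.
	flowVec := EvalVector[int]{Object: net.RemainingKbps, Method: func(kbps int) bool {
		return kbps >= net.DeviceDefaultKbps
	}}
	if !flowVec.Evaluate() {
		return QoSPolicy{}, fmt.Errorf("cannot assign %dk: only %dk remaining", net.DeviceDefaultKbps, net.RemainingKbps)
	}
	// Condition 3, device-connection-count-based: the same check on connections.
	connVec := EvalVector[int]{Object: net.RemainingConns, Method: func(c int) bool {
		return c >= net.DeviceDefaultConns
	}}
	if !connVec.Evaluate() {
		return QoSPolicy{}, fmt.Errorf("cannot provide %d connections: only %d remaining", net.DeviceDefaultConns, net.RemainingConns)
	}
	level := Subscribers[number]
	return QoSPolicy{Number: number, Level: level, Action: QoSTemplate[level],
		DeviceKbps: net.DeviceDefaultKbps, DeviceConns: net.DeviceDefaultConns, ValidFrom: from, ValidTo: to}, nil
}

func main() {
	// Embodiment 1's figures: 40k and 4 connections remaining, device defaults 20k and 2.
	from := time.Date(2007, 7, 1, 0, 0, 0, 0, time.UTC)
	to := time.Date(2007, 12, 31, 23, 59, 59, 0, time.UTC)
	net := NetworkState{RemainingKbps: 40, RemainingConns: 4, DeviceDefaultKbps: 20, DeviceDefaultConns: 2}
	p, err := DeriveQoSPolicy("87544044", net, from, to)
	fmt.Printf("derived: %+v (err=%v)\n", p, err)
	net.RemainingKbps = 15 // only 15k left: the flow condition fails
	_, err = DeriveQoSPolicy("87544044", net, from, to)
	fmt.Println("15k remaining:", err)
}
```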
Embodiment 2 of the policy processing method based on the network policy architecture of the present invention describes the processing flow for an encryption policy. The flow is similar to steps 401 to 406 of Figure 4; the only differences are that the registration request in this example is a request containing the system's subscription level and the user's subscription-level encryption information, and that step 404 is replaced by the following: the LPDP, according to the user's subscription level, the type of service and the device's own bandwidth capability, determines different security levels and encryption algorithms for the different subscription levels, and analyses the policy conditions, policy actions, policy scope, condition-vector combination method and effective period of the policy rule, for example:
The policy action, according to the assessment result, namely the medium-level user policy, specifies the security level and encryption algorithm for this user; for example, the security level specified for this medium-level user is medium and the encryption algorithm is the AES algorithm; the effective period of the policy runs from the date of the agreement, namely from 3:00 p.m. on May 15, 2007 to 3:00 p.m. on May 15, 2008. Each policy condition is expressed as a vector, yielding a corresponding policy evaluation vector; the policy evaluation vector comprises an evaluation object and an evaluation method, the evaluation method comparing the evaluation object with a preset value or interval and yielding "true" if they match and "false" otherwise. The evaluation object is the user's telephone number and the evaluation method is a user-based evaluation method. For example, users are divided into three levels, high, medium and low; if the calling user's telephone number is 87544044, the user-based evaluation method is as follows: look up the level whose numbers match this one, and find that this user belongs to the low-level users; the result of the policy evaluation at this moment is the medium-level user policy. Alternatively, the policy action, according to the assessment result, namely the low-level user policy, specifies the security level and encryption algorithm for this user; for example, the security level specified for this user is medium and the encryption algorithm is the DES encryption algorithm; the effective period of the policy is the second half of 2007, from July 1 to December 31. Each policy condition is expressed as a vector, yielding a corresponding policy evaluation vector; the policy evaluation vector comprises an evaluation object and an evaluation method, the evaluation method comparing the evaluation object with a preset value or interval and yielding "true" if they match and "false" otherwise. The evaluation object is the user's telephone number and the evaluation method is a device-based evaluation method: for example, if the telephone number of the calling device is 87541000, this number is evaluated as a default device.
Embodiment 3 of the policy processing method based on the network policy architecture of the present invention describes the processing flow for an interception policy. The flow is similar to steps 401 to 406 of Figure 4; the only differences are that the registration request in this example is a request containing the number of the intercepted user, the time period during which this user is intercepted, the interception type and the IP address of the forwarding device, and that step 404 is as follows: the LPDP analyses the policy rule according to the number of the intercepted user, the time period during which this user is intercepted, the interception type and the IP address of the forwarding device, for example: the policy action, according to the assessment result, is to open interception of this user; the effective period of the policy is from 3:00 p.m. on May 15, 2007 to 3:00 p.m. on May 15, 2008; each policy condition is expressed as a vector, yielding a corresponding policy evaluation vector; the policy evaluation vector comprises an evaluation object and an evaluation method, the evaluation method comparing the evaluation object with a preset value or interval and yielding "true" if they match and "false" otherwise. The evaluation object is the user's telephone number and the evaluation method is the On/Off interception policy evaluation method. If the calling user's telephone number is 87544044, the On/Off interception policy evaluation method is as follows: look up whether this number belongs to the interception class, and find that this user belongs to the interception class; the result of the policy evaluation at this moment is the intercepted-user policy. Alternatively, look up whether this number belongs to the interception-off class, and find that this user belongs to the interception-off class; the result of the policy evaluation at this moment is the interception-off user policy. Step 405 is replaced by: the LPDP derives from the general policy template, according to the above interception policy rule, the encryption policy instance and sends it down to the PEP; and in step 406 the interception module executes the interception policy instance to perform Lawful Interception of the user on the core network.
In embodiments 1, 2 and 3 described above, the policy subclasses sent by the policy enforcement point are not encrypted. Alternatively, of course, the present invention may also encrypt the policy subclasses distributed by the policy enforcement point before they are distributed to the application modules; when an application module executes such an encrypted policy subclass, it must first decrypt it.
Therefore, the network policy architecture applied to a lawful interception system proposed by the present invention can use general policy templates to generate policies automatically, and the local policy decision point also takes part in policy generation, sharing the burden of the global policy decision point and making the whole system more reliable. Moreover, the present invention can flexibly load the various modules related to policy execution, such as the QoS module, the encryption module and the interception module; for example, the interception module is loaded when a user on the core network is to be intercepted. Thus, when performing Lawful Interception, these modules can be loaded according to actual requirements: for example, when only network quality needs to be ensured, the QoS module alone can be loaded to execute the relevant QoS policy and ensure network quality. And encrypting the policy subclasses guarantees the confidentiality of the messages, preventing the interception target from taking targeted measures to evade the lawful interception system after a policy message is intercepted in transit.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that modifications or equivalent substitutions may be made to the technical solution of the present invention without departing from the spirit and scope of the technical solution of the present invention, and all of these should be encompassed within the scope of the claims of the present invention.
Claims (8)
1. A network policy architecture applied to a lawful interception system, characterized in that it comprises:
a policy library, used to store all policy templates;
a global policy decision point, connected with the policy library, used for managing the policy decisions of the whole network and for obtaining policy templates from the policy library and sending them down;
a local policy decision point, connected with the policy decision point, used for analyzing policy rules, receiving the policy template and providing policy subclasses according to the policy template;
a policy enforcement point, connected with the local policy decision point, used for registering with the policy decision point through the local policy decision point, obtaining the policy subclass and/or encrypting the policy subclass, and distributing the encrypted policy subclass.
2. The network policy architecture applied to a lawful interception system according to claim 1, characterized in that it further comprises: an encryption module, connected with the policy enforcement point, which executes the policy subclass, or decrypts the policy subclass and executes the decrypted policy subclass, and reports the policy execution result to the policy enforcement point; further, the policy enforcement point reports the policy execution result to the global policy decision point, which evaluates the policy execution result and optimizes the policy template.
3. The network policy architecture applied to a lawful interception system according to claim 1 or 2, characterized in that it further comprises: a QoS guarantee module, connected with the policy enforcement point, which executes the policy subclass, or decrypts the policy subclass and executes the decrypted policy subclass, and reports the policy execution result to the policy enforcement point; further, the policy enforcement point reports the policy execution result to the global policy decision point, which evaluates the policy execution result and optimizes the policy template.
4. The network policy architecture applied to a lawful interception system according to claim 3, characterized in that it further comprises: a lawful interception module, connected with the policy enforcement point, which executes the policy subclass, or decrypts the policy subclass and executes the decrypted policy subclass, and reports the policy execution result to the policy enforcement point; further, the policy enforcement point reports the policy execution result to the global policy decision point, which evaluates the policy execution result and optimizes the policy template.
5. A policy processing method based on the network policy architecture applied to a lawful interception system, characterized in that it comprises the following steps:
the policy enforcement point sends, through the local policy decision point, a registration request containing the necessary policy information to the global policy decision point;
the global policy decision point queries the policy library according to the registration request, obtains a policy template and sends it down to the local policy decision point for storage;
the local policy decision point analyzes the policy rules according to the necessary policy information and, according to the policy rules, derives a policy subclass from the policy template; and
the policy enforcement point obtains the policy subclass and distributes the policy subclass.
6. The policy processing method according to claim 5, characterized in that it further comprises the following steps: the application module executes the policy subclass and reports the policy execution result to the global policy decision point; further, the global policy decision point evaluates the policy execution result and optimizes the policy template.
7. The policy processing method according to claim 6, characterized in that, between the policy enforcement point obtaining the policy subclass and distributing the policy subclass, it further comprises the following step: the policy enforcement point encrypts the policy subclass that needs to be distributed; further, distributing the policy subclass is specifically: the policy enforcement point sends the encrypted policy subclass to the corresponding application module.
8. The policy processing method according to claim 7, characterized in that the application module executing the policy subclass is specifically: the application module decrypts the encrypted policy subclass using the key pair, consisting of a public key and a private key, assigned to it, and then executes the decrypted policy subclass.
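To make the four-step method of claims 5 to 8, and the embodiment 3 flow described above, concrete, the following is an added Python example; it is not code from the patent or from its applicant. The policy library layout, the field names, the sample registration request (the number 87544044 and validity window from embodiment 3 together with a constructed interception type and forwarding address 192.0.2.10) and the per-module key are all assumptions. The public/private key pair of claim 8 is replaced by a per-module secret key driving a standard-library stand-in cipher (SHA-256 counter keystream plus an HMAC tag); a deployment would instead wrap the subclass for the module's public key with an established cryptographic library.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime

# Policy library (step 2): constructed general template, keyed by policy type.
# The LPDP fills the None fields from its rule analysis.
POLICY_LIBRARY = {
    "intercept": {"action": None, "target": None, "valid_from": None, "valid_to": None,
                  "interception_type": None, "forwarding_ip": None}
}


def gpdp_fetch_template(registration: dict) -> dict:
    """GPDP: answer the registration request with the matching template."""
    return dict(POLICY_LIBRARY[registration["policy_type"]])


def evaluate(vector: dict, value) -> bool:
    """One policy evaluation vector: the evaluation object is compared with a
    preset value (a set means class membership) or an interval; true on match."""
    if "preset" in vector:
        preset = vector["preset"]
        return value in preset if isinstance(preset, (set, frozenset)) else value == preset
    low, high = vector["interval"]
    return low <= value <= high


def lpdp_derive_subclass(template: dict, registration: dict, monitoring_class: set) -> dict:
    """LPDP (step 3): the On/Off rule asks whether the intercepted number is in
    the monitoring class, then the template is filled into a concrete subclass."""
    on = evaluate({"preset": monitoring_class}, registration["number"])
    subclass = dict(template)
    subclass.update(
        action="monitor" if on else "monitor_off",
        target=registration["number"],
        valid_from=registration["valid_from"],
        valid_to=registration["valid_to"],
        interception_type=registration["interception_type"],
        forwarding_ip=registration["forwarding_ip"],
    )
    return subclass


# Confidentiality of the distributed subclass (step 4, claims 7 and 8).
# Constructed stand-in built from the standard library: a per-module secret
# key drives a SHA-256 counter keystream and an HMAC tag (encrypt-then-MAC).
# The page assigns each module a public/private key pair; a deployment would
# wrap the subclass for the module's public key with an established library.
def _subkeys(module_key: bytes):
    return (hashlib.sha256(b"enc" + module_key).digest(),
            hashlib.sha256(b"mac" + module_key).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def pep_encrypt_subclass(subclass: dict, module_key: bytes) -> bytes:
    """PEP (step 4): a copy of the message taken in transit reveals nothing
    about the target, so the target cannot take evasive measures."""
    enc_key, mac_key = _subkeys(module_key)
    plaintext = json.dumps(subclass, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def module_decrypt_subclass(blob: bytes, module_key: bytes) -> dict:
    """Application module: check the tag first, then decrypt; tampering is rejected."""
    enc_key, mac_key = _subkeys(module_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("policy subclass rejected: authentication tag mismatch")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))))


def is_rejected(blob: bytes, module_key: bytes) -> bool:
    """True when the module refuses the blob (wrong key or modified bytes)."""
    try:
        module_decrypt_subclass(blob, module_key)
        return False
    except ValueError:
        return True


def module_execute(subclass: dict, now: str) -> str:
    """Application module: act only inside the subclass's validity window."""
    window = (datetime.fromisoformat(subclass["valid_from"]), datetime.fromisoformat(subclass["valid_to"]))
    return subclass["action"] if evaluate({"interval": window}, datetime.fromisoformat(now)) else "inactive"


def run_flow(registration: dict, monitoring_class: set, module_key: bytes, now: str) -> str:
    """Steps 1 to 4 end to end: returns what the application module executes."""
    template = gpdp_fetch_template(registration)          # registration travels PEP -> LPDP -> GPDP
    subclass = lpdp_derive_subclass(template, registration, monitoring_class)
    blob = pep_encrypt_subclass(subclass, module_key)     # only ciphertext leaves the PEP
    return module_execute(module_decrypt_subclass(blob, module_key), now)


# Constructed sample registration request using the embodiment 3 values.
SAMPLE_REGISTRATION = {
    "policy_type": "intercept", "number": "87544044", "interception_type": "voice",
    "valid_from": "2007-05-15T15:00:00", "valid_to": "2008-05-15T15:00:00",
    "forwarding_ip": "192.0.2.10",
}
```

Calling `run_flow(SAMPLE_REGISTRATION, {"87544044"}, key, "2007-06-01T12:00:00")` walks all four steps and returns `"monitor"`; with the number absent from the monitoring class the On/Off evaluation yields the monitoring-off policy, and outside the validity window the module does nothing. The tag is verified before any decryption so that a blob modified in transit, or one encrypted for a different module, is rejected rather than executed.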
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2007100534329A CN101123534B (en) | 2007-09-29 | 2007-09-29 | Network policy architecture for legal monitoring system and its policy processing method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2007100534329A CN101123534B (en) | 2007-09-29 | 2007-09-29 | Network policy architecture for legal monitoring system and its policy processing method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101123534A true CN101123534A (en) | 2008-02-13 |
CN101123534B CN101123534B (en) | 2010-09-01 |
Family
ID=39085720
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2007100534329A Expired - Fee Related CN101123534B (en) | 2007-09-29 | 2007-09-29 | Network policy architecture for legal monitoring system and its policy processing method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101123534B (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101365014B (en) * | 2008-04-30 | 2012-09-26 | 华中科技大学 | Distributed adaptive listening system, generation and monitor control method |
WO2014040254A1 (en) * | 2012-09-13 | 2014-03-20 | Hewlett-Packard Development Company, L. P. | Policy coordination between policy enforcement points |
WO2014173367A2 (en) * | 2013-08-16 | 2014-10-30 | 中兴通讯股份有限公司 | Qos implementation method, system, device and computer storage medium |
CN104734872A (en) * | 2013-12-19 | 2015-06-24 | 中国科学院沈阳自动化研究所 | Industrial backhaul network realizing method and system based on software-defined network |
CN101729531B (en) * | 2009-03-16 | 2016-04-13 | 中兴通讯股份有限公司 | Network security policy distribution method, Apparatus and system |
CN109858286A (en) * | 2018-12-07 | 2019-06-07 | 赵耘田 | For the security policy manager system of credible calculating platform |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102209041B (en) * | 2011-07-13 | 2014-05-07 | 上海红神信息技术有限公司 | Scheduling method, device and system |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100428689C (en) * | 2005-11-07 | 2008-10-22 | 华为技术有限公司 | Network safety control method and system |
CN100596069C (en) * | 2006-08-15 | 2010-03-24 | 中国电信股份有限公司 | Automatic configuration system and method of IPSec safety tactis in domestic gateway |
2007
- 2007-09-29 CN CN2007100534329A patent/CN101123534B/en not_active Expired - Fee Related
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101365014B (en) * | 2008-04-30 | 2012-09-26 | 华中科技大学 | Distributed adaptive listening system, generation and monitor control method |
CN101729531B (en) * | 2009-03-16 | 2016-04-13 | 中兴通讯股份有限公司 | Network security policy distribution method, Apparatus and system |
WO2014040254A1 (en) * | 2012-09-13 | 2014-03-20 | Hewlett-Packard Development Company, L. P. | Policy coordination between policy enforcement points |
WO2014173367A2 (en) * | 2013-08-16 | 2014-10-30 | 中兴通讯股份有限公司 | Qos implementation method, system, device and computer storage medium |
WO2014173367A3 (en) * | 2013-08-16 | 2014-11-27 | 中兴通讯股份有限公司 | Qos implementation method, system, device and computer storage medium |
CN104378309A (en) * | 2013-08-16 | 2015-02-25 | 中兴通讯股份有限公司 | Method, system and related equipment for achieving QoS in Open Flow network |
CN104378309B (en) * | 2013-08-16 | 2019-05-21 | 中兴通讯股份有限公司 | Method, system and the relevant device of QoS are realized in OpenFlow network |
CN104734872A (en) * | 2013-12-19 | 2015-06-24 | 中国科学院沈阳自动化研究所 | Industrial backhaul network realizing method and system based on software-defined network |
CN104734872B (en) * | 2013-12-19 | 2018-02-23 | 中国科学院沈阳自动化研究所 | A kind of industrial backhaul network implementation method and system based on software defined network |
CN109858286A (en) * | 2018-12-07 | 2019-06-07 | 赵耘田 | For the security policy manager system of credible calculating platform |
CN109858286B (en) * | 2018-12-07 | 2023-07-21 | 赵耘田 | Security policy management system for trusted computing platform |
Also Published As
Publication number | Publication date |
---|---|
CN101123534B (en) | 2010-09-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101123534B (en) | Network policy architecture for legal monitoring system and its policy processing method | |
CN103327002B (en) | Based on the cloud memory access control system of attribute | |
AU2012252388B2 (en) | Method for handling privacy data | |
CN101094056B (en) | Security system of wireless industrial control network, and method for implementing security policy | |
CN104737494A (en) | Method and apparatus for providing secure communications based on trust evaluations in a distributed manner | |
Arfaoui et al. | Security and resilience in 5G: Current challenges and future directions | |
CN107426223A (en) | Cloud file encryption and decryption method, encryption and decryption device and processing system | |
CN114866346B (en) | Password service platform based on decentralization | |
Murala et al. | Secure dynamic groups data sharing with modified revocable attribute-based encryption in cloud | |
Gao et al. | Blockchain based secure IoT data sharing framework for SDN-enabled smart communities | |
Agarkhed et al. | An efficient auditing scheme for data storage security in cloud | |
CN111444268A (en) | Data encryption method based on block chain | |
Geng et al. | A Blockchain based privacy-preserving reputation scheme for cloud service | |
CA2446364A1 (en) | Secure group secret distribution | |
Bharadwaj et al. | Proposing a key escrow mechanism for real-time access to end-to-end encryption systems in the interest of law enforcement | |
Agarkhed et al. | Security and privacy for data storage service scheme in cloud computing | |
CN101123541B (en) | A construction method applied to policy model of legal monitoring system | |
CN114466038B (en) | Communication protection system of electric power thing networking | |
CN106230856A (en) | A kind of System of Industrial Device Controls based on Internet of Things | |
Stathopoulos et al. | Secure log management for privacy assurance in electronic communications | |
Raja et al. | An enhanced study on cloud data services using security technologies | |
LU503159B1 (en) | Blockchain-based cloud service privacy protection reputation system | |
CN112328605B (en) | Block chain-based power field security data management method and system | |
Pavithra et al. | Secure Data Storage in Cloud using Code Regeneration and public audition | |
Vetrivel et al. | Data Security |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
C17 | Cessation of patent right | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20100901 Termination date: 20130929 |