CN101123534A - Network policy architecture for legal monitoring system and its policy processing method - Google Patents


Info

Publication number
CN101123534A
Authority
CN
China
Legal status
Granted
Application number
CNA2007100534329A
Other languages
Chinese (zh)
Other versions
CN101123534B (en)
Inventor
王芙蓉
黄辰
杨军
胡海
莫益军
黄本雄
Current Assignee
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology

Abstract

The present invention relates to a network policy architecture applied to a lawful interception system, comprising a policy repository, a global policy decision point, a local policy decision point connected with the global policy decision point, and a policy enforcement point connected with the local policy decision point. The invention also relates to a policy processing method with four steps. First, the policy enforcement point sends a registration request to the global policy decision point via the local policy decision point; second, according to the registration request, the global policy decision point queries the policy repository to obtain a policy template, which it then sends down; third, the local policy decision point analyses the policy rules and, according to those rules, derives policy subclasses from the policy template; and finally, the policy enforcement point obtains the policy subclasses and distributes them. By means of a three-layer policy architecture, the invention relieves the processing load of the upper-layer global policy decision point, flexibly loads the various modules involved in policy execution in the lawful interception system, and encrypts the policy subclasses it sends down, thereby protecting the confidentiality of policy information.

Description

Network policy architecture applied to a lawful interception system and policy processing method thereof
Technical field
The present invention relates to the field of network security, and in particular to a network policy architecture applied to a lawful interception system and a policy processing method based on that architecture.
Background technology
Lawful interception is an information security technique in which, after the competent authority has examined and approved the request, a law enforcement agency issues an interception order to the network operator, access provider or service provider (NWO/AP/SvP), and the NWO/AP/SvP duplicates the communication content and call-related information carried over the public telecommunication network (PTN) and delivers it to the law enforcement agency.
Lawful interception plays an important role in the field of network security management. First, it strengthens the protection of national security: monitoring key inbound and outbound speech channels meets anti-terrorism and similar political needs. Second, criminal activity makes increasing use of telephone communication, and lawful interception assists the investigation of, and evidence gathering for, these crimes. Lawful interception also allows effective supervision of call-centre agents, improving agent efficiency and customer service quality, which in turn enhances the operator's image and brings it profit. Finally, lawful interception provides useful fault analysis data, helping users locate network faults quickly.
A stable and robust lawful interception system needs strong policy management as its support, so that it can dispense with manual intervention and, according to pre-established policies, complete interception tasks on the fixed telephone network and IP networks automatically and efficiently. At present the policy model has attracted wide attention in network and device management. In practical application, policy-based network management solutions already exist, and some large manufacturers such as Cisco and Nortel have released products supporting policy management, but these products are mostly based on the policy management architecture proposed by the IETF and mainly manage network quality of service; they lack sufficient support for the special application of lawful interception. Equipment that performs lawful interception on circuit-switched, message-switched and packet-switched networks includes policy management equipment as one of its core components. Most policy management equipment released by manufacturers targets quality of service (QoS); products applied to security management are few, and even where such equipment supports security management, the kinds of security products it can manage are limited.
Fig. 1 is a schematic diagram of the existing IETF policy management architecture. As shown, the policy management architecture is defined on a client/server pattern: there is a central Policy Decision Point 101 (PDP) and a number of Policy Enforcement Points 102 (PEP) distributed on the network nodes. The policy repository 103 (PR) stores policy information and rules and can be implemented with a database (DB) or Active Directory (AD). The PDP acts as the policy server: it responds to policy events and locks the corresponding policy rules, completes state and resource validity verification, and converts the policy rules stored in the policy knowledge base into a form the equipment can execute. The PEP, as the client of the policy system, is distributed on each network node; it carries out the corresponding policy management operations according to the policies received from the PDP and reports the results of policy execution back to the PDP. Policies are delivered in one of two modes, the outsourcing mode and the provisioning mode.
However, this IETF policy management architecture does not take the confidentiality of policy into account: the policy information delivered is often in clear text, so once it is intercepted the interception policy leaks. This is especially evident in a distributed lawful interception system, where the delivered policy messages must travel over the Internet to each control point in the network. If the confidentiality of the messages cannot be guaranteed, a policy message intercepted en route may allow the interception target to take targeted measures to evade the lawful interception system.
At the same time, the existing IETF policy management architecture stores policies in a directory service, and every policy must explicitly specify the managed object and method; it cannot automatically revise and adjust the originally formulated policies as the conditions and state of the managed objects change, and the policies stored in the directory server must be modified manually from a management console. On the other hand, the existing IETF architecture is a flat, centralised architecture: all policy generation and distribution is completed at one unique PDP in the network, which gives that PDP a heavy processing burden, so it becomes the performance bottleneck that limits the whole lawful interception system.
Summary of the invention
The objective of the invention is to overcome the shortcomings of the existing policy management architecture, such as the lack of policy confidentiality and the heavy processing burden on the policy decision point, by adopting a three-layer network policy architecture suited to a lawful interception system, so as to relieve the processing burden on the policy decision point and realise unified lawful interception policy management covering security, QoS and interception.
The invention also relates to the specific policy processing method under this network policy architecture and to the encryption of the policy subclasses delivered by the policy enforcement point.
To achieve these goals, the invention provides a network policy architecture applied to a lawful interception system, comprising:
a policy repository, for storing all policy templates;
a global policy decision point, connected with the policy repository, for policy decision management of the whole network, obtaining policy templates from the policy repository and delivering them;
a local policy decision point, connected with the policy decision point, for analysing policy rules, receiving the policy templates and deriving policy subclasses from them;
a policy enforcement point, connected with the local policy decision point, for registering with the policy decision point via the local policy decision point, obtaining the policy subclasses and/or encrypting them, and distributing the encrypted policy subclasses.
Further, the network policy architecture applied to a lawful interception system also comprises an encryption module, connected with the policy enforcement point, which executes the policy subclass, or decrypts the policy subclass and executes the decrypted policy subclass, and reports the policy execution result to the policy enforcement point; further, the policy enforcement point reports the execution result to the global policy decision point, which assesses the policy execution result and optimises the policy template.
Further, the network policy architecture applied to a lawful interception system also comprises a QoS assurance module, connected with the policy enforcement point, which executes the policy subclass, or decrypts the policy subclass and executes the decrypted policy subclass, and reports the policy execution result to the policy enforcement point; further, the policy enforcement point reports the execution result to the global policy decision point, which assesses the policy execution result and optimises the policy template.
Further, the network policy architecture applied to a lawful interception system also comprises a lawful interception module, connected with the policy enforcement point, which executes the policy subclass, or decrypts the policy subclass and executes the decrypted policy subclass, and reports the policy execution result to the policy enforcement point; further, the policy enforcement point reports the execution result to the global policy decision point, which assesses the policy execution result and optimises the policy template.
To achieve these goals, the invention also provides a policy processing method based on the network policy architecture applied to a lawful interception system, comprising the following steps:
the policy enforcement point sends a registration request containing the necessary policy information to the global policy decision point via the local policy decision point;
the global policy decision point queries the policy repository according to the registration request, obtains a policy template and delivers it to the local policy decision point for storage;
the local policy decision point analyses the policy rules according to the necessary policy information and, according to those policy rules, derives a policy subclass from the policy template; and
Further, the policy processing method also comprises the steps of: an application module executes the policy subclass and reports the policy execution result to the global policy decision point; further, the global policy decision point assesses the policy execution result and optimises the policy template.
Further, between the policy enforcement point obtaining the policy subclass and distributing it, the method also comprises the step of: the policy enforcement point encrypts the policy subclass to be distributed; further, distributing the policy subclass consists specifically of the policy enforcement point sending the encrypted policy subclass to the corresponding application module.
Further, the application module executing the policy subclass consists specifically of: the application module decrypts the encrypted policy subclass with the key pair, consisting of a public key and a private key, assigned to it, and then executes the decrypted policy subclass.
With the network policy architecture provided by the invention, the components to which policies apply can be determined for the lawful interception system, new policy configurations are controlled automatically, the processing burden on the policy decision point of the original IETF policy architecture is relieved, unified lawful interception policy management covering security, QoS and interception is realised, and policy subclasses are delivered securely.
Description of drawings
Fig. 1 is a structural diagram of the prior-art IETF policy management architecture;
Fig. 2 is a structural diagram of the network policy architecture applied to a lawful interception system according to the present invention;
Fig. 3 is a flow chart of the policy processing method based on the network policy architecture applied to a lawful interception system according to the present invention;
Fig. 4 is a flow chart of embodiment 1 of the policy processing method based on the network policy architecture applied to a lawful interception system according to the present invention.
Embodiment
Fig. 2 shows the structure of the network policy architecture 20 applied to a lawful interception system according to the present invention. To allow for capacity expansion, relieve the load on the policy decision point (PDP, referred to in this invention as the global policy decision point) and improve the operating efficiency of the policy management architecture, the policy decision function (PDP) is arranged hierarchically: a local policy decision point (LPDP) is introduced, and each policy enforcement point (PEP) is managed by a local policy decision point. The architecture 20 comprises: a policy repository 201, which stores all policy templates and supports creating, modifying and deleting the policies it holds; a global policy decision point 202, connected with the policy repository 201, located at the centre of the network and acting as the policy server, responsible for policy decision management of the whole network, obtaining policy templates from the policy repository and delivering them in the policy provisioning mode; a local policy decision point 203, connected with the global policy decision point 202, responsible for policy decision management of each subnet or local area network (LAN) below the whole network, analysing policy conditions, receiving the policy templates and deriving policy subclasses from them; and a policy enforcement point (PEP) 204, connected with the local policy decision point, which registers with the global policy decision point via the local policy decision point, obtains the policy subclasses and distributes them, or, after obtaining a policy subclass, encrypts it with the public key of the corresponding application module and distributes the encrypted policy subclass. The local policy decision point 203 of the invention obtains general policies from the global policy decision point 202 and then specialises them at the local policy decision point 203 according to the policy information for QoS management, security or interception, so that no manual handling of policies is needed and policies become more flexible and timely.
Referring again to Fig. 2, the network policy architecture also comprises an encryption module 205, connected with the policy enforcement point 204, which executes the policy subclass, or decrypts the encrypted policy subclass with the key pair (public key and private key) assigned to it and executes the decrypted policy subclass, and reports the policy execution result to the policy enforcement point; further, the policy enforcement point reports the execution result to the global policy decision point 202, which assesses the policy execution result and optimises the policy template.
The network policy architecture also comprises a QoS assurance module 206, connected with the policy enforcement point 204, which executes the policy subclass, or decrypts the encrypted policy subclass with the key pair (public key and private key) assigned to it and executes the decrypted policy subclass, so as to guarantee the network's quality of service, and reports the policy execution result to the policy enforcement point; further, the policy enforcement point reports the execution result to the global policy decision point 202, which assesses the policy execution result and optimises the policy template.
The network policy architecture also comprises an interception module 207, connected with the policy enforcement point 204, which executes the policy subclass, or decrypts the encrypted policy subclass with the key pair (public key and private key) assigned to it and executes the decrypted policy subclass, and reports the policy execution result to the policy enforcement point; further, the policy enforcement point 204 reports the execution result to the global policy decision point 202, which assesses the policy execution result and optimises the policy template.
As can be seen from Fig. 1, the architecture of the invention is divided into three layers: the first layer is the global policy decision point 202, the second layer is the local policy decision point 203, and the third layer is the policy enforcement point 204 together with the underlying modules 205, 206 and 207. This policy management architecture of the invention integrates encryption management, QoS guarantee management and interception management, and is a policy management model able to meet new policy management demands.
Fig. 3 shows the policy processing method based on the network policy architecture applied to a lawful interception system according to the present invention, comprising the following steps:
Step 301: the policy enforcement point sends a registration request containing the necessary policy information to the global policy decision point via the local policy decision point;
Step 302: the global policy decision point queries the policy repository according to the registration request, obtains a policy template and delivers it to the local policy decision point for storage;
Step 303: the local policy decision point analyses the policy rules according to the necessary policy information and, according to those policy rules, derives a policy subclass from the policy template;
Step 304: the policy enforcement point obtains the policy subclass and distributes it.
Before the policy enforcement point distributes the policy subclass, the method may further comprise the following: each application module is assigned a key pair consisting of a public key and a private key; the policy enforcement point encrypts the policy subclass to be distributed with the public key of the corresponding application module and sends each encrypted policy subclass to the respective application module. Delivering the policy subclass only after encryption guarantees the confidentiality of the message.
Referring to the flow chart of Fig. 3, the processing method further comprises step 305: the application module executes the policy subclass and reports the policy execution result to the global policy decision point; further, the global policy decision point assesses the policy execution result and optimises the policy template. Alternatively, if the application module receives an encrypted policy subclass, it first decrypts it with the private key it holds and then executes the decrypted policy subclass.
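As an added illustration of the encrypted delivery described for steps 304 and 305 (this is not code from the patent), the following Go program has a policy enforcement point seal a policy subclass with RSA-OAEP under the destination module's public key, and has that module, and only that module, decrypt and execute it. The PolicySubclass fields, the module names and the choice of RSA-OAEP with the module name as label are assumptions; the patent specifies only that each module holds a public/private key pair.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// PolicySubclass is a constructed stand-in for the policy subclass the LPDP
// derives from a template; the field names are assumptions, not the patent's.
type PolicySubclass struct {
	Scope     string `json:"scope"`
	Action    string `json:"action"`
	ValidFrom string `json:"valid_from"`
	ValidTo   string `json:"valid_to"`
}

// AppModule models one application module (encryption, QoS or interception
// module) holding the key pair assigned to it. The PEP only ever sees the
// public half.
type AppModule struct {
	Name string
	priv *rsa.PrivateKey
}

// NewAppModule assigns a fresh key pair to a module, as the method requires
// before any policy subclass is distributed.
func NewAppModule(name string) (*AppModule, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &AppModule{Name: name, priv: k}, nil
}

// PublicKey is what the module hands to the PEP.
func (m *AppModule) PublicKey() *rsa.PublicKey { return &m.priv.PublicKey }

// EncryptForModule is the PEP side: serialise the subclass and seal it with
// RSA-OAEP under the destination module's public key. The module name is used
// as the OAEP label so a ciphertext meant for one module does not decrypt at
// another even if it is misrouted.
func EncryptForModule(pub *rsa.PublicKey, moduleName string, p PolicySubclass) ([]byte, error) {
	plain, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	// RSA-OAEP with SHA-256 can seal at most k - 2*hLen - 2 bytes directly;
	// a larger subclass would need a hybrid (symmetric key) scheme instead.
	if max := pub.Size() - 2*sha256.Size - 2; len(plain) > max {
		return nil, fmt.Errorf("policy subclass is %d bytes, exceeds OAEP limit of %d", len(plain), max)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, []byte(moduleName))
}

// Execute is the module side of step 305: decrypt with the private key the
// module keeps, then act on the subclass. A blob sealed for another module,
// or altered in transit, is rejected here instead of being executed.
func (m *AppModule) Execute(blob []byte) (PolicySubclass, error) {
	var p PolicySubclass
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, m.priv, blob, []byte(m.Name))
	if err != nil {
		return p, fmt.Errorf("%s: policy subclass rejected: %w", m.Name, err)
	}
	if err := json.Unmarshal(plain, &p); err != nil {
		return p, fmt.Errorf("%s: malformed policy subclass: %w", m.Name, err)
	}
	return p, nil
}

func main() {
	qos, _ := NewAppModule("qos")
	intercept, _ := NewAppModule("interception")
	// constructed subclass using the low-level user figures of embodiment 1
	sub := PolicySubclass{Scope: "user:87544044", Action: "reserve=10k,conns=1,max=15k", ValidFrom: "2007-07-01", ValidTo: "2007-12-31"}
	blob, err := EncryptForModule(qos.PublicKey(), qos.Name, sub)
	if err != nil {
		panic(err)
	}
	fmt.Println(qos.Execute(blob))       // the intended module recovers the subclass
	fmt.Println(intercept.Execute(blob)) // any other module gets an error
}
```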
Fig. 4 is the flow chart of embodiment 1 of the policy processing method based on the network policy architecture of the invention. This embodiment mainly describes a user initiating a QoS management request to the PEP, and the flow in which the network policy architecture generates the QoS policy.
Step 401: the PEP checks whether the application module that would execute this QoS policy permits QoS policies; if so, step 402 is executed, otherwise the flow ends;
Step 402: the PEP sends to the PDP, via the LPDP, a registration request containing QoS policy information such as the user's subscription level, the service type and the device's own bandwidth capability, with different bandwidths and connection counts determined according to the different subscription levels;
Step 403: the PDP queries the policy repository according to the registration request, obtains the general policy template and delivers it to the LPDP for storage. The general policy template contains members such as the policy scope, the policy evaluation vectors, the policy actions and the policy validity period, and member methods such as the condition vector combination method;
Step 404: the LPDP, according to QoS policy information such as the user's subscription level, the service type and the device's bandwidth capability, determines different bandwidths and connection counts for the different subscription levels and analyses the policy conditions, policy actions, policy scope, condition vector combination method and policy validity period of the policy rules, for example:
The policy conditions are each represented as a vector, giving the corresponding policy evaluation vectors. A policy evaluation vector consists of an evaluation object and an evaluation method; the evaluation method compares the evaluation object against a preset value or interval and yields "true" on a match and "false" otherwise. Here the evaluation object is the user's telephone number and the evaluation method is user-based. For example, users are divided into three levels, high, medium and low, and numbers reserved for other special users are also kept. If the telephone number of the calling user is 87544044, the user-based evaluation method looks up the level matching this number and finds that the user is a low-level user; the result of the policy evaluation at this moment is therefore the low-level user policy. The policy action specifies the network bandwidth reserved for this user, the maximum bandwidth limit and the number of connections the user is allowed: for example, for this low-level user the reserved network bandwidth is 10k, the allowed number of connections is 1, and when the network is not busy the maximum bandwidth limit is 15k. Or:
Two policy conditions are analysed. The policy action is to generate, according to the overall data flow, policy restrictions on the maximum user connection count and the maximum permitted bandwidth: for example, when the remaining connection count is 4 and the available bandwidth is 40k, the device's default connection count of 2 and default bandwidth of 20k are allowed, and the maximum permitted user connection count is specified as 3 and the maximum bandwidth as 30k. The policy validity period is the device's policy validity period, the second half of 2007, from 1 July to 31 December. The two policy conditions are each represented as a vector, giving two corresponding policy evaluation vectors; each consists of an evaluation object and an evaluation method, the evaluation method comparing the evaluation object against a preset value or interval and yielding "true" on a match and "false" otherwise.
In the first policy evaluation vector the evaluation object is the total network flow and the evaluation method is based on device flow. If the usable flow at this moment, that is the remaining bandwidth after the reserved bandwidth subscribed by the users has been allocated, is 40k and the device's default bandwidth is 20k, then a bandwidth of 20k can be assigned to the device; if the remaining bandwidth at this moment is only 15k, no bandwidth can be assigned to the device and an error report is sent.
In the second policy evaluation vector the evaluation object is the remaining connection count of the network and the evaluation method is based on device connection count. If the available connection count of the network at this moment, that is the remaining count after the connections subscribed by the users have been allocated, is 4 and the device's default connection count is 2, then 2 connections can be provided for the device; if only 1 connection remains at this moment, the required connections cannot be provided for the device and the corresponding operation cannot be carried out;
Step 405: the LPDP inherits from the general policy template and, according to the above QoS policy conditions, policy actions, policy scope, condition vector combination method and policy validity period, generates a QoS policy instance, which is delivered to the PEP;
Step 406: the PEP distributes the QoS policy instance to an application module such as the QoS module, which executes it to guarantee the network's quality of service, and reports the policy execution result to the PDP; further, the PDP assesses the policy execution result and optimises the policy template.
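The following Go program is an added worked example (not code from the patent) of the policy template and evaluation vectors of steps 403 to 406, using the figures of embodiment 1: a template carrying a policy scope, evaluation vectors, a condition vector combination method and a validity period is specialised into a QoS policy subclass whose two vectors check the remaining bandwidth and remaining connections against the device defaults, and evaluation outside the validity period or with a failed condition yields the error report instead of a grant. The struct and function names, and the choice of logical AND as the combination method, are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// NetworkState is the constructed input a PEP reports at registration
// (step 402): what is left once subscribed users' reservations are taken out.
type NetworkState struct {
	RemainingBandwidthKbps int
	RemainingConnections   int
}

// EvalVector is one policy evaluation vector: an evaluation object (what is
// measured) and an evaluation method that compares it against a preset value
// or interval, yielding true on a match and false otherwise.
type EvalVector struct {
	Object string
	Method func(s NetworkState) bool
}

// PolicyTemplate carries the general template members listed in step 403.
type PolicyTemplate struct {
	Scope     string
	Vectors   []EvalVector
	Combine   func(results []bool) bool // condition vector combination method
	ValidFrom time.Time
	ValidTo   time.Time
}

// QoSPolicy is the subclass the LPDP derives in step 405: the template plus
// the concrete actions to apply when the combined conditions hold.
type QoSPolicy struct {
	PolicyTemplate
	GrantBandwidthKbps int
	GrantConnections   int
}

// allTrue is the combination method assumed here (the patent leaves it
// unspecified): every condition vector must evaluate to true.
func allTrue(results []bool) bool {
	for _, r := range results {
		if !r {
			return false
		}
	}
	return true
}

// DeriveQoSPolicy specialises the template with the device defaults carried
// in the registration request, as the LPDP does in step 404.
func DeriveQoSPolicy(defaultBandwidthKbps, defaultConnections int, from, to time.Time) QoSPolicy {
	return QoSPolicy{
		PolicyTemplate: PolicyTemplate{
			Scope: "device-qos",
			Vectors: []EvalVector{
				// first vector: total network flow, device-flow based method
				{Object: "total network flow", Method: func(s NetworkState) bool {
					return s.RemainingBandwidthKbps >= defaultBandwidthKbps
				}},
				// second vector: remaining connections, device-connection based method
				{Object: "remaining connections", Method: func(s NetworkState) bool {
					return s.RemainingConnections >= defaultConnections
				}},
			},
			Combine:   allTrue,
			ValidFrom: from,
			ValidTo:   to,
		},
		GrantBandwidthKbps: defaultBandwidthKbps,
		GrantConnections:   defaultConnections,
	}
}

// Evaluate applies the policy at time now. Outside the validity period the
// policy is never applied; when the combined conditions fail it returns the
// error report of step 404 instead of granting resources.
func (p QoSPolicy) Evaluate(now time.Time, s NetworkState) (bandwidthKbps, connections int, err error) {
	if now.Before(p.ValidFrom) || now.After(p.ValidTo) {
		return 0, 0, fmt.Errorf("policy %q not in effect on %s", p.Scope, now.Format("2006-01-02"))
	}
	results := make([]bool, len(p.Vectors))
	for i, v := range p.Vectors {
		results[i] = v.Method(s)
	}
	if !p.Combine(results) {
		return 0, 0, fmt.Errorf("policy %q: condition vectors %v, cannot assign resources", p.Scope, results)
	}
	return p.GrantBandwidthKbps, p.GrantConnections, nil
}

func main() {
	// validity period from the embodiment: the second half of 2007
	from := time.Date(2007, time.July, 1, 0, 0, 0, 0, time.UTC)
	to := time.Date(2007, time.December, 31, 23, 59, 59, 0, time.UTC)
	p := DeriveQoSPolicy(20, 2, from, to) // device defaults: 20k and 2 connections
	now := time.Date(2007, time.September, 1, 12, 0, 0, 0, time.UTC)
	for _, s := range []NetworkState{{40, 4}, {15, 4}, {40, 1}} {
		bw, c, err := p.Evaluate(now, s)
		fmt.Println(s, "->", bw, c, err)
	}
}
```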
The tactful processing method embodiment 2 that the present invention is based on the network strategy framework has described the handling process of encryption policy.Its handling process is similar with Fig. 4 step 401-step 406, unique different register requirement that is is the request that comprises signatory grade of system and the signatory grade enciphered message of user in this example, and step 404 replaces with, LPDP is according to the signatory grade of user, type of service and equipment self bandwidth ability, determine different level of securitys and cryptographic algorithm according to different signatory grades, the policy condition of analysis strategy rule, strategy interaction, tactful action scope, condition vectorial combination method and strategy section effective time, as:
Strategy interaction is as according to assessment result, i.e. intermediate users strategy, and the level of security and the cryptographic algorithm of specifying this user be intermediate as specify level of security for this intermediate users, cryptographic algorithm is the AES cryptographic algorithm; With the strategy effective time section from date of agreement, 15 afternoon of promptly 2007 on May in May in the 15,3:00 to 2008 year afternoons 3:00; And policy condition used vector representation respectively, obtain corresponding Policy evaluation vector; Described Policy evaluation vector comprises evaluation object and appraisal procedure, and wherein said appraisal procedure compares described evaluation object and preset value or interval, if coupling then is " very ", otherwise is " vacation ".Evaluation object is a user's telephone number, and appraisal procedure is the appraisal procedure that adopts based on the user.As the user being divided into high, medium and low three ranks, if the user's telephone number that make a call this moment is 87544044, then the appraisal procedure based on the user is as follows: search the rank of numbers match therewith, find that this user belongs to rudimentary user.Promptly the result of Policy evaluation is the intermediate users strategy at this moment; Perhaps, strategy interaction is as being according to assessment result according to behavior, promptly rudimentary subscriber policy, and the level of security and the cryptographic algorithm of specifying this user be intermediate as specify level of security for this, cryptographic algorithm is the des encryption algorithm; With strategy section effective time be the second half year in 2007, be July 1 to December 31; And policy condition used vector representation respectively, obtain corresponding Policy evaluation vector; Described Policy evaluation vector comprises evaluation object and appraisal procedure, and wherein said appraisal procedure 
compares described evaluation object and preset value or interval, if coupling then is " very ", otherwise is " vacation ".Evaluation object is a user's telephone number, and appraisal procedure is based on the appraisal procedure of equipment.The telephone number of the equipment that makes a call is 87541000 as this moment, then this number is evaluated as Default device;
Step 405 is replaced by: the LPDP, according to the above encryption policy rules, inherits the general policy template to generate an encryption policy instance, which is sent down to the PEP. In step 406 the encryption module executes the encryption policy instance, assigning the user a security level and an encryption algorithm according to the issued policy.
Embodiment 3 of the policy processing method based on the network policy architecture of the present invention describes the processing flow for a monitoring policy. The flow is similar to steps 401 to 406 of Fig. 4, with the following differences. The registration request in this embodiment comprises the number of the intercepted user, the time period during which the user is monitored, the interception type and the IP address of the forwarding unit. Step 404 is: the LPDP analyses the policy rules from the number of the intercepted user, the monitoring time period, the interception type and the IP address of the forwarding unit, for example as follows. The policy action is, according to the evaluation result, to switch monitoring on for this user; the effective time section of the policy is from 3:00 p.m. on 15 May 2007 to 3:00 p.m. on 15 May 2008; and each policy condition is represented as a vector, giving a corresponding policy evaluation vector. The policy evaluation vector comprises an evaluation object and an evaluation method; the evaluation method compares the evaluation object with a preset value or interval and yields "true" on a match and "false" otherwise. The evaluation object is the user's telephone number and the evaluation method is the On/Off monitoring policy evaluation method. If the calling number at this moment is 87544044, the On/Off monitoring policy evaluation method proceeds as follows: look up whether this number belongs to the monitoring class; finding that the user belongs to the monitoring class, the result of the policy evaluation at this moment is the monitored-user policy. Or: look up whether this number belongs to the monitoring-off class; finding that the user belongs to the monitoring-off class, the result of the policy evaluation at this moment is the monitoring-off user policy. Step 405 is replaced by: the LPDP, according to the above monitoring policy rules, derives from the general policy template to generate the encryption policy instance, which is sent down to the PEP. In step 406 the monitoring module executes the monitoring policy instance to carry out lawful interception of the user on the core network.
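The condition-vector evaluation and template-inheritance steps of embodiments 2 and 3 (steps 404 and 405), as an added example that is not code from the patent; the number tables, the level-to-cipher mapping, the template fields and the fallback for unknown numbers are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict

# Constructed lookup tables (not from the patent): calling number -> user level,
# and the numbers currently in the "monitoring class".
USER_LEVEL = {"87544044": "intermediate", "87544050": "low", "87544060": "high"}
MONITORING_CLASS = {"87544044"}
# Constructed mapping from user level to (security level, cipher); the AES and
# DES pairings follow embodiment 2, the "high" row is an assumption.
LEVEL_POLICY = {"high": ("high", "AES"), "intermediate": ("intermediate", "AES"),
                "low": ("low", "DES")}
# Constructed general policy templates carrying the effective time section
# quoted in embodiments 2 and 3 (3:00 p.m. 15 May 2007 to 3:00 p.m. 15 May 2008).
ENC_TEMPLATE = {"kind": "encryption", "start": datetime(2007, 5, 15, 15, 0),
                "end": datetime(2008, 5, 15, 15, 0)}
MON_TEMPLATE = {"kind": "monitoring", "start": datetime(2007, 5, 15, 15, 0),
                "end": datetime(2008, 5, 15, 15, 0)}
SAMPLE_NOW = datetime(2007, 6, 1, 12, 0)   # inside the time section
LATE_NOW = datetime(2009, 1, 1, 0, 0)      # after the time section has expired


@dataclass(frozen=True)
class EvalVector:
    """Policy evaluation vector: an evaluation object and an evaluation method
    that compares the object with a preset value or interval."""
    obj: str
    method: Callable[[str], bool]

    def evaluate(self) -> bool:
        return self.method(self.obj)  # match -> "true", otherwise "false"


def derive_subclass(template: Dict, request: Dict, now: datetime) -> Dict:
    """LPDP steps 404-405: evaluate the condition vectors, then inherit the
    general template and fill in the action for this registration request."""
    number = request["number"]
    # Condition 1: interval comparison against the policy's effective time section.
    in_time = EvalVector(now.isoformat(),
                         lambda _: template["start"] <= now <= template["end"])
    if not in_time.evaluate():
        return {**template, "user": number, "action": "none"}
    if template["kind"] == "encryption":
        # User-based evaluation: find the level whose number list matches.
        level = next((lv for lv in LEVEL_POLICY
                      if EvalVector(number, lambda n, lv=lv: USER_LEVEL.get(n) == lv).evaluate()),
                     "low")  # unknown numbers fall back to the lowest level (assumption)
        sec, cipher = LEVEL_POLICY[level]
        return {**template, "user": number, "action": "assign",
                "security_level": sec, "cipher": cipher}
    if template["kind"] == "monitoring":
        # On/Off evaluation: does the number belong to the monitoring class?
        on = EvalVector(number, lambda n: n in MONITORING_CLASS).evaluate()
        return {**template, "user": number,
                "action": "monitor_on" if on else "monitor_off",
                "forward_to": request.get("forward_ip")}
    raise ValueError(f"unknown template kind {template['kind']!r}")
```

The returned dictionary is the policy subclass the PEP would hand to the encryption or monitoring module; a request outside the effective time section yields no action.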
In embodiments 1, 2 and 3 described above, the policy subclass distributed by the policy enforcement point is not encrypted. Optionally, the present invention can also encrypt the policy subclass before the policy enforcement point distributes it to the application module; in that case the application module must first decrypt the encrypted policy subclass before executing it.
Therefore, the network policy architecture for a lawful interception system proposed by the present invention can use the general policy template to generate policies automatically, and the local policy decision point also takes part in policy generation, sharing the burden of the global policy decision point and making the whole system more reliable. The present invention can also flexibly load the various modules related to policy execution, such as the QoS module, the encryption module and the monitoring module; for example, the monitoring module is loaded when a user on the core network is monitored. Thus, when performing lawful interception, these modules can be loaded according to actual needs: when only network quality needs to be guaranteed, only the QoS module need be loaded to execute the relevant QoS policy and guarantee network quality. Moreover, encrypting the policy subclass guarantees the confidentiality of the message, so that a policy message intercepted in transit cannot be used by the interception target to take targeted measures to evade the lawful interception system.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention may be modified or equivalently replaced without departing from the spirit and scope of the technical solution of the present invention, and all such modifications shall fall within the scope of the claims of the present invention.

Claims (8)

1. A network policy architecture applied to a lawful interception system, characterized by comprising:
a policy library, used to store all policy templates;
a global policy decision point, connected to the policy library, used to manage policy decisions for the whole network and to obtain policy templates from the policy library and issue them;
a local policy decision point, connected to the policy decision point, used to analyse policy rules, receive the policy template and provide policy subclasses according to the policy template;
a policy enforcement point, connected to the local policy decision point, used to register with the policy decision point via the local policy decision point, to obtain the policy subclass and/or encrypt the policy subclass, and to distribute the encrypted policy subclass.
2. The network policy architecture applied to a lawful interception system according to claim 1, characterized by further comprising: an encryption module, connected to the policy enforcement point, which executes the policy subclass, or decrypts the policy subclass and executes the decrypted policy subclass, and reports the policy execution result to the policy enforcement point; further, the policy enforcement point reports the execution result to the global policy decision point, which assesses the policy execution result and optimizes the policy template.
3. The network policy architecture applied to a lawful interception system according to claim 1 or 2, characterized by further comprising: a QoS assurance module, connected to the policy enforcement point, which executes the policy subclass, or decrypts the policy subclass and executes the decrypted policy subclass, and reports the policy execution result to the policy enforcement point; further, the policy enforcement point reports the execution result to the global policy decision point, which assesses the policy execution result and optimizes the policy template.
4. The network policy architecture applied to a lawful interception system according to claim 3, characterized by further comprising: a lawful interception module, connected to the policy enforcement point, which executes the policy subclass, or decrypts the policy subclass and executes the decrypted policy subclass, and reports the policy execution result to the policy enforcement point; further, the policy enforcement point reports the execution result to the global policy decision point, which assesses the policy execution result and optimizes the policy template.
5. A policy processing method based on the network policy architecture applied to a lawful interception system, characterized by comprising the following steps:
the policy enforcement point sends a registration request containing the necessary policy information to the global policy decision point via the local policy decision point;
the global policy decision point queries the policy library according to the registration request to obtain a policy template and issues it to the local policy decision point for storage;
the local policy decision point analyses policy rules according to the necessary policy information and, according to the policy rules, derives a policy subclass from the policy template; and
the policy enforcement point obtains the policy subclass and distributes it.
6. The policy processing method according to claim 5, characterized by further comprising the following steps: the application module executes the policy subclass and reports the policy execution result to the global policy decision point; further, the global policy decision point assesses the policy execution result and optimizes the policy template.
7. The policy processing method according to claim 6, characterized in that, between the policy enforcement point obtaining the policy subclass and distributing it, the method further comprises: the policy enforcement point encrypts the policy subclass to be distributed; further, distributing the policy subclass specifically comprises: the policy enforcement point sends the encrypted policy subclass to the corresponding application module.
8. The policy processing method according to claim 7, characterized in that the application module executing the policy subclass specifically comprises: the application module decrypts the encrypted policy subclass using the key, consisting of a public key and a private key, that has been assigned to it, and then executes the decrypted policy subclass.
CN2007100534329A 2007-09-29 2007-09-29 Network policy architecture for legal monitoring system and its policy processing method Expired - Fee Related CN101123534B (en)


Publications (2)

Publication Number Publication Date
CN101123534A true CN101123534A (en) 2008-02-13
CN101123534B CN101123534B (en) 2010-09-01

Family

ID=39085720


Country Status (1)

Country Link
CN (1) CN101123534B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101365014B (en) * 2008-04-30 2012-09-26 华中科技大学 Distributed adaptive listening system, generation and monitor control method
WO2014040254A1 (en) * 2012-09-13 2014-03-20 Hewlett-Packard Development Company, L. P. Policy coordination between policy enforcement points
WO2014173367A2 (en) * 2013-08-16 2014-10-30 中兴通讯股份有限公司 Qos implementation method, system, device and computer storage medium
CN104734872A (en) * 2013-12-19 2015-06-24 中国科学院沈阳自动化研究所 Industrial backhaul network realizing method and system based on software-defined network
CN101729531B (en) * 2009-03-16 2016-04-13 中兴通讯股份有限公司 Network security policy distribution method, Apparatus and system
CN109858286A (en) * 2018-12-07 2019-06-07 赵耘田 For the security policy manager system of credible calculating platform

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102209041B (en) * 2011-07-13 2014-05-07 上海红神信息技术有限公司 Scheduling method, device and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100428689C (en) * 2005-11-07 2008-10-22 华为技术有限公司 Network safety control method and system
CN100596069C (en) * 2006-08-15 2010-03-24 中国电信股份有限公司 Automatic configuration system and method of IPSec safety tactis in domestic gateway

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101365014B (en) * 2008-04-30 2012-09-26 华中科技大学 Distributed adaptive listening system, generation and monitor control method
CN101729531B (en) * 2009-03-16 2016-04-13 中兴通讯股份有限公司 Network security policy distribution method, Apparatus and system
WO2014040254A1 (en) * 2012-09-13 2014-03-20 Hewlett-Packard Development Company, L. P. Policy coordination between policy enforcement points
WO2014173367A2 (en) * 2013-08-16 2014-10-30 中兴通讯股份有限公司 Qos implementation method, system, device and computer storage medium
WO2014173367A3 (en) * 2013-08-16 2014-11-27 中兴通讯股份有限公司 Qos implementation method, system, device and computer storage medium
CN104378309A (en) * 2013-08-16 2015-02-25 中兴通讯股份有限公司 Method, system and related equipment for achieving QoS in Open Flow network
CN104378309B (en) * 2013-08-16 2019-05-21 中兴通讯股份有限公司 Method, system and the relevant device of QoS are realized in OpenFlow network
CN104734872A (en) * 2013-12-19 2015-06-24 中国科学院沈阳自动化研究所 Industrial backhaul network realizing method and system based on software-defined network
CN104734872B (en) * 2013-12-19 2018-02-23 中国科学院沈阳自动化研究所 A kind of industrial backhaul network implementation method and system based on software defined network
CN109858286A (en) * 2018-12-07 2019-06-07 赵耘田 For the security policy manager system of credible calculating platform
CN109858286B (en) * 2018-12-07 2023-07-21 赵耘田 Security policy management system for trusted computing platform



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100901

Termination date: 20130929