CN101478546B - Method for protecting network safety and network safety protecting equipment - Google Patents

Publication number
CN101478546B
Authority
CN
China
Prior art keywords
ping
value
data
echo reply
ping echo
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2009100084523A
Other languages
Chinese (zh)
Other versions
CN101478546A (en
Inventor
马勺布
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Digital Technologies Chengdu Co Ltd
Original Assignee
Huawei Symantec Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Symantec Technologies Co Ltd filed Critical Huawei Symantec Technologies Co Ltd
Priority to CN2009100084523A priority Critical patent/CN101478546B/en
Publication of CN101478546A publication Critical patent/CN101478546A/en
Application granted granted Critical
Publication of CN101478546B publication Critical patent/CN101478546B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Packages (AREA)

Abstract

The invention provides a method for protecting network security, mainly comprising: receiving an original ping packet; obtaining a verification value and adding the verification value to the option data field of the original ping packet; encoding the original ping packet to which the verification value has been added, to obtain a ping echo request packet; sending the ping echo request packet to the external network; verifying whether the option data field of a ping echo reply packet from the external network contains a value matching the verification value; decoding the ping echo reply packet if the option data field contains a value matching the verification value; and sending the decoded ping echo reply packet to the internal network. Under unidirectional or bidirectional data flow conditions, the method uses the properties of the option data field to monitor ping packets without the session recording method, which occupies the memory of the network security protection device, and thereby saves the memory of the network security protection device.

Description

Method for protecting network security and network security protection device
Technical field
The present invention relates to the field of communication technology, and in particular to a method for protecting network security and a network security protection device.
Background art
With the development of communication technology, the ping utility, an application program, has come into widespread use. The purpose of the ping program is to send an Internet Control Message Protocol (ICMP) query message (echo request data) to a host and wait for the ICMP echo reply data to be returned, in order to test whether the host is reachable. However, users of the ping utility are troubled by certain attacks, such as the ping flood attack. In a ping flood attack, the attacker sends a large number of ICMP echo request (ping request) or echo reply (ping reply) packets from the external network to a victim host or network in the internal network. This attack may have many adverse consequences, for example: the bandwidth of the internal network is heavily consumed and normal services cannot operate; the performance of the victim host is seriously affected, possibly to the point of denial of service; and the local area network may be turned into a reflection attack tool.
In the prior art, the main defences against this attack are as follows: for attack methods with obvious individual characteristics, such as ping of death, a signature check method is used, and the protection effect is relatively good; for attack methods without obvious characteristics, methods such as "session recording" and "rate limiting" are used, and the protection effect is unsatisfactory.
For example, the defence scheme used in a bidirectional environment is as follows: the firewall (or other network security protection device) records the ping echo request packets sent from the internal network and stores them in firewall memory or another storage area. When a ping echo reply packet arrives at the firewall, it is matched against the records; ping echo reply packets that are inconsistent with the records are discarded, and those that match are accepted. This method is called the "session recording" method, and it has the following limitations or shortcomings:
The method is not applicable under some network conditions, such as a unidirectional environment;
When many ping echo requests are sent from the internal network, a large amount of the network security protection device's memory is occupied.
In the defence scheme used in a unidirectional traffic environment, the network security protection device cannot be connected in series into the user network. It can only monitor packets entering the internal network from the external network and cannot monitor packets sent out from the internal network, so it cannot identify the ping echo request packets sent from the internal network, and the "session recording" method described above is therefore ineffective. In this case most network security protection devices simply use the "rate limiting" method, that is, they limit the throughput of ping packets. The main limitations or shortcomings of the "rate limiting" method are: the false positive rate is high, and when a ping attack occurs, correct and legitimate ping packets may be unable to pass, while attack packets may enter the internal network through the network security protection device.
Summary of the invention
The embodiments of the invention provide a method for protecting network security and a network security protection device. The technical solution provided by the embodiments of the invention guards effectively against ping flood attacks.
The purpose of the embodiments of the invention is achieved through the following technical solutions:
A method for protecting network security, comprising:
Receiving an original ping packet;
Obtaining a verification value, and adding the verification value to the option data field of the original ping packet;
Encoding the original ping packet to which the verification value has been added, to obtain a ping echo request packet;
Sending the ping echo request packet to the external network;
Verifying whether the option data field of a ping echo reply packet from the external network contains a value matching the verification value;
When the option data field contains a value matching the verification value, decoding the ping echo reply packet;
Sending the decoded ping echo reply packet to the internal network.
A network security protection device, comprising:
A receiving unit, configured to receive an original ping packet and a ping echo reply packet from the external network;
A verification setting unit, configured to obtain a verification value and add the verification value to the option data field of the original ping packet received by the receiving unit;
A verification unit, configured to verify whether the option data field of the ping echo reply packet from the external network contains a value matching the verification value;
A codec unit, configured to encode the original ping packet to which the verification value has been added, to obtain a ping echo request packet, and to decode the ping echo reply packet when the verification unit verifies that the option data field contains a value matching the verification value;
A sending unit, configured to send to the external network the ping echo request packet obtained by the codec unit's encoding, and to send to the internal network the ping echo reply packet decoded by the codec unit.
As can be seen from the embodiments of the invention, the network security protection device uses the property that the option data field of a ping packet remains unchanged over the round trip. Under a unidirectional or bidirectional data flow environment, it verifies whether the option data field of a received ping echo reply packet matches the verification value that was obtained. This guards effectively against ping flood attacks, and ping packets can be monitored while occupying little or no memory of the network security protection device.
Brief description of the drawings
Fig. 1 is a flowchart of embodiment one of the method for protecting network security in the embodiments of the invention;
Fig. 2 is a flowchart of embodiment two of the method for protecting network security in the embodiments of the invention;
Fig. 3 is a flowchart of embodiment three of the method for protecting network security in the embodiments of the invention;
Fig. 4 is a flowchart of embodiment four of the method for protecting network security in the embodiments of the invention;
Fig. 5 is a flowchart of embodiment five of the method for protecting network security in the embodiments of the invention;
Fig. 6 is a schematic diagram of the method for protecting network security in a two-way environment in the embodiments of the invention;
Fig. 7 is a schematic diagram of the method for protecting network security in a unidirectional environment in the embodiments of the invention;
Fig. 8 is a structural diagram of embodiment one of the network security protection device in the embodiments of the invention;
Fig. 9 is a detailed structural diagram of embodiment one of the network security protection device in the embodiments of the invention.
Detailed description of the embodiments
To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in more detail below with reference to the accompanying drawings and embodiments.
Before the embodiments of the invention are described, the message format of the ping packet is briefly introduced.
The message format of the ping packet is as follows:
[Figure: message format of the ping packet]
For a ping echo request packet the [type] field is 8, and for a ping echo reply packet the [type] field is 0; the [code] field is 0 in both cases. The [identifier] and [sequence number] fields in the message are chosen arbitrarily by the sender (Client), and these values are returned in the reply, so that the sender can match echo reply packets to echo request packets. The [option data] field is optional; it is also set arbitrarily by the sender (Client), and the receiver (Server) must return the [option data] field unchanged.
The embodiments of the method for protecting network security in the present invention include, but are not limited to, the following:
Embodiment one of the method for protecting network security:
As shown in Figure 1, the steps of the method for protecting network security comprise:
Step 101: the network security protection device receives an original ping packet.
The original ping packet is a ping packet to which the network security protection device has not yet added a verification value. The original ping packet may be an original ping echo request packet from the internal network or an original ping echo reply packet from the external network; the same applies below.
Step 102: the network security protection device obtains a verification value and adds the verification value to the option data field of the original ping packet.
Step 103: the network security protection device encodes the original ping packet to which the verification value has been added, to obtain a ping echo request packet.
Step 104: the network security protection device sends the ping echo request packet to the external network.
Step 105: the network security protection device verifies whether the option data field of a ping echo reply packet from the external network contains a value matching the verification value.
Matching covers several cases: the option data field of the ping echo reply packet contains a value identical to the verification value added to the option data field of the original ping packet; or the value obtained by applying a specific algorithm to characteristic data extracted from the ping echo reply packet is identical to the verification value carried in the option data field of the ping echo reply packet; and so on. This embodiment does not limit the manner of matching.
Step 106: when the option data field contains a value matching the verification value, the network security protection device decodes the ping echo reply packet.
Step 107: the network security protection device sends the decoded ping echo reply packet to the internal network.
As can be seen from this embodiment, the method relies on the principle that the option data field of a ping packet is set by the sender (Client) and must be returned unchanged by the receiver (Server). The network security protection device adds a verification value to the option data field of the ping echo request packet and, under a unidirectional or bidirectional data flow environment, verifies whether the option data field of a received ping echo reply packet contains a value matching the verification value. Because the complete content of each original ping packet that passes through does not have to be recorded in the memory of the network security protection device, ping packets can be monitored, and ping flood attacks guarded against effectively, while occupying little or no memory of the network security protection device.
Because a verification value has been added to the option data field, the packet must be encoded accordingly so that the packet carrying the verification value can be sent and received normally. The encoding is illustrated by example below.
Embodiment two of the method for protecting network security (a preset fixed value is used as the verification value):
As shown in Figure 2, the steps of the method for protecting network security comprise:
Step 101-1: the network security protection device receives an original ping packet.
Step 102-1: the network security protection device obtains a preset fixed value and adds the fixed value, as the verification value, to the option data field of the original ping packet.
Step 103-1: the network security protection device encodes the original ping packet to which the fixed value has been added, to obtain a ping echo request packet.
Step 104-1: the network security protection device sends the ping echo request packet to the external network.
Step 105-1: the network security protection device verifies whether the option data field of a ping echo reply packet contains the fixed value.
Step 106-1: when the option data field contains the fixed value, the network security protection device decodes the ping echo reply packet.
Step 107-1: the network security protection device sends the decoded ping echo reply packet to the internal network.
The number of fixed values is not limited; there may be one or several. The fixed value may be a value that the user stores on the network security protection device, or a value generated by the network security device.
The advantage of using a fixed value as the verification value is simplicity. The complete content of the original ping packet does not have to be stored on the network security device; only the fixed value needs to be stored on the network security protection device, and each original ping packet that passes through only needs to be marked with the fixed value. When verification is performed for security purposes, the network security protection device only needs to check whether the received ping echo reply packet carries a matching fixed value. Compared with storing the complete content of the original ping packet, storing only the fixed value saves the memory resources of the network security protection device.
Embodiment three of the method for protecting network security (the verification value is computed from characteristic data with a specific algorithm):
As shown in Figure 3, the steps of the method for protecting network security comprise:
Step 101-2: the network security protection device receives an original ping packet.
Step 102-2: the network security protection device applies a specific algorithm to the characteristic data carried by the received original ping packet to obtain a verification value, and adds the verification value to the option data field of the original ping packet.
Step 103-2: the network security protection device encodes the original ping packet to which the verification value has been added, to obtain a ping echo request packet.
Step 104-2: the network security protection device sends the ping echo request packet to the external network.
Step 105-2: when the option data field of a ping echo reply packet contains the verification value, the network security protection device applies the specific algorithm to the characteristic data carried by the ping echo reply packet to obtain a value, and verifies whether that value is identical to the verification value.
Step 106-2: when the value obtained by applying the specific algorithm to the characteristic data carried by the ping echo reply packet is identical to the verification value, the network security protection device decodes the ping echo reply packet.
Step 107-2: the network security protection device sends the decoded ping echo reply packet to the internal network.
The advantage of computing the verification value by applying a specific algorithm to the characteristic data carried by the original ping packet is as follows. A malicious packet that attempts to pass through the network security protection device into the internal network to carry out an attack may forge, in its option data field, a value identical to the verification value added to the original ping packet. However, the characteristic data of a packet is usually specific to that packet: if the packet has been tampered with, or was malicious to begin with, its characteristic data will have changed or will differ from that of a safe packet. The value computed from this different characteristic data usually differs from the value that the malicious packet forged in its option data field, so the packet cannot pass verification. A verification value computed from specific characteristic data therefore offers higher security.
Compared with "the first way: the fixed value preconfigured by the user is used as the verification value", this method is better in that no verification value needs to be stored on the network security protection device; each original ping packet that passes through only needs to be marked with the verification value. When verification is performed for security purposes, the network security protection device applies the specific algorithm to the characteristic data carried by the received ping echo reply packet to compute a value, and when this value is consistent with the verification value presented in the option data field of the ping echo reply packet, the ping echo reply packet is judged to be safe. Compared with storing the complete content of the original ping packet, this method saves the memory resources of the network security protection device.
Embodiment four of the method for protecting network security (the verification value is computed from characteristic data and a fixed value with a specific algorithm):
As shown in Figure 4, the steps of the method for protecting network security comprise:
Step 101-3: the network security protection device receives an original ping packet.
Step 102-3: the network security protection device applies a specific algorithm to a preset fixed value and the characteristic data carried by the original ping packet to obtain a verification value, and adds the verification value to the option data field of the original ping packet.
Step 103-3: the network security protection device encodes the original ping packet to which the verification value has been added, to obtain a ping echo request packet.
Step 104-3: the network security protection device sends the ping echo request packet to the external network.
Step 105-3: when the option data field of a received ping echo reply packet contains the verification value, the network security protection device applies the specific algorithm to the fixed value and the characteristic data carried by the ping echo reply packet to obtain a value, and verifies whether that value is identical to the verification value.
Step 106-3: when the value obtained by applying the specific algorithm to the fixed value and the characteristic data carried by the ping echo reply packet is identical to the verification value, the network security protection device decodes the ping echo reply packet.
Step 107-3: the network security protection device sends the decoded ping echo reply packet to the internal network.
A fixed value is included as a factor in the computation of the verification value. Because this fixed value is held by the network security protection device and cannot be learned from the external network, the complexity of the computation increases and the probability of a disguised packet passing verification decreases, which makes it harder for an attacker to forge packets. This method requires the fixed value to be stored on the network security protection device; compared with storing the complete content of the original ping packet, it saves the memory resources of the network security protection device.
Embodiment five of the method for protecting network security (a first verification value is computed from characteristic data and a fixed value with a specific algorithm, and the first verification value and the fixed value are added to the option data field as the verification value):
As shown in Figure 5, the steps of the method for protecting network security comprise:
Step 101-4: the network security protection device receives an original ping packet.
Step 102-4: the network security protection device applies a specific algorithm to a preset fixed value and the characteristic data carried by the original ping packet to obtain a first verification value, and adds the first verification value and the fixed value, as the verification value, to the option data field of the original ping packet.
Step 103-4: the network security protection device encodes the original ping packet to which the verification value has been added, to obtain a ping echo request packet.
Step 104-4: the network security protection device sends the ping echo request packet to the external network.
Step 105-4: when the option data field of a ping echo reply packet contains the fixed value and also contains the first verification value, the network security protection device applies the specific algorithm to the fixed value and the characteristic data carried by the ping echo reply packet to obtain a value, and verifies whether that value is identical to the first verification value.
Step 106-4: when the value obtained by applying the specific algorithm to the fixed value and the characteristic data carried by the ping echo reply packet is identical to the first verification value, the network security protection device decodes the ping echo reply packet.
Step 107-4: the network security protection device sends the decoded ping echo reply packet to the internal network.
With the fixed value and the first verification value both added to the option data field as the verification value, the device first verifies whether the fixed value is correct and then verifies whether there is a matching first verification value, so the received ping echo reply packet is verified twice. In addition to the advantage of "the third mode", namely saving the memory resources of the network security protection device compared with storing the complete content of the original ping packet, this method provides a better protection effect.
In the four modes above, the original ping packet may, as stated earlier, be an original ping echo reply packet from the external network or an original ping echo request packet from the internal network.
The specific algorithm mentioned above may be a hash algorithm. A hash algorithm is a one-way function that maps a binary value of arbitrary length to a smaller binary value of fixed length; this smaller binary value is called the hash value. A hash value is a numeric representation of a piece of data. For example, if a hash operation is applied to a piece of plain text and even a single letter of that text is then changed, the resulting hash value will almost never be the same. In other words, finding data that yields the same hash value after the hash operation is computationally infeasible. It follows that when the hash value obtained by applying the hash operation to the characteristic data extracted from a packet is identical to the hash value the packet presents in its option data field, the data of the packet has not been tampered with, that is, it is the original data.
For example:
When the original ping packet is an original ping echo reply packet from the external network, the characteristic data used by the hash algorithm may be the source IP address, the destination IP address and the packet time to live of the original ping echo reply packet.
When the original ping packet is an original ping echo request packet from the internal network, the characteristic data used by the hash algorithm may be the source IP address and the destination IP address.
For example, a 2-byte fixed value FLAG and a 2-byte hash value H, 4 bytes in total, are added after the option data. H is computed as follows:
H = Hash(FLAG, SIP, DIP, TTL),
where SIP is the IP address of the client, DIP is the IP address of the server, and TTL is the time to live of the IP packet. The FLAG value is relatively fixed; it can be preset in the network security protection device and can be used to distinguish whether a message is a ping request or reply message that has been encoded.
The lengths of the FLAG and H values can be extended as required, for example to 4 bytes each.
Using a hash algorithm gives considerable flexibility in controlling the complexity of the verification value, and so provides better protection against malicious ping attacks.
A hash algorithm is, of course, only one kind of specific algorithm. This example does not limit the specific algorithm; any specific algorithm that achieves the purpose of the present invention falls within its scope.
The use of the hash algorithm in a unidirectional environment is now illustrated:
As shown in Figure 6, step 1: the external network sends an original ping echo reply packet to the network security protection device.
Step 2: the network security protection device constructs a verification value, adds it to the option data field of the original ping echo reply packet, and sends the ping echo request packet constructed by encoding to the external network. As described above, changing the type field from 0 to 8 changes the type of the original ping echo reply packet to a ping echo request packet. The device then swaps the source IP address and the destination IP address in the Internet Protocol (IP) header of the original ping echo reply packet, recalculates and updates the ICMP message checksum and the IP header checksum field of the original ping echo reply packet, and modifies the length field of the IP header, thereby constructing a ping echo request packet by encoding. The operations in this step, from changing the type field from 0 to 8 through modifying the length field of the IP header, are the encoding mentioned earlier. Encoding is needed because adding the verification value to the option data field changes the packet, including data used for integrity checking such as the value of the checksum field; for the packet to be transmitted normally, the fields must be swapped or modified as described above. Likewise, a packet that has passed verification must go through the corresponding decoding steps before it can be forwarded normally.
Step 3: the external network sends a ping echo reply packet to the network security protection device.
Step 4: for a ping echo reply packet that passes verification, the network security protection device decodes it and sends the decoded ping echo reply packet to the internal network.
Step 5: a ping echo reply packet that does not pass verification is discarded by the network security protection device.
For an original ping echo reply packet from the external network, the scheme is to construct a verification value in the network security protection device, build the original ping echo reply packet into a ping echo request packet that passes through the network security protection device, and send that ping echo request packet to the external network. Owing to a property shared by most existing ping attack packets, once this scheme is adopted such packets do not return a second time to request entry into the internal network, so attacks by ping attack packets are reduced.
The use of the hash algorithm in a two-way environment is now illustrated:
As shown in Figure 7, step 01: a user device in the internal network sends an original ping echo request packet to the network security protection device.
Step 02: the network security protection device constructs a verification value and adds it to the option data field of the original ping echo request packet. The type field is unchanged. The device recalculates and updates the ICMP message checksum and the IP header checksum field of the original ping echo request packet and modifies the length field of the IP header, thereby constructing a ping echo request packet by encoding, and sends the ping echo request packet to the external network.
Step 03: the external network sends a ping echo reply packet to the network security protection device.
Step 04: for a ping echo reply packet that passes verification, the network security protection device decodes it and sends the decoded ping echo reply packet to the internal network.
Step 05: a ping echo reply packet that does not pass verification is discarded by the network security protection device.
The embodiments of the invention also provide network security protection equipment. Embodiments of the network security protection equipment include, but are not limited to, the following:
Embodiment one of the network security protection equipment:
As shown in Figure 8, this network security protection equipment comprises:
Receiving unit 201, used to receive the original ping packet and the ping echo reply packet from the external network.
Verification setting unit 202, used to obtain a validation value and add it to the option data field of the original ping packet received by receiving unit 201.
Authentication unit 204, used to verify whether the option data field of the ping echo reply packet from the external network includes a value matching the validation value.
Codec unit 205, used to encode the original ping packet to which the validation value has been added, obtaining a ping echo request packet, and to decode the ping echo reply packet when authentication unit 204 verifies that the option data field includes a value matching the validation value.
Transmitting unit 203, used to send to the external network the ping echo request packet encoded by codec unit 205, and to send to the internal network the ping echo reply packet decoded by the codec unit.
As this embodiment shows, the equipment relies on the principle that the option data field of a ping packet is set by the sender (Client) and must be returned unchanged by the receiver (Server). The network security protection equipment adds a validation value to the option data field of the ping echo request packet and, under a unidirectional or bidirectional data flow, verifies whether the option data field of each received ping echo reply packet matches. This guards effectively against ping flood attacks. And because the complete content of each original ping packet that passes through does not have to be recorded in the equipment's memory, ping packets can be monitored while using little or no additional memory on the network security protection equipment.
The detailed structure of embodiment one of the network security protection equipment is shown in Figure 9:
Receiving unit 201 comprises primary receiving unit 201-01 and external network receiving unit 201-02. Primary receiving unit 201-01 is used to receive the original ping packet; external network receiving unit 201-02 is used to receive the ping echo reply packet from the external network.
Verification setting unit 202 comprises acquiring unit 202-01 and setting unit 202-02. Acquiring unit 202-01 is used to obtain the validation value; setting unit 202-02 is used to add the validation value to the option data field of the original ping packet received by primary receiving unit 201-01.
Authentication unit 204-0 is used to verify whether the option data field of the ping echo reply packet from the external network includes a value matching the validation value.
Codec unit 205 comprises coding unit 205-01 and decoding unit 205-02. Coding unit 205-01 is used to encode the original ping packet to which setting unit 202-02 has added the validation value, obtaining a ping echo request packet; decoding unit 205-02 is used to decode the ping echo reply packet when authentication unit 204-0 verifies that the option data field includes a value matching the validation value.
Transmitting unit 203 comprises outward transmitting unit 203-01 and inward transmitting unit 203-02. Outward transmitting unit 203-01 is used to send to the external network the ping echo request packet encoded by coding unit 205-01; inward transmitting unit 203-02 is used to send to the internal network the ping echo reply packet decoded by decoding unit 205-02.
Embodiment two of the network security protection equipment (a preset fixed value is used as the validation value):
The detailed structure of embodiment two is the same as in Figure 9. This network security protection equipment comprises:
Primary receiving unit 201-01, used to receive the original ping packet.
External network receiving unit 201-02, used to receive the ping echo reply packet from the external network.
Acquiring unit 202-01, used to obtain a preset fixed value as the validation value.
Setting unit 202-02, used to add the fixed value to the option data field of the original ping packet received by primary receiving unit 201-01.
Coding unit 205-01, used to encode the original ping packet to which the fixed value has been added, obtaining a ping echo request packet.
Authentication unit 204-0, used to verify whether the option data field of the ping echo reply packet from the external network, received by external network receiving unit 201-02, contains a value identical to the fixed value.
Decoding unit 205-02, used to decode the ping echo reply packet when authentication unit 204-0 verifies that the option data field contains a value identical to the fixed value.
Outward transmitting unit 203-01, used to send to the external network the ping echo request packet encoded by coding unit 205-01.
Inward transmitting unit 203-02, used to send to the internal network the ping echo reply packet decoded by decoding unit 205-02.
Using a fixed value as the validation value has the advantage of being simple. The network security equipment does not store the complete content of each original ping packet that passes through; it stores only the fixed value and stamps each passing original ping packet with it. When a check is needed for security reasons, the equipment only has to check whether the passing ping echo reply packet carries the matching fixed value. Compared with storing the complete content of the original ping packet, storing only the fixed value saves the memory resources of the network security protection equipment.
Embodiment three of the network security protection equipment (the validation value is obtained by computing over characteristic data with a specific algorithm):
The detailed structure of embodiment three is the same as in Figure 9. This network security protection equipment comprises:
Primary receiving unit 201-01, used to receive the original ping packet.
External network receiving unit 201-02, used to receive the ping echo reply packet from the external network.
Acquiring unit 202-01, used to obtain the validation value by computing, with a specific algorithm, over the characteristic data carried by the original ping packet received by primary receiving unit 201-01.
Setting unit 202-02, used to add the computed validation value to the option data field of the original ping packet received by primary receiving unit 201-01.
Coding unit 205-01, used to encode the original ping packet to which the computed validation value has been added, obtaining a ping echo request packet.
Authentication unit 204-0, used, when the option data field of the ping echo reply packet from the external network received by external network receiving unit 201-02 contains the validation value, to compute with the specific algorithm over the characteristic data carried by the ping echo reply packet and verify whether the value obtained is identical to the validation value.
Decoding unit 205-02, used to decode the ping echo reply packet when authentication unit 204-0 verifies that the value computed with the specific algorithm over the characteristic data carried by the ping echo reply packet is identical to the validation value.
Outward transmitting unit 203-01, used to send to the external network the ping echo request packet encoded by coding unit 205-01.
Inward transmitting unit 203-02, used to send to the internal network the ping echo reply packet decoded by decoding unit 205-02.
Computing the validation value with a specific algorithm from the characteristic data carried by the original ping packet has the following advantage. Even if a malicious packet that tries to pass through the network security protection equipment into the internal network to carry out an attack forges a value identical to the validation value added to the option data field of the original ping packet, a packet's own characteristic data is usually specific to it. That is, if a packet has been tampered with or was malicious to begin with, its characteristic data will also have changed or will differ from that of a safe packet, and a value computed from that different characteristic data usually cannot pass verification. A validation value computed from specific characteristic data therefore offers higher security.
Compared with the "first mode", the second mode is better in that the network security protection equipment does not need to store the validation value. It only stamps each passing original ping packet with the validation value. When a check is needed for security reasons, the equipment uses the specific algorithm to compute a value from the characteristic data carried by the received ping echo reply packet; when this value is consistent with the validation value present in the option data field of the ping echo reply packet, the ping echo reply packet is judged to be safe. Relative to storing the complete content of the original ping packet or the second mode, this network security protection equipment saves the memory resources of the network security protection equipment.
Embodiment four of the network security protection equipment (the validation value is obtained by computing over characteristic data and a fixed value with a specific algorithm):
The detailed structure of embodiment four is the same as in Figure 9. This network security protection equipment comprises:
Primary receiving unit 201-01, used to receive the original ping packet.
External network receiving unit 201-02, used to receive the ping echo reply packet from the external network.
Acquiring unit 202-01, used to obtain the validation value by computing, with a specific algorithm, over a preset fixed value and the characteristic data carried by the original ping packet received by primary receiving unit 201-01.
Setting unit 202-02, used to add the computed validation value to the option data field of the original ping packet received by primary receiving unit 201-01.
Coding unit 205-01, used to encode the original ping packet to which the computed validation value has been added, obtaining a ping echo request packet.
Authentication unit 204-0, used, when the option data field of the ping echo reply packet from the external network received by external network receiving unit 201-02 contains the validation value, to compute with the specific algorithm over the fixed value and the characteristic data carried by the ping echo reply packet and verify whether the value obtained is identical to the validation value.
Decoding unit 205-02, used to decode the ping echo reply packet when authentication unit 204-0 verifies that the value computed with the specific algorithm over the fixed value and the characteristic data carried by the ping echo reply packet is identical to the validation value.
Outward transmitting unit 203-01, used to send to the external network the ping echo request packet encoded by coding unit 205-01.
Inward transmitting unit 203-02, used to send to the internal network the ping echo reply packet decoded by decoding unit 205-02.
Including the fixed value as a factor in computing the validation value increases the complexity of the computation, because the fixed value is held by the network security protection equipment and the external network cannot learn it. The probability that a disguised packet passes verification falls, and forging packets becomes harder for an attacker. This network security protection equipment needs to store the fixed value; compared with storing the complete content of the original ping packet, it saves the memory resources of the network security protection equipment.
Embodiment five of the network security protection equipment (a first validation value is obtained by computing over characteristic data and a fixed value with a specific algorithm, and the fixed value and the first validation value are added to the option data field as the validation value):
The detailed structure of embodiment five is the same as in Figure 9. This network security protection equipment comprises:
Primary receiving unit 201-01, used to receive the original ping packet.
External network receiving unit 201-02, used to receive the ping echo reply packet from the external network.
Acquiring unit 202-01, used to obtain a first validation value by computing, with a specific algorithm, over a preset fixed value and the characteristic data carried by the original ping packet.
Setting unit 202-02, used to add the first validation value and the fixed value, as the validation value, to the option data field of the original ping packet received by primary receiving unit 201-01.
Coding unit 205-01, used to encode the original ping packet to which the validation value has been added, obtaining a ping echo request packet.
Authentication unit 204-0, used, when the option data field of the ping echo reply packet from the external network received by external network receiving unit 201-02 contains the fixed value and contains the first validation value, to compute with the specific algorithm over the fixed value and the characteristic data carried by the ping echo reply packet and verify whether the value obtained is identical to the first validation value.
Decoding unit 205-02, used to decode the ping echo reply packet when authentication unit 204-0 verifies that the value computed with the specific algorithm over the fixed value and the characteristic data carried by the ping echo reply packet is identical to the first validation value.
Outward transmitting unit 203-01, used to send to the external network the ping echo request packet encoded by coding unit 205-01.
Inward transmitting unit 203-02, used to send to the internal network the ping echo reply packet decoded by decoding unit 205-02.
With the fixed value and the first validation value both added to the option data field, the equipment first verifies whether the fixed value is correct and then verifies whether a matching first validation value is present, so each received ping echo reply packet is verified twice. Besides having the advantage of the "third mode", namely saving the memory resources of the network security protection equipment compared with storing the complete content of the original ping packet, this network security protection equipment also provides a better protective effect.
In the four network security protection equipment modes above, the specific algorithm mentioned is the same as the one discussed in the method for encoding and decoding packets and protecting network security.
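The check that embodiment four describes, storing only the fixed value and recomputing the validation value from each reply, is shown here as an added Python example; it is not code from the patent. Assumptions: the "characteristic data" is taken to be the internal and external IP addresses, the ICMP identifier, the sequence number and the original option data; HMAC-SHA-256 truncated to 16 bytes stands in for the unspecified "hash algorithm"; `FIXED_VALUE`, the function names and the sample packets are constructed; the IP header length and checksum updates are not modeled.

```python
import hashlib
import hmac
import struct

FIXED_VALUE = b"constructed-fixed-value"  # constructed sample; held only by the equipment
TAG_LEN = 16                              # assumption: validation value truncated to 16 bytes
ECHO_REQUEST, ECHO_REPLY = 8, 0


def icmp_checksum(message: bytes) -> int:
    """Internet checksum (RFC 1071); returns 0 for a message whose checksum is valid."""
    if len(message) % 2:
        message += b"\x00"
    total = sum(struct.unpack(f"!{len(message) // 2}H", message))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """Build an ICMP echo message with a freshly computed checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    checksum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, 0, checksum, ident, seq) + data


def validation_value(inner_ip: str, outer_ip: str, ident: int, seq: int, data: bytes) -> bytes:
    """Keyed hash over the fixed value and the (assumed) characteristic data."""
    material = b"|".join([inner_ip.encode(), outer_ip.encode(),
                          struct.pack("!HH", ident, seq), data])
    return hmac.new(FIXED_VALUE, material, hashlib.sha256).digest()[:TAG_LEN]


def encode_request(src_ip: str, dst_ip: str, icmp: bytes) -> bytes:
    """Step 02: append the validation value to the option data, recompute the checksum."""
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ECHO_REQUEST:
        raise ValueError("not an echo request")
    data = icmp[8:]
    tag = validation_value(src_ip, dst_ip, ident, seq, data)
    return build_icmp(ECHO_REQUEST, ident, seq, data + tag)


def decode_reply(src_ip: str, dst_ip: str, icmp: bytes):
    """Steps 04/05: return the decoded reply, or None when the packet must be dropped."""
    if len(icmp) < 8 + TAG_LEN or icmp_checksum(icmp) != 0:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ECHO_REPLY or code != 0:
        return None
    data, tag = icmp[8:-TAG_LEN], icmp[-TAG_LEN:]
    # On a reply the internal host is the destination, so the roles are swapped.
    expected = validation_value(dst_ip, src_ip, ident, seq, data)
    if not hmac.compare_digest(tag, expected):
        return None
    return build_icmp(ECHO_REPLY, ident, seq, data)  # validation value stripped


def echo_reply_for(request: bytes) -> bytes:
    """Constructed stand-in for the external host: echo the option data unchanged."""
    _type, _code, _csum, ident, seq = struct.unpack("!BBHHH", request[:8])
    return build_icmp(ECHO_REPLY, ident, seq, request[8:])


if __name__ == "__main__":
    inner, outer = "10.0.0.5", "203.0.113.9"          # constructed addresses
    original = build_icmp(ECHO_REQUEST, 0x1234, 7, b"abcdefgh")
    outbound = encode_request(inner, outer, original)
    genuine = echo_reply_for(outbound)
    flood = build_icmp(ECHO_REPLY, 0x1234, 7, b"A" * 64)  # unsolicited reply
    print("genuine reply forwarded:", decode_reply(outer, inner, genuine) is not None)
    print("unsolicited reply forwarded:", decode_reply(outer, inner, flood) is not None)
```

A reply that verified once keeps verifying for as long as the fixed value is unchanged, since nothing in this validation value expires.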
In addition, in network environments with high confidentiality requirements, the option data field could be used to transmit secret data. Once the option data field has been encoded, obtaining the secret data becomes harder, which effectively blocks the transmission of secret data through a "ping tunnel (Ping Tunnel)".
Because the network security protection equipment uses the property that the option data field of a ping packet is unchanged over the round trip, and verifies under a unidirectional or bidirectional data flow whether the option data field of each received ping echo reply packet matches the validation value obtained, it guards effectively against ping flood attacks and can monitor ping packets while using little or no additional memory on the network security protection equipment.
A person of ordinary skill in the art will understand that all or part of the steps of the method embodiments above can be carried out by a program instructing the relevant hardware. The program can be stored on a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disc, or the like.
The method for protecting network security and the network security protection equipment provided by the embodiments of the invention have been described in detail above. Specific examples have been used to set out the principle and implementation of the invention, and the description of the embodiments above is intended only to help in understanding the method of the invention and its core idea. A person of ordinary skill in the art may, following the idea of the invention, make changes to the specific implementation and the scope of application. In summary, this description should not be construed as limiting the invention.

Claims (13)

1. A method for protecting network security, characterized by comprising:
Receiving an original ping packet, the original ping packet being an original ping echo request packet from the internal network;
Obtaining a validation value, and adding the validation value to the option data field of the original ping packet;
Encoding the original ping packet to which the validation value has been added, to obtain a ping echo request packet;
Sending the ping echo request packet to the external network;
Verifying whether the option data field of a ping echo reply packet from the external network includes a value matching the validation value;
When the option data field includes a value matching the validation value, decoding the ping echo reply packet;
Sending the decoded ping echo reply packet to the internal network.
2. The method for protecting network security according to claim 1, characterized in that the step of obtaining a validation value and adding the validation value to the option data field of the original ping packet comprises:
Obtaining a preset fixed value as the validation value, and adding the fixed value to the option data field of the original ping packet;
The step of verifying whether the option data field of a ping echo reply packet from the external network includes a value matching the validation value comprises:
Verifying whether the option data field of the ping echo reply packet from the external network contains the fixed value;
The step of decoding the ping echo reply packet when the option data field of the ping echo reply packet includes a value matching the validation value comprises:
When the option data field of the ping echo reply packet contains the fixed value, decoding the ping echo reply packet.
3. The method for protecting network security according to claim 1, characterized in that the step of obtaining a validation value and adding the validation value to the option data field of the original ping packet comprises:
Computing with a specific algorithm over the characteristic data carried by the original ping packet to obtain the validation value; adding the validation value to the option data field of the original ping packet;
The step of verifying whether the option data field of a ping echo reply packet from the external network includes a value matching the validation value comprises:
When the option data field of the ping echo reply packet from the external network contains the validation value, computing with the specific algorithm over the characteristic data carried by the ping echo reply packet, and verifying whether the value obtained is identical to the validation value;
The step of decoding the ping echo reply packet when the option data field of the ping echo reply packet includes a value matching the validation value comprises:
When the value computed with the specific algorithm over the characteristic data carried by the ping echo reply packet is identical to the validation value, decoding the ping echo reply packet.
4. The method for protecting network security according to claim 1, characterized in that the step of obtaining a validation value and adding the validation value to the option data field of the original ping packet comprises:
Computing with a specific algorithm over a preset fixed value and the characteristic data carried by the original ping packet to obtain the validation value; adding the validation value to the option data field of the original ping packet;
The step of verifying whether the option data field of a ping echo reply packet from the external network includes a value matching the validation value comprises:
When the option data field of the ping echo reply packet from the external network contains the validation value, computing with the specific algorithm over the fixed value and the characteristic data carried by the ping echo reply packet, and verifying whether the value obtained is identical to the validation value;
The step of decoding the ping echo reply packet when the option data field of the ping echo reply packet includes a value matching the validation value comprises:
When the value computed with the specific algorithm over the fixed value and the characteristic data carried by the ping echo reply packet is identical to the validation value, decoding the ping echo reply packet.
5. The method for protecting network security according to claim 1, characterized in that the step of obtaining a validation value and adding the validation value to the option data field of the original ping packet comprises:
Computing with a specific algorithm over a preset fixed value and the characteristic data carried by the original ping packet to obtain a first validation value; adding the first validation value and the fixed value, as the validation value, to the option data field of the original ping packet;
The step of verifying whether the option data field of a ping echo reply packet from the external network includes a value matching the validation value comprises:
When the option data field of the ping echo reply packet from the external network contains the fixed value and contains the first validation value, computing with the specific algorithm over the fixed value and the characteristic data carried by the ping echo reply packet, and verifying whether the value obtained is identical to the first validation value;
The step of decoding the ping echo reply packet when the option data field of the ping echo reply packet includes a value matching the validation value comprises:
When the value computed with the specific algorithm over the fixed value and the characteristic data carried by the ping echo reply packet is identical to the first validation value, decoding the ping echo reply packet.
6. The method for protecting network security according to any one of claims 3 to 5, characterized in that the specific algorithm is a hash algorithm.
7. Network security protection equipment, characterized by comprising:
A receiving unit, used to receive an original ping packet, the original ping packet being an original ping echo request packet from the internal network;
A verification setting unit, used to obtain a validation value and add the validation value to the option data field of the original ping packet received by the receiving unit;
An authentication unit, used to verify whether the option data field of a ping echo reply packet from the external network includes a value matching the validation value;
A codec unit, used to encode the original ping packet to which the validation value has been added, obtaining a ping echo request packet, and to decode the ping echo reply packet when the authentication unit verifies that the option data field includes a value matching the validation value;
A transmitting unit, used to send to the external network the ping echo request packet encoded by the codec unit, and to send to the internal network the ping echo reply packet decoded by the codec unit.
8. The network security protection equipment according to claim 7, characterized in that,
The receiving unit comprises:
A primary receiving unit, used to receive the original ping packet, the original ping packet being an original ping echo request packet from the internal network;
An external network receiving unit, used to receive the ping echo reply packet from the external network;
The verification setting unit comprises:
An acquiring unit, used to obtain the validation value;
A setting unit, used to add the validation value to the option data field of the original ping packet received by the primary receiving unit;
The codec unit comprises:
A coding unit, used to encode the original ping packet to which the setting unit has added the validation value, obtaining a ping echo request packet;
A decoding unit, used to decode the ping echo reply packet when the authentication unit verifies that the option data field of the ping echo reply packet includes a value matching the validation value;
The transmitting unit comprises:
An outward transmitting unit, used to send to the external network the ping echo request packet encoded by the coding unit;
An inward transmitting unit, used to send to the internal network the ping echo reply packet decoded by the decoding unit.
9. The network security protection equipment according to claim 8, characterized in that,
The acquiring unit is used to obtain a preset fixed value as the validation value;
The setting unit is used to add the fixed value to the option data field of the original ping packet received by the primary receiving unit;
The coding unit is used to encode the original ping packet to which the fixed value has been added, obtaining a ping echo request packet;
The authentication unit is used to verify whether the option data field of the ping echo reply packet from the external network, received by the external network receiving unit, contains a value identical to the fixed value;
The decoding unit is used to decode the ping echo reply packet when the authentication unit verifies that the option data field of the ping echo reply packet contains a value identical to the fixed value.
10. The network security protection equipment according to claim 8, characterized in that,
The acquiring unit is used to obtain the validation value by computing with a specific algorithm over the characteristic data carried by the original ping packet received by the primary receiving unit;
The setting unit is used to add the computed validation value to the option data field of the original ping packet received by the primary receiving unit;
The coding unit is used to encode the original ping packet to which the computed validation value has been added, obtaining a ping echo request packet;
The authentication unit is used, when the option data field of the ping echo reply packet from the external network received by the external network receiving unit contains the validation value, to compute with the specific algorithm over the characteristic data carried by the ping echo reply packet and verify whether the value obtained is identical to the validation value;
The decoding unit is used to decode the ping echo reply packet when the authentication unit verifies that the value computed with the specific algorithm over the characteristic data carried by the ping echo reply packet is identical to the validation value.
11. The network security protection equipment according to claim 8, characterized in that,
The acquiring unit is used to obtain the validation value by computing with a specific algorithm over a preset fixed value and the characteristic data carried by the original ping packet received by the primary receiving unit;
The setting unit is used to add the computed validation value to the option data field of the original ping packet received by the primary receiving unit;
The coding unit is used to encode the original ping packet to which the computed validation value has been added, obtaining a ping echo request packet;
The authentication unit is used, when the option data field of the ping echo reply packet from the external network received by the external network receiving unit contains the validation value, to compute with the specific algorithm over the fixed value and the characteristic data carried by the ping echo reply packet and verify whether the value obtained is identical to the validation value;
The decoding unit is used to decode the ping echo reply packet when the authentication unit verifies that the value computed with the specific algorithm over the fixed value and the characteristic data carried by the ping echo reply packet is identical to the validation value.
12. network security protection equipment according to claim 8 is characterized in that,
Described acquiring unit is used for carrying out computing according to the performance data that predefined fixed value and original ping data pack are carried with special algorithm and obtains first validation value;
Describedly option data field that the unit is used for the original ping data pack that receives in described primary reception unit is set adds described fixed value and carry out described first validation value that computing obtains as validation value;
Described coding unit is used for the original ping data pack that has added described validation value is encoded, and obtains ping echo request data package;
Described authentication unit is used for containing described fixed value and when the option data field of described ping echo reply data bag contains described first validation value when the option data field from the ping echo reply data bag of outer net that described outer net receiving element receives, and whether the performance data of utilizing described special algorithm to carry according to described fixed value and described ping echo reply data bag is carried out computing identical with described first validation value with the value of verifying computing and obtaining;
Described decoding unit is used for carrying out value that computing obtains when identical with described first validation value when the performance data that the checking of described authentication unit utilizes described special algorithm to carry according to described fixed value and described ping echo reply data bag, and described ping echo reply data bag is decoded.
13., it is characterized in that described special algorithm is a hash algorithm according to each described network security protection equipment of claim 10 to 12.
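The stateless check of claims 11 and 13, sketched as an added example that is not part of the patent text: the outbound path places a hash-derived validation value in the ping data field, and the inbound path recomputes it from the reply alone, with no session record. Assumptions: the option data field is modeled as the ICMP echo data field, the data carried by the packet is taken to be the two addresses, the identifier and the sequence number, HMAC-SHA256 keyed with the fixed value stands in for the unspecified hash algorithm, and all names and sample values are constructed.

```python
import hashlib
import hmac
import struct

FIXED_VALUE = b"constructed-fixed-value"  # predefined fixed value (constructed sample)
TAG_LEN = 16                              # bytes of validation value kept (assumption)

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def validation_value(inner_ip: str, outer_ip: str, ident: int, seq: int) -> bytes:
    """Hash over the fixed value and the data the packet itself carries (assumed fields)."""
    msg = f"{inner_ip}|{outer_ip}|{ident}|{seq}".encode()
    return hmac.new(FIXED_VALUE, msg, hashlib.sha256).digest()[:TAG_LEN]

def build_icmp(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """Serialize an ICMP echo message with a correct checksum."""
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def encode_request(inner_ip, outer_ip, ident, seq, payload: bytes) -> bytes:
    """Outbound path: add the validation value to the data field, emit type 8."""
    tag = validation_value(inner_ip, outer_ip, ident, seq)
    return build_icmp(8, ident, seq, tag + payload)

def verify_reply(inner_ip, outer_ip, packet: bytes):
    """Inbound path: return the decoded reply for the intranet, or None to drop."""
    if len(packet) < 8 + TAG_LEN or checksum(packet) != 0:
        return None
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != 0 or code != 0:
        return None
    tag, payload = packet[8:8 + TAG_LEN], packet[8 + TAG_LEN:]
    # Recompute from the reply's own fields; no session table is consulted.
    expected = validation_value(inner_ip, outer_ip, ident, seq)
    if not hmac.compare_digest(tag, expected):
        return None
    return build_icmp(0, ident, seq, payload)  # strip the tag, fix the checksum
```

Because nothing is recorded per request, a captured valid reply with the same addresses, identifier and sequence number verifies again; this sketch adds no time window to bound that.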
CN2009100084523A 2009-01-23 2009-01-23 Method for protecting network safety and network safety protecting equipment Expired - Fee Related CN101478546B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100084523A CN101478546B (en) 2009-01-23 2009-01-23 Method for protecting network safety and network safety protecting equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009100084523A CN101478546B (en) 2009-01-23 2009-01-23 Method for protecting network safety and network safety protecting equipment

Publications (2)

Publication Number Publication Date
CN101478546A CN101478546A (en) 2009-07-08
CN101478546B true CN101478546B (en) 2011-11-16

Family

ID=40839178

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009100084523A Expired - Fee Related CN101478546B (en) 2009-01-23 2009-01-23 Method for protecting network safety and network safety protecting equipment

Country Status (1)

Country Link
CN (1) CN101478546B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103581172A (en) * 2013-09-10 2014-02-12 昆山奥德鲁自动化技术有限公司 Method for achieving long-distance Ethernet TCP
CN103973480B (en) * 2014-04-09 2017-10-31 汉柏科技有限公司 Improve the device and method of cloud computing system user reponding time
CN103957213A (en) * 2014-05-05 2014-07-30 上海大亚科技有限公司 System and method for achieving network service opening and closing based on PING packet
WO2016008089A1 (en) * 2014-07-15 2016-01-21 Microsoft Technology Licensing, Llc Brokering data access requests and responses
CN105591830B (en) * 2014-10-23 2020-04-03 北京华为数字技术有限公司 Link packet change detection method and device
CN105939206B (en) * 2015-09-11 2019-09-06 天地融科技股份有限公司 The management method and system of electronic equipment
CN105306476B (en) * 2015-11-09 2018-09-11 北京奇虎科技有限公司 The PING packet inspection methods and device of DNS
CN105787303B (en) * 2016-03-22 2019-10-11 深圳森格瑞通信有限公司 A kind of built-in system software intellectual property protection method and protection system
CN107071079B (en) * 2017-03-07 2020-10-20 上海斐讯数据通信技术有限公司 Method and system for private network terminal to acquire public network IP
CN112261038B (en) * 2020-10-20 2021-08-06 苏州莱锦机电自动化有限公司 Big data acquisition method and system, computer equipment and storage medium thereof
CN113890844B (en) * 2021-09-17 2023-05-09 济南浪潮数据技术有限公司 Method, device, equipment and readable medium for optimizing ping command
CN113872953B (en) * 2021-09-18 2024-03-26 杭州迪普信息技术有限公司 Access message processing method and device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1650572A (en) * 2002-09-27 2005-08-03 松下电器产业株式会社 Group judgment device
CN101204067A (en) * 2005-06-20 2008-06-18 汤姆森特许公司 Method and devices for secure measurements of time-based distance between two devices

Also Published As

Publication number Publication date
CN101478546A (en) 2009-07-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee after: Huawei Symantec Technologies Co., Ltd.

Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee before: Chengdu Huawei Symantec Technologies Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20111116

Termination date: 20170123