CN102769703A - Mobile phone terminal and firewall monitoring method - Google Patents
Abstract
The embodiment of the invention discloses a mobile phone terminal and a firewall monitoring method, and relates to the field of information security. The method is used to enhance the functions of the firewall system on the mobile phone terminal. An AT firewall subsystem is arranged between the MODEM subsystem of the mobile phone terminal and the application processing subsystem. The method comprises the following steps: the AT firewall subsystem intercepts data that either one of the MODEM subsystem and the application processing subsystem sends to the other; the AT firewall subsystem judges, according to a preset transmission control rule, whether transmission of the intercepted data is permitted, transmits the intercepted data to the other party if it is permitted, and otherwise refuses to transmit the intercepted data to the other party. With this mobile phone terminal and firewall monitoring method, the functions of the firewall system on the mobile phone terminal can be enhanced.
Description
Technical field
The present invention relates to the field of information security, and in particular to a mobile phone terminal and a firewall monitoring method.
Background technology
The security threats faced by mobile phones increase day by day: besides viruses and malware that steal sensitive information, they can also cause large losses in communication fees. A firewall system designed for the mobile phone device therefore has very important significance.
At present, a mobile phone mainly comprises a modem (MODEM) subsystem and an application processing subsystem. The MODEM subsystem is mainly responsible for implementing the functions related to the wireless network and for managing the SIM card, and the application processing subsystem is mainly responsible for implementing the various services used by the user. Downlink data received by the mobile phone is passed through the MODEM subsystem to the application processing subsystem for processing, and uplink data generated by the application processing subsystem is sent out through the MODEM subsystem.
In the prior art, the SMS and call filtering function is implemented by adding interfaces such as number filtering and short message content filtering at the mobile phone application layer during development of the application processing subsystem. The problems of the prior art are mainly reflected in the following aspects:
First, the firewall function is implemented in the application layer, which makes it easy for viruses and malicious programs to use lower-level techniques to bypass the firewall restrictions. For example, after short message content received by the mobile phone has reached the application processing subsystem through the MODEM subsystem, even though a firewall module is provided in the application processing subsystem, a virus or malicious program may intercept the short message content before the firewall module performs number filtering, short message content filtering and similar operations, and then perform malicious operations on it.
Second, the control range is very limited: only simple filtering of numbers, short message content and the like can be performed, and flexible and comprehensive access control over circuit-switched domain and packet-switched domain services is absent or difficult to implement.
Summary of the invention
The embodiment of the invention provides a mobile phone terminal and a firewall monitoring method, used to enhance the function of the firewall system on the mobile phone terminal.
A mobile phone terminal, comprising a modem (MODEM) subsystem for implementing functions related to the wireless network and smart card management, and an application processing subsystem for implementing the various services used by the user, further comprises an AT firewall subsystem arranged between said MODEM subsystem and said application processing subsystem;
Said AT firewall subsystem is used for: intercepting data sent by either one of said MODEM subsystem and said application processing subsystem to the other; determining, according to a predefined transmission control rule, whether transmission of the intercepted data is allowed; if allowed, sending the intercepted data to the other party, otherwise refusing to send the intercepted data to the other party.
A firewall monitoring method, the method comprising:
an AT firewall subsystem intercepting data sent by either one of a MODEM subsystem and an application processing subsystem to the other;
the AT firewall subsystem determining, according to a predefined transmission control rule, whether transmission of the intercepted data is allowed, and if allowed, sending the intercepted data to the other party, otherwise refusing to send the intercepted data to the other party.
In this scheme, an AT firewall subsystem is set between the MODEM subsystem and the application processing subsystem of the mobile phone terminal; the AT firewall subsystem intercepts data sent by either one of the MODEM subsystem and the application processing subsystem to the other, determines according to a predefined transmission control rule whether transmission of the intercepted data is allowed, and if allowed sends the intercepted data to the other party, otherwise refuses to send it. Thus, by setting an AT firewall subsystem between the MODEM subsystem and the application processing subsystem and having it control the data transmission between the two, this scheme can effectively prevent the MODEM subsystem from sending malicious data from the network, or data the user is not authorised to receive, to the application processing subsystem, and can likewise effectively prevent the application processing subsystem from sending malicious data it has generated, or data the user is not authorised to send, to the MODEM subsystem. Compared with prior-art firewall systems that can only perform simple filtering of numbers, short message content and the like, the present invention can monitor any data transmitted between the MODEM subsystem and the application processing subsystem of the mobile phone terminal, including circuit-switched domain and packet-switched domain service data, so the firewall monitoring system provided by the invention is more powerful.
Description of drawings
Fig. 1 is a schematic diagram of the system structure provided by the embodiment of the invention;
Fig. 2 is a schematic flow diagram of the method provided by the embodiment of the invention;
Fig. 3 is a schematic flow diagram of Embodiment one of the invention.
Embodiment
In order to enhance the function of the firewall system on the mobile phone terminal, the embodiment of the invention provides a mobile phone terminal in which an AT firewall subsystem is set between the MODEM subsystem and the application processing subsystem. The AT firewall subsystem intercepts data sent by either one of the MODEM subsystem and the application processing subsystem to the other, determines according to a predefined transmission control rule whether transmission of the intercepted data is allowed, and if allowed sends the intercepted data to the other party; otherwise it refuses to send the intercepted data to the other party.
Referring to Fig. 1, the mobile phone terminal provided by the embodiment of the invention comprises a MODEM subsystem 10 for implementing functions related to the wireless network and smart card management, and an application processing subsystem 11 for implementing the various services used by the user, and further comprises an AT firewall subsystem 12 arranged between said MODEM subsystem 10 and said application processing subsystem 11;
AT firewall subsystem 12 is used for: intercepting data sent by either one of MODEM subsystem 10 and application processing subsystem 11 to the other; determining according to a predefined transmission control rule whether transmission of the intercepted data is allowed; if allowed, sending the intercepted data to the other party, otherwise refusing to send the intercepted data to the other party.
Further, AT firewall subsystem 12 comprises an access discrimination interface module 120 and a rule storage module 121, wherein:
Rule storage module 121 is used for storing the transmission control rules.
Preferably, after access discrimination interface module 120 determines, according to the transmission control rule it has read, that transmission of the intercepted data is not allowed, it may issue a prompt asking whether to abandon this data transmission; after the user chooses to abandon it, it refuses to send the intercepted data to the other party and discards the data.
Further, AT firewall subsystem 12 further comprises:
an access control interface module 122, used for performing at least one of the following operations:
Operation one: receiving a transmission control rule sent by application processing subsystem 11, and storing the transmission control rule in rule storage module 121;
Specifically, after the user selects the rule-setting menu item, application processing subsystem 11 prompts the user to enter verification information (such as a password) for authentication; after authentication passes, it displays to the user the transmission control rules currently stored in rule storage module 121; the user can edit the displayed transmission control rules, including adding, deleting and modifying them; after the user finishes editing the displayed transmission control rules, the edited transmission control rules are sent to access control interface module 122 of AT firewall subsystem 12; after access control interface module 122 receives the transmission control rules sent by application processing subsystem 11, it stores the received transmission control rules in rule storage module 121.
Operation two: receiving a firewall state setting request sent by application processing subsystem 11, and setting the state of AT firewall subsystem 12 to open or closed according to the firewall state setting request;
Specifically, after the user selects the state-setting menu item, application processing subsystem 11 prompts the user to enter verification information (such as a password) for authentication; after authentication passes, it prompts the user to enter the state (such as open or closed) to which AT firewall subsystem 12 is to be set; after the user has entered the state information, it sends a firewall state setting request carrying the state information entered by the user to access control interface module 122 of AT firewall subsystem 12; after access control interface module 122 receives the firewall state setting request sent by application processing subsystem 11, it sets the state of AT firewall subsystem 12 to the user-entered state carried in the request.
Operation three: receiving a firewall state query request sent by application processing subsystem 11, determining the current state of AT firewall subsystem 12, and returning the determined result to application processing subsystem 11. Application processing subsystem 11 may display the current state of AT firewall subsystem 12.
Specifically, after the user selects the state-query menu item, application processing subsystem 11 prompts the user to enter verification information (such as a password) for authentication; after authentication passes, it sends a firewall state query request to access control interface module 122 of AT firewall subsystem 12; after access control interface module 122 receives the firewall state query request sent by application processing subsystem 11, it determines the current state of AT firewall subsystem 12 from the state flag bit of AT firewall subsystem 12 and sends the current state information of AT firewall subsystem 12 to application processing subsystem 11, which displays the current state of firewall subsystem 12 to the user. The state flag bit of AT firewall subsystem 12 may be set in AT firewall subsystem 12 in advance, and its initial value may be set to open or closed.
Further, AT firewall subsystem 12 further comprises:
a log management interface module 123, used for recording information on the intercepted data that access discrimination interface module 120 has allowed and/or refused to send to the other party, and, after receiving a log query request sent by application processing subsystem 11, returning the recorded information to application processing subsystem 11. Application processing subsystem 11 may display the received information.
Specifically, after the user selects the log-query menu item, application processing subsystem 11 prompts the user to enter verification information (such as a password) for authentication; after authentication passes, it sends a log query request to log management interface module 123 of AT firewall subsystem 12; after log management interface module 123 receives the log query request sent by application processing subsystem 11, it returns the recorded information to application processing subsystem 11.
Further, access discrimination interface module 120 is used for: when reading the transmission control rules stored in the rule storage module, determining the service type to which the intercepted data corresponds, and reading from the rule storage module the transmission control rule corresponding to that service type.
For example:
Example 1: when the intercepted data is data sent by application processing subsystem 11 to MODEM subsystem 10 and the service type corresponding to the intercepted data is the call service, the transmission control rule for this service type may comprise the called numbers that have calling permission. In this case, access discrimination interface module 120 determines whether to allow transmission of the intercepted data as follows: it judges whether the called number in the intercepted data is included in the transmission control rule; if so, it determines that transmission of the intercepted data is allowed, otherwise transmission of the intercepted data is not allowed.
When the intercepted data is data sent by MODEM subsystem 10 to application processing subsystem 11 and the service type corresponding to the intercepted data is the call service, the transmission control rule for this service type may comprise the calling numbers that have call-receiving permission. In this case, access discrimination interface module 120 determines whether to allow transmission of the intercepted data as follows: it judges whether the calling number in the intercepted data is included in the transmission control rule; if so, it determines that transmission of the intercepted data is allowed, otherwise transmission of the intercepted data is not allowed.
In this case the intercepted data is an AT command.
Example 2: when the intercepted data is data sent by application processing subsystem 11 to MODEM subsystem 10 and the service type corresponding to the intercepted data is the SMS service, the transmission control rule for this service type may comprise the called numbers that have SMS-receiving permission. In this case, access discrimination interface module 120 determines whether to allow transmission of the intercepted data as follows: it judges whether the called number in the intercepted data is included in the transmission control rule; if so, it determines that transmission of the intercepted data is allowed, otherwise transmission of the intercepted data is not allowed.
When the intercepted data is data sent by MODEM subsystem 10 to application processing subsystem 11 and the service type corresponding to the intercepted data is the SMS service, the transmission control rule for this service type may comprise keywords contained in rejected messages. In this case, access discrimination interface module 120 determines whether to allow transmission of the intercepted data as follows: it judges whether the short message content in the intercepted data contains a keyword from the transmission control rule; if so, it determines that transmission of the intercepted data is not allowed, otherwise transmission of the intercepted data is allowed.
In this case the intercepted data is an AT command.
Example 3: when the intercepted data is data sent by application processing subsystem 11 to MODEM subsystem 10 and the service type corresponding to the intercepted data is the network service, the transmission control rule for this service type may comprise the domain names of websites that are allowed to be accessed. In this case, access discrimination interface module 120 determines whether to allow transmission of the intercepted data as follows: it judges whether the domain name in the intercepted data is included in the transmission control rule; if so, it determines that transmission of the intercepted data is allowed, otherwise transmission of the intercepted data is not allowed.
When the intercepted data is data sent by MODEM subsystem 10 to application processing subsystem 11 and the service type corresponding to the intercepted data is the network service, the transmission control rule for this service type may comprise the IP addresses of websites that are allowed to be accessed. In this case, access discrimination interface module 120 determines whether to allow transmission of the intercepted data as follows: it judges whether the source IP address in the intercepted data is included in the transmission control rule; if so, it determines that transmission of the intercepted data is allowed, otherwise transmission of the intercepted data is not allowed.
In this case the intercepted data is protocol data, such as HTTP data.
Example 4: when the intercepted data is data sent by application processing subsystem 11 to MODEM subsystem 10 and the service type corresponding to the intercepted data is the e-mail service, the transmission control rule for this service type may comprise the names of mailboxes that are allowed to communicate. In this case, access discrimination interface module 120 determines whether to allow transmission of the intercepted data as follows: it judges whether the mailbox name in the intercepted data is included in the transmission control rule; if so, it determines that transmission of the intercepted data is allowed, otherwise transmission of the intercepted data is not allowed.
When the intercepted data is data sent by MODEM subsystem 10 to application processing subsystem 11 and the service type corresponding to the intercepted data is the e-mail service, the transmission control rule for this service type may comprise keywords contained in spam. In this case, access discrimination interface module 120 determines whether to allow transmission of the intercepted data as follows: it judges whether the intercepted data contains a keyword from the transmission control rule; if so, it determines that transmission of the intercepted data is not allowed, otherwise transmission of the intercepted data is allowed.
In this case the intercepted data is protocol data, such as HTTP data.
Further, the data intercepted by AT firewall subsystem 12, that is, the data transmitted between MODEM subsystem 10 and application processing subsystem 11, is an AT command or protocol data.
Referring to Fig. 2, the embodiment of the invention provides a firewall monitoring method, comprising the following steps:
Step 20: an AT firewall subsystem intercepts data sent by either one of the MODEM subsystem and the application processing subsystem to the other;
Step 21: the AT firewall subsystem determines according to a predefined transmission control rule whether transmission of the intercepted data is allowed; if allowed, it sends the intercepted data to the other party, otherwise it refuses to send the intercepted data to the other party.
Specifically, the access discrimination interface module of the AT firewall subsystem intercepts data sent by either one of the MODEM subsystem and said application processing subsystem to the other, reads the transmission control rules stored in the rule storage module, and determines according to the rules read whether transmission of the intercepted data is allowed; if allowed, it sends the intercepted data to the other party, otherwise it refuses to send the intercepted data to the other party.
Preferably, after the access discrimination interface module determines, according to the transmission control rule it has read, that transmission of the intercepted data is not allowed, it may issue a prompt asking whether to abandon this data transmission; after the user chooses to abandon it, it refuses to send the intercepted data to the other party and discards the data.
Preferably, the access control interface module of the AT firewall subsystem may perform at least one of the following operations:
Operation one: receiving a transmission control rule sent by the application processing subsystem, and storing the transmission control rule in the rule storage module;
Specifically, after the user selects the rule-setting menu item, the application processing subsystem prompts the user to enter verification information (such as a password) for authentication; after authentication passes, it displays to the user the transmission control rules currently stored in the rule storage module; the user can edit the displayed transmission control rules, including adding, deleting and modifying them; after the user finishes editing the displayed transmission control rules, the edited transmission control rules are sent to the access control interface module of the AT firewall subsystem; after the access control interface module receives the transmission control rules sent by the application processing subsystem, it stores the received transmission control rules in the rule storage module.
Operation two: receiving a firewall state setting request sent by the application processing subsystem, and setting the state of the AT firewall subsystem to open or closed according to the firewall state setting request;
Specifically, after the user selects the state-setting menu item, the application processing subsystem prompts the user to enter verification information (such as a password) for authentication; after authentication passes, it prompts the user to enter the state (such as open or closed) to which the AT firewall subsystem is to be set; after the user has entered the state information, it sends a firewall state setting request carrying the state information entered by the user to the access control interface module of the AT firewall subsystem; after the access control interface module receives the firewall state setting request sent by the application processing subsystem, it sets the state of the AT firewall subsystem to the user-entered state carried in the request.
Operation three: receiving a firewall state query request sent by the application processing subsystem, determining the current state of the AT firewall subsystem, and returning the determined result to the application processing subsystem. The application processing subsystem may display the current state of the AT firewall subsystem.
Specifically, after the user selects the state-query menu item, the application processing subsystem prompts the user to enter verification information (such as a password) for authentication; after authentication passes, it sends a firewall state query request to the access control interface module of the AT firewall subsystem; after the access control interface module receives the firewall state query request sent by the application processing subsystem, it determines the current state of the AT firewall subsystem from the state flag bit of the AT firewall subsystem and sends the current state information of the AT firewall subsystem to the application processing subsystem, which displays the current state of the firewall subsystem to the user. The state flag bit of the AT firewall subsystem may be set in the AT firewall subsystem in advance, and its initial value may be set to open or closed.
Preferably, the log management interface module of the AT firewall subsystem may record information on the intercepted data that the access discrimination interface module has allowed and/or refused to send to the other party, and, after receiving a user-initiated log query request sent by the application processing subsystem, return the recorded information to said application processing subsystem. The application processing subsystem may display the received information.
Specifically, after the user selects the log-query menu item, the application processing subsystem prompts the user to enter verification information (such as a password) for authentication; after authentication passes, it sends a log query request to the log management interface module of the AT firewall subsystem; after the log management interface module receives the log query request sent by the application processing subsystem, it returns the recorded information to the application processing subsystem.
Preferably, when the access discrimination interface module reads the transmission control rules stored in the rule storage module, it first determines the service type to which the intercepted data corresponds, and then reads from the rule storage module the transmission control rule corresponding to that service type.
Embodiment one:
As shown in Fig. 3, the specific flow is as follows:
Step 30: after the user initiates a call on the mobile phone, the application processing subsystem of the mobile phone sends the call-related AT command to the MODEM subsystem;
Step 31: the AT firewall subsystem of the mobile phone intercepts the AT command sent by the application processing subsystem and determines according to a predefined transmission control rule whether transmission of the intercepted AT command is allowed; if allowed, it sends the intercepted AT command to the MODEM subsystem, which sends the AT command over the network to carry out the call service; otherwise it refuses to send the intercepted AT command to the MODEM subsystem;
Step 32: the MODEM subsystem of the mobile phone receives a call-related AT command from the network, and sends this AT command to the application processing subsystem;
Step 33: the AT firewall subsystem of the mobile phone intercepts the AT command sent by the MODEM subsystem and determines according to a predefined transmission control rule whether transmission of the intercepted AT command is allowed; if allowed, it sends the intercepted AT command to the application processing subsystem, which carries out the call service according to this AT command; otherwise it refuses to send the intercepted AT command to the application processing subsystem.
Embodiment two:
Step 1: after the user initiates sending a short message on the mobile phone, the application processing subsystem of the mobile phone sends the SMS-related AT command to the MODEM subsystem;
Step 2: the AT firewall subsystem of the mobile phone intercepts the AT command sent by the application processing subsystem and determines according to a predefined transmission control rule whether transmission of the intercepted AT command is allowed; if allowed, it sends the intercepted AT command to the MODEM subsystem, which sends the AT command over the network to carry out the SMS sending service; otherwise it refuses to send the intercepted AT command to the MODEM subsystem;
Step 3: the MODEM subsystem of the mobile phone receives an SMS-related AT command from the network, and sends this AT command to the application processing subsystem;
Step 4: the AT firewall subsystem of the mobile phone intercepts the AT command sent by the MODEM subsystem and determines according to a predefined transmission control rule whether transmission of the intercepted AT command is allowed; if allowed, it sends the intercepted AT command to the application processing subsystem, which displays the short message carried in this AT command; otherwise it refuses to send the intercepted AT command to the application processing subsystem.
Embodiment three:
Step 1: after the user initiates an Internet access service on the mobile phone, the application processing subsystem of the mobile phone sends the protocol data related to obtaining network data to the MODEM subsystem;
Step 2: the AT firewall subsystem of the mobile phone intercepts the protocol data sent by the application processing subsystem and determines, according to the predefined transmission control rule, whether the intercepted protocol data is allowed to be transmitted; if allowed, the intercepted protocol data is delivered to the MODEM subsystem, and the MODEM subsystem sends the protocol data over the network to obtain the network data; otherwise, delivery of the intercepted protocol data to the MODEM subsystem is refused;
Step 3: the MODEM subsystem of the mobile phone receives, from the network, the protocol data related to receiving the network data, and the MODEM subsystem sends this protocol data to the application processing subsystem;
Step 4: the AT firewall subsystem of the mobile phone intercepts the protocol data sent by the MODEM subsystem and determines, according to the predefined transmission control rule, whether the intercepted protocol data is allowed to be transmitted; if allowed, the intercepted protocol data is delivered to the application processing subsystem, which displays the network data carried in this protocol data; otherwise, delivery of the intercepted protocol data to the application processing subsystem is refused.
Embodiment four:
Step 1: after the user initiates an e-mail sending service on the mobile phone, the application processing subsystem of the mobile phone sends the protocol data related to sending the e-mail to the MODEM subsystem;
Step 2: the AT firewall subsystem of the mobile phone intercepts the protocol data sent by the application processing subsystem and determines, according to the predefined transmission control rule, whether the intercepted protocol data is allowed to be transmitted; if allowed, the intercepted protocol data is delivered to the MODEM subsystem, and the MODEM subsystem sends the protocol data over the network to send the e-mail; otherwise, delivery of the intercepted protocol data to the MODEM subsystem is refused;
Step 3: the MODEM subsystem of the mobile phone receives, from the network, the protocol data related to receiving e-mail, and the MODEM subsystem sends this protocol data to the application processing subsystem;
Step 4: the AT firewall subsystem of the mobile phone intercepts the protocol data sent by the MODEM subsystem and determines, according to the predefined transmission control rule, whether the intercepted protocol data is allowed to be transmitted; if allowed, the intercepted protocol data is delivered to the application processing subsystem, which displays the e-mail information carried in this protocol data; otherwise, delivery of the intercepted protocol data to the application processing subsystem is refused.
In summary, the beneficial effects of the present invention include:
In the solution provided by the embodiments of the present invention, an AT firewall subsystem is arranged between the MODEM subsystem and the application processing subsystem of the mobile phone terminal. The AT firewall subsystem intercepts data sent from either of the MODEM subsystem and the application processing subsystem to the other, determines according to a predefined transmission control rule whether the intercepted data is allowed to be transmitted, delivers the intercepted data to the other party if allowed, and otherwise refuses to deliver the intercepted data to the other party. It can thus be seen that, by arranging the AT firewall subsystem between the MODEM subsystem and the application processing subsystem so that data transfer between the two is controlled by the AT firewall subsystem, this solution can effectively prevent the MODEM subsystem from sending malicious data from the network, or data the user is not authorized to receive, to the application processing subsystem, and can likewise effectively prevent the application processing subsystem from sending malicious data it generates, or data the user is not authorized to send, to the MODEM subsystem. Compared with prior-art firewall systems that can only perform simple filtering on numbers, short message content and the like, the present invention can monitor any data transferred between the MODEM subsystem and the application processing subsystem of the mobile phone terminal, including monitoring of both circuit-switched domain and packet-switched domain service data, so the firewall monitoring system provided by the present invention is more powerful.
At the same time, because the present invention places the AT firewall subsystem between the MODEM subsystem and the application processing subsystem, the mobile phone terminal it provides is more secure than the prior art, in which firewall functionality is implemented at the application layer, for two reasons. First, in the prior art the data of the MODEM subsystem is sent directly to the application processing subsystem, whereas in the present invention the data of the MODEM subsystem can reach the application processing subsystem only after passing through the filtering of the AT firewall subsystem. Second, in the prior art the data of the application processing subsystem may be intercepted by a virus, rogue program or the like and used for malicious operations before the firewall module performs number filtering, short message content filtering and similar operations, whereas in the present invention all data sent by the application processing subsystem must pass through the filtering of the AT firewall subsystem, which therefore effectively prevents malicious data from being transferred to the MODEM subsystem.
Further, an access control interface module (which may be implemented in software) is provided in the AT firewall subsystem of the present invention, through which an external application program can set, update and query the transmission control rules and the state of the AT firewall subsystem; that is, the present invention provides a unified API (application programming interface) for external applications to call, thereby improving the flexibility and applicability of the AT firewall subsystem.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus that implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is executed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they have grasped the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as covering the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these changes and modifications of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include these changes and modifications.
Claims (10)
1. A mobile phone terminal, comprising a modulation and demodulation (MODEM) subsystem for implementing functions related to the wireless network and smart card management, and an application processing subsystem for implementing the various services used by the user, characterized in that it further comprises: an AT firewall subsystem arranged between said MODEM subsystem and said application processing subsystem;
said AT firewall subsystem is configured to: intercept data sent from either of said MODEM subsystem and said application processing subsystem to the other; determine, according to a predefined transmission control rule, whether the intercepted data is allowed to be transmitted; if allowed, deliver the intercepted data to the other party, and otherwise refuse to deliver the intercepted data to the other party.
2. The mobile phone terminal according to claim 1, characterized in that said AT firewall subsystem comprises:
an access discrimination interface module, configured to intercept data sent from either of said MODEM subsystem and said application processing subsystem to the other, read the transmission control rule stored in a rule storage module, determine according to the read transmission control rule whether the intercepted data is allowed to be transmitted, and if allowed deliver the intercepted data to the other party, otherwise refuse to deliver the intercepted data to the other party;
a rule storage module, configured to store the transmission control rule.
3. The mobile phone terminal according to claim 2, characterized in that said AT firewall subsystem further comprises:
an access control interface module, configured to perform at least one of the following operations:
operation one: receiving a transmission control rule sent by said application processing subsystem, and storing this transmission control rule in said rule storage module;
operation two: receiving a firewall state setting request sent by said application processing subsystem, and setting the state of the AT firewall subsystem to open or closed according to the state requested by this firewall state setting request;
operation three: receiving a firewall state query request sent by said application processing subsystem, determining the current state of the AT firewall subsystem, and returning the determined result to said application processing subsystem.
4. The mobile phone terminal according to claim 2, characterized in that said AT firewall subsystem further comprises:
a log management interface module, configured to record information on the intercepted data that said access discrimination interface module allowed and/or refused to deliver to the other party, and, after receiving a log query request sent by said application processing subsystem, to return the recorded information to said application processing subsystem.
5. The mobile phone terminal according to claim 2, characterized in that said access discrimination interface module is configured to:
when reading the transmission control rule stored in the rule storage module, determine the service type corresponding to the intercepted data, and read from the rule storage module the transmission control rule corresponding to this service type.
6. A firewall monitoring method, characterized in that the method comprises:
an AT firewall subsystem intercepting data sent from either of a MODEM subsystem and an application processing subsystem to the other;
the AT firewall subsystem determining, according to a predefined transmission control rule, whether the intercepted data is allowed to be transmitted, and if allowed delivering the intercepted data to the other party, otherwise refusing to deliver the intercepted data to the other party.
7. The method according to claim 6, characterized in that an access discrimination interface module of said AT firewall subsystem intercepts data sent from either of said MODEM subsystem and said application processing subsystem to the other, reads the transmission control rule stored in a rule storage module, determines according to the read transmission control rule whether the intercepted data is allowed to be transmitted, and if allowed delivers the intercepted data to the other party, otherwise refuses to deliver the intercepted data to the other party.
8. The method according to claim 7, characterized in that it further comprises: an access control interface module of said AT firewall subsystem performing at least one of the following operations:
operation one: receiving a transmission control rule sent by said application processing subsystem, and storing this transmission control rule in said rule storage module;
operation two: receiving a firewall state setting request sent by said application processing subsystem, and setting the state of the AT firewall subsystem to open or closed according to the state requested by this firewall state setting request;
operation three: receiving a firewall state query request sent by said application processing subsystem, determining the current state of the AT firewall subsystem, and returning the determined result to said application processing subsystem.
9. The method according to claim 7, characterized in that it further comprises:
a log management interface module of said AT firewall subsystem recording information on the intercepted data that said access discrimination interface module allowed and/or refused to deliver to the other party, and, after receiving a user-initiated log query request sent by said application processing subsystem, returning the recorded information to said application processing subsystem.
10. The method according to claim 7, characterized in that the step of said access discrimination interface module reading the transmission control rule stored in the rule storage module comprises:
said access discrimination interface module determining the service type corresponding to the intercepted data, and reading from the rule storage module the transmission control rule corresponding to this service type.
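As an added, constructed example (not code from the patent or its applicant), the following Python simulation walks through the four embodiments above and the module structure of claims 1 to 5 and 10: an access discrimination module sits between the MODEM and application processing subsystems, reads only the rules stored for the intercepted data's service type, allows or refuses delivery, records each decision in a log module, and exposes the access control interface (set rule, set state, query state) of claim 3. The AT command prefixes used to classify service types, the rule patterns, the phone numbers and addresses, and the default-allow policy for data that matches no rule are all assumptions of this example.

```python
"""Added simulation of the AT firewall subsystem between the MODEM and application
processing subsystems.  AT command prefixes, numbers, addresses and rules are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

AP_TO_MODEM = "ap_to_modem"   # data leaving the application processing subsystem
MODEM_TO_AP = "modem_to_ap"   # data arriving from the network through the MODEM

@dataclass
class Rule:
    service: str     # "call", "sms", "data" or "email" (one per embodiment)
    direction: str   # AP_TO_MODEM or MODEM_TO_AP
    pattern: str     # regular expression matched against the intercepted data
    action: str      # "allow" or "deny"

class RuleStorageModule:
    """Claim 2: stores transmission control rules, keyed by service type."""
    def __init__(self) -> None:
        self._rules: Dict[str, List[Rule]] = {}
    def store(self, rule: Rule) -> None:
        self._rules.setdefault(rule.service, []).append(rule)
    def rules_for(self, service: str) -> List[Rule]:
        return list(self._rules.get(service, []))

# The patent lists no AT commands; these service-type prefixes are assumptions.
_SERVICE_PATTERNS = [
    ("call", re.compile(r"^(ATD|ATA|ATH|RING|\+CLIP|\+CLCC)", re.I)),
    ("sms", re.compile(r"^(AT\+CMG[SW]|AT\+CMSS|\+CMTI?:)", re.I)),
    ("email", re.compile(r"^(EHLO|HELO|MAIL FROM:|RCPT TO:)", re.I)),
]

def classify_service(data: str) -> str:
    """Claims 5 and 10: determine the service type, so only its rules are read."""
    for service, pattern in _SERVICE_PATTERNS:
        if pattern.search(data):
            return service
    return "data"   # anything else is treated as packet-switched protocol data

class LogManagementInterfaceModule:
    """Claim 4: records every allow/deny decision and answers log queries."""
    def __init__(self) -> None:
        self._records: List[dict] = []
    def record(self, direction: str, service: str, data: str, allowed: bool) -> None:
        self._records.append(dict(direction=direction, service=service, data=data, allowed=allowed))
    def query(self, allowed: Optional[bool] = None) -> List[dict]:
        return [r for r in self._records if allowed is None or r["allowed"] == allowed]

class AccessDiscriminationInterfaceModule:
    """Claim 2: intercepts data, reads the rules for its service type and decides."""
    def __init__(self, rules: RuleStorageModule, log: LogManagementInterfaceModule,
                 default_allow: bool = True) -> None:
        self.rules, self.log, self.default_allow = rules, log, default_allow
    def filter(self, direction: str, data: str) -> bool:
        service = classify_service(data)
        matched = next((r for r in self.rules.rules_for(service)
                        if r.direction == direction and re.search(r.pattern, data)), None)
        # First matching rule wins; without a rule the configured default applies (assumption).
        allowed = self.default_allow if matched is None else matched.action == "allow"
        self.log.record(direction, service, data, allowed)
        return allowed

class ATFirewallSubsystem:
    """Claim 1 data path (transmit) plus the claim 3 access control interface."""
    def __init__(self, default_allow: bool = True) -> None:
        self.rules = RuleStorageModule()
        self.log = LogManagementInterfaceModule()
        self.judge = AccessDiscriminationInterfaceModule(self.rules, self.log, default_allow)
        self.enabled = True
    def set_rule(self, rule: Rule) -> None:
        self.rules.store(rule)
    def set_state(self, on: bool) -> None:
        self.enabled = on
    def query_state(self) -> str:
        return "open" if self.enabled else "closed"
    def transmit(self, direction: str, data: str) -> bool:
        # True: the intercepted data is delivered to the other subsystem; False: refused.
        if not self.enabled:
            return True   # firewall closed: pass data through unchecked (assumption)
        return self.judge.filter(direction, data)

def build_demo_firewall() -> ATFirewallSubsystem:
    """Constructed deny rules: one dial-out prefix, one caller, one SMS short code, one mail domain."""
    fw = ATFirewallSubsystem()
    fw.set_rule(Rule("call", AP_TO_MODEM, r"^ATD\+?1900", "deny"))
    fw.set_rule(Rule("call", MODEM_TO_AP, r'^\+CLIP: "\+8610000"', "deny"))
    fw.set_rule(Rule("sms", AP_TO_MODEM, r'^AT\+CMGS="1066', "deny"))
    fw.set_rule(Rule("email", MODEM_TO_AP, r"@spam\.example>", "deny"))
    return fw

def run_embodiments(fw: ATFirewallSubsystem) -> Dict[str, bool]:
    """One constructed exchange per embodiment; True = delivered, False = refused."""
    return {
        "call_out_ok": fw.transmit(AP_TO_MODEM, "ATD+8613800000000;"),
        "call_out_premium": fw.transmit(AP_TO_MODEM, "ATD+19001234567;"),
        "call_in_blocked": fw.transmit(MODEM_TO_AP, '+CLIP: "+8610000",145'),
        "sms_out_premium": fw.transmit(AP_TO_MODEM, 'AT+CMGS="10660000"'),
        "sms_in": fw.transmit(MODEM_TO_AP, '+CMT: "+8613900000000",,"12/07/17,10:00:00+32"'),
        "data_out": fw.transmit(AP_TO_MODEM, "GET /index.html HTTP/1.1"),
        "email_in_blocked": fw.transmit(MODEM_TO_AP, "MAIL FROM:<news@spam.example>"),
    }
```

The point the simulation makes about the patent's design: because every exchange in both directions passes `transmit`, the log module sees the refused premium-rate dial-out and short-code SMS originating on the application side as well as the refused caller and mail originating on the network side, which is exactly what an application-layer filter placed above a compromised application processing subsystem cannot guarantee. Switching the firewall to closed via `set_state(False)` makes `transmit` pass everything through, so a deployment would want that operation restricted to a trusted caller.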
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2012102485417A CN102769703A (en) | 2012-07-17 | 2012-07-17 | Mobile phone terminal and firewall monitoring method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2012102485417A CN102769703A (en) | 2012-07-17 | 2012-07-17 | Mobile phone terminal and firewall monitoring method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN102769703A true CN102769703A (en) | 2012-11-07 |
Family
ID=47096950
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2012102485417A Pending CN102769703A (en) | 2012-07-17 | 2012-07-17 | Mobile phone terminal and firewall monitoring method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102769703A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105723660A (en) * | 2013-11-11 | 2016-06-29 | 罗斯伯格系统公司 | Telecommunications system |
CN108476213A (en) * | 2016-01-22 | 2018-08-31 | 高通股份有限公司 | To detect and abandon the potential danger received in a manner of aerial on the wireless device payload device |
CN109167777A (en) * | 2018-08-28 | 2019-01-08 | 西安工业大学 | A kind of cell phone intelligent terminal firewall device |
CN114172860A (en) * | 2020-09-11 | 2022-03-11 | 华为技术有限公司 | Mail processing method and device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101282514A (en) * | 2008-05-19 | 2008-10-08 | 德信无线通讯科技(北京)有限公司 | Method and system for filtering communication contents |
CN101984692A (en) * | 2010-11-15 | 2011-03-09 | 中兴通讯股份有限公司 | Method and device for preventing malicious software from transmitting data |
CN102006569A (en) * | 2009-09-03 | 2011-04-06 | 北京中交兴路信息科技有限公司 | Information filtering device and method based on wireless data transmission |
CN102209326A (en) * | 2011-05-20 | 2011-10-05 | 北京中研瑞丰信息技术研究所(有限合伙) | Malicious behavior detection method and system based on smartphone radio interface layer |
Timeline: 2012-07-17, CN application CN2012102485417A filed, published as CN102769703A; status Pending.
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105723660A (en) * | 2013-11-11 | 2016-06-29 | 罗斯伯格系统公司 | Telecommunications system |
CN105723660B (en) * | 2013-11-11 | 2021-01-05 | 罗斯伯格系统公司 | Telecommunication system |
CN108476213A (en) * | 2016-01-22 | 2018-08-31 | 高通股份有限公司 | To detect and abandon the potential danger received in a manner of aerial on the wireless device payload device |
CN109167777A (en) * | 2018-08-28 | 2019-01-08 | 西安工业大学 | A kind of cell phone intelligent terminal firewall device |
CN114172860A (en) * | 2020-09-11 | 2022-03-11 | 华为技术有限公司 | Mail processing method and device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9686236B2 (en) | Mobile telephone firewall and compliance enforcement system and methods | |
US9654981B2 (en) | Data integrity for proximity-based communication | |
CN102340400B (en) | Method and apparatus for bearer and server independent parental control of a smartphone, using a second smartphone | |
CA2841776C (en) | Data integrity for proximity-based communication | |
CN102843682A (en) | Access point authorizing method, device and system | |
US10462122B2 (en) | Push notification aggregation | |
CN100583803C (en) | Methods and systems of blocking and/or disregarding data and related wireless terminals | |
CN106850703B (en) | Communication method based on social identity and server | |
JP2018533864A (en) | Remote control method, device and portable terminal | |
CN104702760A (en) | Communication number updating method and device | |
CN104717212A (en) | Protection method and system for cloud virtual network security | |
CN101242658A (en) | Mobile information multi-layer network secure auditing system | |
CN102769703A (en) | Mobile phone terminal and firewall monitoring method | |
CN101977358A (en) | Method, device and equipment for transmitting data short messages | |
KR101772144B1 (en) | Security management apparatus and method in a home network system | |
CN102098640B (en) | Method, device and system for distinguishing and stopping equipment from sending SMS (short messaging service) spam | |
CN102158830B (en) | Real time monitoring system for mobile network spam | |
CN102572814B (en) | A kind of mobile terminal virus monitor method, system and device | |
CN101951568B (en) | Short message information interception processing and device | |
KR101605850B1 (en) | Method for transmitting and receiving fake communication data and base station performing the same | |
CN103023943B (en) | Task processing method and device, terminal unit | |
CN102960000A (en) | Method, system, managingand controlling device, and terminal equipemtn for sending message | |
CN106878964B (en) | Authentication system and method based on short message channel | |
CA2887396C (en) | System and method for machine-to-machine privacy and security brokered transactions | |
CN105119774A (en) | Harassment information identification method, device and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C12 | Rejection of a patent application after its publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20121107 |