Summary of the invention
In view of the above problems, the present invention is proposed to provide a removable device access monitoring method, and a corresponding removable device access monitoring apparatus, which overcome the above problems or at least partly solve them.
According to one aspect of the present invention, a method for monitoring the access of a removable device is provided, comprising:
presetting a list of legitimate removable device information in a security control server, the security control server being used to control the security of the clients connected to it, and the list of legitimate removable device information containing the unique identifiers of the removable devices that are allowed to access;
when a client detects that a removable device is accessing, computing the unique identifier of the removable device;
sending the unique identifier to the security control server, which judges whether the unique identifier is present in the list of legitimate removable device information; if so, the access of the removable device is allowed; if not, the access of the removable device is refused.
Optionally, the step of computing the unique identifier of the removable device when the client detects that a removable device is accessing comprises:
obtaining the hardware attribute information of the removable device;
judging whether a signature mark is present on the removable device;
if so, extracting the signature mark from the removable device;
if not, computing a signature mark from the hardware attribute information and writing the signature mark to the removable device;
computing the unique identifier of the removable device from the hardware attribute information and the signature mark of the removable device.
Optionally, the method further comprises:
if the operation of writing the signature mark to the removable device fails, sending information about the failed write operation to the security control server;
the security control server refusing the access of the removable device according to the information about the failed write operation.
Optionally, the security control server presets a time interval during which the removable device is allowed to access, and the method further comprises:
judging whether the removable device accesses within the allowed time interval;
if the removable device accesses within the allowed time interval, the security control server allows the access of the removable device;
if the removable device does not access within the allowed time interval, the security control server refuses the access of the removable device.
Optionally, the method further comprises:
while the removable device is allowed to access, monitoring the write operations of the removable device;
sending information about the write operations to the security control server.
Optionally, the hardware attribute information comprises the removable device identifier, and/or the manufacturer information of the removable device, and/or the storage capacity of the removable device.
Optionally, the step of computing the signature mark from the hardware attribute information and writing the signature mark to the removable device comprises:
combining the removable device identifier and the hardware attribute information into a first string;
computing the signature mark of the removable device from the first string using the message digest algorithm MD5;
writing the signature mark of the removable device to the removable device.
Optionally, the step of computing the unique identifier of the removable device from its hardware attribute information and signature mark comprises:
combining the signature mark of the removable device and the hardware attribute information into a second string;
computing the unique identifier of the removable device from the second string using the message digest algorithm MD5.
Optionally, the access of the removable device is monitored by a preset driver in the client.
Optionally, the access comprises readable access, writable access, and access that is neither readable nor writable.
According to another aspect of the present invention, an apparatus for monitoring the access of a removable device is provided, comprising:
a legitimate list presetting module, located in the security control server, which is used to control the security of the clients connected to it; the list of legitimate removable device information contains the unique identifiers of the removable devices that are allowed to access;
a unique identifier computing module, located in the client, used to compute the unique identifier of the removable device when the access of a removable device is detected;
a unique identifier sending module, located in the client, used to send the unique identifier to the security control server;
a unique identifier judging module, located in the security control server, used to judge whether the unique identifier is present in the list of legitimate removable device information; if so, it calls the clearance module, and if not, it calls the refusal module;
a clearance module, used to allow the access of the removable device;
a refusal module, used to refuse the access of the removable device.
Optionally, the unique identifier computing module comprises:
a hardware attribute information obtaining submodule, used to obtain the hardware attribute information of the removable device;
a signature mark judging submodule, used to judge whether the removable device carries a signature mark; if so, it calls the signature mark extracting submodule, and if not, it calls the signature mark computing submodule;
a signature mark extracting submodule, used to extract the signature mark from the removable device;
a signature mark computing submodule, used to compute the signature mark from the hardware attribute information and to write the signature mark to the removable device;
a unique identifier computing submodule, used to compute the unique identifier of the removable device from its hardware attribute information and signature mark.
Optionally, the apparatus further comprises:
a write failure information sending module, located in the client, used to send information about the failed write operation to the security control server when the operation of writing the signature mark to the removable device fails;
a refusal access module, located in the security control server, used to refuse the access of the removable device according to the information about the failed write operation.
Optionally, the security control server presets a time interval during which the removable device is allowed to access, and the apparatus further comprises:
a time interval judging module, located in the security control server, used to judge whether the removable device accesses within the allowed time interval; if so, it calls the in-interval allow access module, and if not, it calls the in-interval refuse access module;
an in-interval allow access module, located in the security control server, used to allow the access of the removable device if the removable device accesses within the allowed time interval;
an in-interval refuse access module, located in the security control server, used to refuse the access of the removable device if the removable device does not access within the allowed time interval.
Optionally, the apparatus further comprises:
an access monitoring module, located in the client, used to monitor the write operations of the removable device while the removable device is allowed to access;
a write information sending module, located in the client, used to send information about the write operations to the security control server.
Optionally, the hardware attribute information comprises the removable device identifier, and/or the manufacturer information of the removable device, and/or the storage capacity of the removable device.
Optionally, the signature mark computing submodule comprises:
a first string assembling unit, used to combine the removable device identifier and the hardware attribute information into a first string;
a second computing unit, used to compute the signature mark of the removable device from the first string using the message digest algorithm MD5;
a signature mark writing unit, used to write the signature mark of the removable device to the removable device.
Optionally, the unique identifier computing submodule comprises:
a second string assembling unit, used to combine the signature mark of the removable device and the hardware attribute information into a second string;
a second computing unit, used to compute the unique identifier of the removable device from the second string using the message digest algorithm MD5.
Optionally, the access of the removable device is monitored by a preset driver in the client.
Optionally, the access comprises readable access, writable access, and access that is neither readable nor writable.
The removable device access monitoring method and apparatus according to the present invention judge whether to allow the access of a removable device by checking whether its unique identifier is present in the list of legitimate removable device information preset in the security control server, and monitor the write operations of the removable device while it is allowed to access. This solves the problem of data leakage through removable devices that enterprises frequently encounter, makes it possible to accurately trace the source and destination of data, prevents virus infection, improves the security of removable device use, and guarantees the security of network information, especially intranet information.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention can be understood more clearly and implemented according to the contents of the specification, and in order that the above and other objects, features and advantages of the present invention can become more apparent, specific embodiments of the present invention are set out below.
Embodiment
Exemplary embodiments of the present disclosure are described below in more detail with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the disclosure can be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and so that the scope of the disclosure is fully conveyed to those skilled in the art.
One of the core ideas of the embodiments of the invention is that the security control server judges whether to allow the access of a removable device by checking whether the unique identifier of the removable device is present in a preset list of legitimate removable device information, and that the write operations of the removable device are monitored while it is allowed to access. In this way the source and destination of data can be accurately traced, the security of removable device use is improved, and the security of network information, especially intranet information, is guaranteed.
Referring to Fig. 1, a flow chart of the steps of an embodiment of the removable device access monitoring method of the present invention is shown, which may comprise the following steps:
Step 101: presetting a list of legitimate removable device information in a security control server; the security control server is used to control the security of the clients connected to it, and the list of legitimate removable device information contains the unique identifiers of the removable devices that are allowed to access;
Take as an example the use of the present invention on a personal computer (PC) on which a private cloud client has been installed. A PC with the private cloud client installed can monitor files and prevent virus infection, and at the same time can interact with the corresponding security control server, sending some locally computed information to the security control server. The PC can also monitor whether a new device is accessing, the type of the accessing device, whether it is a removable device, and so on.
It should be noted that in the embodiments of the invention the security control server and the client form a master-controlled relationship: the security control server controls the security of the clients connected to it, for example a server and clients in a local area network (LAN).
In a specific implementation, a list of legitimate removable device information needs to be preset in the security control server. The list contains the unique identifiers of the removable devices that are allowed to access, and is used for comparison with the unique identifier of an accessing removable device, so as to judge whether the access of that removable device is legitimate.
Step 102: when the client detects that a removable device is accessing, computing the unique identifier of the removable device;
In a preferred embodiment of the present invention, the access of the removable device can be monitored by a preset driver in the client.
A preset driver is installed in the client, and this driver is used to monitor all write operations of the removable device. When the driver detects the access of a removable device, it passes the relevant information up to the application layer. After obtaining the information, the application layer sends it to the security control server to query whether the access is allowed.
In a preferred example of the embodiments of the invention, because the private cloud client is resident, the access and removal of a removable device can be monitored through the WM_DEVICECHANGE message; monitoring with the driver is also possible. Preferably, if the query to the security control server times out, the removable device can be ejected to avoid tying up resources. In a preferred embodiment of the present invention, step 102 can comprise the following substeps:
Substep S11: obtaining the hardware attribute information of the removable device;
Substep S12: judging whether a signature mark is present on the removable device; if so, performing substep S13, and if not, performing substep S14;
Substep S13: if so, extracting the signature mark from the removable device;
Substep S14: if not, computing a signature mark from the hardware attribute information and writing the signature mark to the removable device;
Substep S15: computing the unique identifier of the removable device from its hardware attribute information and signature mark.
When a removable device is connected to a PC with the private cloud client installed, the hardware attribute information and the signature mark of the removable device accessing the client are obtained. The hardware attribute information can comprise the intrinsic hardware attributes of the removable device and hardware attributes added to the removable device later. The signature mark of the removable device is computed from its hardware attribute information and further marks the removable device on top of its hardware attribute information, and the unique identifier is computed from the hardware attribute information together with the signature mark. Thus, even if the hardware attribute information of a removable device is identical to that of another device, the device is not necessarily allowed to access, which guarantees the security of network information, especially corporate intranet information.
In a preferred embodiment of the present invention, the hardware attribute information can comprise the removable device identifier, and/or the manufacturer information of the removable device, and/or the storage capacity of the removable device.
In a preferred embodiment of the present invention, substep S14 can comprise the following substeps:
Substep S21: combining the removable device identifier and the hardware attribute information into a first string;
Substep S22: computing the signature mark of the removable device from the first string using the message digest algorithm MD5;
Substep S23: writing the signature mark of the removable device to the removable device.
In a specific implementation, after the client detects that a removable device is accessing, it obtains the identifier of the removable device, the manufacturer information of the removable device and the storage capacity of the removable device, combines them into a string, and then uses the MD5 algorithm to compute the signature mark of the removable device from that string. As is well known, MD5 (Message Digest Algorithm 5) is a hash function widely used in the field of computer security; it maps data to a fixed-length value, compressing the information into a confidential format.
For example, if the removable device identifier is 5001, the manufacturer information of the removable device is patriot, and the storage capacity of the removable device is 1000000K, these can be combined into the string 5001 patriot 1000000; applying the MD5 algorithm to this string yields the unique 32-character signature mark of the removable device: B64D19F84EEEF997453CDD25738C082C. The computed signature mark is then written to the removable device.
In a preferred embodiment of the present invention, step 102 can further comprise the following substeps:
if the operation of writing the signature mark to the removable device fails, sending information about the failed write operation to the security control server;
the security control server refusing the access of the removable device according to the information about the failed write operation.
Preferably, if writing the computed signature mark to the removable device fails, the client can send information about the failed write operation to the security control server, and the security control server can refuse the access of the removable device according to the failure information, further guaranteeing the security of network information, especially intranet information.
In a preferred embodiment of the present invention, substep S15 can comprise the following substeps:
Substep S31: combining the signature mark of the removable device and the hardware attribute information into a second string;
Substep S32: computing the unique identifier of the removable device from the second string using the message digest algorithm MD5.
For example, if the removable device identifier is 5001, the manufacturer information of the removable device is patriot, the storage capacity of the removable device is 1000000K, and the signature mark of the removable device is B64D19F84EEEF997453CDD25738C082C, these can be combined into the string B64D19F84EEEF997453CDD25738C082C 5001 patriot 1000000; applying the MD5 algorithm to this string yields the 32-character unique identifier of the removable device: 45B51AE3C3445170E39801CA9ACD564D.
Of course, practical applications are not limited to the MD5 algorithm; those skilled in the art can also select other suitable algorithms, following the principle of the MD5 algorithm, to generate the signature mark and the unique identifier of the removable device, and the present invention is not restricted in this respect.
Step 103: sending the unique identifier to the security control server, which judges whether the unique identifier is present in the list of legitimate removable device information; if so, performing step 104, and if not, performing step 105;
Step 104: allowing the access of the removable device;
Step 105: refusing the access of the removable device.
In the embodiments of the invention, the association between the client and the security control server is used to manage the removable devices accessing the client. If the unique identifier of the removable device accessing the client is present in the list of legitimate removable device information in the security control server, the access of the removable device is legitimate and the security control server allows it. If the unique identifier of the removable device accessing the client is not present in the list of legitimate removable device information in the security control server, the access of the removable device is illegitimate and the security control server refuses it.
In a preferred embodiment of the present invention, a time interval during which the removable device is allowed to access can also be preset in the security control server, in which case the method can further comprise the following steps:
judging whether the removable device accesses within the allowed time interval;
if the removable device accesses within the allowed time interval, the security control server allows the access of the removable device;
if the removable device does not access within the allowed time interval, the security control server refuses the access of the removable device.
By setting an allowed time interval for a removable device that is allowed to access, the removable device can access and operate on the client only within the allowed time interval, and its access is refused outside that interval, further guaranteeing the security of network information, especially intranet information. In practice, an identifying name can also be set for each allowed removable device, to make identification and subsequent management by the administrator more convenient.
In a specific implementation, a removable device that is allowed to access can be configured with read permission, with write permission, or with neither read nor write permission, and the removable device operates on the client according to its configured permission.
In a preferred embodiment of the present invention, the method can further comprise the following steps:
while the removable device is allowed to access, monitoring the write operations of the removable device;
sending information about the write operations to the security control server.
Preferably, after the removable device is allowed to access and is in normal use, the write operations of the removable device are monitored and every write involving the removable device is reported to the security control server. Write operations include saving a file to the removable device and saving a file from the removable device to a local disk; whenever either the source path or the destination path is on the removable device, the operation is recorded and sent to the security control server. In this way the source and destination of data can be accurately traced, virus infection is prevented, and the security of removable device use is improved.
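The server-side decision of steps 103 to 105, extended with the write-failure refusal, the allowed time interval, the per-device permission and identifying name, and the client-side rule for which write operations are reported, as an added example that is not part of the patent. The list entries, the device root path E:\ and the reported operations are constructed sample data; the unique identifiers are placeholders rather than real MD5 values.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class AllowedDevice:
    """One entry of the legitimate removable device list preset in step 101."""
    unique_id: str
    name: str                               # identifying name for the administrator
    permission: str                         # "read", "write" or "none"
    window_start: Optional[time] = None     # allowed time interval; None means any time
    window_end: Optional[time] = None


def in_allowed_window(entry: AllowedDevice, when: datetime) -> bool:
    """Time interval check; a window that ends before it starts wraps past midnight."""
    if entry.window_start is None or entry.window_end is None:
        return True
    t = when.time()
    if entry.window_start <= entry.window_end:
        return entry.window_start <= t <= entry.window_end
    return t >= entry.window_start or t <= entry.window_end


@dataclass
class SecurityControlServer:
    allowed: dict = field(default_factory=dict)    # unique_id -> AllowedDevice
    write_log: list = field(default_factory=list)  # reported write operations

    def preset(self, entry: AllowedDevice) -> None:
        """Step 101: add an entry to the legitimate list."""
        self.allowed[entry.unique_id] = entry

    def decide(self, status: str, unique_id: Optional[str],
               when: datetime) -> tuple[bool, str, str]:
        """Steps 103-105 plus the write-failure and time-interval refusals.
        Returns (allowed, permission, reason)."""
        if status == "write_failed":
            return (False, "none", "signature write failed on device")
        entry = self.allowed.get(unique_id or "")
        if entry is None:
            return (False, "none", "unique identifier not in legitimate list")
        if not in_allowed_window(entry, when):
            return (False, "none", "outside allowed time interval")
        return (True, entry.permission, f"allowed: {entry.name}")

    def record_write(self, unique_id: str, source: str, destination: str,
                     when: datetime) -> None:
        """Store one write operation reported by the client."""
        entry = self.allowed.get(unique_id)
        self.write_log.append({
            "device": entry.name if entry else unique_id,
            "source": source, "destination": destination,
            "time": when.isoformat(timespec="seconds"),
        })


def _on_device(path: str, device_root: str) -> bool:
    return path.replace("/", "\\").upper().startswith(device_root.upper())


def should_report(source: str, destination: str, device_root: str) -> bool:
    """Client rule: report the operation if either path is on the removable device."""
    return _on_device(source, device_root) or _on_device(destination, device_root)


def report_writes(server: SecurityControlServer, unique_id: str, device_root: str,
                  operations: list, when: datetime) -> int:
    """Filter (source, destination) pairs with should_report and send the matches."""
    sent = 0
    for source, destination in operations:
        if should_report(source, destination, device_root):
            server.record_write(unique_id, source, destination, when)
            sent += 1
    return sent


if __name__ == "__main__":
    srv = SecurityControlServer()
    srv.preset(AllowedDevice("PLACEHOLDER-UID-1", "finance-usb-01", "write",
                             time(9, 0), time(18, 0)))
    print(srv.decide("ok", "PLACEHOLDER-UID-1", datetime(2024, 1, 8, 10, 30)))
    print(srv.decide("ok", "PLACEHOLDER-UID-1", datetime(2024, 1, 8, 20, 0)))
```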
After the operations of the removable device on the client are finished and the removable device needs to be withdrawn, SetupDiDestroyDeviceInfoList can be called to unload it, destroying the removable device information set and releasing the associated memory, so that the removable device is ejected at ring 3 (the lowest CPU privilege level); alternatively, it can be unloaded by the driver.
It should be noted that, for simplicity of description, the method embodiments are expressed as a series of combinations of actions; those skilled in the art should know, however, that the present invention is not limited by the described order of actions, because according to the present invention some steps can be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
Referring to Fig. 2, a structural block diagram of an embodiment of the removable device access monitoring apparatus of the present invention is shown, which may comprise the following modules:
a legitimate list presetting module 201, located in the security control server, which is used to control the security of the clients connected to it; the list of legitimate removable device information contains the unique identifiers of the removable devices that are allowed to access;
a unique identifier computing module 202, located in the client, used to compute the unique identifier of the removable device when the access of a removable device is detected;
In a preferred embodiment of the present invention, the access of the removable device can be monitored by a preset driver in the client.
In a preferred embodiment of the present invention, the unique identifier computing module 202 can comprise the following submodules:
a hardware attribute information obtaining submodule, used to obtain the hardware attribute information of the removable device;
a signature mark judging submodule, used to judge whether the removable device carries a signature mark; if so, it calls the signature mark extracting submodule, and if not, it calls the signature mark computing submodule;
a signature mark extracting submodule, used to extract the signature mark from the removable device;
a signature mark computing submodule, used to compute the signature mark from the hardware attribute information and to write the signature mark to the removable device;
a unique identifier computing submodule, used to compute the unique identifier of the removable device from its hardware attribute information and signature mark.
In a preferred embodiment of the present invention, the apparatus can further comprise the following modules:
a write failure information sending module, located in the client, used to send information about the failed write operation to the security control server when the operation of writing the signature mark to the removable device fails;
a refusal access module, located in the security control server, used to refuse the access of the removable device according to the information about the failed write operation.
In a preferred embodiment of the present invention, the security control server presets a time interval during which the removable device is allowed to access, and the apparatus can further comprise the following modules:
a time interval judging module, located in the security control server, used to judge whether the removable device accesses within the allowed time interval; if so, it calls the in-interval allow access module, and if not, it calls the in-interval refuse access module;
an in-interval allow access module, located in the security control server, used to allow the access of the removable device if the removable device accesses within the allowed time interval;
an in-interval refuse access module, located in the security control server, used to refuse the access of the removable device if the removable device does not access within the allowed time interval.
In a preferred embodiment of the present invention, the hardware attribute information can comprise the removable device identifier, and/or the manufacturer information of the removable device, and/or the storage capacity of the removable device.
In a preferred embodiment of the present invention, the signature mark computing submodule can comprise the following units:
a first string assembling unit, used to combine the removable device identifier and the hardware attribute information into a first string;
a second computing unit, used to compute the signature mark of the removable device from the first string using the message digest algorithm MD5;
a signature mark writing unit, used to write the signature mark of the removable device to the removable device.
In a preferred embodiment of the present invention, the unique identifier computing submodule can comprise the following units:
a second string assembling unit, used to combine the signature mark of the removable device and the hardware attribute information into a second string;
a second computing unit, used to compute the unique identifier of the removable device from the second string using the message digest algorithm MD5.
A unique identifier sending module 203, located in the client, configured to send the unique identifier to the security control server;
A unique identifier judging module 204, located in the security control server, configured to judge whether the unique identifier is present in the legal mobile device information list; if so, invoke the release module 205; if not, invoke the refusal module 206;
A release module 205, configured to allow access of the mobile device;
A refusal module 206, configured to refuse access of the mobile device.
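The two-stage MD5 derivation of the sub-modules above (signature identifier, then unique identifier) together with the client-to-server list check of modules 203 to 206, written as an added example that is not code from the patent. The device class, the `|` delimiter used to combine attributes, and all sample values are assumptions; the page does not specify a concrete string format.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class RemovableDevice:
    """Constructed stand-in for a mobile (removable) device: hardware
    attributes plus a writable slot for the stored signature identifier."""
    device_id: str            # mobile device identifier (e.g. a serial number)
    manufacturer: str         # manufacturer information
    capacity_bytes: int       # storage capacity
    signature: Optional[str] = None   # signature identifier written on the device


def _md5_hex(s: str) -> str:
    # MD5 is used as the page describes: a deterministic fingerprint, not a
    # secret. The preset legal list on the server is the actual access control.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def hardware_attributes(dev: RemovableDevice) -> str:
    # Hardware attribute information combined into one string (delimiter assumed).
    return f"{dev.manufacturer}|{dev.capacity_bytes}"


def signature_identifier(dev: RemovableDevice) -> str:
    # First character string: device identifier + hardware attributes, then MD5.
    return _md5_hex(f"{dev.device_id}|{hardware_attributes(dev)}")


def ensure_signature(dev: RemovableDevice) -> str:
    # If a signature is already present on the device, extract it; otherwise
    # calculate it from the hardware attributes and write it to the device.
    if dev.signature is None:
        dev.signature = signature_identifier(dev)
    return dev.signature


def unique_identifier(dev: RemovableDevice) -> str:
    # Second character string: signature identifier + hardware attributes, then MD5.
    return _md5_hex(f"{ensure_signature(dev)}|{hardware_attributes(dev)}")


class SecurityControlServer:
    """Holds the preset legal mobile device information list (module 204)."""
    def __init__(self, legal_unique_ids: Iterable[str]) -> None:
        self.legal = set(legal_unique_ids)

    def judge(self, unique_id: str) -> bool:
        return unique_id in self.legal   # True: release (205); False: refuse (206)


def client_access_check(dev: RemovableDevice, server: SecurityControlServer) -> bool:
    # Client computes the unique identifier and sends it to the server (module 203).
    return server.judge(unique_identifier(dev))
```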
In a preferred embodiment of the present invention, the access may comprise readable access, writable access, and access that is neither readable nor writable.
In a preferred embodiment of the present invention, the device may further comprise the following modules:
An access monitoring module, located in the client, configured to monitor write operations on the mobile device while access of the mobile device is allowed;
A write information sending module, located in the client, configured to send information about the write operations to the security control server.
Since the device embodiment of Fig. 2 is substantially similar to the method embodiment of Fig. 1, its description is relatively brief; for the relevant parts, reference may be made to the corresponding description of the method embodiment.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teachings herein. From the above description, the structure required to construct such systems is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the above description of a specific language is given in order to disclose the best mode of the invention.
In the specification provided herein, numerous specific details are described. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Therefore, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment may be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent, or a similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the equipment for mobile device access monitoring according to embodiments of the invention. The present invention may also be embodied as a device or apparatus program (for example, a computer program and a computer program product) for carrying out part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may have the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order. These words may be interpreted as names.