CN103414725A - Method and device used for detecting and filtering data message - Google Patents
- Publication number
- CN103414725A
- Authority
- CN
- China
- Prior art keywords
- data message
- detection
- described data
- user
- rule
- Prior art date
- Legal status
- Pending
Landscapes
- Computer And Data Communications (AREA)
Abstract
The invention provides a method and a device for detecting and filtering traffic on an Android-based intelligent terminal. The method comprises the following steps: first, data messages to be sent and/or data messages that have been received are intercepted at a data message sending interface and/or a data message receiving interface of the operating system; second, the intercepted data messages are matched against one or more detection rules; and third, for a data message that matches at least one of the one or more detection rules, the filtering processing corresponding to that detection rule is executed.
Description
Technical field
The present invention relates generally to the field of data communication, and more specifically to a method and apparatus for detecting and filtering data messages.
Background art
With the widespread use of mobile communication terminals, they have become an indispensable part of people's productive and daily lives, and the supervision of network data on mobile devices has naturally become a research topic of public concern.
As one of the mainstream development platforms for mobile communication terminals, the Android platform has served as the basis for a large number of applications of different kinds. Some of these applications, while implementing their basic functions, may, driven by commercial interests or other factors, generate additional network access and data download requests in the system background beyond their normal function, without the user's knowledge, and thereby generate additional traffic. The direct result is that the user's traffic allowance is consumed for no reason and unnecessary network charges are incurred.
At present, mainstream detection techniques for network traffic (data messages) are concentrated largely at the application layer: they detect and filter data messages by analyzing the access behaviour of an application. With this approach, whether an application is safe can only be analyzed and judged after the traffic has been associated with a specific application (app). Consequently, illegitimate traffic and requests generated by an application cannot be analyzed, and then blocked, at the bottom layer; a safety inspection can only be carried out from the perspective of which application the traffic belongs to, and access flows cannot be analyzed and monitored from the perspective of the traffic data itself.
Summary of the invention
To address the above problem, the present invention provides a method and apparatus for detecting and filtering data messages.
According to a first aspect of the invention, a method for detecting and filtering data messages is provided. The method comprises: a) intercepting data messages to be sent and/or data messages that have been received at a data message sending interface and/or a data message receiving interface of the operating system; b) matching the data messages against one or more detection rules; and c) for a data message that matches at least one of the one or more detection rules, executing the filtering processing corresponding to that at least one detection rule.
In some embodiments, the step of intercepting the data messages to be sent and/or received comprises: intercepting the data messages to be sent and/or received with a hook function.
In some embodiments, the method further comprises, between step a) and step b): judging whether the data message is complete; if the data message is complete, continuing with the subsequent steps; otherwise, discarding the data message directly and ending the method.
In some embodiments, each detection rule comprises at least one of the following: an application protocol; a destination address; a source address; and an application name.
In some embodiments, the step of matching the data message comprises: if the data message is a data message to be sent, determining from the source port of the data message the application name of the application that sends it, and then comparing at least one of the application protocol, the destination address, the source address and the application name of the data message with the corresponding entry of at least one of the one or more detection rules, to determine whether the data message matches at least one of the one or more detection rules.
In some embodiments, the step of matching the data message comprises: if the data message is a received data message, determining from the destination port of the data message the application name of the application that will receive it, and then comparing at least one of the application protocol, the destination address, the source address and the application name of the data message with the corresponding entry of at least one of the one or more detection rules, to determine whether the data message matches at least one of the one or more detection rules.
In some embodiments, the filtering processing comprises one of the following: allowing the matched data message to pass; and forbidding the matched data message from passing.
In some embodiments, the method further comprises: providing the user with the ability to set and view the one or more detection rules.
In some embodiments, the method further comprises: providing the user with the ability to set and view the filtering processing.
In some embodiments, when a matching data message is detected, the method further comprises: recording a log related to the matched data message.
In some embodiments, the method further comprises: providing the user with the ability to view the log.
According to a second aspect of the invention, an apparatus for detecting and filtering data messages is provided. The apparatus comprises: an interception unit for intercepting data messages to be sent and/or data messages that have been received at the data message sending interface and/or data message receiving interface of the operating system; a matching unit for matching the data messages against one or more detection rules; and a filtering unit for executing, on a data message that matches at least one of the one or more detection rules, the filtering processing corresponding to that at least one detection rule.
In some embodiments, the interception unit is further configured to intercept the data messages to be sent and/or received with a hook function.
In some embodiments, the apparatus further comprises: a judging unit for judging whether the data message is complete; if the data message is complete, the subsequent steps continue; otherwise, the data message is discarded directly.
In some embodiments, each detection rule comprises at least one of the following: an application protocol; a destination address; a source address; and an application name.
In some embodiments, the matching unit is further configured to: if the data message is a data message to be sent, determine from the source port of the data message the application name of the application that sends it, and then compare at least one of the application protocol, the destination address, the source address and the application name of the data message with the corresponding entry of at least one of the one or more detection rules, to determine whether the data message matches at least one of the one or more detection rules.
In some embodiments, the matching unit is further configured to: if the data message is a received data message, determine from the destination port of the data message the application name of the application that will receive it, and then compare at least one of the application protocol, the destination address, the source address and the application name of the data message with the corresponding entry of at least one of the one or more detection rules, to determine whether the data message matches at least one of the one or more detection rules.
In some embodiments, the filtering processing comprises one of the following: allowing the matched data message to pass; and forbidding the matched data message from passing.
In some embodiments, the apparatus further comprises: a user interface for providing the user with the ability to set and view the one or more detection rules.
In some embodiments, the apparatus further comprises: a user interface for providing the user with the ability to set and view the filtering processing.
In some embodiments, the apparatus further comprises: a logging unit for recording, when a matching data message is detected, a log related to the matched data message.
In some embodiments, the apparatus further comprises: a user interface for providing the user with the ability to view the log.
Using the method and apparatus of the present invention, traffic analysis and control can be performed directly at the bottom layer against the network behaviour of applications, thereby achieving faster and more efficient data message processing.
Brief description of the drawings
The above and other objects, features and advantages of the present invention will become clearer from the following description of preferred embodiments of the invention in conjunction with the accompanying drawings, in which:
Fig. 1 shows a block diagram of an example network protocol stack in a mobile communication terminal according to an embodiment of the present invention.
Fig. 2 shows an example data message processing procedure according to an embodiment of the present invention.
Fig. 3 shows an example flow chart of a method for detecting and filtering data messages according to an embodiment of the present invention.
Fig. 4 shows a functional block diagram of an example apparatus for detecting and filtering data messages according to an embodiment of the present invention.
In all the drawings of the present invention, the same or similar structures are denoted by the same or similar reference numerals.
Detailed description of the embodiments
Preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings; in the description, details and functions that are unnecessary for the invention are omitted so as not to obscure its understanding. Below, the invention is described in detail using the scenario of a mobile communication system as an example. The invention is not limited to this, however: it can also be applied to fixed communication systems, wired communication systems, or any hybrid of mobile, fixed and wired communication systems. As regards mobile communication systems, the invention is not limited to the specific communication protocol of each mobile communication terminal involved, which may include, but is not limited to, 2G, 3G, 4G, 5G networks, WCDMA, CDMA2000, TD-SCDMA systems and so on; different mobile terminals may use the same or different communication protocols. The invention is likewise not limited to a specific operating system of the mobile terminal, which may include, but is not limited to, iOS, Windows Mobile, Symbian, Android and so on; different mobile terminals may use the same or different operating systems. In particular, the following embodiments of the invention use a mobile communication terminal developed on the Android platform as an example to explain the principle of the invention. It should be understood, however, that the embodiments of the invention can in fact be realized on any mobile or fixed communication terminal, and the invention is not restricted to the specific hardware, software (including the operating system), firmware or combination thereof used.
First, with reference to Fig. 1, a block diagram of an example network protocol stack in a mobile communication terminal 100 according to some example embodiments of the invention is described. As shown in Fig. 1, the mobile communication terminal 100 has a network protocol stack 110 for processing data messages. Under the seven-layer Open System Interconnection (hereafter OSI) reference model, this protocol stack 110 correspondingly comprises seven protocol layers: physical layer 111, data link layer 112, network layer 113, transport layer 114, session layer 115, presentation layer 116 and application layer 117. In the present embodiment we are mainly concerned with the network layer 113, transport layer 114 and application layer 117 of the protocol stack 110.
Network layer 113 corresponds to layer 3 of the OSI reference model and lies between transport layer 114 and data link layer 112. Building on the function of transferring data frames between two adjacent endpoints that data link layer 112 provides, network layer 113 further manages data communication in the network, routing data from the source node through several intermediate nodes to the destination node, and thereby provides the most basic end-to-end data transport service to transport layer 114. The most mainstream and best-known network layer protocols in today's Internet are the Internet Protocol (hereafter IP) version 4 and version 6 (IPv4 and IPv6). The IP header of a data message carries information such as its source IP address and destination IP address. The network layer protocol of a data message may of course also be another protocol, for example ICMP, IGMP, IPX and so on. Note that the invention is not limited to the network layer protocols listed above.
Transport layer 114 corresponds to a relatively important and critical layer in the OSI reference model; it is the only layer responsible for end-to-end data transmission and data control as a whole. Transport layer 114 provides the mechanism for exchanging data end to end. It provides reliable transmission services to the three layers above it (session layer 115, presentation layer 116, application layer 117 and so on) and provides reliable destination node information to network layer 113. For example, because the various communication networks in the world differ greatly in performance (switched telephone networks, packet-switched networks, public switched data networks, local area networks (LANs) and so on can all be interconnected, but the throughput, transmission rate, data delay, communication cost and so on that they provide differ), higher layers such as session layer 115 require an interface with stable performance, and transport layer 114 takes on this function. It uses techniques such as splitting/merging and multiplexing/demultiplexing to smooth over the differences between the above communication networks, so that session layer 115 does not perceive them. In addition, transport layer 114 also provides functions such as error recovery and flow control, shielding session layer 115 from the details and differences of the communication networks in these respects. The data objects that transport layer 114 deals with are not network addresses and host addresses but the interface ports to session layer 115. The most mainstream and best-known transport layer protocols in today's Internet are the Transmission Control Protocol (hereafter TCP) and the User Datagram Protocol (hereafter UDP). The TCP header or UDP header of a data message carries information such as its source port and destination port. The transport layer protocol of a data message may of course also be another protocol, for example AH, ESP, GRE, SCTP and so on. Note that the invention is not limited to the transport layer protocols listed above.
Application layer 117 corresponds to layer 7 of the OSI reference model. It interacts directly with local application processes and provides common network application services, and it sends requests to presentation layer 116. Application layer 117 is the topmost layer of the OSI reference model and provides services directly to application processes; its role is to complete the services required by a series of business operations when multiple system application processes communicate with each other. A large number of standardized or custom application layer protocols exist in today's Internet; the better-known ones include HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol) and so on. Each application layer protocol has its own protocol format, and which application layer protocol format the data carried by a data message has usually has to be determined by analyzing the application header of the data message. The application layer protocol of a data message may of course also be another protocol, for example BT, DNS, DHCP, IMAP, POP3 and so on. Note that the invention is not limited to the application layer protocols listed above.
How embodiments of the invention use this information (for example the source IP address, destination IP address, source port, destination port, application protocol and so on) is described in detail later in connection with Fig. 2.
Next, returning to Fig. 1, we continue by describing how the mobile communication terminal 100 of the present embodiment uses its network protocol stack 110 to process received data messages and/or data messages to be sent. In the present embodiment, the specific processing operations of each layer of the network protocol stack 110 of the mobile communication terminal 100 may be distributed across different hardware, software modules and firmware modules.
For example, the processing operations of physical layer 111 are normally handled by the communicator module of the mobile communication terminal 100. Furthermore, because the mobile communication terminal 100 of the present embodiment is developed on the Android platform, and the Android platform is a Linux-like system, it can usually be divided into kernel space and user space. The operations of data link layer 112, network layer 113, transport layer 114, session layer 115 and so on are mainly implemented in kernel space; the user invokes function interfaces in kernel space through system calls and thereby handles the affairs of these layers. The operations of presentation layer 116 and application layer 117 are basically implemented by the user in user space, where the user has to write processing functions to handle the affairs of these two layers. Of course, in other embodiments other kernel-space/user-space distributions of the processing operations may be adopted, and the invention is not limited to the distribution above. For example, the processing related to session layer 115 may be implemented by the user in user space by calling the low-level system calls of the Android system.
In the present embodiment, as shown by the arrow on the left side of Fig. 1, when a communication signal carrying a data message enters the mobile communication terminal 100 through the communication network, it first enters physical layer 111, which is handled by the communicator module. In physical layer 111, the communicator module converts this communication signal into a data message in the ordinary sense (for example, by converting the analog signal into a digital signal according to the voltage level of the communication signal, the system clock frequency and so on). The communicator driver module running on the main processor of the mobile communication terminal 100 then submits this data message, through the interface it provides, to data link layer 112 of the network protocol stack 110 running in kernel space. Data link layer 112 performs its processing on the message according to the data link layer header in the data message (for example, the MAC (media access control) protocol header) and then submits it to network layer 113. Network layer 113 in turn processes it according to its network layer header (for example, the IP header) and submits it to transport layer 114. Similarly, transport layer 114 processes it according to its transport layer header (for example, the TCP header or UDP header). Then, according to the port number specified in the transport layer header, the data message is passed to the local process of the application program bound to (or listening on) this port number, and this local process carries out the various subsequent processing steps (session layer 115, presentation layer 116 and application layer 117 processing).
Correspondingly, as shown by the arrow on the right side of Fig. 1, when the mobile communication terminal 100 wants to send a data message to the communication network, the application program on it invokes the processing of session layer 115, presentation layer 116 and application layer 117 to generate a data message carrying the protocol headers of application layer 117, presentation layer 116 and/or session layer 115, and hands it down to transport layer 114. Transport layer 114 adds a transport layer protocol header (for example, a TCP header or UDP header) to the data message according to the parameters passed in when it was handed down, performs the corresponding processing, and then hands it down to network layer 113. And so on, until finally the communicator module of the mobile communication terminal 100 converts the data message, to which the network layer protocol header and data link layer protocol header have been added, into an actual physical signal and sends it to the communication network.
Therefore, in order to match and filter on the basis of the source, destination, application name, application protocol and so on of a data message, and because the various applications differ in their specific implementations and features, the present embodiment needs to modify the kernel of the Android system so that data messages can be matched and filtered at the bottom layer (relative to application layer 117, for example network layer 113, transport layer 114 and so on).
For example, a malicious application developed by a malicious third party may, beyond the normal functions of the game software it provides, also embed an additional traffic generator in the game software to generate additional traffic that incurs extra charges for the user. Since the destination address of this additional traffic is the malicious third party's server, the user (or the provider of a security application) may wish, by matching on this destination address, to find all data messages in the mobile communication terminal 100 that are headed for this destination address and to intercept them. Therefore the kernel of the Android system needs to be modified so that matching on this destination address and the corresponding filtering function are added to the normal data message processing. The specific way of inserting the example function into the kernel is described in detail below in connection with Fig. 2.
Before describing the embodiment of Fig. 2 in detail, hook functions are first described briefly. In computer programming, the term "hook" covers techniques that change or extend the behaviour of an operating system, application program or other software component by intercepting function calls, messages or events passed between software components. The code that handles such an intercepted function call, event or message is called a hook function. Hooks are used for all kinds of purposes, including debugging functions and extending functions. Examples include intercepting keyboard or mouse events before they are delivered to an application program, or intercepting system calls in order to monitor or modify the function of an application program or other component. In the following embodiments of the invention, for convenience of description, hook functions are used to achieve the goal of modifying the original data message processing flow in the system kernel.
As shown in Fig. 2, the solid arrows show the original data message processing flow. When a data message is passed from the communicator module to the system kernel through the interface provided by the driver of the communicator module, it first reaches the data message receiving interface 220 in the kernel. In the example Android-based operating system of the present embodiment, this data message receiving interface 220 may be, for example, the function in the kernel source code related to the local input (LOCAL_IN) processing of network data. Then, according to the headers of the different levels of this data message, such as the IP header, TCP/UDP header and so on, the data message is directed to the corresponding local process 210 of the program executing on the local processor. For example, a data message carrying HTTP data (the port number in its TCP header may be the commonly used HTTP port 80) may be passed to the process of the program bound to port 80 on the local machine, for example a browser. Thus, correct processing of data messages (web data) received from the network is realized.
Conversely, when a local process 210 wants to transmit a data message to the communicator module, the data message first reaches the data message sending interface 230 in the kernel. In the example Android-based operating system of the present embodiment, this data message sending interface 230 may be, for example, the function in the kernel source code related to the local output (LOCAL_OUT) processing of network data. Then, according to the parameters passed in when this function is called, headers of the different levels, such as the IP header, TCP/UDP header and so on, are added to the data message, after which the data message is directed to the interface provided by the driver of the communicator module and finally passed to the hardware of the communicator module. For example, a data message carrying HTTP data and specifying a destination address and destination port may be passed to the communication interface provided by the driver and sent to the network by the communicator module. Thus, correct processing for sending data messages to the network is realized.
As mentioned above, in order to realize the functions shown in the embodiments of the invention, the existing normal data message processing flow needs to be extended with hook functions. For this purpose, on the data message receiving side, a hook function is first used to add a data message receiving cleaning module 240 at the original data message receiving interface 220, in order to intercept received data messages. For example, in one embodiment, the data message receiving cleaning module 240 (hook function) is registered at kernel initialization and loaded into kernel space when the kernel's network module starts. Similarly, a hook function is also used to add a data message sending cleaning module 250 at the original data message sending interface 230, in order to intercept data messages to be sent.
After the data message receiving cleaning module 240 and the data message sending cleaning module 250 have been loaded, the standard operation on data messages in Fig. 2 becomes the flow shown by the dashed lines. That is, in some embodiments, when a data message is delivered from the communicator module to data message receiving interface 220, it is no longer passed directly to local process 210 but first passes through the processing of data message receiving cleaning module 240. Similarly, when a data message is transmitted from local process 210 to data message sending interface 230, it first passes through the processing of data message sending cleaning module 250. Of course, in other embodiments the positions of data message receiving cleaning module 240 and data message sending cleaning module 250 are not limited to those above. For example, in some other embodiments the data message receiving cleaning module 240 may be added before, within or after the data message receiving interface 220; in still other embodiments, the data message sending cleaning module 250 may be added before, within or after the data message sending interface 230. In fact, as long as the function of the invention of detecting and filtering data messages at the bottom layer can be realized, these two modules may appear at any desired position in the data message processing flow.
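As an added example that is not the patent's own code, the following user-space C model shows the hook technique just described: the receive interface dispatches through a function pointer, and installing the cleaning module saves the original handler and puts itself in front of it, so that a message passes the integrity check of the method before it can reach the local process (the dashed-line path of Fig. 2). All names here (rx_interface, install_rx_hook, rx_cleaning_module, local_process, the struct msg layout) are hypothetical; an in-kernel implementation would register at the LOCAL_IN processing point instead, which this model only imitates.

```c
/* Added example, not the patent's code: function-pointer interposition as a
 * user-space stand-in for hooking the kernel's receive interface. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A minimal data message as the driver would hand it up: the length the header
 * claims versus the bytes actually received (hypothetical layout). */
struct msg {
    uint16_t declared_len;      /* length claimed by the message header */
    size_t actual_len;          /* bytes actually delivered by the driver */
    const uint8_t *data;
};

typedef int (*msg_handler_t)(const struct msg *m);

static int delivered = 0;       /* messages that reached the local process */
static int dropped = 0;         /* messages discarded by the cleaning module */

/* Original endpoint of the solid-arrow path: the local process bound to the port. */
static int local_process(const struct msg *m) {
    (void)m;
    delivered++;
    return 1;                   /* 1 = passed through to the application */
}

/* The receive interface calls through this pointer; hooking swaps it. */
static msg_handler_t rx_handler = local_process;
static msg_handler_t saved_handler = NULL;

/* The step between a) and b) of the method: is the message complete? */
static int msg_is_complete(const struct msg *m) {
    return m->data != NULL && m->actual_len >= m->declared_len;
}

/* Cleaning module 240: runs first, then hands complete messages to the saved original. */
static int rx_cleaning_module(const struct msg *m) {
    if (!msg_is_complete(m)) {
        dropped++;
        return 0;               /* 0 = discarded; the local process never sees it */
    }
    return saved_handler(m);
}

/* Install the hook: from now on every received message goes through the module. */
void install_rx_hook(void) {
    if (saved_handler == NULL) {
        saved_handler = rx_handler;
        rx_handler = rx_cleaning_module;
    }
}

/* Remove the hook and restore the solid-arrow path. */
void remove_rx_hook(void) {
    if (saved_handler != NULL) {
        rx_handler = saved_handler;
        saved_handler = NULL;
    }
}

/* Data message receiving interface 220: the single entry point the driver calls. */
int rx_interface(const uint8_t *buf, size_t len, uint16_t declared_len) {
    struct msg m = { declared_len, len, buf };
    return rx_handler(&m);
}

int get_delivered(void) { return delivered; }
int get_dropped(void) { return dropped; }
void reset_counters(void) { delivered = 0; dropped = 0; }

int main(void) {
    /* Constructed sample payload; the driver would supply real frames. */
    static const uint8_t payload[8] = { 'G', 'E', 'T', ' ', '/', ' ', 'H', 'T' };
    install_rx_hook();
    rx_interface(payload, sizeof payload, 8);   /* complete: reaches local process */
    rx_interface(payload, 4, 8);                /* truncated: dropped by the module */
    printf("delivered=%d dropped=%d\n", get_delivered(), get_dropped());
    return 0;
}
```

The hook keeps the original handler rather than replacing its logic, which is what lets the patent place the cleaning module "before, within or after" the interface: only the dispatch point moves, the local process is untouched.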
When the data message receiving cleaning module 240 and/or the data message sending cleaning module 250 is loaded, a policy queue (matching (detection) rule queue) is first established in the corresponding module according to the one or more matching (detection) rules and corresponding filtering operations set by the user in advance and stored on the memory of the mobile communication terminal 100 (for example, an SD card, CF card and so on). These matching rules and filtering operations may be stored on the memory of the mobile communication terminal 100 in encrypted form (for example, DES).
Next, as described in connection with Fig. 1, when a data message arrives at data message receiving cleaning module 240, the module (and/or data message receiving interface 220) first checks the integrity of the data message; if the message is incomplete, it is discarded directly and reception of subsequent messages continues. If the message is complete, data message receiving cleaning module 240 determines, according to the destination port in the transport layer protocol header of the data message (for example, the TCP header or UDP header), the local process of the application bound to this destination port (or the process of the application listening on this destination port), and correspondingly determines the application name and/or application protocol. For example, when the destination port of the data message is 80, the application name and/or application protocol of the application expected to receive this data message can be determined according to a configuration file in the system (for example, "/etc/service" on a Linux system or a similar configuration file) and/or the actual process listening on port 80 (and its corresponding application name and application protocol, for example a browser). Of course, the application protocol used by the data message can also be determined from its application protocol header. In addition, the source IP address and destination IP address of the data message can be determined from its IP header.
After one or more of the above (for example, the source IP address, destination IP address, source port, destination port, application protocol, application name and so on) have been determined, the data message can be matched according to one or more matching rules predefined by the user. For example, the user may preset the following matching rules: (1) for data messages whose source IP address is a known malicious third-party IP address (for example, 192.168.1.222), whose destination IP address is the local machine, whose destination port is 21 (i.e. the commonly used FTP port), whose application protocol is FTP and whose application name is virus.exe, the corresponding filtering processing is "forbid the matched data message from passing" (i.e. drop ("DROP") or reject ("REJECTED")); (2) for data messages whose source address is, for example, 192.168.1.211, whose destination IP address is the local machine, whose destination port is 80, whose application protocol is HTTP and whose application name is Internet Explorer, the corresponding filtering processing is "allow the matched data message to pass" (i.e. accept ("ACCEPTED")); and (3) for data messages whose application protocol is a P2P protocol (for example, EMULE, BT and the like), the corresponding filtering processing is "forbid the matched data message from passing" (i.e. drop ("DROP") or reject ("REJECTED")). As can be seen, a matching rule may contain any one or more (at least one) of the above sub-items and need not match on all of them.
Conversely, when a data message arrives at data message sending cleaning module 250, the module determines, according to the source port of the data message, the process in local process 210 of the application bound to this source port (or the process of the application that sends the data message through this source port), and correspondingly determines the application name and/or application protocol. For example, when the source port of the data message is 10000, the application name (for example, Internet Explorer) and/or application protocol (for example, HTTP) of the application sending this data message can be determined according to the process bound to port 10000 (and its corresponding application name and application protocol, for example Internet Explorer and the HTTP protocol respectively). In addition, the source IP address and destination IP address of the data message can be determined from its IP header.
After having determined above-mentioned one or more in these, can carry out the data message coupling according to the predefined one or more matched rules of user.For example, the user can preset following some matched rules: (1) for target ip address be known malice third party IP address (for example, 192.168.1.200), source IP address is the machine, and source port is 10001, application protocol is RTP, and Apply Names is the data message of virus.exe, its corresponding filtration treatment is " forbidding that the data message mated passes through " (that is, abandoning (" DROP ") or refusal (" REJECTED ")); (2) for target ip address, be 192.168.1.195 for example, source IP address is the machine, and source port is 1500, application protocol is HTTP, and Apply Names is the data message of Internet Explorer, its corresponding filtration treatment is " allowing the data message of coupling to pass through " (that is, accepting (" ACCEPTED ")); And (3) for application protocol be the P2P agreement (for example, the agreement such as EMULE, BT) data message, its corresponding filtration treatment is " forbidding that the data message mated passes through " (that is, abandoning (" DROP ") or refusal (" REJECTED ")).
Certainly, the matched rule that can arrange and the number of corresponding filtration treatment are not limited to three in above-described embodiment, and can be arbitrary numbers.And in matched rule, set coupling entry also is not limited to above-mentioned source IP address, target ip address, source port, target port, application protocol, Apply Names etc.In fact, one or more in these can only be set, or one or more other (for example, source MAC, destination-mac address, COS (TOS), service quality (QoS), VLAN etc.) or their combination outside these be set.In fact, so long as the included field of each header in data message all can become the Bi Jiao item in matched rule.
In addition, for the consideration of processing speed, to relatively can occurring in kernel spacing of these occurrences of data message and matched rule, but also can occur in user's space, part in kernel spacing and part in user's space.In addition, check/add/revise/delete matched rule in order to facilitate the user, can occur in user's space for these processing of matched rule.For example, in the present embodiment, these processing can be used software development kit (SDK) and the JAVA language that Android platform provides to realize.By to the user, providing relevant user interface, can allow the user check/add/revise/delete that data message detects and filtering policy.
In one embodiment, this strategy for example can comprise [application protocol, Apply Names, destination address, source address, control switch].Wherein, application protocol, Apply Names, destination address, source address etc. have been described in detail above item, and control switch is the filter operation for the data message with 4 couplings in front.When control switch is made as permission,, when the data message of coupling being detected, allow this data message to pass through, for example, pass to local process or send to network.When control switch is made as while forbidding,, when the data message of coupling being detected, do not allow this data message to pass through, for example, directly abandon this data message.
In addition, these strategies can PARALLEL MATCHING, order coupling or mate with other any-modes.For example, in the situation that use is sequentially mated, when data message met article one matched rule, it was directly processed according to the filter operation (control switch) corresponding with article one matched rule, and without considering follow-up matched rule.Again for example, in the situation that use PARALLEL MATCHING, data message and all matched rules are mated one by one, and determine corresponding filter operation which result of determining the final filtration operation of number of (for example, according to " permission " and " forbidding ") according to the combination of the corresponding filter operation of all matched rules more.The invention is not restricted to above-mentioned various tactful processing mode.
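As an added illustration that is not part of the patent text, the following C program implements the policy tuple and the two evaluation orders described above: rules in which any item may be left unset, first-match sequential evaluation, and parallel evaluation that counts the allow/forbid results of all matching rules. The rule set reproduces the three receive-side example rules and adds one invented conflicting rule so the two orders give different answers; the "local" placeholder for the terminal's own address and the fail-closed tie rule are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Control switch of a policy: the filter operation applied to a matching message. */
enum control_switch { CS_FORBID = 0, CS_ALLOW = 1 };

/* One matching rule. A NULL string or a 0 port means "item not set": that item is
 * not compared, so a rule may consist of any subset of the items. */
struct rule {
    const char *app_protocol, *app_name, *dst_addr, *src_addr;
    int dst_port, src_port;
    enum control_switch control;
};

/* Attributes the cleaning module derives from the IP/transport headers and from
 * the process bound to the port. The string "local" is a constructed placeholder
 * for the terminal's own address ("the local host" in the description). */
struct message_info {
    const char *app_protocol, *app_name, *dst_addr, *src_addr;
    int dst_port, src_port;
};

static int str_ok(const char *rule_item, const char *msg_item)
{
    return rule_item == NULL || strcmp(rule_item, msg_item) == 0;
}

static int port_ok(int rule_port, int msg_port) { return rule_port == 0 || rule_port == msg_port; }

/* A rule matches when every item it sets equals the message's attribute. */
int rule_matches(const struct rule *r, const struct message_info *m)
{
    return str_ok(r->app_protocol, m->app_protocol) && str_ok(r->app_name, m->app_name)
        && str_ok(r->dst_addr, m->dst_addr) && str_ok(r->src_addr, m->src_addr)
        && port_ok(r->dst_port, m->dst_port) && port_ok(r->src_port, m->src_port);
}

/* Sequential matching: the first matching rule decides and later rules are not
 * considered. Returns dflt when no rule matches. */
enum control_switch match_sequential(const struct rule *rules, size_t n,
                                     const struct message_info *m, enum control_switch dflt)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], m))
            return rules[i].control;
    return dflt;
}

/* Parallel matching: every rule is evaluated and the final operation follows from
 * the counts of "allow" and "forbid" results over all matching rules. The tie rule
 * is this example's choice: a tie fails closed (forbid); no match returns dflt. */
enum control_switch match_parallel(const struct rule *rules, size_t n,
                                   const struct message_info *m, enum control_switch dflt)
{
    int allow = 0, forbid = 0;
    for (size_t i = 0; i < n; i++) {
        if (!rule_matches(&rules[i], m))
            continue;
        if (rules[i].control == CS_ALLOW) allow++; else forbid++;
    }
    if (allow + forbid == 0) return dflt;
    return allow > forbid ? CS_ALLOW : CS_FORBID;
}

/* Constructed rule set: the three receive-side example rules from the description
 * plus a fourth, invented rule that conflicts with the second, so that the
 * difference between the two evaluation orders becomes visible. */
const struct rule example_rules[] = {
    { "FTP",  "virus.exe",         "local", "192.168.1.222", 21, 0, CS_FORBID },
    { "HTTP", "Internet Explorer", "local", "192.168.1.211", 80, 0, CS_ALLOW  },
    { "P2P",  NULL,                NULL,    NULL,             0, 0, CS_FORBID },
    { NULL,   NULL,                "local", "192.168.1.211",  0, 0, CS_FORBID },
};
const size_t example_rule_count = sizeof example_rules / sizeof example_rules[0];

/* Classify one received message (destination is the local host) under either
 * order (parallel != 0), with "allow" as the default for unmatched traffic.
 * Returns 1 for allow and 0 for forbid. */
int decide_received(const char *proto, const char *app, const char *src,
                    int dst_port, int parallel)
{
    struct message_info m = { proto, app, "local", src, dst_port, 0 };
    return parallel ? match_parallel(example_rules, example_rule_count, &m, CS_ALLOW)
                    : match_sequential(example_rules, example_rule_count, &m, CS_ALLOW);
}

int main(void)
{
    printf("IE/HTTP from 192.168.1.211: sequential=%d parallel=%d\n",
           decide_received("HTTP", "Internet Explorer", "192.168.1.211", 80, 0),
           decide_received("HTTP", "Internet Explorer", "192.168.1.211", 80, 1));
    return 0;
}
```

With the conflicting fourth rule present, the same Internet Explorer message is allowed under sequential matching (rule 2 wins) but forbidden under parallel matching (one allow against one forbid).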
In addition, some or all of the matching policies (rules) and their corresponding filter operations may be displayed to the user in the chronological order in which the matching rules were configured.
In addition, logs relating to data message detection and filtering can be provided to the user. For example, when a matching data message is detected, the data message reception cleaning module 240 and/or the data message transmission cleaning module 250 may store a log relating to that data message at a designated storage location (for example, the SD card of the mobile communication terminal 100), for example, the source IP address, destination IP address, source port, destination port, application protocol and application name of the data message and the corresponding processing result (for example, allow or forbid). The user can then view the logs of data messages stored on the SD card through the provided user interface, and thereby determine, for example, whether the terminal has been attacked by a malicious third party, or which local application's traffic to which IP address has been blocked, and so on.
In addition, in some embodiments, the log may be encrypted using DES so as to prevent a third party from viewing or modifying it. Furthermore, in some embodiments, a file write lock may need to be acquired before writing the log file, so as to guarantee the consistency of the file content. For example, since many processes in the kernel receive and/or send data messages concurrently, in order to guarantee the integrity and consistency of the records in the log, a write lock must be applied to the log file each time it is written, so as to prevent multiple processes from writing to the file at the same time.
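The write-locked log append described above, as an added C example that is not from the patent: each record is appended while holding an exclusive flock() lock so that concurrent writers cannot interleave their lines, and the file is created readable only by its owner. The DES encryption the text mentions is left out; the record layout, the field order and the /tmp path are assumptions of this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <unistd.h>

/* One log entry with the fields the description lists for a matched message. */
struct filter_log_record {
    const char *src_ip, *dst_ip;
    int src_port, dst_port;
    const char *app_protocol, *app_name;
    const char *result;            /* "allow" or "forbid" */
};

/* Render the record as one text line. Returns its length, or -1 if it does not fit. */
int format_log_record(const struct filter_log_record *r, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%s %s %d %d %s %s %s\n", r->src_ip, r->dst_ip,
                     r->src_port, r->dst_port, r->app_protocol, r->app_name, r->result);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Append one record to the log file while holding an exclusive advisory lock, so
 * that several processes recording matches concurrently cannot interleave or
 * clobber each other's writes. The file is created owner-read/write only, since
 * the description wants the log protected from third parties. Returns 0 on success. */
int append_log_record(const char *path, const struct filter_log_record *r)
{
    char line[512];
    int n = format_log_record(r, line, sizeof line);
    if (n < 0)
        return -1;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_EX) != 0) {   /* blocks until no other writer holds the lock */
        close(fd);
        return -1;
    }
    ssize_t written = write(fd, line, (size_t)n);
    flock(fd, LOCK_UN);
    close(fd);
    return written == n ? 0 : -1;
}

/* Count complete lines in the log; a consistent log has exactly one per record. */
int count_log_lines(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    int lines = 0, c;
    while ((c = fgetc(f)) != EOF)
        if (c == '\n')
            lines++;
    fclose(f);
    return lines;
}

/* Self-check with two constructed records (one forbidden FTP message from the
 * example rule, one allowed HTTP message): starts from an empty file, appends both
 * under the lock and returns the number of complete lines found afterwards. */
int log_self_check(const char *path)
{
    const struct filter_log_record forbidden =
        { "192.168.1.222", "10.0.0.2", 40000, 21, "FTP", "virus.exe", "forbid" };
    const struct filter_log_record allowed =
        { "192.168.1.211", "10.0.0.2", 51000, 80, "HTTP", "Internet Explorer", "allow" };
    unlink(path);
    if (append_log_record(path, &forbidden) != 0 || append_log_record(path, &allowed) != 0)
        return -1;
    return count_log_lines(path);
}

int main(void)
{
    printf("records written: %d\n", log_self_check("/tmp/filter_log_example.txt"));
    return 0;
}
```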
Fig. 3 shows a flowchart of a data message detection and filtering method 300 according to an embodiment of the present invention. As shown in Fig. 3, the data message detection and filtering method 300 may comprise steps S310, S320 and S330, some of which may be performed separately or in combination, in parallel or in sequence, without being limited to the specific order of operations shown in Fig. 3. In some embodiments, the data message detection and filtering method 300 may be performed by the mobile communication terminal 100 shown in Fig. 1 or by a client located in the mobile communication terminal 100.
Fig. 4 shows a block diagram of the mobile communication terminal 100 for detecting and filtering data messages according to an embodiment of the present invention. As shown in Fig. 4, the terminal 100 may comprise an interception unit 410, a matching unit 420 and a filter unit 430.
In addition, the mobile communication terminal 100 may further comprise a judging unit, a user interface and/or a log unit, etc. The judging unit is used to judge whether a received data message is complete: if the data message is complete, the subsequent steps continue; otherwise, the data message is discarded directly. The user interface is used to provide the user with the ability to set and view (for example, view/add/modify/delete) the one or more detection rules, to provide the user with the ability to set and view the filtering processing, and/or to provide the user with the ability to view the logs. The log unit is used to record, when a matching data message is detected, a log relating to the matched data message. These units are optional and are therefore not shown in the drawing; their specific functions and operations are identical to those of the corresponding parts in the description above.
The method 300 and the mobile communication terminal 100 for detecting and filtering data messages according to an embodiment of the present invention are described in detail below with reference to Fig. 3 and Fig. 4.
In step S310, the interception unit 410 of the mobile communication terminal 100 may intercept, at the data message transmission interface and/or data message receiving interface of the operating system, a data message to be sent and/or a received data message.
In step S320, the matching unit 420 of the mobile communication terminal 100 may match the data message according to one or more detection rules.
In step S330, the filter unit 430 of the mobile communication terminal 100 may, for a data message that matches at least one detection rule of the one or more detection rules, perform the filtering processing corresponding to that at least one detection rule.
In some embodiments, step S310 may comprise: intercepting the data message to be sent and/or the received data message using a hook function.
In some embodiments, between step S310 and step S320 the method may further comprise: judging whether the data message is complete; if the data message is complete, continuing with the subsequent steps; otherwise, discarding the data message directly and ending the method 300.
In some embodiments, each detection rule may comprise at least one of the following: application protocol; destination address; source address; and application name.
In some embodiments, step S320 may comprise: if the data message is a data message to be sent, determining, from the source port of the data message, the application name of the application sending the data message, and then comparing at least one of the application protocol, destination address, source address and application name of the data message with the corresponding entry of at least one detection rule of the one or more detection rules, in order to determine whether the data message matches at least one detection rule of the one or more detection rules.
In some embodiments, step S320 may comprise: if the data message is a received data message, determining, from the destination port of the data message, the application name of the application that is to receive the data message, and then comparing at least one of the application protocol, destination address, source address and application name of the data message with the corresponding entry of at least one detection rule of the one or more detection rules, in order to determine whether the data message matches at least one detection rule of the one or more detection rules.
In some embodiments, the filtering processing may comprise one of the following: allowing the matched data message to pass; and forbidding the matched data message from passing.
In some embodiments, the method 300 may further comprise: providing the user with the ability to set and view said one or more detection rules.
In some embodiments, the method 300 may further comprise: providing the user with the ability to set and view said filtering processing.
In some embodiments, when a matching data message is detected, the method 300 may further comprise: recording a log relating to the matched data message.
In some embodiments, the method 300 may further comprise: providing the user with the ability to view the log.
The invention has thus been described in conjunction with the preferred embodiments. It should be understood that those skilled in the art may make various other changes, substitutions and additions without departing from the spirit and scope of the present invention. Therefore, the scope of the present invention is not limited to the specific embodiments described above, but should be defined by the appended claims.
Claims (22)
1. A method for detecting and filtering data messages, comprising:
a) intercepting, at a data message transmission interface and/or a data message receiving interface of an operating system, a data message to be sent and/or a received data message;
b) matching said data message according to one or more detection rules; and
c) for a data message that matches at least one detection rule of said one or more detection rules, performing the filtering processing corresponding to said at least one detection rule.
2. The method according to claim 1, wherein the step of intercepting the data message to be sent and/or the received data message comprises: intercepting the data message to be sent and/or the received data message using a hook function.
3. The method according to claim 1, wherein said method further comprises, between step a) and step b):
judging whether said data message is complete:
if said data message is complete, continuing with the subsequent steps;
otherwise, discarding said data message directly and ending said method.
4. The method according to claim 1, wherein each detection rule comprises at least one of the following:
application protocol;
destination address;
source address; and
application name.
5. The method according to claim 4, wherein the step of matching said data message comprises: if said data message is a data message to be sent, determining, from the source port of said data message, the application name of the application sending said data message, and then comparing at least one of the application protocol of said data message, the destination address of said data message, the source address of said data message and said application name with the corresponding entry of at least one detection rule of said one or more detection rules, to determine whether said data message matches at least one detection rule of said one or more detection rules.
6. The method according to claim 4, wherein the step of matching said data message comprises: if said data message is a received data message, determining, from the destination port of said data message, the application name of the application that is to receive said data message, and then comparing at least one of the application protocol of said data message, the destination address of said data message, the source address of said data message and said application name with the corresponding entry of at least one detection rule of said one or more detection rules, to determine whether said data message matches at least one detection rule of said one or more detection rules.
7. The method according to claim 1, wherein said filtering processing comprises one of the following:
allowing the matched data message to pass; and
forbidding the matched data message from passing.
8. The method according to claim 1, further comprising: providing the user with the ability to set and view said one or more detection rules.
9. The method according to claim 1, further comprising: providing the user with the ability to set and view said filtering processing.
10. The method according to claim 1, wherein, when a matching data message is detected, said method further comprises: recording a log relating to the matched data message.
11. The method according to claim 10, further comprising: providing the user with the ability to view said log.
12. A device for detecting and filtering data messages, comprising:
an interception unit for intercepting, at a data message transmission interface and/or a data message receiving interface of an operating system, a data message to be sent and/or a received data message;
a matching unit for matching said data message according to one or more detection rules; and
a filter unit for performing, for a data message that matches at least one detection rule of said one or more detection rules, the filtering processing corresponding to said at least one detection rule.
13. The device according to claim 12, wherein said interception unit is further for: intercepting the data message to be sent and/or the received data message using a hook function.
14. The device according to claim 12, wherein said device further comprises:
a judging unit for judging whether said data message is complete:
if said data message is complete, continuing with the subsequent steps;
otherwise, discarding said data message directly.
15. The device according to claim 12, wherein each detection rule comprises at least one of the following:
application protocol;
destination address;
source address; and
application name.
16. The device according to claim 15, wherein said matching unit is further for: if said data message is a data message to be sent, determining, from the source port of said data message, the application name of the application sending said data message, and then comparing at least one of the application protocol of said data message, the destination address of said data message, the source address of said data message and said application name with the corresponding entry of at least one detection rule of said one or more detection rules, to determine whether said data message matches at least one detection rule of said one or more detection rules.
17. The device according to claim 15, wherein said matching unit is further for: if said data message is a received data message, determining, from the destination port of said data message, the application name of the application that is to receive said data message, and then comparing at least one of the application protocol of said data message, the destination address of said data message, the source address of said data message and said application name with the corresponding entry of at least one detection rule of said one or more detection rules, to determine whether said data message matches at least one detection rule of said one or more detection rules.
18. The device according to claim 12, wherein said filtering processing comprises one of the following:
allowing the matched data message to pass; and
forbidding the matched data message from passing.
19. The device according to claim 12, further comprising: a user interface for providing the user with the ability to set and view said one or more detection rules.
20. The device according to claim 12, further comprising: a user interface for providing the user with the ability to set and view said filtering processing.
21. The device according to claim 12, wherein said device further comprises: a log unit for recording, when a matching data message is detected, a log relating to the matched data message.
22. The device according to claim 21, further comprising: a user interface for providing the user with the ability to view said log.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2013103670833A CN103414725A (en) | 2013-08-21 | 2013-08-21 | Method and device used for detecting and filtering data message |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103414725A true CN103414725A (en) | 2013-11-27 |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20131127