CN105101210A - Wireless security based client automatic connection protecting method and system - Google Patents

Wireless security based client automatic connection protecting method and system

Publication number
CN105101210A
Authority
CN
China
Prior art keywords
base station
information
client computer
history
wireless
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510531851.3A
Other languages
Chinese (zh)
Inventor
吴旭莲
臧玉生
刘红光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shield Woo (shanghai) Mdt Infotech Ltd
Original Assignee
Shield Woo (shanghai) Mdt Infotech Ltd
Application filed by Shield Woo (shanghai) Mdt Infotech Ltd
Priority to CN201510531851.3A
Publication of CN105101210A
Priority to PCT/CN2016/101526 (WO2017032346A1)
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H04W12/088 Access security using filters or firewalls
    • H04W12/12 Detection or prevention of fraud

Abstract

The invention provides a wireless security based client automatic connection protecting method. The method comprises: step 1, obtaining information of a to-be-identified connection object, wherein the information of the to-be-identified connection object comprises base station information and/or authentication information corresponding to the base station; and step 2, carrying out authenticity identification for the to-be-identified connection object based on a matching result of the information of the to-be-identified connection object and the local historical connection object information of the client, wherein the historical connection object information comprises historical base station information and/or historical authentication information. The invention also provides a corresponding system. Given that current clients lack automatic connection protection, a scheme is provided in which the client side actively builds a wireless automatic connection protection mechanism, so that the client can actively identify a pseudo base station and thereby guarantee its own information security.

Description

Wireless security based client automatic connection protecting method and system
Technical field
The present invention relates to network security, and in particular to a wireless security based client automatic connection protecting method and system.
Background
As China's plan for nationwide network coverage advances, clients have gradually become able to connect to a network anytime and anywhere, but at the same time wireless network security has drawn increasing concern.
Wireless security usually consists of two parts, base station security and client security. Base station security is the more common of the two: the base station side manages the access point, using measures such as password protection and connection restrictions to keep the base station secure and stable. However, since most base station security cannot be actively controlled by the client, the client is always passive in a wireless connection. Although the client has the right to choose, the traditional SSID + password verification is too simple: once the client connects to a pseudo base station set up as a decoy, the client's personal information can be intercepted at will. Therefore, the client side must take certain security precautions during the wireless connection process to actively protect personal information. Common technical solutions in current connection security include:
(a) Virus scanning and removal: security software inspects the system, finds the "problem" programs present in it, and restricts or deletes them.
(b) Installing a specific security application: temporary data and stored data in the security application are usually encrypted to prevent leakage and tampering.
(c) Restricting access to critical files: system-level modifications make the data storage location unobtainable from outside or inaccessible without permission.
However, these conventional solutions have various unavoidable problems when protecting client information security:
(a) The definition of a "problem" program is rather fuzzy, so viruses are easily missed or killed by mistake. Moreover, antivirus products often have competing interests, and once they conflict with one another, behaviour that hijacks the user can occur.
(b) Such security applications have narrow coverage, and because of their specificity they tend to be forcibly bundled and imposed on the client. Meanwhile, encrypted data can still be cracked with some probability, so its information security cannot be fundamentally guaranteed.
(c) System-level modification requires high administrator privileges, which is a high threshold for ordinary client users and so lacks generality; non-professional modification may also affect system stability.
A search of the prior art found the following related documents.
Related search result 1:
Title: Method and station for wireless local area network access point verification
Patent application number: CN201110337877.6
Application publication number: CN103096301A
This invention discloses a method and station for wireless local area network access point verification, relating to the communications field. It addresses the problem that a disguised AP steals the information of a STA user, or steers the STA user onto an illegitimate network to carry out illegal acts, causing losses to the STA user. The method comprises: obtaining the access point identifier information element sent by the access point; and verifying the access point according to that access point identifier information element. A verification request information element is sent to the access point, instructing the access point to return a verification response information element; the verification response information element returned by the access point is obtained; and the access point is verified according to that verification response information element.
Comparison of technical points:
This patent document is base-station-side verification: the access point must provide a verification method based on the access point identity information element before the verification request sent by the user can take effect and be correctly answered, so this patent document requires changes on the base station side. The present invention instead works from historical base station information, so the entire authenticity identification is completed on the client and involves no change on the base station side.
Related search result 2:
Title: Method, client, server and system for identifying false wifi
Patent application number: CN201410447084.3
Application publication number: CN104219670A
The invention provides a method, client, server and system for identifying false wifi, belonging to the field of wireless network security. The method comprises: the client scans the service set identifier (SSID) of a wifi network and obtains the MAC address corresponding to that SSID; the MAC address is looked up in a MAC address library; and when the query result shows that the MAC address exists and is in the MAC blacklist of the MAC address library, the SSID corresponding to that MAC address is marked as false.
Comparison of technical points:
This patent document identifies pseudo base stations using the MAC blacklist of a MAC address library that records forged false wifi. However, it does not explain how a decoy pseudo base station that has not yet carried out any deceptive behaviour would be added to the blacklist, so such decoy pseudo base stations remain outside the blacklist for a long time. In the present invention, a pseudo base station can be identified before the data connection even if it has not yet carried out any deceptive behaviour.
Related search result 3:
Title: Method and device for monitoring pseudo wireless access points (AP)
Patent application number: CN201410638322.9
Application publication number: CN104349325A
This invention discloses a method and device for monitoring pseudo wireless access points (AP). In the method, each legitimate AP deployed by the operator monitors for pseudo APs as follows: the multiple legitimate APs managed by the operator are deployed in a honeycomb networking scheme; each legitimate AP works on an assigned channel and, while transmitting data, scans the beacon frames sent by nearby APs; the scanned AP information is extracted from the obtained beacon frames; the extracted AP information is compared with a legitimate AP information database, which stores the information of legitimate APs; and when the extracted AP information is not in the legitimate AP information database, the scanned AP is judged to be a pseudo AP.
Comparison of technical points:
On the one hand, this patent document relies on a legitimate AP database provided by the operator as the basis for matching; it is base-station-side verification, not client-side verification. Even if a legitimate AP identifies a pseudo AP, first, the client has no way of learning that this pseudo AP was found; second, even if the legitimate AP could notify the client that a pseudo AP was found, the client cannot determine whether the AP sending this notification is itself a legitimate AP or a pseudo AP. The present invention works from the client's perspective and does not rely on an operator-provided legitimate AP database as the basis for matching.
On the other hand, a pseudo AP in this patent document means an illegitimate, unregistered AP; the problem of decoy information introduced by resetting and reconfiguring a legitimate AP is not considered, whereas the present invention is effective against decoy pseudo base stations. Furthermore, since a legitimate AP can scan the beacon frames sent by nearby APs, a pseudo base station can scan them equally well; if the pseudo base station disguises its own beacon frames as those sent by a nearby AP and uses its signal transmission power to drown out the legitimate AP, the decoy still succeeds. Such a decoy technique does not work against the present invention.
In addition, this patent document gives a technical teaching exactly opposite to that of the present invention. Specifically, paragraph [0004] of its specification states: "current countermeasures against pseudo APs mainly include ... adding a pseudo AP monitoring function on the mobile phone ... a corresponding application must be installed on the user's phone, and every time the user enters a new wireless local area network the data must be updated again, making seamless monitoring of pseudo APs difficult".
Related search result 4:
Title: System and method for implementing wireless authentication encryption for mobile terminals
Patent application number: CN201410837945.9
Application publication number: CN104468626A
This invention relates to a system and method for implementing wireless authentication encryption for mobile terminals, comprising: a mobile terminal, which sends its own IMEI to the network access point when first establishing communication with it, and which sends an authentication request packet containing its own IMEI to the network access point when authentication with the original wireless connection password fails; and a network access point, which stores the IMEI and MAC address corresponding to the mobile terminal and authenticates the mobile terminal when authentication with the original wireless connection password fails. With this system and method, after the wireless connection password on the AP has been changed, a mobile terminal that has previously connected to this AP can authenticate using its IMEI and regenerate the encryption key based on the IMEI, which makes network connection easier for mobile terminal users, improves user experience, and has a wide range of applications.
Comparison of technical points:
This patent document addresses a technical problem entirely different from that of the present invention. It proposes using the IMEI and MAC address as new identification labels in place of the conventional combination of SSID and password, so that the client can still connect even after the password of a historical AP has been changed; this is a matter of convenience. The object of the present invention, by contrast, is to use combinations of various identifiers to achieve personal information security.
Summary of the invention
In view of the defects in the prior art, the object of the present invention is to provide a wireless security based client automatic connection protecting method and system, thereby solving the problem that current clients automatically connect to a base station based only on SSID and password and therefore have no self-protection during automatic connection.
A wireless security based client automatic connection protecting method provided by the present invention comprises the following steps:
Step 1: obtain information of a to-be-identified connection object, wherein the information of the to-be-identified connection object comprises base station information and/or authentication information corresponding to the base station;
Step 2: carry out authenticity identification for the to-be-identified connection object according to the matching result of the information of the to-be-identified connection object and the local historical connection object information of the client;
wherein the historical connection object information comprises historical base station information and/or historical authentication information.
Preferably, the historical base station information comprises any one or more of the following:
- historical information formed from the base station of the client's previous data connection;
- historical information formed from the base station of the client's current data connection;
- a historical base station information table held by the client.
Preferably, the historical authentication information comprises:
- feedback information given to the client by the authentication website corresponding to the base station.
Preferably, step 1 comprises the following step, performed before the client makes a data connection with the base station:
Step 1.1: obtain the first wireless identification information and the second wireless identification information of the base station;
Step 2 comprises the following step, performed before the client makes a data connection with the base station:
Step 2.1: match the combination of the first wireless identification information and the second wireless identification information against the historical base station information, and carry out authenticity identification for the base station according to the matching result;
wherein the combination of the first wireless identification information and the second wireless identification information is denoted the expression label.
Preferably, step 1.1 comprises the following step:
- when obtaining the second wireless identification information of the base station, randomly take one item of non-default authentication information of the base station, or a combination of several items of non-default authentication information, as the second wireless identification information of the base station.
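Steps 1.1 and 2.1 can be sketched as follows. This is an added example, not code from the patent or its applicant. It assumes the first wireless identification information is the SSID and that the second is drawn from a hypothetical set of attributes visible before connecting (BSSID, security mode, channel, vendor OUI); all class and function names are illustrative.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass

# Attributes a client can observe before the data connection (assumed set).
SECOND_ID_FIELDS = ("bssid", "security", "channel", "vendor_oui")


@dataclass(frozen=True)
class BaseStation:
    ssid: str        # first wireless identification information (assumption)
    bssid: str
    security: str
    channel: int
    vendor_oui: str


@dataclass(frozen=True)
class ExpressionLabel:
    ssid: str
    fields: tuple    # which attributes form the second identification
    digest: str      # SHA-256 over the chosen attribute values


def digest_fields(station, fields):
    """Hash the selected attribute values in a fixed, unambiguous order."""
    material = "\x1f".join(f"{name}={getattr(station, name)}" for name in fields)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def make_label(station, rng=None):
    """Step 1.1: randomly pick one attribute, or a combination, as second ID."""
    if rng is None:
        rng = random.SystemRandom()
    count = rng.randint(1, len(SECOND_ID_FIELDS))
    fields = tuple(sorted(rng.sample(SECOND_ID_FIELDS, count)))
    return ExpressionLabel(station.ssid, fields, digest_fields(station, fields))


class HistoryTable:
    """Client-local historical base station information, keyed by SSID."""

    def __init__(self):
        self._labels = {}

    def remember(self, station, rng=None):
        label = make_label(station, rng)
        self._labels.setdefault(station.ssid, []).append(label)
        return label

    def identify(self, station):
        """Step 2.1: return 'unknown', 'genuine' or 'pseudo' before connecting."""
        labels = self._labels.get(station.ssid)
        if not labels:
            return "unknown"      # no history for this SSID, so no auto-connect
        for label in labels:
            seen = digest_fields(station, label.fields)
            if hmac.compare_digest(seen, label.digest):
                return "genuine"
        return "pseudo"           # SSID is in history, expression label is not


# Constructed sample data, not taken from the patent.
FIRST_AP = BaseStation("CoffeeShop", "00:11:22:33:44:55", "WPA2-PSK", 6, "00:11:22")
SECOND_AP = BaseStation("CoffeeShop", "00:11:22:33:44:66", "WPA2-PSK", 11, "00:11:22")
LOOKALIKE = BaseStation("CoffeeShop", "02:aa:bb:cc:dd:ee", "OPEN", 1, "02:aa:bb")
STRANGER = BaseStation("AirportFree", "02:aa:bb:cc:dd:ef", "OPEN", 1, "02:aa:bb")


def demo():
    history = HistoryTable()
    history.remember(FIRST_AP)
    history.remember(SECOND_AP)   # two real access points may share one SSID
    scanned = (FIRST_AP, SECOND_AP, LOOKALIKE, STRANGER)
    return [history.identify(station) for station in scanned]


if __name__ == "__main__":
    print(demo())
```

A base station that reproduces every attribute in the stored label still matches, so the label raises the bar above SSID + password without proving identity. A "pseudo" verdict is the case where the client should warn the user or block the automatic connection.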
Preferably, step 1 comprises the following step:
Step 1-1: treat a connection actively initiated by the client as a reliable connection; store locally, as historical base station information, the base station information obtained when this reliable connection is initiated, and/or take the authentication information of the authentication website corresponding to this base station as historical authentication information;
Step 2 comprises the following step, performed while the client has a data connection with the base station:
Step 2-1: as the data connection continues over time, judge whether subsequently obtained base station information matches the historical base station information, and/or whether subsequently obtained authentication information of the authentication website corresponding to the base station matches the historical authentication information.
Preferably, the base station information comprises a firmware label, and the method of obtaining the base station information comprises the following steps:
Step I1: receive the response and/or feedback message that the base station and/or the authentication website corresponding to the base station returns for a message sent by the client;
Step I2: extract keywords from the response and/or feedback message and compose them into a firmware label used as base station information.
Preferably, the message sent by the client refers to a message that the client sends, within a reliable connection, to the firmware device of the base station and/or the authentication website corresponding to the base station.
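Steps 1-1, 2-1, I1 and I2 can be illustrated together: a firmware label is built from the first response in a reliable connection and later responses are rechecked against it. This is an added example, not code from the patent. It assumes the client's message is an HTTP request to the base station's management page and that the keywords are the Server header, the authentication realm and the page title; the responses are constructed samples.

```python
import re


def firmware_label(raw_response):
    """Steps I1/I2: extract keywords from a response and compose a firmware label."""
    head, _, body = raw_response.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    label = {}
    if headers.get("server"):
        label["server"] = headers["server"]
    realm = re.search(r'realm="([^"]*)"', headers.get("www-authenticate", ""))
    if realm:
        label["realm"] = realm.group(1)
    title = re.search(r"<title>(.*?)</title>", body, re.IGNORECASE | re.DOTALL)
    if title:
        label["title"] = " ".join(title.group(1).split())
    return tuple(sorted(label.items()))


class ReliableConnection:
    """Step 1-1: a connection the client initiated, with its label kept as history."""

    def __init__(self, first_response):
        self.history_label = firmware_label(first_response)
        if not self.history_label:
            raise ValueError("response carried no keywords for a firmware label")

    def recheck(self, later_response):
        """Step 2-1: return the keyword names that no longer match history."""
        current = dict(firmware_label(later_response))
        return sorted(k for k, v in self.history_label if current.get(k) != v)


# Constructed sample responses, not captured from any real device.
FIRST_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: ExampleRouter-httpd/2.1\r\n"
    'WWW-Authenticate: Basic realm="ExampleRouter AC1200"\r\n'
    "\r\n"
    "<html><head><title>ExampleRouter  Login</title></head></html>"
)
LATER_SAME = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: ExampleRouter-httpd/2.1\r\n"
    'WWW-Authenticate: Basic realm="ExampleRouter AC1200"\r\n'
    "\r\n"
    "<html><head><TITLE>ExampleRouter Login</TITLE></head></html>"
)
LATER_SWAPPED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: demo-portal/0.1\r\n"
    "\r\n"
    "<html><head><title>Free WiFi Portal</title></head></html>"
)
LATER_TITLE_ONLY = LATER_SAME.replace("ExampleRouter Login", "Sign in to continue")


def demo():
    conn = ReliableConnection(FIRST_RESPONSE)
    responses = (LATER_SAME, LATER_TITLE_ONLY, LATER_SWAPPED)
    return [conn.recheck(r) for r in responses]


if __name__ == "__main__":
    for changed in demo():
        print("match" if not changed else "mismatch on " + ", ".join(changed))
```

An empty list from `recheck` means the base station still answers as it did when the reliable connection was initiated; any listed keyword marks the point where the client should warn or drop the connection.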
Preferably, step 1 comprises the following steps, performed before the client logs in to the authentication website corresponding to the base station:
Step 101: obtain the site label of the authentication website corresponding to the base station;
Step 102: match the site label against the historical authentication information, and carry out authenticity identification for the base station according to the matching result.
A wireless security based client automatic connection protecting system provided by the present invention comprises the following devices:
First acquisition device: obtains information of a to-be-identified connection object, wherein the information of the to-be-identified connection object comprises base station information and/or authentication information corresponding to the base station;
First recognition device: carries out authenticity identification for the to-be-identified connection object according to the matching result of the information of the to-be-identified connection object and the local historical connection object information of the client;
wherein the historical connection object information comprises historical base station information and/or historical authentication information.
Preferably, the historical base station information comprises any one or more of the following:
- historical information formed from the base station of the client's previous data connection;
- historical information formed from the base station of the client's current data connection;
- a historical base station information table held by the client.
Preferably, the historical authentication information comprises:
- feedback information given to the client by the authentication website corresponding to the base station; the client's previous login to the website corresponding to the base station.
Preferably, the first acquisition device comprises the following device:
Second acquisition device: before the client makes a data connection with the base station, obtains the first wireless identification information and the second wireless identification information of the base station;
The first recognition device comprises the following device:
Second recognition device: before the client makes a data connection with the base station, matches the combination of the first wireless identification information and the second wireless identification information against the historical base station information, and carries out authenticity identification for the base station according to the matching result;
wherein the combination of the first wireless identification information and the second wireless identification information is denoted the expression label.
Preferably, the second acquisition device comprises the following device:
- First policy device: when obtaining the second wireless identification information of the base station, randomly takes one item of non-default authentication information of the base station, or a combination of several items of non-default authentication information, as the second wireless identification information of the base station.
Preferably, the first acquisition device comprises the following device:
Third acquisition device: treats a connection actively initiated by the client as a reliable connection; stores locally, as historical base station information, the base station information obtained when this reliable connection is initiated, and/or takes the authentication information of the authentication website corresponding to this base station as historical authentication information;
The first recognition device comprises the following device:
Third recognition device: while the client has a data connection with the base station, judges, as the data connection continues over time, whether subsequently obtained base station information matches the historical base station information, and/or whether subsequently obtained authentication information of the authentication website corresponding to the base station matches the historical authentication information.
Preferably, the wireless security based client automatic connection protecting system further comprises a first receiving device and a first extraction device; the base station information comprises a firmware label, and the method of obtaining the base station information is performed by the following devices:
First receiving device: receives the response and/or feedback message that the base station and/or the authentication website corresponding to the base station returns for a message sent by the client;
First extraction device: extracts keywords from the response and/or feedback message and composes them into a firmware label used as base station information.
Preferably, the message sent by the client refers to a message that the client sends, within a reliable connection, to the firmware device of the base station and/or the authentication website corresponding to the base station.
Preferably, the first acquisition device comprises the following devices:
Fourth acquisition device: before the client logs in to the authentication website corresponding to the base station, obtains the site label of the authentication website corresponding to the base station;
Fourth recognition device: before the client logs in to the authentication website corresponding to the base station, matches the site label against the historical authentication information, and carries out authenticity identification for the base station according to the matching result.
Compared with the prior art, the present invention has the following beneficial effects:
Given that current clients lack automatic connection protection, the present invention provides a scheme in which the client side actively builds a wireless automatic connection protection mechanism. Before the wireless data connection, the base station hotspot of the to-be-identified connection object is identified to check whether it is the same as (or of the same class as) a historical base station; according to the level of security warning, the match is screened and the client is informed, or the connection is controlled directly, so that the client can actively identify a pseudo base station and thereby guarantee its own information security. In particular, when a target base station disguises itself, by SSID and password, as a base station the client has historically connected to, the client can actively identify the pseudo base station when attempting to connect and prompt the user.
Description of the drawings
Other features, objects and advantages of the present invention will become more apparent from the detailed description of non-limiting embodiments given with reference to the following drawings:
Fig. 1 is a structural diagram of the wireless security based client automatic connection protecting system provided by the present invention;
Fig. 2 is a flow diagram of the wireless security based client automatic connection protecting method provided by the present invention;
Fig. 3 is a schematic diagram of the principle of conventional client automatic connection;
Fig. 4 is a schematic diagram of the principle of client automatic connection protection in the present invention;
Fig. 5 is a workflow diagram of a preferred application example of the present invention.
Detailed description of the embodiments
The present invention is described in detail below with reference to specific embodiments. The following embodiments will help those skilled in the art to further understand the present invention, but do not limit the present invention in any form. It should be pointed out that those skilled in the art can make a number of changes and improvements without departing from the concept of the present invention. These all fall within the protection scope of the present invention.
A wireless security based client automatic connection protecting system provided by the present invention comprises the following devices:
First acquisition device: obtains information of a to-be-identified connection object, wherein the information of the to-be-identified connection object comprises base station information and/or authentication information corresponding to the base station;
First recognition device: carries out authenticity identification for the to-be-identified connection object according to the matching result of the information of the to-be-identified connection object and the local historical connection object information of the client;
wherein the historical connection object information comprises historical base station information and/or historical authentication information.
Further, the historical base station information comprises any one or more of the following:
- historical information formed from the base station of the client's previous data connection;
- historical information formed from the base station of the client's current data connection;
- a historical base station information table held by the client.
Further, the historical authentication information comprises:
- feedback information given to the client by the authentication website corresponding to the base station.
Preferably, the first acquisition device comprises the following device:
Second acquisition device: before the client makes a data connection with the base station, obtains the first wireless identification information and the second wireless identification information of the base station;
The first recognition device comprises the following device:
Second recognition device: before the client makes a data connection with the base station, matches the combination of the first wireless identification information and the second wireless identification information against the historical base station information, and carries out authenticity identification for the base station according to the matching result;
wherein the combination of the first wireless identification information and the second wireless identification information is denoted the expression label.
The second acquisition device comprises the following device:
- First policy device: when obtaining the second wireless identification information of the base station, randomly takes one item of non-default authentication information of the base station, or a combination of several items of non-default authentication information, as the second wireless identification information of the base station.
Preferably, the first acquisition device comprises the following device:
Third acquisition device: treats a connection actively initiated by the client as a reliable connection; stores locally, as historical base station information, the base station information obtained when this reliable connection is initiated, and/or takes the authentication information of the authentication website corresponding to this base station as historical authentication information;
The first recognition device comprises the following device:
Third recognition device: while the client has a data connection with the base station, judges, as the data connection continues over time, whether subsequently obtained base station information matches the historical base station information, and/or whether subsequently obtained authentication information of the authentication website corresponding to the base station matches the historical authentication information.
The wireless security based client automatic connection protecting system further comprises a first receiving device and a first extraction device; the base station information comprises a firmware label, and the method of obtaining the base station information is performed by the following devices:
First receiving device: receives the response and/or feedback message that the base station and/or the authentication website corresponding to the base station returns for a message sent by the client;
First extraction device: extracts keywords from the response and/or feedback message and composes them into a firmware label used as base station information.
The message sent by the client refers to a message that the client sends, within a reliable connection, to the firmware device of the base station and/or the authentication website corresponding to the base station.
Preferably, the first acquisition device comprises the following devices:
Fourth acquisition device: before the client logs in to the authentication website corresponding to the base station, obtains the site label of the authentication website corresponding to the base station;
Fourth recognition device: before the client logs in to the authentication website corresponding to the base station, matches the site label against the historical authentication information, and carries out authenticity identification for the base station according to the matching result.
The described client computer based on wireless security, from connecting protection system, can be realized from the process step connecting guard method by a kind of client computer based on wireless security.From connecting guard method, the described client computer based on wireless security can be interpreted as that the described client computer based on wireless security is from the embodiment connecting protection system by those skilled in the art.The described client computer based on wireless security is from connecting guard method, specific as follows.
According to a kind of client computer based on wireless security provided by the invention from connecting guard method, comprise the steps:
Step 1: obtain connecting object information to be identified;
Step 2: perform truth identification on the connecting object to be identified, according to the result of matching the connecting object information to be identified against the history connecting object information stored locally on the client computer.
The client computer can connect wirelessly (for example by a short-range wireless technology such as wifi) to a base station (for example a wifi base station) to join the wireless local area network of that base station, and then reach the Internet through the base station. The client computer can be a smartphone; it can also be an Internet-of-Things terminal, such as the routing box of a household appliance. The base station is a wireless base station.
The connecting object to be identified can be a base station; in that case the connecting object information to be identified is base station information, and the history connecting object information is history base station information. The connecting object to be identified can also be an authentication platform corresponding to the base station (for example a certification website); in that case the connecting object information to be identified is the authentication information corresponding to the base station, and the history connecting object information is history authentication information. The history connecting object information can be formed by the client computer recording locally all or part of the information of a true base station and/or a true certification website.
Step 1 can be executed at various times. It can be executed before the client computer establishes a real connection with the base station. It can also be executed while a real connection between the client computer and the base station is established; in practice, steps 1 and 2 can be executed repeatedly during the real connection, to identify whether the object the client computer is currently connected to is the true base station or a pseudo base station whose signal transmission power is stronger than that of the true base station. Here, a real connection means a data connection; that is, the object of the invention is to prevent a pseudo base station from obtaining the client computer's data (especially private data).
It should be noted that the connecting object to be identified comprises objects with which a data connection is yet to be established and objects with which a data connection is to be kept. Specifically, the connecting object to be identified can be an object with which the client computer has not yet established a data connection, where the truth identification result decides whether the data connection will be established; correspondingly, the connecting object information to be identified comprises information on the object with which a data connection is yet to be established. The connecting object to be identified can also be an object with which the client computer has already established a data connection, where the truth identification result decides whether the data connection can be kept; correspondingly, the connecting object information to be identified comprises information on the object with which the data connection is to be kept. Further, after the client computer has established a data connection with a true base station, a pseudo base station whose transmitting power is greater than that of the true base station will interfere with and shield the true base station, forcing the client computer to connect to the pseudo base station. Therefore, even if the client computer has a data connection with the true base station at the current moment, it cannot be ruled out that at the next moment it will be forced onto a pseudo base station during the data connection. For the client computer, whether to continue the data connection at the next moment therefore requires truth identification; that is, the base station at the next moment is a connecting object to be identified, and the client computer keeps the data connection, or connects again, only after its truth has been identified.
In step 2, if the connecting object information to be identified matches the history connecting object information stored locally on the client computer, the connecting object to be identified is identified as true; if it does not match, the connecting object to be identified is identified as pseudo. The history connecting object information comprises history base station information and/or history authentication information.
"Local to the client computer" means local relative to the base station and the Internet; for example, it can be a storage device inside the client computer, or a storage device belonging to the same sub-terminal as the client computer.
The history base station information can be historical information formed from a base station to which the client computer previously had a data connection. It can be formed as follows: relative to the moment when the client computer prepares to perform truth identification on the base station with which a data connection is now to be established, the client computer, after previously actively establishing a data connection with a base station, stored that base station's information as the historical information. Preferably, "previously" refers to the first time in history or to the immediately preceding time.
The history base station information can also be historical information formed from the base station of the current data connection. It can be formed as follows: after the client computer actively establishes the current data connection with the base station, it immediately (for example in the next time slot) stores the base station information as the historical information; then, during the data connection, when base station information is obtained again, the stored information constitutes historical information relative to the newly obtained information.
The history base station information can also be a history base station information table held by the client computer, in which the recorded base station information is preferably preset. For example, if the base stations that the client computer may connect to are to be restricted to a limited number of designated base stations, the information of those base stations can be written into the history base station information table in advance.
The history authentication information comprises feedback information given to the client computer by the certification website corresponding to the base station. For example, this feedback information can be historical information formed when the client computer previously logged in to the certification website corresponding to the base station, or it can be the authentication feedback that the website returns this time for a special message.
The history authentication information can be historical information formed when the client computer previously logged in to the certification website corresponding to the base station. In public places in a city (for example transport stations and restaurants), wifi hotspots are built so that users can get online efficiently and conveniently. When a user wants a smartphone to access a wifi hotspot, the smartphone first has to log in to the certification website corresponding to that hotspot (for example the certification website of i-Shanghai) to obtain an online password (the wifi security key); a client computer that has the online password can then access the wifi hotspot and connect to the Internet. The historical information can be formed as follows: relative to the moment when the client computer prepares to perform truth identification on the certification website it is about to log in to, before sending login information, the client computer, after previously actively establishing a data connection with the base station, stored the site information of the certification website corresponding to that base station as the historical information. Preferably, "previously" refers to the first time in history or to the immediately preceding time.
When a pseudo base station is recognized, the user can be informed by a security prompt, and the user decides whether to reconnect. The user can accept a new, inconsistent base station by granting it trust (adding or replacing), clearing or updating the history base station information, so that the base station recognized as pseudo is treated as a true base station.
In one preferred example, the connecting object to be identified is a base station with which no data connection exists yet, so truth identification must be performed on the base station before the data connection. If it is a true base station, the client computer establishes a data connection with it; if it is a pseudo base station, the client computer generates a pseudo base station prompt. Specifically, the wireless identification information of the base station can be used as the basis for telling true and pseudo base stations apart, which gives the client computer self-protection for the connections it actively initiates.
Step 1 comprises the following step, executed before the client computer has a data connection with the base station:
Step 1.1: obtain the first wireless identification information and the second wireless identification information of the base station;
Step 2 comprises the following step, executed before the client computer has a data connection with the base station:
Step 2.1: match the combination of the first wireless identification information and the second wireless identification information against the history base station information, and perform truth identification on the base station according to the matching result;
The combination of the first wireless identification information and the second wireless identification information is referred to as the expression label.
The first wireless identification information can be the plaintext identification information of the base station. Plaintext identification information is public information that a pseudo base station can obtain, copy and use for camouflage, such as the base station's SSID (Service Set Identifier), ESSID (Extended Service Set Identifier), the network name of the local area network where the base station is located, BSSID (Basic Service Set Identifier), channel, and device address. In a mobile-phone WLAN, the ESSID can be regarded as the wifi network name. Correspondingly, the second wireless identification information can be wireless identification information other than the plaintext identification information, referred to as ciphertext identification information, such as equipment manufacturer information. In a mobile-phone WLAN, the BSSID is the MAC address of the wireless router. Here, "random" is with respect to the base station: from the base station's point of view the selection follows no rule and is not fixed. If the second wireless identification information were not random, for example if it were a fixed set of several items of ciphertext identification information, a pseudo base station could set those items in advance to achieve camouflage. When the second wireless identification information is random, it is difficult for a pseudo base station to know in advance which ciphertext identification information it needs to imitate. For example, the second wireless identification information is sometimes one kind of ciphertext identification information and sometimes several kinds, and both the number of kinds and the kinds themselves can change with each acquisition of base station information, so that the pseudo base station cannot find a pattern.
The first wireless identification information can also be the default authentication information for connecting to the base station. Default authentication information is the base station information that the client computer necessarily obtains when it searches for or discovers the base station, such as the base station's SSID (Service Set Identifier), ESSID (Extended Service Set Identifier) or the network name of the local area network where it is located. When the second wireless identification information of the base station is obtained, one kind of non-default authentication information of the base station, or a combination of several kinds, is chosen at random as the second wireless identification information. Here, "random" is with respect to the base station: from the base station's point of view the selection follows no rule and is not fixed. If the second wireless identification information were not random, for example if it were a fixed set of several items of non-default authentication information, a pseudo base station could set those items in advance to achieve camouflage. When the second wireless identification information is random, it is difficult for a pseudo base station to know in advance which non-default authentication information it needs to imitate. For example, the second wireless identification information is sometimes one kind of non-default authentication information and sometimes several kinds, and both the number of kinds and the kinds themselves can change with each acquisition of base station information, so that the pseudo base station cannot find a pattern.
For example, a traditional client computer uses only the ESSID as the basis for identifying a base station. As shown in Figure 3, a pseudo base station can simply disguise its own ESSID as "abc", "xyz" or "123". In the present invention, before a data connection is established, the client computer defines the expression label as the combination of ESSID, BSSID and channel, rather than using the ESSID alone to identify the base station. Once the observed wireless identification information does not completely match this combination, the client computer informs the user that the ESSID must be specified manually and does not connect automatically, because the target base station may not be one to which a secure data connection was made in history and may be a pseudo base station. As shown in Figure 4, with the expression label defined as the combination of ESSID, BSSID and channel, a base station is identified as a pseudo base station as soon as any one of its ESSID, BSSID and channel causes the combination not to match the history base station information; the items that cause the mismatch are underlined in Figure 4.
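The pre-connection check of steps 1.1 and 2.1, as an added Python example that is not code from the patent: the expression label is the ESSID plus a randomly drawn subset of second identifiers, matched against locally stored history. The field names, the set of second identifiers and all sample records are assumptions constructed for illustration.

```python
import random

# Candidate second identifiers (assumed set; the text names BSSID, channel
# and equipment manufacturer information).
SECOND_FIELDS = ("bssid", "channel", "vendor")

# Constructed history: one base station the client connected to before.
HISTORY = [{"essid": "abc", "bssid": "02:00:00:aa:bb:01", "channel": 6, "vendor": "VendorA"}]

# Constructed scan results.
GENUINE = {"essid": "abc", "bssid": "02:00:00:aa:bb:01", "channel": 6, "vendor": "VendorA"}
ESSID_CLONE = {"essid": "abc", "bssid": "02:00:00:cc:dd:09", "channel": 11, "vendor": "VendorZ"}
PARTIAL_CLONE = {"essid": "abc", "bssid": "02:00:00:aa:bb:01", "channel": 6, "vendor": "VendorZ"}
NEVER_SEEN = {"essid": "xyz", "bssid": "02:00:00:ee:ff:02", "channel": 1, "vendor": "VendorB"}


def expression_label(ap, second_fields):
    """ESSID (first identifier) combined with the chosen second identifiers."""
    return (ap["essid"],) + tuple((f, ap[f]) for f in sorted(second_fields))


def draw_second_fields(rng):
    """Pick one or several second identifiers; the draw changes per acquisition."""
    count = rng.randint(1, len(SECOND_FIELDS))
    return tuple(rng.sample(SECOND_FIELDS, count))


def identify(ap, history, second_fields):
    """Step 2.1: return 'true', 'pseudo', or 'unknown' (no history for this ESSID)."""
    records = [h for h in history if h["essid"] == ap["essid"]]
    if not records:
        return "unknown"  # never connected before: manual connection only
    wanted = expression_label(ap, second_fields)
    if any(expression_label(h, second_fields) == wanted for h in records):
        return "true"
    return "pseudo"


def auto_connect_decision(ap, history, rng, acquisitions=1):
    """Repeat steps 1.1/2.1 with a fresh draw each time; any mismatch blocks auto-connect."""
    for _ in range(acquisitions):
        verdict = identify(ap, history, draw_second_fields(rng))
        if verdict != "true":
            return verdict
    return "true"


if __name__ == "__main__":
    rng = random.Random()
    for name, ap in [("genuine", GENUINE), ("essid clone", ESSID_CLONE),
                     ("partial clone", PARTIAL_CLONE), ("never seen", NEVER_SEEN)]:
        print(name, "->", auto_connect_decision(ap, HISTORY, rng, acquisitions=5))
```

A single draw that happens to cover only fields the other station also matches returns "true" for `PARTIAL_CLONE`; checking the full combination, as in the Figure 4 example, or repeating the acquisition with fresh draws closes that gap.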
In another preferred example, the connecting object to be identified is a base station with which the data connection is to be kept. Because the client computer may be forced onto a pseudo base station during a data connection with a true base station, truth identification must be performed, periodically or aperiodically during the data connection, on the base station of the current data connection. If that base station is the true base station, the client computer keeps the data connection with it; if it is a pseudo base station, the client computer directly disconnects the data connection or generates a pseudo base station prompt. Specifically, the firmware label of the base station can be used as the basis for telling true and pseudo base stations apart, which gives the client computer self-protection for the connections it actively initiates.
Step 1 comprises the following step:
Step 1-1: treat a connection actively initiated by the client computer as a reliable connection, and store locally, as history base station information, the base station information obtained when the reliable connection was initiated, and/or store the authentication information of the certification website corresponding to the base station as history authentication information;
Step 2 comprises the following step, executed while the client computer is in a data connection with the base station:
Step 2-1: judge, as the data connection time passes, whether subsequently obtained base station information matches the history base station information, and/or whether subsequently obtained authentication information of the certification website corresponding to the base station matches the history authentication information.
After the base station has been confirmed as a true base station through the above steps 1.1-1.2 or by other means (and, correspondingly, the certification website corresponding to the base station has been confirmed as a true certification website), the client computer actively initiates a connection to the true base station, and this connection is regarded as a reliable connection. That is, the client computer actively initiates a connection only when the base station is confirmed to be true; when the truth of the base station has not been identified, the client computer does not actively initiate a connection.
Steps 1-1 and 2-1 require base station information (and/or the authentication information of the certification website) to be obtained repeatedly. The base station information obtained when the reliable connection is initiated is the base station information (and the authentication information of the corresponding certification website) obtained the last time before the client computer actively initiates the connection. It is from this last-obtained base station information that the client computer identifies the base station as true (or identifies the certification website as true from the authentication information) and thus establishes the reliable connection, so the base station information last obtained before the connection is actively initiated corresponds to the reliable connection. Alternatively, though less preferably, the base station information obtained for the first time after the reliable connection is established can be used as the base station information obtained when the reliable connection is initiated.
Whether the subsequently obtained base station information matches the history base station information specifically means matching the subsequently obtained base station information against the base station information obtained when the corresponding reliable connection was initiated. If they match, the client computer keeps the current data connection; if they do not match, the client computer disconnects the current data connection or generates a pseudo base station prompt.
Whether the subsequently obtained authentication information of the certification website corresponding to the base station matches the history authentication information specifically means matching the subsequently obtained authentication information against the authentication information obtained when the corresponding reliable connection was initiated. If they match, the client computer keeps the current data connection; if they do not match, the client computer disconnects the current data connection or generates a pseudo base station prompt.
The base station information comprises a firmware label. Correspondingly, step 1-1 is specifically: treat the connection actively initiated by the client computer as a reliable connection, and store the firmware label first obtained for that reliable connection as history base station information. Step 2-1 is specifically: judge, as the data connection time passes, whether the firmware labels obtained subsequently match the firmware label first obtained.
The method of obtaining the firmware label comprises the following steps:
Step I1: receive the response and/or feedback message that the base station and/or the certification website corresponding to the base station returns for the message sent by the client computer;
Step I2: extract keywords from the response and/or feedback message to compose a firmware label, which serves as base station information.
After the data connection is established, the client computer conducts a secret dialogue with the base station by actively sending application-layer and data-link-layer messages (for example: TCP/UDP protocols such as HTTP, LLDP, ICMP, DHCP or SNMP), and receives the response and/or feedback message that the base station returns for the messages sent by the client computer.
The message sent by the client computer refers to a message that the client computer sends to the firmware device of the base station in the reliable connection. The message requires the base station currently in a data connection with the client computer to return a response and/or feedback message that records the firmware device information of that base station; the client computer then extracts the keywords about the firmware device information from the response and/or feedback message to compose the firmware label. The firmware device information can be the firmware production date, the firmware brand and manufacturer, the firmware version number, or the firmware management identifier. The response can be whether there is a response at all, the response to a TCP connection request, and so on. For example, a firmware label can consist of the labels "tag1 (first keyword of the returned message)", "tag2 (second keyword of the returned message)", "tag3 (response / no response)", "tag4 (IP network address number)", "tag5 (device management identifier)" and "tag6 (response to polled TCP connection requests on port 9000)".
The message sent by the client computer can also refer to a message that the client computer sends to the certification website corresponding to the base station in the reliable connection. Specifically, the message can be an SNMP message.
If a subsequently obtained firmware label is inconsistent with the firmware label first obtained, the user is warned that the base station connected to the client computer has changed and is prompted to interrupt the connection with the current base station, to ensure security.
Further, the firmware label that the message requires the currently connected base station to return is a random combination of several items of firmware device information. The combination is random with respect to the base station: from the base station's point of view it follows no rule and is not fixed. For the client computer it is not purely random; the firmware device information in the combination can be set on the basis of factors such as the time, the signal strength of the connecting object, and detection of the IP protocols the client computer supports. The benefit is that the firmware labels obtained repeatedly during the data connection correspond to different random combinations, so identification is spread over multiple rounds and a single identification does not expose all of the client computer's recognition methods to a pseudo base station.
Further, the message is directed at the firmware device of the base station in the reliable connection. Because the firmware device of a pseudo base station differs from that of the true base station, the firmware device information of the true base station is unknown to the pseudo base station, so the firmware device information that the message requires to be returned is random from the pseudo base station's point of view.
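The in-connection check of steps 1-1 and 2-1 with steps I1 and I2, as an added Python example that is not code from the patent: a baseline firmware label is stored when the reliable connection starts, and each later round re-probes a random combination of tags and compares it with the baseline. The tag names, the HTTP headers used as keywords and the simulated base station replies are assumptions constructed so the example runs offline.

```python
import random

# Probe kinds, hypothetical stand-ins for the text's tag1..tag6
# (reply keywords, response / no response, management id, TCP port 9000 poll).
TAGS = ("http_server", "http_realm", "icmp_reply", "mgmt_id", "tcp_9000")

# Constructed replies of three simulated base stations (None = no response).
TRUE_AP = {
    "http": 'HTTP/1.1 401 Unauthorized\r\nServer: ExampleAP/2.1\r\n'
            'WWW-Authenticate: Basic realm="admin"\r\n\r\n',
    "icmp_reply": True, "mgmt_id": "mgmt-0001", "tcp_9000": "refused",
}
ROGUE_FULL = {
    "http": "HTTP/1.1 200 OK\r\nServer: OtherBox/0.9\r\n\r\n",
    "icmp_reply": None, "mgmt_id": "mgmt-9999", "tcp_9000": "open",
}
ROGUE_PARTIAL = dict(TRUE_AP, tcp_9000="open")  # imitates everything but one tag


def extract_keywords(http_reply):
    """Step I2: pull firmware keywords out of a raw HTTP reply."""
    found = {"http_server": None, "http_realm": None}
    if http_reply is None:
        return found  # no response is itself a label value
    for line in http_reply.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "server":
            found["http_server"] = value
        elif name == "www-authenticate" and 'realm="' in value:
            found["http_realm"] = value.split('realm="', 1)[1].split('"', 1)[0]
    return found


def firmware_label(station, tags):
    """Steps I1 + I2: probe the station for the requested tags only."""
    keywords = extract_keywords(station.get("http"))
    return {t: keywords[t] if t in keywords else station.get(t) for t in tags}


class ConnectionGuard:
    def __init__(self, station, rng):
        self.rng = rng
        # Step 1-1: full label captured when the reliable connection is initiated.
        self.baseline = firmware_label(station, TAGS)

    def check(self, station):
        """Step 2-1: compare a random combination of tags; return the mismatches."""
        chosen = self.rng.sample(TAGS, self.rng.randint(1, len(TAGS)))
        seen = firmware_label(station, chosen)
        return [t for t in chosen if seen[t] != self.baseline[t]]


def monitor(guard, timeline):
    """Index of the first round that triggers disconnect/alert, or None."""
    for round_no, station in enumerate(timeline):
        if guard.check(station):
            return round_no
    return None


if __name__ == "__main__":
    guard = ConnectionGuard(TRUE_AP, random.Random())
    print("alert at round", monitor(guard, [TRUE_AP] * 3 + [ROGUE_PARTIAL] * 20))
```

A station that differs in every tag is flagged in the first round after the switch; one that differs in a single tag is flagged in the first round whose random combination includes that tag, which is the trade-off of not revealing every check in one round.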
In another preferred example, the connecting object to be identified is the certification website to be logged in to that corresponds to a base station with which no data connection exists yet. Step 1 comprises the following steps, executed before the client computer logs in to the certification website corresponding to the base station:
Step 101: obtain the site tags of the certification website corresponding to the base station;
Step 102: match the site tags against the history authentication information, and perform truth identification on the base station according to the matching result.
The site tags can be labels that identify the website's identity, such as the website's DNS, site server label and IP address.
For an open wireless local area network that serves the public (for example the WLAN in a fast-food restaurant), before a client computer is allowed to access the WLAN base station, it must log in through a unified back-end certification website and pass user-name authentication, and only then can it obtain the online password. For such an open WLAN, once the client computer is connected to a pseudo base station, the certification website corresponding to the pseudo base station can be a phishing website, which can not only continue the deception but also obtain the user's personal authentication information. Here, the site tags extend detection to the back-end certification website (DNS, site server label, IP address, and so on). The client computer can therefore, after previously actively establishing a data connection with the base station, store the site tags of the certification website corresponding to that base station as the history authentication information. Then, when the client computer is about to perform truth identification on the certification website it is preparing to log in to, before sending login information, it matches the site tags of the current certification website against the history authentication information; if they match, the current certification website is identified as true, otherwise it is identified as pseudo.
A preferred embodiment is described below.
The wireless-security-based client computer self-connection protection system provided by the invention is embedded in the system of a smart mobile device acting as the client computer (systems such as android/ios/wp/linux), or in an integrated circuit chip (such as a 51 single-chip microcontroller, an arm single-chip microcontroller, an avr single-chip microcontroller or an embedded module). The embedded system uses the following steps:
- The client computer judges whether there is a nearby hotspot base station that can be connected and to which a data connection was made in history. If there is, the following steps are executed; if there is not, a connection to an available hotspot base station is triggered manually;
- Truth identification is performed on the base station using the expression label, by executing the above steps 1.1 and 2.1. If the result is true, a data connection is made with this true base station; if the result is pseudo, the user judges whether a manually triggered connection is needed;
- During the data connection, truth identification is performed on the currently connected base station using the firmware label, by executing the above steps 1-1 and 2-1. If the result is true, the data connection with this true base station is kept; if the result is pseudo, the user judges whether to continue;
- After the communication ends, the client computer records the expression label and the firmware label of the hotspot base station as history base station information.
The present invention also provides a kind of computer-readable recording medium storing computer program, wherein, computer program in described computer-readable recording medium makes computer perform the described client computer based on wireless security from connecting guard method, and described computer-readable recording medium comprises CD, disk, ROM, PROM, VCD, DVD etc.; The described client computer based on wireless security comprises the steps: from connecting guard method
Step 1: obtain connecting object information to be identified, wherein, described connecting object information to be identified comprises base station information and/or the authentication information corresponding with base station;
Step 2: perform authenticity identification on the connection object to be identified, according to the result of matching said connection object information to be identified against the history connection object information stored locally on the client;
Wherein, said history connection object information comprises history base station information and/or history authentication information.
Preferably, the history base station information comprises any one or more of the following:
- historical information formed from the base station of the client's previous data connection;
- historical information formed from the base station of the client's current data connection;
- the history base station information table held by the client.
Preferably, the history authentication information comprises:
- feedback information given to the client by the authentication website corresponding to the base station.
Preferably, said step 1 includes the following step, performed before the client establishes a data connection with the base station:
Step 1.1: obtain the first wireless identification information and the second wireless identification information of the base station;
Said step 2 includes the following step, performed before the client establishes a data connection with the base station:
Step 2.1: match the combination of the first wireless identification information and the second wireless identification information against the history base station information, and perform authenticity identification on said base station according to the matching result;
Wherein, the combination of said first wireless identification information and second wireless identification information is denoted as the expression label.
Preferably, said step 1.1 comprises the following step:
- when obtaining the second wireless identification information of the base station, randomly using one kind of non-default authentication information of the base station, or a combination of several kinds of non-default authentication information, as the second wireless identification information of said base station.
Preferably, said step 1 comprises the following step:
Step 1-1: treat a connection actively initiated by the client as a reliable connection, store locally the base station information obtained when this reliable connection is initiated as history base station information, and/or store the authentication information of the authentication website corresponding to this base station as history authentication information;
Step 2 includes the following step, performed while the client is in a data connection with the base station:
Step 2-1: judge, as the data connection time passes, whether the base station information subsequently obtained matches said history base station information, and/or whether the authentication information subsequently obtained from the authentication website corresponding to the base station matches said history authentication information.
Preferably, said base station information comprises a firmware label, and the method of obtaining the base station information comprises the following steps:
Step I1: receive the response and/or feedback message that the base station and/or the authentication website corresponding to the base station returns for a message sent by the client;
Step I2: extract keywords from said response and/or feedback message, and compose them into a firmware label that serves as the base station information.
Preferably, said message sent by the client refers to a message that the client sends, within the reliable connection, to the firmware device of the base station and/or to the authentication website corresponding to the base station.
Preferably, said step 1 includes the following steps, performed before the client logs in to the authentication website corresponding to the base station:
Step 101: obtain the site tag of the authentication website corresponding to the base station;
Step 102: match the site tag against the history authentication information, and perform authenticity identification on said base station according to the matching result.
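The three checkpoints described above (before connecting, during the connection, before portal login) can be sketched as follows. This is an added example, not code from the patent; it assumes the first wireless identification information is the SSID, the second is drawn from scan attributes (`bssid`, `channel`, `security`), the firmware-label keywords are the `Server` header and the HTML title, and the site tag is the portal host plus those keywords. The verdict strings and all sample values are constructed.

```python
import hashlib
import random
import re
from urllib.parse import urlsplit

def expression_label(first_id, second_info):
    """Steps 1.1/2.1: combine first and second wireless identification information."""
    fields = [first_id] + [f"{k}={second_info[k]}" for k in sorted(second_info)]
    return hashlib.sha256("\x1f".join(fields).encode()).hexdigest()

def firmware_label(response):
    """Steps I1/I2: keywords from a response (assumed: Server header and <title>)."""
    server = re.search(r"^Server:\s*(.+?)\s*$", response, re.I | re.M)
    title = re.search(r"<title>\s*(.*?)\s*</title>", response, re.I | re.S)
    return "|".join(m.group(1) if m else "" for m in (server, title))

def site_tag(portal_url, response):
    """Step 101: tag of the authentication website (assumed: host plus keywords)."""
    return f"{urlsplit(portal_url).hostname}|{firmware_label(response)}"

class History:
    """Client-local history connection object information, keyed by first identifier."""

    def __init__(self):
        self.entries = {}

    def record_reliable(self, first_id, attrs, fw_resp, portal_url, portal_resp):
        """Step 1-1: store what was seen on a connection the client itself initiated."""
        self.entries[first_id] = {"attrs": dict(attrs),
                                  "firmware": firmware_label(fw_resp),
                                  "site": site_tag(portal_url, portal_resp)}

    def _verdict(self, first_id, key, observed):
        entry = self.entries.get(first_id)
        if entry is None:
            return "unknown"  # no history, so there is nothing to match against
        return "match" if entry[key] == observed else "mismatch"

    def check_before_connect(self, first_id, observed_attrs, rng=random):
        """Step 2.1: match the expression label built from a random attribute subset."""
        entry = self.entries.get(first_id)
        if entry is None:
            return "unknown"
        keys = sorted(entry["attrs"])
        chosen = rng.sample(keys, rng.randint(1, len(keys))) if keys else []
        want = expression_label(first_id, {k: entry["attrs"][k] for k in chosen})
        got = expression_label(first_id, {k: observed_attrs.get(k, "") for k in chosen})
        return "match" if want == got else "mismatch"

    def check_during_connection(self, first_id, fw_resp):
        """Step 2-1: re-derive the firmware label while the data connection is up."""
        return self._verdict(first_id, "firmware", firmware_label(fw_resp))

    def check_before_login(self, first_id, portal_url, portal_resp):
        """Steps 101/102: match the site tag before logging in to the portal."""
        return self._verdict(first_id, "site", site_tag(portal_url, portal_resp))

# Constructed sample data (not from the patent).
REAL_ATTRS = {"bssid": "02:00:00:aa:bb:01", "channel": "6", "security": "WPA2-PSK"}
TWIN_ATTRS = {"bssid": "02:00:00:cc:dd:02", "channel": "11", "security": "OPEN"}
REAL_FW = "HTTP/1.1 200 OK\r\nServer: ExampleAP-httpd/2.1\r\n\r\n<title>Example AP</title>"
TWIN_FW = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<title>Example AP</title>"
REAL_URL, TWIN_URL = "http://portal.example.net/login", "http://portal.example.org/login"
PORTAL = "HTTP/1.1 200 OK\r\nServer: portal/1.0\r\n\r\n<title>Cafe Wi-Fi Login</title>"

def demo():
    history = History()
    history.record_reliable("CafeWiFi", REAL_ATTRS, REAL_FW, REAL_URL, PORTAL)
    return {
        "real_scan": history.check_before_connect("CafeWiFi", REAL_ATTRS),
        "twin_scan": history.check_before_connect("CafeWiFi", TWIN_ATTRS),
        "new_ssid": history.check_before_connect("OtherNet", TWIN_ATTRS),
        "fw_changed": history.check_during_connection("CafeWiFi", TWIN_FW),
        "portal_moved": history.check_before_login("CafeWiFi", TWIN_URL, PORTAL),
        "portal_same": history.check_before_login("CafeWiFi", REAL_URL, PORTAL),
    }

if __name__ == "__main__":
    print(demo())
```

Scan-time attributes such as the BSSID are broadcast and can be copied by another device, so a `match` before connecting is only as strong as the attributes compared; the in-connection and pre-login checks compare different evidence.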
Those skilled in the art know that, besides implementing the system provided by the invention and its devices purely as computer-readable program code, the method steps can be logically programmed so that the system and its devices achieve the same functions in the form of logic gates, switches, application-specific integrated circuits (ASIC), programmable logic controllers (PLC), embedded microcontrollers and the like. The system provided by the invention and its devices can therefore be regarded as a hardware component, and the devices included in it for realizing various functions can also be regarded as structures within the hardware component; the devices for realizing various functions can likewise be regarded both as software modules implementing the method and as structures within the hardware component.
Specific embodiments of the invention have been described above. It should be understood that the invention is not limited to the particular embodiments described above; those skilled in the art may make various changes or modifications within the scope of the claims, and this does not affect the substance of the invention. Where there is no conflict, the embodiments of the invention and the features in the embodiments may be combined with one another arbitrarily.

Claims (18)

1. A wireless-security-based client automatic connection protection method, characterized in that it comprises the following steps:
Step 1: obtain connection object information to be identified, wherein said connection object information to be identified comprises base station information and/or authentication information corresponding to the base station;
Step 2: perform authenticity identification on the connection object to be identified, according to the result of matching said connection object information to be identified against the history connection object information stored locally on the client;
Wherein, said history connection object information comprises history base station information and/or history authentication information.
2. The wireless-security-based client automatic connection protection method according to claim 1, characterized in that the history base station information comprises any one or more of the following:
- historical information formed from the base station of the client's previous data connection;
- historical information formed from the base station of the client's current data connection;
- the history base station information table held by the client.
3. The wireless-security-based client automatic connection protection method according to claim 1, characterized in that the history authentication information comprises:
- feedback information given to the client by the authentication website corresponding to the base station.
4. The wireless-security-based client automatic connection protection method according to claim 1, characterized in that said step 1 includes the following step, performed before the client establishes a data connection with the base station:
Step 1.1: obtain the first wireless identification information and the second wireless identification information of the base station;
Said step 2 includes the following step, performed before the client establishes a data connection with the base station:
Step 2.1: match the combination of the first wireless identification information and the second wireless identification information against the history base station information, and perform authenticity identification on said base station according to the matching result;
Wherein, the combination of said first wireless identification information and second wireless identification information is denoted as the expression label.
5. The wireless-security-based client automatic connection protection method according to claim 4, characterized in that said step 1.1 comprises the following step:
- when obtaining the second wireless identification information of the base station, randomly using one kind of non-default authentication information of the base station, or a combination of several kinds of non-default authentication information, as the second wireless identification information of said base station.
6. The wireless-security-based client automatic connection protection method according to claim 1, characterized in that said step 1 comprises the following step:
Step 1-1: treat a connection actively initiated by the client as a reliable connection, store locally the base station information obtained when this reliable connection is initiated as history base station information, and/or store the authentication information of the authentication website corresponding to this base station as history authentication information;
Said step 2 includes the following step, performed while the client is in a data connection with the base station:
Step 2-1: judge, as the data connection time passes, whether the base station information subsequently obtained matches said history base station information, and/or whether the authentication information subsequently obtained from the authentication website corresponding to the base station matches said history authentication information.
7. The wireless-security-based client automatic connection protection method according to claim 6, characterized in that said base station information comprises a firmware label, and the method of obtaining the base station information comprises the following steps:
Step I1: receive the response and/or feedback message that the base station and/or the authentication website corresponding to the base station returns for a message sent by the client;
Step I2: extract keywords from said response and/or feedback message, and compose them into a firmware label that serves as the base station information.
8. The wireless-security-based client automatic connection protection method according to claim 7, characterized in that said message sent by the client refers to a message that the client sends, within the reliable connection, to the firmware device of the base station and/or to the authentication website corresponding to the base station.
9. The wireless-security-based client automatic connection protection method according to claim 1, characterized in that said step 1 includes the following steps, performed before the client logs in to the authentication website corresponding to the base station:
Step 101: obtain the site tag of the authentication website corresponding to the base station;
Step 102: match the site tag against the history authentication information, and perform authenticity identification on said base station according to the matching result.
10. A wireless-security-based client automatic connection protection system, characterized in that it comprises the following devices:
First acquisition device: obtains connection object information to be identified, wherein said connection object information to be identified comprises base station information and/or authentication information corresponding to the base station;
First recognition device: performs authenticity identification on the connection object to be identified, according to the result of matching said connection object information to be identified against the history connection object information stored locally on the client;
Wherein, said history connection object information comprises history base station information and/or history authentication information.
11. The wireless-security-based client automatic connection protection system according to claim 10, characterized in that the history base station information comprises any one or more of the following:
- historical information formed from the base station of the client's previous data connection;
- historical information formed from the base station of the client's current data connection;
- the history base station information table held by the client.
12. The wireless-security-based client automatic connection protection system according to claim 10, characterized in that the history authentication information comprises:
- feedback information given to the client by the authentication website corresponding to the base station.
13. The wireless-security-based client automatic connection protection system according to claim 10, characterized in that said first acquisition device comprises the following device:
Second acquisition device: before the client establishes a data connection with the base station, obtains the first wireless identification information and the second wireless identification information of the base station;
Said first recognition device comprises the following device:
Second recognition device: before the client establishes a data connection with the base station, matches the combination of the first wireless identification information and the second wireless identification information against the history base station information, and performs authenticity identification on said base station according to the matching result;
Wherein, the combination of said first wireless identification information and second wireless identification information is denoted as the expression label.
14. The wireless-security-based client automatic connection protection system according to claim 13, characterized in that said second acquisition device comprises the following device:
- First policy device: when obtaining the second wireless identification information of the base station, randomly uses one kind of non-default authentication information of the base station, or a combination of several kinds of non-default authentication information, as the second wireless identification information of said base station.
15. The wireless-security-based client automatic connection protection system according to claim 10, characterized in that said first acquisition device comprises the following device:
Third acquisition device: treats a connection actively initiated by the client as a reliable connection, stores locally the base station information obtained when this reliable connection is initiated as history base station information, and/or stores the authentication information of the authentication website corresponding to this base station as history authentication information;
Said first recognition device comprises the following device:
Third recognition device: while the client is in a data connection with the base station, judges, as the data connection time passes, whether the base station information subsequently obtained matches said history base station information, and/or whether the authentication information subsequently obtained from the authentication website corresponding to the base station matches said history authentication information.
16. The wireless-security-based client automatic connection protection system according to claim 15, characterized in that it comprises a first receiving device and a first extraction device; said base station information comprises a firmware label, and the method of obtaining the base station information is performed by the following devices:
First receiving device: receives the response and/or feedback message that the base station and/or the authentication website corresponding to the base station returns for a message sent by the client;
First extraction device: extracts keywords from said response and/or feedback message, and composes them into a firmware label that serves as the base station information.
17. The wireless-security-based client automatic connection protection system according to claim 16, characterized in that said message sent by the client refers to a message that the client sends, within the reliable connection, to the firmware device of the base station and/or to the authentication website corresponding to the base station.
18. The wireless-security-based client automatic connection protection system according to claim 10, characterized in that said first acquisition device comprises the following devices:
Fourth acquisition device: before the client logs in to the authentication website corresponding to the base station, obtains the site tag of the authentication website corresponding to the base station;
Fourth recognition device: before the client logs in to the authentication website corresponding to the base station, matches the site tag against the history authentication information, and performs authenticity identification on said base station according to the matching result.
CN201510531851.3A 2015-08-26 2015-08-26 Wireless security based client automatic connection protecting method and system Pending CN105101210A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510531851.3A CN105101210A (en) 2015-08-26 2015-08-26 Wireless security based client automatic connection protecting method and system
PCT/CN2016/101526 WO2017032346A1 (en) 2015-08-26 2016-10-09 Wireless security-based client computer self-connection protection method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510531851.3A CN105101210A (en) 2015-08-26 2015-08-26 Wireless security based client automatic connection protecting method and system

Publications (1)

Publication Number Publication Date
CN105101210A true CN105101210A (en) 2015-11-25

Family

ID=54580536

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510531851.3A Pending CN105101210A (en) 2015-08-26 2015-08-26 Wireless security based client automatic connection protecting method and system

Country Status (2)

Country Link
CN (1) CN105101210A (en)
WO (1) WO2017032346A1 (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101820628A (en) * 2010-03-10 2010-09-01 北京傲天动联技术有限公司 Authentication method of wireless access points
CN103428189A (en) * 2012-05-25 2013-12-04 阿里巴巴集团控股有限公司 Method, apparatus and system for identifying malicious network equipment
CN103491543A (en) * 2013-09-30 2014-01-01 北京奇虎科技有限公司 Method for detecting malicious websites through wireless terminal, and wireless terminal
CN103841220A (en) * 2014-02-18 2014-06-04 北京奇虎科技有限公司 Method and device for detecting safety of router through terminal
CN104023336A (en) * 2014-06-13 2014-09-03 张力军 Mobile terminal and wireless access method thereof
CN104113842A (en) * 2014-07-31 2014-10-22 北京金山安全软件有限公司 Method, device, server and mobile terminal for identifying pseudo wireless network access point
CN104219670A (en) * 2014-09-03 2014-12-17 珠海市君天电子科技有限公司 Method and system for identifying false wifi (wireless fidelity), client side and server side
CN104243490A (en) * 2014-09-30 2014-12-24 北京金山安全软件有限公司 Method and device for identifying pseudo wireless network access point and mobile terminal
CN104349325A (en) * 2014-11-07 2015-02-11 工业和信息化部通信计量中心 Method and device for monitoring pseudo wireless APs (access points)
CN104580152A (en) * 2014-12-03 2015-04-29 中国科学院信息工程研究所 Protection method and system against wifi (wireless fidelity) phishing
CN104853448A (en) * 2015-05-08 2015-08-19 乐视致新电子科技(天津)有限公司 Method for automatically establishing wireless connection and device thereof

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050060576A1 (en) * 2003-09-15 2005-03-17 Kime Gregory C. Method, apparatus and system for detection of and reaction to rogue access points
CN102244867B (en) * 2010-05-14 2013-05-01 新浪网技术(中国)有限公司 Network access control method and system
CN104219668A (en) * 2014-09-10 2014-12-17 北京金山安全软件有限公司 Method, device, server and mobile terminal for determining security of wireless network access point
CN105101210A (en) * 2015-08-26 2015-11-25 盾宇(上海)信息科技有限公司 Wireless security based client automatic connection protecting method and system

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017032346A1 (en) * 2015-08-26 2017-03-02 盾宇(上海)信息科技有限公司 Wireless security-based client computer self-connection protection method and system
CN106792694A (en) * 2016-12-30 2017-05-31 广东欧珀移动通信有限公司 A kind of access authentication method, and access device
CN106792694B (en) * 2016-12-30 2020-02-18 Oppo广东移动通信有限公司 Access authentication method and access equipment
CN108616817A (en) * 2018-05-15 2018-10-02 中国联合网络通信集团有限公司 User authen method, application server, terminal and track server
CN108616817B (en) * 2018-05-15 2020-12-15 中国联合网络通信集团有限公司 User authentication method, application server, terminal and track server
CN109195204A (en) * 2018-11-12 2019-01-11 Oppo广东移动通信有限公司 Wireless network access method and device, computer-readable medium, communication terminal

Also Published As

Publication number Publication date
WO2017032346A1 (en) 2017-03-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20151125