CN105656943B - A kind of application data interception system and method - Google Patents

Application data interception system and method

Info

Publication number: CN105656943B
Authority: CN (China)
Prior art keywords: data, client, unit, server, application
Legal status: Active (Google notes that the listed status is an assumption, not a legal conclusion)
Application number: CN201610147276.1A
Other languages: Chinese (zh)
Other versions: CN105656943A (en)
Inventor: 袁初成
Current assignee: Shanghai Di'an Technology Co Ltd (Google notes that listed assignees may be inaccurate)
Original assignee: Shanghai Di'an Technology Co Ltd
Priority date: 2016-03-15 (Google notes that the priority date is an assumption, not a legal conclusion)
Filing date: 2016-03-15
Publication date: 2019-07-05 (CN105656943B; CN105656943A published 2016-06-08)

Events
Application filed by Shanghai Di'an Technology Co Ltd
Priority to CN201610147276.1A
Publication of CN105656943A
Application granted
Publication of CN105656943B
Current legal status: Active
Anticipated expiration

Classifications

    • H Electricity
        • H04 Electric communication technique
            • H04L Transmission of digital information, e.g. telegraphic communication
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L 63/0227 Filtering policies
                            • H04L 63/0263 Rule management
                        • H04L 63/0272 Virtual private networks
                        • H04L 63/0281 Proxies
                • H04L 67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L 67/50 Network services
                        • H04L 67/56 Provisioning of proxy services

Landscapes

  • Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Stored Programmes (AREA)
  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an application data interception system and method in the technical field of application program operation. The system comprises a client and a server-side; the client comprises an applying unit, an agent unit and a driving unit. The method comprises: step S1, an applying unit set in the client outputs the application data associated with an application program in the client; step S2, an agent unit set in the client obtains the data interception rule preset by the server-side; step S3, a driving unit set in the client intercepts, according to the data interception rule, the application data output by the applying unit and sends the intercepted application data to the agent unit; step S4, the agent unit forwards the intercepted application data to the server-side. The beneficial effect of this technical solution is that the destination address remains unchanged when application data is redirected, which avoids the problem that performing application interception affects the normal operation of the whole system.

Description

Application data interception system and method
Technical field
The present invention relates to the technical field of application program operation, and in particular to an application data interception system and method.
Background technique
At present, clients on the Windows platform that use application data interception in order to support transport-layer applications generally intercept data by means of LSP (Layered Service Provider) or TDI (Transport Driver Interface). The problems with this mode of interception are:
1) existing application data interception is system-wide, so once an error occurs during application data interception it easily affects the whole system and causes a system crash;
2) for the application program, the interception process is difficult to make transparent. For example, after data interception a connection is usually forwarded to a local proxy, so the destination address the application program sees is no longer the address of the server-side it originally sent to, but may be a uniform destination address such as 127.0.0.1. For application programs that carry the local or peer IP address and port inside the packet, application data interception therefore cannot be supported;
3) existing interception technology is rather outdated; for example, newer versions of Windows (versions later than Vista) no longer support TDI.
Summary of the invention
In view of the above problems in the prior art, a technical solution in the form of an application data interception system and method is now provided, intended to keep the destination address unchanged when application data is redirected and to avoid the problem that performing application interception affects the normal operation of the whole system.
The technical solution specifically comprises:
An application data interception system comprising a client and a server-side, the client being remotely connected to the server-side;
the client comprises:
an applying unit, set corresponding to an application program in the client, for outputting the application data associated with the application program;
an agent unit, connected to the applying unit, for obtaining the preset data interception rule from the server-side;
a driving unit, connected to both the applying unit and the agent unit, which obtains the data interception rule and intercepts the application data output by the applying unit according to the data interception rule; the driving unit is built on the Windows Filtering Platform;
the driving unit sends the intercepted application data to the agent unit, which forwards it to the server-side.
Preferably, in this application data interception system the driving unit is an ALE driving unit.
Preferably, in this application data interception system the application data comprise:
the connection(s) of the application program's process; and/or
the storage address holding the data related to the application program.
Preferably, in this application data interception system, after the agent unit obtains the intercepted application data, it packages the application data and transmits it to the server-side.
Preferably, in this application data interception system the server-side is the server of a Virtual Private Network based on the Secure Sockets Layer.
An application data interception method involving a client and a server-side, the client being remotely connected to the server-side, further comprises:
Step S1, an applying unit set in the client outputs the application data associated with an application program in the client;
Step S2, an agent unit set in the client obtains the data interception rule preset by the server-side;
Step S3, a driving unit set in the client intercepts, according to the data interception rule, the application data output by the applying unit, and sends the intercepted application data to the agent unit;
Step S4, the agent unit forwards the intercepted application data to the server-side;
the driving unit is built on the Windows Filtering Platform.
Preferably, in this application data interception method the driving unit is an ALE driving unit.
Preferably, in this application data interception method the application data comprise:
the connection(s) of the application program's process; and/or
the storage address holding the data related to the application program.
Preferably, in this application data interception method, in step S4, after the agent unit obtains the intercepted application data, it packages the application data and transmits it to the server-side.
Preferably, in this application data interception method the server-side is the server of a Virtual Private Network based on the Secure Sockets Layer.
The beneficial effects of the above technical solution are:
1) an application data interception system is provided that keeps the destination address unchanged when application data is redirected, avoiding the problem that performing application interception affects the normal operation of the whole system;
2) an application data interception method is provided that supports the normal operation of the above application data interception system.
Detailed description of the invention
Fig. 1 is a structural schematic diagram of an application data interception system in a preferred embodiment of the invention;
Fig. 2 is a flow diagram of an application data interception method in a preferred embodiment of the invention.
Specific embodiment
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
It should be noted that, in the absence of conflict, the embodiments of the present invention and the features in the embodiments may be combined with one another.
The present invention is further explained below with reference to the drawings and specific embodiments, which do not limit the invention.
In a preferred embodiment of the invention, in view of the above problems in the prior art, an application data interception system is provided. Its structure is shown in Fig. 1 and comprises a client A and a server-side B, the client A being remotely connected to the server-side B. The client A further comprises:
an applying unit 1, set corresponding to an application program in the client A, for outputting the application data associated with the application program;
an agent unit 2, connected to the applying unit 1, for obtaining the preset data interception rule from the server-side;
a driving unit 3, connected to both the applying unit 1 and the agent unit 2, which obtains the data interception rule and intercepts the application data output by the applying unit according to the data interception rule; the driving unit 3 is built on the Windows Filtering Platform;
the driving unit 3 sends the intercepted application data to the agent unit 2, which forwards it to the server-side B.
In a specific embodiment, one applying unit 1 may be set for one application program, or the same applying unit 1 may be set for different application programs. The role of the applying unit 1 is to output the series of application data generated while the application program runs.
In this embodiment, after the applying unit 1 outputs application data, the driving unit 3 intercepts it. The rule on which the driving unit 3 bases its interception is the preset rule that the agent unit 2 obtains from the server-side B. In other words, a data interception rule for application data is preset in the server-side B, stating which application data the server-side wants to intercept and obtain. A local agent unit 2 is then set in the client; the agent unit 2 obtains the data interception rule preset in the server-side B and delivers the rule to the driving unit 3.
The driving unit 3 then intercepts the application data output by the applying unit 1 according to the data interception rule; the agent unit 2 obtains the intercepted application data and transfers it to the server-side, completing the interception of transport-layer application data.
In this embodiment, the agent unit 2 monitors the driving unit 3 at all times and promptly obtains the application data that the driving unit's output process has intercepted.
In a preferred embodiment of the invention, the driving unit 3 is built on WFP (Windows Filtering Platform); further, the driving unit 3 is an ALE (Application Layer Enforcement) driving unit.
In a preferred embodiment of the invention, the data interception rule may specify which data the server-side B wishes the client A to intercept. For example, three browsers (browser A, browser B and browser C) may be open at the same time in the client A while the server-side B only wants the browsing data that browser A sends from the client; the server-side B can then preset the data interception rule to intercept the browsing data sent by browser A.
In a preferred embodiment of the invention, the driving unit 3 may be a low-level driver program written in advance in the client; correspondingly, the agent unit 2 may be a local proxy pre-generated in the client.
In a preferred embodiment of the invention, the application data may include:
the connection(s) of the application program's process; and/or
the storage address holding the data related to the application program.
In a preferred embodiment of the invention, after the agent unit 2 obtains the intercepted application data by monitoring, it transmits the application data to the server-side B.
In a preferred embodiment of the invention, the server-side B is the server of a Virtual Private Network based on the Secure Sockets Layer; specifically, the server-side B is an SSL VPN.
In summary, in the technical solution of the present invention a local proxy is set in the client. The proxy obtains the preset data interception rule from the server-side and delivers the rule to the ALE driver written in advance at the lower layer. The driver intercepts, according to the data interception rule, the application data generated while the application program runs; the local proxy listens for the connection forwarded from the driver, obtains the intercepted application data, and then forwards the application data to the server-side, completing one full application data interception process.
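The pipeline summarised above (server-side rule, agent unit fetching it, driving unit classifying each flow, agent unit forwarding what was intercepted) can be modelled in user space to make the control flow concrete. The following Python is an added example written for this page, not code from the patent or its assignee; it simulates only the decision logic and is not a WFP/ALE kernel driver. The rule shape (process image name plus an optional set of remote ports), the class names and the constructed sample flows are assumptions. It generalises the browser A/B/C example from a single browser to any process-name rule, and shows the property the patent emphasises: the record handed to the agent carries the original destination, so the application's own view of where it connected is unchanged.

```python
# Added example (not the patent's code): user-space model of the interception pipeline.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """What the driver sees for one new connection (modelled, not real ALE metadata)."""
    pid: int
    process: str        # image name, e.g. "browserA.exe"
    remote_ip: str      # destination the application itself dialled
    remote_port: int


@dataclass(frozen=True)
class InterceptRule:
    """Server-side rule: intercept this process, optionally only for these ports (assumed shape)."""
    process: str
    remote_ports: Optional[frozenset] = None   # None means any remote port


@dataclass(frozen=True)
class Intercepted:
    """Record handed from the driving unit to the agent unit."""
    flow: Flow
    original_dst: Tuple[str, int]   # preserved so the server learns the real destination


class ServerSide:
    """Modelled SSL VPN server: publishes rules, receives packaged data."""
    def __init__(self, rules):
        self._rules = list(rules)
        self.received = []

    def fetch_rules(self):
        return list(self._rules)

    def receive(self, package):
        self.received.append(package)


class AgentUnit:
    """Local proxy (agent unit): fetches rules, hands them to the driver, forwards data."""
    def __init__(self, server: ServerSide):
        self.server = server
        self.rules: List[InterceptRule] = []

    def load_rules(self):
        # Step S2. Malformed entries are skipped (design choice: the rule set is
        # remotely supplied, so a bad rule must not silently widen interception).
        self.rules = [r for r in self.server.fetch_rules()
                      if isinstance(r, InterceptRule) and r.process]
        return self.rules

    def forward(self, item: Intercepted, payload: bytes):
        # Step S4: package the intercepted data and send it to the server.
        package = {"pid": item.flow.pid, "process": item.flow.process,
                   "original_dst": item.original_dst, "payload": payload}
        self.server.receive(package)
        return package


class DrivingUnit:
    """Models the driver's per-flow decision; the real unit is a WFP ALE callout."""
    def __init__(self, rules: List[InterceptRule]):
        self.rules = rules

    def classify(self, flow: Flow) -> Optional[Intercepted]:
        # Step S3: intercept only flows matched by a rule; everything else passes untouched.
        for rule in self.rules:
            if rule.process.lower() != flow.process.lower():
                continue
            if rule.remote_ports is not None and flow.remote_port not in rule.remote_ports:
                continue
            return Intercepted(flow, (flow.remote_ip, flow.remote_port))
        return None


def run_pipeline(server: ServerSide, flows_and_payloads):
    """Runs S1-S4 for each (flow, payload) the applying unit outputs; returns forwarded packages."""
    agent = AgentUnit(server)
    driver = DrivingUnit(agent.load_rules())
    forwarded = []
    for flow, payload in flows_and_payloads:        # Step S1 output
        hit = driver.classify(flow)
        if hit is not None:
            forwarded.append(agent.forward(hit, payload))
    return forwarded


def demo():
    """Constructed scenario from the description: three browsers open, only browser A wanted."""
    server = ServerSide([InterceptRule("browserA.exe"), InterceptRule("")])  # second rule malformed
    flows = [
        (Flow(4120, "browserA.exe", "203.0.113.10", 443), b"GET / HTTP/1.1\r\n"),
        (Flow(4188, "browserB.exe", "203.0.113.20", 443), b"GET / HTTP/1.1\r\n"),
        (Flow(4201, "browserC.exe", "203.0.113.30", 80), b"GET / HTTP/1.1\r\n"),
    ]
    return run_pipeline(server, flows), server


if __name__ == "__main__":
    packages, _ = demo()
    for p in packages:
        print(p["process"], "->", p["original_dst"], len(p["payload"]), "bytes")
```

Two points worth noting from a defender's side. Because the rule set is supplied by the remote server, the model skips malformed rules instead of treating them as a match-all; the patent does not specify this behaviour, so it is a design choice of the example. And the `original_dst` carried in each record is what keeps the application's destination address unchanged, which is exactly what the LSP/TDI approach in the background section loses when it rewrites the destination to 127.0.0.1.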
In a preferred embodiment of the invention, based on the application data interception system described above, an application data interception method is provided. The method likewise involves a client and a server-side, and its steps, shown in Fig. 2, comprise:
Step S1, an applying unit set in the client outputs the application data associated with an application program in the client;
Step S2, an agent unit set in the client obtains the data interception rule preset by the server-side;
Step S3, a driving unit set in the client intercepts, according to the data interception rule, the application data output by the applying unit, and sends the intercepted application data to the agent unit;
Step S4, the agent unit forwards the intercepted application data to the server-side;
the driving unit is built on the Windows Filtering Platform.
In a preferred embodiment of the invention, as described above, the driving unit is an ALE driving unit.
In a preferred embodiment of the invention, as described above, the application data include:
the connection(s) of the application program's process; and/or
the storage address holding the data related to the application program.
In a preferred embodiment of the invention, in step S4, after the agent unit obtains the intercepted application data, it packages the application data and transmits it to the server-side.
In a preferred embodiment of the invention, as described above, the server-side is an SSL VPN.
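Step S4 says the agent unit packages the intercepted application data before transmitting it to the SSL VPN server, but the patent does not define the package format. The following Python is an added example written for this page, not the patent's or its assignee's code: a hypothetical fixed-header framing (constructed magic value ADI1, version, pid, original IPv4 destination and port, process name, payload) with an encoder for the agent side and a parser for the server side. The parser checks every declared length against what actually arrived before slicing, so a truncated or inconsistent package is rejected rather than misparsed.

```python
# Added example (not the patent's code): a hypothetical package format for step S4.
import struct
import ipaddress

MAGIC = b"ADI1"                       # constructed marker, assumption of this example
VERSION = 1
# magic, version, pid, original dst IPv4, dst port, process-name length, payload length
HEADER = struct.Struct("!4sHI4sHHI")  # 22 bytes, network byte order


class PackageError(ValueError):
    """Raised by the server-side parser on malformed input."""


def pack_application_data(pid: int, process: str, original_dst, payload: bytes) -> bytes:
    """Agent side: frame one intercepted unit of application data for the server."""
    ip, port = original_dst
    name = process.encode("utf-8")
    if not 0 <= pid <= 0xFFFFFFFF or not 0 <= port <= 0xFFFF:
        raise PackageError("pid or port out of range")
    if len(name) > 0xFFFF or len(payload) > 0xFFFFFFFF:
        raise PackageError("name or payload too long")
    header = HEADER.pack(MAGIC, VERSION, pid, ipaddress.IPv4Address(ip).packed,
                         port, len(name), len(payload))
    return header + name + payload


def unpack_application_data(buf: bytes) -> dict:
    """Server side: parse a package, validating every length before trusting it."""
    if len(buf) < HEADER.size:
        raise PackageError("truncated header")
    magic, version, pid, ip_raw, port, name_len, payload_len = HEADER.unpack_from(buf)
    if magic != MAGIC or version != VERSION:
        raise PackageError("bad magic or version")
    body_end = HEADER.size + name_len + payload_len
    if len(buf) != body_end:
        raise PackageError("declared lengths do not match package size")
    name_end = HEADER.size + name_len
    try:
        process = buf[HEADER.size:name_end].decode("utf-8")
    except UnicodeDecodeError as exc:
        raise PackageError("process name is not valid UTF-8") from exc
    return {
        "pid": pid,
        "process": process,
        "original_dst": (str(ipaddress.IPv4Address(ip_raw)), port),
        "payload": buf[name_end:body_end],
    }


def roundtrip_demo():
    """Constructed sample: browser A's request to 203.0.113.10:443 framed and parsed back."""
    pkg = pack_application_data(4120, "browserA.exe", ("203.0.113.10", 443),
                                b"GET / HTTP/1.1\r\n")
    return pkg, unpack_application_data(pkg)


def truncation_is_rejected() -> bool:
    """The server must not accept a package whose declared lengths exceed what arrived."""
    pkg, _ = roundtrip_demo()
    try:
        unpack_application_data(pkg[:-3])
    except PackageError:
        return True
    return False


if __name__ == "__main__":
    raw, parsed = roundtrip_demo()
    print(len(raw), "bytes ->", parsed["process"], parsed["original_dst"])
    print("truncated package rejected:", truncation_is_rejected())
```

The original destination travels in the header rather than being inferred from the connection the proxy sees, which is the mechanism by which the server learns the real target even though the application's own connection was never rewritten. Checking `len(buf) == body_end` before slicing is the part a reviewer would insist on for any parser that consumes length fields from the network.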
The foregoing describes only preferred embodiments of the present invention and is not intended to limit its embodiments or its scope of protection. Those skilled in the art should appreciate that all schemes obtained by equivalent replacement and obvious changes made on the basis of the description and drawings of the present invention fall within the scope of the present invention.

Claims (10)

1. An application data interception system, characterised in that it comprises a client and a server-side, the client being remotely connected to the server-side;
the client comprises:
an applying unit, set corresponding to an application program in the client, for outputting the application data associated with the application program;
an agent unit, connected to the applying unit, for obtaining the preset data interception rule from the server-side;
a driving unit, connected to both the applying unit and the agent unit, which obtains the data interception rule and intercepts the application data output by the applying unit according to the data interception rule, the driving unit being built on the Windows Filtering Platform;
the driving unit sends the intercepted application data to the agent unit, which forwards it to the server-side;
the driving unit is a low-level driver program written in advance in the client;
the agent unit is a local proxy pre-generated in the client.
2. The application data interception system of claim 1, characterised in that the driving unit is an ALE driving unit.
3. The application data interception system of claim 1, characterised in that the application data comprise:
the connection(s) of the application program's process; and/or
the storage address holding the data related to the application program.
4. The application data interception system of claim 1, characterised in that after the agent unit obtains the intercepted application data, it packages the application data and transmits it to the server-side.
5. The application data interception system of claim 1, characterised in that the server-side is the server of a Virtual Private Network based on the Secure Sockets Layer.
6. An application data interception method, characterised in that it involves a client and a server-side, the client being remotely connected to the server-side, and further comprises:
Step S1, an applying unit set in the client outputs the application data associated with an application program in the client;
Step S2, an agent unit set in the client obtains the data interception rule preset by the server-side;
Step S3, a driving unit set in the client intercepts, according to the data interception rule, the application data output by the applying unit, and sends the intercepted application data to the agent unit;
Step S4, the agent unit forwards the intercepted application data to the server-side;
the driving unit is built on the Windows Filtering Platform;
the driving unit is a low-level driver program written in advance in the client;
the agent unit is a local proxy pre-generated in the client.
7. The application data interception method of claim 6, characterised in that the driving unit is an ALE driving unit.
8. The application data interception method of claim 6, characterised in that the application data comprise:
the connection(s) of the application program's process; and/or
the storage address holding the data related to the application program.
9. The application data interception method of claim 6, characterised in that in step S4, after the agent unit obtains the intercepted application data, it packages the application data and transmits it to the server-side.
10. The application data interception method of claim 6, characterised in that the server-side is the server of a Virtual Private Network based on the Secure Sockets Layer.
Application CN201610147276.1A, priority date 2016-03-15, filing date 2016-03-15, "A kind of application data interception system and method", granted as CN105656943B (en), status Active.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610147276.1A CN105656943B (en) 2016-03-15 2016-03-15 A kind of application data interception system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610147276.1A CN105656943B (en) 2016-03-15 2016-03-15 A kind of application data interception system and method

Publications (2)

Publication Number Publication Date
CN105656943A CN105656943A (en) 2016-06-08
CN105656943B true CN105656943B (en) 2019-07-05

Family

ID=56493750

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610147276.1A Active CN105656943B (en) 2016-03-15 2016-03-15 A kind of application data interception system and method

Country Status (1)

Country Link
CN (1) CN105656943B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106453309B (en) * 2016-10-11 2020-04-17 北京天融信网络安全技术有限公司 Security audit method and PC terminal
CN106713355B (en) * 2017-01-23 2020-02-21 绿网天下(福建)网络科技股份有限公司 Network filtering method based on PC (personal computer) terminal and client PC
CN106936846A (en) * 2017-04-10 2017-07-07 北京明朝万达科技股份有限公司 A kind of method for network access control and device based on WFP platforms
CN109088844B (en) * 2017-06-13 2021-03-19 腾讯科技(深圳)有限公司 Information interception method, terminal, server and system
CN108566358B (en) * 2017-12-22 2021-03-26 广州赛意信息科技股份有限公司 iOS system network communication interception method and system based on iPhone mobile phone
CN109587269A (en) * 2018-12-27 2019-04-05 迅雷计算机(深圳)有限公司 A kind of hold-up interception method, unit, system and the storage medium of downloading behavior
CN110120895B (en) * 2019-04-11 2023-01-17 北京字节跳动网络技术有限公司 Method, device, medium and electronic equipment for testing communication of mobile terminal
CN112491927B (en) * 2020-12-15 2022-12-02 厦门市美亚柏科信息股份有限公司 Method and system for bypassing network port shielding

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101636998A (en) * 2006-08-03 2010-01-27 思杰系统有限公司 Systems and methods for application based interception of SSL/VPN traffic
CN102195972A (en) * 2011-03-24 2011-09-21 北京思创银联科技股份有限公司 Method for intercepting network data by using WFP (Windows Filter Platform)
CN103840994A (en) * 2012-11-23 2014-06-04 华耀(中国)科技有限公司 System and method for user side to access intranet through VPN
CN104683295A (en) * 2013-11-27 2015-06-03 中兴通讯股份有限公司 Data packet filtering rule configuration method, device and system
CN105337831A (en) * 2014-08-08 2016-02-17 华为技术有限公司 Virtual private network implementation method and client device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7920478B2 (en) * 2008-05-08 2011-04-05 Nortel Networks Limited Network-aware adapter for applications


Also Published As

Publication number Publication date
CN105656943A (en) 2016-06-08

Similar Documents

Publication Publication Date Title
CN105656943B (en) A kind of application data interception system and method
CN106941480B (en) Security management method and security management system
US10341296B2 (en) Firewall configured with dynamic collaboration from network services in a virtual network environment
EP3143745B1 (en) Connecting public cloud with private network resources
CN108370340A (en) Virtual private networks tunnel in the mixing cloud environment of dynamic definition
TWI434564B (en) Enabling secure remote assistance using a terminal services gateway
US20160219019A1 (en) Communication tunneling in application container environments
CN102761534B (en) Realize the method and apparatus of media access control layer Transparent Proxy
WO2013133975A1 (en) Offline provisioning of virtual machines
CN104010001B (en) In mobile terminal, the method and system connecting communication is carried out in similar networking request
CN110808871A (en) Method and system for identifying data sessions at a VPN gateway
US11996977B2 (en) System and method for automated information technology services management
KR102017038B1 (en) An access control system for web applications
CN106470191A (en) Filter system, the method and device of HTTPS transferring content
CN102420837B (en) NDIS (Network Driver Interface Standard)-based method and system
CN108762893A (en) A kind of method, apparatus and storage medium of browser connection Docker containers
CN107613036A (en) Realize the method and system of HTTPS Transparent Proxies
CN103873491A (en) VPN safe browser system and setting method
CN103384246B (en) Safety supervision system login assistant method
CN103685536A (en) Monopolized type virtual desktop management method
CN106533880A (en) Method and apparatus for erecting VPN service on cloud server
CN116915852B (en) Transparent proxy method and system for linux application program
WO2018046985A1 (en) Techniques for policy-controlled analytic data collection in large-scale systems
WO2014120179A1 (en) Remote client application
CN105516256A (en) Batch command operation method and device of Linux host

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant