CN107395619A - Secure communication method and system - Google Patents

Secure communication method and system

Info

Publication number: CN107395619A
Application number: CN201710708227.5A
Authority: CN (China)
Prior art keywords: packet, keyword, application layer, filtering, data content
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN107395619B (en)
Inventor: 杜光东
Current assignee: Shenzhen Shenglu IoT Communication Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Shenzhen Shenglu IoT Communication Technology Co Ltd
Legal events: application filed by Shenzhen Shenglu IoT Communication Technology Co Ltd; priority to CN201710708227.5A; publication of CN107395619A; application granted; publication of CN107395619B; current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0245 Filtering by information in the payload
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]

Abstract

The present invention relates to a secure communication method and system. The method comprises: a filtering gateway establishes an encrypted communication channel for communicating with a convergence unit; the filtering gateway receives data packets and restores their application-layer data content; the filtering gateway processes the application-layer data content according to preset information filtering rules and filters out the packets whose application-layer data content does not comply with the information filtering rules; and the filtering gateway sends the packets that were not filtered out to the convergence unit over the encrypted communication channel. The secure communication method and system provided by the invention can ensure the security of information transmission between the filtering gateway and the convergence unit, filter out packets containing undesirable information and specified information, prevent the terminals used by users from receiving packets that carry information threats, safeguard the information security of users, and effectively guard against information threats in the network.

Description

Secure communication method and system
Technical field
The present invention relates to the field of communications, and in particular to a secure communication method and system.
Background technology
At present, the volume of data on the internet is growing explosively, and the information security issues within it are attracting increasing attention. However, the network is flooded with all kinds of negative reports, mainly involving terrorism and violence, pornography and anti-government content; there are also virus infections and spam that threaten individual terminals, as well as information threats such as the theft and leakage of company secrets over the network. These information threats urgently need to be dealt with.
A filtering gateway is a dedicated device used to forward important data to a convergence unit. However, data transfer between the filtering gateway and the convergence unit currently has no security guarantee. In general, the filtering gateway filters message information or packets according to specific rules, but the communication process between the filtering gateway and the convergence unit itself is insecure and unprotected, so the information threats in the network cannot be effectively guarded against.
Summary of the invention
The technical problem to be solved by the invention is to provide a secure communication method and system that address the shortcomings of the prior art.
The technical solution by which the invention solves the above technical problem is as follows:
A secure communication method, comprising the following steps:
a filtering gateway establishes an encrypted communication channel for communicating with a convergence unit;
the filtering gateway receives data packets and restores the application-layer data content of the packets;
the filtering gateway processes the application-layer data content according to preset information filtering rules and filters out the packets whose application-layer data content does not comply with the information filtering rules;
the filtering gateway sends the packets that were not filtered out to the convergence unit over the encrypted communication channel.
The beneficial effects of the invention are as follows: in the secure communication method provided by the invention, an encrypted communication channel is established between the filtering gateway and the convergence unit, which ensures the security of information transmission between them; the filtering gateway restores the application-layer content of the packets and filters them according to preset information filtering rules, so that packets containing undesirable information and specified information are filtered out and the terminals used by users do not receive packets carrying information threats, safeguarding the information security of users; the content to be filtered can also be set according to the needs of the user, so filtering can be customised to the customer's requirements, further improving information security and effectively guarding against information threats in the network.
On the basis of the above technical solution, the invention can also be improved as follows.
Further, the filtering gateway establishing an encrypted communication channel for communicating with the convergence unit specifically comprises:
the filtering gateway and the convergence unit each obtain the IP address of the other side, and address filtering rules are set on the filtering gateway and on the convergence unit respectively;
IP address filtering is performed between the filtering gateway and the convergence unit, and the encrypted communication channel for communication is established.
The beneficial effect of adopting the above further solution is that an encrypted communication channel is established between the filtering gateway and the convergence unit by means of address filtering rules, which improves the security of communication between the filtering gateway and the convergence unit.
Another technical solution by which the invention solves the above technical problem is as follows:
A secure communication system, comprising a filtering gateway and a convergence unit, wherein the filtering gateway specifically comprises:
a communication unit, for establishing an encrypted communication channel for communicating with the convergence unit;
a processing unit, for receiving data packets and restoring the application-layer data content of the packets;
a filtering unit, for processing the application-layer data content according to preset information filtering rules and filtering out the packets whose application-layer data content does not comply with the information filtering rules;
the communication unit is further used to send the packets that were not filtered out to the convergence unit over the encrypted communication channel.
The beneficial effects of the invention are as follows: in the secure communication system provided by the invention, an encrypted communication channel is established between the filtering gateway and the convergence unit, which ensures the security of information transmission between them; the filtering gateway restores the application-layer content of the packets and filters them according to preset information filtering rules, so that packets containing undesirable information and specified information are filtered out and the terminals used by users do not receive packets carrying information threats, safeguarding the information security of users; the content to be filtered can also be set according to the needs of the user, so filtering can be customised to the customer's requirements, further improving information security and effectively guarding against information threats in the network.
On the basis of the above technical solution, the invention can also be improved as follows.
Further, the filtering gateway and the convergence unit are respectively used to obtain the IP address of the other side, address filtering rules are configured on the filtering gateway and on the convergence unit respectively, IP address filtering is performed between the filtering gateway and the convergence unit, and the encrypted communication channel for communication is established.
The beneficial effect of adopting the above further solution is that an encrypted communication channel is established between the filtering gateway and the convergence unit by means of address filtering rules, which improves the security of communication between the filtering gateway and the convergence unit.
Additional aspects and advantages of the invention will be set forth in part in the description that follows, and in part will become apparent from the description or be learned by practice of the invention.
Brief description of the drawings
Fig. 1 is a flow diagram of a secure communication method provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of a secure communication method provided by another embodiment of the present invention;
Fig. 3 is a flow diagram of a secure communication method provided by another embodiment of the present invention;
Fig. 4 is a flow diagram of a secure communication method provided by another embodiment of the present invention;
Fig. 5 is a flow diagram of a secure communication method provided by another embodiment of the present invention;
Fig. 6 is a flow diagram of a secure communication method provided by another embodiment of the present invention;
Fig. 7 is a structural block diagram of a secure communication system provided by another embodiment of the present invention;
Fig. 8 is a network topology diagram of a secure communication system provided by another embodiment of the present invention.
Embodiments
The principles and features of the invention are described below with reference to the accompanying drawings. The examples given serve only to explain the invention and are not intended to limit its scope.
Fig. 1 is a flow diagram of a secure communication method provided by an embodiment of the present invention. The method comprises the following steps:
S1: the filtering gateway establishes an encrypted communication channel for communicating with the convergence unit.
For example, the filtering gateway and the convergence unit each obtain the IP address of the other side, and IP address filtering rules are set on the filtering gateway and on the convergence unit respectively, so that before communicating, the filtering gateway and the convergence unit perform IP address filtering according to the preset IP address filtering rules. An encrypted communication channel can thus be set up, which improves the security of the data transmitted between the filtering gateway and the convergence unit.
As another example, the filtering gateway and the convergence unit can perform mutual authentication based on a symmetric authentication key Ka/Ka', and establish encrypted mobile communication based on a symmetric communication key Kc/Kc'.
As a further example, the filtering gateway and the convergence unit can each generate a hash-value token according to a preset generation rule and then match the tokens; when the hash-value tokens of the filtering gateway and the convergence unit are identical, encrypted mobile communication is established.
S2: the filtering gateway receives data packets and restores the application-layer data content of the packets.
For example, the restoration process is illustrated here using TCP messages. After receiving a packet, the filtering gateway first writes the packet to a cache file, then reassembles the packets written to the cache file and restores them into TCP connection data, which provides the means for protocol identification. The packet content written to the cache file can include: the source IP address, destination IP address, source port, destination port, sequence number and acknowledgement number of the TCP connection, and the data content of the packet. The cached packets can be reassembled using the sequence number and acknowledgement number in the TCP header.
S3: the filtering gateway processes the application-layer data content according to preset information filtering rules and filters out the packets whose application-layer data content does not comply with the information filtering rules.
The preset information filtering rules are set in advance by the user and stored in a data table of the filtering gateway so that they can be called. For example, when pornographic and violent information in the network needs to be filtered, some pornographic and violent phrases can be preset as detection keywords; when a preset phrase appears in the application-layer data content, the packet containing the detection keyword is filtered out. As another example, when content containing company confidential information needs to be filtered, some keywords relating to the company confidential information can be preset; when a preset keyword of company confidential information appears in the application-layer data content, the packet containing the detection keyword is filtered out, which can prevent the leakage of company confidential information.
S4: the filtering gateway sends the packets that were not filtered out to the convergence unit over the encrypted communication channel.
In the secure communication method provided by this embodiment, an encrypted communication channel is established between the filtering gateway and the convergence unit, which ensures the security of information transmission between them; the filtering gateway restores the application-layer content of the packets and filters them according to preset information filtering rules, so that packets containing undesirable information and specified information are filtered out and the terminals used by users do not receive packets carrying information threats, safeguarding the information security of users; the content to be filtered can also be set according to the needs of the user, so filtering can be customised to the customer's requirements, further improving the security of information and effectively guarding against information threats in the network.
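The following Python example is added here to make steps S2 and S3 concrete; it is not code from the patent or its assignee. It reassembles cached TCP segments by sequence number (dropping retransmitted and overlapping bytes) into per-direction application-layer content, then applies a user-configured keyword table to the restored content. The sample segments, addresses, keywords and the `Segment`/`filter_streams` names are all constructed for the example. One point the prose does not spell out is why reassembly must precede matching: the constructed keyword is split across two segments that also arrive out of order, so per-packet matching would miss it. Filtering is done at stream granularity here rather than per packet.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One cached TCP segment: the fields the text says the cache file holds."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int       # TCP sequence number
    ack: int       # acknowledgement number (kept for completeness; one direction is ordered by seq alone)
    payload: bytes


def reassemble(segments):
    """Rebuild each direction of each TCP connection from cached segments.

    Segments are grouped by (src_ip, src_port, dst_ip, dst_port), ordered by
    sequence number, and overlapping or retransmitted bytes are discarded.
    Returns {four_tuple: reassembled application-layer bytes}.
    """
    by_flow = {}
    for seg in segments:
        key = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        by_flow.setdefault(key, []).append(seg)

    streams = {}
    for key, segs in by_flow.items():
        segs.sort(key=lambda s: s.seq)
        buf = bytearray()
        next_seq = segs[0].seq            # first byte we expect next
        for seg in segs:
            end = seg.seq + len(seg.payload)
            if end <= next_seq:
                continue                  # pure retransmission: nothing new
            if seg.seq > next_seq:
                break                     # hole in the stream; bytes after it cannot be trusted
            buf += seg.payload[next_seq - seg.seq:]   # trim any overlap at the front
            next_seq = end
        streams[key] = bytes(buf)
    return streams


def compile_rules(keywords):
    """The user-configured information filtering rule table, normalised once."""
    return [k.lower().encode() for k in keywords]


def first_violation(rules, content):
    """Return the keyword that matched the restored content, or None."""
    lowered = content.lower()
    for kw in rules:
        if kw in lowered:
            return kw.decode()
    return None


def filter_streams(segments, keywords):
    """Steps S2 + S3: restore application-layer content, then apply the rules.

    Returns (forwarded_flows, dropped_flows); dropped_flows maps a flow key
    to the keyword that caused it to be filtered out.
    """
    rules = compile_rules(keywords)
    forwarded, dropped = [], {}
    for key, content in reassemble(segments).items():
        hit = first_violation(rules, content)
        if hit is None:
            forwarded.append(key)
        else:
            dropped[key] = hit
    return forwarded, dropped


# Constructed sample traffic (not captured data). Flow A carries a configured
# keyword split across two segments, which arrive out of order and once more
# as a retransmission; flow B is benign and contains a duplicate segment.
FLOW_A = ("10.0.0.5", 40001, "10.0.0.9", 80)
FLOW_B = ("10.0.0.7", 40002, "10.0.0.9", 80)
SAMPLE_SEGMENTS = [
    Segment(*FLOW_A, seq=1035, ack=1, payload=b"DENTIAL draft\r\n\r\n"),
    Segment(*FLOW_A, seq=1000, ack=1, payload=b"GET /report HTTP/1.1\r\nX-Note: CONFI"),
    Segment(*FLOW_A, seq=1000, ack=1, payload=b"GET /report HTTP/1.1\r\nX-Note: CONFI"),
    Segment(*FLOW_B, seq=5000, ack=1, payload=b"GET /index.html HTTP/1.1\r\n\r\n"),
    Segment(*FLOW_B, seq=5000, ack=1, payload=b"GET /index.html HTTP/1.1\r\n\r\n"),
]
SAMPLE_KEYWORDS = ["confidential", "secret-project-x"]   # constructed rule table

if __name__ == "__main__":
    print(filter_streams(SAMPLE_SEGMENTS, SAMPLE_KEYWORDS))
```

Running the module prints flow B as forwarded and flow A as dropped with the keyword `confidential`. A production gateway would also need to bound how long it buffers a stream with a hole and to inspect both directions of a connection; both are left out to keep the example short.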
In another embodiment, Fig. 2 is a flow diagram of a secure communication method provided by another embodiment of the present invention. The method comprises the following steps:
S1: the filtering gateway establishes an encrypted communication channel for communicating with the convergence unit.
For example, the filtering gateway and the convergence unit each obtain the IP address of the other side, and IP address filtering rules are set on the filtering gateway and on the convergence unit respectively, so that before communicating, the filtering gateway and the convergence unit perform IP address filtering according to the preset IP address filtering rules. An encrypted communication channel can thus be set up, which improves the security of the data transmitted between the filtering gateway and the convergence unit.
As another example, the filtering gateway and the convergence unit can perform mutual authentication based on a symmetric authentication key Ka/Ka', and establish encrypted mobile communication based on a symmetric communication key Kc/Kc'.
As a further example, the filtering gateway and the convergence unit can each generate a hash-value token according to a preset generation rule and then match the tokens; when the hash-value tokens of the filtering gateway and the convergence unit are identical, encrypted mobile communication is established.
A preferred implementation of step S1 is given below, which specifically comprises the following steps:
S11: the filtering gateway and the convergence unit each obtain the IP address of the other side, and address filtering rules are set on the filtering gateway and on the convergence unit respectively.
Specifically, the filtering gateway obtains its own IP address IP1 from the internet and sends it to the convergence unit;
the filtering gateway obtains the IP address IP2 of the convergence unit;
the filtering gateway sets an IP address filtering rule allowing local reception of IP packets whose source IP address is IP2;
the convergence unit sets an IP address filtering rule allowing local reception of IP packets whose source IP address is IP1.
S12: IP address filtering is performed between the filtering gateway and the convergence unit, and the encrypted communication channel for communication is established.
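The following Python example is added to illustrate steps S11 and S12 together with the mutual-authentication option on the symmetric key Ka/Ka' mentioned under step S1; it is not code from the patent or its assignee. Each side holds an IP address filtering rule naming the other's address and discards any message from elsewhere; on top of that, a three-message challenge/response (nonce, nonce plus HMAC, HMAC) proves that both sides hold the same Ka. The `Endpoint` class, the message layout, the HMAC-SHA-256 construction, the addresses and the key are all assumptions made for the example; the patent does not specify them, and derivation of the communication key Kc is left out.

```python
import hashlib
import hmac
import secrets


class Endpoint:
    """A filtering gateway or a convergence unit. Class and method names are
    illustrative and are not the patent's terminology."""

    def __init__(self, name, ip, auth_key):
        self.name = name                  # role label bound into every MAC
        self.ip = ip                      # own address (IP1 / IP2 in the text)
        self.auth_key = auth_key          # Ka / Ka': the shared symmetric authentication key
        self.allowed_sources = set()      # IP address filtering rule (step S11)
        self.own_nonce = None
        self.peer_nonce = None

    # ---- step S11: address filtering rule ----
    def allow_source(self, peer_ip):
        self.allowed_sources.add(peer_ip)

    def accepts(self, src_ip):
        """Step S12: anything not from the configured peer address is dropped."""
        return src_ip in self.allowed_sources

    # ---- mutual authentication on Ka (challenge/response) ----
    def _tag(self, role, challenger_nonce, responder_nonce):
        msg = role.encode() + challenger_nonce + responder_nonce
        return hmac.new(self.auth_key, msg, hashlib.sha256).digest()

    def start(self):
        """Message 1: the initiator sends a fresh nonce."""
        self.own_nonce = secrets.token_bytes(16)
        return self.own_nonce

    def answer(self, src_ip, peer_nonce):
        """Message 2: the responder returns its nonce and a MAC over both nonces."""
        if not self.accepts(src_ip):
            return None
        self.peer_nonce = peer_nonce
        self.own_nonce = secrets.token_bytes(16)
        return self.own_nonce, self._tag(self.name, peer_nonce, self.own_nonce)

    def check_then_finish(self, src_ip, peer_name, peer_nonce, peer_tag):
        """The initiator verifies message 2 and, if it is good, emits message 3."""
        if not self.accepts(src_ip):
            return None
        expected = self._tag(peer_name, self.own_nonce, peer_nonce)
        if not hmac.compare_digest(expected, peer_tag):
            return None
        self.peer_nonce = peer_nonce
        return self._tag(self.name, peer_nonce, self.own_nonce)

    def check_final(self, src_ip, peer_name, peer_tag):
        """The responder verifies message 3; True means both sides hold the same Ka."""
        if not self.accepts(src_ip) or self.peer_nonce is None:
            return False
        expected = self._tag(peer_name, self.own_nonce, self.peer_nonce)
        return hmac.compare_digest(expected, peer_tag)


def establish_channel(gateway, unit):
    """Run the exchange; True only when both address filters and both MACs pass."""
    n_g = gateway.start()
    reply = unit.answer(gateway.ip, n_g)
    if reply is None:
        return False
    n_u, tag_u = reply
    tag_g = gateway.check_then_finish(unit.ip, unit.name, n_u, tag_u)
    if tag_g is None:
        return False
    return unit.check_final(gateway.ip, gateway.name, tag_g)


KA = b"constructed-demo-key-not-for-use"   # placeholder Ka; a real key is random and provisioned out of band


def demo(gateway_key, unit_key, configure_filters=True):
    """Set up both sides with constructed addresses and keys and try to pair them."""
    gateway = Endpoint("gateway", "198.51.100.10", gateway_key)   # IP1, constructed
    unit = Endpoint("unit", "203.0.113.20", unit_key)             # IP2, constructed
    if configure_filters:
        gateway.allow_source(unit.ip)
        unit.allow_source(gateway.ip)
    return establish_channel(gateway, unit)


if __name__ == "__main__":
    print("matching keys:", demo(KA, KA))
    print("mismatched keys:", demo(KA, b"some-other-key"))
    print("no address filter configured:", demo(KA, KA, configure_filters=False))
```

The role label inside each MAC stops a reflected message 2 from being accepted as message 3, and `hmac.compare_digest` avoids a timing side channel on the comparison. Note that the address filter alone is not authentication, since source addresses can be forged; in this design it only narrows who may even begin the exchange.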
S2: the filtering gateway receives data packets and restores the application-layer data content of the packets.
For example, the restoration process is illustrated here using TCP messages. After receiving a packet, the filtering gateway first writes the packet to a cache file, then reassembles the packets written to the cache file and restores them into TCP connection data, which provides the means for protocol identification. The packet content written to the cache file can include: the source IP address, destination IP address, source port, destination port, sequence number and acknowledgement number of the TCP connection, and the data content of the packet. The cached packets can be reassembled using the sequence number and acknowledgement number in the TCP header.
S3: the filtering gateway processes the application-layer data content according to preset information filtering rules and filters out the packets whose application-layer data content does not comply with the information filtering rules.
The preset information filtering rules are set in advance by the user and stored in a data table of the filtering gateway so that they can be called. For example, when pornographic and violent information in the network needs to be filtered, some pornographic and violent phrases can be preset as detection keywords; when a preset phrase appears in the application-layer data content, the packet containing the detection keyword is filtered out. As another example, when content containing company confidential information needs to be filtered, some keywords relating to the company confidential information can be preset; when a preset keyword of company confidential information appears in the application-layer data content, the packet containing the detection keyword is filtered out, which can prevent the leakage of company confidential information.
S4: the filtering gateway sends the packets that were not filtered out to the convergence unit over the encrypted communication channel.
In the secure communication method provided by this embodiment, building on the previous embodiment, the filtering gateway and the convergence unit each obtain the IP address of the other side and set address filtering rules, and both sides perform IP address filtering. A secure encrypted communication channel can thus be set up in which the filtering gateway and the convergence unit accept only each other's data according to the preset address filtering rules, which ensures the security of information transmission between them, effectively guards against behaviour such as network attacks, secures data transmission from the lowest level of the transmission process, and makes the data flow between the filtering gateway and the convergence unit more stable and reliable.
In another embodiment, Fig. 3 is a flow diagram of a secure communication method provided by another embodiment of the present invention. The method comprises the following steps:
S1: the filtering gateway establishes an encrypted communication channel for communicating with the convergence unit.
A preferred implementation of step S1 is given below, which specifically comprises the following steps:
S11: the filtering gateway and the convergence unit each obtain the IP address of the other side, and address filtering rules are set on the filtering gateway and on the convergence unit respectively.
Specifically, the filtering gateway obtains its own IP address IP1 from the internet and sends it to the convergence unit;
the filtering gateway obtains the IP address IP2 of the convergence unit;
the filtering gateway sets an IP address filtering rule allowing local reception of IP packets whose source IP address is IP2;
the convergence unit sets an IP address filtering rule allowing local reception of IP packets whose source IP address is IP1.
S12: IP address filtering is performed between the filtering gateway and the convergence unit, and the encrypted communication channel for communication is established.
S2: the filtering gateway receives data packets and restores the application-layer data content of the packets.
For example, the restoration process is illustrated here using TCP messages. After receiving a packet, the filtering gateway first writes the packet to a cache file, then reassembles the packets written to the cache file and restores them into TCP connection data, which provides the means for protocol identification. The packet content written to the cache file can include: the source IP address, destination IP address, source port, destination port, sequence number and acknowledgement number of the TCP connection, and the data content of the packet. The cached packets can be reassembled using the sequence number and acknowledgement number in the TCP header.
Specifically, step S2 can be refined into the following steps:
S21: the filtering gateway receives a data packet, extracts the destination IP address, destination port, source IP address, source port and transport-layer protocol number from the packet, and calculates a hash value of the packet from them.
This step is described in detail below using a common message as an example.
Suppose the header of the message is:
02:54:cd:d8:f3:22>52:54:d1:f2:8e:38,172.17.0.3.53794>172.17.1.2.22 Ttl63, proto TCP
From it the following can be obtained:
Source IP address and source port: 172.17.0.3.53794
Destination IP address and destination port: 172.17.1.2.22
Transport-layer protocol number: 6
The hash value is calculated as 2293368848795334559.
S22: the filtering gateway matches the hash value against the hash values in a preset data table; when an identical hash value is matched, the packet is filtered out; when no identical hash value is matched, the application-layer data content of the packet is restored.
After obtaining the hash value, the filtering gateway searches the preset data table for an identical hash value. If an identical hash value is found, this indicates that a TCP message sent earlier from the source IP address and source port 172.17.0.3.53794 to the destination IP address and destination port 172.17.1.2.22 was filtered out; therefore, subsequent packets sent from this source IP address and source port to this destination IP address and destination port can be filtered out directly, which can effectively prevent network attacks or virus injection and improves the filtering efficiency of messages and the security of data transmission.
If no identical hash value is matched in the data table, the application-layer data content of the packet is restored and the content of the packet is further inspected.
Preferably, filtering out the packet when an identical hash value is matched specifically comprises:
when an identical hash value is matched, obtaining the number of packets corresponding to the hash value received within a certain period of time, and filtering out the packet when the number of packets corresponding to the hash value exceeds a preset number threshold.
It should be noted that the certain period of time here can be set according to actual conditions; for example, it could be set to 5 s. When a large number of packets with identical hash values are received within 5 s and the identical hash value is found in the data table, this indicates that an attack or virus infection is likely, and subsequent packets can be filtered out directly without restoring the application-layer content and performing matching detection again, which reduces the operating load of the filtering gateway and improves the forwarding speed of data.
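The following Python example is added to show steps S21 and S22 with the time-window refinement above, and the storing of the hash at step S4 of the Fig. 4 embodiment; it is not code from the patent or its assignee. It parses the five-tuple out of a header line in the format quoted above, hashes it, and then decides whether a packet may be dropped without content inspection: only if the hash is already in the table of previously filtered flows and more than a threshold number of packets with that hash arrived inside the window. The hash function (SHA-256 truncated to 64 bits), the `FlowTable` class, the window and threshold values and the arrival timestamps are assumptions made for the example; the patent names no hash function, so the value computed here will not equal the 2293368848795334559 quoted in the text.

```python
import hashlib
import re
from collections import deque

# Header line in the format quoted in the text:
# "<mac>><mac>,<src ip>.<src port>><dst ip>.<dst port> Ttl<n>, proto <name>"
HEADER_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+)\s*>\s*(\d+\.\d+\.\d+\.\d+)\.(\d+).*?proto\s+(\w+)"
)
PROTO_NUMBERS = {"TCP": 6, "UDP": 17}   # IANA transport protocol numbers


def parse_header(line):
    """Step S21: extract (dst_ip, dst_port, src_ip, src_port, proto_number)."""
    m = HEADER_RE.search(line)
    if m is None:
        raise ValueError("unrecognised header line")
    src_ip, src_port, dst_ip, dst_port, proto = m.groups()
    return (dst_ip, int(dst_port), src_ip, int(src_port), PROTO_NUMBERS[proto.upper()])


def flow_hash(five_tuple):
    """64-bit flow hash. SHA-256 truncated to 8 bytes is an assumption made here;
    the patent does not name its hash function."""
    canonical = "|".join(str(x) for x in five_tuple).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest()[:8], "big")


class FlowTable:
    """Step S22 plus the rate refinement: a packet is dropped without content
    inspection only if its flow hash is already in the table AND more than
    `threshold` packets of that flow arrived within `window` seconds."""

    def __init__(self, window=5.0, threshold=3):
        self.window = window
        self.threshold = threshold
        self.blocked = set()      # hashes stored at step S4 of the Fig. 4 embodiment
        self.arrivals = {}        # hash -> deque of arrival timestamps, trimmed to the window

    def record_filtered(self, h):
        """Called when a packet of this flow failed the content rules."""
        self.blocked.add(h)

    def count_in_window(self, h, now):
        q = self.arrivals.setdefault(h, deque())
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def should_drop(self, h, now):
        """True means: drop now, skip restoring and inspecting application-layer content."""
        count = self.count_in_window(h, now)
        return h in self.blocked and count > self.threshold


SAMPLE_HEADER = ("02:54:cd:d8:f3:22>52:54:d1:f2:8e:38,"
                 "172.17.0.3.53794>172.17.1.2.22 Ttl63, proto TCP")   # header quoted in the text


def demo():
    """Replay six packets of the flow above at constructed timestamps (seconds)."""
    table = FlowTable(window=5.0, threshold=3)
    h = flow_hash(parse_header(SAMPLE_HEADER))
    table.record_filtered(h)           # assume an earlier packet of this flow was filtered out
    return [table.should_drop(h, t) for t in (0.0, 1.0, 2.0, 3.0, 4.0, 10.0)]


if __name__ == "__main__":
    print(parse_header(SAMPLE_HEADER))
    print(demo())
```

In the replay, the fourth and fifth packets are dropped outright because four and then five arrivals fall inside the 5 s window, while the packet at 10 s is inspected again because the window has emptied. A flow whose hash is not in the table is never short-circuited, whatever its rate; it goes through content restoration and rule matching as in steps S2 and S3.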
S3: the filtering gateway processes the application-layer data content according to preset information filtering rules and filters out the packets whose application-layer data content does not comply with the information filtering rules.
The preset information filtering rules are set in advance by the user and stored in a data table of the filtering gateway so that they can be called. For example, when pornographic and violent information in the network needs to be filtered, some pornographic and violent phrases can be preset as detection keywords; when a preset phrase appears in the application-layer data content, the packet containing the detection keyword is filtered out. As another example, when content containing company confidential information needs to be filtered, some keywords relating to the company confidential information can be preset; when a preset keyword of company confidential information appears in the application-layer data content, the packet containing the detection keyword is filtered out, which can prevent the leakage of company confidential information.
S4: the filtering gateway sends the packets that were not filtered out to the convergence unit over the encrypted communication channel.
In the secure communication method provided by this embodiment, building on the previous embodiment, subsequent packets with the same source IP address and source port and the same destination IP address and destination port as a filtered message are filtered out directly on the basis of the message hash value, which can effectively prevent network attacks or virus injection, improves the filtering efficiency of messages and the security of data transmission, reduces the operating load of the filtering gateway and improves the forwarding speed of data.
In another embodiment, as shown in figure 4, a kind of stream of the safety communicating method provided for another embodiment of the present invention Journey schematic diagram, this method comprise the following steps:
S1: the filtering gateway establishes an encrypted communication channel for communication with the convergence unit.
A preferred implementation of step S1 is given below and specifically comprises the following steps:
S11: the filtering gateway and the convergence unit each obtain the other's IP address, and an address filtering rule is set on the filtering gateway and on the convergence unit respectively.
Specifically, the filtering gateway obtains its own IP address IP1 from the Internet and sends it to the convergence unit;
the filtering gateway obtains the IP address IP2 of the convergence unit;
the filtering gateway sets an IP address filtering rule permitting the local side to accept IP packets whose source IP address is IP2;
the convergence unit sets an IP address filtering rule permitting the local side to accept IP packets whose source IP address is IP1.
S12: IP address filtering is performed between the filtering gateway and the convergence unit, and the encrypted communication channel for communication is established.
S2: the filtering gateway receives a packet and restores the application-layer data content of the packet.
Specifically, step S2 can be refined into the following steps:
S21: the filtering gateway receives the packet, extracts the destination IP address, destination port, source IP address, source port and transport-layer protocol number from the packet, and calculates the hash value of the packet from these fields.
S22: the filtering gateway matches the hash value against the hash values in a preset data table; when an identical hash value is matched, the packet is filtered out; when no identical hash value is matched, the application-layer data content of the packet is restored.
S3: the filtering gateway processes the application-layer data content according to the preset information filtering rule and filters out packets whose application-layer data content does not comply with the information filtering rule.
The preset information filtering rule is set in advance by the user and stored in the data table of the filtering gateway so that it can be called as needed. For example, when pornographic or violent content on the network needs to be filtered, some pornographic or violent phrases can be preset as detection keywords; when a preset phrase appears in the application-layer data content, the packet containing the detection keyword is filtered out. As another example, when content containing company confidential information needs to be filtered, some keywords associated with company confidential information can be preset; when such a preset keyword appears in the application-layer data content, the packet containing the detection keyword is filtered out, which can prevent leakage of company confidential information.
S4: the filtering gateway stores the hash value in the data table. This provides a basis for processing subsequent packets: when an identical hash value is matched, the message is filtered out directly, which further increases the data transmission speed between the filtering gateway and the convergence unit.
For example, take the following message header:
02:54:cd:d8:f3:22>52:54:d1:f2:8e:38,172.17.0.3.53794>172.17.1.2.22 Ttl63, proto TCP
From it the following can be obtained:
Source IP address and source port: 172.17.0.3.53794
Destination IP address and destination port: 172.17.1.2.22
Transport-layer protocol number: 6
The hash value calculated from these fields is 2293368848795334559.
S5: the filtering gateway monitors the number of matches of each hash value in the data table; when it detects that a hash value has been matched successfully more than a preset number of times within a preset time interval, it sends an alert message indicating a suspected network attack to a preset receiving terminal.
It should be noted that the specific content of the alert message can be set according to actual requirements. For example, when a company wants to prevent leakage of company confidential information, it can set some related keywords. An occasional one or two filtered packets may not mean that company confidential information is being leaked, but when a large number of packets are filtered out in a short time (evidently by matching hash values in the data table), it is very likely that someone is leaking company confidential information to the outside. Therefore an alert message indicating suspected leakage of company confidential information can be sent to the preset receiving terminal. The receiving terminal can be a terminal such as a mobile phone or a computer, or a data processing device, etc.
S6: the filtering gateway sends the packets that were not filtered out to the convergence unit over the encrypted communication channel.
The secure communication method provided by this embodiment, building on the previous embodiment, obtains the hash value of each filtered packet and stores it in the data table, which provides a basis for processing subsequent packets: when an identical hash value is matched, the message is filtered out directly, further increasing the data transmission speed between the filtering gateway and the convergence unit. The number of matches of each hash value in the data table is also monitored, so that when a large number of packets whose application-layer data content does not comply with the information filtering rule are received within a preset period, an information leak or an information attack can be judged accurately and an alert message indicating a suspected network attack is sent promptly to the preset receiving terminal, reminding the user to respond and take precautions in time, which improves the security of information transmission.
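The flow-hash table and match-count monitoring of steps S21, S22, S4 and S5 above, as an added illustration that is not part of the patent and not the applicant's code. The patent does not name the hash function, so the 64-bit truncated SHA-256 used here is an assumption and does not reproduce the value 2293368848795334559 quoted above; the parser accepts the header format printed above, simple substring keyword matching stands in for the information filtering rule, and the names parse_header, flow_hash and FilteringGateway, as well as the sample payloads and timestamps, are constructed for this example.

```python
import hashlib
import ipaddress
import re
import struct
from collections import deque

# IANA transport-layer protocol numbers for the protocol names in the header format.
PROTO_NUMBERS = {"TCP": 6, "UDP": 17}

# Header format as printed in the text: "<src ip>.<sport>><dst ip>.<dport> ... proto <NAME>"
HEADER_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)>"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+).*?proto\s+(?P<proto>[A-Za-z]+)"
)


def parse_header(line):
    """S21: extract (src ip, src port, dst ip, dst port, protocol number) from a header line."""
    m = HEADER_RE.search(line)
    if m is None:
        raise ValueError("unrecognised header line: %r" % line)
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
            PROTO_NUMBERS[m["proto"].upper()])


def flow_hash(src_ip, sport, dst_ip, dport, proto):
    """Hash of the 5-tuple (IPv4 assumed). The patent does not name the hash function;
    SHA-256 truncated to 64 bits is an assumption made for this example."""
    key = struct.pack("!4sH4sHB",
                      ipaddress.IPv4Address(src_ip).packed, sport,
                      ipaddress.IPv4Address(dst_ip).packed, dport, proto)
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


class FilteringGateway:
    """Minimal model of the filtering gateway: S22 hash lookup, S3 keyword rule,
    S4 hash storage, S5 match-count alerting and S6 forwarding."""

    def __init__(self, keywords, window, preset_times):
        self.keywords = list(keywords)    # preset detection keywords (the filtering rule)
        self.window = window              # preset time interval, in seconds
        self.preset_times = preset_times  # alert when matches in the window exceed this
        self.table = {}                   # the data table: flow hash -> match timestamps
        self.forwarded = []               # packets handed to the convergence unit
        self.alerts = []                  # alert messages sent to the receiving terminal

    def handle(self, header, payload, now):
        """Process one packet; returns the decision taken for it."""
        h = flow_hash(*parse_header(header))
        if h in self.table:
            # S22: identical hash found, drop without inspecting the content
            hits = self.table[h]
            hits.append(now)
            while hits and now - hits[0] > self.window:  # keep only the preset interval
                hits.popleft()
            if len(hits) > self.preset_times:             # S5
                self.alerts.append((now, h, "suspected network attack"))
            return "drop:hash"
        # S3: no hash match, so the restored application-layer content is inspected
        if any(kw in payload for kw in self.keywords):
            self.table[h] = deque()                       # S4: remember the flow
            return "drop:keyword"
        self.forwarded.append((header, payload))          # S6
        return "forward"


if __name__ == "__main__":
    # Constructed sample: the header quoted in the text, with made-up payloads and timestamps.
    hdr = "02:54:cd:d8:f3:22>52:54:d1:f2:8e:38,172.17.0.3.53794>172.17.1.2.22 Ttl63, proto TCP"
    gw = FilteringGateway(keywords=["company secret"], window=60, preset_times=2)
    for t, payload in enumerate(["hello", "company secret plan", "hello", "hello", "hello"]):
        print(t, gw.handle(hdr, payload, t))
    print("alerts:", gw.alerts)
```

Once a flow has been filtered by content, every later packet of the same 5-tuple is dropped on the hash lookup alone, so the alert counter in S5 measures how persistently that flow keeps arriving rather than how many keyword hits occur; the sliding window ensures an old entry does not trigger an alert hours later.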
In another embodiment, as shown in Figure 5, which is a flow diagram of a secure communication method provided by another embodiment of the present invention, the method comprises the following steps:
S1: the filtering gateway establishes an encrypted communication channel for communication with the convergence unit.
A preferred implementation of step S1 is given below and specifically comprises the following steps:
S11: the filtering gateway and the convergence unit each obtain the other's IP address, and an address filtering rule is set on the filtering gateway and on the convergence unit respectively.
Specifically, the filtering gateway obtains its own IP address IP1 from the Internet and sends it to the convergence unit;
the filtering gateway obtains the IP address IP2 of the convergence unit;
the filtering gateway sets an IP address filtering rule permitting the local side to accept IP packets whose source IP address is IP2;
the convergence unit sets an IP address filtering rule permitting the local side to accept IP packets whose source IP address is IP1.
S12: IP address filtering is performed between the filtering gateway and the convergence unit, and the encrypted communication channel for communication is established.
S2: the filtering gateway receives a packet and restores the application-layer data content of the packet.
Specifically, step S2 can be refined into the following steps:
S21: the filtering gateway receives the packet, extracts the destination IP address, destination port, source IP address, source port and transport-layer protocol number from the packet, and calculates the hash value of the packet from these fields.
S22: the filtering gateway matches the hash value against the hash values in a preset data table; when an identical hash value is matched, the packet is filtered out; when no identical hash value is matched, the application-layer data content of the packet is restored.
S3: keyword detection is performed on the application-layer data content according to the information filtering rule; when a preset keyword is detected, the packet whose application-layer data content contains the preset keyword is filtered out.
Keywords are set in advance by the user and stored in the data table of the filtering gateway so that they can be called as needed. For example, when pornographic or violent content on the network needs to be filtered, some pornographic or violent phrases can be preset as detection keywords; when a preset phrase appears in the application-layer data content, the packet containing the detection keyword is filtered out. As another example, when content containing company confidential information needs to be filtered, some keywords associated with company confidential information can be preset; when such a preset keyword appears in the application-layer data content, the packet containing the detection keyword is filtered out, which can prevent leakage of company confidential information.
S4: the filtering gateway stores the hash value in the data table.
S5: the filtering gateway monitors the number of matches of each hash value in the data table; when it detects that a hash value has been matched successfully more than a preset number of times within a preset time interval, it sends an alert message indicating a suspected network attack to a preset receiving terminal.
S6: the filtering gateway sends the packets that were not filtered out to the convergence unit over the encrypted communication channel.
The secure communication method provided by this embodiment, building on the previous embodiment, performs keyword detection on the restored application-layer data content using preset keywords. It can accurately identify violating information and content in the data, filter data accurately and in a targeted way, prevent leakage of sensitive data and the spread of network spam, and improve network security.
In another embodiment, as shown in Figure 6, which is a flow diagram of a secure communication method provided by another embodiment of the present invention, the method comprises the following steps:
S1: the filtering gateway establishes an encrypted communication channel for communication with the convergence unit.
A preferred implementation of step S1 is given below and specifically comprises the following steps:
S11: the filtering gateway and the convergence unit each obtain the other's IP address, and an address filtering rule is set on the filtering gateway and on the convergence unit respectively.
Specifically, the filtering gateway obtains its own IP address IP1 from the Internet and sends it to the convergence unit;
the filtering gateway obtains the IP address IP2 of the convergence unit;
the filtering gateway sets an IP address filtering rule permitting the local side to accept IP packets whose source IP address is IP2;
the convergence unit sets an IP address filtering rule permitting the local side to accept IP packets whose source IP address is IP1.
S12: IP address filtering is performed between the filtering gateway and the convergence unit, and the encrypted communication channel for communication is established.
S2: the filtering gateway receives a packet and restores the application-layer data content of the packet.
Specifically, step S2 can be refined into the following steps:
S21: the filtering gateway receives the packet, extracts the destination IP address, destination port, source IP address, source port and transport-layer protocol number from the packet, and calculates the hash value of the packet from these fields.
S22: the filtering gateway matches the hash value against the hash values in a preset data table; when an identical hash value is matched, the packet is filtered out; when no identical hash value is matched, the application-layer data content of the packet is restored.
S3: keyword detection is performed on the application-layer data content according to the information filtering rule; when a preset keyword is detected, the packet whose application-layer data content contains the preset keyword is filtered out.
Keywords are set in advance by the user and stored in the data table of the filtering gateway so that they can be called as needed. For example, when pornographic or violent content on the network needs to be filtered, some pornographic or violent phrases can be preset as detection keywords; when a preset phrase appears in the application-layer data content, the packet containing the detection keyword is filtered out. As another example, when content containing company confidential information needs to be filtered, some keywords associated with company confidential information can be preset; when such a preset keyword appears in the application-layer data content, the packet containing the detection keyword is filtered out, which can prevent leakage of company confidential information.
Specifically, step S3 can be refined into the following steps:
S31: when a preset keyword is detected, the keyword is recorded.
For example, all detected keywords can be stored in a preset file. To make analysis in the subsequent steps easier, the sentence in which the keyword appears can be stored together with the keyword when it is detected.
For example, if the keyword is set to "violence", then after the application-layer data of a certain packet is restored, the preset keyword is detected at the following two places:
... insurgent violence is carried out on city x as originally planned ...
... a kind of violent strength around his body ...
It is conceivable that "violence" in the first sentence may refer to a plan of insurgent violence by terrorists and is information that needs to be filtered out, whereas "violence" in the second sentence is a misjudgment of "violent strength", which may be part of a martial-arts novel and is information that should not be filtered. Therefore, for each detected keyword, the sentence in which it appears is extracted, giving the following two records:
Record 1: Insurgent violence is carried out on city x as originally planned.
Record 2: A kind of violent strength around his body.
Record 1 and record 2 are stored in the preset file for subsequent use.
S32: after detection of the entire application-layer data content is finished, all recorded keywords are screened according to a preset semantic analysis algorithm; when a misjudged keyword is found, it is removed from the recorded keywords, and the keywords remaining after screening are taken as the keywords to be filtered.
Specifically, all keywords are processed in turn according to the semantic analysis algorithm: the first character immediately preceding each keyword is extracted;
it is judged whether the first character can form a new phrase with the keyword; if so, the second character immediately following the keyword is extracted;
it is judged whether the keyword can form a new phrase with the second character; if so, the keyword is a misjudged keyword. All records are analysed in turn. The specific implementation of the preset semantic analysis algorithm is: first extract the character A preceding the keyword and judge whether A and the keyword can form a new phrase; if they can, extract the character B following the keyword and judge whether B and the keyword can form a new phrase; if they can, the keyword is a misjudged keyword.
Below, record 1 and record 2 above are used as an illustration.
In record 1, the character preceding the keyword "violence" is extracted (the character translated "shape"); "shape" + "violence" is not a phrase, so "violence" in record 1 is not a misjudged keyword and should be filtered.
In record 2, the character preceding the keyword "violence" is extracted (the character translated "mad"); "mad" + "violence" forms the phrase "violent", so the character following the keyword "violence" is extracted (the character translated "amount"); "violence" + "amount" forms the phrase "strength". Therefore "violence" in record 2 is judged to be a misjudged keyword, and record 2 is deleted.
Finally, "violence" in record 1 is taken as the keyword to be filtered.
It should be noted that if record 1 and record 2 belong to the same packet, the keyword in record 1 still needs to be filtered after the judgment, so that packet is still filtered; if record 1 and record 2 belong to different packets, then, because record 2 has been deleted, only the packet containing record 1 is filtered out, and the packet containing record 2 is not filtered.
S33: when the number of keywords to be filtered exceeds a predetermined number, the packet is filtered out.
This step is intended to improve the fault tolerance of filtering; the filtering rule is set according to actual usage requirements.
For example, the predetermined number can be set to 0. Then, assuming that 1 keyword has been matched in a certain packet, the judgment in this step finds that the number of matched keywords is greater than 0, so the packet is filtered out. That is, when the predetermined number is set to 0, the packet is filtered as long as it contains any keyword that is not a misjudgment.
As another example, when a packet contains a large amount of data, the predetermined number can be set to 100; the packet is then filtered out only when more than 100 keywords are detected, which improves the fault tolerance of filtering and can effectively prevent filtering by mistake.
S4: the filtering gateway stores the hash value in the data table.
S5: the filtering gateway monitors the number of matches of each hash value in the data table; when it detects that a hash value has been matched successfully more than a preset number of times within a preset time interval, it sends an alert message indicating a suspected network attack to a preset receiving terminal.
S6: the filtering gateway sends the packets that were not filtered out to the convergence unit over the encrypted communication channel.
The secure communication method provided by this embodiment, building on the previous embodiment, performs keyword detection on the application-layer data restored from each packet, so that violating keywords contained in the application-layer data content can be detected efficiently. Semantic analysis is then applied to these keywords: the character preceding and the character following each keyword are extracted to determine whether it is a misjudged keyword, which reduces misjudgments caused by filtering and makes filtering more accurate and reliable. By additionally setting a quantity threshold, the fault tolerance of filtering is improved and filtering by mistake can be effectively prevented.
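The keyword recording, semantic screening and threshold decision of steps S31, S32 and S33 above, as an added illustration that is not part of the patent and not the applicant's code. The patent does not say how "forms a phrase" is decided, so a small constructed phrase set stands in for a lexicon; following the worked example above, where "mad" + "violence" and "violence" + "amount" each combine with a single character of the keyword, the check is tried both with the whole keyword and with its adjacent character. The function names (find_keywords, sentence_around, is_misjudged, screen, should_filter) and the two Chinese sample sentences, which mirror record 1 and record 2 but are constructed here, are assumptions of this example.

```python
import re

# Constructed phrase dictionary standing in for the lexicon a semantic analysis algorithm
# would consult (assumption: the patent does not say how "forms a phrase" is decided).
PHRASES = {"狂暴", "力量"}

SENTENCE_END = re.compile(r"[。！？.!?]")


def find_keywords(text, keywords):
    """S31: locate every occurrence of each preset keyword; returns (keyword, offset) pairs."""
    hits = []
    for kw in keywords:
        start = 0
        while True:
            i = text.find(kw, start)
            if i < 0:
                break
            hits.append((kw, i))
            start = i + 1
    return sorted(hits, key=lambda h: h[1])


def sentence_around(text, i):
    """Return the sentence containing offset i, stored with the keyword as the text suggests."""
    left = max((m.end() for m in SENTENCE_END.finditer(text, 0, i)), default=0)
    m = SENTENCE_END.search(text, i)
    right = m.end() if m else len(text)
    return text[left:right].strip()


def forms_phrase(a, b, phrases):
    return (a + b) in phrases


def is_misjudged(text, kw, i, phrases=PHRASES):
    """S32: a hit is a misjudgment when the preceding character forms a phrase with the
    keyword AND the following character forms a phrase with the keyword. Both the whole
    keyword and its adjacent character are tried (assumption drawn from the worked example)."""
    prev_char = text[i - 1] if i > 0 else ""
    next_char = text[i + len(kw)] if i + len(kw) < len(text) else ""
    if not prev_char:
        return False
    if not (forms_phrase(prev_char, kw, phrases) or forms_phrase(prev_char, kw[0], phrases)):
        return False
    if not next_char:
        return False
    return forms_phrase(kw, next_char, phrases) or forms_phrase(kw[-1], next_char, phrases)


def screen(text, keywords, phrases=PHRASES):
    """S31 + S32: record every hit with its sentence, then separate out the misjudged ones."""
    records = []
    for kw, i in find_keywords(text, keywords):
        records.append({
            "keyword": kw,
            "sentence": sentence_around(text, i),
            "misjudged": is_misjudged(text, kw, i, phrases),
        })
    to_filter = [r for r in records if not r["misjudged"]]
    return records, to_filter


def should_filter(text, keywords, predetermined_number=0, phrases=PHRASES):
    """S33: drop the packet only when the keywords left after screening exceed the preset count."""
    _, to_filter = screen(text, keywords, phrases)
    return len(to_filter) > predetermined_number


# Constructed sample application-layer content mirroring the text's two records.
PACKET_A = "他们计划按原定方案对x市发动暴力袭击。"  # genuine hit: "动" + "暴力" is no phrase
PACKET_B = "他身体周围环绕着一种狂暴力量。"          # misjudged: "狂暴" and "力量" are phrases

if __name__ == "__main__":
    for r in screen(PACKET_A + PACKET_B, ["暴力"])[0]:
        print(r)
    print(should_filter(PACKET_A + PACKET_B, ["暴力"]))
```

Because the threshold in should_filter is applied to the count left after screening, a packet that contains only misjudged hits is forwarded even with the predetermined number set to 0, which is the behaviour the note after record 2 describes for packets that contain record 2 alone.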
In another embodiment, as shown in Figure 7, which is a structural block diagram of a secure communication system provided by another embodiment of the present invention, the system comprises a filtering gateway 1 and a convergence unit 2. Before data is transmitted, the filtering gateway 1 and the convergence unit 2 each obtain the other's IP address, each set their own address filtering rule, and perform IP address filtering between them, thereby establishing an encrypted communication channel for communication.
The structure of the filtering gateway 1 is described further below. The filtering gateway 1 specifically comprises: a communication unit 11 for establishing the encrypted communication channel for communication with the convergence unit 2; a processing unit 12 for receiving packets and restoring the application-layer data content of each packet; and a filter unit 13 for processing the application-layer data content according to the preset information filtering rule and filtering out packets whose application-layer data content does not comply with the information filtering rule. The communication unit 11 is further used to send the packets that were not filtered out to the convergence unit 2 over the encrypted communication channel.
It can be seen from the above that the processing unit 12 and the filter unit 13 play an important role, so these two units are described further below.
Preferably, the processing unit 12 is specifically used to receive a packet, extract the destination IP address, destination port, source IP address, source port and transport-layer protocol number from the packet, calculate the hash value of the packet from the destination IP address, destination port, source IP address, source port and transport-layer protocol number, and match the hash value against the hash values in a preset data table; when an identical hash value is matched, the packet is filtered out; when no identical hash value is matched, the application-layer data content of the packet is restored.
It should be noted that the hash values in the data table are stored there by the filter unit 13: the filter unit 13 obtains the hash value calculated by the processing unit 12, stores it in the data table, and monitors the number of matches of each hash value in the data table; when it detects that a hash value has been matched successfully more than a preset number of times within a preset time interval, it sends an alert message indicating a suspected network attack to a preset receiving terminal through the communication unit 11.
Preferably, the filter unit 13 is specifically used to perform keyword detection on the application-layer data content according to the information filtering rule and, when a preset keyword is detected, to filter out the packet whose application-layer data content does not comply with the information filtering rule.
When a preset keyword is detected, the keyword is recorded, and after detection of the entire application-layer data content is finished, all keywords are processed in turn according to the preset semantic analysis algorithm: the first character immediately preceding each keyword is extracted and it is judged whether the first character can form a new phrase with the keyword; if so, the second character immediately following the keyword is extracted and it is judged whether the keyword can form a new phrase with the second character; if so, the keyword is a misjudged keyword. After all keywords have been processed, the misjudged keywords are removed from the recorded keywords, the keywords remaining after screening are taken as the keywords to be filtered, and when the number of keywords to be filtered exceeds a predetermined number, the packet is filtered out.
The secure communication system provided by this embodiment establishes an encrypted communication channel between the filtering gateway 1 and the convergence unit 2, which ensures the security of information transmission between them. The filtering gateway 1 restores the application-layer content of each packet and filters packets according to the preset information filtering rule, so that packets containing illegal content or specified information are filtered out and the terminal used by the user does not receive packets carrying an information threat, safeguarding the user's information security. The content to be filtered can also be set according to the user's demands, allowing filtering to be customised to the customer's needs, which further improves information security and effectively guards against information threats in the network.
In another embodiment, as shown in Figure 8, which is a network topology diagram of a secure communication system provided by another embodiment of the present invention, the network connection architecture of the system is described with reference to Figure 8.
After the filtering gateway 1 obtains data from the network, it filters the data internally, then establishes an encrypted communication channel with the convergence unit and transmits the data through that channel, ensuring the security of the data.
In the figure a single filtering gateway 1 is taken as an example; it is connected to multiple convergence-layer devices, which can be understood as convergence units, such as switches 2. Each switch 2 exchanges data with an access-layer device 3 and one or more terminals 4. This is a preferred network architecture; other networking modes are also possible, such as a mesh topology or a star topology.
When the processing capacity of the filtering gateway 1 is insufficient, the filtering gateway 1 can be expanded or combined with further gateways in a network.
Reader should be understood that in the description of this specification, reference term " one embodiment ", " some embodiments ", " show The description of example ", " specific example " or " some examples " etc. mean to combine the specific features of the embodiment or example description, structure, Material or feature are contained at least one embodiment or example of the present invention.In this manual, above-mentioned term is shown The statement of meaning property need not be directed to identical embodiment or example.Moreover, specific features, structure, material or the feature of description It can be combined in an appropriate manner in any one or more embodiments or example.In addition, in the case of not conflicting, this The technical staff in field can be by the different embodiments or example described in this specification and the spy of different embodiments or example Sign is combined and combined.
It is apparent to those skilled in the art that for convenience of description and succinctly, the dress of foregoing description The specific work process with unit is put, the corresponding process in preceding method embodiment is may be referred to, will not be repeated here.
In several embodiments provided herein, it should be understood that disclosed apparatus and method, it can be passed through Its mode is realized.For example, device embodiment described above is only schematical, for example, the division of unit, is only A kind of division of logic function, can there is an other dividing mode when actually realizing, for example, multiple units or component can combine or Person is desirably integrated into another system, or some features can be ignored, or does not perform.
The unit illustrated as separating component can be or may not be physically separate, be shown as unit Part can be or may not be physical location, you can with positioned at a place, or can also be distributed to multiple networks On unit.Some or all of unit therein can be selected to realize the mesh of scheme of the embodiment of the present invention according to the actual needs 's.
In addition, each functional unit in each embodiment of the present invention can be integrated in a processing unit, can also It is that unit is individually physically present or two or more units are integrated in a unit.It is above-mentioned integrated Unit can both be realized in the form of hardware, can also be realized in the form of SFU software functional unit.
If integrated unit is realized in the form of SFU software functional unit and is used as independent production marketing or in use, can To be stored in a computer read/write memory medium.Based on such understanding, technical scheme substantially or Say that the part to be contributed to prior art, or all or part of the technical scheme can be embodied in the form of software product Out, the computer software product is stored in a storage medium, including some instructions are causing a computer equipment (can be personal computer, server, or network equipment etc.) performs all or part of each embodiment method of the present invention Step.And foregoing storage medium includes:USB flash disk, mobile hard disk, read-only storage (ROM, Read-OnlyMemory), deposit at random Access to memory (RAM, RandomAccessMemory), magnetic disc or CD etc. are various can be with the medium of store program codes.
More than, it is only embodiment of the invention, but protection scope of the present invention is not limited thereto, and it is any to be familiar with Those skilled in the art the invention discloses technical scope in, various equivalent modifications or substitutions can be readily occurred in, These modifications or substitutions should be all included within the scope of the present invention.Therefore, protection scope of the present invention should be wanted with right The protection domain asked is defined.

Claims (10)

1. A secure communication method, characterised in that it comprises the following steps:
a filtering gateway establishes an encrypted communication channel for communication with a convergence unit;
the filtering gateway receives a packet and restores the application-layer data content of the packet;
the filtering gateway processes the application-layer data content according to a preset information filtering rule and filters out packets whose application-layer data content does not comply with the information filtering rule;
the filtering gateway sends the packets that were not filtered out to the convergence unit over the encrypted communication channel.
2. The secure communication method according to claim 1, characterised in that the filtering gateway receiving the packet and restoring the application-layer data content of the packet specifically comprises:
the filtering gateway receives the packet, extracts the destination IP address, destination port, source IP address, source port and transport-layer protocol number from the packet, and calculates the hash value of the packet from the destination IP address, the destination port, the source IP address, the source port and the transport-layer protocol number;
the filtering gateway matches the hash value against the hash values in a preset data table; when an identical hash value is matched, the packet is filtered out; when no identical hash value is matched, the application-layer data content of the packet is restored.
3. The secure communication method according to claim 2, characterised in that, after filtering out packets whose application-layer data content does not comply with the information filtering rule, the method further comprises:
the filtering gateway stores the hash value in the data table;
the filtering gateway monitors the number of matches of hash values in the data table, and when it detects that a hash value has been matched successfully more than a preset number of times within a preset time interval, sends an alert message indicating a suspected network attack to a preset receiving terminal.
4. The secure communication method according to any one of claims 1 to 3, characterised in that processing the application-layer data content according to the preset content filtering rule and filtering out packets whose application-layer data content does not comply with the content filtering rule specifically comprises:
performing keyword detection on the application-layer data content according to the information filtering rule, and when a preset keyword is detected, filtering out the packet whose application-layer data content contains the keyword.
5. The secure communication method according to claim 4, characterised in that, when a preset keyword is detected, filtering out the packet further comprises:
when the preset keyword is detected, recording the keyword;
after detection of the entire application-layer data content is finished, processing all the keywords in turn according to a preset semantic analysis algorithm, extracting the first character immediately preceding each keyword;
judging whether the first character can form a new phrase with the keyword, and if so, extracting the second character immediately following the keyword;
judging whether the keyword can form a new phrase with the second character, and if so, determining the keyword to be a misjudged keyword;
after all the keywords have been processed, removing the misjudged keywords from all the recorded keywords, and taking the keywords remaining after screening as keywords to be filtered;
when the number of keywords to be filtered exceeds a predetermined number, filtering out the packet.
6. A secure communication system, comprising a filtering gateway and a convergence unit, the filtering gateway specifically comprising:
a communication unit, configured to establish an encrypted communication channel with the convergence unit;
a processing unit, configured to receive a packet and restore the application-layer data content of the packet;
a filtering unit, configured to process the application-layer data content according to a preset content filtering rule and filter out the packet whose application-layer data content does not comply with the content filtering rule;
the communication unit being further configured to send the packets that were not filtered out to the convergence unit over the encrypted communication channel.
7. The secure communication system according to claim 6, wherein the processing unit is specifically configured to receive the packet; extract the destination IP address, destination port, source IP address, source port and transport-layer protocol number from the packet; compute a hash value of the packet from the destination IP address, destination port, source IP address, source port and transport-layer protocol number; and match the hash value against the hash values in a preset data table, filtering out the packet when an identical hash value is matched and restoring the application-layer data content of the packet when no identical hash value is matched.
8. The secure communication system according to claim 7, wherein the filtering unit is further configured to store the hash value in the data table and monitor the number of times each hash value in the data table is matched and, when a hash value is detected to have been matched successfully more than a preset number of times within a preset time period, send a prompt message indicating a suspected network attack to a preset receiving terminal.
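The five-tuple hash check of claim 7 and the match-rate alerting of claim 8, as an added example; this is not the patent's own code. The hash function (SHA-256 over the five fields in the order the claim lists them), the dict used as the "preset data table", the per-packet dict representation, the thresholds and the sample traffic are all assumptions. One practitioner caveat the claim does not state: the table below keeps the five-tuple next to its hash and confirms the match on the tuple itself, because a comparison of hash values alone would also accept any other five-tuple whose hash collides with a stored one.

```python
"""Five-tuple hash blocklist with match-rate alerting (claims 7 and 8).

Added example, not the patent's own code. Assumed here: SHA-256 over the
five fields in the order the claim lists them, a dict as the 'preset data
table', a dict-per-packet representation, and constructed sample traffic.
"""
import hashlib
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FiveTuple:
    dst_ip: str
    dst_port: int
    src_ip: str
    src_port: int
    proto: int  # transport-layer protocol number: 6 = TCP, 17 = UDP

    def __post_init__(self):
        # Canonicalise addresses so textual variants of one address
        # ("2001:0db8::1" and "2001:db8::1") hash identically.
        object.__setattr__(self, "dst_ip", str(ipaddress.ip_address(self.dst_ip)))
        object.__setattr__(self, "src_ip", str(ipaddress.ip_address(self.src_ip)))


def flow_hash(t: FiveTuple) -> str:
    """Hash value of the packet computed from the five fields (claim 7)."""
    fields = (t.dst_ip, t.dst_port, t.src_ip, t.src_port, t.proto)
    return hashlib.sha256("|".join(map(str, fields)).encode()).hexdigest()


class HashTable:
    """The preset data table of claim 7 plus the match counters of claim 8."""

    def __init__(self, max_matches: int, window_seconds: float):
        # Hash -> tuple. Keeping the tuple lets is_blocked() confirm the
        # match on the tuple itself instead of trusting the hash alone
        # (a hash-only comparison would also accept a colliding tuple).
        self.entries: dict[str, FiveTuple] = {}
        self.max_matches = max_matches
        self.window = window_seconds
        self.match_times: dict[str, deque] = defaultdict(deque)
        self.alerts: list[str] = []  # prompt messages for the receiving terminal

    def add(self, t: FiveTuple) -> str:
        """Store a hash value in the data table (claim 8)."""
        h = flow_hash(t)
        self.entries[h] = t
        return h

    def is_blocked(self, t: FiveTuple, now: float) -> bool:
        """Return True when the packet's hash matches a stored hash.

        Every successful match is timestamped; once more than max_matches
        matches fall inside the sliding window, a suspected-attack prompt
        is queued (claim 8).
        """
        h = flow_hash(t)
        entry = self.entries.get(h)
        if entry is None or entry != t:
            return False
        times = self.match_times[h]
        times.append(now)
        while times and now - times[0] > self.window:
            times.popleft()
        if len(times) > self.max_matches:
            self.alerts.append(
                f"suspected network attack: hash {h[:12]} matched "
                f"{len(times)} times within {self.window}s")
        return True


def process_packet(table: HashTable, pkt: dict, now: float):
    """Claim 7 decision: ('drop', None) on a hash match, otherwise
    ('inspect', application-layer content) for the content filter."""
    t = FiveTuple(pkt["dst_ip"], pkt["dst_port"], pkt["src_ip"], pkt["src_port"], pkt["proto"])
    if table.is_blocked(t, now):
        return "drop", None
    # Restoring the application-layer content is modelled as decoding the
    # payload; a real gateway would reassemble the stream first (assumption).
    return "inspect", pkt["payload"].decode("utf-8", errors="replace")


def demo() -> dict:
    """Run constructed traffic through the table and return the outcomes."""
    table = HashTable(max_matches=3, window_seconds=10.0)
    table.add(FiveTuple("10.0.0.5", 80, "203.0.113.9", 51000, 6))
    blocked = {"dst_ip": "10.0.0.5", "dst_port": 80, "src_ip": "203.0.113.9",
               "src_port": 51000, "proto": 6, "payload": b"GET / HTTP/1.1"}
    normal = dict(blocked, src_port=51001, payload=b"GET /status HTTP/1.1")
    # Four matches inside the window exceed max_matches=3 on the fourth;
    # the match at t=20 falls outside the window and starts a fresh count.
    decisions = [process_packet(table, blocked, t)[0] for t in (0.0, 1.0, 2.0, 3.0, 20.0)]
    verdict, content = process_packet(table, normal, 4.0)
    return {"blocked": decisions, "normal": (verdict, content), "alerts": table.alerts}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The sliding window is a deque of match timestamps per hash, so the count the claim compares against the preset number is always the number of matches inside the preset time period, not a lifetime total.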
9. The secure communication system according to any one of claims 6 to 8, wherein the filtering unit is specifically configured to perform keyword detection on the application-layer data content according to the content filtering rule and, when a preset keyword is detected, filter out the packet whose application-layer data content contains the keyword.
10. The secure communication system according to claim 9, wherein the filtering unit is specifically configured to record the keyword when a preset keyword is detected; after detection of the entire application-layer data content is complete, process all of the recorded keywords in turn according to a preset semantic analysis algorithm, extracting for each keyword the first character immediately preceding it; judge whether the first character can form a new phrase together with the keyword and, if so, extract the second character immediately following the keyword; judge whether the keyword can form a new phrase together with the second character and, if so, mark the keyword as a misjudged keyword; after all of the keywords have been processed, remove the misjudged keywords from the recorded keywords and take the keywords remaining after screening as the keywords to be filtered; and, when the number of keywords to be filtered exceeds a preset number, filter out the packet.
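The keyword detection of claims 4 and 9 and the misjudged-keyword screening of claims 5 and 10, as one added example covering all four claims; this is not the patent's own code. The claims leave the "preset semantic analysis algorithm" unspecified, so a phrase dictionary is assumed in its place, and the keyword list, threshold and sample contents are constructed. The point worth seeing in working code is the order of the two checks in claim 5: a keyword is discarded as misjudged only when the preceding character forms a phrase with it and, tested second, the following character also does; a hit that passes only the first test stays a keyword to be filtered.

```python
"""Keyword detection with semantic screening of misjudged keywords.

Added example illustrating claims 4, 5, 9 and 10; not the patent's own
code. The keyword list, the phrase dictionary that stands in for the
claim's unspecified 'preset semantic analysis algorithm', the threshold
and the sample content are all constructed assumptions.
"""
from dataclasses import dataclass

# Constructed content filtering rule: the preset keywords to look for.
KEYWORDS = ["病毒", "攻击"]
# Constructed phrase dictionary: a keyword wrapped in a known phrase on
# both sides is treated as an ordinary word, not a filtering hit.
PHRASES = {"防病毒", "病毒库"}


@dataclass
class Hit:
    keyword: str
    pos: int            # offset of the keyword in the content
    misjudged: bool = False


def detect_keywords(content: str, keywords: list[str]) -> list[Hit]:
    """Record every occurrence of every preset keyword (claims 4 and 5)."""
    hits = []
    for kw in keywords:
        start = content.find(kw)
        while start != -1:
            hits.append(Hit(kw, start))
            start = content.find(kw, start + 1)
    return sorted(hits, key=lambda h: h.pos)


def screen_misjudged(content: str, hits: list[Hit], phrases: set[str]) -> list[Hit]:
    """Claim 5's two-step context check, applied after detection is complete.

    A hit is a misjudged keyword only when BOTH the character immediately
    before it forms a phrase with the keyword AND (checked second, as in
    the claim) the character immediately after it forms a phrase with the
    keyword. Either test failing keeps the hit.
    """
    for h in hits:
        first = content[h.pos - 1] if h.pos > 0 else ""
        if not first or first + h.keyword not in phrases:
            continue
        end = h.pos + len(h.keyword)
        second = content[end] if end < len(content) else ""
        if second and h.keyword + second in phrases:
            h.misjudged = True
    return [h for h in hits if not h.misjudged]


def should_filter(content: str, max_allowed: int,
                  keywords=KEYWORDS, phrases=PHRASES):
    """Return (drop, keywords_to_filter) for one packet's content."""
    hits = detect_keywords(content, keywords)
    to_filter = screen_misjudged(content, hits, phrases)
    return len(to_filter) > max_allowed, [h.keyword for h in to_filter]


# Constructed sample application-layer contents.
SAMPLES = {
    # "Please update the antivirus database and restart the gateway":
    # 病毒 sits inside 防病毒 and 病毒库, so it is a misjudged keyword.
    "benign": "请更新防病毒库并重启网关",
    # "Install antivirus software": only the preceding character forms a
    # phrase (防病毒); 病毒软 is not one, so the hit is kept.
    "half": "安装防病毒软件",
    # "An internal host is infected with a virus and is launching attacks":
    # neither keyword is wrapped in a phrase, so both are kept.
    "malicious": "内网主机已感染病毒并向外发起攻击",
}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, should_filter(text, max_allowed=1))
```

With max_allowed set to 0 the function behaves as claim 4 alone (any surviving keyword drops the packet); a larger value gives the thresholded behaviour of claim 5.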

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710708227.5A CN107395619B (en) 2017-08-17 2017-08-17 Secure communication method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710708227.5A CN107395619B (en) 2017-08-17 2017-08-17 Secure communication method and system

Publications (2)

Publication Number Publication Date
CN107395619A true CN107395619A (en) 2017-11-24
CN107395619B CN107395619B (en) 2020-03-17

Family

ID=60353662

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710708227.5A Active CN107395619B (en) 2017-08-17 2017-08-17 Secure communication method and system

Country Status (1)

Country Link
CN (1) CN107395619B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101068229A (en) * 2007-06-08 2007-11-07 北京工业大学 Content filtering gateway realizing method based on network filter
CN101594234A (en) * 2009-07-09 2009-12-02 上海交通大学 Method for controlling Internet encrypted safe communication
CN102208992A (en) * 2010-06-13 2011-10-05 天津海量信息技术有限公司 Internet-facing filtration system of unhealthy information and method thereof
CN106549938A (en) * 2016-10-11 2017-03-29 北京知道未来信息技术有限公司 A kind of distributed network Behavior Manager and access control method
CN106850547A (en) * 2016-12-15 2017-06-13 华北计算技术研究所(中国电子科技集团公司第十五研究所) A kind of data restoration method and system based on http protocol

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111949717A (en) * 2020-08-14 2020-11-17 上海交通大学 Cross-domain information system-oriented real-time on-demand data aggregation method and system
CN111949717B (en) * 2020-08-14 2024-02-06 上海交通大学 Cross-domain information system-oriented real-time on-demand data aggregation method and system

Also Published As

Publication number Publication date
CN107395619B (en) 2020-03-17

Similar Documents

Publication Publication Date Title
CN105429963B (en) Intrusion detection analysis method based on Modbus/Tcp
CN106464577B (en) Network system, control device, communication device and communication control method
CN104539594B (en) Merge DDoS and threaten filtering and SDN frameworks, system and the method for work of routing optimality
CN102271068B (en) Method for detecting DOS/DDOS (denial of service/distributed denial of service) attack
CN104660582B (en) The network architecture of the software definition of DDoS identifications, protection and path optimization
CN103532957B (en) A kind of long-range shell behavioral values device and method of wooden horse
CN104796405B (en) Rebound connecting detection method and apparatus
CN111817982A (en) Encrypted flow identification method for category imbalance
CN104539595B (en) It is a kind of to integrate the SDN frameworks and method of work for threatening processing and routing optimality
CN105187437B (en) A kind of centralized detecting system of SDN network Denial of Service attack
CN107623661A (en) Block system, the method and device of access request, server
CN104283882B (en) A kind of intelligent safety protection method of router
CN101364981A (en) Hybrid intrusion detection method based on Internet protocol version 6
CN104091122A (en) Detection system of malicious data in mobile internet
CN109120602B (en) IPv6 attack tracing method
CN107623691A (en) A kind of ddos attack detecting system and method based on reverse transmittance nerve network algorithm
CN106357641A (en) Method and device for defending interest flooding attacks in information centric network
CN109818970A (en) A kind of data processing method and device
CN106953855A (en) A kind of method of intrusion detection to IEC61850 digital transformer substation GOOSE messages
CN106657689A (en) Method for preventing and controlling international fraud call and apparatus thereof
CN108200067A (en) Big data information network adaptive security guard system based on trust computing
CN106027497A (en) DDoS (Distributed Denial of Service) tracing and source end filtering method oriented to SDN (Software Defined Networking) and based on OpenFlow-DPM
CN112788064B (en) Encryption network abnormal flow detection method based on knowledge graph
CN110324346A (en) A kind of Internet of Things Information Security Management System and method
ITTO20130513A1 (en) SYSTEM AND METHOD FOR FILTERING ELECTRONIC MESSAGES

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant