CN108011873A - Illegal connection determination method based on set covering - Google Patents

Illegal connection determination method based on set covering

Info

Publication number
CN108011873A
Authority
CN
China
Prior art keywords
client
server
terminal
message
legal
Prior art date
Legal status
Granted
Application number
CN201711215980.7A
Other languages
Chinese (zh)
Other versions
CN108011873B (en)
Inventor
许道强
张立东
孙虹
官国飞
葛崇慧
宋庆武
Current Assignee
State Grid Corp of China SGCC
State Grid Jiangsu Electric Power Co Ltd
Jiangsu Fangtian Power Technology Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Jiangsu Electric Power Co Ltd
Jiangsu Fangtian Power Technology Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/162 Implementing security features at a particular protocol layer at the data link layer


Abstract

The invention discloses an illegal connection determination method based on set covering, comprising the following steps. Step 1: a server and multiple clients are established, and each client stores registration information that corresponds one-to-one with that client's information. Step 2: a client sends an authentication request to the server, and the server compares the client's registration information against the legal terminal list. Step 3: a legitimate client receives the legal terminal list; when a legitimate client receives a communication request sent by another client, it identifies the registration information of the client sending the request and judges whether that registration information exists in the legal terminal list. The invention sends the legal terminal list to every legitimate client when the communication environment is established, so the server does not have to perform identification separately again. This determination method is convenient and efficient, shares the identification work out to each client, reduces the server's workload and improves working efficiency.

Description

Illegal connection determination method based on set covering
Technical field
The invention relates to the technical field of data connections, and in particular to an illegal connection determination method based on set covering.
Background technology
At present, illegal connections are the main cause of security risks such as data leakage, especially illegal external connections. An illegal external connection refers to a machine with the client installed accessing an external network without authorization.
Traditional connection legitimacy determination methods mostly rely on the server identifying the identity of each client separately, thereby ensuring the legitimacy of each client's identity. However, when a data connection is made between an illegal device and a client, the server cannot identify the illegal device in time; the illegal device can then steal the information stored on the client and even obtain the data stored on the server through the client, causing information leakage to a certain extent.
The content of the invention
To remedy the deficiencies of the prior art, the object of the invention is to provide an illegal connection determination method based on set covering in which the legal terminal list is sent to every legitimate client, so the server does not have to perform identification separately again. This determination method is convenient and efficient, shares the identification work out to each client, reduces the server's workload and improves working efficiency.
To achieve the above object, the invention adopts the following technical scheme:
An illegal connection determination method based on set covering, comprising:
Step 1: a server and multiple clients are established; each client stores registration information that corresponds one-to-one with that client's information; the server stores a legal terminal list, and the legal terminal list contains the registration information of the multiple clients;
Step 2: a client sends an authentication request to the server, and the server compares the client's registration information against the legal terminal list;
If the comparison succeeds, the server keeps the communication channel with the client established, sends the legal terminal list to the client, and marks the client as a legitimate client;
If the comparison fails, the server marks the client as an illegitimate client and stops communicating with it;
Step 3: legitimate clients form the network trust chain model M-TNC using trusted network connection. The Trusted Network Connect (TNC) technology uses the terminal technology provided by trusted hosts to achieve terminal access control in the network environment; the access control rules of M-TNC examine the trustworthiness of a terminal through the terminal's integrity check;
The M-TNC framework is divided into three classes of entity: the terminal accessor (AP), the rule judge (RJP) and the rule definer (RDP);
The terminal accessor is the terminal access device that requests the server's resources; the rule judge and the rule definer form the terminal security access control system;
The element definitions of M-TNC comprise the following two definitions:
First definition: the resource set R = { r_i | i = 1…N }, the set of resources of the enterprise office network;
Second definition: the resource service domain RS = { R, SDP, AP, ISP }, where R is the resource set provided by the enterprise network, RJP is the absolutely trusted rule judge, and RDP manages the APs of the whole domain and assists the network ISP (Internet Service Provider) in verifying the trustworthiness of M-TNC, while also accepting cross-domain service request messages from the M-TNC of other domains;
The trusted terminal access algorithm comprises the following steps:
Step a: the RDP formulates the corresponding ACL rules according to the trustworthiness of the AP: ACLPolicy ← getACLPolicy();
Step b: the AP requests access: it sends an access request, collects the terminal's trustworthiness assessment value and sends it to the RJP, then waits for the RJP to judge the trustworthiness of the terminal device: APCredibility ← CollectAPCredibility(); CredibilityResult ← SendJudgeRequest();
Step c: the RDP completes the verification of the integrity and authenticity of the MTAM (Mobile Terminal Access Module) and issues a trusted certificate to the terminal device for which the MTAM is responsible: CredibilityCertificate ← InRealityIntegrityCheck();
Step d: the RDP is responsible for defining and distributing the trustworthiness decision rules for the AP and verifies its certificate in order to assess the trustworthiness of the accessing device: CredibilityPolicy ← RDPMakeAndAllocatePolicy(); it authenticates the identity of the MTAM, verifies the validity of the AP's certificate and verifies the trustworthiness of the AP device: VerifyAPValidity();
The access mechanism analysis process comprises: the MTAM registers with the RDP registration service and applies for the trusted assessment certificate issued by the RDP; having obtained this certificate, the MTAM can interact with the ISP, and the ISP completes the trustworthiness assessment of the MTAM by verifying the legitimacy of the trusted assessment certificate. The RDP obtains a trusted certificate signed and issued by the trusted terminal judgement center CMJC; the certificate contains information such as the RDP's public key and the CMJC signature, and the public key is announced to external devices such as terminals through a secure channel. The entity identity certificate format of each terminal is as follows: CertA = { IDA, KPubA, DateA, LFA, EKSCAC { IDA, KPA, DateA, LFA } }, where KPubA is the public key of terminal A, EKSCA is the private key of the CMJC, DateA is the issue date of the certificate and LFA is the validity period of the certificate.
In the aforementioned illegal connection determination method based on set covering, M-TNC uses an access mode of security evaluation first, connection afterwards.
In the aforementioned illegal connection determination method based on set covering, the registration information includes the client's IP address and MAC address.
In the aforementioned illegal connection determination method based on set covering, in Step 2 a client sends an authentication request to the server, and the server compares the client's registration information against the legal terminal list;
If the comparison succeeds, the server keeps the communication channel with the client established, sends the legal terminal list to the client, and marks the client as a legitimate client;
If the comparison fails, the server marks the client as an illegitimate client and stops communicating with it; at the same time, the server sends a warning message to the multiple clients whose registration information is stored in the legal terminal list.
In the aforementioned illegal connection determination method based on set covering,
Step 2: a client sends an authentication request to the server, and the server compares the client's registration information against the legal terminal list;
If the comparison succeeds, the server keeps the communication channel with the client established, sends the legal terminal list to the client, and marks the client as a legitimate client;
If the comparison fails, the server marks the client as an illegitimate client and stops communicating with it; at the same time, the server assigns the illegitimate client label information that allows it to be marked easily, stores the label information in the illegal connection address book, and records the number of times the illegitimate client has accessed; the above label information includes a terminal unique identifier.
In the aforementioned illegal connection determination method based on set covering,
Step 2: a client sends an authentication request to the server, and the server compares the client's registration information against the legal terminal list; the server sends the local security policy to legitimate clients in real time;
If the comparison succeeds, the server keeps the communication channel with the client established, sends the legal terminal list to the client, and marks the client as a legitimate client;
If the comparison fails, the server marks the client as an illegitimate client and stops communicating with it.
In the aforementioned illegal connection determination method based on set covering,
An illegitimate client can send a security identification request to the server; once the server allows the illegitimate client to connect, the label information of the illegitimate client is deleted from the illegal connection address book.
The aforementioned illegal connection determination method based on set covering further comprises Step 4: the server periodically re-identifies the multiple clients corresponding to the legal terminal list.
The beneficial effects of the invention are:
The invention identifies the identity of each client when the communication environment is established and sends the legal terminal list to every legitimate client; when clients communicate with each other, the server does not have to perform identification separately again. This determination method is convenient and efficient, shares the identification work out to each client, reduces the server's workload and improves working efficiency.
Through the illegal connection address book, the invention can collect and organize the illegitimate clients, which makes it convenient for staff to retrieve the data and review the illegitimate clients intuitively, to grasp the access situation of the illegitimate clients, and to identify and follow up on devices that access maliciously.
The server of the invention has a re-identification function: after successful re-identification, the label information of the illegitimate client is deleted from the illegal connection address book, registration information is assigned to the illegitimate client according to its label information, and the registration information of the illegitimate client is stored in the legal terminal list, so that the identity of the illegitimate client becomes legitimate and it can subsequently connect normally with other clients and with the server.
Brief description of the drawings
Fig. 1 is a flow chart of an embodiment of the invention.
Embodiment
The invention is described in detail below with reference to the drawings and specific embodiments.
An illegal connection determination method based on set covering, comprising:
Step 1: a server and multiple clients are established; each client stores registration information that corresponds one-to-one with that client's information; the server stores a legal terminal list, and the legal terminal list contains the registration information of the multiple clients; the registration information includes the client's IP address and MAC address.
Step 2: a client sends an authentication request to the server, and the server compares the client's registration information against the legal terminal list;
If the comparison succeeds, the server keeps the communication channel with the client established, sends the legal terminal list to the client, and marks the client as a legitimate client;
If the comparison fails, the server marks the client as an illegitimate client and stops communicating with it;
Preferred embodiment 1: in Step 2 a client sends an authentication request to the server, and the server compares the client's registration information against the legal terminal list;
If the comparison succeeds, the server keeps the communication channel with the client established, sends the legal terminal list to the client, and marks the client as a legitimate client;
If the comparison fails, the server marks the client as an illegitimate client and stops communicating with it; at the same time, the server assigns the illegitimate client label information that allows it to be marked easily, stores the label information in the illegal connection address book, and records the number of times the illegitimate client has accessed; the above label information includes a terminal unique identifier. Through the label information, the server and the clients can perform identification accurately.
Through the illegal connection address book, the illegitimate clients can be collected and organized, which makes it convenient for staff to retrieve the data and review the illegitimate clients intuitively, to grasp the access situation of the illegitimate clients, and to identify and follow up on devices that access maliciously.
Preferred embodiment 2: in Step 2 a client sends an authentication request to the server, and the server compares the client's registration information against the legal terminal list; the server sends the local security policy to legitimate clients in real time. Through the local security policy, a legitimate client can carry out data processing work such as identification, connection and refusal according to the server's requirements, so that the connection work as a whole proceeds smoothly.
If the comparison succeeds, the server keeps the communication channel with the client established, sends the legal terminal list to the client, and marks the client as a legitimate client;
If the comparison fails, the server marks the client as an illegitimate client and stops communicating with it.
Preferred embodiment 3: in Step 2 a client sends an authentication request to the server, and the server compares the client's registration information against the legal terminal list;
If the comparison succeeds, the server keeps the communication channel with the client established, sends the legal terminal list to the client, and marks the client as a legitimate client;
If the comparison fails, the server marks the client as an illegitimate client and stops communicating with it; at the same time, the server sends a warning message to the multiple clients whose registration information is stored in the legal terminal list.
This design makes it possible to notify the multiple clients whose registration information is stored in the legal terminal list that an illegal connection has occurred, reminding them to protect their information.
Step 3: legitimate clients form the network trust chain model M-TNC using trusted network connection. The Trusted Network Connect (TNC) technology uses the terminal technology provided by trusted hosts to achieve terminal access control in the network environment; the access control rules of M-TNC examine the trustworthiness of a terminal through the terminal's integrity check;
The M-TNC framework is divided into three classes of entity: the terminal accessor (AP), the rule judge (RJP) and the rule definer (RDP);
The terminal accessor is the terminal access device that requests the server's resources; the rule judge and the rule definer form the terminal security access control system;
The element definitions of M-TNC comprise the following two definitions:
First definition: the resource set R = { r_i | i = 1…N }, the set of resources of the enterprise office network;
Second definition: the resource service domain RS = { R, SDP, AP, ISP }, where R is the resource set provided by the enterprise network, RJP is the absolutely trusted rule judge, and RDP manages the APs of the whole domain and assists the network ISP (Internet Service Provider) in verifying the trustworthiness of M-TNC, while also accepting cross-domain service request messages from the M-TNC of other domains;
The trusted terminal access algorithm comprises the following steps:
Step a: the RDP formulates the corresponding ACL rules according to the trustworthiness of the AP: ACLPolicy ← getACLPolicy();
Step b: the AP requests access: it sends an access request, collects the terminal's trustworthiness assessment value and sends it to the RJP, then waits for the RJP to judge the trustworthiness of the terminal device: APCredibility ← CollectAPCredibility(); CredibilityResult ← SendJudgeRequest();
Step c: the RDP completes the verification of the integrity and authenticity of the MTAM (Mobile Terminal Access Module) and issues a trusted certificate to the terminal device for which the MTAM is responsible: CredibilityCertificate ← InRealityIntegrityCheck();
Step d: the RDP is responsible for defining and distributing the trustworthiness decision rules for the AP and verifies its certificate in order to assess the trustworthiness of the accessing device: CredibilityPolicy ← RDPMakeAndAllocatePolicy(); it authenticates the identity of the MTAM, verifies the validity of the AP's certificate and verifies the trustworthiness of the AP device: VerifyAPValidity();
The access mechanism analysis process comprises: the MTAM registers with the RDP registration service and applies for the trusted assessment certificate issued by the RDP; having obtained this certificate, the MTAM can interact with the ISP, and the ISP completes the trustworthiness assessment of the MTAM by verifying the legitimacy of the trusted assessment certificate. The RDP obtains a trusted certificate signed and issued by the trusted terminal judgement center CMJC; the certificate contains information such as the RDP's public key and the CMJC signature, and the public key is announced to external devices such as terminals through a secure channel. The entity identity certificate format of each terminal is as follows: CertA = { IDA, KPubA, DateA, LFA, EKSCAC { IDA, KPA, DateA, LFA } }, where KPubA is the public key of terminal A, EKSCA is the private key of the CMJC, DateA is the issue date of the certificate and LFA is the validity period of the certificate.
In one embodiment, the MTAM establishes a connection with the RDP and applies for the trusted certificate issued by the RDP. Before the connection is established, the MTAM performs an integrity measurement based on the RDP; the MTAM and the RDP negotiate to complete identity authentication between them, and this authentication is mutual. After authentication is completed, the RDP judges the trustworthiness of the MTAM platform. An MTAM that has passed identity authentication and the trustworthiness judgement can obtain the trusted certificate issued to it by the RDP, and within the validity time of the certificate the terminal user can hold the certificate to establish a service connection with the ISP.
The traditional access method is: M-TNC connects first and evaluates security afterwards. The invention differs from the traditional approach in that M-TNC evaluates security first and connects afterwards; this design greatly enhances the security of network access.
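The terminal entity identity certificate CertA = { IDA, KPubA, DateA, LFA, signature over those fields } and the checks a verifier performs on it, as an added example that is not code from the patent or its assignees. It assumes HMAC-SHA256 under a constructed CMJC key as a stand-in for the CMJC private-key signature (so it runs with the standard library only), and all identifiers, key strings and dates are constructed.

```python
"""Issue and verify a CertA-style terminal certificate (added example).

The CMJC private-key signature of the patent is replaced here by an
HMAC-SHA256 tag under a constructed CMJC key; this is an assumption made
so the example runs offline. Every field value below is constructed.
"""
import hashlib
import hmac
import json
from datetime import date, timedelta
from typing import Dict, Tuple

# Constructed stand-in for the CMJC signing key; never leaves the CMJC.
CMJC_KEY = b"constructed-cmjc-signing-key"
FIELDS = ("IDA", "KPubA", "DateA", "LFA")


def _canonical(body: Dict[str, str]) -> bytes:
    # Deterministic encoding so issuer and verifier tag identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(id_a: str, kpub_a: str, date_a: date, lf_days: int) -> Dict[str, str]:
    """CMJC issues CertA: identity, public key, issue date, lifetime, signature."""
    body = {"IDA": id_a, "KPubA": kpub_a, "DateA": date_a.isoformat(), "LFA": str(lf_days)}
    sig = hmac.new(CMJC_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "Sig": sig}


def verify_certificate(cert: Dict[str, str], claimed_id: str, today: date) -> Tuple[bool, str]:
    """What an ISP or RDP checks before trusting terminal A: the signature over
    the four fields, the binding to the presenting terminal, and the validity
    window DateA .. DateA + LFA. The signature is checked first so a tampered
    field is reported as tampering rather than as a date problem."""
    body = {k: cert.get(k, "") for k in FIELDS}
    expected = hmac.new(CMJC_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert.get("Sig", "")):
        return False, "signature mismatch"
    if body["IDA"] != claimed_id:
        return False, "certificate not bound to presenting terminal"
    try:
        issued = date.fromisoformat(body["DateA"])
        lifetime = int(body["LFA"])
    except ValueError:
        return False, "malformed date or lifetime"
    if today < issued:
        return False, "certificate not yet valid"
    if today > issued + timedelta(days=lifetime):
        return False, "certificate expired"
    return True, "ok"


def demo() -> Dict[str, str]:
    """Constructed walkthrough: one certificate checked under several conditions."""
    cert = issue_certificate("terminal-A", "constructed-public-key-A", date(2024, 1, 10), 30)
    tampered = {**cert, "KPubA": "substituted-public-key"}   # KPubA swapped, Sig unchanged
    return {
        "valid": verify_certificate(cert, "terminal-A", date(2024, 1, 20))[1],
        "last_valid_day": verify_certificate(cert, "terminal-A", date(2024, 2, 9))[1],
        "expired": verify_certificate(cert, "terminal-A", date(2024, 3, 1))[1],
        "not_yet": verify_certificate(cert, "terminal-A", date(2024, 1, 1))[1],
        "wrong_terminal": verify_certificate(cert, "terminal-B", date(2024, 1, 20))[1],
        "tampered": verify_certificate(tampered, "terminal-A", date(2024, 1, 20))[1],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```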
In a preferred embodiment, an illegitimate client can send a security identification request to the server; once the server allows the illegitimate client to connect, the label information of the illegitimate client is deleted from the illegal connection address book. In actual work, a server and multiple clients are established, each client stores registration information that corresponds one-to-one with that client's information, and the server stores the legal terminal list containing the registration information of the multiple clients; but there is no guarantee that the number of clients will not grow in subsequent work, and the number of clients grows in two situations:
In one situation a new client is added. Staff then need to store registration information on the newly added client and update the legal terminal list stored on the server, storing the registration information of the new client in the legal terminal list so that the new client can subsequently connect normally;
In the other situation, a device that previously connected to the server and was treated as an illegitimate client may, in subsequent work, be allowed to connect to the server. The server therefore has a re-identification function: after successful re-identification, the label information of the illegitimate client is deleted from the illegal connection address book, registration information is assigned to the illegitimate client according to its label information, and that registration information is stored in the legal terminal list, so that the identity of the illegitimate client becomes legitimate and it can subsequently connect normally with other clients and with the server.
The illegal connection determination method based on set covering further comprises Step 4: the server periodically re-identifies the multiple clients corresponding to the legal terminal list. In actual work, when the number of clients is large the server may make identification mistakes, so the server periodically re-identifies the clients corresponding to the legal terminal list to ensure that each client is a legitimate client and to avoid a client causing information leakage unknowingly during work.
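The Step 1 to Step 4 procedure described above, modelled end to end as an added example (not code from the patent or its assignees): the server compares (IP, MAC) registration information against the legal terminal list, hands the list to each legitimate client, labels and counts illegitimate clients in an address book while warning the listed clients, re-identifies a formerly illegitimate client, and periodically re-checks the list. Class and method names, the tuple encoding of registration information and all sample addresses are constructed; the redistribute step is an assumption about how cached lists stay current.

```python
"""Set-covering legitimacy check (added example; all names and values constructed)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Registration information corresponds one-to-one with a client: (IP address, MAC address).
Registration = Tuple[str, str]


@dataclass(eq=False)
class Client:
    terminal_id: str                     # terminal unique identifier (the label)
    reg: Registration
    legal_list: Optional[FrozenSet[Registration]] = None   # copy handed out by the server
    warnings: List[str] = field(default_factory=list)

    def accept_peer(self, peer_reg: Registration) -> bool:
        """Step 3: a legitimate client vets a peer's registration locally, without
        asking the server again. A client that never authenticated refuses everyone."""
        return self.legal_list is not None and peer_reg in self.legal_list


@dataclass
class Server:
    legal_terminals: Set[Registration]
    illegal_book: Dict[str, int] = field(default_factory=dict)   # label -> access count
    clients: List[Client] = field(default_factory=list)          # currently legitimate clients

    def authenticate(self, client: Client) -> bool:
        """Step 2: compare the client's registration information with the legal terminal
        list. Success hands the client the list and marks it legitimate; failure labels
        it, records it in the illegal connection address book and warns the others."""
        if client.reg in self.legal_terminals:
            client.legal_list = frozenset(self.legal_terminals)
            if client not in self.clients:
                self.clients.append(client)
            return True
        self.illegal_book[client.terminal_id] = self.illegal_book.get(client.terminal_id, 0) + 1
        for c in self.clients:   # warning message to every client on the legal list
            c.warnings.append(f"illegal connection attempt by {client.terminal_id}")
        client.legal_list = None
        return False

    def redistribute(self) -> None:
        """Push the current list to every legitimate client (assumed step). Without it
        their cached copies go stale and a newly admitted peer is still refused."""
        for c in self.clients:
            c.legal_list = frozenset(self.legal_terminals)

    def reidentify(self, client: Client) -> bool:
        """Re-identification: the server admits a previously illegitimate client, deletes
        its label from the address book and stores its registration in the legal list."""
        if client.terminal_id not in self.illegal_book:
            return False
        del self.illegal_book[client.terminal_id]
        self.legal_terminals.add(client.reg)
        self.redistribute()
        return self.authenticate(client)

    def periodic_check(self) -> List[str]:
        """Step 4: periodically re-identify connected clients; any whose registration is
        no longer in the legal terminal list is dropped, and its label is reported."""
        stale = [c for c in self.clients if c.reg not in self.legal_terminals]
        for c in stale:
            c.legal_list = None
            self.clients.remove(c)
        return [c.terminal_id for c in stale]


def run_scenario() -> Dict[str, object]:
    """Constructed walkthrough: two registered clients and one unregistered device."""
    alice = Client("T-A", ("10.0.0.11", "aa:bb:cc:00:00:01"))
    bob = Client("T-B", ("10.0.0.12", "aa:bb:cc:00:00:02"))
    rogue = Client("T-X", ("10.0.0.99", "de:ad:be:ef:00:99"))
    server = Server({alice.reg, bob.reg})
    out: Dict[str, object] = {}
    out["alice_ok"] = server.authenticate(alice)              # True
    out["bob_ok"] = server.authenticate(bob)                  # True
    out["rogue_ok"] = server.authenticate(rogue)              # False: not on the list
    out["rogue_count"] = server.illegal_book["T-X"]           # 1 recorded access
    out["alice_warned"] = len(alice.warnings)                 # 1 warning message
    out["alice_accepts_bob"] = alice.accept_peer(bob.reg)         # True, decided locally
    out["alice_accepts_rogue"] = alice.accept_peer(rogue.reg)     # False, decided locally
    out["rogue_readmitted"] = server.reidentify(rogue)            # True after re-identification
    out["alice_accepts_rogue_now"] = alice.accept_peer(rogue.reg) # True: list refreshed
    out["book_empty"] = not server.illegal_book                # label deleted from the book
    server.legal_terminals.discard(bob.reg)                    # staff retire Bob's registration
    out["dropped"] = server.periodic_check()                   # ["T-B"]
    server.redistribute()
    out["alice_accepts_bob_now"] = alice.accept_peer(bob.reg)     # False after refresh
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```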
The invention identifies the identity of each client when the communication environment is established and sends the legal terminal list to every legitimate client; when clients communicate with each other, the server does not have to perform identification separately again. This determination method is convenient and efficient, shares the identification work out to each client, reduces the server's workload and improves working efficiency.
Through the illegal connection address book, the invention can collect and organize the illegitimate clients, which makes it convenient for staff to retrieve the data and review the illegitimate clients intuitively, to grasp the access situation of the illegitimate clients, and to identify and follow up on devices that access maliciously.
The server of the invention has a re-identification function: after successful re-identification, the label information of the illegitimate client is deleted from the illegal connection address book, registration information is assigned to the illegitimate client according to its label information, and the registration information of the illegitimate client is stored in the legal terminal list, so that the identity of the illegitimate client becomes legitimate and it can subsequently connect normally with other clients and with the server.
The basic principles, main features and advantages of the invention have been shown and described above. Those skilled in the art should understand that the invention is not limited in any way by the above embodiments; all technical solutions obtained by equivalent substitution or equivalent transformation fall within the protection scope of the invention.

Claims (8)

  1. An illegal connection determination method based on set covering, characterized by comprising:
    Step 1: a server and multiple clients are established; each client stores registration information that corresponds one-to-one with that client's information; the server stores a legal terminal list, and the legal terminal list contains the registration information of the multiple clients;
    Step 2: a client sends an authentication request to the server, and the server compares the client's registration information against the legal terminal list;
    If the comparison succeeds, the server keeps the communication channel with the client established, sends the legal terminal list to the client, and marks the client as a legitimate client;
    If the comparison fails, the server marks the client as an illegitimate client and stops communicating with it;
    Step 3: legitimate clients form the network trust chain model M-TNC using trusted network connection. The Trusted Network Connect (TNC) technology uses the terminal technology provided by trusted hosts to achieve terminal access control in the network environment; the access control rules of M-TNC examine the trustworthiness of a terminal through the terminal's integrity check;
    The M-TNC framework is divided into three classes of entity: the terminal accessor (AP), the rule judge (RJP) and the rule definer (RDP);
    The terminal accessor is the terminal access device that requests the server's resources; the rule judge and the rule definer form the terminal security access control system;
    The element definitions of M-TNC comprise the following two definitions:
    First definition: the resource set R = { r_i | i = 1…N }, the set of resources of the enterprise office network;
    Second definition: the resource service domain RS = { R, SDP, AP, ISP }, where R is the resource set provided by the enterprise network, RJP is the absolutely trusted rule judge, and RDP manages the APs of the whole domain and assists the network ISP (Internet Service Provider) in verifying the trustworthiness of M-TNC, while also accepting cross-domain service request messages from the M-TNC of other domains;
    The trusted terminal access algorithm comprises the following steps:
    Step a: the RDP formulates the corresponding ACL rules according to the trustworthiness of the AP: ACLPolicy ← getACLPolicy();
    Step b: the AP requests access: it sends an access request, collects the terminal's trustworthiness assessment value and sends it to the RJP, then waits for the RJP to judge the trustworthiness of the terminal device: APCredibility ← CollectAPCredibility(); CredibilityResult ← SendJudgeRequest();
    Step c: the RDP completes the verification of the integrity and authenticity of the MTAM (Mobile Terminal Access Module) and issues a trusted certificate to the terminal device for which the MTAM is responsible: CredibilityCertificate ← InRealityIntegrityCheck();
    Step d: the RDP is responsible for defining and distributing the trustworthiness decision rules for the AP and verifies its certificate in order to assess the trustworthiness of the accessing device: CredibilityPolicy ← RDPMakeAndAllocatePolicy(); it authenticates the identity of the MTAM, verifies the validity of the AP's certificate and verifies the trustworthiness of the AP device: VerifyAPValidity();
    The access mechanism analysis process comprises: the MTAM registers with the RDP registration service and applies for the trusted assessment certificate issued by the RDP; having obtained this certificate, the MTAM can interact with the ISP, and the ISP completes the trustworthiness assessment of the MTAM by verifying the legitimacy of the trusted assessment certificate. The RDP obtains a trusted certificate signed and issued by the trusted terminal judgement center CMJC; the certificate contains information such as the RDP's public key and the CMJC signature, and the public key is announced to external devices such as terminals through a secure channel. The entity identity certificate format of each terminal is as follows: CertA = { IDA, KPubA, DateA, LFA, EKSCAC { IDA, KPA, DateA, LFA } }, where KPubA is the public key of terminal A, EKSCA is the private key of the CMJC, DateA is the issue date of the certificate and LFA is the validity period of the certificate.
  2. The illegal connection determination method based on set covering according to claim 1, characterised in that the above-mentioned M-TNC uses an access mode in which the security evaluation is performed first and the connection is established afterwards.
  3. The illegal connection determination method based on set covering according to claim 1, characterised in that the above-mentioned registration information includes the IP address and the MAC address of the client.
  4. The illegal connection determination method based on set covering according to claim 1, characterised in that in step two the client sends an authentication request to the server, and the server compares the registration information of the client with the legal terminal list;
    If the comparison succeeds, the server keeps the communication channel with the client open, sends the legal terminal list to the client, and marks the client as a legitimate client;
    If the comparison fails, the server marks the client as an illegitimate client and stops communicating with it, and at the same time sends a warning message to the multiple clients whose registration information is stored in the legal terminal list.
  5. The illegal connection determination method based on set covering according to claim 1, characterised in that in step two the client sends an authentication request to the server, and the server compares the registration information of the client with the legal terminal list;
    If the comparison succeeds, the server keeps the communication channel with the client open, sends the legal terminal list to the client, and marks the client as a legitimate client;
    If the comparison fails, the server marks the client as an illegitimate client and stops communicating with it; at the same time the server attaches to the illegitimate client label information that makes it easy to mark that client, stores the label information in the illegal connection address book, and records the number of times the illegitimate client has accessed; the above-mentioned label information includes the terminal unique identifier.
  6. The illegal connection determination method based on set covering according to claim 1, characterised in that in step two the client sends an authentication request to the server, the server compares the registration information of the client with the legal terminal list, and the server sends the local security policy to legitimate clients in real time;
    If the comparison succeeds, the server keeps the communication channel with the client open, sends the legal terminal list to the client, and marks the client as a legitimate client;
    If the comparison fails, the server marks the client as an illegitimate client and stops communicating with it.
  7. The illegal connection determination method based on set covering according to claim 1, characterised in that an illegitimate client can send a security identification request to the server, and after the server allows the illegitimate client to connect, the label information of the illegitimate client is deleted from the illegal connection address book.
  8. The illegal connection determination method based on set covering according to claim 1, characterised in that it further comprises: step four, the server periodically re-identifies the corresponding multiple clients in the legal terminal list.
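The following Python model is an added illustration of the server-side procedure of claims 4 to 8 and is not code from the patent or its assignees. It compares a client's registration information (IP address and MAC address, claim 3) with the legal terminal list, marks the client legitimate or illegitimate, sends the list and the local security policy to legitimate clients, warns the registered clients about a failed comparison, keeps the illegal connection address book keyed by the terminal unique identifier with an access count, clears the label after an approved security identification request, and periodically re-checks the clients that were marked legitimate. The class and message names, the sample addresses, the `approved` flag standing in for the server's admission decision, and the assumption that admission also registers the terminal are all constructed for this example; the patent does not specify them.

```python
"""Added illustration of the server-side checks in claims 4 to 8 (not the patent's own code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Terminal = Tuple[str, str]   # (IP address, MAC address): the registration information of claim 3


@dataclass(frozen=True)
class AuthRequest:
    """Authentication request of step two; uid is the terminal unique identifier used as label (claim 5)."""
    ip: str
    mac: str
    uid: str

    @property
    def terminal(self) -> Terminal:
        return (self.ip, self.mac)


@dataclass
class Server:
    legal_terminals: Set[Terminal]                                    # the legal terminal list
    local_policy: str = "deny-all-except-registered"                  # constructed stand-in for the local security policy (claim 6)
    legitimate: Set[Terminal] = field(default_factory=set)            # clients currently marked legitimate
    illegal_book: Dict[str, int] = field(default_factory=dict)        # illegal connection address book: label -> access count
    outbox: List[Tuple[Terminal, str]] = field(default_factory=list)  # (recipient, message): stand-in for the channel

    def _send(self, to: Terminal, message: str) -> None:
        self.outbox.append((to, message))

    def authenticate(self, req: AuthRequest) -> str:
        """Compare the registration information with the legal terminal list (claims 4, 5 and 6)."""
        if req.terminal in self.legal_terminals:
            # comparison succeeded: keep the channel, send the list and the policy, mark legitimate
            self.legitimate.add(req.terminal)
            listing = ";".join(sorted(f"{ip}/{mac}" for ip, mac in self.legal_terminals))
            self._send(req.terminal, "LEGAL_TERMINAL_LIST:" + listing)
            self._send(req.terminal, "LOCAL_SECURITY_POLICY:" + self.local_policy)
            return "legitimate"
        # comparison failed: stop communicating, record the label with its access count, warn registered clients
        self.legitimate.discard(req.terminal)
        self.illegal_book[req.uid] = self.illegal_book.get(req.uid, 0) + 1
        for legal in self.legal_terminals:
            self._send(legal, f"WARNING: illegitimate connection attempt from {req.ip}/{req.mac} (label {req.uid})")
        return "illegitimate"

    def security_identification(self, req: AuthRequest, approved: bool) -> bool:
        """Claim 7: an illegitimate client asks to be admitted. 'approved' stands in for the server's
        decision (the claim does not say how it is made); admission deletes the label from the book."""
        if req.uid not in self.illegal_book or not approved:
            return False
        del self.illegal_book[req.uid]
        self.legal_terminals.add(req.terminal)   # assumption: admission registers the terminal as legal
        return True

    def periodic_recheck(self) -> List[Terminal]:
        """Claim 8: periodically re-identify the clients marked legitimate against the legal terminal list;
        returns the terminals whose mark was withdrawn because they are no longer registered."""
        revoked = sorted(t for t in self.legitimate if t not in self.legal_terminals)
        for t in revoked:
            self.legitimate.discard(t)
        return revoked


def build_demo_server() -> Server:
    """Constructed sample legal terminal list with two registered terminals."""
    return Server(legal_terminals={("10.0.0.5", "aa:bb:cc:dd:ee:01"),
                                   ("10.0.0.6", "aa:bb:cc:dd:ee:02")})


if __name__ == "__main__":
    s = build_demo_server()
    good = AuthRequest("10.0.0.5", "aa:bb:cc:dd:ee:01", "T-001")
    spoof = AuthRequest("10.0.0.5", "aa:bb:cc:dd:ee:99", "T-999")   # registered IP but wrong MAC: both must match
    print(s.authenticate(good), s.authenticate(spoof), s.authenticate(spoof))
    print("address book:", s.illegal_book)
    print("admitted:", s.security_identification(spoof, approved=True), "book now:", s.illegal_book)
```

Because the comparison is on the (IP, MAC) pair, a request with a registered IP address but a different MAC address is treated as illegitimate and counted under its own label; the warning goes to every terminal on the legal list, not only to the one whose address was reused.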
CN201711215980.7A 2017-11-28 2017-11-28 Illegal connection judgment method based on set coverage Active CN108011873B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711215980.7A CN108011873B (en) 2017-11-28 2017-11-28 Illegal connection judgment method based on set coverage

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711215980.7A CN108011873B (en) 2017-11-28 2017-11-28 Illegal connection judgment method based on set coverage

Publications (2)

Publication Number Publication Date
CN108011873A true CN108011873A (en) 2018-05-08
CN108011873B CN108011873B (en) 2020-09-04

Family

ID=62054236

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711215980.7A Active CN108011873B (en) 2017-11-28 2017-11-28 Illegal connection judgment method based on set coverage

Country Status (1)

Country Link
CN (1) CN108011873B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004032421A1 (en) * 2002-10-01 2004-04-15 Huawei Technologies Co., Ltd. A method for adding devices to management system
CN102035837A (en) * 2010-12-07 2011-04-27 中国科学院软件研究所 Method and system for hierarchically connecting trusted networks
CN106992988A (en) * 2017-05-11 2017-07-28 浙江工商大学 A kind of cross-domain anonymous resource sharing platform and its implementation

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109067932A (en) * 2018-07-24 2018-12-21 广州贯行电能技术有限公司 A kind of data collection station data transmission method and data service end without fixed IP
CN110401669A (en) * 2019-07-31 2019-11-01 广州华多网络科技有限公司 A kind of proof of identity method and relevant device
CN110401669B (en) * 2019-07-31 2021-06-11 广州方硅信息技术有限公司 Identity verification method and related equipment
CN111131255A (en) * 2019-12-25 2020-05-08 中国联合网络通信集团有限公司 Network private connection identification method and device
CN111131255B (en) * 2019-12-25 2022-03-15 中国联合网络通信集团有限公司 Network private connection identification method and device
CN112243041A (en) * 2020-12-21 2021-01-19 成都雨云科技有限公司 Cross-domain connection system and method for remote desktop access protocol
CN113411190A (en) * 2021-08-20 2021-09-17 北京数业专攻科技有限公司 Key deployment, data communication, key exchange and security reinforcement method and system

Also Published As

Publication number Publication date
CN108011873B (en) 2020-09-04

Similar Documents

Publication Publication Date Title
CN108011873A (en) A kind of illegal connection determination methods based on set covering
CN111541656A (en) Identity authentication method and system based on converged media cloud platform
EP2770662A1 (en) Centralized security management method and system for third party application and corresponding communication system
CN108512862A (en) Internet-of-things terminal safety certification control platform based on no certificates identified authentication techniques
CN101741860B (en) Computer remote security control method
CN107846447A (en) A kind of method of the home terminal access message-oriented middleware based on MQTT agreements
US20100138907A1 (en) Method and system for generating digital certificates and certificate signing requests
US8274401B2 (en) Secure data transfer in a communication system including portable meters
CN104378210A (en) Cross-trust-domain identity authentication method
CN103067337B (en) Identity federation method, identity federation intrusion detection & prevention system (IdP), identity federation service provider (SP) and identity federation system
CN103391539B (en) The account-opening method of internet protocol multi-media sub-system IMS, Apparatus and system
US10862890B2 (en) Method and system related to authentication of users for accessing data networks
CN108040044B (en) A kind of management method and system for realizing eSIM card security authentication
CN107113613B (en) Server, mobile terminal, network real-name authentication system and method
CN107786515B (en) Certificate authentication method and equipment
CN100561919C (en) A kind of broadband access user authentication method
CN109347875A (en) Internet of things equipment, platform of internet of things and the method and system for accessing platform of internet of things
US20070234054A1 (en) System and method of network equipment remote access authentication in a communications network
CN104869111B (en) A kind of trusted end-user access authentication system and method
US9332432B2 (en) Methods and system for device authentication
CN108259406A (en) Examine the method and system of SSL certificate
CN105681030A (en) Key management system, method and device
JP2001186122A (en) Authentication system and authentication method
CN106559785A (en) Authentication method, equipment and system and access device and terminal
CN108834146A (en) A kind of Bidirectional identity authentication method between terminal and authentication gateway

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant