CN109246002A - A kind of depth security gateway and network element device - Google Patents


Info

Publication number
CN109246002A
Authority
CN
China
Prior art keywords
network element
user
network
instruction
business
Prior art date
Legal status
Granted
Application number
CN201811091164.4A
Other languages
Chinese (zh)
Other versions
CN109246002B (en
Inventor
段彬
Current Assignee
Wuhan Sipuleng Technology Co Ltd
Original Assignee
Wuhan Sipuleng Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Wuhan Sipuleng Technology Co Ltd
Priority to CN201811091164.4A
Publication of CN109246002A
Application granted
Publication of CN109246002B
Legal status: Active
Anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/66: Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L47/00: Traffic control in data switching networks
    • H04L47/10: Flow control; Congestion control
    • H04L47/24: Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2483: Traffic characterised by specific attributes, e.g. priority or QoS, involving identification of individual flows
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources

Abstract

The invention discloses a deep security gateway and a network element device. Through deep recognition and pipeline flow control, the deep security gateway identifies the behaviour that corresponds to a user's traffic and the application program in use, which helps an enterprise manage its employees' internet behaviour effectively. Furthermore, through an effective connection between the network element device and the deep security gateway, the network element device can autonomously deploy security detection and so achieve more flexible security prevention and control.

Description

Deep security gateway and network element device
Technical field
This application relates to the technical field of network information security, and in particular to a deep security gateway and a network element device.
Background technique
Existing gateways can only parse user traffic and limit its rate; they cannot determine from traffic analysis what network behaviour the traffic corresponds to or which application program is in use, so they cannot effectively supervise whether enterprise staff are doing work-related things. Moreover, an existing gateway cannot establish an effective connection with network element devices, so the existing network element devices cannot properly assist the gateway in managing user traffic.
Summary of the invention
The purpose of the present invention is to provide a deep security gateway and a network element device. Through deep recognition and pipeline flow control, the gateway identifies the behaviour corresponding to a user's traffic and the application program in use, helping an enterprise manage its employees' internet behaviour effectively. Furthermore, through an effective connection between the network element device and the gateway, autonomous deployment by the network element device achieves more flexible security prevention and control.
In a first aspect, the application provides a deep security gateway, the gateway comprising:
A receiving module, for receiving data packets sent by external network element devices and for receiving instructions sent by the network security platform;
A deep recognition module, for parsing the data packets sent by external network element devices, extracting from them one or more of a carried user identifier, application identifier or key field, and judging the behaviour or application program corresponding to the data packet;
A pipeline flow control module, for parsing the data packets sent by external network element devices, extracting from them the carried network information, establishing a model, associating the model with the identity of a business or user, and judging whether the business or user is a core business or core user;
A control module, for controlling user traffic according to the judgement results of the deep recognition module and the pipeline flow control module, and for generating a control instruction for the network element device directly connected to the user;
A sending module, for sending the control instruction to the corresponding network element device and for sending the judgement results to the network security platform.
With reference to the first aspect, in a first possible implementation of the first aspect, judging the behaviour or application program corresponding to the data packet comprises: determining the user's identity from the user identifier, determining the application program from the application identifier, and determining the behaviour corresponding to the real-time traffic on the basis of the correspondence between application behaviours and key fields.
With reference to the first aspect, in a second possible implementation of the first aspect, judging whether the business or user is a core business or core user comprises: matching the current traffic of a specific business or user against the model, and judging from the matching result whether the specific business or user lies within the reference range of the model;
If the judgement is yes, the specific business or user is deemed a core business or core user;
If the judgement is no, the specific business or user is deemed an ordinary business or user.
With reference to the first aspect, in a third possible implementation of the first aspect, generating the control instruction for the network element device directly connected to the user comprises:
If it is determined that the behaviour or application program corresponding to the data packet is unrelated to work, generating a control instruction that instructs the network element device directly connected to the user to limit the corresponding data packet flow;
If it is determined that the business or user is a core business or core user, generating a control instruction that instructs the network element device directly connected to the user to guarantee that user's traffic demand preferentially.
In a second aspect, the application provides a network element device connected to the deep security gateway of the first aspect, the network element device comprising:
A receiving module, for receiving instructions from the deep security gateway and for receiving data packets passed on by neighbouring network elements;
A processing module, for obtaining, according to the instructions of the deep security gateway, the load and network state of the local and neighbouring network elements, and for automatically deploying and extending the security service resources of the network elements;
A control module, for controlling the user's traffic according to the instructions of the deep security gateway;
A sending module, for sending the automatic deployment instruction to neighbouring network elements and for uploading the deployment result to the network security platform.
In conjunction with the second aspect, in a first possible implementation of the second aspect, automatically deploying and extending the security service resources of the network elements comprises: according to the load and network state of the local and neighbouring network elements, deploying security detection on the neighbouring network element with the lightest load or the best network state.
In conjunction with the second aspect, in a second possible implementation of the second aspect, when security detection is deployed on another neighbouring network element, the local network element obtains the flow control result of that neighbouring network element and uploads it to the network security platform together with the local network element's own deployment result.
The present invention provides a deep security gateway and a network element device. Through deep recognition and pipeline flow control, the deep security gateway identifies the behaviour corresponding to a user's traffic and the application program in use, helping an enterprise manage its employees' internet behaviour effectively. Furthermore, through an effective connection between the network element device and the deep security gateway, the network element device can autonomously deploy security detection and so achieve more flexible security prevention and control.
Detailed description of the invention
In order to describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below. Evidently, a person of ordinary skill in the art could obtain other drawings from these drawings without creative effort.
Fig. 1 is a block diagram of an embodiment of the deep security gateway of the present invention;
Fig. 2 is a block diagram of an embodiment of the network element device of the present invention;
Fig. 3 is a block diagram of an embodiment of a system composed of the deep security gateway and the network element device of the present invention.
Specific embodiment
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings, so that the advantages and features of the invention can be understood more easily by those skilled in the art and the protection scope of the invention can be defined more clearly.
Fig. 1 is a block diagram of an embodiment of the deep security gateway provided by the invention; the gateway comprises:
A receiving module 101, for receiving data packets sent by external network element devices and for receiving instructions sent by the network security platform;
A deep recognition module 102, for parsing the data packets sent by external network element devices, extracting from them one or more of a carried user identifier, application identifier or key field, and judging the behaviour or application program corresponding to the data packet;
A pipeline flow control module 103, for parsing the data packets sent by external network element devices, extracting from them the carried network information, establishing a model, associating the model with the identity of a business or user, and judging whether the business or user is a core business or core user;
A control module 104, for controlling user traffic according to the judgement results of the deep recognition module and the pipeline flow control module, and for generating a control instruction for the network element device directly connected to the user;
A sending module 105, for sending the control instruction to the corresponding network element device and for sending the judgement results to the network security platform.
In some preferred embodiments, judging the behaviour or application program corresponding to the data packet comprises: determining the user's identity from the user identifier, determining the application program from the application identifier, and determining the behaviour corresponding to the real-time traffic on the basis of the correspondence between application behaviours and key fields.
In some preferred embodiments, judging whether the business or user is a core business or core user comprises: matching the current traffic of a specific business or user against the model, and judging from the matching result whether the specific business or user lies within the reference range of the model;
If the judgement is yes, the specific business or user is deemed a core business or core user;
If the judgement is no, the specific business or user is deemed an ordinary business or user.
In some preferred embodiments, generating the control instruction for the network element device directly connected to the user comprises:
If it is determined that the behaviour or application program corresponding to the data packet is unrelated to work, generating a control instruction that instructs the network element device directly connected to the user to limit the corresponding data packet flow;
If it is determined that the business or user is a core business or core user, generating a control instruction that instructs the network element device directly connected to the user to guarantee that user's traffic demand preferentially.
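As an added illustration (not code from the patent or from its assignee), the following Python sketch walks constructed data packets through the three judgement stages described above: the deep recognition stage maps the user identifier, application identifier and key field to a behaviour; the pipeline flow control stage checks the user's current traffic against a reference range built from that user's history; and the control stage turns both judgements into the instruction the sending module forwards to the network element directly connected to the user. The identifier tables, the reference-range model (mean plus or minus two standard deviations of the history), the instruction names and every sample value are assumptions; the patent states only that such tables and a model exist.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed identifier tables (assumed; the patent says only that identifiers
# are carried in the packet and resolved by the gateway).
USERS = {"u1001": "alice (finance)", "u1002": "bob (marketing)"}
APPS = {"app-erp": "ERP client", "app-video": "video streaming", "app-chat": "instant messaging"}
# Correspondence between (application, key field) and behaviour, plus whether
# that behaviour counts as work related (claim 2). Constructed sample entries.
BEHAVIOURS = {
    ("app-erp", "POST /invoice"): ("submit invoice", True),
    ("app-video", "GET /stream"): ("watch video", False),
    ("app-chat", "MSG"): ("chat", False),
}
# Which network element each user is directly connected to (constructed).
NE_OF_USER = {"u1001": "ne-A", "u1002": "ne-B"}


@dataclass(frozen=True)
class Packet:
    """Fields the deep recognition module extracts from a parsed packet."""
    user_id: str
    app_id: str
    key_field: str
    nbytes: int  # current flow volume of this user, used by pipeline flow control


def deep_recognition(pkt: Packet) -> dict:
    """Deep recognition module: resolve user, application and behaviour."""
    user = USERS.get(pkt.user_id, "unknown user")
    app = APPS.get(pkt.app_id, "unknown application")
    behaviour, work_related = BEHAVIOURS.get((pkt.app_id, pkt.key_field), ("unknown", False))
    return {"user": user, "app": app, "behaviour": behaviour, "work_related": work_related}


class TrafficModel:
    """Pipeline flow control model for one user or business.

    The reference range is assumed here to be mean +/- k standard deviations of
    the user's historical flow volumes; the patent does not fix the model type.
    """

    def __init__(self, history: list, k: float = 2.0):
        mu, sigma = mean(history), pstdev(history)
        self.low, self.high = mu - k * sigma, mu + k * sigma

    def in_reference_range(self, current: float) -> bool:
        return self.low <= current <= self.high


def pipeline_flow_control(pkt: Packet, models: dict) -> bool:
    """Match the user's current flow against its model; inside the range => core."""
    model = models.get(pkt.user_id)
    return model is not None and model.in_reference_range(pkt.nbytes)


def control_module(recognition: dict, is_core: bool) -> list:
    """Turn the two judgements into instructions for the user's network element.

    The patent states the two rules independently, so both can fire at once;
    how a real gateway orders them is not specified on the page.
    """
    instructions = []
    if not recognition["work_related"]:
        instructions.append("LIMIT")       # rate-limit this packet flow
    if is_core:
        instructions.append("PRIORITIZE")  # guarantee this user's demand first
    return instructions or ["ALLOW"]


def gateway_decide(pkt: Packet, models: dict) -> dict:
    """Run one packet through recognition, flow control and control modules.

    The returned record is what the sending module would forward: the control
    instruction to the directly connected NE, and the judgement to the platform.
    """
    rec = deep_recognition(pkt)
    core = pipeline_flow_control(pkt, models)
    return {
        "ne": NE_OF_USER.get(pkt.user_id, "unknown-ne"),
        "instructions": control_module(rec, core),
        "judgement": {**rec, "core": core},
    }


# Constructed per-user history and a few sample packets.
SAMPLE_MODELS = {
    "u1001": TrafficModel([1000, 1100, 900, 1050]),
    "u1002": TrafficModel([300, 320, 280, 310]),
}
SAMPLE_PACKETS = [
    Packet("u1001", "app-erp", "POST /invoice", 1000),  # work related, typical volume
    Packet("u1002", "app-video", "GET /stream", 5000),  # not work related, far above range
    Packet("u1002", "app-chat", "MSG", 300),            # not work related, typical volume
]


def run_sample() -> list:
    return [gateway_decide(p, SAMPLE_MODELS) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The third sample packet shows the practical gap a deployer has to close: the page's two rules are independent, so a non-work flow from a user whose volume sits inside the model's reference range receives both a limit and a priority instruction, and the gateway needs an explicit precedence before the instruction reaches the network element.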
Fig. 2 is a block diagram of an embodiment of the network element device provided by the invention; the network element device comprises:
A receiving module 201, for receiving instructions from the deep security gateway and for receiving data packets passed on by neighbouring network elements;
A processing module 202, for obtaining, according to the instructions of the deep security gateway, the load and network state of the local and neighbouring network elements, and for automatically deploying and extending the security service resources of the network elements;
A control module 203, for controlling the user's traffic according to the instructions of the deep security gateway;
A sending module 204, for sending the automatic deployment instruction to neighbouring network elements and for uploading the deployment result to the network security platform.
In some preferred embodiments, automatically deploying and extending the security service resources of the network elements comprises: according to the load and network state of the local and neighbouring network elements, deploying security detection on the neighbouring network element with the lightest load or the best network state.
In some preferred embodiments, when security detection is deployed on another neighbouring network element, the local network element obtains the flow control result of that neighbouring network element and uploads it to the network security platform together with the local network element's own deployment result.
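The following Python sketch, added here and not taken from the patent, models the network element side of the two preferred embodiments above: on a deployment instruction from the gateway, the processing module compares the load and network state of the local and neighbouring elements, places security detection on the lightest-loaded one (ties broken by the best network state), and, when that element is a neighbour, the local element collects the neighbour's flow control result and uploads it together with its own deployment result. The control module is also shown applying the gateway's instructions to a per-user traffic policy. The state fields, the lexicographic ordering rule, the instruction formats and all values are assumptions; the page only says "lightest load or best network state".

```python
from dataclasses import dataclass, field


@dataclass
class NEState:
    """Load and network-state snapshot of one network element (constructed fields)."""
    name: str
    load: float                # fraction of capacity in use, 0.0 to 1.0
    latency_ms: float          # stand-in for "network state": lower is better
    deployed: list = field(default_factory=list)      # security detections running here
    flow_control_result: dict = field(default_factory=dict)
    user_policy: dict = field(default_factory=dict)   # per-user traffic policy


def choose_deployment_target(local: NEState, neighbours: list) -> NEState:
    """Pick the element with the lightest load; on a tie, the best network state.

    Lexicographic (load, latency) ordering is an assumption made for this example.
    """
    return min([local, *neighbours], key=lambda ne: (ne.load, ne.latency_ms))


def apply_user_control(local: NEState, user_id: str, instructions: list) -> dict:
    """Control module: translate gateway instructions into a per-user policy."""
    policy = local.user_policy.setdefault(user_id, {"rate_limit_kbps": None, "priority": "normal"})
    if "LIMIT" in instructions:
        policy["rate_limit_kbps"] = 256        # constructed limit value
    if "PRIORITIZE" in instructions:
        policy["priority"] = "high"
    if instructions == ["ALLOW"]:
        policy.update({"rate_limit_kbps": None, "priority": "normal"})
    return policy


def process_instruction(instruction: dict, local: NEState, neighbours: list) -> dict:
    """Processing and sending modules for one instruction from the gateway.

    Returns the record the sending module uploads to the network security platform.
    """
    kind = instruction.get("action")
    if kind == "CONTROL_USER":
        policy = apply_user_control(local, instruction["user_id"], instruction["instructions"])
        return {"ne": local.name, "user_policy": {instruction["user_id"]: policy}}

    if kind != "DEPLOY_DETECTION":
        return {"ne": local.name, "error": f"unknown instruction {kind!r}"}

    target = choose_deployment_target(local, neighbours)
    target.deployed.append(instruction["detection"])
    target.flow_control_result = {"detection": instruction["detection"], "status": "active"}
    upload = {
        "ne": local.name,
        "deployed_on": target.name,
        "results": {local.name: dict(local.flow_control_result)},
    }
    if target is not local:
        # Sending module forwards the deployment instruction to the neighbour;
        # the local element collects that neighbour's result for the joint upload.
        upload["forwarded_to"] = target.name
        upload["results"][target.name] = dict(target.flow_control_result)
    return upload


def run_sample() -> dict:
    """Constructed topology: local ne-A is busier than its neighbours ne-B and ne-C."""
    local = NEState("ne-A", load=0.7, latency_ms=12.0)
    neighbours = [NEState("ne-B", load=0.3, latency_ms=20.0),
                  NEState("ne-C", load=0.3, latency_ms=8.0)]
    deploy = process_instruction(
        {"action": "DEPLOY_DETECTION", "detection": "ids-http"}, local, neighbours)
    control = process_instruction(
        {"action": "CONTROL_USER", "user_id": "u1002", "instructions": ["LIMIT"]}, local, neighbours)
    return {"deploy": deploy, "control": control, "local": local, "neighbours": neighbours}


if __name__ == "__main__":
    print(run_sample()["deploy"])
```

With the constructed topology, ne-B and ne-C tie on load and ne-C wins on network state, so the upload record names ne-A as the reporting element, ne-C as the deployment target, and carries both elements' results, which is the joint-upload behaviour the second embodiment describes.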
Fig. 3 is a block diagram of an embodiment of a system composed of the deep security gateway and the network element device provided by the invention; the system comprises the deep security gateway described in the first aspect and the network element device described in the second aspect.
In specific implementations, the present invention also provides a computer storage medium, which may store a program that, when executed, may include some or all of the steps of each embodiment of the user access compliance analysis method provided by the invention. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.
Those skilled in the art will clearly understand that the technology in the embodiments of the present invention can be realised by software together with a general hardware platform. On the basis of this understanding, the technical solution in the embodiments of the invention, in essence or in the part that contributes to the existing technology, can be embodied in the form of a software product, which may be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments of the invention or in certain parts of the embodiments.
The same or similar parts of the embodiments in this specification may be referred to each other. Since the device embodiments are substantially similar to the method embodiments, they are described relatively simply, and the relevant points can be found in the explanation of the method embodiments.
The embodiments of the invention described above are not intended to limit the scope of the present invention.

Claims (7)

1. A deep security gateway, the gateway comprising:
A receiving module, for receiving data packets sent by external network element devices and for receiving instructions sent by the network security platform;
A deep recognition module, for parsing the data packets sent by external network element devices, extracting from them one or more of a carried user identifier, application identifier or key field, and judging the behaviour or application program corresponding to the data packet;
A pipeline flow control module, for parsing the data packets sent by external network element devices, extracting from them the carried network information, establishing a model, associating the model with the identity of a business or user, and judging whether the business or user is a core business or core user;
A control module, for controlling user traffic according to the judgement results of the deep recognition module and the pipeline flow control module, and for generating a control instruction for the network element device directly connected to the user;
A sending module, for sending the control instruction to the corresponding network element device and for sending the judgement results to the network security platform.
2. The gateway according to claim 1, wherein judging the behaviour or application program corresponding to the data packet comprises:
determining the user's identity from the user identifier, determining the application program from the application identifier, and determining the behaviour corresponding to the real-time traffic on the basis of the correspondence between application behaviours and key fields.
3. The gateway according to claim 1, wherein judging whether the business or user is a core business or core user comprises: matching the current traffic of a specific business or user against the model, and judging from the matching result whether the specific business or user lies within the reference range of the model;
If the judgement is yes, the specific business or user is deemed a core business or core user;
If the judgement is no, the specific business or user is deemed an ordinary business or user.
4. The gateway according to claim 1, wherein generating the control instruction for the network element device directly connected to the user comprises:
If it is determined that the behaviour or application program corresponding to the data packet is unrelated to work, generating a control instruction that instructs the network element device directly connected to the user to limit the corresponding data packet flow;
If it is determined that the business or user is a core business or core user, generating a control instruction that instructs the network element device directly connected to the user to guarantee that user's traffic demand preferentially.
5. A network element device connected to the deep security gateway according to any one of claims 1 to 4, the network element device comprising:
A receiving module, for receiving instructions from the deep security gateway and for receiving data packets passed on by neighbouring network elements;
A processing module, for obtaining, according to the instructions of the deep security gateway, the load and network state of the local and neighbouring network elements, and for automatically deploying and extending the security service resources of the network elements;
A control module, for controlling the user's traffic according to the instructions of the deep security gateway;
A sending module, for sending the automatic deployment instruction to neighbouring network elements and for uploading the deployment result to the network security platform.
6. The network element device according to claim 4, wherein automatically deploying and extending the security service resources of the network elements comprises: according to the load and network state of the local and neighbouring network elements, deploying security detection on the neighbouring network element with the lightest load or the best network state.
7. The network element device according to claim 5, wherein, when security detection is deployed on another neighbouring network element, the local network element obtains the flow control result of that neighbouring network element and uploads it to the network security platform together with the local network element's own deployment result.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811091164.4A CN109246002B (en) 2018-09-17 2018-09-17 Deep security gateway and network element equipment

Publications (2)

Publication Number Publication Date
CN109246002A true CN109246002A (en) 2019-01-18
CN109246002B CN109246002B (en) 2020-10-30

Family

ID=65058235

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811091164.4A Active CN109246002B (en) 2018-09-17 2018-09-17 Deep security gateway and network element equipment

Country Status (1)

Country Link
CN (1) CN109246002B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110138804A (en) * 2019-06-03 2019-08-16 武汉思普崚技术有限公司 A kind of method and system of network security certification

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101197836A (en) * 2007-12-20 2008-06-11 华为技术有限公司 Data communication control method and data communication control device
CN103716804A (en) * 2012-09-28 2014-04-09 北京亿赞普网络技术有限公司 Wireless data communication network user network behavior analyzing method, device and system
CN105284150A (en) * 2013-11-15 2016-01-27 华为技术有限公司 Service offloading method, control network element, gateway router, and user plane entity
US20160119382A1 (en) * 2006-10-17 2016-04-28 A10 Networks, Inc. Applying Security Policy to an Application Session
CN105824884A (en) * 2016-03-10 2016-08-03 海信集团有限公司 User internet surfing information processing method and device
CN106850549A (en) * 2016-12-16 2017-06-13 北京江南博仁科技有限公司 A kind of distributed cryptographic services gateway and implementation method
CN107070885A (en) * 2017-03-06 2017-08-18 北京安博通科技股份有限公司 Information processing method, apparatus and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
郑磊 (Zheng Lei): "Design and implementation of a network traffic management and control system", Master's thesis, University of Chinese Academy of Sciences *

Also Published As

Publication number Publication date
CN109246002B (en) 2020-10-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: 430070 room 01, 3 / F, building 11, phase I, Guanggu power energy saving and environmental protection technology business incubator (accelerator), No. 308, Guanggu Avenue, Donghu New Technology Development Zone, Wuhan City, Hubei Province

Patentee after: WUHAN SIPULING TECHNOLOGY Co.,Ltd.

Address before: 430070 Wuhan Donghu New Technology Development Zone, Hubei Province

Patentee before: WUHAN SIPULING TECHNOLOGY Co.,Ltd.