CN109698831B - Data protection method and device - Google Patents

Data protection method and device

Info

Publication number
CN109698831B
Authority
CN
China
Prior art keywords
protocol
data
rule
protection
segment
Prior art date
Legal status
Active
Application number
CN201811626506.8A
Other languages
Chinese (zh)
Other versions
CN109698831A (en)
Inventor
郭肖旺
陈海
贡春燕
张湾
杨文龙
纪宇潇
王帅
原崇蛟
傅一帆
Current Assignee
Cec Intelligent Technology Co ltd
Original Assignee
Cec Intelligent Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/12 Applying verification of the received information
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/18 Multiprotocol handlers, e.g. single devices capable of handling multiple protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the invention provides a data protection method and device, which are applied to a protection device that can communicate with an internal server and an external server. The method receives a protocol data stream sent by the external server and parses it to obtain the corresponding protocol type; searches, according to the protocol type, whether a protocol protection policy corresponding to that protocol type exists, and if so parses the protocol data stream according to a segment set parsing rule to obtain a plurality of data segments; calls the protocol protection policy matched with each data segment based on a target rule data structure; and verifies the validity of the corresponding data segments according to the protocol protection policy, sending the protocol data stream to the internal server if every data segment is legal. The invention can effectively realize the secure interaction of data and ensure the privacy of user data.

Description

Data protection method and device
Technical Field
The invention relates to the field of industrial control, in particular to a data protection method and device.
Background
In the existing data protection process, most of the protocols that a firewall can protect are fixed, especially in the industrial control field. For example, when industrial control protocols such as Modbus and DNP3 are protected, protocol protection rules are mostly built into the existing firewall and the user's authority to define rules is limited to a certain range; if a new industrial control protocol is to be supported, custom development must be carried out, so that the private protocol has to be exposed to the firewall developer. The user therefore lacks privacy and faces a higher security threat while using the industrial control protocol.
Disclosure of Invention
In view of the above, an object of the embodiments of the present invention is to provide a data protection method and apparatus, so as to improve the above-mentioned problems.
In one aspect, a preferred embodiment of the present invention provides a data protection method, which is applied to a protection device, where the protection device is capable of communicating with an internal server and an external server, and the data protection method includes:
receiving a protocol data stream sent by the external server, and parsing it to obtain the protocol type corresponding to the protocol data stream;
searching whether a protocol protection strategy corresponding to the protocol type exists or not according to the protocol type, and if the protocol protection strategy corresponding to the protocol type exists, analyzing the protocol data stream according to a segment set analysis rule to obtain a plurality of data segments;
calling a protocol protection strategy matched with each data segment based on a target rule data structure;
and carrying out validity verification on corresponding data segments according to the protocol protection strategy, and if each data segment is legal, sending the protocol data stream to the internal server.
In an alternative embodiment of the present invention, the protocol protection policy is obtained by:
acquiring a protocol to be processed, and dividing the protocol to be processed into a plurality of different segment sets;
for each segment set, decomposing the segment set into a plurality of sub-segments according to the protocol format of the segment set, and making a protocol protection strategy for different sub-segments.
In an alternative preferred embodiment of the present invention, before the step of formulating the protocol protection policy for different sub-segments, the method further comprises:
configuring a plurality of keywords for protocol definition, rule definition, protocol management, rule matching and rule query description when the protocol protection strategy is made;
configuring a protocol description language for performing protocol definition action and protocol management action description when the protocol protection policy is made based on a plurality of keywords;
configuring a rule description language for rule description when a protocol protection strategy is formulated based on a plurality of keywords;
and configuring a rule control language for performing control operation during protocol protection policy control based on a plurality of keywords.
In an alternative preferred embodiment of the invention, the target rule data structure is obtained by:
analyzing a rule language defined by a user based on a rule lexical analysis unit, and analyzing the rule language into a token stream;
carrying out syntax analysis on the token stream based on a rule syntax analysis module;
generating an abstract syntax tree according to an analysis result of syntax analysis on the token stream;
and extracting a data structure in the abstract syntax tree based on a target rule data structure unit, and converting the data structure into a target rule data structure.
In an optional preferred embodiment of the present invention, the method further comprises:
when the protection strategy matched with each data segment is called based on the target rule data structure, if the protocol protection strategy corresponding to one or more data segments in the plurality of data segments cannot be found, marking the corresponding data segment as legal or illegal according to a preset mark.
In an optional preferred embodiment of the present invention, the method further comprises:
and if the protocol protection strategy corresponding to the protocol type does not exist or the data segment is verified to be illegal through the protocol protection strategy, intercepting the protocol data stream and carrying out illegal alarm.
In an alternative embodiment of the present invention, the protocol data stream is a data stream detected and determined as illegal by the external server.
On the other hand, a preferred embodiment of the present invention further provides a data protection apparatus, which is applied to a protection device, where the protection device is capable of communicating with an internal server and an external server, and the data protection apparatus includes:
the data receiving module is used for receiving the protocol data stream sent by the external server and analyzing the protocol data stream to obtain a protocol type corresponding to the protocol data stream;
the judging and analyzing module is used for searching whether a protocol protection strategy corresponding to the protocol type exists or not according to the protocol type, and analyzing the protocol data stream according to a segment set analysis rule to obtain a plurality of data segments if the protocol protection strategy corresponding to the protocol type exists;
the strategy calling module is used for calling a protocol protection strategy matched with each data segment based on a target rule data structure;
and the data verification module is used for verifying the legality of the corresponding data segments according to the protocol protection strategy, and if each data segment is legal, the protocol data stream is sent to the internal server.
In an optional preferred embodiment of the present invention, the data protection apparatus further includes a policy making module, where the policy making module is configured to obtain a protocol to be processed and divide the protocol to be processed into a plurality of different segment sets; and, for each segment set, to decompose the segment set into a plurality of sub-segments according to the protocol format of the segment set and make a protocol protection policy for the different sub-segments.
In an optional preferred embodiment of the present invention, the data protection apparatus further includes a rule parsing module, where the rule parsing module is configured to parse a rule language defined by a user based on a rule lexical analysis unit and parse the rule language into a token stream;
to carry out syntax analysis on the sentences of the rule language based on a rule syntax analysis unit;
to generate an abstract syntax tree, by a rule syntax tree unit, based on the analysis result output by the rule syntax analysis unit and the syntax rules; and
to extract a data structure in the abstract syntax tree based on a target rule data structure unit and convert the data structure into a target rule data structure.
In an optional preferred embodiment of the present invention, the data verification module is further configured to, when the protection policy matched with each data segment is called based on the target rule data structure, mark the corresponding data segment as legal or illegal according to a preset mark if the protocol protection policy corresponding to one or more of the plurality of data segments is not found.
Compared with the prior art, the embodiment of the invention provides a data protection method and a data protection device with which a user can perform data protection without exposing a private protocol and can easily configure a deep inspection policy, so that the protocol privacy problem of different equipment suppliers, developers and use scenarios in the industrial control field is effectively solved, the security of industrial control applications is effectively improved, and the user experience is improved.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 is a schematic view of an application scenario of a data protection method and apparatus provided in an embodiment of the present invention.
Fig. 2 is a block configuration diagram of the protection device shown in fig. 1.
Fig. 3 is a schematic flow chart of a data protection method according to an embodiment of the present invention.
Fig. 4 is a schematic diagram of a generation flow of the protocol protection policy.
FIG. 5 is a schematic diagram of a generation process of a target rule data structure.
Fig. 6 is a schematic block diagram of a data protection apparatus according to an embodiment of the present invention.
Icon: 10-protection device; 100-data protection apparatus; 110-data receiving module; 120-judging and analyzing module; 130-policy calling module; 140-data verification module; 150-policy making module; 160-rule parsing module; 200-memory; 300-memory controller; 400-processor; 20-external server; 30-internal server.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
As shown in fig. 1, which is an application scenario diagram of the data protection method and apparatus provided by the embodiment of the present invention, the application scenario includes a protection device 10, an external server 20 and an internal server 30. In this embodiment, the protection device 10 may include two network ports, so that the internal network and the external network are both configured on the protection device 10 at the same time, for example network 1 for processing the data streams of the protected network and network 2 for processing the data streams of the external network; the protection device 10 may be configured to filter the received protocol data streams according to the protocol protection policy and to let only authorized data streams pass, so as to ensure security during data transmission and application in the internal network.
Optionally, referring to fig. 2, which is a block diagram of the protection device 10 shown in fig. 1, the protection device 10 includes a data protection apparatus 100, a memory 200, a memory controller 300 and a processor 400. The memory 200, the memory controller 300 and the processor 400 are electrically connected to each other, directly or indirectly, to realize data transmission or interaction; for example, the components are electrically connected through one or more communication buses or signal lines. The data protection apparatus 100 includes at least one software function module that may be stored in the memory 200 in the form of software or firmware, or may be resident in the operating system of the protection device 10. The processor 400 accesses the memory 200 under the control of the memory controller 300 in order to execute the executable modules stored in the memory 200, such as the software function modules and computer programs included in the data protection apparatus 100.
It will be appreciated that the configuration shown in fig. 2 is merely illustrative, and that the protection device 10 may include more or fewer components than shown in fig. 2, or may have a different configuration than shown in fig. 2. In addition, the protection device 10 may be, but is not limited to, a smart phone, a personal computer (PC), a tablet PC, a personal digital assistant (PDA), a mobile internet device (MID), a cloud server, a small computer, and the like.
Further, as shown in fig. 3, a schematic flow chart of a data protection method provided in an embodiment of the present invention is applied to the above-mentioned protection device 10, and specific steps and a flow of the data protection method will be described in detail below with reference to fig. 3. It should be understood that the data protection method presented in the present embodiment is not limited by the order of the steps and flows described below.
Step S11, receiving the protocol data stream sent by the external server 20, and parsing it to obtain the protocol type corresponding to the protocol data stream;
step S12, searching, according to the protocol type, whether a protocol protection policy corresponding to the protocol type exists; if it exists, executing step S13, otherwise going to step S17;
step S13, parsing the protocol data stream according to the segment set parsing rule to obtain a plurality of data segments;
step S14, calling, based on the target rule data structure, the protocol protection policy matched with each data segment;
step S15, verifying the validity of the corresponding data segments according to the protocol protection policy; if every data segment is legal, executing step S16, otherwise going to step S18;
step S16, transmitting the protocol data stream to the internal server 30;
step S17, marking the corresponding data segment as legal or illegal according to the preset mark;
and step S18, intercepting the protocol data stream and raising an illegality alarm.
In the data protection method provided in the above step S11-step S18, when the method is applied to devices such as an industrial control firewall, a protection gateway, and the like, protocol protection policies are selected for different protocol types, and then the legitimacy of a protocol data stream is determined, for example, the protocol protection policies, a target rule data structure, and the like may be preset to implement data security when the external server 20 performs data interaction with the internal server 30, and ensure user privacy.
In detail, the protocol data stream in step S11 may be a data stream detected by the external server 20 and determined to be illegal, or may be all data streams that need to be forwarded into the internal server 30 through the external server 20, which is not limited herein. In addition, the protocol type may include, but is not limited to, the protocol type of an industrial control protocol such as Modbus or DNP3, and when the protocol type is analyzed it may be identified based on a protocol label or by a protocol comparison method; the present embodiment is not limited in this respect.
Further, in step S12, the protocol protection policy is configured for each existing industrial control protocol and is configured by combining preset keywords, a Protocol Description Language (PDL), a Rule Description Language (RDL), a Rule Control Language (RCL), and the like. In detail, as shown in fig. 4, the protocol protection policy may be obtained through the following steps S19 and S20:
step S19, acquiring a protocol to be processed, and dividing the protocol to be processed into a plurality of different segment sets;
and step S20, for each segment set, decomposing the segment set into a plurality of sub-segments according to the protocol format of the segment set, and making a protocol protection strategy for different sub-segments.
In steps S19 to S20, the protocol to be processed may be, but is not limited to, an industrial control protocol. Since different application functions of a protocol such as an industrial control protocol may lead to different protocol lengths, in this embodiment each industrial control protocol may be described as a plurality of different segment sets according to these different lengths; each segment set may further be decomposed into segments of different lengths, and a protocol protection policy is then defined for the different segments.
Before the step of formulating the protocol protection policy for different sub-segments, a plurality of keywords for performing protocol definition, rule definition, protocol management, rule matching and rule query description during protocol protection policy formulation need to be configured in the embodiment; configuring a protocol description language for performing protocol definition action and protocol management action description when the protocol protection policy is made based on a plurality of keywords; configuring a rule description language for rule description when a protocol protection strategy is formulated based on a plurality of keywords; and configuring a rule control language for performing control operation during protocol protection policy control based on a plurality of keywords. The following describes the keyword, Protocol Description Language (PDL), Rule Description Language (RDL), and Rule Control Language (RCL), respectively, as follows.
The keywords are the character strings of the marker type used for protocol definition, rule definition, protocol management, rule matching, rule query and the like; the keywords may include, but are not limited to, the following:
(1) PROTOCOL, the protocol type flag, marks a defined protocol; during protocol parsing the flag is checked to determine the protocol type, name and so on, for example the character string following the flag is taken as the protocol name;
(2) SEGS, the segment set; because an industrial control protocol can be divided into different lengths, that is, segment sets, the protocol is defined from the angle of segment sets;
(3) RULE, the rule flag, refers to the rule associated with a certain protocol; when this keyword is detected during parsing, the parser is considered to enter the rule-parsing part;
(4) SECTION, a segment of the data in the protocol, used to decompose the description of the data within each segment set;
(5) DIRECTION, the protocol data direction flag; when this keyword is detected, the following characters are taken to describe the protocol data flow direction;
(6) PASS, rule handling policy: allow; DENY, rule handling policy: reject; CREATE, used when creating a PROTOCOL or RULE: when this keyword is detected during parsing, a protocol or rule is to be created, and it is used together with PROTOCOL, RULE, etc.;
(7) ALTER, used when modifying a PROTOCOL or RULE: when this keyword is detected during parsing, a protocol or rule is to be modified, and it is used together with PROTOCOL, RULE, etc.;
(8) DROP, disable and delete, disables the use of a certain protocol; decode, declaration, used to declare a SECTION; SELECT, lookup, used together with IN to indicate that a rule is to be looked up from a certain protocol;
(9) IN, used together with SELECT to indicate that a certain rule is to be looked up from a certain protocol;
(10) DELETE, deletes a rule, used together with RULE; when this flag is parsed, a rule is to be deleted;
(11) RENAME, used when renaming a PROTOCOL or RULE, together with PROTOCOL or RULE; when this keyword is parsed, a protocol or rule is to be renamed subsequently;
(12) UPDATE, updates a rule, used together with RULE;
(13) INSERT, inserts a rule, used together with RULE;
(14) EQULE, rule constraint policy: equal; NOT EQULE, rule constraint policy: not equal;
(15) LIKE, rule constraint policy: conforms to a regular expression; NOT LIKE, rule constraint policy: does not conform to a regular expression;
(16) ID, unique identifier;
(17) LENGTH, used for protocol segment description;
(18) AutoIncrease, auto increment, used for ID calculation; INT, integer, data type definition for length, ID, etc.;
(19) STRING, string, data type definition for names and the like;
(20) UNIT, used to describe the unit of a length, such as BIT or BYTE;
(21) BIT, the bit type, representing a bit; BYTE, the byte type; REGS, regular expression;
(22) AND, joint search keyword: both the preceding and the following condition must be met;
(23) OR, joint search keyword: either of the two conditions may be met;
(24) REQUEST, data request direction; RESPONSE, data response direction.
The Protocol Description Language (PDL) is the syntax and semantic description used for operations such as protocol definition and protocol management by means of the keywords. For example, the syntax and semantics of the protocol description language may be defined as follows:
Creating a protocol: CREATE PROTOCOL PROTOCOL-name;
Deleting a protocol: DROP PROTOCOL-name;
Declaring a segment set:
    CREATE SEGS SEGS-name
    {
        ID:int,AutoIncrease;
        LENGTH:int;                 // protocol length; for a variable-length protocol the length differs, and so does this field
        UNIT:BIT/BYTE;
        DIRECTION:REQUEST/RESPONSE;
    }
Deleting a segment set: DELETE SEGS-name;
Renaming a segment set: RENAME SEGS-name SEGS-newName;
Declaring a section:
    decode SECTION-name
    {
        ID:int,AutoIncrease;
        SEGS_ID:int;
        LENGTH:int;                 // protocol length; for a variable-length protocol the length differs, and so does this field
        UNIT:BIT/BYTE;
        STARTPOS:int;
        STARTUNIT:BIT/BYTE;
        ENDPOS:int;
        ENDPOSUNIT:BIT/BYTE;
    }
Deleting a section: DELETE SECTION-name;
Renaming a section: RENAME SECTION-name SECTION-newName.
The Rule Description Language (RDL) is the syntax and semantic description used for operations such as rule definition and rule management by means of the keywords; it describes the protection rules of a given protocol, and a rule is built on top of a section. The syntax and semantics of the RDL are specified as follows:
Creating a rule:
    CREATE RULE-name
    {
        ID:int,AutoIncrease;
        SECTION_ID:int;
        LENGTH:int;                 // protocol length; for a variable-length protocol the length differs, and so does this field
        UNIT:BIT/BYTE;
        STARTPOS:int;
        STARTUNIT:BIT/BYTE;
        ENDPOS:int;
        ENDPOSUNIT:BIT/BYTE;
        POLICY:PASS/DENY;
        REGS:string;
    }
Deleting a rule: DELETE RULE-name;
Renaming a rule: RENAME RULE-name RULE-newName;
The Rule Control Language (RCL) is the syntax and semantic description used for operations such as rule matching and rule querying by means of the keywords; it defines control operations such as rule searching, insertion and deletion. For example, the syntax and semantics of the rule control language may be specified as follows:
(1) Inserting a rule:
    INSERT INTO RULE RULENAME rule_name(
        ID=id;
        SEGS_ID=segs_id;
        LENGTH=length;
        UNIT=BIT/BYTE;
        STARTPOS=start_pos;
        STARTUNIT=BIT/BYTE;
        ENDPOS=end_pos;
        ENDPOSUNIT=BIT/BYTE;
        POLICY=PASS/DENY;
        REGS=regs_str;
    );
(2) Deleting a rule: DELETE RULE BY RULE ID. Deletion can also be combined with a search, so that the rules meeting a certain condition are deleted; for example, deleting the rules whose name begins with AB: DELETE RULE BY RULE NAME LIKE AB;
(3) Searching for rules, which can be divided into the following types according to the search range:
a. Searching for rules under a given segment set, where the protocol and the content of the segment set are known:
    searching by name: SELECT RULE BY RULE_NAME;
    listing all rules: SELECT ALL IN RULE;
    finding all PASS rules: SELECT RULE BY POLICY EQULE PASS;
    finding all DENY rules: SELECT RULE BY POLICY EQULE DENY;
    searching by ID: SELECT RULE BY ID EQULE ×;
b. Joint search:
    SELECT RULE BY POLICY EQULE PASS AND ID EQULE; up to 5 conditions may follow one another.
    finding rules that do not meet a condition, for example rules whose ID is not a given value: SELECT RULE BY ID NOT EQULE ×;
    finding rules that match an expression, for example rules whose name begins with AB: SELECT RULE BY RULE_NAME LIKE AB;
    finding rules that do not match an expression, for example rules whose name does not begin with AB: SELECT RULE BY RULE_NAME NOT LIKE AB;
c. Searching for rules within a given protocol range: when the protocol information is known, the segment sets need to be traversed, and the keyword IN can be used to select a specific segment set during the search.
    listing the rules within the segment sets whose name begins with AB: SELECT RULE BY RULE_NAME IN SEGS BY SEGS_NAME EQULE AB;
    listing all rules under the segment set with ID 2: SELECT ALL RULE IN SEGS BY SEGS_ID EQULE 2;
    It should be noted that other search forms follow the cases shown above.
d. Searching for rules across all protocols:
    listing the rules within the segment sets whose name begins with AB in the Modbus protocol: SELECT RULE BY RULE_NAME IN SEGS BY SEGS_NAME EQULE AB IN PROTOCOL BY PROTOCOL_NAME EQULE MODBUS;
    listing all rules under the segment set with ID 2 in all protocols: SELECT ALL RULE IN SEGS BY SEGS_ID EQULE 2 IN PROTOCOL BY ALL; other forms again follow the foregoing cases.
Further, in step S13 and step S17, the segment set parsing rule is similar to the formulation of the protocol protection policy: the protocol data stream is divided into a plurality of different segment sets according to different lengths, each segment set corresponds to the protocol format of one length, and each segment set may be further decomposed, according to the internal data format of the protocol at that length, into segments of different lengths, namely the data segments. Because all protocol types or sub-protocol types that a protocol data stream may contain cannot be considered when configuring the protocol protection policy, and in order to avoid that a protocol data stream fails the verification of the protection device 10 merely because no protocol protection policy was configured for it, the present invention also designs a uniform protection rule for the situation in which the corresponding protocol protection policy cannot be found: for example, a data segment for which no corresponding protocol protection policy is found may be marked as legal or illegal.
Further, as shown in fig. 5, the target rule data structure described in step S14 is generated by steps S21 to S24 as follows:
step S21, analyzing the rule language defined by the user with the rule lexical analysis unit, and converting it into a token stream;
step S22, carrying out syntax analysis on the token stream based on a rule syntax analysis module;
step S23, generating an abstract syntax tree according to the analysis result of the syntax analysis of the token stream;
step S24, extracting the data structure in the abstract syntax tree based on the target rule data structure unit, and converting the data structure into the target rule data structure.
Further, the abstract syntax tree described in steps S21-S24 is built according to the context-free grammar used in the parsing stage; the actual generation process of the abstract syntax tree is not limited herein.
Further, it should be noted for step S15 and step S16 that, since each protocol data stream may contain one or more data segments, the validity of a protocol data stream may be determined in two ways: the stream is valid when all of its data segments are valid, or when the ratio of valid data segments to all data segments exceeds a preset value. In addition, the validity of an incoming data segment may be determined by lexical methods, grammatical methods, protocol definition rules, and the like; this embodiment is not limited in this respect.
Further, in actual implementation, when the protocol data stream is determined to be illegal, or when there is no protocol protection policy corresponding to the protocol type, the protection device 10 may intercept the protocol data stream and perform an illegal alarm.
Based on the description of the above data protection method, the Protocol Description Language (PDL), Rule Description Language (RDL), and Rule Control Language (RCL) used in the protocol protection rule configuration process are explained below, taking the MODBUS TCP protocol as an example together with a pseudo-code example.
(1) Protocol Description Language (PDL): when a user creates and describes a MODBUS protocol, the following description may be used:
CREATE PROTOCOL Protocol-Modbus;
Declaring a segment set: CREATE SEGS readCoil
{
ID:1;
LENGTH:5; // segment set length; for an indefinite-length protocol the length, and with it the fields, vary
UNIT:BYTE;
DIRECTION:REQUEST;
}
Declaring sections: DECLARE SECTION FUNCTIONCode
{
ID:1;
SEGS_ID:1;
LENGTH:1; // section length
UNIT:BYTE;
STARTPOS:0;
STARTUNIT:BYTE;
ENDPOS:1;
ENDPOSUNIT:BYTE;
}
DECLARE SECTION StartAddress
{
ID:2;
SEGS_ID:1;
LENGTH:2; // section length
UNIT:BYTE;
STARTPOS:1;
STARTUNIT:BYTE;
ENDPOS:3;
ENDPOSUNIT:BYTE;
}
DECLARE SECTION CoilCount
{
ID:3;
SEGS_ID:1;
LENGTH:2; // section length
UNIT:BYTE;
STARTPOS:3;
STARTUNIT:BYTE;
ENDPOS:END;
ENDPOSUNIT:BYTE;
}
Declaring a segment set: CREATE SEGS ready_resp
{
ID:2;
LENGTH:n; // indefinite-length segment set; the length, and with it the fields, vary
UNIT:BYTE;
DIRECTION:RESPONSE;
}
Declaring sections: DECLARE SECTION FUNCTIONCode
{
ID:4;
SEGS_ID:2; // belongs to segment set 2 (ready_resp)
LENGTH:1; // section length
UNIT:BYTE;
STARTPOS:0;
STARTUNIT:BYTE;
ENDPOS:1;
ENDPOSUNIT:BYTE;
}
DECLARE SECTION StartAddress
{
ID:5;
SEGS_ID:2; // belongs to segment set 2 (ready_resp)
LENGTH:1; // section length
UNIT:BYTE;
STARTPOS:1;
STARTUNIT:BYTE;
ENDPOS:2;
ENDPOSUNIT:BYTE;
}
DECLARE SECTION CoilCount
{
ID:6;
SEGS_ID:2; // belongs to segment set 2 (ready_resp)
LENGTH:2; // section length
UNIT:BYTE;
STARTPOS:2;
STARTUNIT:BYTE;
ENDPOS:END;
ENDPOSUNIT:BYTE;
}
(2) Rule Description Language (RDL): describes the protection rules for the MODBUS protocol. The rules for the read-coils request and response PDUs are defined as follows:
Creating a rule: CREATE Rule Rule1
{
ID:1;
SECTION_ID:1;
LENGTH:1; // section length
UNIT:BYTE;
STARTPOS:0;
STARTUNIT:BYTE;
ENDPOS:1;
ENDPOSUNIT:BYTE;
POLICY:PASS;
REGS:01;
}
CREATE Rule Rule2
{
ID:2;
SECTION_ID:2;
LENGTH:2; // section length
UNIT:BYTE;
STARTPOS:1;
STARTUNIT:BYTE;
ENDPOS:3;
ENDPOSUNIT:BYTE;
POLICY:PASS;
REGS:[0-9|A-F|a-f]{4};
}
CREATE Rule Rule3
{
ID:3;
SECTION_ID:3;
LENGTH:2; // section length
UNIT:BYTE;
STARTPOS:3;
STARTUNIT:BYTE;
ENDPOS:END;
ENDPOSUNIT:BYTE;
POLICY:PASS;
REGS:[1-2000];
}
CREATE Rule Rule4
{
ID:4;
SECTION_ID:4;
LENGTH:1; // section length
UNIT:BYTE;
STARTPOS:0;
STARTUNIT:BYTE;
ENDPOS:1;
ENDPOSUNIT:BYTE;
POLICY:PASS;
REGS:01;
}
CREATE Rule Rule5
{
ID:5;
SECTION_ID:5;
LENGTH:2; // section length
UNIT:BYTE;
STARTPOS:1;
STARTUNIT:BYTE;
ENDPOS:2;
ENDPOSUNIT:BYTE;
POLICY:PASS;
REGS:[0-9|A-F|a-f]+AND(EQULE rule6.LENGTH);
}
CREATE Rule Rule6
{
ID:6;
SECTION_ID:6;
LENGTH:n; // indefinite length; varies with the number of coils read
UNIT:BYTE;
STARTPOS:2;
STARTUNIT:BYTE;
ENDPOS:END;
ENDPOSUNIT:BYTE;
POLICY:PASS;
REGS:
}
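Steps S21 to S24 applied to the RDL syntax above, as an added example in Python that is not the patent's own code: a lexer turns the rule text into tokens, a parser builds the abstract syntax tree, and a final step converts it into the target rule data structure. The function and field names (`REGS_RE`, `COND`) are my own; the sample input is constructed from Rule2 and Rule5.

```python
import re

# Added example (not the patent's code): lexer (S21), parser producing an AST
# (S22/S23) and AST-to-target-structure conversion (S24) for the RDL above.
# Constructed sample input: Rule2 and Rule5 from the page.
SAMPLE_RDL = """\
CREATE Rule Rule2
{
ID:2;
SECTION_ID:2;
LENGTH:2; // section length
UNIT:BYTE;
STARTPOS:1;
STARTUNIT:BYTE;
ENDPOS:3;
ENDPOSUNIT:BYTE;
POLICY:PASS;
REGS:[0-9|A-F|a-f]{4};
}
CREATE Rule Rule5
{
ID:5;
SECTION_ID:5;
LENGTH:2;
UNIT:BYTE;
STARTPOS:1;
STARTUNIT:BYTE;
ENDPOS:2;
ENDPOSUNIT:BYTE;
POLICY:PASS;
REGS:[0-9|A-F|a-f]+AND(EQULE rule6.LENGTH);
}
"""
FIELD_RE = re.compile(r"^([A-Z_]+)\s*:\s*(.*?)\s*;?$")
REQUIRED = ("ID", "SECTION_ID", "LENGTH", "UNIT", "STARTPOS", "STARTUNIT",
            "ENDPOS", "ENDPOSUNIT", "POLICY", "REGS")

def lex(text):
    """S21: line-oriented lexer. A field value is taken raw up to the trailing
    ';' so that REGS patterns containing '{', ':' or '(' are not split."""
    tokens = []
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()          # drop // comments
        if not line:
            continue
        if line in ("{", "}"):
            tokens.append((line, line))
        elif m := FIELD_RE.match(line):
            tokens.append(("FIELD", (m.group(1), m.group(2))))
        else:                                         # keywords and names
            tokens.extend(("IDENT", w) for w in line.split())
    return tokens

def parse(tokens):
    """S22/S23: recognise CREATE Rule <name> { FIELD* } and build the AST
    ('rule', name, [('field', key, value), ...])."""
    ast, i = [], 0
    def expect(kind, value=None):
        nonlocal i
        tok = tokens[i] if i < len(tokens) else ("EOF", None)
        if tok[0] != kind or (value is not None and tok[1] != value):
            raise SyntaxError(f"expected {value or kind}, got {tok}")
        i += 1
        return tok[1]
    while i < len(tokens):
        expect("IDENT", "CREATE"); expect("IDENT", "Rule")
        name = expect("IDENT")
        expect("{")
        fields = []
        while i < len(tokens) and tokens[i][0] == "FIELD":
            fields.append(("field",) + tokens[i][1])
            i += 1
        expect("}")
        ast.append(("rule", name, fields))
    return ast

def to_target_structure(ast):
    """S24: build the target rule data structure (dict keyed by rule name): check
    required and numeric fields and POLICY, pre-compile the regex part of REGS
    and keep the optional AND(...) clause as COND."""
    rules = {}
    for _, name, fields in ast:
        rule = {key: value for _, key, value in fields}
        if missing := [k for k in REQUIRED if k not in rule]:
            raise ValueError(f"{name}: missing fields {missing}")
        for k in ("ID", "SECTION_ID", "STARTPOS"):   # LENGTH/ENDPOS may be n/END
            rule[k] = int(rule[k])
        if rule["POLICY"] not in ("PASS", "DENY"):
            raise ValueError(f"{name}: unknown POLICY {rule['POLICY']}")
        regex, _, cond = rule["REGS"].partition("AND(")
        rule["REGS_RE"] = re.compile(f"^{regex}$")
        rule["COND"] = cond.rstrip(")") or None
        rules[name] = rule
    return rules

def compile_rdl(text):
    return to_target_structure(parse(lex(text)))
```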
(3) Rule Control Language (RCL): defines the control operations on rules, such as search, insert and delete. Concrete usage is as follows:
Rules are looked up under a given segment set, where the protocol and the content of the segment set are known:
Search a rule by name:
SELECT RULE BY RULE_NAME=rule1;
Search result:
Rule1:{ID=1;SECTION_ID=1;LENGTH=1;UNIT=BYTE;STARTPOS=0;STARTUNIT=BYTE;ENDPOS=1;ENDPOSUNIT=BYTE;POLICY=PASS;REGS=01}
List all rules:
SELECT ALL IN RULE;
Search result:
Rule1:{ID=1;SECTION_ID=1;LENGTH=1;UNIT=BYTE;STARTPOS=0;STARTUNIT=BYTE;ENDPOS=1;ENDPOSUNIT=BYTE;POLICY=PASS;REGS=01}
Rule2:{ID=2;SECTION_ID=2;LENGTH=2;UNIT=BYTE;STARTPOS=1;STARTUNIT=BYTE;ENDPOS=3;ENDPOSUNIT=BYTE;POLICY=PASS;REGS=[0-9|A-F|a-f]{4}}
Rule3:{ID=3;SECTION_ID=3;LENGTH=2;UNIT=BYTE;STARTPOS=3;STARTUNIT=BYTE;ENDPOS=END;ENDPOSUNIT=BYTE;POLICY=PASS;REGS=[1-2000]}
Rule4:{ID=4;SECTION_ID=4;LENGTH=1;UNIT=BYTE;STARTPOS=0;STARTUNIT=BYTE;ENDPOS=1;ENDPOSUNIT=BYTE;POLICY=PASS;REGS=01}
Rule5:{ID=5;SECTION_ID=5;LENGTH=2;UNIT=BYTE;STARTPOS=1;STARTUNIT=BYTE;ENDPOS=2;ENDPOSUNIT=BYTE;POLICY=PASS;REGS=[0-9|A-F|a-f]+AND(EQULE rule6.LENGTH)}
Rule6:{ID=6;SECTION_ID=6;LENGTH=n;UNIT=BYTE;STARTPOS=2;STARTUNIT=BYTE;ENDPOS=END;ENDPOSUNIT=BYTE;POLICY=PASS;REGS=}
Look up all PASS rules:
SELECT RULE BY POLICY EQULE PASS;
Search result:
Rule1:{ID=1;SECTION_ID=1;LENGTH=1;UNIT=BYTE;STARTPOS=0;STARTUNIT=BYTE;ENDPOS=1;ENDPOSUNIT=BYTE;POLICY=PASS;REGS=01}
Rule2:{ID=2;SECTION_ID=2;LENGTH=2;UNIT=BYTE;STARTPOS=1;STARTUNIT=BYTE;ENDPOS=3;ENDPOSUNIT=BYTE;POLICY=PASS;REGS=[0-9|A-F|a-f]{4}}
Rule3:{ID=3;SECTION_ID=3;LENGTH=2;UNIT=BYTE;STARTPOS=3;STARTUNIT=BYTE;ENDPOS=END;ENDPOSUNIT=BYTE;POLICY=PASS;REGS=[1-2000]}
Rule4:{ID=4;SECTION_ID=4;LENGTH=1;UNIT=BYTE;STARTPOS=0;STARTUNIT=BYTE;ENDPOS=1;ENDPOSUNIT=BYTE;POLICY=PASS;REGS=01}
Rule5:{ID=5;SECTION_ID=5;LENGTH=2;UNIT=BYTE;STARTPOS=1;STARTUNIT=BYTE;ENDPOS=2;ENDPOSUNIT=BYTE;POLICY=PASS;REGS=[0-9|A-F|a-f]+AND(EQULE rule6.LENGTH)}
Rule6:{ID=6;SECTION_ID=6;LENGTH=n;UNIT=BYTE;STARTPOS=2;STARTUNIT=BYTE;ENDPOS=END;ENDPOSUNIT=BYTE;POLICY=PASS;REGS=}
Look up all DENY rules:
SELECT RULE BY POLICY EQULE DENY;
Search result: none
Search a rule by ID:
SELECT RULE BY ID EQULE 3;
Search result:
Rule3:{ID=3;SECTION_ID=3;LENGTH=2;UNIT=BYTE;STARTPOS=3;STARTUNIT=BYTE;ENDPOS=END;ENDPOSUNIT=BYTE;POLICY=PASS;REGS=[1-2000]}
On network 2, the industrial control protection device 10 receives a read-coils request sent from the external network, parses the IP and TCP layers of the data stream, and obtains the PDU data segment 0100130013. By matching against the protocol rules, the data is legal and the processing result is PASS, so the protection device 10 forwards the protocol data stream to the protected network on network 1 (such as the internal server 30). The protected network on network 1 sends back the response data 0103CD6B05; by matching against the protocol rules, this data is also legal and the processing result is PASS, so the protection device 10 forwards the data stream to the external network on network 2.
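The worked example above carried through in code, as an added example that is not the patent's own implementation: the two segment sets and the six rules from the PDL/RDL blocks are written as target-rule-style structures, each PDU is cut into data segments (step S13), every segment is checked against its rule or the uniform default (S14/S15), and the whole stream is forwarded or intercepted with an alarm (S16). Assumptions, all mine: positions are byte offsets with END meaning "to the end of the segment set"; Rule3's `[1-2000]` is read as a numeric range; Rule5's `AND(EQULE rule6.LENGTH)` is read as "the byte count must equal the length of the coil status section".

```python
import re

# Added example (not the patent's code): applies the readCoil request and
# response definitions from the PDL/RDL sections above to the two PDUs of the
# worked example. Assumptions: positions are byte offsets as in the PDL
# (END = up to the end of the segment set); Rule3's REGS [1-2000] is read as
# a numeric range; Rule5's AND(EQULE rule6.LENGTH) is a byte-count check.
SEGMENT_SETS = {   # direction -> segment set (the step S13 parsing rule)
    "REQUEST": {"name": "readCoil", "length": 5, "sections": [
        ("FUNCTIONCode", 0, 1), ("StartAddress", 1, 3), ("CoilCount", 3, "END")]},
    "RESPONSE": {"name": "ready_resp", "length": None, "sections": [
        ("FUNCTIONCode", 0, 1), ("StartAddress", 1, 2), ("CoilCount", 2, "END")]},
}
RULES = {          # (direction, section) -> rule, as in the target rule data structure
    ("REQUEST", "FUNCTIONCode"): {"policy": "PASS", "regs": "01"},                 # Rule1
    ("REQUEST", "StartAddress"): {"policy": "PASS", "regs": "[0-9|A-F|a-f]{4}"},   # Rule2
    ("REQUEST", "CoilCount"):    {"policy": "PASS", "regs": "[0-9|A-F|a-f]{4}",
                                  "range": (1, 2000)},                              # Rule3
    ("RESPONSE", "FUNCTIONCode"): {"policy": "PASS", "regs": "01"},                # Rule4
    ("RESPONSE", "StartAddress"): {"policy": "PASS", "regs": "[0-9|A-F|a-f]+",
                                   "equal_length_of": "CoilCount"},                 # Rule5
    # Rule6 (RESPONSE CoilCount) has an empty REGS, so no rule is registered:
    # the uniform default below decides that segment.
}
DEFAULT_WHEN_NO_RULE = "PASS"   # preset mark for segments without a policy (S13/S17)
MIN_VALID_RATIO = 1.0           # 1.0: every data segment must be valid (S15/S16)

def split_segments(direction, pdu_hex):
    """Step S13: cut the PDU (hex text) into named data segments."""
    segset = SEGMENT_SETS[direction]              # KeyError: no policy for this type
    if segset["length"] is not None and len(pdu_hex) != 2 * segset["length"]:
        raise ValueError(f"{segset['name']}: expected {segset['length']} bytes")
    segs = {}
    for name, start, end in segset["sections"]:
        stop = len(pdu_hex) if end == "END" else 2 * end
        segs[name] = pdu_hex[2 * start:stop]
    return segs

def check_segment(direction, name, segs):
    """Steps S14/S15: look up the rule for one data segment and verify it.
    Returns (verdict, reason)."""
    rule = RULES.get((direction, name))
    if rule is None:
        return DEFAULT_WHEN_NO_RULE, "no rule: uniform default applied"
    value = segs[name]
    if not re.fullmatch(rule["regs"], value):
        return "DENY", f"{name}={value} does not match {rule['regs']}"
    lo, hi = rule.get("range", (None, None))
    if lo is not None and not lo <= int(value, 16) <= hi:
        return "DENY", f"{name}={int(value, 16)} outside [{lo}, {hi}]"
    other = rule.get("equal_length_of")
    if other and int(value, 16) != len(segs[other]) // 2:
        return "DENY", f"{name} byte count differs from length of {other}"
    return rule["policy"], "matched"

def verify_stream(direction, pdu_hex):
    """Steps S15/S16: decide the whole protocol data stream.
    Returns ('FORWARD' or 'INTERCEPT+ALARM', per-segment results)."""
    try:
        segs = split_segments(direction, pdu_hex)
    except (KeyError, ValueError) as exc:       # unknown type or malformed length
        return "INTERCEPT+ALARM", {"error": repr(exc)}
    results = {name: check_segment(direction, name, segs) for name in segs}
    valid = sum(1 for verdict, _ in results.values() if verdict == "PASS")
    forward = valid / len(results) >= MIN_VALID_RATIO
    return ("FORWARD" if forward else "INTERCEPT+ALARM"), results

if __name__ == "__main__":
    for direction, pdu in (("REQUEST", "0100130013"), ("RESPONSE", "0103CD6B05")):
        print(direction, pdu, verify_stream(direction, pdu))
```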
Further, as shown in fig. 6, which is a block schematic diagram of a data protection apparatus 100 according to an embodiment of the present invention, the data protection apparatus 100 is applied to the protection device 10, and the data protection apparatus 100 includes a data receiving module 110, a judgment parsing module 120, a policy invoking module 130, a data verifying module 140, a policy making module 150, and a rule parsing module 160.
The data receiving module 110 is configured to receive a protocol data stream sent by the external server 20, and analyze the protocol data stream to obtain a protocol type corresponding to the protocol data stream; in this embodiment, the detailed description of the step S11 may be referred to for the description of the data receiving module 110, that is, the step S11 may be executed by the data receiving module 110, and thus, no further description is provided herein.
The determining and analyzing module 120 is configured to search whether a protocol protection policy corresponding to the protocol type exists according to the protocol type, and if the protocol protection policy corresponding to the protocol type exists, analyze the protocol data stream according to a segment set parsing rule to obtain a plurality of data segments; in this embodiment, the detailed description of the step S12 and the step S13 may be referred to for the description of the determination parsing module 120, that is, the step S12 and the step S13 may be executed by the determination parsing module 120, and thus will not be further described herein.
The policy invoking module 130 is configured to invoke a protocol protection policy matched with each data segment based on a target rule data structure; in this embodiment, the description of the policy invoking module 130 may refer to the detailed description of the step S14, that is, the step S14 may be executed by the policy invoking module 130, and thus will not be further described herein.
The data verification module 140 is configured to perform validity verification on corresponding data segments according to the protocol protection policy, and if each data segment is valid, send the protocol data stream to the internal server 30. In this embodiment, the data verification module 140 may specifically refer to the detailed description of the step S15 and the step S16, that is, the step S15 and the step S16 may be executed by the data verification module 140, and thus will not be further described herein.
The policy making module 150 is configured to obtain a protocol to be processed, and divide the protocol to be processed into a plurality of different segment sets; and for each segment set, decomposing the segment set into a plurality of sub-segments according to the protocol format of the segment set, and making a protocol protection strategy for different sub-segments. In this embodiment, the description of the policy making module 150 may refer to the detailed description of the steps S19 to S20, that is, the steps S19 to S20 may be executed by the policy making module 150, and thus will not be further described herein.
The rule parsing module 160 is configured to parse a rule language defined by a user based on a rule lexical analysis unit, and parse the rule language into a token stream; carrying out grammar analysis on sentences of the rule language based on a rule grammar analysis unit; generating an abstract syntax tree based on the analysis result output by the rule syntax analysis module and the syntax rule by a rule syntax tree unit; and extracting a data structure in the abstract syntax tree based on a target rule data structure unit, and converting the data structure into a target rule data structure. In this embodiment, the description of the rule parsing module 160 may refer to the detailed description of the steps S21-S24, that is, the steps S21-S24 may be executed by the rule parsing module 160, and thus will not be further described herein.
In summary, embodiments of the present invention provide a data protection method and apparatus, where a user can purchase a protection device 10 without exposing a private protocol, and can easily configure a deep detection policy, thereby effectively protecting protocol privacy of different device suppliers, developers, and usage scenarios in the industrial control field, effectively improving safety of industrial control application, and effectively improving user experience.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus and method embodiments described above are illustrative only, as the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, an electronic device, or a network device) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes. It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only an alternative embodiment of the present invention and is not intended to limit the present invention, and various modifications and variations of the present invention may occur to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A data protection method is applied to protection equipment, the protection equipment can be communicated with an internal server and an external server, and the data protection method comprises the following steps:
receiving a protocol data stream sent by the external server, and analyzing to obtain a protocol type corresponding to the protocol data stream;
searching whether a protocol protection strategy corresponding to the protocol type exists or not according to the protocol type, and if the protocol protection strategy corresponding to the protocol type exists, analyzing the protocol data stream according to a segment set analysis rule to obtain a plurality of data segments;
calling a protocol protection strategy matched with each data segment based on a target rule data structure;
and carrying out validity verification on the corresponding data segments according to the protocol protection strategy matched with each data segment, and if each data segment is legal, sending the protocol data stream to the internal server.
2. The data protection method of claim 1, wherein the protocol protection policy is obtained by:
acquiring a protocol to be processed, and dividing the protocol to be processed into a plurality of different segment sets;
for each segment set, decomposing the segment set into a plurality of sub-segments according to the protocol format of the segment set, and making a protocol protection strategy for different sub-segments.
3. The data protection method according to claim 2, wherein prior to the step of formulating a protocol protection policy for different sub-segments, the method further comprises:
configuring a plurality of keywords for protocol definition, rule definition, protocol management, rule matching and rule query description when the protocol protection strategy is made;
configuring a protocol description language for performing protocol definition action and protocol management action description when the protocol protection policy is made based on a plurality of keywords;
configuring a rule description language for rule description when a protocol protection strategy is formulated based on a plurality of keywords;
and configuring a rule control language for performing control operation during protocol protection policy control based on a plurality of keywords.
4. The data protection method of claim 1, wherein the target rule data structure is obtained by:
analyzing a rule language defined by a user based on a rule lexical analysis unit, and analyzing the rule language into a token stream;
carrying out syntax analysis on the token stream based on a rule syntax analysis module;
generating an abstract syntax tree according to an analysis result of syntax analysis on the token stream;
and extracting a data structure in the abstract syntax tree based on a target rule data structure unit, and converting the data structure into a target rule data structure.
5. The method of data protection according to claim 1, further comprising:
when the protection strategy matched with each data segment is called based on the target rule data structure, if the protocol protection strategy corresponding to one or more data segments in the plurality of data segments cannot be found, marking the corresponding data segment as legal or illegal according to a preset mark.
6. The method of data protection according to claim 1, further comprising:
and if the protocol protection strategy corresponding to the protocol type does not exist or the data segment is verified to be illegal through the protocol protection strategy, intercepting the protocol data stream and carrying out illegal alarm.
7. The data protection method according to claim 1, wherein the protocol data stream is a data stream detected and determined as illegal by the external server.
8. A data protection device is applied to protection equipment, the protection equipment can be communicated with an internal server and an external server, and the data protection device comprises:
the data receiving module is used for receiving the protocol data stream sent by the external server and analyzing the protocol data stream to obtain a protocol type corresponding to the protocol data stream;
the judging and analyzing module is used for searching whether a protocol protection strategy corresponding to the protocol type exists or not according to the protocol type, and analyzing the protocol data stream according to a segment set analysis rule to obtain a plurality of data segments if the protocol protection strategy corresponding to the protocol type exists;
the strategy calling module is used for calling a protocol protection strategy matched with each data segment based on a target rule data structure;
and the data verification module is used for verifying the legality of the corresponding data segment according to the protocol protection strategy matched with each data segment, and sending the protocol data stream to the internal server if each data segment is legal.
9. The data protection device of claim 8, further comprising a policy formulation module for obtaining a protocol to be processed, dividing the protocol to be processed into a plurality of different sets of segments; and for each segment set, decomposing the segment set into a plurality of sub-segments according to the protocol format of the segment set, and making a protocol protection strategy for different sub-segments.
10. The data protection device of claim 8, further comprising a rule parsing module for parsing a user-defined rule language based on a rule lexical analysis unit and parsing the rule language into a token stream;
carrying out grammar analysis on sentences of the rule language based on a rule grammar analysis unit;
generating an abstract syntax tree based on the analysis result output by the rule syntax analysis module and the syntax rule by a rule syntax tree unit; and
and extracting a data structure in the abstract syntax tree based on a target rule data structure unit, and converting the data structure into a target rule data structure.
CN201811626506.8A 2018-12-28 2018-12-28 Data protection method and device Active CN109698831B (en)

Publications (2)

Publication Number Publication Date
CN109698831A CN109698831A (en) 2019-04-30
CN109698831B true CN109698831B (en) 2021-07-02

Family

ID=66232345


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant