CN109905352A - Method, apparatus and storage medium for auditing data based on an encrypted protocol - Google Patents


Info

Publication number: CN109905352A
Authority: CN (China)
Prior art keywords: data, audit, request, packet, virtual network port
Legal status: Granted (the listed status is Google's assumption, not a legal conclusion)
Application number: CN201711305729.XA
Other languages: Chinese (zh)
Other versions: CN109905352B (granted publication)
Inventors: 张磊, 周春楠, 赵贵阳
Original and current assignee: YIYANG SAFETY TECHNOLOGY Co Ltd (the assignee listing is Google's assumption, not a legal conclusion)
Application filed by YIYANG SAFETY TECHNOLOGY Co Ltd; priority to CN201711305729.XA; published as CN109905352A; granted as CN109905352B; current legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

This application provides a method for auditing data based on an encrypted protocol, comprising: receiving, at a communication end, an encrypted data request packet from a requesting party, forwarding it to the virtual network interface of an audit end, and creating mapping relation 1 between the requesting party's address information and the target party's address information; parsing and auditing the data in the request packet at the audit end, returning the audited request packet to the communication end, and creating mapping relation 2 between the port of the virtual network interface and the requesting party's address information; at the communication end, retrieving the requesting party's address information from mapping relation 2, replacing the request source information in the request packet with it, and sending the packet to the target party; receiving the target party's response packet; parsing and auditing the encrypted data in the response packet; and, based on mapping relation 1, obtaining the target party's address information, replacing the source information of the response packet with it, and sending the packet to the requesting party. By these means the application addresses the complicated usage, ease of bypass and poor applicability of the prior art.

Description

Method, apparatus and storage medium for auditing data based on an encrypted protocol
Technical field
This application relates to the field of network data security auditing, and in particular to a method, apparatus and storage medium for auditing data carried by an encrypted protocol.
Background technique
With the continuous development of information technology, information security problems have become increasingly prominent, and how to ensure the security of information systems has become a concern shared by the whole of society. Technical means such as anti-virus software, firewalls, IDS and IPS reduce the risk of external intrusion, but unclear responsibilities, incomplete security management systems and a lack of operability can all give rise to management risk. Statistics indicate that over 70% of information leaks are caused by the weak security awareness of internal employees, operational errors, or collusion between insiders and outsiders, and such leaks often affect the normal operation and sustainable development of an enterprise and cause it great loss. Controlling and auditing user access from the system-management side has therefore become particularly important.
Current business traffic is divided into unencrypted and encrypted data. To achieve full coverage of the business, eliminate blind spots in security monitoring and truly monitor all traffic from the management side, both kinds of data must be auditable and controllable. A plaintext protocol can be parsed directly according to the protocol format as long as the traffic can be captured. The ciphertext of an encrypted protocol cannot be parsed directly; the usual approach is to construct a man-in-the-middle proxy, rebuild the business flow through it, and audit and control the decrypted data at the proxy.
The traditional approach to auditing data of an encrypted protocol is shown in Fig. 1. It generally comprises the following steps:
1) The user's request is forwarded to the proxy program. Two modes are commonly used:
A) Portal mode: the portal displays the target applications the user may access; the user first accesses the portal, selects an application and is redirected to it. The proxy program must therefore also provide the portal, and a different portal for each kind of application: a web portal for the https web proxy, and a text-interface portal for the ssh encrypted protocol.
B) Plug-in mode: a plug-in installed on the user's terminal hooks and intercepts the user's access request to the target and redirects it to the proxy program. The user must install the plug-in on the terminal, and the plug-in must get past the checks of security products.
2) The proxy program obtains the proxy target. Two modes are likewise common:
A) The proxy program starts a different proxy port for each target, with the mapping loaded at startup. For example, with the configuration 2222=192.168.1.33:22, sshProxy listens on port 2222 at startup and, on receiving a request, actively connects to port 22 of 192.168.1.33.
B) When the proxy program is accessed, the target's information is sent to it, and the proxy program then accesses the target.
3) Man-in-the-middle proxying: once the proxy program has established the proxying session, it forwards the data, audits it according to its content, and controls the user's behaviour.
Although these solutions functionally achieve auditing and control of encrypted protocols, they have problems of user experience, audit efficiency, stability and compatibility, chiefly:
1) During forwarding of the user's request to the proxy:
A) Portal mode must provide a portal for each kind of application, which is a large development effort, and it changes the user's way of working, giving a poor experience.
B) Plug-in mode requires users to install a plug-in on their own terminals. It cannot be ruled out that a user uninstalls the plug-in, or that a security product intercepts it, so that the plug-in stops working and the user's access behaviour is no longer controlled; the user may still bypass the audit.
2) During the proxy program's acquisition of the proxy target:
A) With a port-per-target mapping, the proxy program must be configured with the mappings in advance; whenever a new application needs to be accessed, the configuration must be changed and the program restarted. This is a management burden, and as applications multiply the number of proxy ports that can be started is limited and the performance of the proxy program becomes a bottleneck.
B) With transmission of the target address, a sending function must be provided on the user side and a receiving function on the proxy side, which is a large development effort, and the instability of the user-to-proxy process described above carries over to this process.
Given these problems, the field needs an auditing method that is more convenient to use, more stable, and more comprehensive in auditing data.
Summary of the invention
The application provides a method for auditing data based on an encrypted protocol, comprising:
receiving, at a communication end, an encrypted data request packet from a requesting party, sending the packet to the virtual network interface of an audit end, and creating mapping relation 1 between the requesting party's address information and the target party's address information;
parsing and auditing the data in the encrypted request packet at the audit end, sending the audited encrypted request packet back to the communication end, and creating mapping relation 2 between the port of the virtual network interface and the requesting party's address information;
at the communication end, retrieving the requesting party's address information from mapping relation 2, replacing the request source address information in the encrypted request packet with it, and then sending the audited encrypted request packet to the target party;
receiving the target party's response packet at the communication end and sending it to the audit end;
parsing and auditing the encrypted data in the response packet at the audit end, and sending the audited response packet back to the communication end;
at the communication end, obtaining the target party's address information and the requesting party's address information from mapping relation 1, replacing the source address information of the response packet with the target party's address information, and sending the response packet to the requesting party.
The method further includes: after the communication end receives a data request packet from the requesting party, first judging the type of its destination address; if the destination address is a unicast address and not the address of the virtual network interface, judging whether the data in the request packet is encrypted; sending a packet judged unencrypted directly to its destination address, and sending a packet judged encrypted to the audit end for the subsequent audit procedure.
In the method, parsing of the encrypted data is performed at the audit end by an encrypted-protocol proxy program; data of the communication end is sent and received by calling the send and receive methods of the physical port; data of the audit end is sent and received by calling the send and receive methods of the virtual network interface.
In the method, pointers to packets are passed between the audit end and the communication end by way of a queue, and mapping relations 1 and 2 are built on a hash function.
In the method, if the encrypted request packet or the response packet fails the audit, a notice that the request is illegal is sent to the requesting party and the subsequent steps are not performed.
The application also discloses an apparatus for auditing data based on an encrypted protocol, comprising a communication end and an audit end.
The communication end comprises:
a data receiving/sending module, for transmitting data with the requesting party, the target party and the audit end, where transmission includes receiving, sending and returning data;
a data processing module, for parsing data at the communication end according to the encrypted protocol of the audit module, and reconstructing the data according to the address information of the requesting party, the target party and the virtual network interface of the audit end.
The audit end comprises:
a virtual network interface module, for creating the virtual network interface of the audit end, processing the communication-end data received by the virtual network interface, and transmitting the data to the communication end through the virtual network interface;
an audit module, for parsing and auditing, at the audit end, the data from the communication end delivered by the virtual network interface module, and returning the audit result to the communication end through the virtual network interface module.
In the apparatus, the data processing module further comprises: a virtual-interface address acquisition module, which sends a packet to the virtual interface through the data receiving/sending module, receives the returned packet and parses it to obtain the address information of the virtual network interface;
a data reconstruction module, which obtains the address information of the requesting party, the target party and the virtual network interface, establishes the mapping relations, and replaces the source information contained in the data; the mapping relations established comprise mapping relation 1 between the requesting party's address information and the target party's address information, and mapping relation 2 between the port of the virtual network interface and the requesting party's address information.
In the apparatus, the communication end also comprises a data judging module, which records the source address of data transmitted by the receiving/sending module and judges the type of its destination address; the data processing module processes the data according to the result of that judgement and hands the processed data to the data receiving/sending module for transmission.
In the apparatus, data whose destination address is judged to be a unicast address and to be the address of the virtual network interface is sent to that address;
data whose destination address is judged to be a unicast address and not the address of the virtual network interface is judged for encryption: data judged unencrypted is sent directly to its destination address, and data judged encrypted is sent to the virtual network interface address after the data processing module has reconstructed it.
In the apparatus, the audit module parses encrypted data by means of an encrypted-protocol proxy program;
the data receiving/sending module sends and receives data by calling the send and receive methods of the physical port;
the virtual network interface module sends and receives data by calling the send and receive methods of the virtual interface.
In the apparatus, pointers to packets are passed between the audit end and the communication end by way of a queue; the data processing module and the virtual network interface module build mapping relation 1 and mapping relation 2, respectively, on a hash function.
In the apparatus, if the audit module determines that the encrypted request packet or the response packet fails the audit, it sends a notice to the requesting party that the request is illegal.
The application also discloses a storage medium on which a program for executing the above method is recorded.
Compared with the prior art, the method and apparatus of the application have the following advantages:
1. The invention (for example the apparatus of the invention) can be deployed at the boundary of the local area network; no plug-in need be installed on the user's terminal, no complicated proxy policy need be configured, and the user is unaware of the audit procedure.
2. In the solution of the invention, the user terminal, the audit device and the target are physically in series, which prevents the user from bypassing the audit.
3. System resources are saved: the audit program of the invention need only be started once per protocol, and for a given proxy type no separate proxy port has to be created for each target (as in Fig. 1), which reduces system overhead.
4. The solution of the invention uses the proxy program on the existing kernel protocol stack and does not require developing a protocol stack and a proxy program on top of it in user space, which greatly shortens the development cycle and avoids the instability of a self-developed TCP/IP stack.
Brief description of the drawings
The drawings serve only to illustrate a preferred embodiment and are not to be taken as limiting the application. Throughout the drawings the same reference numerals denote the same parts. In the drawings:
Fig. 1 is a flow diagram of auditing data of an encrypted protocol in the prior art;
Fig. 2 is a flow chart of an embodiment of the method 10 of the application for auditing data based on an encrypted protocol;
Fig. 3 is a structural diagram of an embodiment of the apparatus 20 of the application for auditing data based on an encrypted protocol.
Detailed description
To make the above objects, features and advantages of the application clearer, the application is described in further detail below with reference to the drawings and specific embodiments.
First, the terms used in this application are explained as follows:
A MAC (Media Access Control, or Medium Access Control) address, also called a physical or hardware address, identifies the position of a network device. Each network interface card has a MAC address, which is determined by the card and fixed. In this invention SMAC, VMAC and DMAC denote the MAC addresses of the requesting party, the virtual network interface and the target party, respectively.
DPDK (Data Plane Development Kit) is a set of function libraries and drivers for fast packet processing developed by 6WIND, Intel and other companies, and runs mainly on Linux systems. It can greatly improve packet-processing performance and throughput and the working efficiency of data-plane applications.
The KNI (Kernel NIC Interface) mechanism allows packets to re-enter the kernel protocol stack: it creates a virtual device used to send and receive packets, so that the protocols already implemented by the kernel itself can be used. KNI consists of two parts, a kernel-space module and a user-space module. By creating a KNI interface context, pointers to packets are passed between kernel space and user space by way of a queue, which avoids copying and improves proxy efficiency.
In the description of this application, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or the number of the features indicated; a feature qualified by "first" or "second" may explicitly or implicitly include one or more of that feature. "A plurality" means two or more unless specifically defined otherwise. The terms "include", "comprise" and similar terms are to be understood as open-ended, that is, "including but not limited to". The term "based on" means "based at least in part on". The term "an embodiment" means "at least one embodiment"; "another embodiment" means "at least one other embodiment". Related definitions of other terms are given in the description below.
A flow chart of a method according to an embodiment of the invention for auditing data based on an encrypted protocol, suitable for solving the technical problem above, is described below with reference to Fig. 2. As shown in Fig. 2, the method 10 of this embodiment begins at step S101: an encrypted data request packet from the requesting party is received at the communication end and sent to the virtual network interface of the audit end, and mapping relation 1 between the requesting party's address information and the target party's address information is created. Specifically, the physical port of the communication end receives the encrypted data request packet sent by the requesting party, records the relevant information of the packet, such as the source information SMAC, SIP and Sport and the target party's information DMAC, DIP and Dport, creates a mapping relation from this information, for example a hash-based mapping Hash1 in which SIP and Sport are the key and DMAC, DIP and Dport are the hash value, and sends the encrypted request packet to the audit end.
In an embodiment of the invention, data of the communication end is sent and received by calling the send and receive methods of the physical port, such as rte_eth_rx_burst and rte_eth_tx_burst.
In an embodiment of the invention, data of the audit end is sent and received by calling the send and receive methods of the virtual network interface, such as rte_kni_rx_burst and rte_kni_tx_burst.
In an embodiment of the invention, the method may further include: after the communication end receives a data request packet from the requesting party, first judging the type of its destination address; if the destination address is a unicast address and not the address of the virtual network interface, judging whether the data in the request packet is encrypted; sending a packet judged unencrypted directly to the destination address, and sending a packet judged encrypted to the audit end for the subsequent audit procedure. Specifically, the DMAC of the request packet is identified first; if it equals the VMAC of the audit end's virtual network interface, the packet is sent to that interface; if not, the packet is examined: it is sent to the virtual network interface of the audit end if it is an encrypted data request packet, and to the target party if it is not encrypted data.
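The judging step described above, as an added C example that is not code from the patent or its assignee: it classifies constructed Ethernet/IPv4/TCP frames the way the communication end does (DMAC equal to VMAC, unicast check, encryption judgement). The page does not say how the encryption judgement is made; the heuristic used here (a TLS record header or an SSH identification string in the payload, and, for a segment carrying no payload, destination port 22 or 443) is an assumption, as are the VMAC value, the sample frames and all helper names. The example also makes a caveat visible: the first segments of a TCP connection carry no data, so a purely per-packet content judgement cannot decide them, and without the port fallback the SYN would already have gone straight to the target before any ClientHello or SSH banner is seen.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts of the communication end's judging step. */
enum verdict { TO_AUDIT_END = 1, TO_TARGET = 2, PASS_THROUGH = 3 };

/* VMAC of the audit end's virtual interface: a constructed value, not from the page. */
static const uint8_t VMAC[6] = { 0x02, 0x00, 0x00, 0xaa, 0xbb, 0xcc };

/* Locate the TCP payload of an Ethernet/IPv4/TCP frame, honouring IP and TCP options.
   Returns NULL when the frame is not IPv4/TCP or its header lengths do not fit the buffer. */
static const uint8_t *tcp_payload(const uint8_t *f, size_t len, size_t *plen, uint16_t *dport)
{
    if (len < 34 || f[12] != 0x08 || f[13] != 0x00) return NULL;          /* not IPv4 */
    size_t ihl = (size_t)(f[14] & 0x0f) * 4, total = ((size_t)f[16] << 8) | f[17];
    if ((f[14] >> 4) != 4 || ihl < 20 || f[23] != 6) return NULL;          /* not TCP */
    if (14 + total > len || ihl + 20 > total) return NULL;                  /* truncated */
    const uint8_t *tcp = f + 14 + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > total) return NULL;
    *dport = (uint16_t)((tcp[2] << 8) | tcp[3]);
    *plen = total - ihl - doff;
    return tcp + doff;
}

/* Encryption judgement (assumption; the page does not say how it is made):
   a TLS record header (content type 0x16, version 3.x) or an SSH identification string. */
static int looks_encrypted(const uint8_t *p, size_t n)
{
    if (n >= 3 && p[0] == 0x16 && p[1] == 0x03 && p[2] <= 0x04) return 1;
    if (n >= 4 && memcmp(p, "SSH-", 4) == 0) return 1;
    return 0;
}

/* The judging step: DMAC == VMAC -> audit end; non-unicast -> left alone; unicast -> judge the data.
   A segment without payload (e.g. the SYN) cannot be judged by content, so the example falls
   back to the destination port (22 or 443): an assumption, and the weak point of per-packet judging. */
static enum verdict classify(const uint8_t *f, size_t len)
{
    if (len < 14) return PASS_THROUGH;
    if (memcmp(f, VMAC, 6) == 0) return TO_AUDIT_END;
    if (f[0] & 0x01) return PASS_THROUGH;                 /* group bit set: multicast or broadcast */
    size_t n = 0; uint16_t dport = 0;
    const uint8_t *p = tcp_payload(f, len, &n, &dport);
    if (p == NULL) return TO_TARGET;                      /* not TCP: treated as unencrypted data */
    if (n == 0) return (dport == 22 || dport == 443) ? TO_AUDIT_END : TO_TARGET;
    return looks_encrypted(p, n) ? TO_AUDIT_END : TO_TARGET;
}

/* Minimal frame builder for the constructed samples (no options; checksums left zero). */
static size_t make_frame(uint8_t *f, const uint8_t dmac[6], uint16_t dport, const char *payload)
{
    size_t n = strlen(payload), total = 40 + n;
    memset(f, 0, 14 + total);
    memcpy(f, dmac, 6); f[12] = 0x08; f[13] = 0x00;                        /* EtherType IPv4 */
    f[14] = 0x45; f[16] = (uint8_t)(total >> 8); f[17] = (uint8_t)total;   /* IHL 5, total length */
    f[22] = 64; f[23] = 6;                                                  /* TTL, protocol TCP */
    f[36] = (uint8_t)(dport >> 8); f[37] = (uint8_t)dport; f[46] = 0x50;   /* dst port, data offset 5 */
    memcpy(f + 54, payload, n);
    return 14 + total;
}

/* Five constructed sample frames, selected by index. */
enum verdict classify_sample(int which)
{
    static const uint8_t other[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };  /* a unicast MAC != VMAC */
    static const uint8_t bcast[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
    uint8_t f[128]; size_t len;
    switch (which) {
    case 0:  len = make_frame(f, VMAC,  8080, "anything");        break;  /* addressed to the virtual interface */
    case 1:  len = make_frame(f, other, 443,  "\x16\x03\x01");    break;  /* TLS handshake record header */
    case 2:  len = make_frame(f, other, 80,   "GET / HTTP/1.1");  break;  /* plaintext HTTP */
    case 3:  len = make_frame(f, other, 22,   "");                break;  /* empty segment to port 22 */
    default: len = make_frame(f, bcast, 80,   "");                break;  /* broadcast */
    }
    return classify(f, len);
}

int main(void)
{
    static const char *name[] = { "", "TO_AUDIT_END", "TO_TARGET", "PASS_THROUGH" };
    for (int i = 0; i < 5; i++) printf("sample %d -> %s\n", i, name[classify_sample(i)]);
    return 0;
}
```

Running the block prints one verdict per sample: the frame addressed to VMAC and the TLS frame go to the audit end, the plaintext HTTP frame goes straight to the target, the empty segment to port 22 goes to the audit end only because of the port fallback, and the broadcast frame is left alone.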
In an embodiment of the invention, the virtual network interface may be started by the KNI of DPDK.
After step S101, step S103 is executed: the data in the encrypted request packet is parsed and audited at the audit end, the audited encrypted request packet is sent to the communication end, and mapping relation 2 between the port of the virtual network interface and the requesting party's address information is created. Specifically, the audit end receives, through the virtual network interface, the encrypted request packet sent by the communication end, parses and audits it, returns the audited packet to the communication end, and creates a mapping relation such as a hash-based mapping Hash2 in which the virtual-interface port Vport is the key and SMAC, SIP and Sport are the hash value.
In an embodiment of the invention, if the request packet fails the audit, the current data request is intercepted; optionally, a notice that the request is illegal is returned to the requesting party.
In an embodiment of the invention, if the request packet contains several data requests and some of them fail the audit, the request packet is reconstructed by deleting the request content that failed, and the reconstructed packet is returned to the communication end to continue the subsequent steps; alternatively the whole data request is intercepted. Correspondingly, a notice that part of the request, or the whole request, is illegal may be returned to the requesting party.
In an embodiment of the invention, the audit may be implemented by pushing the encrypted protocol into the kernel protocol stack of the operating system and using third-party software such as LibSSH or Nginx to parse and recover the protocol, thereby auditing the encrypted protocol.
After step S103, step S105 is executed: at the communication end, the requesting party's address information is retrieved from mapping relation 2, the request source address information in the encrypted request packet is replaced with it, and the audited encrypted request packet is sent to the target party. Specifically, SMAC, SIP and Sport are obtained from Hash2, the request source information of the audited encrypted request packet is replaced with SMAC, SIP and Sport, and the packet is sent to the target party, so that the target party, on receiving the encrypted request packet, judges its source to be the requesting party.
After step S105, step S107 is executed: the response packet of the target party is received at the communication end and sent to the audit end. Specifically, after receiving the encrypted request packet the target party generates a corresponding response packet according to the request and returns it to the communication end, which then sends it to the audit end for the subsequent audit step.
After step S107, step S109 is executed: the encrypted data in the response packet is parsed and audited at the audit end, and the audited response packet is sent to the communication end. Specifically, the audit end receives the response packet, parses and audits its content, and returns it to the communication end if it passes the audit.
In an embodiment of the invention, if the response packet fails the audit, the current data response is intercepted; optionally, a notice that the request is illegal is returned to the requesting party.
In an embodiment of the invention, if the response packet contains the response data of several data requests and the response data of some of them fails the audit, the response packet is reconstructed by deleting the response content that failed, and the reconstructed packet is returned to the communication end to continue the subsequent steps; alternatively the whole response is intercepted. Correspondingly, a notice that part of the request, or the whole request, is illegal may be returned to the requesting party.
After step S109, step S111 is executed: at the communication end, the target party's address information and the requesting party's address information are obtained from mapping relation 1, the source address information of the response packet is replaced with the target party's address information, and the response packet is sent to the requesting party. Specifically, the communication end receives the response packet, obtains DMAC, DIP, Dport, SIP and Sport from Hash1, reconstructs the response packet by replacing its source information with DMAC, DIP and Dport, and sends it to the requesting party according to SIP and Sport.
In an embodiment of the invention, pointers to packets may be passed between the audit end and the communication end by way of a queue.
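Steps S101 to S111 above, worked through as an added C example that is not the patent's or the assignee's code. It keeps the two hash-based mapping relations (Hash1 keyed on SIP and Sport, Hash2 keyed on Vport), performs the two source rewrites on constructed Ethernet/IPv4/TCP frames, and recomputes the IPv4 and TCP checksums, which any rewrite of addresses or ports must do and which the page does not mention. Assumptions of the example: IPv4 without IP options (fixed header offsets), a tiny open-addressing table standing in for a DPDK hash, the MAC/IP/port values, the shape of the frames leaving the virtual interface (the page does not say how the response is steered to the proxy socket, so the audited response is simply constructed with the proxy as source), and all helper names; no rte_eth_*/rte_kni_* calls are used so that the example runs without DPDK. One caveat the example makes visible: Hash1 is keyed on the requesting party's SIP and Sport alone, so a client that reuses a source port towards a different target overwrites the earlier entry; keying on the full four-tuple avoids that.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed offsets for Ethernet/IPv4 (no options)/TCP frames: an assumption of this example. */
enum { ETH_DST = 0, ETH_SRC = 6, IP_HDR = 14, IP_CSUM = 24, IP_SRC = 26, IP_DST = 30,
       TCP_HDR = 34, TCP_SRC = 34, TCP_DST = 36, TCP_CSUM = 50, PAYLOAD = 54 };

/* An endpoint as the patent names them: (S|V|D)MAC, (S|V|D)IP, (S|V|D)port, in network byte order. */
typedef struct { uint8_t mac[6], ip[4], port[2]; } endpoint_t;   /* 12 bytes, no padding */
#define ENDPOINT_EQ(a, b) (memcmp((a), (b), sizeof(endpoint_t)) == 0)

/* Tiny open-addressing table keyed on (ip, port); never filled in this demo. */
#define SLOTS 64
typedef struct { int used; uint8_t key[6]; endpoint_t value; } slot_t;
typedef struct { slot_t s[SLOTS]; } table_t;

static table_t hash1;   /* mapping relation 1: key (SIP, Sport) -> (DMAC, DIP, Dport) */
static table_t hash2;   /* mapping relation 2: key (0, Vport)   -> (SMAC, SIP, Sport) */
static const uint8_t ZERO_IP[4] = { 0, 0, 0, 0 };

static unsigned probe(const table_t *t, const uint8_t key[6])
{
    uint32_t h = 2166136261u;                                   /* FNV-1a over the 6 key bytes */
    for (int i = 0; i < 6; i++) h = (h ^ key[i]) * 16777619u;
    unsigned i = h & (SLOTS - 1);
    while (t->s[i].used && memcmp(t->s[i].key, key, 6) != 0) i = (i + 1) & (SLOTS - 1);  /* linear probing */
    return i;                                                   /* slot holding key, or first free slot */
}
static void table_put(table_t *t, const uint8_t ip[4], const uint8_t port[2], const endpoint_t *v)
{
    uint8_t key[6]; memcpy(key, ip, 4); memcpy(key + 4, port, 2);
    unsigned i = probe(t, key);
    t->s[i].used = 1; memcpy(t->s[i].key, key, 6); t->s[i].value = *v;
}
static const endpoint_t *table_get(const table_t *t, const uint8_t ip[4], const uint8_t port[2])
{
    uint8_t key[6]; memcpy(key, ip, 4); memcpy(key + 4, port, 2);
    unsigned i = probe(t, key);
    return t->s[i].used ? &t->s[i].value : NULL;
}

static endpoint_t frame_src(const uint8_t *f) { endpoint_t e; memcpy(e.mac, f + ETH_SRC, 6); memcpy(e.ip, f + IP_SRC, 4); memcpy(e.port, f + TCP_SRC, 2); return e; }
static endpoint_t frame_dst(const uint8_t *f) { endpoint_t e; memcpy(e.mac, f + ETH_DST, 6); memcpy(e.ip, f + IP_DST, 4); memcpy(e.port, f + TCP_DST, 2); return e; }
static void frame_set_src(uint8_t *f, const endpoint_t *e) { memcpy(f + ETH_SRC, e->mac, 6); memcpy(f + IP_SRC, e->ip, 4); memcpy(f + TCP_SRC, e->port, 2); }

/* Internet checksum: rewriting addresses or ports invalidates both the IPv4 and the TCP checksum. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc)
{
    for (size_t i = 0; i + 1 < n; i += 2) acc += ((uint32_t)p[i] << 8) | p[i + 1];
    return (n & 1) ? acc + ((uint32_t)p[n - 1] << 8) : acc;
}
static uint16_t fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)~s; }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

static void fix_checksums(uint8_t *f, size_t len)
{
    uint32_t tcp_len = (uint32_t)(len - TCP_HDR);
    put16(f + IP_CSUM, 0);  put16(f + IP_CSUM, fold(sum16(f + IP_HDR, 20, 0)));
    put16(f + TCP_CSUM, 0); /* TCP pseudo-header: src IP, dst IP, protocol 6, TCP length */
    put16(f + TCP_CSUM, fold(sum16(f + TCP_HDR, tcp_len, sum16(f + IP_SRC, 8, 0) + 6 + tcp_len)));
}
/* With a valid checksum the one's-complement sum over the covered bytes is 0xffff, so fold() yields 0. */
int checksums_ok(const uint8_t *f, size_t len)
{
    uint32_t tcp_len = (uint32_t)(len - TCP_HDR);
    return fold(sum16(f + IP_HDR, 20, 0)) == 0 &&
           fold(sum16(f + TCP_HDR, tcp_len, sum16(f + IP_SRC, 8, 0) + 6 + tcp_len)) == 0;
}

static size_t build_frame(uint8_t *f, const endpoint_t *src, const endpoint_t *dst, const char *payload)
{
    size_t n = strlen(payload), len = PAYLOAD + n;
    memset(f, 0, len);
    memcpy(f + ETH_DST, dst->mac, 6); memcpy(f + ETH_SRC, src->mac, 6); put16(f + 12, 0x0800);
    f[IP_HDR] = 0x45; put16(f + 16, (uint16_t)(len - 14)); f[22] = 64; f[23] = 6;        /* IHL 5, TTL, TCP */
    memcpy(f + IP_SRC, src->ip, 4); memcpy(f + IP_DST, dst->ip, 4);
    memcpy(f + TCP_SRC, src->port, 2); memcpy(f + TCP_DST, dst->port, 2); f[46] = 0x50; f[47] = 0x18; /* doff 5, PSH|ACK */
    memcpy(f + PAYLOAD, payload, n);
    fix_checksums(f, len);
    return len;
}

/* S101: request arrives on the physical port; Hash1[(SIP,Sport)] = (DMAC,DIP,Dport). */
static void s101_record_request(const uint8_t *f)
{ endpoint_t s = frame_src(f), d = frame_dst(f); table_put(&hash1, s.ip, s.port, &d); }
/* S103: audited request leaves the virtual interface with source (VMAC,VIP,Vport); Hash2[Vport] = (SMAC,SIP,Sport). */
static void s103_record_vport(const uint8_t *f, const endpoint_t *requester)
{ endpoint_t v = frame_src(f); table_put(&hash2, ZERO_IP, v.port, requester); }
/* S105: source (VMAC,VIP,Vport) -> (SMAC,SIP,Sport) via Hash2, so the target sees the requesting party. */
static int s105_rewrite_request(uint8_t *f, size_t len)
{
    endpoint_t v = frame_src(f);
    const endpoint_t *r = table_get(&hash2, ZERO_IP, v.port);
    if (!r) return -1;
    frame_set_src(f, r); fix_checksums(f, len); return 0;
}
/* S111: audited response is addressed to (SIP,Sport); source -> (DMAC,DIP,Dport) from Hash1. */
static int s111_rewrite_response(uint8_t *f, size_t len)
{
    endpoint_t d = frame_dst(f);
    const endpoint_t *t = table_get(&hash1, d.ip, d.port);
    if (!t) return -1;
    frame_set_src(f, t); fix_checksums(f, len); return 0;
}

/* Constructed end-to-end walk; returns 0 on success or the number of the check that failed. */
int run_demo(void)
{
    const endpoint_t client = { {0x52,0x54,0,0,0,0x01}, {10,0,0,5}, {0x9c,0x40} };    /* SMAC, SIP, Sport 40000 */
    const endpoint_t proxy  = { {0x02,0,0,0xaa,0xbb,0xcc}, {10,0,0,7}, {0xc3,0x50} }; /* VMAC, VIP, Vport 50000 */
    const endpoint_t target = { {0x52,0x54,0,0,0,0x09}, {10,0,0,9}, {0x00,0x16} };    /* DMAC, DIP, Dport 22 */
    uint8_t f[128]; endpoint_t e;
    size_t len = build_frame(f, &client, &target, "SSH-2.0-client");   /* S101: original request */
    s101_record_request(f);
    len = build_frame(f, &proxy, &target, "SSH-2.0-client");           /* S103: audited copy from the KNI (assumed shape) */
    s103_record_vport(f, &client);
    if (s105_rewrite_request(f, len) != 0) return 1;
    e = frame_src(f); if (!ENDPOINT_EQ(&e, &client) || !checksums_ok(f, len)) return 2;
    len = build_frame(f, &proxy, &client, "SSH-2.0-server");           /* S109 output: audited response (assumed shape) */
    if (s111_rewrite_response(f, len) != 0) return 3;
    e = frame_src(f); if (!ENDPOINT_EQ(&e, &target) || !checksums_ok(f, len)) return 4;
    e = frame_dst(f); return ENDPOINT_EQ(&e, &client) ? 0 : 5;
}

int main(void) { printf("demo result: %d\n", run_demo()); return 0; }
```

After S105 the target receives a frame whose source is the requesting party's SMAC/SIP/Sport, and after S111 the requesting party receives a frame whose source is the target's DMAC/DIP/Dport, with both checksums valid; a lookup miss in either table makes the rewrite fail rather than forward a half-rewritten frame.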
It is corresponding with above-mentioned method 10, the present invention also provides a kind of embodiment, be suitable for solve above-mentioned technical problem The device 20 based on cryptographic protocol Audit data.Referring to Fig. 3, the device 20 include: communication ends 201 and audit end 202, it is described Communication ends include data receiver sending module 2011 and data processing module 2012;The audit end includes virtual network port module 2021 and Audit Module 2022;Wherein the data receiver sending module 2011 is for requesting communication party, destinations traffic side and institute The transmission that audit end 202 carries out data is stated, the transmission of the data includes to receive data, send data, returned data;The number It is used to parse the data according to the cryptographic protocol in Audit Module 2022 in the communication ends 201 according to processing module 2012, and The data are reconstructed according to the address information of request communication party, destinations traffic side, end virtual network port of auditing;The virtual net mouth mold Block 2021 is used to create the data of virtual network port, the processing received communication ends 201 of virtual network port at audit end 202, and The transmission of the data is carried out by the virtual network port and the communication ends 201;The Audit Module 2022 is used for described Data from communication ends 201 of 202 pairs of the audit end by the virtual network port module 2021 transmission are parsed and are audited, and The result of audit is returned into the communication ends 201 by the virtual network port module 2021.It is described in detail below:
Corresponding to above step 101, the data receiver sending module 2011 of communication ends 202 is received from request communication party's Encryption data request packet, and by the encryption data request packet be sent to it is described audit end virtual network port, data processing module The mapping relations of correspondent addresses information and destinations traffic side's address information are requested described in data reconstruction module creation in 2012 1;Can specifically include: data receiver sending module 2011 receives the encryption data that request communication party sends by physical internet ports Request packet, the data reconstruction module in data processing module 2012 obtain encryption data request packet source-information SMAC, SIP and Sport, address information DMAC, DIP and Dport of destinations traffic side etc., and according to these information creatings based on hash function Mapping relations Hash1, encryption data request packet is sent to audit end 202 by data receiver sending module 2011 later.
In an embodiment according to the present invention, reception and hair of the data receiver sending module 2011 by calling physical port Delivery method such as rte_eth_rx_burst and rte_eth_tx_burst carry out sending and receiving for the data of communication ends 201.
In an embodiment according to the present invention, the virtual network port module 2021 sends and receives the data of the audit end 202 by calling the receive and send methods of the virtual network port, such as rte_kni_rx_burst and rte_kni_tx_burst.
In an embodiment according to the present invention, the communication end 201 of the device of the present invention may further include a data judging module 2013 for handling the case where it is uncertain whether the requested data is encrypted. If the data judging module 2013 determines the destination address type to be a unicast address that is not the virtual network port address, the data judging module 2013 performs an encryption judgement on the data in the data request packet; a packet judged to be unencrypted is sent directly to the destination address by the data receiving and sending module 2011, and a packet judged to be encrypted is sent to the audit end for the subsequent audit procedure. Specifically, this may be: the data judging module 2013 of the communication end 201 first identifies the DMAC address of the data request packet; if the DMAC address is identical to the VMAC address of the audit end's virtual network port, the data receiving and sending module 2011 sends the data request packet to the audit end's virtual network port; if it is not identical and the address is a unicast address, the data judging module 2013 continues to judge the data request packet: if the data request packet is an encrypted data request packet, the data receiving and sending module 2011 sends it to the audit end's virtual network port, and if the audit module 2022 determines that the data request packet is not encrypted data, the data receiving and sending module 2011 sends it to the destination communication party.
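As an added example (not code from the patent or from its assignee), the following C program reproduces the decision order of the data judging module 2013 in plain C without DPDK: first the DMAC is compared with the audit end's VMAC, then only unicast packets receive the encryption judgement. The page does not specify how that judgement is made; the TLS record header and SSH banner checks below are this example's assumption, as is the NOT_HANDLED result for non-unicast traffic, which the text does not cover. The MAC addresses and sample payloads are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Disposition of a request packet arriving at the communication end. */
enum disposition {
    TO_AUDIT_PORT,  /* hand to the audit end's virtual network port */
    TO_DESTINATION, /* judged plaintext: forward directly to the destination address */
    NOT_HANDLED     /* non-unicast: not covered by the text, left to the caller (assumption) */
};

/* Minimal view of a request packet: destination MAC plus payload (constructed for this example). */
struct request_pkt {
    uint8_t dmac[6];
    const uint8_t *payload;
    size_t payload_len;
};

/* A MAC address is unicast when the group bit (LSB of the first octet) is clear. */
static bool mac_is_unicast(const uint8_t mac[6]) {
    return (mac[0] & 0x01) == 0;
}

/* Encryption judgement (assumed heuristic, not the patent's): a TLS record header
 * (handshake 0x16 or application data 0x17, version 0x0300..0x0304) or an SSH banner. */
static bool looks_encrypted(const uint8_t *p, size_t n) {
    if (n >= 3 && (p[0] == 0x16 || p[0] == 0x17) && p[1] == 0x03 && p[2] <= 0x04)
        return true;
    return n >= 4 && memcmp(p, "SSH-", 4) == 0;
}

/* Decision sequence of the data judging module as the text describes it. */
enum disposition classify_request(const struct request_pkt *pkt, const uint8_t vmac[6]) {
    if (memcmp(pkt->dmac, vmac, 6) == 0)          /* addressed to the audit port itself */
        return TO_AUDIT_PORT;
    if (!mac_is_unicast(pkt->dmac))                /* only unicast gets the encryption check */
        return NOT_HANDLED;
    return looks_encrypted(pkt->payload, pkt->payload_len) ? TO_AUDIT_PORT : TO_DESTINATION;
}

/* Constructed sample traffic (locally administered MACs, not from the patent). */
static const uint8_t SAMPLE_VMAC[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0xfe};
static const uint8_t TLS_HELLO[]    = {0x16, 0x03, 0x01, 0x00, 0x05, 0x01};
static const uint8_t SSH_BANNER[]   = "SSH-2.0-OpenSSH_8.9";
static const uint8_t HTTP_GET[]     = "GET / HTTP/1.1\r\n";

static const struct request_pkt SAMPLE_TO_VMAC = {{0x02, 0, 0, 0, 0, 0xfe}, HTTP_GET, sizeof HTTP_GET - 1};
static const struct request_pkt SAMPLE_TLS     = {{0x02, 0, 0, 0, 0, 0x14}, TLS_HELLO, sizeof TLS_HELLO};
static const struct request_pkt SAMPLE_SSH     = {{0x02, 0, 0, 0, 0, 0x14}, SSH_BANNER, sizeof SSH_BANNER - 1};
static const struct request_pkt SAMPLE_PLAIN   = {{0x02, 0, 0, 0, 0, 0x14}, HTTP_GET, sizeof HTTP_GET - 1};
static const struct request_pkt SAMPLE_BCAST   = {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, HTTP_GET, sizeof HTTP_GET - 1};

int main(void) {
    static const char *names[] = {"TO_AUDIT_PORT", "TO_DESTINATION", "NOT_HANDLED"};
    const struct request_pkt *samples[] = {&SAMPLE_TO_VMAC, &SAMPLE_TLS, &SAMPLE_SSH,
                                           &SAMPLE_PLAIN, &SAMPLE_BCAST};
    for (size_t i = 0; i < 5; i++)
        printf("sample %zu -> %s\n", i, names[classify_request(samples[i], SAMPLE_VMAC)]);
    return 0;
}
```

The judgement is only a triage step on the first packet: anything it misclassifies as plaintext is forwarded without ever reaching the audit end, so a deployment should record every TO_DESTINATION decision for later review rather than treat the heuristic as authoritative.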
In an embodiment according to the present invention, the virtual network port module 2021 may start the virtual network port through the KNI of DPDK.
Then, corresponding to step 103 above, the audit module 2022 parses and audits the data in the encrypted data request packet, after which the virtual network port module 2021 sends the audited encrypted data request packet to the communication end while mapping relation 2 is created. Specifically, this may include: the virtual network port module 2021 receives the encrypted data request packet sent by the data receiving and sending module 2011; the audit module 2022 parses and audits the request packet; the virtual network port module 2021 then returns the audited encrypted data request packet to the communication end 201, while the data reconstruction module creates a mapping relation, for example a mapping relation Hash2 based on a hash function, in which the virtual network port's port Vport is the key and SMAC, SIP and Sport are the hash value.
In an embodiment according to the present invention, if the request packet fails the audit, the audit module 2022 intercepts that specific data request; optionally, the audit module 2022 creates a request-illegal notice, the virtual network port module 2021 sends the notice to the data receiving and sending module 2011, and the data receiving and sending module 2011 then sends the notice to the requesting communication party.
In an embodiment of the present invention, if the request packet contains multiple data requests and some of them fail the audit, the audit module 2022 reconstructs the request packet by deleting the request content that failed the audit and then sends the reconstructed request packet to the data receiving and sending module 2011; the virtual network port module 2021 returns the reconstructed request packet to the data receiving and sending module 2011, which continues with the subsequent steps. Alternatively, the audit module 2022 intercepts the whole data request. Correspondingly, the audit module 2022 may create a notice that the request, or part of it, is illegal; the virtual network port module 2021 sends the notice to the data receiving and sending module 2011, and the data receiving and sending module 2011 then sends the notice to the requesting communication party.
In an embodiment of the present invention, the audit module 2022 may implement the audit as follows: the encryption protocol is pushed to the kernel protocol stack of the operating system in use, and the protocol is parsed and restored by third-party programs such as LibSSH and Nginx, thereby achieving the purpose of auditing the encryption protocol.
Then, corresponding to step 105 above, the data reconstruction module obtains SMAC, SIP and Sport based on Hash2 and replaces the request source information in the encrypted request packet with SMAC, SIP and Sport; the data receiving and sending module 2011 then sends the encrypted request packet to the destination communication party. Specifically, this may include: the data receiving and sending module 2011 receives the audited encrypted request packet; the data reconstruction module replaces the request source information with SMAC, SIP and Sport; the data receiving and sending module 2011 then sends the encrypted request packet to the destination communication party, so that the destination communication party, on receiving the encrypted data request packet, judges its source to be the requesting communication party.
Then, corresponding to step S107 above, the data receiving and sending module 2011 receives the response data packet of the destination communication party and sends the response data packet to the virtual network port module 2021. Specifically, this may include: after receiving the encrypted data request packet, the destination communication party generates a corresponding response data packet according to the request and returns the response data packet to the communication end; after the data receiving and sending module 2011 receives the response data packet, it sends it to the virtual network port module 2021, and the audit module 2022 then performs the subsequent audit step.
Then, corresponding to step S109 above, the audit module 2022 parses and audits the encrypted data in the response data packet, after which the virtual network port module 2021 sends the audited response data packet to the communication end. Specifically, this may include: the virtual network port module 2021 receives the response data packet; the audit module 2022 parses the response data packet and audits its content; if the response data packet passes the audit, the virtual network port module 2021 returns it to the communication end.
In an embodiment according to the present invention, if the response data packet fails the audit, the audit module 2022 intercepts the current data response; optionally, the audit module 2022 creates a request-illegal notice, the virtual network port module 2021 sends the notice to the data receiving and sending module 2011, and the data receiving and sending module 2011 then sends the notice to the requesting communication party.
In an embodiment of the present invention, if the response data packet contains the response data of multiple data requests and the response data of some of the requests fail the audit, the audit module 2022 reconstructs the response data packet by deleting the response content that failed the audit; the virtual network port module 2021 then returns the reconstructed packet to the data receiving and sending module 2011, which continues with the subsequent steps. Alternatively, the audit module 2022 intercepts the whole data request. Correspondingly, the audit module 2022 may create a notice that the request, or part of it, is illegal; the virtual network port module 2021 sends the notice to the data receiving and sending module 2011, and the data receiving and sending module 2011 then sends the notice to the requesting communication party.
Then, corresponding to step S111 above, the data reconstruction module obtains DMAC, DIP, Dport, SIP and Sport based on Hash1 and replaces the source information of the response data packet with DMAC, DIP and Dport; the data receiving and sending module 2011 then sends the response data packet to the requesting communication party. Specifically, this may include: the data receiving and sending module 2011 receives the response data packet; the data reconstruction module then obtains the DMAC, DIP, Dport, SIP and Sport data based on Hash1 and reconstructs the response data packet, replacing its source information with DMAC, DIP and Dport; finally the data receiving and sending module 2011 sends the response data packet to the requesting communication party according to SIP and Sport.
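As an added worked example (not code from the patent or from its assignee), the following C program models the two hash-based mapping relations and the two source rewrites described for steps 101, 103, 105 and S111 above. It assumes that mapping relation 1 is keyed on the requester's (SMAC, SIP, Sport) triple and is looked up from the response packet's destination, that the audited request re-emitted by the audit end carries the virtual port number Vport as its source port, and that a fixed-size linear-probing table is enough; the MAC and IP addresses are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MAC/IP/port triple, the address information the patent works with. */
struct addr { uint8_t mac[6]; uint32_t ip; uint16_t port; };
/* Header view of a packet: only the fields the rewrite touches. */
struct pkt { struct addr src; struct addr dst; };

#define SLOTS 64  /* toy table size; a real table also needs entry expiry */

/* Mapping relation 1: requester triple -> destination triple. */
static struct { bool used; struct addr req, dst; } hash1[SLOTS];
/* Mapping relation 2: virtual network port number Vport -> requester triple. */
static struct { bool used; uint16_t vport; struct addr req; } hash2[SLOTS];

/* FNV-1a over raw bytes; any reasonable hash function would do here. */
static uint32_t fnv1a(const void *data, size_t n) {
    const uint8_t *p = data;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

static bool addr_eq(const struct addr *a, const struct addr *b) {
    return memcmp(a->mac, b->mac, 6) == 0 && a->ip == b->ip && a->port == b->port;
}

/* Hash field by field so struct padding never becomes part of the key. */
static uint32_t addr_hash(const struct addr *a) {
    return fnv1a(a->mac, 6) ^ fnv1a(&a->ip, sizeof a->ip) ^ fnv1a(&a->port, sizeof a->port);
}

/* Step 101: record who asked for which destination (Hash1). */
bool hash1_insert(const struct addr *req, const struct addr *dst) {
    uint32_t i = addr_hash(req) % SLOTS;
    for (uint32_t n = 0; n < SLOTS; n++, i = (i + 1) % SLOTS)   /* linear probing */
        if (!hash1[i].used || addr_eq(&hash1[i].req, req)) {
            hash1[i].used = true; hash1[i].req = *req; hash1[i].dst = *dst;
            return true;
        }
    return false;  /* table full */
}

bool hash1_lookup(const struct addr *req, struct addr *dst_out) {
    uint32_t i = addr_hash(req) % SLOTS;
    for (uint32_t n = 0; n < SLOTS && hash1[i].used; n++, i = (i + 1) % SLOTS)
        if (addr_eq(&hash1[i].req, req)) { *dst_out = hash1[i].dst; return true; }
    return false;
}

/* Step 103: the audit end hands the audited request back through port Vport (Hash2). */
bool hash2_insert(uint16_t vport, const struct addr *req) {
    uint32_t i = fnv1a(&vport, sizeof vport) % SLOTS;
    for (uint32_t n = 0; n < SLOTS; n++, i = (i + 1) % SLOTS)
        if (!hash2[i].used || hash2[i].vport == vport) {
            hash2[i].used = true; hash2[i].vport = vport; hash2[i].req = *req;
            return true;
        }
    return false;
}

bool hash2_lookup(uint16_t vport, struct addr *req_out) {
    uint32_t i = fnv1a(&vport, sizeof vport) % SLOTS;
    for (uint32_t n = 0; n < SLOTS && hash2[i].used; n++, i = (i + 1) % SLOTS)
        if (hash2[i].vport == vport) { *req_out = hash2[i].req; return true; }
    return false;
}

/* Step 105: the audited request arrives with Vport as its source; restore the
 * original requester so the destination sees the real client as the sender. */
bool rewrite_request_source(struct pkt *p) {
    struct addr req;
    if (!hash2_lookup(p->src.port, &req)) return false;  /* unknown Vport: do not forward */
    p->src = req;
    return true;
}

/* Step S111: the response is addressed to the requester; its source becomes the
 * destination the requester originally contacted (DMAC, DIP, Dport). */
bool rewrite_response_source(struct pkt *p) {
    struct addr dst;
    if (!hash1_lookup(&p->dst, &dst)) return false;     /* no matching request: drop */
    p->src = dst;
    return true;
}

/* Whole flow on constructed addresses; returns 0 when every step rewrote as expected,
 * otherwise the number of the check that failed. */
int run_flow(void) {
    const struct addr client = {{0x02, 0, 0, 0, 0, 0x0a}, 0xc0a80a0a, 40000}; /* 192.168.10.10 */
    const struct addr server = {{0x02, 0, 0, 0, 0, 0x14}, 0xc0a80a14, 443};   /* 192.168.10.20 */
    const struct addr vport  = {{0x02, 0, 0, 0, 0, 0xfe}, 0xc0a80afe, 5001};  /* audit end's KNI port */
    struct pkt p; p.src = client; p.dst = server;
    if (!hash1_insert(&p.src, &p.dst)) return 1;                                /* step 101 */
    if (!hash2_insert(vport.port, &client)) return 2;                           /* step 103 */
    p.src = vport;                                    /* packet as re-emitted by the audit end */
    if (!rewrite_request_source(&p) || !addr_eq(&p.src, &client)) return 3;    /* step 105 */
    struct pkt resp; resp.src = vport; resp.dst = client;     /* audited response, source Vport */
    if (!rewrite_response_source(&resp) || !addr_eq(&resp.src, &server)) return 4; /* S111 */
    return addr_eq(&resp.dst, &client) ? 0 : 5;
}

/* A packet from a virtual port with no relation-2 entry must not be forwarded. */
bool unknown_vport_is_rejected(void) {
    struct pkt p = {{{0x02, 0, 0, 0, 0, 0xfe}, 0xc0a80afe, 9999}, {{0}, 0, 0}};
    return !rewrite_request_source(&p);
}

int main(void) {
    printf("flow result: %d (0 = ok)\n", run_flow());
    printf("unknown vport rejected: %s\n", unknown_vport_is_rejected() ? "yes" : "no");
    return 0;
}
```

The rewrite functions refuse to forward when no mapping exists, which is the safe default for a transparent proxy. The toy table never expires entries, so a Vport reused for a later connection would still map to the earlier requester; a deployment ties each entry to the lifetime of its connection and removes it on close or timeout.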
In an embodiment of the present invention, pointers to data packets may be passed in the form of a queue between the virtual network port module 2021 of the audit end and the data receiving and sending module 2011 of the communication end.
It should be noted that the above device embodiment is a preferred embodiment, and the units and modules involved are not necessarily essential to the application.
For the method embodiments described above, each is stated as a series of action combinations for simplicity of description; however, those skilled in the art should be aware that the application is not limited by the described sequence of actions, because according to the application certain steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the method embodiments described above are preferred embodiments, and the actions and modules involved are not necessarily essential to the application.
Also disclosed herein is a storage medium on which a program for executing the above method is recorded. The storage medium includes any mechanism configured to store or transmit information in a form readable by a machine (taking a computer as an example). For example, the storage medium includes read-only memory (ROM), random-access memory (RAM), magnetic disk storage media, optical storage media, flash storage media, and electrical, optical, acoustic or other forms of propagated signals (for example carrier waves, infrared signals, digital signals, etc.).
All embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts between embodiments may be referred to each other. Since the device embodiments of the application are basically similar to the method embodiments, they are described relatively briefly; for related details, refer to the explanation in the method embodiment part. The device and apparatus embodiments described above are only schematic: the modules described as separate parts may or may not be physically separate, and may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment's scheme. Those of ordinary skill in the art can understand and implement this without creative effort.
The method, device and storage medium for auditing data based on an encryption protocol provided herein have been described in detail above. Specific examples have been used herein to illustrate the principles and implementation of the application; the above explanation of the embodiments is merely intended to help understand the method of the application and its core idea. Meanwhile, for those of ordinary skill in the art, there will be changes in the specific implementation and scope of application according to the idea of the application. In conclusion, the content of this specification should not be construed as a limitation of the application.

Claims (13)

1. A method for auditing data based on an encryption protocol, characterized by comprising:
receiving, at a communication end, an encrypted data request packet from a requesting communication party, sending the encrypted data request packet to a virtual network port of an audit end, and meanwhile creating a mapping relation 1 between the address information of the requesting communication party and the address information of a destination communication party;
parsing and auditing, at the audit end, the data in the encrypted data request packet, sending the audited encrypted data request packet to the communication end, and creating a mapping relation 2 between the port of the virtual network port and the address information of the requesting communication party;
retrieving, at the communication end, the address information of the requesting communication party based on the mapping relation 2, replacing the request source address information in the encrypted request packet with the address information of the requesting communication party, and then sending the audited encrypted request packet to the destination communication party;
receiving, at the communication end, a response data packet of the destination communication party and sending the response data packet to the audit end;
parsing and auditing, at the audit end, the encrypted data in the response data packet and sending the audited response data packet to the communication end;
obtaining, at the communication end, the address information of the destination communication party and the address information of the requesting communication party based on the mapping relation 1, replacing the source address information of the response data packet with the address information of the destination communication party, and then sending the response data packet to the requesting communication party.
2. The method according to claim 1, characterized by further comprising: after the communication end receives the data request packet from the requesting communication party, first performing a type decision on the destination address of the data request packet; if the destination address type is determined to be a unicast address that is not the virtual network port address, performing an encryption judgement on the data in the data request packet, sending a data packet judged to be unencrypted directly to the destination address, and sending a data packet judged to be encrypted to the audit end for the subsequent audit procedure.
3. The method according to claim 1 or 2, characterized in that:
the parsing of encrypted data at the audit end is implemented by an encryption protocol proxy program;
the data of the communication end are sent and received by calling the send and receive methods of the physical port;
the data of the audit end are sent and received by calling the send and receive methods of the virtual network port.
4. The method according to claim 3, characterized in that pointers to data packets are passed between the audit end and the communication end in the form of a queue, and the mapping relation 1 and the mapping relation 2 are established based on a hash function.
5. The method according to claim 1 or 2, characterized in that, if the encrypted data request packet or the response data packet does not pass the audit, a request-illegal notice is sent to the requesting communication party and the subsequent steps are not performed.
6. A device for auditing data based on an encryption protocol, characterized in that the device comprises a communication end and an audit end:
the communication end comprises:
a data receiving and sending module, for transmitting data with the requesting communication party, the destination communication party and the audit end, the transmission of data including receiving data, sending data and returning data;
a data processing module, for parsing the data at the communication end according to the encryption protocol in the audit module, and reconstructing the data according to the address information of the requesting communication party, the destination communication party and the virtual network port of the audit end;
the audit end comprises:
a virtual network port module, for creating a virtual network port at the audit end, processing the communication end data received by the virtual network port, and transmitting the data between the virtual network port and the communication end;
an audit module, for parsing and auditing, at the audit end, the data from the communication end transmitted through the virtual network port module, and returning the audit result to the communication end through the virtual network port module.
7. The device according to claim 6, characterized in that the data processing module further comprises:
a virtual network port address acquisition module, for sending a data packet to the virtual port through the data receiving and sending module, receiving a returned data packet, and parsing the returned data packet to obtain the address information of the virtual network port;
a data reconstruction module, for obtaining the address information of the requesting communication party, the address information of the destination communication party and the address information of the virtual network port, establishing the mapping relations, and replacing the source information contained in the data; the established mapping relations comprise the mapping relation 1 between the address information of the requesting communication party and the address information of the destination communication party, and the mapping relation 2 between the port of the virtual network port and the address information of the requesting communication party.
8. The device according to claim 7, characterized in that the communication end further comprises:
a data judging module, for recording the source address of the data transmitted by the receiving and sending module and performing a type decision on its destination address; the data processing module processes the data according to the result of the type decision and hands the processed data to the data receiving and sending module for transmission.
9. The device according to claim 8, characterized in that:
for transmitted data whose destination address type is determined to be unicast and whose destination address is the virtual network port address, the data is sent to the virtual network port address;
for transmitted data whose destination address type is determined to be unicast and whose destination address is not the virtual network port address, an encryption judgement is performed on the data, data judged to be unencrypted is sent directly to the destination address, and data judged to be encrypted is sent to the virtual network port address after the data processing module has performed data reconstruction on it.
10. The device according to any one of claims 6 to 9, characterized in that:
the audit module implements the parsing of encrypted data by an encryption protocol proxy program;
the data receiving and sending module sends and receives data by calling the send and receive methods of the physical port;
the virtual network port module sends and receives data by calling the send and receive methods of the virtual port.
11. The device according to any one of claims 6 to 9, characterized in that pointers to data packets are passed between the audit end and the communication end in the form of a queue;
the data processing module and the virtual network port module establish the mapping relation 1 and the mapping relation 2, respectively, based on a hash function.
12. The device according to any one of claims 6 to 9, characterized in that, if the audit module determines that the encrypted data request packet or the response data packet does not pass the audit, a request-illegal notice is sent to the requesting communication party.
13. A storage medium, characterized in that the storage medium stores a program for executing the method according to any one of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711305729.XA CN109905352B (en) 2017-12-11 2017-12-11 Method, device and storage medium for auditing data based on encryption protocol

Publications (2)

Publication Number Publication Date
CN109905352A true CN109905352A (en) 2019-06-18
CN109905352B CN109905352B (en) 2022-02-22

Family

ID=66941950

Country Status (1)

Country Link
CN (1) CN109905352B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110932890A (en) * 2019-11-20 2020-03-27 厦门网宿有限公司 Data transmission method, server and computer readable storage medium
CN113612790A (en) * 2021-08-11 2021-11-05 上海观安信息技术股份有限公司 Data security transmission method and device based on equipment identity pre-authentication
CN114006955A (en) * 2021-10-28 2022-02-01 深信服科技股份有限公司 Data processing method, device and equipment and readable storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103927489A (en) * 2014-04-22 2014-07-16 陈幼雷 System and method for trusted storage of data
US9083753B1 (en) * 2003-09-24 2015-07-14 Infoexpress, Inc. Secure network access control
CN105656896A (en) * 2016-01-06 2016-06-08 甄世存 IP address default port transfer encryption and port pipeline service method and device
CN105743868A (en) * 2014-12-11 2016-07-06 中国科学院声学研究所 Data acquisition system supporting encrypted and non-encrypted protocols and method
CN106453610A (en) * 2016-11-09 2017-02-22 深圳市任子行科技开发有限公司 HTTPS data flow auditing method and system oriented on operator backbone network
CN106572121A (en) * 2016-11-15 2017-04-19 任子行网络技术股份有限公司 Auditing method and device for VPN data

Also Published As

Publication number Publication date
CN109905352B (en) 2022-02-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant