CN109905352B - Method, device and storage medium for auditing data based on encryption protocol - Google Patents


Info

Publication number
CN109905352B
Authority
CN
China
Prior art keywords
data
auditing
communication
packet
sending
Prior art date
Legal status
Active
Application number
CN201711305729.XA
Other languages
Chinese (zh)
Other versions
CN109905352A (en)
Inventor
张磊
周春楠
赵贵阳
Current Assignee
Yiyang Safety Technology Co ltd
Original Assignee
Yiyang Safety Technology Co ltd
Application filed by Yiyang Safety Technology Co ltd
Priority to CN201711305729.XA
Publication of CN109905352A
Application granted
Publication of CN109905352B
Legal status: Active
Anticipated expiration

Abstract

The application provides a method for auditing data based on an encryption protocol, comprising the following steps: receiving an encrypted data request packet from a requesting communication party, sending it to a virtual network port, and establishing a mapping relation 1 between the address information of the requesting communication party and the address information of the target communication party; analyzing and auditing the data in the request packet, sending the request packet that passes the audit to the communication end, and at the same time creating a mapping relation 2 between the virtual network port and the requester's address information; retrieving the requester's address information based on relation 2, substituting it for the request source information in the request packet, and then sending the packet to the target communication party; receiving the response packet of the target communication party; analyzing and auditing the encrypted data in the response packet; and obtaining the address information of the target party based on relation 1, replacing the source information of the response packet with the target party's address information, and sending the response packet to the requesting communication party. The method solves the problems of the prior art, namely that it is cumbersome to use, easy to bypass and poorly applicable.

Description

Method, device and storage medium for auditing data based on encryption protocol
Technical Field
The present application relates to the field of network data security audit technologies, and in particular, to a method, an apparatus, and a storage medium for auditing data based on an encryption protocol.
Background
With the continuous development of information technology, information security problems are increasingly prominent, and how to ensure the security of information systems has become a concern for the whole of society. Although the risk of external intrusion can be reduced by technical means such as antivirus software, firewalls, IDS and IPS, security management risks remain because of unclear authorization, unsound security management systems, lack of operability and the like. According to statistics, more than 70% of information leaks are caused by weak security awareness of staff inside an enterprise, by misoperation, or by collusion between insiders and outsiders; such leaks often affect the normal operation and continued development of the enterprise and cause it great losses. How to control and audit user access from the system management side has therefore become particularly important.
Current service traffic is divided into non-encrypted and encrypted data. To achieve full coverage of services and eliminate blind spots in security monitoring, full-traffic monitoring must actually be achieved from the management side, with auditing and control capabilities for both kinds of data. A plaintext protocol can be parsed directly according to the protocol format as long as the traffic can be obtained; for an encrypted protocol, however, the ciphertext cannot be parsed directly, so a man-in-the-middle agent (proxy) is usually used to reconstruct the business flow, and the decoded data is audited and controlled at the agent end.
A conventional way of auditing data based on an encryption protocol is shown in fig. 1. The specific processing generally comprises the following steps:
1) the user's request is forwarded to the agent, for which two approaches are commonly used:
a) in portal mode, a portal shows the target applications the user may access; the user must first access the portal and then select and jump to the target application. This means the agent program must additionally provide portal functions, and a different portal is needed for each application: a web portal for an https web agent, and a character-interface portal for the ssh encryption protocol.
b) In plug-in mode, a hook plug-in must be installed on the user's terminal; the plug-in hijacks the request when the user accesses the target and redirects it to the agent. This means the user must install the plug-in on the terminal and the plug-in must get past the checks of security products.
2) The agent program obtains the agent target, for which two methods are also generally used:
a) the agent program starts a different agent port for each target, loaded when the agent program starts. For example, with the configuration 2222=192.168.1.33:22, sshProxy listens on port 2222 at startup and, on a request, actively connects to port 22 of 192.168.1.33.
b) when the agent is accessed, the target information is passed to the agent, which then accesses the target.
3) Man-in-the-middle agent. After the agent program has established the agent process, it forwards the data, audits according to the data content, and controls the user's behavior.
However, although these technical solutions functionally implement auditing and controlling capabilities for the encryption protocol, there are problems in terms of user experience and auditing efficiency, stability, compatibility, and the like, and mainly include:
1) in the process of forwarding the user request to the agent program:
a) the portal mode needs to provide portal functions for different applications, and the development amount is large. For the user, the experience is poor when the use mode is changed.
b) In plug-in mode, the user must install a plug-in on their terminal; the possibility that the user uninstalls the plug-in, or that a security product intercepts it, cannot be excluded, in which case the plug-in is disabled and the user's access behavior cannot be controlled, i.e. the user can still bypass auditing in this mode.
2) In the process of the agent program obtaining the agent target:
a) for the mode of mapping different targets through different ports, the agent program must have the mapping relation configured in advance, and whenever a new application is to be accessed the configuration has to be modified and the program restarted. This is not only a management burden; as the number of applications grows, the number of ports the agent can open is limited and the agent's performance becomes a bottleneck.
b) For the mode of delivering the target address, a sending function must be provided at the user's access end and a receiving function at the agent end, which requires much development work, and the user-to-agent process may fail because of its instability.
Based on the above problems, there is a need in the art for an auditing method that is more convenient and faster to use, and that is more stable and comprehensive for auditing data.
Disclosure of Invention
The application provides a method for auditing data based on an encryption protocol, which comprises the following steps:
receiving an encrypted data request packet from a communication requesting party at a communication end, sending the encrypted data request packet to a virtual network port of an auditing end, and simultaneously creating a mapping relation 1 of address information of the communication requesting party and address information of a target communication party;
analyzing and auditing data in the encrypted data request packet at the auditing end, sending the audited encrypted data request packet to the communication end, and creating a mapping relation 2 between a virtual network port and address information of the communication party;
calling the address information of the communication party on the basis of the mapping relation 2 at the communication end, replacing the address information of the request source in the encryption request packet with the address information of the communication party, and then sending the audited encryption request packet to a target communication party;
receiving a response data packet of the target communication party at the communication end, and sending the response data packet to the auditing end;
analyzing and auditing the encrypted data in the response data packet at the auditing end, and sending the response data packet which passes the auditing to the communication end;
and acquiring the address information of the target communication party and the address information of the request communication party at the communication end based on the mapping relation 1, replacing the source address information of the response data packet with the address information of the target communication party, and then sending the response data packet to the request communication party.
The method also comprises the steps that after a communication terminal receives a data request packet from a communication requesting party, the type of a target address of the data request packet is judged firstly, if the type of the target address is judged to be a unicast address and not to be a virtual network port address, data in the data request packet is encrypted and judged, the data packet judged to be unencrypted is directly sent to the target address, and the encrypted data packet judged to be encrypted is sent to an auditing terminal for subsequent auditing procedures.
In the method of the invention, the audit end realizes the analysis of the encrypted data through an encryption protocol agent program; receiving and sending data of the communication terminal by calling a receiving and sending method of a physical port; and receiving and sending the data of the auditing end by calling a receiving and sending method of the virtual network port.
In the method of the invention, pointers of data packets are transmitted between the auditing end and the communication end in a queue mode; and establishing the mapping relation 1 and the mapping relation 2 based on a hash function.
In the method of the present invention, if the encrypted data request packet or the response data packet does not pass the audit, a notification that the request is not legal is sent to the communication requester and the subsequent steps are not performed.
The application discloses a device based on encryption protocol audit data, the device includes communication end and audit end:
the communication terminal includes:
the data receiving and sending module is used for requesting a communication party, a target communication party and the auditing end to transmit data, and the data transmission comprises data receiving, data sending and data returning;
the data processing module is used for analyzing the data at the communication end according to an encryption protocol in the auditing module and reconstructing the data according to the address information of the request communication party, the target communication party and the auditing end virtual network port;
the audit end comprises:
the virtual network port module is used for creating a virtual network port at an auditing end, processing communication end data received by the virtual network port, and transmitting the data with the communication end through the virtual network port;
and the auditing module is used for analyzing and auditing the data from the communication end transmitted by the virtual network port module at the auditing end and returning the auditing result to the communication end through the virtual network port module.
In the apparatus of the present invention, the data processing module further comprises: a virtual network port address obtaining module, configured to send a data packet to the virtual port through the data receiving and sending module, receive a return data packet, and analyze the return data packet to obtain address information of the virtual network port;
the data reconstruction module is used for acquiring the address information of the requesting communication party, the address information of the target communication party and the address information of the virtual network port, establishing the mapping relations and replacing the source information contained in the data; the established mapping relations comprise a mapping relation 1 between the address information of the requesting communication party and the address information of the target communication party, and a mapping relation 2 between the virtual network port and the address information of the requesting communication party.
In the apparatus of the present invention, the communication terminal further includes: the data processing module, which processes the data according to the type judgment result and delivers the processed data to the data receiving and sending module for transmission.
In the device of the present invention, data whose destination address type of the transmission data is determined as a unicast address and whose destination address is a virtual network port address is transmitted to the virtual network port address;
and for the data of which the target address type of the transmission data is judged to be a unicast address and the target address is not a virtual network port address, encrypting and judging the data, directly sending the judged non-encrypted data to the target address, and sending the judged encrypted data to the virtual network port address after the data processing module reconstructs the data.
In the device, the auditing module realizes the analysis of the encrypted data through an encryption protocol agent program;
the data receiving and sending module receives and sends data by calling a receiving and sending method of a physical port;
and the virtual network port module receives and transmits data by calling a receiving and transmitting method of the virtual port.
In the device of the invention, pointers of data packets are transmitted between the auditing end and the communication end in a queue mode; and the data processing module and the virtual network port module establish the mapping relation 1 and the mapping relation 2 respectively based on a hash function.
In the apparatus of the present invention, if the audit module determines that the encrypted data request packet or the response data packet does not pass the audit, a notification that the request is not legal is sent to the communication requester.
The present application also discloses a storage medium having recorded thereon a program for executing the above method.
Compared with the prior art, the method and the device have the following advantages:
1. the invention can be implemented (for example, the device of the invention is arranged) at the boundary of the local area network, a plug-in does not need to be installed at the terminal of a user, a complex agent strategy does not need to be configured, and the user does not sense an auditing program;
2. in the technical scheme of the invention, the user terminal, the auditing equipment and the target are in physical serial connection, so that the user is prevented from bypassing and accessing.
3. The system resource is saved, only the auditing program of the invention needs to be started aiming at different protocols, and no independent agent port (as shown in figure 1) needs to be established for different targets for the same agent type, thereby saving the system overhead.
4. The technical scheme of the invention utilizes the existing agent program on the kernel protocol stack, and the protocol stack and the agent program on the protocol stack do not need to be developed by self under the user mode, thereby greatly shortening the development period and reducing the instability brought by developing the TCP/IP protocol stack by self.
Drawings
The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the application. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a schematic flow diagram of a prior art audit data based on an encryption protocol;
FIG. 2 is a flow diagram of an embodiment of a method 10 for auditing data based on an encryption protocol according to the present application;
fig. 3 is a block diagram of an embodiment of the apparatus 20 for auditing data based on an encryption protocol according to the present application.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description.
First, the meanings of the terms referred to in the present application are explained as follows:
A MAC (Media Access Control) address identifies the location of a network device; it is also called a physical address or hardware address. A host has a fixed MAC address determined by its network card. In the present invention, SMAC, VMAC and DMAC denote the MAC addresses of the requesting communication party, the virtual network port and the target communication party, respectively.
DPDK (Data Plane Development Kit) is a set of libraries and drivers for fast packet processing developed by several companies including 6WIND and Intel. It runs mainly on Linux and can greatly improve data processing performance and throughput, raising the efficiency of data plane applications.
The KNI (Kernel NIC Interface) mechanism lets a packet re-enter the kernel protocol stack; it creates a virtual device for receiving and sending packets so that the kernel's own protocol implementations can be used. KNI consists of a kernel-mode module and a user-mode module. By creating a KNI interface context, pointers to packets are passed between kernel mode and user mode through queues, which avoids copying and improves agent efficiency.
In the description of the present application, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. "Plurality" means two or more unless specifically limited otherwise. The terms "comprising", "including" and the like are to be construed as open-ended, i.e. "including but not limited to". The term "based on" means "based, at least in part, on". The term "an embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment". Relevant definitions of other terms are given in the following description.
A flow chart of a method for auditing data based on an encryption protocol according to an embodiment of the present invention, adapted to solve the above technical problem, is described below with reference to fig. 2. As shown in fig. 2, the method 10 of the embodiment starts with step S101: an encrypted data request packet from a requesting communication party is received at the communication end and sent to the virtual network port of the auditing end, and at the same time a mapping relation 1 between the address information of the requesting communication party and the address information of the target communication party is created. Specifically, the physical network port of the communication end receives the encrypted data request packet sent by the requesting communication party and records its related information, such as the source information SMAC, SIP and Sport and the target communication party's information DMAC, DIP and Dport; from this information it creates a mapping relation based on a hash function, for example Hash1, in which SIP and Sport are the key and DMAC, DIP and Dport are the hash value; and it sends the encrypted data request packet to the auditing end.
In the embodiment according to the present invention, data of the communication end is received and sent by calling the receiving and sending methods of the physical port, for example rte_eth_rx_burst and rte_eth_tx_burst.
In the embodiment according to the present invention, data of the auditing end is received and sent by calling the receiving and sending methods of the virtual network port, for example rte_kni_rx_burst and rte_kni_tx_burst.
In the embodiment according to the present invention, after the communication end receives a data request packet from the requesting communication party, it first judges the type of the packet's target address; if the target address is a unicast address and is not the virtual network port address, it judges whether the data in the packet is encrypted, sends a packet judged to be unencrypted directly to the target address, and sends a packet judged to be encrypted to the auditing end for the subsequent auditing procedure. Specifically: the DMAC address of the data request packet is identified first; if it is the same as the VMAC address of the auditing end's virtual network port, the packet is sent to the virtual network port of the auditing end; if it is not, the packet is examined, and if it is an encrypted data request packet it is sent to the virtual network port of the auditing end, while if it is not encrypted data it is sent to the target communication party.
In an embodiment according to the present invention, the virtual network port may be started by the KNI of DPDK.
After step S101, step S103 is performed: and analyzing and auditing the data in the encrypted data request packet at the auditing end, sending the audited encrypted data request packet to the communication end, and creating a mapping relation 2 between a virtual network port and the address information of the communication party. The method specifically comprises the following steps: the auditing end receives the encrypted data request packet sent by the communication end through the virtual network port, then analyzes and audits the request packet, returns the encrypted data request packet which passes the audit to the communication end, and simultaneously creates a mapping relation Hash2 based on a Hash function, wherein a Vport of the virtual network port is a key, and SMAC, SIP and Sport are Hash values.
In the embodiment of the invention, if the request packet fails to pass the audit, the data request is intercepted; optionally, a notification is returned to the requesting communication party that the request is not legitimate.
In the embodiment of the invention, if the request packet comprises a plurality of data requests, wherein part of the requests fail to pass the audit, the request packet is reconstructed to delete the request content which fails to pass the audit, and then the reconstructed request packet is returned to the communication terminal to continue the subsequent steps, or all the data requests are intercepted; accordingly, a notification that a partial request is illegal or that the request is illegal may be returned to the requesting communication party.
In an embodiment of the invention, the audit may be implemented as follows: the encryption protocol is pushed into the kernel protocol stack of the operating system in use, and the protocol is parsed and restored by third-party programs such as LibSSH and Nginx, thereby achieving the auditing of the encryption protocol.
After step S103, step S105 is performed: at the communication end, the address information of the requesting communication party is retrieved on the basis of the mapping relation 2, the request source address information in the encrypted request packet is replaced with it, and the audited encrypted request packet is then sent to the target communication party. Specifically: SMAC, SIP and Sport are obtained from Hash2, the request source information of the encrypted request packet that passed the audit is replaced with SMAC, SIP and Sport, and the encrypted request packet is then sent to the target communication party, so that when the target communication party receives the encrypted data request packet it identifies its source as the requesting communication party.
After step S105, step S107 is performed: and receiving a response data packet of the target communication party at the communication end, and sending the response data packet to the auditing end. The method specifically comprises the following steps: and the target communication party generates a corresponding response data packet according to the request after receiving the encrypted data request packet, returns the response data packet to the communication end, and then sends the response data packet to the auditing end by the communication end for subsequent auditing.
After step S107, step S109 is performed: and analyzing and auditing the encrypted data in the response data packet at the auditing end, and sending the response data packet which passes the auditing to the communication end. The audit end receives the response data packet, audits the content after analysis, and returns the response data packet to the communication end if the audit is passed through.
In the embodiment of the invention, if the response data packet fails to pass the audit, the data response is intercepted; optionally, a notification is returned to the requesting communication party that the request is not legitimate.
In the embodiment of the invention, if the response data packet comprises response data of a plurality of data requests, wherein part of the requested response data fails to pass the audit, the response data packet is reconstructed to delete the response content which fails to pass the audit, and then the reconstructed response data packet is returned to the communication terminal to continue the subsequent steps or all the response data is intercepted; accordingly, a notification that a partial request is illegal or that the request is illegal may be returned to the requesting communication party.
After step S109, step S111 is performed: at the communication end, the address information of the target communication party and of the requesting communication party is obtained on the basis of the mapping relation 1, the source address information of the response data packet is replaced with the address information of the target communication party, and the response data packet is then sent to the requesting communication party. Specifically, the communication end receives the response packet, obtains DMAC, DIP, Dport, SIP and Sport from Hash1, reconstructs the response packet by replacing its source information with DMAC, DIP and Dport, and then sends it to the requesting communication party according to SIP and Sport.
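The communication end's triage (DMAC compared with VMAC, then an encryption check) and steps S101 to S111, including the case where only some requests in a packet fail the audit, can be followed in a small simulation. The Python below is an added example and is not code from the patent or from Yiyang Safety Technology: the DPDK/KNI calls are replaced by in-memory calls, Hash1 and Hash2 are plain dictionaries, and the Packet type, the addresses, the VPORT identifier, the encryption heuristic in looks_encrypted, the record format in encode/decode (a stand-in for the LibSSH/Nginx decoding) and the DENY_PATTERNS audit policy are all constructed for illustration.

```python
# Added simulation of steps S101-S111 and the communication end's triage. Not code from
# the patent or its assignee: every address, policy and record format is constructed.
from dataclasses import dataclass, replace

VMAC = "02:00:00:00:00:aa"       # constructed MAC of the audit end's virtual network port
VIP, VSPORT = "10.0.0.2", 51000  # constructed source the audit end's stack re-originates with
VPORT = "vport0"                 # constructed virtual-port identifier, used as the Hash2 key
DENY_PATTERNS = (b"rm -rf /", b"DROP TABLE")  # constructed audit policy


@dataclass(frozen=True)
class Packet:
    smac: str; sip: str; sport: int   # source MAC / IP / port
    dmac: str; dip: str; dport: int   # destination MAC / IP / port
    payload: bytes


def looks_encrypted(payload: bytes) -> bool:
    """Assumed check (the patent does not specify one): TLS record header or SSH banner."""
    return payload[:2] == b"\x16\x03" or payload.startswith(b"SSH-2.0-")


def classify(pkt: Packet) -> str:
    if int(pkt.dmac[:2], 16) & 1:   # I/G bit set, not unicast: the patent only covers
        return "direct"             # unicast, so forwarding untouched is an assumption
    if pkt.dmac == VMAC:
        return "virtual_port"
    return "audit" if looks_encrypted(pkt.payload) else "direct"


def encode(records) -> bytes:
    """Constructed 'ciphertext': TLS-like 5-byte header over newline-separated requests."""
    body = b"\n".join(records) + b"\n"
    return b"\x16\x03\x01" + len(body).to_bytes(2, "big") + body


def decode(payload: bytes) -> list:
    """Stand-in for the protocol agent (LibSSH/Nginx in the patent) exposing decoded requests."""
    return [r for r in payload[5:].split(b"\n") if r]


class AuditEnd:
    """Auditing end behind the virtual network port; owns mapping relation 2 (Hash2)."""
    def __init__(self):
        self.hash2 = {}  # Vport -> (SMAC, SIP, Sport)

    def audit(self, pkt: Packet):
        """(packet to forward or None, rejected records); when only some requests
        fail the packet is rebuilt without them, as the patent describes."""
        records = decode(pkt.payload)
        passed = [r for r in records if not any(p in r for p in DENY_PATTERNS)]
        rejected = [r for r in records if r not in passed]
        return (replace(pkt, payload=encode(passed)) if passed else None), rejected

    def on_request(self, pkt: Packet):
        """S103: audit, record Hash2, return the packet through the virtual port
        with the stack's own source address, which S105 has to replace."""
        audited, rejected = self.audit(pkt)
        if audited is None:
            return None, rejected
        self.hash2[VPORT] = (pkt.smac, pkt.sip, pkt.sport)
        return replace(audited, smac=VMAC, sip=VIP, sport=VSPORT), rejected


class CommunicationEnd:
    """Communication end on the physical port; owns mapping relation 1 (Hash1)."""
    def __init__(self, audit_end: AuditEnd):
        self.audit_end = audit_end
        self.hash1 = {}    # (SIP, Sport) -> (DMAC, DIP, Dport)
        self.sent = []     # (next hop, packet); stands in for rte_eth_tx_burst
        self.notices = []  # (requester IP, notification text)

    def _notify(self, requester_ip, audited, rejected):
        if rejected:
            text = "partial request not legal" if audited else "request not legal"
            self.notices.append((requester_ip, text))

    def handle_request(self, pkt: Packet) -> str:
        kind = classify(pkt)
        if kind != "audit":  # plaintext, or already addressed to the virtual port
            self.sent.append((kind, pkt))
            return kind
        self.hash1[(pkt.sip, pkt.sport)] = (pkt.dmac, pkt.dip, pkt.dport)  # S101
        audited, rejected = self.audit_end.on_request(pkt)                 # S103
        self._notify(pkt.sip, audited, rejected)
        if audited is None:
            return "intercepted"
        smac, sip, sport = self.audit_end.hash2[VPORT]                     # S105
        self.sent.append(("target", replace(audited, smac=smac, sip=sip, sport=sport)))
        return "forwarded"

    def handle_response(self, resp: Packet) -> str:
        """S107-S111; assumes the response still has the requester as destination, so (DIP, Dport) is the Hash1 key."""
        audited, rejected = self.audit_end.audit(resp)
        self._notify(resp.dip, audited, rejected)
        if audited is None:
            return "intercepted"
        dmac, dip, dport = self.hash1[(resp.dip, resp.dport)]
        self.sent.append(("requester", replace(audited, smac=dmac, sip=dip, sport=dport)))
        return "forwarded"
```

The design choice worth noticing is why S105 exists at all: after the audited packet has passed through the auditing end's kernel protocol stack it carries the stack's own source (VMAC/VIP/VSPORT in this simulation), so without the Hash2 lookup the target would see the audit device, not the requester, as the origin of the request. The response path makes the symmetric assumption that the audited response still carries the requester as destination, which is what lets (DIP, Dport) serve as the Hash1 key.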
In the embodiment of the invention, the pointer of the data packet can be transmitted between the auditing end and the communication end in a queue mode.
Corresponding to the method 10, the present invention further provides an apparatus 20 for auditing data based on an encryption protocol, which is adapted to solve the above technical problems. Referring to fig. 3, the apparatus 20 includes: the system comprises a communication terminal 201 and an auditing terminal 202, wherein the communication terminal comprises a data receiving and sending module 2011 and a data processing module 2012; the auditing end comprises a virtual network port module 2021 and an auditing module 2022; the data receiving and sending module 2011 is configured to request a communication party, a target communication party, and the auditing end 202 to perform data transmission, where the data transmission includes receiving data, sending data, and returning data; the data processing module 2012 is configured to analyze the data at the communication terminal 201 according to the encryption protocol in the auditing module 2022, and reconstruct the data according to the address information of the requesting communication party, the target communication party, and the auditing terminal virtual network port; the virtual network port module 2021 is configured to create a virtual network port at the auditing end 202, process data of the communication end 201 received by the virtual network port, and transmit the data with the communication end 201 through the virtual network port; the auditing module 2022 is configured to analyze and audit the data from the communication terminal 201 transmitted by the virtual network interface module 2021 at the auditing end 202, and return an auditing result to the communication terminal 201 through the virtual network interface module 2021. The specific description is as follows:
corresponding to the above step 101, the data receiving and sending module 2011 of the communication terminal 202 receives an encrypted data request packet from a requesting communication party and sends the encrypted data request packet to the virtual network port of the auditing terminal, and the data reconstruction module in the data processing module 2012 creates a mapping relation 1 between address information of the requesting communication party and address information of a target communication party; the method specifically comprises the following steps: the data receiving and sending module 2011 receives the encrypted data request packet sent by the request communication party through the physical network port, the data reconstruction module in the data processing module 2012 acquires the source information SMAC, SIP and port of the encrypted data request packet, the address information DMAC, DIP, Dport and the like of the target communication party, creates a mapping relation Hash1 based on a Hash function according to the source information SMAC, SIP and port information, and then the data receiving and sending module 2011 sends the encrypted data request packet to the audit terminal 202.
In an embodiment according to the present invention, the data receiving and sending module 2011 receives and sends the data of the communication end 201 by calling the receiving and sending methods of the physical port, for example rte_eth_rx_burst and rte_eth_tx_burst.
In the embodiment according to the present invention, the virtual network port module 2021 receives and sends the data of the auditing end 202 by calling the receiving and sending methods of the virtual network port, for example rte_kni_rx_burst and rte_kni_tx_burst.
In an embodiment according to the present invention, the communication end 201 of the apparatus may further include a data determination module 2013, configured to handle the case in which it is not known whether the requested data is encrypted. If the data determination module 2013 determines that the destination address type is a unicast address and is not the virtual network port address, it performs an encryption determination on the data in the data request packet; a packet determined to be unencrypted is sent directly to the destination address by the data receiving and sending module 2011, and a packet determined to be encrypted is sent to the auditing end for the subsequent auditing procedure. Specifically: first, the data determination module 2013 of the communication end 201 identifies the DMAC address of the data request packet. If the DMAC address is the same as the VMAC address of the virtual network port of the auditing end, the data receiving and sending module 2011 sends the data request packet to the virtual network port of the auditing end. If the DMAC address differs from the VMAC address, the data determination module 2013 continues to examine the data request packet: if it is an encrypted data request packet, the data receiving and sending module 2011 sends it to the virtual network port of the auditing end, and if it is determined not to be encrypted data, the data receiving and sending module 2011 sends it to the target communication party.
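The routing decision of the data determination module 2013, as an added illustration that is not the patent's code: the DMAC-versus-VMAC test and the unicast test follow the description above, while the way encrypted data is recognised is not specified, so the TLS record header and SSH identification string checks are an assumption, as is passing non-unicast frames on without audit; the function and enum names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Where the data receiving and sending module 2011 should forward a packet. */
enum route {
    ROUTE_TO_VIRTUAL_PORT, /* hand to the auditing end's virtual network port */
    ROUTE_TO_TARGET,       /* unencrypted unicast: straight to the destination */
    ROUTE_PASS_THROUGH     /* multicast/broadcast: not audited (assumption) */
};

/* Encryption determination on the first payload bytes (assumption: the
 * description does not say how this is decided). A TLS record header
 * (handshake 0x16 or application data 0x17, version 3.0 to 3.4) or an SSH
 * identification string marks the packet as encrypted-protocol traffic. */
static bool looks_encrypted(const uint8_t *payload, size_t len) {
    if (len >= 3 && (payload[0] == 0x16 || payload[0] == 0x17) &&
        payload[1] == 0x03 && payload[2] <= 0x04)
        return true;
    return len >= 4 && memcmp(payload, "SSH-", 4) == 0;
}

/* dmac: destination MAC of the request packet; vmac: MAC of the virtual port. */
enum route classify_request(const uint8_t dmac[6], const uint8_t vmac[6],
                            const uint8_t *payload, size_t len) {
    if (memcmp(dmac, vmac, 6) == 0)
        return ROUTE_TO_VIRTUAL_PORT;   /* already addressed to the audit port */
    if (dmac[0] & 0x01)
        return ROUTE_PASS_THROUGH;      /* I/G bit set: not a unicast address */
    return looks_encrypted(payload, len) ? ROUTE_TO_VIRTUAL_PORT : ROUTE_TO_TARGET;
}
```

Only the first packet of a session carries a recognisable protocol header, so a real data determination module keys later packets of the same flow on the first decision rather than re-running the heuristic on every packet.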
In an embodiment of the present invention, the virtual network port module 2021 may create the virtual network port by means of the KNI (Kernel NIC Interface) of DPDK.
Then, corresponding to step 103, the auditing module 2022 analyzes and audits the data in the encrypted data request packet, the virtual network port module 2021 sends the audited encrypted data request packet to the communication end, and mapping relation 2 is created. Specifically: the virtual network port module 2021 receives the encrypted data request packet sent by the data receiving and sending module 2011; the auditing module 2022 analyzes and audits the request packet; the virtual network port module 2021 then returns the encrypted data request packet that passed the audit to the communication end 201, and at the same time the data reconstruction module creates mapping relation 2 as a hash table Hash2 based on a hash function, in which the virtual network port Vport is the key and SMAC, SIP and Sport are the stored values.
In an embodiment according to the present invention, if the request packet fails the audit, the auditing module 2022 intercepts this data request; alternatively, the auditing module 2022 creates a notification that the request is not legitimate, the virtual network port module 2021 sends the notification to the data receiving and sending module 2011, and the data receiving and sending module 2011 forwards the notification to the requesting communication party.
In the embodiment of the present invention, if the request packet contains multiple data requests and some of them fail the audit, the auditing module 2022 reconstructs the request packet by deleting the request content that failed the audit and hands the reconstructed request packet to the virtual network port module 2021, which returns it to the data receiving and sending module 2011 to continue the subsequent steps; alternatively, the auditing module 2022 intercepts all of the data requests. Accordingly, the auditing module 2022 may create a notification that the request is not legitimate, in whole or in part, the virtual network port module 2021 sends the notification to the data receiving and sending module 2011, and the data receiving and sending module 2011 forwards the notification to the requesting communication party.
In an embodiment of the present invention, the auditing module 2022 may implement the audit as follows: the encryption protocol is pushed up to the kernel protocol stack of the operating system in use, and the protocol is parsed and restored by a third-party program such as LibSSH or Nginx, thereby achieving the audit of the encryption protocol.
Thereafter, corresponding to the above step 105, the data reconstruction module obtains the SMAC, SIP and Sport based on Hash2 and replaces the request source information in the encrypted request packet with them, and the data receiving and sending module 2011 then sends the encrypted request packet to the target communication party. Specifically: the data receiving and sending module 2011 receives the encrypted request packet that passed the audit, the data reconstruction module replaces the request source information with the SMAC, SIP and Sport, and the data receiving and sending module 2011 sends the encrypted request packet to the target communication party, so that the target communication party, on receiving the encrypted data request packet, identifies the source as the requesting communication party.
Thereafter, corresponding to step S107 above, the data receiving and sending module 2011 receives the response packet of the target communication party and sends it to the virtual network port module 2021. Specifically: the target communication party receives the encrypted data request packet, generates the corresponding response data packet according to the request and returns it to the communication end; the data receiving and sending module 2011 receives the response data packet and sends it to the virtual network port module 2021, after which the auditing module 2022 performs the subsequent auditing steps.
Corresponding to the above step S109, the auditing module 2022 analyzes and audits the encrypted data in the response packet, and the response packet that passed the audit is sent to the communication end by the virtual network port module 2021. Specifically: the virtual network port module 2021 receives the response data packet, the auditing module 2022 analyzes the response data packet and audits its content, and if the response data packet passes the audit, the virtual network port module 2021 returns it to the communication end.
In an embodiment according to the present invention, if the response packet fails the audit, the auditing module 2022 intercepts this data response; alternatively, the auditing module 2022 creates a notification that the request is not legitimate, the virtual network port module 2021 sends the notification to the data receiving and sending module 2011, and the data receiving and sending module 2011 forwards the notification to the requesting communication party.
In the embodiment of the present invention, if the response data packet contains the response data of multiple data requests and some of that response data fails the audit, the auditing module 2022 reconstructs the response data packet by deleting the response content that failed the audit, and the virtual network port module 2021 returns the reconstructed response packet to the data receiving and sending module 2011 to continue the subsequent steps; alternatively, the auditing module 2022 intercepts all of the data requests. Accordingly, the auditing module 2022 may create a notification that the request is not legitimate, in whole or in part, the virtual network port module 2021 sends the notification to the data receiving and sending module 2011, and the data receiving and sending module 2011 forwards the notification to the requesting communication party.
Then, corresponding to step S111, the data reconstruction module obtains DMAC, DIP, Dport, SIP and Sport based on Hash1 and replaces the source information of the response data packet with DMAC, DIP and Dport, and the data receiving and sending module 2011 then sends the response data packet to the requesting communication party. Specifically: the data receiving and sending module 2011 receives the response data packet; the data reconstruction module obtains the DMAC, DIP, Dport, SIP and Sport based on Hash1 and reconstructs the response data packet by replacing its source information with DMAC, DIP and Dport; finally the data receiving and sending module 2011 sends the response data packet to the requesting communication party according to SIP and Sport.
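The two mapping tables and the address rewrites of steps 101, 105 and 111 above, as an added illustration that is not the patent's code. Packets are plain structs rather than DPDK mbufs; the struct, table and function names are hypothetical, and two points are assumptions: that the communication end can attach the requester's address to the packet it queues to the virtual port, and that Hash2 is consulted again for later packets of the same virtual-port connection.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Address information as the description uses it: MAC, IPv4 address, L4 port. */
struct addr { uint8_t mac[6]; uint32_t ip; uint16_t port; };
/* A packet as the communication end sees it (a DPDK mbuf in the real device).
 * 'requester' is metadata the communication end attaches on first receipt; it is
 * assumed to survive the round trip because only the packet pointer is queued. */
struct pkt { struct addr src, dst, requester; };

#define SLOTS 64
/* Hash1: requester (SMAC, SIP, Sport) -> target (DMAC, DIP, Dport) */
static struct { bool used; struct addr key, val; } hash1[SLOTS];
/* Hash2: virtual network port Vport -> requester (SMAC, SIP, Sport) */
static struct { bool used; uint16_t key; struct addr val; } hash2[SLOTS];

static bool addr_eq(const struct addr *a, const struct addr *b) {
    return a->ip == b->ip && a->port == b->port && memcmp(a->mac, b->mac, 6) == 0;
}
/* FNV-1a over the explicit fields; hashing the struct bytes would mix in padding. */
static uint32_t fnv(const void *p, size_t n, uint32_t h) {
    const uint8_t *b = p;
    while (n--) { h ^= *b++; h *= 16777619u; }
    return h;
}
static unsigned addr_slot(const struct addr *a) {
    uint32_t h = fnv(a->mac, 6, 2166136261u);
    h = fnv(&a->ip, sizeof a->ip, h);
    h = fnv(&a->port, sizeof a->port, h);
    return h % SLOTS;
}

/* Linear-probing tables: put returns false when the table is full, get returns
 * NULL when the key is absent, and the callers treat both as "cannot forward". */
static bool hash1_put(const struct addr *req, const struct addr *tgt) {
    unsigned i = addr_slot(req);
    for (unsigned n = 0; n < SLOTS; n++, i = (i + 1) % SLOTS)
        if (!hash1[i].used || addr_eq(&hash1[i].key, req)) {
            hash1[i].used = true; hash1[i].key = *req; hash1[i].val = *tgt; return true;
        }
    return false;
}
static const struct addr *hash1_get(const struct addr *req) {
    unsigned i = addr_slot(req);
    for (unsigned n = 0; n < SLOTS && hash1[i].used; n++, i = (i + 1) % SLOTS)
        if (addr_eq(&hash1[i].key, req)) return &hash1[i].val;
    return NULL;
}
static bool hash2_put(uint16_t vport, const struct addr *req) {
    unsigned i = vport % SLOTS;
    for (unsigned n = 0; n < SLOTS; n++, i = (i + 1) % SLOTS)
        if (!hash2[i].used || hash2[i].key == vport) {
            hash2[i].used = true; hash2[i].key = vport; hash2[i].val = *req; return true;
        }
    return false;
}
static const struct addr *hash2_get(uint16_t vport) {
    unsigned i = vport % SLOTS;
    for (unsigned n = 0; n < SLOTS && hash2[i].used; n++, i = (i + 1) % SLOTS)
        if (hash2[i].key == vport) return &hash2[i].val;
    return NULL;
}

/* Step 101: the encrypted request arrives from the requester on the physical
 * port. Record Hash1[requester] = target and remember the requester on the
 * packet before it is queued to the virtual network port. */
bool comm_on_request(struct pkt *p) {
    p->requester = p->src;
    return hash1_put(&p->src, &p->dst);
}

/* Step 105: the audited request returns from the virtual network port with the
 * virtual port's address as source. Hash2[Vport] = requester is created on the
 * first packet of a proxied connection; later packets on the same Vport are
 * restored from the table alone. The requester's address becomes the source
 * again, so the target sees the original requester. */
bool comm_on_audited_request(struct pkt *p) {
    const struct addr *req = hash2_get(p->src.port);
    if (!req) {
        if (!hash2_put(p->src.port, &p->requester)) return false;
        req = &p->requester;
    }
    p->src = *req;
    return true;
}

/* Step 111: the audited response returns from the virtual network port addressed
 * to the requester. Hash1[requester] yields the target's address, which becomes
 * the response's source; a response with no recorded request is not forwarded. */
bool comm_on_audited_response(struct pkt *p) {
    const struct addr *tgt = hash1_get(&p->dst);
    if (!tgt) return false;
    p->src = *tgt;
    return true;
}
```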
In the embodiment of the present invention, pointers to the data packets may be passed between the virtual network port module 2021 of the auditing end and the data receiving and sending module 2011 of the communication end by means of a queue.
It should be noted that the above device embodiments belong to preferred embodiments, and the units and modules involved are not necessarily essential to the present application.
For simplicity of description, the foregoing method embodiments are described as a series of acts or combination of acts, but those skilled in the art will appreciate that the present application is not limited by the order of acts described, as some steps may, in accordance with the present application, occur in other orders and concurrently; further, those skilled in the art should also appreciate that the above-described method embodiments are preferred embodiments and that the acts and modules involved are not necessarily required for the application.
The present application also discloses a storage medium having recorded thereon a program for executing the above method. The storage media includes any mechanism configured to store or transfer information in a form readable by a computer (by way of example, a computer). For example, storage media includes Read Only Memory (ROM), Random Access Memory (RAM), magnetic disk storage media, optical storage media, flash memory media, electrical, optical, acoustical or other form of propagated signals (e.g., carrier waves, infrared signals, digital signals, etc.), and others.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on its differences from the other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device embodiments of the present application, since they are substantially similar to the method embodiments, the description is relatively simple, and for the relevant points reference may be made to the description of the method embodiments. The above-described apparatus embodiments are merely illustrative: the modules described as separate parts may or may not be physically separate, and may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The method, the device and the storage medium for auditing data based on the encryption protocol are introduced in detail, and a specific example is applied in the text to explain the principle and the implementation of the application, and the description of the embodiment is only used for helping to understand the method and the core idea of the application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (13)

1. A method for auditing data based on an encryption protocol, comprising:
receiving an encrypted data request packet from a communication requesting party at a communication end, sending the encrypted data request packet to a virtual network port of an auditing end, and simultaneously creating a mapping relation 1 of address information of the communication requesting party and address information of a target communication party;
analyzing and auditing data in the encrypted data request packet at the auditing end, sending the audited encrypted data request packet to the communication end, and creating a mapping relation 2 between a virtual network port and address information of the requesting communication party;
calling the address information of the requesting communication party on the basis of the mapping relation 2 at the communication end, replacing the address information of the request source in the encrypted data request packet with the address information of the requesting communication party, and then sending the audited encrypted data request packet to a target communication party;
receiving a response data packet of the target communication party at the communication end, and sending the response data packet to the auditing end;
analyzing and auditing the encrypted data in the response data packet at the auditing end, and sending the response data packet which passes the auditing to the communication end;
and acquiring the address information of the target communication party and the address information of the request communication party at the communication end based on the mapping relation 1, replacing the source address information of the response data packet with the address information of the target communication party, and then sending the response data packet to the request communication party.
2. The method according to claim 1, further comprising performing type determination on a destination address of the data request packet after the communication terminal receives the data request packet from a requesting communication party, performing encryption determination on data in the data request packet if the destination address type is determined as a unicast address and is not a virtual network port address, directly sending the data packet determined as non-encrypted to the destination address, and sending the encrypted data packet determined as encrypted to the auditing terminal for a subsequent auditing procedure.
3. The method according to claim 1 or 2, characterized in that:
the auditing end realizes the analysis of the encrypted data through an encryption protocol agent program;
receiving and sending data of the communication terminal by calling a receiving and sending method of a physical port;
and receiving and sending the data of the auditing end by calling a receiving and sending method of the virtual network port.
4. The method of claim 3, wherein the pointer of the data packet is transmitted between the auditing end and the communication end in a queue manner; and establishing the mapping relation 1 and the mapping relation 2 based on a hash function.
5. The method according to claim 1 or 2, wherein if the encrypted data request packet or the response data packet does not pass the audit, a notification that the request is not legal is sent to the requesting communication party and the subsequent steps are not performed.
6. An apparatus for auditing data based on an encryption protocol, the apparatus comprising a communication end and an auditing end:
receiving an encrypted data request packet from a communication requesting party at a communication end, sending the encrypted data request packet to a virtual network port of an auditing end, and simultaneously creating a mapping relation 1 of address information of the communication requesting party and address information of a target communication party;
analyzing and auditing data in the encrypted data request packet at the auditing end, sending the audited encrypted data request packet to the communication end, and creating a mapping relation 2 between a virtual network port and address information of the requesting communication party;
calling the address information of the requesting communication party on the basis of the mapping relation 2 at the communication end, replacing the address information of the request source in the encrypted data request packet with the address information of the requesting communication party, and then sending the audited encrypted data request packet to a target communication party;
receiving a response data packet of the target communication party at the communication end, and sending the response data packet to the auditing end;
analyzing and auditing the encrypted data in the response data packet at the auditing end, and sending the response data packet which passes the auditing to the communication end;
the communication end acquires the address information of the target communication party and the address information of the request communication party on the basis of the mapping relation 1, replaces the source address information of the response data packet with the address information of the target communication party and then sends the response data packet to the request communication party;
the communication terminal includes:
the data receiving and sending module is used for requesting a communication party, a target communication party and the auditing end to transmit data, and the data transmission comprises data receiving, data sending and data returning;
the data processing module is used for analyzing the data at the communication end according to an encryption protocol in the auditing module and reconstructing the data according to the address information of the request communication party, the target communication party and the auditing end virtual network port;
the audit end comprises:
the virtual network port module is used for creating a virtual network port at an auditing end, processing communication end data received by the virtual network port, and transmitting the data with the communication end through the virtual network port;
and the auditing module is used for analyzing and auditing the data from the communication end transmitted by the virtual network port module at the auditing end and returning the auditing result to the communication end through the virtual network port module.
7. The apparatus of claim 6, wherein the data processing module further comprises:
a virtual network port address obtaining module, configured to send a data packet to the virtual network port through the data receiving and sending module, receive a return data packet, and analyze the return data packet to obtain address information of the virtual network port;
the data reconstruction module is used for acquiring the address information of the requesting communication party, the address information of the target communication party and the address information of the virtual network port, establishing mapping relations and replacing source information contained in the data; the established mapping relations comprise a mapping relation 1 between the address information of the requesting communication party and the address information of the target communication party and a mapping relation 2 between the virtual network port and the address information of the requesting communication party.
8. The apparatus of claim 7, wherein the communication terminal further comprises:
the data processing module is used for processing the data according to the type determination result and delivering the processed data to the data receiving and sending module for transmission.
9. The apparatus of claim 8, wherein:
for transmission data whose target address type is determined to be a unicast address and whose target address is the virtual network port address, the data is sent to the virtual network port address;
and for transmission data whose target address type is determined to be a unicast address and whose target address is not the virtual network port address, an encryption determination is performed on the data, the data determined to be non-encrypted is sent directly to the target address, and the data determined to be encrypted is sent to the virtual network port address after the data processing module reconstructs it.
10. The apparatus according to any one of claims 6-9, wherein:
the auditing module realizes the analysis of the encrypted data through an encryption protocol agent program;
the data receiving and sending module receives and sends data by calling a receiving and sending method of a physical port;
and the virtual network port module receives and transmits data by calling a receiving and transmitting method of the virtual network port.
11. The apparatus according to any one of claims 6-9, wherein the pointer of the data packet is transferred between the auditing end and the communication end in a queue manner;
and the data processing module and the virtual network port module establish the mapping relation 1 and the mapping relation 2 respectively based on a hash function.
12. The apparatus of any of claims 6-9, wherein if the auditing module determines that the encrypted data request packet or the response data packet does not pass the audit, a notification that the request is not legitimate is sent to the requesting communication party.
13. A storage medium, in which a computer program is stored, wherein the computer program is arranged to perform the method of any of claims 1 to 5 when executed.
CN201711305729.XA 2017-12-11 2017-12-11 Method, device and storage medium for auditing data based on encryption protocol Active CN109905352B (en)

Publications (2)

Publication Number Publication Date
CN109905352A CN109905352A (en) 2019-06-18
CN109905352B true CN109905352B (en) 2022-02-22

Family

ID=66941950

Country Status (1)

Country Link
CN (1) CN109905352B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant