CN111835728B - Method and device for hiding privileges to access real network and protocol - Google Patents
- Publication number
- CN111835728B (application number CN202010543491.XA)
- Authority
- CN
- China
- Prior art keywords
- access
- protocol
- session
- engine
- protocol conversion
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
- H04L67/141—Setup of application sessions
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/562—Brokering proxy services
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/08—Protocols for interworking; Protocol conversion
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a method for hiding privileged access to a real network and protocol, comprising the following steps: a) the target end establishes a session using its real protocol, and the established session is processed by a resource connection and protocol conversion engine; b) the resource connection and protocol conversion engine performs protocol conversion on the session from the target end and forwards the converted session to the access proxy engine; c) the access proxy engine performs secondary protocol encapsulation on the converted session and then forwards it to the access terminal; d) the access terminal receives the information encapsulated by the secondary protocol. The invention also relates to a device for implementing the method. The method and device for hiding privileged access to the real network and protocol have the following beneficial effects: the risk that the real protocol is hijacked and that the target end's type and architecture are probed is greatly reduced, and the security of privileged access between the access end and the target end is improved.
Description
Technical Field
The invention relates to the field of privilege access, in particular to a method and a device for hiding privilege access to a real network and a protocol.
Background
When the access terminal performs privileged access directly against the target terminal, the real protocol used by the target terminal to create the session can be probed, which risks leaking the target's type. While a session is being established between the access terminal and the target terminal, the protocol may be hijacked maliciously, and the hijacker can even learn the architecture of the target end from the protocol's flow direction. These risks pose significant security hazards. Fig. 1 is a flowchart of the conventional access method in which the access terminal performs privileged access directly with the target; this method carries the following risks: the type of the target end can be learned by probing the real protocol; the protocol may be hijacked; and the architecture of the target end can be learned from the protocol flow direction.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a method and a device for hiding privileged access to a real network and protocol, which greatly reduce the risk that the real protocol is hijacked and that the target end's type and architecture are probed, and increase the security of privileged access between the access end and the target end.
The technical scheme adopted to solve this problem is as follows: a method for hiding privileged access to a real network and protocol, comprising the steps of:
a) The target end establishes a session using its real protocol, and the established session is processed by a resource connection and protocol conversion engine;
b) The resource connection and protocol conversion engine performs protocol conversion on the session from the target end and forwards the converted session to the access proxy engine;
c) The access proxy engine performs secondary protocol encapsulation on the converted session and then forwards it to the access terminal;
d) The access terminal receives the information encapsulated by the secondary protocol.
In the method for hiding privileged access to a real network and protocol according to the present invention, the following steps are further included before step a):
a01) The access terminal sends the access request to the access proxy engine;
a02) The access proxy engine forwards the access request to the resource connection and protocol conversion engine;
a03) The resource connection and protocol conversion engine sends the access request to the target end.
In the method for hiding privileged access to a real network and protocol, the encapsulation protocol used for the secondary protocol encapsulation is over https.
The invention also relates to a device for implementing the method for hiding privileged access to a real network and protocol, comprising:
session creation unit: used by the target end to establish a session with its real protocol, the established session being processed by the resource connection and protocol conversion engine;
session forwarding unit: used by the resource connection and protocol conversion engine to perform protocol conversion on the session from the target end and forward the converted session to the access proxy engine;
protocol encapsulation unit: used by the access proxy engine to perform secondary protocol encapsulation on the converted session and then forward it to the access terminal;
information receiving unit: used by the access terminal to receive the information encapsulated by the secondary protocol.
The device of the invention further comprises:
first access request sending unit: used by the access terminal to send the access request to the access proxy engine;
access request forwarding unit: used by the access proxy engine to forward the access request to the resource connection and protocol conversion engine;
second access request sending unit: used by the resource connection and protocol conversion engine to send the access request to the target end.
In the device of the present invention, the encapsulation protocol used for the secondary protocol encapsulation is over https.
The method and device for hiding privileged access to a real network and protocol have the following beneficial effects. The target end establishes the session with its real protocol, and that session is processed by the resource connection and protocol conversion engine, which converts it and forwards the converted session to the access proxy engine; the access proxy engine applies secondary protocol encapsulation and forwards the result to the access terminal, which receives only the secondarily encapsulated information. The real protocol therefore never reaches the access terminal unconverted, so the invention greatly reduces the risk that the real protocol is hijacked and that the target end's type and architecture are probed, and increases the security of privileged access between the access end and the target end.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a conventional access terminal directly performing privileged access with a target terminal;
FIG. 2 is a flow chart of one embodiment of a method and apparatus for hiding privileged access to a real network and protocol of the present invention;
FIG. 3 is a flow diagram of a method of hiding privileged access to a real network and protocol in the embodiment;
FIG. 4 is a schematic view of the structure of the device in the embodiment.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In an embodiment of the method and apparatus for hiding privileged access to real networks and protocols of the present invention, a flow chart of the method for hiding privileged access to real networks and protocols is shown in fig. 2. A flow diagram of the method of hiding privileged access to real networks and protocols is shown in fig. 3. In fig. 2, the method of hiding privileged access to a real network and protocol includes the steps of:
Step S01: the target end creates a session using its real protocol, and the created session is processed by the resource connection and protocol conversion engine.
Step S02: the resource connection and protocol conversion engine performs protocol conversion on the session from the target end and forwards the converted session to the access proxy engine for further encapsulation.
Step S03: the access proxy engine performs secondary protocol encapsulation on the converted session and forwards the secondarily encapsulated session to the access terminal. The encapsulation protocol used for the secondary protocol encapsulation is over https.
Step S04: the access terminal receives the information encapsulated by the secondary protocol.
The method hides the real network and protocol during privileged access by inserting protocol conversion and protocol encapsulation between the access terminal and the target terminal: a resource connection and protocol conversion engine and an access proxy engine are added between the two ends, and the real protocol coming from the target terminal is converted and then encapsulated. Compared with the prior art, in which the access terminal performs privileged access directly against the target terminal, the real protocol used to create the session is converted and encapsulated before it reaches the access terminal, which hides the real network and protocol, greatly reduces the risk that the real protocol is hijacked and that the target terminal's type and architecture are probed, and increases the security of privileged access between the access terminal and the target terminal.
It should be noted that, in this embodiment, the following steps precede step S01:
Step S001: the access terminal sends the access request to the access proxy engine.
Step S002: the access proxy engine forwards the access request to the resource connection and protocol conversion engine.
Step S003: the resource connection and protocol conversion engine sends the access request to the target end.
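The seven steps above (S001 to S003 for the request, then S01 to S04 for the session) can be traced end to end in a small model. The code below is an added example written for this page, not code from the patent or its applicant; it assumes a constructed toy line protocol (`TOYDB-WIRE`) standing in for whatever the target really speaks, a plain HTTP text envelope standing in for the over-https encapsulation of step S03 (the TLS layer is omitted so the example runs offline), and function names (`convert_protocol`, `encapsulate_over_http`, `real_protocol_exposed`, and so on) that are this example's own. The point it makes visible is the patent's claimed property: the banner and host name of the real protocol are consumed by the conversion engine and never appear in what the access terminal receives.

```python
"""Added example: a minimal model of the privileged-access path described in
the patent (access terminal -> access proxy engine -> resource connection and
protocol conversion engine -> target end). Not the patent's own code; every
wire format here is constructed for illustration."""
from __future__ import annotations
import json

# --- target side: the "real protocol" (constructed) ---------------------------
# The banner leaks the target type and host, which is exactly what the method
# wants to keep away from the access end.
REAL_PROTOCOL_BANNER = b"TOYDB-WIRE/1.0 host=db01.internal"


def target_create_session(request: dict) -> list[bytes]:
    """Step S01: the target end answers the forwarded access request by opening
    a session in its real protocol. Returns the raw real-protocol frames."""
    return [
        REAL_PROTOCOL_BANNER,
        b"SESSION " + request["session_id"].encode(),
        b"ROW " + json.dumps({"user": request["user"], "role": "admin"}).encode(),
    ]


# --- resource connection and protocol conversion engine -----------------------
def convert_protocol(frames: list[bytes]) -> list[dict]:
    """Step S02: translate real-protocol frames into a neutral record stream so
    nothing downstream depends on, or reveals, the target's wire format."""
    records = []
    for frame in frames:
        kind, _, payload = frame.partition(b" ")
        if kind == b"TOYDB-WIRE/1.0":
            continue  # banner is consumed here and never forwarded
        if kind == b"SESSION":
            records.append({"type": "session_open", "id": payload.decode()})
        elif kind == b"ROW":
            records.append({"type": "data", "body": json.loads(payload)})
        else:
            raise ValueError(f"unexpected real-protocol frame {kind!r}")
    return records


# --- access proxy engine -------------------------------------------------------
def encapsulate_over_http(records: list[dict]) -> bytes:
    """Step S03: secondary encapsulation. The neutral records travel as an HTTP
    response body; in deployment this connection is HTTPS, so the envelope is
    all that is observable between the proxy and the access terminal."""
    body = json.dumps({"records": records}).encode()
    headers = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/json\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return headers.encode() + body


# --- access terminal -----------------------------------------------------------
def access_terminal_receive(message: bytes) -> list[dict]:
    """Step S04: the access terminal parses only the encapsulation protocol."""
    head, _, body = message.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0]
    if status != b"HTTP/1.1 200 OK":
        raise ValueError("unexpected status line")
    return json.loads(body)["records"]


def run_privileged_access(user: str, session_id: str) -> tuple[list[dict], bytes]:
    """Steps S001-S003 followed by S01-S04. Returns what the access terminal
    decoded and the raw bytes it saw on the wire."""
    request = {"user": user, "session_id": session_id}  # S001: terminal -> proxy
    # S002 / S003: proxy and conversion engine forward the request unchanged.
    frames = target_create_session(request)             # S01
    records = convert_protocol(frames)                  # S02
    wire = encapsulate_over_http(records)               # S03
    return access_terminal_receive(wire), wire          # S04


def real_protocol_exposed(wire: bytes) -> bool:
    """Check the property the patent claims: nothing identifying the real
    protocol or the target host reaches the access terminal."""
    return b"TOYDB-WIRE" in wire or b"db01.internal" in wire


if __name__ == "__main__":
    decoded, seen = run_privileged_access("alice", "s-1")
    print("access terminal decoded:", decoded)
    print("real protocol visible to access terminal:", real_protocol_exposed(seen))
```

The conversion step is where the hiding actually happens: `convert_protocol` is the only component that understands the real protocol, and it deliberately drops the banner rather than passing it through. An unknown frame type raises instead of being forwarded opaquely, which keeps the conversion engine from becoming a transparent tunnel for whatever the target emits.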
The embodiment also relates to a device for implementing the method for hiding privileged access to a real network and protocol; its structure is shown schematically in fig. 3. In fig. 3, the device comprises a session creation unit 1, a session forwarding unit 2, a protocol encapsulation unit 3 and an information receiving unit 4. The session creation unit 1 is used by the target end to create a session with its real protocol, the created session being processed by the resource connection and protocol conversion engine; the session forwarding unit 2 is used by the resource connection and protocol conversion engine to perform protocol conversion on the session from the target end and forward the converted session to the access proxy engine; the protocol encapsulation unit 3 is used by the access proxy engine to perform secondary protocol encapsulation on the converted session and then forward it to the access terminal, the encapsulation protocol used for the secondary protocol encapsulation being over https; and the information receiving unit 4 is used by the access terminal to receive the information encapsulated by the secondary protocol.
The device likewise hides the real network and protocol during privileged access by inserting protocol conversion and protocol encapsulation between the access terminal and the target terminal: a resource connection and protocol conversion engine and an access proxy engine are added between the two ends, and the real protocol from the target terminal is converted and encapsulated. Compared with the prior art, in which the access terminal performs privileged access directly against the target terminal, the device adds the resource connection and protocol conversion engine and the access proxy engine between the access terminal and the target terminal, converts and encapsulates the real protocol used to create the session, hides the real network and protocol from the privileged access path, greatly reduces the risk that the real protocol is hijacked and that the target terminal's type and architecture are probed, and increases the security of privileged access between the access terminal and the target terminal.
In this embodiment, the device further comprises a first access request sending unit 5, an access request forwarding unit 6 and a second access request sending unit 7. The first access request sending unit 5 is used by the access terminal to send the access request to the access proxy engine; the access request forwarding unit 6 is used by the access proxy engine to forward the access request to the resource connection and protocol conversion engine; and the second access request sending unit 7 is used by the resource connection and protocol conversion engine to send the access request to the target end.
In summary, to reduce the risks present in the conventional technique, this embodiment adds protocol conversion and protocol encapsulation between the access terminal and the target terminal, so that the real network and protocol are hidden during privileged access and the security of privileged access is increased. The invention greatly reduces the risk that the real protocol is hijacked and that the target end's type and architecture are probed, and increases the security of privileged access between the access end and the target end.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, alternatives, and improvements that fall within the spirit and scope of the invention.
Claims (5)
1. A method for hiding privileged access to real networks and protocols, comprising the steps of:
a) The target end uses a real protocol to establish a session, and the established session is processed by a resource connection and protocol conversion engine;
b) The resource connection and protocol conversion engine carries out protocol conversion on the session from the target end and forwards the session after protocol conversion to the access agent engine;
c) The access agent engine performs secondary protocol encapsulation on the session after the protocol conversion and then forwards the session to an access terminal;
d) The access terminal receives the information encapsulated by the secondary protocol;
wherein, before said step a), the method further comprises:
a01) The access terminal sends the access request to the access agent engine;
a02) The access agent engine forwards the access request to the resource connection and protocol conversion engine;
a03) The resource connection and protocol conversion engine sends the access request to the target end.
2. The method of claim 1, wherein the secondary protocol encapsulation employs an encapsulation protocol of over https.
3. An apparatus for implementing the method for hiding privileged access to a real network and protocol as claimed in claim 1, comprising:
session creation unit: used by the target end to establish a session with its real protocol, the established session being processed by the resource connection and protocol conversion engine;
session forwarding unit: used by the resource connection and protocol conversion engine to perform protocol conversion on the session from the target end and forward the converted session to the access agent engine;
protocol encapsulation unit: used by the access agent engine to perform secondary protocol encapsulation on the converted session and then forward it to the access terminal;
information receiving unit: used by the access terminal to receive the information encapsulated by the secondary protocol.
4. A device according to claim 3, further comprising:
first access request sending unit: used by the access terminal to send the access request to the access agent engine;
access request forwarding unit: used by the access agent engine to forward the access request to the resource connection and protocol conversion engine;
second access request sending unit: used by the resource connection and protocol conversion engine to send the access request to the target end.
5. The apparatus of claim 3 or 4, wherein the secondary protocol encapsulation employs an encapsulation protocol of over https.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010543491.XA CN111835728B (en) | 2020-06-15 | 2020-06-15 | Method and device for hiding privileges to access real network and protocol |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010543491.XA CN111835728B (en) | 2020-06-15 | 2020-06-15 | Method and device for hiding privileges to access real network and protocol |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111835728A CN111835728A (en) | 2020-10-27 |
CN111835728B true CN111835728B (en) | 2023-09-01 |
Family
ID=72898830
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010543491.XA Active CN111835728B (en) | 2020-06-15 | 2020-06-15 | Method and device for hiding privileges to access real network and protocol |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111835728B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101753531A (en) * | 2008-12-19 | 2010-06-23 | 上海安达通信息安全技术股份有限公司 | Method utilizing https/http protocol to realize encapsulation of IPsec protocol |
CN105323310A (en) * | 2015-09-30 | 2016-02-10 | 深圳市先河系统技术有限公司 | Network communication method, device and network attached storage device |
CN107453861A (en) * | 2016-05-30 | 2017-12-08 | 中国科学院声学研究所 | A collection method based on the SSH2 protocol |
CN109284296A (en) * | 2018-10-24 | 2019-01-29 | 北京云睿科技有限公司 | A PB-scale distributed big-data information storage and retrieval platform |
CN109756501A (en) * | 2019-01-02 | 2019-05-14 | 中国科学院信息工程研究所 | A highly covert network proxy method and system based on the HTTP protocol |
CN110611594A (en) * | 2019-09-23 | 2019-12-24 | 广州海颐信息安全技术有限公司 | Method and device for multiple access and fault switching of main node of privileged system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9282120B2 (en) * | 2013-02-01 | 2016-03-08 | Vidder, Inc. | Securing communication over a network using client integrity verification |
Events
- 2020-06-15: CN application CN202010543491.XA, granted as CN111835728B; status Active
Non-Patent Citations (1)
Title |
---|
A hidden network structure implementation scheme and its security analysis; 韩首魁; 张铮; 苏昆仑; 邰铭; Journal of Information Engineering University (信息工程大学学报), No. 06; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN111835728A (en) | 2020-10-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109688586B (en) | Network function authentication method and device and computer readable storage medium | |
US10498831B2 (en) | Communication sessions at a CoAP protocol layer | |
EP3637844B1 (en) | Data transmission methods, data transmitting end, data receiving end, data transmission system and computer-readable storage media | |
CN101335758B (en) | Method and system for access service in SIM card by dual-processor terminal | |
CN111083102A (en) | Internet of things data processing method, device and equipment | |
EP2627056A1 (en) | Method, gateway, proxy and system for implementing mobile internet services | |
CN106817341B (en) | A SIP throttling transmission system and method for the mobile Internet | |
CN113900429B (en) | Gateway system design method for converting CAN bus into vehicle-mounted Ethernet bus | |
US9756113B2 (en) | Method and apparatus of performing remote command dispatching | |
CN108093041A (en) | Single channel VDI proxy servers and implementation method | |
CN111541718A (en) | Internal and external network interaction method and system of power terminal and data transmission method | |
RU2462746C1 (en) | Control method, device and system | |
CN111835728B (en) | Method and device for hiding privileges to access real network and protocol | |
CN110602112A (en) | MQTT secure data transmission method | |
KR101554760B1 (en) | Network message transformation device and methods thereof | |
CN112235734B (en) | Method, device and equipment for realizing unicast service in broadcast mode | |
CN105897665B (en) | Method for realizing TCP transmission in satellite network environment and corresponding gateway | |
WO2022134089A1 (en) | Method and apparatus for generating security context, and computer-readable storage medium | |
CN105721509A (en) | Server system | |
CN102571717A (en) | M2M (Machine-2-Machine) terminal communication method and system based on primitive | |
CN117527338A (en) | Bidirectional identity enhanced identification method and system in Internet of things application | |
CN114070606B (en) | Network security terminal device based on domestic operating system and working method | |
CN114710568A (en) | Audio and video data communication method, equipment and storage medium | |
CN111770099B (en) | Data transmission method and device, electronic equipment and computer readable medium | |
WO2018112756A1 (en) | User offline method and system, and network device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||