CN112866297A - Method, device and system for processing access data - Google Patents


Info

Publication number
CN112866297A
Authority
CN
China
Prior art keywords
knock
data
packet data
access
port
Prior art date
Legal status
Granted
Application number
CN202110360329.9A
Other languages
Chinese (zh)
Other versions
CN112866297B (en)
Inventor
曾炜
谢晓昕
黄文蕾
刘智彬
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202110360329.9A
Publication of CN112866297A
Application granted
Publication of CN112866297B
Legal status: Active

Classifications

    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security)
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/16 Implementing security features at a particular protocol layer)


Abstract

The invention discloses a method, device and system for processing access data, relating to the field of information security. The method comprises: listening on a DTLS/UDP (Datagram Transport Layer Security over User Datagram Protocol) port and receiving the knock packet data that matches the port protocol, where the knock packet data comprises source address information, the target address information to be accessed, and Transmission Control Protocol (TCP) port information; performing an authentication operation on the knock packet data according to a preset rule, the authentication operation comprising authenticating the access device and the access user corresponding to the source address information; and, in response to the knock packet data passing authentication, opening access control from the source address information to the target address information and the TCP port information, where the TCP port is opened only for the source that passed authentication. The invention can effectively prevent the application port from being scanned and probed, thereby improving network security.

Description

Method, device and system for processing access data
Technical Field
The invention relates to the field of information security, in particular to an access data processing method, device and system.
Background
With the popularization and development of internet technology, internet users and internet applications are increasing, and so are internet attacks. In particular, under the influence of social and economic factors such as the epidemic, remote applications, remote office work and remote access have become the mainstream of internet use, and internet attacks are changing accordingly. An internet attack begins by scanning the service ports of an application or service access platform and then assembling an attack path against the service, for example by exhaustive enumeration. Because a service port has to stay open at all times to provide access to users, the application port information is fully exposed whenever an attacker scans it. The traditional defense has no way to resist the attacker's port scanning and probing: only after the attacker has scanned the service port, collected the application information and launched an attack against the application can the defense react. This passive defense may be disabled by the development and updating of attack behavior, resulting in network security risk.
Disclosure of Invention
Accordingly, the present invention is directed to a method, apparatus and system for processing access data to solve at least one of the problems set forth above.
According to a first aspect of the present invention, there is provided an access data processing method, the method comprising:
receiving, by listening on a DTLS/UDP (Datagram Transport Layer Security over User Datagram Protocol) port, knock packet data corresponding to the port protocol, where the knock packet data comprises: source address information, target address information to be accessed, and Transmission Control Protocol (TCP) port information;
performing an authentication operation on the knock packet data according to a preset rule, where the authentication operation comprises: authenticating the access device and the access user corresponding to the source address information;
and, in response to the knock packet data passing authentication, opening access control from the source address information to the target address information and the TCP port information, where the TCP port is opened only for the source that passed authentication.
According to a second aspect of the present invention there is provided an access data processing apparatus, the apparatus comprising:
a data receiving unit, configured to receive, by listening on a DTLS/UDP port, knock packet data corresponding to the port protocol, where the knock packet data comprises: source address information, target address information to be accessed, and Transmission Control Protocol (TCP) port information;
an authentication unit, configured to perform an authentication operation on the knock packet data according to a predetermined rule, the authentication operation comprising: authenticating the access device and the access user corresponding to the source address information;
and a control unit, configured to open access control from the source address information to the target address information and the TCP port information in response to the knock packet data passing verification, where the TCP port is opened only for the source that passed verification.
According to a third aspect of the present invention there is provided an access data processing system comprising an access data processing apparatus as described above and an access device.
According to a fourth aspect of the present invention, there is provided an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the above method when executing the program.
According to a fifth aspect of the invention, a computer-readable storage medium is provided, on which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method.
According to the above technical scheme, the DTLS/UDP port is monitored to receive the knock packet data corresponding to the port protocol and the data is authenticated; only when the authentication operation passes is access from the source address information to the target address information and TCP port information opened. The application port can thus be effectively prevented from being scanned and probed, and network security is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow diagram of a method of accessing data processing according to an embodiment of the invention;
FIG. 2 is a block diagram of an architecture for accessing a data processing system according to an embodiment of the present invention;
FIG. 3 is a block diagram of an architecture of an access data processing apparatus according to an embodiment of the present invention;
FIG. 4 is an exemplary architecture diagram for accessing a data processing system, in accordance with an embodiment of the present invention;
FIG. 5 is a flow diagram of an access data process based on the system of FIG. 4, according to an embodiment of the present invention;
fig. 6 is a schematic block diagram of a system configuration of an electronic apparatus 600 according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
At present, application port information is fully exposed, and the traditional defense cannot actively resist an attacker's port scanning and probing; it can only passively defend against the attack itself, so the defense may be disabled and create network security risk. To overcome this shortcoming of existing network security defense, the embodiment of the present invention provides an access data processing scheme that blocks the attacker's information collection against the application service port during the scanning and probing stage, before the actual attack occurs. An attacker who cannot learn the application service port cannot probe the application service and cannot attempt attacks on the system, middleware or application logic, so the subsequent targeted attack is avoided. The scheme effectively prevents the application port from being scanned and probed and improves network security. Embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Fig. 1 is a flowchart of an access data processing method according to an embodiment of the present invention, as shown in fig. 1, the method including:
Step 101: receiving, by listening on a DTLS/UDP (Datagram Transport Layer Security over User Datagram Protocol) port, knock packet data corresponding to the port protocol, where the knock packet data comprises: source address information, target address information to be accessed, Transmission Control Protocol (TCP) port information, and an access device identifier.
Step 102: performing an authentication operation on the knock packet data according to a predetermined rule, where the authentication operation comprises authenticating the access device and the access user corresponding to the source address information.
In one embodiment, the knock packet data is a DTLS/UDP SPA (Single Packet Authorization) knock packet.
The authentication operation on the knock packet data specifically comprises: performing SPA authorization information authentication on the knock packet data according to a preset key. In particular, the knock packet data may be decapsulated (decrypted) according to the preset key, and, in response to the decapsulation succeeding, SPA authorization information authentication is performed on the knock packet data.
In the authentication operation, the access device may be authenticated according to the access device identifier in the knock packet data, and the access user may be authenticated according to the source address information.
Step 103: in response to the knock packet data passing verification, opening access control from the source address information to the target address information and the TCP port information, where the TCP port is opened only for the source that passed verification.
In a specific implementation, when the DTLS/UDP port receives data that does not conform to the port protocol, when authentication of the knock packet data fails, or when decapsulation of the knock packet data fails, the data is silently discarded and no response of any kind is sent, so that an attacker can neither collect information from response traffic nor mount a brute-force attack against the port.
From the above, by listening on the DTLS/UDP port to receive the knock packet data corresponding to the port protocol and authenticating that data, access from the source address information to the target address information and TCP port information is opened only when the authentication operation passes, so the application port can be effectively prevented from being scanned and probed and network security is improved.
The embodiment of the invention is based on the DTLS protocol and exploits the fact that UDP has no connection handshake: the server only listens for DTLS/UDP SPA (Single Packet Authorization) knock packets, decapsulates the DTLS-encapsulated UDP packet with the preset key, discards the packet if it cannot be decapsulated or if the decapsulated packet is of the wrong type, and authenticates the SPA authorization information only when the decapsulated packet is well-formed. (A standard DTLS session is otherwise established by a handshake; the single-packet operation described here depends on the key being preset on both client and server so that the knock can be decapsulated without one.)
In actual operation, multiple authentications may be performed on the decapsulated data, and the identities of the device and the user are confirmed from the preset key, the DTLS encryption and the SPA authorization information. The server does not respond to any packet that was not protected with the preset key; only a UDP packet carrying the preset-key protection, the client device identifier, the user's source IP address, the access target and the port is checked for validity. The checks include whether the connecting device and user are authorized, whether the packet is a replay, whether it is forged, whether the user identity verifies, and whether the device identifier verifies. After verification the local firewall policy is updated, and access from the legitimate device to the real application service is opened according to the client information, access target and port in the knock packet. In this way an attacker's scanning and probing of the application service port is prevented and system security is guaranteed to the greatest extent.
Based on similar inventive concepts, the embodiment of the present invention further provides an access data processing system, as shown in fig. 2, the system includes: an access device 1 and an access data processing apparatus 2, wherein the access data processing apparatus 2 is preferably operable to implement the flow of the access data processing method described above.
Fig. 3 is a block diagram showing the structure of the access data processing apparatus 2, and as shown in fig. 3, the access data processing apparatus 2 includes: a data receiving unit 21, an authentication unit 22, and a control unit 23, wherein:
a data receiving unit 21, configured to receive, by listening on a DTLS/UDP port, knock packet data corresponding to the port protocol, where the knock packet data comprises: source address information, target address information to be accessed, and Transmission Control Protocol (TCP) port information.
An authentication unit 22, configured to perform an authentication operation on the knock packet data according to a predetermined rule, the authentication operation comprising authenticating the access device and the access user corresponding to the source address information.
In one embodiment, the knock packet data is a DTLS/UDP SPA (Single Packet Authorization) knock packet, and the knock packet data further comprises an access device identifier.
The authentication unit is specifically configured to perform SPA authorization information authentication on the knock packet data according to a preset key, where the access device is authenticated according to the access device identifier and the access user is authenticated according to the source address information.
In one embodiment, the authentication unit comprises a decapsulation module and an authentication module, where:
the decapsulation module is configured to decapsulate the knock packet data according to the preset key;
and the authentication module is configured to perform SPA authorization information authentication on the knock packet data in response to the decapsulation succeeding.
A control unit 23, configured to open access control from the source address information to the target address information and TCP port information in response to the knock packet data passing authentication, where the TCP port is opened only for the source that passed authentication.
In a specific implementation, the apparatus 2 further comprises a processing unit, configured to silently discard the data, without any response, when the DTLS/UDP port receives data that does not conform to the port protocol, when authentication of the knock packet data fails, or when decapsulation of the knock packet data fails.
As can be seen from the above, the data receiving unit 21 listens on the DTLS/UDP port to receive the knock packet data corresponding to the port protocol, the authentication unit 22 performs the authentication operation on the data, and only when the authentication operation passes does the control unit 23 open access from the source address information to the target address information and TCP port information, so that the application port is effectively prevented from being scanned and probed and network security is improved.
For specific execution processes of the units and the modules, reference may be made to the description in the foregoing method embodiments, and details are not described here again.
In practical operation, the units and the modules may be combined or may be singly arranged, and the present invention is not limited thereto.
For a better understanding of the present invention, embodiments of the present invention are described in detail below in connection with the exemplary system shown in FIG. 4.
FIG. 4 is an exemplary architecture diagram of an access data processing system. As shown in FIG. 4, the system comprises: module 1, a service security access control module; module 2, a verification and evaluation module; and module 3, a dynamic access control module. Each is described below.
Module 1, the service security access control module, listens on a UDP authentication port and accepts only UDP packets encapsulated with the DTLS encryption protocol: the server decapsulates each packet with the preset key and confirms that it is a DTLS-encapsulated UDP packet; if the packet cannot be decapsulated or the decapsulated packet is of the wrong type, it is discarded; if it passes, the SPA authorization information in the packet is further authenticated. This information comprises the access device identifier used by the user, the user's source IP address, the access target, and the port. Because UDP has no connection handshake, module 1 does not respond at all to UDP packets that are not DTLS-encapsulated, so an attacker cannot obtain any information from the listening UDP port.
Module 1 receives the DTLS-encrypted UDP data and passes it to module 2, the verification and evaluation module, which verifies the validity of the data. After the DTLS packet has been opened with the preset key and the type of the decapsulated packet confirmed, the packet contents are verified further. The module judges from the timestamp, the hash value of the data and the cache of already-processed packets whether the packet is a replay; verifies from the SPA information in the packet whether the user identity is authenticated; judges from the user's authentication and authorization and historical access records whether the packet is forged; and verifies from the trusted-device list whether the device identifier used for access belongs to a historically trusted device. If the device is new, device-and-person authentication is performed additionally, for example by SMS verification code. When module 2 fails to verify a packet, the packet is discarded and no feedback is given to the client, so that an attacker cannot collect information from feedback or mount a brute-force attack.
After module 2 has verified the user's DTLS/UDP SPA authentication request, module 3, the dynamic access control module, opens access control from the user's source IP address to the application target and port contained in the authentication packet: after authentication, the local firewall releases access from the user's source IP address to the target system's destination address, and the real application service address and port are opened to that user.
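How module 3 could realise the firewall update it describes, as an added example written for this page and not code from the patent or from ICBC. It keeps a default-deny input chain that admits only loopback, established flows and the knock port, and records each verified (source, target, port) triple in an nftables set with a per-element timeout so that the grant lapses on its own. The table and set names, the knock port 62201, the 300-second lifetime and the exact nft rule wording are assumptions; the command runner is injectable so the grant logic can be exercised without root.

```python
"""Dynamic access control after a verified knock (module 3 / control unit).
Added example, not the patent's code.  Rules are expressed for nftables;
names, knock port, lifetime and rule wording are assumptions."""
import subprocess
import time


class DynamicAccessControl:
    TABLE = "inet spa_knock"              # assumed table name

    def __init__(self, lifetime=300, knock_port=62201, runner=None):
        self.lifetime = lifetime          # seconds a grant stays open (assumed)
        self.knock_port = knock_port      # the DTLS/UDP knock port (assumed)
        self.run = runner if runner is not None else self._nft
        self.grants = {}                  # (src, dst, port) -> expiry, mirror of the kernel set

    @staticmethod
    def _nft(cmd):
        # One nft invocation per command; raises if the kernel rejects the rule.
        subprocess.run(["nft", cmd], check=True)

    def bootstrap(self):
        """Step S1: service TCP ports closed by default, only the knock port open."""
        t = self.TABLE
        cmds = [
            f"add table {t}",
            f"add set {t} granted {{ type ipv4_addr . ipv4_addr . inet_service; flags timeout; }}",
            f"add chain {t} input {{ type filter hook input priority 0; policy drop; }}",
            f"add rule {t} input iif lo accept",
            f"add rule {t} input ct state established,related accept",
            f"add rule {t} input udp dport {self.knock_port} accept",
            f"add rule {t} input ip saddr . ip daddr . tcp dport @granted accept",
        ]
        for c in cmds:
            self.run(c)
        return cmds

    def open(self, src, dst, port, now=None):
        """Step S6: release src -> dst:port for one verified knock; expires in the kernel."""
        now = time.time() if now is None else now
        self.grants[(src, dst, port)] = now + self.lifetime
        cmd = (f"add element {self.TABLE} granted "
               f"{{ {src} . {dst} . {port} timeout {self.lifetime}s }}")
        self.run(cmd)
        return cmd

    def expire(self, now=None):
        """Drop mirror entries the kernel has already timed out; returns them."""
        now = time.time() if now is None else now
        dead = [k for k, e in self.grants.items() if now >= e]
        for k in dead:
            del self.grants[k]
        return dead

    def allowed(self, src, dst, port, now=None):
        """Control-unit bookkeeping view: is this triple currently granted?"""
        self.expire(now)
        return (src, dst, port) in self.grants
```

After bootstrap() nothing but the knock port answers from outside; open() adds the element and the kernel removes it after the timeout, so the mirror kept in grants exists only for the control unit's own bookkeeping, and expire() is run before it is consulted.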
Fig. 5 is a flow chart of access data processing based on the system of fig. 4, and as shown in fig. 5, the flow chart comprises:
Step S1: the service security access control module closes the service TCP port and listens on the DTLS/UDP port;
Step S2: the UDP port receives a request;
Step S3: judge whether the request is a DTLS/UDP SPA request; if yes, proceed to step S5, otherwise proceed to step S4;
Step S4: discard the request;
Step S5: verify whether the request carries the user's preset key, and verify the user identity, whether the request is a replay or a forgery, the device identifier, and so on; if verification passes, proceed to step S6, otherwise proceed to step S4;
Step S6: the dynamic access control module releases access control from the user's source IP to the target system and port.
As can be seen from the above, the embodiment of the present invention provides a system for preventing ports from being scanned and probed, which hides the address and port of the real service behind DTLS/UDP SPA authentication. Through dual authentication of the access device and the user, the user's access request is verified and the application can be accessed only when verification passes, further improving network security.
In actual operation, the source IP and device identifier of an attacker can be traced and blocked in cooperation with conventional network security defense equipment.
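The knock procedure described in steps 101 to 103, in modules 1 and 2 of FIG. 4 and again in steps S1 to S6, as one working client/server pair in Python. This is an added example written for this page, not code from the patent or from ICBC. Where the patent relies on DTLS record protection under a preset key, the example substitutes an encrypt-then-MAC wrapper built from the standard library (HMAC-SHA256 keystream plus HMAC tag) so that it runs offline; a deployment would use a real DTLS implementation. The JSON field names, the 30-second replay window, the requirement that the source address claimed inside the knock match the datagram's actual source, and the sample addresses, user and device identifier are all assumptions of the example.

```python
"""SPA knock over UDP, modelled on steps 101-103 / S1-S6 of the patent.
Added example, not the patent's code.  DTLS record protection is stood in
for by a preset-key encrypt-then-MAC wrapper (HMAC-SHA256 keystream and
HMAC tag) so the example runs offline; use a real DTLS library in practice."""
import hashlib
import hmac
import json
import os
import time

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(psk: bytes):
    # Separate encryption and MAC keys derived from the preset key.
    return (hmac.new(psk, b"enc", hashlib.sha256).digest(),
            hmac.new(psk, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(psk: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag: the stand-in for one DTLS record."""
    nonce = os.urandom(NONCE_LEN)
    enc, mac = _subkeys(psk)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def unseal(psk: bytes, datagram: bytes):
    """Plaintext if the datagram was sealed under psk, otherwise None."""
    if len(datagram) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = datagram[:NONCE_LEN], datagram[NONCE_LEN:-TAG_LEN], datagram[-TAG_LEN:]
    enc, mac = _subkeys(psk)
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


def build_knock(psk, device_id, user, src_ip, dst_ip, tcp_port, now=None):
    """Client side: one datagram carrying the fields the patent lists (JSON layout assumed)."""
    body = {"type": "SPA", "dev": device_id, "user": user, "src": src_ip,
            "dst": dst_ip, "port": tcp_port,
            "ts": int(time.time() if now is None else now),
            "nonce": os.urandom(8).hex()}
    return seal(psk, json.dumps(body, sort_keys=True).encode())


class KnockServer:
    """Server side (modules 1 and 2).  handle() returns (src, dst, port) for the
    dynamic access control or None; it never sends anything back."""

    def __init__(self, psk, trusted_devices, authorized, window=30):
        self.psk = psk
        self.trusted = set(trusted_devices)   # known access device identifiers
        self.authorized = set(authorized)     # (user, dst_ip, tcp_port) triples
        self.window = window                  # seconds of timestamp skew tolerated (assumed)
        self.seen = {}                        # sha256(datagram) -> ts: the replay cache

    def handle(self, src_ip, datagram, now=None):
        now = time.time() if now is None else now
        plain = unseal(self.psk, datagram)
        if plain is None:
            return None                       # not sealed under the preset key: drop silently
        try:
            m = json.loads(plain)
        except ValueError:
            return None
        if not isinstance(m, dict) or m.get("type") != "SPA":
            return None                       # decapsulated packet of the wrong type: drop
        ts = m.get("ts", 0)
        if not isinstance(ts, (int, float)) or abs(now - ts) > self.window:
            return None                       # stale timestamp, outside the replay window
        self.seen = {h: t for h, t in self.seen.items() if now - t <= self.window}
        digest = hashlib.sha256(datagram).hexdigest()
        if digest in self.seen:
            return None                       # exact replay of a datagram already processed
        self.seen[digest] = now
        if m.get("src") != src_ip:
            return None                       # claimed source must match the real source (assumption)
        if m.get("dev") not in self.trusted:
            return None                       # device authentication by identifier
        if (m.get("user"), m.get("dst"), m.get("port")) not in self.authorized:
            return None                       # user not authorized for this target/port
        return (src_ip, m["dst"], m["port"])  # step S6 input for the dynamic access control
```

handle() returns None on every failure path without distinguishing them and without transmitting anything, which is what keeps the listening UDP port indistinguishable from a closed one to a scanner; the replay cache is keyed on the hash of the sealed datagram, so a captured knock re-sent inside the time window is dropped as well.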
The present embodiment also provides an electronic device, which may be a desktop computer, a tablet computer, a mobile terminal, and the like, but is not limited thereto. In this embodiment, the electronic device may be implemented with reference to the above method embodiment and the embodiment of accessing the data processing apparatus/system, and the contents thereof are incorporated herein, and repeated descriptions are omitted.
Fig. 6 is a schematic block diagram of a system configuration of an electronic apparatus 600 according to an embodiment of the present invention. As shown in fig. 6, the electronic device 600 may include a central processor 100 and a memory 140; the memory 140 is coupled to the central processor 100. Notably, this diagram is exemplary; other types of structures may also be used in addition to or in place of the structure to implement telecommunications or other functions.
In one embodiment, the access data processing functions may be integrated into central processor 100. The central processor 100 may be configured to control as follows:
receiving knock packet data corresponding to a user data packet protocol (DTLS UDP) port by monitoring the DTLS UDP port, wherein the knock packet data comprises the following components: source address information, pre-accessed target address information and Transmission Control Protocol (TCP) port information;
and performing authentication operation on the knock packet data according to a preset rule, wherein the authentication operation comprises the following steps: authenticating the access equipment and the access user corresponding to the source address information;
and in response to the passing of the knock packet data authentication, opening the access control of the source address information to the target address information and the TCP port information, wherein the TCP port only opens the access right to the authentication data.
As can be seen from the above description, in the electronic device provided in the embodiment of the present application, the DTLS UDP port is monitored to receive the knock packet data corresponding to the port protocol and perform the authentication operation on the data, and when the authentication operation passes, the access right of the source address information to the destination address information and the TCP port information is opened, so that the application port can be effectively prevented from being scanned and detected, and the network security is improved.
In another embodiment, the access data processing apparatus/system may be configured separately from the central processor 100, for example, the access data processing apparatus/system may be configured as a chip connected to the central processor 100, and the access data processing function is realized by the control of the central processor.
As shown in fig. 6, the electronic device 600 may further include: communication module 110, input unit 120, audio processing unit 130, display 160, power supply 170. It is noted that the electronic device 600 does not necessarily include all of the components shown in FIG. 6; furthermore, the electronic device 600 may also comprise components not shown in fig. 6, which may be referred to in the prior art.
As shown in fig. 6, the central processor 100, sometimes referred to as a controller or operational control, may include a microprocessor or other processor device and/or logic device, the central processor 100 receiving input and controlling the operation of the various components of the electronic device 600.
The memory 140 may be, for example, one or more of a buffer, a flash memory, a hard drive, removable media, volatile memory, non-volatile memory, or other suitable device. It may store the information described above as well as the program that executes it, and the central processor 100 may execute the program stored in the memory 140 to realize information storage or processing.
The input unit 120 provides input to the central processor 100. The input unit 120 is, for example, a key or a touch input device. The power supply 170 is used to provide power to the electronic device 600. The display 160 is used to display an object to be displayed, such as an image or a character. The display may be, for example, an LCD display, but is not limited thereto.
The memory 140 may be a solid state memory such as Read Only Memory (ROM), Random Access Memory (RAM), a SIM card, or the like. There may also be memory that retains information even when power is off, can be selectively erased, and can be supplied with more data; an example of this is sometimes called EPROM or the like. The memory 140 may also be some other type of device. Memory 140 includes buffer memory 141 (sometimes referred to as a buffer). The memory 140 may include an application/function storage section 142, which is used to store application programs and function programs, or a flow for the central processing unit 100 to execute the operation of the electronic device 600.
The memory 140 may also include a data store 143, the data store 143 for storing data, such as contacts, digital data, pictures, sounds, and/or any other data used by the electronic device. The driver storage portion 144 of the memory 140 may include various drivers of the electronic device for communication functions and/or for performing other functions of the electronic device (e.g., messaging application, address book application, etc.).
The communication module 110 is a transmitter/receiver 110 that transmits and receives signals via an antenna 111. The communication module (transmitter/receiver) 110 is coupled to the central processor 100 to provide an input signal and receive an output signal, which may be the same as in the case of a conventional mobile communication terminal.
Based on different communication technologies, a plurality of communication modules 110, such as a cellular network module, a bluetooth module, and/or a wireless local area network module, may be provided in the same electronic device. The communication module (transmitter/receiver) 110 is also coupled to a speaker 131 and a microphone 132 via an audio processor 130 to provide audio output via the speaker 131 and receive audio input from the microphone 132 to implement general telecommunications functions. Audio processor 130 may include any suitable buffers, decoders, amplifiers and so forth. In addition, an audio processor 130 is also coupled to the central processor 100, so that recording on the local can be enabled through a microphone 132, and so that sound stored on the local can be played through a speaker 131.
Embodiments of the present invention further provide a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to implement the steps of the above-mentioned access data processing method.
In summary, addressing a deficiency of existing network security defenses, the embodiments of the present invention provide a solution for preventing port scanning and probing: a method that blocks the information-gathering behavior against application service ports during an attacker's scanning and probing phase, before any actual attack takes place. The embodiments thus prevent an attacker from scanning and probing the application service ports and protect the security of the system to the greatest extent possible.
The preferred embodiments of the present invention have been described above with reference to the accompanying drawings. The many features and advantages of the embodiments are apparent from the detailed specification, and thus, it is intended by the appended claims to cover all such features and advantages of the embodiments which fall within the true spirit and scope thereof. Further, since numerous modifications and changes will readily occur to those skilled in the art, it is not desired to limit the embodiments of the invention to the exact construction and operation illustrated and described, and accordingly, all suitable modifications and equivalents may be resorted to, falling within the scope thereof.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principle and the implementation mode of the invention are explained by applying specific embodiments in the invention, and the description of the embodiments is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (11)

1. An access data processing method, the method comprising:
receiving, by monitoring a DTLS User Datagram Protocol (DTLS UDP) port, knock packet data corresponding to the DTLS UDP port, wherein the knock packet data comprises: source address information, target address information to be accessed, and Transmission Control Protocol (TCP) port information;
performing an authentication operation on the knock packet data according to a predetermined rule, wherein the authentication operation comprises: authenticating the access device and the access user corresponding to the source address information; and
in response to the knock packet data passing authentication, opening access control from the source address information to the target address information and the TCP port information, wherein the TCP port opens access rights only to authenticated data.
2. The method of claim 1, wherein the knock packet data is DTLS UDP single packet authorization (SPA) knock packet data, the knock packet data further comprises an access device identifier, and performing the authentication operation on the knock packet data according to the predetermined rule comprises:
performing SPA authorization information authentication on the knock packet data according to a preset key, wherein the access device is authenticated according to the access device identifier, and the access user is authenticated according to the source address information.
3. The method of claim 2, wherein performing the SPA authorization information authentication on the knock packet data according to the preset key comprises:
unpacking the knock packet data according to the preset key; and
in response to the unpacking operation succeeding, performing the SPA authorization information authentication on the knock packet data.
4. The method of claim 3, further comprising:
performing only a data discard operation in response to the DTLS UDP port receiving data that does not conform to the port protocol, in response to authentication of the knock packet data failing, or in response to unpacking of the knock packet data failing.
5. An access data processing apparatus, the apparatus comprising:
a data receiving unit, configured to receive, by monitoring a DTLS User Datagram Protocol (DTLS UDP) port, knock packet data corresponding to the port protocol, wherein the knock packet data comprises: source address information, target address information to be accessed, and Transmission Control Protocol (TCP) port information;
an authentication unit, configured to perform an authentication operation on the knock packet data according to a predetermined rule, the authentication operation comprising: authenticating the access device and the access user corresponding to the source address information; and
a control unit, configured to open, in response to the knock packet data passing authentication, access control from the source address information to the target address information and the TCP port information, wherein the TCP port opens access rights only to authenticated data.
6. The apparatus of claim 5, wherein the knock packet data is DTLS UDP single packet authorization (SPA) knock packet data, the knock packet data further comprises an access device identifier, and the authentication unit is specifically configured to:
perform SPA authorization information authentication on the knock packet data according to a preset key, wherein the access device is authenticated according to the access device identifier, and the access user is authenticated according to the source address information.
7. The apparatus according to claim 6, wherein the authentication unit comprises:
an unpacking module, configured to unpack the knock packet data according to the preset key; and
an authentication module, configured to perform the SPA authorization information authentication on the knock packet data in response to the unpacking operation succeeding.
8. The apparatus of claim 7, further comprising:
a processing unit, configured to perform only a data discard operation in response to the DTLS UDP port receiving data that does not conform to the port protocol, in response to authentication of the knock packet data failing, or in response to unpacking of the knock packet data failing.
9. An access data processing system, the system comprising: the access data processing apparatus according to any one of claims 5 to 8, and an access device.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method of any of claims 1 to 4 are implemented when the processor executes the program.
11. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 4.
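The knock handling of claims 1 to 4, as an added example that is not the patent's own code: a single-packet authorization handler that unpacks a knock datagram with a preset key, authenticates the device identifier and the source address, opens an access rule from the source to the requested target address and TCP port, and silently discards everything else. The JSON body and the HMAC-SHA256 seal are assumptions standing in for the packing scheme the claims leave unspecified, and the device registry and user mapping are constructed for the demonstration.

```python
import hashlib, hmac, ipaddress, json
from dataclasses import dataclass
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 tag appended to the knock body (assumed format)

@dataclass(frozen=True)
class AccessRule:  # access opened from one source address to one target:port
    src_ip: str
    dst_ip: str
    tcp_port: int

class KnockHandler:
    """Server side listening on the DTLS UDP knock port (claims 1 to 4)."""
    def __init__(self, key: bytes, known_devices: set, known_users: dict):
        self.key = key                      # preset key shared with clients
        self.known_devices = known_devices  # registered access device identifiers
        self.known_users = known_users      # source IP -> registered user (constructed)
        self.open_rules = []                # access control entries opened so far

    def unpack(self, datagram: bytes) -> Optional[dict]:
        """Claim 3: unpack with the preset key; None means the unpack failed."""
        if len(datagram) <= TAG_LEN:
            return None
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        try:
            fields = json.loads(body.decode("utf-8"))
            ipaddress.ip_address(fields["src_ip"])
            ipaddress.ip_address(fields["dst_ip"])
            fields["tcp_port"] = int(fields["tcp_port"])
        except (UnicodeDecodeError, ValueError, KeyError, TypeError):
            return None
        if "device_id" not in fields or not 0 < fields["tcp_port"] < 65536:
            return None
        return fields

    def authenticate(self, fields: dict) -> bool:
        """Claim 2: device by its identifier, user by the source address."""
        return (fields["device_id"] in self.known_devices
                and fields["src_ip"] in self.known_users)

    def handle(self, datagram: bytes) -> Optional[AccessRule]:
        """Claim 4: anything that fails is silently discarded (no reply sent)."""
        fields = self.unpack(datagram)
        if fields is None or not self.authenticate(fields):
            return None
        rule = AccessRule(fields["src_ip"], fields["dst_ip"], fields["tcp_port"])
        self.open_rules.append(rule)
        return rule

def build_knock(key: bytes, src_ip: str, dst_ip: str, tcp_port: int,
                device_id: str) -> bytes:
    """Client side: pack the knock fields and seal them with the preset key."""
    body = json.dumps({"src_ip": src_ip, "dst_ip": dst_ip, "tcp_port": tcp_port,
                       "device_id": device_id}, sort_keys=True).encode("utf-8")
    return body + hmac.new(key, body, hashlib.sha256).digest()
```

Because every failure path returns the same result as an unrelated datagram, a scanner probing the UDP port learns nothing about whether a knock service exists, which is the point of claim 4.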
Priority Applications (1)

Application Number Priority Date Filing Date Title Status
CN202110360329.9A CN112866297B (en) 2021-04-02 2021-04-02 Method, device and system for processing access data Active

Publications (2)

Publication Number Publication Date
CN112866297A true CN112866297A (en) 2021-05-28
CN112866297B CN112866297B (en) 2023-02-24

Family

ID=75992051

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant