CN113079180A - Execution context based firewall fine-grained access control method and system - Google Patents


Info

Publication number
CN113079180A
Authority
CN
China
Prior art keywords
access control
execution context
information
firewall
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110424080.3A
Other languages
Chinese (zh)
Other versions
CN113079180B (en)
Inventor
刘颖
范渊
吴永越
郑学新
刘韬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu DBAPPSecurity Co Ltd
Original Assignee
Chengdu DBAPPSecurity Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
2021-04-20
Publication date
2021-07-06
Application filed by Chengdu DBAPPSecurity Co Ltd
Priority to CN202110424080.3A
Publication of CN113079180A
Application granted
Publication of CN113079180B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses a firewall fine-grained access control method and system based on execution context. An agent installed on the terminal collects the execution context information, so that firewall access control can be performed at a finer granularity; in particular, even when the network or the terminal has been compromised, possible attack behaviour can still be detected effectively, the detection accuracy of the firewall is greatly improved, and the method and system have better practicability.

Description

Execution context based firewall fine-grained access control method and system
Technical Field
The invention belongs to the technical field of data security protection, and particularly relates to a firewall fine-grained access control method and system based on execution context.
Background
A network firewall is deployed on the network boundary, inspects the data packets that flow through it, and blocks or passes them. In general firewall access control technology the minimum granularity of access control is a host (identified by a network address such as an IP address or a MAC address), and a security policy can block or pass the access of a certain host to a certain application. Such a policy, however, cannot precisely block or pass access from a certain user of a certain host. With fine-grained access control the minimum granularity can be the user (for example a user name), so that the security policy can be more precise.
An existing network firewall determines whether a packet is abnormal traffic by analysing the packets flowing through it, for example rejecting packets from source IP address 1.1.1.1 addressed to destination address 2.2.2.2 on TCP port 80. As attacks become more complex, however, this kind of protection has significant limitations. For example, an attacker may forge the source IP address by means such as ARP spoofing and thereby bypass the check of the firewall described above. The firewall therefore needs to know whether a piece of data really comes from a given device rather than from a device impersonating it. In addition, an attacker may directly compromise the target device and launch the attack from the real target device; to defend against such an attack the firewall needs to know the context in which a given piece of data was sent, such as the process, the thread and the call stack that sent it. Since normal data carries no execution context information, such fine-grained access control is impossible in a conventional firewall.
In view of the above shortcomings, the present invention collects the execution context information through an agent program installed on the terminal. On the terminal this information is complete: any network access is necessarily performed by a certain user on the operating system by executing a certain program, and although this information does not appear in the application traffic, the agent can obtain it.
The invention also provides a method of encapsulating the execution context information together with the user data in a tunnel and sending them together, so that after decapsulating the tunnel the firewall receives the user data and the execution context at the same time, knows which user, which process and which device sent a given piece of user data, and can perform fine-grained access control.
Disclosure of Invention
The invention aims to provide a firewall fine-grained access control method based on execution context that solves the above problems.
The invention also aims to provide a firewall fine-grained access control system based on execution context, so as to realise more precise fine-grained access control.
The invention is mainly realised by the following technical scheme: in a firewall fine-grained access control method based on execution context, an agent deployed on a terminal intercepts a data sending request, obtains the execution context information of the data sender and injects that information into the normal data by means of a tunnel; the firewall end obtains the execution context information by decapsulating the tunnel and analyses the normal data together with its corresponding execution context information to perform fine-grained access control.
In order to better implement the present invention, further, the execution context information includes any one or more of device information, user information, process information and call stack information; the device information uniquely identifies one device, the user information determines the user sending the current data, the process information identifies the program sending the current data, and the call stack information distinguishes whether a malicious program is sending the data by way of code injection.
In order to better implement the present invention, further, the device information includes a device ID and/or a device fingerprint, the user information includes a user ID and/or a user group ID, and the process information includes any one or more of a process name, a process ID and a process executable file.
In order to better implement the present invention, further, the agent is deployed in the kernel layer of the operating system of the terminal device; the agent intercepts message transmission through a hook function, collects the current execution context information, encapsulates the current execution context information and the normal message in different tunnels, and finally invokes the original message transmission function to complete the transmission.
In order to better implement the present invention, further, after the firewall end receives the data, it first splits the received data into the different tunnels, then separates the normal data and the corresponding execution context information from the tunnels, and the access control engine identifies the attack according to the corresponding access control rule.
The invention is mainly realised by the following technical scheme: a firewall fine-grained access control system based on execution context comprises an agent deployed on a terminal, wherein the agent comprises a message sending hook function module and a context acquisition module, and a firewall end comprises a tunnel decapsulation module and an access control engine; the message sending hook function module intercepts a message, collects the current execution context information through the context acquisition module, encapsulates the current execution context information and the normal message in different tunnels, and finally calls the original message sending function to finish sending the message; the tunnel decapsulation module decapsulates the received data to obtain the normal data message and the corresponding execution context information, and the access control engine performs the corresponding identification according to a fine-grained access control rule.
The fine-grained access control rule of the invention includes not only the information used by traditional firewalls, such as source address and destination address, but also execution context information such as device information, user information, process information and call stack information. Thus, finer-grained access control can be performed against increasingly complex attack behaviour.
The invention has the following beneficial effects:
according to the firewall access control method and system, the execution context information is collected by the agent installed on the terminal, so that firewall access control can be performed at a finer granularity; in particular, even when the network or the terminal has been compromised, possible attack behaviour can still be detected effectively, the detection accuracy of the firewall is greatly improved, and the method and system have better practicability.
Drawings
FIG. 1 is a schematic diagram of prior art data transmission;
FIG. 2 is a schematic diagram of data transmission according to the present invention;
FIG. 3 is a schematic diagram of the firewall side parsing the data.
Detailed Description
Example 1:
In a firewall fine-grained access control method based on execution context, an agent deployed on a terminal intercepts a data sending request, obtains the execution context information of the data sender and injects that information into the normal data by means of a tunnel; the firewall end obtains the execution context information by decapsulating the tunnel and analyses the normal data together with its corresponding execution context information to perform fine-grained access control.
According to this method and system, the execution context information is collected by the agent installed on the terminal, so that firewall access control can be performed at a finer granularity; in particular, even when the network or the terminal has been compromised, possible attack behaviour can still be detected effectively, the detection accuracy of the firewall is greatly improved, and the method and system have better practicability.
Example 2:
This embodiment is an optimisation of embodiment 1, in which the execution context information includes any one or more of device information, user information, process information and call stack information; the device information uniquely identifies one device, the user information determines the user sending the current data, the process information identifies the program sending the current data, and the call stack information distinguishes whether a malicious program is sending the data by way of code injection.
Further, the device information includes a device ID and/or a device fingerprint, the user information includes a user ID and/or a user group ID, and the process information includes any one or more of a process name, a process ID and a process executable file.
The other parts of this embodiment are the same as in embodiment 1 and are therefore not described again.
Example 3:
This embodiment is an optimisation of embodiment 1 or 2. As shown in FIG. 2 and FIG. 3, the agent is deployed in the kernel layer of the operating system of the terminal device; the agent intercepts packet transmission through a hook function, collects the current execution context information, encapsulates the current execution context information and the normal packet in different tunnels, and finally invokes the original packet transmission function to complete the transmission.
Furthermore, after the firewall side receives the data, it first splits the received data into the different tunnels, then separates the normal data and the corresponding execution context information from the tunnels, and the access control engine identifies attacks according to the corresponding access control rules.
According to this method and system, the execution context information is collected by the agent installed on the terminal, so that firewall access control can be performed at a finer granularity; in particular, even when the network or the terminal has been compromised, possible attack behaviour can still be detected effectively, the detection accuracy of the firewall is greatly improved, and the method and system have better practicability.
The rest of this embodiment is the same as embodiment 1 or 2 and is therefore not described again.
Example 4:
A firewall fine-grained access control system based on execution context, as shown in FIG. 2 and FIG. 3, comprises an agent deployed on a terminal, wherein the agent comprises a message sending hook function module and a context acquisition module, and the firewall end comprises a tunnel decapsulation module and an access control engine; the message sending hook function module intercepts a message, collects the current execution context information through the context acquisition module, encapsulates the current execution context information and the normal message in different tunnels, and finally calls the original message sending function to finish sending the message; the tunnel decapsulation module decapsulates the received data to obtain the normal data message and the corresponding execution context information, and the access control engine performs the corresponding identification according to a fine-grained access control rule.
Comparing FIG. 1 and FIG. 2, the present invention collects the execution context information through the agent installed on the terminal and can therefore perform firewall access control at a finer granularity; in particular, even when the network or the terminal has been compromised, it can still detect possible attack behaviour effectively, greatly improve the accuracy of firewall detection, and has better practicability.
Example 5:
In a firewall fine-grained access control method based on execution context, an agent deployed on the terminal intercepts a data sending request, acquires the execution context information of the data sender and injects that information into the normal data by means of a tunnel. The firewall end obtains the execution context information by opening the tunnel, and analyses the normal data together with its corresponding execution context information to perform fine-grained access control.
Comparing FIG. 1 and FIG. 2: an agent program is installed on the terminal; when data is sent, the agent obtains the current execution context and injects the execution context data into the normal data; when the firewall inspects the data, the normal data and the execution context are separated, malicious attacks are detected and blocked, and harmless data is passed.
The execution context information that the agent of the present invention needs to collect includes, but is not limited to, the following:
The device information, including a device ID, a device fingerprint and the like, uniquely identifies a device.
The user information, including a user ID, a user group ID and the like, identifies which user is sending the current data.
The process information, including a process name, a process ID, a process executable file and the like, identifies which program is sending the current data.
The call stack information is the state of the call stack (callstack) at the time the data is sent, and can be used to distinguish whether a malicious program is sending the data by means of code injection.
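As an added example (not the patent's own code, and not a method the patent describes in detail), the following Python snippet shows one way the call stack information could be used to distinguish sends made by injected code: the agent records each return address together with the mapped executable image that contains it, and the firewall-side rule flags any frame that belongs to no mapped image. The module map, the addresses, the function names and the heuristic itself are constructed assumptions; the patent only states that call stack information serves this purpose.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    """An executable image mapped in the sending process (constructed data)."""
    path: str
    start: int
    end: int  # exclusive

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


def module_for(addr: int, modules: List[Module]) -> Optional[str]:
    """Agent side: attribute one return address to the image that contains it."""
    for m in modules:
        if m.contains(addr):
            return m.path
    return None


def collect_callstack(return_addrs: List[int],
                      modules: List[Module]) -> List[Tuple[int, Optional[str]]]:
    """Agent side: the call stack information carried in the context tunnel.
    Each frame is (address, module path) or (address, None) if no mapped image
    holds that address."""
    return [(addr, module_for(addr, modules)) for addr in return_addrs]


def injection_reasons(callstack: List[Tuple[int, Optional[str]]]) -> List[str]:
    """Firewall side: a frame that belongs to no mapped image means send() was
    reached from memory the loader never mapped, the usual footprint of
    injected code. Returns the reasons found; an empty list means clean."""
    return [f"frame {addr:#x} is outside every mapped module"
            for addr, path in callstack if path is None]


# Constructed module map of a browser process (addresses are made up).
MODULES = [
    Module("/usr/lib/libc.so.6", 0x7F0000000000, 0x7F0000200000),
    Module("/usr/bin/browser", 0x555555550000, 0x555555650000),
]

# Constructed return addresses: the benign stack runs browser -> libc send();
# the second stack passes through an address in an anonymous region.
BENIGN_STACK = [0x7F0000012345, 0x5555555A0100, 0x555555560040]
INJECTED_STACK = [0x7F0000012345, 0x7F12AB000C00, 0x5555555A0100]


def demo() -> dict:
    """Run the check over both constructed stacks."""
    return {
        "benign": injection_reasons(collect_callstack(BENIGN_STACK, MODULES)),
        "injected": injection_reasons(collect_callstack(INJECTED_STACK, MODULES)),
    }


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "clean" if not reasons else reasons)
```

A frame in an anonymous region is only one signal; a practitioner would combine it with the process and user fields before blocking. Note that the module map has to be gathered by the agent, since only the agent can see the sending process's memory layout; the firewall receives the already attributed frames.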
The agent is deployed in the kernel layer of the terminal device's operating system; when data is sent, the agent gains control and collects the current execution context information. The agent kernel module intercepts message transmission through a hook function, obtains the current execution context through the context acquisition module, encapsulates the current execution context and the normal message in different tunnels, and finally calls the original message transmission function to complete the transmission.
After receiving the data, the firewall first has to split the received data into the different tunnels and then separate the normal data and the corresponding execution context information from the tunnels. The access control engine then identifies possible attacks according to the corresponding access control rules.
The fine-grained access control rule includes not only the information used by traditional firewalls, such as source address and destination address, but also execution context information such as device information, user information, process information and call stack information. Thus, finer-grained access control can be performed against increasingly complex attack behaviour.
According to this method and system, the execution context information is collected by the agent installed on the terminal, so that firewall access control can be performed at a finer granularity; in particular, even when the network or the terminal has been compromised, possible attack behaviour can still be detected effectively, the detection accuracy of the firewall is greatly improved, and the method and system have better practicability.
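The following Python program is an added example, not code from the patent or from Chengdu DBAPPSecurity; it models the scheme described in the Disclosure of Invention and in this embodiment end to end. The agent encapsulates the execution context and the application payload in two separate tunnels of one frame; the firewall side decapsulates the frame, checks that the source address really belongs to the device that sent it, and evaluates rules that match on device, user and process fields as well as on addresses. The frame layout, the tunnel type values, the JSON encoding of the context, the device binding table, the rule syntax and every address, ID and path are assumptions constructed for the example; the patent specifies none of them.

```python
import json
import struct
from dataclasses import dataclass, asdict
from typing import Optional

# Tunnel type tags; the values are assumptions made for this example.
TUNNEL_CONTEXT, TUNNEL_DATA = 1, 2

# Constructed binding table: the device ID expected behind each source address
# (an assumed way of letting the firewall know which device an address belongs to).
DEVICE_BINDINGS = {"10.0.0.5": "dev-a1f3"}


@dataclass
class ExecutionContext:
    """Context fields the patent lists; the attribute names are assumed."""
    device_id: str
    device_fingerprint: str
    user_id: int
    group_id: int
    process_name: str
    process_id: int
    process_exe: str


def encapsulate(ctx: ExecutionContext, payload: bytes) -> bytes:
    """Agent side: one frame holding two tunnels, each [type:1][len:4][body]."""
    ctx_body = json.dumps(asdict(ctx), sort_keys=True).encode()
    frame = b""
    for ttype, body in ((TUNNEL_CONTEXT, ctx_body), (TUNNEL_DATA, payload)):
        frame += struct.pack("!BI", ttype, len(body)) + body
    return frame


def decapsulate(frame: bytes):
    """Firewall side: split the frame into its tunnels; reject malformed frames."""
    parts, off = {}, 0
    while off < len(frame):
        if off + 5 > len(frame):
            raise ValueError("truncated tunnel header")
        ttype, length = struct.unpack_from("!BI", frame, off)
        off += 5
        if off + length > len(frame):
            raise ValueError("truncated tunnel body")
        parts[ttype] = frame[off:off + length]
        off += length
    if TUNNEL_CONTEXT not in parts or TUNNEL_DATA not in parts:
        raise ValueError("frame lacks a context or data tunnel")
    return ExecutionContext(**json.loads(parts[TUNNEL_CONTEXT])), parts[TUNNEL_DATA]


@dataclass
class Rule:
    """Matches on classic address fields and on context fields; None is a wildcard."""
    action: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    device_id: Optional[str] = None
    user_id: Optional[int] = None
    process_exe: Optional[str] = None

    def matches(self, src_ip, dst_ip, dst_port, ctx: ExecutionContext) -> bool:
        pairs = [(self.src_ip, src_ip), (self.dst_ip, dst_ip),
                 (self.dst_port, dst_port), (self.device_id, ctx.device_id),
                 (self.user_id, ctx.user_id), (self.process_exe, ctx.process_exe)]
        return all(want is None or want == got for want, got in pairs)


def evaluate(rules, src_ip, dst_ip, dst_port, frame: bytes) -> str:
    """Access control engine: decapsulate, check the device binding, first rule wins."""
    ctx, _payload = decapsulate(frame)
    if DEVICE_BINDINGS.get(src_ip) != ctx.device_id:
        return "deny"  # source address does not belong to the device that sent it
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dst_port, ctx):
            return rule.action
    return "deny"  # default deny


RULES = [
    Rule("deny", process_exe="/tmp/unknown-tool"),  # block one program on the host
    Rule("deny", user_id=1002),                      # block one user of the host
    Rule("allow", src_ip="10.0.0.5", dst_ip="10.0.0.9", dst_port=80),
]


def demo() -> dict:
    """Four constructed sends from host 10.0.0.5 to 10.0.0.9:80."""
    base = dict(device_id="dev-a1f3", device_fingerprint="fp-7c2e", group_id=100,
                process_name="browser", process_id=4242, process_exe="/usr/bin/browser")
    cases = {
        "alice_browser": ExecutionContext(user_id=1001, **base),
        "bob_browser": ExecutionContext(user_id=1002, **base),
        "alice_tool": ExecutionContext(**{**base, "user_id": 1001,
                                          "process_name": "unknown-tool",
                                          "process_exe": "/tmp/unknown-tool"}),
        "forged_address": ExecutionContext(**{**base, "user_id": 1001, "device_id": "dev-ffff"}),
    }
    payload = b"GET / HTTP/1.1\r\n\r\n"
    return {name: evaluate(RULES, "10.0.0.5", "10.0.0.9", 80, encapsulate(ctx, payload))
            for name, ctx in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the file prints one verdict per case: the same host address is allowed for one user's browser, denied for a second user of the same host, denied for an unknown program run by the first user, and denied when the claimed device ID does not match the one bound to the source address. A host-granularity rule alone could not separate the first three cases. Default deny applies when no rule matches, and a truncated frame is rejected before any rule runs.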
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and all simple modifications and equivalent variations of the above embodiments according to the technical spirit of the present invention are included in the scope of the present invention.

Claims (6)

1. A firewall fine-grained access control method based on execution context, characterized in that an agent deployed on a terminal intercepts a data sending request to obtain the execution context information of the data sender, the information is injected into the normal data by means of a tunnel, the firewall side obtains the execution context information by decapsulating the tunnel, and the normal data and the corresponding execution context information are analysed to perform fine-grained access control.
2. The firewall fine-grained access control method based on execution context according to claim 1, characterized in that the execution context information includes any one or more of device information, user information, process information and call stack information; the device information uniquely identifies one device, the user information determines the user sending the current data, the process information identifies the program sending the current data, and the call stack information distinguishes whether a malicious program is sending the data by way of code injection.
3. The firewall fine-grained access control method based on execution context according to claim 2, characterized in that the device information comprises a device ID and/or a device fingerprint, the user information comprises a user ID and/or a user group ID, and the process information comprises any one or more of a process name, a process ID and a process executable file.
4. The firewall fine-grained access control method based on execution context according to any one of claims 1 to 3, characterized in that the agent is deployed in the kernel layer of the operating system of the terminal device; the agent intercepts packet transmission through a hook function, collects the current execution context information, encapsulates the current execution context information and the normal packet in different tunnels, and finally invokes the original packet transmission function to complete the transmission.
5. The firewall fine-grained access control method based on execution context according to claim 4, characterized in that after receiving the data, the firewall splits the received data into the different tunnels, then separates the normal data and the corresponding execution context information from the tunnels, and the access control engine identifies the attack according to the corresponding access control rules.
6. A firewall fine-grained access control system based on execution context, characterized in that it comprises an agent deployed on a terminal, wherein the agent comprises a message sending hook function module and a context acquisition module, and the firewall end comprises a tunnel decapsulation module and an access control engine; the message sending hook function module intercepts a message, collects the current execution context information through the context acquisition module, encapsulates the current execution context information and the normal message in different tunnels, and finally calls the original message sending function to finish sending the message; the tunnel decapsulation module decapsulates the received data to obtain the normal data message and the corresponding execution context information, and the access control engine performs the corresponding identification according to a fine-grained access control rule.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110424080.3A CN113079180B (en) 2021-04-20 2021-04-20 Execution context based firewall fine-grained access control method and system


Publications (2)

Publication Number Publication Date
CN113079180A true CN113079180A (en) 2021-07-06
CN113079180B CN113079180B (en) 2023-03-10

Family

ID=76618356


Country Status (1)

Country Link
CN (1) CN113079180B (en)



Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102447627A (en) * 2011-12-05 2012-05-09 上海顶竹通讯技术有限公司 Message encapsulation/decapsulation device and method
CN107005555A (en) * 2014-12-02 2017-08-01 Nicira股份有限公司 Context-aware distributed firewall
CN104394175A (en) * 2014-12-17 2015-03-04 中国人民解放军国防科学技术大学 Message access control method based on network marking
CN106302371A (en) * 2015-06-12 2017-01-04 北京网御星云信息技术有限公司 Firewall control method and system based on a subscriber service system
US20180183759A1 (en) * 2016-12-22 2018-06-28 Nicira, Inc. Context based firewall services for data message flows for multiple concurrent users on one machine
CN110226155A (en) * 2016-12-22 2019-09-10 Nicira股份有限公司 Collecting and processing context attributes on a host
CN107317816A (en) * 2017-07-05 2017-11-03 北京信息职业技术学院 Network access control method differentiated by client application
US20190132289A1 (en) * 2017-10-31 2019-05-02 Cisco Technology, Inc. Application-context-aware firewall

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘毅: "Research on information-centric network firewall technology based on fog computing", 《中国工程科学》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116668164A (en) * 2023-06-26 2023-08-29 中国电子信息产业集团有限公司第六研究所 Industrial firewall security isolation detection processing method, system and storage medium
CN116668164B (en) * 2023-06-26 2024-01-02 中国电子信息产业集团有限公司第六研究所 Industrial firewall security isolation detection processing method, system and storage medium

Also Published As

Publication number Publication date
CN113079180B (en) 2023-03-10


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant