CN113783897B - Cross-network access process flow management method, system, equipment and medium - Google Patents


Info

Publication number: CN113783897B
Authority: CN (China)
Prior art keywords: data packet, information, trusted, credible, layer
Legal status: Active
Application number: CN202111331194.XA
Other languages: Chinese (zh)
Other versions: CN113783897A
Inventors: 张志宇, 何艺, 陈洪国
Current assignee: Beijing Zhian Technology Co ltd
Original assignee: Beijing Zhian Technology Co ltd

Application filed by Beijing Zhian Technology Co ltd
Priority to CN202111331194.XA
Publication of CN113783897A
Application granted
Publication of CN113783897B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0272: Virtual private networks
    • H04L63/0281: Proxies

Abstract

The embodiment of the invention discloses a cross-network access process traffic management method, system, device and medium. The application layer monitors process start and stop and judges whether each process is trusted; the WFP driver layer monitors the establishment and release of all process network connections without filtering; and the NDIS driver layer filters the data packets passing through the virtual network adapter and passes only trusted traffic. By adopting a dynamic trusted-traffic proxy, unsafe traffic can be effectively blocked and attack events against the protected network are reduced. Dynamic policy updating obtains the latest security policy in time and fits well with security emergency response work.

Description

Cross-network access process flow management method, system, equipment and medium
Technical Field
The embodiment of the invention relates to the technical field of trusted traffic proxy design, and in particular to a cross-network access process traffic management method, system, device and medium.
Background
Enterprises and public institutions build multiple networks to protect important data, achieving blocking through network isolation; resources still need to be accessed across these networks for many purposes, and many enterprises do so through traffic proxies.
OpenVPN is an application-layer VPN implementation based on the OpenSSL library. Its technical core is the implementation of a virtual network adapter and the SSL protocol. It provides a tunnel for secure data transfer between enterprises, or between individuals and companies, through a virtual private channel.
The Windows version forwards traffic through an NDIS virtual network adapter and routing policy. Its defect is that all traffic routed to the virtual network adapter is forwarded, so access to the isolated network by dangerous processes cannot be effectively controlled.
Disclosure of Invention
Therefore, embodiments of the present invention provide a method, system, device and medium for cross-network access process traffic management, to solve the problem of how to dynamically identify and block illegal process traffic from reaching an isolated network through a proxy, while the application layer raises an alarm when untrusted process traffic passes through the proxy.
In order to achieve the above object, the embodiments of the present invention provide the following technical solutions:
according to a first aspect of an embodiment of the present invention, a method for cross-network access process traffic management is provided, where the method includes:
the server dynamically issues a policy set to the application layer;
when the application program receives a process creation event, it identifies whether the process is trusted using the rules in the policy set; if the process is trusted, the process ID and the process trusted state are sent down to notify the WFP driver layer;
when a process initiates a connection or receives data, the WFP driver layer captures the tuple information of the first data packet of the connection and uses the notification information issued by the application layer to make a trust judgment on the first-packet tuple; if the tuple is trusted, the trusted tuple information is passed to the NDIS driver layer;
when a data packet is routed to the NDIS driver layer, the trusted tuple information is used to judge whether the captured packet is trusted; if the packet is trusted, it is passed and forwarded to the proxy server through the VPN tunnel; if the packet is untrusted, it is discarded.
Further, making the trust judgment on the first-packet tuple using the notification information issued by the application layer includes:
establishing a correspondence between process ID and process trusted state, and maintaining a trusted state list A in the WFP driver layer;
comparing the process ID in the first-packet tuple information with all process IDs in trusted state list A, where the first-packet tuple information includes: source IP address, destination IP address, source port, destination port, process ID and process path;
if the process ID in the first-packet tuple information exists in trusted state list A, the tuple is trusted; otherwise it is untrusted.
Preferably, judging whether the captured data packet is trusted using the trusted tuple information includes:
incrementally adding trusted tuple information in the NDIS driver layer, and maintaining a trusted packet tuple list B;
comparing the four-tuple information of the captured packet with all trusted tuple information in trusted packet tuple list B;
if the four-tuple of the captured packet exists in trusted packet tuple list B, the packet is trusted; otherwise it is untrusted;
the four-tuple information comprises: source IP address, destination IP address, source port and destination port.
Preferably, the method further comprises:
if the first-packet tuple is untrusted, the WFP driver layer reports the untrusted tuple information to the application layer;
the application layer extracts first untrusted four-tuple information from the untrusted tuple information, builds a correspondence between that four-tuple and the process information, and maintains an untrusted packet four-tuple and process information list C;
if a data packet is untrusted, the NDIS driver layer reports second untrusted four-tuple information to the application layer;
the application layer traces the source of the untrusted packet by comparing the second untrusted four-tuple with all first untrusted four-tuples in list C; if the second untrusted four-tuple equals any of them, an interface alarm is raised and a log is reported to the server.
Preferably, the method further comprises:
the HOOK driver layer registers a process notification callback with PsSetCreateProcessNotifyRoutine and monitors process creation and exit;
when a process is created, the HOOK driver layer temporarily holds the event and notifies the application program so that it can identify the process; after the application layer finishes processing, the HOOK driver layer releases the event;
when a process exits, the HOOK driver layer captures the message and releases the event directly, notifies the application program for processing, and sends a process exit message to the WFP driver layer.
Preferably, the method further comprises:
in the WFP driver layer, ALE-layer accept and connect events are registered through RegisterCalloutForLayer to handle the connection and reception of network data;
when the WFP driver layer receives a process exit message, it deletes the corresponding entry from trusted state list A according to the exiting process ID;
when the WFP driver layer receives a process exit message or a process-untrusted message, it notifies the NDIS driver layer of the exiting or untrusted process ID, and the NDIS driver layer removes the corresponding entries from trusted packet tuple list B according to that process ID.
According to a second aspect of an embodiment of the present invention, a cross-network access process traffic management system is provided, including:
a server, an application layer, a WFP driver layer and an NDIS driver layer;
the server dynamically issues a policy set to the application layer;
the application layer runs an application program; when the application program receives a process creation event, it identifies whether the process is trusted using the rules in the policy set; if the process is trusted, the process ID and the process trusted state are sent down to notify the WFP driver layer;
when a process initiates a connection or receives data, the WFP driver layer captures the tuple information of the first data packet of the connection and uses the notification information sent by the application layer to make a trust judgment on the first-packet tuple; if the tuple is trusted, the trusted tuple information is passed to the NDIS driver layer;
when a data packet is routed to the NDIS driver layer, the trusted tuple information is used to judge whether the captured packet is trusted; if the packet is trusted, it is passed and forwarded to the proxy server through the VPN tunnel; if the packet is untrusted, it is discarded.
Further, making the trust judgment on the first-packet tuple using the notification information delivered by the application layer includes:
establishing a correspondence between process ID and process trusted state, and maintaining a trusted state list A in the WFP driver layer;
comparing the process ID in the first-packet tuple information with all process IDs in trusted state list A, where the first-packet tuple information includes: source IP address, destination IP address, source port, destination port, process ID and process path;
if the process ID in the first-packet tuple information exists in trusted state list A, the tuple is trusted; otherwise it is untrusted.
Further, judging whether the captured data packet is trusted using the trusted tuple information includes:
incrementally adding trusted tuple information in the NDIS driver layer, and maintaining a trusted packet tuple list B;
comparing the four-tuple information of the captured packet with all trusted tuple information in trusted packet tuple list B;
if the four-tuple of the captured packet exists in trusted packet tuple list B, the packet is trusted; otherwise it is untrusted;
the four-tuple information comprises: source IP address, destination IP address, source port and destination port.
Preferably, if the first-packet tuple is untrusted, the WFP driver layer reports the untrusted tuple information to the application layer; the application layer extracts first untrusted four-tuple information from the untrusted tuple information, builds a correspondence between that four-tuple and the process information, and maintains an untrusted packet four-tuple and process information list C; if a data packet is untrusted, the NDIS driver layer reports second untrusted four-tuple information to the application layer; and the application layer traces the source of the untrusted packet by comparing the second untrusted four-tuple with all first untrusted four-tuples in list C, and if the second untrusted four-tuple equals any of them, raises an interface alarm and reports a log to the server.
Preferably, the system further comprises a HOOK driver layer;
the HOOK driver layer registers a process notification callback with PsSetCreateProcessNotifyRoutine and monitors process creation and exit;
when a process is created, the HOOK driver layer temporarily holds the event and notifies the application program so that it can identify the process; after the application layer finishes processing, the HOOK driver layer releases the event;
when a process exits, the HOOK driver layer captures the message and releases the event directly, notifies the application program for processing, and sends a process exit message to the WFP driver layer.
Preferably, in the WFP driver layer, ALE-layer accept and connect events are registered through RegisterCalloutForLayer to handle the connection and reception of network data; when the WFP driver layer receives a process exit message, it deletes the corresponding entry from trusted state list A according to the exiting process ID; when the WFP driver layer receives a process exit message or a process-untrusted message, it notifies the NDIS driver layer of the exiting or untrusted process ID, and the NDIS driver layer removes the corresponding entries from trusted packet tuple list B according to that process ID.
According to a third aspect of the embodiments of the present invention, a cross-network access process traffic management device is provided, including a processor and a memory;
the memory is configured to store one or more program instructions;
the processor is configured to execute the one or more program instructions to perform the steps of the cross-network access process traffic management method described in any one of the above.
According to a fourth aspect of the embodiments of the present invention, a computer-readable storage medium is provided, on which a computer program is stored that, when executed by a processor, implements the steps of the cross-network access process traffic management method described in any one of the above.
The embodiment of the invention has the following advantages:
the application layer monitors process start and stop and judges whether each process is trusted; the WFP driver layer monitors the establishment and release of all process network connections without filtering; and the NDIS driver layer filters the data packets passing through the virtual network adapter and passes only trusted traffic. By adopting a dynamic trusted-traffic proxy, unsafe traffic can be effectively blocked and attack events against the protected network are reduced. Dynamic policy updating obtains the latest security policy in time and fits well with security emergency response work.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art are briefly described below. It should be apparent that the drawings in the following description are merely exemplary, and that those of ordinary skill in the art can derive other embodiments from the drawings provided without inventive effort.
The structures, ratios, sizes and the like shown in this specification are only used to match the contents disclosed in the specification so that they can be understood and read by those skilled in the art; they are not used to limit the conditions under which the present invention can be implemented and have no technical significance in themselves. Any structural modification, change of ratio or adjustment of size that does not affect the effects and objectives achievable by the present invention should still fall within the scope covered by the technical contents disclosed herein.
Fig. 1 is a schematic diagram of a logical architecture of a cross-network access process traffic management system according to an embodiment of the present invention;
Fig. 2 is a flowchart illustrating a method for cross-network access process traffic management according to an embodiment of the present invention.
Detailed Description
The present invention is described in terms of particular embodiments; other advantages and features of the invention will become apparent to those skilled in the art from the following disclosure. It is to be understood that the described embodiments are merely exemplary and are not intended to limit the invention to the particular embodiments disclosed. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present invention.
The embodiment of the invention aims to dynamically identify and block illegal process traffic from reaching the isolated network through the proxy, and at the same time to have the application layer raise an alarm when untrusted process traffic passes through the proxy.
The embodiment of the invention is implemented within a security and zero-trust solution and is mainly applied to trusted traffic control for Windows office access, with interface alarms and log reporting. The invention mainly applies to client-side traffic proxies on operating systems from Windows Vista onward.
In order to achieve the above object, the functional entities involved in the embodiments of the present invention are first described. A functional entity may be a physical or a logical entity; a single functional entity may serve as an independent device, or several functional entities may serve as one integrated device. The technical solution is not limited in this respect.
Referring to Fig. 1, a system for managing cross-network access process traffic disclosed in an embodiment of the present invention includes: server 1, application layer 2, WFP driver layer 4 and NDIS driver layer 5.
The main functions of these layers are summarized as follows: the application layer monitors process start and stop and judges whether each process is trusted; the WFP driver layer monitors the establishment and release of all process network connections without filtering; the NDIS driver layer filters the data packets passing through the virtual network adapter and passes only trusted traffic; and the application layer captures data packets from the virtual network adapter and forwards them to the proxy server through the physical network adapter.
Further, server 1 dynamically issues a policy set to application layer 2; application layer 2 runs application program 3, and when application program 3 receives a process creation event, it identifies whether the process is trusted using the rules in the policy set; if the process is trusted, the process ID and the process trusted state are sent down to notify WFP driver layer 4; when a process initiates a connection or receives data, WFP driver layer 4 captures the tuple information of the first data packet of the connection and makes a trust judgment on the first-packet tuple using the notification information sent by application layer 2; if the tuple is trusted, the trusted tuple information is passed to NDIS driver layer 5; when a data packet is routed to NDIS driver layer 5, the trusted tuple information is used to judge whether the captured packet is trusted; if the packet is trusted, it is passed and forwarded to the proxy server through the VPN tunnel; if the packet is untrusted, it is discarded.
Referring to Fig. 1, the cross-network access process traffic management system disclosed in the embodiment of the present invention preferably further includes a HOOK driver layer 6. HOOK driver layer 6 registers a process notification callback with PsSetCreateProcessNotifyRoutine and monitors process creation and exit; when a process is created, HOOK driver layer 6 temporarily holds the event and notifies the application program so that it can identify the process, and after application layer 2 finishes processing, HOOK driver layer 6 releases the event; when a process exits, HOOK driver layer 6 captures the message and releases the event directly, notifies application program 3 for processing, and sends a process exit message to WFP driver layer 4.
By adopting a dynamic trusted-traffic proxy, the embodiment of the invention can effectively block unsafe traffic and reduce attack events against the protected network. Dynamic policy updating obtains the latest security policy in time and fits well with security emergency response work.
Corresponding to the cross-network access process traffic management system, the embodiment of the invention also discloses a cross-network access process traffic management method, which is described in detail below with reference to the system above.
Referring to Fig. 2, the method for managing cross-network access process traffic disclosed in an embodiment of the present invention includes: server 1 dynamically issues a policy set to application layer 2; when application program 3 receives a process creation event, it identifies whether the process is trusted using the rules in the policy set; if the process is trusted, the process ID and the process trusted state are sent down to notify WFP driver layer 4; when a process initiates a connection or receives data, WFP driver layer 4 captures the tuple information of the first data packet of the connection and makes a trust judgment on the first-packet tuple using the notification information sent by application layer 2; if the tuple is trusted, the trusted tuple information is passed to NDIS driver layer 5; when a data packet is routed to NDIS driver layer 5, the trusted tuple information is used to judge whether the captured packet is trusted; if the packet is trusted, it is passed and forwarded to the proxy server through the VPN tunnel; if the packet is untrusted, it is discarded.
The application layer monitors process start and stop and judges whether each process is trusted; the WFP driver layer monitors the establishment and release of all process network connections without filtering; and the NDIS driver layer filters the data packets passing through the virtual network adapter and passes only trusted traffic. By adopting a dynamic trusted-traffic proxy, unsafe traffic can be effectively blocked and attack events against the protected network are reduced. Dynamic policy updating obtains the latest security policy in time and fits well with security emergency response work.
Furthermore, in the embodiment of the invention, operation and maintenance personnel compose a trust policy according to the requirements of the scenario and dynamically issue the policy set through the server; the server security policy is therefore specified by the operation and maintenance personnel. A typical scenario is: only certified secure browsers are allowed to access the physically isolated network through the proxy. Policies support both blacklist and whitelist forms, and each policy set contains several rules. Matching is flexible: each rule can be matched by regular expression, and the following comparisons can be made on the process file name, file hash, process signer, process file version, process file modification time, process file MD5 and similar information: full string match, string contained, string not contained, version/timestamp equal, version/timestamp not equal, version/timestamp greater, version/timestamp less. For example, a trust policy may be: A. only "a.exe" process traffic is allowed through the proxy; B. only "a.exe" process traffic with a file version greater than "2.0.10" is allowed through the proxy; C. only "a.exe" process traffic with a file version greater than "2.0.10" and signer "Google LLC" is allowed through the proxy; D. only "a.exe" process traffic with a file version greater than "2.0.10", signer "AAA LLC" and file MD5 "087f6bcd4621d373cade4e832627b4f6" is allowed through the proxy.
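The policy-set evaluation described above, as an added example that is not the patent's own code: the field names, operator names, the allow/deny handling of white and black lists, and the sample process attributes are assumptions; policies A to D are the ones listed in the description. Numeric version comparison is the point to get right, since a lexical comparison would rank "2.0.9" above "2.0.10".

```python
"""Model of the trusted-process policy rules described in the patent (constructed example)."""
from dataclasses import dataclass
from typing import Any, List, Tuple


def version_key(value: str) -> Tuple[int, ...]:
    """Turn "2.0.10" into (2, 0, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in value.split("."))


@dataclass(frozen=True)
class Rule:
    field: str   # assumed field names: name, md5, signer, version, mtime
    op: str      # eq, ne, contains, not_contains, gt, lt
    value: Any


@dataclass(frozen=True)
class PolicySet:
    """All rules must hold; kind is "allow" (whitelist entry) or "deny" (blacklist entry)."""
    kind: str
    rules: Tuple[Rule, ...]


ORDERED_FIELDS = {"version", "mtime"}   # support equal / not equal / greater / less


def rule_matches(rule: Rule, proc: dict) -> bool:
    actual = proc.get(rule.field)
    if actual is None:
        return False   # a process that lacks the attribute never matches the rule
    if rule.field in ORDERED_FIELDS:
        if rule.field == "version":
            a, b = version_key(actual), version_key(rule.value)
        else:
            a, b = actual, rule.value      # modification time as an integer timestamp
        return {"eq": a == b, "ne": a != b, "gt": a > b, "lt": a < b}.get(rule.op, False)
    a, b = str(actual), str(rule.value)
    if rule.field == "md5":
        a, b = a.lower(), b.lower()        # hex digests compare case-insensitively
    return {"eq": a == b, "ne": a != b,
            "contains": b in a, "not_contains": b not in a}.get(rule.op, False)


def policy_matches(ps: PolicySet, proc: dict) -> bool:
    return all(rule_matches(r, proc) for r in ps.rules)


def is_trusted(policy_sets: List[PolicySet], proc: dict) -> bool:
    """Blacklist entries win over whitelist entries; an unmatched process is untrusted (assumed default)."""
    if any(policy_matches(ps, proc) for ps in policy_sets if ps.kind == "deny"):
        return False
    return any(policy_matches(ps, proc) for ps in policy_sets if ps.kind == "allow")


# Policies A to D from the description, expressed as whitelist entries.
POLICY_A = PolicySet("allow", (Rule("name", "eq", "a.exe"),))
POLICY_B = PolicySet("allow", (Rule("name", "eq", "a.exe"), Rule("version", "gt", "2.0.10")))
POLICY_C = PolicySet("allow", POLICY_B.rules + (Rule("signer", "eq", "Google LLC"),))
POLICY_D = PolicySet("allow", POLICY_B.rules + (Rule("signer", "eq", "AAA LLC"),
                                                Rule("md5", "eq", "087f6bcd4621d373cade4e832627b4f6")))

# Constructed process attributes, as the application layer would collect them at process creation.
BROWSER = {"name": "a.exe", "version": "2.1.0", "signer": "Google LLC",
           "md5": "087F6BCD4621D373CADE4E832627B4F6", "mtime": 1700000000}
OLD_BROWSER = dict(BROWSER, version="2.0.9")


if __name__ == "__main__":
    for label, ps in (("A", POLICY_A), ("B", POLICY_B), ("C", POLICY_C), ("D", POLICY_D)):
        print(label, is_trusted([ps], BROWSER), is_trusted([ps], OLD_BROWSER))
```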
Preferably, referring to Fig. 2, the method for managing cross-network access process traffic disclosed in the embodiment of the present invention further includes: HOOK driver layer 6 registers a process notification callback with PsSetCreateProcessNotifyRoutine and monitors process creation and exit. When a process is created, HOOK driver layer 6 temporarily holds the event and notifies application program 3 so that it can identify the process; after application layer 2 finishes processing, HOOK driver layer 6 releases the event. When a process exits, HOOK driver layer 6 captures the message and releases the event directly, notifies application program 3 for processing, and sends a process exit message to WFP driver layer 4.
Specifically, in the embodiment of the present invention, making the trust judgment on the first-packet tuple using the notification information issued by application layer 2 includes: in WFP driver layer 4, establishing a correspondence between process ID and process trusted state and maintaining a trusted state list A; comparing the process ID in the first-packet tuple information with all process IDs in trusted state list A, where the first-packet tuple information comprises: source IP address, destination IP address, source port, destination port, process ID and process path; if the process ID in the first-packet tuple information exists in trusted state list A, the tuple is trusted; otherwise it is untrusted.
Further, in the embodiment of the present invention, judging whether the captured data packet is trusted using the trusted tuple information includes: incrementally adding trusted tuple information in NDIS driver layer 5 and maintaining a trusted packet tuple list B; comparing the four-tuple information of the captured packet with all trusted tuple information in trusted packet tuple list B; if the four-tuple of the captured packet exists in trusted packet tuple list B, the packet is trusted, otherwise it is untrusted; the four-tuple information comprises: source IP address, destination IP address, source port and destination port.
Preferably, the method for managing cross-network access process traffic disclosed in the embodiment of the present invention further includes: if the first-packet tuple is untrusted, WFP driver layer 4 reports the untrusted tuple information to application layer 2; application layer 2 extracts first untrusted four-tuple information from the untrusted tuple information, builds a correspondence between that four-tuple and the process information, and maintains an untrusted packet four-tuple and process information list C; if a data packet is untrusted, NDIS driver layer 5 reports second untrusted four-tuple information to application layer 2; and application layer 2 traces the source of the untrusted packet by comparing the second untrusted four-tuple with all first untrusted four-tuples in list C, and if the second untrusted four-tuple equals any of them, raises an interface alarm and reports a log to server 1.
In the embodiment of the invention, the interface alarm can timely enable the user to know which process flows fail to pass through the agent, thereby reducing the operation and maintenance pressure. Reporting the alarm log can enable an administrator to know the actual running state in time so as to adjust the credible strategy in time.
Preferably, the method for managing cross-network access process traffic disclosed in the embodiment of the present invention further includes: in the WFP drive layer 4, a drive program registers a filter engine callback and adds a sublayer to the WFP drive layer 4, and ALE layer events of an accept and a connect are registered through a register CallcultureForLayer and are used for processing the connection and the receiving of network data; the process of WFP driver layer 4 only needs to process the first data of the link process. When the WFP drive layer 4 receives the process exit message, deleting corresponding information from the trusted state list A according to the exit process ID; when the WFP driver layer 4 receives the process exit message or the process untrusted message, it notifies the NDIS driver layer 5 of the exit process ID or the untrusted process ID, and the NDIS driver layer 5 removes the corresponding information from the trusted data packet tuple list B according to the exit process ID or the untrusted process ID.
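The list handling described above, shown as an added example that is not code from the patent or its assignee: a user-mode C model of the trusted state list A kept by the WFP driver layer, the trusted tuple list B kept by the NDIS driver layer, the untrusted four-tuple and process list C kept by the application layer, and the purge of lists A and B on a process exit or process untrusted notification. The fixed-size arrays, the tagging of list B entries with the owning process ID (assumed here so that entries can be removed by process ID as the text requires), the function names and all sample addresses and paths are assumptions.

```c
/* Added example (not the patent's driver code): a user-mode C model of the
 * three lists the method describes and of the decision each layer makes.
 * List A (WFP driver layer): trusted process IDs. List B (NDIS driver layer):
 * trusted four-tuples. List C (application layer): untrusted four-tuples with
 * the process that produced them. Fixed-size arrays, pid-tagging of list B
 * entries and all sample values are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 64

/* Four-tuple matched by the NDIS driver layer (IPv4 as host-order integers). */
typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
} quad_t;

/* Tuple captured by the WFP driver layer on the first packet of a connection:
 * the four-tuple plus the owning process ID and process path. */
typedef struct {
    quad_t q;
    uint32_t pid;
    char path[128];
} wfp_tuple_t;

static uint32_t list_a[MAX_ENTRIES];                            /* trusted pids */
static int list_a_len;
static struct { quad_t q; uint32_t pid; } list_b[MAX_ENTRIES];  /* trusted tuples */
static int list_b_len;
static wfp_tuple_t list_c[MAX_ENTRIES];                         /* untrusted tuples + process */
static int list_c_len;

static int quad_equal(const quad_t *a, const quad_t *b) {
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port;
}

/* Application layer -> WFP driver layer: a process was identified as trusted. */
void list_a_add(uint32_t pid) {
    if (list_a_len < MAX_ENTRIES) list_a[list_a_len++] = pid;
}

static int list_a_contains(uint32_t pid) {
    for (int i = 0; i < list_a_len; i++)
        if (list_a[i] == pid) return 1;
    return 0;
}

/* WFP driver layer: trusted judgement on the first packet's tuple (claim 2).
 * A trusted tuple is pushed to list B for the NDIS driver layer; an untrusted
 * one is reported upward and recorded in list C. Returns 1 trusted, 0 not. */
int wfp_judge_first_packet(const wfp_tuple_t *t) {
    if (list_a_contains(t->pid)) {
        if (list_b_len < MAX_ENTRIES) {
            list_b[list_b_len].q = t->q;
            list_b[list_b_len].pid = t->pid;
            list_b_len++;
        }
        return 1;
    }
    if (list_c_len < MAX_ENTRIES) list_c[list_c_len++] = *t;
    return 0;
}

/* NDIS driver layer: per-packet decision (claim 3).
 * 1 = release into the VPN tunnel, 0 = drop and report the four-tuple. */
int ndis_packet_trusted(const quad_t *q) {
    for (int i = 0; i < list_b_len; i++)
        if (quad_equal(&list_b[i].q, q)) return 1;
    return 0;
}

/* Application layer: trace a dropped packet's four-tuple back to the process
 * recorded in list C (claim 4). Returns the pid and copies the path, or 0
 * when no entry matches (then no alarm is raised). */
uint32_t app_trace_untrusted(const quad_t *q, char *path_out, size_t path_len) {
    for (int i = 0; i < list_c_len; i++) {
        if (quad_equal(&list_c[i].q, q)) {
            snprintf(path_out, path_len, "%s", list_c[i].path);
            return list_c[i].pid;
        }
    }
    return 0;
}

/* Process exit or process untrusted notification: purge list A (WFP driver
 * layer) and list B (NDIS driver layer) by process ID. */
void on_process_gone(uint32_t pid) {
    int n = 0;
    for (int i = 0; i < list_a_len; i++)
        if (list_a[i] != pid) list_a[n++] = list_a[i];
    list_a_len = n;
    n = 0;
    for (int i = 0; i < list_b_len; i++)
        if (list_b[i].pid != pid) list_b[n++] = list_b[i];
    list_b_len = n;
}

int main(void) {
    list_a_add(1234);  /* constructed: the policy identified pid 1234 as trusted */
    wfp_tuple_t good = { {0x0A000001, 0x0A000002, 50000, 443}, 1234, "C:\\app\\agent.exe" };
    wfp_tuple_t bad  = { {0x0A000001, 0x0A000002, 50001, 443}, 4321, "C:\\tmp\\other.exe" };
    wfp_judge_first_packet(&good);
    wfp_judge_first_packet(&bad);
    char path[128];
    uint32_t pid = app_trace_untrusted(&bad.q, path, sizeof path);
    printf("pid 1234 flow: %s\n", ndis_packet_trusted(&good.q) ? "released" : "dropped");
    printf("dropped flow traced to pid %u (%s)\n", (unsigned)pid, path);
    on_process_gone(1234);
    printf("after exit of 1234: %s\n", ndis_packet_trusted(&good.q) ? "released" : "dropped");
    return 0;
}
```

The NDIS decision deliberately looks only at the four-tuple, as the text states; the process identity is known only at the WFP layer, which is why the exit and untrusted notifications have to carry the process ID down so that list B can be purged.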
In conclusion, the embodiment of the invention can dynamically execute the credible strategy to adjust the incredible flow blocking in time. The matching rule is flexible, and the regular matching can be supported. The method can trace the source of the untrusted traffic passing through the agent and alarm in time to reduce the operation and maintenance pressure. The trusted tuple and the trusted process list can be updated in time, and the operation pressure of the system is reduced. Only ALE layer events of accept and connect are registered, only the first data packet of the link process is processed, and the data traffic received by WFP layer drive is greatly reduced.
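The policy-set evaluation that the application layer performs on a process creation event, including the regular-expression matching the summary mentions, as an added example that is not code from the patent or its assignee. The rule format (exact path or POSIX extended regular expression), the use of the POSIX regex engine in place of whatever matcher the agent uses, the function names and the sample paths are assumptions.

```c
/* Added example (not the patent's code): evaluating a server-issued policy
 * set against the path of a newly created process, as the application layer
 * does on a process creation event. Rule format, the POSIX regex engine and
 * the sample paths are assumptions. */
#include <ctype.h>
#include <regex.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { RULE_EXACT, RULE_REGEX } rule_kind_t;

typedef struct {
    rule_kind_t kind;
    const char *pattern;  /* exact path, or POSIX extended regular expression */
    const char *rule_id;  /* label recorded in the alarm/report log */
} policy_rule_t;

/* Constructed policy set standing in for the set the server issues.
 * Backslashes are doubled once for C and once more for the regex. */
static const policy_rule_t default_rules[] = {
    { RULE_EXACT, "C:\\Program Files\\Corp\\Agent\\agent.exe", "corp-agent" },
    { RULE_REGEX, "^C:\\\\Program Files\\\\Corp\\\\Tools\\\\[A-Za-z0-9_]+\\.exe$", "corp-tools" },
};

/* The active policy set; replaced wholesale when the server issues a new one. */
static const policy_rule_t *active_rules = default_rules;
static size_t active_count = sizeof default_rules / sizeof default_rules[0];

void policy_replace(const policy_rule_t *rules, size_t count) {
    active_rules = rules;
    active_count = count;
}

/* Windows paths are case-insensitive, so exact rules compare ignoring case. */
static int path_equal_icase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Returns the id of the first rule matching the process path, or NULL when
 * no rule matches, in which case the process is untrusted. */
const char *policy_match(const char *process_path) {
    for (size_t i = 0; i < active_count; i++) {
        const policy_rule_t *r = &active_rules[i];
        if (r->kind == RULE_EXACT) {
            if (path_equal_icase(r->pattern, process_path)) return r->rule_id;
            continue;
        }
        regex_t re;
        if (regcomp(&re, r->pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0)
            continue;  /* a malformed rule never grants trust */
        int rc = regexec(&re, process_path, 0, NULL, 0);
        regfree(&re);
        if (rc == 0) return r->rule_id;
    }
    return NULL;
}

/* The decision handed to the WFP driver layer together with the process ID:
 * 1 = trusted (process ID added to list A), 0 = not trusted. */
int process_is_trusted(const char *process_path) {
    return policy_match(process_path) != NULL;
}

int main(void) {
    const char *samples[] = {
        "C:\\Program Files\\Corp\\Agent\\agent.exe",
        "C:\\Program Files\\Corp\\Tools\\scan_1.exe",
        "C:\\Program Files\\Corp\\Tools\\sub\\scan.exe",
        "C:\\Users\\guest\\Downloads\\agent.exe",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *id = policy_match(samples[i]);
        printf("%-48s -> %s\n", samples[i], id ? id : "untrusted");
    }
    return 0;
}
```

Matching is anchored and limited to one path component in the regex rule, so a file in a subdirectory of the allowed folder, or a copy of the trusted binary name elsewhere on disk, does not acquire trust by name alone; the replace function models the server re-issuing the policy set, after which earlier decisions are not grandfathered for new process creations.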
In addition, an embodiment of the present invention further provides a device for managing cross-network access process traffic, the device comprising: a processor and a memory; the memory is configured to store one or more program instructions; the processor is configured to execute the one or more program instructions to perform the steps of the cross-network access process traffic management method described in any of the above.
In addition, an embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the cross-network access process traffic management method described in any of the above are implemented.
In an embodiment of the present invention, the processor may be an integrated circuit chip having signal processing capability. The processor may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Such a processor may implement or perform the various methods, steps and logic blocks disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in connection with the embodiments of the present invention may be executed directly by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software modules may reside in RAM, flash memory, ROM, PROM, EPROM, registers or another storage medium well known in the art. The processor reads the information in the storage medium and completes the steps of the method in combination with its hardware.
The storage medium may be a memory, which may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory.
The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM) or a flash memory.
The volatile memory may be a random access memory (RAM), which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM) and direct Rambus RAM (DRRAM).
The storage media described in connection with the embodiments of the invention are intended to include, without being limited to, these and any other suitable types of memory.
Those skilled in the art will appreciate that the functionality described in the present invention may be implemented in a combination of hardware and software in one or more of the examples described above. When software is used, the corresponding functionality may be stored on or transmitted over a computer-readable medium as one or more instructions or code. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
Although the invention has been described in detail above with reference to a general description and specific examples, it will be apparent to one skilled in the art that modifications or improvements may be made thereto based on the invention. Accordingly, such modifications and improvements are intended to be within the scope of the invention as claimed.

Claims (10)

1. A method for cross-network access process traffic management, the method comprising:
a server dynamically issues a policy set to an application layer;
when an application program receives a process creation event, it uses the rules in the policy set to identify whether the process is trusted; if the process is trusted, the process ID and the process trusted state are issued to notify a WFP driver layer;
when a process initiates a connection or receives data, the WFP driver layer captures tuple information of the first data packet of the connection and performs a trusted judgement on the first data packet tuple using the notification information issued by the application layer; if the data packet tuple is trusted, the WFP driver layer notifies an NDIS driver layer of the trusted data packet tuple information;
when a data packet is routed to the NDIS driver layer, whether the captured data packet is trusted is judged using the trusted data packet tuple information; if the data packet is trusted, the trusted data packet is released and forwarded to a proxy server through a VPN tunnel; if the data packet is not trusted, the untrusted data packet is discarded.
2. The method for cross-network access process traffic management according to claim 1, wherein performing the trusted judgement on the first data packet tuple using the notification information issued by the application layer includes:
in the WFP driver layer, establishing a correspondence between the process ID and the process trusted state and maintaining a trusted state list A;
comparing the process ID in the first data packet tuple information with all process IDs in the trusted state list A, where the first data packet tuple information includes: a source IP address, a destination IP address, a source port, a destination port, a process ID and a process path;
if the process ID in the first data packet tuple information exists in the trusted state list A, the data packet tuple is trusted, otherwise the data packet tuple is not trusted.
3. The method for cross-network access process traffic management according to claim 2, wherein determining whether the captured data packet is trusted using the trusted data packet tuple information comprises:
incrementally adding trusted data packet tuple information in the NDIS driver layer and maintaining a trusted data packet tuple list B;
comparing the four-tuple information of the captured data packet with all trusted data packet tuple information in the trusted data packet tuple list B;
if the four-tuple information of the captured data packet exists in the trusted data packet tuple list B, the data packet is trusted, otherwise the data packet is not trusted;
the four-tuple information comprises: a source IP address, a destination IP address, a source port and a destination port.
4. The method for cross-network access process traffic management according to claim 3, wherein the method further comprises:
if the data packet tuple is not trusted, the WFP driver layer reports the untrusted data packet tuple information to the application layer;
the application layer obtains first untrusted four-tuple information from the untrusted data packet tuple information, establishes a correspondence between the first untrusted four-tuple information and the process information, and maintains an untrusted data packet four-tuple and process information list C;
if the data packet is not trusted, the NDIS driver layer reports second untrusted four-tuple information to the application layer;
the application layer traces the source of the untrusted data packet by comparing the second untrusted four-tuple information with all first untrusted four-tuple information in the untrusted data packet four-tuple and process information list C, and if the second untrusted four-tuple information is the same as any first untrusted four-tuple information, it raises an interface alarm and reports a log to the server.
5. The method for cross-network access process traffic management according to claim 4, the method further comprising:
a HOOK driver layer registers a process notification callback with PsSetCreateProcessNotifyRoutine and monitors process creation and exit;
when a process is created, the HOOK driver layer temporarily intercepts the event and notifies the application program of the event for identification, and after the application layer finishes processing, the HOOK driver layer releases the event;
when a process exits, the HOOK driver layer captures the message and releases the event directly, at the same time notifies the application program of the event for processing, and sends a process exit message to the WFP driver layer.
6. The method for cross-network access process traffic management according to claim 5, the method further comprising:
registering the ALE-layer accept and connect events through RegisterCalloutForLayer in the WFP driver layer, for handling connection establishment and reception of network data;
when the WFP driver layer receives the process exit message, deleting the corresponding information from the trusted state list A according to the exiting process ID;
when the WFP driver layer receives the process exit message or the process untrusted message, notifying the NDIS driver layer of the exiting process ID or the untrusted process ID, whereupon the NDIS driver layer removes the corresponding information from the trusted data packet tuple list B according to the exiting process ID or the untrusted process ID.
7. A cross-network access process traffic management system, the system comprising:
a server, an application layer, a WFP driver layer and an NDIS driver layer;
the server dynamically issues a policy set to the application layer;
the application layer is provided with an application program, and when the application program receives a process creation event, it uses the rules in the policy set to identify whether the process is trusted; if the process is trusted, the process ID and the process trusted state are issued to notify the WFP driver layer;
when a process initiates a connection or receives data, the WFP driver layer captures tuple information of the first data packet of the connection and performs a trusted judgement on the first data packet tuple using the notification information issued by the application layer; if the data packet tuple is trusted, the WFP driver layer notifies the NDIS driver layer of the trusted data packet tuple information;
when a data packet is routed to the NDIS driver layer, whether the captured data packet is trusted is judged using the trusted data packet tuple information; if the data packet is trusted, the trusted data packet is released and forwarded to a proxy server through a VPN tunnel; if the data packet is not trusted, the untrusted data packet is discarded.
8. The cross-network access process traffic management system according to claim 7, further comprising a HOOK driver layer;
the HOOK driver layer registers a process notification callback with PsSetCreateProcessNotifyRoutine and monitors process creation and exit;
when a process is created, the HOOK driver layer temporarily intercepts the event and notifies the application program of the event for identification, and after the application layer finishes processing, the HOOK driver layer releases the event;
when a process exits, the HOOK driver layer captures the message and releases the event directly, at the same time notifies the application program of the event for processing, and sends a process exit message to the WFP driver layer.
9. A cross-network access process traffic management device, the device comprising: a processor and a memory;
the memory is configured to store one or more program instructions;
the processor is configured to execute the one or more program instructions to perform the steps of the method for cross-network access process traffic management according to any one of claims 1 to 6.
10. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the method for cross-network access process traffic management according to any one of claims 1 to 6.
CN202111331194.XA 2021-11-11 2021-11-11 Cross-network access process flow management method, system, equipment and medium Active CN113783897B (en)
Publications (2)

Publication Number Publication Date
CN113783897A (en) 2021-12-10
CN113783897B (en) 2022-06-24
Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN102195972A * | 2011-03-24 | 2011-09-21 | 北京思创银联科技股份有限公司 | Method for intercepting network data by using WFP (Windows Filtering Platform)
CN110266732A * | 2019-07-24 | 2019-09-20 | 北京众谊越泰科技有限公司 | A method for realizing network bottom-layer filtering with a combined WFP + NDIS filter driver
US10637839B2 * | 2012-05-24 | 2020-04-28 | Smart Security Systems Llc | Systems and methods for protecting communications between nodes
CN113297567A * | 2021-02-03 | 2021-08-24 | 阿里巴巴集团控股有限公司 | Network filtering method, device, equipment and system
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant