Disclosure of Invention
Therefore, the invention provides a method for constructing a password-defined network security system, a system architecture and a data forwarding method. They rely on cryptographic technology, manage network equipment globally and uniformly based on entity identifiers, and can apply matching, scenario-based and diversified security policies to different service flows and data flows, thereby ensuring the confidentiality and integrity of communication data and meeting communication security requirements.
According to the design scheme provided by the invention, the method for constructing the password-defined network security system comprises the following steps:
establishing a plurality of entities for describing network facilities and/or network resources, and generating entity attributes corresponding to the entities according to the characteristics of the entities; and allocating an entity identifier for representing identity ID data to each entity;
according to the service data flow, different cipher suites are utilized to group and divide the entities in the network into corresponding control subdomains, the entities in the same key grouping control subdomain establish a credible network link based on entity identification and a security strategy, and a network boundary is defined for each key grouping control subdomain.
In the method for constructing the password-defined network security system, further, the entities comprise at least the following types: user equipment for accessing the network to perform resource access, a repeater used as a security gateway to execute security policies, a controller used as a policy decision point to distribute tunnel policies to the repeaters, a domain manager for registering and managing the repeaters and controllers in the same control domain, a runtime log management system for continuously analyzing and managing the runtime logs of the controllers and repeaters, a continuous trusted management system for continuously monitoring and maintaining the device states of the controllers and repeaters, a key management system for certificate and key management, a security management system for monitoring the running process of the system and making and adjusting tunnel policies, and an identity management system for access control management.
In the method for constructing the password-defined network security system, further, the entity attributes include: an entity type; logical attributes describing the entity name, IP address and certificate; physical attributes describing the hardware configuration and geographic position of the entity; and domain attributes describing the control sub-domain to which the entity belongs.
As the method for constructing the password-defined network security system, further, the entity identifier is encoded by using bytes, wherein the entity identifier encoding comprises: a tunnel type field, a network packet identification field, an entity type field, an entity number field, an affiliated domain manager field, an affiliated controller field, an intra-entity soft device number field, and reserved bytes.
The invention further provides a password-defined network security system architecture, which is realized based on the method and comprises the steps of slicing equipment and resources in a network, dividing the network into a plurality of control sub-domains corresponding to service data streams and isolated through passwords by adopting a password suite, associating related entities in each control sub-domain by utilizing entity identifications, and selecting a data forwarding path based on channel identifications to forward stream data packets.
In the password-defined network security architecture of the invention, further, the devices in the network include but are not limited to: user equipment for a user to access the network and perform resource access, a repeater used as a security gateway to execute security policies, a controller used as a policy decision point to distribute tunnel policies to the repeaters, and a domain manager for registering and managing the repeaters and controllers in the same control domain.
In the password-defined network security architecture of the invention, further, the resources in the network include but are not limited to: a runtime log management system for continuously analyzing and managing the runtime logs of the controllers and repeaters, a continuous trusted management system for continuously monitoring and maintaining the device states of the controllers and repeaters, a key management system for certificate and key management, a security management system for monitoring the running process of the system and making and adjusting tunnel policies, and an identity management system for access control management.
Further, the invention also provides a data forwarding method for a password-defined network security system, implemented based on the above architecture, in which the physical entities and logical entities in the network are associated through entity identifiers. The physical entities comprise: user equipment for a user to access the network and perform resource access, a repeater used as a security gateway to execute security policies, a controller used as a policy decision point to distribute tunnel policies to the repeaters, and a domain manager for registering and managing the repeaters and controllers in the same control domain. The logical entities comprise: a runtime log management system for continuously analyzing and managing the runtime logs of the controllers and repeaters, a continuous trusted management system for continuously monitoring and maintaining the device states of the controllers and repeaters, a key management system for certificate and key management, a security management system for monitoring the running process of the system and making and adjusting tunnel policies, and an identity management system for access control management. The forwarding process comprises the following:
the repeater applies to the controller for a security policy for data forwarding according to a request of the user equipment;
the controller obtains an authentication and authorization decision from the identity management system according to the forwarding request information sent by the repeater, to determine whether the repeaters can establish a tunnel connection, and obtains from the security management system a security policy for creating a password-defined network between the repeaters, wherein the forwarding request information comprises: the five-tuple of the forwarded data, the entity identifiers of the repeater and the user equipment, and the access time;
the repeater establishes a secure channel based on the channel identifier according to the security policy, and encrypts and forwards data packets based on the channel identifier.
In the data forwarding method of the password-defined network security system, the controller accesses the identity management system using the forwarding request information, looks up the entity attributes based on the entity identifier, obtains the security level corresponding to the entity attributes, judges whether the forwarding behavior described by the forwarding request information is legal and meets the security level requirement, and, where the forwarding behavior is legal, authorizes the forwarding according to the security level; the controller accesses the security management system using the forwarding request information and the security level, looks up the communication connection information and the channel identifier based on the entity identifier, and generates a security policy according to the security level, wherein the security policy includes but is not limited to: communication connection information, a channel identifier, a cipher suite, a key exchange algorithm and a key update period.
Data packets in the secure channel traffic carry the channel identifier to distinguish the password-defined networks of the control subdomains, and feedback is performed according to the security policy to maintain the life cycle of the password-defined network.
The invention has the beneficial effects that:
the invention realizes the password definition boundary based on the combination of the modes of entity identification, security strategy and the like, establishes the credible network link, and can form a network in the same key group; network access is protected by an encryption protocol, and confidentiality and integrity of communication contents are guaranteed; channel separation is realized, and different access requests use exclusive encrypted channels, so that the requirements of users on remote, multi-equipment type, multi-scene and mobile access resources can be met; and the identity authentication is carried out before the network accesses the resources, so that the application program resources can be accessed through the network after the authorization is ensured, and an attacker is more difficult to attack; the safety of the equipment is continuously and credibly tracked, the overall safety of a safety system is enhanced, the safety of a channel is guaranteed, and the safety of two ends of the channel is also guaranteed; by dividing physical entities and logical entities in the network and binding entity identifiers, the whole security system is systematized, unified management is facilitated, the requirement of network dynamic change is met based on static and dynamic security strategies, and the method has a good application prospect.
The specific implementation mode is as follows:
in order to make the objects, technical solutions and advantages of the present invention clearer and more obvious, the present invention is further described in detail below with reference to the accompanying drawings and technical solutions.
An embodiment of the present invention, as shown in Fig. 1, provides a method for establishing a password-defined network security architecture, including:
S101, establishing a plurality of entities for describing network facilities and/or network resources, and generating entity attributes corresponding to the entities according to the characteristics of the entities; and allocating an entity identifier for representing identity ID data to each entity;
S102, according to the service data flow, different cipher suites are utilized to group the entities in the network and divide the entities into corresponding control subdomains, the entities in the same key grouping control subdomain establish a trusted network link based on entity identifiers and a security policy, and meanwhile, a network boundary is defined for each key grouping control subdomain.
In this embodiment, to address problems such as network architecture complexity, the breadth of user access and user access speed, a dynamic and flexible password-defined network security system is constructed based on entity identifiers and security policies: control subdomains corresponding to service requirements are divided, and trusted network connections between the entities in a control subdomain are established based on entity identifiers and security policies using different cipher suites. This overcomes the security shortcomings of defense based on a static network boundary in the prior art. Being oriented toward resources and services, with multiple channels separated and channels protected by ciphertext, the scheme significantly strengthens the information security of an enterprise and can meet the demand for higher service agility.
In the method for constructing the password-defined network security architecture in the embodiment of the present invention, further, the entities comprise at least the following types: user equipment for accessing the network to perform resource access, a repeater used as a security gateway to execute security policies, a controller used as a policy decision point to distribute tunnel policies to the repeaters, a domain manager for registering and managing the repeaters and controllers in the same control domain, a runtime log management system for continuously analyzing and managing the runtime logs of the controllers and repeaters, a continuous trusted management system for continuously monitoring and maintaining the device states of the controllers and repeaters, a key management system for certificate and key management, a security management system for monitoring the running process of the system and making and adjusting tunnel policies, and an identity management system for access control management. Further, the entity attributes include: an entity type; logical attributes describing the entity name, IP address and certificate; physical attributes describing the hardware configuration and geographic position of the entity; and domain attributes describing the control sub-domain to which the entity belongs.
Network infrastructure, users, accessed resources, etc. are defined as entities, which are described by a set of entity attributes. Entity attributes are a set of characteristics of an entity. These characteristics may be used alone or in combination to form a unique identity that distinguishes the entity from other entities. The entity attributes that are set include: entity type, logical attributes, physical attributes and domain attributes. The logical attributes of an entity are its name, IP address and certificate; the physical attributes of an entity are its hardware configuration and geographic position; the domain attribute of an entity is the control sub-domain to which the entity belongs. Generally, a password-defined network divides a network into one or more control sub-domains to reduce the attack surface.
The entities in the password-defined network security architecture are as follows. User equipment is the equipment a user uses to access the network and to access resources. The repeaters act as security gateways that execute security policies; encrypted channels are established among the repeaters to protect network traffic cryptographically, ensuring the confidentiality, integrity and authentication of data. The controller acts as a policy decision point: when two repeaters want to establish a secure tunnel, the controller is responsible for distributing tunnel policies to the two repeaters. The domain manager accepts the registration of the repeater and controller devices in the same control domain, generates an entity identifier, a certificate and a certificate of the registered equipment, and issues the entity identifier, the certificate and the certificate to the registered equipment. The runtime log management system continuously receives and manages runtime logs from the controllers and repeaters; analysis of the runtime logs can provide charts of the effect of policy execution, and the runtime log management system forwards the collected runtime logs to the security management system. The continuous trusted management system monitors and maintains the device trustworthiness of the controllers and repeaters, continuously monitors their device security state information, and provides security state reports about the controllers and repeaters to the security management system. The key management system generates and manages certificates and keys. The security management system monitors the running process of the whole security system and makes or revises tunnel policies. The identity management system provides the techniques and business processes for controlling access.
It mainly comprises: identity storage, which stores information related to an entity and describes attributes of the entity's meaningful data, the attributes being used to verify the access rights of a user, with identity verification carried out against these sources; management of the identity life cycle; and access control, which uses multi-factor authentication, where typically a certificate (and its supporting systems) is used to authenticate user and device identities.
As the method for constructing the password-defined network security system in the embodiment of the present invention, further, the entity identifier is encoded by using bytes, where the entity identifier encoding includes: a tunnel type field, a network packet identification field, an entity type field, an entity number field, an affiliated domain manager field, an affiliated controller field, an intra-entity soft device number field, and reserved bytes.
The password-defined network brings entities such as network infrastructure, users and accessed resources under unified management based on entity identifiers. The entity identifier uniquely identifies an entity. Referring to Fig. 2, the entity identifier may be a 16-byte encoded data field, and may include a 1-byte tunnel type, a 2-byte network packet identifier, a 1-byte entity type, a 4-byte entity number, a 1-byte owning domain manager, a 2-byte owning controller, a 1-byte intra-entity soft device number, and 2 bytes of reserved data. In Fig. 2, the entity identifier encoding of a platform system ignores the domain manager, controller and intra-entity soft device number fields; in the encoded representation of an entity, the entity identifier field may be adapted to the actual application by adding or deleting encoding bytes that are not relevant to the entity or by changing the length of the encoding fields.
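A codec for the identifier layout described above, given as an added example and not as code from the patent. The field widths listed for Fig. 2 total 14 bytes, so the example assumes the remaining 2 of the 16 bytes are zero padding; the byte order, the entity type code points, and the strict rejection of ownership fields on platform system identifiers are likewise assumptions of this example.

```python
import struct
from dataclasses import dataclass
from enum import IntEnum

ID_LEN = 16
# Field order and widths as listed for Fig. 2: tunnel type (1), network packet
# identifier (2), entity type (1), entity number (4), domain manager (1),
# controller (2), intra-entity soft device number (1), reserved (2) = 14 bytes.
# Assumptions of this example: big-endian byte order, and the two bytes that
# remain of the 16 are zero padding.
_FIELDS = struct.Struct(">BHBIBHBH")


class EntityType(IntEnum):
    # Hypothetical code points: the page names the entity kinds, not their values.
    USER_EQUIPMENT = 1
    REPEATER = 2
    CONTROLLER = 3
    DOMAIN_MANAGER = 4
    KEY_MANAGEMENT = 5
    SECURITY_MANAGEMENT = 6
    IDENTITY_MANAGEMENT = 7


# Platform systems, whose identifiers ignore the three ownership fields.
PLATFORM_SYSTEMS = frozenset({
    EntityType.KEY_MANAGEMENT,
    EntityType.SECURITY_MANAGEMENT,
    EntityType.IDENTITY_MANAGEMENT,
})


@dataclass(frozen=True)
class EntityId:
    tunnel_type: int
    network_packet_id: int
    entity_type: EntityType
    entity_number: int
    domain_manager: int = 0
    controller: int = 0
    soft_device: int = 0
    reserved: int = 0

    def pack(self) -> bytes:
        """Encode to 16 bytes; struct raises if a value exceeds its field width."""
        body = _FIELDS.pack(
            self.tunnel_type, self.network_packet_id, int(self.entity_type),
            self.entity_number, self.domain_manager, self.controller,
            self.soft_device, self.reserved,
        )
        return body.ljust(ID_LEN, b"\x00")


def parse_entity_id(raw: bytes) -> EntityId:
    """Decode a 16-byte identifier, rejecting anything malformed."""
    if len(raw) != ID_LEN:
        raise ValueError(f"entity identifier must be {ID_LEN} bytes, got {len(raw)}")
    if any(raw[_FIELDS.size:]):
        raise ValueError("non-zero padding after the reserved field")
    tunnel, packet_id, etype, number, dm, ctrl, soft, reserved = _FIELDS.unpack(
        raw[:_FIELDS.size])
    try:
        etype = EntityType(etype)
    except ValueError:
        raise ValueError(f"unknown entity type {etype}") from None
    # Strict reading chosen for this example: ignored fields must be zero.
    if etype in PLATFORM_SYSTEMS and (dm or ctrl or soft):
        raise ValueError("platform system identifier carries ownership fields")
    return EntityId(tunnel, packet_id, etype, number, dm, ctrl, soft, reserved)
```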
Entities such as a repeater, a controller and the like register with a domain manager, the domain manager calls a service interface of an identity management system, the identity management system performs identity authentication on registered equipment, after the authentication is passed, the registered equipment is divided into a plurality of different attributes, a corresponding resource authority is searched through an access control table according to an access control strategy based on the attributes, the registered equipment is authorized, and registered equipment entity identification, a certificate and a certificate are generated. The domain manager issues the entity identification, the certificate and the certificate to the registered equipment to realize the binding of the entity identification, so that the entity is brought into the whole security system for unified management.
According to the service category, the devices in the network are divided into different network groups in a grouping mode based on different cipher suites, the groups are trusted mutually based on identifiers and trusted certificates, and trusted network links can be established mutually, so that the devices in the same key group form a network, the trusted links are established based on the identifiers (based on keys, the trusted certificates and the like), and the network boundary is defined.
Further, based on the implementation of the above method, an embodiment of the present invention further provides a password-defined network security architecture, where devices and resources in a network are sliced, a password suite is adopted to divide the network into a plurality of control sub-domains corresponding to a service data stream and isolated by a password, entity identifiers are used to associate related entities in each control sub-domain, and a data forwarding path is selected based on a channel identifier to forward a stream data packet.
The password-defined network forwards data according to a security policy, which is a set of access rules based on factors such as the allocation to users (devices), networks, resources, and environmental threats. The security policy is dynamic and is strictly enforced when data is forwarded. On the basis of the password-defined network division, the policy establishes trusted links within a network group according to the security policy and confines service communication within the password-defined network boundary. Fig. 3 shows two password-defined networks. To meet requirements such as a high security level, strict management of the key usage period and protocol type filtering for the transmission of internal files between devices in password-defined network 1, a national-secret encryption cipher suite may be used to encrypt file transmission between the devices; the devices in password-defined network 2 encrypt the communication of daily work, for which the security level is low, and an international encryption algorithm suite may be used to encrypt the content of daily work communication. The devices of the two networks may intersect, such as device 1 and device 2 in the figure. Inside a password-defined network, channel separation is implemented, such as A, B and C in password-defined network 1 and a, b and c in password-defined network 2. Dividing the network by defined boundaries facilitates identifier-based security policies, and makes possible both grouped management of policies and policy-based channel separation management. A device in the figure can be a security gateway or a host on which a security agent program is installed.
According to the above two schematic diagrams of the password-defined network, the password-defined network can also be divided by using other password suites in practical application, so as to meet the functional requirements of different service types.
The generation of security policies involves authentication of identities, auditing of resources, access to resources, connectivity of networks, evaluation of threats and security events, and many other factors. A security policy is made or revised by an administrator through the security management system, or is generated automatically. For example, the runtime log management system analyzes runtime program exception reports, network traffic logs, tunnel policy execution logs, abnormal network behavior or network security events, finds an abnormal event and reports it to the security management system, and the security management system generates a security policy according to a preset algorithm. As another example, the continuous trusted management system monitors the security configuration state and security monitoring logs of the entities in the password-defined network security system, for example whether an entity runs the correct operating system and applications and whether it runs under the correct configuration, and provides a security configuration state report of the entity to the security management system, and the security management system generates a security policy according to a preset algorithm.
Further, based on the above architecture, an embodiment of the present invention also provides a data forwarding method for a password-defined network security system, in which the physical entities and logical entities in the network are associated through entity identifiers. The physical entities comprise: user equipment for a user to access the network and perform resource access, a repeater used as a security gateway to execute security policies, a controller used as a policy decision point to distribute tunnel policies to the repeaters, and a domain manager for registering and managing the repeaters and controllers in the same control domain. The logical entities comprise: a runtime log management system for continuously analyzing and managing the runtime logs of the controllers and repeaters, a continuous trusted management system for continuously monitoring and maintaining the device states of the controllers and repeaters, a key management system for certificate and key management, a security management system for monitoring the running process of the system and making and adjusting tunnel policies, and an identity management system for access control management. The forwarding process comprises the following:
the repeater applies to the controller for a security policy for data forwarding according to a request of the user equipment;
the controller obtains an authentication and authorization decision from the identity management system according to the forwarding request information sent by the repeater, to determine whether the repeaters can establish a tunnel connection, and obtains from the security management system a security policy for creating a password-defined network between the repeaters, wherein the forwarding request information comprises: the five-tuple of the forwarded data, the entity identifiers of the repeater and the user equipment, and the access time;
the repeater establishes a secure channel based on the channel identifier according to the security policy, and encrypts and forwards data packets based on the channel identifier.
When the repeater forwards data, it applies to the controller for a security policy for forwarding the data. The controller takes the five-tuple information of the forwarded data, the entity identifier of the repeater, the entity identifier of the user equipment and other information as input, and its decision bases come from the security management system and the identity management system respectively. The controller determines whether a tunnel connection can be established between the repeaters according to the authentication and authorization decisions of the identity management system; the controller manages the establishment of the password-defined network between the repeaters according to the security policy issued by the security management system. The controller is normally online and maintains service connections with these systems through specific interfaces.
In the data forwarding method of the password-defined network security system in the embodiment of the present invention, further, the controller accesses the identity management system using the forwarding request information, looks up the entity attributes based on the entity identifier, obtains the security level corresponding to the entity attributes, judges whether the forwarding behavior described by the forwarding request information is legal and meets the security level requirement, and, where the forwarding behavior is legal, authorizes the forwarding according to the security level; the controller accesses the security management system using the forwarding request information and the security level, looks up the communication connection information and the channel identifier based on the entity identifier, and generates a security policy according to the security level, wherein the security policy includes but is not limited to: communication connection information, a channel identifier, a cipher suite, a key exchange algorithm and a key update period. Further, data packets in the secure channel traffic carry the channel identifier to distinguish the password-defined networks of the control subdomains, and feedback is performed according to the security policy to maintain the life cycle of the password-defined network.
The controller accesses the identity management system using the five-tuple information of the forwarded data, the access time, the repeater entity identifier, the user equipment entity identifier and other information. The identity management system looks up the identity information stored in the system based on the identifiers, such as the deployed geographic position and the role, gives the security level corresponding to each attribute, obtains the final security level by taking the intersection of the security levels corresponding to all the attributes, and judges the legality and the security level requirements of the data access behavior according to a preset access control algorithm. If the behavior is not legal, a forwarding prohibition policy is issued; if it is legal, the issuing of a security policy is allowed according to the security level authorization. The controller then accesses the security management system using the five-tuple information of the forwarded data, the repeater entity identifier, the user equipment entity identifier, the access security level and the like. The security management system searches the stored security policy information according to this input to obtain the network communication connection information and the encrypted channel identifier, then generates parameters such as the corresponding cipher suite, key exchange algorithm and key update period according to the security level, and finally assembles the parameters into the security policy to be issued and issues it to the controller.
The controller issues the received security policies to each of the repeaters that need to establish communication. The repeaters parse the content of the security policy and establish a secure network channel based on the channel identifier. Data packets in the channel traffic carry the channel identifier, which is used to distinguish different password-defined networks; data packets are encrypted and forwarded based on the channel identifier, and the life cycle of the network is maintained based on the channel identifier.
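The decision flow just described, from forwarding request to issued security policy, as an added sketch that is not code from the patent. All tables, identifiers and addresses are constructed; the example assumes each attribute value maps to a set of permitted levels, that the level passed to the security management step is the one the destination requires, and uses real TLS 1.3 suite names only as sample choices for a national-secret and an international suite.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

# Constructed sample data standing in for the identity management system.
ENTITY_ATTRS = {
    "repeater-01": {"role": "gateway", "location": "datacenter"},
    "ue-alice": {"role": "engineer", "location": "hq"},
    "ue-bob": {"role": "engineer", "location": "remote"},
}
# Security levels each attribute value is cleared for (3 = highest).
LEVELS_FOR_ATTR = {
    ("role", "gateway"): {1, 2, 3},
    ("role", "engineer"): {1, 2, 3},
    ("location", "datacenter"): {1, 2, 3},
    ("location", "hq"): {1, 2, 3},
    ("location", "remote"): {1, 2},
}
# Level a destination (ip, port, protocol) requires, and the permitted hours.
REQUIRED_LEVEL = {("10.0.1.10", 443, "tcp"): 3, ("10.0.2.20", 8080, "tcp"): 1}
ACCESS_HOURS = (time(8, 0), time(20, 0))

# Constructed sample data standing in for the security management system.
CHANNELS = {  # (repeater, destination ip) -> (peer repeater address, channel id)
    ("repeater-01", "10.0.1.10"): ("192.0.2.11", 0xA1),
    ("repeater-01", "10.0.2.20"): ("192.0.2.12", 0xB1),
}
CRYPTO_BY_LEVEL = {  # level -> (cipher suite, key exchange, key update period in s)
    3: ("TLS_SM4_GCM_SM3", "curveSM2", 600),
    2: ("TLS_AES_256_GCM_SHA384", "x25519", 3600),
    1: ("TLS_AES_128_GCM_SHA256", "x25519", 86400),
}


@dataclass(frozen=True)
class ForwardingRequest:
    five_tuple: Tuple[str, int, str, int, str]  # src ip, src port, dst ip, dst port, proto
    repeater_id: str
    ue_id: str
    access_time: time


@dataclass(frozen=True)
class SecurityPolicy:
    action: str  # "permit" or "forbid"
    level: int = 0
    peer: Optional[str] = None
    channel_id: Optional[int] = None
    cipher_suite: Optional[str] = None
    key_exchange: Optional[str] = None
    key_update_seconds: Optional[int] = None


FORBID = SecurityPolicy("forbid")


def authorize(req: ForwardingRequest) -> int:
    """Identity management step: return the authorized level, or 0 if not legal."""
    allowed = None
    for entity in (req.repeater_id, req.ue_id):
        attrs = ENTITY_ATTRS.get(entity)
        if attrs is None:  # unregistered entity identifier
            return 0
        for item in attrs.items():
            levels = LEVELS_FOR_ATTR.get(item, set())
            allowed = set(levels) if allowed is None else allowed & levels
    if not allowed:  # the intersection of the attribute levels is empty
        return 0
    if not ACCESS_HOURS[0] <= req.access_time <= ACCESS_HOURS[1]:
        return 0
    _, _, dst_ip, dst_port, proto = req.five_tuple
    required = REQUIRED_LEVEL.get((dst_ip, dst_port, proto))
    if required is None or max(allowed) < required:
        return 0
    return required


def decide(req: ForwardingRequest) -> SecurityPolicy:
    """Controller: authorize first, then assemble the policy for the repeaters."""
    level = authorize(req)
    if level == 0:
        return FORBID
    link = CHANNELS.get((req.repeater_id, req.five_tuple[2]))
    if link is None:  # no stored connection information for this path
        return FORBID
    peer, channel_id = link
    suite, key_exchange, period = CRYPTO_BY_LEVEL[level]
    return SecurityPolicy("permit", level, peer, channel_id, suite, key_exchange, period)
```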
The password-defined network security architecture is a closed-loop system that connects each physical entity and logical entity in the system through entity identifiers. The repeater physical entities execute the security policy among themselves and, after establishing data transmission channel logical entities that meet the various service requirements based on channel identifiers, report feedback that the security policy was executed successfully, so that the controller physical entity and the security management system physical entity can carry out life cycle management of the defined network.
The deployment of the security system of this scheme is further explained below with reference to Fig. 4, in which the dotted lines are registration signaling links, the thick lines are control signaling links and the thin lines are data links. Different links use different identifiers, and the scheme is an embodiment of channel separation based on different services and different cipher suites. The security system comprises the following components: a security agent on the user device, application resources, a repeater in front of the network location of the application resources, a controller, an identity management system, a key management system, a security management system, and a security system continuous monitoring platform. The workflow of the deployed security architecture may be described as follows:
the administrator applies the user name of the security agent and the serial number of the security agent software from the identity management system and assigns the user name and the serial number to the security agent software. The user installs the security agent on the user device and configures the security agent. The security broker and domain manager perform TLS handshake since there is no certificate yet, authentication relies on custom extension fields in TLS. And attaching a user name and a security agent program serial number in the custom extension field, and carrying the user name and the security agent program serial number by the domain manager to access an authentication interface of the identity management system to perform double-factor identity authentication so as to achieve the purposes of authentication and key exchange and generate a session key and a session channel identifier used during registration. The method is equivalent to establishing a ciphertext registration channel between the security agent program and the domain manager, ensuring the confidentiality and the integrity of a registration signaling, and realizing the separation of the registration channel from a control channel and a data channel which will be described below by distinguishing based on identifiers and using different cipher suites.
The user enters the pre-assigned user name and a self-chosen password, and the user equipment registers with the domain manager through the security agent. Device system information, device network information, the user name, the password and the like are provided during registration in order to obtain an entity identifier, a certificate and a credential. The domain manager calls an interface of the identity management system and uploads the registration information of the user equipment; once the identity management system has authenticated it, the registration information is stored and an entity identifier is issued for the user equipment. The domain manager then requests the certificate and the credential by calling the service of the key management system and obtains the certificate and credential issued to the registering equipment. Finally, it replies to the registration request of the equipment and issues the entity identifier, the certificate and the credential. After this registration is completed, the controller and the repeater also need to register with the domain manager to acquire their entity identifiers; the processes are similar and are not repeated here.
The security management system orchestrates the policy and sends a policy rule set to the controller. The policy set contains a cipher suite, which is generated by the security management system calling a service interface of the key management system. The controller issues one or more security policies to the repeater; these allow the user equipment to access one application resource or a group of application resources, but not the other application resources behind the repeater. Different security policies contain different channel identifiers, which are used to identify the different policies, and the system performs life-cycle management of the security policies, the established channels and the like according to the channel identifiers. This is the core embodiment of the password-defined network.
The user equipment logs in to the controller through the security agent; the login information comprises the user name, the entity identifier and the like, and is cryptographically protected by a pre-shared key in the credential. The controller calls an interface of the security management system and uploads the user's access request information. The security management system calls the service interface of the identity management system and, after authentication passes, authorizes the controller to issue a security connection policy to the user equipment.
After the user equipment receives the security connection policy, a TLS handshake is executed between the security agent of the user equipment and the repeater. The handshake is initiated by the security agent, and the repeater establishes as many TLS sessions as the number of security policies it has received. Mutual certificate authentication is carried out during each session and a session key is finally obtained, so that one or more encrypted channels are established between the security agent and the repeater. The channels are marked by different channel identifiers, which separates the encrypted channels by service flow and establishes a trust link between the accessor and the resource. The list of application resources that the user may access is carried as extension information in TLS and is sent after the TLS handshake phase; because it is sent as ciphertext, leakage of the application resource list is prevented. The security agent creates a virtual network card on the user equipment, adds routing table entries according to the application resource list acquired when the TLS session was established, and routes the user's access traffic for the application resources to the virtual network card. The security agent then captures network data packets from the virtual network card, determines the encryption path according to the destination network address, adds the encrypted channel identifier to the data packet, and encrypts and transmits the data packet. After receiving the encrypted traffic, the repeater selects the key and algorithm for decryption according to the encrypted channel identifier in the data packet, and then forwards the traffic to the application resource behind it.
The packet processing flow from the application resource to the security agent is similar. The security agent also has a device state monitoring function: when it detects that the device is abnormal, it reports to the security management system, and the security management system reports the event to the security system monitoring platform. The monitoring platform consists of the continuous trust management system and the runtime log management system and collects device trust reports and operation log records at run time. The platform makes a decision according to the event and the operation log records, and the security management system dynamically issues an emergency policy to the repeater according to the decision result. The repeater retrieves its channel record and, according to the channel identifier contained in the policy, closes the corresponding encrypted channel between itself and the security agent. The repeater also traverses its local life-cycle records of the security policies by channel identifier; when it finds that a policy has expired, it actively disconnects the encrypted channel corresponding to that policy without affecting the normal operation of the other channels, which shows the advantage of channel separation.
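The repeater-side channel handling described above (key and algorithm selected by the channel identifier in each packet, one channel closed on policy expiry without disturbing the others), as an added Go example that is not part of the original text. The packet layout (4-byte channel identifier, 12-byte nonce, AES-GCM ciphertext), the names Channel, Table, NewAEAD, Seal and Open, and the use of the AES key length to stand in for different cipher suites are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Channel is one encrypted channel from one security policy (assumed layout).
type Channel struct {
	AEAD    cipher.AEAD // key and algorithm negotiated for this channel
	Expires int64       // end of the policy life cycle, Unix seconds
}
type Table map[uint32]Channel // the repeater's channel record, keyed by channel identifier

// NewAEAD builds AES-GCM; the key length (16 or 32 bytes) stands in for the cipher suite.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal emits id(4) || nonce(12) || ciphertext; the id is authenticated as associated data.
func Seal(a cipher.AEAD, id uint32, msg []byte) []byte {
	pkt := binary.BigEndian.AppendUint32(make([]byte, 0, 16), id)
	rand.Read(pkt[4:16]) // random 96-bit nonce, stored right after the id
	return a.Seal(pkt[:16], pkt[4:16], msg, pkt[:4])
}

// Open selects key and algorithm by the packet's channel identifier, as the repeater does.
func (t Table) Open(pkt []byte, now int64) ([]byte, error) {
	if len(pkt) < 16 {
		return nil, fmt.Errorf("short packet")
	}
	id := binary.BigEndian.Uint32(pkt)
	if ch, ok := t[id]; ok && now < ch.Expires {
		return ch.AEAD.Open(nil, pkt[4:16], pkt[16:], pkt[:4])
	}
	delete(t, id) // expired policy: close this channel only, others stay up
	return nil, fmt.Errorf("no live channel %d", id)
}

func main() {
	a, _ := NewAEAD(make([]byte, 16)) // constructed all-zero demo key
	fmt.Println(Table{7: {a, 200}}.Open(Seal(a, 7, []byte("hi")), 100))
}
```

An emergency policy that names a channel identifier maps to delete(table, id) on the same record; packets arriving afterwards with that identifier are rejected in Open.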
The repeater monitors the access context behavior of the user equipment and reports to the security management system when the behavior is abnormal, whereupon the security management system dynamically adjusts the security policy.
Compared with traditional applications, which have their own internal identity and certificate storage, this scheme reduces the software security vulnerabilities that can be exploited, integrates with the centralized identity management and life-cycle processes of the enterprise, avoids islands, and avoids missing the life-cycle events of staff who move or leave, which would otherwise leave their accounts in an active state. Deployment is based on identifiers and security policies, and network access to an application can be protected by an encryption protocol, which guarantees the confidentiality and integrity of the communication content. Channel separation is achieved: different access requests use dedicated encrypted channels, and isolation boundaries are defined cryptographically, which is the embodiment of the password-defined network. Before accessing an application resource, the user must pass identity authentication, and the resource can be reached over the network only after authorization, which makes attacks more difficult. The scheme meets the user's need to access application resources remotely and while mobile, and meets the application requirements of a dynamically changing network.
Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.
Based on the foregoing method and/or system, an embodiment of the present invention further provides a server, including: one or more processors; a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method described above.
Based on the above method and/or system, the embodiment of the invention further provides a computer readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the above method.
In all examples shown and described herein, any particular value should be construed as merely exemplary and not as a limitation; other examples of the exemplary embodiments may therefore have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
Finally, it should be noted that the above-mentioned embodiments are only specific embodiments of the present invention, used to illustrate its technical solutions and not to limit them, and the protection scope of the present invention is not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art can, within the technical scope of the present disclosure, modify the technical solutions described in the foregoing embodiments, readily conceive of changes to them, or make equivalent substitutions for some of their technical features. Such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention and should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.