CN114390049A - Application data acquisition method and device - Google Patents


Info

Publication number
CN114390049A
Authority
CN
China
Prior art keywords
equipment
accessed
cloud platform
client
external network
Prior art date
Legal status
Pending
Application number
CN202111631800.XA
Other languages
Chinese (zh)
Inventor
宋飞斌
许诗豪
陈林栋
孙亮
陈乐莹
洪峰
陈剑浩
李易
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date
Filing date
Publication date
Application filed by China Telecom Corp Ltd
Priority to CN202111631800.XA
Publication of CN114390049A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/256 NAT traversal
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The invention discloses an application data acquisition method and device. The method comprises: a cloud platform obtains a first request sent by a client, the first request comprising the unique identifier of the device to be accessed; the cloud platform determines the extranet address of the device to be accessed in an extranet address record according to that unique identifier, the extranet address record storing the extranet addresses of all device ends, each of which the cloud platform obtained by analyzing the login request sent by that device end; the cloud platform takes the extranet address as a first response corresponding to the first request and feeds the first response back to the client; and the first response is used to instruct the client to connect to the device to be accessed according to the extranet address, so as to acquire the application data from the device to be accessed. By converting the intranet address into the extranet address, the client can acquire application data directly from the device to be accessed, the cloud platform does not need to provide a public network port, the risk that the cloud platform is abnormally intruded or abnormally exploited by a hacker is reduced, and the security of the cloud platform is improved.

Description

Application data acquisition method and device
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for acquiring application data.
Background
With the development of video monitoring technology, the GB28181 protocol ("Technical requirements for information transport, switch and control in video surveillance network system for public security") is becoming widespread, and the protocol is adopted by the device side, the client side, and the cloud platform alike.
In the prior art, a client acquires data through the GB28181 protocol. Specifically, the cloud platform opens public network ports and connects through them to the device ends and to the clients; application data such as video collected by each device end is received and stored on the cloud platform, and the client obtains that application data from the cloud platform through the GB28181 protocol.
However, as GB28181 over the Internet spreads, meeting the requirement that every device end and client using GB28181 can interact with the cloud platform means opening a large number of public network ports on the cloud platform. This exposes the cloud platform to a certain level of risk and makes it likely that the public network ports are abnormally intruded or abnormally exploited by a hacker.
Disclosure of Invention
The embodiment of the invention provides an application data acquisition method and device, which are used for realizing.
In a first aspect, an embodiment of the present invention provides an application data acquiring method, including:
the method comprises the steps that a cloud platform obtains a first request sent by a client; the first request comprises a unique identification of the device to be accessed;
the cloud platform determines the extranet address of the device to be accessed in an extranet address record according to the unique identifier of the device to be accessed; the extranet address record stores the extranet addresses of all device ends; the extranet address of each device end is obtained by the cloud platform by analyzing the login request sent by that device end;
the cloud platform takes the external network address as a first response corresponding to the first request, and feeds the first response back to the client; and the first response is used for indicating the client to be connected with the equipment to be accessed according to the external network address so as to acquire the application data from the equipment to be accessed.
According to the technical scheme, the internal network address of the equipment to be accessed is converted into the external network address of the equipment to be accessed, so that the client can directly acquire the application data from the equipment to be accessed, a public network port does not need to be provided by the cloud platform, the risk of abnormal invasion or abnormal utilization by hackers of the cloud platform is reduced, and the safety of the cloud platform is improved. And a communication form of P2P is formed between the client and the device to be accessed, that is, no intermediate forwarding is required by the cloud platform, so that the data transmission pressure of the cloud platform is reduced, the delay of application data transmission is reduced, and the real-time performance of application data transmission is improved.
Optionally, obtaining the extranet address of each device end by the cloud platform analyzing the login request sent by that device end includes:
for any device end, the cloud platform acquires a login request sent by the device end; the login request comprises the intranet address of the device end;
the cloud platform performs NAT traversal on the source address of the login request by means of a preset protocol service and resolves the extranet address of the device end; the source address of the login request is the device end's intranet address as mapped by the gateway.
In this technical scheme, the extranet address of the device end is obtained through NAT traversal and sent to the client, so that the client connects to the device end via that extranet address. A P2P communication form is thereby established between the client and the device to be accessed, the cloud platform is not needed for intermediate forwarding, the data transmission pressure on the cloud platform is reduced, the delay of application data transmission is reduced, and the real-time performance of application data transmission is improved.
Optionally, the step of using, by the cloud platform, the extranet address as a first response corresponding to the first request includes:
the cloud platform generates first verification information according to the access information and the random number in the first request;
the cloud platform generates a first response containing the extranet address and the first verification information;
after feeding back the first response to the client, the method further includes:
the cloud platform receives a second request sent by the device to be accessed, wherein the second request comprises second verification information; the second verification information is carried in a connection request sent by the client to the equipment to be accessed;
the cloud platform verifies the second verification information according to the first verification information and sends a second response to the equipment to be accessed; the second response is used for indicating whether the equipment to be accessed establishes connection with the client.
According to the technical scheme, before the client is connected with the equipment side, the cloud platform verifies the client, so that malicious clients are prevented from acquiring application data, and the data acquisition safety is improved.
Optionally, the generating, by the cloud platform, first verification information according to the access information and the random number in the first request includes:
the cloud platform performs a hash operation over the account and password of the client, the unique identifier of the device to be accessed, the communication number, the data stream type, the access timestamp and the random number to obtain the first verification information, and stores the correspondence among the first verification information, the identifier of the client and the unique identifier of the device to be accessed in an authority record; each correspondence in the authority record is valid only for a set duration.
In this technical scheme, giving each correspondence a validity of set duration improves the security of data acquisition.
Optionally, the method further includes:
if the cloud platform cannot determine the extranet address of the device to be accessed in the extranet address record according to the unique identifier of the device to be accessed,
and the cloud platform acquires application data from the equipment to be accessed according to the unique identifier of the equipment to be accessed and uploads the application data to the client.
Optionally, the acquiring, by the cloud platform, application data from the device to be accessed according to the unique identifier of the device to be accessed, and uploading the application data to the client includes:
the cloud platform carries out authority verification on the client according to the account and the password of the client;
after the cloud platform determines that the authority verification of the client passes, a public network port is opened;
and the cloud platform acquires application data from the equipment to be accessed through the public network port and uploads the application data to the client.
In the technical scheme, if it is determined that the client cannot acquire the application data from the device side, the application data can be uploaded to the client through the cloud platform, so that the flexibility of the client in acquiring the application data is improved.
Optionally, the method further includes:
and the cloud platform closes the public network port after determining that the client access is finished.
According to the technical scheme, after the client access is determined to be finished, the public network port is closed, the risk that the cloud platform is abnormally invaded or abnormally utilized by a hacker due to the public network port is prevented, and the safety of the cloud platform is improved.
In a second aspect, an embodiment of the present invention provides an application data acquiring apparatus, including:
the acquisition module is used for acquiring a first request sent by a client; the first request comprises a unique identification of the device to be accessed;
the processing module is used for determining the extranet address of the device to be accessed in the extranet address record according to the unique identifier of the device to be accessed; the extranet address record stores the extranet addresses of all device ends; the extranet address of each device end is obtained by the cloud platform by analyzing the login request sent by that device end;
taking the external network address as a first response corresponding to the first request, and feeding back the first response to the client; and the first response is used for indicating the client to be connected with the equipment to be accessed according to the external network address so as to acquire the application data from the equipment to be accessed.
Optionally, the processing module is specifically configured to:
for any device end, acquiring a login request sent by the device end; the login request comprises the intranet address of the device end;
performing NAT traversal on the source address of the login request by means of a preset protocol service and resolving the extranet address of the device end; the source address of the login request is the device end's intranet address as mapped by the gateway.
Optionally, the processing module is specifically configured to:
generating first verification information according to the access information and the random number in the first request;
generating a first response comprising the extranet address and the first verification information;
after the first response is fed back to the client, receiving a second request sent by the device to be accessed, wherein the second request comprises second verification information; the second verification information is carried in a connection request sent by the client to the equipment to be accessed;
verifying the second verification information according to the first verification information, and sending a second response to the equipment to be accessed; the second response is used for indicating whether the equipment to be accessed establishes connection with the client.
Optionally, the processing module is specifically configured to:
performing a hash operation over the account and password of the client, the unique identifier of the device to be accessed, the communication number, the data stream type, the access timestamp and the random number to obtain the first verification information, and storing the correspondence among the first verification information, the identifier of the client and the unique identifier of the device to be accessed in an authority record; each correspondence in the authority record is valid only for a set duration.
Optionally, the processing module is further configured to:
if the extranet address of the device to be accessed cannot be determined in the extranet address record according to the unique identifier of the device to be accessed,
and acquiring application data from the equipment to be accessed according to the unique identifier of the equipment to be accessed, and uploading the application data to the client.
Optionally, the processing module is specifically configured to:
performing authority verification on the client according to the account and the password of the client;
after the permission of the client is confirmed to pass verification, opening a public network port;
and acquiring application data from the equipment to be accessed through the public network port, and uploading the application data to the client.
Optionally, the processing module is further configured to:
and after the client access is determined to be finished, closing the public network port.
In a third aspect, an embodiment of the present invention further provides a computer device, including:
a memory for storing program instructions;
and the processor is used for calling the program instructions stored in the memory and executing the application data acquisition method according to the obtained program.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, where computer-executable instructions are stored, and the computer-executable instructions are configured to enable a computer to execute the above application data obtaining method.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic diagram of application data acquisition in the prior art, as presented in an embodiment of the present invention;
FIG. 2 is a system architecture diagram according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of an application data obtaining method according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of an application data obtaining method according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an application data acquiring apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The following explains the possible embodiments of the present invention, and the explanation is as follows.
UDP (User Datagram Protocol) mode: the server listens on a UDP port and notifies the device end through INVITE signaling, instructing the device end to actively initiate streaming to the server end; the server can be any client or the cloud platform.
TCP (Transmission Control Protocol) mode: the server listens on a TCP port and notifies the device end through INVITE signaling, so that either the server end actively pulls the stream from the device end, or the device end actively initiates streaming to the server end.
NAT (Network Address Translation) is used to alleviate the shortage of IP (Internet Protocol) addresses, to fend off attacks from outside the network, and to hide and protect the computers inside the network. In a real Internet environment most hosts sit behind firewalls or NATs. If two hosts are to communicate directly, i.e. P2P communication without relaying through another public server, a test is typically made to determine whether, and how, P2P communication can be established between them; this technique is commonly referred to as NAT traversal.
In the prior art, clients and devices are generally connected to the cloud platform in UDP mode or TCP mode. To better illustrate the technical solution of the present invention, fig. 1 is a schematic diagram of application data acquisition in the prior art, shown by way of example in an embodiment of the present invention. As shown in fig. 1, the cloud platform is connected separately to the client and to the device. Specifically, the cloud platform opens TCP ports and UDP ports, generally at least 10000 TCP ports and 10000 UDP ports, 20000 public network ports in total, and connects to the client and the device end through these TCP and UDP ports. The cloud platform can be a GB28181 platform in the cloud; signaling streams and application data streams, such as video streams, are transmitted between the cloud platform and the client, and signaling streams and application data streams are transmitted between the cloud platform and the device end. It should be noted that there is no connection between the client and the device.
Because the cloud platform is provided with a large number of public network ports, certain risk hidden dangers exist in the cloud platform, and the disadvantage that the public network ports are abnormally invaded or abnormally utilized by hackers is easily caused. Therefore, an application data obtaining method is needed to reduce the risk of abnormal intrusion or abnormal utilization by hackers on the cloud platform and improve the security of the cloud platform.
Fig. 2 illustrates an exemplary system architecture applicable to the embodiment of the present invention, which includes a client 210, a cloud platform 220, and a device 230.
The client 210 is configured to send the unique identifier of the device to be accessed to the cloud platform 220, so as to instruct the cloud platform 220 to feed back the extranet address of the device to be accessed; the client then connects to the device to be accessed using the fed-back extranet address and obtains the application data from it.
The cloud platform 220 is configured to obtain the login request sent by the device end 230, perform NAT traversal on the source address of the login request by means of a preset protocol service, resolve the extranet address of the device end, and record the extranet address of the device end 230 in the extranet address record. After acquiring the first request sent by the client 210, which includes the unique identifier of the device to be accessed, the cloud platform determines the extranet address of the device to be accessed in the extranet address record according to that unique identifier and feeds it back to the client 210. The number of device ends 230 is not limited herein; the device to be accessed is any one of the device ends 230.
The device end 230 is configured to obtain an external network address after gateway mapping based on the internal network address of the device end, and send a login request to the cloud platform 220 according to the external network address.
It should be noted that the structure shown in fig. 2 is only an example, and the embodiment of the present invention is not limited thereto.
Based on the above description, fig. 3 exemplarily illustrates a flowchart of an application data acquiring method according to an embodiment of the present invention, where the flowchart may be executed by an application data acquiring apparatus.
As shown in fig. 3, the process specifically includes:
in step 310, the cloud platform obtains a first request sent by the client.
In an embodiment of the present invention, the first request includes a unique identifier of the device to be accessed.
And step 320, the cloud platform determines the external network address of the device to be accessed in the external network address record according to the unique identifier of the device to be accessed.
In the embodiment of the invention, the extranet address of each device end is recorded in the extranet address record; the extranet address of each device end is obtained by the cloud platform by analyzing the login request sent by that device end.
Step 330, the cloud platform uses the external network address as a first response corresponding to the first request, and feeds back the first response to the client.
In the embodiment of the present invention, the first response is used to instruct the client to connect to the device to be accessed according to the extranet address, so as to obtain application data from the device to be accessed.
In step 320, the extranet address of each device end in the cloud platform's extranet address record is obtained by analysis when that device end requests login. Specifically, for any device end, the cloud platform acquires the login request sent by the device end; the login request comprises the intranet address of the device end; the cloud platform performs NAT traversal on the source address of the login request by means of a preset protocol service and resolves the extranet address of the device end; the source address of the login request is the device end's intranet address as mapped by the gateway.
The preset protocol service includes, but is not limited to, a TURN (Traversal Using Relays around NAT) service and a STUN (Session Traversal Utilities for NAT) service.
Further, in a typical networking, a TURN client is connected in a private network, through one or more NATs, to the public network. There is a TURN server in the public network. There are one or more peers elsewhere on the internet that the TURN client wishes to communicate with. These peers may be behind one or more NATs. The TURN client uses the server as a relay to send and receive packets to and from the peers.
On a TURN server, 3478/3479 are the standard STUN/TURN service ports, and 49152 to 65535 is the range of ports allocated on the TURN service for connections from intranet devices. A device end connecting to the TURN service is allocated a port from this range, and the client connects directly to that port to communicate with the device end through the TURN service.
The client establishes a session with the server identified by the combination of an IP address and a port. The client uses TURN messages to create and manage an allocation on the server. Once the allocation is created, the client can send application data to the server together with an indication of which peer the data is destined for, and the server relays the data to that peer. Application data sent by the client is carried inside a TURN message; the server extracts it and sends it to the peer as a UDP (User Datagram Protocol) datagram. Conversely, the peer sends application data as UDP datagrams to the relayed transport address provided by the allocation. Because TURN messages always carry an indication of which peer the client is communicating with, the client can use a single allocation to communicate with multiple peers.
The STUN protocol defined in RFC 3489 is a lightweight protocol for traversing NATs with UDP. It allows an application to discover the NATs, firewalls and other devices between it and the public Internet, and provides the application with the public IP address and port the NAT has allocated to it. STUN generally works across multiple NATs, allowing a wide variety of applications to traverse NAT.
The STUN protocol in RFC 5389 is positioned as a tool for NAT traversal, i.e. Session Traversal Utilities for NAT: a protocol that serves other protocols in solving the NAT traversal problem. STUN can be used by a client to check the IP address and port number allocated to it by the NAT, and to check connectivity between two device ends; it is one tool within an overall NAT traversal solution.
What the TURN protocol and the STUN protocol have in common is that they achieve NAT traversal by handling the intranet address at the application layer.
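The cloud platform above learns a device end's extranet address by resolving, through a STUN-style service, the gateway-mapped source address of its login request. The following is an added example, not code from the patent or from China Telecom, showing the receiving side of that step: it parses a STUN Binding success response and recovers the mapped address from either a MAPPED-ADDRESS (RFC 3489) or an XOR-MAPPED-ADDRESS (RFC 5389) attribute. `build_binding_response` only constructs a test vector and is this example's own helper. The parser handles IPv4 only and rejects inconsistent length fields, the basic check a platform accepting these responses from the network needs.

```python
"""Recover the NAT-mapped (extranet) address from a STUN Binding response.

Constructed example; the message layout follows RFC 5389, and the
IPv4 test vector used below is the one published in RFC 5769.
"""
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # RFC 3489 style: address in the clear
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # RFC 5389 style: XORed with the magic cookie


def parse_binding_response(msg: bytes) -> tuple[str, int]:
    """Return (ip, port) seen by the STUN server, or raise ValueError."""
    if len(msg) < 20:
        raise ValueError("short STUN header")
    msg_type, msg_len, cookie = struct.unpack("!HHI", msg[:8])
    if msg_type != BINDING_SUCCESS:
        raise ValueError(f"not a Binding success response: 0x{msg_type:04x}")
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    if len(msg) != 20 + msg_len:
        raise ValueError("length field does not match message size")

    body = msg[20:]
    mapped = None
    while len(body) >= 4:
        atype, alen = struct.unpack("!HH", body[:4])
        value = body[4:4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS):
            # value: reserved(1) family(1) port(2) address(4 for IPv4)
            family, port = struct.unpack("!xBH", value[:4])
            if family != 0x01:
                raise ValueError("only IPv4 is handled in this example")
            addr = struct.unpack("!I", value[4:8])[0]
            if atype == ATTR_XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16     # X-Port: XOR with the cookie's top 16 bits
                addr ^= MAGIC_COOKIE           # X-Address: XOR with the whole cookie
            candidate = (str(ipaddress.IPv4Address(addr)), port)
            # Prefer XOR-MAPPED-ADDRESS: a NAT that rewrites embedded IPs cannot corrupt it.
            if atype == ATTR_XOR_MAPPED_ADDRESS or mapped is None:
                mapped = candidate
        body = body[4 + ((alen + 3) & ~3):]    # attribute values are padded to 32 bits

    if mapped is None:
        raise ValueError("no mapped address attribute present")
    return mapped


def build_binding_response(ip: str, port: int, xor: bool = True,
                           txid: bytes = b"\x00" * 12) -> bytes:
    """Construct a Binding success response carrying the given address (test helper)."""
    addr = int(ipaddress.IPv4Address(ip))
    if xor:
        value = struct.pack("!xBHI", 0x01, port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE)
        attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    else:
        value = struct.pack("!xBHI", 0x01, port, addr)
        attr = struct.pack("!HH", ATTR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


if __name__ == "__main__":
    # Constructed sample: a device end behind NAT whose login was seen from 203.0.113.7:40000
    sample = build_binding_response("203.0.113.7", 40000)
    print(parse_binding_response(sample))
```

The value returned here is what the platform writes into its extranet address record for the device end; the strict length checks matter because this record is later handed to arbitrary clients, so a malformed response must fail closed rather than record a bogus address.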
In step 330, after the extranet address of the device to be accessed is obtained, a first response is generated according to the extranet address of the device to be accessed.
Specifically, the cloud platform generates first verification information according to the access information and the random number in the first request, and generates a first response comprising the extranet address and the first verification information.
After the first response is fed back to the client, the cloud platform receives a second request sent by the device to be accessed, the second request comprising second verification information; the second verification information is carried in the connection request sent by the client to the device to be accessed. The cloud platform verifies the second verification information against the first verification information and sends a second response to the device to be accessed; the second response indicates whether the device to be accessed may establish a connection with the client.
Further, the cloud platform performs a hash operation over the account and password of the client, the unique identifier of the device to be accessed, the communication number, the data stream type, the access timestamp and the random number to obtain the first verification information, and stores the correspondence among the first verification information, the identifier of the client and the unique identifier of the device to be accessed in the authority record; each correspondence in the authority record is valid only for a set duration.
For example, client A sends a first request to cloud platform B; the first request contains the unique identifier of a device, say device C, meaning that client A wants to access the application data of device C.
Cloud platform B finds in the extranet address record that the extranet address of device C is c. Cloud platform B also performs a hash operation over the account and password of client A, the unique identifier of the device to be accessed, the communication number, the data stream type, the access timestamp and the random number to obtain first verification information a1, and then feeds the extranet address c and the first verification information a1 back to client A as the first response.
After client A obtains the extranet address c, it generates a connection request carrying second verification information a2 (for a legitimate client, the verification information it received in the first response) and sends it to device C via the extranet address c; device C forwards a2 to cloud platform B in a second request in order to verify the legitimacy of client A.
After obtaining the second request, cloud platform B determines whether the second verification information a2 in the second request is consistent with the first verification information a1 it recorded; if so, it feeds back a second response to device C indicating that device C may connect with client A.
Illustratively, when the client fails to acquire the application data directly, a third request is sent to the cloud platform instructing it to open a public network port; the client then connects to the cloud platform through that public network port to obtain the application data.
Specifically, when the cloud platform cannot determine the extranet address of the device to be accessed in the extranet address record from the unique identifier of the device to be accessed, it acquires the application data from the device to be accessed according to the unique identifier and uploads the application data to the client.
Further, the cloud platform verifies the client's permission according to the client's account and password; after confirming that the permission check passes, it opens a public network port, acquires the application data from the device to be accessed through the public network port, and uploads the application data to the client.
For example, after cloud platform B receives the first request sent by client A, if cloud platform B cannot find the extranet address c of device C in the extranet address record, it determines that the connection between client A and device C has failed, that is, that data acquisition has failed.
At this point cloud platform B opens a public network port, to which both device C and client A connect, so that cloud platform B obtains the application data from device C and uploads the obtained application data to client A.
Illustratively, after the client actively disconnects from the cloud platform, the client's access is determined to have finished and the cloud platform closes the public network port, so that the risk of the port being intruded upon or abused by an attacker is avoided and the security of the cloud platform is improved.
To better explain the above technical solution, fig. 4 is a schematic flowchart of an application data acquisition method provided by an embodiment of the present invention. As shown in fig. 4, the specific flow includes:
Step 401, mapping request.
The device side sends a mapping request to the gateway based on its own intranet address.
Step 402, mapping result.
The gateway feeds back a mapping result to the device side; the mapping result contains the extranet address of the device side.
Step 403, login request.
The device side sends a login request to the cloud platform based on its own extranet address; the login request is used to register the device side with the cloud platform.
Step 404, determine the extranet address.
The cloud platform verifies the device side based on the login request; after verification passes, it performs intranet traversal on the source address of the login request through a preset protocol service, resolves the extranet address of the device side, and records the correspondence between the identifier of the device side and its extranet address in the extranet address record.
Step 405, login result.
The cloud platform feeds back a login result (for example, login failure or login success) to the device side.
Step 406, first request.
The cloud platform obtains a first request sent by the client; the first request contains the client's account and password, the unique identifier of the device to be accessed, the notification number, the data stream type, the access timestamp and the random number.
Step 407, verify the first request.
The cloud platform verifies the client according to its account and password, and determines from the notification number whether the device to be accessed falls within the client's request permission; the notification number corresponds to the unique identifier of the device to be accessed. For example, the request permission of the client covers device sides c1, c2 and c3; the device to be accessed then satisfies the request permission only if it is one of c1, c2 and c3.
Step 408, feed back the first response.
The cloud platform generates first verification information from the client's account and password, the unique identifier of the device to be accessed, the notification number, the data stream type, the access timestamp and the random number in the first request, and stores the first verification information in the permission record.
The cloud platform determines the extranet address of the device to be accessed in the extranet address record according to the unique identifier of the device to be accessed, generates a first response containing that extranet address and the first verification information, and feeds the first response back to the client.
Step 409, connection request.
The client generates a connection request from the extranet address of the device to be accessed in the first response and second verification information, and sends the connection request to the device side to request a connection with the device to be accessed; the device to be accessed is any device on the device side.
Step 410, second request.
After the device to be accessed obtains the connection request, it generates a second request from the second verification information in the connection request and sends the second request to the cloud platform so that the cloud platform can verify the connection request.
Step 411, verify the second request.
The cloud platform verifies the second verification information against the first verification information it recorded; this amounts to authenticating the connection request sent by the client. Because the first verification information is valid only for a set duration, the security of the connection between the device side and the client is improved.
Step 412, second response.
The cloud platform determines a second response based on the result of verifying the second request; the second response indicates whether the device to be accessed is allowed to establish a connection with the client.
For example, if the first verification information is consistent with the second verification information, the second response is to allow the connection; if they are inconsistent, the second response is to forbid the connection.
Step 413, transmit the application data.
When the second response is to allow the connection, the client acquires the application data from the device side.
In the embodiment of the invention, the intranet address of the device to be accessed is converted into its extranet address so that the client can acquire the application data directly from the device to be accessed; the cloud platform does not need to provide a public network port, which reduces the risk of the cloud platform being intruded upon or abused by an attacker and improves its security.
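The cloud-platform side of steps 403 to 413, together with the public-network-port fallback described earlier, as an added example written for this page and not the patent's own code. It keeps the extranet address record learned at device login, authenticates the first request, issues the first verification information, checks the second request the device forwards, and falls back to a relay port when no extranet address is known. The page only says that a hash operation is performed and that permission records are valid for a set duration; the choice of SHA-256, the field framing, the 300-second lifetime, the in-memory stores, the field names in the request dictionary and the simulated port allocator are all assumptions.

```python
import hashlib
import hmac
import itertools
import time
from dataclasses import dataclass

# Validity period of a permission record. The page only says "a set duration";
# 300 seconds is an assumed value.
TOKEN_TTL_SECONDS = 300


@dataclass
class PermissionRecord:
    """Correspondence stored alongside the first verification information."""
    client_id: str
    device_id: str
    expires_at: float


class CloudPlatform:
    """Cloud-platform side of the first-request / second-request exchange.

    `credentials` (account -> password) and `acl` (account -> device identifiers
    the account may access) are constructed sample stores standing in for the
    platform's account database. `clock` is injectable so expiry is testable.
    """

    def __init__(self, credentials, acl, clock=time.time):
        self.credentials = credentials
        self.acl = acl
        self.clock = clock
        self.extranet_record = {}     # device_id -> "ip:port" observed at login (steps 403-404)
        self.permission_record = {}   # first verification information -> PermissionRecord
        self.public_ports = {}        # account -> relay port opened for the fallback
        self._port_pool = itertools.count(49152)  # simulated port allocator (assumption)

    def device_login(self, device_id, observed_source):
        """Steps 403-404: the NAT-translated source of the login request is the extranet address."""
        self.extranet_record[device_id] = observed_source

    @staticmethod
    def first_verification(account, password, device_id, number, stream_type, timestamp, nonce):
        """Hash over the fields the page lists. SHA-256 and the '|' framing are assumed."""
        material = "|".join([account, password, device_id, number, stream_type, str(timestamp), nonce])
        return hashlib.sha256(material.encode()).hexdigest()

    def handle_first_request(self, req):
        """Steps 406-408, plus the relay fallback when no extranet address is recorded."""
        account = req["account"]
        stored_pw = self.credentials.get(account)
        if stored_pw is None or not hmac.compare_digest(stored_pw.encode(), req["password"].encode()):
            return {"status": "auth_failed"}
        device_id = req["device_id"]
        if device_id not in self.acl.get(account, set()):
            return {"status": "forbidden"}          # device outside the client's request permission
        extranet = self.extranet_record.get(device_id)
        if extranet is None:
            # Fallback: no extranet address is known, so the platform opens a public
            # port and relays the application data itself (simulated here).
            if account not in self.public_ports:
                self.public_ports[account] = next(self._port_pool)
            return {"status": "relay", "public_port": self.public_ports[account]}
        token = self.first_verification(account, req["password"], device_id, req["number"],
                                        req["stream_type"], req["timestamp"], req["nonce"])
        self.permission_record[token] = PermissionRecord(
            account, device_id, self.clock() + TOKEN_TTL_SECONDS)
        return {"status": "direct", "extranet_address": extranet, "verification": token}

    def verify_second_request(self, device_id, second_verification):
        """Steps 410-412: the device forwards the verification information the client presented."""
        now = self.clock()
        decision = "deny"
        for token, rec in list(self.permission_record.items()):
            if rec.expires_at <= now:
                del self.permission_record[token]   # expired correspondences are purged, never matched
                continue
            # Constant-time comparison, and the record must have been issued for the
            # device that is asking: information issued for device C opens nothing on device D.
            if hmac.compare_digest(token, second_verification) and rec.device_id == device_id:
                decision = "allow"
        return decision

    def close_public_port(self, account):
        """After the client disconnects, the relay port is closed again."""
        self.public_ports.pop(account, None)
```

The two checks in `verify_second_request` are what make the stored correspondence useful: the comparison is constant-time, and the device identifier recorded with the first verification information must match the device presenting it, so a token captured from one session cannot be replayed against a different device even before it expires.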
Based on the same technical concept, fig. 5 exemplarily shows a schematic structural diagram of an application data acquisition apparatus provided by an embodiment of the present invention; the apparatus can execute the flow of the application data acquisition method.
As shown in fig. 5, the apparatus specifically includes:
an obtaining module 510, configured to obtain a first request sent by a client; the first request contains the unique identifier of the device to be accessed;
a processing module 520, configured to determine the extranet address of the device to be accessed in an extranet address record according to the unique identifier of the device to be accessed; the extranet address record holds the extranet addresses of all device sides, and the extranet address of each device side is resolved by the cloud platform from the login request sent by that device side;
and to take the extranet address as the first response corresponding to the first request and feed the first response back to the client; the first response instructs the client to connect to the device to be accessed according to the extranet address so as to acquire the application data from the device to be accessed.
Optionally, the processing module 520 is specifically configured to:
for any device side, obtain the login request sent by that device side; the login request contains the intranet address of the device side;
perform intranet traversal on the source address of the login request through a preset protocol service and resolve the extranet address of the device side; the source address of the login request is obtained by the gateway mapping the intranet address of the device side.
Optionally, the processing module 520 is specifically configured to:
generating first verification information according to the access information and the random number in the first request;
generating a first response comprising the foreign network address and the first authentication information;
after the first response is fed back to the client, receiving a second request sent by the device to be accessed, wherein the second request comprises second verification information; the second verification information is carried in a connection request sent by the client to the equipment to be accessed;
verifying the second verification information according to the first verification information, and sending a second response to the equipment to be accessed; the second response is used for indicating whether the equipment to be accessed establishes connection with the client.
Optionally, the processing module 520 is specifically configured to:
perform a hash operation over the account and password of the client, the unique identifier of the device to be accessed, the notification number, the data stream type, the access timestamp and the random number to obtain first verification information, and store the correspondence among the first verification information, the identifier of the client and the unique identifier of the device to be accessed in a permission record; each correspondence in the permission record is valid only for a set duration.
Optionally, the processing module 520 is further configured to:
when the extranet address of the device to be accessed cannot be determined in the extranet address record according to the unique identifier of the device to be accessed,
acquire the application data from the device to be accessed according to the unique identifier of the device to be accessed and upload the application data to the client.
Optionally, the processing module 520 is specifically configured to:
perform permission verification on the client according to the account and password of the client;
after confirming that the permission verification of the client passes, open a public network port;
and acquire the application data from the device to be accessed through the public network port and upload the application data to the client.
Optionally, the processing module 520 is further configured to:
close the public network port after determining that the client's access has finished.
Based on the same technical concept, an embodiment of the present invention further provides a computer device, including:
a memory for storing program instructions;
and a processor for calling the program instructions stored in the memory and executing the application data acquisition method according to the obtained program.
Based on the same technical concept, the embodiment of the present invention further provides a computer-readable storage medium, where computer-executable instructions are stored, and the computer-executable instructions are used to enable a computer to execute the above application data obtaining method.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. An application data acquisition method, comprising:
the method comprises the steps that a cloud platform obtains a first request sent by a client; the first request comprises a unique identification of the device to be accessed;
the cloud platform determines the extranet address of the device to be accessed in an extranet address record according to the unique identifier of the device to be accessed; the extranet address record holds the extranet addresses of all device sides, and the extranet address of each device side is resolved by the cloud platform from the login request sent by that device side;
the cloud platform takes the extranet address as a first response corresponding to the first request and feeds the first response back to the client; the first response instructs the client to connect to the device to be accessed according to the extranet address so as to acquire the application data from the device to be accessed.
2. The method of claim 1, wherein the cloud platform resolving the extranet address of each device side from the login request sent by each device side comprises:
for any device side, the cloud platform obtains the login request sent by that device side; the login request contains the intranet address of the device side;
the cloud platform performs intranet traversal on the source address of the login request through a preset protocol service and resolves the extranet address of the device side; the source address of the login request is obtained by the gateway mapping the intranet address of the device side.
3. The method of claim 1, wherein the cloud platform using the extranet address as a first response to the first request comprises:
the cloud platform generates first verification information according to the access information and the random number in the first request;
the cloud platform generating a first response containing the extranet address and the first authentication information;
after feeding back the first response to the client, the method further includes:
the cloud platform receives a second request sent by the device to be accessed, wherein the second request comprises second verification information; the second verification information is carried in a connection request sent by the client to the equipment to be accessed;
the cloud platform verifies the second verification information according to the first verification information and sends a second response to the equipment to be accessed; the second response is used for indicating whether the equipment to be accessed establishes connection with the client.
4. The method of claim 1, wherein the cloud platform generating first authentication information from the access information and the random number in the first request comprises:
the cloud platform performs a hash operation over the account and password of the client, the unique identifier of the device to be accessed, the communication number, the data stream type, the access timestamp and the random number to obtain first verification information, and stores the correspondence among the first verification information, the identifier of the client and the unique identifier of the device to be accessed in a permission record; each correspondence in the permission record is valid only for a set duration.
5. The method of any of claims 1 to 4, further comprising:
when the cloud platform cannot determine the extranet address of the device to be accessed in the extranet address record according to the unique identifier of the device to be accessed,
the cloud platform acquires the application data from the device to be accessed according to the unique identifier of the device to be accessed and uploads the application data to the client.
6. The method of claim 5, wherein the cloud platform obtaining application data from the device to be accessed according to the unique identifier of the device to be accessed and uploading the application data to the client comprises:
the cloud platform performs permission verification on the client according to the account and password of the client;
after the cloud platform determines that the permission verification of the client passes, it opens a public network port;
and the cloud platform acquires application data from the equipment to be accessed through the public network port and uploads the application data to the client.
7. The method of claim 6, further comprising:
the cloud platform closes the public network port after determining that the client's access has finished.
8. An application data acquisition apparatus, comprising:
an acquisition module, configured to acquire a first request sent by a client; the first request contains the unique identifier of the device to be accessed;
a processing module, configured to determine the extranet address of the device to be accessed in an extranet address record according to the unique identifier of the device to be accessed; the extranet address record holds the extranet addresses of all device sides, and the extranet address of each device side is resolved by the cloud platform from the login request sent by that device side;
and to take the extranet address as a first response corresponding to the first request and feed the first response back to the client; the first response instructs the client to connect to the device to be accessed according to the extranet address so as to acquire the application data from the device to be accessed.
9. A computer device, comprising:
a memory for storing program instructions;
a processor for calling program instructions stored in said memory to perform the method of any of claims 1 to 7 in accordance with the obtained program.
10. A computer-readable storage medium having stored thereon computer-executable instructions for causing a computer to perform the method of any one of claims 1 to 7.
CN202111631800.XA 2021-12-29 2021-12-29 Application data acquisition method and device Pending CN114390049A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111631800.XA CN114390049A (en) 2021-12-29 2021-12-29 Application data acquisition method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111631800.XA CN114390049A (en) 2021-12-29 2021-12-29 Application data acquisition method and device

Publications (1)

Publication Number Publication Date
CN114390049A true CN114390049A (en) 2022-04-22

Family

ID=81199299

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111631800.XA Pending CN114390049A (en) 2021-12-29 2021-12-29 Application data acquisition method and device

Country Status (1)

Country Link
CN (1) CN114390049A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114928641A (en) * 2022-05-13 2022-08-19 阿里巴巴(中国)有限公司 Data sharing method and device based on cloud application, electronic equipment and storage medium
CN115720174A (en) * 2022-11-30 2023-02-28 广西壮族自治区信息中心 Setting method, device and equipment for blacklist exception and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859094A (en) * 2005-04-30 2006-11-08 腾讯科技(深圳)有限公司 Method for point-to-point linking safety detection
CN112637364A (en) * 2021-01-06 2021-04-09 上海哔哩哔哩科技有限公司 Method, client and system for establishing P2P connection
WO2021238990A1 (en) * 2020-05-27 2021-12-02 杭州海康威视数字技术股份有限公司 Authentication method and apparatus, electronic device, server, program, and storage medium

Similar Documents

Publication Publication Date Title
US20200220875A1 (en) Methods and systems for data traffic based adaptive security
US11956338B2 (en) Correlating packets in communications networks
US11647003B2 (en) Concealing internal applications that are accessed over a network
US9237168B2 (en) Transport layer security traffic control using service name identification
US7305546B1 (en) Splicing of TCP/UDP sessions in a firewalled network environment
US20150058983A1 (en) Revival and redirection of blocked connections for intention inspection in computer networks
US8219679B2 (en) Detection and control of peer-to-peer communication
CN114390049A (en) Application data acquisition method and device
CN111935212A (en) Security router and Internet of things security networking method based on security router
CN110691097A (en) Industrial honey pot system based on hpfeeds protocol and working method thereof
CN113904807A (en) Source address authentication method and device, electronic equipment and storage medium
CN110035082B (en) Switch access authentication method, switch and system
CN110830419B (en) Access control method and device for internet protocol camera
CN110995763A (en) Data processing method and device, electronic equipment and computer storage medium
CN112333088B (en) Compatible instant messaging transmission method
CN114465744A (en) Safety access method and network firewall system
Sørensen et al. Automatic profile-based firewall for iot devices
CN114363083B (en) Security protection method, device and equipment of intelligent gateway
CN112532702B (en) Cloud service platform, secure communication method of user and cloud isolation security system
Nassar et al. VoIP malware: Attack tool & attack scenarios
CN113965338B (en) Intranet penetration method
US11297104B2 (en) Method and apparatus for resilient decoy routing without conspiring autonomous systems (AS) via distributed hash table (DHT) routing
Arafat et al. Study on security issue in open source SIP server
Liu Residential Network Security: Using Software-defined Networking to Inspect and Label Traffic
CN116743868A (en) Service request processing method, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination