CN115065494A - Method, device, equipment and medium for establishing network connection - Google Patents


Publication number
CN115065494A
Application number
CN202210354156.4A
Authority
CN (China)
Prior art keywords
target external, request, external device, network connection, arp
Legal status
Granted
Other languages
Chinese (zh)
Other versions
CN115065494B (en)
Inventors
林皓
宋成龙
段杰
Current assignee
Beijing VRV Software Corp Ltd
Original assignee
Beijing VRV Software Corp Ltd
Legal events
Application filed by Beijing VRV Software Corp Ltd
Priority to CN202210354156.4A
Publication of CN115065494A
Application granted
Publication of CN115065494B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/141 Setup of application sessions


Abstract

The disclosure relates to a method, an apparatus, a device and a medium for establishing a network connection. The method comprises the following steps: intercepting an Address Resolution Protocol (ARP) request when a target external device sends the ARP request to an electronic device; detecting, in response to the ARP request, whether the target external device has been authenticated; and, if the target external device has not passed authentication, feeding back to it a first ARP message corresponding to the admission control system, the first ARP message being used to establish a network connection between the target external device and the admission control system. According to the embodiments of the disclosure, the security of the network can be improved and the network protected from malicious attacks.

Description

Method, device, equipment and medium for establishing network connection
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a medium for establishing a network connection.
Background
In existing private networks, a device that wants to join submits registration information, and an administrator checks that information before the device is allowed onto the network.
However, if the process of establishing the network connection lacks device authentication, a non-compliant device may be admitted to the network, and once a device that merely poses as a compliant device has been admitted, the security of the private network can no longer be guaranteed and the private network may be attacked maliciously.
Disclosure of Invention
In order to solve the technical problem, the present disclosure provides a method, an apparatus, a device, and a medium for establishing a network connection.
In a first aspect, the present disclosure provides a method for establishing a network connection, including:
intercepting an Address Resolution Protocol (ARP) request when a target external device sends the ARP request to an electronic device;
detecting whether the target external device has been authenticated in response to the ARP request;
if the target external equipment fails to pass the authentication, feeding back a first ARP message corresponding to the access control system to the target external equipment; the first ARP message is used for establishing network connection between the target external equipment and the access control system.
In a second aspect, the present disclosure provides an apparatus for establishing a network connection, including:
the request intercepting module is used for intercepting an Address Resolution Protocol (ARP) request when the target external equipment sends the ARP request to the electronic equipment;
a device detection module for detecting whether the target external device has been authenticated in response to the ARP request;
the network connection module is used for feeding back a first ARP message corresponding to the access control system to the target external equipment if the target external equipment fails to pass the authentication; the first ARP message is used for establishing network connection between the target external equipment and the access control system.
In a third aspect, the present disclosure provides a device for establishing a network connection, including:
a processor;
a memory for storing executable instructions;
the processor is configured to read the executable instructions from the memory and execute the executable instructions to implement the method for establishing a network connection according to the first aspect.
In a fourth aspect, the present disclosure provides a computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to implement the method for establishing a network connection of the first aspect.
Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has the following advantages:
the method, apparatus, device and medium for establishing a network connection according to the embodiments of the present disclosure can intercept an Address Resolution Protocol (ARP) request when a target external device sends the ARP request to an electronic device, detect in response to the ARP request whether the target external device has passed authentication, and, if it has not, feed back to the target external device a first ARP message corresponding to the admission control system. Because this first ARP message is used to establish a network connection between the target external device and the admission control system, an unauthenticated target external device is prevented from establishing a network connection directly with the electronic device and is instead connected to the admission control system, which then acts as a security barrier in front of the electronic device. This improves the security of the network and protects it from malicious attacks.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numbers refer to the same or similar elements. It should be understood that the drawings are schematic and that elements and features are not necessarily drawn to scale.
Fig. 1 is a schematic flowchart of a method for establishing a network connection according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of a device authentication process according to an embodiment of the present disclosure;
fig. 3 is a schematic flowchart of another device authentication process provided in the embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of an apparatus for establishing a network connection according to an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of a network connection establishment apparatus according to an embodiment of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather are provided for a more complete and thorough understanding of the present disclosure. It should be understood that the drawings and embodiments of the disclosure are for illustration purposes only and are not intended to limit the scope of the disclosure.
It should be understood that the various steps recited in the method embodiments of the present disclosure may be performed in a different order, and/or performed in parallel. Moreover, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present disclosure is not limited in this respect.
The term "include" and variations thereof as used herein are open-ended, i.e., "including but not limited to". The term "based on" is "based, at least in part, on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments". Relevant definitions for other terms will be given in the following description.
It should be noted that the terms "first", "second", and the like in the present disclosure are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence relationship of the functions performed by the devices, modules or units.
It is noted that references to "a", "an", and "the" modifications in this disclosure are intended to be illustrative rather than limiting, and that those skilled in the art will recognize that "one or more" may be used unless the context clearly dictates otherwise.
The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.
The disclosed embodiments provide a method, apparatus, device and medium for establishing a network connection that enables identity authentication of a target external device.
The following first describes a method for establishing a network connection according to an embodiment of the present disclosure with reference to fig. 1 to 3.
The method for establishing a network connection provided by the embodiment of the disclosure may be executed by an admission control system.
Fig. 1 shows a flowchart of a method for establishing a network connection according to an embodiment of the present disclosure.
As shown in fig. 1, the method for establishing a network connection may include the following steps.
S110, when the target external device sends an Address Resolution Protocol (ARP) request to the electronic device, intercepting the ARP request.
In the embodiment of the present disclosure, when a target external device wants to perform network connection with an electronic device, an address resolution protocol ARP request needs to be sent to the electronic device, and at this time, the admission control system may monitor the ARP request sent by the target external device in real time and intercept the ARP request after monitoring the ARP request.
Optionally, the ARP request may include a Media Access Control (MAC) address, an Internet Protocol (IP) address and a Virtual Local Area Network (VLAN) identifier.
Alternatively, the target external device may be a device that needs to be network connected with the electronic device, for example: camera, speaker, microphone, etc., without limitation thereto.
Alternatively, the electronic apparatus may be a Personal Computer (PC) having a control function for the target external apparatus.
Specifically, taking the target external device as a camera as an example, when the camera wants to perform network connection with a PC, the camera sends an ARP request including address information of the camera itself, and at this time, the admission control system may receive and intercept the ARP request, and at the same time, create a virtual target external device node and store the address information included in the ARP request.
And S120, responding to the ARP request, and detecting whether the target external equipment passes the authentication.
In the embodiment of the present disclosure, after the admission control system intercepts the ARP request sent by the target external device, it may detect whether the target external device has passed the authentication in response to the ARP request.
Alternatively, the admission control system may look up in the history data whether the target external device is authenticated according to the address information included in the ARP request.
Alternatively, the historical record data may include authentication data for the external device recorded in the admission control system database over a historical period of time.
Specifically, taking the target external device as a camera as an example, the admission control system may intercept an ARP request sent by the camera, and search, according to the ARP request, whether the camera passes authentication in the history data.
S130, if the target external equipment fails to pass the authentication, feeding back a first ARP message corresponding to the access control system to the target external equipment; the first ARP message is used for establishing network connection between the target external equipment and the access control system.
In this disclosure, after the admission control system has responded to the ARP request and checked whether the target external device has passed authentication, if it finds that the target external device has never been authenticated, or has been authenticated but did not pass, the admission control system determines that the target external device has not passed authentication and feeds back to it a first ARP packet corresponding to the admission control system itself, where the first ARP packet is used to establish a network connection between the target external device and the admission control system.
Alternatively, the first ARP message may be a message that includes address information of the admission control system. The first ARP message may include the IP address of the admission control system.
Specifically, after the admission control system has performed the check according to the ARP request sent by the target external device, if it finds that the target external device has not been authenticated, or has been authenticated but did not pass, the admission control system feeds back a first ARP packet containing its own IP address to the target external device; the target external device and the admission control system can then establish a network connection according to the first ARP packet, so that all traffic of the target external device is directed into the admission control system.
In the embodiment of the disclosure, when the target external device sends an ARP request to the electronic device, the ARP request is intercepted, and whether the target external device passes the authentication is detected in response to the ARP request, if the target external device does not pass the authentication, a first ARP packet corresponding to the admission control system is fed back to the target external device, and the first ARP packet can be used to establish a network connection between the target external device and the admission control system.
In another embodiment of the present disclosure, the target external device may have been authenticated and passed authentication, as described in detail below.
Optionally, after S120, the method for establishing a network connection further includes: if the target external equipment passes the authentication, feeding back a second ARP message corresponding to the electronic equipment to the target external equipment; and the second ARP message is used for establishing network connection between the target external equipment and the electronic equipment.
In some embodiments of the present disclosure, after the admission control system responds to the ARP request and detects whether the target external device has passed the authentication, if it is detected that the target external device has performed the authentication and passed the authentication, a second ARP packet corresponding to the electronic device is fed back to the target external device, where the second ARP packet is used to establish a network connection between the target external device and the electronic device.
Alternatively, the second ARP message may be a message that includes address information of the electronic device. The second ARP message may include the IP address of the electronic device.
Specifically, after the admission control system detects according to an ARP request sent by the target external device, if it is detected that the target external device is authenticated and passes the authentication, the admission control system feeds back a second ARP packet containing the IP address of the electronic device to the target external device, where the target external device and the electronic device may establish network connection according to the second ARP packet.
In the embodiment of the disclosure, if the target external device has already been authenticated and passed, the admission control system lets the target external device and the electronic device establish a network connection without repeating the authentication, which improves the working efficiency of the admission control system, reduces the risk of an unauthorized video network connection by the target external device, improves the security of the network and protects it from malicious attacks.
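As an added illustration (not code from the patent or from Beijing VRV Software), the following Python simulates steps S110 to S130 together with the branch just above, in which a device that already passed authentication receives the second ARP message instead of the first. The admission control system, the protected PC, the camera, all addresses and the `history` dictionary that stands in for the historical record data are constructed for the example; ARP packets are parsed and built in memory and nothing is sent on a network.

```python
"""Added example, not code from the patent: an in-memory simulation of the
admission control system's ARP handling in steps S110-S130 and of the
prior-authentication branch (second ARP message). Frames are parsed and built
with struct; nothing is sent on a network."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Ethernet/IPv4 ARP body (RFC 826): htype, ptype, hlen, plen, op, smac, sip, tmac, tip
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    vlan: int  # VLAN the frame arrived on (assumed to come from an 802.1Q tag, not parsed here)


def parse_arp(body: bytes, vlan: int) -> ArpPacket:
    """Decode the 28-byte ARP body; reject anything that is not Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpPacket(op, mac_str(smac), ip_str(sip), mac_str(tmac), ip_str(tip), vlan)


def build_arp(pkt: ArpPacket) -> bytes:
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, pkt.op,
                       mac_bytes(pkt.sender_mac), ip_bytes(pkt.sender_ip),
                       mac_bytes(pkt.target_mac), ip_bytes(pkt.target_ip))


Key = Tuple[str, str, int]  # (MAC, IP, VLAN): the address information the page says the request carries


class AdmissionControl:
    """Simulated admission control system protecting one electronic device (a PC).
    `history` stands in for the historical record data: last authentication outcome per device."""

    def __init__(self, own_mac: str, own_ip: str, pc_mac: str, pc_ip: str):
        self.own_mac, self.own_ip = own_mac, own_ip
        self.pc_mac, self.pc_ip = pc_mac, pc_ip
        self.history: Dict[Key, bool] = {}
        self.nodes: Dict[Key, ArpPacket] = {}  # virtual target external device nodes (S110)

    def record_authentication(self, key: Key, passed: bool) -> None:
        self.history[key] = passed

    def handle_frame(self, body: bytes, vlan: int) -> Optional[ArpPacket]:
        """S110-S130: return the ARP reply fed back to the device, or None if the frame is not intercepted."""
        req = parse_arp(body, vlan)
        if req.op != ARP_REQUEST or req.target_ip != self.pc_ip:
            return None  # only ARP requests aimed at the protected electronic device are intercepted
        key: Key = (req.sender_mac, req.sender_ip, vlan)
        self.nodes[key] = req  # create the virtual node and keep the request's address information
        # S120: consult the history. No record and a failed record both count as "not authenticated".
        if self.history.get(key) is True:
            reply_mac, reply_ip = self.pc_mac, self.pc_ip    # second ARP message: connect to the PC
        else:
            reply_mac, reply_ip = self.own_mac, self.own_ip  # first ARP message: connect to the admission system
        return ArpPacket(ARP_REPLY, reply_mac, reply_ip, req.sender_mac, req.sender_ip, vlan)


if __name__ == "__main__":
    # Constructed sample addresses for a demonstration run.
    acs = AdmissionControl("02:00:00:00:00:01", "10.0.0.1", "02:00:00:00:00:02", "10.0.0.2")
    camera = ArpPacket(ARP_REQUEST, "02:00:00:00:00:10", "10.0.0.10", "00:00:00:00:00:00", "10.0.0.2", 100)
    print(acs.handle_frame(build_arp(camera), 100))  # first ARP message: the admission system's address
    acs.record_authentication(("02:00:00:00:00:10", "10.0.0.10", 100), True)
    print(acs.handle_frame(build_arp(camera), 100))  # second ARP message: the PC's address
```

Both a missing record and a recorded failure yield the first ARP message, which is the case the page describes as "not authenticated, or authenticated but not passed". The history keyed on (MAC, IP, VLAN) only caches an outcome; identity is established by the ONVIF credential check of fig. 2, so an entry is written only once that check has completed.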
In another embodiment of the present disclosure, after the admission control system feeds back the first ARP packet to the target external device, the admission control system needs to perform device authentication on the target external device, which is described in detail below with reference to fig. 2.
Fig. 2 shows a flowchart of a device authentication process provided in an embodiment of the present disclosure.
As shown in fig. 2, the device authentication process includes:
S210, sending a network connection notification to the electronic device; the network connection notification is used to notify the electronic device that the target external device requests to establish a network connection with it.
In the embodiment of the disclosure, after the admission control system has fed back the first ARP packet corresponding to itself to the target external device and established a network connection with it, the admission control system sends a network connection notification to the electronic device, where the network connection notification notifies the electronic device that the target external device requests to establish a network connection with it.
Alternatively, the network connection notification may be used to tell the electronic device that a request by the target external device to establish a network connection with it has been received. For example, the network connection notification may carry the information that the target external device requests to establish a network connection with the electronic device.
Specifically, after the admission control system has established a network connection with the target external device, it may send a network connection notification to the electronic device, which tells the electronic device that a request by the target external device to establish a network connection with it has been received.
For example, taking the target external device as a camera as an example, after the camera receives the first ARP packet, the admission control system establishes a network connection with the camera at this time, and the admission control system sends a network connection notification to the electronic device, where the network connection notification may include information that the camera requests the electronic device to establish a network connection, and the electronic device may know information that the camera requests the electronic device to establish a network connection according to the network connection notification.
S220, responding to the received equipment login information sent by the electronic equipment, and generating a first ONVIF request according to the equipment login information; the first ONVIF request comprises a login account and a login password.
In the embodiment of the present disclosure, after receiving the network connection notification, the electronic device sends device login information of the target external device to the admission control system, and the admission control system generates a first ONVIF (Open Network Video Interface Forum) request in response to receiving the device login information of the target external device, where the first ONVIF request includes a login account and a login password.
Alternatively, the ONVIF request may be used to exchange information between the admission control system and the target external device. The first ONVIF request may include a login account number and a login password for the target external device.
Specifically, after the electronic device sends device login information corresponding to the target external device to the admission control system, the admission control system may generate a corresponding first ONVIF request according to the device login information.
S230, sending a first ONVIF request to the target external equipment; the first ONVIF request is used for enabling the target external device to verify the login account and the login password.
In the embodiment of the present disclosure, after the admission control system generates the corresponding first ONVIF request according to the device login information, the first ONVIF request is sent to the target external device. Wherein the first ONVIF request is for the target external device to authenticate the login account and the login password.
Specifically, the admission control system may send a first ONVIF request to the target external device, where the first ONVIF request may be used to cause the target external device to authenticate the login account and the login password.
For example, taking the target external device as a camera as an example, the admission control system sends a first ONVIF request to the camera, where the first ONVIF request may include a login account and a login password of the camera, and the admission control system may cause the camera to verify the login account and the login password based on the first ONVIF request.
S240, responding to the received first ONVIF response message sent by the target external equipment, and feeding back a second ARP message corresponding to the electronic equipment to the target external equipment; and the second ARP message is used for establishing network connection between the target external equipment and the electronic equipment.
In the embodiment of the disclosure, after the admission control system sends the first ONVIF request to the target external device, the first ONVIF response message sent by the target external device is received, and a second ARP message corresponding to the electronic device is fed back to the target external device in response to the first ONVIF response message, where the second ARP message is used to establish network connection between the target external device and the electronic device.
Optionally, the first ONVIF response message may be an ONVIF response message after the target external device receives the first ONVIF request. The first ONVIF response message may include acknowledgement information of the first ONVIF request by the target external device.
Specifically, the admission control system may respond to a received first ONVIF response message sent by the target external device for the first ONVIF request.
For example, taking the target external device as a camera as an example, after the camera has received the first ONVIF request, that is, the login account and the login password, and has checked them, the camera may generate a corresponding first ONVIF response message.
In some embodiments of the present disclosure, the first ONVIF response message may include correct acknowledgement information for the first ONVIF request.
Optionally, after receiving the first ONVIF response packet including the correct acknowledgement information, the admission control system responds to the first ONVIF response packet to feed back a second ARP packet corresponding to the electronic device to the target external device.
Specifically, when the first ONVIF response message includes the correct confirmation information, the admission control system feeds back the second ARP message corresponding to the electronic device to the target external device, so that the target external device and the electronic device establish a network connection; that is, the target external device, which until then had a network connection with the admission control system, switches to a network connection with the electronic device.
Optionally, after the first ONVIF response packet includes correct confirmation information and the admission control system feeds back the second ARP packet corresponding to the electronic device to the target external device, the method for establishing the network connection further includes: sending an authentication success notification to the electronic device; wherein the authentication success notification is for notifying that the target external device has been authenticated.
Alternatively, the authentication success notification may include information that the target external device has been authenticated. For example, the authentication success notification may be specifically "xxx authenticated".
In the embodiment of the present disclosure, after receiving the first ONVIF response packet including the correct acknowledgement information, the admission control system feeds back the second ARP packet corresponding to the electronic device to the target external device, and sends an authentication success notification to the electronic device, where the authentication success notification is used to notify that the target external device has passed the authentication.
Specifically, taking a target external device as a camera as an example, after receiving a first ONVIF response message that includes correct confirmation information and is sent by the camera, the admission control system may determine that the camera passes authentication, may establish network connection with the electronic device, and send a second ARP message that includes address information of the electronic device to the camera, and at the same time, the admission control system sends an authentication success notification to the electronic device, where the authentication success notification may be used to notify that the camera has passed authentication, and the authentication success notification may include information that the camera has passed authentication.
Specifically, taking a target external device as a camera as an example, after receiving a first ONVIF response message including correct confirmation information sent by the camera, the admission control system may determine that the camera passes authentication, may establish network connection with the electronic device, first send an authentication success notification to the electronic device, and then send a second ARP message including address information of the electronic device to the camera, where the authentication success notification may be used to notify that the camera has passed authentication, and the authentication success notification may include information that the camera has passed authentication.
Therefore, in the embodiment of the disclosure, the admission control system can send the authentication success notification to the electronic device, so that the electronic device can connect safely to the target external device, which reduces the risk of an unauthorized video network connection by the target external device, improves the security of the network and protects it from malicious attacks.
In some embodiments of the present disclosure, the first ONVIF response message may include error acknowledgement information for the first ONVIF request.
Optionally, after receiving the first ONVIF response packet including the error confirmation information, the admission control system responds to the first ONVIF response packet without feeding back a second ARP packet corresponding to the electronic device to the target external device.
Specifically, when the first ONVIF response message includes the error confirmation information, the admission control system does not feed back the second ARP message corresponding to the electronic device to the target external device, so that the target external device and the electronic device do not establish network connection.
In the embodiment of the disclosure, the admission control system can perform device authentication on the target external device based on the device login information, and allows the target external device to establish a network connection with the electronic device only after the authentication has succeeded, which reduces the risk of an unauthorized video network connection by the target external device, improves the security of the network and protects it from malicious attacks.
In some embodiments, before the admission control system receives the device login information sent by the electronic device, the electronic device further needs to establish a Transmission Control Protocol (TCP) connection with the target external device, which is described in detail below.
Optionally, before receiving the device login information sent by the electronic device, the method for establishing the network connection further includes: in response to receiving first TCP request confirmation information sent by the target external device, forwarding the first TCP request confirmation information to the electronic device. The first TCP request confirmation information indicates that the target external device has received and confirmed the TCP request; it causes the electronic device, upon confirming it, to send second TCP request confirmation information to the target external device; and the second TCP request confirmation information enables the target external device to establish a TCP connection with the electronic device.
In the embodiment of the present disclosure, after the admission control system feeds back the first ARP packet to the target external device, the admission control system also sends a network connection notification to the electronic device. After the electronic device receives the network connection notification, it sends a first TCP request to the target external device, and the admission control system may forward the first TCP request acknowledgement information to the electronic device in response to receiving that information from the target external device.
Optionally, the network connection notification may further include an ARP request of the target external device.
Optionally, after the admission control system sends the network connection notification to the electronic device, the electronic device needs to establish a TCP connection with the target external device, and a specific manner of the TCP connection is described in detail below.
Specifically, after the admission control system sends the network connection notification to the electronic device, the electronic device may determine the address information of the target external device from the ARP request of the target external device included in the network connection notification, and send a first TCP request to the target external device based on that address information. The first TCP request may include request information and a synchronization sequence number (SYN), and the request information may specifically be "request to establish a TCP connection".
Further, after receiving the first TCP request, the target external device may feed back first TCP request acknowledgement information, which may include SYN and an acknowledgement character (ACK). The ACK indicates that the target external device has received the first TCP request and confirms that the request is granted; the first TCP request acknowledgement information may specifically be "grant to establish a TCP connection".
Further, the admission control system may receive first TCP request acknowledgement information fed back by the target external device, and send the first TCP request acknowledgement information to the electronic device.
Further, after receiving the first TCP request acknowledgement message, the electronic device sends a second TCP request acknowledgement message to the target external device. The second TCP request acknowledgement message may include an ACK and may specifically be "acknowledging receipt of the acknowledgement message". At this point the electronic device has successfully established a TCP connection with the target external device.
In the embodiment of the disclosure, a TCP connection is required before the admission control system performs information authentication; the information authentication can be performed only after the TCP connection exists, and the target external device and the electronic device are allowed to establish a network connection only after the authentication succeeds. This reduces the risk of illegal video network connection of the target external device, improves the security of the network, and protects the network from malicious attacks.
In other embodiments, before the admission control system receives the device login information sent by the electronic device, a Hypertext Transfer Protocol (HTTP) connection needs to be performed after the TCP connection is established.
Optionally, before receiving the device login information sent by the electronic device, the method for establishing the network connection further includes: in response to receiving Hypertext Transfer Protocol (HTTP) response information sent by the target external device, sending HTTP response information to the electronic device. The HTTP response information is sent by the target external device in response to a received HTTP request for acquiring the address of the login page.
Optionally, the HTTP request is a request sent by the electronic device to the target external device; it may specifically be a "request login page".
Optionally, the HTTP response information is the response fed back by the target external device in response to the HTTP request, and it may include the login page of the target external device.
In this disclosure, after the electronic device establishes a TCP connection with the target external device, the electronic device continues by sending an HTTP request to the target external device. The admission control system may receive the HTTP response information sent by the target external device and, in response to it, discard the received message information other than the HTTP response information, process the obtained HTTP response information, and send the processed HTTP response information to the electronic device.
The HTTP connection method is explained in detail below.
Specifically, after the electronic device establishes a TCP connection with the target external device, the electronic device continues to send an HTTP request to the target external device, where the HTTP request may include a request for a login page corresponding to the target external device from the target external device.
Further, after the target external device receives the HTTP request, HTTP response information is sent to the admission control system, where the HTTP response information may include a login page corresponding to the target external device.
Further, after receiving the HTTP response information sent by the target external device, the admission control system discards the message information other than the HTTP response information, processes the acquired HTTP response information to generate new message information, and sends the new message information to the electronic device, where the processed HTTP response information may include a login page corresponding to the admission control system. After receiving this HTTP response information, the electronic device sends the device login information corresponding to the target external device to the admission control system.
In the embodiment of the disclosure, after the HTTP connection is established, the admission control system can perform the device authentication and can allow the target external device to establish the network connection with the electronic device only after the authentication succeeds, thereby reducing the risk of illegal video network connection of the target external device, improving the security of the network, and protecting the network from malicious attacks.
In another embodiment of the present disclosure, after the target external device passes the authentication, it needs to be authenticated again after a certain time, which is described in detail below with reference to fig. 3.
Fig. 3 shows a flowchart of another device authentication process provided in an embodiment of the present disclosure.
As shown in fig. 3, the device authentication process may include:
S310, timing the authenticated duration of the target external device that has passed the authentication.
In the embodiment of the present disclosure, after the admission control system feeds back the second ARP packet corresponding to the electronic device to the target external device and the electronic device establishes a network connection with the target external device, the admission control system times the authenticated duration of the target external device that has passed the authentication.
Optionally, the authenticated duration is the time elapsed from the moment the target external device passed the authentication to the present moment.
Specifically, the admission control system may record the moment at which the target external device passed the authentication and time from that moment onward to obtain the authenticated duration of the target external device.
S320, if the authenticated duration reaches the preset duration, generating a second ONVIF request; wherein the second ONVIF request includes a login account and a login password of the target external device.
In the embodiment of the present disclosure, the admission control system may compare the recorded authenticated duration of the target external device with the preset duration. If the authenticated duration has not reached the preset duration, the target external device is not re-authenticated; if the authenticated duration reaches the preset duration, the admission control system generates a second ONVIF request, which includes the login account and the login password of the target external device.
Optionally, the second ONVIF request may be the same as the first ONVIF request; for details, refer to S220, which is not described here again.
S330, sending a second ONVIF request to the target external equipment; wherein the second ONVIF request is for the target external device to authenticate the login account and the login password.
S330 is similar to S230 and will not be described herein.
S340, if the second ONVIF response message sent by the target external device is not received, feeding back the first ARP message to the target external device.
In the embodiment of the present disclosure, after the admission control system sends the second ONVIF request to the target external device, if the second ONVIF response packet from the target external device is not received, the admission control system feeds back the first ARP packet to the target external device, so that the target external device establishes a network connection with the admission control system again.
Optionally, reference is made to S130 for a specific implementation manner of the target external device and the admission control system for establishing a network connection, which is not described herein again.
In other embodiments of the present disclosure, after the admission control system sends the second ONVIF request to the target external device, if the second ONVIF response packet from the target external device is received, the admission control system restarts timing the authenticated duration of the target external device.
Therefore, in the embodiment of the disclosure, the admission control system periodically re-authenticates the target external device and allows the target external device to keep its network connection with the electronic device only while the authentication succeeds, so that the risk of illegal video network connection of the target external device is reduced, the security of the network is improved, and the network is protected from malicious attacks.
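The decisions described above, from the ARP steering and the ONVIF authentication result (first ARP packet versus second ARP packet) through the periodic re-authentication of S310 to S340, modelled as an added Python example. This is not the patent's own code; the class and method names, the preset duration, and the constructed MAC address and credentials are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class ArpReply(Enum):
    """Which ARP reply the admission control system feeds back to the target external device."""
    FIRST = "first ARP packet (address of the admission control system)"
    SECOND = "second ARP packet (address of the electronic device)"


@dataclass
class DeviceState:
    authenticated: bool = False
    auth_passed_at: Optional[float] = None   # seconds; recorded when authentication passes (S310)
    login_account: Optional[str] = None      # kept so the second ONVIF request can reuse it
    login_password: Optional[str] = None


class AdmissionController:
    """Hypothetical model of the admission control system's decisions (added example)."""

    def __init__(self, preset_duration: float):
        # Preset duration after which an authenticated device must be re-authenticated (S320).
        self.preset_duration = preset_duration
        self.devices: Dict[str, DeviceState] = {}

    def _state(self, mac: str) -> DeviceState:
        return self.devices.setdefault(mac, DeviceState())

    def on_arp_request(self, mac: str) -> ArpReply:
        """Intercepted ARP request from the target external device to the electronic device.
        An unauthenticated device gets the first ARP packet (steered to the admission system);
        an authenticated device gets the second ARP packet (steered to the electronic device)."""
        return ArpReply.SECOND if self._state(mac).authenticated else ArpReply.FIRST

    def on_device_login_info(self, mac: str, account: str, password: str) -> dict:
        """Build the first ONVIF request from the device login information sent by the electronic device."""
        st = self._state(mac)
        st.login_account, st.login_password = account, password
        return {"type": "onvif_request", "seq": 1, "account": account, "password": password}

    def on_first_onvif_response(self, mac: str, correct: bool, now: float) -> Optional[ArpReply]:
        """Only correct confirmation information yields the second ARP packet; error
        confirmation information yields no ARP packet, so the device stays isolated."""
        st = self._state(mac)
        if not correct:
            return None
        st.authenticated = True
        st.auth_passed_at = now
        return ArpReply.SECOND

    def authenticated_duration(self, mac: str, now: float) -> Optional[float]:
        """S310: time elapsed since authentication passed (None if not authenticated)."""
        st = self._state(mac)
        if not st.authenticated or st.auth_passed_at is None:
            return None
        return now - st.auth_passed_at

    def second_onvif_request_if_due(self, mac: str, now: float) -> Optional[dict]:
        """S320/S330: once the authenticated duration reaches the preset duration, generate the
        second ONVIF request carrying the stored login account and password."""
        dur = self.authenticated_duration(mac, now)
        if dur is None or dur < self.preset_duration:
            return None
        st = self._state(mac)
        return {"type": "onvif_request", "seq": 2,
                "account": st.login_account, "password": st.login_password}

    def on_second_onvif_response(self, mac: str, received: bool, now: float) -> Optional[ArpReply]:
        """S340: no second ONVIF response -> feed back the first ARP packet (device is steered back
        to the admission control system); a response restarts the duration timer. The description
        only distinguishes received from not received, so that is all this model does."""
        st = self._state(mac)
        if not received:
            st.authenticated = False
            st.auth_passed_at = None
            return ArpReply.FIRST
        st.auth_passed_at = now
        return None


def run_scenario() -> list:
    """Walk a constructed camera through the whole flow and return the decisions taken."""
    ac = AdmissionController(preset_duration=300.0)          # assumed preset duration (seconds)
    cam = "00:11:22:33:44:55"                                # constructed MAC address
    out = [ac.on_arp_request(cam)]                            # not authenticated -> FIRST
    ac.on_device_login_info(cam, "admin", "s3cret")           # constructed credentials
    out.append(ac.on_first_onvif_response(cam, False, 0.0))   # error confirmation -> None
    out.append(ac.on_first_onvif_response(cam, True, 10.0))   # correct confirmation -> SECOND
    out.append(ac.on_arp_request(cam))                        # now authenticated -> SECOND
    out.append(ac.second_onvif_request_if_due(cam, 100.0) is not None)  # 90 s < 300 s -> False
    out.append(ac.second_onvif_request_if_due(cam, 310.0) is not None)  # 300 s reached -> True
    out.append(ac.on_second_onvif_response(cam, False, 320.0))  # no response -> FIRST
    out.append(ac.on_arp_request(cam))                        # steered back to admission system
    return out


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```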
Fig. 4 shows a schematic structural diagram of an apparatus for establishing a network connection according to an embodiment of the present disclosure.
As shown in fig. 4, the network connection establishing apparatus 400 may include a request intercepting module 410, an equipment authenticating module 420, and a first feedback module 430.
The request intercepting module 410 may be configured to intercept an Address Resolution Protocol (ARP) request when the target external device sends the ARP request to the electronic device.
The device authentication module 420 may be configured to detect whether the target external device has been authenticated in response to the ARP request.
The first feedback module 430 may be configured to feed back a first ARP packet corresponding to the admission control system to the target external device if the target external device has not been authenticated; the first ARP packet is used for establishing a network connection between the target external device and the admission control system.
In the embodiment of the disclosure, when the target external device sends an ARP request to the electronic device, the ARP request is intercepted, and whether the target external device passes the authentication is detected in response to the ARP request, if the target external device does not pass the authentication, a first ARP packet corresponding to the admission control system is fed back to the target external device, and the first ARP packet can be used to establish a network connection between the target external device and the admission control system.
In some embodiments of the present disclosure, the apparatus 400 for establishing a network connection may further include a second feedback module.
The second feedback module may be configured to, after detecting whether the target external device has passed the authentication, feed back a second ARP packet corresponding to the electronic device to the target external device if the target external device passes the authentication; and the second ARP message is used for establishing network connection between the target external equipment and the electronic equipment.
In some embodiments of the present disclosure, the apparatus 400 for establishing a network connection may further include a first sending module, a first generating module, a second sending module, and a third feedback module.
The first sending module may be configured to send a network connection notification to the electronic device after feeding back the first ARP packet corresponding to the admission control system to the target external device; the network connection notification is used for notifying the target external device to request to establish network connection with the electronic device.
The first generation module may be configured to generate, in response to receiving the device login information sent by the electronic device, a first Open Network Video Interface Forum (ONVIF) request according to the device login information; the first ONVIF request comprises a login account and a login password.
The second sending module may be configured to send the first ONVIF request to the target external device; the first ONVIF request is used for enabling the target external device to verify the login account and the login password.
The third feedback module may be configured to, in response to receiving the first ONVIF response packet sent by the target external device, feed back a second ARP packet corresponding to the electronic device to the target external device; the second ARP packet is used for establishing a network connection between the target external device and the electronic device.
In some embodiments of the present disclosure, the apparatus 400 for establishing a network connection may further include a third sending module.
The third sending module may be configured to send an authentication success notification to the electronic device; wherein the authentication success notification is for notifying that the target external device has been authenticated.
In some embodiments of the present disclosure, the apparatus 400 for establishing a network connection may further include a fourth sending module.
The fourth sending module may be configured to forward, before the device login information sent by the electronic device is received, the first TCP request acknowledgement information to the electronic device in response to receiving the first TCP request acknowledgement information sent by the target external device. The first TCP request acknowledgement information indicates that the target external device has received and confirmed the TCP request; it causes the electronic device, upon confirming it, to send second TCP request acknowledgement information to the target external device; and the second TCP request acknowledgement information enables the target external device to establish a TCP connection with the electronic device.
In some embodiments of the present disclosure, the apparatus 400 for establishing a network connection may further include a fifth sending module.
The fifth sending module may be configured to send, before the device login information sent by the electronic device is received, preset HTTP response information to the electronic device in response to receiving Hypertext Transfer Protocol (HTTP) response information sent by the target external device; the HTTP response information is sent by the target external device in response to receiving an HTTP request for acquiring the address of the login page.
In some embodiments of the present disclosure, the apparatus 400 for establishing a network connection may further include a duration timing module, a second generating module, a sixth sending module, and a fourth feedback module.
The duration timing module may be configured to time the authenticated duration of the target external device after the second ARP packet corresponding to the electronic device has been fed back to the target external device.
The second generation module may be configured to generate a second ONVIF request if the authenticated duration reaches a preset duration; wherein the second ONVIF request includes a login account and a login password of the target external device.
The sixth sending module may be configured to send a second ONVIF request to the target external device; wherein the second ONVIF request is for the target external device to authenticate the login account and the login password.
The fourth feedback module may be configured to feed back the first ARP packet to the target external device if the second ONVIF response packet sent by the target external device is not received.
It should be noted that the apparatus 400 for establishing a network connection shown in fig. 4 may perform each step in the method embodiments shown in fig. 1 to fig. 3, and implement each process and effect in the method embodiments shown in fig. 1 to fig. 3, which are not described herein again.
Fig. 5 shows a schematic structural diagram of a network connection establishing device according to an embodiment of the present disclosure.
As shown in fig. 5, the network connection establishing device may include a processor 501 and a memory 502 storing computer program instructions.
Specifically, the processor 501 may include a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present disclosure.
Memory 502 may include mass storage for information or instructions. By way of example, and not limitation, memory 502 may include a Hard Disk Drive (HDD), a floppy disk drive, flash memory, an optical disk, a magneto-optical disk, tape, or a Universal Serial Bus (USB) drive, or a combination of two or more of these. Memory 502 may include removable or non-removable (or fixed) media, where appropriate. Memory 502 may be internal or external to the integrated gateway device, where appropriate. In a particular embodiment, the memory 502 is non-volatile solid-state memory. In a particular embodiment, the memory 502 includes a Read-Only Memory (ROM). The ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), Electrically Alterable ROM (EAROM), or flash memory, or a combination of two or more of these, where appropriate.
The processor 501 reads and executes the computer program instructions stored in the memory 502 to perform the steps of the network connection establishment method provided by the embodiments of the present disclosure.
In one example, the network connection establishing device may also include a transceiver 503 and a bus 504. As shown in fig. 5, the processor 501, the memory 502 and the transceiver 503 are connected via a bus 504 to complete communication.
Bus 504 includes hardware, software, or both. By way of example, and not limitation, bus 504 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front-Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB), or other suitable bus, or a combination of two or more of these. Bus 504 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable buses or interconnects are contemplated by the application.
The disclosed embodiments also provide a computer-readable storage medium, which may store a computer program, and when the computer program is executed by a processor, the processor is enabled to implement the network connection establishment method provided by the disclosed embodiments.
The storage medium may, for example, be the memory 502 storing computer program instructions that are executable by the processor 501 of the network connection establishing device to perform the network connection establishment method provided by the embodiments of the present disclosure. Alternatively, the storage medium may be a non-transitory computer-readable storage medium, for example a ROM, a Random Access Memory (RAM), a Compact Disc Read-Only Memory (CD-ROM), a magnetic tape, a floppy disk, an optical data storage device, and the like.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the term "comprises/comprising" is intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for establishing network connection is applied to an admission control system, and is characterized by comprising the following steps:
intercepting an Address Resolution Protocol (ARP) request when a target external device sends the ARP request to an electronic device;
detecting whether the target external device has been authenticated in response to the ARP request;
if the target external equipment is not authenticated, feeding back a first ARP message corresponding to the access control system to the target external equipment; and the first ARP message is used for establishing network connection between the target external equipment and the admission control system.
2. The method of claim 1, wherein after said detecting whether the target external device has been authenticated, the method further comprises:
if the target external equipment passes the authentication, feeding back a second ARP message corresponding to the electronic equipment to the target external equipment; and the second ARP message is used for establishing network connection between the target external equipment and the electronic equipment.
3. The method according to claim 1, wherein after the feeding back the first ARP packet corresponding to the admission control system to the target external device, the method further comprises:
sending a network connection notification to the electronic device; wherein the network connection notification is to notify the target external device to request establishment of a network connection with the electronic device;
responding to the received equipment login information sent by the electronic equipment, and generating a first ONVIF request according to the equipment login information; wherein the first ONVIF request comprises a login account and a login password;
sending the first ONVIF request to the target external device; wherein the first ONVIF request is for the target external device to authenticate the login account and the login password;
responding to a received first ONVIF response message sent by the target external equipment, and feeding back a second ARP message corresponding to the electronic equipment to the target external equipment; and the second ARP message is used for establishing network connection between the target external equipment and the electronic equipment.
4. The method of claim 3, further comprising:
sending an authentication success notification to the electronic device; wherein the authentication success notification is to notify that the target external device has been authenticated.
5. The method of claim 3, wherein prior to said receiving device login information sent by the electronic device, the method further comprises:
in response to receiving first TCP request confirmation information sent by the target external equipment, forwarding the first TCP request confirmation information to the electronic equipment; the first TCP request acknowledgement information is used to notify the target external device that the received TCP request has been acknowledged, the first TCP request acknowledgement information is used to enable the electronic device to send a second TCP request acknowledgement information to the target external device when the first TCP request acknowledgement information is acknowledged, and the second TCP request acknowledgement information is used to enable the target external device to establish a TCP connection with the electronic device.
6. The method of claim 3, wherein prior to said receiving device login information sent by the electronic device, the method further comprises:
responding to the received hypertext transfer protocol (HTTP) response information sent by the target external equipment, and sending the HTTP response information to the electronic equipment; the HTTP response information comprises a login page address, and is sent by the target external equipment in response to a received HTTP request for acquiring the login page address.
7. The method according to claim 3, wherein after the feeding back the second ARP packet corresponding to the electronic device to the target external device, the method further comprises:
timing the time length of the target external device which passes the authentication;
if the time length of the passed authentication reaches the preset time length, generating a second ONVIF request; wherein the second ONVIF request includes a login account and a login password of the target external device;
sending the second ONVIF request to the target external device; wherein the second ONVIF request is for the target external device to authenticate the login account and the login password;
and if the second ONVIF response message sent by the target external equipment is not received, feeding back the first ARP message to the target external equipment.
8. An apparatus for establishing a network connection, comprising:
a request intercepting module, configured to intercept an Address Resolution Protocol (ARP) request when a target external device sends the ARP request to an electronic device;
an equipment authentication module for detecting whether the target external equipment has been authenticated in response to the ARP request;
a first feedback module, configured to feed back, to the target external device, a first ARP packet corresponding to the admission control system if the target external device fails to be authenticated; and the first ARP message is used for establishing network connection between the target external equipment and the admission control system.
9. An apparatus for establishing a network connection, comprising:
a processor;
a memory for storing executable instructions;
wherein the processor is configured to read the executable instructions from the memory and execute the executable instructions to implement the network connection establishment method according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the storage medium stores a computer program which, when executed by a processor, causes the processor to implement the method for establishing a network connection according to any one of claims 1 to 7.
CN202210354156.4A 2022-04-02 2022-04-02 Method, device, equipment and medium for establishing network connection Active CN115065494B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210354156.4A CN115065494B (en) 2022-04-02 2022-04-02 Method, device, equipment and medium for establishing network connection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210354156.4A CN115065494B (en) 2022-04-02 2022-04-02 Method, device, equipment and medium for establishing network connection

Publications (2)

Publication Number Publication Date
CN115065494A true CN115065494A (en) 2022-09-16
CN115065494B CN115065494B (en) 2023-11-14

Family

ID=83197022

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210354156.4A Active CN115065494B (en) 2022-04-02 2022-04-02 Method, device, equipment and medium for establishing network connection

Country Status (1)

Country Link
CN (1) CN115065494B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008244765A (en) * 2007-03-27 2008-10-09 Toshiba Corp Dynamic host configuration protocol server, and ip address assignment method
CN101888329A (en) * 2010-04-28 2010-11-17 北京星网锐捷网络技术有限公司 Address resolution protocol (ARP) message processing method, device and access equipment
CN104883410A (en) * 2015-05-21 2015-09-02 深圳颐和网络科技有限公司 Network transmission method and network transmission device
CN107222433A (en) * 2017-04-18 2017-09-29 中国科学院信息工程研究所 A kind of access control method and system based on SDN path
US20180013788A1 (en) * 2016-07-07 2018-01-11 Attivo Networks Inc. Detecting man-in-the-middle attacks
WO2019100993A1 (en) * 2017-11-21 2019-05-31 迈普通信技术股份有限公司 Sdn network in-band control channel establishment method and device
CN113347155A (en) * 2021-05-10 2021-09-03 西安交大捷普网络科技有限公司 Method, system and device for defending ARP spoofing
CN114172750A (en) * 2022-02-14 2022-03-11 南京易科腾信息技术有限公司 Network communication method, device and storage medium based on encryption mechanism

Also Published As

Publication number Publication date
CN115065494B (en) 2023-11-14

Similar Documents

Publication Publication Date Title
US8453208B2 (en) Network authentication method, method for client to request authentication, client, and device
CN109413060B (en) Message processing method, device, equipment and storage medium
CN105847245B (en) Electronic mailbox login authentication method and device
JP5350649B2 (en) Method for authenticating user, device for authenticating user terminal, and authentication server for authenticating user terminal
WO2011000304A1 (en) Method, device and gateway equipment for detecting abnormal connections
EP3711274B1 (en) Message queuing telemetry transport (mqtt) data transmission method, apparatus, and system
CN110784464B (en) Client verification method, device and system for flooding attack and electronic equipment
CN102710667B (en) Method for realizing Portal authentication server attack prevention and broadband access server
US10148636B2 (en) Authentication methods and apparatus
EP2981022B1 (en) Method and system for transmitting and receiving data, method and device for processing message
EP2285041A1 (en) Communication establishing method, system and device
CN107872445B (en) Access authentication method, device and authentication system
CN111970308A (en) Method, device and equipment for protecting SYN Flood attack
CN112583607A (en) Equipment access management method, device, system and storage medium
CN106789858B (en) Access control method and device and server
CN113672897A (en) Data communication method, device, electronic equipment and storage medium
CN106330948A (en) Message control method and message control device
CN112235329A (en) Method, device and network equipment for identifying authenticity of SYN message
CN115065494B (en) Method, device, equipment and medium for establishing network connection
JP4768547B2 (en) Authentication system for communication devices
CN106506410B (en) Method and device for establishing safety table item
CN107360573B (en) Terminal access method and device
WO2017016415A1 (en) Access authentication method, server and authentication system of wireless local area network
US20090138952A1 (en) Method for transmitting and receiving data of a terminal in a communication system and communication terminal thereof
CN106789864B (en) Message anti-attack method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant