CN116318912A - Dynamic network interface hiding method - Google Patents


Info

Publication number
CN116318912A
Authority
CN
China
Prior art keywords
preset
sdp
network interface
address
adjustment coefficient
Prior art date
Legal status
Pending
Application number
CN202310187016.7A
Other languages
Chinese (zh)
Inventor
范伟宁
孟子涵
于亮
孙哲
王星汉
王灿
吴家乐
杜万波
杨铭
巩在飞
Current Assignee
Huaneng Information Technology Co Ltd
Original Assignee
Huaneng Information Technology Co Ltd
Application filed by Huaneng Information Technology Co Ltd

Classifications

    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0236 Network architectures or network communication protocols for network security for separating internal from external traffic (e.g. firewalls); filtering policies; filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0823 Authentication of entities using certificates
    • H04L63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/105 Controlling access to devices or network resources; multiple levels of security
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention relates to the technical field of computers, in particular to a method for dynamically hiding a network interface. The method comprises: receiving an authentication request packet sent by an SDP client, the packet carrying the client's source IP address, source MAC address, device serial number and digital certificate; the SDP controller verifies the request on the basis of this packet and, if verification fails, discards the packet without responding; if verification passes, it determines the trust level of the SDP client from the access records kept in the SDP controller and sets the dynamic open duration of the network interface according to that trust level. Because the controller opens the network interface only after the SDP client user's legitimate identity has been verified on the basis of SDP technology, and silently drops every authentication request that fails, the interface is hidden from unauthenticated hosts (network stealth) and the network attack surface is reduced; the additional checks also counter the risk that a legitimate user's SDP client IP address is misused by another host, improving the security of the network interface connection process.

Description

Dynamic network interface hiding method
Technical Field
The invention relates to the technical field of computers, in particular to a method for dynamically hiding a network interface.
Background
At present, to keep pace with the growing complexity of enterprise office systems, more and more enterprises at home and abroad are investing in internet-based office platforms. Zero trust is built on identity authentication and the principle of least privilege: it uses a software-defined perimeter with multidimensional, dynamic trust-based authorization and continuous trust evaluation, combined with comprehensive and flexible network access and security policies. This reduces latent network security risks, exposes no TCP ports to the outside, and avoids attacks that exploit vulnerabilities in the network protocols themselves, thereby shrinking the Internet exposure surface and protecting network communication and service access. Combined with a group office system, it can improve the efficiency and data security of remote work and reduce the development cost and security risk of the group office system.
SDP (software-defined perimeter) technology is one of the best technical frameworks for implementing the zero trust concept. It can reduce the attack surface to a minimum, or even expose no port at all, achieving a "zero" attack surface. Conventionally, a web site must map its ports to the Internet to be reachable by external users; with SDP, a port is mapped only for authenticated, legitimate users and is never mapped for illegitimate ones.
Existing schemes for verifying legitimate users rely mainly on checking the client's IP address, and an IP address can be stolen (spoofed, or reused by another host). A dynamic network interface hiding method is therefore urgently needed to address this problem.
Disclosure of Invention
In view of this, the present invention proposes a method for dynamically hiding network interfaces, mainly to address the problem in the prior art that a legitimate user's IP address may be stolen, which puts the verification of legitimate users at risk.
In one aspect, the present invention provides a method for dynamically hiding a network interface, the method comprising:
receiving an authentication request packet sent by an SDP client;
the authentication request packet includes: the source IP address, the source MAC address, the device serial number and the digital certificate of the SDP client;
the SDP controller verifies the request on the basis of the authentication request packet; if verification fails it discards the packet and does not respond; if verification passes it determines the trust level of the SDP client from the access records kept in the SDP controller and sets the dynamic open duration of the network interface according to that trust level.
In some embodiments of the present application, verification by the SDP controller on the basis of the authentication request packet comprises a first check, specifically:
extracting the source IP address of the SDP client and comparing it against a trusted IP address list pre-stored in the SDP controller; if a matching IP address exists the check passes; if none exists the check fails and the authentication request packet is discarded without a response.
In some embodiments of the present application, after the first check passes, a second check follows, specifically:
extracting the source MAC address of the SDP client and comparing it against a trusted MAC address list pre-stored in the SDP controller; if a matching MAC address exists the check passes; if none exists the check fails and the authentication request packet is discarded without a response.
In some embodiments of the present application, after the second check passes, a third check follows, specifically:
obtaining the ARP correspondence table held by the SDP controller and checking whether the source IP address and the source MAC address correspond to each other in it; if they do the check passes; if they do not, the authentication request packet is discarded without a response.
In some embodiments of the present application, after the third check passes, a fourth check follows, specifically:
extracting the device serial number of the SDP client and comparing it against a trusted device information list pre-stored in the SDP controller; if matching device information exists the check passes; if none exists the check fails and the authentication request packet is discarded without a response.
In some embodiments of the present application, after the fourth check passes, a fifth check follows, specifically:
extracting the user identity information from the digital certificate and comparing it against a user identity information list pre-stored in the SDP controller; if the identity matches an entry the check passes; if it does not the check fails and the authentication request packet is discarded without a response.
In some embodiments of the present application, after the fifth check passes, a sixth check follows, specifically:
comparing the user identity information extracted from the authentication request packet with the source IP address against a list of user identity to source IP address correspondences pre-stored in the SDP controller; if the correspondence exists the check passes and the network interface is opened; if it does not exist the check fails and the authentication request packet is discarded without a response.
In some embodiments of the present application, determining the trust level of the SDP client from the access records kept inside the SDP controller specifically comprises:
obtaining the access count H and the total access duration L recorded for the source IP address in the SDP controller, and presetting a first preset access duration L1, a second preset access duration L2, a third preset access duration L3 and a fourth preset access duration L4, where L1 > L2 > L3 > L4, together with a first to fourth preset adjustment coefficient l1, l2, l3 and l4;
when L2 ≤ L < L1, selecting the first preset adjustment coefficient l1 to adjust the access count H of the source IP address, the adjusted access count being H·l1;
when L3 ≤ L < L2, selecting the second preset adjustment coefficient l2 to adjust the access count H of the source IP address, the adjusted access count being H·l2;
when L4 ≤ L < L3, selecting the third preset adjustment coefficient l3 to adjust the access count H of the source IP address, the adjusted access count being H·l3;
when L < L4, selecting the fourth preset adjustment coefficient l4 to adjust the access count H of the source IP address, the adjusted access count being H·l4.
In some embodiments of the present application, after the i-th preset adjustment coefficient li (i = 1, 2, 3, 4) has been selected to adjust the access count H of the source IP address and the adjusted access count H·li has been obtained, the method further comprises:
the SDP controller records the access time T0 of the source IP address carried in the authentication request packet, looks up the access periods recorded for that source IP address in the pre-stored per-IP access period table, and computes the time difference T between T0 and the nearest moment of those access periods; it presets a first preset time difference T1, a second preset time difference T2, a third preset time difference T3 and a fourth preset time difference T4, where T1 < T2 < T3 < T4, and a first preset adjustment coefficient t1, a second preset adjustment coefficient t2, a third preset adjustment coefficient t3 and a fourth preset adjustment coefficient t4, where 1.2 > t1 > t2 > 1 > t3 > t4 > 0.8;
when T1 ≤ T < T2, selecting the first preset adjustment coefficient t1 to perform a secondary adjustment on the adjusted access count H·li, giving the secondarily adjusted access count H·li·t1;
when T2 ≤ T < T3, selecting the second preset adjustment coefficient t2 to perform a secondary adjustment on H·li, giving H·li·t2;
when T3 ≤ T < T4, selecting the third preset adjustment coefficient t3 to perform a secondary adjustment on H·li, giving H·li·t3;
when T ≥ T4, selecting the fourth preset adjustment coefficient t4 to perform a secondary adjustment on H·li, giving H·li·t4.
In some embodiments of the present application, after the i-th preset adjustment coefficient ti (i = 1, 2, 3, 4) has been selected to perform the secondary adjustment on H·li and the secondarily adjusted access count H' = H·li·ti has been obtained, the method further comprises:
presetting a first preset access count H1, a second preset access count H2, a third preset access count H3 and a fourth preset access count H4, where H1 > H2 > H3 > H4, and presetting a first preset trust level X1, a second preset trust level X2, a third preset trust level X3 and a fourth preset trust level X4, where X1 > X2 > X3 > X4;
when H2 ≤ H' < H1, selecting the first preset trust level X1 as the trust level of the SDP client;
when H3 ≤ H' < H2, selecting the second preset trust level X2 as the trust level of the SDP client;
when H4 ≤ H' < H3, selecting the third preset trust level X3 as the trust level of the SDP client;
when H' < H4, selecting the fourth preset trust level X4 as the trust level of the SDP client.
In some embodiments of the present application, when Xi (i = 1, 2, 3, 4) is selected as the trust level of the SDP client, the method further comprises:
presetting a first preset adjustment coefficient n1, a second preset adjustment coefficient n2, a third preset adjustment coefficient n3 and a fourth preset adjustment coefficient n4, where 1.2 > n1 > n2 > 1 > n3 > n4 > 0.8;
when Xi = X1, selecting the first preset adjustment coefficient n1 to adjust the base open duration N0 of the network interface, the adjusted open duration being N0·n1;
when Xi = X2, selecting the second preset adjustment coefficient n2 to adjust the base open duration N0 of the network interface, the adjusted open duration being N0·n2;
when Xi = X3, selecting the third preset adjustment coefficient n3 to adjust the base open duration N0 of the network interface, the adjusted open duration being N0·n3;
when Xi = X4, selecting the fourth preset adjustment coefficient n4 to adjust the base open duration N0 of the network interface, the adjusted open duration being N0·n4.
After the i-th preset adjustment coefficient ni (i = 1, 2, 3, 4) has been selected to adjust the open duration N0 of the network interface, the adjusted open duration N0·ni is taken as the final open duration.
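The trust-level and open-duration computation described above (and repeated in the Detailed Description), carried through as an added worked example written for this page; it is not the patent's or any vendor's code. The threshold and coefficient values are constructed so that they satisfy the orderings the text gives (the patent fixes no numbers), time is measured in hours, and the three range boundaries the text leaves unstated (L at or above L1, T below T1, an adjusted count at or above H1) are assigned to the first band. All of these are assumptions.

```python
"""Added example for this page (not the patent's code): trust level X1..X4 and
open duration N0*n_i from access count H, total access duration L and the gap T
between the current access time and the recorded access periods.  Policy
values are constructed to satisfy the orderings the text states; the handling
of values outside every stated band is an assumption."""

from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

Thresholds = Tuple[float, float, float, float]


@dataclass(frozen=True)
class Policy:
    L: Thresholds = (200.0, 100.0, 50.0, 10.0)   # L1 > L2 > L3 > L4 (hours, assumed)
    l: Thresholds = (1.3, 1.2, 1.1, 1.0)         # l1..l4: longer history -> larger factor
    T: Thresholds = (1.0, 3.0, 6.0, 12.0)        # T1 < T2 < T3 < T4 (hours, assumed)
    t: Thresholds = (1.15, 1.05, 0.95, 0.85)     # 1.2 > t1 > t2 > 1 > t3 > t4 > 0.8
    H: Thresholds = (100.0, 50.0, 20.0, 5.0)     # H1 > H2 > H3 > H4
    n: Thresholds = (1.15, 1.05, 0.95, 0.85)     # 1.2 > n1 > n2 > 1 > n3 > n4 > 0.8


def descending_band(value: float, th: Thresholds) -> int:
    """Band 0..3 for thresholds X1 > X2 > X3 > X4: band i (i < 3) means
    X(i+2) <= value < X(i+1); band 3 means value < X4.  A value at or above
    X1 is placed in band 0 (assumption: the text does not state that case)."""
    for i in range(1, 4):
        if value >= th[i]:
            return i - 1
    return 3


def ascending_band(value: float, th: Thresholds) -> int:
    """Band 0..3 for thresholds X1 < X2 < X3 < X4: band i (i < 3) means
    X(i+1) <= value < X(i+2); band 3 means value >= X4.  A value below X1 is
    placed in band 0 (assumption: the text does not state that case)."""
    for i in range(1, 4):
        if value < th[i]:
            return i - 1
    return 3


def time_gap(t0: float, periods: Sequence[Tuple[float, float]]) -> float:
    """Distance from access time t0 to the nearest recorded access period
    (0 when t0 lies inside one).  With no recorded periods the gap is infinite,
    which lands in the last band and applies the smallest coefficient t4."""
    best = float("inf")
    for start, end in periods:
        if start <= t0 <= end:
            return 0.0
        best = min(best, abs(t0 - start), abs(t0 - end))
    return best


def trust_decision(h: float, l_total: float, t0: float,
                   periods: Sequence[Tuple[float, float]], n0: float,
                   p: Policy = Policy()) -> Dict[str, float]:
    """Full pipeline: H -> H*l_i -> H*l_i*t_i -> trust level X -> N0*n_X."""
    h_adj = h * p.l[descending_band(l_total, p.L)]            # first adjustment
    h_adj *= p.t[ascending_band(time_gap(t0, periods), p.T)]  # secondary adjustment
    level = descending_band(h_adj, p.H) + 1                   # 1 = X1 (most trusted)
    return {"adjusted_count": h_adj, "trust_level": level,
            "open_seconds": n0 * p.n[level - 1]}


# Constructed sample history: 30 accesses over 120 h, usually around hour 98-100
# and 110-112 of the log; the new request arrives at hour 100.5.
SAMPLE_PERIODS: List[Tuple[float, float]] = [(98.0, 100.0), (110.0, 112.0)]

if __name__ == "__main__":
    print(trust_decision(30, 120.0, 100.5, SAMPLE_PERIODS, n0=600.0))
    print(trust_decision(3, 5.0, 50.0, [(0.0, 2.0)], n0=600.0))
```

The two sample calls show the intended direction of the scheme: a source with a long history that connects inside its usual window gets its count raised (30 to 44.85), lands in X2 and gets a longer window than the base N0; a source with almost no history that connects far from any recorded period is pushed down to X4 and gets the shortest window. Note that the adjustment only ever shortens or lengthens the open time; it never refuses a client that passed the identity checks.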
Compared with the prior art, the invention has the following beneficial effects:
the legitimate identity of the SDP client user is verified on the basis of SDP technology; the network interface is opened only when verification passes, and the authentication request packet is discarded without any response when it does not, so that network stealth is achieved and the network attack surface is reduced;
further, in this embodiment, the source IP address, the MAC address, the correspondence between source IP address and MAC address, the device serial number, the user identity information in the digital certificate, and the correspondence between user identity and IP address carried in the authentication request packet sent by the SDP client are verified one by one, which secures the verification of the legitimate user's identity; at the same time, verifying the correspondence between source IP address and MAC address and the correspondence between user identity and IP address counters the risk of a legitimate user's SDP client IP address being stolen;
further, in this embodiment, the open duration of the network interface is adjusted dynamically according to the trust level assigned to the verified SDP client's IP address, which reduces the risk to the SDP client during access and connection and improves the security of the network interface connection process.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. In the drawings:
fig. 1 is a flow chart of a method for dynamically hiding a network interface according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art. It should be noted that, without conflict, the embodiments of the present invention and features of the embodiments may be combined with each other. The invention will be described in detail below with reference to the drawings in connection with embodiments.
Referring to fig. 1, the present embodiment provides a method for dynamically hiding a network interface, comprising:
step S100: receiving an authentication request packet sent by an SDP client;
step S200: the SDP controller verifying the request on the basis of the authentication request packet;
step S300: discarding the packet and not responding if verification fails, and determining the trust level of the SDP client from the access records kept in the SDP controller if verification passes;
step S400: determining the dynamic open duration of the network interface according to the trust level.
Specifically, the authentication request packet includes: the source IP address, the source MAC address, the device serial number and the digital certificate information of the SDP client.
It can be seen that in this embodiment, on the basis of SDP technology, the way the legitimate user identity of the SDP client is verified is adjusted: the network interface is opened only for an SDP client user that passes verification, and a trust level is determined for that user to set the dynamic open duration of the network interface, reducing the security risk in the authentication and network connection process.
In a specific embodiment of the present application, verification by the SDP controller on the basis of the authentication request packet comprises a first check, specifically:
extracting the source IP address of the SDP client and comparing it against a trusted IP address list pre-stored in the SDP controller; if a matching IP address exists the check passes; if none exists the check fails and the authentication request packet is discarded without a response.
In some embodiments of the present application, after the first check passes, a second check follows, specifically:
extracting the source MAC address of the SDP client and comparing it against a trusted MAC address list pre-stored in the SDP controller; if a matching MAC address exists the check passes; if none exists the check fails and the authentication request packet is discarded without a response.
In a specific embodiment of the present application, after the second check passes, a third check follows, specifically:
obtaining the ARP correspondence table held by the SDP controller and checking whether the source IP address and the source MAC address correspond to each other in it; if they do the check passes; if they do not, the authentication request packet is discarded without a response.
It can be seen that in this embodiment, after the source IP address and the MAC address of the SDP client have each been verified, the correspondence between the IP address and the MAC address is verified as well, which counters the risk that arises when a client's IP address is stolen and further secures the verification process.
In a specific embodiment of the present application, after the third check passes, a fourth check follows, specifically:
extracting the device serial number of the SDP client and comparing it against a trusted device information list pre-stored in the SDP controller; if matching device information exists the check passes; if none exists the check fails and the authentication request packet is discarded without a response.
It can be seen that in this embodiment the security of legitimate user authentication is further ensured by verifying the device serial number of the SDP client. The device serial number in this embodiment may be a machine code; any device identifier capable of authenticating the device identity may be used, and this embodiment places no specific limitation on it.
In a specific embodiment of the present application, after the fourth check passes, a fifth check follows, specifically:
extracting the user identity information from the digital certificate and comparing it against a user identity information list pre-stored in the SDP controller; if the identity matches an entry the check passes; if it does not the check fails and the authentication request packet is discarded without a response.
In a specific embodiment of the present application, after the fifth check passes, a sixth check follows, specifically:
comparing the user identity information extracted from the authentication request packet with the source IP address against a list of user identity to source IP address correspondences pre-stored in the SDP controller; if the correspondence exists the check passes and the network interface is opened; if it does not exist the check fails and the authentication request packet is discarded without a response.
It can be seen that in this embodiment the user identity information in the digital certificate is compared with the trusted user identity information list pre-stored in the SDP controller, completing authentication of the user's actual identity; at the same time, the correspondence between the source IP address and the user identity obtained during authentication is checked against the list of user identity to source IP address correspondences pre-stored in the SDP controller. If this check passes, the SDP client user is a legitimate user. Because the controller performs no interactive certificate exchange with the SDP client during these checks, the network interface remains hidden while it is being scanned, the network attack surface is reduced, and the risk of the IP address and the MAC address being stolen together is countered.
Furthermore, no step of the verification process sends a response to the SDP client, so the network interface remains hidden throughout connection verification, further improving its security.
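The six ordered checks above (also listed in the Disclosure of Invention), as an added example written for this page rather than code from the patent or any vendor: an SDP-controller-style verifier that returns the first failing check, which the caller answers with "drop, no response". The allowlists, the ARP table, the identity-to-IP mapping, the request field names and the sample requests are all constructed data and are assumptions; the certificate is represented only by the identity it carries, exactly as the text does.

```python
"""Added example (not the patent's or any vendor's code): the six ordered checks
an SDP controller runs on an authentication request packet.  All controller
state and sample requests below are constructed data (assumptions)."""

from dataclasses import dataclass
from typing import Dict, Optional

# Constructed controller state (assumption: provisioned out-of-band from the
# device inventory, the network's ARP/DHCP records and the enterprise CA).
TRUSTED_IPS = {"10.1.1.20", "10.1.1.21"}
TRUSTED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
ARP_TABLE = {"10.1.1.20": "00:11:22:33:44:55",          # IP -> MAC correspondence
             "10.1.1.21": "00:11:22:33:44:66"}
TRUSTED_DEVICES = {"SN-0001", "SN-0002"}
TRUSTED_USERS = {"alice", "bob"}
USER_IP_MAP = {"alice": "10.1.1.20", "bob": "10.1.1.21"}  # identity -> expected source IP


@dataclass(frozen=True)
class AuthRequest:
    """The fields of the authentication request packet named by the page."""
    src_ip: str
    src_mac: str
    device_serial: str
    cert_identity: str  # user identity carried in the digital certificate (assumption: subject CN)


def verify(req: AuthRequest) -> Optional[str]:
    """Run the checks in the page's order.  Returns the name of the first check
    that fails (the caller must discard silently), or None when all six pass."""
    mac = req.src_mac.lower()
    if req.src_ip not in TRUSTED_IPS:                       # 1: source IP allowlist
        return "ip-not-trusted"
    if mac not in TRUSTED_MACS:                             # 2: source MAC allowlist
        return "mac-not-trusted"
    if ARP_TABLE.get(req.src_ip) != mac:                    # 3: IP <-> MAC correspondence
        return "ip-mac-mismatch"
    if req.device_serial not in TRUSTED_DEVICES:            # 4: device serial allowlist
        return "device-not-trusted"
    if req.cert_identity not in TRUSTED_USERS:              # 5: identity from the certificate
        return "user-not-trusted"
    if USER_IP_MAP.get(req.cert_identity) != req.src_ip:    # 6: identity <-> IP correspondence
        return "user-ip-mismatch"
    return None


def handle(req: AuthRequest) -> Optional[Dict[str, str]]:
    """Controller entry point.  None models 'discard and do not respond' (the
    interface stays invisible to the sender); a dict models the open-interface
    decision handed on to the trust-level stage."""
    if verify(req) is not None:
        return None
    return {"action": "open", "user": req.cert_identity, "src_ip": req.src_ip}


# Constructed sample requests: one legitimate client and three impersonation attempts.
SAMPLES = {
    "legitimate":    AuthRequest("10.1.1.20", "00:11:22:33:44:55", "SN-0001", "alice"),
    "stolen_ip":     AuthRequest("10.1.1.20", "00:11:22:33:44:66", "SN-0002", "bob"),     # bob's host using alice's IP
    "stolen_ip_mac": AuthRequest("10.1.1.20", "00:11:22:33:44:55", "SN-0002", "bob"),     # alice's IP and MAC, bob's certificate
    "unknown_user":  AuthRequest("10.1.1.20", "00:11:22:33:44:55", "SN-0001", "mallory"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:14s} -> {verify(req) or 'pass'}")
```

The "stolen_ip" and "stolen_ip_mac" samples exercise the two correspondence checks the page relies on: copying a legitimate IP is caught by the IP-to-MAC check, and copying both IP and MAC is caught by the identity-to-IP check. A practitioner should keep in mind what these fields are: source IP and MAC are chosen by the sender, the MAC is only meaningful on the controller's own layer-2 segment and the ARP table it is compared against can itself be poisoned, so the digital certificate is the only element that can be bound cryptographically to the client. The page compares only the identity the certificate carries; a deployment should additionally validate the certificate chain and require the request to be signed with the corresponding private key.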
In a specific embodiment of the present application, when determining the trusted class of the SDP client based on the access information recorded inside the SDP controller, the method specifically includes:
acquiring access times H and access total time length L of a source IP address pre-stored in an SDP controller, and presetting a first preset access time length L1, a second preset access time length L2, a third preset access time length L3 and a fourth preset access time length L4, wherein L1 is more than L2 and more than L3 and more than L4;
when L2 is less than or equal to L1, selecting a first preset adjustment coefficient L1 to adjust the access times H of the source IP address, wherein the adjusted open time length is H1;
when L3 is less than or equal to L2, selecting a second preset adjustment coefficient L2 to adjust the access times H of the source IP address, wherein the adjusted open time length is H.l2;
when L4 is less than or equal to L3, selecting a third preset adjustment coefficient L3 to adjust the access times H of the source IP address, wherein the adjusted open time length is H.l3;
when L is smaller than L4, a fourth preset adjustment coefficient L4 is selected to adjust the access times H of the source IP address, and the adjusted open time length is H.l4.
In a specific embodiment of the present application, after the i-th preset adjustment coefficient li is selected to adjust the access number H of the source IP address, i=1, 2,3,4, and the adjusted access number h×li is obtained, the method further includes:
the SDP controller records the access time T0 of the source IP address in the verification request data packet, invokes the access time period of the source IP address which is requested to be verified in the prestored access time period record table of each IP address to obtain the time difference T of the nearest moment in the T0 and the access time period, and presets a first preset time difference T1, a second preset time difference T2, a third preset time difference T3 and a fourth preset time difference T4, wherein T1 is more than T2 and less than T3 is more than T4; a first preset adjustment coefficient t1, a second preset adjustment coefficient t2, a third preset adjustment coefficient t3 and a fourth preset adjustment coefficient t4 are preset, and 1.2 is more than t1 and more than t2 is more than 1 and more than t3 and more than t4 is more than 0.8;
when T1 is less than or equal to T2, selecting a first preset adjustment coefficient T1 to carry out secondary adjustment on the adjusted access times H.li, so as to obtain the access times H.li.t1 after secondary adjustment;
when T2 is less than or equal to T3, selecting a second preset adjustment coefficient T2 to carry out secondary adjustment on the adjusted access times H.times li, and obtaining the access times H.times.li2 after secondary adjustment;
when T3 is less than or equal to T4, selecting a third preset adjustment coefficient T3 to carry out secondary adjustment on the adjusted access times H.times.li, and obtaining the access times H.times.li.t 3 after secondary adjustment;
when T4 is less than or equal to T, selecting a fourth preset adjustment coefficient T4 to carry out secondary adjustment on the adjusted access times H.li, and obtaining the access times H.li.t4 after secondary adjustment.
In a specific embodiment of the present application, after the i-th preset adjustment coefficient ti has been selected to perform the secondary adjustment on the adjusted access count H×li, i=1, 2, 3, 4, and the secondarily adjusted access count H×li×ti has been obtained, the method further includes:
presetting a first preset access count H1, a second preset access count H2, a third preset access count H3 and a fourth preset access count H4, where H1 > H2 > H3 > H4, and presetting a first preset trusted level X1, a second preset trusted level X2, a third preset trusted level X3 and a fourth preset trusted level X4, where X1 > X2 > X3 > X4; the secondarily adjusted access count H' = H×li×ti is then compared with these thresholds:
when H2 ≤ H' < H1, the first preset trusted level X1 is selected as the trusted level of the SDP client;
when H3 ≤ H' < H2, the second preset trusted level X2 is selected as the trusted level of the SDP client;
when H4 ≤ H' < H3, the third preset trusted level X3 is selected as the trusted level of the SDP client;
when H' < H4, the fourth preset trusted level X4 is selected as the trusted level of the SDP client.
It can be seen that in this embodiment the access count is adjusted using the total access duration and the access count of the source IP address of a legitimate user of the SDP client: a long total access duration means a low risk factor, so a larger adjustment coefficient is selected and the access count is increased; at the same time the main access period of the source IP address is obtained, and the larger the time difference between the login time and that main access period, the higher the risk factor, so a smaller adjustment coefficient is selected and the access count is reduced. The adjusted access count is then compared with the preset access counts: the more accesses, the lower the risk and the higher the trusted level selected, so that the trusted level is matched dynamically to the legitimate user accessing through the SDP client.
In a specific embodiment of the present application, when Xi is selected as the trusted level of the SDP client, i=1, 2, 3, 4, the method further includes:
presetting a first preset adjustment coefficient n1, a second preset adjustment coefficient n2, a third preset adjustment coefficient n3 and a fourth preset adjustment coefficient n4, where 1.2 > n1 > n2 > 1 > n3 > n4 > 0.8;
when Xi = X1, selecting the first preset adjustment coefficient n1 to adjust the open duration N0 of the network interface, the adjusted open duration being N0×n1;
when Xi = X2, selecting the second preset adjustment coefficient n2 to adjust the open duration N0 of the network interface, the adjusted open duration being N0×n2;
when Xi = X3, selecting the third preset adjustment coefficient n3 to adjust the open duration N0 of the network interface, the adjusted open duration being N0×n3;
when Xi = X4, selecting the fourth preset adjustment coefficient n4 to adjust the open duration N0 of the network interface, the adjusted open duration being N0×n4.
After the i-th preset adjustment coefficient ni has been selected to adjust the open duration N0 of the network interface, i=1, 2, 3, 4, the adjusted open duration N0×ni is used as the final open duration.
It can be seen that in this embodiment the open duration of the network interface is adjusted according to the trusted level: if the trusted level is high, the risk during communication over the network interface is small and the open duration can be extended appropriately; if the trusted level is low, the risk during communication is high and the open duration can be shortened appropriately. By dynamically adjusting the open duration of the network interface in this way, the security of the network interface during connection and communication is further improved.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.

Claims (10)

1. A method for dynamically hiding a network interface, comprising:
receiving an authentication request data packet sent by an SDP client,
the authentication request data packet comprising the source IP address, the source MAC address, the device serial number and the digital certificate of the SDP client; and
the SDP controller performing verification based on the authentication request data packet; if the verification fails, discarding the data packet without responding; if the verification passes, judging the trusted level of the SDP client based on access information recorded in the SDP controller, and determining the dynamic open duration of the network interface based on the trusted level.
2. The method for dynamically hiding a network interface according to claim 1, wherein the verification performed by the SDP controller based on the authentication request data packet comprises a first verification, specifically:
extracting the source IP address of the SDP client and comparing it against a trusted IP address list pre-stored in the SDP controller; if a matching IP address exists, the verification passes; if no matching IP address exists, the verification fails and the authentication request data packet is discarded without responding.
3. The method for dynamically hiding a network interface according to claim 2, wherein after the first verification passes the method further comprises a second verification, specifically:
extracting the source MAC address of the SDP client and comparing it against a trusted MAC address list pre-stored in the SDP controller; if a matching MAC address exists, the verification passes; if no matching MAC address exists, the verification fails and the authentication request data packet is discarded without responding.
4. The method for dynamically hiding a network interface according to claim 3, wherein after the second verification passes the method further comprises a third verification, specifically:
obtaining the ARP correspondence table held by the SDP controller and checking whether the source IP address and the source MAC address correspond to each other in it; if the correspondence exists, the verification passes; if it does not, the verification fails and the authentication request data packet is discarded without responding.
5. The method for dynamically hiding a network interface according to claim 4, wherein after the third verification passes the method further comprises a fourth verification, specifically:
extracting the device serial number from the authentication request data packet and comparing it against a trusted device information list pre-stored in the SDP controller; if matching device information exists, the verification passes; if no matching device information exists, the verification fails and the authentication request data packet is discarded without responding;
and after the device serial number check passes, the fourth verification further comprises:
extracting the user identity information from the digital certificate and comparing it against a user identity information list pre-stored in the SDP controller; if the user identity information matches, the verification passes; if it does not match, the verification fails and the authentication request data packet is discarded without responding.
6. The method for dynamically hiding a network interface according to claim 5, wherein after the fourth verification passes the method further comprises a fifth verification, specifically:
checking the user identity information and the source IP address extracted from the authentication request data packet against a correspondence list of user identity information and source IP addresses pre-stored in the SDP controller; if the correspondence exists, the verification passes and the network interface is opened; if it does not exist, the verification fails and the authentication request data packet is discarded without responding.
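The ordered, fail-closed check sequence of claims 1 to 6, written out as an added example (this is not the patent's own code). It assumes the request has already been parsed into the four fields the page lists, and the table layout (`ControllerTables`), the stage names, the MAC normalisation and all sample addresses, serial numbers and user names are constructed for illustration:

```python
"""Ordered verification of an SDP authentication request packet (claims 1 to 6):
each check must pass before the next runs, and any failure means the packet is
dropped with no response to the sender."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AuthRequest:
    """The four fields the page says the request packet carries (already parsed)."""
    src_ip: str
    src_mac: str
    device_serial: str
    user_identity: str  # identity information taken from the digital certificate


@dataclass(frozen=True)
class ControllerTables:
    """Lists the SDP controller keeps pre-stored (assumed representation)."""
    trusted_ips: FrozenSet[str]
    trusted_macs: FrozenSet[str]
    arp_table: Dict[str, str]             # IP -> MAC as learned by the controller
    trusted_devices: FrozenSet[str]       # device serial numbers
    known_users: FrozenSet[str]           # identities accepted from certificates
    user_ips: Dict[str, FrozenSet[str]]   # identity -> source IPs it may use


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.replace("-", ":").lower()


# (stage name, predicate) in the order the claims give; the first failure wins.
CHECKS: Tuple[Tuple[str, Callable[[AuthRequest, ControllerTables], bool]], ...] = (
    ("ip_allowlist",     lambda r, t: r.src_ip in t.trusted_ips),
    ("mac_allowlist",    lambda r, t: norm_mac(r.src_mac) in t.trusted_macs),
    ("arp_binding",      lambda r, t: t.arp_table.get(r.src_ip) == norm_mac(r.src_mac)),
    ("device_serial",    lambda r, t: r.device_serial in t.trusted_devices),
    ("certificate_user", lambda r, t: r.user_identity in t.known_users),
    ("user_ip_binding",  lambda r, t: r.src_ip in t.user_ips.get(r.user_identity, frozenset())),
)


def first_failed_check(req: AuthRequest, tables: ControllerTables) -> Optional[str]:
    """Name of the first check that fails, or None when all pass. For the
    controller's own audit log only: the client never learns which stage failed."""
    for name, passes in CHECKS:
        if not passes(req, tables):
            return name
    return None


def should_open_interface(req: AuthRequest, tables: ControllerTables) -> bool:
    """True only when every check passed; False means drop the packet silently."""
    return first_failed_check(req, tables) is None


# Constructed sample tables and requests (not from the patent).
TABLES = ControllerTables(
    trusted_ips=frozenset({"10.0.0.5", "10.0.0.6"}),
    trusted_macs=frozenset({"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}),
    arp_table={"10.0.0.5": "aa:bb:cc:dd:ee:01", "10.0.0.6": "aa:bb:cc:dd:ee:02"},
    trusted_devices=frozenset({"SN-0001", "SN-0002"}),
    known_users=frozenset({"alice", "bob"}),
    user_ips={"alice": frozenset({"10.0.0.5"}), "bob": frozenset({"10.0.0.6"})},
)
GOOD = AuthRequest("10.0.0.5", "AA-BB-CC-DD-EE-01", "SN-0001", "alice")
# Allowlisted IP and MAC, but not the pairing held in the controller's ARP table.
MISMATCH = AuthRequest("10.0.0.5", "aa:bb:cc:dd:ee:02", "SN-0002", "bob")
# Every list check passes, but alice's certificate arrives from bob's address.
WRONG_IP = AuthRequest("10.0.0.6", "aa:bb:cc:dd:ee:02", "SN-0002", "alice")

if __name__ == "__main__":
    for label, req in (("good", GOOD), ("mismatch", MISMATCH), ("wrong_ip", WRONG_IP)):
        print(label, should_open_interface(req, TABLES), first_failed_check(req, TABLES))
```

Two points worth noting when reading the example against the claims. First, the failed stage is returned only to the controller's own log; the silent-drop behaviour the claims require is preserved because nothing is sent back either way. Second, five of the six comparisons are allowlist lookups on values the client itself supplies; the claims describe comparing the identity information in the certificate rather than verifying its signature, so the example takes `user_identity` as already-validated input (an assumption), and a deployment would validate the certificate chain before trusting that field.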
7. The method for dynamically hiding a network interface according to claim 1, wherein judging the trusted level of the SDP client based on the access information recorded in the SDP controller specifically comprises:
obtaining the access count H and the total access duration L of the source IP address pre-stored in the SDP controller, and presetting a first preset access duration L1, a second preset access duration L2, a third preset access duration L3 and a fourth preset access duration L4, where L1 > L2 > L3 > L4;
when L2 ≤ L < L1, selecting the first preset adjustment coefficient l1 to adjust the access count H of the source IP address, the adjusted access count being H×l1;
when L3 ≤ L < L2, selecting the second preset adjustment coefficient l2 to adjust the access count H of the source IP address, the adjusted access count being H×l2;
when L4 ≤ L < L3, selecting the third preset adjustment coefficient l3 to adjust the access count H of the source IP address, the adjusted access count being H×l3;
and when L < L4, selecting the fourth preset adjustment coefficient l4 to adjust the access count H of the source IP address, the adjusted access count being H×l4.
8. The method for dynamically hiding a network interface according to claim 7, wherein after the i-th preset adjustment coefficient li has been selected to adjust the access count H of the source IP address, i=1, 2, 3, 4, and the adjusted access count H×li has been obtained, the method further comprises:
the SDP controller recording the access time T0 of the source IP address carried in the authentication request data packet, looking up the access time period of the source IP address being verified in a prestored access time period record table kept for each IP address, obtaining the time difference T between T0 and the nearest moment of that access time period, and presetting a first preset time difference T1, a second preset time difference T2, a third preset time difference T3 and a fourth preset time difference T4, where T1 < T2 < T3 < T4; and presetting a first preset adjustment coefficient t1, a second preset adjustment coefficient t2, a third preset adjustment coefficient t3 and a fourth preset adjustment coefficient t4, where 1.2 > t1 > t2 > 1 > t3 > t4 > 0.8;
when T1 ≤ T < T2, selecting the first preset adjustment coefficient t1 to perform a secondary adjustment on the adjusted access count H×li, obtaining the secondarily adjusted access count H×li×t1;
when T2 ≤ T < T3, selecting the second preset adjustment coefficient t2 to perform a secondary adjustment on the adjusted access count H×li, obtaining the secondarily adjusted access count H×li×t2;
when T3 ≤ T < T4, selecting the third preset adjustment coefficient t3 to perform a secondary adjustment on the adjusted access count H×li, obtaining the secondarily adjusted access count H×li×t3;
and when T4 ≤ T, selecting the fourth preset adjustment coefficient t4 to perform a secondary adjustment on the adjusted access count H×li, obtaining the secondarily adjusted access count H×li×t4.
9. The method for dynamically hiding a network interface according to claim 8, wherein after the i-th preset adjustment coefficient ti has been selected to perform the secondary adjustment on the adjusted access count H×li, i=1, 2, 3, 4, and the secondarily adjusted access count H×li×ti has been obtained, the method further comprises:
presetting a first preset access count H1, a second preset access count H2, a third preset access count H3 and a fourth preset access count H4, where H1 > H2 > H3 > H4, and presetting a first preset trusted level X1, a second preset trusted level X2, a third preset trusted level X3 and a fourth preset trusted level X4, where X1 > X2 > X3 > X4; and comparing the secondarily adjusted access count H×li×ti, denoted H', with these thresholds:
when H2 ≤ H' < H1, selecting the first preset trusted level X1 as the trusted level of the SDP client;
when H3 ≤ H' < H2, selecting the second preset trusted level X2 as the trusted level of the SDP client;
when H4 ≤ H' < H3, selecting the third preset trusted level X3 as the trusted level of the SDP client;
and when H' < H4, selecting the fourth preset trusted level X4 as the trusted level of the SDP client.
10. The method for dynamically hiding a network interface according to claim 9, further comprising, when Xi is selected as the trusted level of the SDP client, i=1, 2, 3, 4:
presetting a first preset adjustment coefficient n1, a second preset adjustment coefficient n2, a third preset adjustment coefficient n3 and a fourth preset adjustment coefficient n4, where 1.2 > n1 > n2 > 1 > n3 > n4 > 0.8;
when Xi = X1, selecting the first preset adjustment coefficient n1 to adjust the open duration N0 of the network interface, the adjusted open duration being N0×n1;
when Xi = X2, selecting the second preset adjustment coefficient n2 to adjust the open duration N0 of the network interface, the adjusted open duration being N0×n2;
when Xi = X3, selecting the third preset adjustment coefficient n3 to adjust the open duration N0 of the network interface, the adjusted open duration being N0×n3;
when Xi = X4, selecting the fourth preset adjustment coefficient n4 to adjust the open duration N0 of the network interface, the adjusted open duration being N0×n4;
and after the i-th preset adjustment coefficient ni has been selected to adjust the open duration N0 of the network interface, i=1, 2, 3, 4, using the adjusted open duration N0×ni as the final open duration.
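The trust-level and open-duration computation described in the embodiment above (secondary adjustment, trusted level, open duration) and restated in claims 7 to 10, carried through end to end as an added example; this is not the patent's own code. Every threshold and coefficient in `Policy` is an assumed placeholder chosen only to respect the orderings the page states (L1 > L2 > L3 > L4, T1 < T2 < T3 < T4, H1 > H2 > H3 > H4, 1.2 > t1 > t2 > 1 > t3 > t4 > 0.8, 1.2 > n1 > n2 > 1 > n3 > n4 > 0.8); the page gives no numeric range for l1..l4, so the same shape is assumed for them. The representation of the per-IP access time period record as minute-of-day windows, the treatment of values above the top L or H threshold and below T1 (which claims 7 to 9 leave unstated) as the most favourable band, and the sample inputs are all constructed for illustration:

```python
"""Trust level Xi and final open duration N0*ni for an SDP client, following
claims 7 to 10 (first adjustment by total access duration, secondary adjustment
by distance from the usual access period, trusted level, open duration)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Policy:
    # All values are assumed placeholders that respect the page's orderings.
    L: Sequence[float] = (500.0, 200.0, 50.0, 10.0)   # L1..L4, total access duration (hours)
    l: Sequence[float] = (1.15, 1.05, 0.95, 0.85)     # l1..l4 (range assumed)
    T: Sequence[float] = (15.0, 60.0, 180.0, 480.0)   # T1..T4, time difference (minutes)
    t: Sequence[float] = (1.15, 1.05, 0.95, 0.85)     # t1..t4
    H: Sequence[float] = (100.0, 50.0, 20.0, 5.0)     # H1..H4, adjusted access count
    n: Sequence[float] = (1.15, 1.05, 0.95, 0.85)     # n1..n4
    N0: float = 60.0                                  # base open duration (seconds)


def descending_band(value: float, th: Sequence[float]) -> int:
    """0-based i with th[i+1] <= value < th[i] for thresholds th[0] > .. > th[3]
    (claims 7 and 9). value >= th[0] is unstated on the page; assumed band 0."""
    for i in range(3):
        if value >= th[i + 1]:
            return i
    return 3


def ascending_band(value: float, th: Sequence[float]) -> int:
    """0-based i with th[i] <= value < th[i+1] for thresholds th[0] < .. < th[3]
    (claim 8). value < th[0] is unstated on the page; assumed band 0."""
    for i in range(3, 0, -1):
        if value >= th[i]:
            return i
    return 0


def minutes_to_nearest_window(t0: int, windows: List[Tuple[int, int]]) -> float:
    """T of claim 8: minutes from T0 (minute of day) to the nearest point of the
    source IP's recorded access periods, 0 when T0 lies inside one. Windows are
    (start, end) minutes of day with start <= end; distance wraps at midnight."""
    best = float("inf")
    for start, end in windows:
        if start <= t0 <= end:
            return 0.0
        d = min(abs(t0 - start), abs(t0 - end))
        best = min(best, d, 1440 - d)
    return best


def trust_level(H: float, L: float, T: float, p: Policy = Policy()) -> Tuple[float, int]:
    """Returns (H', i): H' = H*li*ti is the secondarily adjusted access count and
    i in 1..4 names the trusted level Xi (1 = X1, the highest)."""
    li = p.l[descending_band(L, p.L)]   # claim 7: longer total duration -> larger li
    ti = p.t[ascending_band(T, p.T)]    # claim 8: further from usual period -> smaller ti
    h = H * li * ti
    return h, descending_band(h, p.H) + 1   # claim 9: more adjusted accesses -> higher level


def open_duration(level: int, p: Policy = Policy()) -> float:
    """Claim 10: final open duration N0*ni for trusted level Xi."""
    return p.N0 * p.n[level - 1]


def decide(H: float, L: float, t0: int, windows: List[Tuple[int, int]],
           p: Policy = Policy()) -> Dict[str, float]:
    """Full pipeline for one verified request from a source IP with history (H, L)."""
    T = minutes_to_nearest_window(t0, windows)
    h, level = trust_level(H, L, T, p)
    return {"T": T, "adjusted_count": round(h, 4), "level": level,
            "open_seconds": open_duration(level, p)}


# Constructed access-period record for one source IP: 09:00-12:00 and 13:00-18:00.
USUAL = [(540, 720), (780, 1080)]

if __name__ == "__main__":
    print(decide(40, 300.0, 570, USUAL))   # long-standing user logging in at 09:30
    print(decide(40, 30.0, 1380, USUAL))   # same count, short history, 23:00 login
    print(decide(3, 2.0, 180, USUAL))      # near-new address at 03:00
```

With the placeholder policy the three calls yield trusted levels X1, X2 and X4 respectively, and open durations of 69, 63 and 51 seconds from a 60-second base. The second call is the case the embodiment describes: the same raw count of 40 accesses is discounted twice (short history and an unusual hour), which drops it across the H2 threshold and shortens the window.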
CN202310187016.7A 2023-03-01 2023-03-01 Dynamic network interface hiding method Pending CN116318912A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310187016.7A CN116318912A (en) 2023-03-01 2023-03-01 Dynamic network interface hiding method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310187016.7A CN116318912A (en) 2023-03-01 2023-03-01 Dynamic network interface hiding method

Publications (1)

Publication Number Publication Date
CN116318912A true CN116318912A (en) 2023-06-23

Family

ID=86779084

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310187016.7A Pending CN116318912A (en) 2023-03-01 2023-03-01 Dynamic network interface hiding method

Country Status (1)

Country Link
CN (1) CN116318912A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117240510A (en) * 2023-08-24 2023-12-15 华能信息技术有限公司 SDP client secure authentication system

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120011567A1 (en) * 2008-11-24 2012-01-12 Gary Cronk Apparatus and methods for content delivery and message exchange across multiple content delivery networks
US20220255916A1 (en) * 2019-09-30 2022-08-11 Intel Corporation Methods and apparatus to attest objects in edge computing environments
CN111131310A (en) * 2019-12-31 2020-05-08 奇安信科技集团股份有限公司 Access control method, device, system, computer device and storage medium
US20220210173A1 (en) * 2020-12-31 2022-06-30 Fortinet, Inc. Contextual zero trust network access (ztna) based on dynamic security posture insights
CN113992354A (en) * 2021-09-28 2022-01-28 新华三信息安全技术有限公司 Identity authentication method, device, equipment and machine readable storage medium
CN114039750A (en) * 2021-10-26 2022-02-11 中电鸿信信息科技有限公司 Method for protecting SDP controller
CN113992402A (en) * 2021-10-27 2022-01-28 北京房江湖科技有限公司 Access control method, system and medium based on zero trust strategy
CN114615328A (en) * 2022-01-26 2022-06-10 北京美亚柏科网络安全科技有限公司 Safety access control system and method
CN114629692A (en) * 2022-02-25 2022-06-14 国家电网有限公司 Access authentication method and system of power Internet of things based on SDP
CN114553568A (en) * 2022-02-25 2022-05-27 重庆邮电大学 Resource access control method based on zero-trust single packet authentication and authorization
CN114915427A (en) * 2022-06-06 2022-08-16 中国联合网络通信集团有限公司 Access control method, device, equipment and storage medium
CN115277089A (en) * 2022-06-20 2022-11-01 江苏易安联网络技术有限公司 Single packet authorization method and system introducing OTP (one time programmable) dynamic selection port
CN115277168A (en) * 2022-07-25 2022-11-01 绿盟科技集团股份有限公司 Method, device and system for accessing server

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ADNAN AHMED, KAMALRULNIZAM ABU BAKAR, MUHAMMAD IBRAHIM CHANNA , ABDUL WAHEED KHAN: "A Secure Routing Protocol with Trust and Energy Awareness for Wireless Sensor Network", 《SPRINGER LINK》, 26 January 2016 (2016-01-26) *
肖曼: "移动群智感知网络中用户的安全访问控制机制研究", 《中国优秀硕士学位论文全文数据库》, 15 March 2022 (2022-03-15) *

Similar Documents

Publication Publication Date Title
EP0667998B1 (en) Method and apparatus for authentication of client server communication
US7478434B1 (en) Authentication and authorization protocol for secure web-based access to a protected resource
CA2407482C (en) Security link management in dynamic networks
US8091120B2 (en) Adaptive authentication methods, systems, devices, and computer program products
US8214890B2 (en) Login authentication using a trusted device
US9172541B2 (en) System and method for pool-based identity generation and use for service access
US20120284506A1 (en) Methods and apparatus for preventing crimeware attacks
Jeong et al. Integrated OTP-based user authentication scheme using smart cards in home networks
CN101986598B (en) Authentication method, server and system
EP2021938A2 (en) Policy driven, credential delegation for single sign on and secure access to network resources
KR20070122495A (en) Peer-to-peer authentication and authorization
WO2003098899A1 (en) Method and apparatus for lan authentication on switch
US20070162752A1 (en) System and method for establishing mutual trust on a per-deployment basis between two software modules
CN110830446B (en) SPA security verification method and device
US20240064021A1 (en) Access control method, apparatus, network side device, terminal and blockchain node
CN111259352A (en) Cloud storage data access control system based on zero-knowledge proof
CN116318912A (en) Dynamic network interface hiding method
CN114978773A (en) Single package authentication method and system
WO2022143935A1 (en) Blockchain-based method and system for sdp access control
CN111935067A (en) Enterprise user identity authentication system based on cloud computing technology
CN117411671A (en) IPv 6-based terminal identity authentication method and device
WO2012166669A2 (en) Methods and apparatus for preventing crimeware attacks
KR100298280B1 (en) Firewall system integrated with an authentication server
US11943349B2 (en) Authentication through secure sharing of digital secrets previously established between devices
Lakshmi et al. JPermit: usable and secure registration of guest-phones into enterprise VoIP network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination