CN116418538A - Single-packet authorization state detection method, terminal equipment and storage medium - Google Patents


Info

Publication number: CN116418538A
Authority: CN (China)
Prior art keywords: authorization, packet, data packet, firewall, state
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202111674189.9A
Other languages: Chinese (zh)
Inventors: 竹勇, 董路明
Current assignee: ZTE Corp (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: ZTE Corp
Application filed by: ZTE Corp
Priority: CN202111674189.9A; PCT/CN2022/142982 (published as WO2023125712A1)
Publication: CN116418538A

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
            • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/40 Network security protocols
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F21/44 Program or device authentication
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
      • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
        • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
          • Y02D30/00 Reducing energy consumption in communication networks
            • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The embodiments of the invention provide a single-packet authorization state detection method, a terminal device and a storage medium in the technical field of communications. The method comprises the following steps: acquiring at least one target data packet and sending it to a firewall; monitoring the response state of the firewall; and, if the response state differs from a target response state, determining that the single-packet authorization state is abnormal, where the target response state is determined according to the target data packet and preset authorization information of the firewall. The technical scheme of the embodiments aims to improve the security and credibility of the single-packet authorization daemon.

Description

Single-packet authorization state detection method, terminal equipment and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular to a method for detecting the state of single-packet authorization, a terminal device, and a storage medium.
Background
Traditional network access control grants access first and authenticates afterwards; the port is exposed on the Internet and is easily subjected to attack, giving rise to a variety of security threats. To ensure the security of the device, critical open ports need to be protected. Port stealth (hiding the port from unauthorized hosts) is the most common protection mode and can be realized through Port Knocking (PK), Single Packet Authorization (SPA) and similar techniques.
SPA is a core network security protocol that implements the network stealth of a Software Defined Perimeter (SDP). An SPA packet carries connection request information, including the IP address of the requesting party, encrypted and authenticated within a single network packet; the protected service is made invisible to the outside by configuring a firewall policy that discards by default. The purpose of SPA is to let the server's firewall remain hidden and discard by default.
However, it is precisely this default-discard policy that makes the operating state of the SPA daemon critical. Once the SPA daemon is attacked and behaves unexpectedly, or a code fault causes it to fail, serious consequences can follow.
Disclosure of Invention
The embodiments of the invention mainly aim to provide a single-packet authorization state detection method, a terminal device and a storage medium, with the goal of improving the security and credibility of the single-packet authorization daemon.
In a first aspect, an embodiment of the present invention provides a method for detecting the state of single-packet authorization, where the method includes:
acquiring at least one target data packet and sending it to a firewall; monitoring the response state of the firewall; and, if the response state differs from a target response state, determining that the single-packet authorization state is abnormal, where the target response state is determined according to the target data packet and preset authorization information of the firewall.
In a second aspect, an embodiment of the present invention further provides a terminal device that includes a processor, a memory, a computer program stored in the memory and executable by the processor, and a data bus connecting the processor and the memory, where the computer program, when executed by the processor, implements the steps of any method for detecting the state of single-packet authorization provided in this specification.
In a third aspect, embodiments of the present invention further provide a computer-readable storage medium that stores one or more programs executable by one or more processors to implement the steps of any method for detecting the state of single-packet authorization set forth in this specification.
The embodiments of the invention provide a single-packet authorization state detection method, a terminal device and a storage medium: a target data packet is acquired and sent to the firewall, the response state of the firewall is monitored, and if the response state differs from the target response state, the single-packet authorization state is determined to be abnormal. In this way the working state of the single-packet authorization daemon can be monitored in a remote secure access scenario, the system service can serve authenticated clients normally while remaining hidden from the outside by default, and the security and credibility of the single-packet authorization daemon are improved.
Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present application; a person skilled in the art may obtain other drawings from them without inventive effort.
Fig. 1 is a flow chart of a method for detecting the state of single-packet authorization according to an embodiment of the present invention;
Fig. 2 is an application scenario diagram of a single-packet authorization state detection method according to an embodiment of the present invention;
Fig. 3 is a flow chart of another method for detecting the state of single-packet authorization according to an embodiment of the present invention;
Fig. 4 is a schematic block diagram of the structure of a terminal device according to an embodiment of the present invention.
Detailed Description
The embodiments of the present invention are described below clearly and fully with reference to the accompanying drawings. The embodiments described are evidently some, but not all, embodiments of the invention. All other embodiments that a person skilled in the art can obtain from these embodiments without inventive effort fall within the scope of the invention.
The flow diagrams in the figures are merely illustrative; not all of the elements and operations/steps shown are necessarily included or performed in the order described. For example, some operations/steps may be further divided, combined, or partially combined, so that the actual order of execution may change according to the situation.
It is to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In the prior art, one way of monitoring the SPA daemon is to use the general-purpose process monitoring software of the operating platform. However, such software generally relies on a heartbeat or request-response mode to determine whether the monitored process is alive, and cannot accurately determine whether the process is working as expected. For example, the SPA daemon may fail to open the corresponding port after a valid authorization, so that the port cannot provide service, with an effect similar to a denial of service (DoS); or the SPA daemon may fail to close the port by default, so that the port is exposed to the outside and the original purpose of network stealth is defeated. Given the importance of the SPA daemon's working state and the fact that packets are discarded by default, the generality and effectiveness of general-purpose monitoring methods are severely limited in this scenario.
In summary, ensuring that the SPA daemon works as expected, so that the system service is neither exposed to the outside (inviting a range of possible attacks) nor rendered unavailable by a service refusal that stops normal service, is an urgent problem to be solved. A method for detecting the state of single-packet authorization is therefore needed to detect and monitor the operating state of the single-packet authorization daemon.
The embodiments of the invention provide a single-packet authorization state detection method, a terminal device and a storage medium. The detection method can be applied to a server, so that the security and credibility of the single-packet authorization daemon can be improved.
Referring to Fig. 1, Fig. 1 is a flow chart of a method for detecting the state of single-packet authorization according to an embodiment of the present invention. The method can monitor the working state of the single-packet authorization daemon in a remote secure access scenario, ensure that the system service can serve authenticated clients normally while remaining hidden by default, and improve the security and credibility of the single-packet authorization daemon. The method can in particular be applied to a server.
As shown in fig. 1, the method for detecting the state of the single packet authorization includes steps S101 to S103.
Step S101, at least one target data packet is obtained, and the target data packet is sent to a firewall.
The target data packet may include a service data packet and an authorization data packet. The service data packet carries the service operation or service information that the user needs the server to perform; the firewall needs to open the corresponding service port for the server to receive the service data packet and carry out the service operation. The service data packet may in particular be a Transmission Control Protocol (TCP) packet or a User Datagram Protocol (UDP) packet. The authorization data packet is used to update the preset authorization information of the firewall.
It should be noted that after the target data packet is sent to the firewall to make a service connection or an authorization request, the response state of the firewall may change. The response states of the firewall may include a first, a second and a third response state. In the first response state the firewall does not respond with a message, but the corresponding service port is opened; in the second response state the firewall does not respond with a message and the corresponding service port is closed; in the third response state the firewall sends some response message, such as a refusal or a success.
In some embodiments, the authorization data packet is acquired and sent to the firewall, so that the firewall updates its preset authorization information according to the authentication result of the authorization data packet. Whether the authorization data packet is authorized can thus be determined through authentication and the authorization information updated accordingly, so that if a service data packet is subsequently sent from the same Internet Protocol (IP) address, the firewall opens the corresponding service port.
The authorization data packet generally includes a timestamp, a client IP and a service password. The timestamp is the time at which the authorization data packet was acquired and can later be used to record the authorization time; the client IP is the IP address of the authorization data packet and can later be used to update the authorization information; the service password is used to verify the authorization data packet. The authentication result indicates whether authentication succeeded. The preset authorization information of the firewall records the authorized IP addresses; if a service data packet sent from an authorized IP address is received, the corresponding service port can be opened and the service data packet forwarded to the server, which then performs the service operation.
Specifically, the authorization data packet is acquired and then sent to the firewall, so that the firewall verifies and authenticates the authorization data packet to obtain an authentication result and updates its preset authorization information.
It should be noted that the response state of the firewall may change after the authorization packet is sent to it. Because the IP address of the authorization packet is not necessarily already in the preset authorization information at this point, the target response state of the firewall for an authorization packet is necessarily the second response state: no response, and the corresponding service port closed.
If the detected response state is the same as the second response state, the single-packet authorization state is normal; if it differs from the second response state, the single-packet authorization state is abnormal.
It should be noted that once the response state of the firewall is detected to differ from the second response state, the single-packet authorization state may be determined to be abnormal. The firewall achieves port stealth through a default-discard policy; therefore, if the firewall sends any response such as a refusal or a success, it has not achieved port stealth through the default-discard policy, and the single-packet authorization state can be considered abnormal. Meanwhile, the authorization data packet has not itself been authorized at this point, so the corresponding service port cannot be opened; once the corresponding service port is detected to be open, the single-packet authorization state can likewise be considered abnormal.
In some embodiments, the authorization data packet is verified; if verification succeeds, the authorization data packet is authenticated to obtain an authentication result; and if the authentication result is success, the firewall is instructed to add the IP address of the authorization data packet to its preset authorization information. By verifying the authorization data packet and determining through authentication whether it is authorized, the authorization information is updated and the security of the authorization data packet is ensured.
The firewall authenticates the authorization data packet according to the encryption and authentication modes supported by the system, and the authentication result indicates whether authentication succeeded.
Specifically, the firewall can parse the acquired authorization data packet to obtain its service password and verify that password. If verification succeeds, a correct SPA authentication packet has been received and the firewall can authenticate it to obtain an authentication result; if verification fails, an incorrect SPA authentication packet has been received and must be discarded.
Illustratively, the firewall authenticates the authorization data packet to obtain an authentication result; if authentication succeeds, the IP address of the authorization data packet is added to the authorization information; if authentication fails, the authorization data packet is discarded and no response, such as a refusal or a success, is sent.
In some embodiments, a plurality of preset encryption algorithms are traversed and authentication is performed on the authorization data packet with each in turn to obtain the authentication result. Multiple tests can thus be run according to the system configuration (all of them, or a subset) to verify that the system supports the encryption modes it claims to.
The encryption algorithms include, but are not limited to, hash algorithms, symmetric encryption and asymmetric encryption. If the system supports several encryption and authentication modes at the same time, each mode needs to be traversed for monitoring.
Illustratively, suppose the system's configured encryption algorithms are a hash algorithm and a symmetric encryption algorithm. The client combines the timestamp of the packet transmission (date, hour, minute), the client IP (in the UDP header) and the service password to generate a hash value. The hash value is packed into a UDP datagram and sent to the designated knock port of the server. The firewall in front of the server then generates its own hash value from the received timestamp in the UDP header, the client IP and the service password stored on the server, compares it with the received hash value and, if the two are identical, opens the service port the client has applied to access. The server records the last valid authorization packet it received, so that an attacker who resends an old packet in a replay attack causes no action: if the hash value does not match, or is identical to the previously received valid hash value, nothing is done. After authentication by the hash algorithm succeeds, authentication is performed by the symmetric encryption algorithm; the authentication result is success only if both the hash algorithm and the symmetric encryption algorithm authenticate successfully.
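The following Python model of the hash-algorithm step is an added example, not code from the patent or from ZTE: it builds the client's (timestamp, client IP, hash) knock, has the firewall side recompute and compare the hash, remembers the last valid packet to reject a replay, and drops every failure silently. The SHA-256 construction over "timestamp|ip|password", the sample password and the names SpaDaemon, build_authorization_packet and handle_authorization_packet are assumptions of this example; the symmetric-encryption second step the text mentions is not modelled.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional, Tuple

# Constructed sample values: the concrete password, the "timestamp|ip|password"
# encoding and the choice of SHA-256 are assumptions of this example.
SERVICE_PASSWORD = "example-service-password"
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M"   # date, hour and minute, as in the description


def spa_hash(timestamp: str, client_ip: str, password: str) -> str:
    """Hash over (timestamp to the minute, client IP, service password)."""
    material = f"{timestamp}|{client_ip}|{password}".encode()
    return hashlib.sha256(material).hexdigest()


def build_authorization_packet(client_ip: str, timestamp: str,
                               password: str) -> Tuple[str, str, str]:
    """Client side: the (timestamp, client IP, hash) triple carried in the knock datagram."""
    datetime.strptime(timestamp, TIMESTAMP_FORMAT)   # reject malformed timestamps early
    return timestamp, client_ip, spa_hash(timestamp, client_ip, password)


@dataclass
class SpaDaemon:
    """Firewall-side model of the hash-algorithm authentication step."""
    password: str
    # authorized IP -> authorization time, i.e. the firewall's preset authorization information
    authorization_info: Dict[str, datetime] = field(default_factory=dict)
    last_valid_hash: Optional[str] = None

    def handle_authorization_packet(self, timestamp: str, client_ip: str,
                                    received_hash: str) -> bool:
        """Return True if the client IP was added to the authorization info.

        Every failure path returns False without producing any reply: under the
        default-discard policy a wrong or replayed packet is simply dropped.
        """
        expected = spa_hash(timestamp, client_ip, self.password)
        if not hmac.compare_digest(expected.encode(), received_hash.encode()):
            return False                        # hash mismatch: discard silently
        if received_hash == self.last_valid_hash:
            return False                        # identical to the last valid packet: replay
        self.last_valid_hash = received_hash    # remember the last valid authorization packet
        self.authorization_info[client_ip] = datetime.strptime(timestamp, TIMESTAMP_FORMAT)
        return True

    def is_authorized(self, client_ip: str) -> bool:
        return client_ip in self.authorization_info


if __name__ == "__main__":
    daemon = SpaDaemon(SERVICE_PASSWORD)
    knock = build_authorization_packet("116.179.32.82", "2021-12-01 14:00", SERVICE_PASSWORD)
    print("first delivery accepted:", daemon.handle_authorization_packet(*knock))
    print("replayed copy accepted:", daemon.handle_authorization_packet(*knock))
```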
Step S102, monitoring the response state of the firewall.
After the target data packet is sent to the firewall, the response state of the firewall may change. The response states of the firewall may include a first, a second and a third response state. In the first response state the firewall does not respond with a message, but the corresponding service port is opened; in the second response state the firewall does not respond with a message and the corresponding service port is closed; in the third response state the firewall sends some response message, such as a refusal or a success.
For example, after the service data packet is sent to the firewall, the response state of the firewall may become the first, second or third response state; but whatever the remote secure access scenario, only one of them is actually the expected response state, so if either of the other two occurs the single-packet authorization state can be considered abnormal. In this way SPA prevents an attacker from obtaining the knock information by observing the communication between client and server, and also prevents replay attacks by recording valid packets.
Step S103, if the response state is different from the target response state, determining that the single-packet authorization state is abnormal, wherein the target response state is determined according to the target data packet and preset authorization information of the firewall.
The target response state is the desired, that is, the normal, response state. For each remote secure access scenario only one response state is actually the one we expect, namely the target response state, so if any other response state occurs the single-packet authorization state can be considered abnormal. The preset authorization information of the firewall records the authorized IP addresses; if a service data packet from an authorized IP address is received, the corresponding service port can be opened and the packet forwarded to the server, which performs the service operation.
In some embodiments, the target data packet includes a service data packet, which is parsed to obtain its IP address, and the target response state is determined according to that IP address and the authorization information. The target response state for the service data packet can thus be determined by checking the IP address against the authorization information, and whether the single-packet authorization daemon is abnormal can be determined accurately. The single-packet authorization daemon is the process that carries out the series of firewall daemon operations on the server in single-packet authorization mode.
The IP address is an Internet Protocol address: a uniform address format provided by the IP protocol that assigns a logical address to every network and every host on the Internet, masking differences between physical addresses.
Specifically, the service data packet may be parsed to obtain its IP address, and the firewall's authorization information traversed to determine whether it contains the IP address of the service data packet, so that the target response state is determined from the IP address and the authorization information.
In some embodiments, whether the IP address of the service data packet is an authorized IP address is determined from the authorization information; if it is an authorized IP address, the target response state is the first response state; if it is an unauthorized IP address, the target response state is the second response state. The target response state for the service data packet can thus be determined by checking the IP address against the authorization information, and whether the single-packet authorization daemon is abnormal can be determined accurately.
Specifically, the authorization information of the firewall is traversed to determine whether it contains the IP address of the service data packet: if it does, the IP address of the service data packet is considered an authorized IP address; if it does not, the IP address is considered an unauthorized IP address.
If the IP address of the service data packet is authorized, the firewall should send no message but open the corresponding service port, so the target response state is the first response state; if the IP address is unauthorized, the firewall should send no message and keep the corresponding service port closed, so the target response state is the second response state.
For example, if the IP address of the service packet is 116.179.32.82 and the authorized IP addresses in the firewall's authorization information are 116.179.32.82, 16.109.22.72, 106.189.52.22 and so on, then the authorization information contains 116.179.32.82, the IP address of the service packet is an authorized address, and the target response state is the first response state.
In some embodiments, it is determined whether the authorization time exceeds a preset authorization time threshold; if it does, the target response state is the second response state. Adding an authorization time limit forces IP addresses that have been authorized for a long time to be re-authorized and safeguards the reliability and security of the single-packet authorization daemon.
The authorization information includes the authorization time, which is obtained when the authorization data packet is acquired. The authorization time threshold is determined from the acquisition time of the service data packet and may be any time; it is not specifically limited here.
Specifically, it is determined whether the authorization time exceeds the preset authorization time threshold. If it does, the target response state is the second response state. If it does not, whether the IP address of the service data packet is an authorized IP address is determined from the authorization information: if it is authorized, the target response state is the first response state; if it is unauthorized, the target response state is the second response state.
For example, if the service data packet is acquired at 14:00 on 1 December and the authorization time limit is one month, the authorization time threshold is calculated as 14:00 on 1 November: an authorization time before 14:00 on 1 November is considered to exceed the threshold, and one after it is considered not to exceed it. Thus an authorization time of 18:00 on 15 October exceeds the preset authorization time threshold, and the target response state is the second response state.
Because the embodiment of the application is realized based on the working mode of single-packet authorization, namely, the firewall realizes port stealth through the default discarding strategy, and does not reply to the connection attempt, thereby not providing any information about whether the port is being monitored or not for potential attackers. Therefore, if the firewall sends any response state such as refusal or success, the firewall does not realize the stealth of the port through the default discarding strategy, so that the state of single-packet authorization can be considered to be abnormal.
When the authorized service data packet is sent to the firewall, the firewall confirms whether the service data packet is sent from the authorized IP address, and after the service data packet is confirmed, the corresponding service port is opened, but any response state such as refusal or success is not sent.
When sending the unauthorized service data packet to the firewall, the firewall should confirm whether the service data packet is sent from the authorized IP address, and after the determination, the firewall does not open the corresponding service port, and because of the default discarding policy, the firewall should discard the corresponding service data packet, and at the same time, will not send any response state such as rejection or success.
In this way, the working state of the single-packet authorization daemon can be monitored effectively, guarding against both failure modes: the SPA daemon failing to open the corresponding port after a successful authorization, so that the port cannot provide service; and the SPA daemon failing to keep the port closed by default, so that the port is exposed externally.
Specifically, the response state is compared with the target response state: if they differ, the single-packet authorization state is determined to be abnormal; if they are the same, the single-packet authorization state is determined to be normal, that is, the single-packet authorization daemon is working normally.
In some embodiments, after determining that the state of the single-packet authorization is abnormal, determining an abnormal state condition of the single-packet authorization according to a response state generated by the firewall, generating an intervention measure according to the abnormal state condition of the single-packet authorization, and adjusting the state of the single-packet authorization through the intervention measure.
Wherein the intervention includes, but is not limited to, restarting a process, notifying, alerting, etc.
For example, if the firewall sends any response state such as rejection or success where the target response state is the second response state, the firewall is not implementing port stealth through the default drop policy. Intervention measures such as restarting the process or raising an alarm can then be applied to bring the single-packet authorization daemon back to a normal working state.
It can be appreciated that, in the embodiment of the present application, once the state of the single packet authorization is abnormal, one or more intervention measures may be introduced to adjust the state of the single packet authorization.
In some embodiments, a plurality of target data packets are acquired, and the plurality of target data packets are sent to a firewall, wherein the IP addresses of the target data packets are different; monitoring the response state of the firewall to each target data packet; if the response state is different from the corresponding target response state, determining that the single-packet authorization state is abnormal, wherein the target response state is determined according to preset authorization information of each target data packet and the firewall.
The target data packets carry different IP addresses so that service or authorization requests can be initiated simultaneously from clients at different addresses, verifying that the firewall has opened the port only for the IP address that previously passed authorization and has not mistakenly opened it for an unexpected address.
For example, if the target packets are service data packets sent from 116.179.32.82, 16.109.22.72 and 106.189.52.22, and the authorized IP addresses in the firewall's authorization information are 116.179.32.82 and 16.109.22.72, then the target response state for the packets from 116.179.32.82 and 16.109.22.72 is the first response state, and the target response state for the packet from 106.189.52.22 is the second response state.
If the firewall actually generates the first response state for the packets from 116.179.32.82 and 16.109.22.72 and the second response state for the packet from 106.189.52.22, the single-packet authorization state can be considered normal.
If the firewall generates anything other than the first response state for either of the packets from 116.179.32.82 and 16.109.22.72, or anything other than the second response state for the packet from 106.189.52.22, the single-packet authorization state is determined to be abnormal.
The single-packet authorization state detection method provided in this embodiment can be applied in the application environment shown in fig. 2, which comprises a monitoring program, an SPA daemon, a firewall and a service process that can communicate with one another. The SPA daemon, the firewall and the service process can be regarded as one system whose single-packet authorization daemon is monitored by the monitoring program. In a remote secure access scenario, the monitoring program interacts with the system and observes the response state on the system side, so that, based on the characteristics of single-packet authorization, it can check whether the single-packet authorization daemon behaves as expected in each working state.
The method may be implemented in a monitoring program. This embodiment does not limit how the monitoring program is deployed: it may be deployed inside the system as required, or outside the system provided security and controllability are ensured.
The overall flow of the embodiment is described below with reference to fig. 3.
S201: First, the system is made to enable the default drop mode of the SDP firewall.
S202: The monitoring program sends a service data packet to the firewall so that the firewall generates a response state, i.e. it attempts to connect to the system and execute a service operation;
S2021: the target response state is the second response information, which indicates that the system has hidden the service port using the default drop mode;
S2022: since the service data packet is not sent from an authorized IP address at this point, if the generated response state is detected not to be the second response information, the system is working abnormally, i.e. the single-packet authorization state is abnormal, and an intervention measure must be introduced.
S203: The monitoring program sends an incorrect SPA authentication data packet for verification;
S2031: the target response state is the second response information, which indicates that the system authorizes only correct authentication data packets;
S2032: if the generated response state is detected not to be the second response information, the system is working abnormally, i.e. the single-packet authorization state is abnormal, and an intervention measure must be introduced.
S204: The monitoring program sends a correct SPA authentication data packet, and the SPA daemon authenticates the received SPA authentication data packet;
S2041: if authentication passes, the SPA daemon instructs the firewall to open the corresponding service port for the source IP address only;
S2042: if authentication fails, the SPA authentication data packet is discarded as before and no response is made.
S205: The monitoring program sends a service data packet to the firewall again so that the firewall generates a response state, i.e. it connects to the system again to execute a service operation;
S2051: the target response state is now the first response information, which indicates that the system has opened the corresponding service port;
S2052: since the service data packet is now sent from an authorized IP address, if the generated response state is detected not to be the first response information, the system is working abnormally, i.e. the single-packet authorization state is abnormal, and an intervention measure must be introduced.
S206: The monitoring program sends an incorrect SPA authentication data packet again;
S2061: the target response state is the second response information, which indicates that the earlier successful authentication does not affect the authentication of a subsequent incorrect data packet;
S2062: if the generated response state is detected not to be the second response information, the system is working abnormally, i.e. the single-packet authorization state is abnormal, and an intervention measure must be introduced.
S207: After the idle time configured in the system has elapsed, the monitoring program sends a service data packet to the firewall again so that the firewall generates a response state, i.e. it connects to the system again to execute a service operation;
S2071: the target response state is the second response information, which indicates that the system has closed the service port for the source IP address on the firewall;
S2072: if the generated response state is detected not to be the second response information, the system is working abnormally, i.e. the single-packet authorization state is abnormal, and an intervention measure must be introduced.
This completes one monitoring cycle of the single-packet authorization daemon. The process is executed periodically throughout the system's running life cycle, so that the single-packet authorization daemon is monitored and checked at regular intervals. The periodic exchange between the monitoring program and the single-packet authorization daemon ensures that the system state is observed in time and that measures can be taken when an unexpected state occurs.
Note that for a specific service scenario the single-packet authorization daemon need not be monitored with the complete flow: the execution order may be adjusted to the service requirements, individual steps may be combined, and only the steps relevant to the service scenario need be executed.
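The monitoring cycle S201-S207 above, the multi-source check (three service packets, two of them from authorized addresses) and the authorization-time threshold, simulated end to end in Python. This is an added example, not the patent's code or ZTE's implementation. The SPA packet format (a JSON body followed by a hex HMAC tag), the 30-second freshness window, the 60-second idle timeout, the key labels and the reuse of the page's three example IP addresses are assumptions; the firewall's default drop behaviour and the daemon's silence on every SPA packet, passed or not, follow the description.

```python
"""Simulation of one SPA monitoring cycle (S201-S207), the multi-source check
and the authorization-time threshold.

Added example, not the patent's code. The packet format, the 30 s replay
window, the idle timeout, the key labels and the IP addresses are assumptions.
"""
import hmac
import json

FIRST = "first"    # first response state: the service port answered
SECOND = "second"  # second response state: silently dropped, no reply at all


class Firewall:
    """Default-drop firewall; its authorized table is the 'authorization information'."""

    def __init__(self):
        self.authorized = {}  # src_ip -> timestamp at which the opening expires

    def open_port(self, src_ip, until):
        self.authorized[src_ip] = until

    def service(self, src_ip, now):
        """Handle a service data packet: answer only an unexpired authorized source."""
        until = self.authorized.get(src_ip)
        if until is None or now >= until:
            self.authorized.pop(src_ip, None)  # idle timeout closes the port again
            return SECOND
        return FIRST


class SPADaemon:
    """Verifies the packet structure, then tries each preset algorithm/key in turn."""

    def __init__(self, firewall, keys, idle_seconds):
        self.fw, self.keys, self.idle = firewall, keys, idle_seconds

    def authenticate(self, src_ip, packet, now):
        try:  # verification: well-formed, claims this source, fresh (assumed 30 s window)
            body, tag = packet.rsplit(b".", 1)
            fields = json.loads(body)
            if fields["ip"] != src_ip or abs(now - fields["ts"]) > 30:
                return SECOND
        except (ValueError, KeyError):
            return SECOND
        for algo, key in self.keys:  # authentication: traverse the preset algorithms
            expected = hmac.new(key, body, algo).hexdigest().encode()
            if hmac.compare_digest(expected, tag):
                self.fw.open_port(src_ip, now + self.idle)  # only for this source IP
                break
        return SECOND  # an SPA packet is never answered, whether it passed or not


def spa_packet(src_ip, ts, key, algo="sha256"):
    body = json.dumps({"ip": src_ip, "ts": ts}).encode()
    return body + b"." + hmac.new(key, body, algo).hexdigest().encode()


class Monitor:
    """Monitoring program: sends target packets and compares each response with its target."""

    def __init__(self, firewall, daemon, key, idle_seconds):
        self.fw, self.daemon, self.key, self.idle = firewall, daemon, key, idle_seconds
        self.auth_info = {}  # the monitor's own record: src_ip -> authorization time

    def target(self, src_ip, now):
        """Target response: authorized IP whose authorization is not older than the limit."""
        t = self.auth_info.get(src_ip)
        return FIRST if t is not None and now - t < self.idle else SECOND

    def probe(self, step, src_ip, now):
        return (step, self.target(src_ip, now), self.fw.service(src_ip, now))

    def authorize(self, src_ip, now, key=None):
        """Send an SPA packet; with key=None the correct key is used and the grant recorded."""
        response = self.daemon.authenticate(src_ip, spa_packet(src_ip, now, key or self.key), now)
        if key is None:
            self.auth_info[src_ip] = now
        return response


def run_cycle(monitor, client_ip, now=1000):
    """Steps S202-S207 as (step, target, observed) triples."""
    results = [monitor.probe("S202", client_ip, now)]
    results.append(("S203", SECOND, monitor.authorize(client_ip, now, key=b"wrong-key")))
    monitor.authorize(client_ip, now)  # S204: correct SPA packet, port opened for client_ip
    results.append(monitor.probe("S205", client_ip, now + 1))
    results.append(("S206", SECOND, monitor.authorize(client_ip, now + 1, key=b"wrong-key")))
    results.append(monitor.probe("S207", client_ip, now + monitor.idle + 1))
    return results


def multi_source_check(monitor, ips, now):
    """Service packets from several sources; only previously authorized ones may answer."""
    return [monitor.probe("multi", ip, now) for ip in ips]


def abnormal(results):
    """Triples whose observed response differs from the target response."""
    return [r for r in results if r[1] != r[2]]


def build(idle_seconds=60):
    fw = Firewall()
    daemon = SPADaemon(fw, [("sha256", b"primary-key"), ("sha1", b"legacy-key")], idle_seconds)
    return fw, daemon, Monitor(fw, daemon, b"primary-key", idle_seconds)


if __name__ == "__main__":
    fw, daemon, mon = build()
    for step, want, got in run_cycle(mon, "116.179.32.82"):
        print(step, "target", want, "observed", got, "OK" if want == got else "ABNORMAL")
```

Running the file prints one line per step; `abnormal()` returns the steps whose observed response differs from the target, which is where an intervention measure (process restart, alarm) would be triggered. The monitor keeps its own record of which addresses it authorized and when, so the target response is derived independently of the firewall table being checked; a port that stays open past the idle time, or opens for an address that never passed authentication, shows up as a mismatch.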
Referring to fig. 4, fig. 4 is a schematic block diagram of a structure of a terminal device according to an embodiment of the present invention.
As shown in fig. 4, the terminal device 300 includes a processor 301 and a memory 302, the processor 301 and the memory 302 being connected by a bus 303, such as an I2C (Inter-integrated Circuit) bus.
In particular, the processor 301 is used to provide computing and control capabilities, supporting the operation of the entire terminal device. The processor 301 may be a central processing unit (Central Processing Unit, CPU), the processor 301 may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field-programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. Wherein the general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
Specifically, the Memory 302 may be a Flash chip, a Read-Only Memory (ROM) disk, an optical disk, a U-disk, a removable hard disk, or the like.
It will be appreciated by those skilled in the art that the structure shown in fig. 4 is merely a block diagram of the part of the structure related to the embodiment of the present invention and does not limit the terminal device to which the embodiment is applied; a specific device may include more or fewer components than shown, combine some components, or arrange the components differently.
The processor is configured to run a computer program stored in the memory, and implement any one of the single-packet authorization status detection methods provided by the embodiments of the present invention when the computer program is executed.
In an embodiment, the processor is configured to run a computer program stored in a memory and to implement the following steps when executing the computer program:
acquiring at least one target data packet, and sending the target data packet to a firewall; monitoring the response state of the firewall; if the response state is different from the target response state, determining that the single-packet authorization state is abnormal, wherein the target response state is determined according to the target data packet and preset authorization information of the firewall.
In an embodiment, when the target response state is determined according to the target data packet and preset authorization information of the firewall, the processor is configured to implement: analyzing the service data packet to obtain an IP address of the service data packet; and determining the target response state according to the IP address of the service data packet and the authorization information.
In an embodiment, when implementing the determining the target response state according to the IP address of the service data packet and the authorization information, the processor is configured to implement: determining whether the IP address of the service data packet is an authorized IP address according to the authorization information; if the IP address of the service data packet is an authorized IP address, the target response state is a first response state; and if the IP address of the service data packet is an unauthorized IP address, the target response state is a second response state.
In one embodiment, the processor, when implementing the acquisition of the at least one target data packet: acquiring an authorization data packet; the processor, after implementing the acquiring the authorization packet, is configured to implement: and sending the authorization data packet to the firewall so that the firewall updates preset authorization information of the firewall according to an authentication result of the authorization data packet.
In an embodiment, when the processor updates the preset authorization information of the firewall according to the authentication result of the authorization data packet, the processor is configured to implement: verifying the authorization data packet; if the authorization data packet is successfully verified, authenticating the authorization data packet to obtain an authentication result; and if the authentication result is that the authentication is successful, the firewall is instructed to update the IP address of the authorization data packet into preset authorization information of the firewall.
In an embodiment, when implementing the authentication of the authorization data packet, the processor is configured to implement: and traversing a plurality of preset encryption algorithms, and sequentially authenticating the authorization data packet to obtain an authentication result.
In an embodiment, the processor is further configured to implement: acquiring a plurality of target data packets, and sending the plurality of target data packets to a firewall, wherein the IP addresses of the target data packets are different; monitoring the response state of the firewall to each target data packet; if the response state is different from the corresponding target response state, determining that the single-packet authorization state is abnormal, wherein the target response state is determined according to preset authorization information of each target data packet and the firewall.
In an embodiment, the authorization information includes an authorization time, and the processor is further configured to implement: determining whether the authorized time exceeds a preset authorized time threshold; and if the authorization time exceeds a preset authorization time threshold, the target response state is a second response state.
In an embodiment, after implementing the monitoring of the response state of the firewall, the processor is configured to implement: and if the response state is detected to be the same as the target response state, determining that the single-packet authorization state is a normal state.
For brevity, the specific working process of the terminal device described above is not repeated here; a person skilled in the art can refer to the corresponding process in the foregoing embodiment of the single-packet authorization state detection method.
Embodiments of the present invention also provide a storage medium for computer readable storage, where the storage medium stores one or more programs, where the one or more programs are executable by one or more processors to implement the steps of any one of the single packet authorized state detection methods as provided in the embodiments of the present invention.
The storage medium may be an internal storage unit of the terminal device according to the foregoing embodiment, for example, a hard disk or a memory of the terminal device. The storage medium may also be an external storage device of the terminal device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card) or the like, which are provided on the terminal device.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, functional modules/units in the apparatus, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware embodiment, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed cooperatively by several physical components. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. 
Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
It should be understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations. It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments. While the invention has been described with reference to certain preferred embodiments, it will be understood by those skilled in the art that various changes and substitutions may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (11)

1. A method for detecting the status of single packet authorization, the method comprising:
acquiring at least one target data packet, and sending the target data packet to a firewall;
monitoring the response state of the firewall;
if the response state is different from the target response state, determining that the single-packet authorization state is abnormal, wherein the target response state is determined according to the target data packet and preset authorization information of the firewall.
2. The method for detecting a state of single-packet authorization according to claim 1, wherein the target packet includes a service packet, the target response state is determined according to preset authorization information of the target packet and the firewall, and the method comprises:
analyzing the service data packet to obtain an IP address of the service data packet;
and determining the target response state according to the IP address of the service data packet and the authorization information.
3. The method for detecting the state of single-packet authorization according to claim 2, wherein the determining the target response state according to the IP address of the service data packet and the authorization information comprises:
determining whether the IP address of the service data packet is an authorized IP address according to the authorization information;
If the IP address of the service data packet is an authorized IP address, the target response state is a first response state;
and if the IP address of the service data packet is an unauthorized IP address, the target response state is a second response state.
4. The method for detecting the status of single packet authorization according to claim 1, wherein the acquiring at least one target data packet comprises: acquiring the authorization data packet;
after the acquiring the authorization data packet, the method further includes:
and sending the authorization data packet to the firewall so that the firewall updates preset authorization information of the firewall according to an authentication result of the authorization data packet.
5. The method for detecting a state of single-packet authorization according to claim 4, wherein the firewall updates preset authorization information of the firewall according to an authentication result of the authorization data packet, comprising:
verifying the authorization data packet;
if the authorization data packet is successfully verified, authenticating the authorization data packet to obtain an authentication result;
and if the authentication result is that the authentication is successful, the firewall is instructed to update the IP address of the authorization data packet into preset authorization information of the firewall.
6. The method for detecting the status of single packet authorization according to claim 5, wherein authenticating the authorization packet comprises:
and traversing a plurality of preset encryption algorithms, and sequentially authenticating the authorization data packet to obtain an authentication result.
7. The method for detecting the status of single packet authorization according to claim 1, further comprising:
acquiring a plurality of target data packets, and sending the plurality of target data packets to a firewall, wherein the IP addresses of the target data packets are different;
monitoring the response state of the firewall to each target data packet;
if the response state is different from the corresponding target response state, determining that the single-packet authorization state is abnormal, wherein the target response state is determined according to preset authorization information of each target data packet and the firewall.
8. The method of claim 1, wherein the authorization information includes an authorization time, the method further comprising:
determining whether the authorized time exceeds a preset authorized time threshold;
and if the authorization time exceeds a preset authorization time threshold, the target response state is a second response state.
9. The single packet authorized status detection method of claim 1, wherein after said monitoring the response status of the firewall, the method further comprises:
and if the response state is the same as the target response state, determining that the single-packet authorization state is a normal state.
10. A terminal device, characterized in that the terminal device comprises:
processor, memory, a computer program stored on the memory and executable by the processor, and a data bus for enabling a connected communication between the processor and the memory, wherein the computer program, when being executed by the processor, implements the steps of the single packet authorised state detection method as claimed in claims 1 to 9.
11. A storage medium for computer readable storage, wherein the storage medium stores one or more programs executable by one or more processors to implement the steps of the single packet authorized state detection method of any one of claims 1 to 9.
CN202111674189.9A 2021-12-31 2021-12-31 Single-packet authorization state detection method, terminal equipment and storage medium Pending CN116418538A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111674189.9A CN116418538A (en) 2021-12-31 2021-12-31 Single-packet authorization state detection method, terminal equipment and storage medium
PCT/CN2022/142982 WO2023125712A1 (en) 2021-12-31 2022-12-28 Single packet authorization state detection method, terminal device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111674189.9A CN116418538A (en) 2021-12-31 2021-12-31 Single-packet authorization state detection method, terminal equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116418538A true CN116418538A (en) 2023-07-11

Family

ID=86998087

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111674189.9A Pending CN116418538A (en) 2021-12-31 2021-12-31 Single-packet authorization state detection method, terminal equipment and storage medium

Country Status (2)

Country Link
CN (1) CN116418538A (en)
WO (1) WO2023125712A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116887266B (en) * 2023-09-05 2024-04-12 中电长城网际系统应用有限公司 Vehicle data access method, electronic device, and computer-readable storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8413248B2 (en) * 2006-03-22 2013-04-02 Michael B. Rash Method for secure single-packet remote authorization
CN110830447A (en) * 2019-10-14 2020-02-21 云深互联(北京)科技有限公司 SPA single packet authorization method and device

Also Published As

Publication number Publication date
WO2023125712A1 (en) 2023-07-06

Legal Events

Date Code Title Description
PB01 Publication