WO2022267564A1 - Packet processing method and apparatus, device, system, and readable storage medium - Google Patents

Packet processing method and apparatus, device, system, and readable storage medium

Info

Publication number
WO2022267564A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
csb
detection function
message
security
Application number
PCT/CN2022/080721
Other languages
French (fr)
Chinese (zh)
Inventor
周侃
王禹
Original Assignee
华为技术有限公司
Priority claimed from CN202111069732.2A (CN115529148A)
Application filed by 华为技术有限公司
Publication of WO2022267564A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40: Network security protocols

Definitions

  • the present application relates to the technical field of communications, and in particular to message processing methods, devices, equipment, systems and readable storage media.
  • the security gateway device needs to perform content security business (CSB) detection and other processing on the network traffic flowing through it, so as to ensure that the network devices of the internal network can operate safely.
  • CSB content security business
  • a related technique to alleviate the bottleneck problem is to replace the security gateway device with a higher performance central processing unit (CPU) and more memory.
  • CPU central processing unit
  • the hardware cost of this technology is relatively high.
  • debugging the replaced high-performance security gateway device before it is connected to the network requires a long development and debugging cycle. Therefore, the implementation cost of this technique is relatively high.
  • the present application proposes a message processing method, apparatus, device, system, and readable storage medium, so as to reduce the performance requirements of the security device for performing the CSB detection function and reduce the device resources occupied when the security device performs CSB detection.
  • a packet processing method is provided, the method is applied to a security device, and the security device is deployed on the boundary between the external network and the internal network, and the method includes: the security device intercepts the first message sent from the external network to the internal network, where the first message carries the resource provided by the server of the external network according to the request of the terminal device of the internal network; after intercepting the first message, the security device determines the CSB detection function to be executed corresponding to the first message; in response to the terminal device having the first CSB detection function, the security device omits performing the first CSB detection function on the first message before forwarding the first message to the terminal device, where the first CSB detection function is all or part of the CSB detection functions to be executed corresponding to the first message.
  • the security device omits the first CSB detection function for the first message, which can reduce equipment resource occupation when the security device performs the CSB detection function, thereby reducing performance requirements of the security device for performing the CSB detection function.
  • since the method reduces the device resources occupied by performing the CSB detection function, the unoccupied resources of the security device can be used to perform other functions, thereby improving the performance of the security device.
  • the first CSB detection function is a part of the CSB detection functions to be executed corresponding to the first message, and before the security device forwards the first message to the terminal device, the method further includes: the security device performs a second CSB detection function on the first message, where the second CSB detection function is a function other than the first CSB detection function among the CSB detection functions to be executed corresponding to the first message.
  • since the first CSB detection function of the terminal device is only part of the CSB detection functions to be executed corresponding to the first message, the security device performs the second CSB detection function (the remaining functions other than the first CSB detection function), and the security device and the terminal device jointly complete the CSB detection functions corresponding to the first message, which ensures the security of the first message while reducing the resource consumption of the security device.
  • before the security device intercepts the first message sent from the external network to the internal network, the method further includes: the security device intercepts the second message sent by the terminal device, where the second message is used to request the resource provided by the server of the external network; based on the second message, the security device obtains the CSB detection function of the terminal device; and after the security device determines the CSB detection function to be executed corresponding to the first message, the method further includes: the security device determines, according to the CSB detection function of the terminal device and the CSB detection function to be executed corresponding to the first message, that the terminal device has the first CSB detection function.
  • the second message includes the identity keyword of the terminal device, and obtaining the CSB detection function of the terminal device based on the second message includes: the security device obtains the identity keyword of the terminal device by parsing the second message, and obtains the CSB detection function of the terminal device according to the identity keyword.
  • the security device obtaining the CSB detection function of the terminal device according to the identity keyword of the terminal device includes: the security device sends a query request to the capability management device, where the capability management device stores the CSB detection function information corresponding to the terminal device, the query request carries the identity keyword of the terminal device, and the CSB detection function information corresponding to the terminal device is used to indicate the CSB detection function of the terminal device; the security device receives the CSB detection function information corresponding to the terminal device that the capability management device sends in response to the query request, and determines the CSB detection function of the terminal device according to that CSB detection function information.
  • sending the query request to the capability management device includes: sending the query request to the capability management device based on HTTP, HTTPS or API.
  • the method of sending query requests is more flexible.
  • the security device obtaining the CSB detection function of the terminal device according to the identity keyword of the terminal device includes: the security device queries, according to the identity keyword of the terminal device, the correspondence between identity keywords and CSB detection functions stored in the security device, to obtain the CSB detection function corresponding to the identity keyword of the terminal device. Since the information about the CSB detection function of the terminal device can be stored either in the capability management device or on the security device, the method of storing this information is more flexible.
  • the identity key includes at least one of a random ID, an IP address, or user information in a local certificate.
  • the type of the identity key of the terminal device is relatively flexible, and since the identity key can include various types of information, the first CSB detection function of the terminal device obtained according to the identity key has higher accuracy.
  • the second message carries information about the CSB detection function corresponding to the terminal device.
  • the security device obtaining the CSB detection function of the terminal device includes: the security device parses the second message to obtain the CSB detection function information corresponding to the terminal device carried in it, and determines the CSB detection function of the terminal device according to that information. Since the second message can directly carry the CSB detection function information corresponding to the terminal device, the security device can obtain it directly by parsing the second message, and the efficiency of obtaining the CSB detection function information is higher.
  • the CSB detection function to be executed includes at least one of an IPS detection function, an AV detection function, a URL detection function, an AIE detection function, or an SA detection function.
  • the terminal device is a device that completes login authentication
  • the login authentication manner includes any one of local authentication, server authentication, or certificate authentication.
  • a message processing method is provided, the method is applied to a terminal device, and the terminal device is deployed in an internal network, and the method includes:
  • the terminal device provides the CSB detection function information corresponding to the terminal device to other devices, where this information is used to indicate the CSB detection function of the terminal device; the terminal device receives the first message sent by the security device, where the security device is deployed at the boundary between the external network and the internal network, the first message is used to carry the resources provided by the server of the external network according to the request of the terminal device, the first message is a message on which the security device has not performed the first CSB detection function, and the CSB detection function of the terminal device includes the first CSB detection function; the terminal device performs the first CSB detection function on the first message.
  • the terminal device providing the CSB detection function information corresponding to the terminal device to other devices includes: the terminal device sends a third message to the capability management device, the third message carries the CSB detection function information corresponding to the terminal device, and the capability management device is used to store that information.
  • the terminal device providing the CSB detection function information corresponding to the terminal device to other devices includes: the terminal device sends a third message to the security device, the third message carries the CSB detection function information corresponding to the terminal device, and the security device is used to store that information.
  • the terminal device providing the CSB detection function information corresponding to the terminal device to other devices includes: the terminal device sends a second message to the server of the external network, where the second message is used to request the resource provided by the server of the external network and carries the CSB detection function information corresponding to the terminal device.
  • the second message is a message transmitted based on HTTPS
  • the CSB detection function information corresponding to the terminal device is carried in the Cookie, the URL parameter, the HTTPS header field, or the HTTPS custom field of the second message.
  • the second message is a message transmitted based on HTTP
  • the CSB detection function information corresponding to the terminal device is carried in the Cookie, or the HTTP header field, or the HTTP custom field of the second message.
  • the second message is a message transmitted based on FTP
  • the CSB detection function information corresponding to the terminal device is carried in an FTP redundant field or an FTP custom field of the second message. Since the second message can be transmitted based on different transmission protocols, the method for transmitting the second message is more flexible.
  • the second message can carry the CSB detection function information corresponding to the terminal device in different ways, and this method is more flexible in carrying the CSB detection function information corresponding to the terminal device.
  • after the terminal device provides the CSB detection function information corresponding to the terminal device to other devices, the method further includes: the terminal device sends a second message to the server of the external network, where the second message is used to request the resource provided by the server of the external network, the second message includes an identity key of the terminal device, and the identity key is used to obtain the CSB detection function of the terminal device.
  • in response to the other device being a capability management device, after the terminal device provides the CSB detection function information corresponding to the terminal device to other devices, the method further includes: the terminal device receives the random ID of the terminal device sent by the capability management device, and the random ID is used as the identity key of the terminal device; or, in response to the other device being a security device, after the terminal device provides the CSB detection function information to other devices, the method further includes: the terminal device receives the random ID of the terminal device sent by the security device, and the random ID is used as the identity key of the terminal device.
  • the third packet further includes the IP address of the terminal device, and the IP address of the terminal device is used as an identity key of the terminal device.
  • the third packet further includes a local certificate of the terminal device, and user information in the local certificate of the terminal device is used as an identity key of the terminal device.
  • the CSB detection function of the terminal device includes at least one of an IPS detection function, an AV detection function, a URL detection function, an AIE detection function, or an SA detection function.
  • before the terminal device provides the CSB detection function information corresponding to the terminal device to other devices, the method further includes: the terminal device sends a login request to the security device, where the login request includes user information; the terminal device receives the authentication result sent by the security device based on the user information, where the authentication result is used to indicate whether the terminal device has successfully logged in; in response to the successful login of the terminal device, the terminal device performs the operation of providing the CSB detection function information corresponding to the terminal device to other devices.
  • before the terminal device provides the CSB detection function information corresponding to the terminal device to other devices, the method further includes: the terminal device sends a login request to the login authentication device, where the login request includes user information; the terminal device receives the authentication result sent by the login authentication device based on the user information, where the authentication result is used to indicate whether the terminal device has successfully logged in; in response to the successful login of the terminal device, the terminal device performs the operation of providing the CSB detection function information corresponding to the terminal device to other devices.
  • before the terminal device provides the CSB detection function information corresponding to the terminal device to other devices, the method further includes: the terminal device sends a login request to the login authentication device, where the login request includes the local certificate of the terminal device; the terminal device receives the authentication result sent by the login authentication device based on the local certificate, where the authentication result is used to indicate whether the terminal device has successfully logged in; in response to the successful login of the terminal device, the terminal device performs the operation of providing the CSB detection function information corresponding to the terminal device to other devices.
  • the login authentication mode of the terminal device is more flexible.
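The first and second aspects above describe one decision: the security device compares the CSB detection functions a response needs against the functions the requesting terminal has declared, skips the overlap (the "first CSB detection function") and performs the rest itself (the "second CSB detection function"). The following is an added example, not code from the patent or from its assignee, modelling that split in Python together with a capability registry that plays the capability management device (or the correspondence table stored on the security device). It assumes hypothetical HTTP carriers for the identity key and the capability information (`X-CSB-Terminal-Id`, `X-CSB-Capabilities`, a `csb_cap` cookie) and a constructed local-authentication user table; the patent text only states that these fields may be a cookie, header or custom field and that the terminal must complete login authentication first.

```python
"""Added example (not the patent's own code). Models the gateway/terminal split of
CSB detection functions and the registration of a terminal's capabilities.
All header names, cookie names and credentials below are constructed assumptions."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from enum import Enum


class CsbFunction(str, Enum):
    """The five CSB detection functions named in the patent text."""
    IPS = "IPS"
    AV = "AV"
    URL = "URL"
    AIE = "AIE"
    SA = "SA"


# Hypothetical HTTP carriers for the capability information and identity key.
CAP_HEADER = "X-CSB-Capabilities"
ID_HEADER = "X-CSB-Terminal-Id"
CAP_COOKIE = "csb_cap"


@dataclass
class CapabilityRegistry:
    """Plays the capability management device (or the identity-keyword/CSB table
    on the security device): identity key -> CSB functions the terminal has.
    Only a key issued by a successful login may register capabilities, because the
    gateway skips detection on the strength of that declaration."""
    _table: dict[str, frozenset[CsbFunction]] = field(default_factory=dict)
    _authenticated: set[str] = field(default_factory=set)

    def login(self, user: str, password: str, users: dict[str, str]) -> str | None:
        """Local authentication stand-in; on success returns a random ID that
        serves as the terminal's identity key, otherwise None."""
        expected = users.get(user)
        if expected is None or not secrets.compare_digest(expected, password):
            return None
        random_id = secrets.token_hex(8)
        self._authenticated.add(random_id)
        return random_id

    def register(self, identity_key: str, functions: set[CsbFunction]) -> bool:
        """Third message: store the declared functions for an authenticated key only."""
        if identity_key not in self._authenticated:
            return False
        self._table[identity_key] = frozenset(functions)
        return True

    def query(self, identity_key: str) -> frozenset[CsbFunction]:
        """Query request from the security device. An unknown key yields no
        capabilities, so the gateway falls back to performing every function."""
        return self._table.get(identity_key, frozenset())


def parse_capabilities(value: str) -> set[CsbFunction]:
    """Parse a comma-separated capability list. Unknown tokens are dropped rather
    than raising, so a malformed field can never widen what the gateway omits."""
    out: set[CsbFunction] = set()
    for tok in value.split(","):
        name = tok.strip().upper()
        if name in CsbFunction.__members__:
            out.add(CsbFunction[name])
    return out


def capabilities_from_request(headers: dict[str, str]) -> set[CsbFunction]:
    """Second-message variant in which the capability information rides in the
    request itself: custom header first, then the csb_cap cookie."""
    if CAP_HEADER in headers:
        return parse_capabilities(headers[CAP_HEADER])
    for part in headers.get("Cookie", "").split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name == CAP_COOKIE:
            return parse_capabilities(val)
    return set()


def split_detection(
    required: set[CsbFunction], terminal_has: set[CsbFunction]
) -> tuple[frozenset[CsbFunction], frozenset[CsbFunction]]:
    """Return (first_csb, second_csb): the functions the gateway omits because the
    terminal has them, and the functions the gateway must still perform itself."""
    return frozenset(required & terminal_has), frozenset(required - terminal_has)


if __name__ == "__main__":
    reg = CapabilityRegistry()
    key = reg.login("alice", "correct-horse", {"alice": "correct-horse"})  # constructed
    assert key is not None and reg.register(key, {CsbFunction.AV, CsbFunction.URL})
    request = {ID_HEADER: key, "Host": "example.com"}  # second message carries the key
    needed = {CsbFunction.IPS, CsbFunction.AV, CsbFunction.URL, CsbFunction.SA}
    omitted, performed = split_detection(needed, set(reg.query(request[ID_HEADER])))
    print("gateway omits:", sorted(f.value for f in omitted))
    print("gateway performs:", sorted(f.value for f in performed))
```

Two design points carry the security weight. Registration is refused for any identity key that did not come out of a successful login, and an unknown key returns an empty capability set, so the gateway's default is to perform the full detection itself and the only way to reduce its work is a declaration tied to an authenticated terminal.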
  • a message processing device is provided, the device is applied to a security device, and the security device is deployed on the boundary between an external network and an internal network, and the device includes:
  • the acquiring module is configured to intercept the first message sent from the external network to the internal network, where the first message is used to carry the resource provided by the server of the external network according to the request of the terminal device of the internal network;
  • a determining module configured to determine the CSB detection function to be executed corresponding to the first message
  • a processing module configured to omit performing the first CSB detection function on the first message before forwarding the first message to the terminal device, in response to the terminal device having the first CSB detection function, wherein the first CSB detection function is all or part of the CSB detection functions to be executed corresponding to the first message.
  • the first CSB detection function is a part of the CSB detection functions to be executed corresponding to the first message, and the processing module is also used to perform the second CSB detection function on the first message, where the second CSB detection function is a function other than the first CSB detection function among the CSB detection functions to be executed corresponding to the first message.
  • the obtaining module is also used to intercept the second message sent by the terminal device, where the second message is used to request the resources provided by the server of the external network, and to obtain, based on the second message, the CSB detection function that the terminal device has; the determining module is also used to determine that the terminal device has the first CSB detection function according to the CSB detection function that the terminal device has and the CSB detection function to be executed corresponding to the first message.
  • the second message includes the identity keyword of the terminal device
  • the obtaining module is configured to obtain the identity keyword of the terminal device included in the second message by parsing the second message, where the identity keyword is used to obtain the CSB detection function of the terminal device.
  • the obtaining module is configured to send a query request to the capability management device, where the capability management device stores the CSB detection function information corresponding to the terminal device, the query request carries the identity keyword of the terminal device, and the CSB detection function information corresponding to the terminal device is used to indicate the CSB detection function of the terminal device; to receive the CSB detection function information corresponding to the terminal device that the capability management device sends in response to the query request; and to determine the CSB detection function of the terminal device according to that CSB detection function information.
  • the obtaining module is configured to send a query request to the capability management device based on HTTP, HTTPS or API.
  • the obtaining module is configured to query the correspondence between identity keywords and CSB detection functions stored in the security device according to the identity keyword of the terminal device, and obtain the CSB detection function corresponding to the identity keyword of the terminal device.
  • the identity key includes at least one of a random ID, an IP address, or user information in a local certificate.
  • the second message carries CSB detection function information corresponding to the terminal device
  • the obtaining module is configured to obtain the CSB detection function information corresponding to the terminal device carried in the second message by parsing the second message, and to determine the CSB detection function of the terminal device according to that information.
  • the CSB detection function to be executed includes at least one of an IPS detection function, an AV detection function, a URL detection function, an AIE detection function, or an SA detection function.
  • the terminal device is a device that completes login authentication
  • the login authentication manner includes any one of local authentication, server authentication, or certificate authentication.
  • a message processing device is provided, the device is applied to a terminal device, and the terminal device is deployed in an internal network, and the device includes:
  • the supply module is configured to provide other devices with CSB detection function information corresponding to the terminal device, and the CSB detection function information corresponding to the terminal device is used to indicate the CSB detection function that the terminal device has;
  • the receiving module is configured to receive the first message sent by the security device, wherein the security device is deployed on the boundary between the external network and the internal network, the first message is used to carry the resources provided by the server of the external network according to the request of the terminal device, the first message is a message on which the security device has not performed the first CSB detection function, and the CSB detection function of the terminal device includes the first CSB detection function;
  • a processing module configured to perform a first CSB detection function on the first packet.
  • the supply module is configured to send a third message to the capability management device, where the third message carries the CSB detection function information corresponding to the terminal device, and the capability management device is used to store that information.
  • the supply module is configured to send a third message to the security device, where the third message carries the CSB detection function information corresponding to the terminal device, and the security device is used to store that information.
  • the supply module is configured to send a second message to a server on the external network, where the second message is used to request the resources provided by the server on the external network and carries the CSB detection function information corresponding to the terminal device.
  • the second message is a message transmitted based on HTTPS
  • the CSB detection function information corresponding to the terminal device is carried in the Cookie, the URL parameter, the HTTPS header field, or the HTTPS custom field of the second message.
  • the second message is a message transmitted based on HTTP
  • the CSB detection function information corresponding to the terminal device is carried in the Cookie, or the HTTP header field, or the HTTP custom field of the second message.
  • the second message is a message transmitted based on FTP
  • the CSB detection function information corresponding to the terminal device is carried in an FTP redundant field or an FTP custom field of the second message.
  • the device further includes: a sending module, configured to send a second message to a server on the external network, where the second message is used to request the resources provided by the server on the external network, the second message includes an identity keyword of the terminal device, and the identity keyword is used to obtain the CSB detection function of the terminal device.
  • in response to the other device being a capability management device, the receiving module is further configured to receive the random ID of the terminal device sent by the capability management device, where the random ID is used as an identity key of the terminal device; or, in response to the other device being a security device, the receiving module is further configured to receive the random ID of the terminal device sent by the security device, where the random ID is used as an identity key of the terminal device.
  • the third packet further includes the IP address of the terminal device, and the IP address of the terminal device is used as an identity key of the terminal device.
  • the third packet further includes a local certificate of the terminal device, and user information in the local certificate of the terminal device is used as an identity key of the terminal device.
  • the CSB detection function of the terminal device includes at least one of an IPS detection function, an AV detection function, a URL detection function, an AIE detection function, or an SA detection function.
  • the apparatus further includes: a request module, configured to send a login request to the security device, where the login request includes user information, and to receive an authentication result sent by the security device based on the user information, where the authentication result is used to indicate whether the terminal device has successfully logged in; in response to the successful login of the terminal device, the supply module performs the operation of providing the CSB detection function information corresponding to the terminal device to other devices.
  • the apparatus further includes: a request module, configured to send a login request to the login authentication device, where the login request includes user information, and to receive an authentication result sent by the login authentication device based on the user information, where the authentication result is used to indicate whether the terminal device has successfully logged in; in response to the successful login of the terminal device, the supply module performs the operation of providing the CSB detection function information corresponding to the terminal device to other devices.
  • the apparatus further includes: a request module, configured to send a login request to the login authentication device, where the login request includes the local certificate of the terminal device, and to receive the authentication result sent by the login authentication device based on the local certificate, where the authentication result is used to indicate whether the terminal device has successfully logged in; in response to the successful login of the terminal device, the supply module performs the operation of providing the CSB detection function information corresponding to the terminal device to other devices.
  • in a fifth aspect, a message processing device is provided, including a processor coupled with a memory, where at least one program instruction or code is stored in the memory and is loaded and executed by the processor, so that the message processing device implements the message processing method of any one of the first aspect or the second aspect above.
  • a message processing system is provided, including a security device and a terminal device, where the security device is used to execute the message processing method of the first aspect or any implementation of the first aspect, and the terminal device is used to execute the message processing method of the second aspect or any implementation of the second aspect.
  • a computer-readable storage medium is provided, in which at least one program instruction or code is stored, and when the program instruction or code is loaded and executed by a processor, the computer implements the message processing method of any one of the first aspect or the second aspect.
  • a computer program product including a computer program.
  • when the computer program is executed by a computer, the computer implements the message processing method of any one of the first aspect or the second aspect above.
  • in a ninth aspect, a communication device is provided, including a transceiver, a memory, and a processor.
  • the transceiver, the memory and the processor communicate with each other through an internal connection path; the memory is used to store instructions, and the processor is used to execute the instructions stored in the memory to control the transceiver to receive and send signals; when the processor executes the instructions stored in the memory, the processor executes the method of the first aspect or any possible implementation of the first aspect, or the method of the second aspect or any possible implementation of the second aspect.
  • there are one or more processors, and one or more memories.
  • the memory may be integrated with the processor, or the memory may be separated from the processor.
  • the memory can be a non-transitory memory, for example a read-only memory (ROM), which can be integrated with the processor on the same chip or set on different chips; the application does not limit the type of the memory or the arrangement of the memory and the processor.
  • a chip including a processor, configured to call and execute instructions stored in the memory, so that the communication device installed with the chip executes the method in the above-mentioned first aspect or any possible implementation manner of the first aspect, or executes the method in the above-mentioned second aspect or any possible implementation manner of the second aspect.
  • another chip including an input interface, an output interface, a processor, and a memory; the input interface, the output interface, the processor, and the memory are connected through an internal connection path, and the processor is used to execute the code in the memory.
  • when the code is executed, the processor is used to execute the method in the above-mentioned first aspect or any possible implementation manner of the first aspect, or to execute the method in the above-mentioned second aspect or any possible implementation manner of the second aspect.
  • FIG. 1 is a schematic diagram of an implementation scenario of a message processing method provided in an embodiment of the present application.
  • FIG. 2 is a flow chart of a message processing method provided in an embodiment of the present application.
  • FIG. 3 is a schematic diagram of a message processing method provided in an embodiment of the present application.
  • FIG. 4 is a flow chart of another message processing method provided by an embodiment of the present application.
  • FIG. 5 is a flowchart of another message processing method provided by an embodiment of the present application.
  • FIG. 6 is a schematic diagram of a local certificate verification terminal device provided by an embodiment of the present application.
  • FIG. 7 is a flowchart of another message processing method provided by the embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of a message processing device provided in an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of another message processing device provided in an embodiment of the present application.
  • FIG. 10 is a schematic structural diagram of a packet processing device provided in an embodiment of the present application.
  • FIG. 11 is a schematic structural diagram of another packet processing device provided by an embodiment of the present application.
  • a security device performs a CSB detection function on packets sent from an external network to an internal network, so as to ensure safe operation of devices on the internal network.
  • the embodiment of the present application provides a packet processing method, which can be applied in the implementation scenario shown in FIG. 1 .
  • this implementation scenario includes a security device 101 , terminal devices 102A- 102C (collectively referred to as terminal devices 102 ), and a server 103 .
  • this implementation scenario further includes a capability management device 104 and a login authentication device 105 .
  • the security device 101 is deployed on the boundary between the external network and the internal network, the terminal device 102 is deployed on the internal network, and the server 103 is deployed on the external network.
  • Information exchange can be performed between the security device 101 and the terminal device 102, information exchange can be performed between the security device 101 and the server 103, information exchange can be performed between the security device 101 and the capability management device 104, and the security device 101 and the login authentication device 105
  • Information exchange can be performed between the terminal device 102 and the capability management device 104, and information exchange can be performed between the terminal device 102 and the login authentication device 105.
  • in FIG. 1, only the information interaction between the terminal device 102C, the capability management device 104 and the login authentication device 105 is shown; the other information interaction is not shown in FIG. 1, but this does not limit the implementation scenario.
  • the security device 101 includes but is not limited to security gateway devices, firewalls and other devices.
  • the terminal device 102 includes but is not limited to smart phones, desktop computers, notebook computers, tablet computers and other terminal devices.
  • the server 103, the capability management device 104 and the login authentication device 105 may all be servers. It should be noted that, in the implementation scenario shown in FIG. 1, the number of devices is only the number illustrated in the embodiment of the present application, which is not limited in the embodiment of the present application.
  • the message processing method provided by the embodiment of the present application is shown in FIG. 2, and the message processing method includes but is not limited to steps 200 to 205.
  • steps 201 to 203 are the process of executing message processing on the security device side
  • step 200, step 204 and step 205 are the process of executing message processing on the terminal device side.
  • the packet processing method will be described with reference to FIG. 2 .
  • step 200 the terminal device provides other devices with CSB detection function information corresponding to the terminal device.
  • the CSB detection function information corresponding to the terminal device is used to indicate the CSB detection function of the terminal device.
  • the CSB detection function of the terminal device includes at least one of an intrusion prevention system (intrusion prevention system, IPS) detection function, an anti-virus (anti-virus, AV) detection function, a uniform resource locator (uniform resource locator, URL) detection function, an artificial intelligence engine (artificial intelligence engine, AIE) detection function, or a service awareness (service awareness, SA) detection function.
  • the terminal device provides the CSB detection function information corresponding to the terminal device to other devices, including but not limited to the following two manners.
  • the terminal device provides the CSB detection function information corresponding to the terminal device to the capability management device.
  • the terminal device provides the CSB detection function information corresponding to the terminal device to other devices, including: the terminal device sends a third message to the capability management device, the third message carries the CSB detection function information corresponding to the terminal device, and the capability management device is used to store the CSB detection function information corresponding to the terminal device.
  • the third message is a message transmitted based on hyper text transfer protocol over secure socket layer (hyper text transfer protocol over secure socket layer, HTTPS), and the CSB detection function information corresponding to the terminal device is carried in the Cookie of the third message (small data stored on the user's local terminal), or in the URL parameters, or in an HTTPS header field (authorization), or in an HTTPS custom field.
  • the third message may be a message transmitted through an encrypted communication channel.
  • the third message is a message transmitted based on hypertext transfer protocol (hyper text transfer protocol, HTTP), and the CSB detection function information of the terminal device is carried in the Cookie of the third message, or in the HTTP header field, or in the HTTP custom field.
  • the third message is a message transmitted based on the file transfer protocol (file transfer protocol, FTP), and the CSB detection function information of the terminal device is carried in the FTP redundant field of the third message or in the custom field of FTP.
  • the method for transmitting the third message is more flexible.
  • the third message can carry the CSB detection function information corresponding to the terminal device in various ways, and the method for carrying the CSB detection function information corresponding to the terminal device in the third message is more flexible.
  • the step of the terminal device providing the CSB detection function information corresponding to the terminal device to the capability management device corresponds to related content of capability management performed by the terminal device and the capability management device shown in FIG. 3 .
  • the terminal device provides the security device with CSB detection function information corresponding to the terminal device.
  • the terminal device provides the CSB detection function information corresponding to the terminal device to other devices, including: the terminal device sends a second message to the server of the external network, and the second message is used to request to obtain the information of the external network resources provided by the server, where the second packet carries CSB detection function information corresponding to the terminal device.
  • the second message can be intercepted by the security device, so that the security device acquires the CSB detection function information corresponding to the terminal device carried in the second message.
  • the way the terminal device sends the second message to the server on the external network, and the way the second message carries the CSB detection function information corresponding to the terminal device, are similar in principle to the related process in the above-mentioned manner 1, and will not be repeated here.
  • when the terminal device sends a request message (that is, the second message) for requesting resources provided by the server of the external network, it may directly multiplex the second message to send the CSB detection function information corresponding to the terminal device, and the security device can obtain the CSB detection function information corresponding to the terminal device based on that message.
  • the second message since the second message can be transmitted based on multiple transmission protocols, the method for transmitting the second message is more flexible.
  • the second message can carry the CSB detection function information corresponding to the terminal device in various ways, and the method of carrying the CSB detection function information corresponding to the terminal device in the second message is more flexible.
  • the terminal device provides the CSB detection function information corresponding to the terminal device to other devices, including: the terminal device sends a third message to the security device, the third message carries the CSB detection function information corresponding to the terminal device, and the security device is used to store the CSB detection function information corresponding to the terminal device.
  • the manner in which the terminal device sends the third message to the security device and the manner in which the third message carries the CSB detection function information corresponding to the terminal device are similar to those in the above-mentioned manner 1, and will not be repeated here.
  • the security device can directly obtain the CSB detection function information corresponding to the terminal device locally when performing subsequent detection, thereby improving the detection efficiency.
  • the terminal device can provide the CSB detection function information corresponding to the terminal device in different ways, the method of providing the CSB detection function information corresponding to the terminal device in the embodiment of the present application is more flexible.
  • the CSB detection function information corresponding to the terminal device may be represented by the following manner A or manner B.
  • in manner A, the CSB detection function information corresponding to the terminal device is represented by a binary number.
  • the CSB detection function information corresponding to the terminal device is expressed as xxxxxxxxxx, where the 0th and 1st bits from the right are used to indicate whether the IPS detection function is included, the 2nd and 3rd bits are used to indicate whether the AV detection function is included, the 4th and 5th bits are used to indicate whether the URL detection function is included, the 6th and 7th bits are used to indicate whether the AIE detection function is included, and the 8th and 9th bits are used to indicate whether the SA detection function is included.
  • the CSB detection function of the terminal device includes the IPS detection function, the AV detection function and the AIE detection function, and the CSB detection function information corresponding to the terminal device is expressed as 0001000101.
  • in manner B, the CSB detection function information corresponding to the terminal device is represented by a binary array.
  • the CSB detection function information corresponding to the terminal device can be represented by a binary array [A, B, C, D, E], where A, B, C, D, and E are all used to indicate a detection function, and Represented by binary numbers.
  • A is used to indicate the IPS detection function
  • A is denoted as xx, where xx is 00, indicating that it does not have the IPS detection function, and xx is 01, indicating that it has the IPS detection function.
  • B is used to indicate the AV detection function
  • C is used to indicate the URL detection function
  • D is used to indicate the AIE detection function
  • E is used to indicate the SA detection function.
  • the CSB detection function of the terminal device includes the IPS detection function and the AV detection function
  • the CSB detection function information corresponding to the terminal device is expressed as [01, 01, 00, 00, 00].
  • the CSB detection function information corresponding to the terminal device can also be expressed in other ways; the above-mentioned representation modes of the CSB detection function information corresponding to the terminal device are only examples, and the embodiment of this application is not limited thereto.
  • the method further includes: in response to a change in the CSB detection function of the terminal device, the terminal device sends the changed CSB detection function information corresponding to the terminal device to the device that stores the CSB detection function information corresponding to the terminal device, so that the device storing the CSB detection function information corresponding to the terminal device updates the stored CSB detection function information corresponding to the terminal device.
  • the terminal device sends the changed CSB detection function information corresponding to the terminal device to the device that stores the CSB detection function information corresponding to the terminal device, including: the terminal device sends all of the CSB detection function information to that device, or sends difference CSB detection function information to that device, where the difference CSB detection function information is CSB detection function information determined based on the CSB detection function before the change and the CSB detection function after the change.
  • the capability management device stores CSB detection function information corresponding to the terminal device, and the terminal device sends all CSB detection function information to the capability management device, or sends different CSB detection function information to the capability management device.
  • the method further includes: the terminal device periodically sends the CSB detection function information corresponding to the terminal device to the device storing the CSB detection function information corresponding to the terminal device, so that the device storing the CSB detection function information corresponding to the terminal device updates the stored CSB detection function information corresponding to the terminal device.
  • the terminal device may also send the CSB detection function information corresponding to the terminal device to the device storing the CSB detection function information corresponding to the terminal device when that device requests it from the terminal device.
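The two representations above (manner A as a 10-bit string, manner B as an array of five 2-bit fields) and the full-versus-difference update described in the bullets that follow them, as an added Python example; this is not code from the application. The field order (bits 0-1 IPS, 2-3 AV, 4-5 URL, 6-7 AIE, 8-9 SA) and the two worked values are the page's; the function names, the rejection of the unused field values 10 and 11, and the shape of the difference record are assumptions.

```python
"""CSB detection function information as a 10-bit string (manner A) or a
five-element array of 2-bit fields (manner B), plus full and difference
updates. Added example; field order is the page's, everything else is assumed."""

# Field order from the page: bits 0-1 IPS, 2-3 AV, 4-5 URL, 6-7 AIE, 8-9 SA
# (bit 0 is the rightmost character of the string).
FIELDS = ("IPS", "AV", "URL", "AIE", "SA")
HAS, HAS_NOT = "01", "00"          # values 10 and 11 are treated as reserved (assumption)


def encode_bits(caps):
    """Manner A: capability names -> 10-character binary string, e.g. {IPS, AV, AIE} -> '0001000101'."""
    value = 0
    for i, name in enumerate(FIELDS):
        if name in caps:
            value |= 1 << (2 * i)         # set the low bit of field i ("01")
    return format(value, "010b")


def decode_bits(info):
    """Manner A inverse; rejects malformed strings and reserved field values."""
    if len(info) != 10 or set(info) - {"0", "1"}:
        raise ValueError(f"not a 10-character binary string: {info!r}")
    value = int(info, 2)
    caps = set()
    for i, name in enumerate(FIELDS):
        pair = (value >> (2 * i)) & 0b11
        if pair == 0b01:
            caps.add(name)
        elif pair != 0b00:
            raise ValueError(f"reserved value {pair:02b} in field {name}")
    return caps


def is_valid_bits(info):
    """True when decode_bits would accept the string."""
    try:
        decode_bits(info)
        return True
    except ValueError:
        return False


def encode_array(caps):
    """Manner B: [A, B, C, D, E], one 2-bit string per field, e.g. {IPS, AV} -> ['01','01','00','00','00']."""
    return [HAS if name in caps else HAS_NOT for name in FIELDS]


def decode_array(arr):
    """Manner B inverse."""
    if len(arr) != len(FIELDS):
        raise ValueError("array must have exactly five fields")
    caps = set()
    for name, pair in zip(FIELDS, arr):
        if pair == HAS:
            caps.add(name)
        elif pair != HAS_NOT:
            raise ValueError(f"reserved value {pair!r} in field {name}")
    return caps


def capability_change(before, after):
    """Difference information: what a terminal gained and lost between two capability sets."""
    return {"added": set(after) - set(before), "removed": set(before) - set(after)}


def apply_change(stored, change):
    """Update a stored capability set from a difference record (the storing device's side)."""
    return (set(stored) - change["removed"]) | change["added"]


if __name__ == "__main__":
    print(encode_bits({"IPS", "AV", "AIE"}), decode_bits("0001000101"))
    print(encode_array({"IPS", "AV"}), decode_array(["01", "01", "00", "00", "00"]))
    change = capability_change({"IPS", "AV"}, {"IPS", "AIE"})
    print(change, apply_change({"IPS", "AV"}, change))
```

Rejecting the unused field values on decode matters on the storing device: a capability record that decodes ambiguously should not silently be treated as "has the function", since that is exactly the case in which the security device would later skip a detection.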
  • the method further includes: the terminal device receives a first result or a second result sent by the other device, where the first result is used to indicate that the other device successfully stored the CSB detection function information corresponding to the terminal device, and the second result is used to indicate that the other device failed to store the CSB detection function information corresponding to the terminal device.
  • the terminal device provides CSB detection function information corresponding to the terminal device to the capability management device, and the terminal device receives the first result or the second result sent by the capability management device.
  • when the security device intercepts the second packet sent by the terminal device to request resources provided by the server of the external network, the second packet may include the identity key of the terminal device, so that the security device can obtain the CSB detection function information corresponding to the terminal device based on the identity key of the terminal device.
  • the capability management device stores CSB detection function information corresponding to the terminal device.
  • the method further includes: the terminal device sends a second message to the server of the external network, and the second message is used to request to obtain the resources provided by the server of the external network.
  • the second message includes an identity keyword of the terminal device, and the identity keyword is used to obtain the CSB detection function of the terminal device.
  • the second packet can be intercepted by the security device, so that the security device obtains the identity key of the terminal device carried in the second packet.
  • the identity key includes at least one of a random identity document (identity document, ID), an Internet protocol (internet protocol, IP) address, or user information in a local certificate.
  • the method further includes: the terminal device receives the random ID of the terminal device sent by the capability management device, and the random ID of the terminal device is used as an identity key of the terminal device.
  • the random ID of the terminal device may be a random ID generated by the capability management device.
  • the third packet further includes the IP address of the terminal device, and the IP address of the terminal device is used as an identity key of the terminal device.
  • the third message further includes a local certificate of the terminal device, and user information in the local certificate of the terminal device is used as an identity key of the terminal device.
  • the terminal device may save the random ID as an identity key of the terminal device.
  • the security device stores CSB detection function information corresponding to the terminal device.
  • the method further includes: the terminal device sends a second message to the server of the external network, and the second message is used to request to obtain the resources provided by the server of the external network, wherein the second packet includes an identity key of the terminal device, and the identity key is used to obtain the CSB detection function of the terminal device.
  • the second packet can be intercepted by the security device, so that the security device obtains the identity key of the terminal device carried in the second packet.
  • the identity key includes at least one of random ID, IP address, or user information in the local certificate.
  • the method further includes: the terminal device receives the random ID of the terminal device sent by the security device, and the random ID of the terminal device is used as an identity key of the terminal device.
  • the random ID of the terminal device may be a random ID generated by the security device.
  • the third packet further includes the IP address of the terminal device, and the IP address of the terminal device is used as an identity key of the terminal device.
  • the third message further includes a local certificate of the terminal device, and user information in the local certificate of the terminal device is used as an identity key of the terminal device.
  • the terminal device may store the random ID as the identity key of the terminal device.
  • the embodiment of the present application does not limit the manner in which the second packet carries the identity keyword of the terminal device, the manner in which the third packet carries the IP address of the terminal device, or the manner in which the third packet carries the local certificate of the terminal device.
  • the type of the identity key of the terminal device is relatively flexible.
  • the identity key of the terminal device can include various types of information, and the accuracy of obtaining the CSB detection function of the terminal device according to the identity key of the terminal device is relatively high.
  • Step 201 the security device intercepts the first message sent from the external network to the internal network.
  • the first packet is used to bear resources provided by the server of the external network to the terminal device of the internal network.
  • the first packet is used to bear the resource provided by the server of the external network according to the request of the terminal device of the internal network.
  • the security device 101 intercepts the first message sent from the external network to the internal network, and the first message is used to bear the provided resources.
  • the first packet is used to carry the resource actively provided by the server of the external network to the terminal device of the internal network.
  • the terminal device 102C on the internal network does not request to obtain resources provided by the server on the external network, and the security device 101 intercepts the first message sent from the external network to the internal network.
  • the terminal device is a device that has completed login authentication, and the login authentication manner includes any one of local authentication, server authentication, or certificate authentication.
  • Step 202 the security device determines the CSB detection function to be executed corresponding to the first packet.
  • the CSB detection function to be executed includes: at least one of an IPS detection function, an AV detection function, a URL detection function, an AIE detection function, or an SA detection function.
  • the security device stores multiple CSB detection policies, where each CSB detection policy corresponds to a resource type, and each CSB detection policy includes at least one CSB detection function.
  • the security device determines the to-be-executed CSB detection function corresponding to the first message, including: the security device obtains the resource type of the resource carried by the first message, searches for the CSB detection strategy corresponding to the resource type according to the resource type, and determines the CSB detection function included in that CSB detection strategy as the CSB detection function to be executed corresponding to the first packet.
  • resource types include but are not limited to: portable document format (portable document format, pdf) files, document (document, .doc) files, text (text, .txt) files, graphics interchange format (graphics interchange format, GIF) files, executable (executable, exe) files, dynamic link library (dynamic link library, dll) files, etc.
  • the resource type can also be a broader category, such as exe files and dll files are classified into portable executable (portable executable, PE) files, joint photographic experts group (joint photographic experts group, JPEG) files, bitmap (bitmap, BMP) and GIF files are classified as image files and so on.
  • after intercepting the first message, the security device determines the resource type of the resource carried by the first message according to the data in the file content carried in the first message, such as the feature word in the file header, or according to the previously cached acquisition request sent by the terminal device (i.e., the suffix of the resource name in the URL in the second message), or in other ways.
  • Step 203 in response to the fact that the terminal device has the first CSB detection function, the security device omits performing the first CSB detection function on the first message before forwarding the first message to the terminal device.
  • the first CSB detection function is all or part of the CSB detection functions to be executed corresponding to the first message.
  • the security device omitting to perform the first CSB detection function on the first packet includes the following cases 1 and 2.
  • the first CSB detection function is all of the CSB detection functions to be executed corresponding to the first message.
  • the security device can omit the process of performing CSB detection on the first packet and directly forward the first packet to the terminal device. In case 1, the resources consumed by the security device for CSB detection can be saved.
  • the first CSB detection function is a part of the CSB detection functions to be executed corresponding to the first message.
  • before the security device forwards the first message to the terminal device, the method also includes: the security device performs a second CSB detection function on the first message, where the second CSB detection function is the CSB detection function, among the CSB detection functions to be executed, other than the first CSB detection function.
  • the CSB detection function to be executed corresponding to the first message includes an IPS detection function, an AV detection function, and an AIE detection function
  • the terminal device has a first CSB detection function, wherein the first CSB detection function includes an IPS detection function and an AV detection function.
  • the second CSB detection function includes the AIE detection function
  • the security device performs the AIE detection function on the first packet.
  • step 203 corresponds to the manner of determining to perform the CSB detection function on the first packet and related content of performing the CSB detection function shown in FIG. 3 .
  • by default, after the security device determines the CSB detection function to be executed corresponding to the first message, it executes all of the CSB detection functions to be executed.
  • the method further includes: acquiring the detection result of the security device performing the second CSB detection function on the first message; in response to the detection result being safe, the security device forwards the first packet to the terminal device.
  • the second CSB detection function includes at least one detection function, and when the detection results of the security device performing the at least one detection function on the first message are all safe, the detection result of the security device performing the second CSB detection function on the first message is safe.
  • the method further includes: in response to the detection result of the security device performing the second CSB detection function on the first packet being dangerous, the security device does not forward the first message to the terminal device.
  • the second CSB detection function includes at least one detection function, and when at least one of the detection results obtained by the security device performing the at least one detection function on the first packet is dangerous, the detection result of the security device performing the second CSB detection function on the first packet is dangerous.
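Steps 202 and 203 on the security device side, as an added Python example (not code from the application): a policy table keyed by resource type gives the CSB detection functions to be executed, the functions the terminal device has are subtracted (the first CSB detection function), the remainder is executed at the gateway (the second CSB detection function), and the packet is forwarded only when every executed result is safe. The policy table, the five detectors, the packets and the rule that an unknown resource type or an unknown terminal capability makes the gateway run every function are constructed assumptions; the AV detector matches the public EICAR test string.

```python
"""Security-device decision for steps 202-203: policy lookup by resource type,
subtraction of the terminal's own detection functions, execution of the rest,
forward only when every result is safe. Added example; policies, detectors and
packets are constructed, not the application's."""
from dataclasses import dataclass
from urllib.parse import urlsplit
import math

IPS, AV, URL, AIE, SA = "IPS", "AV", "URL", "AIE", "SA"
ALL_FUNCTIONS = {IPS, AV, URL, AIE, SA}

# Constructed CSB detection policies, one per resource type (page: each policy
# corresponds to a resource type and lists at least one detection function).
POLICIES = {
    "pe": {IPS, AV, AIE},     # exe / dll
    "pdf": {AV, AIE, URL},
    "image": {AV},
}


@dataclass
class Packet:
    resource_type: str   # as determined in step 202 (file header or cached URL suffix)
    url: str             # URL from the cached second message
    payload: bytes


# Constructed, deliberately simple detectors: True means "dangerous".
EICAR_MARK = b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$"   # public AV test string
URL_BLOCKLIST = {"bad.example.test"}                      # constructed
IPS_SIGNATURES = [b"CONSTRUCTED-IPS-SIGNATURE"]           # constructed placeholder


def entropy(data):
    """Shannon entropy in bits per byte."""
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def av_detect(p):  return EICAR_MARK in p.payload
def url_detect(p): return urlsplit(p.url).hostname in URL_BLOCKLIST
def ips_detect(p): return any(sig in p.payload for sig in IPS_SIGNATURES)
def aie_detect(p): return len(p.payload) >= 64 and entropy(p.payload) > 7.5   # packed/encrypted-looking content
def sa_detect(p):  return p.resource_type == "pe" and not p.payload.startswith(b"MZ")  # declared type vs content

DETECTORS = {IPS: ips_detect, AV: av_detect, URL: url_detect, AIE: aie_detect, SA: sa_detect}


@dataclass
class Decision:
    delegated: frozenset   # first CSB detection function: omitted here, the terminal performs it
    executed: frozenset    # second CSB detection function: performed on the security device
    results: dict          # executed function -> True when dangerous
    forward: bool


def decide(pkt, terminal_caps=None):
    """Steps 202 and 203. terminal_caps=None means the capability is unknown, so every
    policy function is executed here (page: all executed by default)."""
    required = POLICIES.get(pkt.resource_type, ALL_FUNCTIONS)   # unknown type -> everything (assumption)
    caps = set(terminal_caps or ())
    delegated = frozenset(required & caps)
    executed = frozenset(required - caps)
    results = {name: DETECTORS[name](pkt) for name in sorted(executed)}
    return Decision(delegated, executed, results, forward=not any(results.values()))


# Constructed packets for the demonstration.
CLEAN_PE = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode."
INFECTED_PE = CLEAN_PE + EICAR_MARK
PE_URL = "https://files.example.test/tool.exe"

if __name__ == "__main__":
    d = decide(Packet("pe", PE_URL, INFECTED_PE), {IPS, AIE})
    print(sorted(d.delegated), sorted(d.executed), d.results, d.forward)
```

The `terminal_caps=None` branch is the defensive default the page describes: if the gateway cannot learn what the terminal can check, nothing is delegated and the whole policy runs at the gateway, so a missing or unparseable capability record degrades to more inspection rather than less.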
  • the method further includes a process in which the security device obtains the CSB detection function of the terminal device.
  • before step 201, that is, before the security device intercepts the first message sent from the external network to the internal network, the method further includes the following steps 1-1 and 1-2.
  • step 1-1 the security device intercepts the second message sent by the terminal device, where the second message is used to request to acquire resources provided by the server of the external network.
  • the second message is the above request message for requesting to acquire the resource provided by the server of the external network.
  • the second packet includes an identity key of the terminal device.
  • the second packet carries CSB detection function information corresponding to the terminal device. It should be noted that the type of the identity keyword of the terminal device, the representation of the CSB detection function information corresponding to the terminal device, and the way the second message carries the CSB detection function information corresponding to the terminal device are the same as described in the preceding paragraphs, and are not detailed again here.
  • Step 1-2 based on the second message, the security device acquires the CSB detection function of the terminal device.
  • the security device obtains the CSB detection function of the terminal device, including but not limited to the following two ways.
  • the security device obtains the identity keyword of the terminal device included in the second message by parsing the second message, and obtains the CSB detection function of the terminal device according to the identity keyword of the terminal device.
  • the security device obtains the CSB detection function of the terminal device according to the identity keyword of the terminal device, including: the security device sends a query request to the capability management device, which stores the CSB detection function information corresponding to the terminal device, wherein the query request carries the identity keyword of the terminal device and the CSB detection function information corresponding to the terminal device is used to indicate the CSB detection function that the terminal device has; the security device receives the CSB detection function information corresponding to the terminal device that the capability management device sends in response to the query request, and determines the CSB detection function possessed by the terminal device according to that CSB detection function information.
  • when the security device sends the query request to the capability management device, it sends the query request based on HTTP, HTTPS or an application programming interface (application programming interface, API). It should be noted that the security device may also send the query request to the capability management device based on other public protocols or private protocols, which is not limited in this embodiment of the present application.
  • the security device obtains the CSB detection function of the terminal device according to the identity key of the terminal device, including: the security device queries, according to the identity key of the terminal device, the corresponding relationship between the identity keyword and the CSB detection function stored in the security device, to obtain the CSB detection function corresponding to the identity keyword of the terminal device.
  • the security device stores the correspondence between the identity key and the CSB detection function.
  • the corresponding relationship between the identity key and the CSB detection function stored in the security device includes multiple identity keys and a CSB detection function corresponding to each identity key.
• the security device queries the stored correspondence according to the identity keyword of the terminal device to obtain the CSB detection function corresponding to that identity keyword.
• the CSB detection function that the correspondence associates with the identity keyword of the terminal device is the CSB detection function of the terminal device.
• the security device parses the second message to obtain the CSB detection function information corresponding to the terminal device carried in the second message, and determines the CSB detection function of the terminal device according to that CSB detection function information.
  • the security device parses the second message to obtain the CSB detection function information corresponding to the terminal device carried in the second message, including but not limited to the following three situations.
  • the second packet is a packet transmitted based on HTTPS. That is, the second packet is a packet of the HTTPS protocol.
• if the CSB detection function information corresponding to the terminal device is carried in the Cookie of the second message, the security device parses the second message to obtain the information carried in the Cookie; if it is carried in the URL parameter of the second message, the security device parses the second message to obtain the information carried in the URL parameter; if it is carried in the HTTPS header field of the second message, the security device parses the second message to obtain the information carried in the HTTPS header field; if it is carried in the HTTPS custom field of the second message, the security device parses the second message to obtain the information carried in the HTTPS custom field. Parsing these fields of an HTTPS message requires that the security device can read the plaintext of the message, for example because the terminal device has established the SSL connection with the security device, as in step 701 below.
  • the second packet is a packet based on HTTP transmission. That is, the second packet is a packet of the HTTP protocol.
• if the CSB detection function information corresponding to the terminal device is carried in the Cookie of the second message, the security device parses the second message to obtain the information carried in the Cookie; if it is carried in the HTTP header field of the second message, the security device parses the second message to obtain the information carried in the HTTP header field; if it is carried in the HTTP custom field of the second message, the security device parses the second message to obtain the information carried in the HTTP custom field.
  • the second packet is a packet based on FTP transmission. That is, the second packet is a packet of the FTP protocol.
• if the CSB detection function information corresponding to the terminal device is carried in the FTP redundant field of the second message, the security device parses the second message to obtain the information carried in the FTP redundant field; if it is carried in the FTP custom field of the second message, the security device parses the second message to obtain the information carried in the FTP custom field.
• the security device determines the CSB detection function of the terminal device according to the CSB detection function information corresponding to the terminal device carried in the second message.
• the step of the security device obtaining the CSB detection function of the terminal device based on the second message corresponds to the relevant content of identifying the second message and obtaining the CSB detection function of the terminal device shown in FIG. 3.
• the security device can determine which of the CSB detection functions to be executed corresponding to the first message are CSB detection functions that the terminal device has, and which are CSB detection functions that the terminal device does not have. That is, the security device can determine the first CSB detection function and the second CSB detection function among the CSB detection functions to be executed.
• the method further includes: the security device determines, according to the CSB detection function of the terminal device and the CSB detection function to be executed corresponding to the first message, that the terminal device has the first CSB detection function.
  • the CSB detection function to be executed corresponding to the first message includes an IPS detection function, an AV detection function, and a URL detection function
  • the CSB detection function possessed by the terminal device includes a URL detection function and an AIE detection function
• the security device then determines that the terminal device has a first CSB detection function, and the first CSB detection function includes the URL detection function.
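The two obtaining paths above (a claim carried in the second message, or a lookup of the identity keyword in a local correspondence) and the split into the first and second CSB detection function can be shown together on an intercepted HTTP request. The block below is an added example, not code from the patent: the cookie names `csb` and `csb_id`, the URL parameter `csb`, the header `X-CSB-Functions`, the priority order Cookie, then URL parameter, then header field, the correspondence table and the per-resource-type policies are all assumptions constructed for the illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed correspondence stored on the security device:
# identity keyword -> CSB detection functions the terminal has.
LOCAL_CAPABILITY_TABLE = {
    "term-7f3a": {"URL", "AIE"},
}

# Constructed CSB detection policies: resource type -> functions to execute.
CSB_POLICIES = {
    "exe": {"IPS", "AV", "URL"},
    "html": {"IPS", "URL"},
}


def parse_http_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def parse_cookies(cookie_header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    jar = {}
    for item in cookie_header.split(";"):
        name, sep, value = item.strip().partition("=")
        if sep:
            jar[name] = value
    return jar


def _functions(value):
    return {f.strip().upper() for f in value.split(",") if f.strip()}


def claimed_functions(target, headers):
    """CSB detection function information carried in the message itself,
    checked in the Cookie, the URL parameter and a header field in turn
    (assumed order). Returns None when the message carries no claim."""
    cookies = parse_cookies(headers.get("cookie", ""))
    if "csb" in cookies:
        return _functions(cookies["csb"])
    params = parse_qs(urlsplit(target).query)
    if "csb" in params:
        return _functions(params["csb"][0])
    if "x-csb-functions" in headers:
        return _functions(headers["x-csb-functions"])
    return None


def identity_keyword(headers):
    """Identity keyword carried in the cookie 'csb_id' (assumed name)."""
    return parse_cookies(headers.get("cookie", "")).get("csb_id")


def terminal_functions(target, headers):
    """Functions the terminal has: an explicit claim in the message is used
    if present, otherwise the identity keyword is looked up locally.
    An unknown terminal gets no credit, so the gateway runs everything."""
    claimed = claimed_functions(target, headers)
    if claimed is not None:
        return claimed
    return set(LOCAL_CAPABILITY_TABLE.get(identity_keyword(headers), ()))


def resource_type(target):
    """Resource type from the file extension of the request path."""
    last = urlsplit(target).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else "html"


def split_detection(raw_request):
    """Return (first, second): 'first' is the part of the pending CSB
    detection the terminal can perform itself, 'second' what the security
    device must perform before forwarding the first message."""
    _method, target, headers = parse_http_request(raw_request)
    pending = CSB_POLICIES.get(resource_type(target), set())
    have = terminal_functions(target, headers)
    return pending & have, pending - have


# Constructed sample requests (not captured traffic).
REQUEST_WITH_HEADER_CLAIM = (
    b"GET /files/setup.exe HTTP/1.1\r\n"
    b"Host: files.example.com\r\n"
    b"X-CSB-Functions: IPS, AV, AIE\r\n"
    b"\r\n"
)
REQUEST_WITH_IDENTITY_ONLY = (
    b"GET /files/setup.exe HTTP/1.1\r\n"
    b"Host: files.example.com\r\n"
    b"Cookie: session=abc123; csb_id=term-7f3a\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for req in (REQUEST_WITH_HEADER_CLAIM, REQUEST_WITH_IDENTITY_ONLY):
        first, second = split_detection(req)
        print("terminal runs:", sorted(first), "| gateway runs:", sorted(second))
```

The second sample reproduces the worked example in the text: pending IPS, AV and URL against a terminal that has URL and AIE leaves URL as the first CSB detection function and IPS and AV as the second. A request with neither a claim nor a known identity keyword yields an empty first set, so the security device keeps all of its detection.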
  • the method provided by the embodiment of the present application includes step 204 .
  • Step 204 the terminal device receives the first message sent by the security device.
• the security device is deployed on the boundary between the external network and the internal network, the first message is used to carry the resource provided by the server of the external network according to the request of the terminal device, and the first message is a message on which the security device has not performed the first CSB detection function.
  • the CSB detection function of the terminal device includes the first CSB detection function.
• the CSB detection function to be executed corresponding to the first message includes an IPS detection function, an AV detection function, a URL detection function, an AIE detection function and an SA detection function; the CSB detection function that the terminal device 102B has includes an IPS detection function, an AV detection function and an AIE detection function, where the IPS detection function, the AV detection function and the AIE detection function of the terminal device 102B are respectively the same as the IPS detection function, the AV detection function and the AIE detection function included in the CSB detection function of the security device 101.
  • the first CSB detection function includes IPS detection function, AV detection function and AIE detection function
  • the second CSB detection function includes URL detection function and SA detection function.
  • the terminal device 102B receives the first message sent by the security device 101.
• the first message is a message on which the security device 101 has performed the URL detection function and the SA detection function, but has not performed the IPS detection function, the AV detection function and the AIE detection function.
  • Step 205 the terminal device performs the first CSB detection function on the first packet.
  • the terminal device performs a CSB detection function of the terminal device on the first packet. In other words, the terminal device performs all CSB detection functions of the terminal device by default on the received message.
• before the terminal device performs the first CSB detection function on the first message, the method further includes: the terminal device determines the CSB detection function to be executed corresponding to the first message, and determines the first CSB detection function according to the CSB detection function of the terminal device and the CSB detection function to be executed corresponding to the first message.
  • the terminal device stores multiple CSB detection strategies, where each CSB detection strategy corresponds to a resource type, and each CSB detection strategy includes at least one CSB detection function.
• the terminal device determines the CSB detection function to be executed corresponding to the first message, including: the terminal device obtains the resource type of the resource carried by the first message, searches for the CSB detection policy corresponding to that resource type, and determines the CSB detection function included in that CSB detection policy as the CSB detection function to be executed corresponding to the first packet.
  • the CSB detection policy stored in the terminal device is the same as the CSB detection policy stored in the security device in step 202 .
• after determining the first CSB detection function, the terminal device performs the first CSB detection function on the first packet.
• before the terminal device performs the first CSB detection function on the first packet, the method further includes: the terminal device receives indication information sent by the security device, where the indication information is used to indicate the first CSB detection function; the terminal device obtains the first CSB detection function according to the indication information, and performs the first CSB detection function on the first packet.
• the method further includes: the terminal device detects whether the received first message is a message transmitted in a segmented transmission mode (that is, whether it is part of a piece of data or a file); in response to the first message being part of a message transmitted in segments, the terminal device splices multiple first messages to obtain a spliced message, and performs the first CSB detection function on the spliced message.
• the embodiment of the present application does not limit the manner in which the terminal device detects whether the first packet is part of a message transmitted in a segmented transmission manner, nor the manner in which the terminal device splices multiple first packets.
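The text leaves the segmentation format and the splicing method open; the block below is an added example, not part of the patent, that uses HTTP/1.1 chunked transfer encoding as one concrete segmented transmission mode. The signature `MALWARE-MARKER-7`, the chunk payloads and the stand-in `detect` function are all constructed for the illustration. It shows the failure mode the text warns about: a pattern that straddles two segments is missed when each segment is scanned alone, and found once the segments are spliced. It also checks that the spliced message is complete before detection runs, which is the terminal's "is this part of a segmented transmission" step.

```python
# Constructed signature standing in for a real IPS/AV pattern.
SIGNATURE = b"MALWARE-MARKER-7"


def detect(data):
    """Stand-in first CSB detection function: True when a threat is found."""
    return SIGNATURE in data


def parse_chunks(stream):
    """Yield the payload of each chunk of an HTTP/1.1 chunked body.
    Raises ValueError when the stream is truncated or malformed, which is
    how a still-incomplete segmented transmission is recognised here."""
    pos = 0
    while True:
        end = stream.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("missing chunk-size line")
        size_field = stream[pos:end].split(b";", 1)[0].strip()
        if not size_field:
            raise ValueError("empty chunk-size line")
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:                      # last-chunk marker
            return
        chunk = stream[pos:pos + size]
        if len(chunk) != size or stream[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        yield chunk
        pos += size + 2


def is_complete(stream):
    """True only when every segment has arrived and the zero-size chunk
    terminates the body; detection should wait until this holds."""
    try:
        for _ in parse_chunks(stream):
            pass
    except ValueError:
        return False
    return True


def scan_per_segment(stream):
    """Detection run on each segment separately (what the text warns
    against): a signature split across segments is not found."""
    return any(detect(chunk) for chunk in parse_chunks(stream))


def scan_spliced(stream):
    """Splice all segments first, then run detection once."""
    return detect(b"".join(parse_chunks(stream)))


def encode_chunked(segments):
    """Build a chunked body from payload segments (used for the sample)."""
    body = b"".join(b"%x\r\n%s\r\n" % (len(s), s) for s in segments)
    return body + b"0\r\n\r\n"


# Constructed sample: the signature straddles the boundary of two segments.
SAMPLE_SEGMENTS = [b"header bytes ... MALWARE-", b"MARKER-7 ... trailing bytes"]
SAMPLE_STREAM = encode_chunked(SAMPLE_SEGMENTS)

if __name__ == "__main__":
    print("per-segment scan found threat:", scan_per_segment(SAMPLE_STREAM))
    print("spliced scan found threat:   ", scan_spliced(SAMPLE_STREAM))
    print("truncated stream complete:   ", is_complete(SAMPLE_STREAM[:-5]))
```

The same reasoning applies to any other segmentation (TCP segments, FTP data blocks, ranged downloads): per-segment results are only trustworthy for patterns that cannot span a boundary, so the spliced scan is the one whose verdict should gate use of the resource.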
• the method further includes: the terminal device sends authentication information to the login authentication device, so that the login authentication device uses the authentication information to perform login authentication on the terminal device joining the internal network; the login authentication method includes but is not limited to any one of local authentication, server authentication or certificate authentication.
  • the internal network can be accessed locally through the internal network hardware of the enterprise, or remotely accessed through a virtual private network (virtual private network, VPN).
• Login authentication method 1: the terminal device performs login authentication through local authentication.
• the method further includes: the terminal device sends a login request to the security device, and the login request includes user information; the terminal device receives the authentication result sent by the security device based on the user information, and the authentication result is used to indicate whether the terminal device has successfully logged in.
  • the user information may include a user name and a password.
• Login authentication method 2: the terminal device performs login authentication through server authentication.
• the method further includes: the terminal device sends a login request to the login authentication device, and the login request includes user information; the terminal device receives the authentication result sent by the login authentication device based on the user information, which is used to indicate whether the terminal device has successfully logged in.
  • the user information may include a user name and a password.
• the method further includes: the terminal device sends a login request to the security device, where the login request includes user information, and the login request is used for the security device to send a login authentication request to the login authentication device, so that the login authentication device performs login authentication on the terminal device based on the user information; the terminal device receives the authentication result sent by the security device, where the authentication result is generated by the login authentication device based on the user information and is used to indicate whether the terminal device has successfully logged in.
  • the user information may include a user name and a password.
• Login authentication method 3: the terminal device performs login authentication through certificate authentication.
• the method further includes: the terminal device sends a login request to the login authentication device, and the login request includes the local certificate of the terminal device; the terminal device receives the authentication result sent by the login authentication device based on the local certificate of the terminal device, which is used to indicate whether the terminal device has successfully logged in. Since the terminal device can complete login authentication through different login authentication methods, the login authentication of the terminal device is more flexible.
• in response to the successful login of the terminal device, the terminal device provides the CSB detection function information corresponding to the terminal device to other devices.
• in response to the unsuccessful login of the terminal device, the terminal device does not execute the message processing method.
  • the above-mentioned local authentication, server authentication, and certificate authentication are only login authentication methods described in the embodiment of this application, and the terminal device can also perform login authentication through other login authentication methods, which are not limited in this embodiment of the application.
  • the step of the terminal device performing login authentication corresponds to the relevant content of the terminal device login authentication shown in FIG. 3 .
  • the security device can also perform login authentication to join the internal network.
  • the manner of login authentication includes any one of local authentication, server authentication or certificate authentication.
  • the security device may also perform login authentication through other login authentication methods, which is not limited in this embodiment of the present application.
• the security device intercepts the first message sent from the external network to the internal network, and in the case that the terminal device has all or part of the CSB detection functions to be executed corresponding to the first message, the security device omits performing those functions on the first message. This reduces the device resources the security device occupies for performing the CSB detection function, and thereby reduces the performance requirements on the security device. Since the method reduces the occupancy of device resources for performing the CSB detection function, the unoccupied device resources of the security device can be used to perform other functions, thereby improving the performance of the security device.
• the terminal device performs the first CSB detection function on the first message, so that all CSB detection to be executed corresponding to the first message is carried out, ensuring the security of the first message.
• the terminal device can splice the packets transmitted in segments, and perform the first CSB detection function on the spliced packet. Since each segment of a message transmitted in segments only includes part of the content, a threat may not be detected when the first CSB detection function is performed on each segment separately. Splicing the segments and performing the first CSB detection function on the spliced packet improves the CSB detection effect.
  • the terminal device is a device that performs login authentication through local authentication or server authentication, and the security device queries the capability management device for the CSB detection function of the terminal device.
  • the security device integrates a function of the login authentication device, that is, the login authentication function is implemented by the security device.
  • the login authentication function and the capability management function are implemented by the same device, that is, the device is both a login authentication device and a capability management device.
  • the login authentication function and the capability management function are implemented by two other devices except the security device, that is, the security device, the login authentication device and the capability management device are different devices respectively.
  • this embodiment of the present application takes the login authentication function implemented by the login authentication device, and the capability management function implemented by the capability management device as an example for illustration.
• the message processing method provided by the embodiment of the present application is shown in Figure 4, including but not limited to step 401 to step 422.
  • Step 401 the terminal device sends a login request to the login authentication device, and the login request includes user information.
  • the user information included in the login request includes username and password.
  • Step 402 the login authentication device performs login authentication on the terminal device based on the user information.
  • Step 403 the login authentication device sends the authentication result to the terminal device.
• for steps 401 to 403, reference may be made to the related content of local authentication and server authentication above, and details are not repeated here.
  • Step 404 in response to the authentication result being that the authentication is passed, the login authentication device sends user information to the security device.
  • the user information is used for the terminal device to perform login authentication through local authentication. After the terminal device successfully logs in, step 405 is performed.
  • Step 405 the terminal device provides the CSB detection function information corresponding to the terminal device to the capability management device.
  • Step 406 the capability management device stores the CSB detection function information corresponding to the terminal device and the identity key of the terminal device.
  • the identity key of the terminal device includes a random ID of the terminal device.
  • step 406 includes: the capability management device stores CSB detection function information corresponding to the terminal device, and generates and stores a random ID of the terminal device.
  • Step 407 the capability management device sends the first result or the second result and the random ID of the terminal device to the terminal device.
  • Step 408 the terminal device saves the random ID of the terminal device.
• for steps 405 to 407, reference may be made to the related content above in which the terminal device provides the CSB detection function information corresponding to the terminal device to the capability management device, which is not repeated here.
  • Step 409 the terminal device sends the second message to the server on the external network.
  • the second message includes the identity key of the terminal device, and the second message is used to request to acquire resources provided by the server of the external network.
  • Step 410 after the security device intercepts the second message, it sends a query request to the capability management device.
  • Step 411 in response to the query request, the capability management device sends CSB detection function information corresponding to the terminal device to the security device.
  • Step 412 the security device forwards the second packet to the server on the external network.
  • Step 413 in response to the second packet, the server of the external network sends the first packet to the terminal device.
• for steps 409 to 413, reference may be made to the related content of steps 200 and 201 above, which is not repeated here.
  • Step 414 After the security device intercepts the first message, it determines the CSB detection function to be executed corresponding to the first message.
  • Step 415 the security device determines the CSB detection function of the terminal device.
• in response to the terminal device having the first CSB detection function, and the first CSB detection function being all of the CSB detection functions to be executed corresponding to the first message, steps 416 and 417 are performed; in response to the terminal device having the first CSB detection function, and the first CSB detection function being a part of the CSB detection functions to be executed corresponding to the first message, steps 418 to 420 are performed; in response to the terminal device not having the first CSB detection function, steps 421 and 422 are performed.
  • Step 416 In response to the fact that the terminal device has a first CSB detection function, and the first CSB detection function is all the CSB detection functions to be executed corresponding to the first message, the security device sends the first message to the terminal device.
  • Step 417 the terminal device performs a first CSB detection function on the first packet.
• Step 418 in response to the fact that the terminal device has a first CSB detection function, and the first CSB detection function is part of the CSB detection functions to be executed corresponding to the first message, the security device performs a second CSB detection function on the first message, where the second CSB detection function is the functions other than the first CSB detection function among the CSB detection functions to be executed corresponding to the first message.
  • Step 419 In response to the fact that the security device performs the second CSB detection function on the first packet and the detection result is safe, the security device sends the first packet to the terminal device.
  • Step 420 the terminal device performs a first CSB detection function on the first packet.
  • Step 421 in response to the fact that the terminal device does not have the first CSB detection function, the security device performs all CSB detection functions to be performed on the first packet.
  • Step 422 In response to the fact that the security device performs all CSB detection functions to be performed on the first packet and the detection result is safe, the security device sends the first packet to the terminal device.
• for steps 414 to 422, reference may be made to the relevant content of steps 202 and 203 above, which is not repeated here.
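Steps 405 to 408 (the terminal registers its CSB detection function information and receives a random ID), steps 410 to 411 (the security device queries the capability management device) and the three-way branch of steps 414 to 422 can be run end to end in one toy model. The block below is an added example, not the patent's code: the in-memory store, the random-ID scheme, the detector functions and their "threat" patterns, the policy table and the function-call query interface (standing in for the HTTP/HTTPS/API query of the text) are all constructed assumptions.

```python
import secrets


class CapabilityManagementDevice:
    """Stores CSB detection function information per terminal and issues
    each registering terminal a random ID that serves as its identity keyword."""

    def __init__(self):
        self._by_id = {}

    def register(self, functions):
        # Steps 405-407: store the claim, generate and return a random ID.
        random_id = secrets.token_hex(16)
        self._by_id[random_id] = frozenset(f.upper() for f in functions)
        return random_id

    def query(self, identity_keyword):
        # Steps 410-411: answer the security device's query. An unknown ID
        # yields an empty set, so the gateway runs every pending function.
        return set(self._by_id.get(identity_keyword, ()))


class SecurityDevice:
    def __init__(self, capability_device, policies, detectors):
        self.cmd = capability_device
        self.policies = policies      # resource type -> pending functions
        self.detectors = detectors    # function name -> callable(payload) -> True if safe

    def handle_first_message(self, identity_keyword, resource_type, payload):
        """Steps 414-422. Returns (action, gateway_ran, terminal_must_run),
        where action is 'forward' or 'drop'."""
        pending = set(self.policies.get(resource_type, ()))      # step 414
        have = self.cmd.query(identity_keyword)                   # step 415
        first = pending & have          # left to the terminal (steps 416/418)
        second = pending - have         # must be run here (steps 418/421)
        ran = set()
        for name in sorted(second):
            ran.add(name)
            if not self.detectors[name](payload):
                return "drop", ran, set()   # never forward an unsafe message
        return "forward", ran, first        # steps 416/419/422


# Constructed detectors: True means "safe". Real IPS/AV/URL engines differ.
def ips_detect(payload):
    return b"exploit" not in payload


def av_detect(payload):
    return b"MALWARE" not in payload


def url_detect(payload):
    return True


DETECTORS = {"IPS": ips_detect, "AV": av_detect, "URL": url_detect,
             "AIE": lambda p: True, "SA": lambda p: True}
POLICIES = {"exe": {"IPS", "AV", "URL"}}


def demo():
    cmd = CapabilityManagementDevice()
    gateway = SecurityDevice(cmd, POLICIES, DETECTORS)
    # Terminal with IPS, AV and AIE: the gateway runs only URL (steps 418-420).
    tid = cmd.register(["IPS", "AV", "AIE"])
    clean = gateway.handle_first_message(tid, "exe", b"benign installer bytes")
    # Unknown identity keyword: the gateway runs everything (steps 421-422).
    unknown = gateway.handle_first_message("no-such-id", "exe", b"benign installer bytes")
    # Terminal with only URL: the gateway runs IPS and AV and drops the threat.
    tid2 = cmd.register(["URL"])
    threat = gateway.handle_first_message(tid2, "exe", b"... MALWARE ...")
    return clean, unknown, threat


if __name__ == "__main__":
    for label, result in zip(("clean", "unknown", "threat"), demo()):
        print(label, "->", result)
```

Two points of the model matter for a deployment: the gateway's reduction of its own work rests entirely on the stored claim, which is why the text only lets a terminal provide that information after login authentication succeeds (steps 401 to 405), and the forward decision in steps 419 and 422 depends on every function the gateway did run reporting "safe", so a failing detector must short-circuit to "drop" before the message reaches the terminal.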
  • the terminal device is a device that performs login authentication through certificate authentication, and the security device queries the capability management device for the CSB detection function of the terminal device.
  • the security device integrates a function of the login authentication device, that is, the login authentication function is implemented by the security device.
  • the login authentication function and the capability management function are implemented by the same device, that is, the device is both a login authentication device and a capability management device.
  • the login authentication function and the capability management function are implemented by two other devices except the security device, that is, the security device, the login authentication device, and the capability management device are different devices.
  • this embodiment of the application takes the login authentication function implemented by a security device and the capability management function implemented by a capability management device as an example for illustration.
  • the message processing method provided by this embodiment of the application is shown in Figure 5, including but not limited to Step 501 to step 521.
  • Step 501 the terminal device sends a login request to the security device, where the login request includes the local certificate of the terminal device.
  • Step 502 the security device performs login authentication on the terminal device based on the local certificate of the terminal device.
  • the security device performs login authentication on the terminal device based on the local certificate of the terminal device, including but not limited to steps 1 to 3.
  • Step 1 the security device receives the local certificate of the terminal device sent by the terminal device.
• Step 2 the security device invokes the certificate authority (CA) certificate of the security device.
  • Step 3 The security device verifies the local certificate of the terminal device based on the CA certificate of the security device, and obtains a verification result.
• the terminal device sends the local certificate of the terminal device to the security device; the security device invokes the CA certificate of the security device, where the CA certificate is stored in the certificate module of the security device and is a certificate issued by the CA; the security device verifies the local certificate of the terminal device according to the CA certificate of the security device; the security device sends the verification result to the terminal device.
• Step 503 in response to the verification result being that the local certificate is authentic, the security device adds user information.
  • the user information is used for the terminal device to perform login authentication through local authentication.
  • step 504 is executed.
  • Step 504 the security device sends the authentication result to the terminal device.
• steps 501 to 504 correspond to the relevant content of the certificate authentication above, which is not repeated here.
  • step 505 is executed.
  • Step 505 the terminal device provides the CSB detection function information corresponding to the terminal device and the local certificate of the terminal device to the capability management device.
  • the local certificate includes user information, and the user information is used as an identity key of the terminal device.
  • Step 506 the capability management device stores the CSB detection function information corresponding to the terminal device and the identity key of the terminal device.
  • the identity key of the terminal device includes user information in the local certificate of the terminal device.
  • Step 507 the capability management device sends the first result or the second result to the terminal device.
• for step 505, reference may be made to the related content above in which the terminal device provides the CSB detection function information corresponding to the terminal device to the capability management device, which is not repeated here.
  • Step 508 the terminal device sends the second packet to the server on the external network.
  • the second message includes the identity key of the terminal device, and the second message is used to request to acquire resources provided by the server of the external network.
  • Step 509 After intercepting the second message, the security device sends a query request to the capability management device.
  • Step 510 in response to the query request, the capability management device sends CSB detection function information corresponding to the terminal device to the security device.
  • Step 511 the security device forwards the second message to the server on the external network.
  • Step 512 in response to the second packet, the server of the external network sends the first packet to the terminal device.
• for steps 508 to 512, reference may be made to the related content of steps 200 and 201 above, which is not repeated here.
  • Step 513 After the security device intercepts the first message, it determines the CSB detection function to be executed corresponding to the first message.
  • Step 514 the security device determines the CSB detection function of the terminal device.
• in response to the terminal device having the first CSB detection function, and the first CSB detection function being all of the CSB detection functions to be executed corresponding to the first message, steps 515 and 516 are performed; in response to the terminal device having the first CSB detection function, and the first CSB detection function being a part of the CSB detection functions to be executed corresponding to the first message, steps 517 to 519 are performed; in response to the terminal device not having the first CSB detection function, steps 520 and 521 are performed.
  • Step 515 in response to the fact that the terminal device has the first CSB detection function, and the first CSB detection function is all the CSB detection functions to be executed corresponding to the first message, the security device sends the first message to the terminal device.
  • Step 516 the terminal device performs a first CSB detection function on the first packet.
• Step 517 in response to the fact that the terminal device has a first CSB detection function, and the first CSB detection function is part of the CSB detection functions to be executed corresponding to the first message, the security device performs a second CSB detection function on the first message, where the second CSB detection function is the functions other than the first CSB detection function among the CSB detection functions to be executed corresponding to the first message.
  • Step 518 In response to the detection result of the security device performing the second CSB detection function on the first message being safe, the security device sends the first message to the terminal device.
  • Step 519 the terminal device performs a first CSB detection function on the first packet.
  • Step 520 in response to the fact that the terminal device does not have the first CSB detection function, the security device performs all CSB detection functions to be performed on the first packet.
• Step 521 In response to the fact that the security device performs all CSB detection functions to be performed on the first packet and the detection result is safe, the security device sends the first packet to the terminal device.
• steps 513 to 521 are the same as steps 414 to 422 above, and are not repeated here.
  • the security device obtains the CSB detection function information corresponding to the terminal device sent by the terminal device.
  • the security device integrates the function of the capability management device, that is, the capability management function is implemented by the security device.
  • a terminal device remotely accesses the internal network, the terminal device establishes a secure sockets layer (SSL) connection with the security device, and the terminal device sends the second message to the server of the external network based on the HTTPS protocol as an example Be explained.
  • the message processing method provided by the embodiment of the present application is shown in FIG. 7 , including but not limited to step 701 to step 718 .
  • Step 701 the terminal device establishes an SSL connection with the security device.
  • the terminal device unidirectionally authenticates the security device, and in response to passing the authentication, the terminal device establishes an SSL connection with the security device.
  • the terminal device and the security device conduct mutual authentication, and in response to passing the authentication, the terminal device establishes an SSL connection with the security device.
  • The authentication process involved above is similar to step 503 in FIG. 5 or the related description of FIG. 6. Refer to the related description of FIG. 5 or FIG. 6 for the specific process; it is not described in detail here.
  • Step 702 the terminal device sends a login request to the security device.
  • Step 703 the security device forwards the login request to the login authentication device.
  • Step 704 the login authentication device sends the authentication result of the terminal device to the security device.
  • Step 705 the security device forwards the authentication result to the terminal device.
  • For steps 702 to 705, reference may be made to the related content of server authentication in the foregoing; details are not repeated here.
  • the terminal device can perform login authentication through local authentication, server authentication, certificate authentication or other login authentication methods.
  • For the steps of terminal device login authentication, refer to the related content of the login authentication methods above; they are not repeated here.
  • step 706 is executed.
  • Step 706 the terminal device sends the second packet to the server on the external network.
  • the second message carries the CSB detection function information corresponding to the terminal device, and the second message is used to request to acquire resources provided by the server of the external network.
  • Step 707 After the security device intercepts the second message, it obtains the CSB detection function information corresponding to the terminal device.
  • Step 708 the security device forwards the second packet to the server on the external network.
  • Step 709 in response to the second packet, the server of the external network sends the first packet to the terminal device.
  • For steps 706 to 709, reference may be made to the related content of steps 200 and 201 above, which is not repeated here.
  • Step 710 After the security device intercepts the first message, it determines the CSB detection function to be executed corresponding to the first message.
  • Step 711 the security device determines the CSB detection function of the terminal device.
  • In response to the terminal device having the first CSB detection function and the first CSB detection function being all of the CSB detection functions to be executed corresponding to the first message, steps 712 and 713 are performed; in response to the terminal device having the first CSB detection function and the first CSB detection function being only part of the CSB detection functions to be executed corresponding to the first message, steps 714 to 716 are performed; in response to the terminal device not having the first CSB detection function, steps 717 and 718 are performed.
  • Step 712 In response to the fact that the terminal device has a first CSB detection function, and the first CSB detection function is all the CSB detection functions to be executed corresponding to the first message, the security device sends the first message to the terminal device.
  • Step 713 the terminal device performs a first CSB detection function on the first packet.
  • Step 714 in response to the terminal device having a first CSB detection function that is only part of the CSB detection functions to be executed corresponding to the first message, the security device performs a second CSB detection function on the first message, the second CSB detection function being the functions other than the first CSB detection function among the to-be-executed CSB detection functions corresponding to the first message.
  • Step 715 In response to the detection result of the security device performing the second CSB detection function on the first message being safe, the security device sends the first message to the terminal device.
  • Step 716 the terminal device performs a first CSB detection function on the first packet.
  • Step 717 In response to the fact that the terminal device does not have the first CSB detection function, the security device performs all CSB detection functions to be performed on the first packet.
  • Step 718 In response to the fact that the security device performs all the CSB detection functions to be performed on the first message and the detection result is safe, the security device sends the first message to the terminal device.
  • steps 710 to 718 are the same as those of steps 414 to 422 above, and will not be repeated here.
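  • The following is an added example, not code from the patent, of the decision the security device takes in steps 710 to 718, written in Python: it determines the CSB detection functions to be executed for a first message, splits them into the first set (the functions the terminal device has) and the second set (the functions the gateway must run itself), runs the second set, and forwards only on a safe result. The content-type policy table, the toy detectors and all names used are assumptions. The trust boundary this creates deserves attention: the gateway skips exactly the functions the terminal reported having, so that report must be bound to the terminal's authenticated identity (the login authentication and SSL connection of steps 701 to 705); the example fails closed and runs every required function when the terminal's capability is unknown.

```python
"""Gateway-side split of CSB detection between the security device and the
terminal device, following steps 710 to 718. Added example, not the patent's
code: the content-type policy table, the toy detectors and all names are
assumptions made for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, Iterable, Optional, Tuple

# The CSB detection functions the page enumerates.
CSB_FUNCTIONS: FrozenSet[str] = frozenset({"IPS", "AV", "URL", "AIE", "SA"})

# Assumed policy (step 710): functions the security device requires for a first
# message, keyed by the Content-Type of the resource the message carries.
POLICY: Dict[str, FrozenSet[str]] = {
    "text/html": frozenset({"IPS", "URL"}),
    "application/octet-stream": frozenset({"IPS", "AV", "AIE"}),
}
DEFAULT_REQUIRED: FrozenSet[str] = frozenset({"IPS", "AV"})


class Action(Enum):
    FORWARD_UNINSPECTED = "forward; terminal performs all required functions"  # steps 712-713
    FORWARD_PARTIAL = "forward after the gateway ran the second CSB functions"  # steps 714-716
    FORWARD_FULL = "forward after the gateway ran all required functions"      # steps 717-718
    DROP = "gateway detection result unsafe; message not forwarded"


@dataclass(frozen=True)
class Decision:
    action: Action
    gateway_functions: FrozenSet[str]   # the "second" CSB detection functions, run on the gateway
    terminal_functions: FrozenSet[str]  # the "first" CSB detection functions, left to the terminal


def required_functions(content_type: str) -> FrozenSet[str]:
    """Step 710: determine the CSB detection functions to be executed for a first message."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return POLICY.get(media_type, DEFAULT_REQUIRED)


def split_functions(required: Iterable[str],
                    terminal_caps: Optional[Iterable[str]]) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Step 711: first = required functions the terminal has; second = the rest.
    Unknown capability (None) counts as no capability, so the gateway fails closed."""
    required = frozenset(required)
    caps = frozenset(terminal_caps or ()) & CSB_FUNCTIONS
    first = required & caps
    return first, required - first


def process_first_message(content_type: str, payload: bytes,
                          terminal_caps: Optional[Iterable[str]],
                          detectors: Dict[str, Callable[[bytes], bool]]) -> Decision:
    """Steps 710 to 718 for one intercepted first message."""
    required = required_functions(content_type)
    first, second = split_functions(required, terminal_caps)
    # Run only the gateway-side functions; any unsafe verdict stops forwarding.
    for name in sorted(second):
        if not detectors[name](payload):
            return Decision(Action.DROP, second, first)
    if not first:
        action = Action.FORWARD_FULL           # terminal has none of them: gateway ran all
    elif not second:
        action = Action.FORWARD_UNINSPECTED    # terminal has all of them: gateway ran none
    else:
        action = Action.FORWARD_PARTIAL        # split between gateway and terminal
    return Decision(action, second, first)


# Toy stand-ins for the real engines; each returns True when the payload is safe.
# The AV stand-in matches the standard EICAR test string.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
DETECTORS: Dict[str, Callable[[bytes], bool]] = {
    "AV": lambda p: EICAR not in p,
    "IPS": lambda p: b"/bin/sh" not in p,
    "URL": lambda p: b"blocked.example" not in p,
    "AIE": lambda p: True,
    "SA": lambda p: True,
}
```

  • In the partial case a payload containing the EICAR string is forwarded when the terminal reported the AV function, because AV was left to the terminal by design; this is the intended behaviour of the method, and it is the reason the capability report must be trustworthy.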
  • FIG. 8 is a schematic structural diagram of a message processing device provided by an embodiment of the present application.
  • the device is applied to a security device, and the security device is the security device shown in FIGS. 2-7 above.
  • the packet processing apparatus shown in FIG. 8 can perform all or part of the operations performed by the security device.
  • the message processing device with the structure shown in FIG. 8 implements the functions of the security device in the solutions described in the above embodiments.
  • the message processing device implements the functions of the security device described in the related embodiments of FIGS. 2-7, so it can omit performing the first CSB detection function on the first message and thereby reduces the device resources occupied when performing the CSB detection functions.
  • the device may include more additional modules than those shown or omit some of the modules shown therein, which is not limited in this embodiment of the present application. As shown in Figure 8, the device includes:
  • the acquisition module 801 is configured to intercept a first message sent from the external network to the internal network, where the first message is used to carry resources provided by the server of the external network according to the request of the terminal device of the internal network;
  • a determining module 802 configured to determine the CSB detection function to be executed corresponding to the first message
  • the processing module 803 is configured to omit performing the first CSB detection function on the first message before forwarding the first message to the terminal device, in response to the terminal device having the first CSB detection function, wherein the first CSB detection function is all or part of the CSB detection functions to be executed corresponding to the first message.
  • the first CSB detection function is a part of the CSB detection function to be executed corresponding to the first message
  • the processing module 803 is also used to perform the second CSB detection function on the first message
  • the second CSB detection function is a function other than the first CSB detection function among the to-be-executed CSB detection functions corresponding to the first message.
  • the obtaining module 801 is also configured to intercept a second message sent by the terminal device, the second message being used to request the resource provided by the server of the external network, and to obtain the CSB detection function of the terminal device based on the second message; the determination module 802 is further configured to determine that the terminal device has the first CSB detection function according to the CSB detection function of the terminal device and the CSB detection function to be executed corresponding to the first message.
  • the second message includes the identity keyword of the terminal device
  • the obtaining module 801 is configured to obtain the identity keyword of the terminal device included in the second message by parsing the second message, and to obtain the CSB detection function of the terminal device according to the identity keyword of the terminal device.
  • the obtaining module 801 is configured to send a query request to the capability management device, the capability management device storing the CSB detection function information corresponding to the terminal device, where the query request carries the identity keyword of the terminal device,
  • the CSB detection function information corresponding to the terminal device is used to indicate the CSB detection function that the terminal device has;
  • the obtaining module 801 receives the CSB detection function information corresponding to the terminal device that the capability management device sends in response to the query request, and determines the CSB detection function that the terminal device has according to that CSB detection function information.
  • the obtaining module 801 is configured to send a query request to the capability management device based on HTTP, HTTPS or API.
  • the obtaining module 801 is configured to query the correspondence between identity keywords and CSB detection functions stored in the security device according to the identity keyword of the terminal device, and to obtain the CSB detection function corresponding to the identity keyword of the terminal device.
  • the identity keyword includes at least one of a random ID, an IP address, or user information in a local certificate.
  • the second message carries the CSB detection function information corresponding to the terminal device
  • the obtaining module 801 is configured to obtain the CSB detection function information corresponding to the terminal device carried in the second message by parsing the second message, and to determine the CSB detection function of the terminal device according to the CSB detection function information corresponding to the terminal device carried in the second message.
  • the CSB detection function to be executed includes at least one of an IPS detection function, an AV detection function, a URL detection function, an AIE detection function, or an SA detection function.
  • the terminal device is a device that completes login authentication
  • the login authentication manner includes any one of local authentication, server authentication, or certificate authentication.
  • FIG. 9 is a schematic structural diagram of a message processing apparatus provided by an embodiment of the present application.
  • the apparatus is applied to a terminal device, and the terminal device is the terminal device shown in FIGS. 2-7 above.
  • the packet processing apparatus shown in FIG. 9 can perform all or part of the operations performed by the terminal device.
  • the packet processing apparatus with the structure shown in FIG. 9 implements the functions of the terminal equipment in the solutions described in the above embodiments.
  • the packet processing apparatus is a function of the terminal device described in the related embodiments in FIGS. 2-7, and can perform a first CSB detection function on the received first packet.
  • the device may include more additional modules than those shown or omit some of the modules shown therein, which is not limited in this embodiment of the present application.
  • the device includes:
  • the supply module 901 is configured to provide other devices with CSB detection function information corresponding to the terminal device, where the CSB detection function information corresponding to the terminal device is used to indicate the CSB detection function that the terminal device has;
  • the receiving module 902 is configured to receive a first message sent by the security device, where the security device is deployed on the boundary between the external network and the internal network, and the first message is used to carry the resources provided by the server of the external network according to the request of the terminal device,
  • the first message is a message for which the security device does not perform the first CSB detection function, and the CSB detection function of the terminal device includes the first CSB detection function;
  • the processing module 903 is configured to perform a first CSB detection function on the first packet.
  • the supply module 901 is configured to send a third message to the capability management device, the third message carrying the CSB detection function information corresponding to the terminal device, and the capability management device being used to store the CSB detection function information corresponding to the terminal device.
  • the supply module 901 is configured to send a third message to the security device, the third message carrying the CSB detection function information corresponding to the terminal device, and the security device being used to store the CSB detection function information corresponding to the terminal device.
  • the supply module 901 is configured to send a second message to a server on the external network, where the second message is used to request to acquire resources provided by the server on the external network, and the second message carries the CSB detection function information corresponding to the terminal device.
  • the second message is a message transmitted based on HTTPS
  • the CSB detection function information corresponding to the terminal device is carried in the Cookie, the URL parameter, the HTTPS header field, or the HTTPS custom field of the second message.
  • the second message is a message based on HTTP transmission
  • the CSB detection function information corresponding to the terminal device is carried in the Cookie, or the HTTP header field, or the HTTP custom field of the second message.
  • the second message is a message transmitted based on FTP
  • the CSB detection function information corresponding to the terminal device is carried in an FTP redundant field or an FTP custom field of the second message.
  • the device further includes: a sending module, configured to send a second message to a server on an external network, where the second message is used to request resources provided by the server on the external network, and the second message includes an identity keyword of the terminal device, the identity keyword being used to obtain the CSB detection function of the terminal device.
  • in response to the other device being a capability management device, the receiving module 902 is also configured to receive the random ID of the terminal device sent by the capability management device, the random ID of the terminal device being used as the identity keyword of the terminal device; or, in response to the other device being a security device, the receiving module 902 is also configured to receive the random ID of the terminal device sent by the security device, the random ID of the terminal device being used as the identity keyword of the terminal device.
  • the third packet further includes the IP address of the terminal device, and the IP address of the terminal device is used as the identity keyword of the terminal device.
  • the third message further includes a local certificate of the terminal device, and the user information in the local certificate of the terminal device is used as the identity keyword of the terminal device.
  • the CSB detection function of the terminal device includes at least one of an IPS detection function, an AV detection function, a URL detection function, an AIE detection function, or an SA detection function.
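  • An added example, not code from the patent, in Python, of how the security device can extract the CSB detection function information carried in the second message from the HTTP/HTTPS header field, the Cookie or a URL parameter as listed above, and, when the message carries only an identity keyword (a random ID or the IP address), resolve it through the correspondence stored on the security device as described for the obtaining module 801. The header, cookie and parameter names, the comma-separated encoding, the lookup order and the sample requests are assumptions; the FTP variant is not covered. Only values matching the function names the page defines are accepted, so a terminal cannot inject arbitrary strings into the gateway's capability table.

```python
"""Extracting the CSB detection function information a terminal device carries in
its second message (here an HTTP/1.1 request after the SSL connection to the
security device has been terminated) from the custom header field, the Cookie or
a URL parameter, and falling back to the identity keyword when the message
carries none. Added example, not the patent's code: the header, cookie and
parameter names, the comma-separated encoding, the lookup order and the sample
requests are assumptions; FTP carriage is not covered."""
from typing import Dict, FrozenSet, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

CSB_FUNCTIONS: FrozenSet[str] = frozenset({"IPS", "AV", "URL", "AIE", "SA"})
CSB_HEADER = "x-csb-functions"    # assumed custom header field
CSB_COOKIE = "csb_functions"      # assumed cookie name
CSB_PARAM = "csb"                 # assumed URL parameter
ID_HEADER = "x-csb-terminal-id"   # assumed header carrying the random ID (identity keyword)


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Request line and headers of a plaintext HTTP/1.1 request; header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def parse_csb_list(value: str) -> FrozenSet[str]:
    """Accept only the function names the page defines; anything else is dropped."""
    return frozenset(v.strip().upper() for v in value.split(",")) & CSB_FUNCTIONS


def cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Value of one cookie in a Cookie request header, or None if it is not present."""
    for pair in cookie_header.split(";"):
        key, _, value = pair.strip().partition("=")
        if key == name:
            return value
    return None


def csb_functions_from_request(raw: bytes) -> Optional[FrozenSet[str]]:
    """Header first, then Cookie, then URL parameter (assumed order); None when absent."""
    _method, target, headers = parse_request(raw)
    if CSB_HEADER in headers:
        return parse_csb_list(headers[CSB_HEADER])
    if "cookie" in headers:
        value = cookie_value(headers["cookie"], CSB_COOKIE)
        if value is not None:
            return parse_csb_list(value)
    query = parse_qs(urlsplit(target).query)
    if CSB_PARAM in query:
        return parse_csb_list(query[CSB_PARAM][0])
    return None


def identity_keyword(raw: bytes, client_ip: str) -> str:
    """Random ID from the assumed header when present, otherwise the terminal's IP address."""
    _method, _target, headers = parse_request(raw)
    return headers.get(ID_HEADER, client_ip)


def terminal_capabilities(raw: bytes, client_ip: str,
                          table: Dict[str, FrozenSet[str]]) -> Optional[FrozenSet[str]]:
    """Information carried in the second message is used when present; otherwise the
    identity keyword is looked up in the correspondence stored on the security device."""
    carried = csb_functions_from_request(raw)
    if carried is not None:
        return carried
    return table.get(identity_keyword(raw, client_ip))


# Constructed sample second messages (not captured traffic).
REQ_HEADER = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
              b"X-CSB-Functions: av, url\r\nX-CSB-Terminal-Id: 7f3a9c\r\n\r\n")
REQ_COOKIE = (b"GET /a HTTP/1.1\r\nHost: www.example.com\r\n"
              b"Cookie: sid=abc; csb_functions=IPS,AV\r\n\r\n")
REQ_PARAM = b"GET /a?x=1&csb=SA,bogus HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_NONE = b"GET /a HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
```

  • When the lookup returns None (no information carried and no stored correspondence), the security device should treat the terminal as having no CSB detection function and perform all of them itself, as in steps 717 and 718.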
  • the apparatus further includes: a request module, configured to send a login request to the security device, where the login request includes user information, and to receive an authentication result sent by the security device based on the user information, the authentication result being used to indicate whether the terminal device has logged in successfully; in response to the successful login of the terminal device, the supply module 901 performs the operation of providing the CSB detection function information corresponding to the terminal device to other devices.
  • the apparatus further includes: a request module, configured to send a login request to the login authentication device, where the login request includes user information; receive an authentication result sent by the login authentication device based on the user information, and the authentication result is used to indicate Whether the terminal device has successfully logged in; in response to the successful login of the terminal device, the supply module 901 performs an operation of providing other devices with CSB detection function information corresponding to the terminal device.
  • the apparatus further includes: a request module, configured to send a login request to the login authentication device, where the login request includes the local certificate of the terminal device, and to receive the authentication result sent by the login authentication device based on the local certificate of the terminal device, the authentication result being used to indicate whether the terminal device has logged in successfully; in response to the successful login of the terminal device, the supply module 901 performs the operation of providing other devices with the CSB detection function information corresponding to the terminal device.
  • FIG. 10 shows a schematic structural diagram of a packet processing device 2000 provided by an exemplary embodiment of the present application.
  • the packet processing device 2000 shown in FIG. 10 may be a security device or a terminal device, and is configured to perform operations involved in the packet processing method shown in FIGS. 2-7 above.
  • the packet processing device 2000 is, for example, a switch, a router, etc., and the packet processing device 2000 may be implemented by a general bus architecture.
  • the packet processing device 2000 includes at least one processor 2001 , a memory 2003 and at least one communication interface 2004 .
  • the processor 2001 is, for example, a general-purpose central processing unit (CPU), a digital signal processor (DSP), a network processor (NP), a graphics processing unit (GPU), a neural-network processing unit (NPU), a data processing unit (DPU), a microprocessor, or one or more integrated circuits for implementing the solution of this application.
  • the processor 2001 includes an application-specific integrated circuit (application-specific integrated circuit, ASIC), a programmable logic device (programmable logic device, PLD) or other programmable logic devices, transistor logic devices, hardware components or any combination thereof.
  • the PLD is, for example, a complex programmable logic device (complex programmable logic device, CPLD), a field-programmable gate array (field-programmable gate array, FPGA), a general array logic (generic array logic, GAL) or any combination thereof. It can realize or execute various logical blocks, modules and circuits described in conjunction with the disclosure of the embodiments of the present application.
  • the processor may also be a combination for realizing computing functions, for example, a combination of one or more microprocessors, a combination of DSP and a microprocessor, and so on.
  • the packet processing device 2000 further includes a bus.
  • the bus is used to transfer information between the various components of the message processing device 2000.
  • the bus may be a peripheral component interconnect standard (PCI for short) bus or an extended industry standard architecture (EISA for short) bus or the like.
  • the bus can be divided into address bus, data bus, control bus and so on. For ease of representation, only one thick line is used in FIG. 10 , but it does not mean that there is only one bus or one type of bus.
  • the memory 2003 is, for example, a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto.
  • the memory 2003 exists independently, for example, and is connected to the processor 2001 via a bus.
  • the memory 2003 can also be integrated with the processor 2001.
  • the communication interface 2004 uses any device such as a transceiver to communicate with other devices or a communication network.
  • the communication network can be Ethernet, radio access network (RAN) or wireless local area network (wireless local area network, WLAN).
  • the communication interface 2004 may include a wired communication interface, and may also include a wireless communication interface.
  • the communication interface 2004 can be an Ethernet interface, a fast Ethernet (FE) interface, a gigabit Ethernet (GE) interface, an asynchronous transfer mode (ATM) interface, a wireless local area network (WLAN) interface, a cellular network communication interface, or a combination thereof.
  • the Ethernet interface can be an optical interface, an electrical interface or a combination thereof.
  • the communication interface 2004 may be used for the packet processing device 2000 to communicate with other devices.
  • the processor 2001 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 10 .
  • Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor.
  • a processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (eg, computer program instructions).
  • the packet processing device 2000 may include multiple processors, such as the processor 2001 and the processor 2005 shown in FIG. 10 .
  • processors can be a single-core processor (single-CPU) or a multi-core processor (multi-CPU).
  • a processor herein may refer to one or more devices, circuits, and/or processing cores for processing data such as computer program instructions.
  • the packet processing device 2000 may further include an output device and an input device.
  • Output devices communicate with processor 2001 and can display information in a variety of ways.
  • the output device may be a liquid crystal display (liquid crystal display, LCD), a light emitting diode (light emitting diode, LED) display device, a cathode ray tube (cathode ray tube, CRT) display device, or a projector (projector).
  • the input device communicates with the processor 2001 and can receive user input in various ways.
  • the input device may be a mouse, a keyboard, a touch screen device, or a sensing device, among others.
  • the memory 2003 is used to store program instructions 2010 for implementing the solution of the present application
  • the processor 2001 can execute the program instructions 2010 stored in the memory 2003 . That is, the packet processing device 2000 can implement the packet processing method provided by the method embodiment through the processor 2001 and the program instructions 2010 in the memory 2003 .
  • One or more software modules may be included in the program instructions 2010 .
  • the processor 2001 itself may also store program codes or instructions for executing the solutions of the present application.
  • the message processing device 2000 in the embodiment of the present application may correspond to the security device in the above embodiments of the message processing method, and the processor 2001 in the message processing device 2000 reads the instructions in the memory 2003, which enables the message processing device 2000 shown in FIG. 10 to perform all or part of the operations performed by the security device.
  • the message processing device 2000 in the embodiment of the present application may correspond to the terminal device in each of the foregoing message processing method embodiments, and the processor 2001 in the message processing device 2000 reads the instructions in the memory 2003, which enables the packet processing device 2000 shown in FIG. 10 to perform all or part of the operations performed by the terminal device.
  • the packet processing device 2000 may also correspond to the packet processing device shown in FIGS. In other words, the functional modules included in the message processing apparatus are generated after the processor 2001 of the message processing device 2000 reads the program instructions 2010 stored in the memory 2003 .
  • each step of the message processing method shown in FIGS. 2-7 is completed by an integrated logic circuit of hardware in a processor of the message processing device 2000 or an instruction in the form of software.
  • the steps of the methods disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules in the processor.
  • the software module can be located in a mature storage medium in the field such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, register.
  • the storage medium is located in the memory, and the processor reads the information in the memory, and completes the steps of the above method in combination with its hardware. To avoid repetition, no detailed description is given here.
  • FIG. 11 shows a schematic structural diagram of a packet processing device 2100 provided in another exemplary embodiment of the present application.
  • the packet processing device 2100 shown in FIG. 11 may be a security device or a terminal device, and is configured to perform all or part of the operations involved in the packet processing method shown in FIGS. 2-7 above.
  • the packet processing device 2100 is, for example, a switch, a router, etc., and the packet processing device 2100 may be implemented by a general bus architecture.
  • the packet processing device 2100 includes: a main control board 2110 and an interface board 2130 .
  • the main control board is also called a main processing unit (MPU) or a route processor card, and is used for device management, device maintenance and protocol processing.
  • the main control board 2110 includes: a central processing unit 2111 and a memory 2112 .
  • the interface board 2130 is also called a line interface unit card (line processing unit, LPU), a line card (line card), or a service board.
  • the interface board 2130 is used to provide various service interfaces and implement data packet forwarding.
  • the service interface includes but not limited to Ethernet interface, POS (packet over SONET/SDH) interface, etc., and the Ethernet interface is, for example, flexible Ethernet service interface (flexible ethernet clients, FlexE Clients).
  • the interface board 2130 includes: a central processing unit 2131 , a network processor 2132 , a forwarding entry storage 2134 and a physical interface card (physical interface card, PIC) 2133 .
  • the central processor 2131 on the interface board 2130 is used to control and manage the interface board 2130 and communicate with the central processor 2111 on the main control board 2110 .
  • the network processor 2132 is configured to implement message forwarding processing.
  • the form of the network processor 2132 may be a forwarding chip.
  • the forwarding chip may be a network processor (network processor, NP).
  • the forwarding chip may be implemented by an application-specific integrated circuit (application-specific integrated circuit, ASIC) or a field programmable gate array (field programmable gate array, FPGA).
  • the network processor 2132 is used to forward received messages based on the forwarding table stored in the forwarding entry storage 2134. If the destination address of a message is the address of the message processing device 2100, the message is sent to a CPU (such as the central processing unit 2131) for processing; if the destination address of the message is not the address of the message processing device 2100, the next hop and outgoing interface corresponding to that destination address are looked up in the forwarding table, and the message is forwarded to the outgoing interface corresponding to the destination address.
  • the processing of the uplink message may include: processing of the inbound interface of the message, forwarding table search; the processing of the downlink message may include: forwarding table search and so on.
  • the central processing unit can also perform the function of the forwarding chip, such as implementing software forwarding based on a general-purpose CPU, so that no forwarding chip is needed in the interface board.
  • the physical interface card 2133 is used to implement the interconnection function of the physical layer, through which the original traffic enters the interface board 2130 , and the processed packets are sent out from the physical interface card 2133 .
  • the physical interface card 2133 is also called a daughter card, which can be installed on the interface board 2130, and is responsible for converting the photoelectric signal into a message, checking the validity of the message and forwarding it to the network processor 2132 for processing.
  • the central processor 2131 can also execute the functions of the network processor 2132 , such as implementing software forwarding based on a general-purpose CPU, so that the physical interface card 2133 does not need the network processor 2132 .
  • the packet processing device 2100 includes a plurality of interface boards, for example, the packet processing device 2100 further includes an interface board 2140, and the interface board 2140 includes: a central processing unit 2141, a network processor 2142, a forwarding entry storage 2144 and a physical interface card 2143.
  • the functions and implementation methods of the components in the interface board 2140 are the same as or similar to those of the interface board 2130 , and will not be repeated here.
  • the packet processing device 2100 further includes a switching fabric unit 2120 .
  • the switching fabric unit 2120 may also be called a switch fabric unit (switch fabric unit, SFU).
  • the switching fabric board 2120 is used to complete the data exchange between the interface boards.
  • the interface board 2130 and the interface board 2140 may communicate through the SFU 2120 .
  • the main control board 2110 is coupled to the interface board.
  • the main control board 2110, the interface board 2130, the interface board 2140, and the switching fabric board 2120 are connected to the system backplane through the system bus to realize intercommunication.
  • the packet processing device 2100 includes a control plane and a forwarding plane.
  • the control plane includes a main control board 2110 and a central processing unit 2111.
  • the forwarding plane includes various components for performing forwarding, such as a forwarding entry storage 2134, a physical interface card 2133 and network processor 2132 .
  • the control plane runs routing functions, generates forwarding tables, processes signaling and protocol packets, configures and maintains the status of network devices, and performs other functions.
  • the control plane sends the generated forwarding tables to the forwarding plane.
  • the network processor 2132 looks up the forwarding table issued by the control plane and forwards the packets received by the physical interface card 2133 accordingly.
  • the forwarding table issued by the control plane may be stored in the forwarding table item storage 2134 . In some embodiments, the control plane and the forwarding plane can be completely separated and not on the same network device.
  • there may be one or more main control boards, and when there are multiple main control boards, they may include an active main control board and a standby main control board. There may be one or more interface boards; the stronger the data processing capability of the packet processing device, the more interface boards it provides. There may also be one or more physical interface cards on an interface board. There may be no SFU, or there may be one or more SFUs; when there are multiple SFUs, they can jointly implement load sharing and redundant backup. Under the centralized forwarding architecture, the packet processing device does not need a switching fabric board, and the interface board undertakes the processing of the service data of the entire system.
  • the message processing device can have at least one SFU, and the data exchange between multiple interface boards can be realized through the SFU, providing large-capacity data exchange and processing capabilities. Therefore, the data access and processing capability of the packet processing device with distributed architecture is greater than that of the packet processing device with centralized architecture.
  • the packet processing device may also take the form of a single board, that is, there is no switching fabric board, and the functions of the interface board and the main control board are integrated on this one board. In this case, the central processing unit on the interface board and the central processing unit on the main control board can be combined into one central processing unit on the board to perform the combined functions of the two.
  • the data exchange and processing capabilities of this form of message processing equipment are low (for example, low-end network devices such as switches or routers). Which architecture to use depends on the specific networking deployment scenario, and there is no limitation here.
  • the packet processing device 2100 corresponds to the packet processing apparatus applied to a security device shown in FIG. 8 above.
  • the acquiring module 801 in the packet processing apparatus shown in FIG. 8 is equivalent to the physical interface card 2133 in the packet processing device 2100; the determining module 802 and the processing module 803 are equivalent to the CPU 2111 or network processor 2132.
  • the packet processing device 2100 also corresponds to the packet processing apparatus applied to the terminal device shown in FIG. 9 above.
  • the supply module 901 in the message processing apparatus shown in FIG. 9 is equivalent to the physical interface card 2133 in the message processing device 2100; the receiving module 902 and the processing module 903 are equivalent to the CPU 2111 or network processor 2132.
  • the embodiment of the present application further provides a message processing system, which includes: a security device and a terminal device.
  • the security device is the message processing device 2000 shown in FIG. 10 or the message processing device 2100 shown in FIG. 11, and the terminal device is the message processing device 2000 shown in FIG. 10 or the message processing device 2100 shown in FIG. 11.
  • the embodiment of the present application also provides a communication device, which includes: a transceiver, a memory, and a processor.
  • the transceiver, the memory and the processor communicate with each other through an internal connection path, the memory is used to store instructions, and the processor is used to execute the instructions stored in the memory to control the transceiver to receive signals and to send signals; when the processor executes the instructions stored in the memory, the processor is made to execute the message processing method required by the security device.
  • the embodiment of the present application also provides a communication device, which includes: a transceiver, a memory, and a processor.
  • the transceiver, the memory and the processor communicate with each other through an internal connection path, the memory is used to store instructions, and the processor is used to execute the instructions stored in the memory to control the transceiver to receive signals and to send signals; when the processor executes the instructions stored in the memory, the processor is made to execute the message processing method required by the terminal device.
  • the processor may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (digital signal processing, DSP), an application specific integrated circuit (application specific integrated circuit, ASIC), a field-programmable gate array (field-programmable gate array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
  • a general purpose processor may be a microprocessor or any conventional processor or the like. It should be noted that the processor may be a processor supporting advanced RISC machines (ARM) architecture.
  • the above-mentioned memory may include a read-only memory and a random-access memory, and provide instructions and data to the processor.
  • Memory may also include non-volatile random access memory.
  • the memory may also store device type information.
  • the memory can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory.
  • the non-volatile memory can be read-only memory (read-only memory, ROM), programmable read-only memory (programmable ROM, PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrically erasable programmable read-only memory (electrically EPROM, EEPROM) or flash memory.
  • Volatile memory can be random access memory (RAM), which acts as external cache memory. By way of illustration and not limitation, many forms of RAM are available.
  • for example, the RAM may be static random access memory (static RAM, SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchronous link dynamic random access memory (synchlink DRAM, SLDRAM) or direct memory bus random access memory (direct rambus RAM, DR RAM).
  • the embodiment of the present application also provides a computer-readable storage medium, where at least one instruction is stored in the storage medium, and the instruction is loaded and executed by a processor to implement any one of the packet processing methods described above.
  • the embodiment of the present application also provides a computer program (product).
  • the processor or the computer can execute each step and/or process of the corresponding message processing method in the above method embodiment.
  • the embodiment of the present application also provides a chip, including a processor, configured to call and execute instructions stored in a memory, so that the communication device in which the chip is installed executes the message processing method in the above aspects.
  • the embodiment of the present application also provides another chip, including: an input interface, an output interface, a processor, and a memory, where the input interface, the output interface, the processor, and the memory are connected through an internal connection path, the processor is configured to execute the code in the memory, and when the code is executed, the processor executes the message processing method in the above aspects.
  • all or part of them may be implemented by software, hardware, firmware or any combination thereof.
  • when implemented using software, it may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on the computer, the processes or functions according to the present application will be generated in whole or in part.
  • the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server, or data center by wired (e.g., coaxial cable, optical fiber, DSL) or wireless (e.g., infrared, radio, microwave) means.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center integrated with one or more available media.
  • the available medium may be a magnetic medium (such as a floppy disk, a hard disk, or a magnetic tape), an optical medium (such as a DVD), or a semiconductor medium (such as a solid state disk).
  • the computer program product includes one or more computer program instructions.
  • the methods of embodiments of the present application may be described in the context of machine-executable instructions, such as program modules included in a device executed on a real or virtual processor of a target.
  • program modules include routines, programs, libraries, objects, classes, components, data structures, etc. that perform particular tasks or implement particular abstract data structures.
  • the functionality of the program modules may be combined or divided between the described program modules.
  • Machine-executable instructions for program modules may be executed locally or in distributed devices. In a distributed device, program modules may be located in both local and remote storage media.
  • the disclosed systems, devices and methods may be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the modules is only a logical function division. In actual implementation, there may be other division methods.
  • multiple modules or components can be combined or integrated into another system, or some features may be ignored or not implemented.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, devices or modules, and may also be electrical, mechanical or other forms of connection.
  • the modules described as separate components may or may not be physically separated, and the components displayed as modules may or may not be physical modules, that is, they may be located in one place, or may be distributed to multiple network modules. Part or all of the modules can be selected according to actual needs to achieve the purpose of the solution of the embodiment of the present application.
  • each functional module in each embodiment of the present application may be integrated into one processing module, each module may exist separately physically, or two or more modules may be integrated into one module.
  • the above-mentioned integrated modules can be implemented in the form of hardware or in the form of software function modules.
  • a computer-readable storage medium may be any tangible medium that contains or stores a program for or related to an instruction execution system, apparatus, or device.
  • the computer readable storage medium may be a machine readable signal medium or a machine readable storage medium.
  • a computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination thereof.
  • computer-readable storage media include an electrical connection with one or more wires, a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash), optical storage, magnetic storage, or any suitable combination thereof.

Abstract

The present application provides a packet processing method and apparatus, a device, a system, and a readable storage medium. The method comprises: a terminal device provides CSB detection function information corresponding to the terminal device to other devices; a security device intercepts a first packet sent from an external network to an internal network; after intercepting the first packet, the security device determines the CSB detection functions to be performed for the first packet; in response to the terminal device having all or part of those CSB detection functions, the security device omits performing all or part of them on the first packet before forwarding the first packet to the terminal device; and the terminal device receives the first packet sent by the security device and performs on it the CSB detection functions that the security device did not perform. According to the method, the device resources a security gateway occupies when performing CSB detection can be reduced, and the performance requirements placed on the security device by the CSB detection function can be lowered.

Description

Packet processing method, apparatus, device, system and readable storage medium
This application claims priority to Chinese patent application No. 202110714768.5, entitled "Content security detection method, apparatus and system", filed on June 26, 2021, which is incorporated herein by reference in its entirety; this application also claims priority to Chinese patent application No. 202111069732.2, entitled "Packet processing method, apparatus, device, system and readable storage medium", filed on September 13, 2021, which is incorporated herein by reference in its entirety.
Technical field
The present application relates to the field of communications technology, and in particular to a packet processing method, apparatus, device, system and readable storage medium.
Background
With the rapid development of the Internet, network traffic has grown explosively. A security gateway device needs to perform content security business (content security business, CSB) detection and other processing on the network traffic flowing through it, so that the network devices of the internal network can operate safely. With the explosive traffic growth brought by increasingly varied Internet services, and with CSB functions becoming more diverse and complex, the limited processing capacity of the security gateway device is more likely to become a service bottleneck.
One related technique for easing the bottleneck is to replace the security gateway device with one that has a higher-performance central processing unit (central processing unit, CPU) and more memory. However, this technique has a high hardware cost, and the replacement high-performance security gateway device must be debugged before it is put into service on the network, which requires a long development and debugging cycle. The technique is therefore expensive to implement.
Summary
The present application proposes a packet processing method, apparatus, device, system and readable storage medium, so as to lower the performance requirements that performing the CSB detection function places on a security device and to reduce the device resources the security device occupies when performing CSB detection.
In a first aspect, a packet processing method is provided. The method is applied to a security device deployed at the boundary between an external network and an internal network, and includes: the security device intercepts a first packet sent from the external network to the internal network, where the first packet carries a resource provided by a server of the external network in response to a request from a terminal device of the internal network; after intercepting the first packet, the security device determines the CSB detection functions to be performed for the first packet; in response to the terminal device having a first CSB detection function, the security device omits performing the first CSB detection function on the first packet before forwarding the first packet to the terminal device, where the first CSB detection function is all or part of the CSB detection functions to be performed for the first packet.
By having the security device omit the first CSB detection function on the first packet, the method reduces the device resources the security device occupies when performing the CSB detection function, and therefore lowers the performance requirements that the CSB detection function places on the security device. In addition, because the method reduces the device resources occupied by the CSB detection function, the unoccupied resources of the security device can be used for other functions, improving the performance of the security device.
In a possible implementation, the first CSB detection function is part of the CSB detection functions to be performed for the first packet, and before the security device forwards the first packet to the terminal device, the method further includes: the security device performs a second CSB detection function on the first packet, where the second CSB detection function consists of the CSB detection functions to be performed for the first packet other than the first CSB detection function.
Because the first CSB detection function possessed by the terminal device is only part of the CSB detection functions to be performed for the first packet, the security device performs the second CSB detection function, that is, the functions other than the first CSB detection function, so that the security device and the terminal device together complete the CSB detection for the first packet. This ensures the security of the first packet while reducing the resource consumption of the security device.
In a possible implementation, before the security device intercepts the first packet sent from the external network to the internal network, the method further includes: the security device intercepts a second packet sent by the terminal device, where the second packet requests a resource provided by a server of the external network; based on the second packet, the security device obtains the CSB detection functions the terminal device has. After the security device determines the CSB detection functions to be performed for the first packet, the method further includes: the security device determines, from the CSB detection functions the terminal device has and the CSB detection functions to be performed for the first packet, that the terminal device has the first CSB detection function.
In a possible implementation, the second packet includes an identity key of the terminal device, and obtaining, by the security device based on the second packet, the CSB detection functions the terminal device has includes: the security device parses the second packet to obtain the identity key of the terminal device included in the second packet, and obtains the CSB detection functions the terminal device has according to that identity key.
In a possible implementation, obtaining, by the security device according to the identity key of the terminal device, the CSB detection functions the terminal device has includes: the security device sends a query request to a capability management device that stores the CSB detection function information corresponding to the terminal device, where the query request carries the identity key of the terminal device and the CSB detection function information corresponding to the terminal device indicates the CSB detection functions the terminal device has; the security device receives the CSB detection function information corresponding to the terminal device that the capability management device sends in response to the query request; and the security device determines the CSB detection functions the terminal device has according to that CSB detection function information.
In a possible implementation, sending the query request to the capability management device includes sending the query request to the capability management device based on HTTP, HTTPS or an API. The method is therefore flexible in how the query request is sent.
In a possible implementation, obtaining, by the security device according to the identity key of the terminal device, the CSB detection functions the terminal device has includes: the security device looks up, according to the identity key of the terminal device, a correspondence between identity keys and CSB detection functions stored on the security device, and obtains the CSB detection functions corresponding to the identity key of the terminal device. Because the information on the CSB detection functions of the terminal device can be stored either on the capability management device or on the security device, the method is flexible in where that information is stored.
In a possible implementation, the identity key includes at least one of a random ID, an IP address, or user information in a local certificate. The type of identity key of the terminal device is therefore flexible, and because the identity key can include several types of information, the first CSB detection function of the terminal device is obtained from the identity key with higher accuracy.
In a possible implementation, the second packet carries the CSB detection function information corresponding to the terminal device, and obtaining, by the security device based on the second packet, the CSB detection functions the terminal device has includes: the security device parses the second packet to obtain the CSB detection function information corresponding to the terminal device carried in the second packet, and determines the CSB detection functions the terminal device has according to that information. Because the second packet can directly carry the CSB detection function information corresponding to the terminal device, the security device obtains that information simply by parsing the second packet, which makes the acquisition efficient.
In a possible implementation, the CSB detection functions to be performed include at least one of an IPS detection function, an AV detection function, a URL detection function, an AIE detection function, or an SA detection function.
In a possible implementation, the terminal device is a device that has completed login authentication, and the login authentication is any one of local authentication, server authentication, or certificate authentication.
In a second aspect, a packet processing method is provided. The method is applied to a terminal device deployed in an internal network, and includes:
the terminal device provides CSB detection function information corresponding to the terminal device to other devices, where the CSB detection function information corresponding to the terminal device indicates the CSB detection functions the terminal device has; the terminal device receives a first packet sent by a security device, where the security device is deployed at the boundary between an external network and the internal network, the first packet carries a resource provided by a server of the external network in response to a request from the terminal device, the first packet is a packet on which the security device has not performed a first CSB detection function, and the CSB detection functions the terminal device has include the first CSB detection function; the terminal device performs the first CSB detection function on the first packet. Because the terminal device performs, on the first packet, the CSB detection function that the security device did not perform, the method ensures the security of the first packet.
In a possible implementation, providing, by the terminal device, the CSB detection function information corresponding to the terminal device to other devices includes: the terminal device sends a third packet to a capability management device, where the third packet carries the CSB detection function information corresponding to the terminal device and the capability management device stores that information.
In a possible implementation, providing, by the terminal device, the CSB detection function information corresponding to the terminal device to other devices includes: the terminal device sends a third packet to the security device, where the third packet carries the CSB detection function information corresponding to the terminal device and the security device stores that information.
In a possible implementation, providing, by the terminal device, the CSB detection function information corresponding to the terminal device to other devices includes: the terminal device sends a second packet to a server of the external network, where the second packet requests a resource provided by the server and carries the CSB detection function information corresponding to the terminal device.
In a possible implementation, the second packet is transmitted over HTTPS, and the CSB detection function information corresponding to the terminal device is carried in a Cookie, a URL parameter, an HTTPS header field, or an HTTPS custom field of the second packet.
In a possible implementation, the second packet is transmitted over HTTP, and the CSB detection function information corresponding to the terminal device is carried in a Cookie, an HTTP header field, or an HTTP custom field of the second packet.
In a possible implementation, the second packet is transmitted over FTP, and the CSB detection function information corresponding to the terminal device is carried in an FTP redundant field or an FTP custom field of the second packet. Because the second packet can be transmitted over different transport protocols, the method is flexible in how the second packet is transmitted. In addition, because the second packet can carry the CSB detection function information corresponding to the terminal device in different ways, the method is flexible in how that information is carried.
在一种可能的实现方式中,终端设备向其他设备提供终端设备对应的CSB检测功能信息之后,还包括:终端设备向外部网络的服务器发送第二报文,第二报文用于请求获取外部网络的服务器提供的资源,其中,第二报文包括终端设备的身份关键字,身份关键字用于获取终端设备具有的CSB检测功能。In a possible implementation manner, after the terminal device provides the CSB detection function information corresponding to the terminal device to other devices, it further includes: the terminal device sends a second message to the server of the external network, and the second message is used to request to obtain the external The resource provided by the server of the network, wherein the second packet includes an identity key of the terminal device, and the identity key is used to obtain the CSB detection function of the terminal device.
在一种可能的实现方式中,响应于其他设备为能力管理设备,终端设备向其他设备提供终端设备对应的CSB检测功能信息之后,还包括:终端设备接收能力管理设备发送的终端设备的随机ID,终端设备的随机ID用于作为终端设备的身份关键字;或响应于其他设备为安全 设备,终端设备向其他设备提供终端设备对应的CSB检测功能信息之后,还包括:终端设备接收安全设备发送的终端设备的随机ID,终端设备的随机ID用于作为终端设备的身份关键字。In a possible implementation manner, in response to the other device being a capability management device, after the terminal device provides other devices with the CSB detection function information corresponding to the terminal device, it further includes: the terminal device receives the random ID of the terminal device sent by the capability management device , the random ID of the terminal device is used as the identity key of the terminal device; or in response to other devices being security devices, after the terminal device provides the CSB detection function information corresponding to the terminal device to other devices, it also includes: the terminal device receives the information sent by the security device The random ID of the terminal device, the random ID of the terminal device is used as the identity key of the terminal device.
在一种可能的实现方式中,第三报文还包括终端设备的IP地址,终端设备的IP地址用于作为终端设备的身份关键字。In a possible implementation manner, the third packet further includes the IP address of the terminal device, and the IP address of the terminal device is used as an identity key of the terminal device.
在一种可能的实现方式中,第三报文还包括终端设备的本地证书,终端设备的本地证书中的用户信息用于作为终端设备的身份关键字。In a possible implementation manner, the third packet further includes a local certificate of the terminal device, and user information in the local certificate of the terminal device is used as an identity key of the terminal device.
在一种可能的实现方式中,终端设备具有的CSB检测功能包括IPS检测功能、AV检测功能、URL检测功能、AIE检测功能或SA检测功能中的至少一种。In a possible implementation manner, the CSB detection function of the terminal device includes at least one of an IPS detection function, an AV detection function, a URL detection function, an AIE detection function, or an SA detection function.
在一种可能的实现方式中,终端设备向其他设备提供终端设备对应的CSB检测功能信息之前,还包括:终端设备向安全设备发送登录请求,登录请求包括用户信息;接收安全设备基于用户信息发送的认证结果,认证结果用于指示终端设备是否成功登录;响应于终端设备成功登录,终端设备执行向其他设备提供终端设备对应的CSB检测功能信息的操作。In a possible implementation, before the terminal device provides the CSB detection function information corresponding to the terminal device to other devices, it further includes: the terminal device sends a login request to the security device, and the login request includes user information; The authentication result is used to indicate whether the terminal device has successfully logged in; in response to the successful login of the terminal device, the terminal device performs an operation of providing other devices with CSB detection function information corresponding to the terminal device.
在一种可能的实现方式中,终端设备向其他设备提供终端设备对应的CSB检测功能信息之前,还包括:终端设备向登录认证设备发送登录请求,登录请求包括用户信息;接收登录认证设备基于用户信息发送的认证结果,认证结果用于指示终端设备是否成功登录;响应于终端设备成功登录,终端设备执行向其他设备提供终端设备对应的CSB检测功能信息的操作。In a possible implementation, before the terminal device provides the CSB detection function information corresponding to the terminal device to other devices, it also includes: the terminal device sends a login request to the login authentication device, and the login request includes user information; The authentication result sent by the information, the authentication result is used to indicate whether the terminal device has successfully logged in; in response to the successful login of the terminal device, the terminal device performs an operation of providing other devices with the corresponding CSB detection function information of the terminal device.
在一种可能的实现方式中,终端设备向其他设备提供终端设备对应的CSB检测功能信息之前,还包括:终端设备向登录认证设备发送登录请求,登录请求包括终端设备的本地证书;接收登录认证设备基于终端设备的本地证书发送的认证结果,认证结果用于指示终端设备是否成功登录;响应于终端设备成功登录,终端设备执行向其他设备提供终端设备对应的CSB检测功能信息的操作。In a possible implementation manner, before the terminal device provides the CSB detection function information corresponding to the terminal device to other devices, it also includes: the terminal device sends a login request to the login authentication device, and the login request includes the local certificate of the terminal device; receiving the login authentication The authentication result sent by the device based on the local certificate of the terminal device is used to indicate whether the terminal device has successfully logged in; in response to the successful login of the terminal device, the terminal device performs an operation of providing other devices with corresponding CSB detection function information of the terminal device.
由于终端设备能够通过不同的登录认证方式进行登录认证,终端设备登录认证的方式较为灵活。Since the terminal device can perform login authentication through different login authentication modes, the login authentication mode of the terminal device is more flexible.
In a third aspect, a packet processing apparatus is provided. The apparatus is applied to a security device deployed at the boundary between an external network and an internal network, and the apparatus includes:
an acquiring module, configured to intercept a first packet sent from the external network to the internal network, where the first packet carries a resource provided by a server of the external network in response to a request from a terminal device of the internal network;
a determining module, configured to determine the CSB detection functions to be executed for the first packet; and
a processing module, configured to, in response to the terminal device having a first CSB detection function, omit executing the first CSB detection function on the first packet before forwarding the first packet to the terminal device, where the first CSB detection function is all or part of the CSB detection functions to be executed for the first packet.
In a possible implementation manner, the first CSB detection function is part of the CSB detection functions to be executed for the first packet, and the processing module is further configured to execute a second CSB detection function on the first packet, where the second CSB detection function consists of the CSB detection functions to be executed for the first packet other than the first CSB detection function.
In a possible implementation manner, the acquiring module is further configured to intercept a second packet sent by the terminal device, where the second packet requests a resource provided by the server of the external network, and to obtain, based on the second packet, the CSB detection functions that the terminal device has; and the determining module is further configured to determine, according to the CSB detection functions that the terminal device has and the CSB detection functions to be executed for the first packet, that the terminal device has the first CSB detection function.
In a possible implementation manner, the second packet includes an identity key of the terminal device, and the acquiring module is configured to obtain the identity key of the terminal device included in the second packet by parsing the second packet, and to obtain, according to the identity key of the terminal device, the CSB detection functions that the terminal device has.
In a possible implementation manner, the acquiring module is configured to send a query request to a capability management device, where the capability management device stores CSB detection function information corresponding to the terminal device, the query request carries the identity key of the terminal device, and the CSB detection function information corresponding to the terminal device indicates the CSB detection functions that the terminal device has; to receive the CSB detection function information corresponding to the terminal device sent by the capability management device in response to the query request; and to determine, according to the CSB detection function information, the CSB detection functions that the terminal device has.
In a possible implementation manner, the acquiring module is configured to send the query request to the capability management device over HTTP, HTTPS, or an API.
In a possible implementation manner, the acquiring module is configured to query, according to the identity key of the terminal device, a correspondence between identity keys and CSB detection functions stored on the security device, and to obtain the CSB detection functions corresponding to the identity key of the terminal device.
In a possible implementation manner, the identity key includes at least one of a random ID, an IP address, or user information in a local certificate.
In a possible implementation manner, the second packet carries the CSB detection function information corresponding to the terminal device, and the acquiring module is configured to obtain the CSB detection function information corresponding to the terminal device carried in the second packet by parsing the second packet, and to determine, according to that information, the CSB detection functions that the terminal device has.
In a possible implementation manner, the CSB detection functions to be executed include at least one of an IPS detection function, an AV detection function, a URL detection function, an AIE detection function, or an SA detection function.
In a possible implementation manner, the terminal device is a device that has completed login authentication, and the login authentication mode is any one of local authentication, server authentication, or certificate authentication.
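An added illustration of the gateway-side decision described in the third aspect above, covering both ways the second packet can identify the terminal's capabilities: inline capability information carried in a Cookie or a custom header field (as in the HTTP and HTTPS implementations earlier) and an identity key looked up in the correspondence stored on the security device. This is example code, not the patent's own code; the header and cookie names, the comma-separated encoding, the sample identity key and the sample requests are constructed assumptions, and the rule that only a terminal that completed login authentication may have its claims honoured follows the page's requirement that the terminal device be an authenticated device.

```python
"""Security-device side of the CSB offload described on this page: work out
which CSB detection functions the terminal device has, then split the functions
required for the first packet into the part the gateway may omit (first CSB
detection function, executed by the terminal) and the part the gateway still
executes (second CSB detection function).  Example code; header names, the
comma-separated encoding and all sample values are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple

# The five CSB detection functions named on the page.
CSB_FUNCTIONS: FrozenSet[str] = frozenset({"IPS", "AV", "URL", "AIE", "SA"})

# Assumed carriers of the capability information in the second packet.
CAP_HEADER = "x-csb-capabilities"   # assumed custom header field
CAP_COOKIE = "csb_caps"             # assumed cookie name
ID_HEADER = "x-csb-identity"        # assumed header carrying the identity key


def parse_capability_info(value: str) -> FrozenSet[str]:
    """Parse 'AV,URL' into known CSB function names; unknown names are dropped
    so that a malformed claim cannot switch off detection for a function the
    gateway does not recognise."""
    names = {part.strip().upper() for part in value.split(",") if part.strip()}
    return frozenset(names & CSB_FUNCTIONS)


def _cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Return the value of one cookie from a raw Cookie header, or None."""
    for part in cookie_header.split(";"):
        key, _, val = part.strip().partition("=")
        if key == name:
            return val
    return None


def capability_info_in_request(headers: Dict[str, str]) -> Optional[FrozenSet[str]]:
    """Inline capability information: custom header first, then Cookie.
    Returns None when the second packet carries no such information."""
    low = {k.lower(): v for k, v in headers.items()}
    if CAP_HEADER in low:
        return parse_capability_info(low[CAP_HEADER])
    if "cookie" in low:
        raw = _cookie_value(low["cookie"], CAP_COOKIE)
        if raw is not None:
            return parse_capability_info(raw)
    return None


@dataclass
class SecurityDevice:
    """Gateway state: the stored correspondence between identity keys and CSB
    detection functions (learned from the terminal's third packet), and the
    identity keys that completed login authentication."""
    capability_store: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    authenticated: Set[str] = field(default_factory=set)

    def store_capabilities(self, identity_key: str, info: str, logged_in: bool) -> bool:
        """Third packet: record the terminal's CSB detection functions.  Claims
        from a terminal that has not completed login authentication are ignored."""
        if not logged_in:
            return False
        self.authenticated.add(identity_key)
        self.capability_store[identity_key] = parse_capability_info(info)
        return True

    def terminal_capabilities(self, headers: Dict[str, str]) -> FrozenSet[str]:
        """Second packet: determine the terminal's CSB detection functions, from
        inline information if present, otherwise by identity-key lookup.  An
        unauthenticated or unknown terminal gets no offload at all."""
        low = {k.lower(): v for k, v in headers.items()}
        identity = low.get(ID_HEADER)
        if identity is None or identity not in self.authenticated:
            return frozenset()
        inline = capability_info_in_request(low)
        if inline is not None:
            return inline
        return self.capability_store.get(identity, frozenset())

    @staticmethod
    def plan_detection(required: Iterable[str],
                       terminal_caps: FrozenSet[str]) -> Tuple[FrozenSet[str], FrozenSet[str]]:
        """Split the functions to be executed for the first packet: the first
        CSB detection function (omitted here, executed by the terminal) and the
        second CSB detection function (still executed by the gateway)."""
        need = frozenset(required) & CSB_FUNCTIONS
        return need & terminal_caps, need - terminal_caps


if __name__ == "__main__":
    gw = SecurityDevice()
    gw.store_capabilities("rid-7f3a", "AV, URL, AIE", logged_in=True)   # constructed
    request = {"X-CSB-Identity": "rid-7f3a",
               "Cookie": "session=abc123; csb_caps=AV,URL"}              # constructed
    caps = gw.terminal_capabilities(request)
    first, second = gw.plan_detection({"IPS", "AV", "URL"}, caps)
    print("terminal executes", sorted(first), "; gateway executes", sorted(second))
```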
In a fourth aspect, a packet processing apparatus is provided. The apparatus is applied to a terminal device deployed in an internal network, and the apparatus includes:
a providing module, configured to provide CSB detection function information corresponding to the terminal device to other devices, where the CSB detection function information corresponding to the terminal device indicates the CSB detection functions that the terminal device has;
a receiving module, configured to receive a first packet sent by a security device, where the security device is deployed at the boundary between an external network and the internal network, the first packet carries a resource provided by a server of the external network in response to a request from the terminal device, the first packet is a packet on which the security device has not executed a first CSB detection function, and the CSB detection functions that the terminal device has include the first CSB detection function; and
a processing module, configured to execute the first CSB detection function on the first packet.
In a possible implementation manner, the providing module is configured to send a third packet to a capability management device, where the third packet carries the CSB detection function information corresponding to the terminal device, and the capability management device is configured to store the CSB detection function information corresponding to the terminal device.
In a possible implementation manner, the providing module is configured to send a third packet to the security device, where the third packet carries the CSB detection function information corresponding to the terminal device, and the security device is configured to store the CSB detection function information corresponding to the terminal device.
In a possible implementation manner, the providing module is configured to send a second packet to the server of the external network, where the second packet requests a resource provided by the server of the external network and carries the CSB detection function information corresponding to the terminal device.
In a possible implementation manner, the second packet is transmitted over HTTPS, and the CSB detection function information corresponding to the terminal device is carried in a Cookie, a URL parameter, an HTTPS header field, or an HTTPS custom field of the second packet.
In a possible implementation manner, the second packet is transmitted over HTTP, and the CSB detection function information corresponding to the terminal device is carried in a Cookie, an HTTP header field, or an HTTP custom field of the second packet.
In a possible implementation manner, the second packet is transmitted over FTP, and the CSB detection function information corresponding to the terminal device is carried in an FTP redundant field or an FTP custom field of the second packet.
In a possible implementation manner, the apparatus further includes: a sending module, configured to send a second packet to the server of the external network, where the second packet requests a resource provided by the server of the external network and includes an identity key of the terminal device, and the identity key is used to obtain the CSB detection functions that the terminal device has.
In a possible implementation manner, in response to the other device being a capability management device, the receiving module is further configured to receive a random ID of the terminal device sent by the capability management device, where the random ID of the terminal device is used as the identity key of the terminal device; or, in response to the other device being a security device, the receiving module is further configured to receive a random ID of the terminal device sent by the security device, where the random ID of the terminal device is used as the identity key of the terminal device.
In a possible implementation manner, the third packet further includes an IP address of the terminal device, and the IP address of the terminal device is used as the identity key of the terminal device.
In a possible implementation manner, the third packet further includes a local certificate of the terminal device, and user information in the local certificate of the terminal device is used as the identity key of the terminal device.
In a possible implementation manner, the CSB detection functions that the terminal device has include at least one of an IPS detection function, an AV detection function, a URL detection function, an AIE detection function, or an SA detection function.
In a possible implementation manner, the apparatus further includes: a requesting module, configured to send a login request to the security device, where the login request includes user information, and to receive an authentication result sent by the security device based on the user information, where the authentication result indicates whether the terminal device has logged in successfully; and in response to the terminal device having logged in successfully, the providing module performs the operation of providing the CSB detection function information corresponding to the terminal device to other devices.
In a possible implementation manner, the apparatus further includes: a requesting module, configured to send a login request to a login authentication device, where the login request includes user information, and to receive an authentication result sent by the login authentication device based on the user information, where the authentication result indicates whether the terminal device has logged in successfully; and in response to the terminal device having logged in successfully, the providing module performs the operation of providing the CSB detection function information corresponding to the terminal device to other devices.
In a possible implementation manner, the apparatus further includes: a requesting module, configured to send a login request to a login authentication device, where the login request includes a local certificate of the terminal device, and to receive an authentication result sent by the login authentication device based on the local certificate of the terminal device, where the authentication result indicates whether the terminal device has logged in successfully; and in response to the terminal device having logged in successfully, the providing module performs the operation of providing the CSB detection function information corresponding to the terminal device to other devices.
In a fifth aspect, a packet processing device is provided. The packet processing device includes a processor coupled to a memory, the memory stores at least one program instruction or code, and the at least one program instruction or code is loaded and executed by the processor so that the packet processing device implements the packet processing method of the first aspect or the second aspect above.
In a sixth aspect, a packet processing system is provided. The packet processing system includes a security device and a terminal device, where the security device is configured to execute the packet processing method of the first aspect or any implementation of the first aspect, and the terminal device is configured to execute the packet processing method of the second aspect or any implementation of the second aspect.
In a seventh aspect, a computer-readable storage medium is provided. The computer-readable storage medium stores at least one program instruction or code, and when the program instruction or code is loaded and executed by a processor, the computer implements the packet processing method of the first aspect or the second aspect.
In an eighth aspect, a computer program product is provided, including a computer program. When the computer program is executed by a computer, the computer implements the packet processing method of the first aspect or the second aspect above.
In a ninth aspect, a communication apparatus is provided. The apparatus includes a transceiver, a memory, and a processor. The transceiver, the memory, and the processor communicate with each other through an internal connection path; the memory stores instructions, and the processor executes the instructions stored in the memory to control the transceiver to receive signals and to send signals. When the processor executes the instructions stored in the memory, the processor performs the method of the first aspect or any possible implementation of the first aspect, or the method of the second aspect or any possible implementation of the second aspect.
In a possible implementation manner, there are one or more processors and one or more memories.
In a possible implementation manner, the memory may be integrated with the processor, or the memory and the processor may be arranged separately.
In a specific implementation, the memory may be a non-transitory memory, for example a read-only memory (ROM), which may be integrated with the processor on the same chip or arranged on a different chip. This application does not limit the type of the memory or the arrangement of the memory and the processor.
In a tenth aspect, a chip is provided, including a processor configured to call from a memory and run instructions stored in the memory, so that a communication device in which the chip is installed performs the method of the first aspect or any possible implementation of the first aspect, or the method of the second aspect or any possible implementation of the second aspect.
In an eleventh aspect, another chip is provided, including an input interface, an output interface, a processor, and a memory, where the input interface, the output interface, the processor, and the memory are connected through an internal connection path, and the processor is configured to execute code in the memory. When the code is executed, the processor performs the method of the first aspect or any possible implementation of the first aspect, or the method of the second aspect or any possible implementation of the second aspect.
Description of drawings
FIG. 1 is a schematic diagram of an implementation scenario of a packet processing method according to an embodiment of the present application;
FIG. 2 is a flowchart of a packet processing method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of the process of a packet processing method according to an embodiment of the present application;
FIG. 4 is a flowchart of another packet processing method according to an embodiment of the present application;
FIG. 5 is a flowchart of yet another packet processing method according to an embodiment of the present application;
FIG. 6 is a schematic diagram of verifying a local certificate of a terminal device according to an embodiment of the present application;
FIG. 7 is a flowchart of yet another packet processing method according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of a packet processing apparatus according to an embodiment of the present application;
FIG. 9 is a schematic structural diagram of another packet processing apparatus according to an embodiment of the present application;
FIG. 10 is a schematic structural diagram of a packet processing device according to an embodiment of the present application;
FIG. 11 is a schematic structural diagram of another packet processing device according to an embodiment of the present application.
具体实施方式detailed description
为使本申请的目的、技术方案和优点更加清楚,下面将结合附图对本申请实施方式作进一步地详细描述。In order to make the purpose, technical solution and advantages of the present application clearer, the implementation manners of the present application will be further described in detail below in conjunction with the accompanying drawings.
在通信技术领域中,安全设备对由外部网络向内部网络发送的报文执行CSB检测功能,以保证内部网络的设备安全运行。本申请实施例提供了一种报文处理方法,该方法可应用在图1所示的实施场景中。如图1所示,该实施场景包括安全设备101、终端设备102A-102C(统称为终端设备102)、服务器103。可选地,该实施场景还包括能力管理设备104和登录认证设备105。In the field of communication technology, a security device performs a CSB detection function on packets sent from an external network to an internal network, so as to ensure safe operation of devices on the internal network. The embodiment of the present application provides a packet processing method, which can be applied in the implementation scenario shown in FIG. 1 . As shown in FIG. 1 , this implementation scenario includes a security device 101 , terminal devices 102A- 102C (collectively referred to as terminal devices 102 ), and a server 103 . Optionally, this implementation scenario further includes a capability management device 104 and a login authentication device 105 .
其中,安全设备101部署于外部网络和内部网络的边界,终端设备102部署于内部网络中,服务器103部署于外部网络中。安全设备101和终端设备102之间能够进行信息交互,安全设备101和服务器103之间能够进行信息交互,安全设备101和能力管理设备104之间能够进行信息交互,安全设备101和登录认证设备105之间能够进行信息交互;终端设备102和能力管理设备104之间能够进行信息交互,终端设备102和登录认证设备105之间能够进行信息交互。需要说明的是,图1中仅示出终端设备102C与能力管理设备104和登录认证设备105之间的信息交互,终端设备102A和终端设备102B与能力管理设备104和登录认证设备105之间的信息交互未在图1中示出,但并不对实施场景进行限制。Wherein, the security device 101 is deployed on the boundary between the external network and the internal network, the terminal device 102 is deployed on the internal network, and the server 103 is deployed on the external network. Information exchange can be performed between the security device 101 and the terminal device 102, information exchange can be performed between the security device 101 and the server 103, information exchange can be performed between the security device 101 and the capability management device 104, and the security device 101 and the login authentication device 105 Information exchange can be performed between the terminal device 102 and the capability management device 104, and information exchange can be performed between the terminal device 102 and the login authentication device 105. It should be noted that in FIG. 1 only the information interaction between the terminal device 102C, the capability management device 104 and the login authentication device 105 is shown. Information interaction is not shown in FIG. 1 , but it does not limit the implementation scenario.
示例性地,安全设备101包括但不限于安全网关设备、防火墙等设备,终端设备102包括但不限于智能手机、台式计算机、笔记本电脑、平板电脑等终端设备,服务器103、能力管理设备104和登录认证设备105均可以为服务器。需要说明的是,图1示出的实施场景中,各个设备的数量仅为本申请实施例举例说明的数量,本申请实施例对此不加以限定。Exemplarily, the security device 101 includes but not limited to security gateway devices, firewalls and other devices, the terminal device 102 includes but not limited to smart phones, desktop computers, notebook computers, tablet computers and other terminal devices, the server 103, the capability management device 104 and the login All authentication devices 105 may be servers. It should be noted that, in the implementation scenario shown in FIG. 1 , the number of devices is only the number illustrated in the embodiment of the present application, which is not limited in the embodiment of the present application.
结合图1所示的实施场景,本申请实施例提供的报文处理方法如图2所示,该报文处理方法包括但不限于步骤200至步骤205。其中,步骤201至步骤203为安全设备侧执行报文处理的过程,步骤200、步骤204和步骤205为终端设备侧执行报文处理的过程。接下来,结合图2对该报文处理方法进行说明。With reference to the implementation scenario shown in FIG. 1 , the message processing method provided by the embodiment of the present application is shown in FIG. 2 , and the message processing method includes but not limited to steps 200 to 205 . Wherein, steps 201 to 203 are the process of executing message processing on the security device side, and step 200, step 204 and step 205 are the process of executing message processing on the terminal device side. Next, the packet processing method will be described with reference to FIG. 2 .
Step 200: the terminal device provides the CSB detection function information corresponding to the terminal device to another device.
The CSB detection function information corresponding to the terminal device indicates which CSB detection functions the terminal device has.
For example, the CSB detection functions of the terminal device include at least one of an intrusion prevention system (IPS) detection function, an anti-virus (AV) detection function, a uniform resource locator (URL) detection function, an artificial intelligence engine (AIE) detection function, or a service awareness (SA) detection function.
In one possible implementation, the terminal device provides its CSB detection function information to another device in, but not limited to, the following two manners.
Manner 1: the terminal device provides its CSB detection function information to the capability management device.
For example, the terminal device sends a third packet to the capability management device, the third packet carries the CSB detection function information corresponding to the terminal device, and the capability management device stores that information.
The term "third packet" above, and the terms "first packet", "second packet" and other packets that appear later, do not indicate an order; they only distinguish different packets. Likewise, "first", "second" and so on in the rest of this description only distinguish different items of information, data, requests or messages.
For example, the third packet is transmitted over hypertext transfer protocol over secure socket layer (HTTPS), and the CSB detection function information is carried in the cookie (the small data item stored on the user's local terminal), a URL parameter, the HTTPS authorization header field, or a custom HTTPS field of the third packet. When the third packet is transmitted over HTTPS, it may be transmitted through an encrypted communication channel. As another example, the third packet is transmitted over hypertext transfer protocol (HTTP), and the CSB detection function information is carried in the cookie, an HTTP header field, or a custom HTTP field of the third packet. As a further example, the third packet is transmitted over file transfer protocol (FTP), and the CSB detection function information is carried in a redundant FTP field or a custom FTP field of the third packet.
Because the third packet can be transmitted over several transport protocols, the method is flexible in how the third packet is transmitted; and for a given protocol the third packet can carry the CSB detection function information in several ways, so the way the information is carried is also flexible.
For example, the step in which the terminal device provides its CSB detection function information to the capability management device corresponds to the capability management exchange between the terminal device and the capability management device shown in FIG. 3.
Manner 2: the terminal device provides its CSB detection function information to the security device.
In one possible implementation, the terminal device sends a second packet to a server in the external network, the second packet requests a resource provided by that server, and the second packet carries the CSB detection function information corresponding to the terminal device. The second packet can be intercepted by the security device, so that the security device obtains the CSB detection function information carried in it.
The way the terminal device sends the second packet to the external server, and the way the second packet carries the CSB detection function information, follow the same principle as the corresponding parts of manner 1 and are not repeated here.
When no capability management device is deployed at the boundary between the external and internal networks and only a security device is deployed, the terminal device can reuse the request packet it sends for an external resource (the second packet) to carry its CSB detection function information, and the security device obtains that information from the packet. This improves the efficiency with which the security device obtains the CSB detection function information of the terminal device. In addition, because the second packet can be transmitted over several transport protocols and, for a given protocol, can carry the information in several ways, this manner is as flexible as the third packet.
In another possible implementation, the terminal device sends a third packet to the security device, the third packet carries the CSB detection function information corresponding to the terminal device, and the security device stores that information.
The way the terminal device sends the third packet to the security device, and the way the third packet carries the information, follow the same principle as in manner 1 and are not repeated here. Whether the information reaches the security device in a second packet or in a third packet, the security device can store it, so during later detection it can obtain the terminal device's CSB detection function information locally, which improves detection efficiency.
Because the terminal device can provide its CSB detection function information in different ways, the embodiments of this application are flexible in how that information is provided.
For example, the CSB detection function information corresponding to the terminal device is represented by binary digits.
For instance, for any one CSB detection function, 00 indicates that the terminal device does not have that function and 01 indicates that it does. The CSB detection function information may then be represented in manner A or manner B below.
Manner A: the CSB detection function information corresponding to the terminal device is represented by a single binary number.
For example, the information is written as xxxxxxxxxx, where, counting from the right, bits 0 and 1 indicate whether the IPS detection function is included, bits 2 and 3 the AV detection function, bits 4 and 5 the URL detection function, bits 6 and 7 the AIE detection function, and bits 8 and 9 the SA detection function. If the terminal device has the IPS, AV and AIE detection functions, its CSB detection function information is 0001000101.
Manner B: the CSB detection function information corresponding to the terminal device is represented by a binary array.
For example, the information is represented by the array [A, B, C, D, E], where each of A, B, C, D and E indicates one detection function and is itself a binary number. A indicates the IPS detection function and is written as xx, where 00 means the IPS detection function is absent and 01 means it is present. Likewise, B indicates the AV detection function, C the URL detection function, D the AIE detection function and E the SA detection function. If the terminal device has the IPS and AV detection functions, its CSB detection function information is [01, 01, 00, 00, 00].
Note that the CSB detection function information may also be represented in other ways; the representations above are only examples given in this embodiment and do not limit it.
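The two encodings of manners A and B above, as an added example in Python (this is not code from the patent): a capability set is encoded in both forms, decoded with strict validation, and the manner A value is placed in a custom HTTP header as step 200 allows. The function order and the 2-bit codes 00/01 come from the text; the header name X-CSB-Detection and the decision to reject any malformed value are assumptions of this example.

```python
# Added example, not from the patent. Function order and the codes
# 00 (absent) / 01 (present) follow the text; the HTTP header name is assumed.

# Capability order from the text; manner A counts bit positions from the right.
CSB_FUNCTIONS = ("IPS", "AV", "URL", "AIE", "SA")
ABSENT, PRESENT = "00", "01"


def _check_known(caps):
    unknown = set(caps) - set(CSB_FUNCTIONS)
    if unknown:
        raise ValueError(f"unknown CSB function(s): {sorted(unknown)}")
    return set(caps)


def encode_mode_a(caps):
    """Manner A: one 10-bit string; bits 0-1 (rightmost) = IPS, 2-3 = AV,
    4-5 = URL, 6-7 = AIE, 8-9 = SA."""
    caps = _check_known(caps)
    # Emit SA first and IPS last so IPS lands in the rightmost two bits.
    return "".join(PRESENT if f in caps else ABSENT
                   for f in reversed(CSB_FUNCTIONS))


def decode_mode_a(bits):
    """Inverse of encode_mode_a. Anything that is not exactly ten binary
    digits of well-formed 00/01 fields is rejected rather than guessed at."""
    if len(bits) != 2 * len(CSB_FUNCTIONS) or set(bits) - {"0", "1"}:
        raise ValueError("CSB info must be a 10-character binary string")
    caps = set()
    for i, name in enumerate(CSB_FUNCTIONS):
        # Field i occupies bits 2i and 2i+1 counted from the right.
        field = bits[len(bits) - 2 * (i + 1): len(bits) - 2 * i]
        if field == PRESENT:
            caps.add(name)
        elif field != ABSENT:
            raise ValueError(f"invalid code {field!r} for {name}")
    return caps


def encode_mode_b(caps):
    """Manner B: array [A, B, C, D, E] of 2-bit strings in the fixed
    order IPS, AV, URL, AIE, SA."""
    caps = _check_known(caps)
    return [PRESENT if f in caps else ABSENT for f in CSB_FUNCTIONS]


def decode_mode_b(fields):
    """Inverse of encode_mode_b, with the same strict validation."""
    if len(fields) != len(CSB_FUNCTIONS):
        raise ValueError("CSB array must have exactly five fields")
    caps = set()
    for name, field in zip(CSB_FUNCTIONS, fields):
        if field == PRESENT:
            caps.add(name)
        elif field != ABSENT:
            raise ValueError(f"invalid code {field!r} for {name}")
    return caps


def csb_header(caps):
    """Carry the manner A value in a custom HTTP header. The header name
    X-CSB-Detection is an assumption; the text only says 'custom field'."""
    return f"X-CSB-Detection: {encode_mode_a(caps)}"


if __name__ == "__main__":
    print(encode_mode_a({"IPS", "AV", "AIE"}))   # 0001000101, as in the text
    print(encode_mode_b({"IPS", "AV"}))          # ['01', '01', '00', '00', '00']
    print(csb_header({"IPS", "AV", "AIE"}))
```

Because this value is a claim made by the endpoint and, in step 203, decides whether the security device skips inspection, a gateway should only act on it once it is bound to an authenticated identity key (the login authentication and identity keys described later in this embodiment), and should treat a value that fails decoding as "no capabilities" rather than guessing at it.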
In one possible implementation, the method further includes: in response to a change in the CSB detection functions of the terminal device, the terminal device sends its changed CSB detection function information to the device that stores that information, so that the storing device updates the stored information. For example, the terminal device sends either all of its CSB detection function information, or only the differential CSB detection function information, which is determined from the CSB detection functions before and after the change.
For instance, if the capability management device stores the terminal device's CSB detection function information, the terminal device sends either all of its CSB detection function information or only the differential information to the capability management device.
In one possible implementation, the method further includes: the terminal device periodically sends its CSB detection function information to the device that stores it, so that the storing device updates the stored information. Alternatively, the terminal device may send its CSB detection function information only when the storing device requests it.
In one possible implementation, after the terminal device provides its CSB detection function information to the other device, the method further includes: the terminal device receives a first result or a second result sent by that device, where the first result indicates that the other device successfully stored the information and the second result indicates that it did not.
For example, the terminal device provides its CSB detection function information to the capability management device and receives the first result or the second result from the capability management device.
In both of the above manners, because the capability management device or the security device stores the terminal device's CSB detection function information, when the security device intercepts the second packet that the terminal device sends to request a resource from an external server, the second packet may carry an identity key of the terminal device, from which the security device can obtain the terminal device's CSB detection function information. The case where the capability management device stores the information and the case where the security device stores it are described separately below.
Case A: the capability management device stores the CSB detection function information corresponding to the terminal device.
For example, after the terminal device provides its CSB detection function information to the other device, the method further includes: the terminal device sends a second packet to a server in the external network requesting a resource provided by that server. The second packet includes an identity key of the terminal device, which is used to obtain the CSB detection functions the terminal device has. The second packet can be intercepted by the security device, so that the security device obtains the identity key carried in it.
For example, the identity key includes at least one of a random identity document (ID), an Internet protocol (IP) address, or user information from a local certificate.
For example, when the other device is the capability management device, that is, the terminal device provides its CSB detection function information to the capability management device, the method further includes: after providing that information, the terminal device receives a random ID for the terminal device from the capability management device, and this random ID serves as the terminal device's identity key. The random ID may be generated by the capability management device. As another example, the third packet also includes the IP address of the terminal device, which serves as its identity key. As a further example, the third packet also includes the local certificate of the terminal device, and the user information in that certificate serves as its identity key.
For example, if the terminal device receives its random ID from the capability management device, as shown in FIG. 3, the terminal device may save that random ID as its identity key.
Case B: the security device stores the CSB detection function information corresponding to the terminal device.
For example, after the terminal device provides its CSB detection function information to the other device, the method further includes: the terminal device sends a second packet to a server in the external network requesting a resource provided by that server, where the second packet includes an identity key of the terminal device that is used to obtain the CSB detection functions the terminal device has. The second packet can be intercepted by the security device, so that the security device obtains the identity key carried in it.
As in case A, in case B the identity key includes at least one of a random ID, an IP address, or user information from a local certificate.
For example, when the other device is the security device, that is, the terminal device provides its CSB detection function information to the security device, the method further includes: after providing that information, the terminal device receives a random ID for the terminal device from the security device, and this random ID serves as the terminal device's identity key. The random ID may be generated by the security device. As another example, the third packet also includes the IP address of the terminal device, which serves as its identity key. As a further example, the third packet also includes the local certificate of the terminal device, and the user information in that certificate serves as its identity key.
For example, if the terminal device receives its random ID from the security device, as shown in FIG. 3, the terminal device may save that random ID as its identity key.
Note that this embodiment does not limit how the second packet carries the identity key of the terminal device, how the third packet carries the IP address of the terminal device, or how the third packet carries the local certificate of the terminal device.
In this embodiment the type of identity key is flexible. Moreover, because the identity key can include several kinds of information, the CSB detection functions of the terminal device can be obtained from it with high accuracy.
Step 201: the security device intercepts a first packet sent from the external network to the internal network.
For example, the first packet carries a resource that a server in the external network provides to a terminal device in the internal network.
In one possible implementation, the first packet carries a resource that the external server provides in response to a request from the internal terminal device. For example, in the scenario of FIG. 1, the security device 101 intercepts a first packet sent from the external network to the internal network, and the first packet carries a resource that the external server 103 provides in response to a request from the internal terminal device 102C.
In another possible implementation, the first packet carries a resource that the external server provides to the internal terminal device on its own initiative. For example, in the scenario of FIG. 1, terminal device 102C has not requested any resource from the external server, and the security device 101 intercepts a first packet sent from the external network to the internal network that carries a resource which the external server 103 is pushing to terminal device 102C on its own initiative.
For example, the terminal device is a device that has completed login authentication, where the login authentication manner is any of local authentication, server authentication or certificate authentication. The login authentication process is described later and is not expanded on here.
Step 202: the security device determines the CSB detection functions to be executed for the first packet.
In one possible implementation, the CSB detection functions to be executed include at least one of the IPS, AV, URL, AIE or SA detection functions.
For example, the security device stores multiple CSB detection policies, each corresponding to one resource type and each including at least one CSB detection function. The security device determines the CSB detection functions to be executed for the first packet by obtaining the resource type of the resource carried in the first packet, looking up the CSB detection policy corresponding to that resource type, and taking the CSB detection functions in that policy as the functions to be executed for the first packet.
Optionally, resource types include but are not limited to portable document format (pdf) files, document (.doc) files, text (.txt) files, graphics interchange format (GIF) files, executable (exe) files, dynamic link library (dll) files, and so on. Resource types may also be broader categories: for example, exe and dll files may be classified as portable executable (PE) files, and joint photographic experts group (JPEG), bitmap (BMP) and GIF files as image files.
Optionally, after intercepting the first packet, the security device determines the resource type of the carried resource from data in the file content carried in the first packet, such as the signature (feature word) in the file header, from the suffix of the resource name in the URL of the previously cached request sent by the terminal device (the second packet), or in some other way.
Step 203: in response to the terminal device having the first CSB detection function, the security device omits performing the first CSB detection function on the first message before forwarding the first message to the terminal device.
Here, the first CSB detection function is all or part of the CSB detection functions to be executed for the first message. Depending on which functions the first CSB detection function comprises, the security device's omission of the first CSB detection function on the first message covers the following case 1 and case 2.
Case 1: the first CSB detection function is all of the CSB detection functions to be executed for the first message.
In case 1, because the first CSB detection function is all of the CSB detection functions to be executed for the first message, the terminal device can complete all CSB detection of the first message on its own, so the security device can skip CSB detection of the first message entirely and forward the first message directly to the terminal device. In this case the resources the security device would otherwise spend on CSB detection are saved.
Case 2: the first CSB detection function is a part of the CSB detection functions to be executed for the first message.
In case 2, because the first CSB detection function is only part of the CSB detection functions to be executed for the first message, the terminal device cannot complete all CSB detection of the first message on its own and must cooperate with the security device. Therefore, in case 2, before forwarding the first message to the terminal device, the security device additionally performs a second CSB detection function on the first message, where the second CSB detection function consists of the CSB detection functions to be executed for the first message other than the first CSB detection function.
For example, the CSB detection functions to be executed for the first message include an IPS detection function, an AV detection function and an AIE detection function, and the terminal device has the first CSB detection function, which includes the IPS detection function and the AV detection function. The second CSB detection function then includes the AIE detection function, and the security device performs the AIE detection function on the first message.
Step 203 corresponds to the part of FIG. 3 that determines how the CSB detection function is performed on the first message and performs it.
If the first message is one that a server of the external network sends to a terminal device of the internal network on its own initiative, then after the security device determines the CSB detection functions to be executed for the first message, it performs all of them by default.
In one possible implementation, after the security device performs the second CSB detection function on the first message, the method further includes: obtaining the detection result of the security device performing the second CSB detection function on the first message; and, in response to the detection result being safe, the security device forwarding the first message to the terminal device. For example, where the second CSB detection function includes at least one detection function, the detection result of the second CSB detection function is safe when the results of all of those detection functions performed by the security device on the first message are safe.
In one possible implementation, after obtaining the detection result of the security device performing the second CSB detection function on the first message, the method further includes: in response to the detection result being dangerous, the security device not forwarding the first message to the terminal device. For example, where the second CSB detection function includes at least one detection function, the detection result of the second CSB detection function is dangerous when at least one of the results of those detection functions performed by the security device on the first message is dangerous.
Optionally, the method further includes a process by which the security device obtains the CSB detection functions that the terminal device has. For example, before step 201, in which the security device intercepts the first message sent from the external network to the internal network, the method further includes the following steps 1-1 and 1-2.
Step 1-1: the security device intercepts a second message sent by the terminal device, the second message requesting a resource provided by a server of the external network.
For example, the second message is the request message described above for requesting a resource provided by a server of the external network.
In one possible implementation, the second message includes an identity keyword of the terminal device. In another possible implementation, the second message carries CSB detection function information corresponding to the terminal device. Note that the type of the terminal device's identity keyword, the representation of the CSB detection function information corresponding to the terminal device, and the way the second message carries that information follow the same principles as described earlier and are not repeated here.
Step 1-2: based on the second message, the security device obtains the CSB detection functions that the terminal device has.
For example, the security device obtains the CSB detection functions of the terminal device based on the second message in, but not limited to, the following two modes.
Mode 1: where the second message includes the identity keyword of the terminal device, the security device parses the second message to obtain the identity keyword of the terminal device included in it, and then obtains the CSB detection functions of the terminal device according to that identity keyword.
In one possible implementation, obtaining the CSB detection functions of the terminal device according to its identity keyword includes: the security device sends a query request carrying the identity keyword of the terminal device to a capability management device, which stores CSB detection function information corresponding to the terminal device, this information indicating the CSB detection functions the terminal device has; the security device receives the CSB detection function information corresponding to the terminal device that the capability management device sends in response to the query request, and determines the CSB detection functions of the terminal device from that information.
For example, the security device sends the query request to the capability management device over HTTP, HTTPS or an application programming interface (API). The security device may also send the query request to the capability management device over another public or private protocol; the embodiments of this application do not limit this.
In another possible implementation, obtaining the CSB detection functions of the terminal device according to its identity keyword includes: the security device looks up the identity keyword of the terminal device in a correspondence between identity keywords and CSB detection functions stored on the security device, and obtains the CSB detection functions corresponding to that identity keyword. For example, as shown in FIG. 3, the security device stores a correspondence between identity keywords and CSB detection functions. This correspondence contains multiple identity keywords and, for each identity keyword, the corresponding CSB detection functions. The security device can therefore obtain the CSB detection functions corresponding to the terminal device's identity keyword by looking that keyword up in the stored correspondence.
Mode 2: where the second message carries CSB detection function information corresponding to the terminal device, the security device parses the second message to obtain that information, and determines the CSB detection functions of the terminal device from it.
Depending on the type of the second message, the security device's parsing of the second message to obtain the CSB detection function information corresponding to the terminal device includes, but is not limited to, the following three cases.
Case one: the second message is transmitted over HTTPS, that is, the second message is an HTTPS protocol message.
For example, if the CSB detection function information corresponding to the terminal device is carried in a cookie of the second message, the security device parses the second message and obtains the information from that cookie; if it is carried in a URL parameter of the second message, the security device parses the second message and obtains the information from that URL parameter; if it is carried in an HTTPS header field of the second message, the security device parses the second message and obtains the information from that header field; and if it is carried in a custom HTTPS field of the second message, the security device parses the second message and obtains the information from that custom field.
Case two: the second message is transmitted over HTTP, that is, the second message is an HTTP protocol message.
For example, if the CSB detection function information corresponding to the terminal device is carried in a cookie of the second message, the security device parses the second message and obtains the information from that cookie; if it is carried in an HTTP header field of the second message, the security device parses the second message and obtains the information from that header field; and if it is carried in a custom HTTP field of the second message, the security device parses the second message and obtains the information from that custom field.
Case three: the second message is transmitted over FTP, that is, the second message is an FTP protocol message.
For example, if the CSB detection function information corresponding to the terminal device is carried in a redundant FTP field of the second message, the security device parses the second message and obtains the information from that redundant field; if it is carried in a custom FTP field of the second message, the security device parses the second message and obtains the information from that custom field.
Whichever of the three cases above the CSB detection function information corresponding to the terminal device was obtained in, once it has been obtained the security device determines the CSB detection functions of the terminal device from the CSB detection function information carried in the second message.
The step in which the security device obtains the CSB detection functions of the terminal device based on the second message corresponds to the part of FIG. 3 that identifies the second message and obtains the CSB detection functions of the terminal device.
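The two modes of step 1-2 applied to an intercepted HTTP/HTTPS request, as an added example that is not code from the patent or the applicant: mode 2 reads the capability information from a cookie, URL parameter or custom header field of the second message, and mode 1 falls back to a stored correspondence keyed by the identity keyword. The header name, cookie name, URL parameter, list encoding and use of the client address as identity keyword are all constructed assumptions.

```python
"""Added example (not from the patent or the applicant): how a security device
can recover a terminal device's CSB detection capability from an intercepted
HTTP/HTTPS request (the "second message"), following mode 1 (identity keyword
looked up in a stored correspondence) and mode 2 (capability information
carried in a cookie, URL parameter or header field of the request).

Constructed assumptions: the capability is a comma-separated list of function
names; the header name "X-CSB-Functions", cookie name "csb_funcs" and URL
parameter "csb" are placeholders; the identity keyword is the client address.
"""
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

CUSTOM_HEADER = "x-csb-functions"   # placeholder custom header field (mode 2)
COOKIE_NAME = "csb_funcs"           # placeholder cookie (mode 2)
URL_PARAM = "csb"                   # placeholder URL parameter (mode 2)

# Function names the security device itself understands; anything else in a
# capability claim is ignored rather than trusted.
KNOWN_FUNCTIONS = frozenset({"IPS", "AV", "URL", "AIE", "SA"})


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Minimal HTTP/1.x parser: request line plus header fields (names lower-cased).
    For HTTPS the same parsing applies to the decrypted request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def _cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Return the value of one cookie from a Cookie header, or None."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def _parse_function_list(value: str) -> Set[str]:
    """Turn 'ips, av' into {'IPS', 'AV'}, dropping names the gateway does not know."""
    claimed = {item.strip().upper() for item in value.split(",") if item.strip()}
    return claimed & KNOWN_FUNCTIONS


def capabilities_from_request(raw: bytes) -> Optional[Set[str]]:
    """Mode 2: extract the CSB detection function information carried in the
    second message itself. Returns None when the request carries none.
    The lookup order (header, cookie, URL parameter) is a constructed choice."""
    _method, target, headers = parse_request(raw)
    if CUSTOM_HEADER in headers:                      # custom header field
        return _parse_function_list(headers[CUSTOM_HEADER])
    if "cookie" in headers:                           # cookie
        value = _cookie_value(headers["cookie"], COOKIE_NAME)
        if value is not None:
            return _parse_function_list(value)
    query = parse_qs(urlsplit(target).query)
    if URL_PARAM in query:                            # URL parameter
        return _parse_function_list(query[URL_PARAM][0])
    return None


def capabilities_from_identity(identity: str,
                               table: Dict[str, Set[str]]) -> Set[str]:
    """Mode 1: look the identity keyword up in the stored correspondence
    (identity keyword -> CSB detection functions). Unknown identity -> no functions."""
    return set(table.get(identity, ())) & KNOWN_FUNCTIONS


def terminal_capabilities(raw: bytes, identity: str,
                          table: Dict[str, Set[str]]) -> Set[str]:
    """Combine the two modes: use what the request carries (mode 2), otherwise
    fall back to the stored correspondence keyed by identity (mode 1)."""
    carried = capabilities_from_request(raw)
    return carried if carried is not None else capabilities_from_identity(identity, table)


# Constructed sample data for a stand-alone run.
SAMPLE_TABLE: Dict[str, Set[str]] = {"10.0.0.7": {"IPS", "AV", "AIE"}}
SAMPLE_REQUEST = (b"GET /files/report.pdf?csb=URL,SA HTTP/1.1\r\n"
                  b"Host: files.example\r\n"
                  b"Cookie: session=abc123; csb_funcs=ips,av,aie\r\n\r\n")

if __name__ == "__main__":
    print(sorted(terminal_capabilities(SAMPLE_REQUEST, "10.0.0.7", SAMPLE_TABLE)))
```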
Because the security device has obtained the CSB detection functions of the terminal device, it can determine which of the CSB detection functions to be executed for the first message the terminal device has and which it does not have. That is, the security device can determine the first CSB detection function and the second CSB detection function among the CSB detection functions to be executed.
For example, after determining the CSB detection functions to be executed for the first message, the security device determines, from the CSB detection functions the terminal device has and the CSB detection functions to be executed for the first message, that the terminal device has the first CSB detection function. For instance, if the CSB detection functions to be executed for the first message include an IPS detection function, an AV detection function and a URL detection function, and the CSB detection functions of the terminal device include a URL detection function and an AIE detection function, the security device determines that the terminal device has a first CSB detection function that includes the URL detection function.
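The gateway-side decision of step 203 (cases 1 and 2, the safe/dangerous gating, and the server-initiated default) together with the determination of the first and second CSB detection functions just described, as an added example that is not code from the patent or the applicant. The policy table, the blocklist, the content marker, the two stand-in detectors and the fail-closed handling of a missing engine or unknown resource type are constructed assumptions.

```python
"""Added example (not code from the patent or the applicant): the gateway-side
decision of step 203. Given the detection policy for the resource type (pending
functions) and the CSB detection functions the terminal device is known to
have, the security device splits the pending functions into the first set
(omitted here, left to the terminal) and the second set (performed here), runs
only the second set, and forwards the first message only if every result is safe.

Constructed assumptions: the policy table, the blocklist, the marker string and
the two stand-in detectors are placeholders; a real gateway would register its
own IPS/AV/URL/AIE/SA engines as the callables in DETECTORS.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Iterable
from urllib.parse import urlsplit

# Constructed policy table (step 202): resource type -> CSB functions to execute.
POLICIES: Dict[str, FrozenSet[str]] = {
    "pdf": frozenset({"IPS", "AV", "URL", "AIE", "SA"}),
    "pe":  frozenset({"IPS", "AV", "AIE", "SA"}),
    "txt": frozenset({"IPS", "URL"}),
}
ALL_FUNCTIONS: FrozenSet[str] = frozenset().union(*POLICIES.values())

# A detector takes (url, payload) and returns True for "safe", False for "dangerous".
Detector = Callable[[str, bytes], bool]

BLOCKED_HOSTS = {"malware.example"}            # constructed URL blocklist
DANGEROUS_MARKER = b"CONSTRUCTED-BAD-CONTENT"  # constructed content marker


def url_detector(url: str, payload: bytes) -> bool:
    """Stand-in for the URL detection function: dangerous if the host is blocked."""
    return urlsplit(url).hostname not in BLOCKED_HOSTS


def sa_detector(url: str, payload: bytes) -> bool:
    """Stand-in for the SA detection function: dangerous if the marker is present."""
    return DANGEROUS_MARKER not in payload


# Engines available on this (example) security device.
DETECTORS: Dict[str, Detector] = {"URL": url_detector, "SA": sa_detector}


@dataclass
class Decision:
    pending: FrozenSet[str]                 # functions to execute for the message
    first: FrozenSet[str]                   # omitted on the gateway (terminal does them)
    second: FrozenSet[str]                  # performed on the gateway
    results: Dict[str, bool] = field(default_factory=dict)
    forward: bool = False


def decide(resource_type: str, url: str, payload: bytes,
           terminal_functions: Iterable[str],
           requested_by_terminal: bool = True) -> Decision:
    """Step 203 on the gateway. Case 1: the terminal has every pending function,
    so second is empty and the message is forwarded untouched. Case 2: the
    gateway performs the remaining functions and forwards only if all are safe."""
    # Unknown resource type: treat as needing every function (constructed, fail closed).
    pending = POLICIES.get(resource_type, ALL_FUNCTIONS)
    if requested_by_terminal:
        first = pending & frozenset(terminal_functions)
    else:
        # Server-initiated traffic: the gateway performs all pending functions itself.
        first = frozenset()
    decision = Decision(pending=pending, first=first, second=pending - first)
    for name in sorted(decision.second):
        engine = DETECTORS.get(name)
        # No engine for a required function on this gateway: record it as
        # dangerous rather than silently skipping it (constructed choice).
        decision.results[name] = engine(url, payload) if engine else False
    # all() of an empty dict is True, which is exactly case 1.
    decision.forward = all(decision.results.values())
    return decision


if __name__ == "__main__":
    d = decide("pdf", "https://files.example/report.pdf", b"%PDF-1.7 ...",
               {"IPS", "AV", "AIE"})
    print("first:", sorted(d.first), "second:", sorted(d.second), "forward:", d.forward)
```

With the FIG. 1 figures (pending IPS/AV/URL/AIE/SA, terminal IPS/AV/AIE) the gateway performs only URL and SA and forwards the message when both are safe.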
Continuing with FIG. 2, the method provided by the embodiment of this application further includes step 204.
Step 204: the terminal device receives the first message sent by the security device.
Here, the security device is deployed at the boundary between the external network and the internal network; the first message carries a resource provided by a server of the external network in response to the terminal device's request; the first message is one on which the security device has not performed the first CSB detection function; and the CSB detection functions of the terminal device include the first CSB detection function.
For example, in the scenario shown in FIG. 1, the CSB detection functions to be executed for the first message include an IPS detection function, an AV detection function, a URL detection function, an AIE detection function and an SA detection function; the CSB detection functions of terminal device 102B include an IPS detection function, an AV detection function and an AIE detection function, which are respectively the same as the IPS, AV and AIE detection functions among the CSB detection functions of security device 101. The first CSB detection function therefore includes the IPS, AV and AIE detection functions, and the second CSB detection function includes the URL and SA detection functions. Terminal device 102B receives the first message sent by security device 101, on which security device 101 has performed the URL detection function and the SA detection function but not the IPS, AV or AIE detection functions.
Step 205: the terminal device performs the first CSB detection function on the first message.
In one possible implementation, the terminal device performs on the first message the CSB detection functions that it has. In other words, the terminal device by default performs all of its own CSB detection functions on every message it receives.
In one possible implementation, before performing the first CSB detection function on the first message, the terminal device determines the CSB detection functions to be executed for the first message and determines the first CSB detection function from its own CSB detection functions and the CSB detection functions to be executed for the first message.
For example, the terminal device stores multiple CSB detection policies, each corresponding to one resource type and each including at least one CSB detection function. Determining the CSB detection functions to be executed for the first message then includes: the terminal device obtains the resource type of the resource carried by the first message, looks up the CSB detection policy corresponding to that resource type, and takes the CSB detection functions included in that policy as the CSB detection functions to be executed for the first message. For example, the CSB detection policies stored on the terminal device are the same as those stored on the security device in step 202.
After determining the first CSB detection function, the terminal device performs the first CSB detection function on the first message.
In another possible implementation, before performing the first CSB detection function on the first message, the terminal device receives indication information sent by the security device that indicates the first CSB detection function; the terminal device obtains the first CSB detection function from that indication information and then performs it on the first message.
Before performing the first CSB detection function on the first message, the terminal device may also check whether the received first message is one part of a message (or of data or a file) transmitted in segments; if so, the terminal device reassembles the multiple first messages into a single message and performs the first CSB detection function on the reassembled message. How the terminal device detects that the first message is part of a segmented transmission, and how it reassembles the multiple first messages, is not limited in the embodiments of this application.
In one possible implementation, before providing the CSB detection function information corresponding to the terminal device to other devices, the terminal device sends authentication information to a login authentication device, so that the login authentication device performs login authentication of the terminal device joining the internal network based on that information. Login authentication modes include, but are not limited to, any of local authentication, server authentication and certificate authentication. The internal network may be accessed locally through the enterprise's internal network hardware or remotely through a virtual private network (VPN). The three login authentication modes are described in turn below.
Login authentication mode one: the terminal device performs login authentication by local authentication.
For example, if the security device has the function of a login authentication device, that is, the security device is the login authentication device, the terminal device can perform login authentication by local authentication. In that case, before providing the CSB detection function information corresponding to the terminal device to other devices, the terminal device sends a login request including user information to the security device and receives the authentication result that the security device sends based on that user information, the result indicating whether the terminal device logged in successfully. The user information may include a user name and a password.
Login authentication mode two: the terminal device performs login authentication by server authentication.
For example, if the login authentication device is a device other than the security device and the terminal device, the terminal device can perform login authentication by server authentication.
In one possible implementation, before providing the CSB detection function information corresponding to the terminal device to other devices, the terminal device sends a login request including user information to the login authentication device and receives the authentication result that the login authentication device sends based on that user information, the result indicating whether the terminal device logged in successfully. The user information may include a user name and a password.
In another possible implementation, before providing the CSB detection function information corresponding to the terminal device to other devices, the terminal device sends a login request including user information to the security device; based on that login request the security device sends a login authentication request to the login authentication device, so that the login authentication device performs login authentication of the terminal device based on the user information; the terminal device then receives the authentication result from the security device, which is the result generated by the login authentication device from the user information and indicates whether the terminal device logged in successfully. The user information may include a user name and a password.
Login authentication mode three: the terminal device performs login authentication by certificate authentication.
Whether the login authentication device is the security device or a device other than the security device and the terminal device, the terminal device can perform login authentication by certificate authentication. For example, before providing the CSB detection function information corresponding to the terminal device to other devices, the terminal device sends a login request including its local certificate to the login authentication device and receives the authentication result that the login authentication device sends based on that certificate, the result indicating whether the terminal device logged in successfully. Because the terminal device can complete login authentication in different ways, its login authentication is flexible.
Whichever of the above login authentication modes is used, the terminal device provides the CSB detection function information corresponding to it to other devices only in response to a successful login. For example, in response to an unsuccessful login, the terminal device does not carry out this message processing method. Furthermore, local authentication, server authentication and certificate authentication are only the login authentication modes given as examples in this application; the terminal device may also use other login authentication modes, and the embodiments of this application do not limit this.
The terminal device's login authentication step corresponds to the terminal device login authentication shown in FIG. 3. Note that, as shown in FIG. 3, if the login authentication device is a device other than the security device and the terminal device, the security device may also perform login authentication in order to join the internal network, using any of local authentication, server authentication or certificate authentication. The security device may of course also use other login authentication modes, which the embodiments of this application do not limit.
With the method provided by the embodiments of this application, for a first message intercepted on its way from the external network to the internal network, when the terminal device has all or part of the CSB detection functions to be executed for that first message, the security device omits performing those functions on the first message. This reduces the device resources the security device occupies when performing CSB detection functions and thereby lowers the performance requirements that CSB detection places on the security device. Moreover, because the method reduces the device resources occupied by CSB detection, the security device's unoccupied resources can be used for other functions, improving its performance.
另外,终端设备接收到安全设备发送的第一报文之后,终端设备能够对该第一报文执行第一CSB检测功能,以实现执行第一报文对应的全部待执行的CSB检测,保证了第一报文的安全性。此外,终端设备能够将分段传输的报文进行拼接,对拼接后的报文执行第一CSB检测功能。由于分段传输的报文仅包括部分内容,对该分段传输的报文分别执行第一CSB检测功能可能存在威胁未检出的情况。终端设备将分段传输的报文进行拼接,对拼接后的报文执行第一CSB检测功能提高了CSB检测效果。In addition, after the terminal device receives the first message sent by the security device, the terminal device can perform the first CSB detection function on the first message, so as to implement all pending CSB detections corresponding to the first message, ensuring Security of the first message. In addition, the terminal device can splice the packets transmitted in segments, and perform the first CSB detection function on the spliced packets. Since the segmented transmitted message only includes part of the content, threats may not be detected when the first CSB detection function is respectively performed on the segmented transmitted message. The terminal device splices the packets transmitted in segments, and performs the first CSB detection function on the spliced packets to improve the CSB detection effect.
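The splicing point above is worth seeing in code. The following is an added example, not code from the patent: a small reassembler keyed by byte offset (as a TCP stream reassembler keys by sequence number), a constructed pattern-matching detection function standing in for the first CSB detection function, and a constructed sample in which a pattern straddles a segment boundary and the segments arrive out of order with a retransmission. The signature strings, segment layout and function names are all assumptions for this example.

```python
"""Reassemble segmented packets before running a content-detection pass.

Added example (not from the patent). Shows why the terminal device splices
segments before applying a detection function: a pattern split across two
segments is invisible to a per-segment scan and visible to a scan of the
spliced payload. Signatures, segments and API names are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed signature set: stands in for a pattern-based engine
# (antivirus / IPS style). Not real detection content.
SIGNATURES = [b"MALWARE-TEST-PATTERN", b"EVIL-MACRO"]


def scan(payload: bytes, signatures=SIGNATURES) -> List[bytes]:
    """Return the signatures present in a payload."""
    return [s for s in signatures if s in payload]


def scan_per_segment(segments: List[Tuple[int, bytes]]) -> List[bytes]:
    """Naive approach: scan each segment on its own and union the hits.
    A pattern that crosses a segment boundary is never seen whole."""
    hits: List[bytes] = []
    for _offset, data in segments:
        for s in scan(data):
            if s not in hits:
                hits.append(s)
    return hits


def reassemble(segments: List[Tuple[int, bytes]]) -> Optional[bytes]:
    """Splice (offset, data) segments into one contiguous payload.

    Out-of-order and duplicate segments are tolerated (first copy wins);
    overlapping bytes are trimmed. A hole means the payload is incomplete,
    so None is returned rather than scanning a payload with gaps."""
    buf: Dict[int, bytes] = {}
    for offset, data in segments:
        buf.setdefault(offset, data)  # keep the first copy of a retransmission
    out = bytearray()
    expected = 0
    for offset in sorted(buf):
        data = buf[offset]
        if offset > expected:
            return None  # missing segment: cannot splice yet
        end = offset + len(data)
        if end > expected:
            out += data[expected - offset:]  # drop bytes already present
            expected = end
    return bytes(out)


def scan_reassembled(segments: List[Tuple[int, bytes]]) -> Optional[List[bytes]]:
    """Splice first, then scan once; None if the stream is incomplete."""
    payload = reassemble(segments)
    return None if payload is None else scan(payload)


# Constructed sample: "MALWARE-TEST-PATTERN" split across two segments,
# delivered out of order, with the first segment retransmitted once.
SAMPLE_SEGMENTS = [
    (17, b"PATTERN rest of document"),
    (0, b"doc:MALWARE-TEST-"),
    (0, b"doc:MALWARE-TEST-"),  # duplicate
]

if __name__ == "__main__":
    print("per-segment  :", scan_per_segment(SAMPLE_SEGMENTS))
    print("reassembled  :", scan_reassembled(SAMPLE_SEGMENTS))
```

The per-segment scan reports nothing for the sample, while the spliced scan reports the pattern; an incomplete stream (a hole between offsets) is reported as unscannable instead of being passed as clean.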
The packet processing method provided in the embodiments of this application is described below using the following three scenarios as examples.
Scenario 1: the terminal device performs login authentication by local authentication or server authentication, and the security device queries the capability management device for the CSB detection functions the terminal device has.
In one possible implementation, the function of the login authentication device is integrated into the security device, that is, the login authentication function is implemented by the security device. In another possible implementation, the login authentication function and the capability management function are implemented by the same device, that is, that device is both the login authentication device and the capability management device. In another possible implementation, the login authentication function and the capability management function are implemented by two devices other than the security device, that is, the security device, the login authentication device and the capability management device are three different devices.
For example, the embodiments of this application are described taking the case in which the login authentication function is implemented by the login authentication device and the capability management function is implemented by the capability management device. The packet processing method provided in this embodiment is shown in FIG. 4 and includes, but is not limited to, step 401 to step 422.
Step 401: the terminal device sends a login request to the login authentication device, the login request including user information.
For example, the user information included in the login request includes a user name and a password.
Step 402: the login authentication device performs login authentication on the terminal device based on the user information.
Step 403: the login authentication device sends the authentication result to the terminal device.
For step 401 to step 403, refer to the description of local authentication and server authentication above; details are not repeated here.
Step 404: in response to the authentication result being that authentication passed, the login authentication device sends the user information to the security device.
For example, the user information is used by the terminal device to perform login authentication by local authentication. After the terminal device has logged in successfully, step 405 is performed.
Step 405: the terminal device provides the CSB detection function information corresponding to the terminal device to the capability management device.
Step 406: the capability management device stores the CSB detection function information corresponding to the terminal device and the identity key of the terminal device.
For example, the identity key of the terminal device includes a random ID of the terminal device. For example, step 406 includes: the capability management device stores the CSB detection function information corresponding to the terminal device, and generates and stores the random ID of the terminal device.
Step 407: the capability management device sends the first result or the second result, together with the random ID of the terminal device, to the terminal device.
Step 408: the terminal device saves its random ID.
It should be noted that for step 405 to step 407, refer to the description above of the terminal device providing the CSB detection function information corresponding to the terminal device to the capability management device; details are not repeated here.
Step 409: the terminal device sends a second packet to a server on the external network.
The second packet includes the identity key of the terminal device, and the second packet is used to request a resource provided by the server on the external network.
Step 410: after intercepting the second packet, the security device sends a query request to the capability management device.
Step 411: in response to the query request, the capability management device sends the CSB detection function information corresponding to the terminal device to the security device.
Step 412: the security device forwards the second packet to the server on the external network.
Step 413: in response to the second packet, the server on the external network sends a first packet to the terminal device.
It should be noted that for step 409 to step 413, refer to the description of step 200 and step 201 above; details are not repeated here.
Step 414: after intercepting the first packet, the security device determines the CSB detection functions to be performed for the first packet.
Step 415: the security device determines the CSB detection functions the terminal device has.
In response to the terminal device having a first CSB detection function and the first CSB detection function being all of the CSB detection functions to be performed for the first packet, step 416 and step 417 are performed. In response to the terminal device having a first CSB detection function and the first CSB detection function being part of the CSB detection functions to be performed for the first packet, step 418 to step 420 are performed. In response to the terminal device not having the first CSB detection function, step 421 and step 422 are performed.
Step 416: in response to the terminal device having the first CSB detection function and the first CSB detection function being all of the CSB detection functions to be performed for the first packet, the security device sends the first packet to the terminal device.
Step 417: the terminal device performs the first CSB detection function on the first packet.
Step 418: in response to the terminal device having the first CSB detection function and the first CSB detection function being part of the CSB detection functions to be performed for the first packet, the security device performs a second CSB detection function on the first packet, the second CSB detection function being the CSB detection functions to be performed for the first packet other than the first CSB detection function.
Step 419: in response to the detection result of the security device performing the second CSB detection function on the first packet being safe, the security device sends the first packet to the terminal device.
Step 420: the terminal device performs the first CSB detection function on the first packet.
Step 421: in response to the terminal device not having the first CSB detection function, the security device performs all of the CSB detection functions to be performed on the first packet.
Step 422: in response to the detection result of the security device performing all of the CSB detection functions to be performed on the first packet being safe, the security device sends the first packet to the terminal device.
For step 414 to step 422, refer to the description of step 202 and step 203 above; details are not repeated here.
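The three branches of step 414 to step 422 (all functions delegated, part delegated, none delegated) reduce to a set computation over the functions the packet requires and the functions the terminal registered. The following is an added example, not the patent's own code: it models the capability management device of step 406 and step 411 as an in-memory store keyed by a generated random ID, the to-be-executed CSB functions of step 414 as a constructed policy keyed by the resource's content type, and the gateway's local engines as constructed marker checks. The policy table, the function names, `CapabilityManager`, `plan_detection`, `handle_first_packet` and the sample packets are all assumptions for this example.

```python
"""Security-device decision for steps 414 to 422 (scenario 1).

Added example, not from the patent. The capability management device is an
in-memory store keyed by random ID (steps 406/407/411); the functions a
packet requires come from a constructed policy (step 414); the split into
the first (delegated) and second (gateway-run) CSB detection functions
follows steps 415 to 422. Names, policy and samples are assumptions.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed policy: CSB detection functions required per resource type.
POLICY: Dict[str, FrozenSet[str]] = {
    "application/octet-stream": frozenset({"antivirus", "ips"}),
    "text/html": frozenset({"url-filter", "ips"}),
    "image/png": frozenset(),
}

# Constructed stand-in for the gateway's engines: a function flags the
# payload if its marker string is present. Not real detection content.
MARKERS = {
    "antivirus": b"AV-TEST-HIT",
    "ips": b"IPS-TEST-HIT",
    "url-filter": b"URL-TEST-HIT",
}


class CapabilityManager:
    """Capability management device: stores each terminal's CSB detection
    functions under a random identity key and answers the gateway's query."""

    def __init__(self) -> None:
        self._store: Dict[str, FrozenSet[str]] = {}

    def register(self, functions: Set[str]) -> str:
        random_id = secrets.token_hex(8)  # generated and stored (step 406)
        self._store[random_id] = frozenset(functions)
        return random_id  # returned to the terminal (step 407)

    def lookup(self, random_id: str) -> Optional[FrozenSet[str]]:
        return self._store.get(random_id)  # step 411


@dataclass
class Plan:
    delegated: FrozenSet[str]  # first CSB detection function(s): terminal runs them
    local: FrozenSet[str]      # second CSB detection function(s): gateway runs them
    branch: str                # "all" (step 416), "part" (step 418) or "none" (step 421)


def plan_detection(required: FrozenSet[str],
                   terminal_caps: Optional[FrozenSet[str]]) -> Plan:
    """Decide which required functions the gateway may omit (step 415)."""
    caps = terminal_caps or frozenset()  # unknown terminal: assume no capability
    delegated = required & caps
    local = required - caps
    if required and delegated == required:
        branch = "all"
    elif delegated:
        branch = "part"
    else:
        branch = "none"
    return Plan(delegated, local, branch)


def run_locally(functions: FrozenSet[str], payload: bytes) -> bool:
    """Run the gateway's share of the functions; True means 'safe'."""
    return all(MARKERS[f] not in payload for f in functions)


def handle_first_packet(cm: CapabilityManager, identity_key: str,
                        content_type: str, payload: bytes) -> dict:
    """Steps 414 to 422 for one intercepted first packet."""
    required = POLICY.get(content_type, frozenset(MARKERS))  # unknown type: run all
    plan = plan_detection(required, cm.lookup(identity_key))
    safe = run_locally(plan.local, payload)
    return {
        "branch": plan.branch,
        "gateway_runs": sorted(plan.local),
        "terminal_runs": sorted(plan.delegated),
        "forwarded": safe,  # steps 416/419/422: forward only on a safe local result
    }


def demo() -> List[dict]:
    cm = CapabilityManager()
    full = cm.register({"antivirus", "ips", "url-filter"})
    partial = cm.register({"antivirus"})
    return [
        handle_first_packet(cm, full, "application/octet-stream", b"clean"),
        handle_first_packet(cm, partial, "application/octet-stream", b"clean"),
        handle_first_packet(cm, "not-registered", "application/octet-stream", b"clean"),
        handle_first_packet(cm, partial, "application/octet-stream", b"IPS-TEST-HIT"),
    ]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

A terminal whose identity key is not in the store is treated as having no capability, so the gateway runs every required function itself; that is the safe default for the "none" branch rather than forwarding unchecked.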
Scenario 2: the terminal device performs login authentication by certificate authentication, and the security device queries the capability management device for the CSB detection functions the terminal device has.
In one possible implementation, the function of the login authentication device is integrated into the security device, that is, the login authentication function is implemented by the security device. In another possible implementation, the login authentication function and the capability management function are implemented by the same device, that is, that device is both the login authentication device and the capability management device. In another possible implementation, the login authentication function and the capability management function are implemented by two devices other than the security device, that is, the security device, the login authentication device and the capability management device are three different devices.
For example, this embodiment is described taking the case in which the login authentication function is implemented by the security device and the capability management function is implemented by the capability management device. The packet processing method provided in this embodiment is shown in FIG. 5 and includes, but is not limited to, step 501 to step 521.
Step 501: the terminal device sends a login request to the security device, the login request including the local certificate of the terminal device.
Step 502: the security device performs login authentication on the terminal device based on the local certificate of the terminal device.
For example, the security device performing login authentication on the terminal device based on the local certificate of the terminal device includes, but is not limited to, step 1 to step 3.
Step 1: the security device receives the local certificate of the terminal device sent by the terminal device.
Step 2: the security device invokes the certificate authority (CA) certificate of the security device.
Step 3: the security device verifies the local certificate of the terminal device based on the CA certificate of the security device and obtains a verification result.
For example, as shown in FIG. 6, the terminal device sends the local certificate of the terminal device to the security device; the security device invokes the CA certificate of the security device, which is stored in the certificate module of the security device and was issued by the CA; the security device verifies the local certificate of the terminal device against the CA certificate of the security device; and the security device sends the verification result to the terminal device.
Step 503: in response to the verification result being trusted, the security device adds user information.
For example, the user information is used by the terminal device to perform login authentication by local authentication. After the security device has performed login authentication on the terminal device based on the local certificate of the terminal device, step 504 is performed.
Step 504: the security device sends the authentication result to the terminal device.
It should be noted that step 501 to step 504 correspond to the description of certificate authentication above; details are not repeated here.
After the terminal device has logged in successfully, step 505 is performed.
Step 505: the terminal device provides the CSB detection function information corresponding to the terminal device and the local certificate of the terminal device to the capability management device.
For example, the local certificate includes user information, and the user information is used as the identity key of the terminal device.
Step 506: the capability management device stores the CSB detection function information corresponding to the terminal device and the identity key of the terminal device.
For example, the identity key of the terminal device includes the user information in the local certificate of the terminal device.
Step 507: the capability management device sends the first result or the second result to the terminal device.
It should be noted that for step 505 to step 507, refer to the description above of the terminal device providing the CSB detection function information corresponding to the terminal device to the capability management device; details are not repeated here.
Step 508: the terminal device sends a second packet to a server on the external network.
The second packet includes the identity key of the terminal device, and the second packet is used to request a resource provided by the server on the external network.
Step 509: after intercepting the second packet, the security device sends a query request to the capability management device.
Step 510: in response to the query request, the capability management device sends the CSB detection function information corresponding to the terminal device to the security device.
Step 511: the security device forwards the second packet to the server on the external network.
Step 512: in response to the second packet, the server on the external network sends a first packet to the terminal device.
It should be noted that for step 508 to step 512, refer to the description of step 200 and step 201 above; details are not repeated here.
Step 513: after intercepting the first packet, the security device determines the CSB detection functions to be performed for the first packet.
Step 514: the security device determines the CSB detection functions the terminal device has.
In response to the terminal device having a first CSB detection function and the first CSB detection function being all of the CSB detection functions to be performed for the first packet, step 515 and step 516 are performed. In response to the terminal device having a first CSB detection function and the first CSB detection function being part of the CSB detection functions to be performed for the first packet, step 517 to step 519 are performed. In response to the terminal device not having the first CSB detection function, step 520 and step 521 are performed.
Step 515: in response to the terminal device having the first CSB detection function and the first CSB detection function being all of the CSB detection functions to be performed for the first packet, the security device sends the first packet to the terminal device.
Step 516: the terminal device performs the first CSB detection function on the first packet.
Step 517: in response to the terminal device having the first CSB detection function and the first CSB detection function being part of the CSB detection functions to be performed for the first packet, the security device performs a second CSB detection function on the first packet, the second CSB detection function being the CSB detection functions to be performed for the first packet other than the first CSB detection function.
Step 518: in response to the detection result of the security device performing the second CSB detection function on the first packet being safe, the security device sends the first packet to the terminal device.
Step 519: the terminal device performs the first CSB detection function on the first packet.
Step 520: in response to the terminal device not having the first CSB detection function, the security device performs all of the CSB detection functions to be performed on the first packet.
Step 521: in response to the detection result of the security device performing all of the CSB detection functions to be performed on the first packet being safe, the security device sends the first packet to the terminal device.
Step 513 to step 521 follow the same principle as step 414 to step 422 above; details are not repeated here.
Scenario 3: the security device obtains the CSB detection function information corresponding to the terminal device, sent by the terminal device itself.
In one possible implementation, the function of the capability management device is integrated into the security device, that is, the capability management function is implemented by the security device. For example, the description takes the case in which the terminal device accesses the internal network remotely, the terminal device establishes a secure sockets layer (SSL) connection with the security device, and the terminal device sends the second packet to the server on the external network over HTTPS. The packet processing method provided in this embodiment is shown in FIG. 7 and includes, but is not limited to, step 701 to step 718.
Step 701: the terminal device establishes an SSL connection with the security device.
In one possible implementation, the terminal device authenticates the security device one-way, and in response to the authentication passing, the terminal device establishes an SSL connection with the security device. In another possible implementation, the terminal device and the security device authenticate each other mutually, and in response to the authentication passing, the terminal device establishes an SSL connection with the security device.
The authentication process involved here is similar to step 503 in FIG. 5 or the description of FIG. 6; for the specific process, refer to the description of FIG. 5 or FIG. 6, which is not detailed again here.
Whichever way the SSL connection is established, an encrypted communication channel is set up between the terminal device and the security device over the SSL connection. Therefore, packet transmission between the terminal device and the security device over this encrypted channel is relatively secure.
Step 702: the terminal device sends a login request to the security device.
Step 703: the security device forwards the login request to the login authentication device.
Step 704: the login authentication device sends the authentication result of the terminal device to the security device.
Step 705: the security device forwards the authentication result to the terminal device.
For step 702 to step 705, refer to the description of server authentication above; details are not repeated here.
It should be noted that if the terminal device does not need to establish an SSL connection with the security device, the terminal device may perform login authentication by local authentication, server authentication, certificate authentication or another login authentication method. For the terminal device login authentication steps, refer to the description of the login authentication methods above; details are not repeated here.
After the terminal device has logged in successfully, step 706 is performed.
Step 706: the terminal device sends a second packet to a server on the external network.
The second packet carries the CSB detection function information corresponding to the terminal device, and the second packet is used to request a resource provided by the server on the external network.
Step 707: after intercepting the second packet, the security device obtains the CSB detection function information corresponding to the terminal device from it.
Step 708: the security device forwards the second packet to the server on the external network.
Step 709: in response to the second packet, the server on the external network sends a first packet to the terminal device.
It should be noted that for step 706 to step 709, refer to the description of step 200 and step 201 above; details are not repeated here.
Step 710: after intercepting the first packet, the security device determines the CSB detection functions to be performed for the first packet.
Step 711: the security device determines the CSB detection functions the terminal device has.
In response to the terminal device having a first CSB detection function and the first CSB detection function being all of the CSB detection functions to be performed for the first packet, step 712 and step 713 are performed. In response to the terminal device having a first CSB detection function and the first CSB detection function being part of the CSB detection functions to be performed for the first packet, step 714 to step 716 are performed. In response to the terminal device not having the first CSB detection function, step 717 and step 718 are performed.
Step 712: in response to the terminal device having the first CSB detection function and the first CSB detection function being all of the CSB detection functions to be performed for the first packet, the security device sends the first packet to the terminal device.
Step 713: the terminal device performs the first CSB detection function on the first packet.
Step 714: in response to the terminal device having the first CSB detection function and the first CSB detection function being part of the CSB detection functions to be performed for the first packet, the security device performs a second CSB detection function on the first packet, the second CSB detection function being the CSB detection functions to be performed for the first packet other than the first CSB detection function.
Step 715: in response to the detection result of the security device performing the second CSB detection function on the first packet being safe, the security device sends the first packet to the terminal device.
Step 716: the terminal device performs the first CSB detection function on the first packet.
Step 717: in response to the terminal device not having the first CSB detection function, the security device performs all of the CSB detection functions to be performed on the first packet.
Step 718: in response to the detection result of the security device performing all of the CSB detection functions to be performed on the first packet being safe, the security device sends the first packet to the terminal device.
Step 710 to step 718 follow the same principle as step 414 to step 422 above; details are not repeated here.
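In scenario 3 the capability information travels inside the second packet (step 706) rather than being looked up at a separate capability management device, so the security device has to parse it out of the request it intercepts (step 707). The following is an added example, not the patent's code, showing one way to do that for the HTTPS case of step 701: the terminal advertises its functions in a request header, and the gateway accepts the advertisement only from a session that completed the login of step 702 to step 705 and only for function names it knows. The header name `X-CSB-Functions`, the known-function list, the `SecurityDevice` class and the sample request are assumptions for this example; the page does not specify how the information is encoded in the packet.

```python
"""Scenario 3: CSB capability information carried in the second packet.

Added example, not from the patent. Assumes the terminal advertises its CSB
detection functions in a hypothetical HTTP header X-CSB-Functions sent over
the SSL connection of step 701. The security device (acting as capability
management device) only honours the advertisement for a logged-in session
and only for function names on its allowlist. Names and samples are
constructed.
"""
from typing import Dict, FrozenSet, Optional, Tuple

CSB_HEADER = "x-csb-functions"  # hypothetical header name (assumption)
KNOWN_FUNCTIONS = frozenset({"antivirus", "ips", "url-filter"})  # constructed


def parse_http_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Minimal HTTP/1.1 request-head parser: request line plus lowercased headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line, headers = lines[0], {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def extract_csb_functions(headers: Dict[str, str]) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Split the advertised names into (accepted, rejected) against the allowlist,
    so an unknown or mistyped name can never count as a capability."""
    raw = headers.get(CSB_HEADER, "")
    names = {n.strip().lower() for n in raw.split(",") if n.strip()}
    return frozenset(names & KNOWN_FUNCTIONS), frozenset(names - KNOWN_FUNCTIONS)


class SecurityDevice:
    """Gateway that also holds the capability store (scenario 3)."""

    def __init__(self) -> None:
        self.logged_in: Dict[str, bool] = {}  # session id -> result of step 705
        self.capabilities: Dict[str, FrozenSet[str]] = {}

    def record_login(self, session_id: str, passed: bool) -> None:
        self.logged_in[session_id] = passed

    def intercept_second_packet(self, session_id: str, raw: bytes) -> Optional[FrozenSet[str]]:
        """Step 707: learn the terminal's functions from its request.

        Returns the accepted set, or None when the session never logged in;
        in that case nothing is recorded and the gateway will run every
        required function itself for this session's first packet."""
        if not self.logged_in.get(session_id, False):
            return None
        _line, headers = parse_http_request(raw)
        accepted, _rejected = extract_csb_functions(headers)
        self.capabilities[session_id] = accepted
        return accepted


# Constructed sample request as the terminal would send it through the SSL tunnel.
SAMPLE_REQUEST = (
    b"GET /files/report.bin HTTP/1.1\r\n"
    b"Host: files.example\r\n"
    b"X-CSB-Functions: antivirus, IPS, not-a-real-engine\r\n"
    b"\r\n"
)


def demo() -> dict:
    gw = SecurityDevice()
    gw.record_login("sess-1", True)
    gw.record_login("sess-2", False)
    return {
        "authenticated": gw.intercept_second_packet("sess-1", SAMPLE_REQUEST),
        "unauthenticated": gw.intercept_second_packet("sess-2", SAMPLE_REQUEST),
        "rejected": extract_csb_functions(parse_http_request(SAMPLE_REQUEST)[1])[1],
    }


if __name__ == "__main__":
    print(demo())
```

Binding the accepted set to the authenticated session, rather than to anything the request claims about itself, is what keeps the delegation decision of step 711 tied to the login of step 702 to step 705.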
图8是本申请实施例提供的一种报文处理装置的结构示意图,该装置应用于安全设备,该安全设备为上述图2-7所示的安全设备。基于图8所示的如下多个模块,该图8所示的报文处理装置能够执行安全设备所执行的全部或部分操作。例如,具有图8所示结构的报文处理装置实现上述各实施例描述的方案中安全设备的功能。可选地,该报文处理装置是图2-7相关实施例 中描述的安全设备的功能,能够省略对第一报文执行第一CSB检测功能,降低执行CSB检测功能时的设备资源占用,从而降低执行CSB检测功能对性能的要求。应理解到,该装置可以包括比所示模块更多的附加模块或者省略其中所示的一部分模块,本申请实施例对此并不进行限制。如图8所示,该装置包括:FIG. 8 is a schematic structural diagram of a message processing device provided by an embodiment of the present application. The device is applied to a security device, and the security device is the security device shown in FIGS. 2-7 above. Based on the following multiple modules shown in FIG. 8 , the packet processing apparatus shown in FIG. 8 can perform all or part of the operations performed by the security device. For example, the message processing device with the structure shown in FIG. 8 implements the functions of the security device in the solutions described in the above embodiments. Optionally, the message processing device is a function of the security device described in the related embodiments of FIG. 2-7, which can omit performing the first CSB detection function on the first message, and reduce the equipment resource occupation when performing the CSB detection function. In this way, performance requirements for performing the CSB detection function are reduced. It should be understood that the device may include more additional modules than those shown or omit some of the modules shown therein, which is not limited in this embodiment of the present application. As shown in Figure 8, the device includes:
an acquisition module 801, configured to intercept a first packet sent by an external network to an internal network, where the first packet carries a resource provided by a server of the external network according to a request of a terminal device of the internal network;
a determination module 802, configured to determine the CSB detection functions to be executed that correspond to the first packet;
a processing module 803, configured to, in response to the terminal device having a first CSB detection function, omit performing the first CSB detection function on the first packet before forwarding the first packet to the terminal device, where the first CSB detection function is all or part of the CSB detection functions to be executed that correspond to the first packet.
In a possible implementation, the first CSB detection function is part of the CSB detection functions to be executed that correspond to the first packet, and the processing module 803 is further configured to perform a second CSB detection function on the first packet, where the second CSB detection function is the function, among the CSB detection functions to be executed that correspond to the first packet, other than the first CSB detection function.
In a possible implementation, the acquisition module 801 is further configured to intercept a second packet sent by the terminal device, where the second packet requests a resource provided by a server of the external network, and to obtain, based on the second packet, the CSB detection functions that the terminal device has; the determination module 802 is further configured to determine, according to the CSB detection functions that the terminal device has and the CSB detection functions to be executed that correspond to the first packet, that the terminal device has the first CSB detection function.
In a possible implementation, the second packet includes an identity key of the terminal device, and the acquisition module 801 is configured to obtain the identity key of the terminal device included in the second packet by parsing the second packet, and to obtain, according to the identity key of the terminal device, the CSB detection functions that the terminal device has.
In a possible implementation, the acquisition module 801 is configured to send a query request to a capability management device, where the capability management device stores CSB detection function information corresponding to the terminal device, the query request carries the identity key of the terminal device, and the CSB detection function information corresponding to the terminal device indicates the CSB detection functions that the terminal device has; to receive the CSB detection function information corresponding to the terminal device that the capability management device sends in response to the query request; and to determine, according to the CSB detection function information, the CSB detection functions that the terminal device has.
In a possible implementation, the acquisition module 801 is configured to send the query request to the capability management device based on HTTP, HTTPS, or an API.
In a possible implementation, the acquisition module 801 is configured to query, according to the identity key of the terminal device, a correspondence between identity keys and CSB detection functions stored on the security device, and to obtain the CSB detection functions corresponding to the identity key of the terminal device.
In a possible implementation, the identity key includes at least one of a random ID, an IP address, or user information in a local certificate.
In a possible implementation, the second packet carries the CSB detection function information corresponding to the terminal device, and the acquisition module 801 is configured to obtain the CSB detection function information corresponding to the terminal device carried in the second packet by parsing the second packet, and to determine, according to that CSB detection function information, the CSB detection functions that the terminal device has.
In a possible implementation, the CSB detection functions to be executed include at least one of an IPS detection function, an AV detection function, a URL detection function, an AIE detection function, or an SA detection function.
In a possible implementation, the terminal device is a device that has completed login authentication, and the login authentication manner includes any one of local authentication, server authentication, or certificate authentication.
FIG. 9 is a schematic structural diagram of a packet processing apparatus provided by an embodiment of the present application. The apparatus is applied to a terminal device, which is the terminal device shown in FIGS. 2-7 above. Based on the following modules shown in FIG. 9, the packet processing apparatus shown in FIG. 9 can perform all or part of the operations performed by the terminal device. For example, the packet processing apparatus with the structure shown in FIG. 9 implements the functions of the terminal device in the solutions described in the above embodiments. Optionally, the packet processing apparatus implements the functions of the terminal device described in the embodiments related to FIGS. 2-7, and can perform the first CSB detection function on the received first packet. It should be understood that the apparatus may include additional modules beyond those shown, or omit some of the modules shown, which is not limited in this embodiment of the present application. As shown in FIG. 9, the apparatus includes:
a supply module 901, configured to provide other devices with CSB detection function information corresponding to the terminal device, where the CSB detection function information corresponding to the terminal device indicates the CSB detection functions that the terminal device has;
a receiving module 902, configured to receive a first packet sent by a security device, where the security device is deployed at the boundary between an external network and an internal network, the first packet carries a resource provided by a server of the external network according to a request of the terminal device, the first packet is a packet on which the security device has not performed a first CSB detection function, and the CSB detection functions that the terminal device has include the first CSB detection function;
a processing module 903, configured to perform the first CSB detection function on the first packet.
In a possible implementation, the supply module 901 is configured to send a third packet to a capability management device, where the third packet carries the CSB detection function information corresponding to the terminal device, and the capability management device stores the CSB detection function information corresponding to the terminal device.
In a possible implementation, the supply module 901 is configured to send a third packet to the security device, where the third packet carries the CSB detection function information corresponding to the terminal device, and the security device stores the CSB detection function information corresponding to the terminal device.
In a possible implementation, the supply module 901 is configured to send a second packet to a server of the external network, where the second packet requests a resource provided by the server of the external network, and the second packet carries the CSB detection function information corresponding to the terminal device.
In a possible implementation, the second packet is a packet transmitted based on HTTPS, and the CSB detection function information corresponding to the terminal device is carried in a Cookie, a URL parameter, an HTTPS header field, or an HTTPS custom field of the second packet.
In a possible implementation, the second packet is a packet transmitted based on HTTP, and the CSB detection function information corresponding to the terminal device is carried in a Cookie, an HTTP header field, or an HTTP custom field of the second packet.
In a possible implementation, the second packet is a packet transmitted based on FTP, and the CSB detection function information corresponding to the terminal device is carried in an FTP redundant field or an FTP custom field of the second packet.
In a possible implementation, the apparatus further includes a sending module, configured to send a second packet to a server of the external network, where the second packet requests a resource provided by the server of the external network, the second packet includes an identity key of the terminal device, and the identity key is used to obtain the CSB detection functions that the terminal device has.
In a possible implementation, in response to the other device being a capability management device, the receiving module 902 is further configured to receive a random ID of the terminal device sent by the capability management device, where the random ID of the terminal device serves as the identity key of the terminal device; or, in response to the other device being a security device, the receiving module 902 is further configured to receive a random ID of the terminal device sent by the security device, where the random ID of the terminal device serves as the identity key of the terminal device.
In a possible implementation, the third packet further includes the IP address of the terminal device, and the IP address of the terminal device serves as the identity key of the terminal device.
In a possible implementation, the third packet further includes a local certificate of the terminal device, and the user information in the local certificate of the terminal device serves as the identity key of the terminal device.
In a possible implementation, the CSB detection functions that the terminal device has include at least one of an IPS detection function, an AV detection function, a URL detection function, an AIE detection function, or an SA detection function.
In a possible implementation, the apparatus further includes a request module, configured to send a login request to the security device, where the login request includes user information, and to receive an authentication result sent by the security device based on the user information, where the authentication result indicates whether the terminal device has logged in successfully; in response to the terminal device logging in successfully, the supply module 901 performs the operation of providing other devices with the CSB detection function information corresponding to the terminal device.
In a possible implementation, the apparatus further includes a request module, configured to send a login request to a login authentication device, where the login request includes user information, and to receive an authentication result sent by the login authentication device based on the user information, where the authentication result indicates whether the terminal device has logged in successfully; in response to the terminal device logging in successfully, the supply module 901 performs the operation of providing other devices with the CSB detection function information corresponding to the terminal device.
In a possible implementation, the apparatus further includes a request module, configured to send a login request to a login authentication device, where the login request includes the local certificate of the terminal device, and to receive an authentication result sent by the login authentication device based on the local certificate of the terminal device, where the authentication result indicates whether the terminal device has logged in successfully; in response to the terminal device logging in successfully, the supply module 901 performs the operation of providing other devices with the CSB detection function information corresponding to the terminal device.
It should be understood that when the apparatuses provided in FIG. 8 and FIG. 9 implement their functions, the division into the functional modules above is only an example. In practical applications, the above functions may be allocated to different functional modules as needed, that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above. In addition, the apparatus embodiments and the method embodiments provided above belong to the same concept; their specific implementation process is described in detail in the method embodiments and is not repeated here.
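As an added example that is not code from the patent or the applicant, the following Python model shows the decision the security-device modules of FIG. 8 make (acquisition module 801, determination module 802, processing module 803) together with the terminal-side registration of FIG. 9 (supply module 901, gated on successful login authentication): the CSB functions a first packet requires are split into the first CSB function set, which is omitted because the terminal has it, and the second CSB function set, which the security device still runs. The header name `X-CSB-Capabilities` and the cookie key `csb_cap` are assumed encodings of the "custom field" and "Cookie" carriers the text mentions, not values the patent specifies.

```python
# Added example modelling the CSB offload decision described in the
# apparatus embodiments; not code from the patent or the applicant.

# The five CSB detection functions named in the text.
CSB_FUNCTIONS = frozenset({"IPS", "AV", "URL", "AIE", "SA"})

# Hypothetical carrier names for capability information in the second packet.
CAP_HEADER = "X-CSB-Capabilities"
CAP_COOKIE = "csb_cap"


def parse_capabilities(raw):
    """Parse a comma-separated capability list such as "IPS,AV".
    Names outside CSB_FUNCTIONS are dropped, so a malformed or unknown
    entry can never cause a required detection function to be skipped."""
    names = {part.strip().upper() for part in raw.split(",") if part.strip()}
    return frozenset(names & CSB_FUNCTIONS)


def capabilities_from_request(headers):
    """Capability information carried in the second packet itself, either in
    a custom header field or in a Cookie key (both names are assumptions).
    Returns None when the request carries no capability information."""
    raw = headers.get(CAP_HEADER)
    if raw is None:
        for part in headers.get("Cookie", "").split(";"):
            key, _, value = part.strip().partition("=")
            if key == CAP_COOKIE:
                raw = value
                break
    return parse_capabilities(raw) if raw is not None else None


class SecurityDevice:
    """Security device deployed at the boundary of the internal network."""

    def __init__(self):
        # identity key (random ID, IP address or certificate user info)
        # -> CSB detection functions the terminal reported
        self.capability_table = {}

    def register_capabilities(self, identity_key, raw_caps, login_succeeded):
        """Handle a third packet from a terminal. The text only has a terminal
        provide capability information after it has completed login
        authentication, so an unauthenticated registration is refused."""
        if not login_succeeded:
            return False
        self.capability_table[identity_key] = parse_capabilities(raw_caps)
        return True

    def terminal_capabilities(self, identity_key, request_headers):
        """Acquisition module 801: prefer capability information carried in
        the second packet; otherwise look the identity key up in the stored
        identity-key-to-CSB-function correspondence. An unknown terminal
        gets no capabilities, so nothing is offloaded to it."""
        caps = capabilities_from_request(request_headers)
        if caps is not None:
            return caps
        return self.capability_table.get(identity_key, frozenset())

    @staticmethod
    def plan_detection(required, terminal_caps):
        """Determination module 802 and processing module 803: split the CSB
        functions the first packet requires into the first CSB functions
        (present on the terminal, so omitted here) and the second CSB
        functions (everything else, which the security device still runs)."""
        required = frozenset(required) & CSB_FUNCTIONS
        first = required & terminal_caps
        second = required - first
        return first, second


def handle_first_packet(device, identity_key, request_headers, required):
    """End-to-end decision for one response packet: returns the set of CSB
    detection functions the security device executes before forwarding."""
    caps = device.terminal_capabilities(identity_key, request_headers)
    _first, second = device.plan_detection(required, caps)
    return second


if __name__ == "__main__":
    gw = SecurityDevice()
    # Constructed registration: terminal with random ID "rid-42" reports IPS and AV.
    gw.register_capabilities("rid-42", "IPS,AV", login_succeeded=True)
    # Constructed second packet carrying only the identity key, no capability info.
    print(handle_first_packet(gw, "rid-42", {"Host": "server.example"},
                              {"IPS", "AV", "URL"}))  # → frozenset({'URL'})
```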
Referring to FIG. 10, FIG. 10 shows a schematic structural diagram of a packet processing device 2000 provided by an exemplary embodiment of the present application. The packet processing device 2000 shown in FIG. 10 may be a security device or a terminal device, and is configured to perform the operations involved in the packet processing methods shown in FIGS. 2-7 above. The packet processing device 2000 is, for example, a switch or a router, and may be implemented by a general bus architecture.
As shown in FIG. 10, the packet processing device 2000 includes at least one processor 2001, a memory 2003, and at least one communication interface 2004.
The processor 2001 is, for example, a general-purpose central processing unit (CPU), a digital signal processor (DSP), a network processor (NP), a graphics processing unit (GPU), a neural-network processing unit (NPU), a data processing unit (DPU), a microprocessor, or one or more integrated circuits for implementing the solutions of the present application. For example, the processor 2001 includes an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or another programmable logic device, a transistor logic device, a hardware component, or any combination thereof. The PLD is, for example, a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof. It can implement or execute the various logic blocks, modules, and circuits described in connection with the disclosure of the embodiments of the present application. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor.
Optionally, the packet processing device 2000 further includes a bus. The bus transfers information between the components of the packet processing device 2000. The bus may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 10, but this does not mean that there is only one bus or one type of bus.
The memory 2003 is, for example, a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, and the like), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program instructions in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. The memory 2003 exists independently, for example, and is connected to the processor 2001 through the bus. The memory 2003 may also be integrated with the processor 2001.
The communication interface 2004 uses any transceiver-type apparatus to communicate with other devices or a communication network, where the communication network may be an Ethernet, a radio access network (RAN), a wireless local area network (WLAN), or the like. The communication interface 2004 may include a wired communication interface and may also include a wireless communication interface. Specifically, the communication interface 2004 may be an Ethernet interface, a fast Ethernet (FE) interface, a gigabit Ethernet (GE) interface, an asynchronous transfer mode (ATM) interface, a wireless local area network (WLAN) interface, a cellular network communication interface, or a combination thereof. The Ethernet interface may be an optical interface, an electrical interface, or a combination thereof. In this embodiment of the present application, the communication interface 2004 may be used by the packet processing device 2000 to communicate with other devices.
In a specific implementation, as an embodiment, the processor 2001 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 10. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor here may refer to one or more devices, circuits, and/or processing cores for processing data (for example, computer program instructions).
In a specific implementation, as an embodiment, the packet processing device 2000 may include multiple processors, such as the processor 2001 and the processor 2005 shown in FIG. 10. Each of these processors may be a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor here may refer to one or more devices, circuits, and/or processing cores for processing data (such as computer program instructions).
In a specific implementation, as an embodiment, the packet processing device 2000 may further include an output device and an input device. The output device communicates with the processor 2001 and can display information in multiple ways. For example, the output device may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, or a projector. The input device communicates with the processor 2001 and can receive user input in multiple ways. For example, the input device may be a mouse, a keyboard, a touch screen device, or a sensing device.
In some embodiments, the memory 2003 stores program instructions 2010 for executing the solutions of the present application, and the processor 2001 can execute the program instructions 2010 stored in the memory 2003. That is, the packet processing device 2000 can implement the packet processing method provided by the method embodiments through the processor 2001 and the program instructions 2010 in the memory 2003. The program instructions 2010 may include one or more software modules. Optionally, the processor 2001 itself may also store program code or instructions for executing the solutions of the present application.
In a specific embodiment, the packet processing device 2000 of this embodiment of the present application may correspond to the security device in the packet processing method embodiments above; the processor 2001 in the packet processing device 2000 reads the instructions in the memory 2003, so that the packet processing device 2000 shown in FIG. 10 can perform all or part of the operations performed by the security device.
In a specific embodiment, the packet processing device 2000 of this embodiment of the present application may correspond to the terminal device in the packet processing method embodiments above; the processor 2001 in the packet processing device 2000 reads the instructions in the memory 2003, so that the packet processing device 2000 shown in FIG. 10 can perform all or part of the operations performed by the terminal device.
The packet processing device 2000 may also correspond to the packet processing apparatus shown in FIGS. 8-9, in which case each functional module of the packet processing apparatus is implemented in software on the packet processing device 2000. In other words, the functional modules included in the packet processing apparatus are generated after the processor 2001 of the packet processing device 2000 reads the program instructions 2010 stored in the memory 2003.
The steps of the packet processing methods shown in FIGS. 2-7 are completed by integrated logic circuits of hardware in the processor of the packet processing device 2000 or by instructions in the form of software. The steps of the methods disclosed in connection with the embodiments of the present application may be directly executed by a hardware processor, or executed by a combination of hardware and software modules in the processor. The software module may be located in a storage medium mature in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory, an electrically erasable programmable memory, or a register. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the above methods in combination with its hardware. To avoid repetition, no detailed description is given here.
Referring to FIG. 11, FIG. 11 shows a schematic structural diagram of a packet processing device 2100 provided by another exemplary embodiment of the present application. The packet processing device 2100 shown in FIG. 11 may be a security device or a terminal device, and is configured to perform all or part of the operations involved in the packet processing methods shown in FIGS. 2-7 above. The packet processing device 2100 is, for example, a switch or a router, and may be implemented by a general bus architecture.
As shown in FIG. 11, the packet processing device 2100 includes a main control board 2110 and an interface board 2130.
The main control board is also called a main processing unit (MPU) or a route processor card. The main control board 2110 controls and manages the components of the packet processing device 2100, including route computation, device management, device maintenance, and protocol processing functions. The main control board 2110 includes a central processing unit 2111 and a memory 2112.
The interface board 2130 is also called a line processing unit (LPU), a line card, or a service board. The interface board 2130 provides various service interfaces and implements packet forwarding. The service interfaces include, but are not limited to, Ethernet interfaces and POS (packet over SONET/SDH) interfaces; an Ethernet interface is, for example, a flexible Ethernet client (FlexE Client) interface. The interface board 2130 includes a central processing unit 2131, a network processor 2132, a forwarding entry memory 2134, and a physical interface card (PIC) 2133.
The central processing unit 2131 on the interface board 2130 controls and manages the interface board 2130 and communicates with the central processing unit 2111 on the main control board 2110.
网络处理器2132用于实现报文的转发处理。网络处理器2132的形态可以是转发芯片。转发芯片可以是网络处理器(network processor,NP)。在一些实施例中,转发芯片可以通过专用集成电路(application-specific integrated circuit,ASIC)或现场可编程门阵列(field programmable gate array,FPGA)实现。具体而言,网络处理器2132用于基于转发表项存储器2134保存的转发表转发接收到的报文,如果报文的目的地址为报文处理设备2100的地址,则将该报文上送至CPU(如中央处理器2131)处理;如果报文的目的地址不是报文处理设备2100的地址,则根据该目的地址从转发表中查找到该目的地址对应的下一跳和出接口,将该报文转发到该目的地址对应的出接口。其中,上行报文的处理可以包括:报文入接口的处理, 转发表查找;下行报文的处理可以包括:转发表查找等等。在一些实施例中,中央处理器也可执行转发芯片的功能,比如基于通用CPU实现软件转发,从而接口板中不需要转发芯片。The network processor 2132 is configured to implement message forwarding processing. The form of the network processor 2132 may be a forwarding chip. The forwarding chip may be a network processor (network processor, NP). In some embodiments, the forwarding chip may be implemented by an application-specific integrated circuit (application-specific integrated circuit, ASIC) or a field programmable gate array (field programmable gate array, FPGA). Specifically, the network processor 2132 is used to forward the received message based on the forwarding table stored in the forwarding table item storage 2134, and if the destination address of the message is the address of the message processing device 2100, then send the message to CPU (such as central processing unit 2131) processing; If the destination address of message is not the address of message processing device 2100, then according to this destination address, find out the next hop and outgoing interface corresponding to this destination address from the forwarding table, and send the The packet is forwarded to the outbound interface corresponding to the destination address. Wherein, the processing of the uplink message may include: processing of the inbound interface of the message, forwarding table search; the processing of the downlink message may include: forwarding table search and so on. 
In some embodiments, the central processing unit can also perform the function of the forwarding chip, such as implementing software forwarding based on a general-purpose CPU, so that no forwarding chip is needed in the interface board.
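The forwarding decision just described (punt to the CPU when the destination is the device's own address, otherwise longest-prefix lookup of next hop and outbound interface, drop when no entry matches), as an added illustrative example. This is constructed code, not the patent's or Huawei's implementation; the route entries, addresses and interface names are made up for the example.

```python
"""Forwarding-plane lookup as described for network processor 2132.
Added, constructed example: the table contents are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    """One forwarding-table entry as delivered by the control plane."""
    prefix: ipaddress.IPv4Network
    next_hop: str
    out_iface: str


class ForwardingPlane:
    """Punts packets addressed to the device itself to the CPU; otherwise
    forwards via the most specific matching table entry."""

    def __init__(self, local_addrs: Iterable[str],
                 routes: Iterable[Tuple[str, str, str]]) -> None:
        # Addresses owned by the packet processing device itself.
        self.local_addrs = {ipaddress.ip_address(a) for a in local_addrs}
        # Longest-prefix match: sort so the most specific entry is checked first.
        self.routes: List[Route] = sorted(
            (Route(ipaddress.ip_network(p), nh, iface) for p, nh, iface in routes),
            key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, dst: str) -> Tuple[str, Optional[str], Optional[str]]:
        """Returns (action, next_hop, out_iface); action is 'punt', 'forward' or 'drop'."""
        addr = ipaddress.ip_address(dst)
        if addr in self.local_addrs:
            return ("punt", None, None)          # destination is this device: hand to CPU
        for r in self.routes:
            if addr in r.prefix:
                return ("forward", r.next_hop, r.out_iface)
        return ("drop", None, None)              # no entry matched (and no default route)


def build_example_plane() -> ForwardingPlane:
    """Constructed table: one device address, two specific prefixes and a default route."""
    return ForwardingPlane(
        local_addrs=["10.0.0.1"],
        routes=[
            ("10.0.0.0/8", "10.0.0.254", "ge0/0/1"),
            ("10.1.0.0/16", "10.1.0.254", "ge0/0/2"),
            ("0.0.0.0/0", "192.0.2.1", "ge0/0/0"),
        ],
    )


if __name__ == "__main__":
    fp = build_example_plane()
    for dst in ("10.0.0.1", "10.1.2.3", "10.2.2.3", "8.8.8.8"):
        print(dst, fp.lookup(dst))
```

The punt path is where a real device's CPU is exposed to traffic, so in practice it is the place to rate-limit and filter before the control plane sees the packet; the split between this lookup and the control plane that installs the table is the control-plane/forwarding-plane separation the text describes further below.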
The physical interface card 2133 is used to implement the physical-layer interconnection function: original traffic enters the interface board 2130 through it, and processed packets are sent out from the physical interface card 2133. The physical interface card 2133 is also called a daughter card; it can be installed on the interface board 2130 and is responsible for converting optical and electrical signals into packets, checking the validity of the packets and forwarding them to the network processor 2132 for processing. In some embodiments, the central processing unit 2131 may also perform the functions of the network processor 2132, for example by implementing software forwarding on a general-purpose CPU, so that the physical interface card 2133 does not need the network processor 2132.
Exemplarily, the packet processing device 2100 includes a plurality of interface boards; for example, the packet processing device 2100 further includes an interface board 2140, and the interface board 2140 includes a central processing unit 2141, a network processor 2142, a forwarding entry memory 2144 and a physical interface card 2143. The functions and implementations of the components in the interface board 2140 are the same as or similar to those of the interface board 2130 and are not repeated here.
Exemplarily, the packet processing device 2100 further includes a switching fabric board 2120. The switching fabric board 2120 may also be called a switch fabric unit (SFU). When the packet processing device has multiple interface boards, the switching fabric board 2120 is used to complete data exchange between the interface boards. For example, the interface board 2130 and the interface board 2140 may communicate through the switching fabric board 2120.
The main control board 2110 is coupled to the interface boards. For example, the main control board 2110, the interface board 2130, the interface board 2140 and the switching fabric board 2120 are connected to the system backplane through the system bus to achieve intercommunication. In a possible implementation, an inter-process communication (IPC) channel is established between the main control board 2110 and the interface boards 2130 and 2140, and the main control board 2110 communicates with the interface boards 2130 and 2140 through the IPC channel.
Logically, the packet processing device 2100 includes a control plane and a forwarding plane. The control plane includes the main control board 2110 and the central processing unit 2111; the forwarding plane includes the components that perform forwarding, such as the forwarding entry memory 2134, the physical interface card 2133 and the network processor 2132. The control plane performs functions such as routing, generating the forwarding table, processing signaling and protocol packets, and configuring and maintaining the state of the network device. The control plane delivers the generated forwarding table to the forwarding plane; on the forwarding plane, the network processor 2132 looks up the forwarding table delivered by the control plane and forwards the packets received by the physical interface card 2133 accordingly. The forwarding table delivered by the control plane may be stored in the forwarding entry memory 2134. In some embodiments, the control plane and the forwarding plane may be completely separated and not located on the same network device.
It should be noted that there may be one or more main control boards; when there are multiple, they may include an active main control board and a standby main control board. There may be one or more interface boards; the stronger the data processing capability of the packet processing device, the more interface boards it provides. There may also be one or more physical interface cards on an interface board. There may be no switching fabric board, or there may be one or more; when there are multiple, they can jointly implement load sharing and redundant backup. In a centralized forwarding architecture, the packet processing device does not need a switching fabric board, and the interface board handles the processing of service data for the entire system. In a distributed forwarding architecture, the packet processing device may have at least one switching fabric board, through which data exchange between multiple interface boards is implemented, providing large-capacity data exchange and processing capability. Therefore, the data access and processing capability of a packet processing device with a distributed architecture is greater than that of a packet processing device with a centralized architecture. Exemplarily, the packet processing device may also take the form of a single board, that is, there is no switching fabric board, and the functions of the interface board and the main control board are integrated on this one board.
In this case, the central processing unit on the interface board and the central processing unit on the main control board may be merged into one central processing unit on that board, which performs the combined functions of both. The data exchange and processing capability of a packet processing device in this form is relatively low (for example, low-end network devices such as switches or routers). Which architecture is used depends on the specific networking deployment scenario and is not limited here.
In a specific embodiment, the packet processing device 2100 corresponds to the packet processing apparatus applied to a security device shown in FIG. 8 above. In some embodiments, the acquiring module 801 in the packet processing apparatus shown in FIG. 8 is equivalent to the physical interface card 2133 in the packet processing device 2100, and the determining module 802 and the processing module 803 are equivalent to the central processing unit 2111 or the network processor 2132 in the packet processing device 2100.
In some embodiments, the packet processing device 2100 also corresponds to the packet processing apparatus applied to a terminal device shown in FIG. 9 above. In some embodiments, the providing module 901 in the packet processing apparatus shown in FIG. 9 is equivalent to the physical interface card 2133 in the packet processing device 2100, and the receiving module 902 and the processing module 903 are equivalent to the central processing unit 2111 or the network processor 2132 in the packet processing device 2100.
Based on the packet processing devices shown in FIG. 10 and FIG. 11 above, an embodiment of the present application further provides a packet processing system, which includes a security device and a terminal device. Optionally, the security device is the packet processing device 2000 shown in FIG. 10 or the packet processing device 2100 shown in FIG. 11, and the terminal device is the packet processing device 2000 shown in FIG. 10 or the packet processing device 2100 shown in FIG. 11.
For the packet processing methods performed by the security device and the terminal device, reference may be made to the related descriptions of the embodiments shown in FIGS. 2-7 above, which are not repeated here.
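The division of labour between the security device and the terminal device that this system implements is set out in claims 1-14 below: the terminal advertises which content security business (CSB) detection functions it has, the security device learns them from the terminal's request (by identity key lookup at a capability management device, from its own stored mapping, or from capability information carried in the request itself), and when the response from the external server arrives the security device runs only the checks the terminal lacks and leaves the rest to the terminal. The following is an added, constructed model of that exchange, not the patent's or Huawei's code; the detection logic, the policy that maps a resource to required checks, and all identifiers and traffic samples are hypothetical.

```python
"""Constructed model of the CSB offload described in claims 1-14 of this
application (added example, not the patent's code). Detectors, policy and
sample traffic are hypothetical."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, Optional, Tuple


class Csb(Enum):
    """CSB detection functions listed in claim 10."""
    IPS = "ips"
    AV = "av"
    URL = "url"
    AIE = "aie"
    SA = "sa"


# Stand-in detectors (constructed): each returns True when the content is clean.
AV_MARKER = b"CONSTRUCTED-MALWARE-MARKER"        # hypothetical AV signature
URL_BLOCKLIST = {"blocked.example"}               # hypothetical URL category hit
CHECKS: Dict[Csb, Callable[[str, bytes], bool]] = {
    Csb.AV: lambda url, body: AV_MARKER not in body,
    Csb.URL: lambda url, body: url.split("/")[2] not in URL_BLOCKLIST,
    Csb.IPS: lambda url, body: b"<script>" not in body,   # hypothetical IPS pattern
}


class CapabilityManager:
    """Capability management device (claims 5, 12): identity key -> CSB functions."""
    def __init__(self) -> None:
        self._caps: Dict[str, FrozenSet[Csb]] = {}

    def register(self, identity_key: str, caps: FrozenSet[Csb]) -> None:
        self._caps[identity_key] = caps          # third message from the terminal (claim 12)

    def query(self, identity_key: str) -> FrozenSet[Csb]:
        return self._caps.get(identity_key, frozenset())   # claim 5: lookup by identity key


@dataclass(frozen=True)
class Request:
    """Second message (terminal -> server), intercepted by the security device."""
    identity_key: str                       # claim 8: random ID, IP address or certificate user
    url: str
    csb_info: Optional[FrozenSet[Csb]] = None   # claims 9/14: capabilities carried inline


@dataclass(frozen=True)
class Response:
    """First message (server -> terminal) plus the checks left for the terminal."""
    url: str
    body: bytes
    pending_csb: FrozenSet[Csb]


class SecurityDevice:
    def __init__(self, cap_mgr: CapabilityManager,
                 policy: Callable[[str], FrozenSet[Csb]]) -> None:
        self.cap_mgr = cap_mgr
        self.policy = policy                   # which CSB functions a resource requires
        self.terminal_caps: Dict[str, FrozenSet[Csb]] = {}   # claims 7/13: local mapping

    def register(self, identity_key: str, caps: FrozenSet[Csb]) -> None:
        self.terminal_caps[identity_key] = caps    # claim 13: third message sent to the gateway

    def intercept_request(self, req: Request) -> FrozenSet[Csb]:
        """Claims 3-9: learn the terminal's capabilities while its request passes."""
        if req.csb_info is not None:
            caps = req.csb_info
        else:
            caps = self.terminal_caps.get(req.identity_key) or self.cap_mgr.query(req.identity_key)
        self.terminal_caps[req.identity_key] = caps
        return caps

    def intercept_response(self, identity_key: str, url: str,
                           body: bytes) -> Tuple[Response, Dict[Csb, bool]]:
        """Claims 1-2: skip the checks the terminal can do itself; run the rest here."""
        required = self.policy(url)
        first = required & self.terminal_caps.get(identity_key, frozenset())   # offloaded
        second = required - first                                               # run here
        return Response(url, body, first), {c: CHECKS[c](url, body) for c in second}


class TerminalDevice:
    def __init__(self, identity_key: str, caps: FrozenSet[Csb]) -> None:
        self.identity_key, self.caps = identity_key, caps

    def advertise(self, cap_mgr: CapabilityManager) -> None:
        cap_mgr.register(self.identity_key, self.caps)      # claim 12

    def receive(self, resp: Response) -> Dict[Csb, bool]:
        """Claim 11: perform the first CSB detection function(s) the gateway skipped."""
        return {c: CHECKS[c](resp.url, resp.body) for c in resp.pending_csb if c in self.caps}


def download_policy(url: str) -> FrozenSet[Csb]:
    """Constructed policy: executables need AV, IPS and URL checks; other resources URL only."""
    return frozenset({Csb.AV, Csb.IPS, Csb.URL}) if url.endswith(".exe") else frozenset({Csb.URL})


def run_scenario() -> Tuple[FrozenSet[Csb], Dict[Csb, bool], Dict[Csb, bool]]:
    """A terminal with local AV downloads a (constructed) infected executable."""
    cm = CapabilityManager()
    term = TerminalDevice("host-01", frozenset({Csb.AV}))
    term.advertise(cm)
    gw = SecurityDevice(cm, download_policy)
    url = "http://files.example/setup.exe"
    gw.intercept_request(Request("host-01", url))
    resp, gw_results = gw.intercept_response("host-01", url, b"MZ" + AV_MARKER)
    return resp.pending_csb, gw_results, term.receive(resp)


if __name__ == "__main__":
    print(run_scenario())
```

Two properties of the scheme are visible in the model. First, a terminal the gateway knows nothing about gets the full set of checks at the gateway, so the safe default is preserved. Second, the whole arrangement rests on the capability claim being truthful: a terminal that advertises AV it does not actually run causes the gateway to skip AV for it, so the identity key in the request and the capability store it selects must be protected from spoofing, which is why the claims tie the key to an IP address, a random ID or certificate user information rather than to a free-form field.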
An embodiment of the present application further provides a communication apparatus, which includes a transceiver, a memory and a processor. The transceiver, the memory and the processor communicate with each other through an internal connection path; the memory is used to store instructions, and the processor is used to execute the instructions stored in the memory so as to control the transceiver to receive signals and to send signals. When the processor executes the instructions stored in the memory, the processor is caused to perform the packet processing method that the security device needs to perform.
An embodiment of the present application further provides a communication apparatus, which includes a transceiver, a memory and a processor. The transceiver, the memory and the processor communicate with each other through an internal connection path; the memory is used to store instructions, and the processor is used to execute the instructions stored in the memory so as to control the transceiver to receive signals and to send signals. When the processor executes the instructions stored in the memory, the processor is caused to perform the packet processing method that the terminal device needs to perform.
It should be understood that the above-mentioned processor may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor or any conventional processor. It should be noted that the processor may be a processor supporting the advanced RISC machines (ARM) architecture.
Further, in an optional embodiment, the above-mentioned memory may include a read-only memory and a random access memory, and provides instructions and data to the processor. The memory may also include a non-volatile random access memory. For example, the memory may also store device type information.
The memory may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (programmable ROM, PROM), an erasable programmable read-only memory (erasable PROM, EPROM), an electrically erasable programmable read-only memory (electrically EPROM, EEPROM) or a flash memory. The volatile memory may be a random access memory (RAM), which is used as an external cache. By way of illustration and not limitation, many forms of RAM are available, for example static random access memory (static RAM, SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchlink dynamic random access memory (synchlink DRAM, SLDRAM) and direct rambus random access memory (direct rambus RAM, DR RAM).
An embodiment of the present application further provides a computer-readable storage medium in which at least one instruction is stored, and the instruction is loaded and executed by a processor to implement any one of the packet processing methods described above.
An embodiment of the present application further provides a computer program (product); when the computer program is executed by a computer, the processor or the computer is caused to perform the steps and/or procedures of the corresponding packet processing method in the above method embodiments.
An embodiment of the present application further provides a chip, including a processor, which is configured to call from a memory and run the instructions stored in the memory, so that a communication device in which the chip is installed performs the packet processing method in the above aspects.
An embodiment of the present application further provides another chip, including an input interface, an output interface, a processor and a memory, where the input interface, the output interface, the processor and the memory are connected through an internal connection path; the processor is configured to execute the code in the memory, and when the code is executed, the processor is configured to perform the packet processing method in the above aspects.
In the above embodiments, all or part may be implemented by software, hardware, firmware or any combination thereof. When implemented by software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions according to the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center in a wired (for example, coaxial cable, optical fiber, digital subscriber line) or wireless (for example, infrared, radio, microwave) manner. The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk or a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk).
A person of ordinary skill in the art can understand that all or part of the steps for implementing the above embodiments may be completed by hardware, or by a program instructing related hardware. The program may be stored in a computer-readable storage medium, and the storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk or the like.
When implemented by software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer program instructions. As an example, the methods of the embodiments of the present application may be described in the context of machine-executable instructions, such as program modules included in a device that executes on a real or virtual processor of a target. Generally, program modules include routines, programs, libraries, objects, classes, components, data structures and the like that perform particular tasks or implement particular abstract data structures. In various embodiments, the functions of the program modules may be combined or split between the described program modules. Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and modules described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division of the modules is only a division by logical function, and there may be other ways of division in actual implementation; for example, multiple modules or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be electrical, mechanical or in other forms.
The modules described as separate components may or may not be physically separated, and the components shown as modules may or may not be physical modules; that is, they may be located in one place or distributed over multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solutions of the embodiments of the present application.
In addition, the functional modules in the embodiments of the present application may be integrated into one processing module, or each module may exist physically alone, or two or more modules may be integrated into one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module.
If the integrated module is implemented in the form of a software functional module and sold or used as an independent product, it may be stored in a computer-readable storage medium. A computer-readable storage medium may be any tangible medium that contains or stores a program for use by or in connection with an instruction execution system, apparatus or device. The computer-readable storage medium may be a machine-readable signal medium or a machine-readable storage medium. The computer-readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any suitable combination thereof. More specific examples of the computer-readable storage medium include an electrical connection with one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical storage device, a magnetic storage device, or any suitable combination thereof.
Apparently, a person skilled in the art can make various changes and modifications to the present application without departing from the scope of the present application. Thus, if these modifications and variations of the present application fall within the scope of the claims of the present application, the present application is also intended to include these changes and modifications.

Claims (54)

  1. A packet processing method, characterized in that the method is applied to a security device deployed on the boundary between an external network and an internal network, and the method includes:
    the security device intercepts a first packet sent from the external network to the internal network, where the first packet is used to carry a resource provided by a server of the external network according to a request of a terminal device of the internal network;
    the security device determines the content security business (CSB) detection function to be performed corresponding to the first packet; and
    in response to the terminal device having a first CSB detection function, the security device omits performing the first CSB detection function on the first packet before forwarding the first packet to the terminal device, where the first CSB detection function is all or part of the CSB detection functions to be performed corresponding to the first packet.
  2. The method according to claim 1, characterized in that the first CSB detection function is part of the CSB detection functions to be performed corresponding to the first packet, and before the security device forwards the first packet to the terminal device, the method further includes:
    the security device performs a second CSB detection function on the first packet, where the second CSB detection function is the CSB detection functions to be performed corresponding to the first packet other than the first CSB detection function.
  3. The method according to claim 1 or 2, characterized in that before the security device intercepts the first packet sent from the external network to the internal network, the method further includes:
    the security device intercepts a second packet sent by the terminal device, where the second packet is used to request the resource provided by the server of the external network; and
    based on the second packet, the security device obtains the CSB detection functions that the terminal device has; and
    after the security device determines the content security business (CSB) detection function to be performed corresponding to the first packet, the method further includes:
    the security device determines, according to the CSB detection functions that the terminal device has and the CSB detection function to be performed corresponding to the first packet, that the terminal device has the first CSB detection function.
  4. The method according to claim 3, characterized in that the second packet includes an identity key of the terminal device, and the security device obtaining, based on the second packet, the CSB detection functions that the terminal device has includes:
    the security device obtains the identity key of the terminal device included in the second packet by parsing the second packet; and
    the security device obtains, according to the identity key of the terminal device, the CSB detection functions that the terminal device has.
  5. The method according to claim 4, characterized in that the security device obtaining, according to the identity key of the terminal device, the CSB detection functions that the terminal device has includes:
    the security device sends a query request to a capability management device, where the capability management device stores CSB detection function information corresponding to the terminal device, the query request carries the identity key of the terminal device, and the CSB detection function information corresponding to the terminal device is used to indicate the CSB detection functions that the terminal device has;
    receiving the CSB detection function information corresponding to the terminal device sent by the capability management device in response to the query request; and
    determining, according to the CSB detection function information, the CSB detection functions that the terminal device has.
  6. The method according to claim 5, characterized in that the sending of the query request to the capability management device includes:
    sending the query request to the capability management device based on the hypertext transfer protocol (HTTP), the hypertext transfer protocol secure (HTTPS) or an application programming interface (API).
  7. The method according to claim 4, characterized in that the security device obtaining, according to the identity key of the terminal device, the CSB detection functions that the terminal device has includes:
    the security device queries, according to the identity key of the terminal device, a correspondence between identity keys and CSB detection functions stored in the security device, and obtains the CSB detection functions corresponding to the identity key of the terminal device.
  8. The method according to any one of claims 4-7, characterized in that the identity key includes at least one of a random identity (ID) number, an Internet Protocol (IP) address, or user information in a local certificate.
  9. The method according to claim 3, characterized in that the second packet carries CSB detection function information corresponding to the terminal device, and the security device obtaining, based on the second packet, the CSB detection functions that the terminal device has includes:
    the security device obtains the CSB detection function information corresponding to the terminal device carried in the second packet by parsing the second packet; and
    the security device determines, according to the CSB detection function information corresponding to the terminal device carried in the second packet, the CSB detection functions that the terminal device has.
  10. The method according to any one of claims 1-9, characterized in that the content security business (CSB) detection function to be performed includes at least one of an intrusion prevention system (IPS) detection function, an anti-virus (AV) detection function, a uniform resource locator (URL) detection function, an artificial intelligence engine (AIE) detection function, or a service awareness (SA) detection function.
  11. A packet processing method, characterized in that the method is applied to a terminal device deployed in an internal network, and the method includes:
    the terminal device provides content security business (CSB) detection function information corresponding to the terminal device to another device, where the CSB detection function information corresponding to the terminal device is used to indicate the CSB detection functions that the terminal device has;
    the terminal device receives a first packet sent by a security device, where the security device is deployed on the boundary between an external network and the internal network, the first packet is used to carry a resource provided by a server of the external network according to a request of the terminal device, the first packet is a packet on which the security device has not performed a first CSB detection function, and the CSB detection functions that the terminal device has include the first CSB detection function; and
    the terminal device performs the first CSB detection function on the first packet.
  12. 根据权利要求11所述的方法,其特征在于,所述终端设备向其他设备提供所述终端设 备对应的内容安全业务CSB检测功能信息,包括:The method according to claim 11, wherein the terminal device provides other devices with content security service CSB detection function information corresponding to the terminal device, including:
    所述终端设备向能力管理设备发送第三报文,所述第三报文携带所述终端设备对应的CSB检测功能信息,所述能力管理设备用于存储所述终端设备对应的CSB检测功能信息。The terminal device sends a third message to the capability management device, the third message carries CSB detection function information corresponding to the terminal device, and the capability management device is used to store the CSB detection function information corresponding to the terminal device .
  13. 根据权利要求11所述的方法,其特征在于,所述终端设备向其他设备提供所述终端设备对应的内容安全业务CSB检测功能信息,包括:The method according to claim 11, wherein the terminal device provides other devices with content security service CSB detection function information corresponding to the terminal device, including:
    所述终端设备向所述安全设备发送第三报文,所述第三报文携带所述终端设备对应的CSB检测功能信息,所述安全设备用于存储所述终端设备对应的CSB检测功能信息。The terminal device sends a third message to the security device, the third message carries CSB detection function information corresponding to the terminal device, and the security device is used to store the CSB detection function information corresponding to the terminal device .
  14. 根据权利要求11所述的方法,其特征在于,所述终端设备向其他设备提供所述终端设备对应的内容安全业务CSB检测功能信息,包括:The method according to claim 11, wherein the terminal device provides other devices with content security service CSB detection function information corresponding to the terminal device, including:
    所述终端设备向所述外部网络的服务器发送第二报文,所述第二报文用于请求获取所述外部网络的服务器提供的资源,其中,所述第二报文携带所述终端设备对应的CSB检测功能信息。The terminal device sends a second message to the server of the external network, the second message is used to request to obtain resources provided by the server of the external network, wherein the second message carries the terminal device Corresponding CSB detection function information.
  15. 根据权利要求14所述的方法,其特征在于,所述第二报文为基于超文本传输安全协议HTTPS传输的报文,所述终端设备对应的CSB检测功能信息携带在所述第二报文的用户本地终端上的小数据Cookie,或统一资源定位器URL参数,或HTTPS首部字段,或HTTPS自定义字段中。The method according to claim 14, wherein the second message is a message transmitted based on the Hypertext Transfer Security Protocol (HTTPS), and the CSB detection function information corresponding to the terminal device is carried in the second message The small data cookie on the user's local terminal, or the URL parameter of the uniform resource locator, or the HTTPS header field, or the HTTPS custom field.
  16. 根据权利要求14所述的方法,其特征在于,所述第二报文为基于超文本传输协议HTTP传输的报文,所述终端设备对应的CSB检测功能信息携带在所述第二报文的小数据Cookie,或HTTP首部字段,或HTTP自定义字段中。The method according to claim 14, wherein the second message is a message transmitted based on Hypertext Transfer Protocol HTTP, and the CSB detection function information corresponding to the terminal device is carried in the second message Small data cookies, or HTTP header fields, or HTTP custom fields.
  17. 根据权利要求14所述的方法,其特征在于,所述第二报文为基于文件传输协议FTP传输的报文,所述终端设备对应的CSB检测功能信息携带在所述第二报文的FTP冗余字段或FTP自定义字段中。The method according to claim 14, wherein the second message is a message transmitted based on a file transfer protocol (FTP), and the CSB detection function information corresponding to the terminal device is carried in the FTP of the second message. Redundant fields or FTP custom fields.
  18. 根据权利要求12或13所述的方法,其特征在于,所述终端设备向其他设备提供所述终端设备对应的内容安全业务CSB检测功能信息之后,还包括:The method according to claim 12 or 13, characterized in that, after the terminal device provides other devices with the content security service CSB detection function information corresponding to the terminal device, it further includes:
    所述终端设备向所述外部网络的服务器发送第二报文,所述第二报文用于请求获取所述外部网络的服务器提供的资源,其中,所述第二报文包括所述终端设备的身份关键字,所述身份关键字用于获取所述终端设备具有的CSB检测功能。The terminal device sends a second message to the server of the external network, the second message is used to request to obtain resources provided by the server of the external network, wherein the second message includes the terminal device An identity key, where the identity key is used to obtain the CSB detection function of the terminal device.
  19. 根据权利要求18所述的方法,其特征在于,响应于所述其他设备为能力管理设备,所述终端设备向其他设备提供所述终端设备对应的内容安全业务CSB检测功能信息之后,还包括:The method according to claim 18, wherein, in response to the other device being a capability management device, after the terminal device provides other devices with information about the content security service CSB detection function corresponding to the terminal device, further comprising:
    所述终端设备接收所述能力管理设备发送的所述终端设备的随机身份标识号ID,所述终端设备的随机ID用于作为所述终端设备的身份关键字;或The terminal device receives the random ID of the terminal device sent by the capability management device, and the random ID of the terminal device is used as an identity key of the terminal device; or
    响应于所述其他设备为所述安全设备,所述终端设备向其他设备提供所述终端设备对应的内容安全业务CSB检测功能信息之后,还包括:In response to the fact that the other device is the security device, after the terminal device provides the other device with information about the content security service CSB detection function corresponding to the terminal device, the method further includes:
    所述终端设备接收所述安全设备发送的所述终端设备的随机ID,所述终端设备的随机ID用于作为所述终端设备的身份关键字。The terminal device receives the random ID of the terminal device sent by the security device, and the random ID of the terminal device is used as an identity key of the terminal device.
  20. The method according to claim 18 or 19, wherein the third packet further includes an IP address of the terminal device, and the IP address of the terminal device is used as the identity key of the terminal device.
  21. The method according to any one of claims 18-20, wherein the third packet further includes a local certificate of the terminal device, and user information in the local certificate of the terminal device is used as the identity key of the terminal device.
  22. The method according to any one of claims 11-21, wherein the CSB detection functions that the terminal device has include at least one of an intrusion prevention system (IPS) detection function, an anti-virus (AV) detection function, a URL detection function, an artificial intelligence engine (AIE) detection function, or a service awareness (SA) detection function.
  23. The method according to any one of claims 11-22, wherein before the terminal device provides the content security business (CSB) detection function information corresponding to the terminal device to the other device, the method further comprises:
    sending, by the terminal device, a login request to the security device, where the login request includes user information;
    receiving an authentication result sent by the security device based on the user information, where the authentication result indicates whether the terminal device has logged in successfully;
    in response to the terminal device having logged in successfully, performing, by the terminal device, the operation of providing the CSB detection function information corresponding to the terminal device to the other device.
  24. The method according to any one of claims 11-22, wherein before the terminal device provides the content security business (CSB) detection function information corresponding to the terminal device to the other device, the method further comprises:
    sending, by the terminal device, a login request to a login authentication device, where the login request includes user information;
    receiving an authentication result sent by the login authentication device based on the user information, where the authentication result indicates whether the terminal device has logged in successfully;
    in response to the terminal device having logged in successfully, performing, by the terminal device, the operation of providing the CSB detection function information corresponding to the terminal device to the other device.
  25. The method according to any one of claims 11-22, wherein before the terminal device provides the content security business (CSB) detection function information corresponding to the terminal device to the other device, the method further comprises:
    sending, by the terminal device, a login request to a login authentication device, where the login request includes a local certificate of the terminal device;
    receiving an authentication result sent by the login authentication device based on the local certificate of the terminal device, where the authentication result indicates whether the terminal device has logged in successfully;
    in response to the terminal device having logged in successfully, performing, by the terminal device, the operation of providing the CSB detection function information corresponding to the terminal device to the other device.
  26. A packet processing apparatus, wherein the apparatus is applied to a security device deployed at the boundary between an external network and an internal network, and the apparatus comprises:
    an acquisition module, configured to intercept a first packet sent by the external network to the internal network, where the first packet carries a resource provided by a server of the external network in response to a request of a terminal device of the internal network;
    a determining module, configured to determine the content security business (CSB) detection functions to be executed that correspond to the first packet;
    a processing module, configured to, in response to the terminal device having a first CSB detection function, omit executing the first CSB detection function on the first packet before forwarding the first packet to the terminal device, where the first CSB detection function is all or part of the CSB detection functions to be executed that correspond to the first packet.
  27. The apparatus according to claim 26, wherein the first CSB detection function is part of the CSB detection functions to be executed that correspond to the first packet, and the processing module is further configured to execute a second CSB detection function on the first packet, the second CSB detection function being the functions, among the CSB detection functions to be executed that correspond to the first packet, other than the first CSB detection function.
  28. The apparatus according to claim 26 or 27, wherein the acquisition module is further configured to intercept a second packet sent by the terminal device, where the second packet requests the resource provided by the server of the external network, and to obtain, based on the second packet, the CSB detection functions that the terminal device has; and the determining module is further configured to determine, according to the CSB detection functions that the terminal device has and the CSB detection functions to be executed that correspond to the first packet, that the terminal device has the first CSB detection function.
  29. The apparatus according to claim 28, wherein the second packet includes an identity key of the terminal device, and the acquisition module is configured to obtain the identity key of the terminal device included in the second packet by parsing the second packet, and to obtain, according to the identity key of the terminal device, the CSB detection functions that the terminal device has.
  30. The apparatus according to claim 29, wherein the acquisition module is configured to send a query request to a capability management device that stores CSB detection function information corresponding to the terminal device, where the query request carries the identity key of the terminal device and the CSB detection function information corresponding to the terminal device indicates the CSB detection functions that the terminal device has; receive the CSB detection function information corresponding to the terminal device sent by the capability management device in response to the query request; and determine, according to the CSB detection function information, the CSB detection functions that the terminal device has.
  31. The apparatus according to claim 30, wherein the acquisition module is configured to send the query request to the capability management device over the Hypertext Transfer Protocol (HTTP), the Hypertext Transfer Protocol Secure (HTTPS), or an application programming interface (API).
  32. The apparatus according to claim 29, wherein the acquisition module is configured to query, according to the identity key of the terminal device, a correspondence between identity keys and CSB detection functions stored by the security device, to obtain the CSB detection functions corresponding to the identity key of the terminal device.
  33. The apparatus according to any one of claims 29-32, wherein the identity key includes at least one of a random identity number (ID), an Internet Protocol (IP) address, or user information in a local certificate.
  34. The apparatus according to claim 28, wherein the second packet carries CSB detection function information corresponding to the terminal device, and the acquisition module is configured to obtain the CSB detection function information corresponding to the terminal device carried in the second packet by parsing the second packet, and to determine, according to that CSB detection function information, the CSB detection functions that the terminal device has.
  35. The apparatus according to any one of claims 26-34, wherein the content security business (CSB) detection functions to be executed include at least one of an intrusion prevention system (IPS) detection function, an anti-virus (AV) detection function, a uniform resource locator (URL) detection function, an artificial intelligence engine (AIE) detection function, or a service awareness (SA) detection function.
  36. A packet processing apparatus, wherein the apparatus is applied to a terminal device deployed in an internal network, and the apparatus comprises:
    a provisioning module, configured to provide content security business (CSB) detection function information corresponding to the terminal device to another device, where the CSB detection function information corresponding to the terminal device indicates the CSB detection functions that the terminal device has;
    a receiving module, configured to receive a first packet sent by a security device, where the security device is deployed at the boundary between an external network and the internal network, the first packet carries a resource provided by a server of the external network in response to a request of the terminal device, the first packet is a packet on which the security device has not executed a first CSB detection function, and the CSB detection functions that the terminal device has include the first CSB detection function;
    a processing module, configured to execute the first CSB detection function on the first packet.
  37. The apparatus according to claim 36, wherein the provisioning module is configured to send a third packet to a capability management device, where the third packet carries the CSB detection function information corresponding to the terminal device, and the capability management device is configured to store the CSB detection function information corresponding to the terminal device.
  38. The apparatus according to claim 36, wherein the provisioning module is configured to send a third packet to the security device, where the third packet carries the CSB detection function information corresponding to the terminal device, and the security device is configured to store the CSB detection function information corresponding to the terminal device.
  39. The apparatus according to claim 36, wherein the provisioning module is configured to send a second packet to the server of the external network, where the second packet requests the resource provided by the server of the external network and carries the CSB detection function information corresponding to the terminal device.
  40. The apparatus according to claim 39, wherein the second packet is a packet transmitted over the Hypertext Transfer Protocol Secure (HTTPS), and the CSB detection function information corresponding to the terminal device is carried in a Cookie (small data stored on the user's local terminal), a uniform resource locator (URL) parameter, an HTTPS header field, or an HTTPS custom field of the second packet.
  41. The apparatus according to claim 39, wherein the second packet is a packet transmitted over the Hypertext Transfer Protocol (HTTP), and the CSB detection function information corresponding to the terminal device is carried in a Cookie, an HTTP header field, or an HTTP custom field of the second packet.
  42. The apparatus according to claim 39, wherein the second packet is a packet transmitted over the File Transfer Protocol (FTP), and the CSB detection function information corresponding to the terminal device is carried in an FTP redundant field or an FTP custom field of the second packet.
  43. The apparatus according to claim 37 or 38, wherein the apparatus further comprises a sending module, configured to send a second packet to the server of the external network, where the second packet requests the resource provided by the server of the external network and includes an identity key of the terminal device, the identity key being used to obtain the CSB detection functions that the terminal device has.
  44. The apparatus according to claim 43, wherein, in response to the other device being a capability management device, the receiving module is further configured to receive a random identity number (ID) of the terminal device sent by the capability management device, where the random ID of the terminal device is used as the identity key of the terminal device; or
    in response to the other device being the security device, the receiving module is further configured to receive a random ID of the terminal device sent by the security device, where the random ID of the terminal device is used as the identity key of the terminal device.
  45. The apparatus according to claim 43 or 44, wherein the third packet further includes an IP address of the terminal device, and the IP address of the terminal device is used as the identity key of the terminal device.
  46. The apparatus according to any one of claims 43-45, wherein the third packet further includes a local certificate of the terminal device, and user information in the local certificate of the terminal device is used as the identity key of the terminal device.
  47. The apparatus according to any one of claims 36-46, wherein the CSB detection functions that the terminal device has include at least one of an intrusion prevention system (IPS) detection function, an anti-virus (AV) detection function, a URL detection function, an artificial intelligence engine (AIE) detection function, or a service awareness (SA) detection function.
  48. The apparatus according to any one of claims 36-47, wherein the apparatus further comprises a request module, configured to send a login request to the security device, where the login request includes user information, and to receive an authentication result sent by the security device based on the user information, where the authentication result indicates whether the terminal device has logged in successfully; and in response to the terminal device having logged in successfully, the provisioning module performs the operation of providing the CSB detection function information corresponding to the terminal device to the other device.
  49. The apparatus according to any one of claims 36-47, wherein the apparatus further comprises a request module, configured to send a login request to a login authentication device, where the login request includes user information, and to receive an authentication result sent by the login authentication device based on the user information, where the authentication result indicates whether the terminal device has logged in successfully; and in response to the terminal device having logged in successfully, the provisioning module performs the operation of providing the CSB detection function information corresponding to the terminal device to the other device.
  50. The apparatus according to any one of claims 36-47, wherein the apparatus further comprises a request module, configured to send a login request to a login authentication device, where the login request includes a local certificate of the terminal device, and to receive an authentication result sent by the login authentication device based on the local certificate of the terminal device, where the authentication result indicates whether the terminal device has logged in successfully; and in response to the terminal device having logged in successfully, the provisioning module performs the operation of providing the CSB detection function information corresponding to the terminal device to the other device.
  51. A packet processing device, wherein the packet processing device comprises a processor coupled to a memory, the memory stores at least one program instruction or code, and the at least one program instruction or code is loaded and executed by the processor to cause the packet processing device to implement the packet processing method according to any one of claims 1-25.
  52. A packet processing system, wherein the packet processing system comprises a security device and a terminal device, the security device is configured to execute the packet processing method according to any one of claims 1-10, and the terminal device is configured to execute the packet processing method according to any one of claims 11-25.
  53. A computer-readable storage medium, wherein the computer-readable storage medium stores at least one program instruction or code, and the program instruction or code is loaded and executed by a processor to cause a computer to implement the packet processing method according to any one of claims 1-25.
  54. A computer program product, wherein the computer program product comprises a computer program, and the computer program is executed by a computer to cause the computer to implement the packet processing method according to any one of claims 1-25.
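As an added example (not code from the patent or its assignee), the following Python models the security-device side of claims 26-34 given the capability information a terminal supplies under claims 14-21: the gateway reads the information from a header, URL parameter or Cookie of the terminal's request, or resolves an identity key against a capability store that accepts entries only after a successful login (claims 23-25), then splits the detection functions required for the first packet into those it may omit (first CSB) and those it must still execute itself (second CSB). The header, Cookie and parameter names, identity keys and sample values are assumptions constructed for this example.

```python
"""
Added illustrative model (not the patent's or assignee's code) of the security
device's decision in claims 26-34, driven by the capability information a
terminal device supplies as in claims 14-16 and 18-21.  All header names,
Cookie/parameter names, identity keys and sample values are assumptions.
"""
from urllib.parse import parse_qs, urlsplit

# The CSB detection functions named in claims 10, 22 and 35.
CSB_FUNCTIONS = frozenset({"IPS", "AV", "URL", "AIE", "SA"})

# Assumed carriers: the claims name header fields, custom fields, Cookies and
# URL parameters as carriers but fix no concrete names.
CAP_HEADER = "x-csb-capabilities"   # assumed custom HTTP(S) header (claims 16, 34)
KEY_HEADER = "x-csb-identity-key"   # assumed custom header for the identity key (claims 18, 29)
CAP_COOKIE = "csb_caps"             # assumed Cookie name (claims 15, 16)
CAP_PARAM = "csb_caps"              # assumed URL parameter name (claim 15)


def parse_capability_info(raw: str) -> frozenset:
    """Parse a comma-separated capability list, keeping only known CSB functions."""
    names = {item.strip().upper() for item in raw.split(",")}
    return frozenset(names & CSB_FUNCTIONS)


class CapabilityStore:
    """Identity key -> CSB detection functions, as held by the capability
    management device (claim 30) or by the security device itself (claim 32)."""

    def __init__(self):
        self._entries = {}

    def register(self, identity_key: str, raw_info: str, login_ok: bool) -> bool:
        """Accept a third packet (claims 12-13) only after a successful login
        (claims 23-25); returns whether the entry was stored."""
        if not login_ok:
            return False
        self._entries[identity_key] = parse_capability_info(raw_info)
        return True

    def query(self, identity_key: str) -> frozenset:
        """An unknown key yields no capabilities, so the gateway detects everything."""
        return self._entries.get(identity_key, frozenset())


def parse_cookie_header(value: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    pairs = (part.strip().partition("=") for part in value.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, _, v in pairs}


def capabilities_from_request(target: str, headers: dict, store: CapabilityStore) -> frozenset:
    """Acquisition module (claims 28-34): derive the terminal's CSB functions from
    its second packet.  Information carried in the packet (header, URL parameter,
    Cookie) is tried first, then an identity key is looked up in the store."""
    h = {k.lower(): v for k, v in headers.items()}
    if CAP_HEADER in h:
        return parse_capability_info(h[CAP_HEADER])
    params = parse_qs(urlsplit(target).query)
    if CAP_PARAM in params:
        return parse_capability_info(params[CAP_PARAM][0])
    cookies = parse_cookie_header(h.get("cookie", ""))
    if CAP_COOKIE in cookies:
        return parse_capability_info(cookies[CAP_COOKIE])
    if KEY_HEADER in h:
        return store.query(h[KEY_HEADER])
    return frozenset()


def split_detection(required: frozenset, terminal_caps: frozenset) -> tuple:
    """Determining and processing modules (claims 26-27): the first CSB detection
    functions (omitted by the gateway because the terminal has them) and the
    second ones (still executed by the gateway before forwarding)."""
    first = frozenset(required) & terminal_caps
    second = frozenset(required) - first
    return first, second


def gateway_decision(required, target: str, headers: dict, store: CapabilityStore) -> dict:
    """End to end: what the security device omits and what it still runs on the
    first packet destined for the terminal that sent this request."""
    caps = capabilities_from_request(target, headers, store)
    first, second = split_detection(frozenset(required), caps)
    return {"omitted": sorted(first), "executed": sorted(second)}


if __name__ == "__main__":
    # Constructed sample: the terminal registers IPS and AV after logging in,
    # then requests a resource carrying only its (assumed) random ID.
    store = CapabilityStore()
    store.register("rid-7f3a", "IPS,AV", login_ok=True)
    request_headers = {"X-CSB-Identity-Key": "rid-7f3a", "Host": "server.example"}
    print(gateway_decision({"IPS", "AV", "URL"}, "/download?id=9", request_headers, store))
    # -> {'omitted': ['AV', 'IPS'], 'executed': ['URL']}
```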
PCT/CN2022/080721 2021-06-26 2022-03-14 Packet processing method and apparatus, device, system, and readable storage medium WO2022267564A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN202110714768 2021-06-26
CN202110714768.5 2021-06-26
CN202111069732.2 2021-09-13
CN202111069732.2A CN115529148A (en) 2021-06-26 2021-09-13 Message processing method, device, equipment, system and readable storage medium

Publications (1)

Publication Number Publication Date
WO2022267564A1 true WO2022267564A1 (en) 2022-12-29
