CN107835167A

CN107835167A - A kind of method of data protection, terminal and computer-readable recording medium

Info

Publication number: CN107835167A
Application number: CN201711046626.6A
Authority: CN
Inventors: 张庆治
Original assignee: Nubia Technology Co Ltd
Current assignee: Nubia Technology Co Ltd
Priority date: 2017-10-31
Filing date: 2017-10-31
Publication date: 2018-03-23

Abstract

The embodiment of the invention discloses a kind of method of data protection, terminal and computer-readable recording medium, wherein this method includes：Receive the packet that peer node is sent；It is non-trusted node to determine peer node；When packet includes request message, response message corresponding to packet is determined, request message is used for acquisition request feedback data；Feedback data in response message corresponding to packet is replaced with into the first preset data, the response message after being replaced；Response message after replacement is sent to peer node；When packet does not include request message, packet discard, or the data division in packet is replaced with into the second preset data and is stored the packet after replacement；Generate response；Response is sent to peer node, response is used to indicate that packet normally receives.In this way, improving the protective capacities to non-trusted website, strengthen data protection dynamics.

Description

Data protection method, terminal and computer readable storage medium

Technical Field

The present invention relates to internet security technologies, and in particular, to a method, a terminal, and a computer-readable storage medium for data protection.

Background

The firewall technique is a protection barrier which is formed by combining software and hardware equipment and is constructed on the interfaces between internal network and external network and between private network and public network, it is an image saying of a method for obtaining security, it is a combination of computer hardware and software, make a security gateway established between networks, thus protect internal network from the invasion of illegal user, the firewall mainly consists of 4 parts of service access rule, authentication tool, packet filtering and application gateway, the firewall is a software or hardware located between computer and network connected with it, all network communication and data packet which the computer flows in and out must pass through the firewall. The firewall can effectively filter the data sent by the untrusted website, but not all the data sent by the untrusted website can be filtered. Therefore, when the untrusted website issues data which may carry viruses to the terminal, the terminal may affect the normal operation of the terminal when receiving the data which carries the viruses; when the untrusted website requests to acquire data of the terminal, the terminal uploads important data to the untrusted website, so that terminal information is leaked; in addition, if the terminal refuses to receive, the non-trust network station can continuously send data to the terminal, and the normal work of the terminal is also influenced.

Disclosure of Invention

In order to solve the above technical problems, embodiments of the present invention provide a data protection method, a terminal, and a computer-readable storage medium, so as to improve protection capability for an untrusted website and enhance data protection strength.

In order to achieve the above purpose, the technical solution of the embodiment of the present invention is realized as follows:

the embodiment of the invention provides a data protection method, which comprises the following steps:

receiving a data packet sent by an opposite end node;

determining that the opposite node is an untrusted node;

when the data packet comprises a request message, determining a response message corresponding to the data packet, wherein the request message is used for requesting to acquire feedback data; replacing feedback data in the response message corresponding to the data packet with first preset data to obtain a replaced response message; sending the replaced response message to the opposite end node;

when the data packet does not comprise the request message, discarding the data packet, or replacing a data part in the data packet with second preset data, and storing the replaced data packet; generating a response; and sending the response to the opposite end node, wherein the response is used for indicating that the data packet is normally received.

In the above scheme, the replaced response message is used to instruct the corresponding node to stop sending the data packet continuously.

In the above scheme, the first preset data is: encrypted data, scrambled data, all-0 data or all-1 data; the encrypted data is: encrypting the feedback data by using a preset encryption algorithm to obtain data; the second preset data is: scrambled data, all 0 data, or all 1 data.

In the foregoing solution, after receiving the data packet sent by the peer node, the method further includes:

acquiring identification information of the opposite end node and an untrusted node set, wherein the untrusted node set comprises identification information of at least one untrusted node;

and when the identification information of the opposite end node is one identification information in the non-trust node set, determining that the opposite end node is a non-trust node.

In the above solution, the identification information of the untrusted node includes at least one of the following: IP address, domain name.

The embodiment of the invention also provides a terminal, which is characterized by comprising: a processor and a memory; wherein,

the processor is configured to execute a data protection program stored in the memory to implement the steps of: receiving a data packet sent by an opposite end node;

determining that the opposite node is an untrusted node;

when the data packet does not comprise the request message, discarding the data packet, or replacing a data part in the data packet with second preset data, and storing the replaced data packet; and generating a response, and sending the response to the opposite end node, wherein the response is used for indicating that the data packet is normally received.

In the foregoing solution, after receiving the data packet sent by the peer node, the processor is specifically configured to implement the following steps:

Embodiments of the present invention also provide a computer readable storage medium, and the computer program realizes the steps of any one of the above methods when executed by a processor.

The method, the terminal and the computer readable storage medium for data protection provided by the embodiment of the invention receive a data packet sent by an opposite terminal node; determining that the opposite node is an untrusted node; when the data packet comprises a request message, determining a response message corresponding to the data packet, wherein the request message is used for requesting to acquire feedback data; replacing feedback data in the response message corresponding to the data packet with first preset data to obtain a replaced response message; sending the replaced response message to the opposite end node; when the data packet does not comprise the request message, discarding the data packet, or replacing a data part in the data packet with second preset data, and storing the replaced data packet; generating a response; and sending the response to the opposite end node, wherein the response is used for indicating that the data packet is normally received.

By adopting the technical scheme, when the opposite end node sending the data packet is determined to be the untrusted node, feedback data requested by the untrusted node is replaced by first preset data and then is sent to the opposite end node; or the data packet sent by the opposite end node is directly discarded and a response for indicating normal receiving is returned, so that data stealing of the untrusted node and receiving of dangerous data of the untrusted node are avoided, and continuous sending of the data packet by the untrusted node is also avoided. Therefore, the protection capability of the untrusted website is improved, and the data protection strength is enhanced.

Drawings

Fig. 1 is a schematic diagram of a hardware structure of an alternative mobile terminal for implementing various embodiments of the present invention;

FIG. 2 is a diagram of a wireless communication system for the mobile terminal shown in FIG. 1;

FIG. 3 is a flow chart of a first embodiment of a method of data protection in an embodiment of the present invention;

FIG. 4 is a flow chart of a second embodiment of a method of data protection in an embodiment of the present invention;

FIG. 5 is a flow chart of a third embodiment of a method of data protection in an embodiment of the present invention;

FIG. 6 is a flow chart of a fourth embodiment of a method of data protection in an embodiment of the present invention;

FIG. 7 is a flow chart of a fifth embodiment of a method of data protection in an embodiment of the present invention;

fig. 8 is a schematic structural diagram of a terminal according to an embodiment of the present invention.

Detailed Description

It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.

In the following description, suffixes such as "module", "component", or "unit" used to denote elements are used only for facilitating the explanation of the present invention, and have no specific meaning in itself. Thus, "module", "component" or "unit" may be used mixedly.

The terminal may be implemented in various forms. For example, the terminal described in the present invention may include a mobile terminal such as a mobile phone, a tablet computer, a notebook computer, a palmtop computer, a Personal Digital Assistant (PDA), a Portable Media Player (PMP), a navigation device, a wearable device, a smart band, a pedometer, and the like, and a fixed terminal such as a Digital TV, a desktop computer, and the like.

The following description will be given by way of example of a mobile terminal, and it will be understood by those skilled in the art that the construction according to the embodiment of the present invention can be applied to a fixed type terminal, in addition to elements particularly used for mobile purposes.

Referring to fig. 1, which is a schematic diagram of a hardware structure of a mobile terminal for implementing various embodiments of the present invention, the mobile terminal 100 may include: RF (Radio Frequency) unit 101, WiFi module 102, audio output unit 103, a/V (audio/video) input unit 104, sensor 105, display unit 106, user input unit 107, interface unit 108, memory 109, processor 110, and power supply 111. Those skilled in the art will appreciate that the mobile terminal architecture shown in fig. 1 is not intended to be limiting of mobile terminals, which may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.

The following describes each component of the mobile terminal in detail with reference to fig. 1:

the radio frequency unit 101 may be configured to receive and transmit signals during information transmission and reception or during a call, and specifically, receive downlink information of a base station and then process the downlink information to the processor 110; in addition, the uplink data is transmitted to the base station. Typically, radio frequency unit 101 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier, a duplexer, and the like. In addition, the radio frequency unit 101 can also communicate with a network and other devices through wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to GSM (Global System for Mobile communications), GPRS (General Packet Radio Service), CDMA2000(Code Division Multiple Access 2000), WCDMA (Wideband Code Division Multiple Access), TD-SCDMA (Time Division-Synchronous Code Division Multiple Access), FDD-LTE (Frequency Division duplex-Long Term Evolution), and TDD-LTE (Time Division duplex-Long Term Evolution).

WiFi belongs to short-distance wireless transmission technology, and the mobile terminal can help a user to receive and send e-mails, browse webpages, access streaming media and the like through the WiFi module 102, and provides wireless broadband internet access for the user. Although fig. 1 shows the WiFi module 102, it is understood that it does not belong to the essential constitution of the mobile terminal, and may be omitted entirely as needed within the scope not changing the essence of the invention.

The audio output unit 103 may convert audio data received by the radio frequency unit 101 or the WiFi module 102 or stored in the memory 109 into an audio signal and output as sound when the mobile terminal 100 is in a call signal reception mode, a call mode, a recording mode, a voice recognition mode, a broadcast reception mode, or the like. Also, the audio output unit 103 may also provide audio output related to a specific function performed by the mobile terminal 100 (e.g., a call signal reception sound, a message reception sound, etc.). The audio output unit 103 may include a speaker, a buzzer, and the like.

The a/V input unit 104 is used to receive audio or video signals. The a/V input Unit 104 may include a Graphics Processing Unit (GPU) 1041 and a microphone 1042, the Graphics processor 1041 Processing image data of still pictures or video obtained by an image capturing device (e.g., a camera) in a video capturing mode or an image capturing mode. The processed image frames may be displayed on the display unit 106. The image frames processed by the graphic processor 1041 may be stored in the memory 109 (or other storage medium) or transmitted via the radio frequency unit 101 or the WiFi module 102. The microphone 1042 may receive sounds (audio data) via the microphone 1042 in a phone call mode, a recording mode, a voice recognition mode, or the like, and may be capable of processing such sounds into audio data. The processed audio (voice) data may be converted into a format output transmittable to a mobile communication base station via the radio frequency unit 101 in case of a phone call mode. The microphone 1042 may implement various types of noise cancellation (or suppression) algorithms to cancel (or suppress) noise or interference generated in the course of receiving and transmitting audio signals.

The mobile terminal 100 also includes at least one sensor 105, such as a light sensor, a motion sensor, and other sensors. Specifically, the light sensor includes an ambient light sensor that can adjust the brightness of the display panel 1061 according to the brightness of ambient light, and a proximity sensor that can turn off the display panel 1061 and/or a backlight when the mobile terminal 100 is moved to the ear. As one of the motion sensors, the accelerometer sensor can detect the magnitude of acceleration in each direction (generally, three axes), can detect the magnitude and direction of gravity when stationary, and can be used for applications of recognizing the posture of a mobile phone (such as horizontal and vertical screen switching, related games, magnetometer posture calibration), vibration recognition related functions (such as pedometer and tapping), and the like; as for other sensors such as a fingerprint sensor, a pressure sensor, an iris sensor, a molecular sensor, a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which can be configured on the mobile phone, further description is omitted here.

The display unit 106 is used to display information input by a user or information provided to the user. The Display unit 106 may include a Display panel 1061, and the Display panel 1061 may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED), or the like.

The user input unit 107 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the mobile terminal. Specifically, the user input unit 107 may include a touch panel 1071 and other input devices 1072. The touch panel 1071, also referred to as a touch screen, may collect a touch operation performed by a user on or near the touch panel 1071 (e.g., an operation performed by the user on or near the touch panel 1071 using a finger, a stylus, or any other suitable object or accessory), and drive a corresponding connection device according to a predetermined program. The touch panel 1071 may include two parts of a touch detection device and a touch controller. The touch detection device detects the touch direction of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch sensing device, converts the touch information into touch point coordinates, sends the touch point coordinates to the processor 110, and can receive and execute commands sent by the processor 110. In addition, the touch panel 1071 may be implemented in various types, such as a resistive type, a capacitive type, an infrared ray, and a surface acoustic wave. In addition to the touch panel 1071, the user input unit 107 may include other input devices 1072. In particular, other input devices 1072 may include, but are not limited to, one or more of a physical keyboard, function keys (e.g., volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like, and are not limited to these specific examples.

Further, the touch panel 1071 may cover the display panel 1061, and when the touch panel 1071 detects a touch operation thereon or nearby, the touch panel 1071 transmits the touch operation to the processor 110 to determine the type of the touch event, and then the processor 110 provides a corresponding visual output on the display panel 1061 according to the type of the touch event. Although the touch panel 1071 and the display panel 1061 are shown in fig. 1 as two separate components to implement the input and output functions of the mobile terminal, in some embodiments, the touch panel 1071 and the display panel 1061 may be integrated to implement the input and output functions of the mobile terminal, and is not limited herein.

The interface unit 108 serves as an interface through which at least one external device is connected to the mobile terminal 100. For example, the external device may include a wired or wireless headset port, an external power supply (or battery charger) port, a wired or wireless data port, a memory card port, a port for connecting a device having an identification module, an audio input/output (I/O) port, a video I/O port, an earphone port, and the like. The interface unit 108 may be used to receive input (e.g., data information, power, etc.) from external devices and transmit the received input to one or more elements within the mobile terminal 100 or may be used to transmit data between the mobile terminal 100 and external devices.

The memory 109 may be used to store software programs as well as various data. The memory 109 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the cellular phone, and the like. Further, the memory 109 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device.

The processor 110 is a control center of the mobile terminal, connects various parts of the entire mobile terminal using various interfaces and lines, and performs various functions of the mobile terminal and processes data by operating or executing software programs and/or modules stored in the memory 109 and calling data stored in the memory 109, thereby performing overall monitoring of the mobile terminal. Processor 110 may include one or more processing units; preferably, the processor 110 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 110.

The mobile terminal 100 may further include a power supply 111 (e.g., a battery) for supplying power to various components, and preferably, the power supply 111 may be logically connected to the processor 110 via a power management system, so as to manage charging, discharging, and power consumption management functions via the power management system.

Although not shown in fig. 1, the mobile terminal 100 may further include a bluetooth module or the like, which is not described in detail herein.

In order to facilitate understanding of the embodiments of the present invention, a communication network system on which the mobile terminal of the present invention is based is described below.

Referring to fig. 2, fig. 2 is an architecture diagram of a communication Network system according to an embodiment of the present invention, where the communication Network system is an LTE system of a universal mobile telecommunications technology, and the LTE system includes a UE (User Equipment) 201, an E-UTRAN (Evolved UMTS Terrestrial Radio Access Network) 202, an EPC (Evolved Packet Core) 203, and an IP service 204 of an operator, which are in communication connection in sequence.

Specifically, the UE201 may be the terminal 100 described above, and is not described herein again.

The E-UTRAN202 includes eNodeB2021 and other eNodeBs 2022, among others. Among them, the eNodeB2021 may be connected with other eNodeB2022 through backhaul (e.g., X2 interface), the eNodeB2021 is connected to the EPC203, and the eNodeB2021 may provide the UE201 access to the EPC 203.

The EPC203 may include an MME (Mobility Management Entity) 2031, an HSS (Home Subscriber Server) 2032, other MMEs 2033, an SGW (Serving gateway) 2034, a PGW (PDN gateway) 2035, and a PCRF (Policy and charging functions Entity) 2036, and the like. The MME2031 is a control node that handles signaling between the UE201 and the EPC203, and provides bearer and connection management. HSS2032 is used to provide registers to manage functions such as home location register (not shown) and holds subscriber specific information about service characteristics, data rates, etc. All user data may be sent through SGW2034, PGW2035 may provide IP address assignment for UE201 and other functions, and PCRF2036 is a policy and charging control policy decision point for traffic data flow and IP bearer resources, which selects and provides available policy and charging control decisions for a policy and charging enforcement function (not shown).

The IP services 204 may include the internet, intranets, IMS (IP Multimedia Subsystem), or other IP services, among others.

Although the LTE system is described as an example, it should be understood by those skilled in the art that the present invention is not limited to the LTE system, but may also be applied to other wireless communication systems, such as GSM, CDMA2000, WCDMA, TD-SCDMA, and future new network systems.

Based on the above mobile terminal hardware structure and communication network system, the present invention provides various embodiments of the method.

First embodiment

A first embodiment of the present invention provides a method for protecting data, which may be applied to a terminal having a data protection function.

Here, the terminal described above may be a fixed terminal having a display screen, or may be a mobile terminal having a display screen.

The above-mentioned fixed terminal may be a computer, and the above-mentioned mobile terminal includes but is not limited to a mobile phone, a notebook computer, a camera, a PDA, a PAD, a PMP, a navigation device, and the like. The terminal can be connected to the internet, wherein the connection mode can be through a mobile internet network provided by an operator, and can also be through accessing a wireless access point to perform network connection.

Here, if the mobile terminal has an operating system, the operating system may be UNIX, Linux, Windows, Android (Android), Windows Phone, or the like.

The type, shape, size, and the like of the display screen on the terminal are not limited, and the display screen on the terminal may be a liquid crystal display screen, for example.

In the first embodiment of the present invention, the display screen described above is used to provide a human-computer interaction interface for a user.

Fig. 3 is a flowchart of a first embodiment of a method for data protection in an embodiment of the present invention, as shown in fig. 3, the method includes:

step 301: and receiving a data packet sent by the opposite end node.

In the embodiment of the present invention, the peer node may be any network node in a computer network, specifically, a workstation, a client, a network user, or a personal computer, and may also be a server, a printer, or other devices that can be connected to the network. Each workstation, server, terminal device, network device, i.e. the device having its own unique network address, is a network node. The whole network is composed of a great number of network nodes, and each network node in a computer network topology structure can be connected through a communication line to form a certain geometric relationship so as to realize the communication among the network nodes.

In practical application, the network nodes can be divided into trusted network nodes and untrusted network nodes, the trusted network nodes have higher security, the issued or requested data is generally safe data, and the user terminal can safely interact with the data; while the untrusted node is generally a node with danger in network activities, such a node may issue dangerous data to the user terminal, such as: carrying the data of the Trojan horse virus; or steal user terminal privacy data, such as: privacy information, trade secrets, scientific achievements, etc.

Step 302: and determining that the opposite node is an untrusted node.

In practical implementation, the method may further include: acquiring identification information of an opposite end node and an untrusted node set, wherein the untrusted node set comprises identification information of at least one untrusted node; and when the identification information of the opposite end node is one identification information in the non-trust node set, determining that the opposite end node is a non-trust node. Illustratively, the identification information of the untrusted node includes at least one of: IP address, domain name.

Another optional implementation is that the untrusted node set includes at least one untrusted node type, where one untrusted node type corresponds to one protection rule. After determining that the opposite end node is the non-trust node, the terminal further determines the non-trust node type of the opposite end node and the protection rule, and completes the protection operation of the opposite end node by using the determined protection rule.

In practical implementation, the method for establishing the untrusted node set may include: determining at least one untrusted node using network security techniques; establishing an untrusted node set by using the determined identification information of all untrusted nodes; the identification information of the untrusted node may be a domain name or an IP address of the untrusted node.

Specifically, a domain name or an IP address of the opposite node is obtained, and when the domain name of the opposite node is a domain name in the untrusted node set, or the IP address of the opposite node is an IP address in the untrusted node set, the opposite node is determined to be the untrusted node.

Step 303: when the data packet comprises a request message, determining a response message corresponding to the data packet, wherein the request message is used for requesting to acquire feedback data; replacing feedback data in a response message corresponding to the data packet with first preset data to obtain a replaced response message; and sending the replaced response message to the opposite end node.

For example, when the firewall cannot block the untrusted node from transmitting the data request message to the terminal, when the terminal receives the request message sent by the untrusted node, the terminal may determine a response message including feedback data according to a normal request response flow, and use the response message including the feedback data as a first response message; before sending the response message to the non-trust node, replacing the feedback data in the first response message with the first preset data to obtain a second response message, and finally sending the second response message to the opposite node by the terminal.

Illustratively, the first preset data is: the data encryption method comprises the following steps of encrypting data, messy code data, all-0 data or all-1 data, wherein the encrypting data is as follows: and encrypting the feedback data by using a preset encryption algorithm to obtain data. It can be understood that the feedback data included in the first response message is valid data, and the first preset data included in the second response message obtained after the replacement is invalid data. And the non-trusted node considers that the terminal data is normally stolen when receiving the second response message sent by the terminal, and stops the data request to the terminal.

For example, the preset encryption algorithm may be: IDEA (International Data Encryption Algorithm, chinese name International Data Encryption Standard), DES (Data Encryption Standard, chinese name Data Encryption Standard), MD5(Message-Digest Algorithm 5), and the like.

It should be noted that, when the untrusted node detects the received response message, since the encrypted data has no detection basis, it is easier for the untrusted server to believe that the data of the terminal has been stolen successfully, and stop the data request to the terminal.

In the embodiment of the present invention, the replaced response message is used to instruct the corresponding node to stop sending the data packet continuously.

Step 304: when the data packet does not include the request message, discarding the data packet, or replacing a data part in the data packet with second preset data, and storing the replaced data packet; generating a response; and sending a response to the opposite end node, wherein the response is used for indicating that the data packet is normally received.

In the embodiment of the present invention, the data packet does not include the request message, which means that the data packet is data issued to the terminal by the untrusted node, and is not used for requesting to acquire data of the terminal. The data packet includes: a header and a data part, wherein the data part may be dangerous data carrying viruses, and the terminal may threaten the security of the terminal after receiving and storing the data packet.

Illustratively, when a firewall cannot block a data packet sent by an untrusted node, a terminal directly discards the data packet when receiving the data packet sent by the untrusted node; or replacing the data part in the data packet with second preset data, and storing the replaced data packet. Illustratively, the second preset data is: scrambled data, all 0 data, or all 1 data.

Generating a response; sending the response to the opposite end node; the acknowledgement response is used to indicate that the data packet was received normally.

In the embodiment of the invention, the response is sent to the opposite end node to inform the opposite end node that the data packet sent this time is normally received, so that the opposite end node is prevented from continuously sending the data packet.

In practical implementation, storing the replaced data packet may further include: and deleting the replaced data packet after a preset time interval. In practical implementation, if the operation that the terminal directly discards the data packet can be detected by the untrusted node, the data packet is retransmitted; in order to avoid this situation, the data content in the data packet may be replaced with the first preset data, and then the replaced data packet may be stored. Dangerous data are removed from the replaced data packet, and the storage of the terminal cannot threaten the safety of the terminal.

In order to further embody the object of the present invention, the above-mentioned scheme is further exemplified on the basis of the first embodiment of the present invention.

Second embodiment

Fig. 4 is a flowchart of a second embodiment of a method for protecting data according to an embodiment of the present invention, as shown in fig. 4, the flowchart includes:

step 401: and receiving a data request message sent by the opposite end node.

In the embodiment of the present invention, the opposite node may also be a base station, and the mobile terminal receives a data request message sent by the base station. The request message may be for requesting to acquire mobile terminal data, such as: address book, user privacy, application data, etc.

Step 402: and acquiring the identification information of the opposite end node.

Step 403: judging whether the identification information of the opposite node is the identification information in the non-trust node set or not; if yes, go to step 404; if not, step 407 is performed.

Step 404: and determining that the opposite node is an untrusted node, and determining a response message corresponding to the request message.

Step 405: and replacing the feedback data in the response message with the first preset data to obtain a replaced response message.

Illustratively, the response message corresponding to the request message includes: the system comprises a state line, a message header and entity content, wherein the entity content is feedback data of the terminal. And replacing the entity content with the first preset data to obtain a replaced response message.

Another optional implementation is that the untrusted node set includes at least one untrusted node type, where one untrusted node type corresponds to one protection rule. After determining that the opposite end node is the non-trust node, the terminal further determines the non-trust node type of the opposite end node and the protection rule, and completes the protection operation of the opposite end node by using the determined protection rule. For example, different protection rules correspond to different first preset data, for example, the protection rule corresponding to the first type of untrusted node is: replacing the feedback data with encrypted data, wherein the protection rule corresponding to the second type of untrusted node is as follows: and replacing the feedback data with messy code data, wherein the protection rule corresponding to the third type of untrusted nodes is as follows: the feedback data is replaced by all-0 data, and the protection rule corresponding to the fourth type of untrusted nodes is as follows: the feedback data is replaced with all 1 data.

Step 406: and sending the replaced response message to the opposite end node.

In actual implementation, after receiving the response message, the opposite end node reads the entity content in the message, confirms that the data request process is completed, and stops sending the data request message to the terminal.

Step 407: and determining the opposite end node as a trust node, and determining a response message corresponding to the request message.

Step 408: and sending a response message corresponding to the request message to the opposite end node.

Here, after determining that the correspondent node is a trusted node, that is, the correspondent node is a secure node, the normal request response process is executed, that is, step 407 and step 408 are executed.

To further illustrate the object of the present invention, the first embodiment of the present invention is further exemplified.

Third embodiment

Fig. 5 is a flowchart of a third embodiment of a data protection method in the embodiment of the present invention, as shown in fig. 5, the flowchart includes:

step 501: and receiving a data packet sent by the opposite end node.

Here, the data packet is data sent by the opposite node to the terminal, and the terminal only needs to receive the data packet and does not need to upload the data packet to the opposite node.

Step 502: and acquiring the identification information of the opposite end node.

Step 503: judging whether the identification information of the opposite node is the identification information in the non-trust node set or not; if yes, go to step 504; if not, step 506 is performed.

Step 504: and determining that the opposite node is an untrusted node, discarding the data packet and generating a response of 'receiving confirmation'.

In actual implementation, when the opposite end node is an untrusted node, a data packet received by the terminal may carry viruses, and therefore, the data packet only needs to be discarded.

In actual implementation, the set of untrusted nodes is established by an existing network security device. The network security device also classifies the untrusted nodes, and the network security device implements different protection rules on different types of untrusted nodes. For example, a first type of untrusted node corresponds to protection rule A, and a second type of untrusted node corresponds to protection rule B. Therefore, when the terminal determines that the opposite end node is the non-trust node, the terminal can further determine the non-trust node type of the opposite end node, and determine the corresponding protection rule according to the non-trust node type.

Step 505: and sending an acknowledgement response to the correspondent node.

Step 506: a data packet is received.

Here, a specific implementation manner of receiving the data packet is a terminal data receiving method in the prior art, and details are not described here.

Fourth embodiment

Fig. 6 is a flowchart of a fourth embodiment of a method for protecting data in the embodiment of the present invention, as shown in fig. 6, the flowchart includes:

step 601: and receiving a data packet sent by the opposite end node.

Step 602: and acquiring the identification information of the opposite end node.

Step 603: judging whether the identification information of the opposite node is the identification information in the non-trust node set or not; if yes, go to step 604; if not, step 607 is performed.

Step 604: and replacing the data part in the data packet with second preset data, storing the replaced data packet, and generating a response of 'receiving confirmation'.

In actual implementation, after the terminal receives the data packet, the untrusted node may monitor the terminal within a certain time, and when the untrusted node detects that the terminal does not receive the data packet, the untrusted node retransmits the data packet. In order to avoid the situation, the terminal can replace the data part in the data packet with the second preset data before storing, so as to achieve the purpose of 'cheating'.

Specifically, the received data packet includes: and the header part and the data part are stored after the content of the header part is reserved and the data part is replaced by all 0 data.

Step 605: and sending an acknowledgement response to the correspondent node.

Step 606: and deleting the replaced data packet after a preset time interval.

In this step, the stored data packet is deleted when the untrusted node determines that the data packet issuing operation is completed this time.

Step 607: a data packet is received.

Fifth embodiment

Fig. 7 is a flowchart of a fifth embodiment of a method for data protection in the embodiment of the present invention, where a server is taken as an example for a specific description of an opposite node in the embodiment of the present invention, as shown in fig. 7, the flowchart includes:

step 701: and establishing an untrusted node set in advance.

In actual implementation, determining at least one non-trusted node through the existing network security equipment; establishing an untrusted node set by using the determined identification information of all untrusted nodes; the identification information of the untrusted node may be a domain name or an IP address of the untrusted node.

Step 702: and receiving the data packet sent by the server.

Step 703: and acquiring the domain name and the IP address of the server.

Step 704: judging whether the domain name or the IP address of the server belongs to an untrusted node set, if so, executing a step 705; if not, go to step 709.

In actual implementation, the existing network security protection means identifies all the non-trusted nodes that can be determined, and establishes a non-trusted node set by using all the identified non-trusted nodes.

The method for judging whether the domain name or the IP address of the server belongs to the untrusted node set can comprise the following steps: sending the domain name or the IP address of the server to equipment for executing data security protection, comparing the received domain name or the IP address with a stored untrusted node set by the equipment, determining whether the domain name or the IP address of the server belongs to the untrusted node set, and generating indication information; and sending the indication information to the terminal, and determining whether the server is a non-trust server or not by the terminal according to the indication information.

Or the terminal compares the domain name or the IP address of the server with a non-trust node set stored in advance to determine whether the server is a non-trust server.

Step 705: determining that the server is an untrusted server.

Step 706: judging whether the received data packet comprises a request message or not; if so, go to step 707; if not, step 708 is performed.

In actual implementation, the method for determining whether the data packet includes the request message may be: whether the data packet includes the request message is determined by detecting whether the data packet includes the identification information of the request message. Here, since the existing communication protocol specifies that the format of the transmission data has a clear definition, and different data types correspond to different data formats, the identification information of the request message may be the data format of the request message.

Step 707: determining a response message corresponding to the request message, and replacing feedback data in the response message with first preset data to obtain a replaced response message; and sending the replaced response message to the server.

Illustratively, the feedback data in the response message is replaced by scrambled data, or the feedback data in the response message is replaced by encrypted data.

Here, the encrypted data may be: and encrypting the feedback data by using a preset encryption algorithm to obtain data.

For example, when the untrusted server requests to obtain the user privacy information of the terminal, the privacy information in the response message may be encrypted, the encrypted privacy information is used to replace the correct privacy information to generate a replaced response message, and then the replaced response message is sent to the untrusted server.

It should be noted that, when the untrusted node detects the received response message, the untrusted server is more likely to believe that the data of the terminal has been stolen successfully because the encrypted data has no detection basis, and stop the data request to the terminal.

Step 708: discarding the data packet and generating an "acknowledge receipt" response; and sending the generated 'confirmation receiving' response to the server.

In the embodiment of the invention, the response of 'receiving confirmation' is used for indicating that the data packet sent by the non-trust server at this time is normally received, so that the non-trust server is prevented from continuously sending the data packet.

Step 709: and determining that the server is a trust node, receiving the data packet and executing corresponding processing operation.

In this step, when the terminal determines that the server is a trusted node, a normal data receiving operation is performed.

The method, the terminal and the computer readable storage medium for data protection provided by the embodiment of the invention receive a data packet sent by an opposite terminal node; determining that the opposite node is an untrusted node; when the data packet comprises a request message, determining a response message corresponding to the data packet, wherein the request message is used for requesting to acquire feedback data; replacing feedback data in the response message corresponding to the data packet with first preset data to obtain a replaced response message; sending the replaced response message to the opposite end node; when the data packet does not comprise the request message, discarding the data packet, or replacing a data part in the data packet with second preset data and storing the replaced data packet; generating a response; and sending the response to the opposite end node, wherein the response is used for indicating that the data packet is normally received.

Sixth embodiment

Based on the same inventive concept, the embodiment of the invention also provides a terminal. Fig. 8 is a schematic diagram of a composition structure of a terminal in an embodiment of the present invention, and as shown in fig. 8, the terminal 80 includes: a processor 801 and a memory 802, wherein,

the processor 801 is configured to execute a data protection program stored in a memory to implement the following steps: receiving a data packet sent by an opposite end node;

determining that the opposite node is an untrusted node;

when the data packet does not comprise the request message, discarding the data packet, or replacing a data part in the data packet with second preset data and storing the replaced data packet; generating a response; and sending the response to the opposite end node, wherein the response is used for indicating that the data packet is normally received.

In actual implementation, the replaced response message is used to instruct the corresponding node to stop sending the data packet continuously.

The first preset data is as follows: encrypted data, scrambled data, all-0 data or all-1 data; the encrypted data is: encrypting the feedback data by using a preset encryption algorithm to obtain data; the second preset data is: scrambled data, all 0 data, or all 1 data.

In practical implementation, after receiving the data packet sent by the peer node, the processor 801 is specifically configured to implement the following steps:

In practical implementation, the method for establishing the untrusted node set may include: determining at least one untrusted node through a network security technique; and establishing a non-trusted node set by using the determined identification information of all the non-trusted nodes.

In practical implementation, the identification information of the untrusted node includes at least one of: IP address, domain name.

In practical implementation, the terminal 80 may be the mobile terminal 100 shown in fig. 1, the processor 801 may be the processor 110 in the mobile terminal 100, and the memory 802 may be the memory 109 in the mobile terminal 100.

In practical applications, the processor 801 may be at least one of an Application Specific Integrated Circuit (ASIC), a Digital Signal Processing Device (DSPD), a Programmable Logic Device (PLD), a Field Programmable Gate Array (FPGA), a controller, a microcontroller, and a microprocessor. It will be appreciated that the electronic devices used to implement the processor functions described above may be other devices, and embodiments of the present invention are not limited in particular.

The Memory 802 may be a volatile Memory (volatile Memory), such as a Random-Access Memory (RAM); or a non-volatile Memory (non-volatile Memory), such as a Read-Only Memory (ROM), a flash Memory (flash Memory), a Hard Disk (HDD), or a Solid-State Drive (SSD); or a combination of the above types of memories and provides instructions and data to the processor 801.

In addition, each functional module in this embodiment may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware or a form of a software functional module.

Based on the understanding that the technical solution of the present embodiment essentially or a part contributing to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, and include several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor (processor) to execute all or part of the steps of the method of the present embodiment. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.

Seventh embodiment

Based on the same inventive concept, embodiments of the present invention also provide a computer-readable storage medium, such as a memory including a computer program, which is executable by a processor of a terminal to perform the method steps in one or more of the foregoing embodiments.

It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.

Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.

While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.

Claims

1. A method of data protection, the method comprising:

receiving a data packet sent by an opposite end node;

determining that the opposite node is an untrusted node;

2. The method of claim 1, wherein the replaced response message is used to instruct the corresponding node to stop sending the data packet.

3. The method according to claim 1, wherein the first preset data is: encrypted data, scrambled data, all-0 data or all-1 data; the encrypted data is: encrypting the feedback data by using a preset encryption algorithm to obtain data;

the second preset data is: scrambled data, all 0 data, or all 1 data.

4. The method of claim 1, wherein after receiving the data packet sent by the correspondent node, the method further comprises:

acquiring identification information of an untrusted node set and the opposite end node, wherein the untrusted node set comprises identification information of at least one untrusted node;

5. The method of claim 4, wherein the identification information of the untrusted node comprises at least one of: IP address, domain name.

6. A terminal, characterized in that the terminal comprises: a processor and a memory; wherein,

determining that the opposite node is an untrusted node;

7. The terminal of claim 6, wherein the replaced response message is used to instruct the corresponding node to stop sending the data packets.

8. The terminal of claim 6, wherein after receiving the data packet sent by the correspondent node, the processor is specifically configured to implement the following steps:

9. The terminal of claim 8, wherein the identification information of the untrusted node comprises at least one of: IP address, domain name.

10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 5.