
CN108011873A - A kind of illegal connection determination methods based on set covering - Google Patents

A method for determining illegal connections based on set covering

Info

Publication number
CN108011873A
Authority
CN
China
Prior art keywords
client
server
terminal
legal
illegal
Legal status
Granted
Application number
CN201711215980.7A
Other languages
Chinese (zh)
Other versions
CN108011873B (en)
Inventor
许道强
张立东
孙虹
官国飞
葛崇慧
宋庆武
Current Assignee
State Grid Jiangsu Electric Power Co Ltd
Jiangsu Fangtian Power Technology Co Ltd
State Grid Corp of China SGCC
Original Assignee
State Grid Jiangsu Electric Power Co Ltd
Jiangsu Fangtian Power Technology Co Ltd
State Grid Corp of China SGCC
Application filed by State Grid Jiangsu Electric Power Co Ltd, Jiangsu Fangtian Power Technology Co Ltd, State Grid Corp of China SGCC
Priority to CN201711215980.7A
Publication of CN108011873A
Application granted
Publication of CN108011873B
Legal status: Active


Classifications

    • All entries fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 for authentication of entities > H04L63/0823 using certificates
    • H04L63/08 for authentication of entities > H04L63/0876 based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 for controlling access to devices or network resources > H04L63/101 Access control lists [ACL]
    • H04L63/12 Applying verification of the received information > H04L63/123 received data contents, e.g. message integrity
    • H04L63/16 Implementing security features at a particular protocol layer > H04L63/162 at the data link layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for determining illegal connections based on set covering, comprising the following steps. Step 1: establish a server and a plurality of clients, each client storing registration information that corresponds one-to-one to that client. Step 2: the client sends an authentication request to the server, and the server compares the client's registration information against the legal terminal list. Step 3: a legal client receives the legal terminal list; when it receives a communication request from another client, it identifies the requesting client's registration information and determines whether that information is present in the legal terminal list. When the communication environment is established, the invention sends the legal terminal list to every legal client, so the server need not perform identity identification separately. The determination method is convenient and fast: it distributes the identity-identification work across the clients, which reduces the server's workload and improves efficiency.

Description

A Method for Determining Illegal Connections Based on Set Covering

Technical field

The invention relates to the technical field of data connections, and in particular to a method for determining illegal connections based on set covering.

Background

At present, illegal connections are the main cause of security risks such as data leakage, especially illegal outbound connections. An illegal outbound connection means that a machine on which the client is installed accesses an external network without permission.

Traditional methods for determining the legitimacy of a connection mostly rely on the server alone to identify the identities of the many clients, thereby ensuring that each client's identity is legitimate. However, when an illegal device establishes a data connection with a client, the server cannot identify the illegal device in time; the illegal device can then steal information stored on the client and even use the client to obtain data stored on the server, causing information leakage to some extent.

Summary of the invention

To remedy the deficiencies of the prior art, the purpose of the invention is to provide a method for determining illegal connections based on set covering, which sends the legal terminal list to every legal client so that the server need not perform identity identification separately. The method is convenient and fast: it distributes the identity-identification work across the clients, which reduces the server's workload and improves efficiency.

To achieve the above object, the invention adopts the following technical solution:

A method for determining illegal connections based on set covering, comprising:

Step 1: establish a server and a plurality of clients. Each client stores registration information that corresponds one-to-one to that client, and the server stores a legal terminal list containing the registration information of a plurality of clients.

Step 2: the client sends an authentication request to the server, and the server compares the client's registration information against the legal terminal list.

If the comparison succeeds, the server keeps the communication channel with the client open, sends the legal terminal list to the client, and records the client as a legal client.

If the comparison fails, the server records the client as an illegal client and stops communicating with it.

Step 3: the legal client uses trusted network connect technology to form the network trust chain model M-TNC. Using trusted network connect (TNC) together with the terminal technology provided by a trusted host, terminal access control is implemented in the network environment; the authority control rules of M-TNC use an integrity check of the terminal to check the terminal's trustworthiness.

The M-TNC architecture is divided into the following three kinds of entities: the terminal access party (AP), the rule judging party (RJP) and the rule defining party (RDP).

The terminal access party is the terminal access device, which requests the server's resources; the rule judging party and the rule defining party form the terminal secure access control system.

The element definitions of M-TNC comprise the following two definitions:

First definition: the resource set R = {r_i | i = 1…N} is the set of resources of the enterprise office network.

Second definition: the resource service domain RS = {R, SDP, AP, ISP}, where R is the resource set provided by the enterprise network, RJP is the absolutely trusted rule judging party, and RDP manages the APs of the whole domain, assists the network service provider (ISP, Internet Service Provider) in verifying the trustworthiness of the M-TNC, and also accepts cross-domain service request messages from the M-TNCs of other domains.

The terminal trusted access algorithm comprises the following steps:

Step a: RDP formulates the corresponding ACL rules according to the trustworthiness of the AP: ACLPolicy ← getACLPolicy();

Step b: the AP requests access: it issues an access request, collects the terminal's trustworthiness evaluation value and sends it to the RJP, then waits for the RJP's trustworthiness decision on the terminal device: APCredibility ← CollectAPCredibility(); CredibilityResult ← SendJudgeRequest();

Step c: RDP completes the integrity and authenticity verification of the MTAM (Mobile Terminal Access Module) and is responsible for issuing trusted certificates to the terminal devices in the MTAM: CredibilityCertificate ← InRealityIntegrityCheck();

Step d: RDP is responsible for formulating and distributing the AP trustworthiness decision rules and for verifying the AP's certificate in order to evaluate the trustworthiness of the access device: CredibilityPolicy ← RDPMakeAndAllocatePolicy(); it authenticates the identity of the MTAM, verifies the validity of the AP certificate and checks the trustworthiness of the AP device: VerifyAPValidity();

The access mechanism analysis process comprises the following. The MTAM registers with the RDP and applies for the trusted evaluation certificate issued by the RDP; once it holds the certificate, the MTAM can interact with the ISP, and the ISP completes the trustworthiness evaluation of the MTAM by verifying the validity of the trusted evaluation certificate. The RDP obtains a trusted certificate issued by the terminal trust judging centre CMJC; the certificate contains the RDP's public key, the CMJC signature and other information, and the public key is published to terminals and other external devices through a secure channel. The entity identity certificate of each terminal has the following format:

Cert_A = {ID_A, KPub_A, Date_A, LF_A, E_KS_CA{ID_A, KPub_A, Date_A, LF_A}}

where KPub_A is the public key of terminal A, E_KS_CA{…} is the signature over the four identity fields produced with the CMJC private key KS_CA, Date_A is the issue date of the certificate, and LF_A is the validity period of the certificate.

In the aforementioned method for determining illegal connections based on set covering, M-TNC adopts an access mode of security evaluation first, connection afterwards.

In the aforementioned method for determining illegal connections based on set covering, the registration information comprises the client's IP address and MAC address.

In the aforementioned method for determining illegal connections based on set covering, in step 2 the client sends an authentication request to the server, and the server compares the client's registration information against the legal terminal list;

if the comparison succeeds, the server keeps the communication channel with the client open, sends the legal terminal list to the client, and records the client as a legal client;

if the comparison fails, the server records the client as an illegal client and stops communicating with it, and at the same time the server sends alarm information to the plurality of clients whose registration information is stored in the legal terminal list.

In the aforementioned method for determining illegal connections based on set covering,

in step 2 the client sends an authentication request to the server, and the server compares the client's registration information against the legal terminal list;

if the comparison succeeds, the server keeps the communication channel with the client open, sends the legal terminal list to the client, and records the client as a legal client;

if the comparison fails, the server records the client as an illegal client and stops communicating with it; at the same time the server retrieves from the illegal client tag information that makes the illegal client easy to mark, stores the tag information in the illegal-connection address book, and records the number of accesses by the illegal client. The tag information contains the unique identifier of the terminal.

In the aforementioned method for determining illegal connections based on set covering,

in step 2 the client sends an authentication request to the server, the server compares the client's registration information against the legal terminal list, and the server sends the local security policy to the legal clients in real time;

if the comparison succeeds, the server keeps the communication channel with the client open, sends the legal terminal list to the client, and records the client as a legal client;

if the comparison fails, the server records the client as an illegal client and stops communicating with it.

In the aforementioned method for determining illegal connections based on set covering,

an illegal client can send a security identification request to the server; once the server permits the illegal client to connect, the illegal client's tag information is deleted from the illegal-connection address book.

The aforementioned method for determining illegal connections based on set covering further comprises step 4: the server periodically identifies the plurality of clients corresponding to the legal terminal list.

The benefits of the invention are:

When the communication environment is established, the invention identifies the identity of each client and sends the legal terminal list to every legal client. When clients communicate with one another, the server need not perform identity identification separately. The method is convenient and fast: it distributes the identity-identification work across the clients, which reduces the server's workload and improves efficiency.

By means of the illegal-connection address book, the invention can collect and organise illegal clients, making it convenient for staff to retrieve the data and view illegal clients intuitively, understand the access behaviour of illegal clients, and identify and subsequently handle devices that perform malicious access.

The server of the invention has the function of performing identification again. Once identification succeeds, the illegal client's tag information is deleted from the illegal-connection address book, registration information is allocated to the illegal client according to its tag information, and that registration information is stored in the legal terminal list, so that the formerly illegal client's identity becomes legal and it can subsequently connect normally with the other clients and with the server.

Description of the drawings

Figure 1 is a flowchart of an embodiment of the invention.

Detailed description

The invention is described in detail below with reference to the accompanying drawing and specific embodiments.

A method for determining illegal connections based on set covering, comprising:

Step 1: establish a server and a plurality of clients. Each client stores registration information that corresponds one-to-one to that client, and the server stores a legal terminal list containing the registration information of a plurality of clients. The registration information comprises the client's IP address and MAC address.

Step 2: the client sends an authentication request to the server, and the server compares the client's registration information against the legal terminal list.

If the comparison succeeds, the server keeps the communication channel with the client open, sends the legal terminal list to the client, and records the client as a legal client.

If the comparison fails, the server records the client as an illegal client and stops communicating with it.

Preferred embodiment 1: in step 2 the client sends an authentication request to the server, and the server compares the client's registration information against the legal terminal list;

if the comparison succeeds, the server keeps the communication channel with the client open, sends the legal terminal list to the client, and records the client as a legal client;

if the comparison fails, the server records the client as an illegal client and stops communicating with it; at the same time the server retrieves from the illegal client tag information that makes the illegal client easy to mark, stores the tag information in the illegal-connection address book, and records the number of accesses by the illegal client. The tag information contains the unique identifier of the terminal; through the tag information, both the server and the clients can identify the device precisely.

By means of the illegal-connection address book, illegal clients can be collected and organised, making it convenient for staff to retrieve the data and view illegal clients intuitively, understand the access behaviour of illegal clients, and identify and subsequently handle devices that perform malicious access.

Preferred embodiment 2: in step 2 the client sends an authentication request to the server, the server compares the client's registration information against the legal terminal list, and the server sends the local security policy to the legal clients in real time. Through the local security policy, a legal client can carry out identification, connection, rejection and other data-processing work according to the server's requirements, so that connection handling as a whole runs smoothly.

If the comparison succeeds, the server keeps the communication channel with the client open, sends the legal terminal list to the client, and records the client as a legal client.

If the comparison fails, the server records the client as an illegal client and stops communicating with it.

Preferred embodiment 3: in step 2 the client sends an authentication request to the server, and the server compares the client's registration information against the legal terminal list;

if the comparison succeeds, the server keeps the communication channel with the client open, sends the legal terminal list to the client, and records the client as a legal client;

if the comparison fails, the server records the client as an illegal client and stops communicating with it, and at the same time the server sends alarm information to the plurality of clients whose registration information is stored in the legal terminal list.

This design informs the clients whose registration information is stored in the legal terminal list that an illegal connection attempt has occurred, reminding them to protect their information.

Step 3: the legal client uses trusted network connect technology to form the network trust chain model M-TNC. Using trusted network connect (TNC) together with the terminal technology provided by a trusted host, terminal access control is implemented in the network environment; the authority control rules of M-TNC use an integrity check of the terminal to check the terminal's trustworthiness.

The M-TNC architecture is divided into the following three kinds of entities: the terminal access party (AP), the rule judging party (RJP) and the rule defining party (RDP).

The terminal access party is the terminal access device, which requests the server's resources; the rule judging party and the rule defining party form the terminal secure access control system.

The element definitions of M-TNC comprise the following two definitions:

First definition: the resource set R = {r_i | i = 1…N} is the set of resources of the enterprise office network.

Second definition: the resource service domain RS = {R, SDP, AP, ISP}, where R is the resource set provided by the enterprise network, RJP is the absolutely trusted rule judging party, and RDP manages the APs of the whole domain, assists the network service provider (ISP, Internet Service Provider) in verifying the trustworthiness of the M-TNC, and also accepts cross-domain service request messages from the M-TNCs of other domains.

The terminal trusted access algorithm comprises the following steps:

Step a: RDP formulates the corresponding ACL rules according to the trustworthiness of the AP: ACLPolicy ← getACLPolicy();

Step b: the AP requests access: it issues an access request, collects the terminal's trustworthiness evaluation value and sends it to the RJP, then waits for the RJP's trustworthiness decision on the terminal device: APCredibility ← CollectAPCredibility(); CredibilityResult ← SendJudgeRequest();

Step c: RDP completes the integrity and authenticity verification of the MTAM (Mobile Terminal Access Module) and is responsible for issuing trusted certificates to the terminal devices in the MTAM: CredibilityCertificate ← InRealityIntegrityCheck();

Step d: RDP is responsible for formulating and distributing the AP trustworthiness decision rules and for verifying the AP's certificate in order to evaluate the trustworthiness of the access device: CredibilityPolicy ← RDPMakeAndAllocatePolicy(); it authenticates the identity of the MTAM, verifies the validity of the AP certificate and checks the trustworthiness of the AP device: VerifyAPValidity();

The access mechanism analysis process comprises the following. The MTAM registers with the RDP and applies for the trusted evaluation certificate issued by the RDP; once it holds the certificate, the MTAM can interact with the ISP, and the ISP completes the trustworthiness evaluation of the MTAM by verifying the validity of the trusted evaluation certificate. The RDP obtains a trusted certificate issued by the terminal trust judging centre CMJC; the certificate contains the RDP's public key, the CMJC signature and other information, and the public key is published to terminals and other external devices through a secure channel. The entity identity certificate of each terminal has the following format:

Cert_A = {ID_A, KPub_A, Date_A, LF_A, E_KS_CA{ID_A, KPub_A, Date_A, LF_A}}

where KPub_A is the public key of terminal A, E_KS_CA{…} is the signature over the four identity fields produced with the CMJC private key KS_CA, Date_A is the issue date of the certificate, and LF_A is the validity period of the certificate.
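The certificate format above is the page's notation only. The following Go program is an added example, not code from the patent or its assignees, showing how a verifier such as the ISP checks a certificate of that shape: the CMJC signature must verify under the published CMJC public key, and the check time must fall inside [Date_A, Date_A + LF_A]. It assumes an Ed25519 signature standing in for E_KS_CA, a length-prefixed encoding of the four signed fields (the page fixes no encoding), and constructed identifiers and dates; the names Cert, Issue, Verify and tbs are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Cert mirrors the page's Cert_A = {ID_A, KPub_A, Date_A, LF_A, E_KS_CA{ID_A, KPub_A, Date_A, LF_A}}.
type Cert struct {
	ID       string            // ID_A: terminal identifier
	PubKey   ed25519.PublicKey // KPub_A: the terminal's public key
	IssuedAt time.Time         // Date_A: issue date
	Lifetime time.Duration     // LF_A: validity period
	Sig      []byte            // E_KS_CA{...}: signature by the CMJC private key (Ed25519 here, an assumption)
}

// tbs serialises the four signed fields with length prefixes so that no byte of the ID can be
// re-read as part of the key; the page does not fix an encoding, so this one is the example's.
func (c *Cert) tbs() []byte {
	var out []byte
	put := func(b []byte) {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(b)))
		out = append(append(out, n[:]...), b...)
	}
	var ts, lf [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(c.IssuedAt.Unix()))
	binary.BigEndian.PutUint64(lf[:], uint64(c.Lifetime/time.Second))
	put([]byte(c.ID))
	put(c.PubKey)
	put(ts[:])
	put(lf[:])
	return out
}

// Issue plays the CMJC: it binds the terminal identity to its public key and signs with KS_CA.
func Issue(caPriv ed25519.PrivateKey, id string, pub ed25519.PublicKey, issued time.Time, lifetime time.Duration) *Cert {
	c := &Cert{ID: id, PubKey: pub, IssuedAt: issued, Lifetime: lifetime}
	c.Sig = ed25519.Sign(caPriv, c.tbs())
	return c
}

var (
	ErrBadSignature = errors.New("signature does not verify under the CMJC public key")
	ErrNotYetValid  = errors.New("certificate issue date is in the future")
	ErrExpired      = errors.New("certificate validity period has elapsed")
)

// Verify is what the ISP (or a peer terminal) runs with the CMJC public key it received over a
// secure channel: the signature must hold and now must lie within [Date_A, Date_A + LF_A].
func Verify(caPub ed25519.PublicKey, c *Cert, now time.Time) error {
	if len(c.Sig) != ed25519.SignatureSize || !ed25519.Verify(caPub, c.tbs(), c.Sig) {
		return ErrBadSignature
	}
	if now.Before(c.IssuedAt) {
		return ErrNotYetValid
	}
	if now.After(c.IssuedAt.Add(c.Lifetime)) {
		return ErrExpired
	}
	return nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	termPub, _, _ := ed25519.GenerateKey(nil)
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed date
	cert := Issue(caPriv, "terminal-A", termPub, issued, 30*24*time.Hour)
	fmt.Println("in period:", Verify(caPub, cert, issued.Add(24*time.Hour)))
	fmt.Println("expired:  ", Verify(caPub, cert, issued.Add(31*24*time.Hour)))
	forged := *cert
	forged.ID = "terminal-B" // identity altered after signing: the signature no longer covers it
	fmt.Println("forged:   ", Verify(caPub, &forged, issued.Add(24*time.Hour)))
}
```

The signature is checked before the dates so that an attacker-controlled certificate cannot steer the verifier by its date fields alone, and the verifier never accepts a certificate whose validity it cannot bound; both points follow from the page's "security evaluation first, connection afterwards" ordering.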

As an embodiment, the MTAM establishes a connection with the RDP and applies for a trusted certificate issued by the RDP. Before the connection is established, the MTAM performs integrity measurement based on the RDP; the MTAM and the RDP negotiate to complete identity authentication between them, which is mutual, and after authentication the RDP makes the trustworthiness decision on the MTAM platform. An MTAM that has passed identity authentication and the trustworthiness decision can obtain the trusted certificate issued by the RDP, and within the certificate's validity period the end user holding the certificate can establish a service connection with the ISP.

The traditional access mode is that M-TNC connects first and evaluates security afterwards. The invention differs from the traditional mode: M-TNC evaluates security first and connects afterwards, a design that greatly strengthens the security of network access.

As a preference, an illegal client can send a security identification request to the server; once the server permits the illegal client to connect, the illegal client's tag information is deleted from the illegal-connection address book. In actual operation, a server and a plurality of clients are established; each client stores registration information that corresponds one-to-one to that client, and the server stores a legal terminal list containing the registration information of a plurality of clients. There is no guarantee, however, that the number of clients will not grow during subsequent work, and the number of clients can grow in two situations:

In the first situation a new client is added. The staff then need to store registration information in the newly added client and update the legal terminal list stored on the server, storing the new client's registration information in the legal terminal list so that the new client can subsequently connect normally.

In the second situation, a device that previously connected to the server and was recorded as an illegal client may later be permitted to connect to the server. The server therefore has the function of identifying it again; once identification succeeds, the illegal client's tag information is deleted from the illegal-connection address book, registration information is allocated to the illegal client according to its tag information, and that registration information is stored in the legal terminal list, so that the formerly illegal client's identity becomes legal and it can subsequently connect normally with the other clients and with the server.

The method for determining illegal connections based on set covering further comprises step 4: the server periodically identifies the plurality of clients corresponding to the legal terminal list. In actual operation, when the number of clients is large the server may make identification errors, so the server periodically identifies the clients in the legal terminal list to ensure that all of them are legal clients and to prevent a client from unknowingly causing information leakage during operation.

When the communication environment is established, the present invention identifies each client and sends the legal terminal list to every legal client. When clients then communicate with one another, the server does not need to perform identification again for each connection. This determination method is simple and fast: the identification work is spread across the clients, which lightens the server's load and improves efficiency.

Through the illegal connection address book, the present invention collects and organizes the illegal clients, so that operators can retrieve the data and inspect the illegal clients directly, track their access activity, identify maliciously accessing devices, and take follow-up action.

The server of the present invention has a re-identification function. Once re-identification succeeds, the server deletes the illegal client's tag information from the illegal connection address book, assigns registration information to the client on the basis of its tag information, and stores that registration information in the legal terminal list, so that the client's identity becomes legal and it can subsequently connect normally to the other clients and the server.
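The server-side behaviour described in steps 1, 2 and 4 above and in the re-identification passage, as an added example in Python. It is not code from the patent or its applicants, who give the mechanism in prose only. The class and function names (AccessServer, IllegalEntry, peer_is_legal), the use of the terminal unique identifier as the lookup key, and the two sample terminals are assumptions made for the demonstration.

```python
"""Server-side model of the connection decision described on this page.

Added example; it is not code from the patent CN108011873A or its applicants,
which describe the mechanism in prose only. Class and function names
(AccessServer, IllegalEntry, peer_is_legal, ...) and the sample terminals are
assumptions constructed for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Registration information as in claim 3: (IP address, MAC address).
Registration = Tuple[str, str]


@dataclass
class IllegalEntry:
    """One row of the illegal connection address book (claim 5)."""
    terminal_id: str            # terminal unique identifier (the tag information)
    registration: Registration  # what the device presented when it was refused
    access_count: int = 0       # how many times it has tried to connect


@dataclass
class AccessServer:
    # Step 1: legal terminal list, terminal unique identifier -> registration.
    legal_list: Dict[str, Registration]
    illegal_book: Dict[str, IllegalEntry] = field(default_factory=dict)
    warnings: List[str] = field(default_factory=list)  # claim 4 warning messages

    def authenticate(self, terminal_id: str,
                     presented: Registration) -> Tuple[bool, Optional[List[Registration]]]:
        """Step 2: compare the presented registration with the legal terminal list.

        Returns (is_legal, legal_list_copy). A legal client receives the legal
        terminal list so that peers can check each other without a server round
        trip; an illegal client receives nothing, is recorded in the illegal
        connection address book, and every legal client is warned.
        """
        if self.legal_list.get(terminal_id) == presented:
            return True, list(self.legal_list.values())
        entry = self.illegal_book.setdefault(
            terminal_id, IllegalEntry(terminal_id, presented))
        entry.access_count += 1
        for peer_id in self.legal_list:
            self.warnings.append(f"warn {peer_id}: illegal access attempt by {terminal_id}")
        return False, None

    def readmit(self, terminal_id: str, assigned: Registration) -> bool:
        """Claim 7: once the operator approves the security identification
        request, drop the tag from the illegal book and store the assigned
        registration in the legal terminal list."""
        if terminal_id not in self.illegal_book:
            return False
        del self.illegal_book[terminal_id]
        self.legal_list[terminal_id] = assigned
        return True

    def revalidate(self, probe: Callable[[str], Optional[Registration]]) -> Set[str]:
        """Claim 8: periodic re-identification of every entry on the legal list.

        `probe` returns the registration the live device presents now (None if
        unreachable). Entries that no longer match are demoted to the illegal
        book so that a mis-identified client cannot keep receiving the list.
        """
        demoted: Set[str] = set()
        for terminal_id, reg in list(self.legal_list.items()):
            if probe(terminal_id) != reg:
                demoted.add(terminal_id)
                del self.legal_list[terminal_id]
                self.illegal_book.setdefault(terminal_id, IllegalEntry(terminal_id, reg))
        return demoted


def peer_is_legal(received_list: Iterable[Registration], peer: Registration) -> bool:
    """Client-side check against the list the server distributed (no server involved)."""
    return peer in set(received_list)


def make_demo_server() -> AccessServer:
    # Constructed sample data: two registered terminals.
    return AccessServer(legal_list={
        "T1": ("10.0.0.11", "aa:bb:cc:00:00:01"),
        "T2": ("10.0.0.12", "aa:bb:cc:00:00:02"),
    })


if __name__ == "__main__":
    srv = make_demo_server()
    print(srv.authenticate("T1", ("10.0.0.11", "aa:bb:cc:00:00:01")))
    print(srv.authenticate("T9", ("10.0.0.99", "de:ad:be:ef:00:99")))
    print(srv.illegal_book, srv.warnings)
```

Note what the comparison in step 2 does and does not establish. Registration information per claim 3 is an IP address and a MAC address, both of which a device on the same segment can read off a legal client's traffic and copy, so the legal terminal list identifies a client but does not authenticate it. In the patent that gap is closed by the M-TNC certificate exchange of step 3; a deployment that stopped at the list comparison would be open to address cloning. The warning broadcast of claim 4 fires once per failed attempt, so it should be rate-limited per terminal identifier before it reaches the clients, or a single rogue device can flood every legal client with warnings.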

The basic principles, main features and advantages of the present invention have been shown and described above. Those skilled in the art should understand that the embodiments above do not limit the present invention in any way, and that all technical solutions obtained by equivalent substitution or equivalent transformation fall within the protection scope of the present invention.

Claims (8)

  1. An illegal connection determination method based on set covering, characterised in that it comprises:
    Step 1: establishing a server and multiple clients, each client storing registration information that corresponds one-to-one with that client's information, and the server storing a legal terminal list containing the registration information of the multiple clients;
    Step 2: a client sending an authentication request to the server, and the server comparing the client's registration information with the legal terminal list;
    if the comparison succeeds, the server keeps the communication channel with the client established, sends the legal terminal list to the client, and marks the client as a legal client;
    if the comparison fails, the server marks the client as an illegal client and stops communicating with it;
    Step 3: the legal clients forming a network trust chain model M-TNC using Trusted Network Connect (TNC) technology, which, using the terminal technology provided by the trusted host, achieves terminal access control in the network environment; the access control rules of M-TNC check the credibility of a terminal by means of a terminal integrity check;
    The M-TNC architecture is divided into the following three classes of entity: the terminal access point (AP), the rule judge (RJP) and the rule definer (RDP);
    the terminal access point is the terminal access device that requests the server's resources; the rule judge and the rule definer form the terminal security access control system;
    The element definitions of M-TNC comprise the following two definitions:
    Definition 1: the resource set R = { r_i | i = 1…N }, the resource collection of the enterprise office network;
    Definition 2: the resource service domain RS = { R, SDP, AP, ISP }, where R is the resource set provided by the enterprise network, RJP is the fully trusted rule judge, and RDP manages the APs of the whole domain and, together with the network ISP (Internet Service Provider), verifies the credibility of M-TNC, while also accepting cross-domain service request messages from other M-TNC domains;
    The trusted terminal access algorithm comprises the following steps:
    Step a: the RDP formulates the corresponding ACL rules according to the credibility of the AP: ACLPolicy ← getACLPolicy();
    Step b: the AP requests access: it sends an access request, collects the terminal's credibility assessment value and sends it to the RJP, and waits for the RJP to judge the credibility of the terminal device: APCredibility ← CollectAPCredibility(); CredibilityResult ← SendJudgeRequest();
    Step c: the RDP completes the integrity and authenticity verification of the MTAM (Mobile Terminal Access Module) and issues a trusted certificate to the terminal devices under the MTAM's responsibility: CredibilityCertificate ← InRealityIntegrityCheck();
    Step d: the RDP is responsible for defining and distributing the credibility decision rules for the AP and verifies its certificate in order to assess the credibility of the access device: CredibilityPolicy ← RDPMakeAndAllocatePolicy(); it authenticates the identity of the MTAM, verifies the validity of the AP certificate and verifies the credibility of the AP device: VerifyAPValidity();
    The access mechanism analysis process comprises: the MTAM registers with the RDP registration service and applies to the RDP for a credibility evaluation certificate; after obtaining this certificate, the MTAM can interact with the ISP, and the ISP completes the credibility assessment of the MTAM by verifying the legitimacy of the credibility evaluation certificate; the RDP obtains a trusted certificate signed and issued by the trusted terminal judgement centre CMJC, the certificate containing the public key of the RDP, the signature of the CMJC and similar information, and the public key is published by a secure means to external devices such as terminals; the entity identity certificate of each terminal has the following format:
    CertA = { IDA, KPubA, DateA, LFA, E_KSCA{ IDA, KPA, DateA, LFA } }, where KPubA is the public key of terminal A, KSCA is the private key of the CMJC, DateA is the issue date of the certificate and LFA is the validity period of the certificate.
  2. The illegal connection determination method based on set covering according to claim 1, characterised in that the M-TNC uses an access mode of security evaluation first, connection afterwards.
  3. The illegal connection determination method based on set covering according to claim 1, characterised in that the registration information comprises the IP address and the MAC address of the client.
  4. The illegal connection determination method based on set covering according to claim 1, characterised in that in step 2 the client sends an authentication request to the server and the server compares the client's registration information with the legal terminal list;
    if the comparison succeeds, the server keeps the communication channel with the client established, sends the legal terminal list to the client, and marks the client as a legal client;
    if the comparison fails, the server marks the client as an illegal client, stops communicating with it, and at the same time sends a warning message to the multiple clients whose registration information is stored in the legal terminal list.
  5. The illegal connection determination method based on set covering according to claim 1, characterised in that in step 2 the client sends an authentication request to the server and the server compares the client's registration information with the legal terminal list;
    if the comparison succeeds, the server keeps the communication channel with the client established, sends the legal terminal list to the client, and marks the client as a legal client;
    if the comparison fails, the server marks the client as an illegal client and stops communicating with it; at the same time the server attaches to the illegal client tag information that makes the illegal client easy to mark, stores the tag information in an illegal connection address book, and records the number of times the illegal client has accessed; the tag information comprises a terminal unique identifier.
  6. The illegal connection determination method based on set covering according to claim 1, characterised in that in step 2 the client sends an authentication request to the server, the server compares the client's registration information with the legal terminal list, and the server sends the local security policy to the legal clients in real time;
    if the comparison succeeds, the server keeps the communication channel with the client established, sends the legal terminal list to the client, and marks the client as a legal client;
    if the comparison fails, the server marks the client as an illegal client and stops communicating with it.
  7. The illegal connection determination method based on set covering according to claim 1, characterised in that an illegal client can send a security identification request to the server, and after the server permits the illegal client to connect, the illegal client's tag information is deleted from the illegal connection address book.
  8. The illegal connection determination method based on set covering according to claim 1, characterised in that it further comprises step 4: the server periodically identifies the multiple clients corresponding to the legal terminal list.
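The entity identity certificate CertA of claim 1 and the "security evaluation first, connection afterwards" ordering of claim 2, as an added example in Python; this is not the patent's own code. The patent names no signature algorithm for E_KSCA, so the CMJC signature is stood in for here by HMAC-SHA256 under a secret that the verifier must also hold; that substitution is an assumption for the demonstration, and a deployment would use an asymmetric signature (for example Ed25519) so that the RDP and ISP verify with the CMJC public key the patent says is published and hold no signing secret themselves. Representing DateA as Unix seconds and LFA as a period in seconds, the canonical JSON encoding of the signed fields, the KPA field being the same key as KPubA, and the sample identities and keys are likewise assumptions.

```python
"""Verification of the terminal identity certificate CertA from claim 1.

Added example, not code from the patent CN108011873A. The patent gives
CertA = {IDA, KPubA, DateA, LFA, E_KSCA{IDA, KPA, DateA, LFA}} with KSCA the
CMJC private key but names no signature algorithm; HMAC-SHA256 under a
shared secret stands in for the CMJC signature here (assumption; a real
deployment uses an asymmetric signature verified with the CMJC public key).
DateA as Unix seconds, LFA as seconds, and all sample values are assumptions
constructed for the demonstration.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class CertA:
    id_a: str      # IDA: terminal identity
    kpub_a: bytes  # KPubA: terminal public key (opaque bytes here)
    date_a: int    # DateA: issue time, Unix seconds (assumption)
    lf_a: int      # LFA: validity period in seconds (assumption)
    sig: bytes     # E_KSCA{IDA, KPA, DateA, LFA}: CMJC signature over the fields


def _to_be_signed(id_a: str, kpub_a: bytes, date_a: int, lf_a: int) -> bytes:
    # Fixed field order and a canonical encoding, so issuer and verifier hash
    # exactly the same bytes and no field boundary can be shifted by the AP.
    return json.dumps([id_a, kpub_a.hex(), date_a, lf_a], separators=(",", ":")).encode()


def cmjc_issue(ksca: bytes, id_a: str, kpub_a: bytes, date_a: int, lf_a: int) -> CertA:
    """CMJC side: issue CertA. HMAC-SHA256 stands in for the asymmetric signature."""
    sig = hmac.new(ksca, _to_be_signed(id_a, kpub_a, date_a, lf_a), hashlib.sha256).digest()
    return CertA(id_a, kpub_a, date_a, lf_a, sig)


def verify_cert(cert: CertA, claimed_id: str, cmjc_key: bytes, now: int) -> Optional[str]:
    """RDP/ISP side: return None if CertA is acceptable, else the first failing check."""
    expected = hmac.new(cmjc_key,
                        _to_be_signed(cert.id_a, cert.kpub_a, cert.date_a, cert.lf_a),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cert.sig):
        return "bad signature"        # fields altered, or not issued by the CMJC
    if cert.id_a != claimed_id:
        return "identity mismatch"    # genuine certificate, but for another terminal
    if now < cert.date_a:
        return "not yet valid"
    if now >= cert.date_a + cert.lf_a:
        return "expired"              # LFA elapsed; the AP must be re-issued
    return None


def admit(cert: CertA, claimed_id: str, cmjc_key: bytes, now: int,
          ap_credibility: float, acl_threshold: float) -> str:
    """Claim 2 ordering: security evaluation first, connection afterwards.

    Steps a-d reduce to: the certificate must verify (step d) and the AP's
    credibility value collected in step b must meet the RDP's ACL policy
    from step a. Returns "connect" or "deny:<reason>"; nothing is connected
    before both checks pass.
    """
    reason = verify_cert(cert, claimed_id, cmjc_key, now)
    if reason is not None:
        return "deny:" + reason
    if ap_credibility < acl_threshold:
        return "deny:credibility below ACL policy"
    return "connect"


# Constructed sample values for the demonstration.
KSCA_DEMO = b"cmjc-demo-secret"
ISSUED_AT = 1_700_000_000
DEMO_CERT = cmjc_issue(KSCA_DEMO, "AP-7", b"\x01\x02\x03", ISSUED_AT, 86_400)
# Same certificate with the identity edited after issue: the signature no longer matches.
TAMPERED_CERT = replace(DEMO_CERT, id_a="AP-8")

if __name__ == "__main__":
    print(admit(DEMO_CERT, "AP-7", KSCA_DEMO, ISSUED_AT + 100, 0.9, 0.6))
    print(admit(TAMPERED_CERT, "AP-8", KSCA_DEMO, ISSUED_AT + 100, 0.9, 0.6))
```

The check order is deliberate: the signature is verified before any field is trusted, the identity binding is checked before the validity window, and the signature comparison is constant-time. The canonical encoding of the to-be-signed fields matters as much as the signature itself; if the fields were simply concatenated, two different (IDA, KPubA) pairs could produce the same byte string and the CMJC signature would cover both.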
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711215980.7A CN108011873B (en) 2017-11-28 2017-11-28 Illegal connection judgment method based on set coverage

Publications (2)

Publication Number Publication Date
CN108011873A true CN108011873A (en) 2018-05-08
CN108011873B CN108011873B (en) 2020-09-04

Family

ID=62054236

Country Status (1)

Country Link
CN (1) CN108011873B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109067932A (en) * 2018-07-24 2018-12-21 广州贯行电能技术有限公司 A kind of data collection station data transmission method and data service end without fixed IP
CN110401669A (en) * 2019-07-31 2019-11-01 广州华多网络科技有限公司 A kind of proof of identity method and relevant device
CN111131255A (en) * 2019-12-25 2020-05-08 中国联合网络通信集团有限公司 Network private identification method and device
CN112243041A (en) * 2020-12-21 2021-01-19 成都雨云科技有限公司 Cross-domain connection system and method for remote desktop access protocol
CN113411190A (en) * 2021-08-20 2021-09-17 北京数业专攻科技有限公司 Key deployment, data communication, key exchange and security reinforcement method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004032421A1 (en) * 2002-10-01 2004-04-15 Huawei Technologies Co., Ltd. A method for adding devices to management system
CN102035837A (en) * 2010-12-07 2011-04-27 中国科学院软件研究所 Method and system for hierarchically connecting trusted networks
CN106992988A (en) * 2017-05-11 2017-07-28 浙江工商大学 A kind of cross-domain anonymous resource sharing platform and its implementation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant