CN101917443A - Security gateway and method thereof for controlling sensitive link - Google Patents
- Publication number: CN101917443A (application CN2010102633462A)
- Authority: CN (China)
- Prior art keywords: url, message, state, sensitive, pool
- Legal status (as listed by Google Patents; not a legal conclusion): Pending
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a security gateway and a method for controlling sensitive links. The method comprises the following steps: reading pre-assigned sensitive URLs (Uniform Resource Locators) and building a state transition table; parsing the DNS (Domain Name System) data stream to obtain two-tuple records, each containing a URL and its IP (Internet Protocol) information; looking up the state transition table to detect whether the URL in a two-tuple record is a sensitive link and, if so, storing the two-tuple record in a pre-configured sensitive URL pool; and, on receiving an HTTP (Hypertext Transfer Protocol) message, looking up the sensitive URL pool and, if the destination IP address of the HTTP message matches an entry in the pool, handling the HTTP message according to a pre-configured policy. The method can perform access control on sensitive HTTP links effectively at the connection layer.
Description
Technical field
The present invention relates to the field of network security, and in particular to a security gateway and a method for controlling sensitive links.
Background art
As security gateways keep evolving, customer requirements keep rising and application environments grow ever more complex. Network security devices must therefore not only improve in hardware design but, more importantly, need a more reasonable, robust and stable software architecture. Under this trend, the user interaction interface is also required to be more complete, easier to understand and more expressive.
This applies mainly to network-level security devices such as security gateways, where thousands upon thousands of connections pass through access control rule filtering so that illegal connections can be restricted. Among these connections, HTTP connections inevitably account for a considerable proportion, and some of their URLs (or partial URLs) are of concern to the user; we call these sensitive URLs, for example those of certain illegal or reactionary websites.
Suppose access control over HTTP is to be performed at the connection layer. In the environment a network security device commonly operates in, there are typically hundreds of thousands, or even millions, of concurrent connection entries per second, and among these connections HTTP connections invariably make up the overwhelming majority. If the network security device is deployed at an Internet egress or in a core area, this scenario clearly holds. Two problems must then be faced: (1) how to filter out, quickly and efficiently, the connections the user needs to control from among all these connections; (2) how the filtered-out connections are exposed through an interface to the network security system. The prior art does not provide a good solution to these problems.
Summary of the invention
To solve the problems in the prior art, the invention provides a security gateway and a method for controlling sensitive links. The method can effectively filter out the connections the user needs to control, improve the defensive performance of network security devices, and make their access control function more powerful, secure and trustworthy.
Specifically, the method for controlling sensitive links by a security gateway provided by the invention comprises:
reading pre-assigned sensitive URLs and building a state transition table;
parsing the DNS data stream to obtain two-tuple records, each containing URL and IP information;
looking up the state transition table to detect whether the URL in a two-tuple record is a sensitive link and, if so, storing the two-tuple record in a pre-configured sensitive URL pool;
receiving an HTTP message, looking up the sensitive URL pool and, if the destination IP address of the HTTP message matches an entry in the sensitive URL pool, handling the HTTP message according to a pre-configured policy.
The state transition table records the state transition relations between successive characters of all the sensitive URLs.
Further, in the method of the invention, building the state transition table specifically comprises:
Step 30: count the sensitive URLs that have been read, and examine each sensitive URL in turn;
Step 31: judge whether the character state of the current character of the sensitive URL under examination already exists in the state transition table; if not, go to step 32, otherwise go to step 33;
Step 32: store this character state in the state transition table, then go to step 33;
Step 33: judge whether the current character of the sensitive URL under examination is its last character; if so, go to step 34, otherwise process the next character of that URL and return to step 31;
Step 34: store the end state, then examine the next sensitive URL and return to step 31.
Further, after the state transition table is built, the method also comprises: traversing each state recorded in the state transition table and, when a failed state transition is detected, calling the failure function to modify the state.
In the method of the invention, the pre-configured policy comprises: pass, block, log, or virus scan.
The method of the invention also comprises:
periodically checking each entry in the sensitive URL pool and, if one or more entries are detected not to have been used within a set time, deleting the corresponding entries.
The invention also provides a security gateway comprising a finite-state automaton, a DNS discovery module and an access control module;
the finite-state automaton is used to build a state transition table from the sensitive URLs read and, on receiving from the DNS discovery module a two-tuple record containing URL and IP information, to look up the state transition table, detect whether the URL in the two-tuple record is a sensitive link and, if so, store the two-tuple record in the pre-configured sensitive URL pool;
the DNS discovery module is used to parse the acquired DNS data stream, obtain two-tuple records, and output them to the finite-state automaton;
the access control module is used to look up the sensitive URL pool for each received HTTP message and, if the destination IP address of the message matches an entry in the sensitive URL pool, handle the HTTP message according to the pre-configured policy.
The state transition table records the state transition relations between successive characters of all the sensitive URLs.
The pre-configured policy comprises: pass, block, log, or virus scan.
Further, the security gateway of the invention also comprises:
a sensitive URL pool maintenance module, used to periodically check each entry in the sensitive URL pool and, if one or more entries are detected not to have been used within a set time, delete the corresponding entries.
Compared with the prior art, the beneficial effects of the invention are as follows:
The security gateway provided by the invention can control HTTP links directly and effectively at the connection layer on the basis of packet filtering, rather than by conventional application-layer filtering based on message content. This greatly improves the defensive performance of network security devices while avoiding the heavy cost of application-layer content inspection; it makes the access control function of security devices more powerful, secure and trustworthy, and opens up a new application for access control.
Description of the drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Clearly, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the method for controlling sensitive links by a security gateway provided by the invention;
Fig. 2 is a structural diagram of the security gateway provided by the invention;
Fig. 3 is a flow chart of the stages by which the security gateway of the invention implements control of sensitive links.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
To solve the problems in the prior art, the invention provides a security gateway and a method for controlling sensitive links. Before setting out the method, the following concepts are explained first:
A URL (Uniform Resource Locator) is information carried in a message. URLs or partial URLs designated by the user are sensitive or need attention, and the invention refers to them as keywords. Since they are keywords, the crux of implementing this function is finding an expected connection (its URL information) among thousands upon thousands of connections at high speed and with zero latency during policy matching. To this end, the invention uses a pattern-matching finite-state automaton to accelerate string matching.
A finite-state automaton is a device that performs logical processing on a sequence. It interacts with the outside world and can dynamically change some of its own conditions, or even its internal storage structure, in response to external changes, so as to adapt to them. A finite-state automaton has fixed intrinsic memory states, each of which records some key information; that is, the automaton has memory, judgement and decision-making capability. These characteristics make it very suitable for blocking HTTP links with access control policies at the connection level, and for improving the efficiency of matching connections that contain a designated string among a massive number of connections.
To control access to sensitive links efficiently at the connection layer, the invention provides a method for controlling sensitive links by a security gateway. Its principle is: use a finite-state automaton to increase link matching speed, store the matching results in a designated sensitive URL pool, and then let the corresponding access control module in the security gateway match and filter the received HTTP data messages against that pool. As shown in Fig. 1, the method comprises the following steps:
Step S101: read the pre-assigned sensitive URLs and build a state transition table with the finite-state automaton.
Step S102: parse the acquired DNS (Domain Name System) data stream to obtain two-tuple records, each containing URL and IP information.
Step S103: look up the state transition table to detect whether the URL in a two-tuple record is a sensitive link; if so, store the two-tuple record in the pre-configured sensitive URL pool.
Step S104: receive an HTTP message and look up the sensitive URL pool; if the IP address of the HTTP message matches an entry in the pool, handle the received HTTP message according to the pre-configured policy.
A preferred embodiment of the invention is given below with reference to Fig. 2, together with further technical details, so that the specific implementation of the method provided by the invention can be better described.
Fig. 2 is a structural diagram of the security gateway provided by the invention. The security gateway comprises a finite-state automaton 210, a DNS discovery module 220 and an access control module 230, where:
the finite-state automaton 210 reads keywords and generates a state transition graph and a state transition table from the keywords read;
each keyword represents a sensitive link URL and is set by the user according to actual needs.
Specifically, the process by which the finite-state automaton 210 generates the state transition graph and table is as follows:
(1) Count the input keywords and process each keyword in turn; when processing a keyword, process each of its characters in turn. For example, if the keyword is www.sina.com, each character (w, s, i and so on) represents a state, and the jump from one character to the next represents a state transition.
(2) Judge whether the state for this keyword character already exists in the state transition table; if not, go to step (3), otherwise go to step (4).
The concrete meaning of this step is: if the keyword currently being processed is www.sina.com and the keyword www.sohu.com has already been processed, then when the character w is processed, the state transition to w was already stored while www.sohu.com was processed, so the existing state can be used directly for the current keyword.
(3) Store the state in the state transition table, then go to step (4).
(4) Detect whether the current keyword character is the last character; if so, go to step (5), otherwise process the next character of the keyword and return to step (2).
(5) Store the end state, then process the next keyword, repeating the above procedure until all input keywords have been processed.
After all keywords have been processed, the final number of states used by the state transition graph is calculated, and storage space for the state transition graph and state transition table is allocated according to that number of states.
Preferably, after the state transition graph has been built, the whole state transition graph and table are also traversed; if a state transition fails during the traversal (i.e. the next state cannot be found), the failure function is called to modify the state so that state transitions can continue smoothly.
The state transition graph of the finite-state automaton forms a directed tree whose root node is the initial state 0. A depth-first tree search algorithm is used, and states are inserted into a circular queue in order of depth. For each keyword, the shallower state is always inserted first and the deeper state afterwards; the latter can be inserted only after the former has been dequeued, so at any moment at most one of the n states representing a keyword is in the queue. Here the depth of a state A is the length of the shortest path from the initial state to state A.
The DNS discovery module 220 is used to obtain the DNS data stream, parse it to obtain two-tuple records containing URL and IP information, and output these records to the finite-state automaton 210.
The DNS data stream found by the DNS discovery module 220 is part of the connection stream entering the firewall, and can be identified by port number or message format. As this is known technology, it is not described further here.
After receiving a two-tuple record input by the DNS discovery module 220, the finite-state automaton 210 looks up the state transition table using the URL information in the record; when the state transition table contains a keyword matching the URL in the record, the finite-state automaton 210 stores the corresponding URL and IP information in the pre-configured sensitive URL pool.
The sensitive URL pool also has an aging mechanism: the security gateway periodically checks whether any entry in the pool has not been used for a long time and, if so, deletes the information for that entry from the pool, improving memory utilization and reducing system overhead.
The processing policy comprises pass, block, log, virus scan and the like.
To make the above process clearer, the implementation of the invention can be divided into five stages, as shown in Fig. 3: the keyword set collection stage, the stage in which the finite-state automaton generates the state transition table, the finite-state automaton learning stage, and the link access control stage.
The security gateway provided by the invention can control HTTP links directly and effectively at the connection layer on the basis of packet filtering, rather than by conventional application-layer filtering based on message content. This greatly improves the defensive performance of network security devices while avoiding the heavy cost of application-layer content inspection; it makes the access control function of security devices more powerful, secure and trustworthy, and opens up a new application for access control.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. If these changes and modifications fall within the scope of the claims of the invention and their equivalents, the invention is also intended to include them.
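The following is an added worked example, not code from the patent or its applicant. It puts the procedure from the summary (steps 30 to 34 and S101 to S104) and the Fig. 2 embodiment into a toy gateway: an Aho-Corasick style automaton whose goto table is built from the sensitive URL keywords and whose failure function is filled in afterwards by a depth-ordered queue traversal, a sensitive URL pool keyed by the IP resolved in DNS answers, an HTTP decision made on destination IP alone, and the pool aging rule. The keywords, DNS answers, IP addresses, policy strings and timestamps are all constructed for illustration; the class and method names are this example's own.

```python
# Added worked example, not the patent's own code: a toy version of the gateway
# in the summary (steps 30-34, S101-S104) and the Fig. 2 embodiment. Keywords,
# DNS answers, IP addresses and timestamps below are constructed for illustration.
from collections import deque

# Policy actions named in the patent: pass, block, log, virus scan.
PASS, BLOCK, LOG, SCAN = "pass", "block", "log", "scan"


class SensitiveUrlAutomaton:
    """Goto table built per steps 30-34, then failure links (the 'failure function')."""

    def __init__(self, keywords):
        self.goto = [{}]        # goto[state][char] -> next state; state 0 is the root
        self.output = [set()]   # keywords recognised on reaching a state
        self.fail = [0]
        for kw in keywords:     # step 30: examine every sensitive URL in turn
            self._insert(kw.lower())
        self._build_failure()

    def _new_state(self):
        self.goto.append({})
        self.output.append(set())
        self.fail.append(0)
        return len(self.goto) - 1

    def _insert(self, kw):
        state = 0
        for ch in kw:
            if ch not in self.goto[state]:                # step 31: state missing?
                self.goto[state][ch] = self._new_state()  # step 32: store it
            state = self.goto[state][ch]                  # step 33: next character
        self.output[state].add(kw)                        # step 34: store end state

    def _build_failure(self):
        # Shallow states leave the queue before deeper ones, so a failure target is final when used.
        queue = deque(self.goto[0].values())
        while queue:
            state = queue.popleft()
            for ch, nxt in self.goto[state].items():
                queue.append(nxt)
                f = self.fail[state]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(ch, 0)
                self.output[nxt] |= self.output[self.fail[nxt]]

    def matches(self, text):
        """Return the set of keywords occurring anywhere in text."""
        state, found = 0, set()
        for ch in text.lower():
            while state and ch not in self.goto[state]:
                state = self.fail[state]      # failed transition: fall back
            state = self.goto[state].get(ch, 0)
            found |= self.output[state]
        return found


class SensitiveLinkGateway:
    def __init__(self, keywords, policy=BLOCK, ttl_seconds=300):
        self.automaton = SensitiveUrlAutomaton(keywords)   # finite-state automaton 210
        self.policy = policy        # applied to HTTP messages whose dst IP is in the pool
        self.ttl = ttl_seconds      # 'set time' after which unused pool entries age out
        self.pool = {}              # sensitive URL pool: dst IP -> (url, last-used time)

    def learn_dns(self, url, ip, now):
        """Steps S102/S103: (URL, IP) two-tuple from a DNS answer; store if sensitive."""
        hit = bool(self.automaton.matches(url))
        if hit:
            self.pool[ip] = (url, now)
        return hit

    def handle_http(self, dst_ip, now):
        """Step S104: look up the destination IP in the pool; a hit gets the policy."""
        entry = self.pool.get(dst_ip)
        if entry is None:
            return PASS
        self.pool[dst_ip] = (entry[0], now)   # refresh last-used time for aging
        return self.policy

    def age_pool(self, now):
        """Pool maintenance: delete entries unused for longer than the TTL."""
        stale = [ip for ip, (_, last) in self.pool.items() if now - last > self.ttl]
        for ip in stale:
            del self.pool[ip]
        return len(stale)


def demo():
    gw = SensitiveLinkGateway(["www.sina.com", "www.sohu.com"], policy=LOG, ttl_seconds=60)
    t0 = 1_000_000.0
    dns_answers = [("www.sina.com", "203.0.113.10"),            # exact keyword
                   ("news.sohu.com", "203.0.113.20"),           # contains no keyword
                   ("cdn.www.sohu.com.example", "203.0.113.30"),  # keyword as substring
                   ("www.example.org", "203.0.113.40")]         # unrelated
    learned = {name: gw.learn_dns(name, ip, t0) for name, ip in dns_answers}
    decisions = {ip: gw.handle_http(ip, t0 + 50) for ip in ("203.0.113.10", "203.0.113.20")}
    expired = gw.age_pool(t0 + 70)   # .30 idle 70 s > TTL; .10 was refreshed at +50 s
    return {"learned": learned, "decisions": decisions, "expired": expired, "pool_ips": sorted(gw.pool)}
```

Calling `demo()` walks all five roles once: the two keywords become the goto table, the four DNS answers are classified (only the two that contain a keyword enter the pool), the HTTP request to 203.0.113.10 receives the configured `log` action while 203.0.113.20 passes, and the aging pass removes the one pool entry no HTTP message used. Note that the decision is made purely on destination IP, exactly as the patent describes: once a resolved address is in the pool, every HTTP message to it gets the policy, whatever path it requests.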
Claims (10)
1. the method for a security gateway control sensitive link is characterized in that, comprising:
Read preassigned responsive URL and set up state transition table;
Resolve the DNS data flow and obtain two tuple message, described two tuple message comprise URL and IP information;
Search described state transition table, detect whether URL is sensitive link in the described two tuple message, if then described two tuple message are deposited in the pre-configured responsive URL pond;
Receive the HTTP message, search described responsive URL pond, if the purpose IP address of described HTTP message and the coupling of the list item in the responsive URL pond are then handled described HTTP message according to pre-configured strategy.
2. the method for claim 1 is characterized in that, records each intercharacter state redirect relation among all responsive URL in the described state transition table.
3. method as claimed in claim 2 is characterized in that, the described state transition table of setting up is specially:
The number of the responsive URL that step 30, calculating are read, and detect each responsive URL one by one;
Step 31, judge whether the character state exists among the responsive URL of current detection in state transition table, if there is not execution in step 32; Otherwise, execution in step 33;
Step 32, in state transition table the storage this character state, execution in step 33;
Step 33, judge whether the character of the responsive URL of current detection is last character, if carry out 34; Otherwise next character of the responsive URL of processing current detection returns step 31;
Step 34, storage done state detect next responsive URL, return step 31.
4. as claim 1,2 or 3 described methods, it is characterized in that, after setting up state transition table, also comprise: travel through each state of record in the described state transition table, and when detecting certain state redirect mistake, the malloc failure malloc function carries out status modifier.
5. the method for claim 1 is characterized in that, described pre-configured strategy comprises: let pass, forbid, write daily record or look into poison.
6. the method for claim 1 is characterized in that, also comprises:
Regularly detect each list item in the described responsive URL pond, in the time of setting, be not used, then the list item of correspondence is deleted if detect some or a plurality of list items.
7. a security gateway is characterized in that, comprising: finite-state automata, DNS find module and access control module;
Described finite-state automata is used for setting up state transition table based on the responsive URL that reads; And receive DNS find the module input comprise two tuple message of URL and IP information the time, search described state transition table, detect whether URL is sensitive link in the described two tuple message, if then described two tuple message are deposited in the pre-configured responsive URL pond;
Described DNS finds module, is used to resolve the DNS data flow of obtaining and obtains two tuple message, and export this two tuples message to described finite-state automata;
Described access control module is used for searching described responsive URL pond based on the HTTP message that receives, if the purpose IP address of this message and the coupling of the list item in the responsive URL pond are then handled described HTTP message according to pre-configured strategy.
8. security gateway as claimed in claim 7 is characterized in that, described state transition table records each intercharacter state redirect relation among all responsive URL.
9. security gateway as claimed in claim 7 is characterized in that, described pre-configured strategy comprises: let pass, forbid, write daily record or look into poison.
10. security gateway as claimed in claim 7 is characterized in that, also comprises:
Responsive URL pond maintenance module is used for regularly detecting each list item in the described responsive URL pond, is not used in the time of setting if detect some or a plurality of list items, then the list item of correspondence is deleted.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2010102633462A CN101917443A (en) | 2010-08-26 | 2010-08-26 | Security gateway and method thereof for controlling sensitive link |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101917443A true CN101917443A (en) | 2010-12-15 |
Family ID: 43324827
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101917443A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1592229A (en) * | 2003-08-25 | 2005-03-09 | 微软公司 | Electronic communications and web pages filtering based on URL |
CN101517570A (en) * | 2006-07-10 | 2009-08-26 | 网圣公司 | System and method for analyzing web content |
CN101794318A (en) * | 2010-03-26 | 2010-08-04 | 成都市华为赛门铁克科技有限公司 | URL (Uniform Resource Location) analyzing method and equipment |
Application events (2010)
- 2010-08-26 CN CN2010102633462A patent/CN101917443A/en active Pending
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109033399A (en) * | 2018-08-02 | 2018-12-18 | 挖财网络技术有限公司 | A method of detection link validity |
CN109167758A (en) * | 2018-08-07 | 2019-01-08 | 新华三技术有限公司 | A kind of message processing method and device |
CN109167758B (en) * | 2018-08-07 | 2021-07-23 | 新华三技术有限公司 | Message processing method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20101215