CN102055813A - Access controlling method for network application and device thereof
Abstract
The invention discloses an access control method for network applications and a device thereof. The method comprises the following steps: in the control interaction phase of network application access, a network device obtains, from a monitored DNS query message, the DNS domain name of the network application that a client requests to access; or, in the data interaction phase of network application access, the network device obtains the Internet Protocol (IP) address of the application server from monitored messages exchanged between the client and the application server, and obtains the DNS domain name corresponding to that IP address by a reverse query to the DNS server; the network device looks up the corresponding access control policy, by DNS domain name, in a preset correspondence between DNS domain names and access control policies; and the network device determines an access control rule from the policy found and applies the corresponding control, according to that rule, to the messages the client sends to the network application. The method and the device can improve the accuracy of network application identification.
Description
Technical field
The present invention relates to the field of communications, and in particular to an access control method for network applications and a device thereof.
Background art
Network applications have developed and changed rapidly in recent years. Their programs have gone from simple to complex and from rudimentary to advanced, offering users rich content and convenient services. To manage network access behaviour, and for reasons such as enterprise security, enterprises today usually need to manage and control how their employees use network applications.
From the standpoint of traffic management and monitoring, early network applications all used fixed port numbers, so they were easy to detect and manage. More recent network applications imitate HTTP (HyperText Transfer Protocol) and similar protocols to evade identification and detection, so some traditional detection methods for network applications no longer work.
Network applications usually have the following characteristic: at the start, the application first connects to the server and carries out some control negotiation according to the client's operation, and only then exchanges data. In other words, the interaction model of these applications can be regarded as control interaction first, data interaction second. Take an FTP (File Transfer Protocol) file download as an example: after the channel to the server is established, a "get file" control negotiation takes place first, and only after it succeeds does the exchange of file content proceed according to the negotiated result.
Based on the characteristics of the control negotiation, a large number of network applications can be identified fairly accurately. At present, application identification is generally done with packet signatures.
Packet signature identification is a technique similar to deep packet inspection (DPI): it uses features of the upper-layer protocol to identify the application. After analysing a large number of packets from an application, it takes as keywords the feature strings that occur in all packets or occur most frequently, for example specific content at a specific position in a packet, or packet content that conforms to the format of a certain protocol. In use, signature identification searches and matches packets; if a packet satisfies the signature of an application, the packet is taken to belong to that application.
Taking the "FTP file download" application again: before downloading a file, the FTP client sends the "RETR" command to the server, so the signature of the "FTP file download" application is: the TCP payload begins with "RETR " (the string "RETR" immediately followed by a space). If a packet satisfies this signature, it can be taken to be an FTP file download.
In the data interaction phase, the content carried even by the same network application varies widely, and a general rule or feature is hard to find, whereas the content exchanged in the control interaction phase is relatively fixed. Signature identification therefore usually works from the control-interaction packets of a network application: signatures are extracted from them through extensive analysis, and when a certain number of packets match the signatures, the network application corresponding to those signatures is taken to be running. Signature identification can identify most network applications and is therefore widely used at present.
In the course of realising the present invention, the inventor found that the existing technique of identifying network applications by signature and performing access control according to the identification result has at least the following defects:
(1) Signature matching inevitably produces false detections: different network applications may well match the same signature and be identified as the same application, so the access control measures taken on the basis of the identification result are unreasonable.
(2) Data-interaction packets sent after the control interaction has finished are hard to identify by signature, so access control cannot be applied on the basis of an identification result. For example, if the control-interaction packets of a network application were missed for some reason (such as the signature detection function not having been enabled earlier), the application cannot be identified, and access to it cannot be controlled, from the subsequent data packets.
Summary of the invention
The object of the present invention is to provide an access control method for network applications and a device thereof, in order to improve the recognition rate of network applications and the reasonableness of access control. To this end, the present invention adopts the following technical solutions:
An access control method for network applications, comprising:
In the control interaction phase of network application access, a network device obtains the DNS domain name of the network application that a client requests to access, from a monitored DNS query message that the client sends to a Domain Name System (DNS) server; or, in the data interaction phase of network application access, the network device obtains the IP address of the application server from monitored messages exchanged between the client and the application server, and obtains the DNS domain name corresponding to the IP address of the application server by a reverse query to the DNS server;
The network device looks up the corresponding access control policy, by the DNS domain name, in a preset correspondence between DNS domain names and access control policies;
The network device determines an access control rule from the access control policy found, and applies the corresponding control, according to the access control rule, to the messages that the client sends to the network application.
In the above method, where the network device, in the control interaction phase of network application access, obtains the DNS domain name of the network application that the client requests to access from a monitored DNS query message that the client sends to the DNS server, the network device determines the access control rule from the access control policy found specifically as follows:
The network device obtains the IP address corresponding to the DNS domain name of the network application by monitoring the query result that the DNS server returns for the DNS query message;
The network device sets up an access control rule according to the access control policy found; the access control rule is used to control the messages that the client sends to the IP address corresponding to the DNS domain name of the network application.
In the above method, the network device, in the data interaction phase of network application access, obtains the IP address of the application server from monitored messages exchanged between the client and the application server, and obtains the DNS domain name corresponding to the IP address of the application server by a reverse query to the DNS server, specifically as follows:
In the data interaction phase of network application access, the network device obtains the destination IP address by monitoring the messages the client sends, queries the DNS server for the DNS domain name corresponding to this destination IP address, and takes the DNS domain name returned as the DNS domain name of the network application that the client requests to access;
The network device determines the access control rule from the access control policy found specifically as follows:
The network device sets up an access control rule according to the access control policy found; the access control rule is used to control the messages that the client sends to the IP address of the application server.
In the above method, unverified access control rules exist on the network device;
The network device, in the data interaction phase of network application access, obtains the IP address of the application server from monitored messages exchanged between the client and the application server, and obtains the DNS domain name corresponding to the IP address of the application server by a reverse query to the DNS server, specifically as follows:
The network device matches the source IP address and destination IP address of a monitored message sent by the client against the corresponding IP addresses in the unverified access control rules; if they match, it obtains the DNS domain name corresponding to the destination IP address by a reverse query to the DNS server;
The network device determines the access control rule from the access control policy found specifically as follows:
If the access control policy the network device finds differs from the access control policy corresponding to the matched access control rule, the network device sets up an access control rule according to the access control policy found, marks it as verified, and deletes the matched access control rule; the access control rule set up is used to control the messages that the client sends to the destination IP address.
In the above method, the access control policy comprises: a fixed quota limit, rate reduction, or packet interception.
A network device, comprising:
A storage module, used to store the DNS domain names of network applications and the corresponding access control policies;
A monitoring module, used to monitor, in the control interaction phase of network application access, the DNS query messages that the client sends to the DNS server, or to monitor, in the data interaction phase of network application access, the messages exchanged between the client and the application server;
An acquisition module, used to obtain the DNS domain name of the network application that the client requests to access from the DNS query message monitored by the monitoring module; or to obtain the IP address of the application server from the messages exchanged between the client and the application server as monitored by the monitoring module, and to obtain the DNS domain name corresponding to the IP address of the application server by a reverse query to the DNS server;
A query module, used to look up the corresponding access control policy, by the DNS domain name, in the correspondence between DNS domain names and access control policies stored in the storage module;
A rule determination module, used to determine an access control rule from the access control policy found;
A control module, used to apply the corresponding control, according to the access control rule determined by the rule determination module, to the messages that the client sends to the network application.
In the above network device, the rule determination module is specifically used to obtain the IP address corresponding to the DNS domain name of the network application from the DNS domain name query result monitored by the monitoring module, and to set up an access control rule according to the access control policy found by the query module; the access control rule is used to control the messages that the client sends to the IP address corresponding to the DNS domain name of the network application.
In the above network device, the acquisition module is specifically used, in the data interaction phase of network application access, to obtain the destination IP address from the messages sent by the client as monitored by the monitoring module, to query the DNS server for the DNS domain name corresponding to this destination IP address, and to take the DNS domain name returned as the DNS domain name of the network application that the client requests to access;
The rule determination module is specifically used to set up an access control rule according to the access control policy found; the access control rule is used to control the messages that the client sends to the IP address of the application server.
In the above network device, unverified access control rules exist on the network device;
The acquisition module is specifically used to match the source IP address and destination IP address of a monitored message sent by the client against the corresponding IP addresses in the unverified access control rules and, if they match, to obtain the DNS domain name corresponding to the destination IP address by a reverse query to the DNS server;
The rule determination module is specifically used, if the access control policy the network device finds differs from the access control policy corresponding to the matched access control rule, to set up an access control rule according to the access control policy found, mark it as verified, and delete the matched access control rule; the access control rule set up is used to control the messages that the client sends to the destination IP address.
In the above network device, the access control policies stored by the storage module comprise: a fixed quota limit, rate reduction, or packet interception.
In the above embodiments of the present invention, the network device obtains the DNS domain name of the network application the client accesses by monitoring the messages exchanged between the client and the DNS server, and can therefore perform access control according to the preset access control policy corresponding to that DNS domain name. Compared with the prior-art use of signatures to identify network applications: on the one hand, because the DNS domain name of a network application usually identifies the application fairly accurately, identifying network applications by DNS domain name improves identification accuracy and, in turn, the reasonableness with which access control policies are applied; on the other hand, for the prior-art problem that data-interaction packets sent after the control interaction are hard to identify by signature, the embodiments of the invention can, in the data interaction phase, obtain the DNS domain name of the network application the client accesses by monitoring the messages exchanged between the client and the application server and making a reverse query to the DNS server, thereby identifying the network application and applying the corresponding access control.
Brief description of the drawings
Fig. 1 is a schematic diagram of the system architecture of an embodiment of the invention;
Fig. 2 is the first schematic flow chart of network application identification and access control in an embodiment of the invention;
Fig. 3 is the second schematic flow chart of network application identification and access control in an embodiment of the invention;
Fig. 4 is the third schematic flow chart of network application identification and access control in an embodiment of the invention;
Fig. 5 is a schematic structural diagram of the network device provided by an embodiment of the invention.
Detailed description of the embodiments
To address the above problems in the prior art, the embodiments of the invention provide a method, and a device, that use a DNS (Domain Name System) server to identify network applications and control the client's access to a network application according to the identification result.
As is well known, communication on the Internet today is carried out by IP address. Because IP addresses are numeric and hard for people to remember, the DNS protocol was introduced to convert easily remembered domain names into IP addresses.
For example, when the domain name ftp.kernel.org is resolved by a DNS server, one of the corresponding IP addresses is 204.152.191.37. A client with IP address 192.200.200.135 first sends a DNS request to resolve the domain name, converting the domain name to be accessed, "ftp.kernel.org", into the IP address 204.152.191.37, and then initiates a TCP (Transmission Control Protocol) connection to that IP address.
Worldwide, DNS currently uses UDP (User Datagram Protocol) port 53 uniformly, and DNS is organised as a public, global system, so users can openly and freely look up the correspondence between DNS domain names and IP addresses.
In general, the website or domain name that a network application exposes has the form "service.domain" (where service denotes the service type and domain is the domain part), such as the ftp.kernel.org mentioned above. By analysing the service part of the domain name (here, ftp), the type of network application in use can be determined, for example ftp corresponds to FTP file download; combined with the domain part (here, kernel.org), the specific network application can be distinguished (here, FTP access to kernel.org). Similarly, a service part of video indicates a video service, and a service part of map indicates a map service. It can be seen that different network applications can be fully distinguished by DNS domain name.
In this way, some of the prior-art problems of identifying network applications by signature can be solved by the embodiments of the invention:
(1) Regarding the low accuracy of signature-based network application identification: in the embodiment of the invention, during the control interaction phase, the domain name the client requests to access is obtained by monitoring the messages exchanged between the client and the DNS server, and the network application corresponding to this domain name is determined from the preset correspondence between domain names and network applications; this is the client-requested network application that the network device identifies. Taking FTP access to ftp.kernel.org again: once the network device has detected the DNS request and response messages in the control interaction phase, it knows that the client's IP address is 192.200.200.135, that the domain name requested is ftp.kernel.org, and that the IP address corresponding to this domain name is 204.152.191.37. Subsequent TCP communication initiated from 192.200.200.135 to 204.152.191.37 can then be taken to be FTP access to kernel.org, and the corresponding access control policy, as pre-configured by the administrator, is applied to control this FTP access by the client.
Because the servers of common network applications, and of well-known network applications in particular, use relatively fixed application server domain names, this property can be used to determine effectively, from the domain name the client requests to access, the name or type of the network application being requested.
(2) For the case where network application identification can no longer be performed once the signature identification phase has been missed, in the embodiment of the invention the network device can monitor the destination IP address of client packets in real time, query the corresponding DNS domain name, and classify the traffic under the corresponding network application according to the domain name query result. Taking "FTP file download" again: while the client and the application server are transferring FTP data, the router can take the IP address of the destination application server from the client's packets and learn by reverse DNS query that its domain name is ftp.xxxxx.yyy (where "ftp.xxxxx.yyy" stands for an actual domain name, for example of the form ftp.kernel.org or ftp.onlinedown.net), and thereby learn that the traffic is an FTP data interaction.
In addition, the embodiment of the invention can be combined with signature-based identification to further improve the recognition rate of network applications. Specifically, after a network application has been identified by signature, the DNS domain name can also be queried from the destination IP of the client's packet, and this domain name then used to judge whether the network application name or type identified by signature is accurate.
The embodiments of the invention are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of the system architecture in an embodiment of the invention. As shown, the architecture comprises client 1, router 2, the Internet 3, DNS server 4 and SP (Service Provider) server 5. DNS server 4 provides the domain name resolution service and stores the correspondence between domain names and IP addresses; SP server 5 provides the network application service.
Based on the system architecture shown in Fig. 1, Fig. 2 shows the flow of network application identification and access control provided by an embodiment of the invention, where the DNS domain name of the network application provided by SP server 5 is NameA and the corresponding IP address is IPA. When client 1 (IP address IPB) requests access to the network application whose DNS domain name is NameA, the identification and access control flow in the control interaction phase can comprise:
Step 201: client 1 sends a DNS query message to DNS server 4 through router 2, requesting the IP address corresponding to the domain name NameA.
In this step, router 2 intercepts the DNS query message and obtains the source IP address of the query, IPB, and the domain name the client asks about, NameA. Specifically, router 2 can obtain the DNS domain name the client asks about by monitoring the UDP messages the client sends to port 53.
Step 202: DNS server 4 answers the client's query and returns the IP address IPA corresponding to the domain name NameA.
In this step, router 2 intercepts the DNS response message and obtains the IP address IPA given in the answer.
Step 203: router 2 looks up the access control policy corresponding to the domain name NameA among the preset DNS domain names and corresponding access control policies, and handles packets whose source address is IPB and destination address is IPA (that is, packets client 1 sends to SP server 5) according to the policy found.
In this step, router 2 can set up a corresponding ACL (Access Control List) according to the access control policy found, which specifies the rule for controlling packets whose source address is IPB and destination address is IPA. Later, in the data interaction phase, when router 2 receives a packet with source address IPB and destination address IPA, it can apply access control according to this ACL.
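Steps 201 to 203 can be sketched in Python as follows. This is an added example, not code from the patent: the class and function names, the policy table, the DNS server address 10.0.0.53 and the byte strings of the sample query and response are all constructed for illustration, and discarding a response that has no matching monitored query is an extra check the text does not describe.

```python
import socket
import struct

# Constructed table: DNS domain name -> access control policy (names are illustrative).
POLICY_BY_DOMAIN = {"ftp.kernel.org": "rate_limit", "video.example.com": "block"}


def encode_name(name):  # helper used only to build the constructed sample messages
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"


def read_name(msg, off):
    """Decode the DNS name at msg[off:], following compression pointers.
    Returns (name, offset just past the name at its original position)."""
    labels, resume, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if (length & 0xC0) == 0xC0:               # compression pointer
            if off + 1 >= len(msg) or hops >= 16:
                raise ValueError("bad compression pointer")
            if resume is None:
                resume = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if resume is None else resume)
        if length > 63 or off + length > len(msg):
            raise ValueError("bad label")
        labels.append(msg[off:off + length].decode("ascii", "replace").lower())
        off += length


def parse_dns(msg):
    """Return (transaction id, is_response, queried name, IPv4 addresses from A records)."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = read_name(msg, 12)
    off += 4                                      # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated rdata")
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return txid, bool(flags & 0x8000), qname, addrs


class DnsMonitor:
    """Stand-in for router 2: watches UDP port 53 payloads and installs ACL entries."""

    def __init__(self, policies):
        self.policies = policies
        self.pending = {}   # (client IP, transaction id) -> queried name (step 201)
        self.acl = {}       # (source IP, destination IP) -> policy (step 203)

    def on_udp53(self, src_ip, dst_ip, payload):
        txid, is_response, qname, addrs = parse_dns(payload)
        if not is_response:
            self.pending[(src_ip, txid)] = qname
            return []
        # Step 202: the response travels server -> client, so dst_ip is the client.
        if self.pending.pop((dst_ip, txid), None) != qname:
            return []       # added check: no matching monitored query, install nothing
        policy = self.policies.get(qname)
        if policy is None:
            return []
        installed = [(dst_ip, addr) for addr in addrs]
        for key in installed:
            self.acl[key] = policy
        return installed

    def decide(self, src_ip, dst_ip):
        return self.acl.get((src_ip, dst_ip), "permit")


def sample_exchange():
    """Constructed query and response for ftp.kernel.org -> 204.152.191.37."""
    question = encode_name("ftp.kernel.org") + struct.pack("!HH", 1, 1)
    query = struct.pack("!6H", 0x1A2B, 0x0100, 1, 0, 0, 0) + question
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("204.152.191.37")
    return query, struct.pack("!6H", 0x1A2B, 0x8180, 1, 1, 0, 0) + question + answer


def demo():
    monitor = DnsMonitor(POLICY_BY_DOMAIN)
    query, response = sample_exchange()
    monitor.on_udp53("192.200.200.135", "10.0.0.53", query)
    monitor.on_udp53("10.0.0.53", "192.200.200.135", response)
    return monitor
```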
Based on system architecture shown in Figure 1, Fig. 3 shows the network application identification that another embodiment of the present invention provides and the flow process of access control, and wherein, the DNS domain name of the network application that SP server 5 is provided is NameA, and corresponding IP address is IPA.Client 1 is carried out in the process of data interaction with SP server 5, if missed network application identification in the mutual stage of control, then in the data interaction stage, the identification of its network application and access control flow process can comprise:
In this step, router two can be at first according to the source IP address and the purpose IP address of this message, searches whether to have corresponding ACL, if there is no, then continues to carry out subsequent step; If exist, then show the network application that may visit the before this ACL that carried out identification and relative set to this message, this moment, router two need not to carry out subsequent step again, but according to the ACL that this has been set up the control that conducts interviews.In the present embodiment, handle, therefore do not have corresponding ACL owing to missed the network application identification of controlling the mutual stage.
Concrete, router two can pass through the message of the specific protocol of monitoring client 1 transmission, as the TCP message, obtains purpose IP address ip A.Certainly, router two also can obtain the IP address of client 1 and the IP address of transmitting terminal by the message that client 1 is mail in monitoring.
In this step, router two can be set up corresponding ACL according to the access control policy that inquires, wherein stipulated to source address to be that IPB, destination address are the rule that the message of IPA carries out corresponding control, follow-up, router two to receive source address be IPB, when destination address is the message of IPA, can be directly according to this ACL control that conducts interviews, and need not to carry out again that the DNS domain name is counter has inquired about.
Above-mentioned network application identification and access control process can be used separately, also can use (or other network application RMs) conduct interviews flow process of control by the condition code recognition network and are used in combination with existing.
When being used in combination, if in the mutual stage of control, by feature identification sign indicating number (or other RMs) access control rule that identified network application and relative set, then follow-up when the mode of using the embodiment of the invention to provide is carried out network application identification and access control (as access opening feature identification code knowledge function at first, follow-uply open the domain name recognition function that the embodiment of the invention provides again), the network equipment can be by monitoring the source IP address and the purpose IP address of the mutual message acquisition message that client sent of client and network side, then with the access control rule that has been provided with in corresponding IP matching addresses, if it is (identical as source IP address that the match is successful, purpose IP address is identical), then the network equipment gets access to the DNS domain name of this purpose IP address correspondence by the anti-DNS of looking into domain name, and the DNS domain name of setting up in advance by inquiry and the corresponding relation of access control policy, obtain the access control policy of this DNS domain name correspondence, if the access control policy that inquires is different with the pairing strategy of the access control rule of having set up, then set up access control rule according to the access control policy that inquires, and in the control that conducts interviews of this newly-established rule of follow-up basis, otherwise still use original access control rule.
Still taking the system architecture shown in Fig. 1 as an example: if, in the control interaction phase, the network application has been identified by feature code and a corresponding ACL has been set, then after the domain name identification function is enabled in the data interaction phase, the following flow is carried out, as shown in Fig. 4:
Step 406: mark ACL1 as verified.
After the domain name identification function is enabled, an ACL set up through domain name identification needs to be marked (for example, marked as verified) to distinguish it from an ACL set up by the feature-code identification function, so that the domain name identification function does not perform the reverse DNS lookup again for an ACL carrying this mark, which saves network resources.
According to the flow shown in Fig. 4, suppose that in the control interaction phase router 2 identifies network application A and network application B by feature code, and their feature codes are identical. Router 2 then sets ACL10 for the client's access to network application A and ACL11 for its access to network application B, and ACL10 and ACL11 have the same control policy. After the domain name identification function is enabled in the data interaction phase, router 2 finds, through the above flow, the DNS domain name corresponding to the destination IP address of network application A; the access control policy corresponding to that DNS domain name differs from ACL10, so router 2 generates a new ACL for the client's access to network application A and deletes ACL10. As can be seen, this flow avoids the case in which feature-code identification recognizes different network applications as the same application, which improves identification accuracy and makes the access control policy settings more reasonable.
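The ACL10/ACL11 scenario above can be traced with the following sketch, which is an added example and not code from the patent. The class and function names, the policy labels, the documentation-range addresses, the "permit" default for unmatched traffic, and the choice to mark an unchanged rule as verified when the two policies agree are all assumptions of the sketch; the reverse DNS lookup is replaced by a constructed table so that it runs offline.

```python
from dataclasses import dataclass

# Constructed sample data: example domains and documentation address ranges.
POLICY_BY_DOMAIN = {              # DNS domain name -> access control policy
    "app-a.example": "rate_limit",
    "app-b.example": "block",
}
PTR_TABLE = {                     # stand-in for reverse DNS (PTR) answers
    "203.0.113.10": "app-a.example",
    "203.0.113.20": "app-b.example",
}


@dataclass
class Acl:
    src: str
    dst: str
    policy: str
    verified: bool = False        # True once domain identification confirmed it


class AclTable:
    """Hypothetical model of the device's rule table in the data interaction phase."""

    def __init__(self, policy_by_domain, reverse_lookup):
        self.policy_by_domain = policy_by_domain
        self.reverse_lookup = reverse_lookup   # callable: IP -> domain or None
        self.rules = {}                        # (src, dst) -> Acl
        self.lookups = 0                       # number of reverse lookups issued

    def add_signature_rule(self, src, dst, policy):
        # Rule created by feature-code identification: not yet verified.
        self.rules[(src, dst)] = Acl(src, dst, policy, verified=False)

    def on_packet(self, src, dst):
        rule = self.rules.get((src, dst))
        if rule is not None and rule.verified:
            return rule.policy                 # verified rule: no reverse lookup
        self.lookups += 1
        domain = self.reverse_lookup(dst)
        policy = self.policy_by_domain.get(domain) if domain else None
        if policy is None:
            # No PTR name, or no policy for it: keep the existing rule, if any.
            return rule.policy if rule else "permit"   # "permit" is an assumption
        if rule is None or rule.policy != policy:
            # Policy differs (or no rule yet): the new verified rule replaces
            # the matched one under the same (src, dst) key.
            self.rules[(src, dst)] = Acl(src, dst, policy, verified=True)
        else:
            rule.verified = True               # assumption: same policy, mark verified
        return policy


def demo():
    table = AclTable(POLICY_BY_DOMAIN, PTR_TABLE.get)
    client = "198.51.100.5"
    # Feature-code identification confused A and B and gave both the same policy.
    table.add_signature_rule(client, "203.0.113.10", "block")   # ACL10
    table.add_signature_rule(client, "203.0.113.20", "block")   # ACL11
    first = table.on_packet(client, "203.0.113.10")    # ACL10 replaced
    second = table.on_packet(client, "203.0.113.10")   # served by verified rule
    other = table.on_packet(client, "203.0.113.20")    # ACL11 confirmed
    return first, second, other, table.lookups


if __name__ == "__main__":
    print(demo())
```

A PTR answer is published by whoever controls the reverse zone for that address, so a deployment that bases policy on it would normally confirm the name with a forward lookup before trusting it.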
In the above embodiments of the invention, the preset access control policies corresponding to domain names can include fixed quota management, rate reduction, complete blocking, and so on. In practice, the correspondence between most domain names and network application information (such as the network application name) can be built into the network device (such as router 2 in Fig. 2), so the administrator only needs to specify the access control policy for each network application. The administrator can also customize the correspondence between domain names and network applications as needed. Because the domain names owned by well-known companies are fairly limited in number and seldom change, maintaining the domain names, network application names and corresponding access control policies usually takes little work.
Based on the same technical concept, the embodiment of the invention also provides a network device, such as a router, to which the above flows can be applied.
Fig. 5 is a schematic structural diagram of the network device provided by the embodiment of the invention. As shown in the figure, the network device can comprise:
Memory module 501, configured to store the DNS domain names of network applications and the corresponding access control policies;
Monitoring module 502, configured to monitor, in the control interaction phase of network application access, the DNS query message that the client sends to the DNS server, or to monitor, in the data interaction phase of network application access, the messages exchanged between the client and the application server;
Acquisition module 503, configured to obtain, according to the DNS query message monitored by monitoring module 501, the DNS domain name of the network application that the client requests to access; or to obtain the IP address of the application server according to the messages exchanged between the client and the application server as monitored by monitoring module 501, and to obtain the DNS domain name corresponding to the IP address of the application server by a reverse query to the DNS server;
Query module 504, configured to look up, according to the DNS domain name, the corresponding access control policy in the correspondence between DNS domain names and access control policies stored in memory module 501;
Rule determination module 505, configured to determine an access control rule according to the access control policy found;
Control module 506, configured to apply the corresponding control to the messages that the client sends to the network application, according to the access control rule determined by rule determination module 505.
In the control interaction phase:
Monitoring module 502 can monitor the DNS query message sent by the client, and monitor the DNS domain name query result that the DNS server returns for that DNS query message;
Rule determination module 505 can obtain the IP address corresponding to the DNS domain name of the network application according to the query result monitored by monitoring module 502, and set up an access control rule according to the access control policy found by query module 504; the access control rule is used to control the messages that the client sends to the IP address corresponding to the DNS domain name of the network application.
In the data interaction phase:
Monitoring module 502 can monitor the messages sent by the client;
Acquisition module 503 can obtain the destination IP address from the client message monitored by monitoring module 502, query the DNS server for the DNS domain name corresponding to this destination IP address, and take the DNS domain name found as the DNS domain name of the network application that the client requests to access;
Rule determination module 505 can set up an access control rule according to the access control policy found; the access control rule is used to control the messages that the client sends to the IP address of the application server.
When the network device is applied in a scenario that combines identification of network applications by feature code with identification of network applications by DNS domain name, and an unverified access control rule already exists on the network device:
Acquisition module 503 can match the source IP address and destination IP address of the monitored client message against the corresponding IP addresses in the unverified access control rule; if they match, it obtains the DNS domain name corresponding to the destination IP address by a reverse query to the DNS server;
Rule determination module 505 can specifically be configured so that, if the access control policy found by the network device differs from the access control policy of the matched access control rule, it sets up an access control rule according to the policy found, marks that rule as verified, and deletes the matched access control rule; the access control rule that is set up is used to control the messages that the client sends to the destination IP address.
In the above network device, the access control policies stored in memory module 501 include: a fixed quota limit, rate reduction, or intercepting messages.
In summary, in the embodiment of the invention the network device identifies the network application that the client requests to access according to the domain name requested by the client, which lays the foundation for subsequent operations such as further access control. This solves the problem that, once the control interaction messages of a network application access request have been missed for some reason (for example, the feature-code detection function was not enabled early on), the network application can no longer be identified accurately from the data messages, and it reduces the misidentification rate caused by feature-code identification. The embodiment of the invention can also be combined with feature-code detection to reduce the misidentification rate of network applications further.
From the above description of the embodiments, those skilled in the art can clearly understand that the invention can be implemented in hardware, or in software together with the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (a CD-ROM, a USB flash drive, a portable hard disk, etc.) and which includes a number of instructions that cause a computer device (a personal computer, a server, a network device, etc.) to perform the methods described in the embodiments of the invention.
Those skilled in the art will understand that the accompanying drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required to implement the invention.
Those skilled in the art will understand that the modules of the device in an embodiment can be distributed in the device as described in the embodiment, or can be changed accordingly and located in one or more devices different from that of the present embodiment. The modules of the above embodiments can be merged into one module, or further split into multiple sub-modules.
The sequence numbers of the above embodiments of the invention are for description only and do not indicate the relative merits of the embodiments.
The above discloses only several specific embodiments of the invention. The invention is not limited to them, however, and any variation that a person skilled in the art can conceive of shall fall within the protection scope of the invention.
Claims (10)
1. An access control method for a network application, characterized by comprising:
in the control interaction phase of network application access, a network device obtains the DNS domain name of the network application that a client requests to access, according to a monitored DNS query message sent by the client to a Domain Name System (DNS) server; or, in the data interaction phase of network application access, the network device obtains the IP address of the application server according to monitored messages exchanged between the client and an application server, and obtains the DNS domain name corresponding to the IP address of the application server by a reverse query to the DNS server;
the network device looks up, according to the DNS domain name, the corresponding access control policy in a preset correspondence between DNS domain names and access control policies;
the network device determines an access control rule according to the access control policy found, and applies the corresponding control to the messages that the client sends to the network application according to the access control rule.
2. The method according to claim 1, characterized in that, where the network device, in the control interaction phase of network application access, obtains the DNS domain name of the network application that the client requests to access according to the monitored DNS query message sent by the client to the DNS server, the network device determining an access control rule according to the access control policy found is specifically:
the network device obtains the IP address corresponding to the DNS domain name of the network application by monitoring the query result that the DNS server returns for the DNS query message;
the network device sets up an access control rule according to the access control policy found, the access control rule being used to control the messages that the client sends to the IP address corresponding to the DNS domain name of the network application.
3. The method according to claim 1, characterized in that the network device, in the data interaction phase of network application access, obtaining the IP address of the application server according to the monitored messages exchanged between the client and the application server, and obtaining the DNS domain name corresponding to the IP address of the application server by a reverse query to the DNS server, is specifically:
in the data interaction phase of network application access, the network device obtains the destination IP address by monitoring the messages sent by the client, queries the DNS server for the DNS domain name corresponding to this destination IP address, and takes the DNS domain name found as the DNS domain name of the network application that the client requests to access;
the network device determining an access control rule according to the access control policy found is specifically:
the network device sets up an access control rule according to the access control policy found, the access control rule being used to control the messages that the client sends to the IP address of the application server.
4. The method according to any one of claims 1 to 3, characterized in that an unverified access control rule already exists on the network device;
the network device, in the data interaction phase of network application access, obtaining the IP address of the application server according to the monitored messages exchanged between the client and the application server, and obtaining the DNS domain name corresponding to the IP address of the application server by a reverse query to the DNS server, is specifically:
the network device matches the source IP address and destination IP address of the monitored client message against the corresponding IP addresses in the unverified access control rule; if they match, it obtains the DNS domain name corresponding to the destination IP address by a reverse query to the DNS server;
the network device determining an access control rule according to the access control policy found is specifically:
if the access control policy found by the network device differs from the access control policy of the matched access control rule, the network device sets up an access control rule according to the policy found, marks that rule as verified, and deletes the matched access control rule; the access control rule that is set up is used to control the messages that the client sends to the destination IP address.
5. The method according to any one of claims 1 to 3, characterized in that the access control policy comprises: a fixed quota limit, rate reduction, or intercepting messages.
6. A network device, characterized by comprising:
a memory module, configured to store the DNS domain names of network applications and the corresponding access control policies;
a monitoring module, configured to monitor, in the control interaction phase of network application access, the DNS query message that the client sends to the DNS server, or to monitor, in the data interaction phase of network application access, the messages exchanged between the client and the application server;
an acquisition module, configured to obtain, according to the DNS query message monitored by the monitoring module, the DNS domain name of the network application that the client requests to access; or to obtain the IP address of the application server according to the messages exchanged between the client and the application server as monitored by the monitoring module, and to obtain the DNS domain name corresponding to the IP address of the application server by a reverse query to the DNS server;
a query module, configured to look up, according to the DNS domain name, the corresponding access control policy in the correspondence between DNS domain names and access control policies stored in the memory module;
a rule determination module, configured to determine an access control rule according to the access control policy found;
a control module, configured to apply the corresponding control to the messages that the client sends to the network application, according to the access control rule determined by the rule determination module.
7. The network device according to claim 6, characterized in that the rule determination module is specifically configured to obtain the IP address corresponding to the DNS domain name of the network application according to the DNS domain name query result monitored by the monitoring module, and to set up an access control rule according to the access control policy found by the query module, the access control rule being used to control the messages that the client sends to the IP address corresponding to the DNS domain name of the network application.
8. The network device according to claim 6, characterized in that the acquisition module is specifically configured to, in the data interaction phase of network application access, obtain the destination IP address from the client message monitored by the monitoring module, query the DNS server for the DNS domain name corresponding to this destination IP address, and take the DNS domain name found as the DNS domain name of the network application that the client requests to access;
the rule determination module is specifically configured to set up an access control rule according to the access control policy found, the access control rule being used to control the messages that the client sends to the IP address of the application server.
9. The network device according to any one of claims 6 to 8, characterized in that an unverified access control rule already exists on the network device;
the acquisition module is specifically configured to match the source IP address and destination IP address of the monitored client message against the corresponding IP addresses in the unverified access control rule; if they match, it obtains the DNS domain name corresponding to the destination IP address by a reverse query to the DNS server;
the rule determination module is specifically configured so that, if the access control policy found by the network device differs from the access control policy of the matched access control rule, it sets up an access control rule according to the policy found, marks that rule as verified, and deletes the matched access control rule; the access control rule that is set up is used to control the messages that the client sends to the destination IP address.
10. The network device according to any one of claims 6 to 8, characterized in that the access control policies stored in the memory module comprise: a fixed quota limit, rate reduction, or intercepting messages.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2010105518131A CN102055813A (en) | 2010-11-22 | 2010-11-22 | Access controlling method for network application and device thereof |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN102055813A true CN102055813A (en) | 2011-05-11 |
Family
ID=43959731
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2010105518131A Pending CN102055813A (en) | 2010-11-22 | 2010-11-22 | Access controlling method for network application and device thereof |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102055813A (en) |

Similar Documents

| Publication | Publication Date | Title |
|---|---|---|
| CN102055813A (en) | | Access controlling method for network application and device thereof |
| US9451036B2 (en) | | Method and apparatus for fingerprinting systems and operating systems in a network |
| US11696110B2 (en) | | Distributed, crowdsourced internet of things (IoT) discovery and identification using Block Chain |
| CN102394885B (en) | | Information classification protection automatic verification method based on data stream |
| US20050060425A1 (en) | | Application-based autonomic connectivity |
| CN110213212A (en) | | A kind of classification method and device of equipment |
| CN103369531B (en) | | A kind of method and device that control of authority is carried out based on end message |
| CN104640114B (en) | | A kind of verification method and device of access request |
| CN101582856B (en) | | Session setup method of portal server and BAS (broadband access server) device and system thereof |
| JP2011154622A (en) | | Access control system and access control method |
| AU2022213452B2 (en) | | Evaluating access requests using assigned common actor identifiers |
| CN102739811B (en) | | The method and apparatus of domain name mapping |
| CN103188104A (en) | | Method and device for analyzing user behaviors |
| CN110430188A (en) | | A kind of quick url filtering method and device |
| CN101127108B (en) | | Method for accessing a information source via a computer system |
| CN102347964B (en) | | Log in the method for website, system, information aggregation platform and website |
| US11394687B2 (en) | | Fully qualified domain name (FQDN) determination |
| CN102075504B (en) | | Method and system for realizing two-layer Portal authentication and Portal server |
| KR20200087467A (en) | | System and method for detecting malicious links using block chain and computer program for the same |
| CN106411819A (en) | | Method and apparatus for recognizing proxy Internet protocol address |
| KR101087291B1 (en) | | Method and system to distinguish all terminals using internet |
| CN108737407A (en) | | A kind of method and device for kidnapping network flow |
| WO2015123990A1 (en) | | Page push method, device, server and system |
| KR102314557B1 (en) | | System for managing security control and method thereof |
| Dong et al. | | E-DoH: elegantly detecting the depths of open DoH service on the internet: C. Dong et al. |

Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C02 | Deemed withdrawal of patent application after publication (patent law 2001) | |
| | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20110511 |