
CN115550289B - Data transmission method, device and storage medium - Google Patents


Info

Publication number: CN115550289B
Application number: CN202211498156.8A
Authority: CN (China)
Other versions: CN115550289A (application publication)
Other languages: Chinese (zh)
Prior art keywords: isolation, gatekeeper, candidate list, sub, data
Legal status: Active (the status and dates are Google's assumptions, not legal conclusions)
Inventors: 秦冲, 杨莉, 罗禹铭, 黄铄琳
Current assignee: Wangyu Safety Technology Shenzhen Co ltd
Original assignee: Wangyu Safety Technology Shenzhen Co ltd

Application filed by Wangyu Safety Technology Shenzhen Co ltd
Priority to CN202211498156.8A
Publication of CN115550289A
Application granted
Publication of CN115550289B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 49/00 Packet switching elements
    • H04L 49/25 Routing or path finding in a switch fabric
    • H04L 49/253 Routing or path finding in a switch fabric using establishment or release of connections between ports
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/0218 Distributed architectures, e.g. distributed firewalls

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the invention disclose a data transmission method, device and storage medium based on isolation gatekeepers. The method comprises: pre-storing a gatekeeper candidate list in which the ID identifiers of n isolation gatekeepers are recorded; sequentially acquiring a plurality of sub-packets obtained by splitting the data to be sent; each time a sub-packet is acquired, randomly selecting an ID identifier from the gatekeeper candidate list as the target identifier, such that the ID identifiers selected for at least two of the sub-packets differ; and sending the currently acquired sub-packet to a receiving end in the external network through the isolation gatekeeper corresponding to the target identifier. The sub-packets of the data to be sent are thus sent out at random through different isolation gatekeepers, which makes it harder to completely reconstruct the transmitted data, reduces information leakage and improves the security of data transmission.

Description

Data transmission method, device and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a data transmission method, an apparatus, and a storage medium.
Background
The unidirectional isolation gatekeeper is widely used in networks with high requirements on security, such as an industrial control network, and is deployed at a network boundary to ensure the unidirectionality of data transmission, so as to isolate internal networks and external networks with different security levels.
As competition intensifies, network security threats grow more serious and attack techniques more diverse. As the core device guaranteeing the security of an isolated network, the isolation gatekeeper is necessarily a prime target. Although it is difficult to attack an isolation gatekeeper remotely, an attacker can still implant a backdoor in it in advance by means such as a supply-chain attack or social engineering, and thereby gain control of it.
As shown in fig. 1, in current data transmission based on a unidirectional isolation gatekeeper, a single unidirectional isolation gatekeeper is usually deployed between the internal network and the external network. If a client device in the internal network needs to transmit data to the external network, the data must pass through that isolation gatekeeper; that is, the data sent by every client device reaches the external network through the same isolation gatekeeper. Once that gatekeeper is controlled, most or even all of the data transmitted out of the internal network can be obtained through it, useful information can be extracted from it, and high-value information in the internal network obtained; such leakage causes unpredictable losses and greatly reduces security.
Disclosure of Invention
Embodiments of the present invention provide a data transmission method, an apparatus and a storage medium that greatly increase the difficulty of completely reconstructing transmitted data and reduce information leakage, thereby improving the security of data transmission.
In order to solve the above technical problem, one aspect of the present invention provides a data transmission method based on isolation gatekeepers, comprising:
pre-storing a gatekeeper candidate list in which the ID identifiers of n isolation gatekeepers are recorded, the ID identifier of each isolation gatekeeper being unique, and n being greater than or equal to 2;
sequentially acquiring a plurality of sub-packets obtained by splitting the data to be sent, the data to be sent coming from a sending end in the internal network;
each time a sub-packet is acquired, randomly selecting an ID identifier from the gatekeeper candidate list as the target identifier, such that the ID identifiers selected for at least two of the sub-packets differ; and
sending the currently acquired sub-packet to a receiving end in the external network through the isolation gatekeeper corresponding to the target identifier.
Optionally, after sending the currently acquired sub-packet to the receiving end in the external network through the isolation gatekeeper corresponding to the target identifier, the method further comprises:
removing the ID identifier currently selected as the target identifier from the gatekeeper candidate list and, once no ID identifier remains in the gatekeeper candidate list, adding the removed ID identifiers back into it.
Optionally, randomly selecting an ID identifier from the gatekeeper candidate list as the target identifier each time a sub-packet is acquired comprises:
each time a sub-packet is acquired, if the currently acquired sub-packet is the last sub-packet, judging whether all the ID identifiers selected so far are the same identifier;
if they are the same, removing that ID identifier from the gatekeeper candidate list and randomly selecting one of the remaining ID identifiers in the gatekeeper candidate list as the target identifier; and
if at least two different identifiers exist among the ID identifiers selected so far, randomly selecting one of the n ID identifiers in the gatekeeper candidate list as the target identifier.
Optionally, randomly selecting an ID identifier from the gatekeeper candidate list as the target identifier each time a sub-packet is acquired comprises:
starting from the 2nd sub-packet, each time a sub-packet is acquired, randomly selecting one of the n-1 ID identifiers in the gatekeeper candidate list other than the ID identifier selected the previous time as the target identifier.
Optionally, the gatekeeper candidate list also records the hardware addresses of the n isolation gatekeepers, and sending the currently acquired sub-packet to the receiving end in the external network through the isolation gatekeeper corresponding to the target identifier further comprises:
acquiring, from the gatekeeper candidate list, the hardware address of the isolation gatekeeper corresponding to the target identifier; and
encapsulating the currently acquired sub-packet into a MAC frame addressed to that hardware address, and sending the encapsulated MAC frame to the receiving end in the external network through the isolation gatekeeper corresponding to the target identifier.
Optionally, before randomly selecting an ID identifier from the gatekeeper candidate list as the target identifier, the method further comprises:
monitoring whether the egress traffic of the isolation gatekeeper corresponding to each ID identifier in the gatekeeper candidate list exceeds a threshold; and
if an isolation gatekeeper whose egress traffic exceeds the threshold exists, removing its ID identifier from the gatekeeper candidate list;
in which case randomly selecting an ID identifier from the gatekeeper candidate list as the target identifier comprises randomly selecting one of the remaining ID identifiers in the gatekeeper candidate list as the target identifier.
Optionally, before randomly selecting an ID identifier from the gatekeeper candidate list as the target identifier, the method further comprises:
storing the currently acquired sub-packet each time a sub-packet is acquired.
In a second aspect, the present invention also provides a data transmission apparatus based on isolation gatekeepers, comprising:
a first storage module, configured to pre-store a gatekeeper candidate list in which the ID identifiers of n isolation gatekeepers are recorded, the ID identifier of each isolation gatekeeper being unique, and n being greater than or equal to 2;
an acquisition module, configured to sequentially acquire a plurality of sub-packets obtained by splitting the data to be sent, the data to be sent coming from a sending end in the internal network;
a selection module, configured to randomly select an ID identifier from the gatekeeper candidate list as the target identifier each time a sub-packet is acquired, such that the ID identifiers selected for at least two of the sub-packets differ; and
a sending module, configured to send the currently acquired sub-packet to a receiving end in the external network through the isolation gatekeeper corresponding to the target identifier.
Optionally, the data transmission apparatus further comprises:
an ID identifier processing module, configured to remove the ID identifier currently selected as the target identifier from the gatekeeper candidate list and, once no ID identifier remains in the gatekeeper candidate list, to add the removed ID identifiers back into it.
Optionally, the selection module is specifically configured to:
each time a sub-packet is acquired, if the currently acquired sub-packet is the last sub-packet, judge whether all the ID identifiers selected so far are the same identifier;
if they are the same, remove that ID identifier from the gatekeeper candidate list and randomly select one of the remaining ID identifiers in the gatekeeper candidate list as the target identifier; and
if at least two different identifiers exist among the ID identifiers selected so far, randomly select one of the n ID identifiers in the gatekeeper candidate list as the target identifier.
Optionally, the selection module is specifically configured to:
starting from the 2nd sub-packet, each time a sub-packet is acquired, randomly select one of the n-1 ID identifiers in the gatekeeper candidate list other than the ID identifier selected the previous time as the target identifier.
Optionally, the data transmission apparatus is an independent device separate from the sending end in the internal network; or the data transmission apparatus is integrated into the sending end in the internal network.
The gatekeeper candidate list also records the hardware addresses of the n isolation gatekeepers, and the sending module is specifically configured to:
acquire, from the gatekeeper candidate list, the hardware address of the isolation gatekeeper corresponding to the target identifier; and
encapsulate the currently acquired sub-packet into a MAC frame addressed to that hardware address, and send the encapsulated MAC frame to the receiving end in the external network through the isolation gatekeeper corresponding to the target identifier.
Optionally, the data transmission apparatus further comprises:
a monitoring module, configured to monitor whether the egress traffic of the isolation gatekeeper corresponding to each ID identifier in the gatekeeper candidate list exceeds a threshold and, if an isolation gatekeeper whose egress traffic exceeds the threshold exists, to remove its ID identifier from the gatekeeper candidate list;
the selection module then being specifically configured to randomly select one of the remaining ID identifiers in the gatekeeper candidate list as the target identifier.
Optionally, the data transmission apparatus further comprises:
a second storage module, configured to store the currently acquired sub-packet each time a sub-packet is acquired.
In a third aspect of the present invention, there is also provided a storage medium storing a plurality of instructions, the instructions being suitable for being loaded by a processor to perform the steps in the data transmission method described in any one of the above.
Beneficial effects: in the data transmission method of the invention, a gatekeeper candidate list recording the ID identifiers of n isolation gatekeepers is stored first; the sub-packets obtained by splitting the data to be sent are then acquired in sequence; each time a sub-packet is acquired, an ID identifier is randomly selected from the gatekeeper candidate list as the target identifier, and the currently acquired sub-packet is sent to a receiving end in the external network through the isolation gatekeeper corresponding to that target identifier, with the ID identifiers selected for at least two of the sub-packets being different. At least two sub-packets of the data to be sent are therefore randomly sent out through different isolation gatekeepers, so that no single isolation gatekeeper can obtain all of the data. An attacker who wants to intercept and reconstruct the data must first find out, among all the isolation gatekeepers, which ones actually carried it, and must control several of them at the same time. Compared with conventional transmission through a single isolation gatekeeper, this greatly increases the difficulty of completely reconstructing the transmitted data, reduces information leakage and improves the security of data transmission.
Drawings
The technical solution and beneficial effects of the invention will become apparent from the following detailed description of specific embodiments in combination with the accompanying drawings.
Fig. 1 is a block diagram of a prior art data transmission system;
fig. 2 is a schematic view of an application scenario of a data transmission method according to an embodiment of the present invention;
fig. 3 is a flow chart of a data transmission method according to an embodiment of the present invention;
fig. 4 is another schematic flow chart of a data transmission method according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a data transmission apparatus according to an embodiment of the present invention;
fig. 6 is another schematic structural diagram of a data transmission apparatus according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a data transmission apparatus according to an embodiment of the present invention.
Detailed Description
Referring to the drawings, wherein like reference numbers refer to like elements, the principles of the present invention are illustrated as being implemented in a suitable computing environment. The following description is based on illustrated embodiments of the invention and should not be taken as limiting the invention with regard to other embodiments that are not detailed herein.
The embodiment of the invention provides a data transmission method and device based on an isolation gatekeeper and a storage medium.
It should be noted that the isolation-gatekeeper-based data transmission method of the present invention involves data transmission between an internal network and an external network. The internal network may be understood as a local area network or private network, such as an enterprise intranet in which only the enterprise's own computer devices communicate with one another; the external network may be the internet or a wide area network, or may be understood as a public network.
Referring to fig. 2, a schematic view of an application scenario of the isolation-gatekeeper-based data transmission method of the embodiment: the method may be applied to the data transmission apparatus 100, which may be integrated into a terminal device of the internal network, or may be deployed as an independent device between the terminal devices of the internal network and the isolation gatekeepers. Taking the latter case as an example, the data transmission apparatus 100 is deployed as an independent device between the terminal devices 201 to 20m of the internal network and the isolation gatekeepers 301 to 30n. The apparatus 100 may have m input ports, n output ports and a switching module, where m is greater than or equal to 1. The m input ports are connected to the terminal devices 201 to 20m respectively and receive the data they send; the n output ports are connected to the isolation gatekeepers 301 to 30n respectively; and the switching module pre-stores a gatekeeper candidate list recording the ID identifiers of the n isolation gatekeepers, each ID identifier being unique and n being greater than or equal to 2. The switching module then sequentially acquires the sub-packets obtained by splitting the data to be sent. The data to be sent comes from a sending end in the internal network, that is, a terminal device such as terminal device 201, which may be a mobile phone, a tablet computer or a notebook computer; terminal device 201 transmits the data to the switching module through an input port of the data transmission apparatus 100.
Each time the switching module acquires a sub-packet, it randomly selects an ID identifier from the gatekeeper candidate list as the target identifier, such that the ID identifiers selected for at least two of the sub-packets differ, and then sends the currently acquired sub-packet to a receiving end in the external network through the isolation gatekeeper corresponding to the target identifier.
Through the data transmission apparatus 100 of the embodiment, at least two sub-packets of the data to be sent are therefore randomly sent out through different isolation gatekeepers, so that no single isolation gatekeeper can obtain all of the data; an attacker who tries to intercept and reconstruct all of it must find out which isolation gatekeepers actually carried it and must control several of them at the same time.
It should be noted that the application scenario shown in fig. 2 is only an example; the scenario described in the embodiment serves to illustrate the technical solution more clearly and does not limit it.
The present invention will be described in detail below.
In the present embodiment the description is given from the perspective of the data transmission apparatus 100, which may be deployed as an independent device between the terminal devices 201 to 20m of the internal network and the isolation gatekeepers 301 to 30n. The apparatus 100 of this embodiment is thus plug-and-play: the original network architecture need not be adjusted, and the software settings of the terminal devices and of the isolation gatekeepers need not be changed.
Referring to fig. 3 in combination with fig. 2, the isolation-gatekeeper-based data transmission method of this embodiment uses a plurality of isolation gatekeepers, each with a unique ID identifier, and may comprise the following steps:
Step S101: pre-store a gatekeeper candidate list in which the ID identifiers of n isolation gatekeepers are recorded, the ID identifier of each isolation gatekeeper being unique, and n being greater than or equal to 2.
An ID identifier may be a number, for example the n isolation gatekeepers may be identified as 1, 2, …, n; it may also be a letter, which is not limited here.
Step S102: sequentially acquire a plurality of sub-packets obtained by splitting the data to be sent, the data to be sent coming from a sending end in the internal network.
The sending end in the internal network is a terminal device, which may be a mobile phone, a tablet computer, a notebook computer or the like. A sending end of the internal network, such as terminal 201, may first split the data to be sent into a plurality of sub-packets and then send them in sequence to the data transmission apparatus 100, so that the apparatus 100 acquires the sub-packets in sequence. Each sub-packet may be an IP packet carrying a UDP (User Datagram Protocol) datagram, or an IP packet carrying a TCP (Transmission Control Protocol) segment.
Step S103: each time a sub-packet is acquired, randomly select an ID identifier from the gatekeeper candidate list as the target identifier, such that the ID identifiers selected for at least two of the sub-packets differ.
Optionally, the random selection may be implemented by generating a random identifier: each time a sub-packet is acquired, a random identifier is generated over the range of ID identifiers in the gatekeeper candidate list. For example, if the ID identifiers in the candidate list are 1, 2, …, n, a random identifier between 1 and n is generated, the ID identifier in the candidate list equal to the random identifier is determined, and that ID identifier is selected as the target identifier.
Step S104: send the currently acquired sub-packet to a receiving end in the external network through the isolation gatekeeper corresponding to the target identifier.
In this embodiment, terminal device 201 sends the sub-packets making up the data to be sent to the data transmission apparatus 100 in sequence. Each time the apparatus 100 acquires a sub-packet it randomly selects an ID identifier from the gatekeeper candidate list as the target identifier, so that the acquired sub-packet is sent to the external network through the isolation gatekeeper corresponding to that target identifier. The ID identifiers selected for at least two of the sub-packets are different; that is, there are at least two sub-packets for which the ID identifiers randomly selected from the candidate list as target identifiers differ, so these sub-packets are sent to the lower-security-level (external) network through isolation gatekeepers corresponding to different target identifiers, i.e. through different isolation gatekeepers.
The data transmission method of this embodiment therefore sends the sub-packets of the data to be sent at random through different isolation gatekeepers, so that no single isolation gatekeeper can obtain all of the data; an attacker who tries to intercept and reconstruct all of it must find out which isolation gatekeepers actually carried it and must control several of them at the same time.
Further, in the embodiment at least some of the n isolation gatekeepers used may be of different types, for example 2, 3 or even all of them. "Different" may mean different software architectures, different hardware structures, or both; in practice, isolation gatekeepers from different suppliers, or different models from the same supplier, may be chosen, as long as their structures differ. Choosing isolation gatekeepers with different software and hardware architectures further increases the difficulty of controlling them, since an implant or exploit built for one architecture does not necessarily work on another, and thus further improves the security of data transmission.
Before randomly selecting an ID identifier from the gatekeeper candidate list as the target identifier, the method may further comprise storing the currently acquired sub-packet each time one is acquired; in step S104 the temporarily stored sub-packet is then sent out.
Further, the gatekeeper candidate list may also record the hardware addresses of the n isolation gatekeepers, and sending the currently acquired sub-packet to the receiving end in the external network through the isolation gatekeeper corresponding to the target identifier may specifically comprise: acquiring, from the gatekeeper candidate list, the hardware address of the isolation gatekeeper corresponding to the target identifier; encapsulating the currently acquired sub-packet into a MAC (Media Access Control) frame addressed to that hardware address; and sending the encapsulated MAC frame to the receiving end in the external network through the isolation gatekeeper corresponding to the target identifier.
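As an added example, not code from the patent or its assignee, the following Python builds the MAC frame described above from a gatekeeper candidate list that records both ID identifiers and hardware addresses, and recovers the selected gatekeeper from a frame on its way out. The candidate list, the MAC addresses and the apparatus' own source address are constructed for illustration; the EtherType 0x0800 assumes each sub-packet is an IPv4 packet, as in the UDP-over-IP or TCP-over-IP case the text mentions.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETH_HEADER_LEN = 14

# Constructed gatekeeper candidate list: ID identifier -> hardware (MAC) address
# of the isolation gatekeeper. The addresses are illustrative locally
# administered MACs; the patent text records hardware addresses but names none.
CANDIDATE_LIST = {
    1: "02:00:00:00:00:01",
    2: "02:00:00:00:00:02",
    3: "02:00:00:00:00:03",
    4: "02:00:00:00:00:04",
}
# Assumed source address of the data transmission apparatus' output port.
DEVICE_MAC = "02:00:00:00:00:ff"


def mac_to_bytes(mac):
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("malformed MAC address: %r" % mac)
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw):
    return ":".join("%02x" % b for b in raw)


def encapsulate(sub_packet, target_id, candidates=CANDIDATE_LIST, src_mac=DEVICE_MAC):
    """Wrap one sub-packet (an IP packet) in an Ethernet II frame whose
    destination is the hardware address of the gatekeeper chosen as target."""
    if target_id not in candidates:
        raise KeyError("ID %r is not in the gatekeeper candidate list" % (target_id,))
    header = (mac_to_bytes(candidates[target_id])
              + mac_to_bytes(src_mac)
              + struct.pack("!H", ETHERTYPE_IPV4))
    return header + bytes(sub_packet)


def decapsulate(frame):
    """Split a frame into (dst_mac, src_mac, ethertype, payload)."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return bytes_to_mac(frame[:6]), bytes_to_mac(frame[6:12]), ethertype, frame[14:]


def gatekeeper_for_frame(frame, candidates=CANDIDATE_LIST):
    """Reverse lookup: the candidate-list ID a frame is addressed to, or None.
    Anyone on the internal segment can read the same field off the wire."""
    dst = decapsulate(frame)[0]
    for gid, mac in candidates.items():
        if mac.lower() == dst:
            return gid
    return None


if __name__ == "__main__":
    # Constructed sub-packet: a minimal IPv4 header followed by a few payload bytes.
    sub_packet = bytes([0x45, 0x00, 0x00, 0x18]) + b"\x00" * 16 + b"part"
    frame = encapsulate(sub_packet, target_id=3)
    print(len(frame), gatekeeper_for_frame(frame), decapsulate(frame)[2] == ETHERTYPE_IPV4)
```

The destination address written here is visible to everything on the internal segment between the apparatus and the gatekeepers, so the choice of gatekeeper is not a secret at layer 2; what the scheme relies on is that no single gatekeeper carries every sub-packet. A gatekeeper still reads the sub-packets it does carry as they are, so whether their payload is encrypted end-to-end is a separate question the text does not address.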
It should be noted that, for some different sub-packets, the same ID may also be selected as the target identifier, so that different sub-packets are transmitted through the same isolation gatekeeper, and it is only necessary to ensure that different identifiers exist in all the selected ID identifiers.
In addition, the more distinct identifiers there are among the ID identifiers selected for all the sub-packets, the more sub-packets are transmitted through different isolation gatekeepers, so the more isolation gatekeepers would have to be controlled or compromised at the same time in order to restore all the data; the difficulty of attack is therefore higher and data transmission is more secure. For example, if there are 5 sub-packets and 6 ID identifiers in the gatekeeper candidate list, the 5 ID identifiers selected for the 5 sub-packets can all be different from each other, so that the 5 sub-packets are sent out through 5 different isolation gatekeepers; obtaining all the data would then require compromising all 5 isolation gatekeepers at once, which greatly increases the difficulty of restoring the data and further improves the security of the transmission. Of course, the 5 ID identifiers selected for the 5 sub-packets may also be partially the same: for example, for the first sub-packet the ID identifier with number 2 may be selected as the target identifier, and for the third sub-packet the ID identifier with number 2 may be selected again, so that the first and third sub-packets are both sent out through the isolation gatekeeper with ID identifier 2, while for the second sub-packet the ID identifier with number 1 may be selected, and so on.
There are various ways of making the ID identifiers selected for the at least two sub-packets different; three of them are exemplified below.
First way: in an embodiment of the present invention, after the currently obtained sub-packet is sent to the receiving end in the external network through the isolation gatekeeper corresponding to the target identifier, that is, after step S104, the method may further include: shifting the ID identifier currently selected as the target identifier out of the gatekeeper candidate list, and, when no ID identifier remains in the gatekeeper candidate list, adding the shifted-out ID identifiers back into the gatekeeper candidate list.
Specifically, each time a sub-packet is obtained and sent through the isolation gatekeeper corresponding to the target identifier, the ID identifier that served as the target identifier is removed from the gatekeeper candidate list, so that when the next sub-packet is obtained the ID identifier is randomly selected from the candidate list without the removed identifiers and therefore does not repeat an ID identifier selected earlier. When no ID identifier remains in the gatekeeper candidate list, the removed ID identifiers are added back, which prevents the situation in which a sub-packet is to be sent but no ID identifier can be selected. In this way, at least as many sub-packets as there are ID identifiers originally recorded in the gatekeeper candidate list are sent out through different isolation gatekeepers.
For example, assume that n = 4, that is, there are 4 ID identifiers in the gatekeeper candidate list and correspondingly 4 isolation gatekeepers, and assume that there are 3 sub-packets. When a sub-packet is currently obtained, an ID identifier is randomly selected from the gatekeeper candidate list as the target identifier, and after the sub-packet has been sent through the corresponding isolation gatekeeper, the ID identifier currently selected as the target identifier is removed from the gatekeeper candidate list; when the next sub-packet is obtained, one ID identifier is randomly selected as the target identifier from the remaining 3 ID identifiers in the list, and so on. Therefore, the ID identifiers selected each time are all different, and the 3 sub-packets are sent out through 3 different isolation gatekeepers respectively.
When the number of sub-packets exceeds the number of isolation gatekeepers, for example when there are 6 sub-packets, then after the 4th sub-packet has been sent out, the ID identifier selected for the 4th sub-packet, that is, the last ID identifier in the gatekeeper candidate list, is shifted out, so that no ID identifier remains in the list. At this point the 4 shifted-out ID identifiers are added back into the gatekeeper candidate list, so that when the 5th sub-packet is obtained, random selection can again be performed among the 4 ID identifiers in the list.
Second way: in another embodiment of the present invention, step S103, randomly selecting an ID identifier from the gatekeeper candidate list as the target identifier each time a sub-packet is currently obtained, may specifically include:
when a sub-packet is currently obtained, if the currently obtained sub-packet is the last sub-packet, judging whether all the ID identifiers selected so far are the same identifier;
if they are the same identifier, moving the selected ID identifier out of the gatekeeper candidate list, and randomly selecting one ID identifier from the remaining ID identifiers in the gatekeeper candidate list as the target identifier;
and if at least two different identifiers exist among the selected ID identifiers, randomly selecting one ID identifier from the n ID identifiers in the gatekeeper candidate list as the target identifier.
Specifically, each time a sub-packet is currently obtained, it may be determined whether it is the last sub-packet; if not, an ID identifier is randomly selected from the gatekeeper candidate list as the target identifier, the number of ID identifiers in the list still being n. If the currently obtained sub-packet is the last one, it is further determined whether all the ID identifiers selected so far are the same. One way is to record the ID identifier selected each time, for example recording 1 for the first selection, 1 for the second selection, 3 for the third selection, and so on, and then to determine from the record whether the selected ID identifiers are the same. Alternatively, each ID identifier is marked after it is selected, for example with a check mark indicating that it has already been selected. It should be noted that when the received sub-packet is not the last sub-packet, a marked ID identifier still remains within the range of random selection, and if it is selected again it need not be marked a second time; when the received sub-packet is the last sub-packet, all the ID identifiers are traversed to find the marked ones: if only one ID identifier carries a mark, the ID identifiers selected before were all the same, and if two or more ID identifiers carry marks, at least two different ID identifiers were selected before.
When the selected ID identifiers are judged to be the same, all the sub-packets sent so far went out through the same isolation gatekeeper; the selected ID identifier is therefore moved out of the gatekeeper candidate list and one ID identifier is randomly selected from the remaining ID identifiers in the list as the target identifier, so that the last sub-packet is sent out through an isolation gatekeeper different from the one used for the previous sub-packets. Of course, in other embodiments the selected ID identifier need not be moved out of the gatekeeper candidate list; it may simply be avoided during selection. If at least two different identifiers exist among the selected ID identifiers, at least two of the sub-packets sent so far went out through different isolation gatekeepers, and when the last sub-packet is received one ID identifier can be randomly selected from all n ID identifiers in the gatekeeper candidate list as the target identifier.
Of course, in other implementation manners, after receiving two, three, or five sub-packets, the step of determining whether the selected ID identifier is the same identifier may be performed once, so that more sub-packets can be sent out through different isolation gateways, and the security of data transmission is improved.
Third way: in another embodiment of the present invention, step S103, randomly selecting an ID identifier from the gatekeeper candidate list as the target identifier each time a sub-packet is currently obtained, may specifically include: starting from the 2nd sub-packet, each time a sub-packet is currently obtained, randomly selecting one ID identifier as the target identifier from the n-1 ID identifiers in the gatekeeper candidate list other than the ID identifier selected last time. Therefore, for each sub-packet obtained, the selected ID identifier differs from the one selected last time, that is, the ID identifiers selected in any two consecutive selections are different, and any two adjacent sub-packets are sent out through different isolation gatekeepers.
By the above-mentioned exemplary manner, it is possible to realize that the ID identifications respectively selected corresponding to the at least two sub packets are different identifications. Of course, other ways may be implemented besides the above-mentioned exemplary ways, for example, each time one ID is selected as the target ID, the ID is marked as the selected ID, so that at the next selection, the ID that is not marked is determined, and then one ID is randomly selected from the ID that is not marked as the target ID, wherein when all the ID are marked, if the sub-data packet is further received, the marks of all the ID are removed, so as to re-select randomly from all the ID.
In some embodiments of the present invention, before an ID identifier is randomly selected from the gatekeeper candidate list as the target identifier, the following steps may further be included: monitoring whether the egress traffic of the isolation gatekeeper corresponding to each ID identifier in the gatekeeper candidate list is greater than a threshold; and if an isolation gatekeeper with egress traffic greater than the threshold exists, moving its ID identifier out of the gatekeeper candidate list. When the ID identifier is then randomly selected, one ID identifier is selected from the remaining ID identifiers in the gatekeeper candidate list as the target identifier. By monitoring the egress traffic of the isolation gatekeepers in this way, an isolation gatekeeper whose egress traffic is found to be abnormally large can be judged to be at risk of being out of control or to have failed, and it can be removed directly from the internal network side without affecting normal communication.
The above embodiments have been described with the data transmission apparatus as a stand-alone device. The embodiment of the invention described below takes the perspective of a data transmission apparatus that is integrated in a terminal device.
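The three selection strategies above and the egress-traffic monitoring step, worked through as an added example that is not part of the patent; the `GatekeeperCandidateList` class, the strategy names, the seeded random generator and the egress byte counts are all constructed here for illustration:

```python
import random


class GatekeeperCandidateList:
    """Hypothetical helper: the gatekeeper candidate list of n isolation gatekeepers,
    each recorded under a unique ID (constructed for this example)."""

    def __init__(self, ids, rng=None):
        if len(ids) < 2 or len(set(ids)) != len(ids):
            raise ValueError("the candidate list needs n >= 2 unique ID identifiers")
        self.all_ids = list(ids)
        self.candidates = list(ids)   # IDs currently eligible for random selection
        self.rng = rng or random.Random()

    def remove_overloaded(self, egress_bytes, threshold):
        """Monitoring step: shift out every gatekeeper whose egress traffic exceeds the
        threshold. Returns the IDs that were removed."""
        removed = [gk for gk in self.candidates if egress_bytes.get(gk, 0) > threshold]
        self.candidates = [gk for gk in self.candidates if gk not in removed]
        return removed

    def _choose(self, pool):
        if not pool:
            # Edge case the text does not cover: monitoring removed every eligible gatekeeper.
            raise RuntimeError("no isolation gatekeeper is available for this sub-packet")
        return self.rng.choice(pool)

    def select_rotate_out(self):
        """First way: select, shift the pick out, refill the list once it is empty."""
        target = self._choose(self.candidates)
        self.candidates.remove(target)
        if not self.candidates:
            self.candidates = list(self.all_ids)
        return target

    def select_last_packet_check(self, history, is_last):
        """Second way: only for the last sub-packet, and only if every earlier pick was
        the same ID, avoid that ID (the 'avoid during selection' variant of the text)."""
        if is_last and history and len(set(history)) == 1:
            pool = [gk for gk in self.candidates if gk != history[0]]
        else:
            pool = self.candidates
        return self._choose(pool)

    def select_exclude_previous(self, history):
        """Third way: from the 2nd sub-packet on, exclude the ID selected last time."""
        pool = [gk for gk in self.candidates if not history or gk != history[-1]]
        return self._choose(pool)


def assign_gatekeepers(ids, num_packets, strategy, seed=0, egress_bytes=None, threshold=0):
    """Run one of the three strategies over num_packets sub-packets and return the sequence
    of target IDs. Monitoring (if egress_bytes is given) runs before every selection."""
    clist = GatekeeperCandidateList(ids, random.Random(seed))
    history = []
    for k in range(num_packets):
        if egress_bytes is not None:
            clist.remove_overloaded(egress_bytes, threshold)
        if strategy == "rotate_out":
            target = clist.select_rotate_out()
        elif strategy == "last_packet_check":
            target = clist.select_last_packet_check(history, k == num_packets - 1)
        elif strategy == "exclude_previous":
            target = clist.select_exclude_previous(history)
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        history.append(target)
    return history


def spans_multiple_gatekeepers(history):
    """The property the method relies on: at least two sub-packets left through
    different isolation gatekeepers."""
    return len(set(history)) >= 2


if __name__ == "__main__":
    # Constructed scenario: n = 4 gatekeepers and 6 sub-packets, the numbers used in the text.
    print("rotate_out      :", assign_gatekeepers([1, 2, 3, 4], 6, "rotate_out", seed=7))
    print("exclude_previous:", assign_gatekeepers([1, 2, 3, 4], 6, "exclude_previous", seed=7))
    load = {1: 500, 2: 5_000, 3: 100, 4: 9_000}   # constructed egress byte counts
    print("with monitoring :", assign_gatekeepers([1, 2, 3, 4], 6, "rotate_out", seed=7,
                                                   egress_bytes=load, threshold=1_000))
```

With n = 4 and 6 sub-packets the first strategy yields a permutation of all four IDs for the first four sub-packets and then starts over, which is exactly the refill behaviour described above.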
Specifically, as shown in fig. 4, a data transmission method according to another embodiment of the present invention includes the following steps:
step S201: the method comprises the steps of pre-storing a network gate candidate list, wherein ID identifications and hardware addresses of n isolation network gates are recorded in the network gate candidate list, the ID identification of each isolation network gate has uniqueness, and n is larger than or equal to 2.
Step S202: and sequentially acquiring a plurality of sub-data packets obtained by splitting the data to be sent, wherein the data to be sent comes from a sending end in the internal network.
Each sub-packet is an IP packet formed by encapsulating a UDP or TCP segment. In this embodiment, when it is detected that service software in the terminal device generates an IP packet, it is checked whether the packet's destination is an external network address, and if so the IP packet is obtained and stored.
Step S203: and when one sub data packet is obtained currently, randomly selecting an ID from the network gate candidate list as a target identifier, wherein the ID selected corresponding to at least two sub data packets is different.
Optionally, the random selection of an ID identifier may be implemented by generating a random identifier. For example, each time a sub-packet is currently obtained, a random identifier is generated according to the ID identifiers in the gatekeeper candidate list: if the ID identifiers in the list are 1, 2, …, n, a random identifier from 1 to n is generated, the ID identifier in the list that is consistent with the random identifier is determined, and that ID identifier is selected as the target identifier.
Step S204: and acquiring the hardware address of the isolation gatekeeper corresponding to the target identifier from the gatekeeper candidate list.
Step S205: and encapsulating the currently acquired sub-data packet into an MAC frame according to the hardware address of the isolation gateway corresponding to the target identifier, and transmitting the encapsulated MAC frame to a receiving end in the external network through the isolation gateway corresponding to the target identifier.
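Steps S202 to S205 worked through end to end as an added example (not the patent's own code): the candidate list with hardware addresses, the internal network prefix, the sender MAC and the sample sub-packets are all constructed here, and the IDs are assumed to be 1..n so that a random identifier can be matched against them as described above.

```python
import ipaddress
import random
import struct

# Constructed gatekeeper candidate list (step S201): unique ID -> hardware (MAC) address.
GATEKEEPER_CANDIDATES = {
    1: "02:00:00:00:00:01",
    2: "02:00:00:00:00:02",
    3: "02:00:00:00:00:03",
}
INTERNAL_NETWORK = ipaddress.ip_network("10.0.0.0/8")   # assumed internal network prefix
SENDER_MAC = "02:00:00:00:aa:bb"                          # assumed hardware address of the sender
ETHERTYPE_IPV4 = 0x0800


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ipv4_checksum(header):
    """Standard one's-complement checksum over the 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src_ip, dst_ip, payload, protocol=17):
    """Constructed sample sub-packet: a minimal IPv4 header (no options) around a UDP payload."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, protocol, 0,
                         ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    checksum = ipv4_checksum(fields)
    return fields[:10] + struct.pack("!H", checksum) + fields[12:] + payload


def ipv4_destination(ip_packet):
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ipaddress.ip_address(ip_packet[16:20])


def is_external(ip_packet):
    """Step S202 filter: only sub-packets addressed outside the internal network are taken over."""
    return ipv4_destination(ip_packet) not in INTERNAL_NETWORK


def select_target_id(candidates, rng):
    """Step S203: generate a random identifier in 1..n and pick the ID consistent with it."""
    random_identifier = rng.randint(1, len(candidates))
    for gatekeeper_id in candidates:
        if gatekeeper_id == random_identifier:
            return gatekeeper_id
    raise LookupError("no ID identifier matches the random identifier")


def encapsulate(ip_packet, target_id, candidates):
    """Steps S204-S205: look up the gatekeeper's hardware address from the candidate list and
    wrap the sub-packet in an Ethernet II frame whose destination MAC is that gatekeeper."""
    dst = mac_to_bytes(candidates[target_id])
    src = mac_to_bytes(SENDER_MAC)
    return struct.pack("!6s6sH", dst, src, ETHERTYPE_IPV4) + ip_packet


def send_sub_packets(ip_packets, seed=0):
    """Run steps S202-S205 over a sequence of sub-packets; returns (target_id, frame) pairs
    in place of actually transmitting the frames."""
    rng = random.Random(seed)
    frames = []
    for packet in ip_packets:
        if not is_external(packet):
            continue   # internal-network traffic is not routed through an isolation gatekeeper
        target_id = select_target_id(GATEKEEPER_CANDIDATES, rng)
        frames.append((target_id, encapsulate(packet, target_id, GATEKEEPER_CANDIDATES)))
    return frames


if __name__ == "__main__":
    sample = [
        build_ipv4_packet("10.1.2.3", "203.0.113.7", b"part-1"),   # external destination
        build_ipv4_packet("10.1.2.3", "10.9.9.9", b"internal"),    # stays in the internal network
        build_ipv4_packet("10.1.2.3", "203.0.113.7", b"part-2"),
    ]
    for target_id, frame in send_sub_packets(sample, seed=42):
        print(f"gatekeeper {target_id}: dst MAC {frame[:6].hex(':')}, {len(frame)} bytes")
```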
By the embodiment, at least two sub-data packets of the data to be transmitted can be randomly transmitted to different isolation gatekeepers to be transmitted through the different isolation gatekeepers, so that no isolation gatekeeper can obtain all data of the data to be transmitted, the difficulty of obtaining all data is greatly increased, the leakage of information can be reduced, and the safety of data transmission is improved.
In order to better implement the data transmission method provided by the embodiment of the present invention, an embodiment of the present invention further provides a device based on the data transmission method. The terms are the same as those in the above data transmission method, and details of implementation may refer to the description in the method embodiment.
Referring to fig. 5, fig. 5 is a schematic structural diagram of a data transmission device based on an isolation gatekeeper according to an embodiment of the present invention. The data transmission device 100 includes a first storage module 11, an obtaining module 12, a selecting module 13, and a sending module 14.
The first storage module 11 is configured to store a gatekeeper candidate list in advance, where ID identifiers of n isolation gatekeepers are recorded in the gatekeeper candidate list, the ID identifier of each isolation gatekeeper has uniqueness, and n is greater than or equal to 2. The ID identifiers may be represented by numbers, for example the ID identifiers of the n isolation gatekeepers may be 1, 2, …, n respectively, or by letters, which is not limited here.
The obtaining module 12 is configured to sequentially obtain a plurality of sub data packets obtained by splitting data to be sent, where the data to be sent is from a sending end in an internal network. The selecting module 13 is configured to randomly select an ID from the gatekeeper candidate list as a target identifier every time a sub-packet is currently acquired, where the ID selected corresponding to at least two sub-packets are different identifiers. The sending module 14 is configured to send the currently obtained sub data packet to a receiving end in an external network through an isolation gatekeeper corresponding to the target identifier.
In this embodiment, each time the obtaining module 12 obtains one sub-packet, one ID identifier is randomly selected from the gatekeeper candidate list as the target identifier, so that the sending module 14 sends the obtained sub-packet to the external network through the isolation gatekeeper corresponding to the target identifier. The ID identifiers corresponding to the at least two sub-packets are different identifiers; that is, there are at least two sub-packets for which, when the obtaining module 12 obtains them in sequence, the target identifiers randomly selected from the gatekeeper candidate list differ, so that these sub-packets are sent to the lower-security-level network through the isolation gatekeepers corresponding to the different target identifiers, that is, they are sent out through different isolation gatekeepers.
Therefore, the data transmission device 100 of this embodiment can randomly transmit at least two subpackets of data to be transmitted to different isolation gatekeepers to transmit the subpackets through different isolation gatekeepers, so that none of the isolation gatekeepers can obtain all data of the data to be transmitted, and an attacker needs to find out an isolation gatekeeper for actually transmitting data from all the isolation gatekeepers if trying to intercept and restore all the data, and needs to control multiple isolation gatekeepers simultaneously.
In the embodiment of the present invention, at least some of the n isolation gatekeepers used may be different isolation gatekeepers; for example, 2, 3, or even all of them may differ. The isolation gatekeepers may differ in software architecture, in hardware structure, or in both. In practice, isolation gatekeepers from different suppliers may be chosen, or isolation gatekeepers of different models from the same supplier, as long as their structures differ. Selecting isolation gatekeepers with different software and hardware architectures for transmission further increases the difficulty of controlling them and of attacking them successfully, which further improves the security of data transmission.
Further, as shown in fig. 5, the data transmission apparatus 100 may further include a second storage module 15, which is configured to store each sub-packet as it is currently obtained. The sending module 14 obtains the temporarily stored current sub-packet from the second storage module 15 and sends it out through the isolation gatekeeper corresponding to the target identifier.
In some embodiments of the present invention, the selecting module 13 may be specifically configured to, when a sub packet is currently obtained, if a currently obtained sub packet is a last sub packet, determine whether the selected ID identifier is the same identifier; if the ID identification is the same identification, the selected ID identification is moved out of the gateway candidate list, and one ID identification is randomly selected from the rest ID identifications in the gateway candidate list to serve as a target identification; and if at least two different identifications exist in the selected ID identifications, randomly selecting one ID identification from the n ID identifications in the gatekeeper candidate list as a target identification. Therefore, the ID identifications respectively corresponding to the at least two sub data packets are different identifications.
In other embodiments of the present invention, the selecting module 13 may be specifically configured to, starting from the 2nd sub-packet, randomly select as the target identifier one ID identifier from the n-1 ID identifiers in the gatekeeper candidate list other than the ID identifier selected last time, each time a sub-packet is currently obtained. Therefore, the ID identifiers corresponding to the at least two sub-packets can be different identifiers.
Referring to fig. 6, the data transmission apparatus 100 according to another embodiment of the present invention may further include an ID identifier processing module 16, which is configured to, after the sending module 14 sends out the currently obtained sub-packet through the isolation gatekeeper corresponding to the target identifier, move the ID identifier currently selected as the target identifier out of the gatekeeper candidate list, and, when no ID identifier remains in the gatekeeper candidate list, add the moved-out ID identifiers back into the gatekeeper candidate list. Therefore, the ID identifiers corresponding to the at least two sub-packets can be different identifiers.
It is understood that the data transmission apparatus 100 of the present invention may be a stand-alone device disposed between the transmitting end of the internal network and the isolation gatekeeper. Alternatively, the data transmission apparatus 100 may be integrated in a transmitting end in an internal network.
The gateway candidate list is further recorded with n hardware addresses of isolation gateways, and the sending module 14 is specifically configured to obtain the hardware address of the isolation gateway corresponding to the target identifier from the gateway candidate list; and encapsulating the currently acquired sub-data packet into an MAC frame according to the hardware address of the isolation gateway corresponding to the target identifier, and transmitting the encapsulated MAC frame to a receiving end in the external network through the isolation gateway corresponding to the target identifier.
Referring to fig. 7, the data transmission apparatus 100 according to another embodiment of the present invention may further include a monitoring module 17, which is configured to monitor whether the egress traffic of the isolation gatekeeper corresponding to each ID identifier in the gatekeeper candidate list is greater than a threshold, and, if an isolation gatekeeper with egress traffic greater than the threshold exists, to move its ID identifier out of the gatekeeper candidate list. The selecting module 13 is then specifically configured to randomly select one ID identifier from the remaining ID identifiers in the gatekeeper candidate list as the target identifier.
As can be seen from the above, in the embodiment of the present invention, the multiple subpackets in the data to be transmitted are randomly transmitted by different isolation gatekeepers, so that none of the isolation gatekeepers can obtain all data of the data to be transmitted, and if an attacker wants to intercept and restore all data, the multiple isolation gatekeepers are simultaneously controlled, which greatly increases the difficulty of completely restoring the transmitted data, reduces information leakage, and improves the security of data transmission.
It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be performed by instructions or by associated hardware controlled by the instructions, which may be stored in a computer readable storage medium and loaded and executed by a processor.
To this end, the present invention provides a storage medium in which a plurality of instructions are stored, and the instructions can be loaded by a processor to execute the steps of any one of the data transmission methods provided by the embodiments of the present invention.
The principle and the embodiment of the present invention are explained by applying specific examples, and the above description of the embodiments is only used to help understanding the method and the core idea of the present invention; meanwhile, for those skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. A data transmission method based on an isolation gatekeeper is characterized by comprising the following steps:
pre-storing a network gate candidate list, wherein ID identifications of n isolation network gates are recorded in the network gate candidate list, the ID identification of each isolation network gate has uniqueness, and n is more than or equal to 2; at least part of the n isolation gatekeepers are different isolation gatekeepers, wherein the different isolation gatekeepers refer to the isolation gatekeepers with different software architectures or different hardware structures or different software and hardware structures;
sequentially acquiring a plurality of sub-data packets obtained by splitting data to be sent, wherein the data to be sent comes from a sending end in an internal network and is split by the sending end;
each time one sub data packet is currently obtained, randomly selecting an ID identification from the gatekeeper candidate list as a target identification, wherein the ID identifications selected corresponding to at least two sub data packets are different identifications;
and sending the currently acquired sub data packet to a receiving end in an external network through an isolation gateway corresponding to the target identification.
2. The data transmission method according to claim 1, wherein after the sending the currently obtained sub-packet to a receiving end in an external network through an isolation gatekeeper corresponding to the target identifier, the method further comprises:
and shifting the ID identifier which is selected as the target identifier out of the gatekeeper candidate list, wherein when the ID identifier does not remain in the gatekeeper candidate list, the shifted ID identifier is added into the gatekeeper candidate list again.
3. The data transmission method according to claim 1, wherein randomly selecting an ID from the gatekeeper candidate list as a target ID every time one of the subpackets is currently obtained comprises:
when one sub data packet is currently obtained, if the currently obtained sub data packet is the last sub data packet, judging whether the selected ID identifications are the same identification;
if the ID identifications are the same, the selected ID identifications are moved out of the gatekeeper candidate list, and one ID identification is randomly selected from the rest ID identifications in the gatekeeper candidate list to serve as a target identification;
and if at least two different identifications exist in the selected ID identifications, randomly selecting one ID identification from the n ID identifications in the gatekeeper candidate list as a target identification.
4. The data transmission method according to claim 1, wherein randomly selecting an ID from the gatekeeper candidate list as a target ID every time one of the subpackets is currently obtained comprises:
and starting from the 2nd sub data packet, each time a sub data packet is currently obtained, randomly selecting one ID identification from the n-1 ID identifications in the gatekeeper candidate list other than the ID identification selected last time as a target identification.
5. The data transmission method according to claim 1, wherein hardware addresses of n isolation gatekeepers are further recorded in the gatekeeper candidate list, and the sending the currently obtained sub-packet to a receiving end in an external network through the isolation gatekeeper corresponding to the target identifier includes:
acquiring a hardware address of an isolation gatekeeper corresponding to the target identifier from the gatekeeper candidate list;
and encapsulating the currently acquired sub data packet into an MAC frame according to the hardware address of the isolation gatekeeper corresponding to the target identifier, and sending the MAC frame obtained by encapsulation to a receiving end in an external network through the isolation gatekeeper corresponding to the target identifier.
6. The data transmission method of claim 1, further comprising, before randomly selecting an ID from the gatekeeper candidate list as a target ID:
monitoring whether the outlet flow of the isolation gateway corresponding to each ID in the gateway candidate list is greater than a threshold value;
if the isolation gatekeeper with the outlet flow larger than the threshold exists, moving the ID identification of the isolation gatekeeper with the outlet flow larger than the threshold out of the gatekeeper candidate list;
the randomly selecting an ID from the gatekeeper candidate list as a target identifier comprises: and randomly selecting one ID from the rest ID identifications in the gatekeeper candidate list as a target identification.
7. The data transmission method according to claim 1,
before randomly selecting an ID from the gatekeeper candidate list as a target identifier, the method further comprises the following steps:
and storing the currently acquired sub data packet each time one sub data packet is currently acquired.
8. A data transmission device based on an isolation gatekeeper, comprising:
the first storage module is used for pre-storing a gateway candidate list, wherein ID (identity) identifications of n isolation gateways are recorded in the gateway candidate list, the ID identification of each isolation gateway has uniqueness, and n is more than or equal to 2; at least part of the n isolation gatekeepers are different isolation gatekeepers, wherein the different isolation gatekeepers refer to different isolation gatekeepers with different software architectures or different hardware structures, or different software and hardware structures;
an acquisition module, configured to sequentially acquire a plurality of sub data packets obtained by splitting data to be sent, wherein the data to be sent is from a sending end in an internal network and is split by the sending end;
a selecting module, configured to randomly select an ID from the gatekeeper candidate list as a target identifier whenever one sub-packet is obtained, where the ID selected corresponding to at least two sub-packets are different identifiers;
and the sending module is used for sending the currently acquired sub data packet to a receiving end in an external network through the isolation gateway corresponding to the target identifier.
9. The data transmission apparatus according to claim 8, wherein the data transmission apparatus is a stand-alone device and is independent of a transmitting end in the internal network; or, the data transmission device is integrated at a sending end in the internal network;
the gatekeeper candidate list also records hardware addresses of n isolation gatekeepers, and the sending module is specifically configured to:
acquiring a hardware address of an isolation gatekeeper corresponding to the target identifier from the gatekeeper candidate list;
and encapsulating the currently acquired sub data packet into an MAC frame according to the hardware address of the isolation gatekeeper corresponding to the target identifier, and sending the MAC frame obtained by encapsulation to a receiving end in an external network through the isolation gatekeeper corresponding to the target identifier.
10. A storage medium storing a plurality of instructions adapted to be loaded by a processor to perform the steps of the data transmission method according to any one of claims 1 to 7.
CN202211498156.8A 2022-11-28 2022-11-28 Data transmission method, device and storage medium Active CN115550289B (en)

Publications (2)

Publication Number Publication Date
CN115550289A CN115550289A (en) 2022-12-30
CN115550289B true CN115550289B (en) 2023-03-21

Family

ID=84722687

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211498156.8A Active CN115550289B (en) 2022-11-28 2022-11-28 Data transmission method, device and storage medium

Country Status (1)

Country Link
CN (1) CN115550289B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111355752A (en) * 2018-12-20 2020-06-30 阿里巴巴集团控股有限公司 File transmission method, device and equipment based on gatekeeper

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107508907A (en) * 2017-09-13 2017-12-22 北京明朝万达科技股份有限公司 A kind of data transmission method and device
CN108933774A (en) * 2018-05-04 2018-12-04 北京明朝万达科技股份有限公司 Data interaction system and method
CN113507480B (en) * 2021-07-23 2023-10-27 北京众享比特科技有限公司 Network equipment, gateway equipment and system and inter-network data transmission and reporting method
CN113794765B (en) * 2021-09-10 2024-10-01 奇安信科技集团股份有限公司 Network gate load balancing method and device based on file transmission
CN114189347B (en) * 2021-10-14 2022-08-05 北京连山科技股份有限公司 Data safety transmission method combining data granulation and gatekeeper
CN113746866B (en) * 2021-11-02 2022-02-08 国网浙江省电力有限公司 Multi-dimensional internetwork information transmission method and device based on middleboxes and storage medium

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111355752A (en) * 2018-12-20 2020-06-30 阿里巴巴集团控股有限公司 File transmission method, device and equipment based on gatekeeper

Also Published As

Publication number Publication date
CN115550289A (en) 2022-12-30

Similar Documents

Publication Publication Date Title
US8495738B2 (en) Stealth network node
US7610622B2 (en) Supporting options in a communication session using a TCP cookie
EP1844596B1 (en) Method and system for mitigating denial of service in a communication network
US9118719B2 (en) Method, apparatus, signals, and medium for managing transfer of data in a data network
US7950053B2 (en) Firewall system and firewall control method
US7444408B2 (en) Network data analysis and characterization model for implementation of secure enclaves within large corporate networks
US20050240989A1 (en) Method of sharing state between stateful inspection firewalls on mep network
EP0910197A2 (en) Methods and apparatus for a computer network firewall with dynamic rule processing
US7404210B2 (en) Method and apparatus for defending against distributed denial of service attacks on TCP servers by TCP stateless hogs
US20070258456A1 (en) Network-based call interface device for real-time packet protocol calls
EP2037656B1 (en) Signature-free intrusion detection
US11171915B2 (en) Server apparatus, client apparatus and method for communication based on network address mutation
US9686311B2 (en) Interdicting undesired service
CN115550289B (en) Data transmission method, device and storage medium
KR102027438B1 (en) Apparatus and method for blocking ddos attack
US11218449B2 (en) Communications methods, systems and apparatus for packet policing
CN109040112A (en) Network control method and device
CN107707486A (en) Message processing method and device based on OpenFlow channels
Aura et al. Effects of mobility and multihoming on transport-protocol security
CN111385285B (en) Method and device for preventing illegal external connection
RU2696330C1 (en) Method of protecting computer networks
RU2686023C1 (en) Method of protecting computer networks
US20220030011A1 (en) Demand management of sender of network traffic flow
CN113225314A (en) SDN network Dos resisting method based on port hopping MTD
KR101095878B1 (en) System and method for detecting and blocking SIP protocol denial-of-service attack using hidden Markov model

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant