CN110798423B - Message processing method and device, safety protection equipment and terminal equipment
- Publication number: CN110798423B (application CN201810862897.7A)
- Authority: CN (China)
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1441: Countermeasures against malicious traffic (under H04L63/14, network architectures or network communication protocols for network security for detecting or protecting against malicious traffic; H04L63/00, network architectures or network communication protocols for network security; H04L, transmission of digital information, e.g. telegraphic communication)
- H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The embodiment of the invention provides a message processing method and device, safety protection equipment and terminal equipment. The method comprises the following steps: dynamically calculating a service port or a service address for the terminal device; receiving a message from the terminal equipment by using the dynamically calculated service port or service address; and processing the message based on the status of the service port or service address. Therefore, safety protection can be carried out from the architecture level, the condition that normal traffic is killed by mistake is greatly reduced or avoided, attack traffic can be filtered to a great extent, weak links do not exist in the protection scheme, and the resource overhead of the protection system is low.
Description
Technical Field
The embodiment of the invention relates to the technical field of information security, in particular to a message processing method and device, security protection equipment and terminal equipment.
Background
With the popularization of the internet, more and more devices transmit information by establishing a Transmission Control Protocol (TCP) connection. For example, the terminal device may establish a TCP connection with the server via a three-way handshake protocol.
Specifically, for example, at the first handshake, the terminal device (which may also be referred to as a client) sends a SYN packet (SYN=j) to the server, and the client enters the SYN_SEND state, waiting for the server to acknowledge. At the second handshake, the server receives the SYN packet, acknowledges the client's SYN (ACK=j+1), and simultaneously sends its own SYN packet (SYN=k), that is, it sends a SYN+ACK packet to the client; at this time, the server enters the SYN_RECV state. At the third handshake, the client receives the SYN+ACK packet from the server and sends an acknowledgement packet ACK (ACK=k+1) to the server. After the acknowledgement packet is sent, the client and the server enter the ESTABLISHED state, completing the three-way handshake. After the three-way handshake is completed, the client and the server may begin to transmit data.
It should be noted that the above background description is only for the sake of clarity and complete description of the technical solutions of the present invention and for the understanding of those skilled in the art. Such solutions are not considered to be known to the person skilled in the art merely because they have been set forth in the background section of the invention.
Disclosure of Invention
However, the inventors found that: since the ports set by the server for establishing the TCP connection with the terminal device are fixed, an illegal attacker can easily know which ports are used for establishing the TCP connection with the terminal device, which brings attack opportunities to the illegal attacker. For example: an illegal attacker can exhaust the TCP connection resource of the server by initiating a large number of TCP connection requests to the server, so that legal terminal equipment cannot establish TCP connection with the server.
In addition, currently, in the existing schemes, security protection is generally performed from the aspects of source IP address trust and behavior analysis, such as black and white list technology, abnormal session checking mechanism, and the like. However, the security protection technologies have the condition that normal traffic is killed by mistake, attack traffic cannot be filtered completely, and weak links exist in the protection scheme.
In view of at least one of the above problems, embodiments of the present invention provide a message processing method and apparatus, a security protection device, and a terminal device, which are expected to perform security protection from an architecture level.
According to a first aspect of the embodiments of the present invention, there is provided a message processing method, including:
dynamically calculating a service port or a service address for the terminal device;
receiving a message from the terminal equipment by using the dynamically calculated service port or service address; and
and processing the message based on the state of the service port or the service address.
According to a second aspect of the embodiments of the present invention, there is provided a message processing method, including:
dynamically calculating a service port or a service address for the safety protection equipment;
and sending a message to the safety protection equipment by using the dynamically calculated service port or service address.
According to a third aspect of the embodiments of the present invention, there is provided a message processing apparatus configured in a safety protection device, including:
a calculation unit that dynamically calculates a service port or a service address for the terminal device;
a receiving unit that receives a message from the terminal device using the dynamically calculated service port or service address; and
a processing unit that processes the message based on a state of the service port or service address.
According to a fourth aspect of the embodiments of the present invention, there is provided a message processing apparatus, configured to a terminal device, including:
a computing unit that dynamically computes a service port or a service address for the safeguard device;
and the sending unit is used for sending a message to the safety protection equipment by utilizing the dynamically calculated service port or service address.
According to a fifth aspect of the embodiments of the present invention, there is provided a safety protection device, including a memory and a processor, where the memory stores a computer program, and the processor executes the computer program to implement the message processing method according to the first aspect.
According to a sixth aspect of the embodiments of the present invention, there is provided a terminal device, including a memory and a processor, the memory storing a computer program, and the processor executing the computer program to implement the message processing method according to the second aspect.
The embodiment of the invention has the beneficial effects that: the safety protection equipment dynamically calculates a service port or a service address for the terminal equipment; receives a message from the terminal equipment using the dynamically calculated service port or service address; and processes the message based on the status of the service port or service address. Therefore, safety protection can be carried out from the architecture level, the condition that normal traffic is killed by mistake is greatly reduced or avoided, attack traffic can be filtered to a great extent, weak links do not exist in the protection scheme, and the resource overhead of the protection system is low.
Specific embodiments of the present invention are disclosed in detail with reference to the following description and drawings, indicating the manner in which the principles of the invention may be employed. It should be understood that the embodiments of the invention are not so limited in scope. The embodiments of the invention include many variations, modifications and equivalents within the spirit and scope of the appended claims.
Features that are described and/or illustrated with respect to one embodiment may be used in the same way or in a similar way in one or more other embodiments, in combination with or instead of the features of the other embodiments.
It should be emphasized that the term "comprises/comprising" when used herein, is taken to specify the presence of stated features, integers, steps or components but does not preclude the presence or addition of one or more other features, integers, steps or components.
Drawings
Elements and features described in one drawing or one implementation of an embodiment of the invention may be combined with elements and features shown in one or more other drawings or implementations. Moreover, in the drawings, like reference numerals designate corresponding parts throughout the several views, and may be used to designate corresponding parts for use in more than one embodiment.
FIG. 1 is a schematic diagram of a security protection system according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a message processing method according to embodiment 1 of the present invention;
FIG. 3 is a schematic diagram of dynamic port synchronization according to embodiment 1 of the present invention;
FIG. 4 is another schematic diagram of the message processing method according to embodiment 1 of the present invention;
FIG. 5 is a schematic diagram of a message processing method according to embodiment 2 of the present invention;
FIG. 6 is a schematic diagram of a message processing apparatus according to embodiment 3 of the present invention;
FIG. 7 is a schematic diagram of a safety protection device or a terminal device according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of a message processing apparatus according to embodiment 4 of the present invention.
Detailed Description
The foregoing and other features of the invention will become apparent from the following description taken in conjunction with the accompanying drawings. In the description and drawings, particular embodiments of the invention have been disclosed in detail as being indicative of some of the embodiments in which the principles of the invention may be employed, it being understood that the invention is not limited to the embodiments described, but, on the contrary, is intended to cover all modifications, variations, and equivalents falling within the scope of the appended claims.
In the embodiments of the present invention, the terms "first", "second", and the like are used for distinguishing different elements by name, but do not denote a spatial arrangement, a temporal order, or the like of the elements, and the elements should not be limited by the terms. The term "and/or" includes any and all combinations of one or more of the associated listed terms. The terms "comprising," "including," "having," and the like, refer to the presence of stated features, elements, components, and do not preclude the presence or addition of one or more other features, elements, components, and elements.
In embodiments of the invention, the singular forms "a", "an", and the like include the plural forms and are to be construed broadly as "one or more" rather than being limited to the meaning of "a single one"; furthermore, the term "comprising" should be understood to include both the singular and the plural, unless the context clearly dictates otherwise. Further, the term "according to" should be understood as "at least partially according to", and the term "based on" should be understood as "based at least partially on", unless the context clearly dictates otherwise.
In the embodiments of the present invention, the term "Terminal Equipment" (TE) or client refers to, for example, a device that accesses a communication network through a network device and receives a network service. End devices may be fixed or mobile and may also be referred to as terminals, user terminals, access terminals, stations, and the like.
The terminal device may include, but is not limited to, the following devices: personal computers, workstations, Cellular telephones (Cellular phones), Personal Digital Assistants (PDAs), wireless modems, wireless communication devices, handheld devices, machine-type communication devices, laptop computers, cordless telephones, smartphones, smartwatches, Digital cameras, and the like.
In the embodiment of the present invention, the term "security protection device" may be a gateway or a firewall device, or may be other devices. The safety protection device can be positioned between the terminal device and the server and is used for carrying out safety protection on communication between the terminal device and the server. The security protection device may be a network device independent from the server, or may be a network security application integrated with the server, and the present invention does not limit the specific forms of the security protection device and the terminal device.
The following illustrates the scenarios of the embodiments of the present invention by way of example, but the present invention is not limited thereto.
Fig. 1 is a schematic diagram of a security protection system according to an embodiment of the present invention, schematically illustrating the situations of a terminal device, a security protection device, and a server, as shown in fig. 1, a security protection system 100 may include a terminal device 101, a security protection device 102, and a server 103. For simplicity, fig. 1 only illustrates one terminal device, one security device, and one server, but the embodiments of the present invention are not limited thereto.
As shown in fig. 1, the safety device 102 is communicatively connected to the terminal device 101 and the server 103, respectively. For example, the public network IP address of the safety protection device 102 and the public network IP address of the server 103 may be the same, and meanwhile, the intranet IP address of the safety protection device 102 and the intranet IP address of the server 103 are different; but the invention is not limited thereto. For example, since the public network IP address of security device 102 is the same as the public network IP address of server 103, the message sent by terminal 101 to server 103 is intercepted by security device 102, and terminal 101 cannot know the existence of security device 102.
The above description has been made only by way of example for the scenario of the present invention, but the present invention is not limited thereto, and may be applied to other scenarios according to practical situations. The following examples further illustrate the invention.
Example 1
The embodiment of the invention provides a message processing method. Fig. 2 is a schematic diagram of a message processing method according to an embodiment of the present invention, which is illustrated from the perspective of a security protection device. As shown in fig. 2, the message processing method includes:
In this embodiment, the terminal device (for example, a game client) and the security protection device may perform dynamic synchronization of the ports (or, equally, of dynamic IP addresses) in an offline manner; for example, the dynamic synchronization may be periodic or aperiodic. The present invention is not limited thereto; it is only required that the two sides perform dynamic synchronization of the ports.
In this embodiment, the security protection device may use the same dynamic key as the terminal device (implemented in either software or hardware) to periodically calculate, offline and in real time, a service port or a service address for the terminal device. The dynamically calculated service port or service address varies over time and lies within a predetermined range.
Fig. 3 is a schematic diagram of port dynamic synchronization according to an embodiment of the present invention. As shown in fig. 3, the service port calculated by client 1 and the security protection device at time t is N, and the service port calculated at time t+1 is M; client 2 and the security protection device calculate the service port as M at time t and as N at time t+1. For example, the port variation range is between 1 and 65535.
Therefore, the safety protection equipment enables the client to access through the dynamic service port (or service address), so that an attacker cannot know the service port (or service address) in advance, and safety protection can be performed from the architecture level.
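The offline port synchronization described above, as an added illustration that is not part of the patent: both sides hold the same key and evaluate the same function of (key, client, time step), so they agree on the port without exchanging it. HMAC-SHA256, the 60-second step length, the client identifier and the clock-skew tolerance in `accepted_ports` are all assumptions of this example; the patent only states that a shared dynamic key is used and that the port varies over time within a range such as 1 to 65535.

```python
import hashlib
import hmac
import struct

# Constructed sample key; in the scheme both the terminal and the protection
# device hold the same dynamic key.
SHARED_KEY = b"example-shared-dynamic-key"

PORT_LO, PORT_HI = 1, 65535   # port range given in the description
PERIOD_SECONDS = 60           # assumed length of one time step (t, t+1, ...)


def time_slot(t: int, period: int = PERIOD_SECONDS) -> int:
    """Map a wall-clock timestamp (seconds) to the discrete step a port is valid for."""
    return t // period


def derive_service_port(key: bytes, client_id: str, t: int,
                        lo: int = PORT_LO, hi: int = PORT_HI,
                        period: int = PERIOD_SECONDS) -> int:
    """Deterministically derive the service port for (client, time step).

    Both sides can evaluate this offline; HMAC-SHA256 is the assumed
    pseudo-random function, the patent does not name one.
    """
    msg = client_id.encode("utf-8") + struct.pack(">Q", time_slot(t, period))
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    n = int.from_bytes(digest[:4], "big")
    return lo + n % (hi - lo + 1)          # fold into [lo, hi]


def accepted_ports(key: bytes, client_id: str, t: int, skew_steps: int = 1,
                   period: int = PERIOD_SECONDS) -> set:
    """Ports the protection device should treat as current for this client.

    Generalisation beyond the patent text: clocks on the two sides drift, so
    the device also accepts the ports of the neighbouring time steps.
    """
    slot = time_slot(t, period)
    return {derive_service_port(key, client_id, s * period, period=period)
            for s in range(slot - skew_steps, slot + skew_steps + 1)}


if __name__ == "__main__":
    for t in (0, 60, 120):
        for client in ("client-1", "client-2"):
            print(t, client, derive_service_port(SHARED_KEY, client, t))
    print("device accepts:", accepted_ports(SHARED_KEY, "client-1", 60))
```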
In this embodiment, the security protection device may also dynamically change the state of the service port or the service address. For example, the status of the service port or service address may include one of: open state, quiet state, and closed state; the present invention is not limited to this, and may include other states or more states, for example.
For example, the silence state and the closed state may be collectively referred to as a non-open state. In practical applications, there may be a plurality of ports of the safety protection device, and the port states of the ports at the same time may be the same or different. For example: at a first time, the states of the ports 1 to 1000 are open states, the states of the ports 1001 to 2000 are silent states, and the rest ports are closed states; at the second time, the states of the ports 1 to 1000 are in the silent state, the states of the ports 1001 to 2000 are in the open state, and the remaining ports are in the closed state.
In addition, the safety protection device can also process the message based on the state of the service port or the service address; the message may be sent to a server, for example, or filtered out. Therefore, the safety protection equipment can perform strategy adjustment at a port level or an address level, can realize dynamic opening or closing of a service port or a service address, and increases the flexibility and the expandability of safety protection.
Fig. 4 is another schematic diagram of a message processing method according to an embodiment of the present invention, which is illustrated from the perspective of a security device and a terminal device. As shown in fig. 4, the message processing method includes:
Step 401, the safety protection device dynamically calculates a service port or a service address;
Step 402, the terminal device dynamically calculates a service port or a service address;
Step 403, the safety protection device dynamically changes the state of the service port or the service address;
Step 404, the terminal device sends a message by using the dynamically calculated service port or service address;
Step 405, the safety protection device determines the type of the message from the terminal device;
Step 406, the message is processed based on the status of the service port or service address.
It should be noted that fig. 4 above is only a schematic illustration of the embodiment of the present invention, but the present invention is not limited thereto. For example, the execution sequence of the steps may be adjusted as appropriate, and other steps may be added or some of the steps may be reduced. Those skilled in the art can appropriately modify the above description without being limited to the description of fig. 4.
In this embodiment, the type of the message may include: a connection request type (e.g., referred to as a SYN type) and a non-connection request type (e.g., referred to as a non-SYN type); and/or the types of the messages comprise: TCP type and non-TCP type. Further, the above types may be combined, such as a TCP type for connection requests, a TCP type for data transfer (e.g., a TCP type referred to as a non-connection request), and so forth.
The above is only an exemplary description of the type of the message, but the present invention is not limited thereto, and may include other types, for example. The specific type of the message may be specifically determined according to a security protection policy or scenario, etc. The invention is described below schematically by means of the above examples only.
In one embodiment, the processing the message based on the status of the service port or the service address in step 203 or 406 may include: under the condition that the state of the service port or the service address is an open state, sending the message of the TCP type to a server, and/or filtering the message of the non-TCP type; and recording the session for which the TCP connection was successfully established. For the details of the session, reference may be made to related technologies, and details are not repeated in the present invention.
In one embodiment, the processing the message based on the status of the service port or the service address in step 203 or 406 may include: in case the status of the service port or service address is a silence state, filtering out the messages of SYN type and/or non-TCP type and/or checking the messages of TCP type not SYN.
For example, in the case that the message of the TCP type of non-SYN has a session record, sending the message of the TCP type of non-SYN to the server; filtering out the messages of TCP types other than SYN in the event that the messages of TCP types other than SYN do not have a session record.
In one embodiment, the processing the message based on the status of the service port or the service address in step 203 or 406 may include: and filtering the message from the terminal equipment under the condition that the state of the service port or the service address is a closed state.
In this embodiment, for example, during port activation, a SYN type message of TCP three-way handshake may pass through the port of the server and record a successful handshake session, and during port silence, only a non-SYN type data message in the session table is passed through.
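The per-state processing rules above (open, silent, closed) combined with the message types (SYN, non-SYN TCP, non-TCP) and the session table, as an added example that is not the patent's own code. The flow key (source address, source port, destination port), the treatment of the client's first non-SYN TCP message on an open port as the completed handshake, and the sample addresses are assumptions made for this illustration.

```python
from enum import Enum


class PortState(Enum):
    OPEN = "open"
    SILENT = "silent"
    CLOSED = "closed"


class MsgType(Enum):
    TCP_SYN = "tcp-syn"        # connection request type
    TCP_OTHER = "tcp-non-syn"  # TCP type that is not a connection request
    NON_TCP = "non-tcp"        # e.g. UDP or ICMP


FORWARD, DROP = "forward", "drop"


class ProtectionDevice:
    """Per-port state plus a table of sessions whose handshake completed."""

    def __init__(self):
        self.port_state = {}    # port -> PortState; unknown ports count as CLOSED
        self.pending = set()    # flows whose SYN was forwarded, handshake not yet seen
        self.sessions = set()   # flows with a successfully established TCP connection

    def set_state(self, port, state):
        self.port_state[port] = state

    def state_of(self, port):
        return self.port_state.get(port, PortState.CLOSED)

    def process(self, msg):
        flow = (msg["src"], msg["sport"], msg["dport"])   # assumed session key
        state = self.state_of(msg["dport"])
        kind = msg["type"]

        if state is PortState.CLOSED:
            return DROP                     # closed: everything is filtered

        if state is PortState.OPEN:
            if kind is MsgType.NON_TCP:
                return DROP                 # open: non-TCP is filtered
            if kind is MsgType.TCP_SYN:
                self.pending.add(flow)      # handshake started
            elif flow in self.pending:
                self.pending.discard(flow)  # client's final ACK: record session
                self.sessions.add(flow)
            return FORWARD                  # open: TCP goes to the server

        # SILENT: no new connections; only non-SYN TCP on a recorded session passes
        if kind is MsgType.TCP_OTHER and flow in self.sessions:
            return FORWARD
        return DROP


def run_scenario():
    """Walk one port through open -> silent -> closed with constructed traffic."""
    dev = ProtectionDevice()
    known = dict(src="10.0.0.5", sport=40001, dport=4433)      # constructed
    stranger = dict(src="203.0.113.9", sport=50000, dport=4433)  # constructed
    out = []
    dev.set_state(4433, PortState.OPEN)
    out.append(dev.process({**known, "type": MsgType.TCP_SYN}))       # forward
    out.append(dev.process({**known, "type": MsgType.TCP_OTHER}))     # forward, session recorded
    out.append(dev.process({**known, "type": MsgType.NON_TCP}))       # drop
    dev.set_state(4433, PortState.SILENT)
    out.append(dev.process({**stranger, "type": MsgType.TCP_SYN}))    # drop: no new handshakes
    out.append(dev.process({**known, "type": MsgType.TCP_OTHER}))     # forward: in session table
    out.append(dev.process({**stranger, "type": MsgType.TCP_OTHER}))  # drop: no session record
    dev.set_state(4433, PortState.CLOSED)
    out.append(dev.process({**known, "type": MsgType.TCP_OTHER}))     # drop: port closed
    return out, dev


if __name__ == "__main__":
    decisions, device = run_scenario()
    print(decisions)
    print("sessions:", device.sessions)
```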
Therefore, safety protection can be carried out from the architecture level, the condition that normal traffic is killed by mistake is greatly reduced or avoided, attack traffic can be filtered to a great extent, weak links do not exist in the protection scheme, and the resource overhead of the protection system is low.
It should be noted that the above description only takes the open state, the silence state, and the closed state, and the SYN type and the TCP type as examples, but the present invention is not limited thereto. Other port states (address states) and/or message types may also be determined based on the actual scenario.
According to the embodiment, the safety protection device dynamically calculates the service port or the service address aiming at the terminal device; receiving a message from the terminal equipment by using the dynamically calculated service port or service address; and processing the message based on the status of the service port or service address. Therefore, safety protection can be carried out from the architecture level, the condition that normal traffic is killed by mistake is greatly reduced or avoided, attack traffic can be filtered to a great extent, weak links do not exist in the protection scheme, and the resource overhead of the protection system is low.
Example 2
The embodiment of the present invention provides a message processing method, which is described from a terminal device side, and the same contents as those in embodiment 1 are not described again.
Fig. 5 is a schematic diagram of a message processing method according to an embodiment of the present invention, which is illustrated from the perspective of a terminal device. As shown in fig. 5, the message processing method includes:
In this embodiment, the terminal device may use the same dynamic key as the security protection device to periodically calculate a service port or a service address for the security protection device in real time and offline.
It should be noted that fig. 5 above is only a schematic illustration of the embodiment of the present invention, but the present invention is not limited thereto. For example, the execution sequence of the steps may be adjusted as appropriate, and other steps may be added or some of the steps may be reduced. Those skilled in the art can appropriately modify the above description without being limited to the description of fig. 5.
According to the embodiment, the terminal device dynamically calculates the service port or the service address aiming at the safety protection device; and sending a message to the safety protection equipment by using the dynamically calculated service port or service address. Therefore, safety protection can be carried out from the architecture level, the condition that normal traffic is killed by mistake is greatly reduced or avoided, attack traffic can be filtered to a great extent, weak links do not exist in the protection scheme, and the resource overhead of the protection system is low.
Example 3
The embodiment of the invention provides a message processing device. The apparatus may be, for example, a safety shield device, or may be a component or assembly configured with one or more parts of a safety shield device. The same contents of embodiment 3 as embodiment 1 will not be described again.
Fig. 6 is a schematic diagram of a message processing apparatus according to an embodiment of the present invention, and as shown in fig. 6, a message processing apparatus 600 includes:
a calculation unit 601 that dynamically calculates a service port or a service address for the terminal device;
a receiving unit 602, which receives a message from the terminal device using the dynamically calculated service port or service address; and
a processing unit 603, which processes the message based on the status of the service port or service address.
In one embodiment, the calculation unit 601 may be configured to: periodically calculate, offline and in real time, a service port or a service address for the terminal device using the same dynamic key as the terminal device.
As shown in fig. 6, the apparatus 600 may further include:
a state change unit 604 that dynamically changes the state of the service port or service address.
As shown in fig. 6, the apparatus 600 may further include:
a type determining unit 605 that determines the type of the message from the terminal device.
It should be noted that the above description only describes the components or modules related to the present invention, but the present invention is not limited thereto. The message processing apparatus 600 may also include other components or modules, and with regard to the specific contents of these components or modules, reference may be made to the related art.
The embodiment of the invention also provides safety protection equipment.
Figure 7 is a schematic diagram of the construction of a safety shield apparatus in accordance with an embodiment of the present invention. As shown in fig. 7, the safety shield apparatus 700 may include: a processor 710 (e.g., a central processing unit, CPU) and a memory 720; a memory 720 is coupled to the processor 710. Wherein the memory 720 may store various data; also, a program 730 for information processing is stored, and the program 730 is executed under the control of the processor 710.
For example, the processor 710 may be configured to execute the program 730 to implement the message processing method as described in embodiment 1. For example, the processor 710 may be configured to control as follows: dynamically calculating a service port or a service address for the terminal device; receiving a message from the terminal equipment by using the dynamically calculated service port or service address; and processing the message based on the status of the service port or service address.
In addition, as shown in fig. 7, the safety shield apparatus 700 may further include: input/output (I/O) section 740, etc.; the functions of the above components are similar to those of the prior art, and are not described in detail here. It is noted that the safety shield apparatus 700 does not necessarily include all of the components shown in FIG. 7; in addition, the safety shield apparatus 700 may also include components or modules not shown in FIG. 7, as may be found in the prior art.
An embodiment of the present invention further provides a computer-readable program, where when the program is executed in a security protection device, the program enables the security protection device to execute the message processing method described in embodiment 1.
An embodiment of the present invention further provides a storage medium storing a computer-readable program, where the computer-readable program enables a security protection device to execute the message processing method described in embodiment 1.
According to this embodiment, the security protection device dynamically calculates a service port or service address for the terminal device, receives a message from the terminal device using the dynamically calculated service port or service address, and processes the message based on the state of the service port or service address. Protection is therefore applied at the architecture level: the mistaken blocking of normal traffic is greatly reduced or avoided, attack traffic is filtered to a great extent, the protection scheme has no weak link, and the resource overhead of the protection system is low.
Example 4
The embodiment of the invention also provides a message processing apparatus. The apparatus may be, for example, a terminal device, or some component or assembly configured in the terminal device. Contents of this embodiment 4 that are the same as those of embodiment 1 or 2 will not be described again.
Fig. 8 is a schematic diagram of a message processing apparatus according to an embodiment of the present invention. As shown in fig. 8, a message processing apparatus 800 includes:
a calculation unit 801 that dynamically calculates a service port or a service address for the security protection device; and
a sending unit 802 that sends a message to the security protection device using the dynamically calculated service port or service address.
In this embodiment, the calculation unit 801 may be configured to periodically calculate, in real time and offline, a service port or a service address for the security protection device using the same dynamic key as the security protection device.
It should be noted that the above description only describes the components or modules related to the present invention, but the present invention is not limited thereto. The message processing apparatus 800 may also include other components or modules, and reference may be made to the related art regarding the specific contents of the components or modules.
An embodiment of the present invention further provides a terminal device, for which reference may be made to fig. 7. For example, the processor 710 may be configured to execute the program 730 to implement the message processing method according to embodiment 2. For example, the processor 710 may be configured to perform the following control: dynamically calculating a service port or a service address for the security protection device; and sending a message to the security protection device using the dynamically calculated service port or service address.
An embodiment of the present invention further provides a computer-readable program, where when the program is executed in a terminal device, the program enables the terminal device to execute the message processing method described in embodiment 2.
An embodiment of the present invention further provides a storage medium storing a computer-readable program, where the computer-readable program enables a terminal device to execute the message processing method described in embodiment 2.
According to this embodiment, the terminal device dynamically calculates a service port or service address for the security protection device and sends a message to the security protection device using the dynamically calculated service port or service address. Protection is therefore applied at the architecture level: the mistaken blocking of normal traffic is greatly reduced or avoided, attack traffic is filtered to a great extent, the protection scheme has no weak link, and the resource overhead of the protection system is low.
The above devices and methods of the present invention can be implemented by hardware, or can be implemented by hardware and software. The present invention relates to a computer-readable program which, when executed by a logic section, enables the logic section to realize the above-described apparatus or constituent section, or to realize the above-described various methods or steps. The present invention also relates to a storage medium such as a hard disk, a magnetic disk, an optical disk, a DVD, a flash memory, or the like, for storing the above program.
The methods and apparatus described in connection with the embodiments of the invention may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. For example, one or more of the functional block diagrams and/or one or more combinations of the functional block diagrams illustrated in the figures may correspond to individual software modules of a computer program flow, or to individual hardware modules. These software modules may correspond, respectively, to the various steps shown in the figures. These hardware modules may be implemented, for example, by realizing the software modules in a Field Programmable Gate Array (FPGA).
A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. A storage medium may be coupled to the processor such that the processor can read information from, and write information to, the storage medium; or the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The software module may be stored in the memory of the mobile terminal or in a memory card that is insertable into the mobile terminal. For example, if the device (e.g., mobile terminal) employs a relatively large capacity MEGA-SIM card or a large capacity flash memory device, the software module may be stored in the MEGA-SIM card or the large capacity flash memory device.
One or more of the functional blocks and/or one or more combinations of the functional blocks described in the figures can be implemented as a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any suitable combination thereof designed to perform the functions described herein. One or more of the functional blocks and/or one or more combinations of the functional blocks described in connection with the figures may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
While the invention has been described with reference to specific embodiments, it will be apparent to those skilled in the art that these descriptions are illustrative and not intended to limit the scope of the invention. Various modifications and alterations of this invention will become apparent to those skilled in the art based upon the spirit and principles of this invention, and such modifications and alterations are also within the scope of this invention.
Claims (13)
1. A method of message processing, the method comprising:
dynamically calculating a service port or a service address for a terminal device;
receiving a message from the terminal device using the dynamically calculated service port or service address; and
processing the message based on the state of the service port or service address,
wherein, after receiving the message from the terminal device, the method further comprises:
determining a type of the message from the terminal device,
and wherein processing the message based on the state of the service port or service address comprises:
in the case that the state of the service port or service address is an open state, sending a message of the transmission control protocol type to a server and/or filtering out a message of the non-transmission control protocol type; and
recording the session in which the transmission control protocol connection was successfully established.
2. The method of claim 1, wherein dynamically calculating a service port or service address for a terminal device comprises: periodically calculating, in real time and offline, a service port or a service address for the terminal device using the same dynamic key as the terminal device.
3. The method of claim 1, wherein the dynamically computed service port or service address varies over time and is within a predetermined range.
4. The method of claim 1, further comprising:
dynamically changing the state of the service port or service address.
5. The method of claim 1, wherein the state of the service port or service address comprises one of: an open state, a silent state, and a closed state.
6. The method of claim 1, wherein the type of the message comprises: a connection request type and a non-connection request type; and/or
the type of the message comprises: a transmission control protocol type and a non-transmission control protocol type.
7. The method of claim 1, wherein processing the message based on the state of the service port or service address comprises:
in the case that the state of the service port or service address is a silent state, filtering out a message of the connection request type and/or the non-transmission control protocol type, and/or checking a message of the non-connection request transmission control protocol type.
8. The method of claim 7, further comprising:
in the case that the message of the non-connection request transmission control protocol type has a session record, sending the message of the non-connection request transmission control protocol type to a server; and, in the case that the message of the non-connection request transmission control protocol type has no session record, filtering out the message of the non-connection request transmission control protocol type.
9. The method of claim 1, wherein processing the message based on the state of the service port or service address comprises:
in the case that the state of the service port or service address is a closed state, filtering out the message from the terminal device.
10. A message processing apparatus configured in a security protection device, the apparatus comprising:
a calculation unit that dynamically calculates a service port or a service address for a terminal device;
a receiving unit that receives a message from the terminal device using the dynamically calculated service port or service address;
a processing unit that processes the message based on a state of the service port or service address; and
a type determination unit that determines a type of the message from the terminal device,
wherein the processing unit processing the message based on the state of the service port or service address comprises:
in the case that the state of the service port or service address is an open state, sending a message of the transmission control protocol type to a server and/or filtering out a message of the non-transmission control protocol type; and
recording the session in which the transmission control protocol connection was successfully established.
11. The apparatus of claim 10, wherein the calculation unit is configured to: periodically calculate, in real time and offline, a service port or a service address for the terminal device using the same dynamic key as the terminal device.
12. The apparatus of claim 10, further comprising:
a state change unit that dynamically changes the state of the service port or service address.
13. A security protection device comprising a memory and a processor, the memory storing a computer program, wherein the processor executes the computer program to implement the message processing method of any of claims 1 to 9.
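The following is an added example, not the patent's own code, that models both sides described in embodiments 3 and 4 and the processing rules of claims 1 and 7 to 9: the terminal and the security protection device derive the current hopping port from a shared key, and the device forwards or filters messages according to the open, silent or closed state and its session records. The HMAC-over-time-slot derivation, the port range, the hop interval, the message layout and the simplified "session established" rule are assumptions made for this example.

```python
import hashlib
import hmac

# Added example; not the patent's own code. The patent states only that the
# port/address is derived periodically from a dynamic key shared by both
# sides, varies over time and stays within a predetermined range. The HMAC
# derivation, range and hop interval below are assumptions for this example.
PORT_RANGE = (20000, 30000)  # assumed predetermined range [lo, hi)
SLOT_SECONDS = 30            # assumed hop interval


def service_port(key: bytes, now: float, port_range=PORT_RANGE, slot=SLOT_SECONDS) -> int:
    """Port valid for the time slot containing `now`; both sides compute it offline."""
    lo, hi = port_range
    slot_index = int(now // slot)
    tag = hmac.new(key, slot_index.to_bytes(8, "big"), hashlib.sha256).digest()
    return lo + int.from_bytes(tag[:4], "big") % (hi - lo)


def terminal_message(key: bytes, now: float, src: str, proto: str, syn: bool) -> dict:
    """Terminal side (embodiment 4): address the message to the current hopping port."""
    return {"proto": proto, "syn": syn, "src": src, "dport": service_port(key, now)}


OPEN, SILENT, CLOSED = "open", "silent", "closed"


class Guard:
    """Security protection device side (embodiment 3, claims 1 and 7 to 9)."""

    def __init__(self, key: bytes):
        self.key = key
        self.state = OPEN        # changed dynamically by the device (claim 4)
        self.pending = set()     # sessions whose connection request was forwarded
        self.sessions = set()    # sessions whose TCP connection was established

    def process(self, msg: dict, now: float) -> str:
        """Return 'forward' or 'drop' for a message arriving at time `now`."""
        # Only the currently computed port is listened on. A real deployment
        # would also accept the previous slot's port to tolerate clock skew
        # (assumption; the patent does not describe this).
        if msg["dport"] != service_port(self.key, now):
            return "drop"
        sess = (msg["src"], msg["dport"])
        if self.state == CLOSED:
            return "drop"                       # claim 9: everything filtered
        if msg["proto"] != "tcp":
            return "drop"                       # non-TCP filtered (claims 1, 7)
        if self.state == OPEN:                  # claim 1
            if msg["syn"]:
                self.pending.add(sess)
            elif sess in self.pending:          # simplified: first data after SYN
                self.sessions.add(sess)         # record the established session
            return "forward"
        # SILENT state (claims 7 and 8): no new connections, known sessions pass
        if msg["syn"]:
            return "drop"
        return "forward" if sess in self.sessions else "drop"
```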
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810862897.7A CN110798423B (en) | 2018-08-01 | 2018-08-01 | Message processing method and device, safety protection equipment and terminal equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110798423A CN110798423A (en) | 2020-02-14 |
| CN110798423B true CN110798423B (en) | 2022-04-15 |
Family ID: 69424965
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810862897.7A Active CN110798423B (en) | 2018-08-01 | 2018-08-01 | Message processing method and device, safety protection equipment and terminal equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110798423B (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | REG | Reference to a national code | Ref country code: HK; Ref legal event code: DE; Ref document number: 40023522; Country of ref document: HK |
| | GR01 | Patent grant | |