HK1240422B - Method, apparatus and system for constructing virtual private network - Google Patents
Method, apparatus and system for constructing virtual private network
- Publication number: HK1240422B (application HK17113263.4A)
- Authority: HK (Hong Kong)
Description
Technical Field
The present invention relates to the field of communication technology applications, and in particular to a method, apparatus and system for building a virtual private network.
Background Art
With the widespread use of Internet technology, beyond the convenience of obtaining information online, ensuring safety while using the Internet has become a constant concern of Internet security.
To secure Internet traffic between enterprises, between groups, or between individuals and enterprises, a virtual private network (VPN) is a communication method commonly used to connect private networks at the enterprise or group level. VPN messages carry intranet traffic over a public network infrastructure; within the Internet architecture, for example, an encrypted tunneling protocol is used to achieve confidentiality, sender authentication, message accuracy and similar private-message security properties. VPN technology thus makes it possible to send reliable, secure messages over an insecure network such as the Internet. VPNs can be classified in several ways, mainly by protocol, and can be implemented by servers, hardware or software. Software VPNs are currently the most widely used; common software protocols include the Point to Point Tunneling Protocol (PPTP), the Layer 2 Tunneling Protocol (L2TP), Internet Protocol Security (IPSEC) and Generic Routing Encapsulation (GRE).
However, the VPN implementations in the related art are complex: devices such as virtual network cards must be added on both the client side and the server side, which cannot meet the requirements of certain application scenarios. In a diskless workstation environment, for example, adding a hardware device such as a network card requires a reboot, but on a diskless workstation every change is reverted once the machine reboots, so plug-and-play is impossible in that scenario. More importantly, while a VPN tunnel is being established, a network device that does not support the particular tunnel protocol will prevent the tunnel from being established; the most typical case is that most home routers cannot support Generic Routing Encapsulation (GRE) tunnels. It can thus be seen that when the devices on the two sides of the VPN network are incompatible with a particular communication protocol, the VPN tunnel cannot be established.
No effective solution has yet been proposed for the above problem in the related art, namely that the VPN tunnel cannot be established because the devices on the two sides of the VPN network are incompatible with a particular communication protocol.
Summary of the Invention
Embodiments of the present invention provide a method, apparatus and system for building a virtual private network, so as to at least solve the technical problem that a VPN tunnel cannot be established because the devices on the two sides of the VPN network are incompatible with a particular communication protocol.
According to one aspect of an embodiment of the present invention, a method for building a virtual private network is provided, comprising: detecting the message type of a previously received protocol message; when the message type of the protocol message is a first-type protocol message, converting the protocol message into a second-type protocol message used for communication in the virtual private network; detecting the message parameters in the second-type protocol message and judging whether the message parameters contain the attack features of a network attack; and, if the judgment result is no, sending the second-type protocol message.
According to one aspect of an embodiment of the present invention, another method for building a virtual private network is provided, comprising: receiving a second-type protocol message sent by a client; judging whether the message parameters in the second-type protocol message contain the attack features of a network attack; and, if the judgment result is no, sending the second-type protocol message to the corresponding sending port according to the type of the server.
According to another aspect of an embodiment of the present invention, an apparatus for building a virtual private network is also provided, comprising: a detection module for detecting the message type of a previously received protocol message; a conversion module for converting the protocol message into a second-type protocol message used for communication in the virtual private network when the message type of the protocol message is a first-type protocol message; a judgment module for detecting the message parameters in the second-type protocol message and judging whether the message parameters contain the attack features of a network attack; and a sending module for sending the second-type protocol message if the judgment result is no.
Optionally, the conversion module comprises: an acquisition unit for acquiring the data in the protocol message; and an encapsulation unit for encapsulating the data according to the format of the second-type protocol message, obtaining a protocol message whose message type is the second-type protocol message.
Optionally, the apparatus further comprises: an encryption module for, before the message parameters in the second-type protocol message are detected, matching the corresponding encryption rule according to the service type of the protocol message and encrypting the second-type protocol message according to that encryption rule, wherein the encryption rule indicates that the encryption level is changed according to the service type during encryption.
Optionally, the encryption module comprises: an encryption unit for performing feature encryption on the second-type protocol message according to the encryption rule, wherein feature encryption is encryption based on the message parameters in the second-type protocol message.
Optionally, the judgment module comprises: a detection unit for detecting the message length, feature value, sending rate and data size among the message parameters in the second-type protocol message; a first judgment unit for judging whether at least one of the message length, feature value, sending rate and data size among the message parameters matches the preset attack feature; and a second judgment unit for judging, from the result of matching the message parameters against the attack feature, whether the protocol message carries the network attack.
Optionally, the apparatus further comprises: an execution module for discarding the protocol message if the judgment result is yes.
Optionally, the apparatus further comprises: a receiving module for receiving a second-type protocol message returned by the server; a matching module for matching the corresponding forwarding port according to the destination address of the second-type protocol message; and a feedback module for returning the second-type protocol message through the forwarding port.
Optionally, the feedback module comprises: a type detection unit for detecting the type of protocol message supported by the forwarding port corresponding to the destination address; and a sending unit for sending the second-type protocol message according to the type of protocol message supported by the forwarding port.
Optionally, the sending unit comprises: an acquisition subunit for acquiring the data in the second-type protocol message when the type of protocol message supported by the forwarding port is detected to be a first-type protocol message; and a first sending subunit for returning that data through the corresponding forwarding port.
Optionally, the sending unit comprises: a second sending subunit for returning the second-type protocol message through the corresponding forwarding port when the type of protocol message supported by the forwarding port is detected to be a second-type protocol message.
According to another aspect of an embodiment of the present invention, another apparatus for building a virtual private network is also provided, comprising: a receiving module for receiving a second-type protocol message sent by a client; a judgment module for judging whether the message parameters in the second-type protocol message contain the attack features of a network attack; and a sending module for sending the second-type protocol message to the corresponding sending port according to the type of the server if the judgment result is no.
Optionally, the apparatus further comprises: a decryption module for decrypting the second-type protocol message according to a preset decryption rule before the second-type protocol message is sent to the corresponding sending port according to the type of the server.
Optionally, the decryption module comprises: a matching unit for matching the corresponding decryption rule according to the service type of the second-type protocol message; and a decryption unit for performing feature decryption on the second-type protocol message according to the decryption rule, where feature decryption indicates that decryption is performed according to the message parameters in the second-type protocol message, the message parameters comprising at least one of message length, feature value, sending rate and data size.
Optionally, the sending module comprises: a first sending unit for sending the second-type protocol message to the server through a first-type sending port when the server is of a type that supports second-type protocol messages, wherein the first-type sending port is the port corresponding to a server that supports second-type protocol messages; and a second sending unit for acquiring the data in the second-type protocol message and sending that data to the server through a second-type sending port when the server is of a type that supports first-type protocol messages, wherein the second-type sending port is the port corresponding to a server that supports first-type protocol messages.
According to yet another aspect of an embodiment of the present invention, a system for building a virtual private network is also provided, comprising a client tunnel apparatus and a tunnel network device that are communicatively connected, wherein: the client tunnel apparatus detects the message type of the received protocol message, converts a protocol message whose message type is a first-type protocol message into a second-type protocol message used for communication in the virtual private network, judges from the message parameters in the second-type protocol message whether the protocol message contains the attack features of a network attack, and sends the protocol message if the judgment result is no; and the tunnel network device, communicatively connected to the client tunnel apparatus, receives the second-type protocol message sent by the client tunnel apparatus, detects whether the second-type protocol message carries a network attack, and, if the judgment result is no, sends the decrypted second-type protocol message to the corresponding sending port according to the type of the server; wherein the client tunnel apparatus is the apparatus for building a virtual private network described above, and the tunnel network device is the other apparatus for building a virtual private network described above.
In the embodiments of the present invention, by detecting the message type of a previously received protocol message, converting the protocol message into a second-type protocol message used for communication in the virtual private network when its message type is a first-type protocol message, detecting the message parameters in the second-type protocol message and judging whether they contain the attack features of a network attack, and sending the second-type protocol message if the judgment result is no, devices on the two sides of the VPN network that support different communication protocols are made compatible. This achieves the technical effect of establishing a VPN tunnel and thereby solves the technical problem that a VPN tunnel cannot be established because the devices on the two sides of the VPN network are incompatible with a particular communication protocol.
BRIEF DESCRIPTION OF THE DRAWINGS
The drawings described here are provided to give a further understanding of the present invention and form a part of this application. The exemplary embodiments of the present invention and their descriptions serve to explain the present invention and do not constitute an improper limitation of it. In the drawings:
FIG. 1 is a hardware structure block diagram of a computer terminal for a method for building a virtual private network according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method for building a virtual private network according to Embodiment 1 of the present invention;
FIG. 3 is a schematic structural diagram of the client tunnel apparatus in the method for building a virtual private network according to Embodiment 1 of the present invention;
FIG. 4 is a schematic structural diagram of the tunnel service apparatus within the client tunnel apparatus in the method for building a virtual private network according to Embodiment 1 of the present invention;
FIG. 5 is a flowchart of a method for building a virtual private network according to Embodiment 2 of the present invention;
FIG. 6(a) is a schematic structural diagram of the tunnel termination apparatus in the method for building a virtual private network according to Embodiment 2 of the present invention;
FIG. 6(b) is a flowchart of a method for building a virtual private network according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an apparatus for building a virtual private network according to Embodiment 3 of the present invention;
FIG. 8 is a schematic structural diagram of one apparatus for building a virtual private network according to Embodiment 3 of the present invention;
FIG. 9 is a schematic structural diagram of another apparatus for building a virtual private network according to Embodiment 3 of the present invention;
FIG. 10 is a schematic structural diagram of yet another apparatus for building a virtual private network according to Embodiment 3 of the present invention;
FIG. 11 is a schematic structural diagram of still another apparatus for building a virtual private network according to Embodiment 3 of the present invention;
FIG. 12 is a schematic structural diagram of an apparatus for building a virtual private network according to Embodiment 4 of the present invention;
FIG. 13 is a schematic structural diagram of one apparatus for building a virtual private network according to Embodiment 4 of the present invention;
FIG. 14 is a schematic structural diagram of another apparatus for building a virtual private network according to Embodiment 4 of the present invention;
FIG. 15 is a schematic structural diagram of yet another apparatus for building a virtual private network according to Embodiment 4 of the present invention;
FIG. 16 is a schematic structural diagram of a system for building a virtual private network according to an embodiment of the present application.
DETAILED DESCRIPTION
To enable those skilled in the art to better understand the solutions of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in those embodiments. Obviously, the embodiments described are only some of the embodiments of the present invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be noted that the terms "first", "second" and the like in the description, claims and drawings of the present invention are used to distinguish similar objects and do not necessarily describe a particular order or sequence. It should be understood that data so designated may be interchanged where appropriate, so that the embodiments of the present invention described here can be implemented in an order other than that illustrated or described here. In addition, the terms "comprising" and "having" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to that process, method, product or device.
To aid understanding of the embodiments of the present application, the technical terms involved in them are explained as follows:
Virtual Private Network (VPN): a temporary, secure connection established through a public network; a secure, stable tunnel through the chaotic public network. It can be understood as a virtual dedicated line inside an enterprise. Using a special encrypted communication protocol, it establishes a dedicated communication line between two or more enterprise intranets located in different places and connected to the Internet;
User Datagram Protocol (UDP): a connectionless transport-layer protocol in the Open System Interconnection (OSI) reference model that provides a simple, unreliable, transaction-oriented message delivery service;
Transmission Control Protocol (TCP): a connection-oriented, reliable, byte-stream-based transport-layer communication protocol;
Cyclic Redundancy Check (CRC): error detection based on the principle of division and remainder;
Network attack: an attack on the hardware, software or data of a network system that exploits vulnerabilities and security flaws present in the network;
Attack features of a network attack: including network packet sniffing, address spoofing, password attacks, denial-of-service attacks and the like.
Embodiment 1
According to an embodiment of the present invention, a method embodiment of a method for building a virtual private network is also provided. It should be noted that the steps shown in the flowcharts of the drawings may be executed in a computer system such as a set of computer-executable instructions, and that although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from the one given here.
The method embodiment provided in Embodiment 1 of the present application may be executed in a mobile terminal, a computer terminal or a similar computing device. Taking execution on a computer terminal as an example, FIG. 1 is a hardware structure block diagram of a computer terminal for a method for building a virtual private network according to an embodiment of the present invention. As shown in FIG. 1, the computer terminal 10 may include one or more processors 102 (only one is shown; the processor 102 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)), a memory 104 for storing data, and a transmission module 106 for communication. A person of ordinary skill in the art will understand that the structure shown in FIG. 1 is only illustrative and does not limit the structure of the above electronic device; for example, the computer terminal 10 may include more or fewer components than shown in FIG. 1, or have a configuration different from that shown in FIG. 1.
The memory 104 may be used to store software programs and modules of application software, such as the program instructions/modules corresponding to the method for building a virtual private network in the embodiment of the present invention. The processor 102 performs various functional applications and data processing by running the software programs and modules stored in the memory 104, i.e. implements the application vulnerability detection method described above. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples the memory 104 may further include memory located remotely from the processor 102, and such remote memory may be connected to the computer terminal 10 through a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations of these.
The transmission apparatus 106 is used to receive or send data via a network. A specific example of such a network is a wireless network provided by the communications provider of the computer terminal 10. In one example, the transmission apparatus 106 includes a network interface controller (NIC), which can connect to other network devices through a base station so as to communicate with the Internet. In another example, the transmission apparatus 106 may be a radio frequency (RF) module used to communicate with the Internet wirelessly.
In the above operating environment, the present application provides the method for building a virtual private network shown in FIG. 2, which is a flowchart of the method for building a virtual private network according to Embodiment 1 of the present invention.
Step S202: detect the message type of the previously received protocol message.
The method for building a virtual private network provided in the embodiment of the present application can be applied to the establishment of a virtual private network (VPN), in which the User Datagram Protocol (UDP) is used as the VPN tunnel communication protocol so as to solve the problem that the devices on the two sides of the VPN tunnel are incompatible with a particular communication protocol.
In step S202 of the present application, on the client side, a client tunnel apparatus is configured at the application layer of the client, and its application-layer protocol docking apparatus detects the message type of the received protocol message. In the embodiment of the present application the client may include a laptop computer, a desktop computer, a tablet computer, a personal computer (PC) or any other client able to connect and supporting the UDP protocol. The terminal is described below taking a PC as the example: the application-layer protocol docking apparatus of the PC detects the message type of the protocol message sent by an application on the PC, i.e. detects whether the message type of the current protocol message is the UDP protocol or the TCP protocol.
Here the method for building a virtual private network provided in the embodiment of the present application takes as its example how the docking apparatus bridges the tunnel with the layer-7 protocols currently in use (TCP and UDP), so as to solve the problem that the devices on the two sides of the VPN tunnel are incompatible with a particular communication protocol.
In the embodiment of the present application the message types of protocol messages include the User Datagram Protocol (UDP) and the Transmission Control Protocol (TCP); a message encapsulated in the TCP protocol structure is treated as the first-type protocol message, and a message encapsulated in the UDP protocol structure as the second-type protocol message.
In the embodiment of the present application the communication protocol of the VPN tunnel is UDP; because UDP is a commonly used protocol that all network devices support, the compatibility risk is resolved.
Step S204: when the message type of the protocol message is a first-type protocol message, convert the protocol message into a second-type protocol message used for communication in the virtual private network.
Following step S202, and still taking UDP and TCP as the example message types, in step S204 of the present application, when the application-layer protocol docking apparatus detects that the message type of the received protocol message is a TCP protocol message, the TCP protocol message is converted into a message encapsulated in the UDP protocol structure, so as to allow for the server on the other side of the VPN tunnel being a device that supports the UDP protocol; the result is a message converted into a UDP protocol message. The second-type protocol message referred to below is this UDP protocol message.
Step S206: detect the message parameters in the second-type protocol message and judge whether the message parameters contain the attack features of a network attack.
Besides solving the compatibility problem encountered when establishing a VPN network, the method for building a virtual private network provided in the embodiment of the present application also addresses whether the UDP protocol messages sent by the PC while the VPN network is being established constitute a network attack on the server at the other end of the VPN tunnel.
Following step S204, once a UDP protocol message suitable for communication over the VPN tunnel has been obtained, in step S206 of the present application the tunnel service apparatus in the PC must inspect the data of that UDP protocol message before the PC sends it: by detecting the message parameters in the UDP protocol message, it judges whether those parameters contain features that match the attack features of a network attack.
Here the message parameters of the UDP protocol message may include: the parity check value of the data in the UDP protocol message, the cyclic redundancy check (CRC) value of the data, the message length, the destination IP and destination port used for the communication, and other data information.
If at least one of the above message parameters is judged to be identical to an attack feature of a network attack, the UDP protocol message is a protocol message used to carry out a network attack, and if the judgment result is yes the UDP protocol message is discarded. That is, when at least one of the above message parameters in the UDP protocol message is judged to match an attack feature of a network attack, the UDP protocol message is judged to pose a network attack threat and is therefore discarded, which protects the security of the VPN network and in particular protects the server side from attack by the client.
这里若隧道业务装置判断UDP协议报文中的上述报文参数中不存在与网络攻击的攻击特征相匹配时,则执行步骤S208。Here, if the tunnel service device determines that none of the message parameters in the UDP protocol message matches the attack characteristics of the network attack, step S208 is executed.
步骤S208,在判断结果为否的情况下,发送第二类协议报文。Step S208: If the judgment result is no, send the second type protocol message.
基于步骤S206,在判断报文参数是否存在网络攻击的攻击特征的基础上,本申请上述步骤S208中,在隧道业务装置判断UDP协议报文中的上述报文参数中不存在与网络攻击的攻击特征相匹配时,将发送该UDP报文。Based on step S206, on the basis of determining whether the message parameters have attack characteristics of a network attack, in the above step S208 of the present application, when the tunnel service device determines that the above message parameters in the UDP protocol message do not match the attack characteristics of a network attack, the UDP message will be sent.
结合步骤S202至步骤S208,本申请实施例提供的用于构建虚拟专用网络的方法在客户端设置有隧道装置,即上述客户端隧道装置,图3是根据本发明实施例一的用于构建虚拟专用网络的方法中客户端隧道装置的结构示意图,如图3所示,其中,客户端隧道装置包括:应用程序协议对接装置和隧道业务装置,应用层协议对接装置,用于将接收到的协议报文进行检查,判断该协议报文的报文类型,在该报文类型为TCP协议报文时,将该协议报文转换为UDP协议报文,即,执行上述步骤S202和步骤S204;隧道业务装置,用于检测报文类型转换为UDP协议报文的报文是否存在网络攻击的威胁,如果UDP协议报文不存在网络攻击威胁,则发送该UDP协议报文,即,执行上述步骤S206和步骤S208。In combination with steps S202 to S208, the method for building a virtual private network provided by the embodiment of the present application is provided with a tunnel device on the client, that is, the above-mentioned client tunnel device. Figure 3 is a structural diagram of the client tunnel device in the method for building a virtual private network according to embodiment 1 of the present invention. As shown in Figure 3, the client tunnel device includes: an application protocol docking device and a tunnel service device. The application layer protocol docking device is used to check the received protocol message and determine the message type of the protocol message. When the message type is a TCP protocol message, the protocol message is converted into a UDP protocol message, that is, the above-mentioned steps S202 and S204 are executed; the tunnel service device is used to detect whether the message type is converted into a UDP protocol message and whether there is a threat of network attack. If the UDP protocol message does not pose a threat of network attack, the UDP protocol message is sent, that is, the above-mentioned steps S206 and S208 are executed.
由上可知,本申请上述实施例一所提供的方案,通过检测预先接收到的协议报文的报文类型;当协议报文的报文类型为第一类协议报文时,将协议报文转换为在虚拟专用网络中用于通信的第二类协议报文;检测第二类协议报文中的报文参数,判断报文参数是否存在网络攻击的攻击特征;在判断结果为否的情况下,发送第二类协议报文,达到了VPN网络中的两侧支持不同通信协议的设备兼容的目的,从而实现了建立VPN隧道的技术效果,进而解决了由于VPN网络两侧设备存在对特定通信协议的不兼容的问题,导致VPN隧道无法建立的技术问题。这里本申请实施例提供的网络攻击至少包括密级数据发送攻击或特定应用层数据协议攻击,以实现本申请实施例提供的用于构建虚拟专用网络的方法为准,具体不做限定。As can be seen from the above, the solution provided in the first embodiment of the present application detects the message type of the protocol message received in advance; when the message type of the protocol message is a first type of protocol message, the protocol message is converted into a second type of protocol message used for communication in the virtual private network; the message parameters in the second type of protocol message are detected to determine whether the message parameters contain attack characteristics of a network attack; if the judgment result is no, the second type of protocol message is sent, thereby achieving the purpose of compatibility of devices supporting different communication protocols on both sides of the VPN network, thereby achieving the technical effect of establishing a VPN tunnel, and further solving the technical problem that the VPN tunnel cannot be established due to the incompatibility of devices on both sides of the VPN network with specific communication protocols. The network attack provided in the embodiment of the present application here at least includes a classified data sending attack or a specific application layer data protocol attack, and is subject to the method for building a virtual private network provided in the embodiment of the present application, and is not specifically limited.
Optionally, converting the protocol message into a second-type protocol message for communication in the virtual private network in step S204 comprises:
Step 1: obtain the data in the protocol message.
In Step 1 of step S204, as shown in Figure 3, when the message type of the protocol message is TCP, the TCP tunnel conversion device in the application-layer protocol docking device obtains the data in the protocol message. It does so as follows:
First, establish a TCP server locally.
Second, obtain the data that the TCP protocol needs to transmit through that TCP server.
Step 2: encapsulate the data in the format of the second-type protocol message, obtaining a protocol message whose message type is the second type.
Following Step 1, once the data has been obtained from the protocol message, Step 2 requires that, if the data is to be sent to the server through the VPN tunnel, it be encapsulated in a protocol message of the same protocol format as the communication protocol used by the tunnel. The data is therefore encapsulated in the UDP protocol structure, giving a UDP message that can be transmitted over the VPN tunnel.
Optionally, before the message parameters of the second-type protocol message are inspected in step S206, the method of this embodiment further comprises:
Step S205: match the service type of the protocol message to obtain the corresponding encryption rule, and encrypt the second-type protocol message according to that rule, where the encryption rule indicates that the encryption level is to be changed according to the service type during encryption.
In step S205, before the message parameters of the UDP message are inspected, the UDP message is encrypted so that it cannot easily be intercepted and broken in transit, which safeguards the information. Figure 4 is a structural diagram of the tunnel service device within the client tunnel device in the method according to embodiment 1 of the present invention. As shown in Figure 4, the tunnel service device obtains the UDP message through the tunnel pipeline device in the application-layer protocol docking device; its tunnel core configuration module dynamically matches an encryption rule to the service type of the UDP message, and its data encryption module encrypts the UDP message according to that rule.
Specifically, the tunnel core configuration module can learn the working state of the data encryption module from that module, and on that basis informs the data encryption module of the security level and delay-sensitivity requirements; the data encryption module then generates encryption rules elastically according to those requirements and encrypts the UDP message.
Further, optionally, encrypting the second-type protocol message according to the encryption rule in step S205 comprises:
Step 1: perform feature encryption on the second-type protocol message according to the encryption rule, where feature encryption is encryption based on the message parameters of the second-type protocol message.
In Step 1 of step S205, the encryption rule defines both the encryption method and the encryption level of the UDP message. Note that feature encryption is dynamic: it is applied according to the features found in the various parts of the UDP protocol structure, that is, the complexity of the encryption process is adjusted according to the service type of the UDP message. For example, a request message sent merely to set up communication can be assigned a low confidentiality level, so that the server can inspect and decrypt it quickly and return the response message, which improves the overall data transmission efficiency of the VPN; conversely, when the client's business messages are transmitted, the encryption rule can raise the encryption level to keep the content of the UDP message from being leaked, and encryption is carried out over multiple features (message parameters) of the UDP protocol structure.
Specifically, in the method of this embodiment the data encryption module performs abstract calculations over the characteristics of the data (such as the parity value of the data, its cyclic redundancy check (CRC) value, the message length, and the destination IP address and destination port used for the communication). The computed values are carried inside the encrypted data as the encryption result and characteristic values, and are provided mainly to the data detection module on the server side for rapid screening of the data. Depending on the configuration of the encryption rule, several such checkpoints are embedded in the UDP message for detection. This both lightens the processing load on the server side and, compared with conventional whole-message encryption, improves processing performance. Consequently, under a large-scale CC attack, detecting data on the basis of this mechanism relieves the server's load to the greatest extent and improves its resistance to attack.
Optionally, inspecting the message parameters of the second-type protocol message in step S206 and determining whether they contain the attack characteristics of a network attack comprises:
Step 1: inspect the message length, characteristic value, sending rate and data size among the message parameters of the second-type protocol message.
In Step 1 of step S206, as shown in Figure 3, the data detection module inspects the message parameters of the UDP message, for example the message length, characteristic value, sending rate and data size.
In addition, the data detection module inspects the content of the UDP message, so that if a network-attack threat is found before the UDP message is sent to the server it can be stopped in time, protecting the server side. Performing detection on the client side therefore raises the server side's level of protection against network attacks. Moreover, because the UDP message is dynamically encrypted according to the encryption rule before detection, the server side can inspect a received UDP message before decrypting it and discard it as soon as a network-attack risk is found, avoiding the poor data-processing efficiency of the conventional approach of decrypting a received protocol message first and checking its safety afterwards.
Step 2: determine whether at least one of the message length, characteristic value, sending rate and data size among the message parameters matches a preset attack characteristic.
In Step 2, it is determined whether the above message parameters of the UDP message match the preset attack characteristics, and the matching result then decides whether the UDP message constitutes a network attack; see Step 3.
Step 3: determine, from the matching result between the message parameters and the attack characteristics, whether the protocol message constitutes a network attack.
Based on the matching result of Step 2, in Step 3, when at least one of the message length, characteristic value, sending rate and data size among the message parameters is found in Step 2 to match a preset attack characteristic, the protocol message is deemed to constitute a network attack.
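The feature checkpoints of step S205 and the parameter checks of Steps 1 to 3 of step S206, as an added example that is not the patent's own code: the frame layout, the stand-in keystream cipher, the threshold values, the service-type names and all function names are assumptions made for the demonstration. The `screen` function is the decryption-free screening that the text assigns to both the client-side and the server-side data detection module.

```python
import hashlib
import struct
import zlib
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

MAGIC = b"VT"                  # constructed frame marker, not from the patent
LEVEL_LOW, LEVEL_HIGH = 1, 2   # confidentiality level chosen from the service type
CHUNK = 256                    # at LEVEL_HIGH one extra CRC checkpoint per CHUNK bytes
# clear-text feature block: magic, level, dst_ip, dst_port, body length,
# body CRC32, body parity, number of per-chunk checkpoints (layout is an assumption)
HDR = struct.Struct(">2sB4sHHIBB")

def parity(data: bytes) -> int:
    """XOR parity over all bytes, one of the message parameters named in the text."""
    p = 0
    for b in data:
        p ^= b
    return p

def keystream_xor(key: bytes, data: bytes, level: int) -> bytes:
    """Stand-in cipher (assumption): SHA-256 counter keystream, keyed with the level.
    It is symmetric, so the same call decrypts."""
    out = bytearray()
    ctr = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + struct.pack(">IB", ctr, level)).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))

def level_for(service_type: str) -> int:
    """Encryption rule: a set-up request gets the low level, business traffic the high one."""
    return LEVEL_LOW if service_type == "handshake" else LEVEL_HIGH

def encapsulate(payload: bytes, dst_ip: str, dst_port: int, service_type: str, key: bytes) -> bytes:
    """Steps S204/S205: wrap data taken from the local TCP server into a UDP tunnel
    frame, encrypt it, and embed the feature values the detectors screen on."""
    level = level_for(service_type)
    body = keystream_xor(key, payload, level)
    chunks = [body[i:i + CHUNK] for i in range(0, len(body), CHUNK)] if level == LEVEL_HIGH else []
    checkpoints = b"".join(struct.pack(">I", zlib.crc32(c)) for c in chunks)
    ip = bytes(int(o) for o in dst_ip.split("."))
    hdr = HDR.pack(MAGIC, level, ip, dst_port, len(body), zlib.crc32(body), parity(body), len(chunks))
    return hdr + checkpoints + body

def screen(frame: bytes) -> Optional[dict]:
    """Fast screening with no decryption (used on both sides): recompute every
    embedded feature value. Returns the message parameters, or None to drop."""
    if len(frame) < HDR.size:
        return None
    magic, level, ip, port, length, crc, par, n = HDR.unpack_from(frame)
    body = frame[HDR.size + 4 * n:]
    if magic != MAGIC or len(body) != length:
        return None
    if zlib.crc32(body) != crc or parity(body) != par:
        return None
    for i in range(n):
        (expected,) = struct.unpack_from(">I", frame, HDR.size + 4 * i)
        if zlib.crc32(body[i * CHUNK:(i + 1) * CHUNK]) != expected:
            return None
    return {"length": len(frame), "feature": crc, "data_size": length,
            "dst": (".".join(map(str, ip)), port), "level": level}

@dataclass
class AttackSignatures:
    """Preset attack characteristics; the values are constructed for the demo."""
    max_length: int = 1400                           # oversized tunnel frame
    max_data_size: int = 1200                        # oversized encapsulated data
    max_rate: float = 50.0                           # frames per second to one destination
    bad_features: set = field(default_factory=set)   # CRCs of known attack payloads

@dataclass
class DataDetectionModule:
    sig: AttackSignatures
    window: float = 1.0                              # seconds used for the sending rate
    _sent: dict = field(default_factory=dict)

    def check(self, frame: bytes, now: float) -> str:
        """Step S206 Steps 1-3: returns 'send' or 'drop'; one matching parameter drops."""
        params = screen(frame)
        if params is None:
            return "drop"
        hist = self._sent.setdefault(params["dst"], deque())
        while hist and now - hist[0] > self.window:
            hist.popleft()
        rate = (len(hist) + 1) / self.window
        if (params["length"] > self.sig.max_length
                or params["data_size"] > self.sig.max_data_size
                or rate > self.sig.max_rate
                or params["feature"] in self.sig.bad_features):
            return "drop"
        hist.append(now)
        return "send"
```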
As shown in Figure 4, in the method of this embodiment the client tunnel device's own data detection module prevents the client tunnel device from being misused to launch attacks.
Optionally, the method of this embodiment further comprises:
Step S209: when the determination is positive, discard the second-type protocol message.
Following step S206, in step S209, when the tunnel service device determines that one of the message parameters of the UDP message matches an attack characteristic of a network attack, the UDP message is discarded.
Optionally, the method of this embodiment further comprises:
Step S301: receive the second-type protocol message returned by the server.
Step S301 differs from step S208. As shown in Figure 4, during sending, when the message parameters of the UDP message are found not to match any attack characteristic, the sending module sends the UDP message. In step S301 the receiving module receives the UDP message returned by the server; data from the server is configured to be regarded as safe in order to speed up processing, the message then undergoes feature decryption, and the decrypted UDP message is passed to the application-layer protocol docking device.
Specifically, in the method of this embodiment, when a UDP message reaches the receiving module of the tunnel service device it is handed directly to the data detection module for a legitimacy check. Alternatively, to speed up processing, this module can be skipped entirely on the client side and the data sent by the server trusted unconditionally.
Step S302: match the destination address of the second-type protocol message to the corresponding forwarding port.
Unlike step S206, as shown in Figure 4, when a UDP message is received the tunnel core configuration module can, to speed up processing, configure the data detection module to skip detection and trust the data sent by the server unconditionally; the data decryption module decrypts the received UDP message, and the tunnel pipeline device in the application-layer protocol docking device then receives the decrypted UDP message.
In step S302, after receiving the decrypted UDP message, the tunnel pipeline device matches its destination address to a forwarding port. If the UDP message returned by the server corresponds to a UDP message sent by the client's TCP tunnel conversion device, the tunnel pipeline device returns the decrypted UDP message to the TCP tunnel conversion device, which delivers it to the client application through the local TCP server it created. Likewise, if the UDP message returned by the server corresponds to a UDP message sent by the client's UDP takeover device, the tunnel pipeline device returns the decrypted UDP message to the UDP takeover device, which delivers it to the client application.
Step S303: return the second-type protocol message through the forwarding port.
Following step S302, in which the tunnel pipeline device matches the UDP destination address and obtains a forwarding port, step S303 returns the UDP message to the client application through that forwarding port.
Further, optionally, returning the second-type protocol message through the forwarding port in step S303 comprises:
Step 1: detect the type of protocol message supported by the forwarding port corresponding to the destination address.
In Step 1 of step S303, to return the second-type protocol message through the forwarding port, the type of protocol message supported by the forwarding port corresponding to the destination address is detected; that is, it is determined whether the forwarding port corresponding to the destination address in the UDP message supports TCP messages or UDP messages.
Step 2: send the second-type protocol message according to the type of protocol message supported by the forwarding port.
Following the detection in Step 1, in Step 2 the UDP message is sent through the corresponding forwarding port according to the detected type of protocol message supported by that port. How the second-type protocol message is sent according to the port's supported type is described in steps A and B, or in step A'.
Optionally, sending the second-type protocol message in Step 2 according to the type of protocol message supported by the forwarding port comprises:
Step A: when the type of protocol message supported by the forwarding port is detected to be the first type, obtain the data in the second-type protocol message;
Step B: return the data through the corresponding forwarding port.
Taking steps A and B together, when the tunnel pipeline device detects that the forwarding port supports TCP messages, the TCP tunnel conversion device obtains the data in the UDP message through its local TCP server and returns that data through the forwarding port corresponding to the TCP tunnel conversion device.
Optionally, sending the second-type protocol message in Step 2 according to the type of protocol message supported by the forwarding port comprises:
Step A': when the type of protocol message supported by the forwarding port is detected to be the second type, return the second-type protocol message through the corresponding forwarding port.
In step A', when the tunnel pipeline device detects that the forwarding port supports UDP messages, the UDP takeover device returns the received UDP message through the corresponding port.
In the method of this embodiment, the client tunnel device shown in Figure 2 is configured on the client side. The message type of a received protocol message is detected to determine whether it is the message type used for communication in the VPN tunnel; if it is not, the protocol message is converted into that type. An encryption rule is matched to the protocol message according to its service type and the protocol message is encrypted accordingly; it is then determined whether the protocol message has the attack characteristics of a network attack, which decides whether the protocol message is sent to the server. The method of this embodiment can be applied in a Challenge Collapsar (CC) attack environment: deploying a data detection module on the client side prevents the tunnel device from being misused to launch attacks. In addition, by using UDP messages, a communication protocol supported by all network devices, this embodiment solves the VPN compatibility problem, and by matching an encryption rule to the service type of the protocol message the scope and measures of encryption can be adjusted flexibly, shortening data processing time and improving efficiency during detection and decryption on the server side.
Furthermore, because the method of this embodiment is based on UDP, it amounts to an application-layer program. This distinguishes it from the related art in a diskless-workstation environment, where adding hardware such as a network card requires a restart, and on a diskless workstation every change is reverted once the machine restarts; the method of this embodiment therefore does not require adding hardware such as a network card.
实施例2Example 2
本申请提供了如图5所示的用于构建虚拟专用网络的方法。图5是根据本发明实施例二的用于构建虚拟专用网络的方法的流程图。The present application provides a method for constructing a virtual private network as shown in Figure 5. Figure 5 is a flow chart of a method for constructing a virtual private network according to a second embodiment of the present invention.
步骤S502,接收客户端发送的第二类协议报文;Step S502: receiving a second type protocol message sent by the client;
本申请实施例提供的用于构建虚拟专用网络的方法可以适用于虚拟专用网络(Virtual Private Network,简称VPN)的建立,其中,以用户数据报协议(User DatagramProtocol,简称UDP)作为VPN隧道通信协议,解决VPN隧道两侧设备存在对特定通信协议的不兼容的问题。The method for constructing a virtual private network provided in an embodiment of the present application can be applied to the establishment of a virtual private network (VPN), wherein the User Datagram Protocol (UDP) is used as the VPN tunnel communication protocol to solve the problem of incompatibility between devices on both sides of the VPN tunnel for specific communication protocols.
本申请上述步骤S502中,对应实施例一中,在客户端侧配置的客户端隧道装置,图6(a)是根据本发明实施例二的用于构建虚拟专用网络的方法中隧道终结装置的结构示意图,如图6(a)所示,本申请实施例二中在网络设备侧,配置隧道终结装置接收由客户端隧道装置发送的第二类协议报文,并对该第二类协议报文进行解析处理,其中,在本申请实施例中第二类协议报文为用户数据报协议(User Datagram Protocol,简称UDP)报文,在网络设备侧配置隧道终结装置的过程中与客户端一样,通过以UDP协议报文作为通用通信协议,以达到客户端与网络侧设备端兼容的效果,避免了相关技术中由于VPN隧道的两侧设备不支持特定的通信协议带来的不兼容问题,规避了VPN隧道建立失败的现象发生。In the above step S502 of the present application, corresponding to the first embodiment, the client tunnel device is configured on the client side. Figure 6(a) is a structural diagram of the tunnel termination device in the method for building a virtual private network according to the second embodiment of the present application. As shown in Figure 6(a), in the second embodiment of the present application, on the network device side, a tunnel termination device is configured to receive the second type of protocol message sent by the client tunnel device, and parse and process the second type of protocol message. In the embodiment of the present application, the second type of protocol message is a User Datagram Protocol (UDP) message. In the process of configuring the tunnel termination device on the network device side, as with the client, UDP protocol messages are used as the general communication protocol to achieve compatibility between the client and the network side device, thereby avoiding the incompatibility problem caused by the devices on both sides of the VPN tunnel not supporting a specific communication protocol in the related technology, and avoiding the occurrence of the failure of VPN tunnel establishment.
其中,本申请实施例中协议报文的报文类型包括:用户数据报协议(UserDatagram Protocol,简称UDP)或传输控制协议(Transmission Control Protocol,简称TCP),在本申请实施例中将以TCP协议结构封装的报文作为第一类协议报文,将以UDP协议结构封装的报文作为第二类协议报文。Among them, the message types of the protocol messages in the embodiment of the present application include: User Datagram Protocol (UDP) or Transmission Control Protocol (TCP). In the embodiment of the present application, the message encapsulated in the TCP protocol structure is regarded as the first type of protocol message, and the message encapsulated in the UDP protocol structure is regarded as the second type of protocol message.
Step S504: determine whether the message parameters of the second-type protocol message carry the attack characteristics of a network attack.
Following step S502, the UDP protocol message sent by the client is received by the packet transceiver module of the tunnel termination device. In step S504 the data detection module of the tunnel termination device determines whether the message parameters of that UDP protocol message carry the attack characteristics of a network attack.
Unlike on the client side, on the network device side the data detection module cannot be skipped: every UDP protocol message received by the packet transceiver module in step S502 must have its legitimacy checked by the data detection module, so that messages are validated as quickly as possible and illegitimate data is discarded. This lowers the load on the data decryption module and on the system as a whole.
Step S506: if the determination result is no, send the second-type protocol message to the corresponding sending port according to the type of the server.
Following the security check of the UDP protocol message in step S504, when the result is that the message parameters of the UDP protocol message carry no attack characteristics of a network attack, the origin-return device within the tunnel termination device assigns the UDP protocol message a corresponding sending port according to the type of the server.
When the determination result is yes, the network device side discards the illegitimate UDP protocol message via the data detection module, which both reduces the load on the data decryption module and protects the server side.
From the above, the solution of Embodiment 2 receives the second-type protocol message sent by the client; determines whether its message parameters carry the attack characteristics of a network attack; and, if not, sends the second-type protocol message to the corresponding sending port according to the type of the server. This makes devices at the two ends of the VPN that support different communication protocols compatible, thereby achieving the technical effect of establishing a VPN tunnel and solving the technical problem that a VPN tunnel cannot be established because the devices at the two ends of the VPN are incompatible with a particular communication protocol.
Optionally, before step S506 sends the second-type protocol message to the corresponding sending port according to the type of the server, the method for building a virtual private network provided in this embodiment includes:
Step S505: decrypt the second-type protocol message according to a preset decryption rule.
In step S505, before step S506 sends the second-type protocol message to the corresponding sending port according to the type of the server, and as shown in Figure 6(a), the tunnel termination device must also have its data decryption module decrypt the UDP protocol messages that passed the data detection module's check.
The decryption rule is matched to the UDP protocol message according to the message's service type, and the data decryption module is instructed to perform feature decryption according to that rule. See Step 1 and Step 2 of step S505 for details.
Further and optionally, step S505, decrypting the second-type protocol message according to a preset decryption rule, includes:
Step 1: match the corresponding decryption rule according to the service type of the second-type protocol message.
In Step 1 of step S505, because UDP protocol messages have different service types, the way a UDP protocol message is encrypted also changes with its service type. Protocol messages used by the client and the network device side to set up a communication link may be regarded as using a simple encryption rule, so that the network device side performs a correspondingly simple decryption according to the service type of the protocol message, saving processing time and reducing the system's processing load. When actual service data is transmitted, multi-bit encryption is applied to the service data in the UDP protocol message and the network device side performs the corresponding multi-bit decryption, thereby protecting the data. Here multi-bit encryption may be encryption performed according to the characteristics of each message parameter in the UDP protocol message, and multi-bit decryption is the corresponding decryption of that multi-bit encryption.
Thus, by obtaining the service type of the UDP protocol message, the decryption rule corresponding to that message is matched.
Step 2: perform feature decryption on the second-type protocol message according to the decryption rule, where feature decryption means decrypting according to the message parameters of the second-type protocol message, and the message parameters include at least one of message length, feature value, sending rate and data size.
Based on the decryption rule obtained in Step 1, in Step 2 feature decryption is performed on the UDP protocol message according to that rule: the rule identifies the encrypted region of the UDP protocol message, which corresponds to message parameters of the UDP message structure (for example, at least one of message length, feature value, sending rate and data size), and the corresponding features of the UDP protocol message are decrypted as the rule directs.
The feature value among the message parameters may be the parity check value of the UDP protocol message.
In addition, as shown in Figure 6(a), after the UDP protocol message has been decrypted, the data restoration module restores the decrypted message so as to guard against damage introduced during decryption, yielding a complete decrypted UDP protocol message and ensuring that the UDP protocol message the server receives is accurate and complete.
Optionally, step S506, sending the decrypted second-type protocol message to the corresponding sending port according to the type of the server, includes:
Step 1: when the server type supports second-type protocol messages, send the second-type protocol message to the server through the first-type sending port, where the first-type sending port is the port corresponding to a server that supports second-type protocol messages.
In Step 1, sending the decrypted second-type protocol message to the corresponding sending port according to the type of the server requires determining the server type, so that the UDP protocol message can be assigned the sending port that matches each server type.
When the server type supports UDP protocol messages, the UDP protocol message is sent to the server through the first sending port, which may be the sending port of the data forwarding module shown in Figure 6(a).
Step 2: when the server type supports first-type protocol messages, obtain the data in the second-type protocol message and send that data to the server through the second-type sending port, where the second-type sending port is the port corresponding to a server that supports first-type protocol messages.
In Step 2, when the server type supports TCP protocol messages, the TCP protocol message is sent to the server through the second sending port, which may be the sending port of the data proxy module shown in Figure 6(a).
Combining Step 1 and Step 2, and as shown in Figure 6(a), the origin-return device offers two alternatives: a data proxy module and a data forwarding module. The main difference between them is whether they can resolve the protocol heterogeneity between the tunnel and the server. When the server provides its service over TCP, the proxy module must perform the conversion; when the server provides its service over UDP, the forwarding module can pass the data through transparently. The origin-return device thus ensures compatibility between the server side and the client, avoiding the incompatibility that arises in the related art when the devices at the two ends of a VPN tunnel do not support a particular communication protocol, and so avoiding failed VPN tunnel establishment.
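The tunnel termination pipeline of steps S502 to S506, as an added example that is not part of the patent: it models the data detection module's checks on the four named message parameters (message length, feature value as parity, sending rate, data size), the service-type rule matching and feature decryption of step S505, the data restoration module, and the choice between the forwarding port (UDP server) and the proxy port (TCP server); `build_packet` plays the client tunnel device so the flow runs end to end. The packet layout, thresholds, padding scheme and XOR stand-in ciphers are assumptions, since the patent specifies none of them.

```python
import struct
from collections import defaultdict, deque

# Constructed tunnel payload layout (an assumption, not the patent's format):
#   byte 0 service type (0 = link setup, 1 = business data); byte 1 feature value
#   (XOR parity of the encrypted payload); bytes 2-3 declared payload length,
#   big-endian; bytes 4.. encrypted, padded payload.
SERVICE_CONTROL, SERVICE_DATA = 0, 1

# Constructed thresholds standing in for the preset attack characteristics.
MAX_PACKET_LEN = 1200   # message length, bytes
MAX_DATA_SIZE = 1024    # data size (declared payload length), bytes
RATE_LIMIT, RATE_WINDOW = 20, 1.0   # sending rate: packets per client per second

# Constructed keys: the patent names no cipher, so a symmetric XOR stand-in
# plays the role of both the "simple" and the "multi-bit" rule.
SIMPLE_KEY, FEATURE_KEY, BLOCK = 0x5A, b"\x13\x37\xc0\xde", 4


def parity(data: bytes) -> int:
    """Feature value: XOR parity over the encrypted payload."""
    value = 0
    for b in data:
        value ^= b
    return value


class RateTracker:
    """Sliding-window per-client counter backing the sending-rate check."""
    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW):
        self.limit, self.window, self.seen = limit, window, defaultdict(deque)

    def allow(self, client: str, now: float) -> bool:
        q = self.seen[client]
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)
        return len(q) <= self.limit


def attack_feature(pkt: bytes, client: str, now: float, tracker: RateTracker):
    """Data detection module (S504): name of the matching attack characteristic, else None."""
    if len(pkt) < 4 or len(pkt) > MAX_PACKET_LEN:
        return "message_length"
    _svc, feature, declared = struct.unpack("!BBH", pkt[:4])
    payload = pkt[4:]
    if declared != len(payload):
        return "message_length"
    if declared > MAX_DATA_SIZE:
        return "data_size"
    if parity(payload) != feature:
        return "feature_value"
    if not tracker.allow(client, now):
        return "sending_rate"
    return None


def match_decrypt_rule(service_type: int) -> str:
    """S505 Step 1: the decryption rule follows the service type."""
    return "simple" if service_type == SERVICE_CONTROL else "feature"


def apply_rule(data: bytes, rule: str, declared_len: int) -> bytes:
    """S505 Step 2: 'simple' is a one-byte XOR; 'feature' mixes the message-length
    parameter and byte position into the key stream. XOR is its own inverse."""
    if rule == "simple":
        return bytes(b ^ SIMPLE_KEY for b in data)
    return bytes(b ^ FEATURE_KEY[i % 4] ^ (declared_len & 0xFF) ^ ((i * 7) & 0xFF)
                 for i, b in enumerate(data))


def restore(data: bytes):
    """Data restoration module: validate and strip padding; None if damaged."""
    if not data or len(data) % BLOCK:
        return None
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        return None
    return data[:-n]


def build_packet(service_type: int, plaintext: bytes) -> bytes:
    """Client tunnel device counterpart: pad, encrypt by service type, add header."""
    n = BLOCK - len(plaintext) % BLOCK
    padded = plaintext + bytes([n]) * n
    payload = apply_rule(padded, match_decrypt_rule(service_type), len(padded))
    return struct.pack("!BBH", service_type, parity(payload), len(payload)) + payload


def terminate(pkt: bytes, client: str, now: float, tracker: RateTracker, server_type: str):
    """S504 check -> S505 decrypt and restore -> S506 route; ("drop", reason) or (port, data)."""
    reason = attack_feature(pkt, client, now, tracker)
    if reason:
        return ("drop", reason)
    svc, _feature, declared = struct.unpack("!BBH", pkt[:4])
    plain = restore(apply_rule(pkt[4:], match_decrypt_rule(svc), declared))
    if plain is None:
        return ("drop", "restore_failed")
    if server_type == "udp":
        return ("forward_port", plain)   # data forwarding module: transparent pass-through
    return ("proxy_port", plain)         # data proxy module: hands the data to a TCP service
```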
The method for building a virtual private network provided in this embodiment may also be deployed together with the server side. The description of the method in this embodiment therefore takes its application on the network device side only as an example; any deployment that implements the method of this embodiment is acceptable, and no specific limitation is imposed.
In an optional solution of the above embodiment, as shown in Figure 6(b), the method for building a virtual private network may include the following steps:
Step a: the client detects the message type of a previously received protocol message.
A client tunnel device is configured at the client's application layer, and the application-layer protocol docking device detects the message type of the received protocol message. In this embodiment the client may be any UDP-capable terminal able to connect to the network, such as a laptop, desktop, tablet or personal computer (PC).
Step b: when the message type of the protocol message is the first-type protocol message, convert the protocol message into the second-type protocol message used for communication within the virtual private network.
Step c: examine the message parameters of the second-type protocol message and determine whether they carry the attack characteristics of a network attack.
Step d: if the determination result is no, send the second-type protocol message to the server.
If the determination result is yes, discard the second-type protocol message.
Step e: the server determines whether the message parameters of the second-type protocol message carry the attack characteristics of a network attack.
Step f: if the determination result is no, send the second-type protocol message to the corresponding sending port according to the type of the server.
When the determination result is yes, the server discards the illegitimate UDP protocol message via the data detection module, which both reduces the load on the data decryption module and protects the server side.
It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions. Those skilled in the art will appreciate that the present invention is not limited by the described order of actions, since according to the present invention some steps may be performed in another order or simultaneously. They will further appreciate that the embodiments described in this specification are all preferred embodiments, and that the actions and modules involved are not necessarily required by the present invention.
From the description of the above embodiments, those skilled in the art will clearly understand that the method for building a virtual private network according to the above embodiments may be implemented by software together with a necessary general-purpose hardware platform, or of course by hardware, although in many cases the former is the better implementation. On this understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, may be embodied as a software product stored on a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and comprising instructions that cause a terminal device (which may be a mobile phone, computer, server, network device or the like) to perform the methods described in the embodiments of the present invention.
Embodiment 3
According to an embodiment of the present invention, an apparatus embodiment for implementing the above method is also provided. The apparatus provided in this embodiment may run on the client.
Figure 7 is a schematic structural diagram of an apparatus for building a virtual private network according to Embodiment 3 of the present invention.
As shown in Figure 7, the apparatus includes a detection module 72, a conversion module 74, a judgment module 76 and a sending module 78.
The detection module 72 detects the message type of a previously received protocol message; the conversion module 74 converts the protocol message into the second-type protocol message used for communication within the virtual private network when its message type is the first-type protocol message; the judgment module 76 examines the message parameters of the second-type protocol message and determines whether they carry the attack characteristics of a network attack; and the sending module 78 sends the second-type protocol message when the determination result is no.
From the above, the solution of Embodiment 3 detects the message type of a previously received protocol message; converts the protocol message into the second-type protocol message used for communication within the virtual private network when its type is the first-type protocol message; examines the message parameters of the second-type protocol message to determine whether they carry the attack characteristics of a network attack; and, if not, sends the second-type protocol message. This makes devices at the two ends of the VPN that support different communication protocols compatible, thereby achieving the technical effect of establishing a VPN tunnel and solving the technical problem that a VPN tunnel cannot be established because the devices at the two ends of the VPN are incompatible with a particular communication protocol.
It should be noted that the detection module 72, conversion module 74, judgment module 76 and sending module 78 correspond to steps S202 to S208 of Embodiment 1. The four modules implement the same examples and application scenarios as the corresponding steps, without being limited to what Embodiment 1 discloses. As part of the apparatus, these modules may run in the client tunnel device provided in Embodiment 1 and may be implemented in software or in hardware.
Optionally, Figure 8 is a schematic structural diagram of an apparatus for building a virtual private network according to Embodiment 3 of the present invention. As shown in Figure 8, the conversion module 74 includes an acquisition unit 741 and an encapsulation unit 742.
The acquisition unit 741 obtains the data in the protocol message, and the encapsulation unit 742 encapsulates that data according to the format of the second-type protocol message to obtain a protocol message whose type is the second-type protocol message.
It should be noted that the acquisition unit 741 and encapsulation unit 742 correspond to Step 1 and Step 2 of step S204 in Embodiment 1. The two units implement the same examples and application scenarios as the corresponding steps, without being limited to what Embodiment 1 discloses. As part of the apparatus, these units may run in the client tunnel device provided in Embodiment 1 and may be implemented in software or in hardware.
Optionally, Figure 9 is a schematic structural diagram of another apparatus for building a virtual private network according to Embodiment 3 of the present invention. As shown in Figure 9, the apparatus for building a virtual private network provided in this embodiment further includes an encryption module 95.
Before the message parameters of the second-type protocol message are examined, the encryption module 95 matches the corresponding encryption rule according to the service type of the protocol message and encrypts the second-type protocol message according to that rule, where the encryption rule specifies that the encryption level is changed according to the service type during encryption.
It should be noted that the encryption module 95 corresponds to step S205 of Embodiment 1. The module implements the same examples and application scenarios as the corresponding step, without being limited to what Embodiment 1 discloses. As part of the apparatus, it may run in the client tunnel device provided in Embodiment 1 and may be implemented in software or in hardware.
Further and optionally, Figure 10 is a schematic structural diagram of yet another apparatus for building a virtual private network according to Embodiment 3 of the present invention. As shown in Figure 10, the encryption module 95 includes an encryption unit 951.
The encryption unit 951 performs feature encryption on the second-type protocol message according to the encryption rule, where feature encryption is encryption based on the message parameters of the second-type protocol message.
It should be noted that the encryption unit 951 corresponds to Step 1 of step S205 in Embodiment 1. The unit implements the same examples and application scenarios as the corresponding step, without being limited to what Embodiment 1 discloses. As part of the apparatus, it may run in the client tunnel device provided in Embodiment 1 and may be implemented in software or in hardware.
Optionally, Figure 11 is a schematic structural diagram of a further apparatus for building a virtual private network according to Embodiment 3 of the present invention. As shown in Figure 11, the judgment module 76 includes a detection unit 761, a first judgment unit 762 and a second judgment unit 763.
The detection unit 761 detects the message length, feature value, sending rate and data size among the message parameters of the second-type protocol message; the first judgment unit 762 determines whether at least one of the message length, feature value, sending rate and data size matches a preset attack characteristic; and the second judgment unit 763 determines from the match between the message parameters and the attack characteristics whether the protocol message constitutes a network attack.
It should be noted that the detection unit 761, first judgment unit 762 and second judgment unit 763 correspond to Step 1 to Step 3 of step S206 in Embodiment 1. The three units implement the same examples and application scenarios as the corresponding steps, without being limited to what Embodiment 1 discloses. As part of the apparatus, these units may run in the client tunnel device provided in Embodiment 1 and may be implemented in software or in hardware.
Optionally, the apparatus for building a virtual private network provided in this embodiment further includes an execution module.
The execution module discards the protocol message when the determination result is yes.
It should be noted that the execution module corresponds to step S209 of Embodiment 1. The module implements the same examples and application scenarios as the corresponding step, without being limited to what Embodiment 1 discloses. As part of the apparatus, it may run in the client tunnel device provided in Embodiment 1 and may be implemented in software or in hardware.
Optionally, the apparatus for building a virtual private network provided in this embodiment further includes a receiving module, a matching module and a feedback module.
The receiving module receives the second-type protocol message returned by the server; the matching module matches the corresponding forwarding port according to the destination address of the second-type protocol message; and the feedback module returns the second-type protocol message through that forwarding port.
It should be noted that the receiving module, matching module and feedback module correspond to steps S301 to S303 of Embodiment 1. The three modules implement the same examples and application scenarios as the corresponding steps, without being limited to what Embodiment 1 discloses. As part of the apparatus, these modules may run in the client tunnel device provided in Embodiment 1 and may be implemented in software or in hardware.
Further and optionally, the feedback module includes a type detection unit and a sending unit.
The type detection unit detects the type of protocol message supported by the forwarding port corresponding to the destination address, and the sending unit sends the second-type protocol message according to the type of protocol message supported by that forwarding port.
It should be noted that the type detection unit and sending unit correspond to Step 1 and Step 2 of step S303 in Embodiment 1. The two units implement the same examples and application scenarios as the corresponding steps, without being limited to what Embodiment 1 discloses. As part of the apparatus, these units may run in the client tunnel device provided in Embodiment 1 and may be implemented in software or in hardware.
Optionally, the sending unit includes an acquisition subunit and a first sending subunit.
The acquisition subunit obtains the data in the second-type protocol message when the type of protocol message supported by the forwarding port is detected to be the first-type protocol message, and the first sending subunit returns that data through the corresponding forwarding port.
It should be noted that the type detection unit and sending unit correspond to step A and step B of Step 2 in Embodiment 1. The two units implement the same examples and application scenarios as the corresponding steps, without being limited to what Embodiment 1 discloses. As part of the apparatus, these units may run in the client tunnel device provided in Embodiment 1 and may be implemented in software or in hardware.
Optionally, the sending unit includes a second sending subunit.
The second sending subunit returns the second-type protocol message through the corresponding forwarding port when the type of protocol message supported by the forwarding port is detected to be the second-type protocol message.
It should be noted that the second sending subunit corresponds to step A' of Step 2 in Embodiment 1. The subunit implements the same examples and application scenarios as the corresponding step, without being limited to what Embodiment 1 discloses. As part of the apparatus, it may run in the client tunnel device provided in Embodiment 1 and may be implemented in software or in hardware.
Example 4
According to an embodiment of the present invention, an apparatus embodiment for implementing the method described in Example 2 is also provided. The apparatus provided in the above embodiment of the present application can run on a client.
FIG. 12 is a schematic structural diagram of an apparatus for building a virtual private network according to Example 4 of the present invention.
As shown in FIG. 12, the apparatus includes a receiving module 1202, a judging module 1204 and a sending module 1206,
where the receiving module 1202 is configured to receive the second-type protocol message sent by the client; the judging module 1204 is configured to judge whether the message parameters in the second-type protocol message have the attack characteristics of a network attack; and the sending module 1206 is configured to send the second-type protocol message to the corresponding sending port according to the type of the server when the judgment result is no.
As can be seen from the above, the solution provided in Example 4 of the present application receives the second-type protocol message sent by the client, judges whether the message parameters in the second-type protocol message have the attack characteristics of a network attack, and, when the judgment result is no, sends the second-type protocol message to the corresponding sending port according to the type of the server. This achieves compatibility between devices on the two sides of the VPN network that support different communication protocols, thereby achieving the technical effect of establishing a VPN tunnel, and thus solves the technical problem that a VPN tunnel cannot be established because the devices on the two sides of the VPN network are incompatible with a particular communication protocol.
It should be noted that the above receiving module 1202, judging module 1204 and sending module 1206 correspond to steps S502 to S506 in Example 2. The three modules implement the same examples and application scenarios as the corresponding steps, but are not limited to the contents disclosed in Example 2. The above modules, as part of the apparatus, can run in the tunnel termination device provided in Example 2 and can be implemented in software or in hardware.
Optionally, FIG. 13 is a schematic structural diagram of an apparatus for building a virtual private network according to Example 4 of the present invention. As shown in FIG. 13, the apparatus for building a virtual private network provided in this embodiment of the present application further includes a decryption module 1205,
where the decryption module 1205 is configured to decrypt the second-type protocol message according to a preset decryption rule before the second-type protocol message is sent to the corresponding sending port according to the type of the server.
It should be noted that the above decryption module 1205 corresponds to step S505 in Example 2. The module implements the same examples and application scenarios as the corresponding step, but is not limited to the contents disclosed in Example 2. The above module, as part of the apparatus, can run in the tunnel termination device provided in Example 2 and can be implemented in software or in hardware.
Further, optionally, FIG. 14 is a schematic structural diagram of another apparatus for building a virtual private network according to Example 4 of the present invention. As shown in FIG. 14, the decryption module 1205 includes a matching unit 12051 and a decryption unit 12052,
where the matching unit 12051 is configured to match the corresponding decryption rule according to the business type of the second-type protocol message; and the decryption unit 12052 is configured to perform feature decryption on the second-type protocol message according to the decryption rule, where feature decryption means decryption performed according to the message parameters in the second-type protocol message, and the message parameters include at least one of message length, feature value, sending rate and data size.
It should be noted that the above matching unit 12051 and decryption unit 12052 correspond to Step 1 and Step 2 of step S505 in Example 2. The two modules implement the same examples and application scenarios as the corresponding steps, but are not limited to the contents disclosed in Example 2. The above modules, as part of the apparatus, can run in the tunnel termination device provided in Example 2 and can be implemented in software or in hardware.
Optionally, FIG. 15 is a schematic structural diagram of yet another apparatus for building a virtual private network according to Example 4 of the present invention. As shown in FIG. 15, the sending module 1206 includes a first sending unit 12061 and a second sending unit 12062,
where the first sending unit 12061 is configured to send the second-type protocol message to the server through a first-type sending port when the type of the server is one that supports the second-type protocol message, the first-type sending port being the port corresponding to a server that supports the second-type protocol message; and the second sending unit 12062 is configured to acquire the data in the second-type protocol message and send that data to the server through a second-type sending port when the type of the server is one that supports the first-type protocol message, the second-type sending port being the port corresponding to a server that supports the first-type protocol message.
It should be noted that the above first sending unit 12061 and second sending unit 12062 correspond to Step 1 and Step 2 of step S506 in Example 2. The two modules implement the same examples and application scenarios as the corresponding steps, but are not limited to the contents disclosed in Example 2. The above modules, as part of the apparatus, can run in the tunnel termination device provided in Example 2 and can be implemented in software or in hardware.
Example 5
According to an embodiment of the present invention, a system embodiment for implementing the above method embodiments for building a virtual private network is also provided. The client tunnel device in the system for building a virtual private network provided in the above embodiments of the present application may be software in the application layer of the client.
FIG. 16 is a schematic structural diagram of a system for building a virtual private network according to an embodiment of the present application.
As shown in FIG. 16, the system includes a client tunnel device 1601 and a tunnel network device 1602, which are communicatively connected. The client tunnel device is configured to detect the message type of a received protocol message and convert a protocol message whose type is the first-type protocol message into a second-type protocol message used for communication in the virtual private network, to judge, by detecting the message parameters in the second-type protocol message, whether the protocol message has the attack characteristics of a network attack, and to send the protocol message when the judgment result is no. The tunnel network device, communicatively connected to the client tunnel device, is configured to receive the second-type protocol message sent by the client tunnel device, to detect whether the second-type protocol message carries a network attack, and, when the judgment result is no, to send the decrypted second-type protocol message to the corresponding sending port according to the type of the server. The client tunnel device is the apparatus for building a virtual private network shown in any one of FIGS. 9 to 11, and the tunnel network device is the apparatus for building a virtual private network shown in any one of FIGS. 12 to 15.
Optionally, the system further includes a server, and the tunnel network device is embedded in the server.
Example 6
An embodiment of the present invention further provides a storage medium. Optionally, in this embodiment, the storage medium can be used to store the program code executed by the method for building a virtual private network provided in Example 1.
Optionally, in this embodiment, the storage medium may be located in any computer terminal of a group of computer terminals in a computer network, or in any mobile terminal of a group of mobile terminals.
Optionally, in this embodiment, the storage medium is configured to store program code for executing the following steps: detecting the message type of a previously received protocol message; when the message type of the protocol message is the first-type protocol message, converting the protocol message into a second-type protocol message used for communication in the virtual private network; detecting the message parameters in the second-type protocol message and judging whether the message parameters have the attack characteristics of a network attack; and, when the judgment result is no, sending the second-type protocol message.
Optionally, the storage medium is further configured to store program code for executing the following steps: acquiring the data in the protocol message; and encapsulating the data according to the format of the second-type protocol message to obtain a protocol message whose message type is the second-type protocol message.
Optionally, the storage medium is further configured to store program code for executing the following steps: before the message parameters in the second-type protocol message are detected, matching the business type of the protocol message to obtain the corresponding encryption rule, and encrypting the second-type protocol message according to that encryption rule, where the encryption rule indicates that the encryption level is changed according to the business type during encryption.
Optionally, the storage medium is further configured to store program code for executing the following step: performing feature encryption on the second-type protocol message according to the encryption rule, where feature encryption is encryption performed according to the message parameters in the second-type protocol message.
Optionally, the storage medium is further configured to store program code for executing the following steps: detecting the message length, feature value, sending rate and data size among the message parameters of the second-type protocol message; judging whether at least one of the message length, feature value, sending rate and data size among the message parameters matches a preset attack characteristic; and judging, from the result of matching the message parameters against the attack characteristic, whether the protocol message carries a network attack.
Optionally, the storage medium is further configured to store program code for executing the following step: when the judgment result is yes, discarding the second-type protocol message.
Optionally, the storage medium is further configured to store program code for executing the following steps: receiving the second-type protocol message returned by the server; and returning the second-type protocol message through the forwarding port.
Optionally, the storage medium is further configured to store program code for executing the following steps: detecting the type of protocol message supported by the forwarding port corresponding to the destination address; and sending the second-type protocol message according to the type of protocol message supported by the forwarding port.
Optionally, the storage medium is further configured to store program code for executing the following steps: detecting the type of protocol message supported by the forwarding port corresponding to the destination address; and returning the data through the corresponding forwarding port.
Optionally, the storage medium is further configured to store program code for executing the following step: when it is detected that the type of protocol message supported by the forwarding port is the second-type protocol message, returning the second-type protocol message through the corresponding forwarding port.
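The following is an added example, not code from the patent, that models the client tunnel device steps listed above (Example 6) together with the tunnel termination device of Example 4 and the two-sided exchange of Example 5. The message formats, business types, preset attack characteristics, port names and the toy keystream cipher are all constructed assumptions; the patent specifies none of them, and the toy cipher stands in for whatever real cipher a "preset encryption rule" would select.

```python
import hashlib
from dataclasses import dataclass, replace


@dataclass
class TunnelMessage:
    """Constructed second-type (tunnel) message. A first-type message is a
    plain application dict such as {"business_type": "chat", "body": b"..."}."""
    business_type: str
    feature: str          # feature value: sha256 prefix of the plaintext payload
    send_rate: int        # sender's message rate in msgs/s, reported by the client
    data: bytes           # payload; ciphertext once apply_rule() has encrypted it
    encrypted: bool = False

    @property
    def length(self) -> int:
        return 16 + len(self.data)   # assumed 16-byte header plus payload


# Constructed preset attack characteristics used by has_attack_features().
ATTACK_FEATURES = {
    "max_length": 1040,
    "max_rate": 50,
    "max_data_size": 1024,
    "bad_features": {"deadbeef"},   # feature values known to belong to attacks
}

# Constructed per-business-type rules; the "encryption level" selects the key
# and is mixed into the keystream, so two business types never share one.
RULES = {
    "payment": {"level": 3, "key": b"payment-key"},
    "chat": {"level": 1, "key": b"chat-key"},
}


def detect_type(msg) -> str:
    """Detect the message type: a TunnelMessage is already second-type,
    anything else is treated as a first-type application message."""
    return "second" if isinstance(msg, TunnelMessage) else "first"


def encapsulate(msg: dict, send_rate: int) -> TunnelMessage:
    """Take the data out of a first-type message and wrap it in the
    second-type format (the conversion step)."""
    body = msg["body"]
    feature = hashlib.sha256(body).hexdigest()[:8]
    return TunnelMessage(msg["business_type"], feature, send_rate, body)


def _keystream(key: bytes, level: int, n: int) -> bytes:
    """Toy keystream (a stand-in for a real AEAD): SHA-256 over key, level
    and a block counter."""
    out = b""
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(key + bytes([level]) + counter.to_bytes(4, "big")).digest()
    return out[:n]


def apply_rule(tm: TunnelMessage) -> TunnelMessage:
    """Match the rule by business type and XOR the payload with its keystream;
    the same call therefore encrypts on the client and decrypts on the server."""
    rule = RULES.get(tm.business_type)
    if rule is None:
        raise ValueError(f"no encryption rule for business type {tm.business_type!r}")
    ks = _keystream(rule["key"], rule["level"], len(tm.data))
    return replace(tm, data=bytes(a ^ b for a, b in zip(tm.data, ks)),
                   encrypted=not tm.encrypted)


def has_attack_features(tm: TunnelMessage) -> bool:
    """Compare message length, feature value, sending rate and data size with
    the preset attack characteristics; one match marks the message as an attack."""
    f = ATTACK_FEATURES
    return (tm.length > f["max_length"]
            or tm.feature in f["bad_features"]
            or tm.send_rate > f["max_rate"]
            or len(tm.data) > f["max_data_size"])


def route(tm: TunnelMessage, peer_supports_second_type: bool):
    """Choose the port from the peer's type: a peer that speaks the tunnel
    protocol gets the whole envelope on the first-type port, any other peer
    gets only the data on the second-type port (port names are constructed)."""
    return ("port-1", tm) if peer_supports_second_type else ("port-2", tm.data)


def client_send(msg, send_rate: int):
    """Client tunnel device: detect, convert, encrypt, check, then send.
    Returns the tunnel message to send, or None when it is dropped."""
    tm = encapsulate(msg, send_rate) if detect_type(msg) == "first" else msg
    tm = apply_rule(tm)                 # encryption happens before the check
    return None if has_attack_features(tm) else tm


def server_receive(tm: TunnelMessage, server_supports_second_type: bool):
    """Tunnel termination device: check, decrypt, route by server type.
    Returns (port, payload), or None when the message is dropped."""
    if has_attack_features(tm):
        return None
    return route(apply_rule(tm), server_supports_second_type)
```

The same `route()` function serves the return path: when the client receives a second-type message back from the server, `route(msg, forwarding_port_supports_second_type)` yields either the whole message or only its data, which is the behaviour the two sending subunits above describe. An unknown business type has no rule and raises, which a deployed device should treat as a drop rather than forwarding the message unencrypted.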
Optionally, in this embodiment, the storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or any other medium capable of storing program code.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in Example 1, which are not repeated here.
The numbering of the above embodiments of the present invention is for description only and does not indicate that any embodiment is better or worse than another.
In the above embodiments of the present invention, the description of each embodiment has its own focus; for parts not described in detail in one embodiment, reference may be made to the relevant descriptions of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed technical content can be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the division into units is only a division by logical function; in an actual implementation there may be other divisions, for instance multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of these units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the various embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or the whole or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the method described in each embodiment of the present invention. The aforementioned storage medium includes a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or any other medium capable of storing program code.
The above are only preferred embodiments of the present invention. It should be pointed out that a person of ordinary skill in the art can make several improvements and refinements without departing from the principles of the present invention, and these improvements and refinements should also be regarded as falling within the scope of protection of the present invention.
Claims (24)
Publications (3)
| Publication Number | Publication Date |
|---|---|
| HK1240422A (en) | 2018-05-18 |
| HK1240422A1 (en) | 2018-05-18 |
| HK1240422B (en) | 2021-04-30 |