TWI581124B - A data packet of internet security system and a method thereof - Google Patents
A data packet of internet security system and a method thereof
- Publication number
- TWI581124B (application TW101101436A)
- Authority
- TW
- Taiwan
- Prior art keywords
- data packet
- computer system
- internet
- tcp
- blank
- Prior art date
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Description
The present invention relates to a data packet protection system for the Internet, and more particularly to a protection system that prevents computer systems without authorization from connecting into a local area network.
With advances in technology, enterprises have increasingly adopted Enterprise Resource Planning (ERP) systems for integrated management. The core idea is to apply information-system technology to manage an enterprise's resources, such as logistics, cash flow, information flow and human resources, in an integrated way, combining them into a supply-chain management process; that is, every link of the business is placed under systematic management so that enterprise resources are allocated optimally.
Referring to the first figure, the architecture of the ERP system 10 consists mainly of a client 12 and a server 14 connected through a network interface for data transfer; the server 14 in turn connects to a database host 16. The client 12 sends a query to the server 14, and the server 14 returns the retrieved data to the client 12. Some ERP system 10 architectures further insert middleware (not shown) between the client 12 and the server 14 to handle communication between the two ends, reducing the load on both and improving performance. Under this architecture, the computer system of each client 12 need not install access-interface software separately; it only has to run the user interface.
At present, the ERP systems 20 on the market use an n-tier architecture, and users operate them by loading web pages in a browser (web-based), as shown in the second figure. The user logs in through a Web Application Portal 22 and is directed by an Information Flow Engine 24 to middleware 26, which connects to a central database 28; data is transferred as Internet data packets.
Because an ERP system is built on connections between networks, security matters a great deal for the connected servers and for the network itself: unauthorized access to the company data network may result in the loss of important company information, or in external computers intruding to steal data. The prior art offers many methods for strengthening network security, including identification and authentication (I&A) and cryptography.
However, identification and authentication is prone to human error in configuration. If an employee leaves and the account and password are not removed, a management gap arises: the former employee can use an unauthorized computer system to reach the server and steal important internal company information. Credentials may also be leaked by insiders or stolen. These shortcomings put the security of important internal company information at risk.
In view of the above needs, the object of the present invention is to provide a data packet protection system for the Internet, and more particularly a protection system that prevents an unauthorized computer system from connecting into a local area network and then modifying or accessing internal data.
To achieve this object, the present invention provides an Internet data packet protection system comprising a plurality of first computer systems (i.e. client computer systems) whose operating system includes a filtering unit. The filtering unit intercepts data packets output by the operating system and adds an identification mark in a blank space of the packet's TCP/IP header. The system further comprises a second computer system (i.e. the server computer system) whose operating system includes a control unit. The control unit filters and monitors the data packets output by the first computer systems. A first computer system transmits the data packet over the network to the second computer system, and the control unit of the second computer system checks whether the blank space of the packet's TCP/IP header carries the identification mark. If it does, the packet is passed; if it does not, the packet is blocked.
The present invention further provides an Internet data packet protection system comprising a processing unit coupled to a network interface unit and connected through the Internet to a plurality of user terminals, for receiving the data packets that the computer systems of those user terminals transmit through the network interface unit; and a control unit coupled to the processing unit, whose main task is to filter and monitor the data packets. The control unit checks whether the blank space of the TCP/IP header of a data packet carries the identification mark. If the TCP/IP header carries the mark, the packet is passed; otherwise it is blocked.
The present invention further provides an Internet data packet protection system comprising a processing unit coupled to a network interface unit and connected through the Internet to a server, for transmitting a data packet to the server; and a filtering unit that intercepts the data packet transmitted by the processing unit and, before it is sent to the server, adds an identification mark in a blank space of the packet's TCP/IP header.
The present invention further provides an Internet data packet protection method in which a data packet is transmitted between a server and a user terminal through a network interface system. First, the processing unit of the computer system sends the data packet and a filtering unit intercepts it; the filtering unit adds an identification mark in a blank space of the intercepted packet's TCP/IP header. After the mark has been added, the packet is transmitted to the server through the network interface unit. The control unit of the server then checks whether the TCP/IP header of the received packet carries the identification mark. If the blank space of the header carries the mark, the control unit passes the packet; if it does not, the control unit blocks it.
The present invention further provides an Internet data packet protection system comprising a first computer system, which includes a first processing unit and a filtering unit coupled to it, and a second computer system, which includes a second processing unit and a control unit coupled to it. The first computer system transmits a data packet to the second computer system over the Internet, and the transmission comprises: (a) the first computer system sends the data packet; (b) the filtering unit of the first computer system intercepts the packet and adds an identification mark in a blank space of its TCP/IP header; (c) the second computer system receives the packet; (d) the control unit of the second computer system checks that the blank space of the packet's TCP/IP header carries the identification mark. The transmission further comprises: if the blank space carries the mark, the control unit of the second computer system passes the packet; if it does not, the control unit blocks it.
The present invention uses the filtering unit of the user-side computer system to add an identification mark in a blank space of the data packet's TCP/IP header, and sets up a firewall at the server that receives the packet, where the control unit of the server's computer system screens packets by checking for the mark. A packet that carries the mark passes the firewall and may reach the company's internal web pages to modify or read important data.
In other words, if a user connects to the company's internal web pages from an unauthorized computer, that computer system contains no filtering unit and cannot add the identification mark to the blank space of the TCP/IP header of the packets it sends. When such a packet reaches the server, the control unit of the server's computer system finds no mark in the blank space of the header, so the packet is blocked and cannot reach the internal web pages. This effectively prevents unauthorized external computers from accessing company data, and prevents the company data network from being intruded by external computers to steal data, so that data is not leaked.
The foregoing sets out the object of the present invention, the technical means of achieving it and the advantages it produces. The invention will be clearly understood from the following description of the preferred embodiments, together with the accompanying drawings and the claims.
The present invention is described in terms of preferred embodiments and aspects; such description explains the structure and steps of the invention and is illustrative only, not a limitation on the scope of the claims. Accordingly, besides the preferred embodiments in the specification, the invention may also be practised widely in other embodiments.
The present invention uses firewall technology to implement its Internet data packet protection system. In general, a firewall isolates a particular internal network (intranet) from the rest of the Internet, so that every data packet entering or leaving must pass through it. The firewall protects the organization's internal resources from intrusion from the external Internet mainly by admitting only certain protocols into the protected zone, or by filtering out every protocol not explicitly listed.
The present invention runs on computer-system equipment. As shown in the third figure, the computer systems of the user terminal and of the server each include a central processing unit (CPU) 301 and system memory 312, comprising read-only memory (ROM) 313 and random-access memory (RAM) 314, coupled to the CPU 301. The computer system operates using the BIOS stored in ROM 313, a set of basic routines that help the computer move information. Those skilled in the art will appreciate that the invention can also be applied to computers without a BIOS, such as the "POWER PC". A typical computer system includes a hard disk 310 coupled to the CPU 301 and a CD-ROM device 309 coupled to the CPU 301. The user enters commands through input devices such as a keyboard 305 and a mouse 306. A display unit 304 is coupled to the CPU 301. The computer system connects to a remote computer or server through a network interface. The operating system 311 and application programs 307 are loaded into the computer system from computer-readable media; the operating system 311 lets the application software 307 and programs handle various applications. A microphone and speaker 308 are coupled to the CPU 301, and an image capture device 302 is coupled to the CPU 301 for capturing images. A data packet protection system 303 is coupled to the CPU 301 and carries out the Internet data packet protection system and method of the present invention.
The present invention provides its Internet data packet protection system through settings in the header of the Transmission Control Protocol/Internet Protocol (TCP/IP). TCP/IP is a family of network communication protocols, developed under the Internet working committee, that lets different computer equipment and operating systems exchange messages through a common protocol. TCP/IP is a layered stack: the top layer is the application layer, which provides network applications such as WWW, FTP and e-mail, and the bottom layer is the physical layer, which carries transmission over physical network links such as Ethernet or fibre-optic cable. When a user terminal runs an Internet application, for instance viewing a web page in a browser, the data packets it generates travel from the top of the TCP/IP stack to the bottom, through each layer's protocol, and out over the network link; when the server receives the packets, they travel in reverse from the bottom layer up through each layer to the top, where the application finally interprets the message.
The work of the TCP/IP protocols is mainly to split a data message into data packets, check that the packets are correctly delivered to their destination, provide the route along which packets travel, and reassemble the packets into the original message once they arrive. Accordingly, when a packet is transmitted, the packet header carries, in addition to the file content itself, data such as the source address, destination address and packet number. Between these fields there are several blank spaces, that is, unused header positions; data placed there is not read during transmission and does not affect packet reassembly. Embodiments of the present invention add an identification mark in a blank space of the TCP/IP header, used to determine whether a received packet was transmitted from an authorized computer system, and thereby provide the Internet data packet protection system.
Referring to the fourth figure, a schematic of the architecture of the Internet data packet protection system of the present invention: in one embodiment, an Internet data packet protection system 303 includes a first computer system (user terminal) 401 and a second computer system (server) 402. The operating system of the first computer system 401 includes a filtering unit 4013 that intercepts data packets (not shown) transmitted by that operating system and adds an identification mark in a blank space of the packet's TCP/IP header. The operating system of the second computer system 402 includes a control unit 4023 that filters and monitors the data packets transmitted by the first computer system 401.
In this embodiment, the first computer system 401 transmits data packets to the second computer system 402 over the Internet 403, and the control unit 4023 of the second computer system 402 checks whether the blank space of the TCP/IP header of each packet sent from the first computer system 401 carries the identification mark. If the blank space carries the mark, the packet is passed; otherwise the packet is blocked.
In this embodiment the blank space of the TCP/IP header is, but is not limited to, a specific position. The filtering unit 4013 of the first computer system (user terminal) 401 intercepts the packet to be sent and adds the identification mark at a specific position in the packet's TCP/IP header; when the second computer system 402 receives the packet, its control unit 4023 filters and monitors the packets transmitted by the first computer system 401 and looks for the identification mark at that specific position in the header. If the mark is present the packet is passed; otherwise it is blocked.
In embodiments of the invention the identification mark may be any combination of letters, digits or symbols, for example, but not limited to, 1234-ABC, and may be set by the user as required.
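The tag-and-check mechanism described above, as an added example that is not code from the patent or from any product it describes. The page does not say which header position its "blank space" is; this example assumes a TCP option of experimental kind 254 and uses the page's own example value 1234-ABC as the mark. `build_packet` plays the client-side filtering unit (it crafts an IPv4+TCP segment with valid checksums and, for a managed host, the marker option); `control_unit` plays the server-side control unit, re-validating both checksums, walking the option list defensively and comparing the mark in constant time. `demo()` also makes the caveat a practitioner needs concrete: the mark travels in cleartext, so one captured packet from a managed host reveals it, which is why the I&A and encryption the page mentions still have to accompany it.

```python
"""Header-marker gate: client-side filtering unit and server-side control unit.

Added illustration, not code from the patent. Assumptions (not stated by the page):
the "blank space" is a TCP option of experimental kind 254, and the mark is the
page's example value 1234-ABC.
"""
import hmac
import socket
import struct

MARKER = b"1234-ABC"        # identification mark (the page's example value)
MARKER_OPTION_KIND = 254    # TCP option kind used to carry it (assumption)
IP_PROTO_TCP = 6


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum shared by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, sport, dport, seq, payload, marker=None):
    """Client side. Build an IPv4+TCP (PSH/ACK) packet with valid checksums.

    When `marker` is given this is the filtering unit's job: the mark goes into
    a TCP option and the options area is padded to a 32-bit boundary."""
    options = b""
    if marker is not None:
        opt = bytes([MARKER_OPTION_KIND, 2 + len(marker)]) + marker
        options = opt + b"\x00" * (-len(opt) % 4)   # end-of-list padding
    data_offset = 5 + len(options) // 4             # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      data_offset << 4, 0x18, 65535, 0, 0) + options
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, IP_PROTO_TCP, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, IP_PROTO_TCP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp + payload


def extract_marker(packet: bytes):
    """Server side. Return the mark carried in the TCP option, or None.

    None also covers non-IPv4/non-TCP input, truncated headers, bad checksums
    and malformed option lists, so nothing malformed can ever be passed."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl + 20 or total_len > len(packet):
        return None
    if _checksum(packet[:ihl]) != 0 or packet[9] != IP_PROTO_TCP:
        return None
    seg = packet[ihl:total_len]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, IP_PROTO_TCP, len(seg))
    if _checksum(pseudo + seg) != 0:
        return None
    data_offset = (seg[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(seg):
        return None
    opts, i = seg[20:data_offset], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts):              # length byte missing
            return None
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return None                     # length runs past the options area
        if kind == MARKER_OPTION_KIND:
            return opts[i + 2:i + length]
        i += length
    return None


def control_unit(packet: bytes, expected: bytes = MARKER) -> str:
    """Server side. 'pass' if the mark is present and correct, else 'block'.
    Constant-time compare so the check cannot be used as a byte-by-byte oracle."""
    found = extract_marker(packet)
    if found is not None and hmac.compare_digest(found, expected):
        return "pass"
    return "block"


def demo():
    """Three constructed packets bound for the internal ERP web server."""
    req = b"GET /erp/ HTTP/1.1\r\nHost: erp.example.internal\r\n\r\n"  # constructed
    managed = build_packet("10.0.0.5", "10.0.0.1", 40000, 80, 1000, req, MARKER)
    foreign = build_packet("203.0.113.7", "10.0.0.1", 40001, 80, 1000, req)
    guessed = build_packet("10.0.0.6", "10.0.0.1", 40002, 80, 1000, req, b"1234-ABD")
    return {
        "authorized": control_unit(managed),       # pass
        "unmanaged": control_unit(foreign),        # block: no mark at all
        "wrong_marker": control_unit(guessed),     # block: mark present but wrong
        # Caveat: the mark is a fixed cleartext string, so one captured packet
        # from a managed host is enough to learn and replay it.
        "marker_visible_on_wire": MARKER in managed,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the checksum re-validation matters: a packet whose payload was altered in transit fails the TCP checksum and is blocked even though its mark is intact, so the gate never passes a segment the stack itself would discard. A fixed mark, as the page describes, only proves that the sender knows the string; hosts that must also be authenticated per packet would replace the constant with a keyed MAC over the addresses and sequence number, which is outside what the page describes.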
In this embodiment the second computer system 402 further includes a packet buffer unit 4024 for storing the data packets that the network interface unit passes. It may optionally include an encryption/decryption unit: once a packet is stored in the packet buffer unit, the operating system of the second computer system automatically encrypts and decrypts it. Encryption uses an encryption algorithm (for example AES, the Advanced Encryption Standard, DES, 3DES or Blowfish); AES is taken as the example, but the scheme is not limited to it. AES key lengths are 128, 192 or 256 bits, and a transparent encryption/decryption format is used. (DES and 3DES are deprecated today and should not be chosen for new deployments; AES is the practical choice.)
Referring to the fifth figure, in one embodiment the invention provides an Internet data packet protection system 500 comprising a processing unit 501 and a control unit 503. The processing unit 501 is coupled to a network interface unit 502 and connected through the Internet 507 to a plurality of user terminals 506, to receive the data packets that the computer systems of those user terminals 506 transmit through the network interface unit 502. The control unit 503 is coupled to the processing unit 501 and filters and monitors the data packets.
In this embodiment, after the processing unit 501 receives a packet from a user terminal 506, the control unit 503 checks whether the TCP/IP header of the received packet carries the identification mark. The mark is added by the computer system of the user terminal 506 when the packet is sent, and identifies whether the packet was transmitted by an authorized computer system. If the blank space of the packet's TCP/IP header carries the mark, the packet is passed and the user terminal 506 can connect to the company's internal web pages to read or modify their data. Otherwise the packet is blocked and the user terminal 506 cannot connect to the internal web pages.
In this embodiment the Internet data packet protection system 500 further includes a packet buffer unit 504 for storing the data packets passed by the network interface unit 502. It may optionally include an encryption/decryption unit 505: once a packet is stored in the packet buffer unit 504, the system 500 automatically encrypts and decrypts it, so every action of the user terminal is encrypted and decrypted through the encryption/decryption unit 505 without waiting for the user to finish all reads or modifications, which avoids the security gaps that a user omission would otherwise create. Encryption uses an encryption algorithm (for example AES, DES, 3DES or Blowfish); AES is taken as the example, but the scheme is not limited to it. AES key lengths are 128, 192 or 256 bits, and a transparent encryption/decryption format is used.
Referring to the sixth figure, in one embodiment the invention provides an Internet data packet protection system 600 comprising a processing unit 601 and a filtering unit 603. The processing unit 601 is coupled to a network interface unit 602 and connected through the Internet 605 to a server 604, to transmit a data packet to the server 604. The filtering unit 603, coupled to the processing unit 601, intercepts the packet transmitted by the processing unit 601 and, before it is sent to the server 604, adds an identification mark in a blank space of the packet's TCP/IP header. Once the filtering unit 603 has added the mark, the processing unit 601 sends the packet to the server 604 through the network interface unit 602. In this embodiment the blank space of the TCP/IP header may be, but is not limited to, a specific position.
The identification mark added by the filtering unit 603 of this embodiment lets the receiver decide whether a packet came from an authorized computer system: if the mark is present, it did; otherwise it did not. The server 604 can thereby decide whether to pass the packet, and so control network information security.
The invention further provides an Internet data packet protection method in which a data packet is transmitted between a server and a user terminal through a network interface system. The steps are as follows; refer to the fourth figure and to the seventh figure, a flow chart of the method.
First, in step S701, the processing unit 4011 of the user terminal (first computer system 401) sends a data packet (not shown), for example when the user clicks in a browser to view an internal company web page. In step S702, the filtering unit 4013 of the user terminal intercepts the packet to be sent and adds an identification mark in a blank space of its TCP/IP header. The mark may be, but is not limited to, a combination of letters, digits or symbols, and the blank space may be, but is not limited to, a specific position.
In step S703, after the mark has been added, the processing unit 4011 of the user terminal sends the packet through the network interface unit 4012 to the server (second computer system 402). Finally, in step S704, after the server 402 receives the packet through the network interface unit 4022, its control unit 4023 monitors every received packet and checks whether the blank space of the TCP/IP header carries the identification mark, so as to filter for authorized packets.
本實施例中,網際網路之資料封包防護方法之步驟更包含,步驟S705,若伺服終端402所接收之資料封包之TCP/IP檔頭之空白處具有識別記號,則控制單元4023通過資料封包。亦即,使用者終端401可透過網際網路瀏覽伺服終端402之資料內容,對於公司之內部網頁可讀取或修改。反之,步驟S706,若伺服終端402所接收之資料封包之TCP/IP檔頭之空白處不具有識別記號,則控制單元4023阻擋資料封包,即使用者終端401無法成功連結伺服終端402,而無法讀取或修改公司之內部網頁。In this embodiment, the step of protecting the data packet protection method of the Internet further includes, in step S705, if the blank of the TCP/IP header of the data packet received by the server 402 has an identification mark, the control unit 4023 passes the data packet. . That is, the user terminal 401 can browse the data content of the server terminal 402 through the Internet, and can read or modify the internal webpage of the company. On the other hand, in step S706, if the blank of the TCP/IP header of the data packet received by the server 402 does not have the identification mark, the control unit 4023 blocks the data packet, that is, the user terminal 401 cannot successfully connect to the server 402, and cannot Read or modify the company's internal web pages.
本實施例中,若控制單元4023通過資料封包,而使用者終端401成功透過網際網路連結伺服終端402後,繼續執行步驟S707,所述資料封包儲存於伺服終端402之封包緩衝單元4024中。同時,當資料封包儲存於封包緩衝單元4024後,繼續執行步驟S708,伺服終端402之加解密單元4025自動加解密該資料封包。由於使用者終端401讀取或修改伺服終端402之動作,皆傳送至少一資料封包至伺服終端402,當使用者終端401之資料封包通過伺服終端402之控制單元4023號之識別後,伺服終端402之加解密單元4025自動加解密該資料封包,可增加公司內部資料之隱密性與安全性。In this embodiment, if the control unit 4023 passes the data packet and the user terminal 401 successfully connects to the server 402 through the Internet, the process proceeds to step S707, where the data packet is stored in the packet buffer unit 4024 of the server 402. At the same time, after the data packet is stored in the packet buffer unit 4024, the process proceeds to step S708, and the encryption and decryption unit 4025 of the server terminal 402 automatically encrypts and decrypts the data packet. Since the user terminal 401 reads or modifies the action of the server 402, at least one data packet is transmitted to the server terminal 402. When the data packet of the user terminal 401 is identified by the control unit 4023 of the server terminal 402, the server terminal 402 The encryption and decryption unit 4025 automatically encrypts and decrypts the data packet, which can increase the privacy and security of the company's internal data.
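The marking step (S702) and the server-side check and filtering (S704 to S707) of the method above, as an added example in Python; this is not code from the patent or from any product it describes. The patent leaves the "blank space" of the TCP/IP header unspecified, so the example assumes it is the TCP options area and carries the mark in a TCP option of kind 253 (a kind reserved for experimental use), with the mark value CORP, the port numbers, the MSS option and the HTTP payload all constructed for the demonstration. Options are parsed by kind and length rather than scanned for bytes, so an existing option whose last byte is zero (an MSS of 1280 is 0x0500) is not mistaken for end-of-list padding, and the data-offset field is recomputed so the rewritten header stays well-formed; the TCP checksum is left at zero for the real sender to recompute.

```python
import hmac
import struct

# Constructed values for this example; the patent leaves both unspecified.
MARK_OPTION_KIND = 253   # TCP option kind reserved for experimental use (assumed carrier)
MARK = b"CORP"           # the identification mark: any letters, digits or symbols


def build_segment(src_port, dst_port, options=b"", payload=b"", flags=0x02):
    """Build a minimal TCP segment (constructed input; checksum left as zero)."""
    options += b"\x00" * ((-len(options)) % 4)          # pad to 32-bit words
    data_offset = 5 + len(options) // 4                  # header length in words
    fixed = struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                        (data_offset << 12) | flags, 65535, 0, 0)
    return fixed + options + payload


def split_segment(segment):
    """Split a TCP segment into fixed header, options area and payload."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the fixed TCP header")
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    return segment[:20], segment[20:header_len], segment[header_len:]


def parse_options(opts):
    """Walk the options area and return (kind, data) pairs, stopping at EOL."""
    result, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of Option List: rest is padding
            break
        if kind == 1:                       # NOP has no length byte
            result.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        result.append((kind, opts[i + 2:i + length]))
        i += length
    return result


def serialize_options(options):
    """Encode (kind, data) pairs back into a padded options area."""
    out = bytearray()
    for kind, data in options:
        if kind == 1:
            out.append(1)
        else:
            out += bytes([kind, 2 + len(data)]) + data
    out += b"\x00" * ((-len(out)) % 4)
    if len(out) > 40:
        raise ValueError("options area is limited to 40 bytes")
    return bytes(out)


def assemble_segment(fixed, options, payload):
    """Re-join the parts, recomputing the data-offset nibble; flags are kept."""
    offset_flags = struct.unpack("!H", fixed[12:14])[0] & 0x0FFF
    offset_flags |= (5 + len(options) // 4) << 12
    return fixed[:12] + struct.pack("!H", offset_flags) + fixed[14:20] + options + payload


def add_mark(segment, mark=MARK):
    """Filtering unit 4013, step S702: insert the identification mark into the header."""
    fixed, opts, payload = split_segment(segment)
    options = parse_options(opts)
    if any(kind == MARK_OPTION_KIND for kind, _ in options):
        return segment                      # already marked; do not duplicate
    options.append((MARK_OPTION_KIND, mark))
    return assemble_segment(fixed, serialize_options(options), payload)


def has_mark(segment, mark=MARK):
    """Control unit 4023, step S704: does the header carry the expected mark?"""
    try:
        _, opts, _ = split_segment(segment)
        options = parse_options(opts)
    except ValueError:
        return False                        # malformed header: treat as unmarked
    return any(kind == MARK_OPTION_KIND and hmac.compare_digest(data, mark)
               for kind, data in options)


def control_unit(segments, mark=MARK):
    """Steps S705 to S707: pass marked segments into the packet buffer, block the rest."""
    packet_buffer, blocked = [], []
    for seg in segments:
        (packet_buffer if has_mark(seg, mark) else blocked).append(seg)
    return packet_buffer, blocked


if __name__ == "__main__":
    # Constructed traffic: an MSS option of 1280 (0x0500) ends in a zero byte,
    # which a naive "strip trailing zeros" rewrite would corrupt.
    request = build_segment(40000, 80, options=b"\x02\x04\x05\x00",
                            payload=b"GET /intranet/ HTTP/1.0\r\n\r\n")
    marked = add_mark(request)
    kept, dropped = control_unit([marked, request])
    print("passed:", len(kept), "blocked:", len(dropped))
```

The mark is a fixed value that travels in clear text, so this check only tells apart clients that run the filtering unit from those that do not; the patent accordingly pairs it with identity verification and with the encryption step S708 rather than presenting it as authentication on its own.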
In addition, it should be noted that the computer operating systems of the central processing unit 301, the processing unit 102 and each first computer system (user terminal) or second computer system (server terminal) described in the invention include, but are not limited to, the Windows operating system, the Linux operating system, Mac OS and other operating systems. The invention may further be restricted to execution in a browser of a particular operating system, for example IE, Firefox or Google... etc.
An advantage of the invention is that it can effectively prevent unauthorized computer systems from logging into the company's internal web pages and arbitrarily modifying or stealing confidential company data, thereby effectively preventing data leakage that would harm the company's interests.
Another advantage of the invention is that the settings of the filtering unit of the system can be modified according to the browsers of different operating systems, so that connection to the server terminal can be further restricted to a specific browser; combined with identity verification, this diversifies security controls and effectively reduces gaps in security control.
The above description is a preferred embodiment of the invention. Those skilled in the art will appreciate that it serves to illustrate the invention and not to limit the scope of the patent rights claimed. The scope of patent protection is determined by the appended claims and their equivalents. Any alteration or refinement made by those skilled in the art without departing from the spirit or scope of this patent is an equivalent change or design completed under the spirit disclosed by the invention and shall be included within the scope of the claims below.
10 ... EPR system
12 ... client
14 ... server terminal (server)
16 ... database host
20 ... ERP system
22 ... Web Application Portal
24 ... Information Flow Engine
26 ... middleware
28 ... central database
301 ... central processing unit (CPU)
302 ... image capture device
303 ... Internet data packet protection system
304 ... display unit
305 ... keyboard
306 ... mouse
307 ... application program
308 ... microphone and speaker
309 ... CD-ROM device
310 ... hard disk
311 ... operating system
312 ... system memory
313 ... read-only memory (ROM)
314 ... memory (RAM)
401 ... first computer system (user terminal)
4013 ... filtering unit
402 ... second computer system (server terminal)
4023 ... control unit
4024 ... packet buffer unit
403, 507, 605 ... Internet
500 ... Internet data packet protection system
501 ... processing unit
502 ... network interface unit
503 ... control unit
504 ... packet buffer unit
505 ... encryption/decryption unit
506 ... user terminal
600 ... Internet data packet protection system
601 ... processing unit
603 ... filtering unit
602 ... network interface unit
604 ... server terminal connection
S701 ... send data packet
S702 ... intercept the data packet and add the identification mark to the blank space of the TCP/IP header
S703 ... transmit to the server terminal
S704 ... verify the identification mark
S705 ... pass data packets carrying the identification mark
S706 ... block data packets without the identification mark
S707 ... store the data packet
S708 ... encrypt/decrypt
The first figure shows the architecture of an EPR system.
The second figure shows the multi-layer (n-tier) architecture of an ERP system.
The third figure is an architecture diagram of a computer system used to carry out the Internet data packet protection of the invention.
The fourth figure is an architecture diagram of an Internet data packet protection system according to an embodiment of the invention.
The fifth figure is an architecture diagram of an Internet data packet protection system according to another embodiment of the invention.
The sixth figure is an architecture diagram of an Internet data packet protection system according to another embodiment of the invention.
The seventh figure is a flow chart of the method of the Internet data packet protection system of the invention.
Claims (21)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW101101436A TWI581124B (en) | 2012-01-13 | 2012-01-13 | A data packet of internet security system and a method thereof |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW101101436A TWI581124B (en) | 2012-01-13 | 2012-01-13 | A data packet of internet security system and a method thereof |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TW201329775A TW201329775A (en) | 2013-07-16 |
| TWI581124B true TWI581124B (en) | 2017-05-01 |
Family
ID=49225755
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW101101436A TWI581124B (en) | 2012-01-13 | 2012-01-13 | A data packet of internet security system and a method thereof |
Country Status (1)
| Country | Link |
|---|---|
| TW (1) | TWI581124B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1353383A (en) * | 2000-11-02 | 2002-06-12 | 优硕资讯科技股份有限公司 | Electronic document transaction method and system |
| US20060195687A1 (en) * | 2005-02-28 | 2006-08-31 | International Business Machines Corporation | System and method for mapping an encrypted HTTPS network packet to a specific URL name and other data without decryption outside of a secure web server |
| CN101291247A (en) * | 2007-04-19 | 2008-10-22 | 研华股份有限公司 | Information transmission method for information service server |
2012
- 2012-01-13 TW TW101101436A patent/TWI581124B/en active
Also Published As
| Publication number | Publication date |
|---|---|
| TW201329775A (en) | 2013-07-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US12177189B2 (en) | | Data computation in a multi-domain cloud environment |
| US12425376B2 (en) | | Mapping between user interface fields and protocol information |
| JP6188832B2 (en) | | Method, computer program product, data processing system, and database system for processing database client requests |
| CN106295367A (en) | | Data ciphering method and device |
| JP2017112592A (en) | | System and method for encrypted transmission of web page |
| US11822643B2 (en) | | Method and system for creating quarantined workspaces through controlled interaction between a host and virtual guests |
| CN101741818B (en) | | Independent network safety encryption isolator arranged on network cable and isolation method thereof |
| CN117459327A (en) | | A cloud data transparent encryption protection method, system and device |
| CN112613000A (en) | | Sensitive information protection method and device, electronic equipment and readable storage medium |
| CN118869237B (en) | | Power grid physical asset data protection method and system based on G-AES algorithm |
| CN111209544B (en) | | Web application security protection method and device, electronic equipment and storage medium |
| Gai et al. | | Introduction to Cybersecurity in the Internet of Things |
| TWI581124B (en) | | A data packet of internet security system and a method thereof |
| JP2005309846A (en) | | Database protection system |
| CN108701195A (en) | | A kind of data security protection method and device |
| Kilic et al. | | iDeFEND: Intrusion detection framework for encrypted network data |
| RU2614928C1 (en) | | System and method for encryption during webpage transmitting to the user application |
| Anandappa et al. | | Cloud computing and security issues in the cloud |
| CN103259773A (en) | | An Internet data packet protection system and method thereof |
| CN106302454A (en) | | Sensitive data recognition methods and device |
| KR20200039550A (en) | | Method for real-time encryption packet separation and identification in high speed traffic and interworking with yara detection on identified packet, and apparatus thereof |
| Tharayil et al. | | Enhancing performance and security for data in motion in BIG DATA |
| KR20260018794A (en) | | A bidirectional application programming interface that enables the ability to perform operations in a unidirectional transmission system. |
| CN107124389A (en) | | A cloud data encryption analysis processing method |
| Jain et al. | | Session Layer Security Enhancement Using Customized Protocol and Strong Cryptographic Mechanism |