CN111835728B - Method and device for hiding privileges to access real network and protocol - Google Patents

Info

Publication number: CN111835728B
Authority: CN (China)
Prior art keywords: access, protocol, session, engine, protocol conversion
Legal status: Active
Application number: CN202010543491.XA
Other languages: Chinese (zh)
Other versions: CN111835728A (en)
Inventors: 邓祯恒, 陈明朗, 李志炜
Current Assignee: Guangzhou Haiyi Information Security Technology Co ltd
Original Assignee: Guangzhou Haiyi Information Security Technology Co ltd
Priority date: 2020-06-15
Filing date: 2020-06-15
Publication date: 2020-10-27 (CN111835728A), 2023-09-01 (CN111835728B)
Classifications

All classes fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 67/141 Setup of application sessions (under H04L 67/14 Session management; H04L 67/00 Network arrangements or protocols for supporting network services or applications)
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general (under H04L 63/00)
    • H04L 67/562 Brokering proxy services (under H04L 67/56 Provisioning of proxy services; H04L 67/50 Network services)
    • H04L 69/08 Protocols for interworking; protocol conversion (under H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)
    • H04L 69/22 Parsing or analysis of headers (under H04L 69/00)

Abstract

The invention discloses a method for hiding the real network and protocol of privileged access, which comprises the following steps: a) the target end establishes a session using its real protocol, and the established session is processed by a resource connection and protocol conversion engine; b) the resource connection and protocol conversion engine performs protocol conversion on the session from the target end and forwards the converted session to the access proxy engine; c) the access proxy engine performs secondary protocol encapsulation on the converted session and then forwards it to the access terminal; d) the access terminal receives the information encapsulated by the secondary protocol. The invention also relates to a device for implementing the method. The method and device have the following beneficial effects: the risk that the real protocol is hijacked and that the type and architecture of the target end are probed can be greatly reduced, and the security of privileged access between the access terminal and the target end is improved.

Description

Method and device for hiding privileges to access real network and protocol
Technical Field
The invention relates to the field of privileged access, and in particular to a method and a device for hiding the real network and protocol used during privileged access.
Background
When the access terminal performs privileged access directly against the target end, the real protocol the target end uses to create the session can be probed, which risks leaking the type of the target. While the session between the access terminal and the target end is being established, the protocol may also be maliciously hijacked, and a hijacker can even infer the architecture of the target end from the flow direction of the protocol. These risks pose significant security hazards. Fig. 1 is a flowchart of the conventional access method in which the access terminal performs privileged access directly with the target; this method carries the following risks: the type of the target end can be learned by probing the real protocol; the protocol may be hijacked; and the architecture of the target end can be learned from the protocol flow direction.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a method and a device for hiding the real network and protocol of privileged access, which can greatly reduce the risk that the real protocol is hijacked and that the type and architecture of the target end are probed, and increase the security of privileged access between the access terminal and the target end.
The technical solution adopted to solve this problem is as follows: a method for hiding privileged access to a real network and protocol, comprising the steps of:
a) The target end establishes a session using its real protocol, and the established session is processed by a resource connection and protocol conversion engine;
b) The resource connection and protocol conversion engine performs protocol conversion on the session from the target end and forwards the converted session to the access proxy engine;
c) The access proxy engine performs secondary protocol encapsulation on the converted session and then forwards it to the access terminal;
d) The access terminal receives the information encapsulated by the secondary protocol.
In the method for hiding privileged access to a real network and protocol according to the invention, the following steps are further included before step a):
a01) The access terminal sends an access request to the access proxy engine;
a02) The access proxy engine forwards the access request to the resource connection and protocol conversion engine;
a03) The resource connection and protocol conversion engine sends the access request to the target end.
In the method for hiding privileged access to a real network and protocol, the encapsulation protocol adopted for the secondary protocol encapsulation is over HTTPS.
The invention also relates to a device for implementing the method for hiding privileged access to a real network and protocol, which comprises:
session creation unit: used for the target end to establish a session using its real protocol, the established session being processed by a resource connection and protocol conversion engine;
session forwarding unit: used for the resource connection and protocol conversion engine to perform protocol conversion on the session from the target end and forward the converted session to the access proxy engine;
protocol encapsulation unit: used for the access proxy engine to perform secondary protocol encapsulation on the converted session and then forward it to the access terminal;
information receiving unit: used for the access terminal to receive the information encapsulated by the secondary protocol.
In the device of the invention, the device further comprises:
first access request sending unit: used for the access terminal to send the access request to the access proxy engine;
access request forwarding unit: used for the access proxy engine to forward the access request to the resource connection and protocol conversion engine;
second access request sending unit: used for the resource connection and protocol conversion engine to send the access request to the target end.
In the device of the invention, the encapsulation protocol adopted for the secondary protocol encapsulation is over HTTPS.
The method and device for hiding privileged access to a real network and protocol have the following beneficial effects. Because the target end creates the session using its real protocol and the created session is processed by the resource connection and protocol conversion engine; because that engine performs protocol conversion on the session from the target end and forwards the converted session to the access proxy engine; because the access proxy engine performs secondary protocol encapsulation on the converted session and forwards it to the access terminal; and because the access terminal receives only the information encapsulated by the secondary protocol, the invention can greatly reduce the risk that the real protocol is hijacked and that the type and architecture of the target end are probed, and increases the security of privileged access between the access terminal and the target end.
Drawings
In order to illustrate the embodiments of the invention or the prior-art solutions more clearly, the drawings required for the embodiments or for the description of the prior art are briefly described below. The drawings described here show only some embodiments of the invention; a person skilled in the art may obtain other drawings from them without inventive effort.
FIG. 1 is a flow chart of a conventional access terminal performing privileged access directly with a target terminal;
FIG. 2 is a flow chart of one embodiment of the method and apparatus for hiding privileged access to a real network and protocol of the present invention;
FIG. 3 is a flow diagram of the method of hiding privileged access to a real network and protocol in the embodiment;
FIG. 4 is a schematic view of the structure of the device in the embodiment.
Detailed Description
The embodiments of the present invention are described below clearly and completely with reference to the accompanying drawings. The embodiments described are only some, not all, of the embodiments of the invention. All other embodiments that a person skilled in the art can derive from these embodiments without inventive effort fall within the scope of the invention.
In an embodiment of the method and apparatus for hiding privileged access to a real network and protocol, the flow chart of the method is shown in FIG. 2 and the flow diagram of the method is shown in FIG. 3. In FIG. 2, the method of hiding privileged access to a real network and protocol includes the following steps:
Step S01, the target end creates a session using its real protocol, and the created session is processed by the resource connection and protocol conversion engine: in this step, the target end creates the session with the real protocol, and the created session is handed to the resource connection and protocol conversion engine for processing.
Step S02, the resource connection and protocol conversion engine performs protocol conversion on the session from the target end and forwards the converted session to the access proxy engine: in this step, the engine converts the session from the target end and forwards the converted session to the access proxy engine for further encapsulation.
Step S03, the access proxy engine performs secondary protocol encapsulation on the converted session and then forwards it to the access terminal: in this step, the access proxy engine applies the secondary protocol encapsulation to the converted session and forwards the encapsulated session to the access terminal. The encapsulation protocol adopted for the secondary protocol encapsulation is over HTTPS.
Step S04, the access terminal receives the information encapsulated by the secondary protocol: in this step, the access terminal receives the information encapsulated by the secondary protocol.
The method for hiding privileged access to a real network and protocol adds protocol conversion and protocol encapsulation between the access terminal and the target terminal, thereby hiding the real network and protocol during the privileged access process. Concretely, a resource connection and protocol conversion engine and an access proxy engine are added between the access terminal and the target terminal, and the real protocol coming from the target terminal undergoes protocol conversion and protocol encapsulation. Compared with the prior art, in which the access terminal performs privileged access directly against the target terminal, the method adds the resource connection and protocol conversion engine and the access proxy engine between the two, converts and encapsulates the real protocol used to create the session, and so hides the real network and protocol of the privileged access; this can greatly reduce the risk that the real protocol is hijacked and that the type and architecture of the target terminal are probed, and increases the security of privileged access between the access terminal and the target terminal.
It should be noted that, in this embodiment, the following steps are further included before step S01:
Step S001, the access terminal sends the access request to the access proxy engine: in this step, the access terminal sends its access request to the access proxy engine.
Step S002, the access proxy engine forwards the access request to the resource connection and protocol conversion engine: in this step, the access proxy engine forwards the access request to the resource connection and protocol conversion engine.
Step S003, the resource connection and protocol conversion engine sends the access request to the target end: in this step, the resource connection and protocol conversion engine sends the access request to the target end.
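The following Python model is an added illustration, not the patent's own code: it plays through steps a01 to a03 and a to d (S001 to S003 and S01 to S04 above) with two constructed engine classes, then checks what the access terminal actually receives against the direct-access path of Fig. 1. The resource inventory, session identifiers, protocol banners and the JSON-over-HTTPS framing are all assumptions made for the example.

```python
# Added example, not the patent's own code: a toy model of the chain
# access terminal -> access proxy engine -> resource connection and protocol
# conversion engine -> target end (steps a01-a03 and a-d). Every class, name
# and value below is constructed for illustration.
import base64
import json
from dataclasses import dataclass

# Constructed resource inventory: resource name -> (real protocol, host, port).
# In the patented scheme this stays inside the conversion engine only.
RESOURCES = {
    "db-admin": ("ssh", "10.0.5.21", 22),
    "jump-win": ("rdp", "10.0.5.40", 3389),
}

@dataclass
class RealSession:
    """Session the target end creates with its real protocol (step a)."""
    protocol: str
    host: str
    port: int
    payload: bytes

@dataclass
class InternalFrame:
    """Protocol-neutral frame produced by protocol conversion (step b)."""
    session_id: str
    payload: bytes

class ConversionEngine:
    """Resource connection and protocol conversion engine (constructed)."""
    def __init__(self):
        self._sessions = {}  # session_id -> RealSession, engine-side only

    def request_access(self, resource):
        # a02/a03: resolve the resource and send the request to the target end.
        proto, host, port = RESOURCES[resource]
        sid = f"s{len(self._sessions) + 1}"
        # Step a: the target end answers with its real protocol (constructed banner).
        banner = f"{proto.upper()}-2.0-target".encode()
        self._sessions[sid] = RealSession(proto, host, port, banner)
        return sid

    def convert(self, sid):
        # Step b: drop protocol, host and port; forward only an opaque frame.
        return InternalFrame(sid, self._sessions[sid].payload)

class AccessProxyEngine:
    """Access proxy engine: secondary encapsulation over HTTPS (step c)."""
    def __init__(self, conv):
        self._conv = conv

    def request_access(self, resource):
        # a01 -> a02: the terminal's request is forwarded, never answered locally.
        return self._conv.request_access(resource)

    def encapsulate(self, sid):
        frame = self._conv.convert(sid)
        # Modelled as an HTTP message body; TLS on the wire is assumed, not shown.
        body = json.dumps({"sid": frame.session_id,
                           "data": base64.b64encode(frame.payload).decode()})
        return {"headers": {"Content-Type": "application/json"}, "body": body}

def leaked_fields(received, sess):
    """Names of real-session details that appear in what the terminal received."""
    probes = (("protocol", sess.protocol), ("host", sess.host), ("port", str(sess.port)))
    return [name for name, val in probes if val.lower() in received.lower()]

def run_hidden(resource):
    """Steps a01..d through both engines; returns (terminal view, leaked fields)."""
    conv = ConversionEngine()
    proxy = AccessProxyEngine(conv)
    sid = proxy.request_access(resource)  # a01-a03
    msg = proxy.encapsulate(sid)          # a, b, c
    received = json.dumps(msg)            # d: everything the terminal sees
    return msg, leaked_fields(received, conv._sessions[sid])  # engine-side check

def run_direct(resource):
    """Prior-art path of Fig. 1: the terminal talks to the target end directly."""
    proto, host, port = RESOURCES[resource]
    sess = RealSession(proto, host, port, f"{proto.upper()}-2.0-target".encode())
    received = f"{host}:{port} {sess.payload.decode()}"
    return received, leaked_fields(received, sess)
```

The base64 framing is only a stand-in for opaque transport: the confidentiality the scheme relies on comes from the TLS layer that the model assumes, and the leak check shows which real-session details the two-engine path withholds from the terminal that the direct path exposes.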
The embodiment also relates to a device for implementing the method for hiding privileged access to a real network and protocol; the structural schematic of the device is shown in fig. 3. In fig. 3, the apparatus includes a session creation unit 1, a session forwarding unit 2, a protocol encapsulation unit 3 and an information receiving unit 4. The session creation unit 1 is used for the target end to create a session using its real protocol, the created session being processed by the resource connection and protocol conversion engine; the session forwarding unit 2 is used for the resource connection and protocol conversion engine to perform protocol conversion on the session from the target end and forward the converted session to the access proxy engine; the protocol encapsulation unit 3 is used for the access proxy engine to perform secondary protocol encapsulation on the converted session and then forward it to the access terminal, the encapsulation protocol adopted for the secondary protocol encapsulation being over HTTPS; and the information receiving unit 4 is used for the access terminal to receive the information encapsulated by the secondary protocol.
The device adds protocol conversion and protocol encapsulation between the access terminal and the target terminal, and so conceals the real network and protocol during the privileged access process. Concretely, a resource connection and protocol conversion engine and an access proxy engine are added between the access terminal and the target terminal, and the real protocol coming from the target terminal undergoes protocol conversion and protocol encapsulation. Compared with the prior art, in which the access terminal performs privileged access directly against the target terminal, the device adds the resource connection and protocol conversion engine and the access proxy engine between the access terminal and the target terminal, converts and encapsulates the real protocol used to create the session, and so hides the real network and protocol of the privileged access; this can greatly reduce the risk that the real protocol is hijacked and that the type and architecture of the target terminal are probed, and increases the security of privileged access between the access terminal and the target terminal.
In this embodiment, the apparatus further includes a first access request sending unit 5, an access request forwarding unit 6 and a second access request sending unit 7. The first access request sending unit 5 is used for the access terminal to send the access request to the access proxy engine; the access request forwarding unit 6 is used for the access proxy engine to forward the access request to the resource connection and protocol conversion engine; and the second access request sending unit 7 is used for the resource connection and protocol conversion engine to send the access request to the target end.
In summary, in this embodiment, to reduce the risks present in the conventional technology, protocol conversion and protocol encapsulation are added between the access terminal and the target terminal, so that the real network and protocol are hidden during the privileged access process and the security of the privileged access is increased. The invention can greatly reduce the risk that the real protocol is hijacked and that the type and architecture of the target end are probed, and increases the security of privileged access between the access terminal and the target end.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting; it is intended to cover all modifications, equivalents, alternatives and improvements that fall within the spirit and scope of the invention.

Claims (5)

1. A method for hiding privileged access to a real network and protocol, comprising the steps of:
a) The target end establishes a session using its real protocol, and the established session is processed by a resource connection and protocol conversion engine;
b) The resource connection and protocol conversion engine performs protocol conversion on the session from the target end and forwards the converted session to the access proxy engine;
c) The access proxy engine performs secondary protocol encapsulation on the converted session and then forwards it to the access terminal;
d) The access terminal receives the information encapsulated by the secondary protocol;
wherein the following steps are further included before step a):
a01) The access terminal sends an access request to the access proxy engine;
a02) The access proxy engine forwards the access request to the resource connection and protocol conversion engine;
a03) The resource connection and protocol conversion engine sends the access request to the target end.
2. The method of claim 1, wherein the secondary protocol encapsulation employs over HTTPS as its encapsulation protocol.
3. An apparatus for implementing the method for hiding privileged access to a real network and protocol as claimed in claim 1, comprising:
session creation unit: used for the target end to establish a session using its real protocol, the established session being processed by a resource connection and protocol conversion engine;
session forwarding unit: used for the resource connection and protocol conversion engine to perform protocol conversion on the session from the target end and forward the converted session to the access proxy engine;
protocol encapsulation unit: used for the access proxy engine to perform secondary protocol encapsulation on the converted session and then forward it to the access terminal;
information receiving unit: used for the access terminal to receive the information encapsulated by the secondary protocol.
4. The apparatus of claim 3, further comprising:
first access request sending unit: used for the access terminal to send the access request to the access proxy engine;
access request forwarding unit: used for the access proxy engine to forward the access request to the resource connection and protocol conversion engine;
second access request sending unit: used for the resource connection and protocol conversion engine to send the access request to the target end.
5. The apparatus of claim 3 or 4, wherein the secondary protocol encapsulation employs over HTTPS as its encapsulation protocol.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010543491.XA CN111835728B (en) 2020-06-15 2020-06-15 Method and device for hiding privileges to access real network and protocol

Publications (2)

Publication Number Publication Date
CN111835728A CN111835728A (en) 2020-10-27
CN111835728B true CN111835728B (en) 2023-09-01

Family

Family ID: 72898830

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101753531A (en) * 2008-12-19 2010-06-23 上海安达通信息安全技术股份有限公司 Method utilizing https/http protocol to realize encapsulation of IPsec protocol
CN105323310A (en) * 2015-09-30 2016-02-10 深圳市先河***技术有限公司 Network communication method, device and network attached storage device
CN107453861A (en) * 2016-05-30 2017-12-08 中国科学院声学研究所 A data collection method based on the SSH2 protocol
CN109284296A (en) * 2018-10-24 2019-01-29 北京云睿科技有限公司 A PB-scale distributed big-data information storage and retrieval platform
CN109756501A (en) * 2019-01-02 2019-05-14 中国科学院信息工程研究所 A kind of high concealment network agent method and system based on http protocol
CN110611594A (en) * 2019-09-23 2019-12-24 广州海颐信息安全技术有限公司 Method and device for multiple access and fault switching of main node of privileged system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9065856B2 (en) * 2013-02-01 2015-06-23 Vidder, Inc. Securing communication over a network using client system authorization and dynamically assigned proxy servers

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
An implementation scheme for a concealed network structure and its security analysis; 韩首魁; 张铮; 苏昆仑; 邰铭; Journal of Information Engineering University (No. 6); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant