CN111711612B - Communication control method, method and device for processing communication request - Google Patents
Communication control method, method and device for processing communication request Download PDFInfo
- Publication number
- CN111711612B CN111711612B CN202010453471.3A CN202010453471A CN111711612B CN 111711612 B CN111711612 B CN 111711612B CN 202010453471 A CN202010453471 A CN 202010453471A CN 111711612 B CN111711612 B CN 111711612B
- Authority
- CN
- China
- Prior art keywords
- container
- information
- communication
- safety
- secure
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/02—Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application discloses a communication control method, a method for processing a communication request piece and a device thereof. The communication method comprises the following steps: detecting a communication operation; determining container information of a first security container initiating a communication operation among a plurality of security containers currently running in a terminal; determining container information of a second safety container pointed by the selected communication operation based on the container information corresponding to each of a plurality of pre-configured safety containers to be selected; generating a communication request according to the container information of the first safety container and the container information of the second safety container; and sending the communication request to the server so that the server controls the communication between the first safety container and the second safety container according to the communication request. According to the method and the system, the communication request is processed through the server side, data does not need to be checked before communication, the influence on service development caused by data checking before communication is avoided, and the effect of preventing data leakage is achieved.
Description
Technical Field
The present application relates to the field of computer network security technologies, and in particular, to a communication control method, a method for processing a communication request, and an apparatus thereof.
Background
With the development of intelligent technology, data leakage events frequently occur. The data leakage event is mainly represented as: data leakage caused by attack on an intranet of an enterprise, data leakage caused by illegal access, data leakage caused by illegal password cracking, illegal copy of confidential data by using a mobile storage medium and the like.
In order to solve the data leakage problem, the following methods mainly exist: the method comprises the following steps of firstly, intercepting in advance, wherein a large amount of audits are required before data transmission; secondly, protection in the middle of affairs, wherein the method mainly realizes the cross protection of the network full flow and the terminal full channel by introducing a data driving mode, finds the leakage behavior of the sensitive data and supervises the reasonable use of the sensitive data; thirdly, audit after events, the mode is mainly that the leakage event is completely played back, so that a leakage place, a leakage person, action time and the like are positioned, and the function of tracing and obtaining evidence can be achieved.
There are some drawbacks to the above approaches. For example, for the prior interception mode, since a large amount of data needs to be checked, there are problems that the service development is affected and the service operation is inconvenient. For the protection in the affairs and the audit mode afterwards, the problem that the consequences caused by the generated data leakage cannot be remedied exists, or the problem that the cost of the remedy is high afterwards and the whole influence caused by the data leakage cannot be avoided exists due to the consumption of manpower, material resources, financial resources and the like.
Disclosure of Invention
The present application provides a communication control method, a method for processing a communication request, and an apparatus, a terminal and a storage medium thereof to solve at least one of the above technical problems.
According to a first aspect of the present application, there is provided a communication control method including:
detecting a communication operation;
determining container information of a first security container initiating a communication operation among a plurality of security containers currently running in a terminal;
determining container information of a second safety container pointed by the selected communication operation based on the container information corresponding to each of a plurality of pre-configured safety containers to be selected;
generating a communication request according to the container information of the first safety container and the container information of the second safety container;
and sending the communication request to the server so that the server controls the communication between the first safety container and the second safety container according to the communication request.
According to a second aspect of the present application, there is provided a method of processing a communication request, the method comprising:
acquiring a communication request;
determining container information of a third secure container which initiates the communication request and container information of a fourth secure container which receives the communication request;
determining a plurality of second set of container information based on a preconfigured communication control policy;
judging whether the container information of the third safety container and the container information of the fourth safety container are in the same second container information set or not;
and processing the communication request according to the judgment result.
According to a third aspect of the present application, there is provided a communication control apparatus comprising:
the operation detection module is used for detecting communication operation;
the first safety container determining module is used for determining container information of a first safety container initiating communication operation in a plurality of safety containers running in the current terminal;
the second safety container determining module is used for determining the container information of a second safety container pointed by the selected communication operation based on the container information corresponding to each of a plurality of pre-configured safety containers to be selected;
the communication request generating module is used for generating a communication request according to the container information of the first safety container and the container information of the second safety container;
and the communication request sending module is used for sending the communication request to the server so that the server controls the communication between the first safety container and the second safety container according to the communication request.
According to a fourth aspect of the present application, there is provided an apparatus for processing a communication request, the apparatus comprising:
a communication request acquisition module for acquiring a communication request;
the request information determining module is used for determining the container information of a third safety container which initiates the communication request and the container information of a fourth safety container which receives the communication request;
a communication policy information determination module to determine a plurality of second container information sets based on a preconfigured communication control policy;
the container information judging module is used for judging whether the container information of the third safety container and the container information of the fourth safety container are positioned in the same second container information set or not;
and the communication request processing module is used for processing the communication request according to the judgment result.
According to a fifth aspect of the present application, there is provided a terminal comprising: a memory, a processor and a computer program stored on the memory and executable on the processor, the processor when executing the computer program to implement the communication control method.
According to a sixth aspect of the present application, there is provided a server, where the terminal includes: a memory, a processor and a computer program stored on the memory and executable on the processor, the processor when executing the computer program implementing the method of processing a communication request as described above.
According to a seventh aspect of the present application, there is provided a computer-readable storage medium storing computer-executable instructions for performing the above-described communication control method.
According to an eighth aspect of the present application, there is provided a computer-readable storage medium storing computer-executable instructions for performing the method of processing a communication request described above.
According to the data classification method and device, a plurality of safety containers provide a space for isolating data for a current terminal, and the data classification function for data of different safety levels is achieved by means of the container isolation method; the determination of the first secure container and the second secure container provides a judgment basis for the security domains to which the two communicating containers belong, so that a communication request initiated by the first secure container is processed according to a judgment result, and the purpose of controlling communication between the first secure container and the second secure container is achieved.
The method determines the respective container information of the safety containers of both communication parties through the communication request, determines the plurality of second container information sets according to the pre-configured communication control strategy, judges whether the respective container information of the safety containers of both communication parties is located in the same second container information set according to the plurality of second container information sets, and processes the communication request according to the judgment result.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings used in the description of the embodiments of the present application will be briefly described below.
Fig. 1 is a schematic flowchart of a communication control method according to an embodiment of the present application;
fig. 2 is a flowchart illustrating a method for processing a communication request according to an embodiment of the present application;
fig. 3 is a block diagram structural diagram of an application system of a communication control method and a method for processing a communication request according to an embodiment of the present application;
fig. 4 is a schematic block diagram of a communication control apparatus according to an embodiment of the present application; and
fig. 5 is a block diagram schematically illustrating a structure of an apparatus for processing a communication request according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
It is noted that while functional block divisions are provided in device diagrams and logical sequences are shown in flowcharts, in some cases, steps shown or described may be performed in sequences other than block divisions within devices or flowcharts.
The terms appearing in the embodiments of the present application are explained below:
in the embodiment of the application, the secure container is a light-weight operating system virtualization mode, and accesses to external resources, including operating system resources such as a file system, a network, interprocess communication and the like, are performed by isolating programs started inside the container. It is possible to provide an isolated environment for the applications within the secure container and to make provisions for the network behavior of the applications, etc. Different safety containers may have different functions, and a change in one safety container does not affect the operating environment of the other safety containers.
In the embodiment of the present application, a security domain refers to a network or a system in the same environment, which has the same security protection requirement, mutual trust, and has the same security access control and boundary control policies. The security domain, as a security mechanism, may be a closed environment consisting of a plurality of security containers. Specifically, the security domain provides an isolation environment for the containers in the security domain, and makes provisions for network behaviors and the like in the security domain, and a plurality of security containers in the same security domain can perform network behaviors such as data flow and the like.
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
One embodiment of the present application provides a communication control method, as shown in fig. 1, the method including: step S101 to step S105.
Step S101: a communication operation is detected.
Specifically, the detection of the communication operation may be performed after the terminal is started.
Step S102: among a plurality of security containers currently operating in a terminal, container information of a first security container that initiates a communication operation is determined.
Specifically, the first secure container refers to a secure container in which a communication operation is currently initiated in the terminal.
Specifically, a plurality of security containers operating in the current terminal may each be represented by respective container information.
For example, assume that a secure container a, a secure container b, and a secure container c are currently operating in the terminal, and the container information of each of these three secure containers is: m1, M2 and M3. If it is detected that the user initiates a communication operation in the secure container a, M1 is used as the container information of the first secure container.
Step S103: and determining the container information of the second safety container pointed by the selected communication operation based on the container information corresponding to the plurality of safety containers to be selected.
Specifically, the container information generally includes a container name, a container number, and the like.
Specifically, a container information list may be provided through a preconfigured interactive interface, where the container information list is provided with container information corresponding to each of a plurality of secure containers to be selected, so that a user of a current terminal selects from the container information list, and selects a second secure container to which a communication operation is directed.
Specifically, the number of the second secure containers is generally determined depending on the user's selected operation, i.e., the user-selected second secure containers may be one or more.
Specifically, the second secure container may operate in both the current terminal and the other terminal. For example, the current terminal is a PC client, and if the second secure container operates at the current terminal, the current terminal initiates a communication operation between different secure containers in the same terminal; if the second security container runs on other PC clients, the current terminal initiates communication operation among different PC clients.
Step S104: and generating a communication request according to the container information of the first safety container and the container information of the second safety container.
Specifically, the communication request may be a request for storing data transmitted to another terminal, a request for reading data in another terminal, or a request for reading data or transmitting data between different secure containers in the current terminal.
Step S105: and sending the communication request to the server so that the server controls the communication between the first safety container and the second safety container according to the communication request.
According to the embodiment of the application, the space for isolating the data is provided by the plurality of the safety containers, and the data are classified by the way of isolating the data by the safety containers; the determination of the container information of the first safety container and the container information of the second safety container provides a container information basis for generating the communication request, so that the communication request is sent to the server, and the purpose of controlling the communication between the first safety container and the second safety container according to the server is achieved.
In some embodiments, as shown in fig. 1, before the step of step S102, the method further includes:
step S1021 (not shown): determining configuration information corresponding to a current terminal;
step S1022 (not shown in the figure): and according to the configuration information, performing container creation processing in the current terminal to obtain a plurality of safety containers operated in the current terminal, and determining container information corresponding to each of the plurality of safety containers.
In the embodiment of the present application, the configuration information is used to characterize information required to perform the container creation process.
Specifically, the configuration information corresponding to the current terminal may be stored locally at the current terminal, or may be stored at the server.
The embodiment of the application provides a function of creating the container for the terminal equipment through a container creating technology, so that the terminal performs container creating processing when executing the method provided by the application, and a plurality of security containers run in the terminal are obtained.
In an embodiment including step S1021, as shown in fig. 1, the step of step S1021 further includes: sending the equipment information of the current terminal to a server; and acquiring configuration information from the server.
The method and the device for providing the configuration information of the current terminal for the current terminal through the server side have the function of managing the configuration information corresponding to different terminals through the server side.
Specifically, the device information may include a terminal IP Address, a MAC Address (Media Access Control Address), and the like.
Specifically, before the current terminal sends the device information to the server, the user identity of the current terminal may also be verified. For example, the identity certificate is obtained through a pre-configured login interface, the identity certificate input by the user is matched with the authenticated identity certificate stored locally, and if the matching is successful, the identity of the user is confirmed to be verified; or the current terminal sends the identity certificate input by the user to the server so that the server matches the identity certificate with the authenticated identity certificate prestored in the server, and if the matching is successful, the user identity is confirmed to pass the verification. In particular, the identity credential may include a user account and an account key.
In some embodiments, the configuration information includes: the security domain configuration information comprises a plurality of security domain configuration information and encryption keys corresponding to the plurality of security domain configuration information.
In the embodiment of the present application, the security domain configuration information is used to characterize the security domain to which the created container belongs and its related information. In particular, the information relating to the security domain typically includes a range of IP addresses within the security domain.
In this embodiment of the present application, the encryption key is used to encrypt the virtual disk created for the container, so as to obtain a virtual encrypted disk.
In an embodiment including step S1022, as shown in fig. 1, the step of step S1022 further includes:
performing container creation processing according to the plurality of security domain configuration information to obtain a plurality of security containers operated in the current terminal;
creating a virtual disk and a virtual network card corresponding to each of the plurality of safety containers;
encrypting virtual disks corresponding to the plurality of security containers into virtual encrypted disks according to encryption keys corresponding to the plurality of security domain configuration information;
and determining container information corresponding to each of the plurality of secure containers according to the container creation processing result.
Specifically, the security domains to which the security containers created according to the different security domain configuration information belong are different.
Specifically, the multiple security containers running in the current terminal created according to the multiple security domain configuration information may belong to the same security domain or may belong to different security domains.
Specifically, the container information corresponding to any secure container generally includes an IP address of the current terminal, a container identifier, a container name, and other information uniquely characterizing the container. The container identifier may be represented in the form of a serial number, a document tag, or the like.
Specifically, when the current terminal sends a communication request to the server, the communication channel allocated to the current terminal may be encrypted by using the encryption key corresponding to the security domain configuration information, so as to achieve an effect of encrypting the communication channel.
In the embodiment of the application, the virtual network card is used for acquiring the allocated virtual IP address from the virtual IP address allocation server, so as to implement mutual communication between different security containers.
Specifically, when the security domain configuration information generally includes an IP address range of the terminal, the current terminal may send the security domain configuration information to the virtual IP address allocation server, so that the virtual IP address allocation server allocates virtual IP addresses to the multiple security containers in the current terminal according to the IP address range, so that the virtual IP addresses acquired by the multiple security domain containers respectively conform to the IP address range of the security domain to which the virtual IP addresses belong, and the security container is accessed to the local area network of the security domain to which the virtual IP address range belongs.
According to the method and the device, the container is created, the corresponding virtual encryption disk and the virtual network card are created for the created container, so that the created container can perform file operation according to the virtual encryption disk, the operated file is encrypted and decrypted, the effect of performing access control on data in the safety container is achieved, the data in the safety container is prevented from being leaked, and the purpose of improving the file confidentiality is achieved; meanwhile, the virtual IP address is obtained through the virtual network card, so that the container for receiving the communication request is determined for the subsequent operation terminal of the second safety container.
When applied, the new container creation process can be performed in the current terminal with reference to this embodiment. Specifically, after determining the security domain configuration information selected by the user, the corresponding encryption key is also determined. After the virtual disk is created at the current terminal, encryption processing is carried out by using an encryption key corresponding to the security domain configuration information selected by the user, and a virtual encryption disk is obtained; calling a local command, creating a new container according to security domain configuration information selected by a user, and mounting a virtual encryption disk to the new container; and calling a local command to create a virtual network card for the new container, and acquiring a virtual IP address from the virtual IP address allocation server through the virtual network card. Specifically, the current terminal may send the security domain configuration information according to the new container to the virtual IP address allocation server, so that the virtual IP address allocation server allocates a virtual IP address to the virtual network card of the new container, and the virtual IP address acquired by the new container conforms to the IP address range of the security domain pointed by the security domain configuration information selected by the user.
In some embodiments, the communication control method as shown in fig. 1 further comprises:
step S106 (not shown in the figure): and determining a file storage path query table of each of the plurality of security containers according to the virtual encryption disk corresponding to each of the plurality of security containers, so as to perform file query according to the file storage path query table.
In an embodiment of the present application, the file storage path query is used to characterize respective storage paths of different files in the secure container. The file storage path lookup table provides a function of positioning files for a terminal user, and the time of querying the files in the virtual encrypted disk by the user is shortened.
In some embodiments, before step S105, the method further includes: step S1051 (not shown in the figure): matching the container information of the second safety container with the container information corresponding to the plurality of safety containers operated in the current terminal, and judging whether the second safety container operates in the current terminal according to a matching result; step S105 further includes: step S1052 (not shown in the figure): and if the second safety container does not operate in the current terminal, sending the communication request to the server.
Specifically, the container information of the second secure container is inquired in a container information table pre-stored in the current terminal, and the container information table comprises the container information corresponding to each of the plurality of secure containers operating in the current terminal, so that whether the second secure container operates in the current terminal can be determined through inquiry, and when the communication operation is the communication operation between the cross-terminal secure containers, the communication between the cross-terminal secure containers is processed through the server, and the purpose of controlling the communication range is achieved.
In some embodiments, before step S105, the method further includes: judging whether the second safety container operates at the current terminal or not according to the container information of the second safety container; step S105 further includes: if the second safety container runs at the current terminal, a communication control strategy is obtained from the server; determining a plurality of first container information sets according to the communication control strategy; and if the container information of the first safety container and the container information of the second safety container are in the same first container information set, sending the communication request to the second safety container.
Specifically, the current terminal sends a request for obtaining a communication control policy to the server, so as to obtain the communication control policy fed back by the server.
In an embodiment of the present application, the first container information set includes container information corresponding to each of a plurality of secure containers that allow communication.
Specifically, the communication control policy is generally set to: different secure containers within the same secure domain are allowed to communicate, i.e. the first set of container information comprises respective container information of all secure containers within the same secure domain. Through the setting of the first container information set, the communication range is controlled in the same security domain, the access of a terminal outside the security domain to data in the security domain is prevented, the data in the domain is prevented from being leaked, and the security of data access is improved.
For example, assuming that the container information includes container identifiers, if the container identifier of the first secure container and the container identifier of the second secure container are both located in the same first container information set, it may be determined that the first secure container and the second secure container belong to the same security domain, and communication is allowed.
For example, assuming that the container information includes a virtual IP address, if the virtual IP address of the first secure container and the virtual IP address of the second secure container are both located in the same first container information set, it may be determined that the first secure container and the second secure container belong to the same security domain, and communication is allowed.
For example, assuming that the container information includes a security domain identifier, if the security domain identifier DEV of the first secure container and the security domain identifier OA of the second secure container are both located in the same first container information set, it may be determined that the first secure container and the second secure container belong to the same security domain, and communication is allowed.
In the embodiment of the application, the boundary of the security domain is not limited by a physical environment, and the security domain can be accessed by configuring related information dynamic networking, so that the software definition and the self-adaptive adjustment of the boundary of the security domain are realized. The physical environment includes a physical network environment (e.g., a local area network, a metropolitan area network, a wide area network, the internet, etc.), a physical machine environment (e.g., an internal device, an owned device, a mobile device, an IDC room, etc.), and the like.
Specifically, the communication control policy may be further set as: allowing designated multiple secure containers within the same secure domain to communicate. For example, assuming that secure domain 1 includes secure container a1, secure container b1, secure container c1, secure container d1, and secure container e1, the communication control policy is: allowing secure container a1, secure container b1, and secure container c1, which communicate. Thus, the first set of container information includes container information for secure container a1, secure container b1, and secure container c1 that allow communication within secure domain 1.
Specifically, the communication control policy may also be set as a communication policy between security containers across security domains, that is, the first container information set includes container information corresponding to a plurality of security containers corresponding to different security domains. For example, assuming that secure container a1, secure container b1 and secure container c1 are included in secure domain 1, secure container a2, secure container b2 and secure container c2 are included in secure domain 2, if the first set of container information includes the container information of secure container a1 and the container information of secure container a2, then secure container a1 located in secure domain 1 and secure container a2 located in secure domain 2 are allowed to communicate. That is to say, the container information of the security containers corresponding to the different security domains is set in the first container information set, so that the purpose of controlling communication between different security domains is achieved.
More specifically, a communication range label may be set for each of the plurality of first container information sets, and a security domain range allowing communication may be characterized by the communication range label. For example, the communication control policy includes two first container information sets, and the communication range labels of the two first container information sets are: the label is used for representing intra-domain communication labels allowing communication among different security containers in the same security domain, and the label is used for representing out-of-domain communication labels allowing communication of different security containers across security domains. Wherein, the intra-domain communication label can be a domain label of the security domain; the out-of-domain communication tags may include domain tags for each of two or even more security domains. When the communication range label is applied, whether the communication is intra-domain communication or cross-domain communication is determined.
In the embodiment of the application, the current terminal acquires a pre-configured communication control policy from the server, so as to determine whether the first security container and the second security container allow communication according to the communication control policy.
In some embodiments, before step S104, the method further includes: step S1041 and step S1042 (not shown in the figure), and step S104 includes step S1043 (not shown in the figure).
Step S1041: determining a security domain to which the first security container belongs and a target application initiating communication operation in the first security container;
step S1042: determining whether the target application is an authorized application of the security domain based on an application program control strategy pre-configured in the security domain;
step S1043: and if the target application is determined to be the authorized application of the security domain, generating a communication request according to the container information of the first security container and the container information of the second security container.
In particular, the security domain configuration information upon which the first security container is created determines the security domain to which it belongs.
The container information corresponding to each of the plurality of secure containers of the current terminal is determined according to the security domain configuration information according to which each secure container is created and the virtual IP addresses obtained by the virtual network cards corresponding to each of the plurality of secure containers. Therefore, the container information corresponding to each of the plurality of security containers of the current terminal may include the virtual IP address and the security domain pointed to by the security domain configuration information. Therefore, the security domain to which the first security container belongs can also be determined from the container information of the first security container.
According to the method and the device, the application program allowed to run in the security domain is controlled through the application program control strategy, so that unauthorized application is prevented from running in the container.
For example, assuming that the first secure container includes an icon of the application program x, when a start operation of the icon of the application program x is detected, whether the application program x is a legal application of the first secure container is determined according to an application program control policy of the first secure container, if it is determined that the application program x is the legal application of the first secure container, the application program x is controlled to run in the first secure container, otherwise, the application program x is restricted from running in the first secure container.
In some embodiments, after the step of determining that the target application is an authorized application of the security domain in step S1043, the method further includes:
determining access control information corresponding to the target application based on an access program control strategy pre-configured in a security domain;
and controlling the target application according to the access control information corresponding to the target application.
In this embodiment, the target application may be an application program such as a browser and an instant messaging tool.
According to the embodiment of the application, the access control strategy is used for controlling the access address of the application program such as the browser, and the effect of limiting the access range of the application program such as the browser is achieved.
In this embodiment of the present application, the access control policy is used to characterize a network address of an application allowed in the security domain or a network address prohibited from being accessed, and the network address allowed to be accessed by the application may be represented in the form of an IP address, a port number, and a URL (Uniform Resource Locator).
For example, assuming that the access control policy includes a plurality of websites of the game web pages which are prohibited from being accessed, if the accessed address is the website of the game web page which is prohibited from being accessed, the website access request may be intercepted or the network interface may be closed; and if the accessed address is not the website of the game webpage which is prohibited to be accessed, sending the website access request to a server for providing service for the browser.
In another embodiment of the present application, a method for processing a communication request is provided, as shown in fig. 2, including: step S201 to step S205.
Step S201: a communication request is obtained.
Specifically, the server acquires a communication request sent by the terminal.
Step S202: the container information of a third secure container that initiates the communication request is determined, and the container information of a fourth secure container that receives the communication request.
Specifically, the container information is generally set as information that uniquely characterizes the secure container, such as a container identifier.
Step S203: a plurality of second set of container information is determined based on a preconfigured communication control policy.
In an embodiment of the application, the plurality of second container information sets are used to characterize a plurality of allowed communication ranges.
Specifically, respective communication range tags may be set for the plurality of second container information sets, and whether to communicate within the domain or across the domain may be determined by the communication range tags.
For example, if the communication range tag of the second container information set is an intra-domain communication tag, the second container information set includes container information corresponding to each of a plurality of secure containers that are allowed to communicate.
Step S204: it is determined whether the container information of the third secure container and the container information of the fourth secure container are in the same second set of container information.
Specifically, the container information of the third secure container and the container information of the fourth secure container may be simultaneously queried in a plurality of second container information sets, and it is determined whether any second container information set is included and simultaneously includes the container information of the third secure container and the container information of the fourth secure container, so as to determine whether to allow the third secure container and the fourth secure container to communicate.
Step S205: and processing the communication request according to the judgment result.
In the embodiment of the present application, the respective container information of the secure containers of both the communication parties is determined by the communication request, and the plurality of second container information sets are determined according to the pre-configured communication control policy, so that whether the respective container information of the secure containers of both the communication parties is in the same second container information set is determined according to the plurality of second container information sets, and the communication request is processed according to the determination result.
In some embodiments, step S205 includes at least one of:
if the container information of the third secure container and the container information of the fourth secure container are in the same second container information set, sending the communication request to the fourth secure container;
and if the container information of the third secure container and the container information of the fourth secure container are in different second container information sets, intercepting the communication request.
Specifically, the third secure container and the fourth secure container may operate in the same terminal or in different terminals. For example, if the third secure container operates in a PC terminal, the fourth secure container may operate in the PC terminal, other PC terminals, or an IDC server.
Specifically, the second container information set may include container information of each of a plurality of secure containers in the same secure domain, or may also include container information corresponding to each of a plurality of secure containers belonging to different secure domains, that is, by configuring the second container information set, the purpose of controlling the range of the secure containers that allow communication is achieved.
It should be noted that the second container information set may be set with reference to the first container information set, and will not be described in detail here.
In some embodiments, the sending the communication request to the fourth secure container in step S205 further includes: step S2051 to step S2054 (not shown in the figure).
Step S2051: determining the association relationship between the device information and the container information corresponding to the plurality of terminals respectively;
step S2052: determining equipment information corresponding to container information of a fourth security container according to the association relationship between the equipment information and the container information corresponding to the terminals respectively;
step S2053: determining a receiving terminal for receiving the communication request based on the device information corresponding to the container information of the fourth secure container;
step S2054: and sending the communication request to the receiving terminal so that the fourth safety container of the receiving terminal acquires the communication request.
In the embodiment of the application, the server stores the association relationship between the device information and the container information corresponding to the plurality of terminals, so that the server determines the receiving terminal and forwards the communication request under the condition that the third secure container and the fourth secure container are allowed to communicate.
An embodiment of the present application further provides an application system, as shown in fig. 3, the application system includes: a trusted platform 100 and an electronic device. The electronic device may be a mobile terminal or a fixed terminal preinstalled with an operating system, such as a smart phone, a tablet computer, a desktop computer, and the like; the IDC server (i.e., internet data center) may also be used, for example, the IDC server generally includes a cloud, a central control room inside an enterprise, and the like. The application covers any suitable computer with an electronic device preinstalled with a Windows system, preferably a Linux system server.
In the embodiment of the present application, the electronic device includes a PC terminal 201, a PC terminal 202, a PC terminal 203, an IDC server 301, an IDC server 302, an IDC server 303, and an IDC server 304.
The following describes an interaction process between an electronic device and the trusted platform 100 by taking the PC terminal 201 and the IDC server 302 as an example.
The login process of the PC terminal 201 is:
when detecting the account login operation, the PC terminal 201 acquires an authentication credential input by the user. The authentication credentials typically include a username and a user password. The PC terminal 201 may verify the user identity of the user according to the locally stored registered user credential, or may send the authentication credential input by the user to the trusted platform 100, so that the trusted platform 100 verifies the user identity of the user. And if the user name and the user password are both correct, the user identity of the user passes the verification, and the user is a valid legal user. Under the condition that the user identity of the user is verified, the PC terminal 201 sends the device information of the PC terminal 201 to the trusted platform 100 to obtain a plurality of configuration-related information corresponding to the PC terminal 201, which is fed back by the trusted platform. After the PC terminal 201 acquires the configuration related information, it creates a container and a virtual encrypted disk of the container according to the security domain configuration information and the security domain key in the configuration related information, and creates a virtual network card for the container, so that the container acquires a virtual IP address through its virtual network card. To this end, the container creation processing is completed at the PC terminal 201, and it is determined that the PC terminal 201 completes the account login.
In a specific application, other PC terminals, such as the PC terminal 202 and the PC terminal 203, refer to the completed account registration of the PC terminal 201.
After the PC terminal 201 completes the account login, the PC terminal 201 acquires configuration information from the trusted platform 100, and thereby performs container creation processing on the PC terminal 201 to obtain a plurality of secure containers a11 and a12 operating in the PC terminal 201.
The login process of the IDC server 302 is as follows:
when the login operation of the IDC server 302 is detected, the authentication credential input by the user of the IDC server 302 may be acquired with reference to the PC terminal 201, and the user identity of the user of the IDC server 302 may be verified. After the verification is passed, the IDC server 302 sends the device information of the IDC server 302 to the trusted platform 100 to obtain the configuration-related information of the IDC server 302 fed back by the trusted platform 100. The IDC server 302 may include a physical MAC address, host information, and the like. After the IDC server 302 obtains the configuration related information, a container and a virtual encrypted disk of the container are created according to the security domain configuration information and the security domain key in the configuration related information, and a virtual network card is created for the container, so that the container obtains a virtual IP address through the virtual network card. To this end, the login of the IDC server 302 is completed. In particular, other IDC servers, such as IDC server 301, IDC server 303, and IDC server 304, may complete the login with reference to IDC server 302.
After the IDC server 302 completes account login, the configuration information is acquired from the trusted platform 100 by referring to the PC terminal 201, so that container creation processing is performed in the IDC server 302, and a secure container b11 and a secure container b12 running in the IDC server 302 are obtained. Thereafter, the IDC server 302 obtains the policies configured at the trusted platform 100, which may include communication control policies, application control policies, and access control policies, from the trusted platform. Wherein the communication control policy is configured to allow different security containers within the same security domain to communicate; the application control strategy is configured to be the application program allowed to run in the security domain; the access control policy is information such as accessible port, URL, etc. of the application allowed to run in the security domain.
In the embodiment shown in fig. 3, dashed boxes are used to characterize the same security domain. As shown in fig. 3, the PC terminal 201 is located in the same security domain as the IDC server 301 and the IDC server 302, and thus, the PC terminal 201 can communicate with the IDC server 301 and the IDC server 301 can communicate with the IDC server 302. The IDC server 304 is located in the same security domain as the IDC server 303 and can communicate with each other. The PC terminal 202 and the PC terminal 203 are located in the same security domain, and can communicate with each other. In the embodiment of the application, the communication transmission between different security containers in the same security domain adopts an encryption mode.
In fig. 3, the PC terminal 201 and the IDC server 304 are not located in the same security domain, and therefore, communication between the PC terminal 201 and the IDC server 304 is disabled. That is, whether the PC terminal 201 sends a communication request to the IDC server 304 or the IDC server 304 sends a communication request to the PC terminal 201, the trusted platform 100 performs the interception processing on the acquired communication request sent by the IDC server 304 or the communication request sent by the PC terminal 201.
An embodiment of the present application further provides a communication control apparatus, as shown in fig. 4, the apparatus includes: an operation detection module 401, a first secure container determination module 402, a second secure container determination module 403, a communication request generation module 404, and a communication request processing module 405.
The operation detection module 401 is configured to detect a communication operation;
a first secure container determining module 402, configured to determine container information of a first secure container that initiates a communication operation, among a plurality of secure containers that are currently running in a terminal;
a second safety container determination module 403, configured to determine, based on container information corresponding to each of a plurality of safety containers to be selected that are preconfigured, container information of a second safety container to which the selected communication operation is directed;
a communication request generating module 404, configured to generate a communication request according to the container information of the first secure container and the container information of the second secure container;
a communication request sending module 405, configured to send a communication request to the server, so that the server controls communication between the first secure container and the second secure container according to the communication request.
According to the embodiment of the application, the space for isolating the data is provided by the plurality of the safety containers, and the data are classified by the way of isolating the data by the safety containers; and the determination of the container information of the first safety container and the container information of the second safety container provides a container information basis for generating a communication request, so that the communication request is sent to a server, and the purpose of controlling the communication between the first safety container and the second safety container according to the server is realized.
Further, before determining container information of a first secure container initiating a communication operation among a plurality of secure containers currently operating in the terminal, the apparatus further includes: a configuration information determination module and a container creation processing module (not shown in the figure).
The configuration information determining module is used for determining the configuration information corresponding to the current terminal;
and the container creation processing module is used for performing container creation processing in the current terminal according to the configuration information to obtain a plurality of safety containers operated in the current terminal and determining container information corresponding to the plurality of safety containers.
Further, the configuration information determining module includes: a device information determination sub-module and a configuration information acquisition sub-module (not shown in the figure).
The equipment information determining submodule is used for sending the equipment information of the current terminal to the server;
and the configuration information acquisition submodule is used for acquiring the configuration information from the server.
Further, the configuration information includes:
the security domain management system comprises a plurality of security domain configuration information and a plurality of encryption keys corresponding to the security domain configuration information.
Further, the container creation processing module includes: a creation processing sub-module, a disk encryption sub-module, and a container information determination sub-module (not shown in the figure).
The creating processing submodule is used for creating a plurality of security containers which operate in the current terminal based on the configuration information of the plurality of security domains, and virtual disks and virtual network cards which correspond to the plurality of security containers respectively;
the disk encryption submodule is used for encrypting virtual disks corresponding to the plurality of security containers into virtual encrypted disks according to encryption keys corresponding to the plurality of security domain configuration information;
and the container information determining submodule is used for determining the container information corresponding to the plurality of the security containers according to the configuration information of the plurality of the security domains and the virtual IP addresses obtained by the virtual network cards corresponding to the plurality of the security containers.
Further, before sending the communication request to the server, the apparatus further includes:
a terminal determining module (not shown in the figure) for determining whether the second secure container operates in the current terminal according to the container information of the second secure container;
the communication request transmission module 405 includes:
and a first request sending submodule (not shown in the figure) for sending the communication request to the server side if the second secure container is not operated in the current terminal.
Further, the communication request sending module 405 includes: a communication policy acquisition sub-module, a container information set determination sub-module, and a second request transmission sub-module (not shown in the figure).
The communication strategy acquisition submodule is used for acquiring a communication control strategy from the server side if the second safety container operates at the current terminal;
a container information set determination submodule for determining a plurality of first container information sets according to a communication control policy;
and the second request sending submodule is used for sending the communication request to the second safety container if the container information of the first safety container and the container information of the second safety container are in the same first container information set.
Further, before generating the communication request according to the container information of the first secure container and the container information of the second secure container, the apparatus further includes: an application determination sub-module and an application judgment sub-module (not shown in the figure),
the application determination submodule is used for determining a security domain to which the first security container belongs and a target application initiating communication operation in the first security container;
the application judgment sub-module is used for determining whether the target application is an authorized application of the security domain based on an application program control strategy pre-configured in the security domain;
the communication request generation module comprises:
and the communication request generation submodule is used for generating a communication request according to the container information of the first safety container and the container information of the second safety container if the target application is determined to be the authorized application of the safety domain.
Further, after determining that the target application is an authorized application of the security domain, the apparatus further includes: an access control policy determination module and an application control module (not shown in the figure).
The access control strategy determining module is used for determining access control information corresponding to the target application based on an access program control strategy pre-configured in the security domain;
and the application control module is used for controlling the target application according to the access control information corresponding to the target application.
The communication control apparatus of this embodiment can execute the communication control method provided in this embodiment, and the implementation principles thereof are similar and will not be described herein again.
An embodiment of the present application further provides an apparatus for processing a communication request, as shown in fig. 5, the apparatus includes: a communication request acquisition module 501, a request information determination module 502, a communication policy information determination module 503, a container information judgment module 504, and a communication request processing module 505.
The communication request obtaining module 501 is configured to obtain a communication request;
a request information determining module 502, configured to determine container information of a third secure container that initiates the communication request, and container information of a fourth secure container that receives the communication request;
a communication policy information determination module 503 for determining a plurality of second container information sets based on a preconfigured communication control policy;
a container information determining module 504, configured to determine whether the container information of the third secure container and the container information of the fourth secure container are located in the same second container information set;
and a communication request processing module 505, configured to process the communication request according to the determination result.
The embodiment of the application determines the container information of the third safety container and the container information of the fourth safety container through the communication request, and determines a plurality of second container information sets based on the preconfigured communication control strategy, so as to judge whether the container information of the third safety container and the container information of the fourth safety container are located in the same second container information set, and further process the communication request according to the judgment result, thereby playing a role in controlling the communication range according to the communication control strategy, not only needing not to audit data before communication, but also avoiding the influence on service development caused by auditing data before communication, and also playing a role in preventing data from being leaked.
In some embodiments, the communication request processing module 505 comprises at least one sub-module of:
a first processing sub-module (not shown in the figure) for sending a communication request to a fourth secure container if the container information of the third secure container and the container information of the fourth secure container are in the same second container information set;
and a second processing sub-module (not shown in the figure) for intercepting the communication request if the container information of the third secure container and the container information of the fourth secure container are located in different second container information sets.
In some embodiments, the first processing submodule includes: a pre-storage terminal information determining unit, a reception terminal determining unit, and a request transmitting unit (not shown in the figure).
A pre-stored terminal information determining unit, configured to determine an association relationship between device information and container information corresponding to each of the multiple terminals;
the receiving terminal information determining unit is used for determining the equipment information corresponding to the container information of the fourth safety container according to the association relationship between the equipment information and the container information respectively corresponding to the plurality of terminals;
a receiving terminal determining unit configured to determine a receiving terminal for receiving the communication request based on the device information corresponding to the container information of the fourth secure container;
and the request sending unit is used for sending the communication request to the receiving terminal so that the fourth safety container of the receiving terminal acquires the communication request.
The apparatus for processing a communication request in this embodiment may execute the method for processing a communication request provided in this embodiment, which is similar to the implementation principle, and is not described here again.
An embodiment of the present application further provides a terminal, including: a memory, a processor and a computer program stored on the memory and executable on the processor, the processor when executing the computer program to implement the communication control method.
An embodiment of the present application further provides a server, including: a memory, a processor and a computer program stored on the memory and executable on the processor, the processor when executing the computer program implementing the method of processing a communication request as described above.
In particular, the processor may be a CPU, general purpose processor, DSP, ASIC, FPGA or other programmable logic device, transistor logic device, hardware component, or any combination thereof. Which may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. A processor may also be a combination of computing functions, e.g., comprising one or more microprocessors, a DSP and a microprocessor, or the like.
In particular, the processor is connected to the memory by a bus, which may include pathways for communicating information. The bus may be a PCI bus or an EISA bus, etc. The bus may be divided into an address bus, a data bus, a control bus, etc.
The memory may be, but is not limited to, a ROM or other type of static storage device that can store static information and instructions, a RAM or other type of dynamic storage device that can store information and instructions, an EEPROM, a CD-ROM or other optical disk storage, optical disk storage (including compact disk, laser disk, optical disk, digital versatile disk, blu-ray disk, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
Optionally, the memory is used for storing codes of computer programs for executing the scheme of the application, and the processor is used for controlling the execution. The processor is configured to execute application program code stored in the memory to implement the actions of the communication control apparatus provided in the embodiment shown in fig. 4 or to implement the actions of the apparatus for processing a communication request provided in the embodiment shown in fig. 5.
An embodiment of the present application further provides a computer-readable storage medium, which stores computer-executable instructions, where the computer-executable instructions are used to execute the communication control method shown in fig. 1.
An embodiment of the present application further provides a computer-readable storage medium, which stores computer-executable instructions for performing the method for processing a communication request shown in fig. 2.
The above-described embodiments of the apparatus are merely illustrative, and the units illustrated as separate components may or may not be physically separate, may be located in one place, or may be distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
One of ordinary skill in the art will appreciate that all or some of the steps, systems, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
While the present invention has been described with reference to the preferred embodiments, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (12)
1. A communication control method, comprising:
detecting a communication operation;
determining container information of a first security container initiating the communication operation in a plurality of security containers operating in a current terminal;
determining container information of a second safety container pointed by the selected communication operation based on the container information corresponding to each of a plurality of pre-configured safety containers to be selected;
generating a communication request according to the container information of the first safety container and the container information of the second safety container;
matching the container information of the second safety container with the container information corresponding to the plurality of safety containers operated in the current terminal, and judging whether the second safety container operates in the current terminal or not according to a matching result;
if the second safety container does not operate in the current terminal, sending the communication request to a server side so that the server side can control the communication between the first safety container and the second safety container according to the communication request;
if the second safety container operates at the current terminal, a communication control strategy is obtained from the server;
determining a plurality of first container information sets according to the communication control strategy;
and if the container information of the first safety container and the container information of the second safety container are in the same first container information set, sending the communication request to the second safety container.
2. The method according to claim 1, wherein before the step of determining the container information of the first secure container initiating the communication operation among the plurality of secure containers currently running in the terminal, the method further comprises:
determining configuration information corresponding to the current terminal;
according to the configuration information, container creation processing is carried out in the current terminal to obtain a plurality of safety containers operated in the current terminal;
and determining container information corresponding to each of the plurality of safety containers.
3. The method of claim 2, wherein the configuration information comprises:
the encryption key management system comprises a plurality of security domain configuration information and a plurality of encryption keys corresponding to the security domain configuration information.
4. The method according to claim 3, wherein the step of performing a container creation process in the current terminal according to the configuration information to obtain a plurality of the secure containers operating in the current terminal comprises:
performing container creation processing according to the plurality of security domain configuration information to obtain a plurality of security containers operated in the current terminal;
creating a virtual disk and a virtual network card corresponding to each of the plurality of the secure containers;
encrypting virtual disks corresponding to the plurality of security containers into virtual encrypted disks according to encryption keys corresponding to the plurality of security domain configuration information;
and determining container information corresponding to each of the plurality of secure containers according to the container creation processing result.
5. The method of claim 1,
before the step of generating the communication request according to the container information of the first secure container and the container information of the second secure container, the method further includes:
determining a security domain to which the first secure container belongs and a target application initiating the communication operation in the first secure container;
determining whether the target application is an authorized application of the secure domain based on an application control policy preconfigured within the secure domain;
the step of generating a communication request according to the container information of the first secure container and the container information of the second secure container includes:
and if the target application is determined to be an authorized application of the security domain, generating the communication request according to the container information of the first security container and the container information of the second security container.
6. The method of claim 5, wherein after the step of determining that the target application is an authorized application of the security domain, the method further comprises:
determining access control information corresponding to the target application based on an access program control policy pre-configured in the security domain;
and controlling the target application according to the access control information corresponding to the target application.
7. A method of processing a communication request, comprising:
acquiring a communication request;
determining container information of a third secure container which initiates the communication request, and container information of a fourth secure container which receives the communication request;
determining a plurality of second container information sets based on a preconfigured communication control policy;
judging whether the container information of the third safety container and the container information of the fourth safety container are in the same second container information set;
and processing the communication request according to the judgment result.
8. An apparatus for processing a communication request, comprising:
a communication request acquisition module for acquiring a communication request;
the request information determining module is used for determining the container information of a third safety container which initiates the communication request and the container information of a fourth safety container which receives the communication request;
a communication policy information determination module to determine a plurality of second container information sets based on a preconfigured communication control policy;
the container information judging module is used for judging whether the container information of the third safety container and the container information of the fourth safety container are in the same second container information set or not;
and the communication request processing module is used for processing the communication request according to the judgment result.
9. A terminal comprising a memory and a processor, the memory having stored thereon computer instructions executable on the processor, wherein the processor, when executing the computer instructions, performs the method of any one of claims 1 to 6.
10. A server comprising a memory and a processor, the memory having stored thereon computer instructions executable on the processor, wherein the processor, when executing the computer instructions, performs the method of claim 7.
11. A storage medium having stored thereon computer instructions, wherein the computer instructions when executed perform the method of any of claims 1 to 6.
12. A storage medium having stored thereon computer instructions which, when executed, perform the method of claim 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010453471.3A CN111711612B (en) | 2020-05-25 | 2020-05-25 | Communication control method, method and device for processing communication request |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010453471.3A CN111711612B (en) | 2020-05-25 | 2020-05-25 | Communication control method, method and device for processing communication request |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111711612A CN111711612A (en) | 2020-09-25 |
CN111711612B true CN111711612B (en) | 2022-07-12 |
Family
ID=72537891
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010453471.3A Active CN111711612B (en) | 2020-05-25 | 2020-05-25 | Communication control method, method and device for processing communication request |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111711612B (en) |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5920861A (en) * | 1997-02-25 | 1999-07-06 | Intertrust Technologies Corp. | Techniques for defining using and manipulating rights management data structures |
US20140281539A1 (en) * | 2012-03-30 | 2014-09-18 | Goldman, Sachs & Co. | Secure Mobile Framework With Operating System Integrity Checking |
WO2012126432A2 (en) * | 2012-05-29 | 2012-09-27 | 华为技术有限公司 | Method, device and system for data transmission |
US20140108793A1 (en) * | 2012-10-16 | 2014-04-17 | Citrix Systems, Inc. | Controlling mobile device access to secure data |
US20190230130A1 (en) * | 2013-09-20 | 2019-07-25 | Open Text Sa Ulc | System and method for updating downloaded applications using managed container |
CN104573507A (en) * | 2015-02-05 | 2015-04-29 | 浪潮电子信息产业股份有限公司 | Secure container and design method thereof |
CN105847108B (en) * | 2016-05-24 | 2019-01-15 | 中国联合网络通信集团有限公司 | Communication means and device between container |
US10439987B2 (en) * | 2017-06-12 | 2019-10-08 | Ca, Inc. | Systems and methods for securing network traffic flow in a multi-service containerized application |
-
2020
- 2020-05-25 CN CN202010453471.3A patent/CN111711612B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN111711612A (en) | 2020-09-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10652226B2 (en) | Securing communication over a network using dynamically assigned proxy servers | |
US11223480B2 (en) | Detecting compromised cloud-identity access information | |
US20180367528A1 (en) | Seamless Provision of Authentication Credential Data to Cloud-Based Assets on Demand | |
EP3014847B1 (en) | Secure hybrid file-sharing system | |
US11032270B1 (en) | Secure provisioning and validation of access tokens in network environments | |
US10587605B2 (en) | Certificate pinning in highly secure network environments using public key certificates obtained from a DHCP (dynamic host configuration protocol) server | |
EP3687140B1 (en) | On-demand and proactive detection of application misconfiguration security threats | |
EP3674938B1 (en) | Identifying computing processes on automation servers | |
US11855993B2 (en) | Data shield system with multi-factor authentication | |
CN113347072A (en) | VPN resource access method, device, electronic equipment and medium | |
US11977620B2 (en) | Attestation of application identity for inter-app communications | |
CN113992387A (en) | Resource management method, device, system, electronic equipment and readable storage medium | |
US11296878B2 (en) | Private key updating | |
CN111711612B (en) | Communication control method, method and device for processing communication request | |
US11757933B1 (en) | System and method for agentless lateral movement protection from ransomware for endpoints deployed under a default gateway with point to point links | |
US12143411B2 (en) | On-demand and proactive detection of application misconfiguration security threats | |
US11757934B1 (en) | Extended browser monitoring inbound connection requests for agentless lateral movement protection from ransomware for endpoints deployed under a default gateway with point to point links | |
CN114021094B (en) | Remote server login method, electronic device and storage medium | |
US20210314339A1 (en) | On-demand and proactive detection of application misconfiguration security threats | |
Tank et al. | Security analysis of OpenStack keystone | |
CN117061140A (en) | Penetration defense method and related device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |