[go: up one dir, main page]

CN103051608B - A kind of method and apparatus of movable equipment access monitoring - Google Patents

A kind of method and apparatus of movable equipment access monitoring Download PDF

Info

Publication number
CN103051608B
CN103051608B CN201210520765.9A CN201210520765A CN103051608B CN 103051608 B CN103051608 B CN 103051608B CN 201210520765 A CN201210520765 A CN 201210520765A CN 103051608 B CN103051608 B CN 103051608B
Authority
CN
China
Prior art keywords
access
mobile device
control server
security control
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201210520765.9A
Other languages
Chinese (zh)
Other versions
CN103051608A (en
Inventor
李宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qax Technology Group Inc
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd filed Critical Beijing Qihoo Technology Co Ltd
Priority to CN201210520765.9A priority Critical patent/CN103051608B/en
Publication of CN103051608A publication Critical patent/CN103051608A/en
Application granted granted Critical
Publication of CN103051608B publication Critical patent/CN103051608B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Telephonic Communication Services (AREA)
  • Storage Device Security (AREA)

Abstract

本发明公开了一种可移动设备的接入监控方法和装置,其中,所述方法包括:在安全控制服务器中预置合法可移动设备信息的列表;所述安全控制服务器用于控制与其相连的客户端的安全,所述合法可移动设备信息的列表中包括允许接入的可移动设备的唯一识别标识;当客户端监控到有可移动设备的接入时,计算所述可移动设备的唯一识别标识;将所述唯一识别标识发送给安全控制服务器,由安全控制服务器判断所述唯一识别标识是否存在于所述合法可移动设备信息的列表中,若是,则允许所述可移动设备的接入;若否,则拒绝所述可移动设备的接入。本发明能够准确追踪资料的来源以及去向,防止被病毒感染,提高可移动设备使用的安全性,保证网络信息的安全。

The invention discloses a mobile device access monitoring method and device, wherein the method includes: presetting a list of legal mobile device information in a security control server; the security control server is used to control the For the security of the client, the list of legal mobile device information includes the unique identification of the mobile device that is allowed to access; when the client monitors the access of the mobile device, the unique identification of the mobile device is calculated Identification; the unique identification is sent to the security control server, and the security control server judges whether the unique identification exists in the list of legal mobile device information, and if so, allows the access of the mobile device ; If not, reject the access of the mobile device. The invention can accurately track the source and whereabouts of data, prevent virus infection, improve the safety of mobile devices, and ensure the safety of network information.

Description

一种可移动设备接入监控的方法和装置Method and device for access monitoring of mobile equipment

技术领域 technical field

本发明涉及信息安全技术领域,具体涉及一种可移动设备接入监控的方法,以及,一种可移动设备接入监控的装置。The present invention relates to the technical field of information security, in particular to a method for access monitoring of a mobile device, and a device for access monitoring of a mobile device.

背景技术 Background technique

目前,随着可移动设备的普及和方便数据的传送和携带,可移动设备在日常生活与工作中被广泛使用,而在企业中经常会碰到文件泄密的问题,主要泄密的渠道之一就是可移动设备,对于承受不起数据丢失、泄露的企业而言是一个非常大的威胁。At present, with the popularization of mobile devices and the convenience of data transmission and portability, mobile devices are widely used in daily life and work. However, in enterprises, the problem of file leakage is often encountered. One of the main leakage channels is Removable devices are a very big threat to enterprises that cannot afford data loss and leakage.

为了保护企业内部的重要资料,有些企业会在企业内部使用安全管理软件,在文件创建、编辑的时候强制自动加密,这样文件就只能在企业内部使用;也有些企业会有各种方式管理可移动设备,比如有些企业采取封闭USB接口无法使用可移动设备以达到防止资料的泄密的目的,但这些做法带来了诸多不便,不能满足企业正常交流信息的需求。In order to protect important data within the enterprise, some enterprises use security management software within the enterprise to force automatic encryption when files are created and edited, so that files can only be used within the enterprise; For mobile devices, for example, some companies use closed USB ports to prevent the use of removable devices to prevent data leakage, but these practices have brought a lot of inconvenience and cannot meet the needs of companies for normal information exchange.

因此,本领域技术人员迫切需要解决的技术问题是:提供一种可移动设备接入监控的方法和装置,能够准确追踪资料的来源以及去向,防止被病毒感染,提高可移动设备使用的安全性,保证网络信息,尤其是内网网络信息的安全。Therefore, the urgent technical problem to be solved by those skilled in the art is to provide a method and device for access monitoring of mobile devices, which can accurately track the source and whereabouts of data, prevent virus infection, and improve the security of mobile devices. , to ensure the security of network information, especially intranet network information.

发明内容 Contents of the invention

鉴于上述问题,提出了本发明以便提供一种克服上述问题或者至少部分地解决上述问题的一种可移动设备接入监控的方法和相应的一种可移动设备接入监控的装置。In view of the above problems, the present invention is proposed to provide a mobile device access monitoring method and a corresponding mobile device access monitoring device that overcome the above problems or at least partially solve the above problems.

依据本发明的一个方面,提供了一种可移动设备的接入监控方法,包括:According to one aspect of the present invention, a mobile device access monitoring method is provided, including:

在安全控制服务器中预置合法可移动设备信息的列表;所述安全控制服务器用于控制与其相连的客户端的安全,所述合法可移动设备信息的列表中包括允许接入的可移动设备的唯一识别标识;A list of legal removable device information is preset in the security control server; the security control server is used to control the security of the client connected to it, and the list of legal removable device information includes the unique identification mark;

当客户端监控到有可移动设备的接入时,计算所述可移动设备的唯一识别标识;When the client monitors the access of the mobile device, calculate the unique identification of the mobile device;

将所述唯一识别标识发送给安全控制服务器,由安全控制服务器判断所述唯一识别标识是否存在于所述合法可移动设备信息的列表中,若是,则允许所述可移动设备的接入;若否,则拒绝所述可移动设备的接入。Send the unique identification to the security control server, and the security control server judges whether the unique identification exists in the list of legal mobile device information, and if so, allows the access of the mobile device; if If not, reject the access of the mobile device.

可选地,所述当客户端监控到有可移动设备的接入时,计算所述可移动设备的唯一识别标识的步骤包括:Optionally, when the client monitors the access of the mobile device, the step of calculating the unique identification of the mobile device includes:

获取所述可移动设备的硬件属性信息;Obtain hardware attribute information of the removable device;

判断所述可移动设备中是否具有特征标识;judging whether the mobile device has a feature identifier;

若是,则从所述可移动设备中提取特征标识;If so, then extract the feature identifier from the removable device;

若否,则依据所述硬件属性信息计算特征标识,并将所述特征标识写入可移动设备中;If not, then calculate the signature according to the hardware attribute information, and write the signature into the removable device;

依据所述可移动设备的硬件属性信息和特征标识计算所述可移动设备的唯一识别标识。The unique identifier of the movable device is calculated according to the hardware attribute information and the characteristic identifier of the movable device.

可选地,所述的方法还包括:Optionally, the method also includes:

若将所述特征标识写入可移动设备中的操作失败时,将所述写入操作失败的信息发送至安全控制服务器;If the operation of writing the feature identifier into the removable device fails, sending information about the failure of the writing operation to the security control server;

所述安全控制服务器依据所述写入操作失败的信息,拒绝所述可移动设备的接入。The security control server rejects the access of the removable device according to the information that the writing operation fails.

可选地,所述安全控制服务器预置有可移动设备允许接入的时间区间,所述的方法还包括:Optionally, the security control server is preset with a time interval for mobile devices to allow access, and the method further includes:

判断所述可移动设备是否在所述允许接入的时间区间内接入;judging whether the mobile device accesses within the allowed access time interval;

若所述可移动设备是在所述允许接入的时间区间内接入,则安全控制服务器允许所述可移动设备的接入;If the mobile device is accessed within the allowed access time interval, the security control server allows the mobile device to access;

若所述可移动设备不是在所述允许接入的时间区间内接入,则安全控制服务器拒绝所述可移动设备的接入。If the mobile device does not access within the allowed access time interval, the security control server rejects the mobile device's access.

可选地,所述的方法还包括:Optionally, the method also includes:

当允许所述可移动设备的接入时,监控所述可移动设备的写入操作;When the access of the removable device is allowed, monitor the write operation of the removable device;

将所述写入操作的信息发送至安全控制服务器。Send the information of the writing operation to the security control server.

可选地,所述硬件属性信息包括可移动设备标识,和/或,可移动设备的制造商信息,和/或,可移动设备的空间大小。Optionally, the hardware attribute information includes a mobile device identifier, and/or, manufacturer information of the mobile device, and/or, a space size of the mobile device.

可选地,所述依据硬件属性信息计算特征标识,并将所述特征标识写入可移动设备中的步骤包括:Optionally, the step of calculating the signature according to the hardware attribute information, and writing the signature into the removable device includes:

将所述可移动设备标识,以及,硬件属性信息组合为第一字符串;Combining the removable device identifier and hardware attribute information into a first character string;

依据所述第一字符串采用消息摘要算法MD5计算所述可移动设备的特征标识;Calculate the feature identifier of the mobile device by using the message digest algorithm MD5 according to the first character string;

将所述可移动设备的特征标识写入所述可移动设备中。Writing the feature identifier of the movable device into the movable device.

可选地,依据所述可移动设备的硬件属性信息和特征标识计算所述可移动设备的唯一识别标识的步骤包括:Optionally, the step of calculating the unique identification of the mobile device according to the hardware attribute information and feature identifier of the mobile device includes:

将所述可移动设备的特征标识,以及,硬件属性信息组合为第二字符串;Combining the feature identifier of the removable device and the hardware attribute information into a second character string;

依据所述第二字符串采用消息摘要算法MD5计算所述可移动设备的唯一识别标识。The unique identification of the mobile device is calculated by using the message digest algorithm MD5 according to the second character string.

可选地,所述可移动设备的接入由客户端中的预设驱动进行监控。Optionally, the access of the movable device is monitored by a preset driver in the client.

可选地,所述接入包括可读的接入、可写的接入和非可读可写的接入。Optionally, the access includes readable access, writable access, and non-readable and writable access.

据本发明的另一方面,提供了一种可移动设备的接入监控装置,包括:According to another aspect of the present invention, an access monitoring device for a mobile device is provided, including:

预置合法列表模块,位于安全控制服务器,用于控制与其相连的客户端的安全,所述合法可移动设备信息的列表中包括允许接入的可移动设备的唯一识别标识;The preset legal list module is located in the security control server and is used to control the security of the client connected to it, and the list of legal mobile device information includes the unique identification of the mobile device that is allowed to access;

唯一识别标识计算模块,位于客户端,用于在监控到有可移动设备的接入时,计算所述可移动设备的唯一识别标识;The unique identification calculation module is located at the client end and is used to calculate the unique identification of the mobile device when monitoring the access of the mobile device;

唯一识别标识发送模块,位于客户端,用于将所述唯一识别标识发送给安全控制服务器;The unique identification identification sending module is located at the client end and is used to send the unique identification identification to the security control server;

唯一识别标识判断模块,位于安全控制服务器,用于判断所述唯一识别标识是否存在于所述合法可移动设备信息的列表中,若是,则调用放行模块,若否,则调用拒绝模块;The unique identification identification judging module is located in the security control server, and is used to determine whether the unique identification identification exists in the list of legal mobile device information, if yes, call the release module, and if not, call the rejection module;

放行模块,用于允许所述可移动设备的接入;a release module, configured to allow the access of the mobile device;

拒绝模块,用于拒绝所述可移动设备的接入。A rejecting module, configured to reject the access of the mobile device.

可选地,所述唯一识别标识计算模块包括:Optionally, the unique identification calculation module includes:

硬件属性信息获取子模块,用于获取所述可移动设备的硬件属性信息;A hardware attribute information acquisition submodule, configured to acquire hardware attribute information of the removable device;

特征标识判断子模块,用于判断所述可移动设备中是否具有特征标识;若是,则调用特征标识提取子模块,若否,则调用特征标识计算子模块;The feature identification judging submodule is used to judge whether there is a feature identification in the mobile device; if so, then call the feature identification extraction submodule, if not, then call the feature identification calculation submodule;

特征标识提取子模块,用于从所述可移动设备中提取特征标识;A feature identifier extraction submodule, configured to extract a feature identifier from the mobile device;

特征标识计算子模块,用于依据所述硬件属性信息计算特征标识,并将所述特征标识写入可移动设备中;A signature calculation submodule, configured to calculate a signature according to the hardware attribute information, and write the signature into the removable device;

唯一识别标识计算子模块,用于依据所述可移动设备的硬件属性信息和特征标识计算所述可移动设备的唯一识别标识。The unique identifier calculation submodule is configured to calculate the unique identifier of the movable device according to the hardware attribute information and feature identifier of the movable device.

可选地,所述的装置还包括:Optionally, the device also includes:

写入失败信息发送模块,位于客户端,用于若将所述特征标识写入可移动设备中的操作失败时,将所述写入操作失败的信息发送至安全控制服务器;The writing failure information sending module is located at the client, and is used to send the information of the writing operation failure to the security control server if the operation of writing the feature identifier into the removable device fails;

拒绝接入模块,位于安全控制服务器,用于依据所述写入操作失败的信息,拒绝所述可移动设备的接入。The access denying module is located in the security control server, and is used for denying the access of the removable device according to the information that the writing operation fails.

可选地,所述安全控制服务器预置有可移动设备允许接入的时间区间,所述的装置还包括:Optionally, the security control server is preset with a time interval for mobile devices to allow access, and the device further includes:

时间区间判断模块,位于安全控制服务器,用于判断所述可移动设备是否在所述允许接入的时间区间内接入;若是,则调用时间区间内允许接入模块,若否,则调用时间区间内拒绝接入模块;时间区间内允许接入模块,位于安全控制服务器,用于若所述可移动设备是在所述允许接入的时间区间内接入,则允许所述可移动设备的接入;The time interval judging module is located in the security control server and is used to judge whether the mobile device is accessed within the time interval of the allowed access; if so, call the access allowed module in the time interval, if not, call the time interval The module for denying access within the time interval; the module for allowing access within the time interval, located in the security control server, is used to allow the mobile device to access;

时间区间内拒绝接入模块,位于安全控制服务器,用于若所述可移动设备不是在所述允许接入的时间区间内接入,则拒绝所述可移动设备的接入。The module for denying access within the time interval is located in the security control server, and is configured to deny the access of the mobile device if the access of the mobile device is not within the time interval for allowing access.

可选地,所述的装置还包括:Optionally, the device also includes:

接入监控模块,位于客户端,用于在允许所述可移动设备的接入时,监控所述可移动设备的写入操作;An access monitoring module, located on the client side, is configured to monitor the write operation of the removable device when the access of the removable device is allowed;

写入信息发送模块,位于客户端,用于将所述写入操作的信息发送至安全控制服务器。The writing information sending module is located at the client and is used to send the information of the writing operation to the security control server.

可选地,所述硬件属性信息包括可移动设备标识,和/或,可移动设备的制造商信息,和/或,可移动设备的空间大小。Optionally, the hardware attribute information includes a mobile device identifier, and/or, manufacturer information of the mobile device, and/or, a space size of the mobile device.

可选地,所述特征标识计算子模块包括:Optionally, the feature identification calculation submodule includes:

第一字符串组合单元,用于将所述可移动设备标识,以及,硬件属性信息组合为第一字符串;A first character string combination unit, configured to combine the mobile device identifier and hardware attribute information into a first character string;

第二计算单元,用于依据所述第一字符串采用消息摘要算法MD5计算所述可移动设备的特征标识;The second calculation unit is used to calculate the feature identifier of the mobile device by using the message digest algorithm MD5 according to the first character string;

特征标识写入单元,用于将所述可移动设备的特征标识写入所述可移动设备中。The feature identifier writing unit is configured to write the feature identifier of the removable device into the removable device.

可选地,所述唯一识别标识计算子模块包括:Optionally, the unique identification identification calculation submodule includes:

第二字符串组合单元,用于将所述可移动设备的特征标识,以及,硬件属性信息组合为第二字符串;A second character string combination unit, configured to combine the feature identifier of the removable device and the hardware attribute information into a second character string;

第二计算单元,用于依据所述第二字符串采用消息摘要算法MD5计算所述可移动设备的唯一识别标识。The second calculation unit is configured to calculate the unique identifier of the mobile device by using the message digest algorithm MD5 according to the second character string.

可选地,所述可移动设备的接入由客户端中的预设驱动进行监控。Optionally, the access of the movable device is monitored by a preset driver in the client.

可选地,所述接入包括可读的接入、可写的接入和非可读可写的接入。Optionally, the access includes readable access, writable access, and non-readable and writable access.

根据本发明的一种可移动设备接入监控的方法及装置可以通过在安全控制服务器预置合法可移动设备信息的列表中是否存在可移动设备的唯一识别标识来判断是否允许可移动设备的接入,当可移动设备允许接入时监控可移动设备的写操作,由此解决了企业经常会碰到的可移动设备的泄密问题,取得了能够准确追踪资料的来源以及去向,防止被病毒感染,提高可移动设备使用的安全性,保证网络信息,尤其是内网网络信息的安全的有益效果。According to a method and device for monitoring access of a mobile device according to the present invention, it can be judged whether the access of the mobile device is allowed by checking whether the unique identifier of the mobile device exists in the list of legal mobile device information preset by the security control server. Input, when the removable device is allowed to access, monitor the write operation of the removable device, thereby solving the problem of leaking of the removable device that enterprises often encounter, achieving the ability to accurately track the source and whereabouts of data, and prevent virus infection , improve the safety of mobile devices, and ensure the safety of network information, especially intranet network information.

上述说明仅是本发明技术方案的概述,为了能够更清楚了解本发明的技术手段,而可依照说明书的内容予以实施,并且为了让本发明的上述和其它目的、特征和优点能够更明显易懂,以下特举本发明的具体实施方式。The above description is only an overview of the technical solution of the present invention. In order to better understand the technical means of the present invention, it can be implemented according to the contents of the description, and in order to make the above and other purposes, features and advantages of the present invention more obvious and understandable , the specific embodiments of the present invention are enumerated below.

附图说明 Description of drawings

通过阅读下文优选实施方式的详细描述,各种其他的优点和益处对于本领域普通技术人员将变得清楚明了。附图仅用于示出优选实施方式的目的,而并不认为是对本发明的限制。而且在整个附图中,用相同的参考符号表示相同的部件。在附图中:Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiment. The drawings are only for the purpose of illustrating a preferred embodiment and are not to be considered as limiting the invention. Also throughout the drawings, the same reference numerals are used to designate the same components. In the attached picture:

图1示出了根据本发明一个实施例的一种可移动设备接入监控的方法实施例的步骤流程图;FIG. 1 shows a flow chart of steps of a method embodiment of access monitoring of a mobile device according to an embodiment of the present invention;

图2示出了根据本发明一个实施例的一种可移动设备接入监控的装置实施例的结构框图。Fig. 2 shows a structural block diagram of an embodiment of an apparatus for monitoring access of a mobile device according to an embodiment of the present invention.

具体实施方式 Detailed ways

下面将参照附图更详细地描述本公开的示例性实施例。虽然附图中显示了本公开的示例性实施例,然而应当理解,可以以各种形式实现本公开而不应被这里阐述的实施例所限制。相反,提供这些实施例是为了能够更透彻地理解本公开,并且能够将本公开的范围完整的传达给本领域的技术人员。Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided for more thorough understanding of the present disclosure and to fully convey the scope of the present disclosure to those skilled in the art.

本发明实施例的核心构思之一在于,通过安全控制服务器预置合法可移动设备信息的列表中是否存在可移动设备的唯一识别标识来判断是否允许可移动设备的接入,当可移动设备允许接入时监控可移动设备的写操作,由此能够准确追踪资料的来源以及去向,提高可移动设备使用的安全性,保证网络信息,尤其是内网网络信息的安全。One of the core concepts of the embodiments of the present invention is to determine whether to allow the access of the mobile device by checking whether the unique identifier of the mobile device exists in the list of legal mobile device information preset by the security control server. The write operation of the removable device is monitored during access, so that the source and destination of the data can be accurately tracked, the security of the use of the removable device is improved, and the security of network information, especially intranet network information, is ensured.

参照图1,示出了本发明的一种可移动设备接入监控的方法实施例的步骤流程图,具体可以包括以下步骤:Referring to FIG. 1 , it shows a flow chart of steps of a method embodiment of a mobile device access monitoring method according to the present invention, which may specifically include the following steps:

步骤101,在安全控制服务器中预置合法可移动设备信息的列表;所述安全控制服务器用于控制与其相连的客户端的安全,所述合法可移动设备信息的列表中包括允许接入的可移动设备的唯一识别标识;Step 101, preset a list of legal removable device information in the security control server; the security control server is used to control the security of the client connected to it, and the list of legal removable device information includes removable The unique identification of the device;

以在安装了私有云客户端的PC(PersonalComputer,个人电脑)上应用本发明为例,安装了私有云客户端的PC可以监控文件,防止被病毒感染,同时会和相应的安全控制服务器进行交互,将本地电脑的一些信息发送给安全控制服务器。PC还可以监控是否有新的设备接入,接入设备的类型,是否是可移动设备等。Taking the application of the present invention on a PC (PersonalComputer, personal computer) installed with a private cloud client as an example, the PC installed with a private cloud client can monitor files to prevent infection by viruses, and will interact with the corresponding security control server at the same time. Some information of the local computer is sent to the security control server. The PC can also monitor whether a new device is connected, the type of the connected device, whether it is a removable device, etc.

需要说明的是,在本发明实施例,所述安全控制服务器与客户端形成主控与被控的关系,所述安全控制服务器用于控制与其相连的客户端的安全,例如,局域网中的服务器与客户端。It should be noted that, in the embodiment of the present invention, the security control server and the client form a master-controlled relationship, and the security control server is used to control the security of the client connected to it, for example, the server in the local area network and the client.

在具体实现中,需要在安全控制服务器中预置合法可移动设备信息的列表,所述合法可移动设备信息的列表中包括允许接入的可移动设备的唯一识别标识,用于对比判断是否与接入的可移动设备的唯一识别标识一致,以此判断可移动设备的接入是否合法。In a specific implementation, it is necessary to preset a list of legal mobile device information in the security control server. The list of legal mobile device information includes the unique identification of the mobile device that is allowed to be accessed, and is used for comparison and judgment. The unique identifiers of the accessed mobile devices are consistent, so as to determine whether the access of the mobile device is legal.

步骤102,当客户端监控到有可移动设备的接入时,计算所述可移动设备的唯一识别标识;Step 102, when the client monitors the access of the mobile device, calculate the unique identification of the mobile device;

在本发明的一种优选实施例中,所述可移动设备的接入可以由客户端中的预设驱动进行监控。In a preferred embodiment of the present invention, the access of the mobile device can be monitored by a preset driver in the client.

通过在客户端安装预设驱动,利用该驱动针对可移动设备的所有的写入操作进行监控。驱动监控到有可移动设备的接入时,将相关信息上抛给应用层。应用层在获取到信息后,向安全控制服务器发送信息查询是否可以接入。By installing a preset driver on the client, use the driver to monitor all write operations on the removable device. When the driver monitors the access of a removable device, it throws the relevant information to the application layer. After the application layer obtains the information, it sends information to the security control server to inquire whether it can be accessed.

在本发明实施例的一种优选示例中,由于私有云客户端是常驻的,所以可以通过消息函数WMDEVICECHANGE来监控可移动设备的接入与退出,也可以使用驱动来监控。较佳地,如果安全控制服务器查询超时,也可以弹出该可移动设备,避免占用资源。在本发明的一种优选实施例中,所述步骤102可以包括如下子步骤:In a preferred example of the embodiment of the present invention, since the private cloud client is resident, the access and exit of the mobile device can be monitored through the message function WMDEVICECHANGE, or can be monitored using a driver. Preferably, if the security control server query times out, the removable device can also be ejected to avoid resource occupation. In a preferred embodiment of the present invention, the step 102 may include the following sub-steps:

子步骤S11,获取所述可移动设备的硬件属性信息;Sub-step S11, acquiring hardware attribute information of the removable device;

子步骤S12,判断所述可移动设备中是否具有特征标识;若是,则执行子步骤S13,若否,则执行子步骤S14;Sub-step S12, judging whether there is a characteristic identifier in the mobile device; if so, execute sub-step S13, if not, execute sub-step S14;

子步骤S13,若是,则从所述可移动设备中提取特征标识;Sub-step S13, if yes, extract the feature identifier from the mobile device;

子步骤S14,若否,则依据所述硬件属性信息计算特征标识,并将所述特征标识写入可移动设备中;Sub-step S14, if not, calculate the signature according to the hardware attribute information, and write the signature into the removable device;

子步骤S15,依据所述可移动设备的硬件属性信息和特征标识计算所述可移动设备的唯一识别标识。Sub-step S15, calculating the unique identifier of the movable device according to the hardware attribute information and feature identifier of the movable device.

当可移动设备接入到安装了私有云客户端的PC时,获取到接入客户端的可移动设备的硬件属性信息以及特征标识,其中,所述硬件属性信息可以包括可移动设备的固有的硬件属性,以及,可移动设备后续加入的硬件属性。可移动设备的特征标识为依据可移动设备的硬件属性信息计算所得的,所述特征标识可以在可移动设备的硬件属性信息上对可移动设备做进一步的标记,而唯一识别标识是依据可移动设备的硬件属性信息和特征标识计算所得的,即使可移动设备的硬件属性信息相同,也不一定允许将该可移动设备接入,以保证网络信息,尤其是企业内网信息的安全。When the mobile device is connected to the PC installed with the private cloud client, the hardware attribute information and feature identification of the mobile device connected to the client are obtained, wherein the hardware attribute information may include the inherent hardware attributes of the mobile device , and, the hardware attribute that the removable device will add later. The feature identifier of the removable device is calculated based on the hardware attribute information of the removable device. The feature identifier can further mark the removable device on the hardware attribute information of the removable device, and the unique identification is based on the Even if the hardware attribute information of the mobile device is the same as calculated by the hardware attribute information and feature identifier of the device, the removable device may not be allowed to be connected to ensure the security of network information, especially enterprise intranet information.

在本发明的一种优选实施例中,所述硬件属性信息可以包括可移动设备标识,和/或,可移动设备的制造商信息,和/或,可移动设备的空间大小。In a preferred embodiment of the present invention, the hardware attribute information may include the identifier of the mobile device, and/or the manufacturer information of the mobile device, and/or the space size of the mobile device.

在本发明的一种优选实施例中,所述子步骤S14的步骤可以包括如下子步骤:In a preferred embodiment of the present invention, the steps of the sub-step S14 may include the following sub-steps:

子步骤S21,将所述可移动设备标识,以及,硬件属性信息组合为第一字符串;Sub-step S21, combining the mobile device identifier and hardware attribute information into a first character string;

子步骤S22,依据所述第一字符串采用消息摘要算法MD5计算所述可移动设备的特征标识;Sub-step S22, calculating the characteristic identifier of the mobile device by using the message digest algorithm MD5 according to the first character string;

子步骤S23,将所述可移动设备的特征标识写入所述可移动设备中。Sub-step S23, writing the feature identifier of the movable device into the movable device.

在具体实现中,当客户端监控到有可移动设备接入后,获取该可移动设备的标识、可移动设备的制造商信息、可移动设备的空间大小并组合成一组字符串,然后采用MD5算法依据该计算出该可移动设备的特征标识。公知的是,MD5(MessageDigestAlgorithm,消息摘要算法第五版)为计算机安全领域广泛使用的一种散列函数,其将数据运算为另一固定长度值,将信息压缩成一种保密的格式。In the specific implementation, when the client monitors the access of a removable device, it obtains the identifier of the removable device, the manufacturer information of the removable device, and the space size of the removable device and combines them into a set of strings, and then uses MD5 The algorithm calculates the characteristic identifier of the mobile device based on this. As is well known, MD5 (Message Digest Algorithm, fifth edition of Message Digest Algorithm) is a hash function widely used in the field of computer security, which operates data into another fixed-length value and compresses information into a confidential format.

例如,可移动设备的标识为5001,可移动设备的制造商信息为爱国者,可移动设备的空间大小为1000000K,可以组合成一组字符串为:5001爱国者1000000,将该字符串采用MD5算法可以计算得到32位的唯一的可移动设备的特征标识为:B64D19F84EEEF997453CDD25738C082C,然后将计算所得的特征标识写入该可移动设备中。For example, the identifier of the removable device is 5001, the manufacturer information of the removable device is Patriot, and the space size of the removable device is 1000000K, which can be combined into a set of strings: 5001 Patriot 1000000, and the string uses the MD5 algorithm The 32-bit unique characteristic identifier of the removable device that can be calculated is: B64D19F84EEEF997453CDD25738C082C, and then the calculated characteristic identifier is written into the removable device.

在本发明的一种优选实施例中,所述步骤102还可以包括如下子步骤:In a preferred embodiment of the present invention, the step 102 may also include the following sub-steps:

若将所述特征标识写入可移动设备中的操作失败时,将所述写入操作失败的信息发送至安全控制服务器;If the operation of writing the feature identifier into the removable device fails, sending information about the failure of the writing operation to the security control server;

所述安全控制服务器依据所述写入操作失败的信息,拒绝所述可移动设备的接入。The security control server rejects the access of the removable device according to the information that the writing operation fails.

较佳地,若将计算所得的特征标识写入可移动设备操作失败,可以由客户端将写入操作失败的信息发送至安全控制服务器,安全控制服务器依据操作失败的信息可以拒绝该可移动设备的接入,进一步了保证网络信息,尤其是内网网络信息的安全。Preferably, if the operation of writing the calculated feature identifier to the removable device fails, the client can send the information of the failure of the writing operation to the security control server, and the security control server can reject the removable device according to the information of the operation failure. The access further guarantees the security of network information, especially intranet network information.

在本发明的一种优选实施例中,所述子步骤S15的步骤可以包括如下子步骤:In a preferred embodiment of the present invention, the steps of the sub-step S15 may include the following sub-steps:

子步骤S31,将所述可移动设备的特征标识,以及,硬件属性信息组合为第二字符串;Sub-step S31, combining the feature identifier of the removable device and the hardware attribute information into a second character string;

子步骤S32,依据所述第二字符串采用消息摘要算法MD5计算所述可移动设备的唯一识别标识。Sub-step S32, calculating the unique identifier of the mobile device by using the message digest algorithm MD5 according to the second character string.

例如,可移动设备的标识为5001,可移动设备的制造商信息为爱国者,可移动设备的空间大小为1000000K,可移动设备的特征标识为B64D19F84EEEF997453CDD25738C082C,可以组合成一组字符串为:B64D19F84EEEF997453CDD25738C082C5001爱国者1000000,将该字符串采用MD5算法可以计算得到32位的可移动设备的唯一识别标识为:45B51AE3C3445170E39801CA9ACD564D。For example, the identifier of the removable device is 5001, the manufacturer information of the removable device is Patriot, the space size of the removable device is 1000000K, and the characteristic identifier of the removable device is B64D19F84EEEF997453CDD25738C082C, which can be combined into a set of strings: B64D19F84EEEF997453CDD25738C082C5001 Patriot 1000000, the string can be calculated using the MD5 algorithm to obtain the unique identification of the 32-bit mobile device: 45B51AE3C3445170E39801CA9ACD564D.

当然,在实际应用中,不限于MD5算法,本领域技术人员还可以以MD5算法为原则,选择其它适当的算法生成可移动设备的特征标识及唯一识别标识,本发明对此不作限制。Of course, in practical applications, it is not limited to the MD5 algorithm, and those skilled in the art can also use the MD5 algorithm as a principle to select other appropriate algorithms to generate the characteristic identifier and unique identification identifier of the mobile device, which is not limited by the present invention.

步骤103,将所述唯一识别标识发送给安全控制服务器,由安全控制服务器判断所述唯一识别标识是否存在于所述合法可移动设备信息的列表中;若是,则执行步骤104,若否,则执行步骤105;Step 103: Send the unique identifier to the security control server, and the security control server judges whether the unique identifier exists in the list of legal mobile device information; if yes, execute step 104; if not, then Execute step 105;

步骤104,允许所述可移动设备的接入;Step 104, allowing access of the mobile device;

步骤105,拒绝所述可移动设备的接入。Step 105, rejecting the access of the mobile device.

本发明实施例中利用客户端与安全控制服务器之间的关联关系管理接入客户端的可移动设备。若接入客户端的可移动设备的唯一识别标识存在于安全控制服务器中合法可移动设备信息的列表中,则表示该可移动设备的接入是合法的,则安全控制服务器允许所述可移动设备的接入。若接入客户端的可移动设备的唯一识别标识不存在于安全控制服务器合法可移动设备信息的列表中,则表示该可移动设备的接入是非法的,安全控制服务器拒绝所述可移动设备的接入。In the embodiment of the present invention, the association relationship between the client and the security control server is used to manage the mobile device that accesses the client. If the unique identifier of the mobile device accessing the client exists in the list of legal mobile device information in the security control server, it means that the access of the mobile device is legal, and the security control server allows the mobile device access. If the unique identifier of the mobile device accessing the client does not exist in the list of legal mobile device information of the security control server, it means that the access of the mobile device is illegal, and the security control server rejects the access of the mobile device. access.

在本发明的一种优选实施例中,所述安全控制服务器中还可以预置可移动设备允许接入的时间区间,在这种情况下,所述的方法还可以包括如下步骤:In a preferred embodiment of the present invention, the security control server can also preset a time interval for the mobile device to allow access. In this case, the method can also include the following steps:

判断所述可移动设备是否在所述允许接入的时间区间内接入;judging whether the mobile device accesses within the allowed access time interval;

若所述可移动设备是在所述允许接入的时间区间内接入,则安全控制服务器允许所述可移动设备的接入;If the mobile device is accessed within the allowed access time interval, the security control server allows the mobile device to access;

若所述可移动设备不是在所述允许接入的时间区间内接入,则安全控制服务器拒绝所述可移动设备的接入。If the mobile device does not access within the allowed access time interval, the security control server rejects the mobile device's access.

通过针对允许接入的可移动设备设置允许接入的时间区间,使得该可移动设备只可以在允许接入的时间区间内才能够在客户端接入并运行,在允许接入的时间区间外则拒绝该可移动设备的接入,以此更进一步保证网络信息,尤其是内网网络信息的安全。在实际中,还可以针对允许接入的可移动设备设置识别名称,方便管理员的识别及后续的管理。By setting the access-allowed time interval for the mobile device that is allowed to access, the mobile device can only access and run on the client within the allowed time interval, and outside the allowed access time interval Then reject the access of the mobile device, so as to further ensure the security of network information, especially intranet network information. In practice, an identification name can also be set for the removable device that is allowed to be accessed, so as to facilitate the administrator's identification and subsequent management.

在具体实现中,可以设置允许接入的可移动设备为有可读权限的接入,有可写权限的接入,或有非可读可写权限的接入,所述可移动设备依据其对应的权限在客户端中运行。In a specific implementation, the removable device that is allowed to be accessed can be set as an access with a readable permission, an access with a writable permission, or an access with a non-readable and writable permission. The corresponding permissions run in the client.

在本发明的一种优选实施例中,所述的方法还可以包括如下步骤:In a preferred embodiment of the present invention, the method may also include the following steps:

当允许所述可移动设备的接入时,监控所述可移动设备的写入操作;When the access of the removable device is allowed, monitor the write operation of the removable device;

将所述写入操作的信息发送至安全控制服务器。Send the information of the writing operation to the security control server.

较佳地,当可移动设备允许接入可正常使用后,安全控制服务器监控该可移动设备的写入操作,并将每一个写入到可移动设备的情况都发给安全控制服务器。写入的操作包括文件保存到可移动设备和从可移动设备保存到本地磁盘的操作,只要对源路径或目标路径是可移动设备的都进行记录并发送给安全控制服务器,这样能够准确追踪资料的来源以及去向,防止被病毒感染,提高了可移动设备使用的安全性。Preferably, when the removable device is allowed to be used normally, the security control server monitors the writing operation of the removable device, and sends each write operation to the removable device to the security control server. The writing operation includes the operation of saving files to removable devices and from removable devices to local disks. As long as the source path or target path is a removable device, it will be recorded and sent to the security control server, so that the data can be accurately tracked The source and whereabouts of the mobile device can be prevented from being infected by viruses, and the security of mobile devices can be improved.

当可移动设备在客户端中的相关操作完成之后,需要退出该可移动设备时,可以通过SetupDiDestroyDeviceInfoList来卸载的,销毁可移动设备信息集合,并且释放所有关联的内存,在ring3(CPU最低特权级别)上弹出可移动设备,另外也可以使用驱动来进行卸载。When the relevant operations of the removable device in the client are completed and the removable device needs to be exited, it can be uninstalled through SetupDiDestroyDeviceInfoList, destroy the removable device information collection, and release all associated memory, in ring3 (CPU lowest privilege level ) to pop up the removable device, and you can also use the driver to uninstall.

需要说明的是,对于方法实施例,为了简单描述,故将其都表述为一系列的动作组合,但是本领域技术人员应该知悉,本发明并不受所描述的动作顺序的限制,因为依据本发明,某些步骤可以采用其他顺序或者同时进行。其次,本领域技术人员也应该知悉,说明书中所描述的实施例均属于优选实施例,所涉及的动作和模块并不一定是本发明所必须的。It should be noted that, for the method embodiment, for the sake of simple description, it is expressed as a series of action combinations, but those skilled in the art should know that the present invention is not limited by the described action order, because according to this According to the invention, certain steps may be performed in other order or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification belong to preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.

参照图2,示出了本发明的一种可移动设备接入监控的装置实施例的结构框图,具体可以包括如下模块:Referring to Fig. 2, it shows a structural block diagram of an embodiment of an apparatus for access monitoring of a mobile device according to the present invention, which may specifically include the following modules:

预置合法列表模块201,位于安全控制服务器,用于控制与其相连的客户端的安全,所述合法可移动设备信息的列表中包括允许接入的可移动设备的唯一识别标识;The preset legal list module 201 is located in the security control server and is used to control the security of the client connected to it, and the list of legal mobile device information includes the unique identification of the mobile device that is allowed to access;

唯一识别标识计算模块202,位于客户端,用于在监控到有可移动设备的接入时,计算所述可移动设备的唯一识别标识;The unique identification calculation module 202, located at the client, is used to calculate the unique identification of the mobile device when monitoring the access of the mobile device;

在本发明的一种优选实施例中,所述可移动设备的接入可以由客户端中的预设驱动进行监控。In a preferred embodiment of the present invention, the access of the mobile device can be monitored by a preset driver in the client.

在本发明的一种优选实施例中,所述唯一识别标识计算模块202可以包括如下子模块:In a preferred embodiment of the present invention, the unique identification mark calculation module 202 may include the following submodules:

硬件属性信息获取子模块,用于获取所述可移动设备的硬件属性信息;A hardware attribute information acquisition submodule, configured to acquire hardware attribute information of the removable device;

特征标识判断子模块,用于判断所述可移动设备中是否具有特征标识;若是,则调用特征标识提取子模块,若否,则调用特征标识计算子模块;The feature identification judging submodule is used to judge whether there is a feature identification in the mobile device; if so, then call the feature identification extraction submodule, if not, then call the feature identification calculation submodule;

特征标识提取子模块,用于从所述可移动设备中提取特征标识;A feature identifier extraction submodule, configured to extract a feature identifier from the mobile device;

特征标识计算子模块,用于依据所述硬件属性信息计算特征标识,并将所述特征标识写入可移动设备中;A signature calculation submodule, configured to calculate a signature according to the hardware attribute information, and write the signature into the removable device;

唯一识别标识计算子模块,用于依据所述可移动设备的硬件属性信息和特征标识计算所述可移动设备的唯一识别标识。The unique identifier calculation submodule is configured to calculate the unique identifier of the movable device according to the hardware attribute information and feature identifier of the movable device.

在本发明的一种优选实施例中,所述的装置还可以包括如下模块:In a preferred embodiment of the present invention, the device may also include the following modules:

写入失败信息发送模块,位于客户端,用于若将所述特征标识写入可移动设备中的操作失败时,将所述写入操作失败的信息发送至安全控制服务器;The writing failure information sending module is located at the client, and is used to send the information of the writing operation failure to the security control server if the operation of writing the feature identifier into the removable device fails;

拒绝接入模块,位于安全控制服务器,用于依据所述写入操作失败的信息,拒绝所述可移动设备的接入。The access denying module is located in the security control server, and is used for denying the access of the removable device according to the information that the writing operation fails.

在本发明的一种优选实施例中,所述安全控制服务器预置有可移动设备允许接入的时间区间,所述的装置还可以包括如下模块:In a preferred embodiment of the present invention, the security control server is preset with a time interval for mobile devices to allow access, and the device may also include the following modules:

时间区间判断模块,位于安全控制服务器,用于判断所述可移动设备是否在所述允许接入的时间区间内接入;若是,则调用时间区间内允许接入模块,若否,则调用时间区间内拒绝接入模块;The time interval judging module is located in the security control server and is used to judge whether the mobile device is accessed within the time interval of the allowed access; if so, call the access allowed module in the time interval, if not, call the time interval Refuse to access the module within the interval;

时间区间内允许接入模块,位于安全控制服务器,用于若所述可移动设备是在所述允许接入的时间区间内接入,则允许所述可移动设备的接入;The module for allowing access within the time interval, located in the security control server, is used to allow the access of the mobile device if the access of the mobile device is within the time interval for allowing access;

时间区间内拒绝接入模块,位于安全控制服务器,用于若所述可移动设备不是在所述允许接入的时间区间内接入,则拒绝所述可移动设备的接入。The module for denying access within the time interval is located in the security control server, and is configured to deny the access of the mobile device if the access of the mobile device is not within the time interval for allowing access.

在本发明的一种优选实施例中,所述硬件属性信息可以包括可移动设备标识,和/或,可移动设备的制造商信息,和/或,可移动设备的空间大小。In a preferred embodiment of the present invention, the hardware attribute information may include the identifier of the mobile device, and/or the manufacturer information of the mobile device, and/or the space size of the mobile device.

在本发明的一种优选实施例中,所述特征标识计算子模块可以包括如下单元:In a preferred embodiment of the present invention, the feature identification calculation submodule may include the following units:

第一字符串组合单元,用于将所述可移动设备标识,以及,硬件属性信息组合为第一字符串;A first character string combination unit, configured to combine the mobile device identifier and hardware attribute information into a first character string;

第二计算单元,用于依据所述第一字符串采用消息摘要算法MD5计算所述可移动设备的特征标识;The second calculation unit is used to calculate the feature identifier of the mobile device by using the message digest algorithm MD5 according to the first character string;

特征标识写入单元,用于将所述可移动设备的特征标识写入所述可移动设备中。The feature identifier writing unit is configured to write the feature identifier of the removable device into the removable device.

在本发明的一种优选实施例中,所述唯一识别标识计算子模块可以包括如下单元:In a preferred embodiment of the present invention, the unique identification identification calculation submodule may include the following units:

第二字符串组合单元,用于将所述可移动设备的特征标识,以及,硬件属性信息组合为第二字符串;A second character string combination unit, configured to combine the feature identifier of the removable device and the hardware attribute information into a second character string;

第二计算单元,用于依据所述第二字符串采用消息摘要算法MD5计算所述可移动设备的唯一识别标识。The second calculation unit is configured to calculate the unique identifier of the mobile device by using the message digest algorithm MD5 according to the second character string.

唯一识别标识发送模块203,位于客户端,用于将所述唯一识别标识发送给安全控制服务器;The unique identifier sending module 203, located at the client, is used to send the unique identifier to the security control server;

唯一识别标识判断模块204,位于安全控制服务器,用于判断所述唯一识别标识是否存在于所述合法可移动设备信息的列表中,若是,则调用放行模块205,若否,则调用拒绝模块206;The unique identification identification judging module 204 is located in the security control server, and is used to determine whether the unique identification identification exists in the list of the legal mobile device information, if yes, then call the release module 205, if not, then call the rejection module 206 ;

放行模块205,用于允许所述可移动设备的接入;A pass module 205, configured to allow access of the mobile device;

拒绝模块206,用于拒绝所述可移动设备的接入。A rejecting module 206, configured to reject the access of the mobile device.

在本发明的一种优选实施例中,所述接入可以包括可读的接入、可写的接入和非可读可写的接入。In a preferred embodiment of the present invention, the access may include readable access, writable access, and non-readable and writable access.

在本发明的一种优选实施例中,所述的装置还可以包括如下模块:In a preferred embodiment of the present invention, the device may also include the following modules:

接入监控模块,位于客户端,用于在允许所述可移动设备的接入时,监控所述可移动设备的写入操作;An access monitoring module, located on the client side, is configured to monitor the write operation of the removable device when the access of the removable device is allowed;

写入信息发送模块,位于客户端,用于将所述写入操作的信息发送至安全控制服务器。The writing information sending module is located at the client and is used to send the information of the writing operation to the security control server.

对于图2的装置实施例而言,由于其与图1的方法实施例基本相似,所以描述的比较简单,相关之处参见方法实施例的部分说明即可。As for the device embodiment in FIG. 2 , since it is basically similar to the method embodiment in FIG. 1 , the description is relatively simple, and for relevant parts, please refer to the part of the description of the method embodiment.

在此提供的算法和显示不与任何特定计算机、虚拟系统或者其它设备固有相关。各种通用系统也可以与基于在此的示教一起使用。根据上面的描述,构造这类系统所要求的结构是显而易见的。此外,本发明也不针对任何特定编程语言。应当明白,可以利用各种编程语言实现在此描述的本发明的内容,并且上面对特定语言所做的描述是为了披露本发明的最佳实施方式。The algorithms and displays presented herein are not inherently related to any particular computer, virtual system, or other device. Various generic systems can also be used with the teachings based on this. The structure required to construct such a system is apparent from the above description. Furthermore, the present invention is not specific to any particular programming language. It should be understood that various programming languages can be used to implement the content of the present invention described herein, and the above description of specific languages is for disclosing the best mode of the present invention.

在此处所提供的说明书中,说明了大量具体细节。然而,能够理解,本发明的实施例可以在没有这些具体细节的情况下实践。在一些实例中,并未详细示出公知的方法、结构和技术,以便不模糊对本说明书的理解。In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure the understanding of this description.

类似地,应当理解,为了精简本公开并帮助理解各个发明方面中的一个或多个,在上面对本发明的示例性实施例的描述中,本发明的各个特征有时被一起分组到单个实施例、图、或者对其的描述中。然而,并不应将该公开的方法解释成反映如下意图:即所要求保护的本发明要求比在每个权利要求中所明确记载的特征更多的特征。更确切地说,如下面的权利要求书所反映的那样,发明方面在于少于前面公开的单个实施例的所有特征。因此,遵循具体实施方式的权利要求书由此明确地并入该具体实施方式,其中每个权利要求本身都作为本发明的单独实施例。Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, in order to streamline this disclosure and to facilitate an understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure, or its description. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the Detailed Description are hereby expressly incorporated into this Detailed Description, with each claim standing on its own as a separate embodiment of this invention.

本领域那些技术人员可以理解,可以对实施例中的设备中的模块进行自适应性地改变并且把它们设置在与该实施例不同的一个或多个设备中。可以把实施例中的模块或单元或组件组合成一个模块或单元或组件,以及此外可以把它们分成多个子模块或子单元或子组件。除了这样的特征和/或过程或者单元中的至少一些是相互排斥之外,可以采用任何组合对本说明书(包括伴随的权利要求、摘要和附图)中公开的所有特征以及如此公开的任何方法或者设备的所有过程或单元进行组合。除非另外明确陈述,本说明书(包括伴随的权利要求、摘要和附图)中公开的每个特征可以由提供相同、等同或相似目的的替代特征来代替。Those skilled in the art can understand that the modules in the device in the embodiment can be adaptively changed and arranged in one or more devices different from the embodiment. Modules or units or components in the embodiments may be combined into one module or unit or component, and furthermore may be divided into a plurality of sub-modules or sub-units or sub-assemblies. All features disclosed in this specification (including accompanying claims, abstract and drawings) and any method or method so disclosed may be used in any combination, except that at least some of such features and/or processes or units are mutually exclusive. All processes or units of equipment are combined. Each feature disclosed in this specification (including accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.

此外,本领域的技术人员能够理解,尽管在此所述的一些实施例包括其它实施例中所包括的某些特征而不是其它特征,但是不同实施例的特征的组合意味着处于本发明的范围之内并且形成不同的实施例。例如,在下面的权利要求书中,所要求保护的实施例的任意之一都可以以任意的组合方式来使用。Furthermore, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments but not others, combinations of features from different embodiments are meant to be within the scope of the invention. and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.

本发明的各个部件实施例可以以硬件实现,或者以在一个或者多个处理器上运行的软件模块实现,或者以它们的组合实现。本领域的技术人员应当理解,可以在实践中使用微处理器或者数字信号处理器(DSP)来实现根据本发明实施例的一种可移动设备接入监控的设备中的一些或者全部部件的一些或者全部功能。本发明还可以实现为用于执行这里所描述的方法的一部分或者全部的设备或者装置程序(例如,计算机程序和计算机程序产品)。这样的实现本发明的程序可以存储在计算机可读介质上,或者可以具有一个或者多个信号的形式。这样的信号可以从因特网网站上下载得到,或者在载体信号上提供,或者以任何其他形式提供。The various component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art should understand that a microprocessor or a digital signal processor (DSP) can be used in practice to implement some or all of the components in a mobile device access monitoring device according to an embodiment of the present invention Or full functionality. The present invention can also be implemented as an apparatus or an apparatus program (for example, a computer program and a computer program product) for performing a part or all of the methods described herein. Such a program for realizing the present invention may be stored on a computer-readable medium, or may be in the form of one or more signals. Such a signal may be downloaded from an Internet site, or provided on a carrier signal, or provided in any other form.

应该注意的是上述实施例对本发明进行说明而不是对本发明进行限制,并且本领域技术人员在不脱离所附权利要求的范围的情况下可设计出替换实施例。在权利要求中,不应将位于括号之间的任何参考符号构造成对权利要求的限制。单词“包含”不排除存在未列在权利要求中的元件或步骤。位于元件之前的单词“一”或“一个”不排除存在多个这样的元件。本发明可以借助于包括有若干不同元件的硬件以及借助于适当编程的计算机来实现。在列举了若干装置的单元权利要求中,这些装置中的若干个可以是通过同一个硬件项来具体体现。单词第一、第二、以及第三等的使用不表示任何顺序。可将这些单词解释为名称。It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, and third, etc. does not indicate any order. These words can be interpreted as names.

Claims (16)

1.一种可移动设备的接入监控方法,包括:1. A method for access monitoring of a mobile device, comprising: 在安全控制服务器中预置合法可移动设备信息的列表;所述安全控制服务器用于控制与其相连的客户端的安全,所述合法可移动设备信息的列表中包括允许接入的可移动设备的唯一识别标识;A list of legal removable device information is preset in the security control server; the security control server is used to control the security of the client connected to it, and the list of legal removable device information includes the unique identification mark; 当客户端监控到有可移动设备的接入时,计算所述可移动设备的唯一识别标识;When the client monitors the access of the mobile device, calculate the unique identification of the mobile device; 将所述唯一识别标识发送给安全控制服务器,由安全控制服务器判断所述唯一识别标识是否存在于所述合法可移动设备信息的列表中,若是,则允许所述可移动设备的接入;若否,则拒绝所述可移动设备的接入;Send the unique identification to the security control server, and the security control server judges whether the unique identification exists in the list of legal mobile device information, and if so, allows the access of the mobile device; if If not, reject the access of the mobile device; 所述当客户端监控到有可移动设备的接入时,计算所述可移动设备的唯一识别标识的步骤包括:When the client monitors the access of the mobile device, the step of calculating the unique identification of the mobile device includes: 获取所述可移动设备的硬件属性信息;Obtain hardware attribute information of the removable device; 判断所述可移动设备中是否具有特征标识;judging whether the mobile device has a feature identifier; 若是,则从所述可移动设备中提取特征标识;If so, then extract the feature identifier from the removable device; 若否,则依据所述硬件属性信息计算特征标识,并将所述特征标识写入可移动设备中;If not, then calculate the signature according to the hardware attribute information, and write the signature into the removable device; 依据所述可移动设备的硬件属性信息和特征标识计算所述可移动设备的唯一识别标识。The unique identifier of the movable device is calculated according to the hardware attribute information and the characteristic identifier of the movable device. 2.如权利要求1所述的方法,还包括:2. The method of claim 1, further comprising: 若将所述特征标识写入可移动设备中的操作失败时,将所述写入操作失败的信息发送至安全控制服务器;If the operation of writing the feature identifier into the removable device fails, sending information about the failure of the writing operation to the security control server; 所述安全控制服务器依据所述写入操作失败的信息,拒绝所述可移动设备的接入。The security control server rejects the access of the removable device according to the information that the writing operation fails. 3.如权利要求1所述的方法,所述安全控制服务器预置有可移动设备允许接入的时间区间,所述的方法还包括:3. The method according to claim 1, wherein the security control server is preset with a time interval during which the mobile device is allowed to access, and the method further comprises: 判断所述可移动设备是否在所述允许接入的时间区间内接入;judging whether the mobile device accesses within the allowed access time interval; 若所述可移动设备是在所述允许接入的时间区间内接入,则安全控制服务器允许所述可移动设备的接入;If the mobile device is accessed within the allowed access time interval, the security control server allows the mobile device to access; 若所述可移动设备不是在所述允许接入的时间区间内接入,则安全控制服务器拒绝所述可移动设备的接入。If the mobile device does not access within the allowed access time interval, the security control server rejects the mobile device's access. 4.如权利要求1所述的方法,还包括:4. The method of claim 1, further comprising: 当允许所述可移动设备的接入时,监控所述可移动设备的写入操作;When the access of the removable device is allowed, monitor the write operation of the removable device; 将所述写入操作的信息发送至安全控制服务器。Send the information of the writing operation to the security control server. 5.如权利要求1所述的方法,所述硬件属性信息包括可移动设备标识,和/或,可移动设备的制造商信息,和/或,可移动设备的空间大小。5. The method according to claim 1, wherein the hardware attribute information includes a mobile device identifier, and/or, manufacturer information of the mobile device, and/or, a space size of the mobile device. 6.如权利要求1或5所述的方法,所述依据硬件属性信息计算特征标识,并将所述特征标识写入可移动设备中的步骤包括:6. The method according to claim 1 or 5, said calculating the signature according to the hardware attribute information, and writing the signature into the removable device comprises: 将所述可移动设备标识,以及,硬件属性信息组合为第一字符串;Combining the removable device identifier and hardware attribute information into a first character string; 依据所述第一字符串采用消息摘要算法MD5计算所述可移动设备的特征标识;Calculate the feature identifier of the mobile device by using the message digest algorithm MD5 according to the first character string; 将所述可移动设备的特征标识写入所述可移动设备中。Writing the feature identifier of the movable device into the movable device. 7.如权利要求1或5所述的方法,依据所述可移动设备的硬件属性信息和特征标识计算所述可移动设备的唯一识别标识的步骤包括:7. The method according to claim 1 or 5, wherein the step of calculating the unique identification of the removable device according to the hardware attribute information and the characteristic identifier of the removable device comprises: 将所述可移动设备的特征标识,以及,硬件属性信息组合为第二字符串;Combining the feature identifier of the removable device and the hardware attribute information into a second character string; 依据所述第二字符串采用消息摘要算法MD5计算所述可移动设备的唯一识别标识。The unique identification of the mobile device is calculated by using the message digest algorithm MD5 according to the second character string. 8.如权利要求1所述的方法,所述可移动设备的接入由客户端中的预设驱动进行监控。8. The method of claim 1, the access of the removable device is monitored by a preset driver in the client. 9.如权利要求1所述的方法,所述接入包括可读的接入、可写的接入和非可读可写的接入。9. The method according to claim 1, the access includes readable access, writable access and non-readable and writable access. 10.一种可移动设备的接入监控装置,包括:10. An access monitoring device for a mobile device, comprising: 预置合法列表模块,位于安全控制服务器,用于控制与其相连的客户端的安全,所述合法可移动设备信息的列表中包括允许接入的可移动设备的唯一识别标识;The preset legal list module is located in the security control server and is used to control the security of the client connected to it, and the list of legal mobile device information includes the unique identification of the mobile device that is allowed to access; 唯一识别标识计算模块,位于客户端,用于在监控到有可移动设备的接入时,计算所述可移动设备的唯一识别标识;The unique identification calculation module is located at the client end and is used to calculate the unique identification of the mobile device when monitoring the access of the mobile device; 唯一识别标识发送模块,位于客户端,用于将所述唯一识别标识发送给安全控制服务器;The unique identification identification sending module is located at the client end and is used to send the unique identification identification to the security control server; 唯一识别标识判断模块,位于安全控制服务器,用于判断所述唯一识别标识是否存在于所述合法可移动设备信息的列表中,若是,则调用放行模块,若否,则调用拒绝模块;The unique identification identification judging module is located in the security control server, and is used to determine whether the unique identification identification exists in the list of legal mobile device information, if yes, call the release module, and if not, call the rejection module; 放行模块,用于允许所述可移动设备的接入;a release module, configured to allow the access of the mobile device; 拒绝模块,用于拒绝所述可移动设备的接入;a rejecting module, configured to reject the access of the mobile device; 所述唯一识别标识计算模块包括:The unique identification identification calculation module includes: 硬件属性信息获取子模块,用于获取所述可移动设备的硬件属性信息;A hardware attribute information acquisition submodule, configured to acquire hardware attribute information of the removable device; 特征标识判断子模块,用于判断所述可移动设备中是否具有特征标识;若是,则调用特征标识提取子模块,若否,则调用特征标识计算子模块;The feature identification judging submodule is used to judge whether there is a feature identification in the mobile device; if so, then call the feature identification extraction submodule, if not, then call the feature identification calculation submodule; 特征标识提取子模块,用于从所述可移动设备中提取特征标识;A feature identifier extraction submodule, configured to extract a feature identifier from the mobile device; 特征标识计算子模块,用于依据所述硬件属性信息计算特征标识,并将所述特征标识写入可移动设备中;A signature calculation submodule, configured to calculate a signature according to the hardware attribute information, and write the signature into the removable device; 唯一识别标识计算子模块,用于依据所述可移动设备的硬件属性信息和特征标识计算所述可移动设备的唯一识别标识。The unique identifier calculation submodule is configured to calculate the unique identifier of the movable device according to the hardware attribute information and feature identifier of the movable device. 11.如权利要求10所述的装置,还包括:11. The apparatus of claim 10, further comprising: 写入失败信息发送模块,位于客户端,用于若将所述特征标识写入可移动设备中的操作失败时,将所述写入操作失败的信息发送至安全控制服务器;The writing failure information sending module is located at the client, and is used to send the information of the writing operation failure to the security control server if the operation of writing the feature identifier into the removable device fails; 拒绝接入模块,位于安全控制服务器,用于依据所述写入操作失败的信息,拒绝所述可移动设备的接入。The access denying module is located in the security control server, and is used for denying the access of the removable device according to the information that the writing operation fails. 12.如权利要求10所述的装置,所述安全控制服务器预置有可移动设备允许接入的时间区间,所述的装置还包括:12. The device according to claim 10, wherein the security control server is preset with a time interval during which the mobile device is allowed to access, and the device further comprises: 时间区间判断模块,位于安全控制服务器,用于判断所述可移动设备是否在所述允许接入的时间区间内接入;若是,则调用时间区间内允许接入模块,若否,则调用时间区间内拒绝接入模块;The time interval judging module is located in the security control server and is used to judge whether the mobile device is accessed within the time interval of the allowed access; if so, call the access allowed module in the time interval, if not, call the time interval Refuse to access the module within the interval; 时间区间内允许接入模块,位于安全控制服务器,用于若所述可移动设备是在所述允许接入的时间区间内接入,则允许所述可移动设备的接入;The module for allowing access within the time interval, located in the security control server, is used to allow the access of the mobile device if the access of the mobile device is within the time interval for allowing access; 时间区间内拒绝接入模块,位于安全控制服务器,用于若所述可移动设备不是在所述允许接入的时间区间内接入,则拒绝所述可移动设备的接入。The module for denying access within the time interval is located in the security control server, and is configured to deny the access of the mobile device if the access of the mobile device is not within the time interval for allowing access. 13.如权利要求10所述的装置,还包括:13. The apparatus of claim 10, further comprising: 接入监控模块,位于客户端,用于在允许所述可移动设备的接入时,监控所述可移动设备的写入操作;An access monitoring module, located on the client side, is configured to monitor the write operation of the removable device when the access of the removable device is allowed; 写入信息发送模块,位于客户端,用于将所述写入操作的信息发送至安全控制服务器。The writing information sending module is located at the client and is used to send the information of the writing operation to the security control server. 14.如权利要求10所述的装置,所述硬件属性信息包括可移动设备标识,和/或,可移动设备的制造商信息,和/或,可移动设备的空间大小。14. The apparatus according to claim 10, wherein the hardware attribute information comprises a removable device identifier, and/or, manufacturer information of the movable device, and/or, a space size of the movable device. 15.如权利要求10或14所述的装置,所述特征标识计算子模块包括:15. The device according to claim 10 or 14, said signature calculation submodule comprising: 第一字符串组合单元,用于将所述可移动设备标识,以及,硬件属性信息组合为第一字符串;a first character string combination unit, configured to combine the mobile device identifier and hardware attribute information into a first character string; 第二计算单元,用于依据所述第一字符串采用消息摘要算法MD5计算所述可移动设备的特征标识;The second calculation unit is used to calculate the feature identifier of the mobile device by using the message digest algorithm MD5 according to the first character string; 特征标识写入单元,用于将所述可移动设备的特征标识写入所述可移动设备中。The feature identifier writing unit is configured to write the feature identifier of the removable device into the removable device. 16.如权利要求10或14所述的装置,所述唯一识别标识计算子模块包括:16. The device according to claim 10 or 14, said unique identification identification calculation submodule comprising: 第二字符串组合单元,用于将所述可移动设备的特征标识,以及,硬件属性信息组合为第二字符串;A second character string combination unit, configured to combine the feature identifier of the removable device and the hardware attribute information into a second character string; 第二计算单元,用于依据所述第二字符串采用消息摘要算法MD5计算所述可移动设备的唯一识别标识。The second calculation unit is configured to calculate the unique identifier of the mobile device by using the message digest algorithm MD5 according to the second character string.
CN201210520765.9A 2012-12-06 2012-12-06 A kind of method and apparatus of movable equipment access monitoring Active CN103051608B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210520765.9A CN103051608B (en) 2012-12-06 2012-12-06 A kind of method and apparatus of movable equipment access monitoring

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210520765.9A CN103051608B (en) 2012-12-06 2012-12-06 A kind of method and apparatus of movable equipment access monitoring

Publications (2)

Publication Number Publication Date
CN103051608A CN103051608A (en) 2013-04-17
CN103051608B true CN103051608B (en) 2015-11-25

Family

ID=48064107

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210520765.9A Active CN103051608B (en) 2012-12-06 2012-12-06 A kind of method and apparatus of movable equipment access monitoring

Country Status (1)

Country Link
CN (1) CN103051608B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104580116B (en) * 2013-10-25 2018-09-14 新华三技术有限公司 A kind of management method and equipment of security strategy
JP6739036B2 (en) * 2015-08-31 2020-08-12 パナソニックIpマネジメント株式会社 controller
CN110188079B (en) * 2019-04-03 2020-05-12 特斯联(北京)科技有限公司 External equipment management method based on distributed storage database

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101364986A (en) * 2008-09-19 2009-02-11 广东南方信息安全产业基地有限公司 Credible equipment authentication method under network environment
CN102710588A (en) * 2011-09-23 2012-10-03 新奥特(北京)视频技术有限公司 Method, device, server and system for identifying code in data safety monitoring and controlling

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101364986A (en) * 2008-09-19 2009-02-11 广东南方信息安全产业基地有限公司 Credible equipment authentication method under network environment
CN102710588A (en) * 2011-09-23 2012-10-03 新奥特(北京)视频技术有限公司 Method, device, server and system for identifying code in data safety monitoring and controlling

Also Published As

Publication number Publication date
CN103051608A (en) 2013-04-17

Similar Documents

Publication Publication Date Title
CN105320883B (en) File security loads implementation method and device
CN104484599B (en) A kind of behavior treating method and apparatus based on application program
WO2015096695A1 (en) Installation control method, system and device for application program
US10079835B1 (en) Systems and methods for data loss prevention of unidentifiable and unsupported object types
CN105095768B (en) Virtualization-based trusted server trust chain construction method
US11706237B2 (en) Threat detection and security for edge devices
JP6055574B2 (en) Context-based switching to a secure operating system environment
JP2019096339A (en) System and method for monitoring and controlling business information saved on cloud computing service (ccs), and encrypting business information for each document
CN107643940A (en) Container creation method, relevant device and computer-readable storage medium
CN104537310B (en) The management method of movable storage device and client
JP2015508540A (en) System and method for enhancing security in mobile computing
WO2015070633A1 (en) Privacy authority management method and apparatus
CN104112089A (en) Multi-strategy integration based mandatory access control method
US9633199B2 (en) Using a declaration of security requirements to determine whether to permit application operations
CN104735091A (en) Linux system-based user access control method and device
CN105550593A (en) Cloud disk file monitoring method and device based on local area network
CN104270467A (en) A virtual machine management and control method for hybrid cloud
CN107463839A (en) A kind of system and method for managing application program
WO2019037521A1 (en) Security detection method, device, system, and server
CN106844097A (en) A kind of means of defence and device for malice encryption software
CN104169939B (en) Method and system realizing virtualization safety
CN104063669A (en) Method for monitoring file integrity in real time
CN103647753B (en) LAN file security management method, server and system
CN103051608B (en) A kind of method and apparatus of movable equipment access monitoring
CN103023651B (en) Be used for the method and apparatus of the access of monitoring movable equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20161212

Address after: 100015 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3

Patentee after: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

CP01 Change in the name or title of a patent holder

Address after: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Patentee after: QAX Technology Group Inc.

Address before: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Patentee before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

CP01 Change in the name or title of a patent holder