Patents by Inventor Tianfu Fu
Tianfu Fu has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11451531
Abstract: A certificate obtaining method, an authentication method, and a network device, where a certificate is used for permission authentication when an application APP accesses an application programming interface (API) of a controller. The certificate includes one or more of: (a) information about operation permission of the APP on N application programming interfaces APIs of the controller, (b) identifiers of L APIs that are of the N APIs and that the APP has permission to operate, or (c) identifiers of R APIs that are of the N APIs and that the APP does not have permission to operate.
Type: Grant
Filed: June 28, 2019
Date of Patent: September 20, 2022
Assignee: HUAWEI TECHNOLOGIES CO., LTD.
Inventors: Dacheng Zhang, Tianfu Fu, Chong Zhou
-
Patent number: 11350286
Abstract: A device identifier (ID) obtaining method, a terminal, and a network device, where the method includes sending, by a terminal to a network device, a first message used to obtain a device ID, where the device ID is used to globally identify the terminal uniquely, receiving, by the terminal, an encrypted key pair sent by the network device, where the key pair includes a first public key and a first private key, receiving, by the terminal, information sent by the network device, where the information is used to identify that the first public key is the device ID of the terminal, and determining, by the terminal, that the first public key is the device ID.
Type: Grant
Filed: August 11, 2020
Date of Patent: May 31, 2022
Assignee: HUAWEI TECHNOLOGIES CO., LTD.
Inventors: Chong Zhou, Tianfu Fu, Dacheng Zhang, Jianxiong Wei
-
Publication number: 20210124820
Abstract: Embodiments of the present disclosure disclose an application program integrity verification method and a network device. The method includes: performing characteristic value calculation on data of an application program when the application program starts, to obtain a first digest of the application program; decrypting a stored digital signature of the application program according to a public key in an embedded key pair to obtain a second digest of the application program, where the digital signature is obtained, according to a private key in the key pair, by signing data of the application program each time the application program is updated, and the key pair is a manufacturer key pair corresponding to the application program; and determining that integrity verification of the application program passes if the first digest and the second digest are the same, otherwise, determining that integrity verification of the application program does not pass.
Type: Application
Filed: November 5, 2020
Publication date: April 29, 2021
Inventors: Tianfu FU, Chong ZHOU
-
Publication number: 20200374696
Abstract: A device identifier (ID) obtaining method, a terminal, and a network device, where the method includes sending, by a terminal to a network device, a first message used to obtain a device ID, where the device ID is used to globally identify the terminal uniquely, receiving, by the terminal, an encrypted key pair sent by the network device, where the key pair includes a first public key and a first private key, receiving, by the terminal, information sent by the network device, where the information is used to identify that the first public key is the device ID of the terminal, and determining, by the terminal, that the first public key is the device ID.
Type: Application
Filed: August 11, 2020
Publication date: November 26, 2020
Inventors: Chong Zhou, Tianfu Fu, Dacheng Zhang, Jianxiong Wei
-
Patent number: 10846393
Abstract: Embodiments of the present disclosure disclose an application program integrity verification method and a network device. The method includes: performing eigenvalue calculation on data of an application program when the application program starts, to obtain a first digest of the application program (101); decrypting a stored digital signature of the application program according to a public key in an embedded key pair to obtain a second digest of the application program, where the digital signature is obtained, according to a private key in the key pair, by signing data of the application program each time the application program is updated (102), and the key pair is a manufacturer key pair corresponding to the application program; and determining that integrity verification of the application program passes if the first digest and the second digest are the same, otherwise, determining that integrity verification of the application program does not pass (103).
Type: Grant
Filed: May 12, 2017
Date of Patent: November 24, 2020
Assignee: Huawei Technologies Co., Ltd.
Inventors: Tianfu Fu, Chong Zhou
-
Patent number: 10798060
Abstract: A network attack defense policy sending method and apparatus are presented. The method includes receiving attack information which includes a target Internet Protocol (IP) address, and the attack information is used to indicate that a network attack packet whose destination address is the target IP address exists in a first network; determining that the network attack packet enters the first network through a first edge network device, where the first edge network device is an edge device in the first network; sending a defense policy to the first edge network device, where the defense policy is used to instruct the first edge network device to process, according to the defense policy, a packet whose destination address is the target IP address. By means of this application, network resources occupied by a network attack packet can be reduced, and an effect of defending against the network attack packet can be improved.
Type: Grant
Filed: July 31, 2018
Date of Patent: October 6, 2020
Assignee: HUAWEI TECHNOLOGIES CO., LTD.
Inventors: Zhouyi Yu, Li Yang, Tianfu Fu
-
Patent number: 10713352
Abstract: A method and an apparatus for trusted measurement, where the method includes: obtaining a first processing result by performing a first-manner processing on a code segment, and using a result obtained by performing a second-manner processing on the first processing result as a reference value; obtaining, at a first moment when the system is running, a second processing result by performing the first-manner processing on the code segment, and obtaining a first measurement value by performing the second-manner processing on the second processing result; and determining whether the first measurement value and the reference value are equal, and when the first measurement value and the reference value are equal, the system is trusted, where the code segment in the memory is a code segment that does not change with normal running of the system during one start-up and a running process of the system.
Type: Grant
Filed: March 16, 2017
Date of Patent: July 14, 2020
Assignee: Huawei Technologies Co., Ltd.
Inventors: Chong Zhou, Tianfu Fu
-
Publication number: 20190327224
Abstract: This application provides a certificate obtaining method, an authentication method, and a network device, to improve control over operation permission of an APP on an API. The certificate is used for permission authentication when the APP accesses an API of a controller. The certificate includes one or more of (a) to (c): (a) information about operation permission of the APP on N application programming interfaces APIs of the controller, (b) identifiers of L APIs that are of the N APIs and that the APP has permission to operate, and (c) identifiers of R APIs that are of the N APIs and that the APP has no permission to operate.
Type: Application
Filed: June 28, 2019
Publication date: October 24, 2019
Inventors: Dacheng Zhang, Tianfu Fu, Chong Zhou
-
Patent number: 10404773
Abstract: The present invention provides a distributed cluster processing system and a packet processing method thereof. The system includes at least one external interface unit, multiple processing units, and a switching unit, where each of the at least one external interface unit is connected between a corresponding processing unit of the multiple processing units and an external network element, and is configured to receive a packet from the external network element, forward the packet to a corresponding processing unit of the multiple directly connected processing units, and send a processed packet to the external network element; and each of the multiple processing units performs specified service processing and is respectively connected to the switching unit, so that the multiple processing units and the switching unit form a star topology structure. According to the system and the method, through a logical combination between the processing units, end-to-end high performance may be achieved.
Type: Grant
Filed: January 29, 2014
Date of Patent: September 3, 2019
Assignee: HUAWEI TECHNOLOGIES CO., LTD.
Inventor: Tianfu Fu
-
Publication number: 20180337888
Abstract: A network attack defense policy sending method and apparatus are presented. The method includes receiving attack information which includes a target Internet Protocol (IP) address, and the attack information is used to indicate that a network attack packet whose destination address is the target IP address exists in a first network; determining that the network attack packet enters the first network through a first edge network device, where the first edge network device is an edge device in the first network; sending a defense policy to the first edge network device, where the defense policy is used to instruct the first edge network device to process, according to the defense policy, a packet whose destination address is the target IP address. By means of this application, network resources occupied by a network attack packet can be reduced, and an effect of defending against the network attack packet can be improved.
Type: Application
Filed: July 31, 2018
Publication date: November 22, 2018
Inventors: Zhouyi Yu, Li Yang, Tianfu Fu
-
Patent number: 10129722
Abstract: A network device executes a method including receiving a request message for a first service sent by a user equipment; determining a first service requested by the request message for the first service; and sending the request message for the first service to a first value added service server.
Type: Grant
Filed: July 20, 2016
Date of Patent: November 13, 2018
Assignee: Huawei Technologies Co., Ltd.
Inventors: Tianfu Fu, Zhouyi Yu
-
Publication number: 20180278632
Abstract: This application relates to the field of network security technologies, and provides a method and a device for detecting a network attack. The method includes: collecting characteristic information of each of N sessions in a network, where N is an integer greater than 1; obtaining a statistical result, where the statistical result is a result obtained by collecting statistics on the characteristic information of the N sessions by using each of the N sessions as a sampling unit and by using the characteristic information as a sample value; and when a difference between the statistical result and a reference result exceeds a preset condition, determining the network is under a network attack. According to this application, a session-type network attack can be effectively detected because instead of a packet, a session is used as a sampling unit.
Type: Application
Filed: May 30, 2018
Publication date: September 27, 2018
Inventors: Tianfu Fu, Chong Zhou, Ziyi Liu
-
Publication number: 20170300595
Abstract: A data packet extraction method and apparatus is disclosed. Two hash values calculated based on quintuple information of different data packets of a same session are the same, that is, two calculated remainders are also the same at a same sampling ratio. When one remainder of the two calculated remainders is a preset sampling remainder, all the data packets in a network that belong to the session are extracted, so as to implement data packet extraction based on a session. When the quintuple information of the different data packets of the same session matches a first mapping table, either all the data packets of the same session can match the first mapping table, or none of the data packets of the same session can match the first mapping table, so as to implement data packet extraction based on a session.
Type: Application
Filed: June 30, 2017
Publication date: October 19, 2017
Inventors: Tianfu Fu, Chong Zhou, Yibo Zhang
-
Publication number: 20170249456
Abstract: Embodiments of the present disclosure disclose an application program integrity verification method and a network device. The method includes: performing eigenvalue calculation on data of an application program when the application program starts, to obtain a first digest of the application program (101); decrypting a stored digital signature of the application program according to a public key in an embedded key pair to obtain a second digest of the application program, where the digital signature is obtained, according to a private key in the key pair, by signing data of the application program each time the application program is updated (102), and the key pair is a manufacturer key pair corresponding to the application program; and determining that integrity verification of the application program passes if the first digest and the second digest are the same, otherwise, determining that integrity verification of the application program does not pass (103).
Type: Application
Filed: May 12, 2017
Publication date: August 31, 2017
Inventors: Tianfu FU, Chong ZHOU
-
Publication number: 20170200010
Abstract: Disclosed are a security control method and a network device. The method includes: a network device obtains confidential data generated by a software trusted platform module (TPM) running in the network device, where the confidential data includes permanent confidential data and refreshable confidential data, the permanent confidential data is data that cannot be updated during a startup process of the network device and the refreshable confidential data is data that can be updated during a startup process of the network device; the network device encrypts the permanent confidential data by using a white box algorithm and stores the permanent confidential data encrypted by using the white box algorithm and the refreshable confidential data in a storage unit whose address is hidden.
Type: Application
Filed: March 24, 2017
Publication date: July 13, 2017
Inventors: Tianfu Fu, Chong Zhou, Hao Lei, Liang Zhu, Yubai Ye
-
Publication number: 20170193220
Abstract: Disclosed are a method and an apparatus for trusted measurement, where the method includes: obtaining a first processing result by performing a first-manner processing on a code segment, and using a result obtained by performing a second-manner processing on the first processing result as a reference value; obtaining, at a first moment when the system is running, a second processing result by performing the first-manner processing on the code segment, and obtaining a first measurement value by performing the second-manner processing on the second processing result; and determining whether the first measurement value and the reference value are equal, and when the first measurement value and the reference value are equal, the system is trusted, where the code segment in the memory is a code segment that does not change with normal running of the system during one start-up and a running process of the system.
Type: Application
Filed: March 16, 2017
Publication date: July 6, 2017
Inventors: Chong ZHOU, Tianfu FU
-
Publication number: 20160330569
Abstract: A network device executes a method including receiving a request message for a first service sent by a user equipment; determining a first service requested by the request message for the first service; and sending the request message for the first service to a first value added service server.
Type: Application
Filed: July 20, 2016
Publication date: November 10, 2016
Inventors: Tianfu Fu, Zhouyi Yu
-
Publication number: 20140149549
Abstract: The present invention provides a distributed cluster processing system and a packet processing method thereof. The system includes at least one external interface unit, multiple processing units, and a switching unit, where each of the at least one external interface unit is connected between a corresponding processing unit of the multiple processing units and an external network element, and is configured to receive a packet from the external network element, forward the packet to a corresponding processing unit of the multiple directly connected processing units, and send a processed packet to the external network element; and each of the multiple processing units performs specified service processing and is respectively connected to the switching unit, so that the multiple processing units and the switching unit form a star topology structure. According to the system and the method, through a logical combination between the processing units, end-to-end high performance may be achieved.
Type: Application
Filed: January 29, 2014
Publication date: May 29, 2014
Applicant: HUAWEI TECHNOLOGIES CO., LTD.
Inventor: Tianfu FU
-
Publication number: 20130250970
Abstract: A network dial-up method includes: performing a negotiation in a Point-to-Point Protocol (PPP) discovery stage for each dial-up request respectively when more than one dial-up request is received; creating a virtual PPP interface for each dial-up request; configuring the virtual PPP interfaces; coupling the virtual PPP interfaces to a physical PPP interface, where the physical PPP interface is coupled to more than one of the virtual PPP interfaces, and the physical PPP interface performs round robin processing for the virtual PPP interfaces; and performing negotiations in a PPP session stage by way of the virtual PPP interfaces, thereby succeeding in dial-up after completing the negotiations in the PPP session stage.
Type: Application
Filed: May 16, 2013
Publication date: September 26, 2013
Applicant: Huawei Technologies Co., Ltd.
Inventors: Zhouyi Yu, Tianfu Fu, Xingrang Wang