CN116980164A - Access request processing method, system, device, computer equipment and storage medium - Google Patents
- Publication number: CN116980164A (application CN202211648797.7A)
- Authority: CN (China)
- Prior art keywords
- access
- access control
- strategy
- policy
- terminal
- Prior art date
- Legal status: Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0677—Localisation of faults
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
Abstract
The present application relates to an access request processing method, system, apparatus, computer device, storage medium and computer program product. The method comprises the following steps: when an access request is initiated, determining a runtime access policy for the access request according to a pre-allocated dynamic access control policy and access environment information associated with the access request; acquiring preset access control reference features obtained by aggregating historical access control data, where the historical access control data characterizes historical access control performed according to the dynamic access control policy on historical access requests initiated by a historical terminal in the environment described by the access environment information; comparing the features of the runtime access policy with the access control reference features to obtain a feature comparison result; and determining a target access control policy based on the feature comparison result, and performing runtime access control on the access request according to the target access control policy. The method can improve the processing efficiency of anomaly detection.
Description
Technical Field
The present application relates to the field of computer technology, and in particular, to a method, a system, an apparatus, a computer device, a storage medium, and a computer program product for processing an access request.
Background
With the development of computer technology, computer applications have become widely popularized and are involved in many aspects of life, work and entertainment. Applications running on a computer device such as a terminal can dynamically access network resources, and under different dynamic access scenarios different access controls must be performed to ensure the security of those resources; for example, different rules or policies can be set to control the access requests of the various applications running on the terminal.
At present, in access control under different dynamic access scenarios, the environment of the terminal initiating the access request is complex, and an abnormality of the terminal is difficult to locate accurately and quickly from the access result alone, so the efficiency of abnormality detection during access request processing is low.
Disclosure of Invention
In view of the foregoing, it is desirable to provide an access request processing method, apparatus, computer device, computer-readable storage medium, and computer program product that can improve the abnormality detection processing efficiency.
In a first aspect, the present application provides a method for processing an access request. The method comprises the following steps:
when an access request is initiated, determining a runtime access policy for the access request according to a pre-allocated dynamic access control policy and access environment information associated with the access request;
acquiring preset access control reference features; the access control reference features are obtained by aggregating historical access control data; the historical access control data characterizes historical access control performed according to the dynamic access control policy on historical access requests initiated by a historical terminal in the environment described by the access environment information;
comparing the features of the runtime access policy with the access control reference features to obtain a feature comparison result;
and determining a target access control policy based on the feature comparison result, and performing runtime access control on the access request according to the target access control policy.
In a second aspect, the present application further provides an application process detection processing system, where the system includes a server and a terminal, wherein:
the server is used for distributing a dynamic access control policy and preset access control reference features to the terminal;
the terminal is used for determining, when an access request is initiated, a runtime access policy for the access request according to the dynamic access control policy and the access environment information associated with the access request; acquiring the preset access control reference features, which are obtained by aggregating historical access control data, the historical access control data characterizing historical access control performed according to the dynamic access control policy on historical access requests initiated by a historical terminal in the environment described by the access environment information; comparing the features of the runtime access policy with the access control reference features to obtain a feature comparison result; and determining a target access control policy based on the feature comparison result and performing runtime access control on the access request according to the target access control policy.
In a third aspect, the application further provides an access request processing device. The device comprises:
an access request initiation response module, used for determining, when an access request is initiated, a runtime access policy for the access request according to a pre-allocated dynamic access control policy and the access environment information associated with the access request;
a reference feature acquisition module, used for acquiring preset access control reference features; the access control reference features are obtained by aggregating historical access control data; the historical access control data characterizes historical access control performed according to the dynamic access control policy on historical access requests initiated by a historical terminal in the environment described by the access environment information;
a feature comparison module, used for comparing the features of the runtime access policy with the access control reference features to obtain a feature comparison result;
and an access control policy execution module, used for determining a target access control policy based on the feature comparison result and performing runtime access control on the access request according to the target access control policy.
In a fourth aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor which, when executing the computer program, performs the steps of:
when an access request is initiated, determining a runtime access policy for the access request according to a pre-allocated dynamic access control policy and access environment information associated with the access request;
acquiring preset access control reference features; the access control reference features are obtained by aggregating historical access control data; the historical access control data characterizes historical access control performed according to the dynamic access control policy on historical access requests initiated by a historical terminal in the environment described by the access environment information;
comparing the features of the runtime access policy with the access control reference features to obtain a feature comparison result;
and determining a target access control policy based on the feature comparison result, and performing runtime access control on the access request according to the target access control policy.
In a fifth aspect, the present application also provides a computer-readable storage medium. The computer-readable storage medium has stored thereon a computer program which, when executed by a processor, performs the steps of:
when an access request is initiated, determining a runtime access policy for the access request according to a pre-allocated dynamic access control policy and access environment information associated with the access request;
acquiring preset access control reference features; the access control reference features are obtained by aggregating historical access control data; the historical access control data characterizes historical access control performed according to the dynamic access control policy on historical access requests initiated by a historical terminal in the environment described by the access environment information;
comparing the features of the runtime access policy with the access control reference features to obtain a feature comparison result;
and determining a target access control policy based on the feature comparison result, and performing runtime access control on the access request according to the target access control policy.
In a sixth aspect, the application also provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the steps of:
when an access request is initiated, determining a runtime access policy for the access request according to a pre-allocated dynamic access control policy and access environment information associated with the access request;
acquiring preset access control reference features; the access control reference features are obtained by aggregating historical access control data; the historical access control data characterizes historical access control performed according to the dynamic access control policy on historical access requests initiated by a historical terminal in the environment described by the access environment information;
comparing the features of the runtime access policy with the access control reference features to obtain a feature comparison result;
and determining a target access control policy based on the feature comparison result, and performing runtime access control on the access request according to the target access control policy.
According to the access request processing method, system, device, computer equipment, storage medium and computer program product above, a runtime access policy for the initiated access request is determined according to the pre-allocated dynamic access control policy and the access environment information; the runtime access policy is compared with access control reference features obtained by aggregating historical access control data, where the historical access control data characterizes historical access control performed according to the dynamic access control policy on historical access requests initiated by a historical terminal in the environment described by the access environment information; a target access control policy is determined according to the feature comparison result; and runtime access control is performed on the access request according to the target access control policy. During access request processing, the access control reference features aggregated from historical access control data can thus be used to perform security detection on the runtime access policy, which improves the ability to sense abnormalities in runtime access control, allows such abnormalities to be located accurately and rapidly, and improves the processing efficiency of abnormality detection during access request processing.
Drawings
FIG. 1 is an application environment diagram of a method of processing an access request in one embodiment;
FIG. 2 is a flow diagram of a method of processing an access request in one embodiment;
FIG. 3 is a flow diagram of generating access control reference features in one embodiment;
FIG. 4 is a schematic diagram of an apparatus for performing an access request processing method in one embodiment;
FIG. 5 is a schematic block diagram of a resource access process in one embodiment;
FIG. 6 is an interface diagram of access policy configuration in one embodiment;
FIG. 7 is an interface diagram of an access policy configuration in yet another embodiment;
FIG. 8 is an interface diagram of an access policy configuration in yet another embodiment;
FIG. 9 is an interface diagram of an access policy configuration in yet another embodiment;
FIG. 10 is a block diagram of an access request processing system in one embodiment;
FIG. 11 is a block diagram of an access request processing apparatus in one embodiment;
FIG. 12 is an internal block diagram of a computer device in one embodiment;
FIG. 13 is an internal structural view of a computer device in another embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The access request processing method provided by the embodiment of the application can be applied to an application environment shown in figure 1. Wherein the terminal 102 communicates with the server 104 via a network. The data storage system may store data that the server 104 needs to process. The data storage system may be integrated on the server 104 or may be located on the cloud or other servers. The server 104 may assign a dynamic access control policy to the terminal 102, the terminal 102 determines a runtime access policy for the initiated access request according to the pre-assigned dynamic access control policy and access environment information, the terminal 102 may obtain access control reference features obtained by aggregation according to historical access control data from the server 104, the historical access control data characterizing historical access control performed according to the dynamic access control policy on historical access requests initiated by the historical terminal in the environment described by the access environment information. The terminal 102 may perform feature comparison on the runtime access policy and the obtained access control reference feature, determine a target access control policy according to the feature comparison result, and perform runtime access control on the access request according to the target access control policy. In addition, the method for processing the access request provided by the embodiment of the present application may also be implemented by the terminal 102 or the server 104 alone, that is, the terminal 102 or the server 104 alone performs runtime access control for the initiated access request.
The terminal 102 may be, but not limited to, various desktop computers, notebook computers, smart phones, tablet computers, internet of things devices, and portable wearable devices, where the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart vehicle devices, and the like. The portable wearable device may be a smart watch, smart bracelet, headset, or the like. The server 104 may be implemented as a stand-alone server or as a server cluster of multiple servers.
In one embodiment, as shown in FIG. 2, there is provided an access request processing method executed by a computer device. Specifically, it may be executed by a terminal or a server, or by the terminal and the server together; in this embodiment of the present application the method is described as applied to the terminal in FIG. 1, and includes the following steps:
Step 202, when an access request is initiated, determining a runtime access policy for the access request according to a pre-allocated dynamic access control policy and access environment information associated with the access request.
Wherein the access request comprises a request message initiated by the terminal for accessing the required network resources. The network resources may include various forms of digital resources such as text, images, audio and video. Dynamic access control policies may include access control policies that need to be targeted for execution under various dynamic access scenarios. The dynamic access control policy may include different policy decision conditions, and access control policies correspondingly determined under various policy decision conditions, that is, the dynamic access control policy may include rules for determining the access control policy, and when a terminal satisfies a certain policy decision condition, the terminal may perform runtime access control on an access request according to the access control policy corresponding to the policy decision condition. The dynamic access control policies may be pre-assigned to the terminals by the server, which may pre-assign different dynamic access control policies for different terminals. For example, different dynamic access control policies may be pre-assigned for different device models of the terminal, different access scenarios applied by the terminal, different users, and so on.
The access environment information refers to information about the environment in which the terminal initiating the access request is located, and may include, for example, the application in the terminal that initiated the access request, the terminal address, the access time, the access frequency, the terminal network state, and the like. Whether the terminal initiating the access request is in a safe state can be determined from the access environment information. If the terminal is in a safe state, normal access control can be performed on the access request; if it is not, the terminal can be considered to be in an unsafe environment and possibly exhibiting abnormal behaviour, and access control can be applied to the terminal, for example by blocking the access request it initiated, so as to ensure the security of resource access. A terminal in different environments can thus have its access requests controlled by different access control policies. The access control policy determined by the runtime access policy for the terminal's access request may specifically include blocking access control, forwarding access control, secondary authentication access control or direct access control. The runtime access policy is determined according to the dynamic access control policy and the access environment information, that is, for different dynamic access control policies and access environment information the terminal can determine different runtime access policies.
Specifically, when resource access is required, the terminal may initiate an access request, where the access request may carry a resource identifier of a target resource to be accessed, so as to access the target resource. When the terminal detects that an access request is initiated, a pre-allocated dynamic access control strategy can be acquired, and the dynamic access control strategy can be pre-allocated to the terminal by the server. The dynamic access control policy may include various access control policies and policy decision conditions adapted to the terminal, so that the terminal may determine, according to the various policy decision conditions, that the access control policy adapted to the terminal performs access control. The terminal obtains the access environment information associated with the access request, and the access environment information is description information of the environment where the terminal is located when the terminal initiates the access request, and specifically may include combination information of different environment dynamic factors. The environment dynamic factor is used to describe different environment information types, and different types of environment information may correspond to different environment dynamic factors, and may include various types of network address information, physical network card information, terminal application information, and the like, for example. The type of the environment information included in the access environment information, namely the type of the included environment dynamic factors, can be flexibly set according to actual needs. 
The terminal determines a runtime access policy for the access request according to the dynamic access control policy and the access environment information; specifically, it can match the access environment information against the dynamic access control policy so as to find the access control policy that the dynamic access control policy assigns to the terminal in the environment described by the access environment information, thereby obtaining the runtime access policy for the access request.
Step 204, obtaining preset access control reference features; the access control reference features are obtained by aggregating historical access control data; and the historical access control data characterizes historical access control performed according to the dynamic access control policy on historical access requests initiated by a historical terminal in the environment described by the access environment information.
The access control reference features are obtained by aggregation according to historical access control data, wherein the historical access control data characterizes historical access requests initiated by a historical terminal in an environment described by access environment information, and the historical access control is performed according to a dynamic access control strategy. The historical access control data can record historical access control on the historical terminal in the environment described by the access environment information according to the dynamic access control strategy, and the access control reference characteristic can be obtained by aggregation based on the historical access control data. The access control reference feature may represent a reference access control of the history terminal with respect to the history access request, and if the access control with respect to the access request deviates from the access control reference feature, it may be considered that there is an abnormality in the access control of the terminal, and processing is required.
Specifically, the terminal may acquire preset access control reference features, where the access control reference features may be obtained by aggregating collected historical access control data according to actual needs in advance. For example, the terminal or the server may obtain the history access control data in advance, parse the history access control data, determine the access environment information of the environment where the history terminal initiating the history access request is located in each history access control data, and determine the access control policy to which the history access control belongs when performing the history access control based on the dynamic access control policy, where the terminal or the server constructs the access control feature of the corresponding history access control data based on the access environment information, the dynamic access control policy and the access control policy, and aggregate the access control features of each history access control data, so as to obtain the access control reference feature. In a specific implementation, for the access control features of each historical access control data, the terminal or the server can aggregate according to the access control features with the same access environment information, access control policy and dynamic access control policy to form access control reference features.
Further, the terminal can acquire preset access control reference features, the access control reference features can be obtained by the server through aggregation according to historical access control data in advance and sent to the terminal, so that the terminal can perform security detection on the determined runtime access policy according to the access control reference features, and normal processing of the determination of the runtime access policy can be ensured.
Step 206, comparing the features of the runtime access policy with the access control reference features to obtain a feature comparison result.
Feature comparison means comparing the features of the runtime access policy with the access control reference features so as to determine the difference between them; the difference is characterized by the feature comparison result.
Specifically, the terminal can compare the features of the runtime access policy with the access control reference features. It can determine the feature comparison items of the runtime access policy and compare each determined feature comparison item with the corresponding reference feature item in the access control reference features, thereby obtaining a feature comparison result that indicates whether the runtime access policy deviates from the access control reference features.
Step 208, determining a target access control policy based on the feature comparison result, and performing runtime access control on the access request according to the target access control policy.
The target access control policy is determined access control policy requiring run-time access control for the initiated access request. The target access control policy may be determined based on the feature comparison result, thereby ensuring security when processing the access request according to the target access control policy. Run-time access control refers to a specific access control processing mode in a running process aiming at an initiated access request.
Specifically, the terminal may determine a target access control policy according to the obtained feature comparison result, and perform runtime access control on the access request according to the determined target access control policy, for example, forward the access request to the gateway for access, block the access request, directly connect the access request or trigger for secondary authentication, and so on. In this embodiment, the terminal performs feature comparison on the access policy during operation and the access control reference feature, so that the access control reference feature can be used to perform security detection on the access policy during operation determined by the terminal, and the target access control policy is determined according to the feature comparison result, so that security of access control during operation can be further ensured.
In a specific application, if the feature comparison result indicates that the feature comparison result is consistent, it can be determined that the run-time access policy of the terminal is not different from the access control reference feature, it can be considered that no abnormality occurs in the process of determining the run-time access policy of the terminal, and the run-time access policy can be determined as a target access control policy so as to perform run-time access control on the access request through the target access control policy. In a specific application, if the feature comparison result indicates that the feature comparison is inconsistent, that is, the run-time access policy of the terminal has deviation from the access control reference feature, it can be considered that the terminal may be abnormal in the process of determining the run-time access policy, and the terminal can determine the configuration information according to the preset policy, and determine the target access control policy according to the run-time access policy and the access control reference feature. For example, the terminal may determine the runtime access policy as the target access control policy or the reference policy in the access control reference feature as the target access control policy according to the policy decision configuration information.
In the above access request processing method, a runtime access policy for the initiated access request is determined according to the pre-allocated dynamic access control policy and access environment information, the runtime access policy is compared with access control reference features obtained by aggregating according to historical access control data, the historical access control data characterizes historical access requests initiated by a historical terminal in an environment described by the access environment information, a target access control policy is determined according to the feature comparison result according to the historical access control performed by the dynamic access control policy, and the runtime access control is performed on the access requests according to the target access control policy. In the access request processing process, the access control reference characteristics obtained by aggregation according to the historical access control data can be utilized to carry out security detection on the access strategy in the operation process, so that the sensing capability of the abnormality in the access control process in the operation process is improved, the abnormality in the access control process in the operation process can be accurately and rapidly positioned, and the processing efficiency of abnormality detection in the access request processing process is improved.
In one embodiment, performing feature comparison on the runtime access policy and the access control reference feature to obtain a feature comparison result includes: determining a feature comparison item according to the runtime access policy, the dynamic access control policy and the access environment information; and performing feature comparison on the feature comparison item and a reference feature item of the access control reference feature to obtain the feature comparison result.
The feature comparison items are items for feature comparison, and different feature comparison items can correspond to different types of data, for example, a runtime access policy can be used as a feature comparison item, a dynamic access control policy can be used as a feature comparison item, and access environment information can be used as a feature comparison item. In addition, specific different types of data in the run-time access strategy, the dynamic access control strategy and the access environment information can be respectively used as the feature comparison items, so that the feature comparison items with different granularities can be constructed. The reference feature item is an item for feature comparison in the access control reference feature, and the feature dimension of the reference feature item is matched with the feature comparison item, so that the feature comparison item and the reference feature item can be subjected to feature comparison.
Specifically, the terminal may determine the feature comparison item according to the runtime access policy, the dynamic access control policy and the access environment information, for example, the terminal may use the dynamic access control policy and the access environment information as the feature comparison item for determining the access control policy, and use the runtime access policy as the feature comparison item for characterizing the specifically determined access control policy. The terminal can determine a reference feature item of the access control reference feature, and perform feature comparison on the feature comparison item and the reference feature item, for example, data included in the feature comparison item can be matched, so that a feature comparison result is obtained.
In the embodiment, the terminal performs feature comparison on the feature comparison item determined based on the runtime access policy, the dynamic access control policy and the access environment information and the reference feature item of the access control reference feature, so that the security detection on the runtime access policy determined by the terminal by using the access control reference feature is realized, the sensing capability of abnormality in the runtime access control process is improved, and thus, the abnormality occurring in the determination process of the runtime access policy can be accurately and rapidly positioned, and the processing efficiency of abnormality detection in the processing process of the access request is improved.
In one embodiment, the reference feature items comprise a policy decision condition feature item and a policy decision result feature item; performing feature comparison on the feature comparison item and a reference feature item of the access control reference feature to obtain a feature comparison result includes: matching the dynamic access control policy and the access environment information in the feature comparison item with the policy decision condition feature item of the access control reference feature to obtain a feature item matching result; and when the feature item matching result indicates that the matching is consistent, performing feature comparison on the runtime access policy in the feature comparison item and the policy decision result feature item to obtain the feature comparison result.
The policy decision condition feature item is the decision condition on which it was decided to perform historical access control on a historical access request according to a corresponding access control policy, and specifically may include the access environment information of the environment where the historical terminal was located and the dynamic access control policy pre-allocated to the historical terminal. The policy decision result feature item is the access control policy that was specifically determined, on the basis of the policy decision condition feature item, for performing the historical access control, and may include, but is not limited to, blocking access control, forwarding access control, secondary authentication access control or direct access control. The reference feature items of the access control reference feature therefore include a policy decision condition feature item, which records the decision rule on which the control policy for the historical access request was determined, and a policy decision result feature item, which describes the control policy specifically determined for that historical access request. The two are related to each other: the corresponding policy decision result feature item can be determined from the policy decision condition feature item, and different policy decision condition feature items may yield different policy decision result feature items.
Specifically, the terminal may determine the policy decision condition feature item from the reference feature item, and match the dynamic access control policy and the access environment information in the feature comparison item with the policy decision condition feature item; in particular, the dynamic access control policy and the access environment information may each be matched against the decision conditions included in the policy decision condition feature item, to obtain a feature item matching result. If the feature item matching result indicates that the matching is consistent, the terminal has found a policy decision condition feature item that is the same as the current dynamic access control policy and access environment information, and the terminal determines the policy decision result feature item of the reference feature item to which that policy decision condition feature item belongs. The terminal then performs feature comparison on the determined runtime access policy and the policy decision result feature item; specifically, it may compare whether the runtime access policy is consistent with the access control policy contained in the policy decision result feature item, so as to obtain the feature comparison result. In addition, if no policy decision condition feature item in the reference feature items matches the dynamic access control policy and the access environment information, the terminal may determine the runtime access policy as the target access control policy and perform runtime access control on the access request according to the target access control policy.
In this embodiment, the terminal performs feature item matching on the current dynamic access control policy and access environment information against the policy decision condition feature item, and performs feature comparison on the current runtime access policy against the policy decision result feature item of the reference feature item whose matching was consistent. This implements security detection on the runtime access policy determined by the terminal using the policy decision condition feature item and the policy decision result feature item, improves the ability to sense abnormalities in runtime access control, allows abnormalities occurring during the determination of the runtime access policy to be located accurately and quickly, and improves the processing efficiency of abnormality detection during access request processing.
In one embodiment, determining the target access control policy based on the feature comparison result includes: when the feature comparison result indicates that the comparison is consistent, determining the runtime access policy as the target access control policy.
Specifically, a feature comparison result indicating that the comparison is consistent means that the runtime access policy determined by the terminal is the same as the reference policy included in the access control reference feature, that is, the process by which the terminal determined the runtime access policy produced no abnormality. The terminal can therefore directly determine the runtime access policy as the target access control policy, so that runtime access control is performed on the access request through the runtime access policy determined by the terminal.
In this embodiment, when the feature comparison result indicates that the comparison is consistent, which characterizes that no abnormality occurred in the process of determining the runtime access policy, the terminal directly determines the runtime access policy as the target access control policy. Security detection of the runtime access policy is thereby realized, and the processing efficiency of abnormality detection is improved.
In one embodiment, determining the target access control policy based on the feature comparison result includes: when the feature comparison result indicates that the comparison is inconsistent, determining the target access control policy according to the runtime access policy and the reference policy in the access control reference feature, on the basis of preset policy decision configuration information.
The policy decision configuration information is preset configuration information for making the access control policy decision when the runtime access policy determined by the terminal differs from the reference policy included in the access control reference feature. The policy decision configuration information may be preset according to actual needs. The reference policy refers to the access control policy for the historical access request that is included in the access control reference feature.
Specifically, when the feature comparison result indicates that the comparison is inconsistent, the terminal can acquire the preset policy decision configuration information, and determine the target access control policy according to the reference policy in the access control reference feature and the runtime access policy on the basis of that configuration information. For example, the policy decision configuration information may specify that the reference policy is determined as the target access control policy, that the runtime access policy is determined as the target access control policy, or that a specific access control policy is used; for instance, it may directly specify blocking access control.
In this embodiment, when the feature comparison result indicates that the comparison is inconsistent, which characterizes that an abnormality may have occurred in the process of determining the runtime access policy, the terminal determines the target access control policy on the basis of the preset policy decision configuration information. Security detection of the runtime access policy is thereby realized, and the processing efficiency of abnormality detection is improved. Moreover, determining the target access control policy on the basis of the policy decision configuration information ensures the security of the access control.
In one embodiment, performing runtime access control on the access request according to the target access control policy includes: obtaining an access control precondition matched with the target access control policy; and when it is detected that the access control precondition is satisfied, performing runtime access control on the access request according to the target access control policy.
The access control precondition is a precondition that must be satisfied when runtime access control is performed according to the target access control policy; when the access control precondition is satisfied, runtime access control on the access request according to the target access control policy is triggered. The access control precondition is matched to the access control policy, that is, different types of access control policies may be provided with different access control preconditions.
Specifically, the terminal obtains the access control precondition matched with the target access control policy; in particular, the terminal can query the matched access control precondition according to the type of the target access control policy. The terminal then performs detection according to the access control precondition to determine whether the precondition for runtime access control according to the target access control policy is satisfied. If it detects that the access control precondition is satisfied, the terminal can perform runtime access control on the access request according to the target access control policy.
In this embodiment, the terminal performs runtime access control on the access request according to the target access control policy only under the condition that the access control precondition matched with the target access control policy is satisfied. This performs security detection on the execution of the target access control policy, ensures that normal runtime access control can be performed according to the target access control policy, realizes security detection on the execution of the runtime access policy, and helps to improve the processing efficiency of abnormality detection.
In one embodiment, the target access control policy includes blocking access control; the access control precondition includes a blocking decision condition item; and performing runtime access control on the access request according to the target access control policy when it is detected that the access control precondition is satisfied includes: determining decision basis information for the blocking access control; matching the decision basis information with the blocking decision condition item to obtain a precondition matching result; and when the precondition matching result indicates that the blocking decision condition item is satisfied, performing blocking access control on the access request at runtime.
Here, blocking access control is an access control policy indicating that blocking processing is performed on the access request. The blocking decision condition item is a precondition for checking the decision basis of the blocking access control: the decision basis of the blocking access control is required to satisfy the blocking decision condition item, so that it can be determined that the blocking access control was obtained through a normal determination. The decision basis information is the decision basis on which the blocking access control was determined, that is, the terminal determined the blocking access control on the basis of the decision basis information; it specifically may include the pre-allocated dynamic access control policy and the access environment information associated with the access request. By checking the decision basis information of the blocking access control, it can be determined whether the blocking access control satisfies the access control precondition. The precondition matching result characterizes the difference between the decision basis information and the blocking decision condition item.
Specifically, if the target access control policy includes blocking access control, the terminal may acquire the access control precondition matching the blocking access control, which specifically includes a blocking decision condition item. The blocking decision condition item may include the various decision rules under which blocking access control is determined for an access request. The terminal may determine the decision basis information for the blocking access control, which specifically may be determined on the basis of the pre-allocated dynamic access control policy and the access environment information associated with the access request. The terminal then matches the decision basis information with the blocking decision condition item to obtain a precondition matching result. If the precondition matching result indicates that the blocking decision condition item is satisfied, that is, the decision basis information on which the terminal determined the blocking access control conforms to the corresponding decision rule for blocking access control, the access control precondition is satisfied and the terminal can perform blocking access control on the access request at runtime.
In addition, if the precondition matching result indicates that the blocking decision condition item is not satisfied, that is, the access control precondition is not satisfied, the terminal may suspend the runtime access control of the access request according to the blocking access control and generate a prompt message indicating a blocking access control abnormality; the terminal may report the prompt message to the server, thereby notifying the server of the abnormality in the execution of the blocking access control.
In this embodiment, for blocking access control, the terminal matches the decision basis information of the blocking access control with the blocking decision condition item, and performs blocking access control on the access request at runtime if the precondition matching result indicates that the blocking decision condition item is satisfied. This performs security detection on the execution of the blocking access control, ensures that normal blocking access control can be performed for the access request, discovers abnormalities in the execution of the blocking access control in time, and helps to improve the processing efficiency of abnormality detection.
In one embodiment, the target access control policy includes forwarding access control; the access control preconditions include access ticket validation conditions; when the condition that the access control precondition is met is detected, performing the operation time access control on the access request according to the target access control strategy, wherein the operation time access control comprises the following steps: acquiring an access ticket of an access request; and when the access ticket meets the access ticket verification condition, forwarding the access request to the gateway to instruct the gateway to access according to the access request.
Here, forwarding access control refers to an access control policy that forwards the access request to a gateway so that the gateway performs the access on the basis of the access request. The access ticket verification condition is a precondition for checking the access ticket of the access request: the access ticket of the access request needs to satisfy the access ticket verification condition before runtime access control is performed on the access request according to the forwarding access control, so that it can be determined that the forwarding access control can be executed normally. The access ticket is the credential with which the access request is made, and the legitimacy of the access can be ensured by verifying the access ticket. The access ticket may be generated from the various parameters that need to be verified when the resource is accessed, and specifically may include, but is not limited to, the source IP or domain name, the source port, the destination IP or domain name, the destination port, and the process PID (Process Identity) corresponding to the application. The legitimacy of the access ticket of the access request is verified through the access ticket verification condition, so that the access request can be executed normally.
Specifically, if the target access control policy includes forwarding access control, the terminal may obtain the access control precondition matched with the forwarding access control, which specifically includes an access ticket verification condition. The access ticket verification condition may include the various verification conditions that the access ticket of an access request is required to satisfy. The terminal acquires the access ticket of the access request and compares it with the access ticket verification condition; if the access ticket satisfies the access ticket verification condition, the access request is legitimate, and the terminal can forward the access request to the gateway to instruct the gateway to perform the access according to the access request. In addition, if the access ticket does not satisfy the access ticket verification condition, the access control precondition is not satisfied; the terminal can refuse to forward the access request and generate a prompt message indicating a forwarding access control abnormality, and can report the prompt message to the server, thereby notifying the server of the abnormality in the execution of the forwarding access control.
In this embodiment, for forwarding access control, the terminal verifies the access ticket of the access request through the access ticket verification condition, and forwards the access request to the gateway, to instruct the gateway to perform the access according to the access request, only when the access ticket satisfies the access ticket verification condition. This performs security detection on the execution of the forwarding access control, ensures that normal forwarding access control can be performed for the access request, discovers abnormalities in the execution of the forwarding access control in time, and helps to improve the processing efficiency of abnormality detection.
In one embodiment, the target access control policy includes a secondary authentication access control; the access control preconditions include a secondary authentication pass condition; when the condition that the access control precondition is met is detected, performing the operation time access control on the access request according to the target access control strategy, wherein the operation time access control comprises the following steps: acquiring secondary authentication information aiming at an access request; and when the secondary authentication information meets the secondary authentication passing condition, forwarding the access request to the gateway so as to instruct the gateway to access according to the access request.
The secondary authentication access control is an access control policy indicating that secondary authentication is performed on the access request, and access processing is performed on the access request only after the secondary authentication is passed. The secondary authentication passing condition is a precondition for checking the secondary authentication information of the access request: the secondary authentication information of the access request needs to satisfy the secondary authentication passing condition before it can be determined that the secondary authentication access control can be executed normally. The secondary authentication information is the authentication information generated by performing authentication processing again for the access request. Whether the initiated access request passes the secondary authentication can be determined on the basis of the secondary authentication information, so that the security of the access can be ensured by the secondary authentication. The secondary authentication passing condition is used to check the secondary authentication information so as to ensure that the access request can be executed normally.
Specifically, if the target access control policy includes secondary authentication access control, the terminal may acquire the access control precondition matching the secondary authentication access control, which specifically includes a secondary authentication passing condition. The secondary authentication passing condition may include the various verification conditions that the secondary authentication information of an access request is required to satisfy. The terminal acquires the secondary authentication information for the access request and compares it with the secondary authentication passing condition; if the secondary authentication information satisfies the secondary authentication passing condition, the access request is legitimate, and the terminal can forward the access request to the gateway to instruct the gateway to perform the access according to the access request. In addition, if the secondary authentication information does not satisfy the secondary authentication passing condition, the access control precondition is not satisfied; the terminal can refuse to forward the access request and generate a prompt message indicating a secondary authentication access control abnormality, and can report the prompt message to the server, thereby notifying the server of the abnormality in the execution of the secondary authentication access control.
In this embodiment, for the secondary authentication access control, the terminal may verify the secondary authentication information of the access request through the secondary authentication passing condition, and in the case that the secondary authentication information meets the secondary authentication passing condition, the terminal may forward the access request to the gateway to instruct the gateway to access according to the access request, so as to perform security detection on the execution of the secondary authentication access control, so as to ensure that normal secondary authentication access control can be performed for the access request, and timely discover an abnormality in the execution of the secondary authentication access control, thereby being beneficial to improving the processing efficiency of abnormality detection.
In one embodiment, the target access control policy includes direct access control; the access control preconditions include a direct connection decision condition; when the condition that the access control precondition is met is detected, performing the operation time access control on the access request according to the target access control strategy, wherein the operation time access control comprises the following steps: determining a target access resource aimed by the access request; and when the target access resource meets the direct connection judging condition, directly accessing the target access resource through the access request.
Direct access control refers to an access control policy that performs the access directly on the basis of the access request, that is, without blocking, forwarding or secondary authentication. The direct connection decision condition is a precondition for checking the target access resource at which the access request is directed: the target access resource of the access request needs to satisfy the direct connection decision condition, so that it can be determined that the direct access control was obtained through normal processing. The target access resource is the network resource that the access request requests to access, and different access control policies can be set for different target access resources. That is, when the target access resource of the access request belongs to the network resources for which runtime access control is to be performed according to direct access control, it can be determined that the direct access control was obtained through normal processing, so that the security of the direct access control is ensured.
Specifically, if the target access control policy includes direct access control, the terminal may obtain the access control precondition matched with the direct access control, which specifically includes a direct connection decision condition. The direct connection decision condition may list the various network resources for which runtime access control is performed by direct access control. The terminal determines the target access resource at which the access request is directed and compares it with the direct connection decision condition; if the target access resource satisfies the direct connection decision condition, the direct access control for the access request is legitimate, the access control precondition is satisfied, and the terminal can directly access the target access resource through the access request. In addition, if the target access resource does not satisfy the direct connection decision condition, the access control precondition is not satisfied; the terminal can refuse to perform runtime access control on the access request according to the direct access control, generate a prompt message indicating a direct access control abnormality, and report the prompt message to the server, thereby notifying the server of the abnormality in the execution of the direct access control.
In this embodiment, for direct access control, the terminal may verify the target access resource to which the access request is directed through the direct access determination condition, and in the case that the target access resource meets the direct access determination condition, the terminal may directly access the target access resource through the access request, so as to perform security detection on execution of the direct access control, ensure that normal direct access control can be performed for the access request, and timely discover an abnormality in execution of the direct access control, thereby being beneficial to improving processing efficiency of abnormality detection.
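The four precondition checks described above (blocking decision condition item, access ticket verification condition, secondary authentication passing condition, direct connection decision condition), as an added example that is not the patent's own code; the policy names, the keyed-hash ticket format, the decision rules and the resource list are constructed assumptions, and a failed precondition withholds the action and produces the abnormality prompt the terminal would report to the server:

```python
"""Precondition checks before a target access control policy is executed at runtime.
Added example (not the patent's own code); names, the ticket format and the
decision rules are assumptions constructed for the demonstration."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

BLOCK, FORWARD, SECOND_AUTH, DIRECT = "block", "forward", "secondary_auth", "direct"


@dataclass(frozen=True)
class AccessRequest:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    pid: int                              # process PID of the requesting application
    ticket: Optional[str] = None          # access ticket (forwarding access control)
    second_auth: Optional[dict] = None    # secondary authentication information


@dataclass
class ControlResult:
    action: str                  # what the terminal does with the request
    alert: Optional[str] = None  # prompt message reported to the server on a failed precondition


# Constructed blocking decision condition item: decision rules under which "block" is the
# normally determined policy.  A rule is satisfied when every listed field of the decision
# basis (dynamic policy + access environment) carries the listed value.
BLOCKING_RULES = [
    {"dynamic_policy": {"mode": "strict"}, "env": {"network": "public"}},
    {"dynamic_policy": {"mode": "deny_unknown"}, "env": {"device_trusted": False}},
]

# Constructed key shared between terminal and gateway for the access ticket (assumption).
TICKET_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed direct connection decision condition: resources allowed for direct access.
DIRECT_RESOURCES = {("10.0.0.5", 443), ("10.0.0.9", 22)}


def make_ticket(req: AccessRequest) -> str:
    """Access ticket over the parameters the patent lists (source/destination IP and port,
    process PID) as a keyed hash; the real ticket format is not specified by the page."""
    msg = f"{req.src_ip}:{req.src_port}>{req.dst_ip}:{req.dst_port}#{req.pid}".encode()
    return hmac.new(TICKET_KEY, msg, hashlib.sha256).hexdigest()


def ticket_valid(req: AccessRequest) -> bool:
    """Access ticket verification condition: the ticket must bind this request's parameters."""
    if not req.ticket:
        return False
    return hmac.compare_digest(req.ticket, make_ticket(req))


def blocking_precondition_met(basis: dict) -> bool:
    """Match the decision basis information against the blocking decision condition item."""
    def rule_matches(rule: dict) -> bool:
        return all(basis.get(group, {}).get(k) == v
                   for group, wanted in rule.items() for k, v in wanted.items())
    return any(rule_matches(rule) for rule in BLOCKING_RULES)


def second_auth_passed(info: Optional[dict]) -> bool:
    """Secondary authentication passing condition (constructed): a verified result
    obtained through one of the accepted authentication methods."""
    return bool(info) and info.get("verified") is True and info.get("method") in {"otp", "push"}


def direct_allowed(req: AccessRequest) -> bool:
    """Direct connection decision condition: the target resource must be on the direct list."""
    return (req.dst_ip, req.dst_port) in DIRECT_RESOURCES


def enforce(policy: str, req: AccessRequest, basis: Optional[dict] = None) -> ControlResult:
    """Runtime access control on `req` under `policy`, executed only when the matching
    access control precondition holds; otherwise the action is withheld and an
    abnormality prompt is produced for reporting to the server."""
    if policy == BLOCK:
        if blocking_precondition_met(basis or {}):
            return ControlResult("blocked")
        return ControlResult("suspended", "blocking access control abnormality")
    if policy == FORWARD:
        if ticket_valid(req):
            return ControlResult("forwarded_to_gateway")
        return ControlResult("refused", "forwarding access control abnormality")
    if policy == SECOND_AUTH:
        if second_auth_passed(req.second_auth):
            return ControlResult("forwarded_to_gateway")
        return ControlResult("refused", "secondary authentication access control abnormality")
    if policy == DIRECT:
        if direct_allowed(req):
            return ControlResult("direct_access")
        return ControlResult("refused", "direct access control abnormality")
    return ControlResult("refused", f"unknown policy {policy}")
```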
In one embodiment, the access request processing method further includes: when the access control reference feature is not acquired, determining the runtime access policy as the target access control policy and performing runtime access control on the access request according to the target access control policy; and generating policy determination description information according to the dynamic access control policy, the access environment information and the runtime access policy, and reporting the policy determination description information to the server.
The policy determination description information is generated according to the dynamic access control policy, the access environment information and the runtime access policy and is used for describing the processing procedure of determining the target access control policy by the terminal.
Specifically, the terminal acquires a preset access control reference feature, and if the terminal does not acquire the access control reference feature, the security detection of the runtime access policy based on the access control reference feature cannot be performed. The terminal may directly determine the runtime access policy as the target access control policy, and perform runtime access control on the access request according to the target access control policy. Further, the terminal may generate policy determination description information based on the dynamic access control policy, the access environment information, and the runtime access policy, so as to describe a process of determining the target access control policy by the terminal through the policy determination description information, and the terminal may report the generated policy determination description information to the server, so that the server performs exception analysis. In a specific application, after receiving the policy determination description information, the server can analyze the policy determination description information to determine whether the terminal is abnormal, and if the terminal is abnormal, the server can perform corresponding processing, such as blocking processing, on the access of the terminal; if the terminal is not abnormal, the server can send the access control reference characteristic to the terminal so that the terminal can perform security detection on the determination process of the run-time access strategy based on the access control reference characteristic.
In this embodiment, under the condition that the access control reference feature is not acquired, the terminal may directly perform the runtime access control on the access request based on the runtime access policy, generate policy determination description information based on the dynamic access control policy, the access environment information and the runtime access policy, and report the generated policy determination description information to the server, so that the server may perform security detection on the access request initiated by the terminal, and may discover an abnormality in the runtime access control in time, thereby being beneficial to improving the processing efficiency of abnormality detection.
In one embodiment, the access request processing method further includes: when the feature comparison result indicates that the comparison is inconsistent, generating abnormality alarm information for the access request, and reporting the abnormality alarm information to the server.
The abnormality alarm information is used to raise an alarm for the access request initiated by the terminal, and the terminal can report it to the server so that the server learns of the terminal's abnormal condition in time. Specifically, a feature comparison result indicating inconsistency means that a deviation exists between the runtime access policy of the terminal and the access control reference feature, so the terminal can be considered to have been abnormal in the process of determining the runtime access policy. The terminal can then generate abnormality alarm information for the access request; specifically, it marks the access request as abnormal and generates the abnormality alarm information from the request information of the access request. The terminal reports the abnormality alarm information to the server so that the server can perform exception processing on the access request in time based on that information; for example, the server can block the access of the access request in time.
In this embodiment, when the feature comparison result indicates that the comparison is inconsistent, the terminal may generate abnormality alarm information for the access request and report it to the server, so that an abnormality in the terminal's runtime access policy is reported in time. This improves the ability to perceive abnormalities in runtime access control, so that such abnormalities can be located accurately and rapidly, and improves the processing efficiency of abnormality detection during access request processing.
In one embodiment, the access request processing method further includes: when it is detected that the access control precondition matched with the target access control policy is not met, generating abnormality alarm information for the access request, and reporting the abnormality alarm information to the server.
The access control precondition is a condition that must be met before runtime access control is performed according to the target access control policy; when the access control precondition is met, runtime access control on the access request according to the target access control policy is triggered. Specifically, if the terminal detects that the access control precondition matched with the target access control policy is not met, the terminal does not satisfy the execution condition of the target access control policy, and it can be considered that an abnormality may have occurred in the terminal's runtime access policy processing. The terminal may generate abnormality alarm information for the access request; specifically, it may mark the access request as abnormal and generate the abnormality alarm information from the request information of the access request. The terminal reports the abnormality alarm information to the server so that the server can perform exception processing on the access request in time based on that information.
In this embodiment, when the access control precondition matched with the target access control policy is detected not to be met, the terminal may generate abnormality alarm information for the access request and report it to the server, so that an abnormality in the terminal's execution of the runtime access policy is reported in time. This improves the ability to perceive abnormalities in runtime access control, so that such abnormalities can be located accurately and rapidly, and improves the processing efficiency of abnormality detection during access request processing.
In one embodiment, the access request processing method further includes: when the access control result aiming at the access request shows that the access control is abnormal, generating abnormal alarm information aiming at the access request, and reporting the abnormal alarm information to a server.
The access control result is the control result produced by performing runtime access control on the access request according to the target access control policy; an access control result that represents an access control abnormality indicates that an abnormality occurred while the terminal performed runtime access control on the access request according to the target access control policy. Specifically, the terminal may obtain the access control result for the access request and determine whether it is abnormal, for example by determining whether it meets the expected access control result. If the access control result does not meet the expected access control result, an abnormality may have occurred in the terminal's runtime access control for the access request, and the terminal may generate abnormality alarm information for the access request and report it to the server, so that the server performs exception processing for the access request in time based on that information.
In this embodiment, when the access control result for the access request indicates that the access control is abnormal, the terminal may generate abnormality alarm information for the access request and report it to the server, so that an abnormality in the execution result of the terminal's runtime access policy is reported in time. This improves the ability to perceive abnormalities in runtime access control, so that such abnormalities can be located accurately and rapidly, and improves the processing efficiency of abnormality detection during access request processing.
In one embodiment, the access request processing method further includes: when the terminal information acquisition condition is met, acquiring terminal auxiliary analysis data, and reporting the terminal auxiliary analysis data to the server; the terminal auxiliary analysis data includes at least one of terminal item data or terminal configuration data.
The terminal information acquisition condition is a trigger condition for acquiring terminal information; for example, it can be actively triggered by a user, or triggered when a preset condition is met, such as when it is detected that an abnormality may exist in the runtime access control process of an access request. The terminal auxiliary analysis data includes at least one of terminal item data or terminal configuration data, and the server can accurately locate the terminal's abnormality based on it. The terminal item data can include item data present on the terminal, in particular conflicting item data, and can be obtained by a detection component on the terminal; the terminal configuration data can include various configuration data of the terminal, and can be obtained by performing configuration diagnosis on the terminal.
Specifically, when a preset terminal information acquisition condition is met, such as active triggering by a user or detection that an abnormality may exist in the runtime access control process of the access request, the terminal may acquire terminal auxiliary analysis data including at least one of terminal item data or terminal configuration data. The terminal can report the acquired terminal auxiliary analysis data to the server so that the server can perform anomaly analysis on the terminal using it.
In this embodiment, when the terminal information acquisition condition is met, the terminal may report the collected terminal auxiliary analysis data, including at least one of terminal item data or terminal configuration data, to the server, so that the collected terminal information is reported in time. This helps the server perform targeted anomaly analysis for the terminal based on the terminal auxiliary analysis data, so that anomalies in runtime access control can be located accurately and rapidly, and improves the processing efficiency of anomaly detection during access request processing.
In one embodiment, the access request processing method further includes: obtaining an access control result aiming at an access request; when the access control result does not meet the expected access control result, performing exception analysis based on the access control result to obtain an exception analysis result; when the abnormality analysis result characterizes the access control abnormality, generating abnormality alarm information aiming at the access request, and reporting the abnormality alarm information to the server.
The access control result is the control result produced by performing runtime access control on the access request according to the target access control policy. The expected access control result is the control result that normal runtime access control on the access request according to the target access control policy would produce.
Specifically, the terminal may acquire the access control result for the access request and determine the expected access control result for it. The terminal can compare the two; if the access control result does not meet the expected access control result, for example if the two differ, the terminal can perform exception analysis based on the access control result to obtain an exception analysis result. In a specific implementation, the terminal can perform this exception analysis based on the access control result in combination with the acquired terminal information. If the exception analysis result represents an access control abnormality, the terminal can generate abnormality alarm information for the access request and report it to the server.
In this embodiment, when the access control result for the access request does not meet the expected access control result, and the exception analysis result obtained by analysing the access control result represents an access control abnormality, the terminal may generate abnormality alarm information for the access request and report it to the server, so that an abnormality in the execution result of the terminal's runtime access policy is reported in time. This improves the ability to perceive abnormalities in runtime access control, so that such abnormalities can be located accurately and rapidly, and improves the processing efficiency of abnormality detection during access request processing.
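The terminal-side checks described in the embodiments above (fallback when no reference feature is acquired, reference feature comparison, access control precondition check, and actual-versus-expected result check) can be put together in one routine. The following is an added illustration, not code from the patent; the policy names, the result and precondition tables, the reference feature key layout and the `Alarm`/`Outcome` types are assumptions. On a comparison mismatch the routine only raises an alarm and leaves disposition to the server, which is also an assumption, since the description says the server decides on blocking.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed mapping from each access control policy to the result a normal
# execution is expected to produce (the "expected access control result").
EXPECTED_RESULT: Dict[str, str] = {
    "block": "blocked",
    "forward": "forwarded",
    "secondary_auth": "auth_challenged",
    "direct": "connected_direct",
}

# Constructed access control preconditions: what must hold on the terminal
# before a given policy may be executed.
PRECONDITIONS: Dict[str, Callable[[dict], bool]] = {
    "block": lambda state: True,
    "forward": lambda state: state.get("gateway_reachable", False),
    "secondary_auth": lambda state: state.get("user_logged_in", False),
    "direct": lambda state: state.get("physical_nic_up", False),
}

@dataclass
class Alarm:
    kind: str        # feature_mismatch | precondition_failed | result_mismatch
    request_id: str
    detail: str

@dataclass
class Outcome:
    target_policy: str
    alarms: List[Alarm] = field(default_factory=list)
    # Policy determination description information; only produced when no
    # access control reference feature could be acquired.
    description: Optional[dict] = None

def feature_key(env_info: dict, dynamic_policy_id: str) -> Tuple:
    """Key under which the reference feature is looked up (assumed layout)."""
    return (tuple(sorted(env_info.items())), dynamic_policy_id)

def process_access_request(request_id: str, dynamic_policy_id: str, env_info: dict,
                           runtime_policy: str, reference_feature: Optional[dict],
                           state: dict, execute: Callable[[str], str]) -> Outcome:
    """Runs the terminal-side checks: reference feature comparison, precondition
    check, and actual-vs-expected result check, collecting alarms for the server."""
    out = Outcome(target_policy=runtime_policy)
    if reference_feature is None:
        # No reference feature acquired: apply the runtime policy directly and
        # describe how it was determined so the server can analyse it.
        out.description = {
            "dynamic_policy": dynamic_policy_id,
            "env": env_info,
            "runtime_policy": runtime_policy,
        }
    else:
        expected = reference_feature.get(feature_key(env_info, dynamic_policy_id))
        if expected is not None and expected != runtime_policy:
            # Comparison inconsistent: the terminal's decision deviates from the
            # aggregated reference; alarm and leave disposition to the server.
            out.alarms.append(Alarm("feature_mismatch", request_id,
                                    f"runtime={runtime_policy} reference={expected}"))
    if not PRECONDITIONS[out.target_policy](state):
        # Precondition not met: alarm and do not execute the policy.
        out.alarms.append(Alarm("precondition_failed", request_id,
                                f"precondition for {out.target_policy} not met"))
        return out
    result = execute(out.target_policy)
    if result != EXPECTED_RESULT[out.target_policy]:
        # Actual effect differs from the expected effect: alarm.
        out.alarms.append(Alarm("result_mismatch", request_id,
                                f"got {result}, expected {EXPECTED_RESULT[out.target_policy]}"))
    return out

def alarm_kinds(out: Outcome) -> List[str]:
    """Convenience accessor: the kinds of alarms that would be reported."""
    return [a.kind for a in out.alarms]
```

A reference feature entry that is absent for the current condition (rather than present and different) is treated as "nothing to compare against" here; whether that should itself be reported is a design choice the description leaves open.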
In one embodiment, as shown in fig. 3, the process of generating the access control reference feature includes:
Step 302: obtain historical access control data.
The historical access control data characterizes historical access control performed, according to the dynamic access control policy, on historical access requests initiated by historical terminals in the environment described by the access environment information. The historical access control data can record the historical access control performed on the historical terminals in the environment described by the access environment information according to the dynamic access control policy, and the access control reference feature can be obtained by aggregation based on the historical access control data. Specifically, the step of generating the access control reference feature may be performed by a computer device, specifically a terminal or a server, and the computer device may query the historical access control data of the various historical terminals.
Step 304: determine the access environment information and the dynamic access control policy in the historical access control data as the policy decision condition feature item.
The policy decision condition feature item is a decision condition for deciding to perform historical access control on the historical access request according to a corresponding access control policy, and specifically may include access environment information of an environment where the historical terminal is located and a dynamic access control policy pre-allocated to the historical terminal.
Specifically, the computer device may parse each of the historical access control data, obtain the access environment information and the dynamic access control policy from the historical access control data, and determine the access environment information and the dynamic access control policy as the policy decision condition feature item.
Step 306: determine the access control policy to which the historical access control in the historical access control data belongs as the policy decision result feature item.
The policy decision result feature item is the access control policy actually determined, under the policy decision condition feature item, for performing the historical access control, and may include, but is not limited to, blocking access control, forwarding access control, secondary authentication access control, direct connection access control, and the like. In the zero trust network access architecture, when an application initiates a network access request to a site and the full-traffic agent hijacks the traffic, the full-traffic agent initiates the network access to the target site itself (a direct connection) and returns the target site's network response to the application; this access mode is called direct connection access.
Specifically, the computer device may parse each history access control data, obtain an access control policy to which the history access control belongs from the history access control data, and determine the access control policy as a policy determination result feature item.
Step 308: aggregate the policy decision condition feature items and policy decision result feature items of the individual historical access control data to obtain the access control reference feature.
Specifically, for the policy decision condition feature item and policy decision result feature item of each historical access control data record, the computer device may aggregate them to obtain the access control reference feature. In a specific application, the computer device may aggregate records with the same policy decision condition feature item and policy decision result feature item to obtain the access control reference feature.
In this embodiment, the computer device determines the policy decision condition feature item from the access environment information and the dynamic access control policy in the historical access control data, determines the policy decision result feature item from the access control policy of the historical access control data, and obtains the access control reference feature by aggregating the policy decision condition feature items and policy decision result feature items of all the historical access control data. Security detection of the runtime access policy can then be carried out using an access control reference feature aggregated from historical access control data, which improves the ability to perceive abnormalities in runtime access control, so that such abnormalities can be located accurately and rapidly, and improves the processing efficiency of abnormality detection during access request processing.
In one embodiment, the historical access control data further includes a policy determination logic identifier; determining the access environment information and the dynamic access control policy in the historical access control data as the policy decision condition feature item includes: determining the environment dynamic factor combination included in the access environment information, the policy identifier of the dynamic access control policy, and the policy determination logic identifier as the policy decision condition feature item.
The policy determination logic identifier is identification information of the determination logic used to determine an access control policy. Different policy determination logic identifiers represent different access control policy determination logic, and under the same access environment information and the same dynamic access control policy, different determination logic can determine different access control policies. The environment dynamic factors describe the different types of environment information; different types of environment information correspond to different environment dynamic factors, which may include, for example, network address information, physical network card information, terminal application information, and the like. The types of environment information included in the access environment information, that is, the included environment dynamic factors, can be set flexibly according to actual needs. The environment dynamic factor combination is a combination of at least one environment dynamic factor. The policy identifier is identification information of a dynamic access control policy, and different dynamic access control policies correspond to different policy identifiers.
Specifically, the computer device may determine the environment dynamic factor combination included in the access environment information and the policy identifier of the dynamic access control policy, determine the policy determination logic identifier from the historical access control data, and combine the three to obtain the policy decision condition feature item.
In this embodiment, the computer device determines the environment dynamic factor combination included in the access environment information, the policy identifier of the dynamic access control policy, and the policy determination logic identifier as the policy decision condition feature item, so the access control reference feature is constructed over multiple dimensions. This improves the accuracy of the access control reference feature and thereby the processing efficiency of anomaly detection based on it.
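Steps 302 to 308, with the multi-dimensional condition item of this embodiment (environment dynamic factor combination, policy identifier, policy determination logic identifier), amount to a group-by over historical records. The block below is an added example and not the patent's own code; the record layout, the factor names and the `HISTORY` data are constructed. It also makes one choice the description leaves open: condition items whose historical records disagree on the resulting policy are kept out of the reference feature and returned separately as conflicts, since a reference built from contradictory history cannot tell a deviating terminal from normal variation.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed historical access control records. Each carries the access
# environment information, the pre-allocated dynamic access control policy
# identifier, the policy determination logic identifier of the terminal build
# that made the decision, and the access control policy actually applied.
HISTORY: List[dict] = [
    {"env": {"network": "corp_lan", "nic": "physical"}, "policy_id": "P1", "logic_id": "L7", "result": "direct"},
    {"env": {"network": "corp_lan", "nic": "physical"}, "policy_id": "P1", "logic_id": "L7", "result": "direct"},
    {"env": {"network": "public", "nic": "physical"},   "policy_id": "P1", "logic_id": "L7", "result": "forward"},
    {"env": {"network": "public", "nic": "physical"},   "policy_id": "P1", "logic_id": "L7", "result": "forward"},
    {"env": {"network": "public", "nic": "physical"},   "policy_id": "P1", "logic_id": "L7", "result": "block"},
    {"env": {"network": "public", "nic": "physical"},   "policy_id": "P1", "logic_id": "L8", "result": "block"},
]

FACTORS = ("network", "nic")   # environment dynamic factors that form the combination

ConditionItem = Tuple[Tuple[Tuple[str, object], ...], str, str]

def condition_item(record: dict, factors=FACTORS) -> ConditionItem:
    """Policy decision condition feature item:
    (environment dynamic factor combination, policy identifier, logic identifier)."""
    combo = tuple((f, record["env"].get(f)) for f in factors)
    return (combo, record["policy_id"], record["logic_id"])

def aggregate_reference_feature(records: List[dict], factors=FACTORS):
    """Steps 302-308: group records by condition item and aggregate their result
    items. Returns (feature, conflicts): feature maps every condition item whose
    records all agree to that single policy; condition items whose records
    disagree are returned as conflicts with their tallies (assumed handling)."""
    tallies: Dict[ConditionItem, Counter] = defaultdict(Counter)
    for r in records:
        tallies[condition_item(r, factors)][r["result"]] += 1
    feature, conflicts = {}, {}
    for key, tally in tallies.items():
        if len(tally) == 1:
            feature[key] = next(iter(tally))
        else:
            conflicts[key] = dict(tally)
    return feature, conflicts

def lookup_reference(feature: dict, env: dict, policy_id: str, logic_id: str, factors=FACTORS):
    """The value a terminal compares its runtime access policy against; None when
    the reference feature has no entry for this condition item."""
    probe = {"env": env, "policy_id": policy_id, "logic_id": logic_id}
    return feature.get(condition_item(probe, factors))
```

In the constructed history, logic version L7 on a public network produced both "forward" and "block", so that condition item becomes a conflict rather than a reference entry, while L8 under the same environment and policy is unambiguous; this is exactly the kind of difference between terminal execution logic versions that the logic identifier dimension is meant to separate.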
In one embodiment, when an access request is initiated, determining the runtime access policy for the access request based on the pre-allocated dynamic access control policy and the access environment information associated with the access request includes: when an access request is initiated, acquiring the dynamic access control policy pre-allocated based on policy configuration conditions; acquiring access environment information according to the environment dynamic factors to obtain the access environment information associated with the access request; and matching the access environment information against the dynamic access control policy to obtain the runtime access policy for the access request.
The policy configuration conditions are preset according to actual needs, and adapted dynamic access control policies can be pre-allocated for various access control scenarios according to them. Policy configuration conditions may include, but are not limited to, the device model of the terminal, the access scenario the terminal is used in, the user, and the like. The environment dynamic factors describe the different types of environment information that need to be acquired; different types of environment information correspond to different environment dynamic factors and may include network address information, physical network card information, terminal application information, and the like.
Specifically, when resource access is required, the terminal can initiate an access request. When the terminal detects that an access request has been initiated, it can acquire the pre-allocated dynamic access control policy, which the server can pre-allocate to the terminal based on the policy configuration conditions. The terminal can determine at least one environment dynamic factor and acquire access environment information according to it, obtaining the access environment information associated with the access request. The terminal then determines the runtime access policy for the access request from the dynamic access control policy and the access environment information; specifically, it can match the access environment information within the dynamic access control policy so as to find the access control policy that corresponds to the terminal in the environment described by the access environment information, thereby obtaining the runtime access policy for the access request.
In this embodiment, the terminal acquires access environment information according to the environment dynamic factors and matches it against the dynamic access control policy pre-allocated based on the policy configuration conditions to obtain the runtime access policy for the access request. This ensures that the terminal accurately determines the adapted runtime access policy from the dynamic access control policy and the access environment information, and ensures the security of access request processing.
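One way to realize the matching step of this embodiment is to represent the pre-allocated dynamic access control policy as an ordered list of rules over environment dynamic factors and collect each factor from its own collector. This is an added example, not the patent's or any product's code; the rule format, the factor names, the collector logic and the `probe` dictionary standing in for the terminal's real environment sensing are all assumptions. The collection step deliberately omits any factor that has no collector rather than guessing a value, so a rule that depends on an uncollected factor cannot match and the policy's default applies.

```python
from typing import Callable, Dict

# Constructed dynamic access control policy pre-allocated by the server under
# some policy configuration condition (for example device model plus user).
# Rules are ordered; the first rule whose conditions all match the collected
# access environment information yields the runtime access policy.
DYNAMIC_POLICY = {
    "policy_id": "P1",
    "factors": ["network", "nic", "app_trusted"],   # environment dynamic factors to collect
    "rules": [
        {"when": {"network": "corp_lan", "nic": "physical"}, "policy": "direct"},
        {"when": {"network": "public", "app_trusted": False}, "policy": "block"},
        {"when": {"network": "public"}, "policy": "secondary_auth"},
    ],
    "default": "forward",
}

def make_collectors(probe: dict) -> Dict[str, Callable[[], object]]:
    """Constructed collectors, one per environment dynamic factor. A real terminal
    would read these from the OS and the environment sensing component."""
    return {
        "network": lambda: "corp_lan" if probe["ip"].startswith("10.") else "public",
        "nic": lambda: "physical" if probe["nic_is_physical"] else "virtual",
        "app_trusted": lambda: probe["app_hash"] in probe["trusted_hashes"],
    }

def collect_env_info(factors, collectors: Dict[str, Callable[[], object]]) -> dict:
    """Acquires access environment information per environment dynamic factor.
    Factors with no collector are omitted, never guessed."""
    return {f: collectors[f]() for f in factors if f in collectors}

def match_runtime_policy(dynamic_policy: dict, env_info: dict) -> str:
    """Matches the access environment information against the dynamic access
    control policy to obtain the runtime access policy."""
    for rule in dynamic_policy["rules"]:
        if all(f in env_info and env_info[f] == v for f, v in rule["when"].items()):
            return rule["policy"]
    return dynamic_policy["default"]

def determine_runtime_policy(dynamic_policy: dict, probe: dict) -> str:
    """Full step: collect the factors the policy names, then match."""
    env = collect_env_info(dynamic_policy["factors"], make_collectors(probe))
    return match_runtime_policy(dynamic_policy, env)
```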
The application also provides an application scenario in which the access request processing method is applied.
Specifically, the access request processing method is applied in this scenario as follows:
At present, in a dynamic access control scenario, different environment security states of the user terminal, different dynamic access control policies issued by the server, or different versions of the terminal execution logic lead to completely different results when the terminal user accesses a specific resource. Policies here are sets of rules for enterprise terminal management issued by an administrator at the management end, and may include patch repair, zero trust network management and control, security hardening policies, and the like; policies may also contain sensitive information such as tickets, validity periods, number of permitted uses, and so on. How can one distinguish whether an access result is normal access control or a system failure? At present an accurate distinction is hard to make: system abnormalities are basically handled through manual feedback, investigation with diagnosis tools, or post-hoc log analysis, that is, the user has to actively run diagnosis tools to find some environment abnormalities, which introduces lag; moreover, the specific reason why the correct control result differs from the actual result is hard to find with such tools, so many abnormal scenarios end up with developers analysing logs after the fact. In access request processing, fault localization is slow, the processing cycle is long, and the ability to perceive terminal system abnormalities is poor.
Based on this, in the access request processing method provided in this embodiment, during the user's network access through the terminal, the security client on each terminal device reports the generated runtime access decision and the access environment information collected by the terminal environment sensing component to the server, and the server computes from them the access control reference feature used to decide session disposition for the user. The terminal generates the final runtime access rule, that is, the target access control policy, from the access control reference feature issued by the server and the runtime access policy generated by the security client; specifically, the terminal can perform runtime access control on the access request according to the target access control policy at a designated node, the access proxy. The terminal access proxy is deployed as the terminal agent on the controlled device that initiates secure access; it is responsible for initiating the trusted identity authentication request for the access subject, verifies the trusted identity, can establish an encrypted access connection with the access gateway, and is also the policy enforcement point of access control. In the network, the access subject is the party initiating access: the person, device or application accessing intranet service resources, a digital entity formed by a single factor or a combination of factors such as person, device and application. The access proxy can check the preconditions before executing runtime access control, and compare the actual effect with the expected effect after executing it.
Access requests whose comparison is inconsistent and which are marked as abnormal are reported to the server together with the collection results of the software and hardware conflict items and the built-in configuration diagnosis that may endanger the availability of the terminal control system. Under complex terminal environments and dynamic access control (DAC, Dynamic Access Control) rules, the method and system actively collect information about the access system, in particular about zero trust system execution abnormalities and abnormal terminal environment states, improving the ability to perceive and discover abnormalities early: the network access of zero trust system terminal users is checked in real time for inconsistency with the expected data, abnormalities are actively perceived and discovered in advance, and the availability and user experience of the system are improved.
The access request processing method provided by this embodiment can be implemented through the security service client. As shown in fig. 4, in the zero trust system, the security client acts as the zero trust network security service provider and offers a unified portal through which the access subject requests, via the zero trust proxy and the access gateway, to access the resources of the access object over the network. The security service client provides the authentication operation for the unified portal; only access requests that pass authentication are forwarded to the access gateway through the zero trust proxy, and the access gateway proxies access to the actual service system. The access subject is the person, device or application in the network that initiates access to intranet business resources, a digital entity formed by a single factor or a combination of factors such as person, device and application. The access object is the party being accessed, that is, the business resources of the enterprise intranet, including applications, systems (development and test environments, operation and maintenance environments, production environments, and the like), data, interfaces, functions, and so on.
Further, as shown in fig. 5, for the zero trust network access system on the PC (Personal Computer) side, the core modules mainly include a security client, a security server, an access proxy and an intelligent gateway. The security client is a security client agent installed on staff work devices and is responsible for verifying the trusted identity of the user on the device, whether the device is trusted, and whether the application is trusted; it may also submit unknown processes to the server for process review. The access proxy hijacks the device traffic through a TUN/TAP virtual network card and is responsible for forwarding the access request to the intelligent gateway after authentication by the security client; if the access request does not pass authentication, the access proxy falls back to direct connection or interrupts the connection. The intelligent gateway is deployed at the entrance of the enterprise application and data resources and is responsible for verifying, authorizing and forwarding each access request for enterprise resources. The security server performs security scheduling of the service traffic through a policy control engine and authorizes at the granularity of person, device, software and application. The identity verification module verifies the identity of the user, the device trust module verifies the device hardware information and device security state, and the application detection module checks whether an application process is safe, for example whether it has vulnerabilities or carries a virus or Trojan. The server periodically initiates file inspection with the threat intelligence cloud inspection service or the cloud antivirus server, and after a malicious process is identified the client is notified to perform asynchronous blocking.
When an application on a terminal is used, the access subject initiates an access request for an access object through the application, the security client hijacks the access request via the access proxy, and the access proxy initiates an authentication request to the security client: that is, the access proxy applies to the security client for a credential for the current access request, called a request ticket. The request parameters include the source IP or domain name, the source port, the destination IP or domain name, the destination port, the process PID corresponding to the application, and so on. Using the process PID sent by the access proxy, the security client collects process characteristics such as the process MD5, process path, latest modification time of the process, copyright information and signature information, and applies for a ticket from the security server together with the source IP or domain name, source port, destination IP or domain name and destination port of the access request passed on by the access proxy; specifically, it sends the process information to the security server in exchange for a ticket. If the application succeeds, the security client returns the ticket, the maximum number of times the ticket may be used and the validity period of the ticket as the response to the access proxy. The access proxy then first initiates an HTTPS request to the intelligent gateway, carrying the access request credential (ticket) passed on by the security client in the Authorization header field; the access request credential is authorization information issued by the security server for a single access request and identifies the authorization state of that access request.
After receiving the request from the access proxy, the intelligent gateway parses the ticket in the header field and checks the ticket with the security server. If the check succeeds, the intelligent gateway establishes the connection with the access proxy, the access proxy then sends the original access request to the intelligent gateway, and the intelligent gateway forwards the original access request to the corresponding service server, proxying the actual application network access. If the intelligent gateway's ticket check fails, the connection between the access proxy and the access gateway is interrupted. For traffic of an application accessing a specific site that lies outside the zero trust policy, the network access request can be initiated directly to the target service server through the access proxy, realizing direct connection access. In the zero trust network access architecture, when an application initiates a network access request to a site, the full-traffic proxy hijacks the traffic, initiates the network access to the target site itself (that is, initiates a direct connection) and returns the network response of the target site to the application; this access mode is called direct connection access.
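The ticket exchange described above, as an added example that is not the patent's code: the access proxy asks the security client for a ticket, the security client looks up the process characteristics by PID and applies to the security server, the server binds the ticket to the flow with a use budget and validity period, and the intelligent gateway checks the ticket it receives in the Authorization header with the server. The ticket format, the HMAC key, the `Ticket` authorization scheme, the sample process table and the trusted application and reachable area tables are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Added example (not the patent's code). The ticket format, the shared HMAC key,
# the "Ticket" Authorization scheme and the sample process table are assumptions.

SERVER_KEY = b"constructed-shared-key"  # assumption: key held only by the security server

# Constructed stand-in for what the security client would read from the live
# process identified by PID (MD5, path, last modification time, signer).
PROCESS_TABLE = {
    4321: {"md5": "a3f1c2", "path": r"C:\Apps\erp\erp.exe", "mtime": 1700000000, "signer": "ExampleCorp"},
    4322: {"md5": "deadbe", "path": r"C:\Temp\unknown.exe", "mtime": 1700000500, "signer": ""},
}


class SecurityServer:
    """Issues one ticket per access request and later verifies it for the gateway."""

    def __init__(self, trusted_apps, reachable_areas, key=SERVER_KEY):
        self.trusted_apps = trusted_apps        # {(process_md5, signer)}
        self.reachable_areas = reachable_areas  # {(dst_host, dst_port)}
        self.key = key
        self.tickets = {}                       # ticket -> {"expires_at", "max_uses", "uses"}

    def apply_ticket(self, user, process, flow, now, ttl=60, max_uses=1):
        """Security client -> server. Returns (ticket, max_uses, expires_at) or None."""
        if (process["md5"], process["signer"]) not in self.trusted_apps:
            return None                          # not a trusted application
        if (flow["dst"], flow["dst_port"]) not in self.reachable_areas:
            return None                          # target not in a reachable area
        # Fields are assumed not to contain "|" (the separator used below).
        payload = "|".join([user, f"{flow['src']}:{flow['src_port']}",
                            f"{flow['dst']}:{flow['dst_port']}", secrets.token_hex(8)])
        tag = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        ticket = f"{payload}|{tag}"
        self.tickets[ticket] = {"expires_at": now + ttl, "max_uses": max_uses, "uses": 0}
        return ticket, max_uses, now + ttl

    def check_ticket(self, ticket, flow, now):
        """Gateway -> server. A ticket is bound to one flow, expires, and has a use budget."""
        state = self.tickets.get(ticket)
        if state is None:
            return False                         # unknown or tampered ticket
        payload, _, tag = ticket.rpartition("|")
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False
        if now >= state["expires_at"] or state["uses"] >= state["max_uses"]:
            return False                         # validity period or use count exhausted
        _, src, dst, _ = payload.split("|")
        if (src, dst) != (f"{flow['src']}:{flow['src_port']}", f"{flow['dst']}:{flow['dst_port']}"):
            return False                         # ticket presented for a different flow
        state["uses"] += 1
        return True


def security_client_apply(server, user, flow, now):
    """Access proxy -> security client: look up process features by PID, then apply to the server."""
    process = PROCESS_TABLE.get(flow["pid"])
    if process is None:
        return None
    return server.apply_ticket(user, process, flow, now)


def gateway_handle(server, headers, flow, now):
    """Intelligent gateway: parse the ticket from the Authorization header and verify it."""
    auth = headers.get("Authorization", "")
    scheme, _, ticket = auth.partition(" ")
    if scheme != "Ticket" or not ticket or not server.check_ticket(ticket, flow, now):
        return "interrupt"                       # check failed: close the proxy connection
    return "forward"                             # connection established; the original request is proxied
```

Binding the ticket to the source and destination tuple and to a use budget is what makes it a credential for a single access request rather than a bearer token for the session; a replayed or re-addressed ticket fails at the gateway even though its signature is intact.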
The proxy client hijacks the device traffic through the TUN/TAP virtual network card. If the zero trust access control policy determines that the access type is proxy access, the proxy client requests a network access ticket from the security client, the security client in turn applies for the ticket from the security server, and after the ticket is obtained the security client responds to the access proxy; the access proxy then sends the actual network access traffic to the intelligent gateway through the physical network card, and the intelligent gateway proxies the actual service access. In the zero trust network access architecture, when an application initiates a network access request to a site, the full-traffic proxy hijacks the traffic and forwards it to the intelligent gateway, the intelligent gateway accesses the target service site on its behalf and returns the network response of the target site to the full-traffic proxy, and the full-traffic proxy forwards the response to the application; this access mode is called proxy access. If the zero trust access control policy determines that the access type is direct access, the access proxy hijacks the original network access traffic and then carries out the network access and response exchange with the corresponding destination service site directly through the physical network card, realizing direct access. The zero trust access control policy consists of the process information a user may use (trusted applications) and the service sites the user may access (reachable areas); once the permission is granted, the user can access any reachable area through any trusted application. The granularity of the zero trust access control policy is the login user, so different zero trust policies may be formulated for different login users.
A reachable area is the list, configured by the enterprise, of internal sites that end users can access through the zero trust network. A trusted application is the application carrier for an internal service system, described by the application name, application MD5, signature information and so on, which the management end trusts and through which the terminal may access.
Further, the terminal can build the security boundary of the access subject in a software-defined manner through the control process, the access proxy, the zero trust core service and the access gateway, and perform continuous trust evaluation and dynamic access control on every access request for a network service. In the dynamic access control process, an enterprise administrator configures a user's dynamic access control policy at the management end from elements such as the device, the user, environmental dynamic factors (for example network location, resource access time and access behaviour rules) and enterprise resources, and issues the policy to the controlled terminals via the security server; the control process of the security client distributes the dynamic access control policy to each policy enforcement point, and together with nodes such as the access proxy, the access gateway and the server it controls the user's resource access behaviour.
In practical application, the security client can ensure an efficient and stable remote collaborative office experience and promote the deployment of zero trust technology in the digital industry. As shown in fig. 6, on the policy configuration interface of the security client, the administrator can configure dynamic access control policies according to actual needs on the enterprise resource access policy configuration page provided by the management end. A configured dynamic access control policy may include items such as the policy name, the users prohibited from access, the resources prohibited from access, the designated network location and the access time. The access security policy is the set of security conditions the terminal must strictly match when the target user accesses the internet application; "prohibit access" means that a user who hits the policy is prohibited from accessing the target service; and the terminal check conditions are combined with an "and" relation, that is, they must all be satisfied at the same time. Further, as shown in fig. 7, the administrator can also formulate a dynamic access control policy by combining the three elements user, application and resource. The configuration items may include the policy name, user groups, resource access control, terminal system requirements, specific applications, specific network locations and so on.
Specifically, a policy may be formulated by specifying user groups and resource groups. Policies include the release access type and the access-after-verification type, where access after verification means that when a user accesses a service resource the user must log in to the security client a second time for verification so as to guarantee the identity security of the terminal. Policy enforcement conditions such as application restrictions and network area restrictions may be specified in addition. Because policies are executed in the order of the policy list, a policy can also be saved to the front of the list (takes effect first) or to the end (takes effect last).
Further, as shown in fig. 8, an administrator may configure dynamic factors such as a designated network location or a network location switch. In particular, the configured dynamic factors may include a designated terminal system, a designated application, a designated network location and so on. Further, as shown in fig. 9, normal access (forward to the gateway), blocking, or access after secondary authentication may be configured for the enterprise resources. Policies are matched from top to bottom, a policy with a smaller number being matched earlier; once a request hits a policy, matching stops. The order of the policies therefore determines the final effect, so the position of each policy must be set according to actual requirements. A policy should name the specific users or resource groups that need to be managed; a policy that completely releases or completely prohibits everything must be used with care. In fig. 9, the configured access policies are of three kinds: release, prohibit and verify.
Further, while the access subject initiates the access request, the environment sensing component of the security client acquires the access environment information of the device terminal, which may include the environment and the network state, and automatically generates a runtime access policy and a runtime access rule from the network environment and the environment sensing result at the time of the access request. The type the security client actually executes for the access request is called the actual runtime access rule, namely the target access control policy, while the runtime access policy represents the access rule that should theoretically be executed. The dynamic access control policy authorized in advance by the security server for each enforcement component of the security client and the runtime access policy generated automatically when the user initiates the access request together control the access subject's access to enterprise resources, achieving precise access control. During the terminal user's network access, the zero trust system continuously detects and evaluates the security state of the terminal, the user's operations, the network and the environment, so that access behaviour is evaluated dynamically and the dynamic access control policy is effectively enforced. When an access subject initiates access to an enterprise resource, the access proxy, the security client control process, the security server and the access gateway act together to produce one of several results: blocked access, direct access, normal forwarding through the gateway, or access after secondary authentication.
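The ordered, first-hit policy evaluation configured in figs. 7 to 9 and the runtime access policy it produces, as an added example that is not the patent's code. It takes the policy list in list order, ANDs every configured condition, stops at the first hit and returns both the runtime access type and a trace of which rule fired (the "generation process" reported later to the security server). Field names, action names, the sample policies, the compliance pre-check and the default action when nothing hits are assumptions.

```python
from dataclasses import dataclass
from datetime import time

# Added example (not the patent's code). Field names, action names, the sample
# policies, the compliance pre-check and the default action are assumptions.


@dataclass
class Policy:
    policy_id: str
    action: str                                 # "release" (forward via gateway), "block", "verify"
    user_groups: frozenset = frozenset()        # empty = any user group
    resources: frozenset = frozenset()          # empty = any enterprise resource
    apps: frozenset = frozenset()               # trusted application MD5s; empty = any
    network_locations: frozenset = frozenset()  # empty = any location
    access_window: tuple = None                 # (start, end) as datetime.time; None = any time


@dataclass
class AccessContext:
    """Dynamic factor values gathered by the environment sensing component for one request."""
    user_group: str
    resource: str
    app_md5: str
    network_location: str
    access_time: time
    compliant: bool


def policy_hits(policy, ctx):
    """Every configured condition must hold (the 'and' relation); unset ones match anything."""
    in_window = True
    if policy.access_window is not None:
        start, end = policy.access_window
        in_window = start <= ctx.access_time <= end
    return all([
        not policy.user_groups or ctx.user_group in policy.user_groups,
        not policy.resources or ctx.resource in policy.resources,
        not policy.apps or ctx.app_md5 in policy.apps,
        not policy.network_locations or ctx.network_location in policy.network_locations,
        in_window,
    ])


def generate_runtime_policy(policies, ctx, enterprise_resources, default_action="block"):
    """Return (runtime access type, generation trace) for one access request."""
    if ctx.resource not in enterprise_resources:
        return "direct", "target is not an enterprise resource; direct access"
    if not ctx.compliant:                           # assumption: compliance failure blocks first
        return "block", "terminal compliance check failed"
    for index, policy in enumerate(policies):       # smaller number matches earlier
        if policy_hits(policy, ctx):
            return policy.action, f"hit policy #{index} ({policy.policy_id}) -> {policy.action}"
    return default_action, f"no policy hit; default {default_action}"   # assumption: default deny


# Constructed sample policy list in list order (#0 is evaluated first).
SAMPLE_POLICIES = [
    Policy("deny-contractors-finance", "block",
           user_groups=frozenset({"contractor"}), resources=frozenset({"finance.corp.example"})),
    Policy("verify-hr", "verify", resources=frozenset({"hr.corp.example"})),
    Policy("office-hours-release", "release",
           user_groups=frozenset({"employee", "contractor"}),
           network_locations=frozenset({"office-lan"}),
           access_window=(time(9, 0), time(18, 0))),
]
SAMPLE_RESOURCES = frozenset({"finance.corp.example", "hr.corp.example", "wiki.corp.example"})
```

Because evaluation stops at the first hit, swapping `deny-contractors-finance` below `office-hours-release` would let a contractor on the office LAN reach the finance site during office hours; that is the ordering effect the text warns about, and why a blanket release or prohibit policy belongs at the end of the list if it is used at all.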
Blocked access means that the runtime access policy, generated automatically from the dynamic access control policy issued by the security server and the access environment information sensed by the terminal environment, has found that the conditions for accessing the enterprise resource are not met under the current combination of dynamic factors; access is therefore forbidden at the terminal, and the traffic of the access request is not forwarded to the access gateway through the access proxy. Direct access means either that the target site is not an internal enterprise service system, or that the dynamic access control policy of the security server has determined that forwarding by the access gateway is not required, so the traffic of the original network access request hijacked by the access proxy can carry out the network access and response exchange with the corresponding target service site directly through the physical network card. Alternatively, the access proxy may leave the traffic of the access request unhijacked, in which case it reaches the target site directly through the physical network card. The access proxy has two traffic hijacking modes: full-traffic hijacking and enterprise resource traffic hijacking. In full-traffic hijacking, all traffic of the user terminal is imported into the full-traffic proxy, which then forwards it or makes direct access. In enterprise resource traffic hijacking, only the network traffic towards the IPs or IP ranges of the business systems that make up the enterprise resources (data, interfaces, functions and so on) is analysed, and traffic to other, non-enterprise resources, such as public internet sites, is not hijacked.
Normal gateway forwarding is the ordinary access flow in which the access proxy, under the control of the access ticket from the security client and the security server, sends the traffic of the access request to the access gateway, which forwards it to the target site. Access after secondary authentication is a control type configured for access to sensitive resources. When the terminal recognises that the target site is a specially sensitive resource, it forces the user to complete secondary authentication to strengthen identity verification. If the secondary authentication is completed successfully within the validity period, the subsequent access authentication operations are allowed; otherwise the access is automatically interrupted. The security server may also, to strengthen security management and control, issue to the terminal a rule requiring secondary authentication before access may continue after the terminal's network environment changes. Secondary authentication can re-authenticate the user with enhanced strength through several means, such as static passwords, one-time passwords, SMS passwords, social authentication through various social applications, and biometrics including fingerprint recognition and face recognition.
Therefore, under the dynamic access control scenario, different environment security states of the user terminal and different dynamic access rules issued by the security server can produce completely different access results. If the terminal user's access is abnormal, for example an access session whose traffic should have been forwarded successfully through the gateway is blocked in the current environment state, or a scenario that should force the user to pass secondary authentication before access is not triggered as expected, this leads to abnormal situations such as a user accessing resources illegitimately. An access session is based on a network session and contains a set of related features; it is an abstract concept bound, for each network session that accesses business resources of the enterprise intranet (business applications, core systems, asset data, function interfaces and so on), to the combination of device, person, network attributes, process attributes and terminal attributes. A network session is one round of information interaction between a user and a service system, for example the process of sending or receiving data after a client has established a network link with a server, including connection establishment and termination or the transmission and reception of data. The traditional approach discovers some environment abnormalities through manual feedback, through the user actively running a diagnosis tool, or through a developer analysing logs after the fact, but these means make it difficult to find the specific reason why the correct control result differs from the actual result; the cycle from fault report to problem localisation is long, and the ability to perceive zero trust system abnormalities is poor.
The security client and the security server jointly control the access request. As described above, the security server issues the dynamic access control policy, and the environment sensing component of the security client detects the current values of the dynamic factors, such as address location, access time, access frequency and compliance detection result, to obtain the access environment information associated with the access request, and generates the runtime access policy by combining it with the dynamic access control policy. If the runtime access policy is to block the current access, the security client instructs the access proxy to block the session of the access request; if the runtime access policy is to forward through the gateway, the security client must apply for an access ticket from the server; if the runtime access policy is access after secondary authentication, the terminal must require the user to perform secondary authentication in the specified form and at the same time block the current session, and only after the secondary authentication succeeds can subsequent access continue. These steps form the control flow, produced jointly by the security client and the security server, while the zero trust data flow is produced jointly by the access proxy and the access gateway. An access request that the control flow decides to forward to the gateway is forwarded to the gateway by the access proxy; an access request that it decides to access directly is diverted by the access proxy to the target system through the physical network card, or is simply never hijacked by the access proxy in the first place.
The access request processing method provided by this embodiment is built on the access proxy and the access gateway and targets the detection and early discovery of usage abnormalities affecting the zero trust system's terminal users.
Specifically, in the access request processing method provided by this embodiment, the environment sensing component of the terminal senses the access environment information of the terminal, including its environment security state. The environment sensing component can also detect software and hardware conflict items that may endanger the usability of the zero trust terminal system; it has basic configuration diagnosis logic built in, and a detection can be triggered at any time on receipt of an instruction. The environment sensing component of the security client can detect the terminal access environment information at any time, in particular the current network and security state of the terminal, for example a change of the terminal's network area (a change of the egress IP), a change of the network environment (for example a change of the physical network card's IP), the compliance detection result, or whether the terminal meets the security specification. An administrator can define several terminal sensing policies through the security server, issue different sensing policies to different devices, and at the same time control the frequency and reporting rules of terminal environment sensing.
The environment sensing component of the security client can also execute configuration diagnosis logic, triggered either by software and hardware conflict items that may endanger the availability of the zero trust terminal system or by an instruction received at any time. Such conflict items include software conflicts, terminal agent conflicts, network card hardware conflicts, system clock anomalies, a terminal with two networks, and so on. The configuration diagnosis logic comprises a series of execution logic for terminal connectivity to a particular network (the office LAN environment, the public network, and so on), the performance consumption of specific processes, the configuration of the wireless network, the configuration of the wired network, network repair diagnosis, and so on.
Further, the terminal reports the runtime access policy generated by the security client and the access environment information collected by the terminal environment sensing component to the security server, so that the security server can generate access control reference features. Specifically, when the trusted terminal initiates a network access request to the target site, the security client automatically generates a runtime access policy for the access subject from the access environment information collected by the terminal environment sensing component, including the terminal compliance information, the network environment result and the terminal security state computed at the time of the user's access request. Unlike the dynamic access control policy issued by the enterprise administrator through the security server, the runtime access policy is dynamic and real-time, highly flexible and low-latency. In an enterprise office environment, zero trust network access is controlled by the policy issued by the security server, and the terminal triggers the actual access action based on the runtime access policy generated from the current environment state. Across different terminals, when the installed security client versions differ and carry different policy decision logic, when the current environment states of the devices differ, or when the dynamic access control policies issued by the security server differ, the runtime access policies of the terminals may differ, and ultimately the access requests initiated by the access subject take different paths.
For example, some client versions adjust the logic for collecting the terminal's environment state, so that the specific values of the dynamic factors collected by different versions of the security client differ, which in turn affects the actual access effect.
The access environment information differs between devices, that is, the current environment states of the devices differ. Since the runtime access policy is generated in real time from the dynamic access control policy issued by the security server and the access environment information collected by the terminal environment sensing component, the current environment state of the device is a direct factor affecting the access result.
As for the dynamic access control policy issued by the security server: for the same device in the same current environment state, the dynamic access control policy issued by the security server is likewise one of the direct factors affecting the access result, because the runtime access policy is generated in real time from that policy and the access environment information collected by the terminal environment sensing component. For the same device, if the dynamic access control policy issued by the security server changes, the runtime access policy generated by the terminal may change; on the other hand, if the security server issues different dynamic access control policies to terminals in different organisational units, then even when the terminals' environment states are the same over a period of time, the real-time runtime access policies they generate for the same enterprise resource may differ, just as they may when the security client versions differ.
Further, traffic forwarding or blocking for an access request is executed at one node, the access proxy. When the terminal compliance detection result or the device's environment sensing hits the blocking category of the access control rules, the runtime access policy blocks the access request and the access proxy directly terminates the access request initiated by the original application. Otherwise, after the control flow's traffic authentication, either direct access or forwarding to the gateway is executed. Terminal compliance detection means that the security client resides on the device terminal and continuously and periodically performs, in the background, functions such as virus scanning and removal, vulnerability repair, security hardening, data protection, real-time protection and heartbeat detection; the client carries out device security detection, control hardening and abnormality repair according to the policies formulated and issued by the server.
Further, after the terminal generates the runtime access policy, it reports to the security server the type of the runtime access policy (blocking, direct connection, access after secondary authentication, or release), the generation process of the runtime access policy (which dynamic factor values hit which rules in the dynamic access control policy, and whether the result is that blocking or release is required), and the three factors that directly affect the access result: the version of the security client, the dynamic access control policy and the access environment information. From this data, the security server aggregates, for security clients of the same version under the same dynamic access control policy, the reports whose access environment information describes the same environment state together with their runtime access policies, forming the access control reference features. The three items, the version of the security client, the policy id of the dynamic access control policy (each specific dynamic access control policy is identified by an id, and different policies have different ids) and the dynamic factors, serve as the dimensions of an access control reference feature, and the type of runtime access policy reported by the terminals serves as its reference value. When generating the access control reference features, the security server first judges, from the reported type of runtime access policy and its generation process, whether the generation logic of the runtime access policy is normal; among the reports judged normal, the decision result of the majority of devices is taken as the access control reference feature.
If a device matches the three dimensions, then in theory the runtime access policy generated on that device will be the same as the value of the corresponding access control reference feature; if it is not, the device's runtime access policy deviates from the logic of most terminal devices, and the device can be marked as abnormal and reported to the security server.
In addition, if several versions of the security client run in the enterprise at the same time (a new version of the security client is normally rolled out gradually in a grey-release fashion along the organisational structure and is rarely upgraded directly across the whole enterprise network, so that no single version holds an overwhelming share), the security server issues, to the terminals on which the corresponding client version is installed, the access control reference features collected under the different dynamic access control policies and access environment information for that version, taking the version number of the security client as the key basis. For example, if N security client versions run in the enterprise at the same time, the version with version number Va has M access control reference features corresponding to different dynamic access control policies and access environment information, and the version with version number Vb has P, then the M features are issued to the devices on which version Va is installed and the P features to the devices on which version Vb is installed. If only one security client version exists in the enterprise network environment, all access control reference features are issued to all terminals without distinguishing versions. When the security server detects that the access control reference features have changed, it pushes the latest access control reference features to the corresponding terminals, so that the features held by the terminals at runtime stay consistent with those aggregated on the security server.
Further, the final target access control policy, that is, the final runtime access rule, is determined from the access control reference feature issued by the security server and the runtime access policy generated by the security client. The type the security client actually executes for an access request is the actual runtime access rule, while the runtime access policy represents the access rule that should theoretically be executed; in most cases the two are identical.
Further, if no access control reference feature issued by the security server exists on the terminal device, the runtime access policy generated by the security client may be executed directly as the final runtime access rule, that is, as the target access control policy. At the same time, the terminal sends terminal control information to the security server, including the type of the runtime access policy (blocking, direct connection, access after secondary authentication, or release), the generation process of the runtime access policy (which dynamic factor values hit which rules in the dynamic access control policy, and whether the result is that blocking or release is required), and the factors directly affecting the access result (the security client version, the dynamic access control policy and the access environment information).
Further, if the corresponding access control reference feature issued by the security server does exist on the terminal device, the security client first compares the generated runtime access policy with the issued access control reference features. If no reference item matching the current environment state and the dynamic access control policy is found, the computed runtime access policy may be executed directly as the final runtime access rule, and terminal control information is sent to the security server, including the type of the runtime access policy (blocking, direct connection, access after secondary authentication, or release), the generation process of the runtime access policy (which dynamic factor values hit which rules in the dynamic access control policy, and whether the result is that blocking or release is required), and the factors directly affecting the access result (the security client version, the dynamic access control policy and the access environment information).
Further, if the corresponding access control reference feature issued by the security server exists on the terminal device, the security client first compares the generated runtime access policy with the issued access control reference features. If a reference item matching the current environment state and the dynamic access control policy is found, the type of the runtime access policy is compared with the reference value; if they agree, the comparison succeeds, the final runtime access rule is determined, and the terminal control information is sent to the security server as a reference for analysis.
Further, if the corresponding access control reference feature issued by the security server exists on the terminal device, the security client first compares the generated runtime access policy with the issued access control reference features. If a reference item matching the current environment state and the dynamic access control policy is found, the type of the runtime access policy is compared with the reference value; if the comparison result disagrees with the reference item, the terminal may, according to its configured rule, either execute based on the current reference or execute based on the runtime access policy it generated itself. At the same time, the terminal sends alarm information to the security server requesting handling. On receiving the alarm information, if the security server determines that the terminal's access control reference features are out of date, it sends the latest access control reference features to the terminal; if it determines that the runtime access policies of certain device terminals are abnormal, it marks the security client execution of those specific terminals as abnormal and deviating from the access control reference feature. Once more terminal devices have reported divergent data to the security server, the security server can recompute the access control reference features and push the latest version of the features to the terminals again.
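Both halves of the reference feature mechanism, the server-side aggregation described for the reported runtime access policies (majority value per client version, policy id and dynamic factor combination, after discarding reports whose generation process is inconsistent, and per-version issue) and the terminal-side comparison with its four outcomes (no references, no matching item, consistent, inconsistent with alarm), as an added example that is not the patent's code. The report field names, the minimum group size before a majority is called, the "prefer reference" rule on the terminal and the sample reports are assumptions.

```python
from collections import Counter, defaultdict

# Added example (not the patent's code). Report field names, the minimum group
# size, the terminal's "prefer reference" rule and the sample data are assumptions.


def factor_key(dynamic_factors):
    """Normalise a dict of dynamic factor values into a hashable dimension."""
    return tuple(sorted(dynamic_factors.items()))


def report_key(report):
    """The three dimensions of a reference feature: client version, policy id, dynamic factors."""
    return (report["client_version"], report["policy_id"], factor_key(report["dynamic_factors"]))


def generation_logic_ok(report):
    """First check on the server: the reported trace must end in the type that was reported."""
    return report["trace"].get("result") == report["runtime_type"]


def build_reference_features(reports, min_support=3):
    """Server side: majority runtime type per dimension becomes the reference value."""
    groups = defaultdict(list)
    for r in reports:
        if not generation_logic_ok(r):
            continue                       # inconsistent generation process: not used as reference
        groups[report_key(r)].append(r["runtime_type"])
    refs = {}
    for key, types in groups.items():
        if len(types) < min_support:
            continue                       # assumption: too few samples to call a majority
        refs[key] = Counter(types).most_common(1)[0][0]
    return refs


def deviating_devices(reports, refs):
    """Server side: devices whose runtime policy differs from the reference for their dimensions."""
    return [r["device_id"] for r in reports
            if report_key(r) in refs and refs[report_key(r)] != r["runtime_type"]]


def features_for_version(refs, client_version):
    """Subset issued to one client version; with a single version everything goes to everyone."""
    versions = {key[0] for key in refs}
    if len(versions) <= 1:
        return dict(refs)
    return {key: value for key, value in refs.items() if key[0] == client_version}


def decide_final_rule(runtime_type, client_version, policy_id, dynamic_factors, refs,
                      prefer_reference=True):
    """Terminal side. Returns (final runtime rule, what to send: 'control_info' or 'alarm')."""
    if not refs:
        return runtime_type, "control_info"       # no reference features issued yet
    ref = refs.get((client_version, policy_id, factor_key(dynamic_factors)))
    if ref is None or ref == runtime_type:
        return runtime_type, "control_info"       # no matching item, or consistent with it
    final = ref if prefer_reference else runtime_type   # assumption: local rule chooses which wins
    return final, "alarm"


def handle_alarm(refs_at_terminal, refs_latest, device_id):
    """Server side: stale references are re-pushed; otherwise the terminal is marked abnormal."""
    if refs_at_terminal != refs_latest:
        return ("push_latest", refs_latest)
    return ("mark_abnormal", device_id)


def make_report(device_id, version, policy_id, factors, runtime_type, trace_result=None):
    """Constructed report in the shape the functions above expect."""
    return {"device_id": device_id, "client_version": version, "policy_id": policy_id,
            "dynamic_factors": factors, "runtime_type": runtime_type,
            "trace": {"hit_rule": "r1", "result": trace_result or runtime_type}}
```

Discarding reports whose trace disagrees with their reported type before taking the majority matters: a client that reports "release" while its own trace says "block" should neither vote for the reference nor be trusted as a comparison partner, and the deviation check still flags it afterwards.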
Further, the access agent performs the actual session handling actions, such as blocking the session traffic of the access request, or forwarding it to the gateway or directly to the target site. The access agent may check the preconditions before handling the session traffic, and compare the actual effect with the expected effect after handling it. Specifically, once the final runtime access rule has been determined, the security client notifies the access agent to carry out the corresponding handling of the access session traffic. For the blocking type, the access agent interrupts the session directly; for the direct access type, it transmits the traffic to the target site through the physical network card; for the type forwarded to the gateway, it transmits the traffic of the access request to the gateway only after the traffic authentication has succeeded and a network access ticket has been obtained; for the type that allows access after secondary authentication, the security client notifies the access agent to block the current session and triggers the corresponding authentication form, requiring the end user to start the secondary authentication. After the user completes the secondary authentication, the traffic initiated subsequently is marked as having passed secondary authentication and can be forwarded to the gateway for subsequent access processing.
The access agent thus receives the runtime control result generated by the control flow and performs the various handling logic, including direct connection, blocking and forwarding of the access traffic. It can also detect the actual handling result of the traffic, compare it with the control information specified by the control flow, and thereby sense whether an abnormality occurred during execution on the terminal, for example a session that should be blocked is not actually blocked, or traffic forwarded to the gateway receives no response from the gateway. In a specific application, an actual effect that differs from the expected effect does not necessarily indicate a terminal abnormality; network connectivity and normal business logic are also possible causes. For example, the traffic of an access request is forwarded to the gateway and a normal response from the gateway is expected, but the network of the target system is unavailable: the gateway forwards the traffic to the target system, receives no response from it, and the access agent therefore does not obtain the expected result. Likewise, a network access code or an uplink/downlink traffic size that does not match the expectation may be determined by factors such as configuration. Such cases are not classified as abnormal execution of the zero trust terminal function.
Further, after the access agent begins handling the access request, the handling result is compared with the final effect expected for that handling; scenarios that do not belong to abnormal execution of the terminal function are excluded, and all other scenarios are treated as terminal abnormality information and reported to the server as alarm information.
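An added example, not taken from the patent, of the effect comparison described above: the access agent classifies the observed outcome of one handled session against the action it was told to perform, returning an alarm only for outcomes that count as abnormal terminal execution and explicitly excluding the connectivity and configuration cases the text mentions. The observation fields and the way they are encoded are assumptions made for illustration.

```python
# Added example (not from the patent): an access agent comparing the actual
# effect of a session handling action with the expected effect and deciding
# whether the difference counts as abnormal terminal execution. The observation
# fields are assumptions made for illustration.
from typing import Dict, Optional


def analyse_control_result(expected_action: str, observed: Dict) -> Dict:
    """Return {"abnormal": bool, "reason": str} for one handled session.

    expected_action: "block" or "forward" (to the gateway).
    observed fields (all constructed for this example):
      bytes_after_action   - bytes seen on the session after the action ran
      gateway_responded    - whether any response came back from the gateway
      upstream_unreachable - gateway reported that the target system did not answer
      response_code        - network access code returned, if any
      expected_code        - code the rule expected, if one was configured
    """
    if expected_action == "block":
        if observed.get("bytes_after_action", 0) > 0:
            # The session was supposed to be interrupted but traffic still flowed.
            return {"abnormal": True, "reason": "blocked session still carried traffic"}
        return {"abnormal": False, "reason": "session interrupted as expected"}

    if expected_action == "forward":
        if not observed.get("gateway_responded", False):
            # Nothing at all from the next hop: the agent's forwarding path is suspect.
            return {"abnormal": True, "reason": "no response from gateway after forwarding"}
        if observed.get("upstream_unreachable", False):
            # Gateway answered but the target system did not: network connectivity,
            # not a terminal execution fault.
            return {"abnormal": False, "reason": "target system unreachable behind gateway"}
        code, want = observed.get("response_code"), observed.get("expected_code")
        if want is not None and code != want:
            # Access code differs from what the rule configured; treated as
            # configuration or business logic, not terminal abnormality.
            return {"abnormal": False, "reason": "response differs from configured expectation"}
        return {"abnormal": False, "reason": "forwarded and answered as expected"}

    # Any action this analyser does not know how to verify is reported so the
    # server can look at it rather than silently ignored.
    return {"abnormal": True, "reason": f"unverifiable expected action {expected_action!r}"}


def build_alarm(session_id: str, expected_action: str, observed: Dict) -> Optional[Dict]:
    """Produce the alarm record the terminal reports, or None when nothing is abnormal."""
    verdict = analyse_control_result(expected_action, observed)
    if not verdict["abnormal"]:
        return None
    return {"session": session_id, "expected": expected_action,
            "reason": verdict["reason"], "observed": observed}


if __name__ == "__main__":
    # Constructed observations for two sessions.
    print(build_alarm("s-1", "block", {"bytes_after_action": 512}))
    print(build_alarm("s-2", "forward", {"gateway_responded": True, "upstream_unreachable": True}))
```

Keeping the exclusion rules in one place (here, the `forward` branch) matters for the server side: every alarm that reaches it should already have had connectivity and configuration explanations ruled out, so the alarm volume reflects terminal execution faults rather than ordinary network noise.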
Further, at startup the security client may pull from the security server the preconditions necessary for executing each runtime access rule and synchronise them to the access agent. Before handling an access request, the access agent needs to check whether the preconditions necessary for executing the runtime rule are present.
Specifically, for the blocking type, the control flow needs to provide the decision basis for the blocking decision; the access agent compares this decision basis with the preconditions issued by the security server and marks the session as abnormal if the basis does not appear in the list defined by the preconditions. For example, the server-side preconditions for the blocking type may be that the application initiating the session does not conform to the trusted application rule and access is refused, that a blocking rule item in the dynamic access control policy is hit, or that a command from the server to forcibly block the session has been received. If the decision basis provided for a session to be blocked is empty or not in this list, the precondition is considered not met.
For access sessions forwarded to the gateway, the preconditions may include holding a legitimate network access ticket; an empty network access ticket indicates that the access agent failed to obtain a ticket from the control flow. Secondly, whether the source of the network access ticket is reasonable needs to be judged: if the ticket was requested from the security server through the security client, information such as the HTTP response code and the business response code needs to be carried; if the ticket comes from the cache of the access agent or of the security client itself, the ticket's source identifier needs to be carried to mark a legal acquisition path, that is, only tickets obtained through a specific path are legal and a ticket obtained otherwise is considered illegal. Finally, the address of the gateway server that is the next hop of the access agent must be specified; if it is empty, the session is marked as abnormal.
For the type that allows access after secondary authentication, it needs to be judged whether the user has passed the specific secondary authentication; if authentication failed or the secondary authentication step has not been completed, the session is marked as the blocking type directly, otherwise processing continues as for the gateway type.
For the direct access type, it is first determined whether the resource is an enterprise resource under the dynamic access control policy issued by the security server, and if so, whether a dynamic access control rule item corresponding to the direct access type exists. The direct access type is basically used for non-enterprise resources; for enterprise resources, direct access is possible only when the specific site is configured in the access control rule, otherwise the type forwarded to the gateway applies. A session that does not follow such a decision path is marked as abnormal.
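The four precondition checks above, combined into one added example that is not part of the patent or of any product it describes: the access agent receives a runtime rule and the session context, consults the preconditions synchronised from the security server, and returns the action it will actually take or marks the session abnormal. The precondition layout, the field names and the reading that an enterprise resource without a direct rule item is abnormal rather than silently forwarded are assumptions made for illustration.

```python
# Added example (not from the patent): the access agent checking, before it
# handles a session, that the preconditions synchronised from the security
# server are satisfied for the runtime rule it was given. The precondition
# layout, field names and the "enterprise resource" interpretation are
# assumptions made for illustration.
from typing import Dict, Tuple

# Preconditions as the security client would pull them at startup (constructed).
PRECONDITIONS = {
    # decision bases on which the server allows a blocking decision
    "block_bases": {"untrusted_application", "policy_block_rule_hit", "server_forced_block"},
    # ticket sources the agent accepts; tickets from the server must carry response codes
    "legal_ticket_sources": {"security_server", "agent_cache", "client_cache"},
    # enterprise sites for which a direct access rule item is configured
    "direct_access_sites": {"intranet-wiki.example"},
}


def check_preconditions(rule: Dict, ctx: Dict, pre: Dict = PRECONDITIONS) -> Tuple[str, str]:
    """Return (action, note) where action is "block", "forward", "direct" or "abnormal"."""
    rtype = rule["type"]

    if rtype == "block":
        basis = rule.get("basis")
        if basis in pre["block_bases"]:
            return "block", f"blocking on {basis}"
        return "abnormal", "blocking decision basis empty or not in precondition list"

    if rtype == "secondary_auth":
        # Authentication failed or not finished: block and prompt the user;
        # otherwise continue with the gateway (forwarding) checks below.
        if not ctx.get("secondary_auth_passed", False):
            return "block", "secondary authentication not completed"
        rtype = "forward"

    if rtype == "forward":
        ticket = rule.get("ticket") or {}
        if not ticket:
            return "abnormal", "network access ticket empty: agent failed to obtain one"
        source = ticket.get("source")
        if source == "security_server":
            if "http_status" not in ticket or "business_code" not in ticket:
                return "abnormal", "server-issued ticket lacks HTTP/business response codes"
        elif source not in pre["legal_ticket_sources"]:
            return "abnormal", f"ticket from illegal source {source!r}"
        if not rule.get("gateway_addr"):
            return "abnormal", "next-hop gateway address empty"
        return "forward", f"forward to {rule['gateway_addr']}"

    if rtype == "direct":
        target = ctx.get("target_site", "")
        if not ctx.get("enterprise_resource", False):
            return "direct", "non-enterprise resource"
        if target in pre["direct_access_sites"]:
            return "direct", f"direct rule item configured for {target}"
        return "abnormal", "enterprise resource without direct rule item should have gone to gateway"

    return "abnormal", f"unknown rule type {rtype!r}"


if __name__ == "__main__":
    ticket = {"source": "security_server", "http_status": 200, "business_code": 0}
    print(check_preconditions({"type": "forward", "ticket": ticket, "gateway_addr": "gw.example:443"}, {}))
    print(check_preconditions({"type": "direct"}, {"enterprise_resource": True, "target_site": "hr.example"}))
```

The value of this check from a defender's point of view is that the agent never acts on a bare instruction: a blocking decision without a recognised basis, a ticket from an unrecognised path, or a direct connection to an enterprise site that no rule item permits is surfaced to the server as an anomaly instead of being executed.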
Further, when the comparison is abnormal, diagnosis of the software and hardware conflict items and built-in configuration that may endanger the usability of the zero trust terminal system is triggered, and the resulting auxiliary analysis data is reported to the server. Specifically, the data marked as abnormal needs to be reported by the terminal to the security server for processing, since it may reflect an execution abnormality of the zero trust system itself or a problem that affects user experience. At the same time, the diagnosis of software and hardware conflict items and built-in configuration that may endanger the usability of the zero trust terminal system is triggered, and its result is reported to the security server as auxiliary analysis data.
According to the access request processing method, problems such as execution abnormality of the zero trust system and an abnormal terminal environment state can be collected under a complex terminal environment and a dynamic access control policy, which improves the capability to sense and discover execution abnormalities of the zero trust system early. By monitoring the network access of zero trust terminal users in real time, a capability to detect and discover usage abnormalities of those users is built up; abnormalities are detected actively and can be discovered in advance, instead of being analysed only from the information received after a user reports a fault manually, so the usability and user experience of the system can be improved.
It should be understood that, although the steps in the flowcharts of the embodiments described above are shown sequentially as indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps in the flowcharts of the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the order of these sub-steps or stages is not necessarily sequential; they may be performed in turn or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides an access request processing system for realizing the above related access request processing method. The implementation of the solution provided by the system is similar to the implementation described in the above method, so the specific limitation in one or more embodiments of the access request processing system provided below may refer to the limitation of the access request processing method in the above description, and will not be repeated here.
In one embodiment, as shown in FIG. 10, there is provided an access request processing system 1000 comprising: server 1002 and terminal 1004, wherein:
a server 1002, configured to allocate a dynamic access control policy and a preset access control reference feature to a terminal;
a terminal 1004, configured to determine, when an access request is initiated, a runtime access policy for the access request according to the dynamic access control policy and access environment information associated with the access request; to acquire the preset access control reference feature, where the access control reference feature is obtained by aggregating historical access control data, and the historical access control data represents historical access requests initiated by historical terminals in the environment described by the access environment information together with the historical access control performed on them according to the dynamic access control policy; to compare the runtime access policy with the access control reference feature to obtain a feature comparison result; and to determine a target access control policy based on the feature comparison result and perform runtime access control on the access request according to the target access control policy.
Based on the same inventive concept, the embodiment of the application also provides an access request processing device for implementing the above related access request processing method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation in the embodiments of the access request processing device or devices provided below may refer to the limitation of the access request processing method in the above description, which is not repeated here.
In one embodiment, as shown in fig. 11, there is provided an access request processing apparatus 1100, including: an access request initiation response module 1102, a reference feature acquisition module 1104, a feature comparison module 1106, and an access control policy enforcement module 1108, wherein:
an access request initiation response module 1102, configured to determine a runtime access policy for the access request according to the pre-allocated dynamic access control policy and access environment information associated with the access request when the access request is initiated;
a reference feature acquisition module 1104, configured to acquire a preset access control reference feature, where the access control reference feature is obtained by aggregating historical access control data, and the historical access control data represents historical access requests initiated by historical terminals in the environment described by the access environment information together with the historical access control performed on them according to the dynamic access control policy;
a feature comparison module 1106, configured to compare the runtime access policy with the access control reference feature to obtain a feature comparison result;
an access control policy enforcement module 1108, configured to determine a target access control policy based on the feature comparison result, and to perform runtime access control on the access request according to the target access control policy.
In one embodiment, the feature comparison module 1106 is further configured to determine a feature comparison term according to the runtime access policy, the dynamic access control policy, and the access environment information; and comparing the characteristic comparison item with a reference characteristic item of the access control reference characteristic to obtain a characteristic comparison result.
In one embodiment, the benchmark feature items comprise a policy decision condition feature item and a policy decision result feature item; the feature comparison module 1106 is further configured to match the dynamic access control policy and access environment information in the feature comparison item with a policy decision condition feature item of the access control reference feature, so as to obtain a feature item matching result; and when the feature item matching result indicates that the matching is consistent, performing feature comparison on the run-time access strategy in the feature comparison item and the strategy judgment result feature item to obtain a feature comparison result.
In one embodiment, the access control policy enforcement module 1108 is further configured to perform at least one of the following: when the feature comparison result indicates that the comparison is consistent, determining the runtime access policy as the target access control policy; and when the feature comparison result indicates that the comparison is inconsistent, determining configuration information based on a preset policy, and determining the target access control policy according to the runtime access policy and the reference policy in the access control reference feature.
In one embodiment, the access control policy enforcement module 1108 is further configured to obtain access control preconditions that match the target access control policy; and, when it is detected that the access control preconditions are met, to perform runtime access control on the access request according to the target access control policy.
In one embodiment, the target access control policy includes blocking access control and the access control preconditions include a blocking decision condition item; the access control policy enforcement module 1108 is further configured to determine the decision basis information for the blocking access control; to match the decision basis information with the blocking decision condition item to obtain a precondition matching result; and, when the precondition matching result indicates that the blocking decision condition item is satisfied, to block the access request at runtime.
In one embodiment, the target access control policy includes forwarding access control; the access control preconditions include access ticket validation conditions; the access control policy enforcement module 1108 is further configured to obtain an access ticket of the access request; and when the access ticket meets the access ticket verification condition, forwarding the access request to the gateway to instruct the gateway to access according to the access request.
In one embodiment, the target access control policy includes a secondary authentication access control; the access control preconditions include a secondary authentication pass condition; the access control policy enforcement module 1108 is further configured to obtain secondary authentication information for the access request; and when the secondary authentication information meets the secondary authentication passing condition, forwarding the access request to the gateway so as to instruct the gateway to access according to the access request.
In one embodiment, the target access control policy includes direct access control; the access control preconditions include a direct connection decision condition; the access control policy enforcement module 1108 is further configured to determine a target access resource for which the access request is directed; and when the target access resource meets the direct connection judging condition, directly accessing the target access resource through the access request.
In one embodiment, the apparatus further comprises a description information reporting module, configured to determine the runtime access policy as the target access control policy when no access control reference feature is acquired, and to perform runtime access control on the access request according to that target access control policy; and to generate policy determination description information from the dynamic access control policy, the access environment information and the runtime access policy, and report the policy determination description information to the server.
In one embodiment, the apparatus further comprises an information reporting module, configured to perform at least one of the following: when the feature comparison result indicates that the comparison is inconsistent, generating abnormality alarm information for the access request and reporting it to the server; when it is detected that the access control preconditions matching the target access control policy are not met, generating abnormality alarm information for the access request and reporting it to the server; when the access control result for the access request indicates that the access control is abnormal, generating abnormality alarm information for the access request and reporting it to the server; and when the terminal information acquisition condition is met, acquiring terminal auxiliary analysis data and reporting it to the server, where the terminal auxiliary analysis data includes at least one of terminal item data or terminal configuration data.
In one embodiment, the apparatus further comprises a control result exception processing module, configured to obtain the access control result for the access request; when the access control result does not meet the expected access control result, to perform exception analysis based on the access control result to obtain an exception analysis result; and when the exception analysis result indicates an access control abnormality, to generate abnormality alarm information for the access request and report it to the server.
In one embodiment, the apparatus further comprises a reference feature generation module, configured to acquire historical access control data; to determine the access environment information and the dynamic access control policy in the historical access control data as the policy decision condition feature item; to determine the access control policy to which the historical access control in the historical access control data belongs as the policy decision result feature item; and to obtain the access control reference feature by aggregating the policy decision condition feature items and policy decision result feature items of all the historical access control data.
In one embodiment, the historical access control data further includes a policy determination logic identification; the reference feature generation module is further used for determining the environment dynamic factor combination, the strategy identification of the dynamic access control strategy and the strategy determination logic identification which are included in the access environment information as strategy determination condition feature items.
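The aggregation performed by the reference feature generation module, as an added example that is not part of the patent or of any product it describes: historical records are grouped by their policy decision condition feature item (environment dynamic factor combination, policy identifier, policy determination logic identifier), the most frequent policy decision result in each group becomes the reference value, and terminals whose historical decisions deviate from the resulting reference can be counted. The record layout, the majority rule and the sample history are assumptions made for illustration.

```python
# Added example (not from the patent): aggregating historical access control
# data into an access control reference feature, and counting per-terminal
# deviations from it. Record layout and the majority rule are assumptions.
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# (environment dynamic factor combination, policy id, policy determination logic id)
ConditionKey = Tuple[frozenset, str, str]


def condition_key(record: Dict) -> ConditionKey:
    """Policy decision condition feature item of one historical record."""
    return (frozenset(record["env_factors"]), record["policy_id"], record["logic_id"])


def build_reference_feature(records: List[Dict], version: int) -> Dict:
    """Group records by decision condition; the majority result becomes the reference."""
    tallies: Dict[ConditionKey, Counter] = defaultdict(Counter)
    for rec in records:
        tallies[condition_key(rec)][rec["result_type"]] += 1
    items = {}
    for key, counter in tallies.items():
        expected, support = counter.most_common(1)[0]
        items[key] = {"expected_type": expected, "support": support,
                      "total": sum(counter.values())}
    return {"version": version, "items": items}


def deviating_terminals(records: List[Dict], ref: Dict) -> Dict[str, int]:
    """Count, per terminal, historical decisions that differ from the reference value."""
    counts: Counter = Counter()
    for rec in records:
        item = ref["items"].get(condition_key(rec))
        if item and item["expected_type"] != rec["result_type"]:
            counts[rec["terminal_id"]] += 1
    return dict(counts)


# Constructed historical access control data (illustrative only). Note that
# the order of environment factors does not matter: the key is a frozenset.
HISTORY = [
    {"terminal_id": "t1", "env_factors": ["net:corp", "disk:encrypted"],
     "policy_id": "P1", "logic_id": "L1", "result_type": "forward"},
    {"terminal_id": "t2", "env_factors": ["net:corp", "disk:encrypted"],
     "policy_id": "P1", "logic_id": "L1", "result_type": "forward"},
    {"terminal_id": "t3", "env_factors": ["disk:encrypted", "net:corp"],
     "policy_id": "P1", "logic_id": "L1", "result_type": "direct"},
    {"terminal_id": "t1", "env_factors": ["net:public"],
     "policy_id": "P1", "logic_id": "L1", "result_type": "secondary_auth"},
    {"terminal_id": "t2", "env_factors": ["net:public"],
     "policy_id": "P1", "logic_id": "L1", "result_type": "secondary_auth"},
]


if __name__ == "__main__":
    ref = build_reference_feature(HISTORY, version=1)
    for key, item in ref["items"].items():
        print(sorted(key[0]), key[1], key[2], "->", item)
    print("deviating terminals:", deviating_terminals(HISTORY, ref))
```

Carrying `support` and `total` alongside each reference value is what allows the server, when terminals later report difference data, to judge whether a disagreement reflects an outdated reference (weak support that shifts as new data arrives) or a genuinely deviating terminal, before it recalculates and pushes a new version.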
In one embodiment, the access request initiation response module 1102 is further configured to obtain a dynamic access control policy that is pre-allocated based on a policy configuration condition when an access request is initiated; acquiring access environment information according to the environment dynamic factors to obtain access environment information associated with the access request; and according to the access environment information, matching from dynamic access control strategies to obtain a runtime access strategy aiming at the access request.
The respective modules in the above-described access request processing apparatus may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server, and the internal structure of which may be as shown in fig. 12. The computer device includes a processor, a memory, an Input/Output interface (I/O) and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is for storing access request handling data. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a method of processing an access request.
In one embodiment, a computer device is provided, which may be a terminal, and the internal structure of which may be as shown in fig. 13. The computer device includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input device. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The input/output interface of the computer device is used to exchange information between the processor and external devices. The communication interface of the computer device is used for wired or wireless communication with an external terminal; the wireless mode can be realised through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by the processor to implement the access request processing method. The display unit of the computer device is used to form a visual picture and can be a display screen, a projection device or a virtual reality imaging device, where the display screen can be a liquid crystal display screen or an electronic ink display screen. The input device of the computer device can be a touch layer covering the display screen, a key, a track ball or a touch pad arranged on the housing of the computer device, or an external keyboard, touch pad or mouse, and the like.
It will be appreciated by those skilled in the art that the structures shown in fig. 12 and 13 are block diagrams of only portions of structures associated with the present inventive arrangements and are not limiting of the computer device to which the present inventive arrangements are applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In an embodiment, there is also provided a computer device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the method embodiments described above when the computer program is executed.
In one embodiment, a computer-readable storage medium is provided, storing a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by a computer program stored on a non-transitory computer-readable storage medium which, when executed, may perform the steps of the method embodiments described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory can include random access memory (RAM), external cache memory, and the like. By way of illustration and not limitation, RAM can take a variety of forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be combined arbitrarily. For brevity of description, not all possible combinations of the technical features in the above embodiments are described; however, as long as there is no contradiction in a combination of these technical features, it should be considered within the scope of this description.
The foregoing examples illustrate only a few embodiments of the application, and are described in detail without thereby limiting the scope of the application. It should be noted that several variations and modifications apparent to those skilled in the art can be made without departing from the spirit of the application, and all of them fall within the scope of the application. Accordingly, the scope of the application should be determined by the appended claims.
Claims (20)
1. A method of processing an access request, the method comprising:
when an access request is initiated, determining a runtime access strategy aiming at the access request according to a pre-allocated dynamic access control strategy and access environment information associated with the access request;
acquiring a preset access control reference feature; the access control reference feature is obtained by aggregating historical access control data; the historical access control data represents a historical access request initiated by a historical terminal in an environment described by the access environment information and the historical access control performed on it according to the dynamic access control policy;
performing feature comparison on the runtime access policy and the access control reference feature to obtain a feature comparison result;
and determining a target access control policy based on the feature comparison result, and performing runtime access control on the access request according to the target access control policy.
2. The method of claim 1, wherein the comparing the run-time access policy with the access control reference feature to obtain a feature comparison result comprises:
determining a feature comparison item according to the runtime access policy, the dynamic access control policy and the access environment information;
and comparing the characteristic comparison item with the reference characteristic item of the access control reference characteristic to obtain a characteristic comparison result.
3. The method of claim 2, wherein the reference feature item comprises a policy decision condition feature item and a policy decision result feature item; and the comparing the feature comparison item with the reference feature item of the access control reference feature to obtain a feature comparison result comprises:
matching the dynamic access control policy and the access environment information in the feature comparison item with the policy decision condition feature item of the access control reference feature to obtain a feature item matching result;
and when the feature item matching result indicates that the matching is consistent, performing feature comparison on the runtime access policy in the feature comparison item and the policy decision result feature item to obtain a feature comparison result.
4. The method of claim 1, wherein the determining a target access control policy based on the feature comparison result comprises at least one of:
when the feature comparison results show that the comparison is consistent, determining the run-time access strategy as a target access control strategy;
and when the feature comparison result shows that the comparison is inconsistent, determining configuration information based on a preset policy, and determining a target access control policy according to the runtime access policy and the reference policy in the access control reference feature.
5. The method of claim 1, wherein performing runtime access control on the access request according to the target access control policy comprises:
obtaining an access control precondition matched to the target access control policy; and
when the access control precondition is detected to be satisfied, performing runtime access control on the access request according to the target access control policy.
6. The method of claim 5, wherein the target access control policy comprises blocking access control, the access control precondition comprises a blocking decision condition item, and performing runtime access control on the access request according to the target access control policy when the access control precondition is detected to be satisfied comprises:
determining decision basis information for the blocking access control;
matching the decision basis information against the blocking decision condition item to obtain a precondition matching result; and
when the precondition matching result indicates that the blocking decision condition item is satisfied, performing blocking access control on the access request at runtime.
7. The method of claim 5, wherein the target access control policy comprises forwarding access control, the access control precondition comprises an access ticket verification condition, and performing runtime access control on the access request according to the target access control policy when the access control precondition is detected to be satisfied comprises:
acquiring an access ticket of the access request; and
when the access ticket satisfies the access ticket verification condition, forwarding the access request to a gateway to instruct the gateway to perform the access according to the access request.
8. The method of claim 5, wherein the target access control policy comprises secondary authentication access control, the access control precondition comprises a secondary authentication pass condition, and performing runtime access control on the access request according to the target access control policy when the access control precondition is detected to be satisfied comprises:
acquiring secondary authentication information for the access request; and
when the secondary authentication information satisfies the secondary authentication pass condition, forwarding the access request to a gateway to instruct the gateway to perform the access according to the access request.
9. The method of claim 5, wherein the target access control policy comprises direct connection access control, the access control precondition comprises a direct connection decision condition, and performing runtime access control on the access request according to the target access control policy when the access control precondition is detected to be satisfied comprises:
determining the target access resource targeted by the access request; and
when the target access resource satisfies the direct connection decision condition, accessing the target access resource directly through the access request.
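The four enforcement branches of claims 5 to 9 (block, forward on a valid ticket, forward after secondary authentication, direct connection), together with the alarm that claim 11 raises when a precondition is not met, as an added Python example. It is not the patent's own implementation: the ticket format (an HMAC over terminal, resource and expiry), the risk-level, OTP and direct-resource conditions, the `GATEWAY` address and the fail-closed handling of an unmet precondition are all assumptions, since the claims name only the kinds of precondition, not their contents.

```python
import hashlib
import hmac

# Constructed demo key shared by the terminal agent and the ticket issuer (assumption).
TICKET_KEY = b"constructed-demo-ticket-key"
GATEWAY = "https://gateway.example.internal"   # hypothetical gateway address


def mint_ticket(terminal_id, resource, expires_at):
    """Issue an access ticket bound to one terminal and resource (assumed format: payload|mac)."""
    payload = f"{terminal_id}|{resource}|{expires_at}"
    mac = hmac.new(TICKET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def ticket_valid(ticket, terminal_id, resource, now):
    """Access ticket verification condition (claim 7): MAC checked in constant time,
    ticket bound to this terminal and resource, and not yet expired."""
    try:
        t_id, res, exp, mac = ticket.split("|")
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(TICKET_KEY, f"{t_id}|{res}|{exp}".encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(mac, expected)
            and t_id == terminal_id and res == resource and now < int(exp))


# Access control preconditions matched to each target policy (claim 5).
# The condition contents are assumptions; the claims name only their kinds.
PRECONDITIONS = {
    "block":   {"risk_levels": {"high", "critical"}},                      # claim 6
    "forward": {"ticket_required": True},                                   # claim 7
    "step_up": {"otp_expected": "246810"},                                  # claim 8, constructed code
    "direct":  {"direct_resources": {"intranet-portal", "status-page"}},    # claim 9
}


def enforce(target_policy, request, now, alerts):
    """Runtime access control for one request. Returns (action, detail).
    Any unmet precondition fails closed and is reported as an anomaly alarm (claim 11)."""
    pre = PRECONDITIONS[target_policy]
    if target_policy == "block":
        # Decision basis information: the terminal's current risk level.
        if request["risk_level"] in pre["risk_levels"]:
            return "blocked", request["risk_level"]
    elif target_policy == "forward":
        if ticket_valid(request.get("ticket"), request["terminal_id"], request["resource"], now):
            return "forwarded", GATEWAY
    elif target_policy == "step_up":
        code = request.get("otp") or ""
        if hmac.compare_digest(code, pre["otp_expected"]):
            return "forwarded", GATEWAY
    elif target_policy == "direct":
        if request["resource"] in pre["direct_resources"]:
            return "direct", request["resource"]
    alerts.append({"terminal_id": request["terminal_id"], "resource": request["resource"],
                   "policy": target_policy, "reason": "precondition_not_met"})
    return "denied", "precondition_not_met"


if __name__ == "__main__":
    now, alerts = 1_700_000_000, []
    ticket = mint_ticket("T1", "hr-app", now + 60)
    print(enforce("forward", {"terminal_id": "T1", "resource": "hr-app", "ticket": ticket}, now, alerts))
    print(enforce("forward", {"terminal_id": "T1", "resource": "hr-app", "ticket": ticket}, now + 61, alerts))
    print(enforce("block", {"terminal_id": "T1", "resource": "hr-app", "risk_level": "high"}, now, alerts))
    print(alerts)
```

The ticket check deliberately binds the ticket to the requesting terminal and the requested resource, so a ticket issued for one terminal cannot be replayed by another; the `alerts` list stands in for the report to the server that claim 11 describes.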
10. The method of claim 1, further comprising:
when the access control reference feature is not acquired, determining the runtime access policy as the target access control policy and performing runtime access control on the access request according to the target access control policy; and
generating policy determination description information according to the dynamic access control policy, the access environment information and the runtime access policy, and reporting the policy determination description information to a server.
11. The method of claim 1, further comprising at least one of:
when the feature comparison result indicates that the comparison is inconsistent, generating anomaly alarm information for the access request and reporting the anomaly alarm information to a server;
when the access control precondition matched to the target access control policy is detected not to be satisfied, generating anomaly alarm information for the access request and reporting the anomaly alarm information to a server;
when the access control result for the access request indicates an access control anomaly, generating anomaly alarm information for the access request and reporting the anomaly alarm information to a server; and
when a terminal information collection condition is satisfied, collecting terminal auxiliary analysis data and reporting the terminal auxiliary analysis data to a server, the terminal auxiliary analysis data comprising at least one of terminal item data or terminal configuration data.
12. The method of claim 1, further comprising:
obtaining an access control result for the access request;
when the access control result does not match the expected access control result, performing anomaly analysis based on the access control result to obtain an anomaly analysis result; and
when the anomaly analysis result indicates an access control anomaly, generating anomaly alarm information for the access request and reporting the anomaly alarm information to a server.
13. The method of claim 1, wherein generating the access control reference feature comprises:
acquiring the historical access control data;
determining the access environment information and the dynamic access control policy in the historical access control data as a policy decision condition feature item;
determining the access control policy to which the historical access control in the historical access control data belongs as a policy decision result feature item; and
aggregating the policy decision condition feature item and the policy decision result feature item of each piece of historical access control data to obtain the access control reference feature.
14. The method of claim 13, wherein the historical access control data further comprises a policy determination logic identifier, and determining the access environment information and the dynamic access control policy in the historical access control data as the policy decision condition feature item comprises:
determining the environment dynamic factor combination included in the access environment information, the policy identifier of the dynamic access control policy and the policy determination logic identifier as the policy decision condition feature item.
15. The method of any one of claims 1 to 14, wherein, when an access request is initiated, determining a runtime access policy for the access request according to a pre-assigned dynamic access control policy and access environment information associated with the access request comprises:
when the access request is initiated, acquiring a dynamic access control policy pre-assigned based on a policy configuration condition;
collecting access environment information according to environment dynamic factors to obtain the access environment information associated with the access request; and
matching the dynamic access control policy according to the access environment information to obtain the runtime access policy for the access request.
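The terminal-side decision pipeline that claims 13 to 15 complete: aggregating historical access control data into the reference feature (claims 13 and 14), matching the dynamic policy against the environment to get the runtime policy (claim 15), comparing it against the reference (claims 2 and 3) and choosing the target policy (claim 4), with the report of claim 10 when no reference exists and the alarm of claim 11 on a mismatch. This is an added Python example, not the patent's implementation; the majority-vote aggregation, the strictness ordering applied on a mismatch, the rule format of the dynamic policy and the sample history are all assumptions, since the claims specify only that a preset configuration decides how the runtime and reference policies are combined.

```python
from collections import Counter, defaultdict

# Strictness ordering used when the runtime and reference policies disagree
# (assumption: the claims only say that preset configuration information decides).
STRICTNESS = {"block": 3, "step_up": 2, "forward": 1, "direct": 0}


def condition_key(env, policy_id, logic_id):
    """Policy decision condition feature item (claim 14): the environment dynamic
    factor combination plus the policy and decision-logic identifiers."""
    return (tuple(sorted(env.items())), policy_id, logic_id)


def aggregate_reference(history):
    """Build the access control reference feature from historical data (claims 13-14).
    Each condition maps to the policy most often applied under it, which serves as
    both the decision result feature item and the reference policy of claim 4."""
    counts = defaultdict(Counter)
    for rec in history:
        counts[condition_key(rec["env"], rec["policy_id"], rec["logic_id"])][rec["result"]] += 1
    return {key: c.most_common(1)[0][0] for key, c in counts.items()}


def determine_runtime_policy(dynamic_policy, env):
    """Claim 15: match the pre-assigned dynamic policy against the environment.
    Rules are (required_factors, policy) pairs; the first full match wins."""
    for required, policy in dynamic_policy["rules"]:
        if all(env.get(k) == v for k, v in required.items()):
            return policy
    return dynamic_policy["default"]


def compare_features(runtime_policy, dynamic_policy, env, reference):
    """Claims 2-3: match the condition items first, then compare the runtime policy
    with the result item. Returns (comparison, reference_policy); comparison is None
    when no reference feature exists for this condition."""
    key = condition_key(env, dynamic_policy["id"], dynamic_policy["logic_id"])
    if key not in reference:
        return None, None
    ref_policy = reference[key]
    return ("consistent" if runtime_policy == ref_policy else "inconsistent"), ref_policy


def determine_target_policy(runtime_policy, comparison, ref_policy, mismatch_mode="stricter"):
    """Claim 4. mismatch_mode stands in for the preset configuration: 'stricter' keeps
    the more restrictive policy, 'reference' always trusts the reference."""
    if comparison in ("consistent", None):   # None: no reference acquired (claim 10)
        return runtime_policy
    if mismatch_mode == "reference":
        return ref_policy
    return max((runtime_policy, ref_policy), key=STRICTNESS.__getitem__)


def process_request(dynamic_policy, env, reference, mismatch_mode="stricter"):
    """One access request on the terminal. Returns the target policy and the record
    to report to the server: a policy determination description when no reference
    matched (claim 10), an anomaly alarm on a mismatch (claim 11), else None."""
    runtime_policy = determine_runtime_policy(dynamic_policy, env)
    comparison, ref_policy = compare_features(runtime_policy, dynamic_policy, env, reference)
    target = determine_target_policy(runtime_policy, comparison, ref_policy, mismatch_mode)
    report = {"policy_id": dynamic_policy["id"], "env": env, "runtime_policy": runtime_policy}
    if comparison is None:
        report["type"] = "policy_determination_description"
    elif comparison == "inconsistent":
        report["type"] = "anomaly_alarm"
        report["reference_policy"] = ref_policy
    else:
        report = None
    return target, report


# Constructed sample history: what other terminals did under policy P1 / logic L1.
HISTORY = [
    {"env": {"network": "corp", "posture": "compliant"}, "policy_id": "P1", "logic_id": "L1", "result": "direct"},
    {"env": {"network": "corp", "posture": "compliant"}, "policy_id": "P1", "logic_id": "L1", "result": "direct"},
    {"env": {"network": "corp", "posture": "compliant"}, "policy_id": "P1", "logic_id": "L1", "result": "forward"},
    {"env": {"network": "public", "posture": "compliant"}, "policy_id": "P1", "logic_id": "L1", "result": "step_up"},
    {"env": {"network": "public", "posture": "compliant"}, "policy_id": "P1", "logic_id": "L1", "result": "step_up"},
]
REFERENCE = aggregate_reference(HISTORY)

# A dynamic policy that has drifted on this terminal (tampering or misconfiguration):
# public-network sessions are merely forwarded instead of requiring step-up authentication.
DYNAMIC_POLICY = {
    "id": "P1", "logic_id": "L1",
    "rules": [({"network": "corp", "posture": "compliant"}, "direct"),
              ({"network": "public"}, "forward")],
    "default": "block",
}

if __name__ == "__main__":
    for env in ({"network": "corp", "posture": "compliant"},
                {"network": "public", "posture": "compliant"},
                {"network": "guest", "posture": "unknown"}):
        print(env, process_request(DYNAMIC_POLICY, env, REFERENCE))
```

The point of the comparison is visible in the second sample environment: the terminal's own policy would forward the public-network request, the reference built from peer history says step-up authentication was the norm, and the mismatch both tightens the decision and produces the alarm that lets the server localise the drifted terminal. The reference is only as trustworthy as the history it was aggregated from, so the server side should ensure that history comes from attested terminals before distributing it.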
16. An access request processing system comprising a server and a terminal, wherein:
the server is configured to distribute a dynamic access control policy and a preset access control reference feature to the terminal; and
the terminal is configured to: when an access request is initiated, determine a runtime access policy for the access request according to the dynamic access control policy and access environment information associated with the access request; acquire the preset access control reference feature, the access control reference feature being obtained by aggregation of historical access control data, and the historical access control data representing historical access requests initiated by historical terminals in the environment described by the access environment information and the historical access control performed on them according to the dynamic access control policy; compare the runtime access policy with the access control reference feature to obtain a feature comparison result; and determine a target access control policy based on the feature comparison result and perform runtime access control on the access request according to the target access control policy.
17. An access request processing apparatus, comprising:
an access request initiation response module, configured to determine, when an access request is initiated, a runtime access policy for the access request according to a pre-assigned dynamic access control policy and access environment information associated with the access request;
a reference feature acquisition module, configured to acquire a preset access control reference feature, the access control reference feature being obtained by aggregation of historical access control data, and the historical access control data representing historical access requests initiated by historical terminals in the environment described by the access environment information and the historical access control performed on them according to the dynamic access control policy;
a feature comparison module, configured to compare the runtime access policy with the access control reference feature to obtain a feature comparison result; and
an access control policy execution module, configured to determine a target access control policy based on the feature comparison result and perform runtime access control on the access request according to the target access control policy.
18. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 15 when the computer program is executed.
19. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 15.
20. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any one of claims 1 to 15.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211648797.7A CN116980164A (en) | 2022-12-21 | 2022-12-21 | Access request processing method, system, device, computer equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211648797.7A CN116980164A (en) | 2022-12-21 | 2022-12-21 | Access request processing method, system, device, computer equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116980164A true CN116980164A (en) | 2023-10-31 |
Family
ID=88480321
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211648797.7A Pending CN116980164A (en) | 2022-12-21 | 2022-12-21 | Access request processing method, system, device, computer equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116980164A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN119363492A (en) * | 2024-12-30 | 2025-01-24 | 北京中诺链捷数字科技有限公司 | A financial security control method and device based on the Internet of Things |
2022
- 2022-12-21 CN CN202211648797.7A patent/CN116980164A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11109229B2 (en) | Security for network computing environment using centralized security system | |
US11526610B2 (en) | Peer-to-peer network for blockchain security | |
JP5961638B2 (en) | System and method for application certification | |
US9143509B2 (en) | Granular assessment of device state | |
US20180219917A1 (en) | Recommendations for security associated with accounts | |
CN112073400A (en) | Access control method, system and device and computing equipment | |
CN111131176B (en) | Resource access control method, device, equipment and storage medium | |
CN106911648B (en) | A kind of environment isolation method and equipment | |
CN115701019A (en) | Access request processing method and device of zero trust network and electronic equipment | |
WO2021120975A1 (en) | Monitoring method and apparatus | |
US12244643B2 (en) | Software security agent updates via microcode | |
CN115361203A (en) | Vulnerability analysis method based on distributed scanning engine | |
CN116980164A (en) | Access request processing method, system, device, computer equipment and storage medium | |
US20230239270A1 (en) | Synthetic audit events in workload segmentation | |
CN111245800B (en) | Network security test method and device, storage medium and electronic device | |
CN116647572B (en) | Access endpoint switching method, device, electronic equipment and storage medium | |
CN115694699A (en) | Time delay parameter acquisition method and device, electronic equipment and storage medium | |
CN118965388A (en) | Access processing method, device, equipment and storage medium | |
CN116975805A (en) | Data processing method, device, equipment, storage medium and product | |
US12255923B2 (en) | Stream processing of telemetry for a network topology | |
CN116962149A (en) | Network fault detection method and device, storage medium and electronic equipment | |
CN116567083A (en) | Service data processing method, device, equipment and medium | |
CN114567678A (en) | Resource calling method and device of cloud security service and electronic equipment | |
CN117896145B (en) | A test method, system, device and storage medium for simulating attacks | |
CN116112214B (en) | Method and device for accessing resources crossing network boundary and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||