CN114710334A - Access policy adjustment method and system for server - Google Patents


Publication number
CN114710334A
Authority
CN
China
Prior art keywords
access
host
application service
information
access policy
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210290728.7A
Other languages
Chinese (zh)
Inventor
陈飞鸣
曹幸发
朱晋
董欢
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Pingan Payment Technology Service Co Ltd
Original Assignee
Pingan Payment Technology Service Co Ltd
Application filed by Pingan Payment Technology Service Co Ltd
Priority to CN202210290728.7A
Publication of CN114710334A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides an access policy adjustment method for a server, comprising the following steps: acquiring access information of an application service; analyzing the acquired access information of the application service and, if the access information contains abnormal access, generating an access policy table based on the abnormal access; and writing the access policy table into a first database, and pushing the access policy table to the host carrying the application service for access policy adjustment through a mapping relationship between the first database and that host. The invention can effectively solve the problems of server inaccessibility and access errors caused by scenarios such as changes in service access volume and application version replacement.

Description

Access policy adjustment method and system for server
Technical Field
Embodiments of the present invention relate to the field of network security, and in particular, to a method, a system, a computer device, and a computer-readable storage medium for adjusting an access policy of a server.
Background
With the continuous development of the internet and the steady emergence of new application services, the servers that respond to those applications continually face new challenges. For example, when a shopping platform holds a sales promotion, user access can increase greatly; or when an application is replaced by a new version, a new service port begins uploading data. However, a traditional firewall policy can only manage a single network security policy effectively and cannot sense changes in the access relationships between application systems, so problems such as access errors often occur.
Disclosure of Invention
In view of the above, it is desirable to provide an access policy adjustment method, system, computer device and computer-readable storage medium for a server, so as to solve the technical problems of server inaccessibility and access errors caused by scenarios such as changes in service access volume and application version replacement.
In order to achieve the above object, an embodiment of the present invention provides an access policy adjustment method for a server, where the method includes:
acquiring access information of an application service;
analyzing the obtained access information of the application service, and if the access information has abnormal access, generating an access policy table based on the abnormal access;
and writing the access policy table into a first database, and pushing the access policy table to a host for access policy adjustment through a mapping relation between the first database and the host carrying the application service.
Optionally, the step of analyzing the obtained access information of the application service includes:
determining a host bearing value based on the service access amount in the access information;
and judging whether the number of the current bearing hosts of the application service is smaller than the host bearing value, if so, judging that abnormal access exists in the access information.
Optionally, the step of generating an access policy table based on the abnormal access includes:
inputting the host bearing value and the name of the corresponding application service into a preset strategy library to obtain a matched first strategy;
and generating an access policy table according to the first policy.
Optionally, the step of analyzing the obtained access information of the application service further includes:
judging whether the access information contains the access behavior of the unregistered port or not;
if yes, judging that abnormal access exists in the access information.
Optionally, the step of generating an access policy table based on the abnormal access includes:
authenticating the unregistered port and judging whether the unregistered port is an authorized port;
and if so, inputting the number of the unregistered ports and the data access amount of the unregistered ports into a preset policy library to obtain a matched second policy;
and generating an access policy table according to the second policy.
Optionally, the step of obtaining the access information of the application service includes:
acquiring an access behavior uploaded by a host bearing the application service;
and performing information arrangement on the access behavior to obtain the access information of the application service.
Optionally, the step of writing the access policy table to the first database includes:
taking each host as an object, and assigning to the object representing that host, as an attached value, the policy information corresponding to the host in the access policy table;
writing the object and the attached value of the object into the first database.
To achieve the above object, an embodiment of the present invention further provides an access policy adjustment system, including:
the acquisition module is used for acquiring access information of the application service;
the analysis module is used for analyzing the obtained access information of the application service, and if the access information has abnormal access, an access policy table is generated based on the abnormal access;
and the adjusting module is used for writing the access policy table into a first database, and pushing the access policy table to a host for access policy adjustment through a mapping relation between the first database and the host bearing the application service.
In order to achieve the above object, an embodiment of the present invention further provides a computer device, where the computer device includes a memory, a processor, and a computer program stored in the memory and being executable on the processor, and the computer program is characterized in that when executed by the processor, the computer device implements the steps of the access policy adjustment method as described above.
To achieve the above object, an embodiment of the present invention further provides a computer-readable storage medium, in which a computer program is stored, where the computer program is executable by at least one processor, so as to cause the at least one processor to execute the steps of the access policy adjustment method as described above.
The access policy adjustment method, system, computer device and computer-readable storage medium for a server provided by the embodiments of the invention can effectively solve the problems of server inaccessibility and access errors caused by scenarios such as changes in service access volume and application version replacement.
Drawings
Fig. 1 is a schematic flowchart of an access policy adjustment method for a server according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of the step of analyzing the obtained access information of the application service in step S200 according to an embodiment of the present invention;
Fig. 3 is a flowchart illustrating the step of generating an access policy table based on the abnormal access in step S200 according to an embodiment of the present invention;
Fig. 4 is a schematic flowchart of another implementation of the step of analyzing the obtained access information of the application service in step S200 according to an embodiment of the present invention;
Fig. 5 is a flowchart illustrating another implementation of the step of generating the access policy table based on the abnormal access in step S200 according to an embodiment of the present invention;
Fig. 6 is a flowchart illustrating step S100 of acquiring access information of an application service according to an embodiment of the present invention;
Fig. 7 is a flowchart illustrating the step of writing the access policy table into the first database in step S300 according to an embodiment of the present invention;
Fig. 8 is a block diagram of a second embodiment of an access policy adjustment system according to the present invention;
Fig. 9 is a schematic diagram of a hardware structure of a third embodiment of the computer device according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the description relating to "first", "second", etc. in the present invention is for descriptive purposes only and is not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, technical solutions between various embodiments may be combined with each other, but must be realized by a person skilled in the art, and when the technical solutions are contradictory or cannot be realized, such a combination should not be considered to exist, and is not within the protection scope of the present invention.
In the following embodiments, the computer device 2 will be exemplarily described as an execution subject.
Example one
Referring to Fig. 1, a flowchart of the steps of an access policy adjustment method for a server according to an embodiment of the invention is shown. It is to be understood that the flowcharts in the embodiments of the present method are not intended to limit the order in which the steps are performed. The following description takes the computer device 2 as the execution subject by way of example. The specific steps are as follows:
Step S100: acquiring access information of the application service.
The access information of the application service is information about the mutual access among different programs, components, ports or devices for a given service. For example, user device A accesses server A, which is responsible for page data; or the user clicks the loan payment on the settlement page, and server host B, which is specifically responsible for the ordering and settlement function, accesses server host C, which is responsible for the financial data, and so on.
The application service may be one or more. That is, only the access information of one application service may be acquired as a reference for generating the access policy table, and the access information of part or all of the application services may also be acquired as a reference for generating the access policy table, so as to perform overall monitoring and adjustment of the global service.
The access information of the application service may include a request port of the application service, an address of the request port, a subnet address of the request port, a service transmission protocol, a network management involved in service transmission, a service access amount, and the like.
Step S200: analyzing the obtained access information of the application service, and if there is an abnormal access in the access information, generating an access policy table based on the abnormal access.
Specifically, after the access information of the application service is acquired, it is analyzed to judge whether the application service has abnormal access. For example, if the number of accesses to server A is too high, or access behavior from an unidentified port exists, this is treated as abnormal access. When abnormal access occurs, a preset policy library is called to look up the access policy that matches the abnormal access found by the current analysis, and the access configuration of each service host is set according to the matched access policy.
The preset policy library can be set manually or obtained by training and learning. The policy library comprises at least three elements: an abnormal access set, an access policy configuration set, and a mapping relationship between the two. Calling the policy library means inputting the abnormal access into it; the policy library searches for a matching access policy and returns that access policy as the result of the call.
For example, the policy library may be configured manually in advance with multiple abnormal accesses and their corresponding access policies as perfect samples. A large number of training samples are then input and trained together with the perfect samples, finally generating multiple classification cluster groups, where each classification cluster group corresponds to one access policy and includes one or more abnormal accesses. Each classification cluster group forms a policy repository.
Step S300: writing the access policy table into a first database, and pushing the access policy table to the host carrying the application service for access policy adjustment through a mapping relationship between the first database and that host.
Specifically, a mapping relationship and a synchronization period are preset between the first database and each host carrying the application service. Each host stores its own access address in the first database, through which the corresponding key-value information in the first database can be obtained. The key-value information may be information such as an access policy table. In addition, when key-value information in the first database changes, the first database sends the changed key-value information to the corresponding host for synchronization, based on the host to which the changed key-value information is mapped.
In a specific embodiment, after the access policy table is generated based on abnormal access, the access policy table is written into the first database, and the first database synchronizes to each host the adjustment policy corresponding to that host according to the mapping relationship between the key-value information and the host.
Illustratively, the first database stores table1, table2 and table3; table1 maps to host A, table2 maps to host B, and table3 maps to host C. The generated policy table is: host A is accessible by host C, host B is not accessible by any device, host C is accessible by hosts A and D, and hosts A and C are accessible by ports 1-399. The first database synchronizes to host A the policy fields relating to host A, i.e. "host A is accessible by host C"; to host B the policy fields relating to host B, i.e. "host B is not accessible by any device"; and to host C the policy fields relating to host C, i.e. "host C is accessible by hosts A and D, and host C is accessible by ports 1-399".
The first database is preferably an etcd database. The generated access policy table can be written directly into the etcd database; the database modifies the corresponding key values based on the access policy table and sends the changed key values to the corresponding hosts in a synchronization period, so as to convey the adjusted access policy.
The access policy adjustment method for a server provided by the embodiment of the invention can effectively solve the problems of server inaccessibility and access errors caused by scenarios such as changes in service access volume and application version replacement.
As an alternative embodiment, in step S200, the step of analyzing the obtained access information of the application service includes:
Step S210: determining a host bearing value based on the service access amount in the access information;
Step S220: judging whether the number of hosts currently carrying the application service is smaller than the host bearing value, and if so, judging that there is an abnormal access in the access information.
For example, a user accessing the secure financial official website may be treated as an application service, with host A as the server carrying that service. The service access amount can be determined from the average number of accesses to host A within a certain period, and it is then determined whether an access surge has occurred in order to decide whether capacity expansion is required.
The host bearing value is calculated from the service access amount and a preset calculation formula. The host bearing value is the number of hosts required for the application service to run normally. Take the order settlement service as an example: if the current access frequency of the service reaches 5,000 times per second, 2 hosts are required to carry the service; otherwise an access error occurs at the device requesting access, or the return value of the host is not obtained, so that the page display stalls. If the current access frequency reaches 30,000 times per second, 6 hosts are required to carry the service. Different operation rules can be stored manually in advance for different services. The operation rule can be a linear calculation, a nonlinear calculation, or a comprehensive calculation that adds factors such as network speed.
As an optional embodiment, the step of generating the access policy table based on the abnormal access in step S200 includes:
Step S230: inputting the host bearing value and the name of the corresponding application service into a preset policy library to obtain a matched first policy;
Step S240: generating an access policy table according to the first policy.
Illustratively, a safe financial institution holds a promotion in which fund purchases have their redemption fee reduced or waived, and the access amount of the safe financial application increases greatly during the promotion. The access behavior reported by the hosts is analyzed to obtain the increase in access amount in the current time period, and the host bearing value required for normal operation at the current access amount is calculated to be 5. If only 2 hosts currently carry the safe financial application service, abnormal access is judged to have occurred; the abnormal access characteristic is input into the preset policy library, and the corresponding access policy obtained is "randomly select 3 hosts from the standby hosts to expand the service".
The abnormal access characteristic may be "2 hosts currently carry the service, and the host bearing value is 5 hosts", or "3 additional hosts are needed to carry the current service". The abnormal access characteristic is used as the call parameter input to the policy library, and its expression field may be set by a technician according to the actual application scenario.
It should be noted that if the number of hosts currently carrying the application service is greater than the host bearing value, this is also judged to be abnormal access, and the corresponding adjustment policy is matched through the policy library for processing. For example, consider the safe financial APP service and the safe community APP service. If 8 hosts currently carry the safe financial APP service and calculation shows that its host bearing value is 2, then 6 hosts can be withdrawn to idle or for other scheduling, improving host utilization. If the host bearing value of the safe community APP service is larger than the number of hosts currently carrying it, hosts can be separated from the safe financial APP service in time to carry the safe community APP service. Whether the 6 hosts are all left idle or immediately take part in carrying the safe community APP service is determined by the access policy matched in the policy library.
As an optional embodiment, the step of analyzing the obtained access information of the application service in step S200 further includes:
Step S250: judging whether the access information includes access behavior of an unregistered port;
Step S260: if yes, judging that abnormal access exists in the access information.
Specifically, in addition to a change in the access amount, if the version of the application terminal is updated and a new function is added, a new service port is generated to access the host. This situation is also judged to be abnormal access, and a host needs to be added in response to the abnormal access to ensure normal operation of the new service.
It is judged whether the access information of the application service carries access behavior of an unregistered port. For example, the reporting ports for the settlement service in the safe financial APP are 1 to 399; that is, the host carrying the safe financial APP service knows that messages uploaded by ports 1 to 399 are data relating to the settlement service of the safe financial APP. If data reported by ports 486-567 appears in the access information, it is judged that the safe financial APP software has been iteratively updated and has a new function. Because the load increases as the services increase, capacity is expanded accordingly: a host carrying the newly added service is added and the load is adjusted in time, which solves problems such as slow access and loading of the new service.
As an optional embodiment, the step of generating the access policy table based on the abnormal access in step S200 includes:
Step S270: authenticating the unregistered port, and judging whether the unregistered port is an authorized port;
and if yes, inputting the number of the unregistered ports and the data access amount of the unregistered ports into a preset policy library to obtain a matched second policy;
Step S290: generating an access policy table according to the second policy.
Specifically, when it is judged that the abnormal access is behavior initiated by an unregistered port, an authentication request is initiated to the application terminal or the cloud platform, and whether the unregistered port is an authorized port is judged based on the returned authentication result. If the unregistered port is an authorized port, the number of unregistered ports and the data access amount in the access information of the unregistered ports are input into the preset policy library to obtain a matched second policy.
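The analysis in steps S210 to S290 can be sketched as follows. This is an added example, not code from the patent: the linear bearing rule is fitted to the two data points given above, and `first_policy`, `second_policy`, the action names, the sample traffic and the `is_authorized` callback (standing in for the authentication request) are hypothetical.

```python
from dataclasses import dataclass


# Assumed rule: a straight line through the page's two data points
# (5,000 req/s -> 2 hosts, 30,000 req/s -> 6 hosts), rounded up.
def host_bearing_value(requests_per_second: int) -> int:
    return -(-(requests_per_second + 7500) // 6250)


@dataclass
class AccessInfo:
    """Consolidated access information for one application service (S100)."""
    service: str
    requests_per_second: int
    current_hosts: int
    registered_ports: range
    port_hits: dict  # port number -> data access count in the period


def first_policy(service: str, bearing_value: int, current_hosts: int) -> dict:
    """Hypothetical policy-library entry for capacity anomalies (S230)."""
    delta = bearing_value - current_hosts
    action = "expand_from_standby" if delta > 0 else "release_hosts"
    return {"service": service, "action": action, "hosts": abs(delta)}


def second_policy(service: str, ports: dict) -> dict:
    """Hypothetical policy-library entry keyed on port count and access volume."""
    return {"service": service, "action": "register_ports",
            "ports": sorted(ports), "port_count": len(ports),
            "data_accesses": sum(ports.values())}


def build_policy_table(info: AccessInfo, is_authorized):
    """Return (policy_table, rejected_ports) for one service (S200)."""
    table = []
    needed = host_bearing_value(info.requests_per_second)
    if info.current_hosts != needed:          # too few or too many hosts
        table.append(first_policy(info.service, needed, info.current_hosts))

    unregistered = {p: n for p, n in info.port_hits.items()
                    if p not in info.registered_ports}
    authorized = {p: n for p, n in unregistered.items() if is_authorized(p)}
    if authorized:
        table.append(second_policy(info.service, authorized))
    # Assumption: ports that fail authentication get no policy row and are
    # returned for review, so they are never opened automatically.
    rejected = sorted(set(unregistered) - set(authorized))
    return table, rejected


# Constructed sample: 23,750 req/s needs 5 hosts under the assumed rule.
SAMPLE = AccessInfo(
    service="settlement",
    requests_per_second=23_750,
    current_hosts=2,
    registered_ports=range(1, 400),
    port_hits={80: 9_000, 486: 1_200, 567: 300, 8081: 40},
)
AUTHORIZED_NEW_PORTS = range(486, 568)  # stand-in for the authentication reply


def demo():
    return build_policy_table(SAMPLE, lambda p: p in AUTHORIZED_NEW_PORTS)


if __name__ == "__main__":
    table, rejected = demo()
    for row in table:
        print(row)
    print("rejected ports:", rejected)
```
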
As an alternative embodiment, the step S100 of obtaining the access information of the application service includes:
Step S110: acquiring access behavior uploaded by a host carrying the application service;
Step S120: collating the access behavior to obtain the access information of the application service.
Specifically, the service host is a server that carries an application service, a function, or a service response. The service host can automatically report the access behavior for a certain period of time, for example: at 17:50, client A (192.168.1.56) requests access; at 17:52, client B (192.168.1.57) requests access and at 17:53 sends a call request to server B for a financial loan.
Alternatively, the service host can be accessed directly to obtain the access behavior data it stores. After the access behavior data uploaded by one or more service hosts is obtained, the information of all the access behaviors is collated to obtain the access information of one or more application services. Illustratively, the consolidated access information may be: host A has 1000 total accesses, an average of 20 accesses per second, 88 total accesses to host B, and 32 total accesses to host C. Host B is accessed 851 times total, on average 18 times per second, host B is accessed 722 times total, and so on.
In addition, the service host can be configured to arrange the access behavior data it retains according to a preset format, so that the arranged behavior data can be uploaded directly. For example, the "1000 total times visited" field is uploaded directly.
As an alternative embodiment, the step of writing the access policy table into the first database in step S300 includes:
Step S310: taking each host as an object, and assigning to the object representing that host, as an attached value, the policy information corresponding to the host in the access policy table;
Step S320: writing the object and the attached value of the object into the first database.
In particular, the attached value may be one or more attributes that record the policy information corresponding to the host. The object used to represent the host may be a class; for example, host A is defined by class hostA. Each single host is written into the first database as an object, so the first database can directly find the designated locally stored object through the input object name and change the data of that object, which improves data transmission efficiency.
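Steps S310 and S320, together with the per-host push described for step S300, can be sketched with an in-memory stand-in for the first database. This is an added example, not code from the patent: the key layout, class names and field names are hypothetical, the policy table is the host A/B/C illustration above, and the stand-in pushes on every change rather than on a synchronization period.

```python
import json


class PolicyStore:
    """In-memory stand-in for the first database (the page prefers etcd)."""

    def __init__(self):
        self._data = {}
        self._mapping = {}  # key -> host callback (database-to-host mapping)

    def map_host(self, key, callback):
        self._mapping[key] = callback

    def put(self, key, value):
        """Store the value; push to the mapped host only if it changed."""
        encoded = json.dumps(value, sort_keys=True)
        if self._data.get(key) == encoded:
            return False
        self._data[key] = encoded
        if key in self._mapping:
            self._mapping[key](json.loads(encoded))
        return True


class Host:
    def __init__(self, name):
        self.name = name
        # Nothing is permitted until a policy has been synchronized.
        self.policy = {"allowed_sources": [], "ports": []}
        self.updates = 0

    def apply(self, policy):
        self.policy = policy
        self.updates += 1

    def permits(self, source, port):
        in_range = any(lo <= port <= hi for lo, hi in self.policy["ports"])
        return source in self.policy["allowed_sources"] and in_range


def key_for(host_name):
    return f"/access-policy/host{host_name}"  # hypothetical key layout


# Policy table from the illustration: A <- C, B <- nobody, C <- A and D,
# with hosts A and C reachable on ports 1-399.
POLICY_TABLE = [
    {"host": "A", "allowed_sources": ["C"], "ports": [[1, 399]]},
    {"host": "B", "allowed_sources": [], "ports": []},
    {"host": "C", "allowed_sources": ["A", "D"], "ports": [[1, 399]]},
]


def write_policy_table(store, table):
    """Write one object per host; return the keys whose value changed."""
    changed = []
    for row in table:
        attached = {k: v for k, v in row.items() if k != "host"}
        if store.put(key_for(row["host"]), attached):
            changed.append(key_for(row["host"]))
    return changed


def demo():
    store = PolicyStore()
    hosts = {name: Host(name) for name in "ABC"}
    for name, host in hosts.items():
        store.map_host(key_for(name), host.apply)
    first = write_policy_table(store, POLICY_TABLE)
    second = write_policy_table(store, POLICY_TABLE)  # nothing changed
    return hosts, first, second


if __name__ == "__main__":
    hosts, first, second = demo()
    print(first, second, hosts["C"].permits("D", 399))
```

Each host receives only its own policy fields, and rewriting an unchanged table triggers no push.
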
Example two
Fig. 8 is a schematic diagram illustrating program modules of a second embodiment of the access policy adjustment system according to the present invention. The access policy adjustment system 20 may include or be divided into one or more program modules, which are stored in a storage medium and executed by one or more processors to implement the present invention and implement the access policy adjustment method for a server described above. The program module referred to in the embodiments of the present invention refers to a series of computer program instruction segments capable of performing specific functions, and is more suitable for describing the execution process of the access policy adjustment system 20 in the storage medium than the program itself. The following description will specifically describe the functions of the program modules of the present embodiment:
an obtaining module 200, configured to obtain access information of an application service;
the analyzing module 210 is configured to analyze the obtained access information of the application service, and if the access information has an abnormal access, generate an access policy table based on the abnormal access;
an adjusting module 220, configured to write the access policy table into a first database, and push the access policy table to a host that carries the application service for access policy adjustment through a mapping relationship between the first database and the host.
As an optional embodiment, the parsing module 210 is further configured to:
determining a host bearing value based on the service access amount in the access information;
and judging whether the number of the current bearing hosts of the application service is smaller than the host bearing value, if so, judging that abnormal access exists in the access information.
As an optional embodiment, the parsing module 210 is further configured to:
inputting the host bearing value and the name of the corresponding application service into a preset strategy library to obtain a matched first strategy;
and generating an access policy table according to the first policy.
As an optional embodiment, the parsing module 210 is further configured to:
judging whether the access information contains the access behavior of the unregistered port or not;
if yes, judging that abnormal access exists in the access information.
As an optional embodiment, the parsing module 210 is further configured to:
authenticating the unregistered port and judging whether the unregistered port is an authorized port;
and if so, inputting the number of the unregistered ports and the data access amount of the unregistered ports into a preset policy library to obtain a matched second policy;
and generating an access policy table according to the second policy.
As an alternative embodiment, the obtaining module 200 is further configured to:
acquiring an access behavior uploaded by a host bearing the application service;
and performing information arrangement on the access behavior to obtain the access information of the application service.
As an alternative embodiment, the adjusting module 220 is further configured to:
taking each host as an object, and assigning the policy information corresponding to that host in the access policy table, as an attached value, to the object representing the host;
writing the object and the subject value input for the object to the first database.
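A minimal sketch of the flow these modules describe, added here as an illustration and not taken from the patent. The capacity constant, the port sets, the two policy-library functions and the sample records are assumptions, and denying ports that fail authentication is this example's choice because the text does not say what happens to them.

```python
import math
from collections import defaultdict

# Constructed sample values (assumptions, not from the patent text).
PER_HOST_CAPACITY = 1000                 # requests one host is assumed to carry
REGISTERED_PORTS = {"pay-api": {443}}    # ports registered for each service
AUTHORIZED_PORTS = {"pay-api": {8443}}   # unregistered ports that pass authentication

def first_policy(service, bearing_value):
    # Stand-in for the policy-library lookup keyed on (bearing value, service name).
    return {"action": "scale_out", "service": service, "target_hosts": bearing_value}

def second_policy(port_count, access_volume):
    # Stand-in for the lookup keyed on (unregistered port count, their access volume).
    action = "rate_limit" if access_volume > 100 else "allow"
    return {"action": action, "port_count": port_count, "volume": access_volume}

def build_policy_table(service, records, current_hosts):
    """records: (host, port, request_count) tuples uploaded by the carrying hosts.
    Returns {host: [policy entries]}; an empty dict means no abnormal access."""
    table = defaultdict(list)
    # Check 1: fewer carrying hosts than the host bearing value.
    bearing_value = math.ceil(sum(n for _, _, n in records) / PER_HOST_CAPACITY)
    if len(current_hosts) < bearing_value:
        for host in current_hosts:
            table[host].append(first_policy(service, bearing_value))
    # Check 2: access on ports that are not registered for the service.
    unregistered = defaultdict(dict)             # host -> {port: volume}
    for host, port, n in records:
        if port not in REGISTERED_PORTS[service]:
            unregistered[host][port] = unregistered[host].get(port, 0) + n
    for host, ports in unregistered.items():
        ok = {p: v for p, v in ports.items() if p in AUTHORIZED_PORTS[service]}
        if ok:
            table[host].append(second_policy(len(ok), sum(ok.values())))
        # Assumption: the page does not say what happens to ports that fail
        # authentication; this sketch blocks them.
        for port in sorted(set(ports) - set(ok)):
            table[host].append({"action": "deny", "port": port})
    return dict(table)

def write_and_push(table, database, host_agents):
    """Store one object per host with its policy entries as the attached value,
    then push each entry list through the host mapping. Returns hosts updated."""
    updated = []
    for host, entries in sorted(table.items()):
        database[host] = entries
        if host in host_agents:                  # mapping: database key -> host agent
            host_agents[host](entries)
            updated.append(host)
    return updated

# Constructed access records: (host, port, request_count).
SAMPLE = [("h1", 443, 1800), ("h2", 443, 900), ("h2", 8443, 250), ("h2", 2222, 40)]
```

With the sample records, two hosts carry 2990 requests against a bearing value of 3, so both hosts receive the first policy, and host h2 additionally receives a second-policy entry for port 8443 and a deny entry for port 2222.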
Example three
Fig. 9 is a schematic diagram of a hardware architecture of a computer device according to a third embodiment of the present invention. In the present embodiment, the computer device 2 is a device capable of automatically performing numerical calculation and/or information processing in accordance with a preset or stored instruction. The computer device 2 may be a rack server, a blade server, or a tower server (including an independent server or a server cluster composed of a plurality of servers), and the like. As shown, the computer device 2 includes, but is not limited to, at least a memory 21, a processor 22, a network interface 23, and an access policy adjustment system 20, which may be communicatively coupled to each other via a system bus.
In this embodiment, the memory 21 includes at least one type of computer-readable storage medium including a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, and the like. In some embodiments, the memory 21 may be an internal storage unit of the computer device 2, such as a hard disk or a memory of the computer device 2. In other embodiments, the memory 21 may also be an external storage device of the computer device 2, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash memory card (Flash Card), or the like provided on the computer device 2. Of course, the memory 21 may also comprise both internal and external storage units of the computer device 2. In this embodiment, the memory 21 is generally used for storing an operating system and various application software installed in the computer device 2, such as the program codes of the access policy adjustment system 20 in the second embodiment. Further, the memory 21 may also be used to temporarily store various types of data that have been output or are to be output.
In some embodiments, the processor 22 may be a Central Processing Unit (CPU), a controller, a microcontroller, a microprocessor, or another data processing chip. The processor 22 is typically used to control the overall operation of the computer device 2. In this embodiment, the processor 22 is configured to execute the program code stored in the memory 21 or process data, for example, execute the access policy adjustment system 20, so as to implement the access policy adjustment method for a server according to the first embodiment.
The network interface 23 may comprise a wireless network interface or a wired network interface, and is generally used for establishing a communication connection between the computer device 2 and other electronic apparatuses. For example, the network interface 23 is used to connect the computer device 2 to an external terminal through a network, establish a data transmission channel and a communication connection between the computer device 2 and the external terminal, and the like. The network may be a wireless or wired network such as an intranet, the Internet, a Global System for Mobile Communications (GSM) network, Wideband Code Division Multiple Access (WCDMA), a 4G network, a 5G network, Bluetooth, Wi-Fi, and the like.
It is noted that Fig. 9 only shows the computer device 2 with components 20-23, but it is to be understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead.
In this embodiment, the access policy adjustment system 20 stored in the memory 21 can be further divided into one or more program modules, and the one or more program modules are stored in the memory 21 and executed by one or more processors (in this embodiment, the processor 22) to complete the present invention.
For example, Fig. 8 is a schematic diagram of the program modules implementing the access policy adjustment system 20 according to the second embodiment of the present invention. In this embodiment, the access policy adjustment system 20 may be divided into an obtaining module 200, a parsing module 210, and an adjusting module 220. A program module in the present invention refers to a series of computer program instruction segments capable of performing a specific function, and is more suitable than a program for describing the execution process of the access policy adjustment system 20 in the computer device 2. The specific functions of the program modules 200 and 210 have been described in detail in the second embodiment, and are not described herein again.
Example four
The present embodiment also provides a computer-readable storage medium, such as a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, a server, an app store, etc., on which a computer program is stored, which when executed by a processor implements corresponding functions. The computer-readable storage medium of the present embodiment is used for storing the access policy adjustment system 20, which, when executed by a processor, implements the access policy adjustment method for a server of the first embodiment.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the description of the foregoing embodiments, it is clear to those skilled in the art that the method of the foregoing embodiments may be implemented by software plus a necessary general hardware platform, and certainly may also be implemented by hardware, but in many cases, the former is a better implementation.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. An access policy adjustment method for a server, the method comprising:
acquiring access information of an application service;
analyzing the obtained access information of the application service, and if the access information has abnormal access, generating an access policy table based on the abnormal access;
and writing the access policy table into a first database, and pushing the access policy table to a host for access policy adjustment through a mapping relation between the first database and the host carrying the application service.
2. The method according to claim 1, wherein the step of parsing the obtained access information of the application service comprises:
determining a host bearing value based on the service access amount in the access information;
and judging whether the number of the current bearing hosts of the application service is smaller than the host bearing value, if so, judging that abnormal access exists in the access information.
3. The method according to claim 2, wherein the step of generating an access policy table based on the abnormal access comprises:
inputting the host bearing value and the name of the corresponding application service into a preset policy library to obtain a matched first policy;
and generating an access policy table according to the first policy.
4. The method according to claim 1, wherein the step of parsing the obtained access information of the application service further comprises:
judging whether the access information contains the access behavior of the unregistered port or not;
if yes, judging that abnormal access exists in the access information.
5. The method according to claim 1, wherein the step of generating an access policy table based on the abnormal access comprises:
authenticating the unregistered port and judging whether the unregistered port is an authorized port;
if yes, inputting the number of the unregistered ports and the data access quantity of the unregistered ports into a preset policy library to obtain a matched second policy;
and generating an access policy table according to the second policy.
6. The access policy method according to claim 1, wherein the step of obtaining access information of the application service comprises:
acquiring an access behavior uploaded by a host bearing the application service;
and performing information sorting on the access behavior to obtain the access information of the application service.
7. The method according to claim 1, wherein the step of writing the access policy table to the first database comprises:
taking each host as an object, and assigning the policy information corresponding to that host in the access policy table, as an attached value, to the object representing the host;
writing the object and the subject value input for the object to the first database.
8. An access policy adjustment system, comprising:
the acquisition module is used for acquiring the access information of the application service;
the analysis module is used for analyzing the obtained access information of the application service, and if the access information has abnormal access, an access policy table is generated based on the abnormal access;
and the adjusting module is used for writing the access policy table into a first database, and pushing the access policy table to a host for access policy adjustment through a mapping relation between the first database and the host bearing the application service.
9. A computer arrangement comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the computer program, when executed by the processor, carries out the steps of the access policy adjustment method according to any one of claims 1 to 7.
10. A computer-readable storage medium, in which a computer program is stored which is executable by at least one processor to cause the at least one processor to perform the steps of the access policy adjustment method according to any one of claims 1 to 7.
CN202210290728.7A 2022-03-23 2022-03-23 Access policy adjustment method and system for server Pending CN114710334A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210290728.7A CN114710334A (en) 2022-03-23 2022-03-23 Access policy adjustment method and system for server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210290728.7A CN114710334A (en) 2022-03-23 2022-03-23 Access policy adjustment method and system for server

Publications (1)

Publication Number Publication Date
CN114710334A true CN114710334A (en) 2022-07-05

Family

ID=82169335

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210290728.7A Pending CN114710334A (en) 2022-03-23 2022-03-23 Access policy adjustment method and system for server

Country Status (1)

Country Link
CN (1) CN114710334A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108377241A (en) * 2018-02-12 2018-08-07 平安普惠企业管理有限公司 Monitoring method, device, equipment based on access frequency and computer storage media
CN111443870A (en) * 2020-03-26 2020-07-24 腾讯科技(深圳)有限公司 Data processing method, device and storage medium
CN112291258A (en) * 2020-11-12 2021-01-29 杭州比智科技有限公司 Gateway risk control method and device
CN113918341A (en) * 2021-10-20 2022-01-11 中国平安人寿保险股份有限公司 Equipment scheduling method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
CN111580874B (en) System safety control method and system for data application and computer equipment
CN110213234B (en) Application program file developer identification method, device, equipment and storage medium
CN109543891B (en) Method and apparatus for establishing capacity prediction model, and computer-readable storage medium
CN110191097B (en) Method, system, equipment and storage medium for detecting security of login page
CN110046181B (en) Data routing method and device based on database distributed storage
CN111475494A (en) Mass data processing method, system, terminal and storage medium
CN117493309A (en) Standard model generation method, device, equipment and storage medium
CN111124883B (en) Test case library introduction method, system and equipment based on tree form
CN112579608A (en) Case data query method, system, device and computer readable storage medium
CN112035676A (en) User operation behavior knowledge graph construction method and device
CN114710334A (en) Access policy adjustment method and system for server
CN116150200A (en) Data processing method, device, electronic equipment and storage medium
CN111131393B (en) User activity data statistical method, electronic device and storage medium
CN114528010A (en) Data processing method and device, electronic equipment and storage medium
CN115033551A (en) Database migration method and device, electronic equipment and storage medium
CN112231232A (en) Method, device and equipment for determining test data model and generating test data
CN112417324A (en) Chrome-based URL (Uniform resource locator) interception method and device and computer equipment
CN113392138B (en) Statistical analysis method, device, server and storage medium for private data
CN115396277B (en) Login state management method, device, equipment and storage medium
CN113568682B (en) Rule data verification method, device, computer equipment and storage medium
US11972018B2 (en) Data categories for purpose-based processing of personal data
CN109039691B (en) Server, method for predicting system call amount and storage medium
CN115687385A (en) Data query method and system
CN117743721A (en) Data processing method and device
CN114741408A (en) Data scheduling method, system, computer device and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination