CN115022008A - Access risk assessment method, device, equipment and medium - Google Patents


Info

Publication number: CN115022008A
Authority: CN (China)
Application number: CN202210599418.3A
Legal status: Withdrawn (the status listed by Google is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 孙良辰
Current assignee: Suzhou Inspur Intelligent Technology Co Ltd (listed assignees may be inaccurate)
Original assignee: Suzhou Inspur Intelligent Technology Co Ltd
Prior art keywords: access, target, information, risk assessment, environment information

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/20  Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses an access risk assessment method, device, equipment and medium in the technical field of hardware. The method comprises: obtaining an access request for a target application sent by a user side, to obtain access request information; obtaining the local service-side environment information and the user-side environment information of the user side, and determining target environment information from the two; screening a target access policy out of all pre-acquired access policies based on the access request information and the target environment information, and determining access risk assessment information from the access request information; and performing risk assessment on the target access policy using the access risk assessment information and the target environment information, to obtain an access risk assessment result. The scheme improves access security and the diversity and flexibility of access risk assessment, which shortens the development time of access risk assessment systems and applications and reduces research and development cost.

Description

Access risk assessment method, device, equipment and medium
Technical Field
The present invention relates to the field of hardware technologies, and in particular, to a method, an apparatus, a device, and a medium for access risk assessment.
Background
Digital transformation is accelerating, and an enterprise now runs many networks, systems, applications and cloud services. Once an attacker breaks through the boundary protection of the enterprise network, the attacker can move laterally within the internal network and attack or damage it without being blocked or contained.
Access control is a technique for restricting a user's access to certain information items, or restricting the use of certain control functions, according to a defined set of user identities and the groups to which they belong. Its main purposes are to prevent illegitimate principals from entering protected network resources, to allow legitimate users to access protected network resources, and to prevent legitimate users from accessing protected network resources without authorization. Access control is usually implemented by building permission management into every subsystem that needs it, which is intrusive to those subsystems during integration; when it is applied across many systems and applications this raises development and integration cost, makes the control logic of permission management hard to maintain and change, and gives poor compatibility with other systems and applications.
In addition, conventional dynamic authorization uses an authorization code mechanism: a system authorization library is looked up by user identifier to determine the basic authorization code and the dynamic authorization code corresponding to the user's current account authorization, where the basic authorization code comes from a preset user authorization configuration and the dynamic authorization code comes from an environment authorization library with several environment dimensions and a privilege authorization library with several privilege dimensions. The user's authorization result is then determined by matching the permission identifier to be accessed against the basic authorization code and the dynamic authorization code; authorization succeeds only when it matches both. Although this mechanism provides risk perception and dynamic fine-grained authorization, the authorization rules, the security policy formed from the requirements, and the other access control rules are predefined and cannot be changed. If the rules have to change in an application scenario, this solution cannot accommodate it: it lacks flexible control over the access control rules, cannot be compatible with systems and applications that have different access control business logic, and has high customization cost.
Therefore, how to improve access security and increase the diversity and flexibility of access risk assessment, and thereby shorten the development time and reduce the development cost of access risk assessment systems and applications, is a problem to be solved in the field.
Disclosure of Invention
In view of this, an object of the present invention is to provide an access risk assessment method, apparatus, device and medium that can effectively improve access security and increase the diversity and flexibility of access risk assessment, thereby shortening the development time and reducing the development cost of access risk assessment systems and applications. The specific scheme is as follows:
in a first aspect, the present application discloses an access risk assessment method, including:
acquiring an access request aiming at a target application sent by a user side to obtain access request information, and acquiring local service-side environment information and user-side environment information of the user side so as to determine target environment information according to the service-side environment information and the user-side environment information;
screening out a target access strategy from all pre-acquired access strategies based on the access request information and the target environment information, and determining access risk evaluation information according to the access request information;
and performing risk assessment on the target access strategy by using the access risk assessment information and the target environment information to obtain an access risk assessment result.
Optionally, the obtaining an access request for a target application sent by a user side to obtain access request information includes:
acquiring the access request aiming at the target application sent by the user side, and analyzing the access request to obtain target interface information of a target server side connected with the user side;
and judging whether the target interface information is consistent with the local interface information, if so, determining access request information comprising user identity information, the interface information and access request parameters aiming at the target application based on the access request.
Optionally, the screening out a target access policy from all the pre-acquired access policies based on the access request information and the target environment information includes:
obtaining a security policy, performing classification operation on the security policy according to policy types to obtain an access policy and a control policy, and screening out a first access policy from all the access policies based on the access request information and the target environment information;
and performing Boolean operation on the first access strategy by using the control strategy to obtain a Boolean value, and determining the target access strategy based on the Boolean value.
Optionally, the performing boolean operation on the first access policy by using the control policy to obtain a boolean value, and determining the target access policy based on the boolean value includes:
determining the number of the first access strategies, performing Boolean operation on the first access strategies by using the control strategies to obtain Boolean values, and judging whether the number of the Boolean values is consistent with the number of the first access strategies;
if the number of the Boolean values is consistent with the number of the first access strategies, ending Boolean operation, and determining the first access strategy with the Boolean value being True as the target access strategy.
Optionally, the performing risk assessment on the target access policy by using the access risk assessment information and the target environment information to obtain an access risk assessment result includes:
performing Boolean operation on the target access strategy by using the access risk assessment information and the target environment information to obtain an access risk assessment sub-result containing a Boolean value;
and determining an access risk evaluation result based on the Boolean values in all the access risk evaluation sub-results.
Optionally, the determining an access risk assessment result based on boolean values in all the access risk assessment sub-results includes:
judging whether the Boolean values in all the access risk assessment sub-results are True or not;
and if the Boolean values in all the access risk assessment sub-results are True, the access risk assessment result is risk-free; if they are not all True, the access risk assessment result is risky.
Optionally, after obtaining the access risk assessment result, the method further includes:
judging whether the access risk evaluation result is risk-free or not;
and if the access risk evaluation result is no risk, forwarding the access risk evaluation result to a target application end so that the user end can access the target application based on the access risk evaluation result.
In a second aspect, the present application discloses an access risk assessment apparatus, comprising:
the information acquisition module is used for acquiring an access request aiming at a target application sent by a user side so as to obtain access request information, and acquiring local service-side environment information and user-side environment information of the user side so as to determine target environment information according to the service-side environment information and the user-side environment information;
the access policy screening module is used for screening a target access policy from all pre-acquired access policies based on the access request information and the target environment information and determining access risk evaluation information according to the access request information;
and the risk evaluation module is used for carrying out risk evaluation on the target access strategy by utilizing the access risk evaluation information and the target environment information so as to obtain an access risk evaluation result.
In a third aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the aforementioned access risk assessment method.
In a fourth aspect, the present application discloses a computer storage medium for storing a computer program; wherein the computer program realizes the steps of the access risk assessment method disclosed in the foregoing when executed by a processor.
The access risk assessment method obtains an access request for a target application sent by a user side to obtain access request information, obtains local service-side environment information and user-side environment information of the user side, and determines target environment information from them; screens out a target access policy from all pre-acquired access policies based on the access request information and the target environment information, and determines access risk assessment information from the access request information; and performs risk assessment on the target access policy using the access risk assessment information and the target environment information, obtaining an access risk assessment result. Because the target access policy is screened out with the access request information and the current target environment information, the diversity and flexibility of access risk assessment increase; and because the selected policy is then evaluated with the access risk assessment information and the target environment information, access security is improved while the development time and research and development cost of access risk assessment systems and applications are reduced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flow chart of an access risk assessment method disclosed herein;
FIG. 2 is a flow chart of a particular access risk assessment method disclosed herein;
FIG. 3 is a flow chart of an access risk assessment method disclosed herein;
FIG. 4 is a flow chart of a particular access risk assessment method disclosed herein;
FIG. 5 is an integrated diagram of a specific access risk assessment method apparatus disclosed in the present application;
fig. 6 is a schematic structural diagram of an access risk assessment apparatus disclosed in the present application;
fig. 7 is a block diagram of an electronic device provided in the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The background is as set out above: as digital transformation accelerates, an enterprise runs many networks, systems, applications and cloud services, and an attacker who breaks through the network boundary can move laterally inside the internal network without being blocked or contained. Access control restricts which information items and control functions a user may use according to defined user identities and the groups to which they belong, keeping illegitimate principals out of protected network resources, letting legitimate users in, and preventing legitimate users from accessing what they are not authorized for. Implementing it as permission management inside every subsystem is intrusive during integration, raises development and integration cost, makes the control logic hard to maintain and change, and hurts compatibility with other systems and applications. Conventional dynamic authorization with basic and dynamic authorization codes does give risk perception and fine-grained authorization, but its authorization rules, security policy and other access control rules are predefined and cannot be changed, so it cannot accommodate rule changes, cannot be compatible with systems and applications that have different access control business logic, and has high customization cost.
Therefore, how to improve access security and increase the diversity and flexibility of access risk assessment, and thereby shorten the development time and reduce the development cost of access risk assessment systems and applications, is a problem to be solved in the field.
Referring to fig. 1, an embodiment of the present invention discloses an access risk assessment method, which may specifically include:
step S11: the method comprises the steps of obtaining an access request aiming at a target application sent by a user side to obtain access request information, and obtaining local service-side environment information and user-side environment information of the user side so as to determine target environment information according to the service-side environment information and the user-side environment information.
In this embodiment, the access request for the target application sent by the user side is obtained and parsed to obtain the target interface information of the target server side to which the user side is connected; whether that target interface information is consistent with the local interface information is then determined, and if it is, the access request information is determined from the access request.
The access request information includes user identity information, the interface information, and the access request parameters for the target application. The user identity information includes, but is not limited to, the organisation the user belongs to and the user's role; the basic permissions of the user are allocated and controlled according to the user entity's identity information, organisation, role and so on. When obtaining the user identity information, all identity-related information that affects access control and is carried in the session or token can additionally be parsed out of the access request. The interface information includes, but is not limited to, the interface address and the interface request method. Because the user side is connected to an interface of the target server side, it sends the interface information of the target server side along with the request, and the server side checks whether that interface information is consistent with its own local interface information; in this way the interface information confirms that the server currently being asked is the intended target server. The access request parameters for the target application are the parameters of the user's current access operation, for example Query parameters and Path parameters in GET and DELETE requests, and Body parameters and form parameters in POST and PUT requests. Fine-grained permission management and dynamic permission control are performed according to these access request parameters.
In this embodiment, the local service-side environment information and the user-side environment information of the user side are obtained, where environment information means information about any environment factor that can affect access risk assessment, for example the user terminal environment, the system environment, the access environment and the network environment. Target environment information is then determined from the service-side and user-side environment information, for example the browser information and IP address of the user terminal environment, the cluster information of the service cluster in the system environment, and the network topology in the network environment.
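As an added illustration of step S11 (not code from the patent), the following Python sketch parses a constructed HTTP request into the three pieces of access request information described above: it first checks that the host and the (method, path) the user side is addressing are one of the server's own local interfaces, then takes the identity fields from a signed token only after verifying its HMAC, and finally collects the Path, Query and Body parameters. The host name, the interface table, the token format and the key are assumptions made for the example.

```python
"""Parse an access request into access request information (step S11).

Added example, not the patent's code. The interface table, token format and
HMAC key are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

LOCAL_HOST = "orders.example.internal"   # assumption: this server's own address
LOCAL_INTERFACES = [                      # assumption: interfaces this server exposes
    ("GET", "/api/v1/orders/{id}"),
    ("DELETE", "/api/v1/orders/{id}"),
    ("POST", "/api/v1/orders"),
]
TOKEN_KEY = b"constructed-demo-key"       # assumption: HMAC key shared with the token issuer


class InterfaceMismatch(Exception):
    """The request addresses an interface that is not one of this server's local interfaces."""


@dataclass
class AccessRequestInfo:
    identity: Dict[str, object]            # organisation, role, ... from the verified token
    interface: Tuple[str, str]             # (method, path template) that matched locally
    params: Dict[str, Dict[str, object]]   # path / query / body parameters of the operation


def make_token(claims: Dict[str, object]) -> str:
    """Issue a constructed token: base64url(JSON claims) + "." + hex HMAC-SHA256 over it."""
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).rstrip(b"=")
    sig = hmac.new(TOKEN_KEY, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + sig


def verify_token(token: str) -> Dict[str, object]:
    """Return the claims only after the signature verifies; identity from an unverified token is untrusted."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("token signature does not verify")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def match_interface(method: str, path: str) -> Tuple[Optional[Tuple[str, str]], Dict[str, str]]:
    """Match a concrete path against the local templates; return the template and its path parameters."""
    segs = path.strip("/").split("/")
    for m, template in LOCAL_INTERFACES:
        tsegs = template.strip("/").split("/")
        if m != method or len(tsegs) != len(segs):
            continue
        path_params, ok = {}, True
        for t, s in zip(tsegs, segs):
            if t.startswith("{") and t.endswith("}"):
                path_params[t[1:-1]] = s      # "{id}" captures this segment
            elif t != s:
                ok = False
                break
        if ok:
            return (m, template), path_params
    return None, {}


def parse_access_request(method: str, url: str, headers: Dict[str, str],
                         body: Optional[str] = None) -> AccessRequestInfo:
    """Step S11: confirm the requested interface is local, then extract identity and parameters."""
    parts = urlsplit(url)
    interface, path_params = match_interface(method, parts.path)
    if parts.hostname != LOCAL_HOST or interface is None:
        raise InterfaceMismatch(f"{method} {parts.netloc}{parts.path} is not a local interface")
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise ValueError("missing bearer token")
    identity = verify_token(auth[len("Bearer "):])
    params = {
        "path": path_params,
        "query": {k: v[0] if len(v) == 1 else v for k, v in parse_qs(parts.query).items()},
    }
    if method in ("POST", "PUT") and body:
        params["body"] = json.loads(body)     # Body parameters of a mutating request
    return AccessRequestInfo(identity=identity, interface=interface, params=params)


if __name__ == "__main__":
    # Constructed request from user "alice" for order 42 via the local orders interface.
    token = make_token({"sub": "alice", "org": "finance", "roles": ["analyst"]})
    info = parse_access_request(
        "GET", "https://orders.example.internal/api/v1/orders/42?expand=items",
        {"Authorization": "Bearer " + token})
    print(info)
```

The interface check is what stops a request meant for a different server from being evaluated against this server's policies, and the signature check matters because, as the text notes, everything that affects access control is read from the session or token: an unverified token would let the client choose its own organisation and role.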
Step S12: and screening out a target access strategy from all the pre-acquired access strategies based on the access request information and the target environment information, and determining access risk evaluation information according to the access request information.
In this embodiment, a security policy formed based on security access rules and security requirements of a current system, a current platform, and a current application is obtained, and the security policy is classified according to policy types to obtain an access policy and a control policy, where the access policy is an access control rule used to evaluate whether a request under factors such as a current environment and a user identity is allowed, and the control policy is used to evaluate an access policy applicable under factors such as a current environment and a user identity.
And screening out a first access policy from all the access policies based on the access request information and the target environment information, then performing Boolean operation on the first access policy by using the control policy to obtain a Boolean value, and determining the target access policy based on the Boolean value.
In this embodiment, after a first access policy is screened out, the number of the first access policy is determined, boolean operation is performed on the first access policy by using the control policy to obtain a boolean value, and whether the number of the boolean value is consistent with the number of the first access policy is determined; if the number of the Boolean values is consistent with the number of the first access strategies, ending Boolean operation, and determining the first access strategy with the Boolean value being True as the target access strategy.
For example, as shown in fig. 2, all security policies formed from the security access rules and security requirements of the current system, platform and application are obtained and classified into access policies and control policies. All access policies are then traversed based on the access request information and the target environment information, which yields the first access policies and their number. For each first access policy, the control policy is used to judge whether that access policy is applicable in the current situation (this is the Boolean operation), giving a Boolean value; if the value is True, the access policy is taken as a target access policy. After each evaluation, whether the number of Boolean values obtained so far equals the number of first access policies is checked, i.e. whether the current access policy is the last one; when the two numbers are equal the Boolean operation ends, and the access policies whose Boolean value is True are the target access policies.
Step S13: and performing risk assessment on the target access strategy by using the access risk assessment information and the target environment information to obtain an access risk assessment result.
In this embodiment, after determining access risk assessment information based on access request information including user identity information, the interface information, and an access request parameter for the target application, the access risk assessment information and the target environment information are used as parameters for risk assessment, and then risk assessment is performed on a target access policy to finally obtain an access risk assessment result.
In this embodiment, an access request for a target application sent by a user side is obtained to obtain access request information, local service-side environment information and user-side environment information of the user side are obtained, and target environment information is determined from them; a target access policy is screened out of all pre-acquired access policies based on the access request information and the target environment information, and access risk assessment information is determined from the access request information; and risk assessment is performed on the target access policy using the access risk assessment information and the target environment information to obtain an access risk assessment result. Screening the target access policy with the access request information and the current target environment information increases the diversity and flexibility of access risk assessment, and evaluating that policy with the access risk assessment information and the target environment information effectively improves access security while shortening the development time and reducing the research and development cost of access risk assessment systems and applications.
Referring to fig. 3, an embodiment of the present invention discloses an access risk assessment method, which may specifically include:
step S21: the method comprises the steps of obtaining an access request aiming at a target application sent by a user side to obtain access request information, and obtaining local service-side environment information and user-side environment information of the user side so as to determine target environment information according to the service-side environment information and the user-side environment information.
Step S22: and screening out a target access strategy from all the pre-acquired access strategies based on the access request information and the target environment information, and determining access risk evaluation information according to the access request information.
Please refer to the foregoing embodiments for a more detailed processing procedure in steps S21 and S22, which are not repeated herein.
Step S23: performing Boolean operation on the target access policy by using the access risk assessment information and the target environment information to obtain access risk assessment sub-results containing Boolean values, and determining the access risk assessment results based on the Boolean values in all the access risk assessment sub-results.
In this embodiment, after the access risk assessment information is determined from the access request information, a Boolean operation is performed on the target access policy using the access risk assessment information and the target environment information, and the result is determined as follows: whether the Boolean values in all the access risk assessment sub-results are True is judged; if they are all True, the access risk assessment result is risk-free, and if they are not all True, the access risk assessment result is risky.
In this embodiment, after obtaining the access risk assessment result, the method further includes: judging whether the access risk evaluation result is risk-free; and if the access risk evaluation result is no risk, forwarding the access risk evaluation result to a target application end so that the user end can access the target application based on the access risk evaluation result.
For example, as shown in fig. 4, after the target access policies have been screened out, all of them are traversed using the obtained access risk assessment information and the target environment information, and each is evaluated to decide whether it passes (this is again a Boolean operation, but a different one from that in fig. 2), which yields an access risk assessment sub-result containing a Boolean value. After each evaluation, whether the current target access policy is the last one is checked, and if so the Boolean operation ends with all access risk assessment sub-results available. If the Boolean values in all the sub-results are True, the access risk assessment result is risk-free; if any of them is False, the result is risky. A risk-free result means access is allowed: the result is forwarded to the target application end so that the user end can access the target application based on it. A risky result means access is denied and the result is not forwarded.
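As an added example covering the policy screening of step S12 (fig. 2) and the assessment of steps S13 and S23 (fig. 4), and not the patent's own code, the Python below classifies a constructed security policy set into access and control policies, screens the first access policies by interface, gates each of them with the control policies to obtain one Boolean per policy, and then evaluates every target policy with the request information and environment information, reporting risk-free only when all sub-results are True. Policy names, interfaces and environment fields are constructed; the access request information is used directly as the access risk assessment information, and several control policies are combined with AND, both of which are assumptions. One caveat goes beyond the text: with no target policy at all, "all sub-results are True" is vacuously true, so the example fails closed and reports risk in that case.

```python
"""Policy screening and risk assessment for steps S12, S13 and S23.

Added example, not the patent's code. Policy names, interfaces and the
environment fields are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

Ctx = Dict[str, object]             # request information or environment information
MUTATING = ("POST", "PUT", "DELETE")


@dataclass(frozen=True)
class AccessPolicy:
    """Access control rule: does this request pass, given request info and environment?"""
    name: str
    interface: str                           # "METHOD /path/template", or "*" for any interface
    rule: Callable[[Ctx, Ctx], bool]


@dataclass(frozen=True)
class ControlPolicy:
    """Decides whether an access policy is in force for the current request and environment."""
    name: str
    applies: Callable[[AccessPolicy, Ctx, Ctx], bool]


def classify(security_policies: List[Union[AccessPolicy, ControlPolicy]]):
    """Split the security policy set by policy type (the classification operation of step S12)."""
    access = [p for p in security_policies if isinstance(p, AccessPolicy)]
    control = [p for p in security_policies if isinstance(p, ControlPolicy)]
    return access, control


def select_target_policies(access, control, req: Ctx, env: Ctx) -> List[AccessPolicy]:
    """Step S12: screen the first access policies, then gate each with the control policies."""
    first = [p for p in access if p.interface in ("*", req["interface"])]
    # One Boolean per first access policy; several control policies are ANDed (assumption:
    # the text only says "perform Boolean operation on the first access policy using the control policy").
    booleans = [all(c.applies(p, req, env) for c in control) for p in first]
    if len(booleans) != len(first):           # the patent's termination check on the two counts
        raise RuntimeError("control-policy evaluation did not cover every first access policy")
    return [p for p, b in zip(first, booleans) if b]


def assess(target: List[AccessPolicy], req: Ctx, env: Ctx) -> Dict[str, object]:
    """Steps S13/S23: evaluate every target policy; risk-free only if all sub-results are True."""
    if not target:
        # Caveat not in the patent: all([]) is True, so an empty target set would read as risk-free.
        # A policy engine should fail closed instead.
        return {"result": "risk", "sub_results": {}, "reason": "no applicable access policy"}
    sub = {p.name: bool(p.rule(req, env)) for p in target}
    return {"result": "risk-free" if all(sub.values()) else "risk", "sub_results": sub}


def decide(security_policies, req: Ctx, env: Ctx) -> Dict[str, object]:
    """Whole pipeline: classify, screen, assess, and decide whether to forward to the application."""
    access, control = classify(security_policies)
    target = select_target_policies(access, control, req, env)
    result = assess(target, req, env)
    result["forward"] = result["result"] == "risk-free"
    return result


CORP_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption: the corporate address range

# Constructed security policy set for an "orders" application.
SECURITY_POLICIES = [
    AccessPolicy("orders-read-role", "GET /api/v1/orders/{id}",
                 lambda req, env: bool({"analyst", "admin"} & set(req["identity"]["roles"]))),
    AccessPolicy("orders-delete-admin", "DELETE /api/v1/orders/{id}",
                 lambda req, env: "admin" in req["identity"]["roles"]),
    AccessPolicy("corp-network-only", "*",
                 lambda req, env: ipaddress.ip_address(env["client_ip"]) in CORP_NET),
    AccessPolicy("cluster-healthy", "*",
                 lambda req, env: env["cluster_state"] == "healthy"),
    # Control policies: which access policies are in force right now.
    ControlPolicy("cluster-check-only-for-writes",
                  lambda p, req, env: p.name != "cluster-healthy" or req["method"] in MUTATING),
    ControlPolicy("freeze-writes-in-maintenance",
                  lambda p, req, env: not (env["maintenance"] and req["method"] in MUTATING)),
]


def sample_request(method: str, roles) -> Ctx:
    """Constructed access request information (what step S11 would produce)."""
    return {"identity": {"sub": "alice", "org": "finance", "roles": list(roles)},
            "method": method, "interface": f"{method} /api/v1/orders/{{id}}",
            "params": {"path": {"id": "42"}}}


def sample_env(client_ip: str = "10.20.3.7", maintenance: bool = False) -> Ctx:
    """Constructed target environment information (user-side plus service-side)."""
    return {"client_ip": client_ip, "browser": "Firefox/115",
            "cluster_state": "healthy", "maintenance": maintenance}


if __name__ == "__main__":
    print(decide(SECURITY_POLICIES, sample_request("GET", ["analyst"]), sample_env()))
    print(decide(SECURITY_POLICIES, sample_request("DELETE", ["analyst"]), sample_env()))
    print(decide(SECURITY_POLICIES, sample_request("DELETE", ["admin"]), sample_env("203.0.113.5")))
    print(decide(SECURITY_POLICIES, sample_request("DELETE", ["admin"]), sample_env(maintenance=True)))
```

The four cases at the bottom show an analyst's GET being forwarded, the same analyst's DELETE denied by the role rule, an admin's DELETE from outside the corporate range denied by the network rule, and an admin's DELETE during a maintenance window denied because the control policy takes every write-related policy out of force and nothing is left to grant the access.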
For example, as shown in fig. 5, the flow of the present embodiment may be divided among five sub-devices: a request receiving sub-device, an environment sensing sub-device, a security policy sub-device, a risk assessment sub-device and a request forwarding sub-device. The request receiving sub-device receives the access request sent by the user side and parses it to obtain access request information containing user identity information, interface information and access request parameters for the target application. The environment sensing sub-device acquires the local service-side environment information and the user-side environment information of the user side, where environment information means information about the environment factors that influence access risk assessment. The security policy sub-device acquires all security policies formed from the security access rules and security requirements of the current system, platform and application, classifies them, then takes the access request information and the target environment information from the request receiving sub-device and the environment sensing sub-device and screens a target access policy out of all the pre-acquired access policies based on them. The risk assessment sub-device takes the access risk assessment information, the target environment information and the target access policy from the request receiving sub-device, the environment sensing sub-device and the security policy sub-device, performs risk assessment on the target access policy using the access risk assessment information and the target environment information to obtain an access risk assessment result, and sends that result to the request forwarding sub-device. The request forwarding sub-device judges whether the access risk assessment result is risk-free; if it is risk-free, the access risk assessment result is forwarded to the target application end (application 1, application 2 or application 3), and if it is at risk, it is not forwarded.
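The pipeline described for fig. 4 and fig. 5 (interface consistency check, environment sensing, classification of security policies into access policies and control policies, control-policy gating that selects the target access policies, one Boolean sub-result per target policy, all-True aggregation, forwarding only when risk-free) as an added worked example in Python. This is illustrative code written for this page, not the patent's own implementation; the policy schema, the field names, `LOCAL_INTERFACE` and all sample policies and requests are assumptions. It goes beyond the text in one respect: with `require_policy=True` an empty set of target policies is treated as at risk rather than vacuously risk-free, a fail-closed choice the embodiment does not specify.

```python
"""Added example of the access risk assessment pipeline (not the patent's code).
Policy schema, field names, LOCAL_INTERFACE and sample data are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Ctx = Dict[str, object]  # access request information merged with target environment information


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    applies: Callable[[Ctx], bool]  # screening predicate over request + environment
    check: Callable[[Ctx], bool]    # rule evaluated at risk-assessment time


@dataclass(frozen=True)
class ControlPolicy:
    name: str
    gate: Callable[[AccessPolicy, Ctx], bool]  # False removes the access policy from the targets


@dataclass(frozen=True)
class Decision:
    accepted: bool                # False: target interface mismatch, request dropped early
    targets: Tuple[str, ...]      # target access policies left after control gating
    sub_results: Dict[str, bool]  # Boolean sub-result per target policy
    risk_free: bool               # every sub-result True (and at least one policy applied)

    @property
    def forward(self) -> bool:
        return self.accepted and self.risk_free


LOCAL_INTERFACE = "gw.example.internal:443"  # assumed identifier of this server's own interface


def parse_request(raw: Dict[str, object]) -> Optional[Ctx]:
    """Return access request information, or None when the request was not
    addressed to the local interface (the consistency check of claim 2)."""
    if raw.get("interface") != LOCAL_INTERFACE:
        return None
    return {"user": raw["user"], "interface": raw["interface"],
            "app": raw["app"], "params": dict(raw.get("params", {}))}


def sense_environment(server_env: Ctx, client_env: Ctx) -> Ctx:
    """Merge user-side and service-side environment factors. Server-side values
    win on conflict because client claims are untrusted (assumed here, not in the text)."""
    env = dict(client_env)
    env.update(server_env)
    return env


def select_targets(access: Sequence[AccessPolicy], control: Sequence[ControlPolicy],
                   ctx: Ctx) -> List[AccessPolicy]:
    """Screen the first access policies, then gate each one with every control
    policy; it becomes a target access policy only if all gates return True."""
    first = [p for p in access if p.applies(ctx)]
    booleans = [all(c.gate(p, ctx) for c in control) for p in first]
    assert len(booleans) == len(first)  # one Boolean value per first access policy
    return [p for p, keep in zip(first, booleans) if keep]


def assess(raw: Dict[str, object], server_env: Ctx, client_env: Ctx,
           access: Sequence[AccessPolicy], control: Sequence[ControlPolicy],
           require_policy: bool = True) -> Decision:
    """Run the whole pipeline. With require_policy=True an empty target set is
    at risk rather than vacuously risk-free (fail closed; an added choice)."""
    req = parse_request(raw)
    if req is None:
        return Decision(False, (), {}, False)
    ctx: Ctx = {**sense_environment(server_env, client_env), **req}
    targets = select_targets(access, control, ctx)
    subs = {p.name: bool(p.check(ctx)) for p in targets}
    risk_free = all(subs.values()) and (bool(subs) or not require_policy)
    return Decision(True, tuple(subs), subs, risk_free)


# Constructed sample policies (illustrative only).
ACCESS_POLICIES = [
    AccessPolicy("mfa_for_admin", applies=lambda c: c["app"] == "admin-console",
                 check=lambda c: c.get("mfa") is True),
    AccessPolicy("corp_network", applies=lambda c: True,
                 check=lambda c: c.get("network") == "corp"),
    AccessPolicy("business_hours", applies=lambda c: c["app"] == "payroll",
                 check=lambda c: 8 <= int(c.get("hour", -1)) < 18),
]
CONTROL_POLICIES = [
    ControlPolicy("oncall_exempt_from_hours",
                  gate=lambda p, c: not (p.name == "business_hours" and c.get("role") == "oncall")),
    ControlPolicy("server_disabled_list",
                  gate=lambda p, c: p.name not in c.get("disabled_policies", ())),
]


def demo(app: str, server_env: Ctx, interface: str = LOCAL_INTERFACE) -> Decision:
    """Constructed request from user 'alice' evaluated against the sample policies."""
    raw = {"user": "alice", "interface": interface, "app": app}
    client_env = {"device": "laptop-01", "network": "corp"}  # client claim; server value wins
    return assess(raw, server_env, client_env, ACCESS_POLICIES, CONTROL_POLICIES)


if __name__ == "__main__":
    print(demo("admin-console", {"hour": 10, "network": "corp", "mfa": True, "role": "staff"}))
    print(demo("payroll", {"hour": 20, "network": "corp", "mfa": True, "role": "staff"}))
```

The control policies here act on a (policy, context) pair, which is how the text's "Boolean operation on the first access policy using the control policy" reads: a control policy can switch an access policy off for a given request (the on-call exemption) or globally (a server-side disabled list) without touching the access policy itself. The count check in `select_targets` mirrors claim 4's comparison of the number of Boolean values with the number of first access policies.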
Referring to fig. 6, an embodiment of the present invention discloses an access risk assessment apparatus, which may specifically include:
the information acquisition module 11 is configured to acquire an access request for a target application sent by a user to obtain access request information, and acquire local service-side environment information and user-side environment information of the user, so as to determine target environment information according to the service-side environment information and the user-side environment information;
an access policy screening module 12, configured to screen a target access policy from all pre-acquired access policies based on the access request information and the target environment information, and determine access risk evaluation information according to the access request information;
and the risk evaluation module 13 is configured to perform risk evaluation on the target access policy by using the access risk evaluation information and the target environment information to obtain an access risk evaluation result.
In this embodiment, an access request for a target application sent by a user side is obtained to obtain access request information, and local service-side environment information and user-side environment information of the user side are obtained, so that target environment information is determined according to the service-side environment information and the user-side environment information; screening out a target access strategy from all pre-acquired access strategies based on the access request information and the target environment information, and determining access risk evaluation information according to the access request information; and performing risk assessment on the target access strategy by using the access risk assessment information and the target environment information to obtain an access risk assessment result. According to the method and the device, the access request information is obtained, the current target environment information is determined, and the target access strategy is screened out by using the access request information and the target environment information, so that the diversity and the flexibility of access risk assessment are increased, the access risk assessment information is determined, then the access risk assessment information is used for carrying out risk assessment on the target access strategy to obtain an access risk assessment result, the access security can be effectively improved, the development time of an access risk assessment system and application is shortened, and the research and development cost is reduced.
In some specific embodiments, the information obtaining module 11 may specifically include:
the access request acquisition module is used for acquiring the access request aiming at the target application sent by the user side and analyzing the access request to obtain target interface information of a target server side connected with the user side;
and the access request information determining module is used for judging whether the target interface information is consistent with the local interface information or not, and if the target interface information is consistent with the local interface information, determining access request information comprising user identity information, the interface information and access request parameters aiming at the target application based on the access request.
In some specific embodiments, the access policy screening module 12 may specifically include:
the security policy acquisition module is used for acquiring security policies, classifying the security policies according to policy types to obtain access policies and control policies, and screening out a first access policy from all the access policies based on the access request information and the target environment information;
and the target access policy determining module is used for performing Boolean operation on the first access policy by using the control policy to obtain a Boolean value and determining the target access policy based on the Boolean value.
In some specific embodiments, the target access policy determining module may specifically include:
the Boolean operation module is used for determining the number of the first access policies, performing a Boolean operation on the first access policies by using the control policies to obtain Boolean values, and judging whether the number of the Boolean values is consistent with the number of the first access policies;
and the target access policy determining module is used for ending the Boolean operation if the number of the Boolean values is consistent with the number of the first access policies, and determining each first access policy whose Boolean value is True as a target access policy.
In some embodiments, the risk assessment module 13 may specifically include:
the access risk assessment sub-result determining module is used for performing Boolean operation on the target access policy by using the access risk assessment information and the target environment information to obtain an access risk assessment sub-result containing a Boolean value;
and the access risk assessment result determining module is used for determining an access risk assessment result based on the Boolean values in all the access risk assessment sub-results.
In some embodiments, the risk assessment module 13 may specifically include:
the first judgment module is used for judging whether the Boolean values in all the access risk assessment sub-results are True or not;
and the access risk assessment result determining module is used for determining that the access risk assessment result is risk-free if the Boolean values in all the access risk assessment sub-results are True, and determining that the access risk assessment result is at risk if the Boolean values in all the access risk assessment sub-results are not all True.
In some embodiments, the risk assessment module 13 may specifically include:
the second judgment module is used for judging whether the access risk evaluation result is risk-free;
and the forwarding module is used for forwarding the access risk evaluation result to a target application end if the access risk evaluation result is risk-free, so that the user side can access the target application based on the access risk evaluation result.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input output interface 25, and a communication bus 26. Wherein, the memory 22 is used for storing a computer program, and the computer program is loaded and executed by the processor 21 to implement the relevant steps in the access risk assessment method executed by an electronic device disclosed in any of the foregoing embodiments.
In this embodiment, the power supply 23 is configured to provide a working voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and a communication protocol followed by the communication interface is any communication protocol that can be applied to the technical solution of the present application, and is not specifically limited herein; the input/output interface 25 is configured to obtain external input data or output data to the outside, and a specific interface type thereof may be selected according to specific application requirements, which is not specifically limited herein.
In addition, the memory 22, as a carrier for storing resources, may be a read-only memory, a random access memory, a magnetic disk or an optical disk, etc.; the resources stored thereon include an operating system 221, a computer program 222, data 223, etc., and the storage may be transient or permanent.
The operating system 221 is used for managing and controlling each hardware device and the computer program 222 on the electronic device 20, so that the processor 21 can operate on and process the data 223 in the memory 22; it may be Windows, Unix, Linux, and the like. The computer program 222 may further include, in addition to the computer program that performs the access risk assessment method disclosed in any of the foregoing embodiments and executed by the electronic device 20, computer programs for performing other specific tasks. The data 223 may include data received by the access risk assessment device from an external device, data collected through its own input/output interface 25, and the like.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Further, an embodiment of the present application also discloses a computer-readable storage medium, in which a computer program is stored, and when the computer program is loaded and executed by a processor, the steps of the access risk assessment method disclosed in any of the foregoing embodiments are implemented.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above detailed description is provided for the access risk assessment method, apparatus, device and storage medium, and the specific examples are applied herein to illustrate the principles and embodiments of the present invention, and the description of the above embodiments is only used to help understanding the method and the core idea of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. An access risk assessment method is applied to a server side and comprises the following steps:
acquiring an access request aiming at a target application sent by a user side to obtain access request information, and acquiring local service-side environment information and user-side environment information of the user side so as to determine target environment information according to the service-side environment information and the user-side environment information;
screening out a target access policy from all pre-acquired access policies based on the access request information and the target environment information, and determining access risk assessment information according to the access request information;
and performing risk assessment on the target access policy by using the access risk assessment information and the target environment information to obtain an access risk assessment result.
2. The method for assessing access risk according to claim 1, wherein the obtaining an access request for a target application sent by a user side to obtain access request information comprises:
acquiring the access request aiming at the target application sent by the user side, and analyzing the access request to obtain target interface information of a target server side connected with the user side;
and judging whether the target interface information is consistent with the local interface information, if so, determining access request information comprising user identity information, the interface information and access request parameters aiming at the target application based on the access request.
3. The access risk assessment method according to claim 1, wherein the screening out the target access policy from all the pre-acquired access policies based on the access request information and the target environment information comprises:
obtaining a security policy, classifying the security policy according to policy types to obtain an access policy and a control policy, and screening out a first access policy from all the access policies based on the access request information and the target environment information;
and performing a Boolean operation on the first access policy by using the control policy to obtain a Boolean value, and determining the target access policy based on the Boolean value.
4. The access risk assessment method according to claim 3, wherein the performing a Boolean operation on the first access policy by using the control policy to obtain a Boolean value, and determining the target access policy based on the Boolean value comprises:
determining the number of the first access policies, performing a Boolean operation on the first access policies by using the control policies to obtain Boolean values, and judging whether the number of the Boolean values is consistent with the number of the first access policies;
and if the number of the Boolean values is consistent with the number of the first access policies, ending the Boolean operation, and determining each first access policy whose Boolean value is True as a target access policy.
5. The access risk assessment method according to claim 1, wherein the performing risk assessment on the target access policy by using the access risk assessment information and the target environment information to obtain an access risk assessment result comprises:
performing a Boolean operation on the target access policy by using the access risk assessment information and the target environment information to obtain an access risk assessment sub-result containing a Boolean value;
and determining an access risk evaluation result based on the Boolean values in all the access risk evaluation sub-results.
6. The access risk assessment method according to claim 5, wherein determining the access risk assessment result based on the Boolean values in all the access risk assessment sub-results comprises:
judging whether the Boolean values in all the access risk assessment sub-results are True or not;
and if the Boolean values in all the access risk assessment sub-results are True, the access risk assessment result is risk-free, and if the Boolean values in all the access risk assessment sub-results are not all True, the access risk assessment result is at risk.
7. The access risk assessment method according to any one of claims 5 to 6, further comprising, after obtaining the access risk assessment result:
judging whether the access risk evaluation result is risk-free;
and if the access risk evaluation result is no risk, forwarding the access risk evaluation result to a target application end so that the user end can access the target application based on the access risk evaluation result.
8. An access risk assessment apparatus, comprising:
the information acquisition module is used for acquiring an access request aiming at a target application sent by a user side so as to obtain access request information, and acquiring local service-side environment information and user-side environment information of the user side so as to determine target environment information according to the service-side environment information and the user-side environment information;
the access policy screening module is used for screening a target access policy from all pre-acquired access policies based on the access request information and the target environment information and determining access risk assessment information according to the access request information;
and the risk assessment module is used for performing risk assessment on the target access policy by using the access risk assessment information and the target environment information to obtain an access risk assessment result.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the access risk assessment method according to any one of claims 1 to 7.
10. A computer-readable storage medium for storing a computer program; wherein the computer program, when executed by a processor, implements the access risk assessment method according to any one of claims 1 to 7.
CN202210599418.3A 2022-05-30 2022-05-30 Access risk assessment method, device, equipment and medium Withdrawn CN115022008A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210599418.3A CN115022008A (en) 2022-05-30 2022-05-30 Access risk assessment method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210599418.3A CN115022008A (en) 2022-05-30 2022-05-30 Access risk assessment method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN115022008A true CN115022008A (en) 2022-09-06

Family

ID=83070662

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210599418.3A Withdrawn CN115022008A (en) 2022-05-30 2022-05-30 Access risk assessment method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN115022008A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116433004A (en) * 2023-02-20 2023-07-14 深圳耀东安全科技有限公司 Urban public security-oriented risk prevention and control method and system based on coding traceability
CN116433004B (en) * 2023-02-20 2024-04-09 深圳耀东安全科技有限公司 Urban public security-oriented risk prevention and control method and system based on coding traceability

Similar Documents

Publication Publication Date Title
US10044765B2 (en) Method and apparatus for centralized policy programming and distributive policy enforcement
CN109688105B (en) Threat alarm information generation method and system
EP2370928B1 (en) Access control
CN111488595A (en) Method for realizing authority control and related equipment
CN110287660A (en) Access right control method, device, equipment and storage medium
CN110971569A (en) Network access authority management method and device and computing equipment
US6988280B2 (en) System and method for enhancing authorization request in a computing device
US20070055666A1 (en) Personalisation
CN112270011A (en) Method, device and system for protecting service and data security of existing application system
CN116418568A (en) Data security access control method, system and storage medium based on dynamic trust evaluation
CN113949579B (en) Website attack defense method and device, computer equipment and storage medium
CN115022008A (en) Access risk assessment method, device, equipment and medium
CN114726547A (en) Industrial internet access control method based on data exchange middleware and readable medium
WO2012001475A1 (en) Consigning authentication method
WO2012001476A2 (en) Consigning authentication method
CN109740328B (en) Authority identification method and device, computer equipment and storage medium
CN115879156A (en) Dynamic desensitization method, device, electronic equipment and storage medium
CN113590180B (en) Detection strategy generation method and device
CN115221553A (en) Data protection system based on artificial intelligence and block chain intelligent contract partition
US20220334869A1 (en) Distributed Attribute Based Access Control as means of Data Protection and Collaboration in Sensitive (Personal) Digital Record and Activity Trail Investigations
CN114567678A (en) Resource calling method and device of cloud security service and electronic equipment
CN114244555A (en) Method for adjusting security policy
CN113507463A (en) Construction method of zero trust network
CN113645060A (en) Network card configuration method, data processing method and device
CN112970021A (en) Method for realizing system state perception security policy

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220906