CN115314229B - Data access method, device, equipment and storage medium - Google Patents


Info

Publication number: CN115314229B
Application number: CN202110426937.5A
Authority: CN (China)
Prior art keywords: client, information, data access, level, determining
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN115314229A (en)
Inventor: 黄少卿
Current Assignee: China Mobile Communications Group Co Ltd; China Mobile Group Hebei Co Ltd
Original Assignee: China Mobile Communications Group Co Ltd; China Mobile Group Hebei Co Ltd
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Hebei Co Ltd
Priority to CN202110426937.5A
Publication of CN115314229A
Application granted
Publication of CN115314229B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection


Abstract

The embodiment of the invention discloses a data access method, a device, equipment and a storage medium. The data access method comprises the steps of: receiving and checking authentication information sent by a client, where the authentication information comprises user identity information and client information corresponding to the client; and, when both the user identity information and the client information pass the check and a data access request sent by the client is received, establishing a communication link corresponding to the data access request, so that the client accesses the data corresponding to the data access request through the communication link. The scheme performs verification before the communication link between the client and the electronic device is established, which effectively prevents the risk of data leakage that arises when already-connected network resources are attacked over the network; and because the verification covers not only the user identity information but also the client information, the authentication strength is enhanced and data security is improved.

Description

Data access method, device, equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a data access method, apparatus, device, and storage medium.
Background
With the gradual maturation and popularization of technologies such as the internet, the internet of things, artificial intelligence, cloud computing and the like, complex network access environments, changeable personnel roles and ubiquitous security attacks continuously threaten enterprise network facilities, and how to safely access an internal network for data access in the complex network environments becomes one of important research directions of network security.
In current practice, a data channel is first built in advance using tunneling technology and only afterwards is the accessing user checked; the resulting security is poor and cannot meet current network security requirements.
Disclosure of Invention
The embodiment of the invention provides a data access method, a device, equipment and a storage medium, which are used for solving the problem of poor safety in the prior art when data access is performed.
In a first aspect, an embodiment of the present invention provides a data access method, including:
receiving and checking authentication information sent by a client, wherein the authentication information comprises user identity information and client information corresponding to the client;
when the user identity information and the client information are checked to pass, and a data access request sent by the client is received, a communication link corresponding to the data access request is established, so that the client accesses data corresponding to the data access request through the communication link.
In a second aspect, an embodiment of the present invention provides a data access apparatus, including:
the verification module is used for receiving and verifying authentication information sent by the client, wherein the authentication information comprises user identity information and client information corresponding to the client;
and the communication link establishment module is used for establishing a communication link corresponding to the data access request when the user identity information and the client information are checked to pass and the data access request sent by the client is received, so that the client accesses the data corresponding to the data access request through the communication link.
In a third aspect, an embodiment of the present invention provides an electronic device, including:
a processor;
a memory storing computer program instructions;
the computer program instructions are read and executed by a processor to implement the data access method as described in the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer storage medium having stored thereon computer program instructions which, when executed by a processor, implement a data access method according to the first aspect.
With the data access method, device, equipment and storage medium provided by the embodiment of the invention, verification is carried out before the communication link between the client and the electronic device is established, which effectively prevents the risk of data leakage that arises when already-connected network resources are attacked over the network. In addition, the verification checks not only the user identity information but also the client information, so the authentication strength is enhanced and data security is improved.
Drawings
In order to more clearly illustrate the technical solution of the embodiments of the present invention, the drawings that are needed to be used in the embodiments of the present invention will be briefly described, and it is possible for a person skilled in the art to obtain other drawings from these drawings without inventive effort.
FIG. 1 is a block diagram of a data access method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a data access method according to an embodiment of the present invention;
FIG. 3 is an application scenario schematic diagram of a data access method according to an embodiment of the present invention;
FIG. 4 is a flowchart of another data access method according to an embodiment of the present invention;
FIG. 5 is a block diagram of a data access device according to an embodiment of the present invention;
FIG. 6 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to enable those skilled in the art to better understand the technical solutions of the present disclosure, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings. It should be understood that the particular embodiments described herein are meant to be illustrative of the invention only and not limiting. It will be apparent to one skilled in the art that the present invention may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the invention by showing examples of the invention.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The current data access is realized through a virtual private network (Virtual Private Network, VPN), namely, a communication tunnel is established by utilizing a tunneling technology, and then the identity of a user is verified to ensure the security and the credibility of the data access. The method comprises the following specific steps:
(1) Establishing a trusted communication tunnel: when the communication tunnel is established, network protocol packets are encapsulated and carried in a Layer 2 or Layer 3 tunneling protocol; at the same time the communication tunnel is encrypted using symmetric-key or public-key encryption combined with key management, so that the security of data transmission is ensured. The Layer 2 tunneling protocol may be the Point-to-Point Tunneling Protocol (PPTP) or the Layer 2 Tunneling Protocol (L2TP), and the Layer 3 tunneling protocol may be IPSec (IP Security) and/or Multi-Protocol Label Switching (MPLS).
(2) User identity authentication: after the communication tunnel is established, the identity of the access user is authenticated, the resources in the access authority are authorized, and the unauthorized access resources are shielded.
(3) Packet level authentication: in view of the fact that VPN is constructed on an untrusted public network, private data of a user are likely to be intercepted illegally and retransmitted after being tampered, the VPN can enable the receiver to identify whether tampering exists or not by enabling data verification, integrity of transmitted data is guaranteed, and attacks of the type are effectively avoided.
This scheme has the communication characteristic of connecting first and authenticating afterwards: once connected, the network resources are easily attacked over the network, and risks such as attacks on the equipment and data leakage exist. Secondly, existing identity authentication is carried out mainly around the identity of the user; with digital transformation, user access relationships have become complex and equipment diverse, and the uncertainty of personnel, equipment, applications and the like poses challenges to security policy and security protection, so existing identity authentication can no longer meet current information security requirements.
In order to solve the problems in the prior art, the embodiment of the invention provides a data access method, a device, equipment and a storage medium. The data access method provided by the embodiment of the invention can be applied to the architecture shown in fig. 1, and is described below with reference to fig. 1.
Fig. 1 is a schematic diagram of a data access method according to an embodiment of the present invention.
As shown in fig. 1, the architecture may include at least one client 10 and an electronic device 11. The client 10 and the electronic device 11 may establish a connection and exchange data over a network protocol such as HTTPS (Hypertext Transfer Protocol over Secure Socket Layer). The client 10 may be a device with a communication function, such as a mobile phone or a tablet computer, that supports a secure-terminal or SDK (Software Development Kit) mode. It may send a data access request to the electronic device 11, and may also detect and check itself, helping the user to know how secure the operating environment of the client 10 is, ensuring the reliability of access from the client 10, and thereby making access to the protected resource from the client 10 secure and controllable.
The electronic device 11 may be a device, or a cluster of devices, with storage and computing capabilities. The electronic device 11 may include a first processor 110, a second processor 111, a third processor 112, and a memory 113. The first processor 110, in combination with the third processor 112, may verify the client 10 and provide it with secure access. The second processor 111 is configured to add a layer of stealth protection around the protected resources at the back end: none of the protected back-end resources expose any service or port to the outside, and only a user who has passed verification and been authorized can reach the hidden resources, through the second processor 111. This raises the security level of the system architecture and improves its resistance to malicious attacks. The memory 113 may store the protected back-end resources.
Based on the above architecture, the client 10 needs to send authentication information to the electronic device 11 before accessing the data on the electronic device 11, and the first processor 110 checks the client 10 based on the authentication information to determine whether the client 10 can access the resource on the memory 113. If it is determined that the client 10 can access the resource on the memory 113, the first processor 110 feeds back the result of the verification pass to the client 10 while determining the resource access right possessed by the client 10, and transmits the result of the verification and the resource access right possessed by the client 10 to the second processor 111. The second processor 111 establishes a communication link between the client 10 and the electronic device 11 based on the received information such that the client 10 accesses the resources on the memory 113 based on the communication link. The above architecture performs verification before establishing the communication link, not only verifies the user identity corresponding to the client 10, but also verifies the client 10, thereby enhancing the strength of access authentication and ensuring the security of data access.
It should be understood that the number of electronic devices 11 in fig. 1 is merely illustrative. According to practical needs, the architecture can be flexibly adjusted, for example, the first processor 110, the second processor 111, the third processor 112 and the memory 113 can also be respectively integrated in one electronic device to form a device cluster, so as to interact with the client 10 to complete data access. The following embodiments may all apply the system architecture of the present embodiment for data access, and the embodiments may refer to and apply to each other.
According to the above architecture, the data access method provided by the embodiment of the invention is described in detail below. The method may be performed by the electronic device 11 shown in fig. 1, or may be performed by a device cluster formed by the first processor 110, the second processor 111, and the third processor 112, which is not limited in particular in the embodiment.
Fig. 2 is a flowchart of a data access method according to an embodiment of the present invention. As shown in fig. 1, the method may include steps S110 and S120.
S110, receiving and checking authentication information sent by the client.
The authentication information may include user identity information and client information corresponding to the client.
The user identity information may be information indicating the identity of the user, and may include, but not limited to, a user name and a password for the user to log in to the client, where the user name may be a mobile phone number, an identity card number, or other information meeting the registration requirement of the client.
The client information may include intrinsic information and extrinsic information of the client. The intrinsic information may be network behavior information of the client, obtained by analyzing the client's network traffic and network log information; the network behavior information may include, but is not limited to, the total number of requests, the number of web attack requests, the attack request proportion, the unauthorized request proportion, the proportion of requests for unauthorized resources, batch device-scanning requests (including IP and port), the batch device-scanning request proportion, the number of normal access requests, the batch authorized-device request proportion, and the proportion of disallowed request methods. The extrinsic information may be the environment information of the client, which may include the physical environment information and the software environment information of the client; the physical environment information may include, but is not limited to, memory, central processing unit (CPU), hard disk, network card, graphics card, keyboard and mouse information, and the software environment information may include, but is not limited to, the operating system version, virus version, process information, vulnerability information, and other related software information.
To ensure accuracy of data transmission, the client may send the authentication information in the conventional Single Packet Authorization (SPA) mode, with the authentication information encrypted; the embodiment does not limit the specific encryption mode, and for example a message digest algorithm (MD) or a hash algorithm may be used. After receiving the authentication information, the electronic device may first verify its data format. When the data format is incorrect, the client has no access right: if a connection between the client and the electronic device was established earlier, it is disconnected at this point so that the client stops accessing data on the electronic device; if no connection exists, an access-failure indication may be fed back to the client. This prevents an illegal user from accessing the protected data and ensures data security. When the data format is correct, the authentication information may be decrypted to obtain the user identity information and client information it contains, which are then checked.
When checking the user identity information and the client information, optionally, in some embodiments, the user identity information may be checked first, and if the user identity information passes the check, the client information is further checked, and if the user identity information fails the check, the client information is not checked any more, thereby saving time and improving efficiency.
In some embodiments, the user identity information sent by the client may be compared with a pre-stored identity authentication policy, and if the user identity information and the pre-stored identity authentication policy are consistent, the user identity information is considered to pass the verification, otherwise, the user identity information is considered to fail the verification. The authentication policy may be stored in the third processor 112 shown in fig. 1, and the embodiment does not specifically limit the specific content of the authentication policy. In order to ensure the reliability of the user identity, when verifying the user identity, risk report information sent by the client 10 may also be received, where the risk report information may include, but is not limited to, occupancy of a CPU of the client, occupancy of a memory, currently opened process information, port information, whether a firewall is opened, and the like, and the identity of the user is verified in combination with the risk report information.
It should be noted that the verification process is dynamic and continuous: the access user's input information, such as the user identity information and the corresponding client information, can be analyzed continuously and corresponding results output. In particular, when the user identity information or the client information changes, the connection between the client and the electronic device can be disconnected in time, ensuring the safety and reliability of the access user.
Taking the example that the client information includes the environment information where the client is located and the network behavior information corresponding to the client as an example, optionally, in some embodiments, the environment information where the client is located and the current network behavior information of the client may be collected, the trusted level of the client information is determined based on the environment information and the network behavior information, and the verification result of the client information is determined based on the trusted level.
For example, a trust level 1 indicates that the client information is trusted, a trust level 2 indicates that the client information is basically trusted, a trust level 3 indicates that the client information is not trusted, when the trust level is 1 or 2, the client information is considered to pass the verification, and when the trust level is 3, the client information is considered to fail the verification. Of course, other representation modes can be adopted, for example, the trust level 1 indicates that the client information is not trusted, the trust level 2 indicates that the client information is basically trusted, the trust level 3 indicates that the client information is trusted, when the trust level is 2 or 3, the client information is considered to pass the verification, and when the trust level is 1, the client information is considered to fail the verification.
The above-described verification process may be performed by the first processor 110 shown in fig. 1, by the third processor 112 shown in fig. 1, or by the first processor 110 in part and the third processor 112 in part.
To relieve processor stress, optionally, in some embodiments, client information may be checked by the first processor 110 and user identity information may be checked by the third processor 112.
Taking the third processor 112 to check the user identity information as an example, when the first processor 110 determines that the data format of the authentication information is correct, the analyzed user identity information may be sent to the third processor 112, checked by the third processor 112, and the check result fed back by the third processor 112 is sent to the second processor 111, so that the second processor 111 determines whether to establish a communication link between the client 10 and the electronic device 11 based on the check result.
It should be understood that when the client 10 performs data access, the network behavior information and the environment information thereof may also change, so as to affect the security of the data access.
And S120, when the user identity information and the client information are checked to pass, and a data access request sent by the client is received, establishing a communication link corresponding to the data access request, so that the client accesses the data corresponding to the data access request through the communication link.
The data access request may include information about the data to be accessed, for example, may include identification information of the data to be accessed, which is used to uniquely identify the data to be accessed. When the user identity information and the client information pass the verification, the first processor 110 feeds back the result of the verification to the client 10, and after the client 10 receives the result, the data access request can be sent to the electronic device 11. Specifically, after receiving the data access request, the second processor 111 may search the access control list (Access Control Lists, ACL) sent by the first processor 110, determine whether the data corresponding to the data access request is within the data access rights owned by the client 10, and if the data corresponding to the data access request is within the data access rights owned by the client 10, establish a communication link between the client 10 and the electronic device 11, so that the client 10 accesses the data corresponding to the data access request on the electronic device 11 through the communication link. The access control list is used to store the information of the client 10 that passes the verification and the data access rights possessed by the client 10.
It should be noted that, when the information of the client 10 corresponding to the data access request is recorded in the access control list, but the data corresponding to the data access request is not in the data access authority owned by the client 10, the client 10 cannot access the data on the electronic device 11, that is, only when the user identity information and the client information are authenticated and the data to be accessed by the client 10 is in the data access authority owned by the client, the second processor 111 will show the port corresponding to the data access authority to the client 10, and further establish a communication link between the electronic device 11 and the client 10 through the port, so that the client 10 can access the corresponding data, otherwise, the port of the electronic device 11 will be hidden, the protected resource is helped to be stealth, the protected resource is prevented from being attacked by other networks or accessed by other clients, and the security of the protected resource is ensured.
For example, referring to fig. 3 and taking access to an intranet application on the electronic device 11 as an example: when the check confirms that the data the client 10 wants to access is within the data access rights owned by the client 10, the electronic device 11 may present the corresponding port to the client 10 and establish a communication link based on that port, so that the client 10 can access the intranet application on the electronic device 11 over the link. To an ordinary browser, or to a virus, trojan or web attack that fails verification or is otherwise not authorized, the electronic device 11 exposes no port at all, so no communication link is established with them; this prevents the intranet application from being accessed by unknown clients or attacked over the network and ensures its safety.
Therefore, the embodiment performs verification before the communication link between the client and the electronic equipment is established, so that the risk of data leakage caused by network attack of connected network resources is effectively prevented, and when the verification is performed, the user identity information is verified, the client information is also verified, the authentication strength is enhanced, and the safety of data is improved.
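The S110 and S120 decision sequence as an added Python example (not code from the patent or from China Mobile): the SPA packet layout with an HMAC tag, the identity policy store, the ACL contents, the port numbers and the constructed client-information evaluator are all assumptions; only the order of checks (data format, then user identity, then client information, then ACL lookup before a port is revealed) comes from the text.

```python
"""Gateway decision logic for steps S110 and S120 (added example, not the
patent's code). The packet layout, identity store, ACL and ports are
constructed; the order of checks follows the text: data format first, then
user identity, then client information, then the ACL lookup that decides
whether a port is revealed."""
import hashlib
import hmac
import json

SPA_KEY = b"constructed-demo-key"  # constructed pre-shared key for the SPA tag
# Constructed identity authentication policy: user name -> SHA-256(password).
IDENTITY_POLICY = {
    "13800000000": hashlib.sha256(b"correct horse").hexdigest(),
}
# Constructed access control list: client id -> {data id -> backend port}.
# A port is only revealed when the requested data is within the client's rights.
ACL = {
    "client-A": {"intranet-app": 8443, "hr-db": 5432},
}
REQUIRED_FIELDS = ("user", "password", "client_id", "environment", "behavior")


def build_spa_packet(payload: dict) -> bytes:
    """Client side: sorted JSON body + '.' + HMAC-SHA256 tag (constructed format;
    stands in for the SPA digest/encryption step the text leaves open)."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SPA_KEY, body, hashlib.sha256).hexdigest()
    return body + b"." + tag.encode()


def parse_spa_packet(packet: bytes):
    """Format check performed first by the first processor. Returns the payload,
    or None for a malformed, tampered or incomplete packet, which then never
    reaches identity checking."""
    try:
        body, tag = packet.rsplit(b".", 1)
        expected = hmac.new(SPA_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag.decode()):
            return None
        payload = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or not all(k in payload for k in REQUIRED_FIELDS):
        return None
    return payload


def identity_ok(user: str, password: str) -> bool:
    """Compare the submitted identity with the pre-stored policy."""
    stored = IDENTITY_POLICY.get(user)
    digest = hashlib.sha256(password.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(stored, digest)


def constructed_client_evaluator(environment: dict, behavior: dict) -> int:
    """Stand-in for the trust-level evaluation of client information: a
    blacklisted process or an attack-request proportion above 10% gives
    level 3 (not trusted), otherwise level 1 (constructed rule)."""
    if environment.get("blacklisted_process") or behavior.get("attack_request_ratio", 0) > 0.1:
        return 3
    return 1


def authenticate(packet: bytes, evaluate_client=constructed_client_evaluator) -> dict:
    """Step S110. Client information is only evaluated after identity passes,
    matching the early-exit ordering in the text; levels 1 and 2 pass."""
    payload = parse_spa_packet(packet)
    if payload is None:
        return {"ok": False, "reason": "bad format"}
    if not identity_ok(payload["user"], payload["password"]):
        return {"ok": False, "reason": "identity"}
    if evaluate_client(payload["environment"], payload["behavior"]) not in (1, 2):
        return {"ok": False, "reason": "client info"}
    return {"ok": True, "client_id": payload["client_id"]}


def request_access(auth_result: dict, data_id: str):
    """Step S120 (second processor): reveal the backend port only if the client
    passed S110 and data_id is within its ACL rights; otherwise stay hidden."""
    if not auth_result.get("ok"):
        return None
    return ACL.get(auth_result["client_id"], {}).get(data_id)


# Constructed sample packets
GOOD_PACKET = build_spa_packet({
    "user": "13800000000", "password": "correct horse", "client_id": "client-A",
    "environment": {"blacklisted_process": False},
    "behavior": {"attack_request_ratio": 0.0},
})
BAD_ENV_PACKET = build_spa_packet({
    "user": "13800000000", "password": "correct horse", "client_id": "client-A",
    "environment": {"blacklisted_process": True},
    "behavior": {"attack_request_ratio": 0.0},
})
WRONG_PASSWORD_PACKET = build_spa_packet({
    "user": "13800000000", "password": "wrong", "client_id": "client-A",
    "environment": {"blacklisted_process": False},
    "behavior": {"attack_request_ratio": 0.0},
})
TAMPERED_PACKET = GOOD_PACKET.replace(b"client-A", b"client-B")  # body changed, tag stale
```

A request for data outside the client's ACL rights returns no port even though the client passed S110, which is the hidden-port behaviour the text describes.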
Taking the example that the client information includes the environment information where the client is located and the network behavior information corresponding to the client, in addition to the above S110-S120, in a possible implementation manner, as shown in fig. 4, the data access method provided by the embodiment of the present invention may further include steps S200-S290:
S200, receiving authentication information sent by the client.
S210, checking the user identity information in the authentication information.
The process of verifying the user identity information may refer to the previous embodiment, and will not be described herein.
S220, whether the user identity information passes the verification, if so, S230 is executed, otherwise S290 is executed.
Specifically, if the user identity information passes the verification, S230 is executed to continue to verify the client information to enhance the authentication strength and improve the security of the access user, otherwise S290 is executed to disconnect the existing connection or continue to hide the port, thereby prohibiting the access user from accessing the protected resource.
S230, determining a first credibility level of the environment information according to the index item in the environment information.
The index item is one or more items of environment information selected from the environment information according to actual needs and is used for determining the credibility level of the environment information. In some embodiments, software environment information in the environment information may be used as an index item, for example, an operating system version, a virus version, process information, system vulnerability information, and other related software of the client may be used as an index item.
Alternatively, in some embodiments, the risk level of the index item may be determined from the index value of the index item; determining the score and the weight of the index item according to the risk level; and determining a first credibility level of the environment information according to the scores and the weights of the index items.
The index value reflects the current condition of the index item. For example, the index value of the operating system version reflects how high (recent) the operating system version is; the index value of the virus version reflects how high the virus version is; the index value of the process information reflects which blacklisted processes currently exist on the client; the index value of the system vulnerability information reflects which high-risk vulnerabilities currently exist on the client; and the index values of other related software reflect whether the compliance of that software meets the standard. The current risk level of an index item may be determined from its index value. For example, if the current index value of the operating system version is high, indicating a high operating system version, the risk level of that index item may be determined to be level two, whereas if the index value is low, indicating a low operating system version, the risk level may be determined to be level four; the higher the risk level, the lower the security of the index item.
Different risk levels correspond to different scores and weights; the correspondence between risk levels and scores and weights may be looked up in a risk level information table, and the higher the risk level, the lower the corresponding score and the larger the corresponding weight. For example, the five risk levels may correspond to scores of 20, 40, 60, 80 and 100 respectively, with the highest risk level receiving the lowest score. The sum of the weights corresponding to the index items is 1.
After the score and weight of each index item are determined, the scores and weights of the index items are weighted and summed to obtain a comprehensive score F, and the credibility level of the environment information is determined from F. For example, when F is greater than or equal to 80, the credibility level of the environment information may be determined to be level one, indicating that the environment information is trusted; when F is greater than or equal to 40 and less than 80, the credibility level may be determined to be level two, indicating that the environment information is basically trusted; when F is less than 40, the credibility level may be determined to be level three, indicating that the environment information is not trusted.
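The scoring chain just described (index value to risk level, risk level to score and weight, weighted sum F, F to credibility level), as an added worked example that is not the patent's own implementation. The page fixes only the scores 20 to 100, the thresholds 80 and 40, the OS-version rule and the direction of the weights; the raw weights, the rules for the other index items and the field names of `EnvironmentInfo` are assumptions.

```python
"""Environment credibility scoring: index items -> risk levels -> F -> level."""
from dataclasses import dataclass

# Risk level -> (score, raw weight). The page gives the scores 20, 40, 60, 80, 100 and
# states that a higher risk level gets a lower score and a larger weight; the raw weight
# values are assumed. Raw weights are normalised per client so that they sum to 1.
RISK_LEVEL_TABLE = {1: (100, 1.0), 2: (80, 1.5), 3: (60, 2.0), 4: (40, 2.5), 5: (20, 3.0)}


@dataclass
class EnvironmentInfo:
    """Index values collected from the client (field semantics are assumed)."""
    os_version_current: bool        # True when the operating system version is high
    av_signature_current: bool      # True when the virus (signature) version is high
    blacklisted_processes: list     # blacklisted processes currently running
    high_risk_vulns: list           # unpatched high-risk vulnerabilities present
    other_software_compliant: bool  # other related software meets the standard


def risk_levels(env: EnvironmentInfo) -> dict:
    """Map each index value to a risk level (1 = lowest risk, 5 = highest risk).

    The OS rule (high version -> level 2, low version -> level 4) is the page's
    example; the rules for the other index items are assumed.
    """
    return {
        "os_version": 2 if env.os_version_current else 4,
        "virus_version": 1 if env.av_signature_current else 4,
        "process_info": 5 if env.blacklisted_processes else 1,
        "vulnerability_info": 5 if env.high_risk_vulns else 1,
        "other_software": 1 if env.other_software_compliant else 3,
    }


def comprehensive_score(levels: dict) -> float:
    """Weighted sum F of the index item scores; weights are normalised to sum to 1."""
    raw = {item: RISK_LEVEL_TABLE[lvl][1] for item, lvl in levels.items()}
    total = sum(raw.values())
    return sum(RISK_LEVEL_TABLE[lvl][0] * raw[item] / total
               for item, lvl in levels.items())


def credibility_level(f: float) -> int:
    """Page thresholds: F >= 80 -> level 1 (trusted), 40 <= F < 80 -> level 2
    (basically trusted), F < 40 -> level 3 (not trusted)."""
    if f >= 80:
        return 1
    if f >= 40:
        return 2
    return 3


def evaluate_environment(env: EnvironmentInfo) -> tuple:
    """Return (F rounded to two decimals, credibility level) for one client."""
    f = comprehensive_score(risk_levels(env))
    return round(f, 2), credibility_level(f)


# Constructed sample clients (not taken from the page).
CLEAN_CLIENT = EnvironmentInfo(True, True, [], [], True)
COMPROMISED_CLIENT = EnvironmentInfo(False, False, ["blacklisted-process"],
                                     ["VULN-ID-PLACEHOLDER"], True)
MIXED_CLIENT = EnvironmentInfo(True, False, [], ["VULN-ID-PLACEHOLDER"], False)

if __name__ == "__main__":
    for name, env in (("clean", CLEAN_CLIENT), ("compromised", COMPROMISED_CLIENT),
                      ("mixed", MIXED_CLIENT)):
        f, level = evaluate_environment(env)
        print(f"{name}: F={f} -> credibility level {level}")
```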
S240, determining a first trust value of the client in the current time period and a second trust value of the client in the previous time period according to the network behavior information.
The previous time period is the time period before the current time period; for example, if the current time period is $t_n$, the previous time period may be $t_{n-1}$. The trust value of the client in the current time period reflects the overall performance of the client in the current time period, and the trust value of the client in the previous time period reflects the overall performance of the client in the previous time period. The embodiment of the invention represents the overall performance of the client in the current time period by the first trust value, and the overall performance of the client in the previous time period by the second trust value.
The trust level of the network behavior information is related to the overall performance of the client in the current time period, the overall performance is related to all network traffic information and log behavior information in the current time period, and the trust level of the network behavior information can be obtained by analyzing all network traffic information and log behavior information in the current time period.
Considering that the network traffic information and the log behavior information of the client have large data size, if all the network traffic information and the log behavior information are extracted, a great deal of time is consumed, and thus the calculation efficiency is affected. In some embodiments, the network traffic information and the log behavior information may be preprocessed, so as to save time and improve computing efficiency.
It should be appreciated that the trustworthiness of the client in the current time period is related both to its overall performance in the current time period and to its overall performance in the previous time period; in some embodiments, the trust level of the network behavior information may therefore be determined from the overall performance of the client in the current time period together with its overall performance in the previous time period.
The method for determining the overall performance of the client in the current time period is not limited by the embodiment of the invention; for example, a regression algorithm from a machine learning model may be used to determine the overall performance of the client in the current time period, such as:
$$DT_{t_n} = w_0 + w_1\,\mathrm{ATTR} + w_2\,\mathrm{URR} + w_3\,\mathrm{UERR} + w_4\,\mathrm{SRR} + w_5\,\mathrm{VLRR} + w_6\,\mathrm{MANRR},$$
wherein $DT_{t_n}$ is the overall performance of the client in the current time period, i.e. the first trust value; $w_0$ to $w_6$ are the parameters of the multiple linear regression model; ATTR is the attack request proportion, URR the unauthorized request proportion, UERR the proportion of requests accessing unauthorized resources, SRR the batch scanning device request proportion, VLRR the batch authorized device request proportion, and MANRR the proportion of requests using a disallowed request method. The cost function of the model is:
wherein MSE is the cost value, $n$ is the number of training samples, $DT_i$ is the actual trust value of the $i$-th training sample, and $DT_i^{p}$ is the target trust value of the $i$-th sample. When the cost value meets a preset condition, training ends and the first trust value is obtained.
S250, determining a second credibility level of the network behavior information according to the first trust value and the second trust value.
Clients with different liveness have different trust levels. In some embodiments, the liveness of the client up to the current time period may be determined, and a first weight for the first trust value and a second weight for the second trust value are determined according to the liveness; a target trust value of the client in the current time period is then determined from the first trust value and the first weight together with the second trust value and the second weight; and the second credibility level of the network behavior information is determined from the target trust value.
The liveness may reflect the number or frequency of interactions between the client and the server in the current time period: the higher the number or frequency of interactions, the higher the liveness of the client. Different liveness values give different weights for the first trust value and the second trust value.
For example, when the liveness is greater than or equal to a set threshold, the target trust value of the client in the current time period may be determined by the following formula:
$$ADT_{t_n} = \alpha\,ADT_{t_{n-1}} + (1-\alpha)\,DT_{t_n}$$
wherein $ADT_{t_n}$ is the target trust value of the client in the current time period, $\alpha$ is a weight between 0 and 1, and $ADT_{t_{n-1}}$ is the second trust value. When the client is active in the current time period, the target trust value may thus be determined from both the first trust value and the second trust value.
When the liveness is less than the set threshold, the target trust value of the client in the current time period may be determined as follows:
$$ADT_{t_n} = \beta\,ADT_{t_{n-1}}$$
wherein $\beta$ is a weight between 0 and 1. When the client has poor liveness in the current time period, the first trust value may be ignored and the target trust value determined from the second trust value alone. The size of $\beta$ may be chosen according to the specific application scenario: in a scenario with high tolerance for inactive devices, $\beta$ may take a larger value, and in a scenario with low tolerance for inactive devices, $\beta$ may take a smaller value.
After the target trust value is determined, the credibility level of the network behavior information can be determined from it. For example, when the target trust value is greater than or equal to 80, the credibility level of the network behavior information may be determined to be level one, indicating that the network behavior information is trusted; when the target trust value is greater than or equal to 60 and less than 80, the credibility level may be determined to be level two, indicating that the network behavior information is basically trusted; when the target trust value is greater than 0 and less than 60, the credibility level may be determined to be level three, indicating that the network behavior information is not trusted.
And S260, determining a verification result of the client information according to the first credibility level and the second credibility level.
The verification result is used for indicating whether the client information passes verification or not. Optionally, in some embodiments, when the first trust level meets a first preset condition and the second trust level meets a second preset condition, determining that the verification result of the client information is verification passing; otherwise, determining that the verification result of the client information is verification failure.
The first preset condition and the second preset condition may be chosen according to the specific application scenario. For example, in a scenario with higher requirements for both environment information and network behavior information, the first preset condition may be level information reflecting the degree of reliability of the environment information; for instance, credibility level 1 may indicate that the environment information is highly reliable, credibility level 2 that it is fairly reliable, and credibility level 3 that its reliability is low. The second preset condition may be level information reflecting the degree of reliability of the network behavior information; for instance, credibility level 4 may indicate that the network behavior information is highly reliable, credibility level 5 that it is fairly reliable, and credibility level 6 that its reliability is low. In this scenario, the first preset condition may be credibility level 1 or credibility level 2, and the second preset condition may be credibility level 4 or credibility level 5.
For a scenario with a high requirement for environmental information, the first preset condition may be a trusted level 1, and the second preset condition may be a trusted level 4, a trusted level 5, or a trusted level 6.
For a scenario with higher network behavior information requirements, the first preset condition may be a trust level 1, a trust level 2 or a trust level 3, and the second preset condition may be a trust level 4.
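Steps S240 to S260, carried through end to end as an added worked example that is not the patent's own implementation: request records are preprocessed into the six proportions, the regression gives $DT_{t_n}$, the liveness rule gives $ADT_{t_n}$, the thresholds give the second credibility level, and the preset conditions give the verification result. The regression parameters, the liveness threshold, $\alpha$, $\beta$, the `RequestRecord` format and the scenario names are assumptions; the page leaves them to the deployment.

```python
"""Network behaviour trust (S240-S260): records -> proportions -> DT -> ADT -> level -> result."""
from dataclasses import dataclass

# Parameters w0..w6 of the page's multiple linear regression. These values are assumed
# stand-ins for a trained model: intercept 100 and a negative slope for each proportion,
# so a client whose requests are all benign scores 100.
W = (100.0, -120.0, -80.0, -80.0, -60.0, -60.0, -40.0)
FEATURE_FIELDS = ("attack", "unauthorized", "unauth_resource",
                  "scanning", "batch_auth", "method_disallowed")


@dataclass
class RequestRecord:
    """One request from the client's traffic and log data after preprocessing (format
    constructed for this example). Each flag marks the suspicious category, if any."""
    attack: bool = False             # counted in ATTR
    unauthorized: bool = False       # counted in URR
    unauth_resource: bool = False    # counted in UERR
    scanning: bool = False           # counted in SRR
    batch_auth: bool = False         # counted in VLRR
    method_disallowed: bool = False  # counted in MANRR


def proportions(records) -> tuple:
    """ATTR, URR, UERR, SRR, VLRR, MANRR as fractions of all requests in the period."""
    n = len(records)
    if n == 0:
        return (0.0,) * len(FEATURE_FIELDS)
    return tuple(sum(getattr(r, f) for r in records) / n for f in FEATURE_FIELDS)


def first_trust_value(props) -> float:
    """DT_tn = w0 + w1*ATTR + ... + w6*MANRR, clamped to the 0..100 scale of the levels."""
    dt = W[0] + sum(w * p for w, p in zip(W[1:], props))
    return max(0.0, min(100.0, dt))


def target_trust_value(dt_tn, adt_prev, liveness, threshold=10, alpha=0.3, beta=0.9):
    """ADT_tn = alpha*ADT_{tn-1} + (1-alpha)*DT_tn when liveness >= threshold,
    otherwise beta*ADT_{tn-1} (the current period's DT is ignored)."""
    if liveness >= threshold:
        return alpha * adt_prev + (1 - alpha) * dt_tn
    return beta * adt_prev


def behaviour_level(adt: float) -> int:
    """Page thresholds: ADT >= 80 -> level 1 (trusted), 60 <= ADT < 80 -> level 2
    (basically trusted), ADT < 60 -> level 3 (not trusted). S260 numbers these same
    three levels 4, 5 and 6 to tell them apart from the environment levels."""
    if adt >= 80:
        return 1
    if adt >= 60:
        return 2
    return 3


# First and second preset conditions per scenario, as sets of accepted levels (S260).
SCENARIOS = {
    "balanced": ({1, 2}, {1, 2}),
    "environment_strict": ({1}, {1, 2, 3}),
    "behaviour_strict": ({1, 2, 3}, {1}),
}


def verification_result(env_level: int, beh_level: int, scenario="balanced") -> bool:
    """Verification passes only when both credibility levels meet their preset conditions."""
    first_cond, second_cond = SCENARIOS[scenario]
    return env_level in first_cond and beh_level in second_cond


def evaluate_period(records, adt_prev, env_level, scenario="balanced") -> tuple:
    """Run S240-S260 for one period; liveness is taken as the number of requests."""
    dt = first_trust_value(proportions(records))
    adt = target_trust_value(dt, adt_prev, liveness=len(records))
    level = behaviour_level(adt)
    return round(dt, 2), round(adt, 2), level, verification_result(env_level, level, scenario)


# Constructed sample: an active period of 20 requests, two rejected as unauthorized and
# one matching an attack signature, following a previous target trust value of 90.
ACTIVE_PERIOD = ([RequestRecord() for _ in range(17)]
                 + [RequestRecord(unauthorized=True) for _ in range(2)]
                 + [RequestRecord(attack=True)])
# The next period: only 3 benign requests, below the liveness threshold, so ADT decays.
QUIET_PERIOD = [RequestRecord() for _ in range(3)]

if __name__ == "__main__":
    print(evaluate_period(ACTIVE_PERIOD, adt_prev=90.0, env_level=2))
    print(evaluate_period(QUIET_PERIOD, adt_prev=87.2, env_level=1, scenario="behaviour_strict"))
```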
S270, judging whether the verification result is verification pass; if so, executing S280, otherwise executing S290.
And S280, when a data access request sent by the client is received, establishing a communication link corresponding to the data access request, so that the client accesses data corresponding to the data access request through the communication link.
It should be appreciated that even if the authentication information of the client passes verification, the protected resource still cannot be accessed if the client does not have the corresponding access rights, so when both the user identity information and the client information pass verification, the data access rights owned by the client may be further determined. When a data access request is received, whether the client has the access right corresponding to the request can be determined by combining the verification result with the data access rights owned by the client. If the requested data is within the data access rights possessed by the client, the corresponding port can be exposed to the client and a communication link corresponding to the data access request is established based on that port; otherwise the port remains hidden and the client is forbidden to access.
S290, disconnecting a communication link corresponding to the client so that the client stops accessing the corresponding data; or feeding back an indication result to the client to indicate that the client cannot access the corresponding data.
When verification of the user identity information and/or the client information fails, or the data the client wants to access is outside its access rights, then if a connection was previously established between the client and the electronic device, that connection is disconnected so that the client cannot continue to access data on the electronic device; if no connection was established before, an indication result can be fed back to the client at this point to inform it that the corresponding data cannot currently be accessed. This ensures the security and reliability of the accessing user while preventing the protected resource from being leaked.
Before the connection to the electronic device is made, the scheme first checks whether the user identity, the environment the client is located in and the corresponding network behavior are legitimate; only after all of these are found legitimate is a port corresponding to their rights opened to the client, and a communication link is established based on that port. An authentication system covering the user, the device and the environment is thus constructed, which strengthens authentication and effectively avoids traditional security threats. At the same time, a dynamic authentication strategy is adopted in which user identity information and client information are continuously collected, which improves the security of the whole network and reduces the risk of information leakage. In addition, a scoring and weighting algorithm and a network behavior analysis algorithm are used, which improve the overall detection efficiency and the perceptibility of environment credibility and provide a basis for dynamic continuous control.
Based on the same inventive concept, the embodiment of the invention also provides a data access device. This is described in detail with reference to fig. 5.
Fig. 5 is a block diagram of a data access device according to an embodiment of the present invention.
As shown in fig. 5, the data access apparatus may include:
the verification module 31 is configured to receive and verify authentication information sent by a client, where the authentication information includes user identity information and client information corresponding to the client;
and the communication link establishment module 32 is configured to establish a communication link corresponding to the data access request when the user identity information and the client information pass verification and the data access request sent by the client is received, so that the client accesses the data corresponding to the data access request through the communication link.
In one embodiment, the client information includes environment information where the client is located and network behavior information corresponding to the client;
the verification module 31 includes:
a first trust level determining unit, configured to determine a first trust level of the environmental information according to an index item in the environmental information;
a trust value determining unit, configured to determine, according to the network behavior information, a first trust value of the client in a current time period and a second trust value of the client in a previous time period;
A second trust level determining unit, configured to determine a second trust level of the network behavior information according to the first trust value and the second trust value;
and the verification result determining unit is used for determining the verification result of the client information according to the first credibility level and the second credibility level, wherein the verification result is used for indicating whether the client information passes the verification.
In one embodiment, the first trust level determining unit is specifically configured to:
determining the risk level of the index item according to the index value of the index item;
determining the score and the weight of the index item according to the risk level;
and determining a first credibility level of the environment information according to the scores and the weights of the index items.
In an embodiment, the second trust level determining unit is specifically configured to:
determining the activity of the client in the current time period;
determining a first weight of the first trust value and a second weight of the second trust value according to the liveness;
determining a target trust value of the client in the current time period according to the first trust value and the first weight and the second trust value and the second weight;
And determining a second credibility level of the network behavior information according to the target trust value.
In one embodiment, the verification result determining unit is specifically configured to:
when the first credibility level meets a first preset condition and the second credibility level meets a second preset condition, determining that the verification result of the client information is verification passing; otherwise, determining that the verification result of the client information is verification failure.
In one embodiment, the communication link establishment module 32 is specifically configured to:
determining the data access authority of the client;
and when the data corresponding to the data access request is within the data access authority owned by the client, establishing a communication link corresponding to the data access request.
In one embodiment, the apparatus may further include a communication link disconnection module, configured to disconnect a communication link corresponding to the client when the user identity information and/or the client information fails to be checked, so that the client stops accessing the corresponding data; or feeding back an indication result to the client to indicate that the client cannot access the corresponding data.
The modules and units in the apparatus shown in fig. 5 have functions of implementing the steps in fig. 2 and fig. 4 and achieve corresponding technical effects, and are not described herein for brevity.
Based on the same inventive concept, the embodiment of the invention further provides an electronic device, and the detailed description is specifically provided with reference to fig. 6.
Fig. 6 is a block diagram of an electronic device according to an embodiment of the present invention.
As shown in fig. 6, the electronic device may include a processor 41 and a memory 42 storing computer program instructions.
In particular, the processor 41 may comprise a central processing unit (Central Processing Unit, CPU), or an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), or may be configured as one or more integrated circuits implementing embodiments of the present invention.
Memory 42 may include mass storage for data or instructions. By way of example, and not limitation, memory 42 may comprise a hard disk drive (HDD), floppy disk drive, flash memory, optical disk, magneto-optical disk, magnetic tape, or Universal Serial Bus (USB) drive, or a combination of two or more of the foregoing. In one example, memory 42 may include removable or non-removable (or fixed) media, or memory 42 may be a non-volatile solid state memory. Memory 42 may be internal or external to the integrated gateway disaster recovery device. In one example, memory 42 may be read-only memory (ROM). In one example, the ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically rewritable ROM (EAROM), or flash memory, or a combination of two or more of these.
The processor 41 reads and executes the computer program instructions stored in the memory 42 to implement the method in the embodiment shown in fig. 2 and 4, and achieve the corresponding technical effects achieved by executing the method in the embodiment shown in fig. 2 and 4, which are not described herein for brevity.
In one example, the electronic device may also include a communication interface 43 and a bus 44. As shown in fig. 6, the processor 41, the memory 42, and the communication interface 43 are connected to each other via a bus 44 and perform communication with each other.
The communication interface 43 is mainly used for implementing communication between each module, device and/or apparatus in the embodiment of the present invention.
Bus 44 includes hardware, software, or both, that couple the components of the online data flow billing device to each other. By way of example, and not limitation, the bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Extended Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association local bus (VLB), or other suitable bus, or a combination of two or more of the above. Bus 44 may include one or more buses, where appropriate. Although embodiments of the invention have been described and illustrated with respect to a particular bus, the invention contemplates any suitable bus or interconnect.
The electronic device may perform the data access method according to the embodiment of the present invention based on the currently received authentication information, thereby implementing the data access method and apparatus described in connection with fig. 1 to 5.
In addition, in combination with the data access method in the above embodiment, the embodiment of the present invention may be implemented by providing a computer storage medium. The computer storage medium has stored thereon computer program instructions; the computer program instructions, when executed by a processor, implement any of the data access methods of the above embodiments.
It should be understood that the invention is not limited to the particular arrangements and instrumentality described above and shown in the drawings. For the sake of brevity, a detailed description of known methods is omitted here. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present invention are not limited to the specific steps described and shown, and those skilled in the art can make various changes, modifications and additions, or change the order between steps, after appreciating the spirit of the present invention.
The functional blocks shown in the above-described structural block diagrams may be implemented in hardware, software, firmware, or a combination thereof. When implemented in hardware, it may be, for example, an electronic circuit, an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), suitable firmware, a plug-in, a function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine readable medium or transmitted over transmission media or communication links by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium that can store or transfer information. Examples of machine-readable media include electronic circuitry, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, radio Frequency (RF) links, and the like. The code segments may be downloaded via computer networks such as the internet, intranets, etc.
It should also be noted that the exemplary embodiments mentioned in this disclosure describe some methods or systems based on a series of steps or devices. However, the present invention is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, or may be performed in a different order from the order in the embodiments, or several steps may be performed simultaneously.
Aspects of embodiments of the present invention are described above with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, enable the implementation of the functions/acts specified in the flowchart and/or block diagram block or blocks. Such a processor may be, but is not limited to being, a general purpose processor, a special purpose processor, an application specific processor, or a field programmable logic circuit. It will also be understood that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware which performs the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the foregoing, only the specific embodiments of the present invention are described, and it will be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, modules and units described above may refer to the corresponding processes in the foregoing method embodiments, which are not repeated herein. It should be understood that the scope of the present invention is not limited thereto, and any equivalent modifications or substitutions can be easily made by those skilled in the art within the technical scope of the present invention, and they should be included in the scope of the present invention.

Claims (9)

1. A method of data access, comprising:
receiving and checking authentication information sent by a client, wherein the authentication information comprises user identity information and client information corresponding to the client;
when the user identity information and the client information are checked to pass, and a data access request sent by the client is received, a communication link corresponding to the data access request is established, so that the client accesses data corresponding to the data access request through the communication link;
the client information comprises environment information of the client and network behavior information corresponding to the client;
The verification process of the client information comprises the following steps:
determining a first credibility level of the environment information according to the index item in the environment information;
determining a first trust value of the client in a current time period and a second trust value of the client in a previous time period according to the network behavior information;
determining a second trust level of the network behavior information according to the first trust value and the second trust value;
and determining a verification result of the client information according to the first credibility level and the second credibility level, wherein the verification result is used for indicating whether the client information passes verification or not.
2. The method of claim 1, wherein determining a first level of trust of the environmental information from an indicator term in the environmental information comprises:
determining the risk level of the index item according to the index value of the index item;
determining the score and the weight of the index item according to the risk level;
and determining a first credibility level of the environment information according to the scores and the weights of the index items.
3. The method of claim 1, wherein the determining a second trust level for the network behavior information based on the first trust value and the second trust value comprises:
Determining the activity of the client in the current time period;
determining a first weight of the first trust value and a second weight of the second trust value according to the liveness;
determining a target trust value of the client in the current time period according to the first trust value and the first weight and the second trust value and the second weight;
and determining a second credibility level of the network behavior information according to the target trust value.
4. The method of claim 1, wherein the determining the verification result of the client information according to the first trust level and the second trust level comprises:
when the first credibility level meets a first preset condition and the second credibility level meets a second preset condition, determining that the verification result of the client information is verification passing; otherwise, determining that the verification result of the client information is verification failure.
5. The method of claim 1, wherein the establishing a communication link corresponding to the data access request comprises:
determining the data access authority of the client;
and when the data corresponding to the data access request is within the data access authority owned by the client, establishing a communication link corresponding to the data access request.
6. The method of any one of claims 1-5, further comprising:
when the verification of the user identity information and/or the client information fails, disconnecting a communication link corresponding to the client so that the client stops accessing corresponding data; or feeding back an indication result to the client to indicate that the client cannot access the corresponding data.
7. A data access device, comprising:
the verification module is used for receiving and verifying authentication information sent by the client, wherein the authentication information comprises user identity information and client information corresponding to the client;
the communication link establishment module is used for establishing a communication link corresponding to the data access request when the user identity information and the client information pass verification and the data access request sent by the client is received, so that the client accesses the data corresponding to the data access request through the communication link;
the client information comprises environment information of the client and network behavior information corresponding to the client;
the verification module comprises:
a first trust level determining unit, configured to determine a first trust level of the environmental information according to an index item in the environmental information;
A trust value determining unit, configured to determine, according to the network behavior information, a first trust value of the client in a current time period, and a second trust value of the client in a previous time period;
a second trust level determining unit, configured to determine a second trust level of the network behavior information according to the first trust value and the second trust value;
and the verification result determining unit is used for determining the verification result of the client information according to the first credibility level and the second credibility level, wherein the verification result is used for indicating whether the client information passes the verification.
8. An electronic device, comprising:
a processor;
a memory storing computer program instructions;
the processor reads and executes the computer program instructions to implement the data access method according to any of claims 1-6.
9. A computer storage medium having stored thereon computer program instructions which, when executed by a processor, implement the data access method of any of claims 1-6.
CN202110426937.5A 2021-04-20 2021-04-20 Data access method, device, equipment and storage medium Active CN115314229B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110426937.5A CN115314229B (en) 2021-04-20 2021-04-20 Data access method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110426937.5A CN115314229B (en) 2021-04-20 2021-04-20 Data access method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115314229A CN115314229A (en) 2022-11-08
CN115314229B true CN115314229B (en) 2024-03-19

Family

ID=83854226

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110426937.5A Active CN115314229B (en) 2021-04-20 2021-04-20 Data access method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115314229B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1992590A (en) * 2005-12-29 2007-07-04 盛大计算机(上海)有限公司 Identity authentication system of network user and method
CN106649772A (en) * 2016-12-27 2017-05-10 上海上讯信息技术股份有限公司 Method and equipment for accessing data
CN106815255A (en) * 2015-11-27 2017-06-09 阿里巴巴集团控股有限公司 The method and device of detection data access exception
CN109309684A (en) * 2018-10-30 2019-02-05 红芯时代(北京)科技有限公司 A kind of business access method, apparatus, terminal, server and storage medium
CN109862562A (en) * 2019-01-02 2019-06-07 武汉极意网络科技有限公司 A kind of dynamic verification code choosing method and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105007581B (en) * 2015-08-12 2018-03-20 腾讯科技(深圳)有限公司 A kind of network access authentication method and client
CN106789851A (en) * 2015-11-24 2017-05-31 阿里巴巴集团控股有限公司 Auth method, system, service server and authentication server

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
An access control model based on user network behavior; Liu Chang; He Jingsha; Information Network Security (10); full text *
Computer network information security and its protection countermeasures; Wu Jianping; Scientist (06); full text *

Also Published As

Publication number Publication date
CN115314229A (en) 2022-11-08

Similar Documents

Publication Publication Date Title
US8819803B1 (en) Validating association of client devices with authenticated clients
US8869279B2 (en) Detecting web browser based attacks using browser response comparison tests launched from a remote source
US8543471B2 (en) System and method for securely accessing a wirelessly advertised service
CN111917714B (en) Zero trust architecture system and use method thereof
US20110202992A1 (en) method for authenticating a trusted platform based on the tri-element peer authentication(tepa)
US20190199711A1 (en) System and method for secure online authentication
CN109167780B (en) Method, device, system and medium for controlling resource access
CN114553540B (en) Zero trust-based Internet of things system, data access method, device and medium
CN106899561B (en) TNC (network node controller) authority control method and system based on ACL (Access control List)
CN114629719B (en) Resource access control method and resource access control system
US9332432B2 (en) Methods and system for device authentication
CN115550069B (en) Intelligent charging system of electric automobile and safety protection method thereof
Ahmad et al. A novel context-based risk assessment approach in vehicular networks
Fakhfakh et al. Cybersecurity attacks on CAN bus based vehicles: a review and open challenges
CN102045310B (en) Industrial Internet intrusion detection as well as defense method and device
CN117155716B (en) Access verification method and device, storage medium and electronic equipment
CN110177113B (en) Internet protection system and access request processing method
CN115314229B (en) Data access method, device, equipment and storage medium
Visoottiviseth et al. PITI: Protecting Internet of Things via Intrusion Detection System on Raspberry Pi
CN111064731B (en) Identification method and identification device for access authority of browser request and terminal
CN114978544A (en) Access authentication method, device, system, electronic equipment and medium
CN112769731B (en) Process control method, device, server and storage medium
Raja et al. Threat Modeling and IoT Attack Surfaces
CN113824678A (en) System and method for processing information security events to detect network attacks
AlAmeen Building a robust client-side protection against cross site request forgery

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant