CN115374407A - Service access method, device, electronic equipment and computer readable storage medium - Google Patents

Info

Publication number
CN115374407A
Authority
CN
China
Prior art keywords
verification
risk
service
risk verification
logic
Legal status
Pending
Application number
CN202110543549.5A
Other languages
Chinese (zh)
Inventor
曾祥楷
王旭
于松亚
王犇
李俊浩
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202110543549.5A
Publication of CN115374407A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/951 Indexing; Web crawling techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/957 Browsing optimisation, e.g. caching or content distillation

Abstract

The embodiment of the invention discloses a service access method, a service access device, electronic equipment and a computer readable storage medium. After receiving a service access request and the service identifier of the target service that the request needs to access, the method authenticates the user corresponding to the request; when the user passes the identity authentication, it acquires the risk verification setting information corresponding to the service identifier, screens the risk verification logic corresponding to the risk verification logic identifier in that setting information out of a preset risk verification logic set, adds the risk verification logic to the risk verification setting information to obtain risk verification configuration information, verifies the service access request according to the risk verification configuration information to obtain a risk verification result, and finally controls the user's access to the target service based on the risk verification result. The scheme can improve the security of service access.

Description

Service access method, device, electronic equipment and computer readable storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a service access method and apparatus, an electronic device, and a computer-readable storage medium.
Background
In recent years, with the rapid development of internet technology, more and more services are provided over the internet. Users access these services through access requests, and in order to protect the service resources behind those services, an access request usually has to be verified before the service can be accessed. The existing service access method mainly performs identity authentication on the user and sends the identity authentication result to the service systems, after which each service system performs its own risk verification on the access request.
In the research and practice of the prior art, the inventors found that because each service system performs risk verification on the access request by itself once identity authentication is complete, there is no uniform risk control over service access, so a security gap is easily formed and the security of service access is lowered.
Disclosure of Invention
Embodiments of the present invention provide a service access method, an apparatus, an electronic device, and a computer-readable storage medium, which can improve security of service access.
A service access method, comprising:
receiving a service access request and a service identifier of a target service required to be accessed by the service access request, and performing identity authentication on a user corresponding to the service access request;
when the user passes the identity verification, acquiring risk verification setting information corresponding to the service identifier, wherein the risk verification setting information comprises at least one risk verification logic identifier;
screening out risk verification logic corresponding to the risk verification logic identification from a preset risk verification logic set, and adding the risk verification logic to the risk verification setting information to obtain risk verification configuration information;
verifying the service access request according to the risk verification configuration information to obtain a risk verification result;
and controlling the user to access the target service based on the risk verification result.
Correspondingly, an embodiment of the present invention provides a service access apparatus, including:
a receiving unit, configured to receive a service access request and a service identifier of a target service that needs to be accessed by the service access request, and perform identity authentication on a user corresponding to the service access request;
an obtaining unit, configured to obtain risk verification setting information corresponding to the service identifier when the user passes identity verification, where the risk verification setting information includes at least one risk verification logic identifier;
the screening unit is used for screening out risk verification logics corresponding to the risk verification logic identifications from a preset risk verification logic set, and loading the risk verification logics to the risk verification setting information to obtain risk verification configuration information;
the verification unit is used for verifying the service access request according to the risk verification configuration information to obtain a risk verification result;
and the control unit is used for controlling the user to access the target service based on the risk verification result.
Optionally, in some embodiments, the verification unit may be specifically configured to obtain a historical risk verification record corresponding to the service access request; and verifying the service access request according to the historical risk verification record and the risk verification configuration information to obtain a risk verification result.
Optionally, in some embodiments, the verification unit may be specifically configured to determine an initial risk verification result of the service access request according to the historical risk verification record; extracting access parameters corresponding to risk verification logic in the risk verification configuration information from the service access request, and verifying the access parameters based on the risk verification logic; and fusing the initial risk verification result and the verification result of the access parameter to obtain the risk verification result.
Optionally, in some embodiments, the verification unit may be specifically configured to screen out risk verification logic corresponding to the historical risk verification record from the risk verification configuration information; extracting a target historical risk verification record of the service access request within a preset time range from the historical risk verification records; counting the verification times corresponding to the historical risk verification result of each type in the target historical risk verification record; and substituting the verification times into the verification conditions of the risk verification logic corresponding to the risk verification records for verification to obtain the initial risk verification result of the service access request.
Optionally, in some embodiments, the verification unit may be specifically configured to obtain attribute information of the risk verification logic, and determine a verification path of the risk verification logic according to the attribute information of the risk verification logic; when the verification path is local verification, verifying the access parameter by adopting the risk verification logic; and when the verification path is verified by a third party, sending the corresponding access parameter to a verification server for verification according to the risk verification logic, and receiving a verification result corresponding to the access parameter returned by the verification server.
Optionally, in some embodiments, the verification unit may be specifically configured to determine a verification type of the risk verification logic and a verification condition corresponding to the verification type; extracting an access parameter value corresponding to the verification type from the access parameters; and substituting the access parameter values into corresponding verification conditions for verification to obtain a verification result of the access parameters.
Optionally, in some embodiments, the verification unit may be specifically configured to determine that the risk verification result is a risk when the initial risk verification result indicates that a risk exists, or when at least one verification result in the verification results of the access parameters indicates that verification fails; and when the initial risk verification result is that no risk exists and the verification results of the access parameters are all verified, determining that the risk verification result is that no risk exists.
Optionally, in some embodiments, the screening unit may specifically identify at least one loading address for loading the risk verification logic in the risk verification setting information; determining a loading address corresponding to the risk verification logic according to the type of the loading address; and loading the risk verification logic to a corresponding loading address in the risk verification setting information to obtain risk verification configuration information.
Optionally, in some embodiments, the obtaining unit may be specifically configured to obtain index information of a risk verification setting information set, where the index information is used to indicate an association relationship between a service identifier of a service and the risk verification setting information; screening risk verification setting information corresponding to the service identification from the risk verification setting information set when the service identification exists in the index information; and when the service identification does not exist in the index information, using preset risk verification setting information as risk verification setting information corresponding to the service identification.
Optionally, in some embodiments, the service access apparatus may further include a configuration unit, where the configuration unit may be specifically configured to obtain security configuration information of a service, where the security configuration information carries a service identifier of the service; establishing risk verification setting information corresponding to the service according to the safety configuration information; and establishing an incidence relation between the service identification of the service and risk verification setting information, and adding the risk verification setting information of the service to the risk verification setting information set.
Optionally, in some embodiments, the configuration unit may be specifically configured to receive a first security configuration request of a service, where the first security configuration request carries a service identifier of the service; generating a configuration page according to the first security configuration request, wherein the configuration page comprises a preset risk verification logic identification set; receiving a risk verification logic identifier selected aiming at a risk verification logic identifier set based on the configuration page, and taking the selected risk verification logic identifier and a selection sequence as security configuration information; the establishing of the risk verification setting information corresponding to the service according to the security configuration information includes: and combining the selected risk verification logic identifications according to the selection sequence to obtain risk verification setting information corresponding to the service.
Optionally, in some embodiments, the configuration unit may be specifically configured to receive a second security configuration request for a service, where the second security configuration request carries a service identifier of the service and a target risk verification logic corresponding to the service; acquiring a preset risk verification logic set according to the second security configuration request; when the target risk verification logic exists in the preset risk verification logic set, acquiring a risk verification logic identifier of the target risk verification logic, and taking the risk verification logic identifier of the target risk verification logic as security configuration information; when the target risk verification logic does not exist in the preset risk verification logic set, adding the target risk verification logic to the preset risk verification logic set, and generating a risk verification logic identifier of the target risk verification logic in the preset risk verification logic set; the establishing of the risk verification setting information corresponding to the service according to the security configuration information includes: and combining the risk verification logic identifications to obtain risk verification setting information corresponding to the service.
In addition, an embodiment of the present invention further provides an electronic device, which includes a processor and a memory, where the memory stores an application program, and the processor is configured to run the application program in the memory to implement the service access method provided in the embodiment of the present invention.
In addition, an embodiment of the present invention further provides a computer-readable storage medium, where a plurality of instructions are stored, and the instructions are suitable for being loaded by a processor to perform steps in any service access method provided in the embodiment of the present invention.
After receiving a service access request and the service identifier of the target service that the request needs to access, the scheme performs identity authentication on the user corresponding to the request; when the user passes the identity authentication it acquires the risk verification setting information corresponding to the service identifier, screens the risk verification logic corresponding to the risk verification logic identifier out of a preset risk verification logic set, adds the risk verification logic to the risk verification setting information to obtain risk verification configuration information, verifies the service access request according to the risk verification configuration information to obtain a risk verification result, and finally controls the user's access to the target service based on the risk verification result. Because different services use different risk verification configuration information, and every configuration is assembled from specific risk verification logic drawn from one unified preset risk verification logic set, risk control over service access is applied uniformly, a security gap is avoided, and the security of service access is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings required to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the description below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained based on these drawings without creative efforts.
Fig. 1 is a schematic view of a scenario of a service access method according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a service access method provided in an embodiment of the present invention;
FIG. 3 is a schematic page diagram of a security policy management page provided by an embodiment of the present invention;
FIG. 4 is a schematic page diagram of a security policy configuration page provided by an embodiment of the present invention;
FIG. 5 is another schematic flow diagram of service access provided by an embodiment of the present invention;
FIG. 6 is a schematic diagram of a get risk verification policy framework provided by an embodiment of the present invention;
FIG. 7 is a diagram illustrating a data structure of index information provided by an embodiment of the invention;
FIG. 8 is a diagram illustrating a determination of a risk verification result according to an embodiment of the present invention;
FIG. 9 is a block diagram of an overall framework for an identity recognition and access management system (IAM) provided by an embodiment of the present invention;
fig. 10 is a schematic flowchart of the authentication of the service access request by the identity recognition and access management system according to the embodiment of the present invention;
fig. 11 is a schematic structural diagram of a service access device according to an embodiment of the present invention;
fig. 12 is another schematic structural diagram of a service access device provided in an embodiment of the present invention;
fig. 13 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention provides a service access method, a service access device, electronic equipment and a computer readable storage medium. The service access device may be integrated in an electronic device, and the electronic device may be a server or a terminal.
The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud service, a cloud database, cloud computing, a cloud function, cloud storage, network service, cloud communication, middleware service, domain name service, security service, network acceleration service (CDN), big data, an artificial intelligence platform, and the like. The terminal may be, but is not limited to, a smart phone, a tablet computer, a laptop computer, a desktop computer, a smart speaker, a smart watch, and the like. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the application is not limited herein.
For example, referring to fig. 1, taking an example that a service access device is integrated in an electronic device, after receiving a service access request and a service identifier of a target service to be accessed by the service access request, the electronic device performs authentication on a user corresponding to the service access request, obtains risk authentication setting information corresponding to the service identifier when the user passes the authentication, then screens out risk authentication logic corresponding to a risk authentication logic identifier in the risk authentication setting information from a preset risk authentication logic set, adds the risk authentication logic to the risk authentication setting information to obtain risk authentication configuration information, then authenticates the service access request according to the risk authentication configuration information to obtain a risk authentication result, and finally controls the user to access the target service based on the risk authentication result to achieve the purpose of controlling the service access security.
The identity verification of the user corresponding to the service access request, and the verification of the service access request using the risk verification configuration information, can both be carried out on a cloud platform, and the risk verification result can be stored on the cloud platform. A cloud platform, also called a cloud computing platform, is a service built on hardware and software resources that provides computing, network and storage capabilities. Cloud computing is a computing model that distributes computing tasks over a resource pool formed by a large number of computers, so that application systems can obtain computing power, storage space and information services as needed. The network that provides the resources is referred to as the "cloud". To the user, resources in the "cloud" appear infinitely expandable: they are available at any time, used on demand, expanded at any time, and paid for on demand.
As a basic capability provider of cloud computing, a cloud computing resource pool (an IaaS, Infrastructure as a Service, platform) is established, and multiple types of virtual resources are deployed in the pool for external clients to use selectively.
Divided by logical function, a Platform as a Service (PaaS) layer can be deployed on the Infrastructure as a Service (IaaS) layer and a Software as a Service (SaaS) layer on the PaaS layer; the SaaS layer can also be deployed directly on the IaaS layer. PaaS is the platform on which software runs, such as a database or a web container. SaaS is the business software itself, such as a web portal or an SMS bulk sender. Generally speaking, SaaS and PaaS are upper layers relative to IaaS.
The following are detailed below. It should be noted that the following description of the embodiments is not intended to limit the preferred order of the embodiments.
In this embodiment, a service access apparatus will be described, where the service access apparatus may be specifically integrated in an electronic device, and the electronic device may be a server or a terminal; the terminal may include a tablet Computer, a notebook Computer, a Personal Computer (PC), a wearable device, a virtual reality device, or other intelligent devices capable of performing service access.
A method of service access, comprising:
receiving a service access request and a service identifier of a target service to be accessed by the service access request, authenticating a user corresponding to the service access request, acquiring risk authentication setting information corresponding to the service identifier when the user passes the authentication, wherein the risk authentication setting information comprises at least one risk authentication logic identifier, screening out a risk authentication logic corresponding to the risk authentication logic identifier from a preset risk authentication logic set, adding the risk authentication logic to the risk authentication setting information to obtain risk authentication configuration information, authenticating the service access request according to the risk authentication configuration information to obtain a risk authentication result, and controlling the user to access the target service based on the risk authentication result.
As shown in fig. 2, the specific flow of the service access method is as follows:
101. Receiving the service access request and the service identifier of the target service that the request needs to access, and performing identity authentication on the user corresponding to the service access request.
For example, the service access request and the service identifier of the target service may be received directly from the service server corresponding to the target service, or the service access request and the service identifier of the target service it needs to access may be received from the client of the user corresponding to the request. Specifically, this may include the following steps:
(1) Receiving a service access request sent by the service server and the service identifier of the target service.
For example, when a service server corresponding to a target service receives a service access request, a service access device may directly receive the service access request and a service identifier of the target service sent by the service server, or the service access device may also receive an authentication request sent by the service server, where the authentication request is used to authenticate a user corresponding to the service access request, and the service access device extracts the service access request and the service identifier of the target service from the authentication request.
(2) Receiving a service access request sent by the client of the user corresponding to the request, and the service identifier of the target service that the request needs to access.
For example, the service access device directly receives a service access request sent by a user through a client and a service identifier of a target service that the service access request needs to access, or may receive a service access request sent by a user through a client and obtain a service identifier of a target service that the service access request needs to access in the service access request, or may further obtain a service identifier of a target service that the service access request needs to access by intercepting a service access request sent by a user through a client to a service server corresponding to the target service.
After receiving the service access request and the service identifier of the target service, the service access device may perform identity authentication on the user corresponding to the request. The identity authentication of the user may take several forms, specifically as follows:
An information channel is constructed between the service access device and the client corresponding to the user according to the service access request, the current identity information entered by the user is received through the information channel, and the identity of the user is determined to pass authentication when the current identity information is the same as the preset identity information.
For example, an information request may be sent to the client, and according to the information request an information channel such as a long connection or a short connection may be constructed with the user's client.
After the information channel is constructed, the current identity information of the user can be obtained through it in various ways. For example, the service access device may send information acquisition page information to the client, so that the client displays the corresponding information acquisition page, and receive as the current identity information what the user enters on that page: an account number and fixed password, a one-time password (OTP), or the result of scanning an information acquisition identifier. Alternatively, preset information may be sent to the user's client through the information channel, where the preset information may include a verification code or other information used for verifying identity, and a short message or other message containing the preset information returned by the client is then received to obtain the current identity information of the user.
After the current identity information of the user is received, the current identity information can be compared with the preset identity information, when the current identity information is the same as the preset identity information, the identity authentication of the user can be determined to be passed, and when the current identity information is different from the preset identity information, the identity authentication of the user can be determined to be failed.
When the user fails to pass the authentication, the method for controlling the user to access the target service may be various, for example, the service access request may be directly denied to access the target service, or the authentication result that the user fails to pass the authentication may be sent to the service server corresponding to the target service, so that the service server denies the service access request to access the target service.
The source of the preset identity information may be various, for example, the preset identity information may be obtained from a service server corresponding to the target service, or may be preset information such as a verification code sent to a client of the user when the user performs identity verification, or may also be identity information in a third-party identity information base, where the third-party identity information base may be an identity information base performing information sharing with the target service.
102. And when the user passes the identity verification, acquiring risk verification setting information corresponding to the service identification.
The risk verification setting information comprises at least one risk verification logic identifier, and the risk verification setting information is used for indicating the information of the risk verification logic for performing risk verification on the service access request.
When the user passes the identity verification, the manner of acquiring the risk verification setting information may specifically be as follows:
for example, the index information of the risk verification setting information set may be obtained, where the index information is used to indicate an association relationship between a service identifier and the risk verification setting information, and the manner of obtaining the index information may be various, for example, the attribute information of the risk verification setting information set may be obtained, and the index information may be extracted from the attribute information, or a service identifier corresponding to each risk verification setting information in the risk verification setting information set may be read, and the index information of the risk verification setting information set may be constructed based on the read service identifier, where the risk verification setting information set may include risk verification setting information corresponding to different services, for example, risk verification setting information of an instant messaging service, risk verification setting information of a live broadcast service, risk verification setting information of a text processing service, and risk setting information of an image processing service, and so on.
After the index information of the risk verification setting information set is obtained, whether the business identification of the target business exists or not can be inquired in the index information, when the business identification exists in the index information, the risk verification setting information corresponding to the business identification is screened out from the risk verification setting information set, and when the business identification does not exist in the index information, the preset risk verification setting information is used as the risk verification setting information corresponding to the business identification.
The preset risk verification setting information may be any risk verification setting information in the risk verification setting information set, and it is the risk verification setting information common to the services, which means that if the service administrator has not configured corresponding risk verification configuration information for a service, the service access request is risk verified according to the risk verification configuration information corresponding to the preset risk verification setting information.
Optionally, before acquiring the index information of the risk verification setting information set, the risk verification policy configuration information of the service may be configured, so that before the step "acquiring the index information of the risk verification setting information set", the service access method may further include:
the method comprises the steps of acquiring security configuration information of a service, wherein the security configuration information carries a service identifier of the service, establishing risk verification setting information corresponding to the service according to the security configuration, establishing an association relationship between the service identifier of the service and the risk verification setting information, and adding the risk verification setting information of the service to a risk verification setting information set, and specifically comprises the following steps:
(1) And acquiring the security configuration information of the service.
The security configuration information carries a service identifier of a service, and the security configuration information may be security information configured for a service administrator to perform risk verification on a service access request of the service.
The security configuration information may be obtained in various ways, which may specifically be as follows:
a1, obtaining security configuration information through a configuration page.
For example, a first security configuration request of a service may be received, where the first security configuration request carries a service identifier of the service, a configuration page is generated according to the first security configuration request, the configuration page includes a preset risk verification logic identifier set, the risk verification logic identifiers selected from the risk verification logic identifier set are received based on the configuration page, and the selected risk verification logic identifiers and their selection order are used as the security configuration information.
For example, a service identifier of a service may be extracted from the first security configuration request, a service type of the service is determined according to the service identifier, configuration page information corresponding to the service type is screened from a preset configuration page information set, and a configuration page is generated according to the configuration page information, or preset configuration page information may be obtained according to the first security configuration request, and then a configuration page is generated according to the preset configuration page information, and so on.
After the configuration page is generated, the risk verification logic identifiers selected from the risk verification logic identifier set may be received based on the configuration page, and the specific receiving manner may be multiple. For example, the configuration page may be sent to a service terminal corresponding to the service, so that the configuration page is displayed at the service terminal, and the risk verification logic identifiers obtained through the user's selection operation on the risk verification logic identifier set in the configuration page at the service terminal, together with the selection sequence corresponding to the selection operation, are received.
And A2, obtaining the security configuration information through a target risk verification logic carried in the security configuration request.
For example, a second security configuration request of the service may be received, where the second security configuration request carries a service identifier of the service and a target risk verification logic corresponding to the service, a preset risk verification logic set is obtained according to the second security configuration request, when the target risk verification logic exists in the preset risk verification logic set, a risk verification logic identifier of the target risk verification logic is obtained and used as the security configuration information, and when the target risk verification logic does not exist in the preset risk verification logic set, the target risk verification logic is added to the preset risk verification logic set, and a risk verification logic identifier of the target risk verification logic in the preset risk verification logic set is generated.
For example, the information of the security management page may be sent to a service terminal corresponding to the service, so that the security management page is displayed at the service terminal, and the second security configuration request generated after the security configuration is performed on the security management page by the user is received.
The security management page may be as shown in fig. 3, and includes a service selection control 31 and a security configuration control 32, where the service selection control 31 is used for the service administrator to select, on the security configuration page, the service that needs to be configured, the security configuration control 32 is used for the service administrator to configure the risk verification corresponding to the service, and the main operations of the security configuration control 32 may be multiple, for example, a risk verification logic may be uploaded to obtain a target risk verification logic, or a preset risk verification logic may be modified to obtain a target risk verification logic, or logic parameters may be added to a risk verification logic framework to generate a target risk verification logic.
After the service terminal generates the target risk verification logic, a second security configuration request which is sent by the service terminal and carries the target risk verification logic and the service identifier of the service can be received.
(2) And constructing risk verification setting information corresponding to the service according to the security configuration information.
For example, there may be multiple methods for constructing risk verification setting information corresponding to a service, for example, the selected risk verification logic identifiers may be combined according to a selection order to obtain risk verification setting information corresponding to a service, or the risk verification logic identifiers of a target risk verification logic may be directly combined to obtain risk verification setting information corresponding to a service, and the like.
For example, the risk verification logic identifiers may be combined, after the combined risk verification logic identifiers are obtained, risk verification setting information corresponding to the combined risk verification logic identifiers is screened from a preset risk verification setting information set, and risk verification setting information corresponding to the service is obtained, or the risk verification logic identifiers may be combined, after the combined risk verification logic identifiers are obtained, initial risk verification setting information is obtained, the combined risk verification logic identifiers are added to the initial risk verification setting information, and risk verification setting information corresponding to the service is obtained, or the risk verification logic identifiers and the initial risk verification setting information may be directly combined, and risk verification setting information corresponding to the service is obtained.
(3) And establishing an incidence relation between the service identification of the service and the risk verification setting information, and adding the risk verification setting information of the service to the risk verification setting information set.
For example, an association relationship between the service identifier of the service and the risk verification setting information may be established, and the association relationship may be stored in the form of an index. And adding the risk verification setting information of the service into the risk verification setting information set, and associating the index with the risk verification setting information set so as to obtain the index information of the risk verification setting information.
103. And screening out risk verification logics corresponding to the risk verification logic identifications from a preset risk verification logic set, and adding the risk verification logics to the risk verification setting information to obtain risk verification configuration information.
The risk verification configuration information may be configuration information for verifying whether the service access request is at risk, and the configuration information may include one or more loaded risk verification logics.
The method for obtaining the risk verification configuration information may be various, and specifically may be as follows:
for example, a risk verification logic corresponding to the risk verification logic identifier is screened from a preset risk verification logic set, then at least one loading address used for loading the risk verification logic is identified in risk verification setting information, the loading address corresponding to the risk verification logic is determined according to the type of the loading address, and the risk verification logic is loaded to the corresponding loading address in the risk verification setting information to obtain risk verification configuration information.
For example, the logic type corresponding to the load address can be obtained, the logic type corresponding to the load address is matched with the risk verification logic, and the load address corresponding to each risk verification logic can be determined according to the matching result.
After determining the loading address corresponding to each risk verification logic, the risk verification logic may be loaded to the corresponding loading address in the risk verification setting information, and the specific loading manner may be multiple, for example, the loading time of each risk verification logic may be determined according to the verification type of the risk verification logic, and the risk verification logic is loaded to the loading address in the risk verification setting information based on the loading time, so as to obtain the risk verification configuration information, or the loading order of each risk verification logic may be determined according to the verification type of the risk verification logic, and the risk verification logic is loaded to the loading address in the risk verification setting information based on the loading order, so as to obtain the risk verification configuration information.
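The registry below is an added example (not code from the patent or its applicant) that ties together step 102 (index lookup by service identifier with fallback to the preset setting), steps (1) to (3) of the configuration flow (selected identifiers in selection order become setting information and an index entry) and step 103 (loading the logic objects into the setting information, here ordered by verification type). The class names, the `__default__` index key, the `LOAD_PRIORITY` table and the sample logics are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumed shape of a risk verification logic: an identifier, the verification
# type the text describes (black/white list, request frequency, ...) and the
# check itself, which takes the access parameters and returns True on pass.
@dataclass(frozen=True)
class RiskLogic:
    logic_id: str
    verification_type: str
    check: Callable[[dict], bool]

# Risk verification setting information for one service: the selected logic
# identifiers in selection order, plus the loaded logics (the risk verification
# configuration information) once step 103 has run.
@dataclass
class RiskSetting:
    service_id: str
    logic_ids: List[str]
    loaded: List[RiskLogic] = field(default_factory=list)

# Assumed index key for the preset setting shared by services with no configuration.
DEFAULT_SERVICE_ID = "__default__"

# Assumed load order by verification type: cheap local checks before remote ones.
LOAD_PRIORITY = {"blacklist": 0, "frequency": 1, "multi_factor": 2, "third_party": 3}


class RiskSettingRegistry:
    """Risk verification setting information set plus its service-id index."""

    def __init__(self, preset_logics: Dict[str, RiskLogic], default_logic_ids: List[str]):
        self.preset_logics: Dict[str, RiskLogic] = dict(preset_logics)
        self.index: Dict[str, RiskSetting] = {}
        self.register(DEFAULT_SERVICE_ID, default_logic_ids)

    def add_logic(self, logic: RiskLogic) -> str:
        """A2: a target logic absent from the preset set is added; its identifier is returned."""
        self.preset_logics.setdefault(logic.logic_id, logic)
        return logic.logic_id

    def register(self, service_id: str, selected_logic_ids: List[str]) -> RiskSetting:
        """Steps (1)-(3): security configuration -> setting information -> index entry.

        Identifiers are kept in selection order. Unknown identifiers are rejected
        rather than silently dropped, so a typo in the configuration cannot
        remove a check without anyone noticing.
        """
        if not selected_logic_ids:
            raise ValueError("a service must select at least one risk verification logic")
        unknown = [i for i in selected_logic_ids if i not in self.preset_logics]
        if unknown:
            raise ValueError(f"unknown risk verification logic ids: {unknown}")
        setting = RiskSetting(service_id, list(selected_logic_ids))
        self.index[service_id] = setting
        return setting

    def lookup(self, service_id: str) -> RiskSetting:
        """Step 102: query the index; fall back to the preset setting when absent."""
        return self.index.get(service_id, self.index[DEFAULT_SERVICE_ID])

    def load(self, service_id: str) -> RiskSetting:
        """Step 103: resolve identifiers to logics and place them in load order.

        Ordering by verification type is one of the two options the text gives;
        sorted() is stable, so logics of equal type keep their selection order.
        """
        setting = self.lookup(service_id)
        logics = [self.preset_logics[i] for i in setting.logic_ids]
        setting.loaded = sorted(logics, key=lambda lg: LOAD_PRIORITY.get(lg.verification_type, 99))
        return setting


def build_demo_registry() -> RiskSettingRegistry:
    """Constructed sample data: three preset logics, a preset setting and one service."""
    preset = {
        "L-blacklist": RiskLogic("L-blacklist", "blacklist",
                                 lambda p: p.get("ip") not in {"198.51.100.7"}),
        "L-frequency": RiskLogic("L-frequency", "frequency",
                                 lambda p: p.get("request_frequency", 0) <= 60),
        "L-third": RiskLogic("L-third", "third_party", lambda p: True),
    }
    reg = RiskSettingRegistry(preset, default_logic_ids=["L-blacklist"])
    reg.register("svc-im", ["L-third", "L-frequency", "L-blacklist"])
    return reg


def loaded_ids(reg: RiskSettingRegistry, service_id: str) -> List[str]:
    """Identifiers of the loaded logics, in load order, for a given service."""
    return [lg.logic_id for lg in reg.load(service_id).loaded]
```

A service with no index entry (`loaded_ids(reg, "svc-unknown")`) resolves to the preset setting, which is the fallback the text describes; making that preset non-empty matters, since an empty default would mean an unconfigured service gets no risk verification at all.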
104. And verifying the service access request according to the risk verification configuration information to obtain a risk verification result.
For example, a historical risk verification record corresponding to the service access request may be obtained, and the service access request is verified according to the historical risk verification record and the risk verification configuration information, so as to obtain a risk verification result, which may specifically be as follows:
and B1, acquiring a historical risk verification record corresponding to the service access request.
The historical risk verification record is used for recording a verification result of risk verification of the business access request before the current time.
The mode of obtaining the historical risk verification record may be various, and specifically may be as follows:
for example, the historical risk verification record corresponding to the service access request may be directly obtained from a risk verification record library. For example, a query condition may be constructed according to the service identifier and the terminal identifier carried in the service access request, and the risk verification record corresponding to the query condition may be queried in a preset risk verification record library, so as to obtain the historical risk verification record corresponding to the service access request; or the attribute information of the service access request may be obtained, a query condition may be constructed based on the attribute information, and the risk verification record corresponding to the query condition may be queried in the preset risk verification record library, so as to obtain the historical risk verification record corresponding to the service access request. Or, candidate historical risk verification records corresponding to the target service may be obtained from the risk verification record library, and the historical risk verification record corresponding to the service access request is screened from the candidate historical risk verification records. For example, according to the service identifier carried in the service access request, candidate historical risk verification records corresponding to the target service are screened from the risk verification record library, and the historical risk verification record corresponding to the terminal identifier or the user identifier carried in the service access request is screened from the candidate historical risk verification records, so as to obtain the historical risk verification record corresponding to the service access request.
And B2, verifying the service access request according to the historical risk verification record and the risk verification configuration information to obtain a risk verification result.
For example, an initial risk verification result of the service access request may be determined according to the historical risk verification record, an access parameter corresponding to the risk verification logic in the risk verification configuration information is extracted from the service access request, the access parameter is verified based on the risk verification logic, and the initial risk verification result and the verification result of the access parameter are fused to obtain a risk verification result, which may specifically be as follows:
(1) And determining an initial risk verification result of the service access request according to the historical risk verification record.
For example, the risk verification logic corresponding to the historical risk verification records can be screened from the risk verification configuration information, target historical risk verification records of the service access request within a preset time range are extracted from the historical risk verification records, the verification times corresponding to each type of historical risk verification result are counted from the target historical risk verification records, and the verification times are substituted into the verification conditions of the risk verification logic corresponding to the risk verification records for verification, so as to obtain the initial risk verification result of the service access request.
The predetermined time range may be various, for example, it may be a specific time period, for example, it may be 10 minutes, 1 hour or 1 day, etc., or it may also be a plurality of specific time periods, for example, it may be 1-2 pm and 3-5 pm, etc.
The types of the historical risk verification result may include multiple types, for example, there may be two types of risk and risk absence, or there may also be multiple risk levels, namely, risk level 1, risk level 2, and risk level 3.
For example, the number of times of the type in the target historical risk verification record may be directly counted to obtain the corresponding verification number, or the verification number of the type of the historical risk verification result may be counted in the target historical risk verification record according to a preset condition, for example, the preset condition may be the verification number of the same type of risk verification result continuously, or the verification number of the same type of risk verification result in the same period, and the like.
After the verification times corresponding to each type of historical risk verification result are counted, the verification times can be substituted into the verification conditions of the risk verification logic corresponding to the risk verification records for verification, and the verification modes can be various. For example, taking the verification times as the number of verification results indicating risk, the verification times can be compared with the quantity threshold corresponding to the verification condition: when the number of verification results indicating risk within the preset time range exceeds the preset quantity threshold, it can be determined that the service access request has a risk, otherwise it can be determined that the service access request has no risk. Or, the verification times can be converted into a verification probability, for example, the ratio of the verification times to the total verification times is calculated to obtain the risk ratio of verification results indicating risk, and the risk ratio is compared with a preset risk ratio threshold: when the risk ratio exceeds the preset risk ratio threshold, it can be determined that the service access request has a risk, otherwise it can be determined that the service access request has no risk. In this way, the initial risk verification result of the service access request can be obtained.
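The following is an added example (not the patent's own code) of steps B1 and (1) above: a history query by service and terminal identifier, the count of each result type within the preset time range, and the three verification conditions the text names, a quantity threshold, a risk ratio threshold, and the "consecutive results of the same type" preset condition. The record layout, the two-type result scheme ("risk" / "no_risk") and the sample records are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed record layout: one row per past risk verification of a request from
# the given terminal to the given service, with a two-type result.
@dataclass(frozen=True)
class RiskRecord:
    service_id: str
    terminal_id: str
    at: datetime
    result: str  # "risk" or "no_risk"


def query_history(library: List[RiskRecord], service_id: str, terminal_id: str) -> List[RiskRecord]:
    """B1: the query condition is built from the service and terminal identifiers of the request."""
    return [r for r in library if r.service_id == service_id and r.terminal_id == terminal_id]


def target_records(history: List[RiskRecord], now: datetime, window: timedelta) -> List[RiskRecord]:
    """Target records: those within the preset time range ending at `now`, in time order."""
    start = now - window
    return sorted((r for r in history if start <= r.at <= now), key=lambda r: r.at)


def count_by_type(target: List[RiskRecord]) -> Counter:
    """Verification times per type of historical risk verification result."""
    return Counter(r.result for r in target)


def max_consecutive(target: List[RiskRecord], result_type: str) -> int:
    """Longest run of the same result type in time order (the 'consecutive' preset condition)."""
    best = run = 0
    for r in target:
        run = run + 1 if r.result == result_type else 0
        best = max(best, run)
    return best


def initial_risk_result(history: List[RiskRecord], now: datetime, window: timedelta,
                        count_threshold: Optional[int] = None,
                        ratio_threshold: Optional[float] = None,
                        consecutive_threshold: Optional[int] = None) -> str:
    """Substitute the counts into the verification conditions; any one exceeded means risk.

    Each threshold is optional so a service can configure whichever condition
    its risk verification logic carries; a request with no history in the
    window has zero risky results and therefore passes this stage.
    """
    target = target_records(history, now, window)
    counts = count_by_type(target)
    risky, total = counts["risk"], sum(counts.values())
    if count_threshold is not None and risky > count_threshold:
        return "risk"
    if ratio_threshold is not None and total and risky / total > ratio_threshold:
        return "risk"
    if consecutive_threshold is not None and max_consecutive(target, "risk") > consecutive_threshold:
        return "risk"
    return "no_risk"


# Constructed sample library: six records for terminal t-1 and one for t-2,
# all against the same service, timed relative to a fixed "now".
NOW = datetime(2021, 5, 18, 12, 0, 0)


def build_demo_library() -> List[RiskRecord]:
    def mk(minutes_ago: int, result: str, terminal: str = "t-1") -> RiskRecord:
        return RiskRecord("svc-im", terminal, NOW - timedelta(minutes=minutes_ago), result)
    return [mk(90, "risk"), mk(50, "risk"), mk(40, "no_risk"), mk(30, "risk"),
            mk(20, "risk"), mk(5, "no_risk"), mk(3, "risk", "t-2")]
```

For terminal t-1 the one-hour window holds five records, three of them risky: a quantity threshold of 2 flags the request, a threshold of 3 does not, while a ratio threshold of 0.5 does (3/5 = 0.6). Narrowing the window to ten minutes leaves a single non-risky record and the stage passes, which is why the time range is itself part of the verification condition.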
(2) And extracting the access parameters corresponding to the risk verification logic in the risk verification configuration information from the service access request, and verifying the access parameters based on the risk verification logic.
The access parameter may be access information and the like carried in the service access request, and for example, the access parameter may include an access address (ip), a proxy address (agent), a request frequency, a custom parameter, and a parameter required by a third party authentication server.
The access parameter may be specifically verified as follows:
for example, an access parameter corresponding to a risk verification logic loaded in the risk verification configuration information is extracted from the service access request, then the attribute information of the risk verification logic is obtained, the verification path of the risk verification logic is determined according to the attribute information of the risk verification logic, when the verification path is local verification, the access parameter corresponding to the risk verification logic is adopted for verification, and when the verification path is third-party verification, the corresponding access parameter is sent to a verification server for verification according to the risk verification logic, and a verification result corresponding to the access parameter returned by the verification server is received.
For example, head data of the service access request can be obtained, and parameters corresponding to the risk verification logic are screened out from the head data to obtain access parameters, or a parameter type of a parameter to be verified is extracted from the risk verification logic, and a parameter corresponding to the parameter type is extracted from the service access request to obtain access parameters corresponding to the risk verification logic.
For example, whether a third-party verification address exists in the attribute information of the risk verification logic may be queried; when a third-party verification address exists in the attribute information of the risk verification logic, the verification path of the risk verification logic can be determined to be third-party verification, otherwise the verification path can be determined to be local verification. Or, whether a third-party verification condition exists in the attribute information of the risk verification logic may be queried, where the third-party verification condition may be a verification condition different from the verification conditions corresponding to the risk verification logics in the preset risk verification logic set; when a third-party verification condition exists in the attribute information of the risk verification logic, the verification path can be determined to be third-party verification, otherwise the verification path can be determined to be local verification. Or, the attribute information of the risk verification logic may be compared with preset attribute information; when the attribute information of the risk verification logic is the same as the preset attribute information, the verification path can be determined to be local verification, and when it differs from the preset attribute information, the verification path can be determined to be third-party verification.
When the verification path of the risk verification logic is local verification, the risk verification logic may also be referred to as built-in risk verification logic, and when the verification path of the risk verification logic is third-party verification, the risk verification logic may also be referred to as third-party risk verification logic.
C1, when the verification path is local verification.
When the verification path is local verification, the verification mode for the access parameter may also include multiple modes, for example, the verification type of the risk verification logic and the verification condition corresponding to the verification type may be determined, the access parameter value corresponding to the verification type is extracted from the access parameter, and the access parameter is substituted into the corresponding verification condition for verification, so as to obtain the verification result of the access parameter.
For example, when the verification path of the risk verification logic is local verification, the verification type of the risk verification logic may include black and white list verification, request frequency verification, multi-factor combinational logic verification, and the like. When the verification approach of the risk verification logic is third party verification, the verification type of the risk verification logic can be third party verification and the like. For example, when the verification type is black-and-white list verification, the corresponding verification condition may be a condition for determining whether the access parameter is a black-and-white list, when the verification type is request frequency verification, the corresponding verification condition may be a threshold of the request frequency, when the verification type is multi-factor combinational logic verification, the corresponding verification condition may be a determination condition of the multi-factor combinational logic, and the like.
After the verification type and the verification condition are determined, an access parameter value corresponding to the verification type can be extracted from the access parameter, the extraction mode can be various, for example, when the verification type is black and white list verification, a parameter value corresponding to a black and white list can be extracted from the access parameter to obtain the access parameter value, when the verification type is a request frequency, a request frequency value of a service access request can be extracted from the access parameter to obtain the access parameter value, when the verification type is multi-factor combination logic verification, a parameter value corresponding to multi-factor combination can be extracted from the access parameter to obtain the access parameter value, and the like.
After the access parameter value is extracted, the access parameter value may be substituted into the corresponding verification condition for verification, and the verification manner may also include various manners. For example, when the access parameter value is a parameter value corresponding to the black-and-white list, the parameter value is substituted into the black-and-white list verification condition; when the parameter value satisfies the verification condition, the service access request may be determined to be on the white list and the black-and-white list verification passes, otherwise the black-and-white list verification fails. When the verification type is request frequency verification, the request frequency value is compared with the request frequency threshold; when the threshold is not exceeded, the request frequency verification may be determined to pass, otherwise the request frequency verification fails. When the verification type is multi-factor combinational logic verification, the parameter value corresponding to the multi-factor combination is substituted into the multi-factor combinational verification condition; when the parameter value satisfies the multi-factor combinational verification condition, the multi-factor combinational logic verification may be determined to pass, otherwise the multi-factor combinational logic verification fails, and so on.
And C2, when the verification path is verified by a third party.
For example, according to the risk verification logic, the corresponding access parameter may be sent to the verification server for verification, and there are various verification manners, for example, a verification address verified by a third party may be extracted from the risk verification logic, and the access parameter corresponding to the risk verification logic is sent to the verification server, so that the verification server verifies the access parameter, or a type or an identifier of a third party verification model may be extracted from the risk verification logic, a verification address corresponding to the third party verification model is determined according to the type or the identifier of the third party verification model, and the access parameter corresponding to the risk verification logic is sent to the verification address, so that the verification server verifies the access parameter.
The third party verification model may also be understood as substituting the access parameter value in the access parameter into one or more verification conditions stored in the third party verification model for verification, and if the verification conditions are met, it may be determined that the access parameter passes verification, otherwise, it may be determined that the access parameter fails verification.
After the verification server verifies the access parameter, the verification result corresponding to the access parameter returned by the verification server can be received.
It should be noted that, the verification of the access parameter by the risk verification logic may be independent and parallel binary judgment, or may also be multivariate judgment.
(3) And fusing the initial risk verification result and the verification result of the access parameter to obtain a risk verification result.
For example, when the initial risk verification result indicates that a risk exists or at least one verification result in the verification results of the access parameters indicates that the verification fails, determining that the risk verification result indicates that the service access request has a risk; and when the initial risk verification result is that no risk exists and the verification results of the access parameters are all verified, determining that the risk verification result of the service access request is that no risk exists.
The judgment that the risk verification result is that a risk exists can be understood as that when the service access request is verified through the historical risk verification record and the risk verification logic, the risk verification result of the service access request can be determined to be that a risk exists as long as any judgment result is a malicious request. The judgment that the risk verification result is no risk can be understood as that when the service access request is verified through the historical risk verification record and the risk verification logic, the risk verification result of the service access request can be determined to be no risk when all judgment results are non-malicious requests.
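The engine below is an added example (not the patent's or the applicant's code) covering step (2), extraction of the access parameters from the request, determination of the verification path from the presence of a third-party verification address, local verification by black/white list, request frequency and multi-factor combination, and the third-party path, together with the fusion rule of step (3) and the direct access control of step 105. The `RiskLogic` layout, the condition keys, the `demo_third_party` stub standing in for the verification server, the sample logics and the sample requests are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed shape of a loaded risk verification logic. A third-party verification
# address in its attribute information marks the third-party path, which is the
# first of the three ways the text gives for determining the path.
@dataclass(frozen=True)
class RiskLogic:
    logic_id: str
    verification_type: str  # "blacklist", "frequency", "multi_factor" or "third_party"
    condition: dict         # the verification condition for that type
    third_party_address: Optional[str] = None


def extract_access_params(request: dict) -> dict:
    """Pull the access parameters named in the text out of the request header data and body."""
    headers = request.get("headers", {})
    return {
        "ip": request.get("ip"),
        "agent": headers.get("User-Agent"),
        "request_frequency": request.get("request_frequency", 0),
        "custom": request.get("custom", {}),
    }


def verification_path(logic: RiskLogic) -> str:
    return "third_party" if logic.third_party_address else "local"


def verify_local(logic: RiskLogic, params: dict) -> bool:
    """Substitute the access parameter value into the condition of the logic's verification type."""
    t, cond = logic.verification_type, logic.condition
    if t == "blacklist":
        ip = params["ip"]
        if ip in cond.get("whitelist", ()):   # an explicit white-list entry wins
            return True
        return ip not in cond.get("blacklist", ())
    if t == "frequency":
        return params["request_frequency"] <= cond["max_per_minute"]
    if t == "multi_factor":
        # Combinational condition: every listed factor must hold at the same time.
        values = {"ip": params["ip"], "agent": params["agent"], **params["custom"]}
        return all(values.get(k) == v for k, v in cond["factors"].items())
    raise ValueError(f"no local verification condition for type {t!r}")


ThirdPartyClient = Callable[[str, dict], bool]


def verify_access_params(logics: List[RiskLogic], params: dict,
                         third_party: ThirdPartyClient) -> Dict[str, bool]:
    """Independent binary judgments, one per loaded logic, keyed by logic identifier."""
    results: Dict[str, bool] = {}
    for logic in logics:
        if verification_path(logic) == "local":
            results[logic.logic_id] = verify_local(logic, params)
        else:
            results[logic.logic_id] = third_party(logic.third_party_address, params)
    return results


def fuse(initial_result: str, param_results: Dict[str, bool]) -> str:
    """Step (3): any failing judgment makes the request risky; all passing means no risk."""
    if initial_result == "risk" or not all(param_results.values()):
        return "risk"
    return "no_risk"


def control_access(risk_result: str) -> str:
    """Step 105, direct control: deny risky requests, otherwise allow the channel to be built."""
    return "deny" if risk_result == "risk" else "allow"


def demo_third_party(address: str, params: dict) -> bool:
    """Constructed stub for the verification server: a real client would send the
    parameters to `address` and return the server's result."""
    return "bot" not in (params.get("agent") or "").lower()


# Constructed sample configuration: three local logics and one third-party logic.
DEMO_LOGICS = [
    RiskLogic("L-blacklist", "blacklist",
              {"blacklist": {"198.51.100.7"}, "whitelist": {"203.0.113.9"}}),
    RiskLogic("L-frequency", "frequency", {"max_per_minute": 60}),
    RiskLogic("L-mfa", "multi_factor", {"factors": {"device_bound": True, "region": "cn"}}),
    RiskLogic("L-third", "third_party", {}, third_party_address="https://verify.example.invalid/check"),
]


def evaluate_request(request: dict, initial_result: str, logics: List[RiskLogic] = DEMO_LOGICS,
                     third_party: ThirdPartyClient = demo_third_party) -> Dict[str, object]:
    """Full step 104/105 pass: parameter verification, fusion with the history result, control."""
    params = extract_access_params(request)
    results = verify_access_params(logics, params, third_party)
    risk = fuse(initial_result, results)
    return {"param_results": results, "risk_result": risk, "action": control_access(risk)}
```

The fusion is deliberately conjunctive: one failed judgment, from history or from any one logic, denies the request, so adding a logic can only make the policy stricter. Injecting the third-party client as a callable keeps the remote path testable offline and makes the trust boundary explicit, since whatever that callable returns is treated as the verification server's result.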
105. And controlling the user to access the target service based on the risk verification result.
For example, there may be various ways to control the user to access the target service based on the risk verification result, for example, the user may be directly controlled to access the target service, or the user may also be indirectly controlled to access the target service, which may specifically be as follows:
(1) Directly controlling the user to access the target service.
For example, when the risk verification result indicates that the service access request is at risk, the user is denied access to the target service in various ways, for example, the service access request may be directly intercepted, so that the user cannot access the target service, for example, an interception parameter is added to a data packet of the service access request, so that the service access request cannot access a service server of the target service, or the service access request may be isolated to a preset isolation area to intercept the service access request, or the access right of the service access request may be directly set to be inaccessible to intercept the service access request; or, the access address in the service access request is modified to be an empty address or other preset address, so that the user cannot access the target service through the service access request.
When the risk verification result indicates that the service access request has no risk, the user is allowed to access the target service, for example, an information channel between the client of the user and the target service can be directly constructed according to the service access request, and the channel can be a long-chain connection channel or a short-chain connection channel between the client and a service server of the target service, so that the user can access the target service through the client.
(2) Indirectly controlling the user to access the target service.
For example, the risk verification result is sent to the service server corresponding to the target service, so that the service server controls the user to access the target service in various ways, for example, when the risk verification result indicates that the service access request has a risk, the service server denies the service access request. And when the risk verification result shows that the service access request has no risk, the service server can access the service access request, so that the user can normally access the target service.
Optionally, the risk verification result may be sent to a client corresponding to the user to prompt the user whether the user may access the target service.
Optionally, in an embodiment, the service access device further stores the risk verification result of the service access request to the blockchain.
As can be seen from the above, in the embodiment of the present invention, after receiving a service access request and a service identifier of a target service to be accessed by the service access request, identity authentication is performed on the user corresponding to the service access request; when the user passes the authentication, risk verification setting information corresponding to the service identifier is obtained; risk verification logic corresponding to the risk verification logic identifier is then screened out from a preset risk verification logic set and added to the risk verification setting information to obtain risk verification configuration information; the service access request is then verified according to the risk verification configuration information to obtain a risk verification result; and finally, the user's access to the target service is controlled based on the risk verification result. According to the scheme, different risk verification configuration information is adopted for different services, and the risk verification configuration information is obtained from specific risk verification logic in a unified preset risk verification logic set, so that unified risk control can be performed on service access, a security gap is avoided, and the security of service access can be improved.
The method described in the above examples is further illustrated in detail below by way of example.
In this embodiment, the service access device is specifically integrated in an electronic device, the electronic device is a security server, the risk verification setting information is a risk verification policy framework, the risk verification configuration information is a risk verification policy, the risk verification logic includes a built-in risk verification logic and a risk verification logic of a third party, and the built-in risk verification logic includes a black-and-white list verification logic, a frequency request verification logic, and a multi-factor combination verification logic as examples for description.
(I) The security server configures the security policy of the service to obtain the security policy configuration information corresponding to the service.
(1) The security server obtains security policy configuration information of the service.
For example, the security server may obtain the security policy configuration information of the service in various ways, which may specifically be as follows:
D1. The security server acquires the security policy configuration information through the configuration page.
For example, a service administrator may send a first security policy configuration request to the security server through a configuration terminal, where the first security policy configuration request carries the service identifier of the service. The security server extracts the service identifier from the first security policy configuration request, determines the service type of the service according to the service identifier, screens the configuration page information corresponding to the service type from a preset configuration page information set, and generates a configuration page according to that configuration page information; alternatively, it may obtain preset configuration page information according to the first security policy configuration request and generate the configuration page from the preset configuration page information. The security server sends the configuration page to the configuration terminal, where it is displayed; the service administrator performs a selection operation on the risk verification logic identifier set shown in the configuration page; the configuration terminal sends the risk verification logic identifiers selected by the service administrator, together with their selection order, to the security server; and the security server takes the selected risk verification logic identifiers and the selection order as the security policy configuration information.
D2. The security server acquires the security policy configuration information through the target risk verification logic carried in the security policy configuration request.
For example, the security server sends information of a security policy management page to the service terminal corresponding to the service, so that the service terminal displays the security policy management page. The service administrator selects the service requiring security policy configuration by triggering the service selection control in the security policy management page and then triggers the security policy configuration control, whereupon a security policy configuration page is displayed on the configuration terminal. As shown in fig. 4, the security policy configuration page may include a security policy selection area 41 and a determination condition configuration area 42; a security policy such as black and white list, frequency control, multi-factor determination, history record or third-party policy may be selected in the security policy selection area 41, and the configuration performed on the selected security policy in the determination condition configuration area 42 may consist of setting a determination keyword, a determination condition, a determination value, a logical relationship, a determination operation, and the like. After the administrator completes the configuration in the determination condition configuration area, the configuration terminal obtains the target risk verification logic generated for the service, triggers generation of a second security policy configuration request, adds the service identifier of the service and the target risk verification logic to the second security policy configuration request, and sends the second security policy configuration request to the security server, which receives it.
The security server acquires the preset risk verification logic set according to the second security policy configuration request. When the target risk verification logic already exists in the preset risk verification logic set, the security server acquires the risk verification logic identifier of the target risk verification logic and takes that identifier as the security policy configuration information; when the target risk verification logic does not exist in the preset risk verification logic set, the security server adds the target risk verification logic to the preset risk verification logic set and generates a risk verification logic identifier for it in the set.
(2) The security server constructs a risk verification policy framework corresponding to the service according to the security policy configuration information.
For example, the security server may combine the selected risk verification logic identifiers according to a selection order, and after the combined risk verification logic identifiers are obtained, a risk verification policy frame corresponding to the combined risk verification logic identifiers is screened from a preset risk verification policy frame set, and a risk verification policy frame corresponding to the service is obtained, or may combine the risk verification logic identifiers, and after the combined risk verification logic identifiers are obtained, an initial risk verification policy frame is obtained, and the combined risk verification logic identifiers are added to the initial risk verification policy frame, and a risk verification policy frame corresponding to the service is obtained, or may directly combine the risk verification logic identifiers and the initial risk verification policy frame, and a risk verification policy frame corresponding to the service is obtained.
(3) The security server establishes an association relationship between the service identifier of the service and the risk verification strategy framework, and adds the risk verification strategy framework of the service to the risk verification strategy framework set.
For example, the security server establishes an association relationship between the service identifier of the service and the risk verification policy framework, and stores the association relationship in the form of an index. And adding the risk verification strategy frame of the service into the risk verification strategy frame set, and associating the index with the risk verification strategy frame set, thereby obtaining the index information of the risk verification strategy frame.
(II) The security server controls the user to access the target service based on the security policy configuration information and the risk verification policy framework set.
As shown in fig. 5, a service access method specifically includes the following processes:
201. The security server receives the service access request and the service identifier of the target service that the service access request needs to access.
For example, the security server may directly receive a service access request and a service identifier of a target service sent by the service server, or the security server may also receive an authentication request sent by the service server, where the authentication request is used to authenticate a user corresponding to the service access request, and the security server extracts the service access request and the service identifier of the target service from the authentication request.
The security server may also directly receive a service access request sent by a user through the client and a service identifier of a target service that the service access request needs to access, or may receive a service access request sent by the user through the client and obtain a service identifier of a target service that the service access request needs to access in the service access request, or may further obtain the service identifier of a target service that the service access request needs to access by intercepting a service access request sent by the user through the client to a service server corresponding to the target service.
202. The security server performs identity authentication on the user corresponding to the service access request.
For example, the security server sends information acquisition page information to the client according to the service access request, so that an information acquisition page corresponding to the information acquisition page information is displayed at the client, and information input by an account number, a fixed password, a one-time password or a scanning information acquisition identifier, which is input by a user through the information acquisition page, is received as current identity information; or, preset information may be sent to the client corresponding to the user through the information channel, where the preset information may include a verification code or other information used for verifying the identity, and then a short message or other information containing the preset information returned by the client is received, so as to obtain the current identity information of the user.
The security server compares the current identity information with the preset identity information, when the current identity information is the same as the preset identity information, the identity authentication of the user can be determined to be passed, and when the current identity information is different from the preset identity information, the identity authentication of the user can be determined to be failed.
When the user's identity authentication fails, the security server may directly deny the service access request to access the target service, or may also send the authentication result that the identity authentication fails to pass to the service server corresponding to the target service, so that the service server denies the service access request to access the target service.
203. When the user passes the identity authentication, the security server acquires the risk verification policy framework corresponding to the service identifier.
For example, when the identity authentication of the user passes, the security server obtains attribute information of the risk verification policy framework set and extracts index information from the attribute information; alternatively, it may read the service identifier corresponding to each risk verification policy framework in the set and construct the index information of the risk verification policy framework set from the service identifiers read.
After obtaining the index information of the risk verification policy frame set, the security server may query whether a service identifier of the target service exists in the index information, screen a risk verification policy frame corresponding to the service identifier in the risk verification policy frame set when the service identifier exists in the index information, and use a preset risk verification policy frame as a risk verification policy frame corresponding to the service identifier when the service identifier does not exist in the index information, where an obtaining process is shown in fig. 6, and a data structure of the index information may be shown in fig. 7.
204. The security server screens out the risk verification logics corresponding to the risk verification logic identifiers from the preset risk verification logic set, and loads the risk verification logics into the risk verification policy framework to obtain a risk verification policy.
For example, the security server screens risk verification logics corresponding to risk verification logic identifiers from a preset risk verification logic set, obtains at least one loading address used for loading the risk verification logics in a risk verification policy framework, obtains a logic type corresponding to the loading address, matches the logic type corresponding to the loading address with the risk verification logics, and can determine the loading address corresponding to each risk verification logic according to a matching result.
After determining the loading address corresponding to each risk verification logic, the security server determines the loading time of each risk verification logic according to the verification type of the risk verification logic, and loads the risk verification logic to the loading address in the risk verification policy framework based on the loading time, so as to obtain a risk verification policy, or determines the loading sequence of each risk verification logic according to the verification type of the risk verification logic, and loads the risk verification logic to the loading address in the risk verification policy framework based on the loading sequence, so as to obtain the risk verification policy.
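The configuration and loading steps above (steps (2) and (3) of part (I), and steps 203 and 204 of part (II)) can be illustrated together with a small policy framework store. The following Python is an added example and not the patent's implementation: the framework set, its service-identifier index with fallback to a preset framework, the registration of a target risk verification logic that may or may not already exist in the preset logic set, and the loading of logics into loading addresses matched by logic type. The class names, the `LOAD_ORDER` table and the identifier scheme in `register_target_logic` are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
import hashlib

# Assumed loading order by logic type. The patent derives the loading sequence or
# time from the verification type without fixing it, so this table is an illustration.
LOAD_ORDER = {"history": 0, "blacklist": 1, "frequency": 2, "multifactor": 3, "third_party": 4}


@dataclass(frozen=True)
class RiskLogic:
    """One entry of the preset risk verification logic set."""
    logic_id: str
    logic_type: str      # decides which loading address of a framework accepts it
    condition: str       # the judgment condition, kept as opaque text here


@dataclass
class PolicyFramework:
    """Risk verification policy framework: loading addresses plus the selected logic ids."""
    name: str
    slots: Dict[str, str]                               # loading address -> logic type it accepts
    logic_ids: List[str] = field(default_factory=list)  # combined in the administrator's selection order


class FrameworkSet:
    """Risk verification policy framework set with a service-identifier index (hypothetical)."""

    def __init__(self, preset: PolicyFramework):
        self.preset = preset
        self.frameworks: Dict[str, PolicyFramework] = {preset.name: preset}
        self.index: Dict[str, str] = {}   # service identifier -> framework name

    def add_service_framework(self, service_id: str, framework: PolicyFramework) -> None:
        """Store the framework and record the service id -> framework association as an index."""
        self.frameworks[framework.name] = framework
        self.index[service_id] = framework.name

    def framework_for(self, service_id: str) -> PolicyFramework:
        """Query the index; a service identifier that is absent gets the preset framework."""
        return self.frameworks[self.index.get(service_id, self.preset.name)]


def register_target_logic(logic_set: Dict[str, RiskLogic], logic_type: str, condition: str) -> str:
    """Return the id of an equivalent logic already in the set, else add it and generate an id."""
    for logic in logic_set.values():
        if logic.logic_type == logic_type and logic.condition == condition:
            return logic.logic_id
    digest = hashlib.sha256(f"{logic_type}:{condition}".encode()).hexdigest()[:8]
    new_id = f"{logic_type}-{digest}"   # generated identifier (illustrative scheme)
    logic_set[new_id] = RiskLogic(new_id, logic_type, condition)
    return new_id


def build_policy(framework: PolicyFramework,
                 logic_set: Dict[str, RiskLogic]) -> List[Tuple[str, RiskLogic]]:
    """Screen the framework's logics from the set, match each to a loading address by
    logic type, and order them by type to obtain the risk verification policy."""
    loaded: List[Tuple[str, RiskLogic]] = []
    for logic_id in framework.logic_ids:
        logic = logic_set[logic_id]
        address = next((a for a, t in framework.slots.items() if t == logic.logic_type), None)
        if address is None:
            raise ValueError(f"framework {framework.name} has no loading address for {logic.logic_type}")
        loaded.append((address, logic))
    loaded.sort(key=lambda item: LOAD_ORDER[item[1].logic_type])
    return loaded


def demo() -> List[str]:
    """Constructed sample: one service with its own framework; returns the load order."""
    logic_set = {
        "bl-1": RiskLogic("bl-1", "blacklist", "client_ip not in blacklist"),
        "fq-1": RiskLogic("fq-1", "frequency", "requests_per_minute <= 60"),
        "hist-1": RiskLogic("hist-1", "history", "risky results in last 24h < 3"),
    }
    preset = PolicyFramework("preset", {"p0": "history", "p1": "blacklist"}, ["hist-1", "bl-1"])
    frameworks = FrameworkSet(preset)
    svc_a = PolicyFramework("svc-a-fw", {"a0": "blacklist", "a1": "frequency", "a2": "history"},
                            ["fq-1", "bl-1", "hist-1"])   # ids in selection order
    frameworks.add_service_framework("service-a", svc_a)
    policy = build_policy(frameworks.framework_for("service-a"), logic_set)
    return [address for address, _ in policy]   # loading addresses in load order


if __name__ == "__main__":
    print(demo())
```

Note that the selection order decides which identifiers enter the framework, while the load order is decided afterwards by logic type, which is why `demo()` returns the history slot first even though the administrator selected the frequency logic first.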
205. The security server acquires the historical risk verification record corresponding to the service access request.
For example, the security server directly obtains the historical risk verification record corresponding to the service access request from the risk verification record library, or may also obtain a candidate historical risk verification record corresponding to the target service from the risk verification records, and screen the historical risk verification record corresponding to the service access request from the candidate historical risk verification records.
206. The security server determines an initial risk verification result of the service access request according to the historical risk verification record.
For example, the security server screens out the risk verification logic corresponding to historical risk verification records in the risk verification policy, and extracts from the historical risk verification records the target historical risk verification records of the service access request within a preset time range. The security server then either directly counts how many times each type of risk verification result occurs in the target historical risk verification records to obtain the corresponding verification times, or counts the verification times of each type of historical risk verification result according to a preset condition, for example the number of consecutive verifications with the same type of risk verification result, or the number of verifications with the same type of risk verification result in the same period, and the like.
After counting the verification times corresponding to each type of historical risk verification result, the security server may compare the verification times with the quantity threshold corresponding to the verification condition: when the number of verification results indicating a risk within the preset time range exceeds the preset quantity threshold, it may be determined that the service access request has a risk, and otherwise that it does not. Alternatively, the verification times may be converted into a verification probability, for example by calculating the ratio of the number of verification results indicating a risk to the total number of verifications to obtain a risk ratio; the risk ratio is compared with a preset risk ratio threshold, and when the risk ratio exceeds the preset risk ratio threshold, it may be determined that the service access request has a risk, and otherwise that it does not. In this way, an initial risk verification result of the service access request is obtained.
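The history-based judgment in step 206 can be written out as follows. This Python is an added example rather than the patent's own code: it extracts the records of one requester inside the preset time range, counts the verification results per type (plain counts and consecutive runs), and derives the initial risk verification result either from a quantity threshold or from a risk ratio threshold. The record layout, the requester key and the sample history are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class HistoryRecord:
    """One historical risk verification record (constructed shape, not the patent's format)."""
    request_key: str    # identifies the requester, e.g. an account id (assumption)
    timestamp: int      # seconds since epoch
    has_risk: bool      # result of that earlier verification


def target_records(records: Iterable[HistoryRecord], request_key: str,
                   now: int, window_seconds: int) -> List[HistoryRecord]:
    """Extract this request's records within the preset time range, oldest first."""
    return sorted((r for r in records
                   if r.request_key == request_key and now - window_seconds <= r.timestamp <= now),
                  key=lambda r: r.timestamp)


def count_by_type(records: List[HistoryRecord]) -> dict:
    """Verification times per type of result: plain counts over the target records."""
    return {"risk": sum(r.has_risk for r in records),
            "no_risk": sum(not r.has_risk for r in records)}


def max_consecutive_risk(records: List[HistoryRecord]) -> int:
    """Longest run of consecutive verifications whose result was 'risk'."""
    best = run = 0
    for r in records:
        run = run + 1 if r.has_risk else 0
        best = max(best, run)
    return best


def initial_result_by_count(records: List[HistoryRecord], quantity_threshold: int) -> bool:
    """Risk when the number of risky results in the window exceeds the quantity threshold."""
    return count_by_type(records)["risk"] > quantity_threshold


def initial_result_by_ratio(records: List[HistoryRecord], ratio_threshold: float) -> bool:
    """Risk when the ratio of risky results to all results exceeds the ratio threshold."""
    if not records:
        return False    # no history inside the window: this step reports no risk
    return count_by_type(records)["risk"] / len(records) > ratio_threshold


# Constructed sample history: acct-1 has three verifications inside a 600 s window
# ending at t=1000 plus one older record; acct-2's record must be ignored.
SAMPLE_HISTORY = [
    HistoryRecord("acct-1", 300, True),
    HistoryRecord("acct-1", 700, False),
    HistoryRecord("acct-1", 800, True),
    HistoryRecord("acct-1", 900, True),
    HistoryRecord("acct-2", 950, True),
]


def demo() -> dict:
    """Run both judgment variants over the sample history for acct-1."""
    target = target_records(SAMPLE_HISTORY, "acct-1", now=1000, window_seconds=600)
    return {
        "target_count": len(target),
        "risk_count": count_by_type(target)["risk"],
        "consecutive_risk": max_consecutive_risk(target),
        "by_count_threshold_2": initial_result_by_count(target, 2),
        "by_ratio_threshold_0_5": initial_result_by_ratio(target, 0.5),
    }


if __name__ == "__main__":
    print(demo())
```

The two variants disagree on the same history (two risky results out of three does not exceed a quantity threshold of 2 but does exceed a risk ratio of 0.5), which is the practical reason for making the threshold type part of the verification condition rather than fixing it in code.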
207. The security server extracts the access parameters corresponding to the risk verification logic from the service access request, and verifies the access parameters based on the risk verification logic.
For example, the security server extracts the access parameter corresponding to a risk verification logic from the service access request and then obtains the attribute information of that risk verification logic. It determines the verification path in one of several ways: it queries whether a third-party verification address exists in the attribute information of the risk verification logic, and if so determines that the verification path of the risk verification logic is third-party verification, otherwise local verification; or it queries whether a third-party verification condition exists in the attribute information, and if so determines that the verification path is third-party verification, otherwise local verification; or it compares the attribute information of the risk verification logic with preset attribute information, and when they are the same determines that the verification path is local verification, otherwise third-party verification. Risk verification logic whose verification path is local verification may be built-in risk verification logic, and risk verification logic whose verification path is third-party verification may be third-party risk verification logic.
(1) Built-in risk verification logic.
The security server determines the verification type of the built-in risk verification logic and the verification condition corresponding to that verification type, thereby obtaining the built-in risk verification logics such as black and white list verification, request frequency verification and multi-factor combinational logic verification together with the risk conditions corresponding to their verification types. For example, the security server obtains the risk verification logic identifier of the built-in risk verification logic and determines the verification type of the risk verification logic according to the identifier, for instance by comparing the risk verification logic identifier with the preset risk verification logic identifiers corresponding to the preset verification types: when the risk verification logic identifier is that of black and white list verification, the verification type of the risk verification logic is determined to be black and white list verification, and the verification condition corresponding to black and white list verification is then extracted from the risk verification logic; the other types are handled likewise, so that black and white list verification, request frequency verification, multi-factor combinational logic verification and other built-in risk verification logics, with the risk conditions corresponding to their verification types, are obtained.
The security server extracts the parameter values corresponding to the black and white list, the request frequency value of the service access request and the parameter values corresponding to the multi-factor combination from the access parameters to obtain the access parameter values. The parameter value corresponding to the black and white list is substituted into the black and white list verification condition; when it meets that condition, the service access request is determined to be on the white list and the black and white list verification passes, otherwise the black and white list verification fails. The request frequency value is compared with the request frequency threshold; when the request frequency value exceeds the threshold, the request frequency verification fails, otherwise it passes. The parameter values corresponding to the multi-factor combination are substituted into the multi-factor combination verification condition; when they meet that condition, the multi-factor combinational logic verification passes, otherwise it fails.
(2) Third-party risk verification logic.
For example, the security server may extract a verification address of third party verification in the third party risk verification logic, and send an access parameter corresponding to the third party risk verification logic to the verification server, so that the verification server verifies the access parameter, or may extract a type or an identifier of a third party verification model in the third party risk verification logic, determine a verification address corresponding to the third party verification model according to the type or the identifier of the third party verification model, and send the access parameter corresponding to the third party risk verification logic to the verification address, so that the verification server verifies the access parameter.
The verification of the access parameter by the verification server can also be understood as that the access parameter value in the access parameter is substituted into one or more verification conditions stored in the third party verification model for verification, and if the verification conditions are met, the third party verification can be determined to be passed, otherwise, the third party verification can be determined to be failed. After the authentication server authenticates the access parameter, the security server may receive an authentication result corresponding to the access parameter returned by the authentication server.
208. The security server fuses the initial risk verification result and the verification results of the access parameters to obtain a risk verification result.
For example, when the initial risk verification result indicates that a risk exists, or at least one verification result in the verification results of the access parameters indicates that the verification fails, the security server determines that the risk verification result indicates that the service access request has a risk; and when the initial risk verification result is that no risk exists and the verification results of the access parameters are all verified, the security server determines that the risk verification result of the service access request is that no risk exists.
The judgment that the risk verification result is that a risk exists can be understood as that when the service access request is verified through the historical risk verification record and the risk verification logic, the risk verification result of the service access request can be determined to be that a risk exists as long as any judgment result is a malicious request. The judgment that the risk verification result is no risk can be understood as that when the service access request is verified through the historical risk verification record and the risk verification logic, the risk verification result of the service access request can be determined to be no risk when all judgment results are non-malicious requests. When the risk verification result indicates that there is a risk, a rejection may be returned, and when the risk verification result indicates that there is no risk, a pass may be returned, which may be specifically shown in fig. 8.
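Steps 207 and 208 together describe how the access parameters are checked and how the results are combined. The following Python is an added example, not the patent's code: each risk verification logic carries an optional third-party verification address whose presence selects the third-party path (step 207); the three built-in checks (black and white list, request frequency, multi-factor combination) run locally; the third-party check is a synchronous call to a stand-in verifier keyed by address; and `fuse` applies the rule of step 208, reporting a risk as soon as the history-based result or any single parameter check says so. The parameter names, the condition layouts, the stand-in verifier and the sample requests are all constructed for the illustration.

```python
import operator
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Comparison operators a multi-factor condition may use (assumed vocabulary).
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt,
       ">=": operator.ge, "<=": operator.le, "in": lambda a, b: a in b}


@dataclass(frozen=True)
class RiskLogic:
    logic_id: str
    verification_type: str                      # "blacklist", "frequency", "multifactor" or "third_party"
    condition: dict                             # verification condition for that type
    third_party_address: Optional[str] = None   # present => third-party verification path


# Stand-in for remote verification servers, keyed by verification address (constructed).
THIRD_PARTY_VERIFIERS: Dict[str, Callable[[dict], bool]] = {
    "https://audit.example.invalid/check": lambda p: p.get("device_score", 0) >= 50,
}


def verification_path(logic: RiskLogic) -> str:
    """A third-party verification address in the logic's attributes selects the third-party path."""
    return "third_party" if logic.third_party_address else "local"


def verify_black_white_list(params: dict, cond: dict) -> bool:
    """Pass when the keyed value is white-listed or, failing that, not black-listed."""
    value = params.get(cond["key"])
    if value in cond.get("whitelist", ()):
        return True
    return value not in cond.get("blacklist", ())


def verify_frequency(params: dict, cond: dict) -> bool:
    """Fail when the request frequency value exceeds the threshold."""
    return params.get("request_frequency", 0) <= cond["threshold"]


def _factor_holds(params: dict, key: str, op: str, ref) -> bool:
    value = params.get(key)
    return value is not None and OPS[op](value, ref)


def verify_multifactor(params: dict, cond: dict) -> bool:
    """Each factor is (keyword, operator, value); 'relation' joins them with AND or OR."""
    outcomes = [_factor_holds(params, key, op, ref) for key, op, ref in cond["factors"]]
    return all(outcomes) if cond.get("relation", "and") == "and" else any(outcomes)


LOCAL_VERIFIERS = {"blacklist": verify_black_white_list,
                   "frequency": verify_frequency,
                   "multifactor": verify_multifactor}


def verify_access_parameters(params: dict, logics: List[RiskLogic]) -> Dict[str, bool]:
    """Run every logic over the access parameters; True means that check passed."""
    results: Dict[str, bool] = {}
    for logic in logics:
        if verification_path(logic) == "third_party":
            # Synchronous request to the verification server; the result comes back directly.
            results[logic.logic_id] = THIRD_PARTY_VERIFIERS[logic.third_party_address](params)
        else:
            results[logic.logic_id] = LOCAL_VERIFIERS[logic.verification_type](params, logic.condition)
    return results


def fuse(initial_has_risk: bool, param_results: Dict[str, bool]) -> bool:
    """Risk exists if the history-based result says so or any parameter check failed."""
    return initial_has_risk or not all(param_results.values())


# Constructed policy: three built-in logics and one third-party logic.
SAMPLE_LOGICS = [
    RiskLogic("bw-1", "blacklist", {"key": "client_ip", "blacklist": {"203.0.113.9"},
                                    "whitelist": {"198.51.100.7"}}),
    RiskLogic("fq-1", "frequency", {"threshold": 60}),
    RiskLogic("mf-1", "multifactor", {"factors": [("device_known", "==", True),
                                                  ("geo", "in", {"CN", "SG"})],
                                      "relation": "and"}),
    RiskLogic("tp-1", "third_party", {}, third_party_address="https://audit.example.invalid/check"),
]

NORMAL_REQUEST = {"client_ip": "192.0.2.10", "request_frequency": 12,
                  "device_known": True, "geo": "CN", "device_score": 80}
LISTED_REQUEST = dict(NORMAL_REQUEST, client_ip="203.0.113.9")   # only the list check differs


def demo() -> Tuple[bool, bool]:
    """Risk verification result (True = risk) for the normal and the black-listed request."""
    normal = fuse(False, verify_access_parameters(NORMAL_REQUEST, SAMPLE_LOGICS))
    listed = fuse(False, verify_access_parameters(LISTED_REQUEST, SAMPLE_LOGICS))
    return normal, listed


if __name__ == "__main__":
    print(demo())
```

Because the checks are independent binary judgments, the order in which they run does not change the fused result; what matters for a deployment is that a failing third-party call is reported as a result of its own rather than silently treated as a pass.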
209. The security server controls the user to access the target service based on the risk verification result.
For example, the security server may control the user to access the target service based on the risk verification result in various ways, for example, the security server may directly control the user to access the target service, or may also indirectly control the user to access the target service, which may specifically be as follows:
(1) The security server directly controls the user to access the target service.
For example, when the risk verification result indicates that the service access request has a risk, the security server may directly intercept the service access request, so that the user cannot access the target service, or modify an access address in the service access request, so that the user cannot access the target service through the service access request.
When the risk verification result indicates that the service access request has no risk, the security server can directly construct an information channel between the client of the user and the target service according to the service access request, so that the user can access the target service through the client.
(2) The security server indirectly controls the user to access the target service.
For example, the security server sends the risk verification result to the service server corresponding to the target service, so that the service server controls the user to access the target service, for example, when the risk verification result indicates that the service access request has a risk, the service server denies the access of the service access request. And when the risk verification result shows that the service access request has no risk, the service server can access the service access request, so that the user can normally access the target service.
Optionally, the security server may further send the risk verification result to the client corresponding to the user, so as to prompt the user whether the user may access the target service.
The security server is mainly used for performing identity authentication on the user corresponding to the service access request and risk verification on the service access request, and may be regarded as an Identity and Access Management (IAM) system. A traditional IAM usually has only an identity verification module, which is connected to each service system to complete that system's identity authentication. In this scheme a risk verification module (also referred to as a risk control module) is added; as shown in fig. 9, this module and the identity verification module interact through internal calls, so that configurable risk control of authentication is realized on the IAM side. Taking service A as the target service as an example: the administrator of service A configures security policy configuration information through the configuration page of the management console, where the security policy configuration information may include an identity verification policy and a risk verification policy; the user sends a service access request to service system A through the client; the service server corresponding to service system A sends a verification request to the IAM; the IAM system verifies the identity of the user according to the verification request and, after identity verification passes, internally calls the risk verification module for service system A. The risk verification module includes a built-in risk verification logic module and a third-party risk verification logic module, where the built-in risk verification logic module includes four functional sub-modules: black and white list, frequency control policy, multi-factor determination, and authentication record.
Risk verification is performed on the service access request through the historical access records corresponding to the service access request in the authentication record, giving an initial risk verification result. Then, whether the service access request is black-listed can be verified through the black and white list, whether its access frequency exceeds the frequency limit can be verified through the frequency control policy, whether it satisfies a multi-factor combination can be judged through the multi-factor determination, and its access parameters can be sent to a third-party auditing server through the sub-module of the third-party verification logic. These judgments are independent and parallel binary judgments, and the service access request is determined to have a risk as long as one of the judgment results classifies it as a malicious service access request. After the IAM system has performed risk verification (judgment) on the service access request, it may process the request itself according to the verification result to control the user's access to service A, or it may send the verification result to the service server corresponding to service system A so that service system A processes the request itself and controls the user's access to service A.
The risk verification module contains a built-in risk verification logic module and a third-party risk verification logic module. The built-in risk verification logic module is responsible for executing the specific risk verification policy; the third-party risk verification logic connects to the third-party policy through an external call and returns the judgment result of the external third-party risk control policy through a synchronous request, which completes the extension of the risk verification module.
The overall process of verifying the service access request by the IAM system may be as shown in fig. 10, and specifically includes receiving the service access request, performing identity verification on a user corresponding to the service access request, and querying a risk verification policy of a specific service system after the identity verification is passed.
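The following is an added illustrative model of the risk verification module described above; it is not the patent's or Tencent's code. The logic identifiers (L_BL, L_FREQ, ...), service identifiers, time windows, thresholds, the simulated audit server and the sample history are all constructed assumptions. It shows the preset logic set, the per-service setting information with typed load addresses (and the preset fallback for an unknown service identifier), the independent binary judgments, and the fusion rule under which any single failure marks the request as risky.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Access parameters of one request, and one entry of the historical risk verification record.
Request = Dict[str, object]
Record = Dict[str, object]


@dataclass(frozen=True)
class RiskLogic:
    """One entry of the preset risk verification logic set (constructed model)."""
    logic_id: str
    load_type: str                                   # load-address type it may occupy
    path: str                                        # "local" or "third_party"
    check: Callable[[Request, List[Record]], bool]   # True = this judgment found no risk


BLACKLIST = {"mallory"}                              # constructed black list


def _blacklist(req: Request, hist: List[Record]) -> bool:
    return req["user"] not in BLACKLIST


def _frequency(req: Request, hist: List[Record]) -> bool:
    # Frequency control: fewer than 5 requests by this user in the last 60 s (assumed limits).
    recent = [r for r in hist if r["user"] == req["user"] and req["ts"] - r["ts"] <= 60]
    return len(recent) < 5


def _multi_factor(req: Request, hist: List[Record]) -> bool:
    # Multi-factor determination: the request must carry the required factor combination.
    return {"password", "otp"} <= set(req.get("factors", ()))


def _auth_record(req: Request, hist: List[Record]) -> bool:
    # Authentication record: count risky results in the preset window (300 s assumed)
    # and substitute the count into the verification condition (fewer than 3).
    window = [r for r in hist if r["user"] == req["user"] and req["ts"] - r["ts"] <= 300]
    return sum(1 for r in window if r["result"] == "risk") < 3


def audit_server(params: Dict[str, object]) -> bool:
    """Stand-in for the external audit server reached by synchronous call (constructed)."""
    return params["ip"] not in {"198.51.100.7"}


def _third_party(req: Request, hist: List[Record]) -> bool:
    # Third-party path: only the needed access parameters are sent out for auditing.
    return audit_server({"user": req["user"], "ip": req["ip"]})


# Preset risk verification logic set, keyed by risk verification logic identifier.
LOGIC_SET = {l.logic_id: l for l in [
    RiskLogic("L_BL", "blacklist", "local", _blacklist),
    RiskLogic("L_FREQ", "frequency", "local", _frequency),
    RiskLogic("L_MFA", "multi_factor", "local", _multi_factor),
    RiskLogic("L_HIST", "auth_record", "local", _auth_record),
    RiskLogic("L_TP", "third_party", "third_party", _third_party),
]}

# Risk verification setting information, indexed by service identifier. Each entry is a
# framework of typed load addresses, each naming the logic identifier to load there.
SETTING_INFO = {
    "svc_a": {"blacklist": "L_BL", "frequency": "L_FREQ", "multi_factor": "L_MFA",
              "auth_record": "L_HIST", "third_party": "L_TP"},
}
# Preset setting information used when the service identifier is absent from the index.
DEFAULT_SETTING = {"blacklist": "L_BL", "frequency": "L_FREQ", "auth_record": "L_HIST"}


def get_setting_info(service_id: str) -> Dict[str, str]:
    return SETTING_INFO.get(service_id, DEFAULT_SETTING)


def load_policy(setting: Dict[str, str]) -> Dict[str, RiskLogic]:
    """Screen each logic out of the preset set and load it at the matching address type."""
    policy = {}
    for load_type, logic_id in setting.items():
        logic = LOGIC_SET.get(logic_id)
        if logic is None:
            raise KeyError(f"unknown risk verification logic {logic_id!r}")
        if logic.load_type != load_type:
            raise TypeError(f"{logic_id} cannot be loaded at a {load_type!r} address")
        policy[load_type] = logic
    return policy


def verify(service_id: str, req: Request, hist: List[Record]) -> Dict[str, object]:
    """Run every loaded judgment independently, then fuse: any failure means risk."""
    policy = load_policy(get_setting_info(service_id))
    initial_ok, failed = True, []
    for load_type, logic in policy.items():
        passed = logic.check(req, hist)
        if load_type == "auth_record":
            initial_ok = passed                      # the initial risk verification result
        if not passed:
            failed.append(logic.logic_id)
    # Fusion: risk if the initial result says risk or any access-parameter check failed.
    return {"risk": (not initial_ok) or bool(failed), "failed": sorted(failed)}


# Constructed historical risk verification record (timestamps in seconds).
SAMPLE_HISTORY = [
    {"user": "alice", "ts": 990, "result": "ok"},
    {"user": "bob", "ts": 995, "result": "risk"},
    {"user": "bob", "ts": 996, "result": "risk"},
    {"user": "bob", "ts": 997, "result": "risk"},
]
```

A deny decision carries the identifiers of the judgments that failed, which is what the service server or an audit log needs to explain the result without re-running the policy.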
As can be seen from the above, in this embodiment, after the security server receives the service access request and the service identifier of the target service to be accessed by the service access request, the identity of the user corresponding to the service access request is verified; when the identity of the user passes verification, the risk verification policy framework corresponding to the service identifier is obtained; then the risk verification logic corresponding to the risk verification logic identifier is screened out from the preset risk verification logic set, and the risk verification logic is loaded into the risk verification policy framework to obtain a risk verification policy; then the service access request is verified according to the risk verification policy to obtain a risk verification result; and finally, the user's access to the target service is controlled based on the risk verification result. According to this scheme, different risk verification policies are adopted for different services, and the risk verification policies are loaded from the specific risk verification logic in a unified preset risk verification logic set, so that unified risk control can be performed on service access, a security gap is prevented from forming, and the security of service access can be improved.
In order to better implement the above method, an embodiment of the present invention further provides a service access apparatus, which may be integrated in an electronic device, such as a server or a terminal, where the terminal may include a tablet computer, a notebook computer, and/or a personal computer.
For example, as shown in fig. 11, the service access apparatus may include a receiving unit 301, an obtaining unit 302, a screening unit 303, an authentication unit 304, and a control unit 305, as follows:
(1) A receiving unit 301;
a receiving unit 301, configured to receive the service access request and a service identifier of a target service that the service access request needs to access, and perform identity authentication on a user corresponding to the service access request.
For example, the receiving unit 301 may be specifically configured to receive a service access request sent by a service server and a service identifier of a target service that the service access request needs to access, or to receive a service access request sent by a client of the user corresponding to the service access request and a service identifier of the target service that the service access request needs to access. The receiving unit 301 then establishes an information channel with the client corresponding to the user according to the service access request, receives the current identity information input by the user through the information channel, and determines that the identity of the user passes authentication when the current identity information is the same as the preset identity information.
(2) An acquisition unit 302;
an obtaining unit 302, configured to obtain risk verification setting information corresponding to the service identifier when the user passes identity verification, where the risk verification setting information includes at least one risk verification logic identifier.
For example, the obtaining unit 302 may be specifically configured to, when the identity of the user passes authentication, obtain index information of a risk authentication setting information set, query whether a service identifier of the target service exists in the index information, screen risk authentication setting information corresponding to the service identifier from the risk authentication setting information set when the service identifier exists in the index information, and use preset risk authentication setting information as risk authentication setting information corresponding to the service identifier when the service identifier does not exist in the index information.
(3) A screening unit 303;
the screening unit 303 is configured to screen a risk verification logic corresponding to the risk verification logic identifier from the preset risk verification logic set, and add the risk verification logic to the risk verification setting information to obtain risk verification configuration information.
For example, the screening unit 303 may be specifically configured to screen a risk verification logic corresponding to the risk verification logic identifier from a preset risk verification logic set, identify at least one loading address used for loading the risk verification logic in the risk verification setting information, determine a loading address corresponding to the risk verification logic according to a type of the loading address, and load the risk verification logic to the corresponding loading address in the risk verification setting information to obtain the risk verification policy configuration information.
(4) An authentication unit 304;
and the verifying unit 304 is configured to verify the service access request according to the risk verification configuration information to obtain a risk verification result.
For example, the verification unit 304 may be specifically configured to obtain a historical risk verification record corresponding to the service access request, determine an initial risk verification result of the service access request according to the historical risk verification record, extract an access parameter corresponding to the risk verification logic in the risk verification configuration information from the service access request, verify the access parameter based on the risk verification logic, and fuse the initial risk verification result and the verification result of the access parameter to obtain a risk verification result.
(5) A control unit 305;
a control unit 305 for controlling the user to access the target service based on the risk verification result.
For example, the control unit 305 may be specifically configured to deny the user access to the target service when the risk verification result indicates that the service access request is at risk, and allow the user access to the target service when the risk verification result indicates that the service access request is not at risk, or send the risk verification result to a service server corresponding to the target service, so that the service server controls the user access to the target service.
Optionally, the service access apparatus may further include a configuration unit 306, as shown in fig. 12, which may specifically be as follows:
a configuration unit 306, configured to configure risk verification configuration information of the service.
For example, the configuration unit 306 may be specifically configured to obtain security configuration information of a service, where the security configuration information carries a service identifier of the service, construct a risk verification framework corresponding to the service according to the security configuration, establish an association relationship between the service identifier of the service and risk verification setting information, and add the risk verification setting information of the service to a risk verification setting information set.
In a specific implementation, the above units may be implemented as independent entities, or may be combined arbitrarily to be implemented as the same or several entities, and the specific implementation of the above units may refer to the foregoing method embodiments, which are not described herein again.
As can be seen from the above, in this embodiment, after the receiving unit 301 receives the service access request and the service identifier of the target service to be accessed by the service access request, the user corresponding to the service access request is authenticated; when the user passes the authentication, the obtaining unit 302 obtains the risk verification setting information corresponding to the service identifier; then the screening unit 303 screens out the risk verification logic corresponding to the risk verification logic identifier from the preset risk verification logic set and adds the risk verification logic to the risk verification setting information to obtain risk verification configuration information; then the verification unit 304 verifies the service access request according to the risk verification configuration information to obtain a risk verification result; and finally, the control unit 305 controls the user's access to the target service based on the risk verification result. According to this scheme, different risk verification configuration information is adopted for different services, and the risk verification configuration information is obtained from the specific risk verification logic in a unified preset risk verification logic set, so that unified risk control can be performed on service access, a security gap is prevented from forming, and the security of service access can be improved.
An embodiment of the present invention further provides an electronic device, as shown in fig. 13, which shows a schematic structural diagram of the electronic device according to the embodiment of the present invention, specifically:
the electronic device may include components such as a processor 401 of one or more processing cores, memory 402 of one or more computer-readable storage media, a power supply 403, and an input unit 404. Those skilled in the art will appreciate that the electronic device configuration shown in fig. 13 does not constitute a limitation of the electronic device and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components. Wherein:
the processor 401 is a control center of the electronic device, connects various parts of the entire electronic device using various interfaces and lines, performs various functions of the electronic device and processes data by operating or executing software programs and/or modules stored in the memory 402 and calling data stored in the memory 402, thereby integrally monitoring the electronic device. Alternatively, processor 401 may include one or more processing cores; preferably, the processor 401 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 401.
The memory 402 may be used to store software programs and modules, and the processor 401 executes various functional applications and data processing by operating the software programs and modules stored in the memory 402. The memory 402 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data created according to use of the electronic device, and the like. Further, the memory 402 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory 402 may also include a memory controller to provide the processor 401 access to the memory 402.
The electronic device further comprises a power supply 403 for supplying power to the various components, and preferably, the power supply 403 is logically connected to the processor 401 through a power management system, so that the functions of charging, discharging, and power consumption management are managed through the power management system. The power supply 403 may also include any component of one or more dc or ac power sources, recharging systems, power failure detection circuitry, power converters or inverters, power status indicators, and the like.
The electronic device may further include an input unit 404, and the input unit 404 may be used to receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
Although not shown, the electronic device may further include a display unit and the like, which are not described in detail herein. Specifically, in this embodiment, the processor 401 in the electronic device loads the executable file corresponding to the process of one or more application programs into the memory 402 according to the following instructions, and the processor 401 runs the application program stored in the memory 402, thereby implementing various functions as follows:
the method comprises the steps of receiving a service access request and a service identifier of a target service required to be accessed by the service access request, authenticating a user corresponding to the service access request, obtaining risk authentication setting information corresponding to the service identifier when the user passes the authentication, screening risk authentication logic corresponding to the risk authentication logic identifier from a preset risk authentication logic set, adding the risk authentication logic to the risk authentication setting information to obtain risk authentication configuration information, authenticating the service access request according to the risk authentication configuration information to obtain a risk authentication result, and controlling the user to access the target service based on the risk authentication result.
For example, the electronic device receives a service access request sent by a service server and a service identifier of a target service that the service access request needs to access, or receives a service access request sent by a client of the user corresponding to the service access request and a service identifier of the target service that the service access request needs to access. It then establishes an information channel with the client corresponding to the user according to the service access request, receives the current identity information input by the user through the information channel, and determines that the identity of the user passes authentication when the current identity information is the same as the preset identity information. When the identity of the user passes verification, index information of a risk verification setting information set is obtained, and the index information is queried for the service identifier of the target service; when the service identifier exists in the index information, the risk verification setting information corresponding to the service identifier is screened out from the risk verification setting information set, and when the service identifier does not exist in the index information, preset risk verification setting information is used as the risk verification setting information corresponding to the service identifier. The risk verification logic corresponding to the risk verification logic identifier is screened out from a preset risk verification logic set; then at least one loading address for loading the risk verification logic is identified in the risk verification setting information, the loading address corresponding to the risk verification logic is determined according to the type of the loading address, and the risk verification logic is loaded to the corresponding loading address in the risk verification setting information to obtain risk verification configuration information.
Acquiring a historical risk verification record corresponding to the service access request, determining an initial risk verification result of the service access request according to the historical risk verification record, extracting an access parameter corresponding to a risk verification logic in the risk verification configuration information from the service access request, verifying the access parameter based on the risk verification logic, and fusing the initial risk verification result and the verification result of the access parameter to obtain a risk verification result. And when the risk verification result indicates that the service access request has a risk, the user is denied access to the target service, and when the risk verification result indicates that the service access request does not have a risk, the user is allowed to access the target service, or the risk verification result is sent to a service server corresponding to the target service, so that the service server controls the user to access the target service.
The above operations can be implemented in the foregoing embodiments, and are not described herein.
As can be seen from the above, in the embodiment of the present invention, after a service access request and a service identifier of a target service to be accessed by the service access request are received, the user corresponding to the service access request is authenticated; when the user passes the authentication, risk verification setting information corresponding to the service identifier is obtained; then the risk verification logic corresponding to the risk verification logic identifier is screened out from a preset risk verification logic set and added to the risk verification setting information to obtain risk verification configuration information; then the service access request is verified according to the risk verification configuration information to obtain a risk verification result; and finally, the user's access to the target service is controlled based on the risk verification result. According to this scheme, different risk verification configuration information is adopted for different services, and the risk verification configuration information is obtained from the specific risk verification logic in a unified preset risk verification logic set, so that unified risk control can be performed on service access, a security gap is avoided, and the security of service access can be improved.
It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be performed by instructions or by associated hardware controlled by the instructions, which may be stored in a computer readable storage medium and loaded and executed by a processor.
To this end, the embodiment of the present invention provides a computer-readable storage medium, in which a plurality of instructions are stored, where the instructions can be loaded by a processor to execute steps in any service access method provided by the embodiment of the present invention. For example, the instructions may perform the steps of:
the method comprises the steps of receiving a service access request and a service identifier of a target service required to be accessed by the service access request, authenticating a user corresponding to the service access request, obtaining risk authentication setting information corresponding to the service identifier when the user passes the authentication, screening risk authentication logic corresponding to the risk authentication logic identifier from a preset risk authentication logic set, adding the risk authentication logic to the risk authentication setting information to obtain risk authentication configuration information, authenticating the service access request according to the risk authentication configuration information to obtain a risk authentication result, and controlling the user to access the target service based on the risk authentication result.
For example, a service access request sent by a service server and a service identifier of a target service that the service access request needs to access are received, or a service access request sent by a client of the user corresponding to the service access request and a service identifier of the target service that the service access request needs to access are received. An information channel is then established with the client corresponding to the user according to the service access request, the current identity information input by the user is received through the information channel, and the identity of the user is determined to pass authentication when the current identity information is the same as the preset identity information. When the identity of the user passes verification, index information of a risk verification setting information set is obtained, and the index information is queried for the service identifier of the target service; when the service identifier exists in the index information, the risk verification setting information corresponding to the service identifier is screened out from the risk verification setting information set, and when the service identifier does not exist in the index information, preset risk verification setting information is used as the risk verification setting information corresponding to the service identifier. The risk verification logic corresponding to the risk verification logic identifier is screened out from a preset risk verification logic set; then at least one loading address for loading the risk verification logic is identified in the risk verification setting information, the loading address corresponding to the risk verification logic is determined according to the type of the loading address, and the risk verification logic is loaded to the corresponding loading address in the risk verification setting information to obtain risk verification configuration information.
Acquiring a historical risk verification record corresponding to the service access request, determining an initial risk verification result of the service access request according to the historical risk verification record, extracting an access parameter corresponding to a risk verification logic in the risk verification configuration information from the service access request, verifying the access parameter based on the risk verification logic, and fusing the initial risk verification result and the verification result of the access parameter to obtain a risk verification result. And when the risk verification result indicates that the service access request has a risk, the user is denied access to the target service, and when the risk verification result indicates that the service access request does not have a risk, the user is allowed to access the target service, or the risk verification result is sent to a service server corresponding to the target service, so that the service server controls the user to access the target service.
The above operations can be implemented in the foregoing embodiments, and are not described in detail herein.
The computer-readable storage medium may include: Read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
Since the instructions stored in the computer-readable storage medium may execute the steps in any service access method provided in the embodiment of the present invention, beneficial effects that can be achieved by any service access method provided in the embodiment of the present invention may be achieved, for which details are described in the foregoing embodiment and are not repeated herein.
According to one aspect of the application, there is provided, among other things, a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to execute the method provided in the various alternative implementations of the service access aspect or the service access request verification aspect described above.
The service access method, the service access device, the electronic device, and the computer-readable storage medium provided in the embodiments of the present invention are described in detail above, and specific embodiments are applied in this document to explain the principles and embodiments of the present invention, and the description of the above embodiments is only used to help understanding the method and its core idea of the present invention; meanwhile, for those skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (15)

1. A method for service access, comprising:
receiving a service access request and a service identifier of a target service to be accessed by the service access request, and performing identity authentication on a user corresponding to the service access request;
when the identity of the user passes verification, acquiring risk verification setting information corresponding to the service identifier, wherein the risk verification setting information comprises at least one risk verification logic identifier;
screening out risk verification logics corresponding to the risk verification logic identifications from a preset risk verification logic set, and adding the risk verification logics to the risk verification setting information to obtain risk verification configuration information;
verifying the service access request according to the risk verification configuration information to obtain a risk verification result;
and controlling the user to access the target service based on the risk verification result.
2. The service access method according to claim 1, wherein the verifying the service access request according to the risk verification configuration information to obtain a risk verification result comprises:
acquiring a historical risk verification record corresponding to the service access request;
and verifying the service access request according to the historical risk verification record and the risk verification configuration information to obtain a risk verification result.
3. The service access method according to claim 2, wherein the verifying the service access request according to the historical risk verification record and the risk verification configuration information to obtain a risk verification result comprises:
determining an initial risk verification result of the service access request according to the historical risk verification record;
extracting access parameters corresponding to risk verification logic in the risk verification configuration information from the service access request, and verifying the access parameters based on the risk verification logic;
and fusing the initial risk verification result and the verification result of the access parameter to obtain the risk verification result.
4. The service access method according to claim 3, wherein the determining an initial risk verification result of the service access request according to the historical risk verification record comprises:
screening out risk verification logic corresponding to the historical risk verification record from the risk verification configuration information;
extracting a target historical risk verification record of the service access request within a preset time range from the historical risk verification records;
counting the verification times corresponding to the historical risk verification result of each type in the target historical risk verification record;
and substituting the verification times into the verification conditions of the risk verification logic corresponding to the historical risk verification records for verification to obtain the initial risk verification result of the service access request.
5. The service access method according to claim 3, wherein the verifying the access parameter based on the risk verification logic comprises:
acquiring attribute information of the risk verification logic, and determining a verification path of the risk verification logic according to the attribute information of the risk verification logic;
when the verification path is local verification, verifying the access parameter by adopting the risk verification logic;
and when the verification path is third-party verification, sending the corresponding access parameter to a verification server for verification according to the risk verification logic, and receiving a verification result corresponding to the access parameter returned by the verification server.
6. The service access method according to claim 5, wherein the verifying the access parameter with the risk verification logic comprises:
determining a verification type of the risk verification logic and a verification condition corresponding to the verification type;
extracting an access parameter value corresponding to the verification type from the access parameters;
and substituting the access parameter values into corresponding verification conditions for verification to obtain a verification result of the access parameters.
7. The service access method according to claim 3, wherein the fusing the initial risk verification result and the verification result of the access parameter to obtain the risk verification result comprises:
when the initial risk verification result indicates that a risk exists or at least one verification result in the verification results of the access parameters indicates that the verification fails, determining that the risk verification result indicates that a risk exists;
and when the initial risk verification result is that no risk exists and the verification results of the access parameters are all verified, determining that the risk verification result is that no risk exists.
8. The service access method according to any one of claims 1 to 7, wherein the adding the risk verification logic to the risk verification setting information to obtain risk verification configuration information comprises:
identifying at least one load address for loading risk verification logic in the risk verification setting information;
determining a loading address corresponding to the risk verification logic according to the type of the loading address;
and loading the risk verification logic to a corresponding loading address in the risk verification setting information to obtain risk verification configuration information.
9. The service access method according to any one of claims 1 to 7, wherein the obtaining risk verification setting information corresponding to the service identifier includes:
acquiring index information of a risk verification setting information set, wherein the index information is used for indicating an association between a service identifier of a service and the risk verification setting information;
screening risk verification setting information corresponding to the service identifier from the risk verification setting information set when the service identifier exists in the index information;
and when the service identifier does not exist in the index information, using preset risk verification setting information as the risk verification setting information corresponding to the service identifier.
10. The service access method according to claim 9, wherein before the obtaining the index information of the risk verification setting information set, the method further comprises:
acquiring security configuration information of a service, wherein the security configuration information carries a service identifier of the service;
establishing risk verification setting information corresponding to the service according to the security configuration information;
and establishing an association between the service identifier of the service and the risk verification setting information, and adding the risk verification setting information of the service to the risk verification setting information set.
11. The service access method of claim 10, wherein the obtaining security configuration information of the service comprises:
receiving a first security configuration request of a service, wherein the first security configuration request carries a service identifier of the service;
generating a configuration page according to the first security configuration request, wherein the configuration page comprises a preset risk verification logic identification set;
receiving a risk verification logic identifier selected from the risk verification logic identifier set on the configuration page, and taking the selected risk verification logic identifier and the selection sequence as the security configuration information;
the establishing of the risk verification setting information corresponding to the service according to the security configuration information includes: combining the selected risk verification logic identifiers according to the selection sequence to obtain the risk verification setting information corresponding to the service.
12. The service access method of claim 10, wherein the obtaining security configuration information of the service comprises:
receiving a second security configuration request of a service, wherein the second security configuration request carries a service identifier of the service and a target risk verification logic corresponding to the service;
acquiring a preset risk verification logic set according to the second security configuration request;
when the target risk verification logic exists in the preset risk verification logic set, acquiring a risk verification logic identifier of the target risk verification logic, and using the risk verification logic identifier of the target risk verification logic as security configuration information;
when the target risk verification logic does not exist in the preset risk verification logic set, adding the target risk verification logic to the preset risk verification logic set, and generating a risk verification logic identifier of the target risk verification logic in the preset risk verification logic set;
the establishing of the risk verification setting information corresponding to the service according to the security configuration information includes: combining the risk verification logic identifiers to obtain the risk verification setting information corresponding to the service.
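As an added example (not code from the patent or its assignee), the following Python models the claimed flow end to end: the index lookup with its preset fallback (claim 9), loading the identified logic into the setting information (claim 8), local versus third-party dispatch with a verification type and condition per logic (claims 5 and 6), and the fusion rule (claim 7). The preset logic entries, the index contents, the remote callback and the fail-closed handling of a missing access parameter are assumptions made for the example.

```python
# Added example modelling the claimed risk verification flow; all data below is
# constructed for illustration and is not taken from the patent.
from typing import Callable, Dict, List

# Preset risk verification logic set keyed by identifier (claims 8 and 12). Each
# entry carries its verification type, verification path and, for local
# verification, the condition an extracted parameter value must satisfy.
PRESET_LOGIC = {
    "ip_allowlist": {"type": "ip", "path": "local",
                     "condition": lambda v: v.startswith("10.")},
    "device_known": {"type": "device_id", "path": "local",
                     "condition": lambda v: v in {"dev-001", "dev-002"}},
    "geo_check": {"type": "country", "path": "third_party"},
}

# Index: service identifier -> risk verification setting information (claim 9).
INDEX = {"svc-pay": ["ip_allowlist", "device_known", "geo_check"]}
DEFAULT_SETTING = ["device_known"]  # preset setting used when no index entry


def lookup_setting(service_id: str) -> List[str]:
    """Claim 9: indexed setting information if present, else the preset one."""
    return INDEX.get(service_id, DEFAULT_SETTING)


def build_config(setting: List[str]) -> List[dict]:
    """Claim 8: load each identified logic into the setting information."""
    return [dict(PRESET_LOGIC[lid], id=lid) for lid in setting]


def verify_params(config: List[dict], params: Dict[str, str],
                  remote: Callable[[str, str], bool]) -> Dict[str, bool]:
    """Claims 5-6: extract the value for each logic's type and verify it
    locally or via the verification server (modelled by `remote`)."""
    results = {}
    for logic in config:
        value = params.get(logic["type"])
        if value is None:
            results[logic["id"]] = False  # assumption: missing value fails closed
        elif logic["path"] == "local":
            results[logic["id"]] = bool(logic["condition"](value))
        else:
            results[logic["id"]] = remote(logic["id"], value)
    return results


def fuse(initial_has_risk: bool, param_results: Dict[str, bool]) -> bool:
    """Claim 7: risk exists if the historical check or any parameter check fails."""
    return initial_has_risk or not all(param_results.values())


def assess(service_id: str, params: Dict[str, str], initial_has_risk: bool = False,
           remote: Callable[[str, str], bool] = lambda lid, v: True) -> bool:
    """Return True when the fused risk verification result indicates risk."""
    config = build_config(lookup_setting(service_id))
    return fuse(initial_has_risk, verify_params(config, params, remote))
```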
13. A service access device, comprising:
a receiving unit, configured to receive a service access request and a service identifier of a target service that needs to be accessed by the service access request, and perform identity authentication on a user corresponding to the service access request;
an obtaining unit, configured to obtain risk verification setting information corresponding to the service identifier when the user passes identity verification, where the risk verification setting information includes at least one risk verification logic identifier;
a screening unit, configured to screen out risk verification logic corresponding to the risk verification logic identifier from a preset risk verification logic set, and add the risk verification logic to the risk verification setting information to obtain risk verification configuration information;
a verification unit, configured to verify the service access request according to the risk verification configuration information to obtain a risk verification result;
and a control unit, configured to control the user to access the target service based on the risk verification result.
14. An electronic device comprising a processor and a memory, the memory storing an application program, the processor being configured to run the application program in the memory to perform the steps of the service access method of any one of claims 1 to 13.
15. A computer readable storage medium storing instructions adapted to be loaded by a processor to perform the steps of the service access method according to any of claims 1 to 13.
CN202110543549.5A 2021-05-19 2021-05-19 Service access method, device, electronic equipment and computer readable storage medium Pending CN115374407A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110543549.5A CN115374407A (en) 2021-05-19 2021-05-19 Service access method, device, electronic equipment and computer readable storage medium
Publications (1)

Publication Number Publication Date
CN115374407A true CN115374407A (en) 2022-11-22

Family

ID=84059627
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination