CN116566742A - Security access control method and system for data center - Google Patents



Publication number
CN116566742A
Authority
CN
China
Prior art keywords
resource
user
proxy server
access
target
Legal status
Pending
Application number
CN202310809365.8A
Other languages
Chinese (zh)
Inventor
江连丰
乐志威
刘恒
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Kongyu Digital Information Technology Co ltd
Original Assignee
Beijing Kongyu Digital Information Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0281 Proxies
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention belongs to the technical field of data security protection and particularly relates to a security access control method and system for a data center. The disclosed secure access control method for a data center comprises the following steps: a user accesses a resource library through a configured proxy server; a target resource is acquired according to the user's resource request operation, the target resource containing a hidden identifier; the user's proxy server obtains the content of the target resource; a security manager determines, according to a resource acquisition path diagram, whether the user's resource characteristics contain more than one abnormal characteristic; the source of the abnormal resource is determined according to the user's abnormal characteristics; and the user's handling of the target data is determined according to the source of the abnormal resource and the user's authority. The invention can provide secure access to the data center.

Description

Security access control method and system for data center
Technical Field
The invention belongs to the technical field of data security protection and particularly relates to a security access control method and system for a data center.
Background
With the construction of the "core-edge" architecture, the interfaces through which each logical region connects to the core region become the network security boundary of that region. From the perspective of service and security control requirements, security control measures such as firewall hardware and VPN equipment must be deployed at the boundary of each logical area, so that independent security areas are constructed. If networks in different security areas need to access each other to acquire data, constraint rules are set according to authority, and different access control strategies are adopted at the security boundary in combination with the security trust levels of the different logical areas. In general, direct interworking between networks in different areas is not allowed without any security control measures.
Access control of data is particularly important because data is stored centrally. The traditional approach is system-centric security; with attacks now ubiquitous, the internal environment and internal personnel can also be the initiators of an attack. Data-centric security focuses security on the data itself and builds security capabilities around the lifecycle of the data. The problem that data-centric security must solve is risk control against abuse by internal personnel, business misuse and theft by external parties.
Disclosure of Invention
It is an object of the present invention to provide a way of controlled, secure access to data within a data center that solves one of the aforementioned security problems.
According to a first aspect of the present invention, there is provided a secure access control method for a data center, comprising:
a user accessing a resource library through a configured proxy server;
acquiring a target resource according to the user's resource request operation, the target resource containing a hidden identifier;
the user's proxy server obtaining the content of the target resource;
a security manager determining, according to a resource acquisition path diagram, whether the user's resource characteristics contain more than one abnormal characteristic;
determining the source of the abnormal resource according to the user's abnormal characteristics;
and determining the user's handling of the target data according to the source of the abnormal resource and the user's authority.
Preferably, the proxy server obtains a configuration file of the user, the configuration file comprising an access mode, an access position and a requested resource category;
and when the proxy server's resources are insufficient or the user's configuration file fails verification, the connection initiated by the user is terminated; when the proxy server's resources meet the requirements and the user's configuration file meets the requirements, a new proxy server is created, and the user sends resource requests and receives target resources through that proxy server.
Preferably, the proxy server receives the user's resource request and sends the resource address and the identifier of the proxy server to the security manager; the security manager updates the authority for the resource according to the user's resource request information and the proxy server identifier and returns a token to the proxy server; and the proxy server initiates a resource request operation to the resource address, the parameters of the resource request operation containing the token.
Preferably, the user's authority and the current token are obtained according to the identifier of the user's proxy server; when the current token is consistent with the token contained in the resource request operation, the resource at the target address contained in the resource request operation is obtained, a hidden identifier is added to the obtained target resource, and after the hidden identifier is added, its generation algorithm is sent to the security manager.
Preferably, the proxy server receives the target resource, acquires the generation algorithm of the hidden identifier from the security manager according to the proxy server identifier, and removes the hidden identifier from the target resource.
Preferably, the security manager determining, according to the resource acquisition path diagram, whether the user's resource features include more than one abnormal feature specifically comprises:
the security manager analyzes the resource call dependencies based on the resource acquisition path diagram transmitted by the proxy server, determines the set of called resources according to the resource call process, derives a user resource call behavior diagram from the resource dependencies, compares the user resource call behavior diagram with a standard user resource behavior whitelist diagram to obtain a difference diagram, and configures the access strategy of the proxy server based on the difference diagram.
Preferably, when the nodes and edges included in the difference graph are not empty, the nodes included in the difference graph are analyzed to obtain a security risk level, and when the risk level is determined to correspond to unauthorized access, it is identified as an abnormal feature.
Preferably, the source of the risk is determined according to the relationships of the edges of the difference graph, and when the source of the risk is the user's resource request operation, the user is forbidden to access the target resource.
Preferably, the source of the risk is determined according to the relationships of the edges of the difference graph, and when the source of the risk lies within the resource library, the user is allowed to access the target resource.
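The difference-graph comparison and source attribution described in these clauses, as an added example that is not part of the patent: the user's behavior diagram and the whitelist diagram are directed graphs of (caller, callee) call relations, the difference graph is their node and edge difference, and an unexpected edge leaving the user's request node is attributed to the user while any other unexpected edge is attributed to the resource library. The root node name, the verdict strings and the mapping of the AbortOnError, KeepAliveOnError and IgnoreError policies (named in the detailed description) onto proxy actions are assumptions.

```python
"""Difference-graph analysis of a resource acquisition path diagram.

Added example, not the patent's own code. Node/verdict/action names are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Set, Tuple

Edge = Tuple[str, str]  # (caller resource, called resource)

# Root node standing for the user's own resource request operation (assumed name).
USER_REQUEST = "user:request"


@dataclass(frozen=True)
class CallGraph:
    nodes: frozenset
    edges: frozenset

    @classmethod
    def from_edges(cls, edges: Set[Edge]) -> "CallGraph":
        nodes = {n for edge in edges for n in edge}
        return cls(frozenset(nodes), frozenset(edges))


def difference_graph(observed: CallGraph, whitelist: CallGraph) -> CallGraph:
    """Nodes and edges present in the user's behavior diagram but absent from the whitelist."""
    return CallGraph(observed.nodes - whitelist.nodes,
                     observed.edges - whitelist.edges)


def risk_source(diff: CallGraph) -> str:
    """Attribute a non-empty difference graph to its source via the edge relations.

    An unexpected edge whose caller is the user's request node means the user asked
    for something outside the whitelist. Otherwise the unexpected call was made by a
    resource inside the library (a defect inside the application server, in the
    patent's terms).
    """
    if not diff.nodes and not diff.edges:
        return "none"
    if any(caller == USER_REQUEST for caller, _ in diff.edges):
        return "user_request"
    return "resource_library"


def access_decision(source: str) -> str:
    """User-originated differences are forbidden; library-originated ones are allowed."""
    return "forbid" if source == "user_request" else "allow"


def proxy_action(decision: str, policy: str) -> str:
    """Map a forbidden access onto the proxy's configured error policy.

    AbortOnError: actively drop the user connection.
    KeepAliveOnError: keep the connection but withhold the erroneous resource.
    IgnoreError: forward the still-salted target resource to the user as is.
    """
    if decision == "allow":
        return "desalt_and_forward"
    actions = {
        "AbortOnError": "disconnect",
        "KeepAliveOnError": "keep_alive_withhold_resource",
        "IgnoreError": "forward_salted_as_is",
    }
    if policy not in actions:
        raise ValueError(f"unknown proxy policy {policy!r}")
    return actions[policy]


def analyze(observed_edges: Set[Edge], whitelist_edges: Set[Edge],
            policy: str = "AbortOnError") -> Tuple[str, str, str]:
    """Whole check for one path diagram: (risk source, access decision, proxy action)."""
    diff = difference_graph(CallGraph.from_edges(observed_edges),
                            CallGraph.from_edges(whitelist_edges))
    source = risk_source(diff)
    decision = access_decision(source)
    return source, decision, proxy_action(decision, policy)


# Constructed sample whitelist: the user may call the orders service, which reads its own table.
WHITELIST = {(USER_REQUEST, "svc:orders"), ("svc:orders", "db:orders")}

if __name__ == "__main__":
    print(analyze(WHITELIST, WHITELIST))
    # user additionally requested the admin service directly -> user exceeded authority
    print(analyze(WHITELIST | {(USER_REQUEST, "svc:admin")}, WHITELIST))
    # orders service reached into the users table on its own -> library-side defect, allowed
    print(analyze(WHITELIST | {("svc:orders", "db:users")}, WHITELIST, "IgnoreError"))
```

Logging the difference edges alongside the verdict is what makes the "internal defect" branch actionable for the application owners, since the user is allowed through but the unexpected call still needs fixing.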
According to a second aspect of the present invention, there is provided a secure access control system for a data center, comprising:
a proxy server generating unit for generating a proxy server, through which a user accesses a resource library;
a security manager for determining, according to the resource acquisition path diagram, whether the user's resource characteristics contain more than one abnormal characteristic;
an abnormal source determining unit for determining the source of the abnormal resource according to the user's abnormal characteristics;
and an abnormal access processing unit for determining the user's handling of the target data according to the source of the abnormal resource and the user's authority.
The invention realizes secure access to data in the data center, reduces risk through the proxy server, and acquires data according to the user's access context and resource relationships.
Drawings
FIG. 1 is a schematic diagram of a network architecture for accessing a data center in one embodiment of the present invention;
FIG. 2 is a schematic diagram of the access flow for accessing a data center according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of user authentication and token acquisition in one embodiment of the invention;
FIG. 4 is a schematic diagram of secure access to data in accordance with one embodiment of the present invention;
FIG. 5 is a flow chart for determining whether access exceeds authority in one embodiment of the invention.
Detailed Description
The following are several embodiments of the present invention, which are intended to illustrate the invention and not to limit it.
Referring to Example 1 shown in FIG. 1 and FIG. 2, an access control system for accessing a data center is disclosed.
The data center to which the present invention relates is an operating environment that provides services and applications to customers; it may include networking and storage systems as well as networks that customers may access.
The data center includes a plurality of application servers. Each application server may be a physical host or a virtual host. Virtual hosts may be arranged in a partitioned network, and physical machines may be located in the same network segment or in different network segments connected through a switch or a configured routing table.
The application server provides access to data and services, and this access is performed through a RESTful interface or a driver.
In the invention, the application server is accessed within the data center and communicates with the accessing user terminal through the Socket or HTTP protocol; when serving externally, the service is exposed in the form IP:port.
In the present invention, the access procedure is encapsulated in order to control unauthorized internal access, as follows.
First, access by a user terminal to the data center is not performed directly through a protocol but is further encapsulated above the protocol layer, and access to resources in the data center is provided through authentication and authorization controlled by a security manager.
The access mode provided by the invention comprises an authentication server.
When a user initiates an access request, for example after a connection is established through HTTP or Socket, the user provides its own credentials; the access control system first judges, according to the credentials provided by the user, whether the user has authority to access. Access authentication may be based on passwords, biometric characteristics, media and the like.
The first login may be performed through a Web system. In the Web system the user provides a user name and password to log in, and after authentication is completed the user is returned to the proxy server. This process may also be performed through an API.
After the first security authentication, requests initiated by the user are performed through the established proxy server, and the security control of the proxy server is performed based on the behavior of the user, so that security risk in the system is reduced.
The proxy server acquires resources according to credentials provided by the access control system, such as user resources in various forms including drivers, RESTful interfaces, direct file access, the FTP protocol and the like. The acquired resources are accompanied by behavioral analysis, so the data actually acquired by the proxy server should be salted data, i.e. data obtained by mixing irrelevant data into the actually acquired result, so that users other than the designated user cannot obtain directly usable real data. A fixed proxy server may be configured for a user whose access needs are stable and persistent.
To further improve security, the proxy server's access to resources is also performed according to credentials: the access control system generates a token for the proxy server to access the resource and issues the token to the proxy server; the proxy server acquires the resource from the data center based on the token, and the obtained resource contains a salt mixed in by the application server, namely hidden data for interference, or confusion data generated by a data protection algorithm. The salt generation algorithm may or may not be sent to the security manager: when the salt generation algorithm is sent only to the proxy server, the proxy server may desalt the data according to the authentication result of the security manager; when it is sent to the security manager, the proxy server does not hold the salt generation algorithm, so that security isolation of the data is realized.
After receiving the resource acquisition path diagram transmitted by the proxy server, the security manager compares the address information in the resource acquisition path diagram with the user's authority, for example through a series of prefabricated resource lists or matching relations (such as labels) between data and users, to judge whether the access operation exceeds authority.
If the access exceeds authority, the access control system can send an instruction to the proxy server; the proxy server releases the connection, and the user cannot access the network at that moment. If not, the access control system sends the obfuscator to the proxy server, which generates obfuscated data based on the obfuscator and removes the salt from the target resource based on the obfuscated data. Alternatively, the obfuscator is obtained from the security manager based on the result of the authority analysis, and the hidden data is removed from the target resource.
When the proxy server is generated, its access policy can be configured with several options for handling errors: disconnect on error, keep the connection on error, and ignore errors (AbortOnError, KeepAliveOnError and IgnoreError), where any abnormality or exceeding of authority is regarded as an error. That is, when an error occurs the proxy server actively disconnects from the user terminal; or the non-erroneous data is allowed to be executed when an error occurs; or any error is disregarded, the target resource containing the hidden identifier is forwarded to the user as is, and the target resource is processed by the user.
On this basis, the invention provides a security access control system for a data center, which specifically comprises:
a proxy server generating unit for generating a proxy server, through which a user accesses a resource library;
a security manager for determining, according to the resource acquisition path diagram, whether the user's resource characteristics contain more than one abnormal characteristic;
an abnormal source determining unit for determining the source of the abnormal resource according to the user's abnormal characteristics;
and an abnormal access processing unit for determining the user's handling of the target data according to the source of the abnormal resource and the user's authority.
Examples are provided below to explain the present invention in more detail.
Example 1
(1) The user accesses a server provided with a security manager using an account name and a password, through the address and port provided by the security manager;
during access, the address of the proxy server is obtained from the security manager; the proxy server is located in the network where the user is and runs in a Docker container on a physical machine;
when the proxy server is acquired, the security manager receives the user's access request, the user having passed credential authentication and accessing the predetermined network; the user's name and permission group are acquired, a proxy server is created based on the user's name, position and permission group and loaded in a server Docker container pre-configured in a network close to the user side; after loading is completed, the information of the access server started by the access system is recorded, the started server's address and port are transmitted to the user, and the user accesses resources using the proxy server;
(2) Referring to FIG. 3, the resource request of the proxy server is obtained, where the user's resource request comprises an application address and request parameters, and the security manager authenticates the resource requested by the user; if the request exceeds authority, no token is provided; if it does not, an access token is provided; the access token is pre-configured and stored both in the application server and in the credentials of the access control system;
(3) Referring to FIG. 4, the user initiates a request through the proxy server; the application server performs authority verification through the token and obtains the target data, mixes binary data generated by a data protection algorithm into the target data as salt, and sends the target data to the proxy server; at the same time, the resource information traversed in obtaining the target data and the data protection algorithm that generates the hidden identifier are received, where the resource information is the series of resource addresses and calling relations actually accessed in obtaining the target resource. The binary data is generated by producing 64-bit binary values and corresponding offsets and inserting the corresponding binary data at those offsets; the binary data is randomly generated but fixed once the selected seed is determined, and the generated offset is likewise fixed once the seed is determined. For example, for a 32-bit integer N, the same binary sequence can always be obtained by calculation: if the target length is 32, N can be converted into another integer in the integer domain by one method; if the target length is greater than 32, an integer N1 can be generated from the seed, i.e. the integer N, and a second integer N2 can be generated using N1 as the seed, giving a 64-bit sequence; if seeding continues with N2, the extension can continue, so that for example a binary sequence of length 1M can be generated. It should be noted that timestamps are avoided when generating the integers, so that no non-determinism is introduced. This is not described again below.
For example, by this method a binary sequence B of length 1M can be generated; the first 8 bits of the binary sequence are taken as the first offset, the next 32 bits are taken as the hidden identifier (salt), and the salt is written at the first offset of the target data; then 8 more bits are taken from the binary sequence as the second offset and another 32 bits as the second hidden identifier (salt); the second salt is written after skipping the second offset length from the position of the first inserted salt in the target data; this step is repeated to write the binary sequence B. Where the target resource is long, a longer binary sequence may be set, or the salt and offset may be obtained by cyclic recursion.
(4) The proxy server sends a resource acquisition path diagram generated from the resource information to the security manager; the security manager compares the resource information with the rights actually owned by the user's corresponding rights group to judge whether unexpected access exists; when unexpected access exists, the security manager considers that authority has been exceeded; if not, the access is legal. In the comparison, the resource calling process forms a relation graph according to calling level, and the difference points are obtained by comparison; the difference points here include edges and nodes;
(5) Referring to FIG. 5, it is analyzed whether the source of the difference point is included in the request; when the source of the difference point is the request initiated by the user, this indicates that the user has exceeded authority in the request; otherwise, it indicates a defect inside the application server;
(6) When the user's access exceeds authority, an instruction is sent to the proxy server to prompt the user, and if the user does not complete the response within the appointed time, the proxy server exits; when the user's access is legal, the proxy server executes the data protection algorithm corresponding to the obfuscator, generates the binary data, and removes the salt from the target data according to the binary data to obtain the target data;
(7) After the user disconnects from the proxy server, the access control system deletes the proxy server's configuration information from the set of active proxy servers.
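Steps (3) and (6) of Example 1 as an added example, not the patent's own code: the application server derives a binary sequence from a seed, repeatedly takes an 8-bit offset and a 32-bit salt from it and writes each salt that many bytes after the previous one; the proxy regenerates the same sequence and strips the salts, refusing to return data if a salt does not match. The patent does not specify how N1 is derived from N, so SHA-256 chaining is assumed here; offsets are counted in bytes rather than bits to keep the walk readable; the sample target and seed are constructed.

```python
"""Seed-derived salt insertion (application server) and removal (proxy).

Added example, not the patent's own code. Integer chaining by SHA-256 and
byte-granular offsets are assumptions; the sequence depends only on the seed.
"""
import hashlib
from typing import Iterator, Tuple

SALT_LEN = 4          # 32-bit hidden identifier (salt)
MASK32 = 0xFFFFFFFF


def chained_integers(seed: int) -> Iterator[int]:
    """Yield N1, N2, ... each derived from its predecessor (assumed: SHA-256 of it).

    No timestamp or other entropy enters the chain, so the same seed always
    reproduces the same sequence on both the server and the proxy.
    """
    state = seed & MASK32
    while True:
        digest = hashlib.sha256(state.to_bytes(4, "big")).digest()
        state = int.from_bytes(digest[:4], "big")
        yield state


def binary_sequence(seed: int) -> Iterator[int]:
    """The binary sequence B as a byte stream, extended on demand (the patent's cyclic recursion)."""
    for n in chained_integers(seed):
        yield from n.to_bytes(4, "big")


def salt_units(seed: int) -> Iterator[Tuple[int, bytes]]:
    """Repeatedly take 8 bits as an offset and then 32 bits as a salt from B."""
    stream = binary_sequence(seed)
    while True:
        offset = next(stream)
        salt = bytes(next(stream) for _ in range(SALT_LEN))
        yield offset, salt


def add_salt(target: bytes, seed: int) -> bytes:
    """Application-server side: write each salt `offset` bytes after the previous one."""
    out = bytearray()
    pos = 0                       # cursor into the original target data
    for offset, salt in salt_units(seed):
        if pos + offset > len(target):
            break                 # too little target data left for this offset
        out += target[pos:pos + offset]
        out += salt
        pos += offset
    out += target[pos:]           # trailing data after the last salt
    return bytes(out)


def remove_salt(salted: bytes, seed: int) -> bytes:
    """Proxy side: regenerate the same units and strip the salts.

    The stop condition mirrors add_salt exactly: a salt was inserted iff at least
    offset + SALT_LEN bytes remain at the cursor. Salt bytes that do not match mean
    the wrong seed (obfuscator) or a tampered resource, so nothing is returned.
    """
    out = bytearray()
    pos = 0                       # cursor into the salted data
    for offset, salt in salt_units(seed):
        if pos + offset + SALT_LEN > len(salted):
            break
        out += salted[pos:pos + offset]
        found = salted[pos + offset:pos + offset + SALT_LEN]
        if found != salt:
            raise ValueError("salt mismatch: wrong seed or tampered data")
        pos += offset + SALT_LEN
    out += salted[pos:]
    return bytes(out)


# Constructed sample target resource and seed (not real data).
SAMPLE_TARGET = b"order_id=1001;customer=alice;total=42.00\n" * 8
SAMPLE_SEED = 0x20230809

if __name__ == "__main__":
    salted = add_salt(SAMPLE_TARGET, SAMPLE_SEED)
    inserted = (len(salted) - len(SAMPLE_TARGET)) // SALT_LEN
    print(f"{len(SAMPLE_TARGET)} -> {len(salted)} bytes, {inserted} salts inserted")
    assert remove_salt(salted, SAMPLE_SEED) == SAMPLE_TARGET
```

The salt is interference, not encryption: anyone holding the seed can strip it, so the seed has to be treated as the secret that the security manager withholds from the proxy in the "isolation" variant described above.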
Example 2
(1) The user accesses through the address of the pre-configured proxy server; the proxy server is located in the network where the user is and runs in a Docker container on a physical machine;
after the proxy server is connected, when the proxy server's resources are insufficient or the user's configuration file fails verification, the connection initiated by the user is terminated; when the proxy server's resources and the user's configuration file both meet the requirements, the user sends resource requests and receives target resources through the proxy server. The checked resources may include resource information such as memory availability, disk availability and network availability, and the configuration file includes the user's operating system version, hardware conditions and the like;
(2) The resource request of the proxy server is acquired, where the user's resource request comprises an application address and request parameters, and the security manager does not authenticate the resource requested by the user;
(3) The user initiates a request through the proxy server; the application server verifies only the parameters used in the resource request, without additionally verifying token information, and obtains the target data, mixes binary data generated by a data protection algorithm into the target data as salt, and sends the target data to the proxy server; at the same time, the resource information traversed in obtaining the target data and the data protection algorithm that generates the hidden identifier are received, where the resource information is the series of resource addresses and calling relations actually accessed in obtaining the target resource. The binary data is generated by producing 32-bit binary values and corresponding offsets and inserting the corresponding binary data at those offsets; the binary data is randomly generated but fixed once the selected seed is determined, and the generated offset is likewise fixed once the seed is determined;
(4) The proxy server sends a resource acquisition path diagram generated from the resource information to the security manager; the security manager compares the resource information with the rights actually owned by the user's corresponding rights group to judge whether unexpected access exists; when unexpected access exists, the security manager considers that authority has been exceeded; if not, the access is legal. In the comparison, the resource calling process forms a relation graph according to calling level, and the difference points are obtained by comparison;
(5) It is analyzed whether the source of the difference point is included in the request; when the source of the difference point is the request initiated by the user, this indicates that the user has exceeded authority in the request; otherwise, it indicates a defect inside the application server;
(6) When the user's access exceeds authority, an instruction is sent to the proxy server to prompt the user, and if the user does not complete the response within the appointed time, the proxy server exits; when the user's access is legal, the proxy server executes the data protection algorithm corresponding to the obfuscator, generates the binary data, and removes the salt from the target data according to the binary data to obtain the target data;
(7) After the user disconnects from the proxy server, the access control system deletes the proxy server's configuration information from the set of active proxy servers.
Example 3
(1) The user accesses through the address of the pre-configured proxy server; the proxy server is located in the network where the user is and runs in a Docker container on a physical machine;
after the proxy server is connected, when the proxy server's resources are insufficient or the user's configuration file fails verification, the connection initiated by the user is terminated; when the proxy server's resources and the user's configuration file both meet the requirements, the user sends resource requests and receives target resources through the proxy server. The checked resources may include resource information such as memory availability, disk availability and network availability, and the configuration file includes the user's operating system version, hardware conditions and the like;
(2) The resource request of the proxy server is acquired, where the user's resource request comprises an application address and request parameters, and the security manager authenticates the resource requested by the user; if the request exceeds authority, no token is provided; if it does not, an access token is provided; the access token is pre-configured and stored both in the application server and in the credentials of the access control system;
(3) The user initiates a request through the proxy server; the application server performs authority verification through the token and obtains the target data, generates binary data by a data protection algorithm and mixes it into the target data as salt, and sends the target data to the proxy server; at the same time, the resource information traversed in obtaining the target data and the data protection algorithm that generates the hidden identifier are received, where the resource information is the series of resource addresses and calling relations actually accessed in obtaining the target resource. The binary data is generated by producing 64-bit binary values and corresponding offsets and inserting the corresponding binary data at those offsets; the binary data is randomly generated but fixed once the selected seed is determined, and the generated offset is likewise fixed once the seed is determined;
(4) The proxy server sends a resource acquisition path diagram generated from the resource information to the security manager; the security manager compares the application server's resource information with the rights actually owned by the user's corresponding rights group to judge whether unexpected access exists; when unexpected access exists, the security manager considers that authority has been exceeded; if not, the access is legal. In the comparison, the resource calling process forms a relation graph according to calling level, and the difference points are obtained by comparison;
(5) It is analyzed whether the source of the difference point is included in the request; when the source of the difference point is the request initiated by the user, this indicates that the user has exceeded authority in the request; otherwise, it indicates a defect inside the application server;
(6) When the user's access exceeds authority, an instruction is sent to the proxy server to prompt the user, and if the user does not complete the response within the appointed time, the proxy server exits; when the user's access is legal, the proxy server executes the data protection algorithm corresponding to the obfuscator, generates the binary data, and removes the salt from the target data according to the binary data to obtain the target data;
(7) After the user disconnects from the proxy server, the access control system deletes the proxy server's configuration information from the set of active proxy servers.
Example 4
(1) The user accesses through the address of the pre-configured proxy server; the proxy server is deployed in the network where the user is located and runs in a Docker container on a physical machine;
After the proxy server is connected, the connection initiated by the user is terminated when the proxy server's resources are insufficient or the user's configuration file fails verification; when the proxy server's resources meet the requirements and the user's configuration file passes verification, the user sends resource requests and receives target resources through the proxy server. The checked resources may include memory availability, disk availability, network availability and similar resource information, and the configuration file includes the user's operating system version, hardware conditions and the like;
(2) Acquire the resource request from the proxy server, where the user's resource request comprises an application address and request parameters, and the security manager authenticates the resource requested by the user: if the resource is unauthorized, no token is provided; if the resource is authorized, an access token is provided. The access token is newly generated and time-limited, and its duration can be set to 10 minutes; the token corresponds one-to-one to the resource-user key combination and is used to initiate the resource request in step (3); within the token's validity period the user's requests for the same resource are permitted, and the same token can always be obtained from the security manager;
(3) The user initiates the request through the proxy server; the application server verifies authority through the token and obtains the target data; binary data generated by the data protection algorithm is mixed into the target data as salt; the target data is sent to the proxy server, and at the same time the resource information traversed while obtaining the target resource and the data protection algorithm used to generate the hidden mark are received, where the resource information is the series of resource addresses and calling relations actually accessed to obtain the target resource. The binary data generation method is to generate a 32-bit binary value and a corresponding offset, and to insert the binary data at that offset; the binary data is randomly generated but fixed once the selected seed is determined, and the generated offset is likewise fixed once the seed is determined;
(4) The proxy server sends a request to acquire the data protection algorithm to the security manager; the security manager acquires the corresponding resource information based on the proxy server's identification, generates a resource call path diagram from the resource information, compares the resource call diagram with the rights actually held by the user's rights group, and judges whether unexpected access exists. If unexpected access exists, it is treated as override; otherwise the access is legal. For the comparison, the resource calling process is formed into a relation graph according to call level, and the difference points are obtained by comparing the graphs;
(5) Analyze whether the source of the difference point is contained in the request: when the source of the difference point is a request initiated by the user, this indicates that the user exceeded its authority (override) in the request; otherwise it indicates a defect inside the application server;
(6) When the user's access is an override, an instruction is sent to the proxy server to prompt the user, and if the user does not complete the response within the appointed time, the proxy server exits; when the user's access is legal, the proxy server executes the data protection algorithm corresponding to the obfuscator, generates the binary data, and removes the salt from the target data according to that binary data to obtain the target data;
(7) After the user disconnects from the proxy server, the access control system deletes the proxy server's configuration information from the active proxy server set.
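The salting in step (3) and the de-salting in step (6) are the same seeded procedure run on two sides. The following is an added illustration written for this page, not code from the patent or its assignee: it models the "32-bit binary plus offset" hidden mark as 4-byte words inserted at seed-derived positions, with the application server adding them and the proxy removing them. The choice of three words, the use of Python's seeded PRNG as the "data protection algorithm", and the mismatch check on removal are assumptions made for the example.

```python
import random

WORD_BYTES = 4   # one "32bit binary" hidden-mark word, inserted as 4 raw bytes (assumption)


def derive_marks(seed: int, payload_len: int, count: int = 3):
    """Derive `count` (offset, word) pairs from the shared seed.

    Both sides run this with the same seed, so the words and offsets are
    random-looking but fixed once the seed is chosen, as the examples state.
    Offsets are positions in the *unmarked* payload, 0..payload_len inclusive.
    """
    rng = random.Random(seed)                      # stand-in for the page's algorithm
    marks = []
    for _ in range(count):
        word = rng.getrandbits(32).to_bytes(WORD_BYTES, "big")
        offset = rng.randrange(payload_len + 1)
        marks.append((offset, word))
    return marks


def _insertion_order(marks):
    # Insert highest offset first so earlier offsets are not shifted by later
    # insertions; sorted() is stable, so equal offsets keep derivation order.
    return sorted(marks, key=lambda m: m[0], reverse=True)


def add_salt(payload: bytes, seed: int, count: int = 3) -> bytes:
    """Application-server side: mix the hidden-mark words into the target data."""
    out = payload
    for offset, word in _insertion_order(derive_marks(seed, len(payload), count)):
        out = out[:offset] + word + out[offset:]
    return out


def remove_salt(marked: bytes, seed: int, count: int = 3) -> bytes:
    """Proxy side: re-derive the same marks and strip them in reverse order.

    A word that is not found where the algorithm placed it means the payload
    was altered in transit or the proxy holds the wrong algorithm/seed, so the
    data is rejected rather than silently de-salted.
    """
    original_len = len(marked) - WORD_BYTES * count
    if original_len < 0:
        raise ValueError("payload shorter than the expected hidden marks")
    out = marked
    for offset, word in reversed(_insertion_order(derive_marks(seed, original_len, count))):
        if out[offset:offset + WORD_BYTES] != word:
            raise ValueError("hidden mark mismatch at offset %d" % offset)
        out = out[:offset] + out[offset + WORD_BYTES:]
    return out


if __name__ == "__main__":
    # Constructed sample target data; the seed stands for the data protection
    # algorithm the security manager hands to the proxy in step (4).
    target = b'{"account":"1001","balance":"500.00"}'
    marked = add_salt(target, seed=0x5EED)
    print(len(target), len(marked), remove_salt(marked, seed=0x5EED) == target)
```

Because the proxy only learns the seed from the security manager after the path diagram has been judged legal, a proxy whose access was refused in step (6) holds target data it cannot de-salt, which is the point of inserting the marks before the data leaves the application server.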
Example 5
(1) The user accesses through the address of the pre-configured proxy server; the proxy server is deployed in the network where the user is located and runs in a Docker container on a physical machine;
After the proxy server is connected, the connection initiated by the user is terminated when the proxy server's resources are insufficient or the user's configuration file fails verification; when the proxy server's resources meet the requirements and the user's configuration file passes verification, the user sends resource requests and receives target resources through the proxy server. The checked resources may include memory availability, disk availability, network availability and similar resource information, and the configuration file includes the user's operating system version, hardware conditions and the like;
(2) Acquire the resource request from the proxy server, where the user's resource request comprises an application address and request parameters, and the security manager authenticates the resource requested by the user: if the resource is unauthorized, no token is provided; if the resource is authorized, an access token is provided. The access token is newly generated and time-limited, and its duration can be set to 10 minutes; the token corresponds one-to-one to the resource-user key combination and is used to initiate the resource request in step (3); within the token's validity period the user's requests for the same resource are permitted, and the same token can always be obtained from the security manager;
(3) The user initiates the request through the proxy server; the application server verifies authority through the token and obtains the target data; binary data generated by the data protection algorithm is mixed into the target data as salt; the target data, together with the resource information traversed while obtaining the target resource, is sent to the proxy server, and the security manager receives the data protection algorithm used to generate the hidden mark, where the resource information is the series of resource addresses and calling relations actually accessed to obtain the target resource. The binary data generation method is to generate a 32-bit binary value and a corresponding offset, and to insert the binary data at that offset; the binary data is randomly generated but fixed once the selected seed is determined, and the generated offset is likewise fixed once the seed is determined;
(4) The proxy server sends a resource acquisition path diagram generated from the resource information to the security manager; the security manager compares the resource information of the application server with the rights actually held by the user's rights group to judge whether unexpected access exists. If unexpected access exists, the security manager treats it as override; otherwise the access is legal. For the comparison, the resource calling process is formed into a relation graph according to call level, and the difference points are obtained by comparing the graphs;
(5) Analyze whether the source of the difference point is contained in the request: when the source of the difference point is a request initiated by the user, this indicates that the user exceeded its authority (override) in the request; otherwise it indicates a defect inside the application server;
(6) When the user's access is an override, an instruction is sent to the proxy server to prompt the user, and if the user does not complete the response within the appointed time, the proxy server exits; when the user's access is legal, the proxy server executes the data protection algorithm corresponding to the obfuscator, generates the binary data, and removes the salt from the target data according to that binary data to obtain the target data;
(7) After the user disconnects from the proxy server, the access control system deletes the proxy server's configuration information from the active proxy server set.
Example 6
(1) The user accesses through the address of the pre-configured proxy server; the proxy server is deployed in the network where the user is located and runs in a Docker container on a physical machine;
After the proxy server is connected, the connection initiated by the user is terminated when the proxy server's resources are insufficient or the user's configuration file fails verification; when the proxy server's resources meet the requirements and the user's configuration file passes verification, the user sends resource requests and receives target resources through the proxy server. The checked resources may include memory availability, disk availability, network availability and similar resource information, and the configuration file includes the user's operating system version, hardware conditions and the like;
(2) Acquire the resource request from the proxy server, where the user's resource request comprises an application address and request parameters, and the security manager authenticates the resource requested by the user: if the resource is unauthorized, no token is provided; if the resource is authorized, an access token is provided. The access token is newly generated and time-limited; its lifetime can be set to single-use, so that a token must be requested each time a request is initiated, and the application server judges whether the access is authorized by verifying the token;
(3) The user initiates the request through the proxy server; the application server verifies authority through the token and obtains the target data; binary data generated by the data protection algorithm is mixed into the target data as salt; the target data, together with the resource information traversed while obtaining the target resource, is sent to the proxy server, and the security manager receives the data protection algorithm used to generate the hidden mark, where the resource information is the series of resource addresses and calling relations actually accessed to obtain the target resource. The binary data generation method is to generate a 32-bit binary value and a corresponding offset, and to insert the binary data at that offset; the binary data is randomly generated but fixed once the selected seed is determined, and the generated offset is likewise fixed once the seed is determined;
(4) The security manager analyzes the resource calling dependencies based on the resource acquisition path diagram transmitted by the proxy server, determines the called resource set from the resource calling process, obtains the user resource calling behavior diagram from the resource dependency relationships, compares the user resource calling behavior diagram with the standard user resource behavior whitelist diagram to obtain a difference diagram, and configures the proxy server's access policy based on the difference diagram;
(5) Analyze whether the source of the difference point is contained in the request: when the source of the difference point is a request initiated by the user, this indicates that the user exceeded its authority (override) in the request; otherwise it indicates a defect inside the application server;
(6) When the user's access is an override, an instruction is sent to the proxy server to prompt the user, and if the user does not complete the response within the appointed time, the proxy server exits; when the user's access is legal, the proxy server executes the data protection algorithm corresponding to the obfuscator, generates the binary data, and removes the salt from the target data according to that binary data to obtain the target data;
(7) After the user disconnects from the proxy server, the access control system deletes the proxy server's configuration information from the active proxy server set.
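Step (2) comes in two variants on this page: a 10-minute token bound to one resource-user pair that is handed back unchanged for the whole validity period (Examples 4 and 5), and a disposable token that has to be requested before every call (Examples 6 and 7). The class below is an added example, not code from the patent; it keeps both behaviours behind one switch so the difference is visible. The authorization table, the token format and the injectable clock are assumptions made for the example.

```python
import hmac
import secrets
import time


class TokenIssuer:
    """Security-manager token store keyed by the (user, resource) pair.

    ttl_seconds=600 models the 10-minute token of Examples 4 and 5: within the
    validity period the same pair always gets the same token back.
    one_time=True models the disposable token of Examples 6 and 7: every
    request needs a fresh token and a token dies on first verification.
    """

    def __init__(self, authorized, ttl_seconds=600, one_time=False, clock=time.time):
        self._authorized = set(authorized)      # constructed (user, resource) grants
        self._ttl = ttl_seconds
        self._one_time = one_time
        self._clock = clock                     # injectable for deterministic tests
        self._tokens = {}                       # (user, resource) -> (token, expiry)

    def issue(self, user, resource):
        """Return a token if the pair is authorized, None if the resource is unauthorized."""
        if (user, resource) not in self._authorized:
            return None
        now = self._clock()
        entry = self._tokens.get((user, resource))
        if entry is not None and entry[1] > now and not self._one_time:
            return entry[0]                     # still valid: hand back the same token
        token = secrets.token_urlsafe(16)
        self._tokens[(user, resource)] = (token, now + self._ttl)
        return token

    def verify(self, user, resource, presented):
        """Application-server check before the target data is returned.

        The presented token must equal the pair's current token and be unexpired.
        Constant-time comparison avoids leaking the stored token byte by byte.
        """
        entry = self._tokens.get((user, resource))
        if entry is None or presented is None:
            return False
        current, expiry = entry
        if self._clock() > expiry:
            del self._tokens[(user, resource)]   # expired: drop it
            return False
        if not hmac.compare_digest(current.encode(), presented.encode()):
            return False
        if self._one_time:
            del self._tokens[(user, resource)]   # consumed on first use
        return True


class FakeClock:
    """Deterministic clock for walking through expiry (constructed for the example)."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    issuer = TokenIssuer({("alice", "/data/report")}, clock=clock)
    tok = issuer.issue("alice", "/data/report")
    print("same token within 10 min:", issuer.issue("alice", "/data/report") == tok)
    clock.advance(601)
    print("still valid after 10 min:", issuer.verify("alice", "/data/report", tok))
```

Keying the store by the pair rather than by the token alone is what makes "one token per resource-user combination" hold: a token minted for one resource cannot be replayed against another, and the lookup for verification is by the pair the application server already knows from the request.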
Example 7
(1) The user accesses through the address of the pre-configured proxy server; the proxy server is deployed in the network where the user is located and runs in a Docker container on a physical machine;
After the proxy server is connected, the connection initiated by the user is terminated when the proxy server's resources are insufficient or the user's configuration file fails verification; when the proxy server's resources meet the requirements and the user's configuration file passes verification, the user sends resource requests and receives target resources through the proxy server. The checked resources may include memory availability, disk availability, network availability and similar resource information, and the configuration file includes the user's operating system version, hardware conditions and the like;
(2) Acquire the resource request from the proxy server, where the user's resource request comprises an application address and request parameters, and the security manager authenticates the resource requested by the user: if the resource is unauthorized, no token is provided; if the resource is authorized, an access token is provided. The access token is newly generated and time-limited; its lifetime can be set to single-use, so that a token must be requested each time a request is initiated, and the application server judges whether the access is authorized by verifying the token;
(3) The user initiates the request through the proxy server; the application server verifies authority through the token and obtains the target data; binary data generated by the data protection algorithm is mixed into the target data as salt; the target data, together with the resource information traversed while obtaining the target resource, is sent to the proxy server, and the security manager receives the data protection algorithm used to generate the hidden mark, where the resource information is the series of resource addresses and calling relations actually accessed to obtain the target resource. The binary data generation method is to generate a 32-bit binary value and a corresponding offset, and to insert the binary data at that offset; the binary data is randomly generated but fixed once the selected seed is determined, and the generated offset is likewise fixed once the seed is determined;
(4) The security manager analyzes the resource calling dependencies based on the resource acquisition path diagram transmitted by the proxy server, determines the called resource set from the resource calling process, obtains the user resource calling behavior diagram from the resource dependency relationships, compares the user resource calling behavior diagram with the standard user resource behavior whitelist diagram to obtain a difference diagram, and configures the proxy server's access policy based on the difference diagram;
(5) Analyze whether the source of the difference point is contained in the request: when the source of the difference point is a request initiated by the user, this indicates that the user exceeded its authority (override) in the request; otherwise, further judge whether the difference point is a higher-authority operation: if yes, it is regarded as a defect in the application server; if not, it is regarded as an operation within authority;
(6) When the user's access is an override, an instruction is sent to the proxy server to prompt the user, and if the user does not complete the response within the appointed time, the proxy server exits; when the user's access is legal, the proxy server executes the data protection algorithm corresponding to the obfuscator, generates the binary data, and removes the salt from the target data according to that binary data to obtain the target data;
(7) After the user disconnects from the proxy server, the access control system deletes the proxy server's configuration information from the active proxy server set.
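Steps (4) and (5) of Examples 6 and 7 (and claims 6 to 9 below) describe the decision the security manager makes from the difference between the observed call-path diagram and the whitelist diagram. The code below is an added example, not part of the patent: it represents both diagrams as sets of caller-to-callee edges rooted at the user's request, computes the difference graph, and classifies each difference point by where it originates. Treating a difference edge whose caller is the request root as user-initiated, and a set of "higher-authority" resources as the test for an application-server defect, are assumptions made for the example; the page does not fix the graph representation.

```python
from dataclasses import dataclass, field

REQUEST = "request"   # root node: the call the user initiated through the proxy


@dataclass
class Verdict:
    decision: str      # "legal", "override", "internal_defect" or "within_authority"
    allow: bool        # claim 8 prohibits on user override, claim 9 allows otherwise
    difference: list = field(default_factory=list)   # edges of the difference graph
    findings: list = field(default_factory=list)     # (caller, callee, source) per edge


def difference_graph(observed, whitelist):
    """Edges of the observed call-path diagram that the whitelist diagram lacks."""
    return sorted(set(observed) - set(whitelist))


def called_resources(observed):
    """The called resource set: every resource reachable from the request root."""
    reached, frontier = set(), [REQUEST]
    while frontier:
        node = frontier.pop()
        for caller, callee in observed:
            if caller == node and callee not in reached:
                reached.add(callee)
                frontier.append(callee)
    return reached


def analyse(observed, whitelist, privileged):
    """Security-manager judgement for one resource acquisition.

    observed  : edges recorded while the application server fetched the target
    whitelist : standard behaviour diagram for the user's rights group
    privileged: resources whose use counts as a higher-authority operation
    """
    diff = difference_graph(observed, whitelist)
    if not diff:
        return Verdict("legal", True)
    findings, decision = [], "within_authority"
    for caller, callee in diff:
        if caller == REQUEST:
            # The unexpected call was asked for by the user: override (Example 7 step 5).
            findings.append((caller, callee, "user_request"))
            decision = "override"
        elif callee in privileged:
            # Reached from inside the repository and privileged: application defect.
            findings.append((caller, callee, "application_defect"))
            if decision != "override":
                decision = "internal_defect"
        else:
            findings.append((caller, callee, "within_authority"))
    return Verdict(decision, decision != "override", diff, findings)


if __name__ == "__main__":
    # Constructed whitelist for an "orders" rights group and two observed runs.
    whitelist = {(REQUEST, "/orders"), ("/orders", "/customer"), ("/orders", "/inventory")}
    privileged = {"/admin/export", "/admin/audit"}
    print(analyse(whitelist | {(REQUEST, "/admin/export")}, whitelist, privileged))
    print(analyse(whitelist | {("/orders", "/admin/audit")}, whitelist, privileged))
```

The two cases in the demo are the ones the page distinguishes: an extra edge leaving the request node is an override and the user is refused, while an extra privileged edge deep in the call chain is something the user never asked for, so the user is still served but the finding points at the application server for remediation.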
The use of any and all examples, or exemplary language (e.g., "such as") provided herein, is intended merely to better illuminate embodiments of the disclosure and does not pose a limitation on the scope of the disclosure unless otherwise claimed. No language in the specification should be construed as indicating any non-claimed element as essential to the practice of the disclosure.
In the description and claims, the terms "coupled" and "connected," along with their derivatives, may be used. It should be understood that these terms may not be intended as synonyms for each other.
Unless specifically stated otherwise, it is appreciated that throughout the description, terms such as "processing," "computing," "determining," or the like, refer to the action and/or processes of a computer or computing system, or similar electronic computing device, that manipulate and/or transform data represented as physical, such as electronic, quantities within the computing system's registers and/or memories into other data similarly represented as physical quantities within the computing system's memories, registers or other such information storage, transmission or display devices.
The server and access system of the present invention comprise a processor. The term "processor" may refer to any device or part of a device that processes electronic data from registers and/or memory and converts the electronic data into other electronic data that may be stored in registers and/or memory. As a non-limiting example, a "processor" may be a CPU or GPU. A "server" may include one or more processors. As used herein, a "software" process may include, for example, software and/or hardware entities, such as tasks, threads, and intelligent agents, that perform work over time. Furthermore, each process may refer to a plurality of processes for executing instructions sequentially or in parallel, continuously or intermittently. In at least one embodiment, the terms "system" and "method" are used interchangeably herein as long as the system can embody one or more methods and the methods can be considered as systems.
In this document, reference may be made to obtaining, acquiring, receiving or inputting analog or digital data into a subsystem, computer system or computer-implemented machine. In at least one embodiment, the process of obtaining, acquiring, receiving, or inputting analog and digital data may be accomplished in a variety of ways, such as by receiving the data as a parameter of a function call or a call to an application program interface. In at least one embodiment, the process of obtaining, acquiring, receiving, or inputting analog or digital data may be accomplished by transmitting the data via a serial or parallel interface. In at least one embodiment, the process of obtaining, acquiring, receiving, or inputting analog or digital data may be accomplished by transmitting the data from a providing entity to an acquiring entity via a computer network. In at least one embodiment, analog or digital data may also be provided, output, transmitted, sent, or presented with reference. In various examples, the process of providing, outputting, transmitting, sending, or presenting analog or digital data may be implemented by taking the data as input or output parameters for a function call, parameters for an application programming interface, or an inter-process communication mechanism.
While the description herein sets forth example embodiments of the described technology, other architectures may be used to implement the described functionality and are intended to fall within the scope of the present disclosure. Furthermore, while specific allocations of responsibilities may be defined above for purposes of description, various functions and responsibilities may be allocated and partitioned in a different manner depending on the circumstances.

Claims (10)

1. A method for controlling secure access to a data center, comprising:
accessing a resource library by a user based on a configured proxy server;
acquiring a target resource according to resource request operation of a user, wherein the target resource contains a hidden identifier;
the proxy server of the user obtains the content of the target resource;
the security manager determines whether the resource characteristics of the user contain more than one abnormal characteristic according to the resource acquisition path diagram;
determining the source of the abnormal resources according to the abnormal characteristics of the user;
and determining that the user processes the target data according to the source of the abnormal resource and the user authority.
2. The method for controlling secure access to a data center according to claim 1, wherein the proxy server obtains a profile of a user, the profile of the user including an access mode, an access location, and a request resource category;
and when the proxy server resources are insufficient or the user configuration files are not verified, terminating the connection initiated by the user, and when the proxy server resources meet the requirements and the user configuration files meet the requirements, creating a new proxy server, and sending a resource request and receiving target resources by the user based on the proxy server.
3. The method for controlling security access to a data center according to claim 2, wherein the proxy server receives a resource request from a user, and transmits a resource address and an identification of the proxy server to the security manager; the security manager updates the authority of the resource according to the user resource request information and the identification of the proxy server, and returns a token to the proxy server, and the proxy server initiates a resource request operation to the resource address, wherein the parameter of the resource request operation contains the token.
4. A method for controlling secure access to a data center according to claim 3, wherein the authority of the user and the current token are obtained according to the identity of the proxy server of the user, and when the current token is identical to the token included in the resource request operation, the resource of the target address included in the resource request operation is obtained, a hidden identity is added to the obtained target resource, and the hidden identity generation algorithm is sent to the security manager after the hidden identity is added.
5. The method of claim 4, wherein the proxy server receives the target resource, obtains a generation algorithm of the hidden identifier from the security manager according to the identifier of the proxy server, and removes the hidden identifier from the target resource.
6. The method for controlling secure access of a data center according to claim 1, wherein the determining, by the security manager according to the resource acquisition path diagram, whether the resource characteristics of the user include one or more abnormal characteristics specifically includes:
the security manager analyzes the resource calling dependence based on the resource acquisition path diagram transmitted to the proxy server, determines the called resource set according to the resource calling process, acquires the user resource calling behavior diagram according to the resource dependence, compares the user resource calling behavior diagram with the standard user resource behavior white list diagram to acquire a difference diagram, and configures the access strategy of the proxy server based on the difference diagram.
7. The method according to claim 6, wherein when the node and the edge included in the difference graph are not empty, the node included in the difference graph is analyzed to obtain a security risk level, and when the risk level is determined to be unauthorized access, the security risk level is identified as an abnormal feature.
8. The method for controlling security access to a data center according to claim 7, wherein the source of risk is determined based on the relationship of edges of the difference graph, and access of the user to the target resource is prohibited when the source of risk is a user resource request operation.
9. The method for controlling secure access to a data center according to claim 7, wherein the source of risk is determined based on the relationship of edges of the difference graph, and the user is allowed to access the target resource when the source of risk is within the repository.
10. A secure access control system for a data center, comprising:
the proxy server generating unit is used for generating a proxy server, and a user accesses a resource library based on the configured proxy server;
the security manager is used for determining whether the resource characteristics of the user contain more than one abnormal characteristic according to the resource acquisition path diagram;
an abnormal source determining unit for determining the source of the abnormal resource according to the abnormal characteristics of the user;
and the abnormal access processing unit is used for determining that the user processes the target data according to the source of the abnormal resource and the user authority.
CN202310809365.8A 2023-07-04 2023-07-04 Security access control method and system for data center Pending CN116566742A (en)


Publications (1)

Publication Number Publication Date
CN116566742A true CN116566742A (en) 2023-08-08



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination