CN110851819A - Multi-application access authority control method and device and electronic equipment - Google Patents


Info

Publication number
CN110851819A
Authority
CN
China
Prior art keywords
user
authority
access
applications
application
Legal status
Pending
Application number
CN201911138430.9A
Other languages
Chinese (zh)
Inventor
周功沾
范渊
Current Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd

Classifications

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2113 Multi-level security, e.g. mandatory access control
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The embodiment of the invention provides a method, a device and electronic equipment for controlling the access authority of multiple applications, and relates to the field of communication. Registration information for the multiple applications is determined in advance; it comprises a first authority level and a communication address associated with a user. The method detects, based on login information, the user's access to any one or more of the multiple applications; when an access anomaly is detected, limits the user's access authority to a second authority level and sends first verification information to the communication address associated with the user; receives second verification information input by the user; and, when the second verification information matches the first verification information, restores the user's access authority to the first authority level. The method not only realizes unified control of authority but also dynamically adjusts authority when an anomaly is detected, limiting or restoring it, which improves the capability to defend against threats; at the same time it helps protect the user's information security and improves safety.

Description

Multi-application access authority control method and device and electronic equipment
Technical Field
The invention relates to the field of communication, in particular to a multi-application access right control method and device and electronic equipment.
Background
With the development of computer science and technology, the kinds of application systems keep increasing. If each application system is logged into with its own account and password, each system has to maintain its own set of credentials, and the maintenance cost is high.
To reduce this maintenance cost, the prior art provides a unified permission control system that controls permissions for multiple sets of application systems in one place. Although such a system greatly eases user management, the prior art has the following disadvantages: it offers only a uniform permission control function, so its functionality is limited; it does nothing to prevent threats; and, because multiple sets of application systems share the same account and password, the loss caused by a leak of that account and password is very large.
Disclosure of Invention
In view of the above, the present invention provides a method, an apparatus, an electronic device, and a computer-readable storage medium for controlling access rights of multiple applications.
In order to achieve the above purpose, the embodiment of the present invention adopts the following technical solutions:
in a first aspect, an embodiment of the present invention provides a method for controlling access permissions of multiple applications, where registration information for the multiple applications is predetermined, where the registration information includes a first permission level and a communication address associated with a user, and the method includes:
detecting access by the user to any one or more of the plurality of applications based on login information;
when the access abnormality is detected, limiting the access authority of the user to a second authority level, and sending first verification information to a communication address associated with the user;
receiving second verification information input by the user;
and when the second verification information is matched with the first verification information, restoring the access authority of the user to the first authority level.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation manner of the first aspect, where the method further includes:
when the user logs in again after the access anomaly is detected, prompting the user to increase the security strength of the login information.
With reference to the first aspect, an embodiment of the present invention provides a second possible implementation manner of the first aspect, where the login information is used to log in the multiple applications, and the login information includes a user name and a password.
With reference to the first aspect, an embodiment of the present invention provides a third possible implementation manner of the first aspect, where the method further includes:
receiving a login information modification indication of the user based on a first application in the plurality of applications;
and synchronizing the login information of other applications except the first application in the plurality of applications into the modified login information.
With reference to the first aspect, an embodiment of the present invention provides a fourth possible implementation manner of the first aspect, where there is one exception threshold corresponding to each application, and the exception threshold is related to a safety factor of the application, where the safety factor is used to indicate a trustworthiness of the application.
With reference to the first aspect, an embodiment of the present invention provides a fifth possible implementation manner of the first aspect, where the method further includes:
and determining that an access anomaly is detected after detecting that the traffic of a second application in the plurality of applications continuously exceeds an anomaly threshold corresponding to the second application for a period of time.
In a second aspect, an embodiment of the present invention further provides a multi-application access permission control apparatus, which determines registration information for a plurality of applications in advance, where the registration information includes a first permission level and a communication address associated with a user, and includes:
a detection module to detect access by the user to any one or more of the plurality of applications based on login information;
the sending module is used for limiting the access authority of the user to a second authority level and sending first verification information to a communication address associated with the user when the abnormal access is detected;
the receiving module is used for receiving second verification information input by the user;
and the recovery module is used for recovering the access authority of the user to the first authority level when the second verification information is matched with the first verification information.
With reference to the second aspect, an embodiment of the present invention provides a first possible implementation manner of the second aspect, where the apparatus further includes:
a prompting module, configured to prompt the user to increase the security strength of the login information when the user logs in again after the access anomaly is detected.
In a third aspect, an embodiment provides an electronic device, including a processor and a memory, where the memory stores machine executable instructions capable of being executed by the processor, and the processor can execute the machine executable instructions to implement the multi-application access right control method described in any one of the foregoing embodiments.
In a fourth aspect, an embodiment provides a computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements the multi-application access right control method according to any one of the foregoing embodiments.
The embodiment of the invention has the following beneficial effects:
according to the multi-application access authority control method, the multi-application access authority control device, the electronic equipment and the computer readable storage medium, registration information for a plurality of applications is determined in advance, the registration information comprises a first authority level and a communication address which are associated with a user, and the user is detected to access any one or more of the plurality of applications based on login information; when the access abnormality is detected, limiting the access authority of the user to a second authority level, and sending first verification information to a communication address associated with the user; then receiving second verification information input by the user; and finally, when the second verification information is matched with the first verification information, restoring the access authority of the user to the first authority level. Therefore, the technical scheme provided by the embodiment of the invention not only can realize unified control of the authority, but also can dynamically adjust the authority of the user when an exception (threat) is found, thereby avoiding loss of a large amount of data, protecting the privacy of the user and improving the safety and user experience. The method not only protects the privacy of the user, but also ensures the convenience brought by unified authority control.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
FIG. 1 is a diagram illustrating a user right configuration according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a method for controlling access rights of multiple applications according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating another method for controlling access rights of multiple applications according to an embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating an access right control device for multiple applications according to an embodiment of the present invention;
FIG. 5 is a block diagram of an overall framework of a traffic-based security unified rights control system according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the central rights control system of FIG. 5;
FIG. 7 shows a schematic diagram of a system application;
FIG. 8 shows a schematic diagram of an electronic device provided by an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
It is noted that relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
At present, the prior art provides a unified permission control system that controls permissions for multiple sets of application systems in one place. Although such a system greatly eases user management, the prior art has the following disadvantages: it offers only a uniform permission control function, so its functionality is limited; in addition, because multiple sets of application systems share the same account and password, the loss caused by a leak of that account and password is very large.
Based on this, the embodiment provides a multi-application access permission control method, a multi-application access permission control device and an electronic device, which can achieve unified management, dynamically adjust permissions, and simultaneously avoid user information leakage, protect information security of users, and have higher security performance.
For convenience of understanding, the following first describes an access right control method for multiple applications according to an embodiment of the present invention:
the embodiment of the invention provides a multi-application access authority control method, which is used for predetermining registration information aiming at a plurality of applications, wherein the registration information comprises a first authority level and a communication address which are associated with a user.
The applications include, but are not limited to, app-type applications (app applications for short), web-type applications (web applications for short), and HTML5-type applications (H5 applications for short).
the plurality of applications here refers to a plurality of applications sharing the same registration information. Specifically, the plurality of applications may be, for example, a plurality of applications of the same type, for example, a plurality of app applications on a mobile terminal sharing the same registration information; the plurality of applications may also be a plurality of applications of different types, such as a hybrid application of an app application and a web application that share the same registration information.
The first permission level refers to the initial permission configured for the user at registration. Referring to FIG. 1, during configuration the relationship between a user and a role is determined first, where the roles include but are not limited to common user and administrator; then different permissions are configured for different users, that is, permissions are associated with users. The permissions comprise three types, query permission, edit permission and delete permission, and each type comprises menu permission and data permission.
The communication address can be a mailbox, a short message or other address for communication.
Referring to fig. 2, the method includes:
step S202, detecting the access of a user to any one or more of a plurality of applications based on login information;
step S204, when the access abnormality is detected, limiting the access authority of the user to a second authority level, and sending first verification information to a communication address associated with the user;
step S206, receiving second verification information input by a user;
and step S208, when the second verification information is matched with the first verification information, restoring the access authority of the user to the first authority level.
For step S202, the login information is used to log in to any one or more of the plurality of applications. It includes, but is not limited to, the user's account (user name) and password, and may further include a login verification code, which may be, for example, a graphical verification code, a slider verification code, a text verification code (e.g., a numeric, alphabetic or Chinese-character verification code), or another preset login verification method.
In a specific implementation, the step S202 may include the following steps:
1. detecting the access data traffic generated by any one or more applications after the user logs in to them based on the login information.
It should be noted that when a user logs in to only one application, the data traffic generated by the user accessing that application within a preset time is detected;
when a user logs in to a plurality of applications, the total data traffic generated by the user accessing those applications within a preset time is detected, where the total is the accumulation of the data traffic generated by each application. During detection, the data traffic of each application may be counted separately and then summed, or a statistical interface mirrored from the several traffic interfaces of the applications may be monitored to obtain the total directly.
Whether the plurality of applications exhibit access anomalies (such as malicious attacks or illegal intrusions) can be determined by detecting access data traffic. When the traffic is abnormal, it is determined that the applications have an access anomaly.
In an alternative embodiment, the login information is used to log in to a plurality of applications, the login information including a username and password.
For step S204, the second permission level is the permission the user holds after the first permission level has been adjusted.
The first authentication information may be an authentication code, typically a dynamic authentication code, for authentication of the user.
In an alternative embodiment, the first authentication information is valid for a single use. I.e. the first authentication information can only be used once.
In an alternative embodiment, the scope of authority of the second level of authority is smaller than the scope of authority of the first level of authority.
In an alternative embodiment, the second permission level is the user's permission excluding the permissions associated with the user's privacy (e.g., private photos, private logs, etc.) in the first permission level.
In the present embodiment, step S204 is performed by:
1) when the access anomaly is detected, cutting off (or closing) the privacy-related part of the user's permissions so that it can no longer be accessed, thereby limiting the user's permissions to the second permission level;
2) sending the first verification information to the user's mailbox or SMS inbox by mail or short message.
The user must enter the first verification information to log in again. If the person who triggered the anomaly is not the legitimate user, the legitimate user learns from the verification message that the user name and password have leaked and can change them, which protects the user's data and raises security awareness. If the attacker cannot obtain the first verification information, the permissions remain closed and the user's privacy is protected.
For step S206, the user may input verification information to prove his or her identity (for example, when logging in again or when a login interface pops up); the second verification information is the information input by the user during this verification.
If the second verification information matches (is consistent with) the first verification information, identity verification confirms that this is the legitimate user, the cut-off or closed permissions are reopened, and the user's access permissions are restored to the first permission level.
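The following is an added example, not code from the patent or its applicant, showing how steps S202 to S208 (and the prompt of step S310) can be implemented as one controller shared by several applications. The permission names, the choice of which permissions count as privacy-related, the six-digit code format, the code lifetime and the attempt limit are all assumptions of this example; the "sending" of the code is modelled by an outbox list instead of a real mail or SMS gateway.

```python
import hmac
import secrets
import time

# Constructed permission model following the description of the first
# permission level: three permission types (query, edit, delete), each with a
# menu scope and a data scope. Which of these count as privacy-related is an
# assumption of this example.
ALL_PERMISSIONS = {
    "query:menu", "query:data",
    "edit:menu", "edit:data",
    "delete:menu", "delete:data",
}
PRIVACY_PERMISSIONS = {"query:data", "edit:data", "delete:data"}


class AccessController:
    """Unified access-permission control shared by several applications."""

    def __init__(self, code_ttl_seconds=300, max_attempts=5, now=time.time):
        self.registrations = {}    # user -> {"first_level": set, "address": str}
        self.effective = {}        # user -> permissions currently granted
        self.pending = {}          # user -> {"code", "expires", "attempts"}
        self.outbox = []           # (address, message) that a real system would mail/SMS
        self.anomaly_seen = set()  # users to prompt for stronger login information
        self.code_ttl = code_ttl_seconds
        self.max_attempts = max_attempts
        self._now = now            # injectable clock so expiry can be tested

    def register(self, user, address, first_level=None):
        """Registration information: first permission level plus communication address."""
        level = set(ALL_PERMISSIONS if first_level is None else first_level)
        self.registrations[user] = {"first_level": level, "address": address}
        self.effective[user] = set(level)

    def can_access(self, user, permission):
        return permission in self.effective.get(user, set())

    def on_access_anomaly(self, user):
        """Step S204: cut the user down to the second level and send a one-time code."""
        reg = self.registrations[user]
        # Second level = first level minus the privacy-related permissions.
        self.effective[user] = reg["first_level"] - PRIVACY_PERMISSIONS
        self.anomaly_seen.add(user)
        code = f"{secrets.randbelow(10**6):06d}"   # dynamic, single-use verification code
        self.pending[user] = {"code": code, "expires": self._now() + self.code_ttl, "attempts": 0}
        self.outbox.append((reg["address"], f"Verification code: {code}"))

    def verify(self, user, submitted):
        """Steps S206/S208: match the submitted code; on success restore the first level."""
        entry = self.pending.get(user)
        if entry is None:
            return False                      # nothing pending, or code already consumed
        if self._now() > entry["expires"]:
            del self.pending[user]            # expired codes are never accepted
            return False
        entry["attempts"] += 1
        # Constant-time comparison so timing does not reveal how many digits matched.
        if hmac.compare_digest(entry["code"].encode(), str(submitted).encode()):
            del self.pending[user]            # single use: consumed on success
            self.effective[user] = set(self.registrations[user]["first_level"])
            return True
        if entry["attempts"] >= self.max_attempts:
            del self.pending[user]            # too many wrong guesses invalidates the code
        return False

    def login(self, user):
        """Step S310: after an anomaly the user is prompted to strengthen login information."""
        first = self.registrations[user]["first_level"]
        return {
            "restricted": self.effective[user] != first,
            "strengthen_login": user in self.anomaly_seen,
        }


if __name__ == "__main__":
    ac = AccessController()
    ac.register("alice", "alice@example.test")   # constructed user and address
    ac.on_access_anomaly("alice")
    print("after anomaly, query:data allowed?", ac.can_access("alice", "query:data"))
    code = ac.outbox[-1][1].split(": ")[1]      # what the user would read from mail/SMS
    print("code accepted?", ac.verify("alice", code))
    print("restored, query:data allowed?", ac.can_access("alice", "query:data"))
    print("login prompt:", ac.login("alice"))
```

A code that has expired or been exhausted by wrong guesses is dropped and the user stays at the second level; re-issuing one is simply another call to `on_access_anomaly`, so an attacker who triggered the anomaly never gets more than the attempt limit per code.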
The multi-application access authority control method provided by the embodiment of the invention is characterized in that registration information aiming at a plurality of applications is predetermined, the registration information comprises a first authority level and a communication address associated with a user, and the user is detected to access any one or more of the plurality of applications based on login information; when the access abnormality is detected, limiting the access authority of the user to a second authority level, and sending first verification information to a communication address associated with the user; then receiving second verification information input by a user; and finally, when the second verification information is matched with the first verification information, restoring the access authority of the user to the first authority level. Therefore, the technical scheme provided by the embodiment of the invention not only can realize unified control of the authority, but also can dynamically adjust the authority to limit the authority or restore the authority when the abnormity is detected, thereby not only improving the prevention of the threat, but also improving the experience degree of the user; meanwhile, the method is beneficial to protecting the information safety of the user and improving the safety.
As shown in fig. 3, the present embodiment further provides another multi-application access right control method, where registration information for a plurality of applications is predetermined, and the registration information includes a first right level and a communication address associated with a user, and the method further includes:
step S302, detecting the access of a user to any one or more of a plurality of applications based on login information;
step S304, when the access abnormality is detected, limiting the access authority of the user to a second authority level, and sending first verification information to a communication address associated with the user;
step S306, receiving second verification information input by a user;
and step S308, when the second verification information is matched with the first verification information, restoring the access authority of the user to the first authority level.
Step S310, when the user logs in again after the access anomaly is detected, prompting the user to increase the security strength of the login information.
When S310 prompts the user logging in again after the access anomaly, the strength of the password set at that time can be reinforced (for example, by requiring a more complex password), which has a preventive effect. Further security measures can also be taken, for example security enhancements such as binding the user's identity card or bank card.
In an alternative embodiment, the method further comprises:
step S312, receiving a login information modification instruction of a user based on a first application in a plurality of applications; and synchronizing the login information of other applications except the first application in the plurality of applications into the modified login information.
The first application described above may be any one or more of a number of applications.
Through step S312, the registration information or login information changed for one application is synchronized to the other applications, which avoids the inefficiency of modifying each application separately.
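As an added example (not the patent's own code), the synchronization of step S312 can be modelled with one store per application that all receive the same credential record when a modification arrives through any one of them. The application names, the requirement to present the old password before modifying, and the PBKDF2 parameters are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed set of applications that share one set of login information.
APPLICATIONS = ("app-a", "web-b", "h5-c")


def _hash_password(password, salt):
    # Salted PBKDF2 so a leaked store does not expose the shared password directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SharedLoginStore:
    """Per-application login stores kept in sync: a change made in one propagates to all."""

    def __init__(self, applications=APPLICATIONS):
        self.stores = {app: {} for app in applications}   # app -> user -> (salt, digest)

    def set_login(self, user, password):
        salt = os.urandom(16)
        record = (salt, _hash_password(password, salt))
        for app in self.stores:            # every application receives the same record
            self.stores[app][user] = record

    def verify_login(self, app, user, password):
        rec = self.stores[app].get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _hash_password(password, salt))

    def modify_login(self, first_app, user, old_password, new_password):
        """Step S312: modification indicated via first_app; the other apps are synchronized."""
        if first_app not in self.stores:
            raise KeyError(f"unknown application {first_app!r}")
        if not self.verify_login(first_app, user, old_password):
            return False                   # reject unless the current login information matches
        self.set_login(user, new_password) # writes first_app and the remaining apps together
        return True
```

Because all applications accept the same credential, the store also illustrates the background section's point: one leaked password opens every application, which is why the anomaly-triggered restriction and the prompt to strengthen login information matter.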
In an alternative embodiment, each application corresponds to an exception threshold, and the exception threshold is associated with a security factor of the application, and the security factor is used for indicating the trustworthiness of the application.
The higher the safety factor, the higher the anomaly threshold that triggers an alarm. The safety factor and the alarm's anomaly threshold have a one-to-one correspondence, which can be maintained in a relationship table.
As to how an access anomaly is determined in step S304 and step S310, in an alternative embodiment the method further includes:
A. after detecting that the traffic of a second application in the plurality of applications continuously exceeds the anomaly threshold corresponding to the second application for a period of time, determining that an access anomaly is detected.
The second application is any one or more of a plurality of applications, that is, the second application may be the same type of application as the first application or may be a different type of application from the first application; the second application may or may not be the same application as the first application; wherein the login information of the first application and the second application are the same.
The flow detection principle of step a is briefly explained as follows:
The traffic detection computes the period-over-period (ring) ratio of a time series: for each traffic sample, the traffic at the current moment is recorded as v_t and the traffic at the previous moment as v_(t-1), and subtracting the two gives a traffic map with the time series as the abscissa.
For each traffic sample, the total traffic divided by the total time gives the average traffic; with the samples denoted v_i for i = 1, 2, ..., n, the criterion for a traffic anomaly is the threshold (v_1 + v_2 + ... + v_n)/n.
A traffic map of the actually collected traffic is drawn, and if the traffic in the map stays above (v_1 + v_2 + ... + v_n)/n (the anomaly threshold) for a period of time, the traffic is determined to be abnormal.
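The following added example (not the patent's own code) implements step A together with the per-application threshold of the preceding paragraphs: the baseline threshold is the mean (v_1 + ... + v_n)/n of the sample traffic, scaled by a constructed relationship table from safety factor to multiplier, and an anomaly is reported only when the last `period` consecutive samples all exceed it. It also computes the v_t - v_(t-1) difference series and the summed traffic of several applications from the earlier step S202 discussion. The sample values, the table contents and the window length are assumptions.

```python
from statistics import mean

# Constructed relationship table: safety factor (trustworthiness of the
# application) -> multiplier on the baseline. A higher factor gives a higher
# anomaly threshold, as the description states.
SAFETY_FACTOR_TABLE = {1: 1.0, 2: 1.5, 3: 2.0}


def ring_ratio(flows):
    """Period-over-period differences v_t - v_(t-1): the 'traffic map' series."""
    return [cur - prev for prev, cur in zip(flows, flows[1:])]


def anomaly_threshold(baseline, safety_factor):
    """(v_1 + ... + v_n) / n over the baseline samples, scaled for the application."""
    return mean(baseline) * SAFETY_FACTOR_TABLE[safety_factor]


def longest_run_above(flows, threshold):
    """Length of the longest stretch of consecutive samples strictly above threshold."""
    run = best = 0
    for v in flows:
        run = run + 1 if v > threshold else 0
        best = max(best, run)
    return best


def total_flow(per_app_flows):
    """Sum aligned samples of several applications the user is logged in to at once."""
    return [sum(samples) for samples in zip(*per_app_flows)]


class TrafficMonitor:
    """Per-application thresholds plus a sliding window for 'exceeds for a period of time'."""

    def __init__(self, period):
        self.period = period   # how many consecutive samples count as a period of time
        self.apps = {}         # app -> {"threshold": float, "recent": [samples]}

    def register_app(self, app, baseline, safety_factor):
        self.apps[app] = {"threshold": anomaly_threshold(baseline, safety_factor),
                          "recent": []}

    def feed(self, app, flow):
        """Record one sample; return True when an access anomaly is detected (step A)."""
        state = self.apps[app]
        state["recent"].append(flow)
        state["recent"] = state["recent"][-self.period:]   # keep only the window
        return (len(state["recent"]) == self.period
                and all(v > state["threshold"] for v in state["recent"]))


if __name__ == "__main__":
    # Constructed traffic samples (requests per interval) for two applications.
    baseline = [10, 12, 11, 9, 13]           # mean 11
    monitor = TrafficMonitor(period=3)
    monitor.register_app("web-b", baseline, safety_factor=2)   # threshold 16.5
    for sample in [12, 20, 25, 30, 14]:
        print("web-b", sample, "anomaly:", monitor.feed("web-b", sample))
    print("differences:", ring_ratio([12, 20, 25, 30, 14]))
```

With the same samples a more trusted application (safety factor 3, threshold 22) would not raise an alarm on the window 20, 25, 30, because the first sample is below its higher threshold; this is the practical effect of tying the threshold to the safety factor.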
The multi-application access authority control method provided by the embodiment of the invention not only realizes unified processing through a unified authority authentication mode, so that all clients complete a unified operation at once, but also dynamically adjusts authority, for example by limiting or restoring it. In addition, compared with a traditional unified authority control system, the method can sense a client anomaly from the change in traffic; when an anomaly occurs, it protects asset information by cutting off authority in time and at the same time reminds the user, so the user becomes aware of the threat and the user's information security is also protected. While traffic is normal, authority stays unchanged and the user's normal use is guaranteed. When an anomaly affects the user, the user can recover authority by entering the corresponding verification code, so normal use is not affected.
Based on the same inventive concept, the embodiment of the present application further provides a multi-application access right control device corresponding to the multi-application access right control method. Since the device solves the problem on the same principle as the above-mentioned method, its implementation may refer to the implementation of the method, and repeated details are omitted.
Fig. 4 is a schematic diagram of an access right control device for multiple applications according to an embodiment of the present application.
Referring to Fig. 4, the apparatus determines in advance registration information for a plurality of applications, the registration information including a first authority level and a communication address associated with the user, and comprises a detection module 401, a sending module 402, a receiving module 403 and a recovery module 404, where:
the detection module 401 is configured to detect, on the basis of the login information, access by the user to any one or more of the plurality of applications;
the sending module 402 is configured, when an access anomaly is detected, to limit the user's access right to a second right level and to send first verification information to the communication address associated with the user;
the receiving module 403 is configured to receive second verification information entered by the user;
the recovery module 404 is configured to restore the user's access right to the first right level when the second verification information matches the first verification information.
In an alternative embodiment, the apparatus further comprises:
a prompting module 405, configured to prompt the user to strengthen the login information when the user logs in again after an access anomaly has been detected.
In an alternative embodiment, the login information is used to log in to the plurality of applications and comprises a user name and a password.
In an optional implementation, the receiving module 403 is further configured to receive, from a first application among the plurality of applications, an indication that the user has modified the login information, and to synchronize the login information of the other applications to the modified login information.
In an alternative embodiment, each application corresponds to an anomaly threshold; the anomaly threshold depends on a security factor of the application, and the security factor indicates the trustworthiness of the application.
In an optional implementation, the detection module 401 is configured to determine that an access anomaly has been detected after the traffic of a second application among the plurality of applications has continuously exceeded the anomaly threshold corresponding to that application for a period of time.
The multi-application access right control device provided by this embodiment has the same technical features as the method provided above, so it solves the same technical problem and achieves the same technical effect.
The prior art provides only a unified authority control function: even when a threat is perceived, access cannot be restricted by lowering permissions.
In addition, threat prevention in the prior art is not controlled uniformly; for the most part each application system handles it separately.
In view of this, the embodiment of the present invention further provides a traffic-based secure unified authority control system, which aims to overcome these defects of existing authority control technology while retaining the advantage of unified authority authentication, so that the improved unified authority control system not only manages authority centrally but also adjusts the size of the authority dynamically when traffic is abnormal.
The traffic-based secure unified authority control system provided by this embodiment consists mainly of a central authority control system and the system applications. An attacker or a user accesses the system applications through a user terminal. The system applications are divided mainly into app applications, web applications and H5 applications; the general block diagram is shown in Fig. 5.
Referring to Fig. 6, the central authority control system is divided internally into an authority configuration module, an authority management module, a verification code sending module and a security statistical analysis module. The authority configuration module comprises role configuration, user configuration and configuration of the authority corresponding to each role; the authority management module comprises role management, user management and management of the authority corresponding to each role; the verification code sending module comprises a mailbox notification part and a short message (SMS) notification part; and the security statistical analysis module comprises a statistics module and an analysis module.
The user configuration in the authority configuration module is used for user registration;
the role configuration in the authority configuration module sets the permissions of the corresponding user by binding the user to a role;
the role-authority configuration in the authority configuration module sets the permissions held by the users of a role by binding the role to its permissions;
the authority management module manages the permissions, roles and users that have been assigned: an administrator can manage them manually through this module, and when traffic is abnormal the module limits permissions automatically. The verification code sending module is linked with the authority management module and sends the verification code to the user's mobile phone and mailbox.
The analysis module inspects incoming traffic and, if the traffic is found to be abnormal, calls the statistics module. The statistics module substitutes the number of abnormal-traffic events into the statistical model and obtains an optimal solution iteratively; that solution is the safety factor of the system.
In an alternative embodiment the statistical model may be a linear regression equation, y = b0 + b1X1 + b2X2 + … + bnXn, where the Xi are the counts (the number of abnormal-traffic events) and y is the safety factor of the system.
Note that the higher the safety factor of the system, the higher the alarm threshold. The safety factor and the alarm threshold are in one-to-one correspondence, maintained in a relationship table.
Referring to Fig. 7, the web application, the app application and the H5 application are each integrated with a traffic sensing module and a traffic alarm module.
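The following is an added example of the statistical module just described; it is not code from the patent or its assignee. It fits the regression y = b0 + b1X1 + … + bnXn iteratively by plain gradient descent (the general n-feature case, exercised here with a single feature, the number of abnormal-traffic events per window), reads the safety factor off the fitted model, and maps the factor to an alarm threshold through a relationship table. The training data, the table contents and every name in the block are assumptions chosen for the example.

```python
"""Added example: iterative fit of the safety-factor regression and the
safety-factor -> alarm-threshold relationship table. Not patent code;
data, table values and names are assumptions for illustration."""
from bisect import bisect_right
from typing import List, Sequence, Tuple


def fit_linear_gd(X: Sequence[Sequence[float]], y: Sequence[float],
                  lr: float = 0.01, iters: int = 20_000) -> List[float]:
    """Return [b0, b1, ..., bn] minimising mean squared error by gradient descent.

    X holds one feature row per observation window. Features of modest
    magnitude (here 0..6) keep lr=0.01 stable; scale larger ones first."""
    n_feat = len(X[0])
    m = len(X)
    b = [0.0] * (n_feat + 1)
    for _ in range(iters):
        grad = [0.0] * (n_feat + 1)
        for row, target in zip(X, y):
            err = b[0] + sum(bi * xi for bi, xi in zip(b[1:], row)) - target
            grad[0] += err
            for j, xj in enumerate(row, start=1):
                grad[j] += err * xj
        # gradient of the mean squared error is 2/m * sum(err * x)
        b = [bj - lr * 2.0 * gj / m for bj, gj in zip(b, grad)]
    return b


def fit_linear_closed_form(xs: Sequence[float], ys: Sequence[float]) -> Tuple[float, float]:
    """Exact least-squares (b0, b1) for one feature; used to check the iterative fit."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b1 = sxy / sxx
    return my - b1 * mx, b1


def safety_factor(b: Sequence[float], features: Sequence[float]) -> float:
    """Evaluate y = b0 + sum(bi * Xi) and clamp to [0, 1] as a trust score."""
    y = b[0] + sum(bi * xi for bi, xi in zip(b[1:], features))
    return min(1.0, max(0.0, y))


# Relationship table (assumed values): the lowest safety factor at which each
# alarm threshold (requests per window) applies. Higher factor -> higher threshold.
THRESHOLD_TABLE: List[Tuple[float, int]] = [(0.0, 50), (0.4, 80), (0.7, 120), (0.9, 200)]
_TABLE_KEYS = [k for k, _ in THRESHOLD_TABLE]


def alarm_threshold(factor: float) -> int:
    """Pick the row whose key is the largest not above the factor."""
    return THRESHOLD_TABLE[bisect_right(_TABLE_KEYS, factor) - 1][1]


# Constructed training data: abnormal-traffic events per window (X1) against the
# safety factor an operator assigned to that window (y). Not measured data.
ANOMALY_COUNTS = [0.0, 1.0, 2.0, 4.0, 6.0]
OBSERVED_FACTORS = [0.95, 0.85, 0.72, 0.50, 0.30]


if __name__ == "__main__":
    coeffs = fit_linear_gd([[x] for x in ANOMALY_COUNTS], OBSERVED_FACTORS)
    for count in (0, 3, 10):
        sf = safety_factor(coeffs, [count])
        print(f"{count} anomalies -> safety factor {sf:.2f} -> threshold {alarm_threshold(sf)}")
```

The clamp matters in practice: a linear model extrapolates below zero for large anomaly counts, and an unclamped negative "trust" would fall off the table. Retraining on each new window is what the page calls the iterative closed loop; the closed-form fit is included only to show that the iteration has actually converged.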
The following describes an application scenario of the traffic-based secure unified authority control system:
1. The user terminal, which may be a mobile client or a desktop client, accesses the app application, the web application or the H5 application.
2. The traffic sensing module senses that the traffic has increased and stays high for a period of time; it triggers the traffic alarm module, which reports alarm information to the central authority control system.
3. The central authority control system receives the report and limits the authority of the corresponding user.
4. The central authority control system calls the verification code sending module to send a verification code to the user's mailbox and mobile phone.
5. If the person operating at this moment is not the user (an attacker, for example), the user learns from the unexpected verification code that the account has a problem and can choose a stronger password next time, which has a preventive effect; the user may of course take other, more secure measures as well. When the user next logs in, the authority is restored automatically to the originally configured level once the verification code issued by the central authority control system is entered, so the user's use is not affected. The analysis module of the central authority control system's security statistical analysis module analyses this behaviour and the statistics module processes it statistically.
6. The user can change the password in one system, and the password for logging in to the other systems is updated at the same time.
7. If the user is operating at this moment, the user lifts the restriction and restores the authority by entering the user name, the password and the verification code sent by the system; the analysis module again analyses the behaviour and the statistics module processes it statistically.
8. The statistics module's analysis yields the safety factor of the system. As the safety factor differs, the trustworthiness of the system changes, and this is reflected in a changed alarm threshold for abnormal traffic, which reduces the chance of misjudgement. The system thus achieves closed-loop control in which authority is adjusted dynamically as traffic changes.
The rights of the app application, the web application and the H5 application are controlled uniformly by the central rights control system. When the traffic from an application increases suddenly over a period of time, the part of the system related to the user's privacy is cut off and can no longer be accessed. The central rights control system sends a verification code to the user's mobile phone; the code can be used only once, and the user can log in again only after entering it. If the person logged in is not the user, the user learns that the user name and password have leaked and can change them, which protects the user's data and raises security awareness. If the attacker cannot obtain the verification code, the authority stays closed and the user's privacy is protected. If the user logs in with the verification code, the user is confirmed and the authority is reopened.
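The closed loop of steps 1 to 8 above, as an added example that is not code from the patent or its assignee: a per-window traffic report for one application, a sustained excursion above that application's alarm threshold, downgrade to the second authority level (privacy resources closed), a one-time verification code delivered out of band, and restoration of the first level on a matching code. The module and class names, the data structures, the threshold values, the resource names and the code-delivery callback are assumptions for the example; the code also adds the checks a practitioner would expect around the verification code (CSPRNG generation, expiry, attempt limit, constant-time comparison, single use), which the page states only in part.

```python
"""Added example of the traffic-based authority control loop (steps 1-8).
Not patent code; names, thresholds and the delivery callback are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

FULL, RESTRICTED = "full", "restricted"        # first / second authority level
PRIVACY_RESOURCES = {"profile", "payments"}    # closed at the second level (assumed)


@dataclass
class App:
    name: str
    safety_factor: float       # trustworthiness from the statistics module, 0..1
    base_threshold: int        # requests per window when the factor is 1.0
    sustain_windows: int = 3   # consecutive windows above threshold before an alarm

    def alarm_threshold(self) -> int:
        # higher safety factor -> higher threshold -> fewer misjudgements
        return int(self.base_threshold * self.safety_factor)


@dataclass
class UserState:
    level: str = FULL
    pending_code: Optional[str] = None
    code_expires: float = 0.0
    attempts: int = 0
    strengthen_password: bool = False      # prompting module flag for the next login
    anomalies: List[Tuple[str, float]] = field(default_factory=list)


class CentralAuthorityControl:
    def __init__(self, apps: List[App], send_code: Callable[[str, str], None],
                 code_ttl: float = 300.0, max_attempts: int = 3):
        self.apps = {a.name: a for a in apps}
        self.users: Dict[str, UserState] = {}
        self.send_code = send_code        # mailbox / SMS delivery, supplied by caller
        self.code_ttl = code_ttl
        self.max_attempts = max_attempts
        self._streak: Dict[Tuple[str, str], int] = {}

    def user(self, uid: str) -> UserState:
        return self.users.setdefault(uid, UserState())

    # step 2: the traffic sensing module reports one window's request count
    def report_traffic(self, uid: str, app_name: str, requests: int, now: float) -> bool:
        """Return True when this report raises a traffic alarm."""
        app = self.apps[app_name]
        key = (uid, app_name)
        if requests > app.alarm_threshold():
            self._streak[key] = self._streak.get(key, 0) + 1
        else:
            self._streak[key] = 0         # traffic normal again: authority unchanged
        if self._streak[key] < app.sustain_windows:
            return False
        self._streak[key] = 0
        self._on_alarm(uid, app_name, now)
        return True

    # steps 3-4: limit authority, record the event, send a one-time code
    def _on_alarm(self, uid: str, app_name: str, now: float) -> None:
        st = self.user(uid)
        st.level = RESTRICTED
        st.pending_code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, never random()
        st.code_expires = now + self.code_ttl
        st.attempts = 0
        st.strengthen_password = True
        st.anomalies.append((app_name, now))   # feed for the statistics module
        self.send_code(uid, st.pending_code)

    # enforced by every application: privacy resources are closed while restricted
    def authorize(self, uid: str, resource: str) -> bool:
        st = self.user(uid)
        return not (st.level == RESTRICTED and resource in PRIVACY_RESOURCES)

    # steps 5 and 7: a matching, unexpired, single-use code restores the first level
    def verify(self, uid: str, submitted: str, now: float) -> bool:
        st = self.user(uid)
        if st.pending_code is None or now > st.code_expires:
            return False
        st.attempts += 1
        if st.attempts > self.max_attempts:
            st.pending_code = None         # guessing attacker: burn the code
            return False
        if not hmac.compare_digest(st.pending_code.encode(), submitted.encode()):
            return False
        st.pending_code = None             # single use
        st.level = FULL
        return True
```

A six-digit code is only safe in combination with the attempt limit and the expiry; without them an attacker holding the leaked password could enumerate it. Note that the streak counter resets on any normal window, which is the page's "traffic levels off, authority kept unchanged" rule, and that a second alarm while the user is already restricted simply issues a fresh code.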
The traffic-based secure unified authority control method provided by this embodiment has the following characteristics:
First, authority is controlled uniformly, so the clients are managed and controlled centrally.
Second, when traffic is abnormal, the user's authority is adjusted dynamically and reduced to the minimum, or even to no access at all, which protects the user's information security.
Third, when traffic is abnormal, a verification code is sent to the user's mailbox and mobile phone, so the user learns at once whether the security of the system is in question and perceives the threat at the moment it actually occurs, which raises the user's security awareness.
Fourth, because authority control is unified, all of the user's permissions can be restored at once, avoiding the problem of re-enabling them one by one.
Fifth, the central authority control system records each instance of abnormal traffic and analyses the records statistically. If traffic levels off or decreases over time, the authority may be kept unchanged.
Referring to Fig. 8, the embodiment further provides an electronic device 100, for which registration information for a plurality of applications is determined in advance, the registration information including a first permission level and a communication address associated with the user, the device comprising:
a processor 41, a memory 42 and a bus 43. The memory 42 stores execution instructions and comprises an internal memory 421 and an external memory 422. The internal memory 421 temporarily stores the operating data of the processor 41 and the data exchanged with the external memory 422 (a hard disk, for example); the processor 41 exchanges data with the external memory 422 through the internal memory 421. When the device operates, the processor 41 communicates with the memory 42 through the bus 43, so that the processor 41 executes the following instructions in user mode:
detecting, on the basis of login information, access by the user to any one or more of the plurality of applications; when an access anomaly is detected, limiting the user's access authority to a second authority level and sending first verification information to the communication address associated with the user; receiving second verification information entered by the user; and, when the second verification information matches the first verification information, restoring the user's access authority to the first authority level.
Optionally, the instructions executed by the processor 41 further include:
when the user logs in again after an access anomaly has been detected, prompting the user to strengthen the login information.
Optionally, in the instructions executed by the processor 41, the login information is used to log in to the plurality of applications and comprises a user name and a password.
Optionally, the instructions executed by the processor 41 further include:
receiving, from a first application among the plurality of applications, an indication that the user has modified the login information; and synchronizing the login information of the other applications to the modified login information.
Optionally, in the instructions executed by the processor 41, each application corresponds to an anomaly threshold, the anomaly threshold depends on a security factor of the application, and the security factor indicates the trustworthiness of the application. Optionally, the instructions executed by the processor 41 further include:
determining that an access anomaly has been detected after the traffic of a second application among the plurality of applications has continuously exceeded the anomaly threshold corresponding to that application for a period of time.
The embodiment further provides a computer-readable storage medium storing a computer program which, when executed by a processor, carries out the steps of the multi-application access right control method provided above.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative and, for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, each functional module or unit in each embodiment of the present invention may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention or a part of the technical solution that contributes to the prior art in essence can be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a smart phone, a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention.

Claims (10)

1. A multi-application access authority control method, wherein registration information for a plurality of applications is determined in advance, the registration information including a first authority level and a communication address associated with a user, the method comprising:
detecting, on the basis of login information, access by the user to any one or more of the plurality of applications;
when an access anomaly is detected, limiting the access authority of the user to a second authority level and sending first verification information to the communication address associated with the user;
receiving second verification information entered by the user; and
when the second verification information matches the first verification information, restoring the access authority of the user to the first authority level.
2. The method of claim 1, further comprising:
when the user logs in again after the access anomaly has been detected, prompting the user to strengthen the login information.
3. The method of claim 1, wherein the login information is used to log in to the plurality of applications, and wherein the login information comprises a username and a password.
4. The method of claim 3, further comprising:
receiving, from a first application among the plurality of applications, an indication that the user has modified the login information; and
synchronizing the login information of the applications other than the first application to the modified login information.
5. The method of claim 1, wherein each of the applications corresponds to an anomaly threshold, the anomaly threshold is associated with a security factor of the application, and the security factor indicates the trustworthiness of the application.
6. The method of claim 5, further comprising:
determining that an access anomaly has been detected after the traffic of a second application among the plurality of applications has continuously exceeded the anomaly threshold corresponding to the second application for a period of time.
7. A multi-application access authority control apparatus, wherein registration information for a plurality of applications, including a first authority level and a communication address associated with a user, is determined in advance, the apparatus comprising:
a detection module configured to detect, on the basis of login information, access by the user to any one or more of the plurality of applications;
a sending module configured, when an access anomaly is detected, to limit the access authority of the user to a second authority level and to send first verification information to the communication address associated with the user;
a receiving module configured to receive second verification information entered by the user; and
a recovery module configured to restore the access authority of the user to the first authority level when the second verification information matches the first verification information.
8. The apparatus of claim 7, further comprising:
a prompting module configured to prompt the user to strengthen the login information when the user logs in again after the access anomaly has been detected.
9. An electronic device comprising a processor and a memory, the memory storing machine executable instructions executable by the processor to implement the method of any one of claims 1-6.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-6.
CN201911138430.9A 2019-11-20 2019-11-20 Multi-application access authority control method and device and electronic equipment Pending CN110851819A (en)


Publications (1)

Publication Number Publication Date
CN110851819A true CN110851819A (en) 2020-02-28

Family

ID=69602586


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113535501A (en) * 2020-04-15 2021-10-22 中移动信息技术有限公司 Information auditing method, device, equipment and computer storage medium
CN114095189A (en) * 2020-07-31 2022-02-25 中国电信股份有限公司 Configuration method and device for device permission
CN115296874A (en) * 2022-07-26 2022-11-04 北京科能腾达信息技术股份有限公司 Computer network security system, method, medium, equipment and terminal
CN116361760A (en) * 2023-06-01 2023-06-30 湖南三湘银行股份有限公司 Identity authentication device based on biological probe technology

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102981906A (en) * 2012-11-16 2013-03-20 广东欧珀移动通信有限公司 Application program background process management method and device
CN103514386A (en) * 2012-06-22 2014-01-15 纬创资通股份有限公司 Permission control method of application program, electronic device and computer readable medium
CN105528535A (en) * 2015-12-25 2016-04-27 北京奇虎科技有限公司 Log information based user behavior analysis method and apparatus
US20160267026A1 (en) * 2013-11-21 2016-09-15 Huawei Technologies Co., Ltd. Method and apparatus for accessing physical resources
CN106506471A (en) * 2016-10-31 2017-03-15 百度在线网络技术(北京)有限公司 Application control method and device
CN106650399A (en) * 2015-10-30 2017-05-10 北京国双科技有限公司 Processing method and device for user access permissions
CN109743755A (en) * 2018-12-19 2019-05-10 Oppo广东移动通信有限公司 Link aggregation right management method and Related product
CN110365684A (en) * 2019-07-17 2019-10-22 中国工商银行股份有限公司 Access control method, device and the electronic equipment of application cluster



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200228