CN111131310B - Access control method, device, system, computer device and storage medium - Google Patents


Info

Publication number: CN111131310B
Authority: CN (China)
Prior art keywords: connection, host, target port, access, data packet
Legal status: Active
Application number: CN201911415849.4A
Other languages: Chinese (zh)
Other versions: CN111131310A (en)
Inventors: 刘成伟, 张泽洲, 简明, 魏勇
Current assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Original assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd

Events:
Application filed by Qianxin Technology Group Co Ltd and Secworld Information Technology Beijing Co Ltd
Priority to CN201911415849.4A
Publication of CN111131310A
Application granted
Publication of CN111131310B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an access control method, an access control apparatus, an access control system, a computer device and a storage medium. The access control method is applied to a connection receiving host and comprises the following steps: after the authorization detection packet passes authorization, opening a service exposure time window, in which state the connection opening host that sent the authorization detection packet can access a target port of the connection receiving host; capturing the data packets sent and received by the connection receiving host; analyzing the data packets to judge whether the target port has completed the access connection; and when the target port has completed the access connection, closing the service exposure time window. With the method and apparatus, the risk of piggyback attack can be reduced without affecting normal access.

Description

Access control method, device, system, computer device and storage medium
Technical Field
The present invention relates to the field of access control technologies, and in particular, to an access control method, apparatus, system, computer device, and storage medium.
Background
As enterprises embrace emerging technologies such as cloud computing, the mobile internet and IoT, their data and applications are no longer confined to the intranet, so traditional physical-perimeter defense based on firewalls can no longer meet requirements, and the Software Defined Perimeter (SDP) is used instead. SDP is a new-generation network security model proposed by the Cloud Security Alliance (CSA) in 2014. SDP advocates network stealth, zero trust and minimal authorization, and is an enterprise security architecture better suited to the cloud and mobile era.
In the SDP security framework, the basic components are the SDP connection opening host, the SDP connection accepting host and the SDP controller. The SDP controller determines which SDP hosts may communicate with each other; it may also relay information to external services such as authentication, geo-location and/or identity servers. The SDP connection opening host (IH) communicates with the SDP controller to request the SDP connection accepting hosts (AH) it may connect to. By default, the SDP connection accepting host (AH) rejects all communication from every host other than the SDP controller, and accepts a connection from an SDP connection opening host only after the SDP controller instructs it to. Among prior-art SDP controllers there is an implementation scheme based on Single Packet Authorization (SPA), in which a service hidden on the SDP connection accepting host is by default invisible to the outside, and only the source IP address specified after SPA, that is, the specified SDP connection opening host, may communicate with a port temporarily opened on the SDP connection accepting host.
In the current SPA implementation scheme, when the SDP connection opening host is located behind a Network Address Translation (NAT) device and connects to the SDP connection accepting host after SPA authorization, the SDP connection accepting host allows connections whose source IP address is the external egress address of the SDP connection opening host, and that external egress address is the IP address of the NAT device. For example, if the IP address of the SDP connection opening host is 192.168.1.2 and its external IP address after translation is 10.10.1.10, then after authorization every access request with source IP 10.10.1.10 is accepted by the SDP connection accepting host. If an attacker sits in the same subnet as the SDP connection opening host (for example with IP address 192.168.1.3), the attacker's external IP address is also 10.10.1.10, so the attacker can directly access the SDP connection accepting host within its service exposure time window, and an illegal piggyback service access path is easily established (i.e., the SDP access is easily exploited to set up an illegal piggyback service channel).
In the prior art, the risk of attack is reduced by using a random port and controlling the duration of the service exposure time window, but the inventors found that this duration is difficult to set accurately: if it is too short, the window expires and closes before a legitimate user has established the access connection, and normal access is affected; if it is too long, an attacker is left with enough time to probe for the random port and access the service.
Therefore, providing an access control method, system, computer device and computer readable storage medium that further reduce the risk of piggyback attack without affecting normal access is a technical problem to be solved in the art.
Disclosure of Invention
It is an object of the present invention to provide an access control method, apparatus, system, computer device and storage medium for solving the above technical problems in the prior art.
In one aspect, the present invention provides an access control method for achieving the above object.
The access control method is applied to a connection receiving host and comprises the following steps: after the authorization detection packet passes authorization, opening a service exposure time window, in which state the connection opening host that sent the authorization detection packet can access a target port of the connection receiving host; capturing the data packets sent and received by the connection receiving host; analyzing the data packets to judge whether the target port has completed the access connection; and when the target port has completed the access connection, closing the service exposure time window.
Further, before the step of analyzing the data packets to determine whether the target port has completed the access connection, the access control method further includes: determining the authorization information corresponding to the authorization detection packet, where the authorization information comprises a target port and a connection protocol; and filtering the data packets sent and received by the connection receiving host according to the authorization information to obtain target data packets, so that analyzing the data packets to judge whether the target port has completed the access connection specifically comprises analyzing the target data packets to judge whether the target port has completed the access connection.
Further, the authorization information also includes a maximum connection number, and the step of analyzing the target data packets to determine whether the target port has completed the access connection includes: analyzing the target data packets to judge whether the number of times the target port has been successfully accessed through the connection protocol reaches the maximum connection number; when it does, the target port has completed the access connection.
Further, the step of analyzing the target data packets to determine whether the number of successful accesses to the target port through the connection protocol reaches the maximum connection number includes: analyzing the target data packets and counting the number of handshake flows established with the target port; and judging whether the number of handshake flows reaches the maximum connection number.
In another aspect, the present invention provides an access control apparatus for achieving the above object.
The access control apparatus is provided in a connection receiving host and includes: an opening module for opening a service exposure time window after the authorization detection packet passes authorization, where, in the state in which the service exposure time window is open, the connection opening host that sent the authorization detection packet can access a target port of the connection receiving host; a capturing module for capturing the data packets sent and received by the connection receiving host; an analysis and judgment module for analyzing the data packets to judge whether the target port has completed the access connection; and a closing module for closing the service exposure time window when the target port has completed the access connection.
In another aspect, the present invention provides an access control system for achieving the above objects.
The access control system includes a connection opening host, a connection receiving host and a controller, wherein: the connection opening host is used for sending an authorization detection packet; the controller is used for verifying the authorization detection packet and sending the verification result to the connection receiving host; the connection receiving host is used for opening a service exposure time window when the verification result is that verification has passed; the connection opening host is also used for accessing a target port of the connection receiving host while the service exposure time window is open; and the connection receiving host is also used for capturing the data packets it sends and receives after the service exposure time window is opened, analyzing them to judge whether the target port has completed the access connection, and closing the service exposure time window when it has.
Further, the connection opening host is also used for sending alarm information to the controller when the number of failed accesses to the target port of the connection receiving host exceeds a preset threshold, and the controller is also used for performing alarm processing when the alarm information is received.
Further, the connection opening host includes a connection state machine, wherein: the initial state of the connection state machine is unauthorized; after the authorization detection packet is sent, the state switches to authorized; when the target port of the connection receiving host is accessed normally and the service exposure time window is closed normally, the state returns to unauthorized; when access to the target port of the connection receiving host fails, the state switches to unavailable; when the number of failed accesses to the target port of the connection receiving host exceeds the preset threshold, the state switches to alarm, in which the connection opening host keeps sending alarm information to the controller, and the controller is also used for returning an alarm response to the connection opening host after alarm processing; and when the alarm response is received, the state returns to unauthorized.
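The connection state machine of the connection opening host described above, as an added Python example that is not code from the patent or its assignees. The states and the transitions between them follow the paragraph; the retry transition (re-sending an authorization detection packet from the unavailable state), the failure threshold used in the demonstration and the format of the alarm message are assumptions.

```python
from enum import Enum
from typing import List


class State(Enum):
    UNAUTHORIZED = "unauthorized"   # initial state
    AUTHORIZED = "authorized"       # authorization detection packet has been sent
    UNAVAILABLE = "unavailable"     # access to the target port failed
    ALARM = "alarm"                 # failed accesses exceeded the preset threshold


class OpeningHostStateMachine:
    """Connection state machine of the connection opening host (IH)."""

    def __init__(self, failure_threshold: int) -> None:
        self.state = State.UNAUTHORIZED
        self.failures = 0
        self.threshold = failure_threshold
        self.alarms_sent: List[str] = []   # alarm messages sent to the controller (constructed format)

    def _require(self, *allowed: State) -> None:
        if self.state not in allowed:
            raise ValueError(f"event not allowed in state {self.state.value}")

    def send_authorization_packet(self) -> State:
        # Sending the SPA authorization detection packet moves the host to authorized.
        # Re-sending it from the unavailable state (a retry) is an assumption.
        self._require(State.UNAUTHORIZED, State.UNAVAILABLE)
        self.state = State.AUTHORIZED
        return self.state

    def access_succeeded_window_closed(self) -> State:
        # Normal access and normal closure of the exposure window: back to unauthorized.
        self._require(State.AUTHORIZED)
        self.failures = 0
        self.state = State.UNAUTHORIZED
        return self.state

    def access_failed(self) -> State:
        # A failed access moves to unavailable; exceeding the threshold moves to alarm.
        self._require(State.AUTHORIZED)
        self.failures += 1
        self.state = State.ALARM if self.failures > self.threshold else State.UNAVAILABLE
        return self.state

    def tick(self) -> int:
        # While in the alarm state the host keeps sending alarm information to the controller.
        if self.state is State.ALARM:
            self.alarms_sent.append(f"ALARM failures={self.failures}")
        return len(self.alarms_sent)

    def alarm_response(self) -> State:
        # The controller's alarm response, sent after alarm processing, returns the host to unauthorized.
        self._require(State.ALARM)
        self.failures = 0
        self.state = State.UNAUTHORIZED
        return self.state
```

Events that the paragraph does not define for a given state (for example an access result while unauthorized) raise instead of being silently accepted, which keeps the machine from drifting into an undefined state.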
In another aspect, to achieve the above object, the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and running on the processor, and when the processor executes the computer program, the steps of the method are implemented.
In another aspect, to achieve the above object, the present invention further provides a computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the above method.
The access control method, the device, the system, the computer equipment and the storage medium provided by the invention have the advantages that after the connection receiving host opens the service exposure time window, the data packet sent and received by the connection receiving host is captured, the captured data packet is analyzed, whether the access connection of the target port is completed or not is judged through the analysis content, and when the access connection of the target port is completed, the service exposure time window is closed.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a flowchart of an access control method according to an embodiment of the present invention;
fig. 2 is a flowchart of an access control method according to a second embodiment of the present invention;
fig. 3 is a block diagram of an access control apparatus according to a third embodiment of the present invention;
fig. 4 is a block diagram of an access control system according to a fourth embodiment of the present invention;
fig. 5 is a block diagram of an access control system according to a fifth embodiment of the present invention;
fig. 6 is a schematic diagram illustrating state transition of a connection state machine of a connection startup host in an access control system according to an embodiment of the present invention;
fig. 7 is a schematic diagram of a workflow of a connection accepting host in the access control system according to an embodiment of the present invention; and
fig. 8 is a hardware configuration diagram of a computer device according to a sixth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
In order to further reduce the risk that an SDP connection receiving host is subjected to piggy-back attack in an SDP security framework, the invention provides an access control method, a device, a system, computer equipment and a storage medium.
The following detailed description of the embodiments of the access control method, apparatus, system, computer device, and computer-readable storage medium provided by the present invention will be provided.
Example one
This embodiment of the invention provides an access control method whose executing entity is the connection receiving host. Through interaction between the connection receiving host, the connection opening host and the controller, the service exposure time window can be closed promptly without affecting the normal access of the connection opening host to the connection receiving host, so that the time during which the service exposure time window is open to no purpose is reduced, the time available to an attacker for scanning and probing is reduced, and the risk of piggyback attack is reduced. Specifically, fig. 1 is a flowchart of an access control method according to an embodiment of the present invention; as shown in fig. 1, the access control method according to this embodiment includes steps S101 to S104 as follows.
Step S101: after the authorization detection packet passes authorization, open a service exposure time window.
The access control system comprises a connection receiving host, a connection opening host and a controller. Optionally, after the access control system goes online, authentication and registration of the connection opening host is completed first: the connection opening host sends authentication information to the server; after receiving it, the controller authenticates the connection opening host, informs the connection receiving host of the authentication result, and returns to the connection opening host a list containing the information of the connection receiving hosts, completing the registration of the connection opening host in the access control system.
The hidden service on the connection receiving host is invisible to the outside. When the connection opening host needs to access the hidden service, it sends an SPA authorization detection packet to the connection receiving host; the connection receiving host sends an authentication request to the controller after receiving the packet, and the controller feeds the authentication result back to the connection receiving host after the authentication passes. That is, after the authorization detection packet passes authorization, the connection receiving host opens a service exposure time window, namely it creates in the network firewall an access rule corresponding to the connection opening host, which allows the connection opening host to access the port corresponding to the hidden service.
In a state where the service exposure time window is open, the connection-open host that sends the authorization probe packet may access a target port of the connection-accepting host.
Step S102: capture the data packets sent and received by the connection receiving host.
After the service exposure time window is opened, the connection receiving host captures the data packets it sends and receives; optionally, the packets are captured with libpcap (the packet capture library for Unix/Linux platforms).
Step S103: analyze the data packets to judge whether the target port has completed the access connection.
In step S103, the captured data packets are analyzed to determine whether the target port has completed the access connection.
Optionally, a determination rule for judging whether the target port has completed the access connection is preset. Different determination rules may require different packet contents, so in this step the data packets are analyzed to obtain the contents corresponding to the preset determination rule, and the determination rule is then applied to the analyzed contents. The determination rule may be set according to the specific form of the service on the target port, which the present application does not limit, as long as the rule makes it possible to determine from the data packets whether the target port has completed the access connection.
For example, when the target port completes accessing the connection, response information including a specific identifier is fed back to the connection opening host, and at this time, when the captured data packet includes the response information, it may indicate that the target port completes accessing the connection.
For another example, based on a specific communication protocol, the communication protocol defines a port request data format and an access connection data format corresponding to a target port completing an access connection, and at this time, when a data packet including the content of the port request data format and a data packet including the data of the access connection data format are captured, it may indicate that the target port completes the access connection.
For another example, when the target port completes accessing the connection, the connection-opening host may send notification information including the specific identifier to the connection-accepting host, and at this time, when the captured packet includes the notification information, it may indicate that the target port completes accessing the connection.
When the target port has completed the access connection, the following step S104 is executed, and when the target port has not completed the access connection, the data packet is continuously captured for judgment.
Step S104: when the target port has completed accessing the connection, the service exposure time window is closed.
When it is determined that the target port has completed access connection in step S103, the service exposure time window is directly closed in step S104, and after the service exposure time window is closed, the target port cannot be accessed, and the service corresponding to the target port is hidden.
Optionally, after the service exposure time window is opened, the opening time of the service exposure time window is recorded at the same time, and when the opening time reaches the maximum duration of the service exposure time window, the service exposure time window is closed.
In the access control method provided in this embodiment, after the connection receiving host opens the service exposure time window, it captures the data packets it sends and receives, analyzes the captured data packets, determines from the analyzed contents whether the target port has completed the access connection, and closes the service exposure time window when it has. It can thus be seen that with the access control method of this embodiment the service exposure time window is closed as soon as the target port has completed the access connection, so the service exposure time is shortened as needed.
Example two
A second embodiment of the present invention provides a preferred access control method for controlling access from a connection opening host to a hidden service on a connection receiving host; some technical features are the same as in the first embodiment, to which reference may be made for their description and corresponding technical effects. Further, in the second embodiment, the number of connections between the connection opening host and the connection receiving host is tracked, and whether the target port has completed the access connection is determined by whether the number of connections has reached the maximum connection number, so that the service exposure time window can be closed at the appropriate moment and the accuracy of access control is improved. Specifically, fig. 2 is a flowchart of an access control method according to the second embodiment of the present invention; as shown in fig. 2, the access control method according to the second embodiment includes steps S201 to S206 as follows.
Step S201: after the authorization detection packet passes authorization, open a service exposure time window.
In the state in which the service exposure time window is open, the connection opening host that sent the authorization detection packet can access the target port of the connection accepting host.
Step S202: capture the data packets sent and received by the connection receiving host.
Step S203: determine the authorization information corresponding to the authorization detection packet.
The authorization information includes a target port, a connection protocol, and a maximum connection number.
Step S204: and filtering the data packet received and sent by the connection receiving host according to the authorization information to obtain a target data packet.
Optionally, in step S203, data copy is collected from the network device driver of the connection accepting host through the network tap, and the capturing of the data packet is completed; in step S204, it is determined whether the data packet is received through a filter. That is, when a packet arrives at the network interface of the connection recipient host, first, the network tap obtains a copy of the packet from the link layer driver using the Socket that has been created, and then sends the packet to the filter. The filter matches the data packets one by one according to the filtering rules defined by the user, if the matching is successful, the data packets are put into a kernel buffer area for processing, and if the matching is failed, the data packets are directly discarded. The filtering rule is determined according to the authorization information, so that a data packet of data interaction between the connection protocol in the authorization information and the target port is a data packet matched with the filtering rule.
By filtering the data packets according to the authorization information, the data packets obtained after filtering can be processed in the subsequent steps as much as possible, and the data processing amount in the subsequent steps can be reduced.
Step S205: and analyzing the target data packet to judge whether the number of times of successfully accessing the target port through the connection protocol reaches the maximum connection number.
When the connection opening host sends the authorization detection packet to the connection receiving host, the connection opening host can determine a connection protocol and the maximum connection times which need to be connected with the target port according to the self requirements, and sends the connection protocol and the maximum connection times to the connection receiving host, wherein the connection receiving host counts the times of successfully accessing the target port through the connection protocol, and when the times reach the maximum connection times, the connection opening host indicates that the access of the connection opening host to the target port meets the self requirements, namely the target port completes access connection.
Specifically, when counting the number of times of successfully accessing the target port through the connection protocol, different methods may be used for counting based on the specific characteristics of the connection protocol. Optionally, the step of analyzing the target packet to determine whether the number of times of successfully accessing the target port through the connection protocol reaches the maximum connection number includes: analyzing the target data packet, and counting the times of a handshake flow established with a target port; and judging whether the times of the handshake process reach the maximum connection times. The connection protocol may be a TCP protocol, and for the TCP protocol, when the connection-opening host successfully accesses the target port, a TCP handshake process with the target port needs to be completed each time, so that the number of times of successfully accessing the target port by the connection-opening host can be counted by counting the number of times of the TCP handshake process established by the connection-opening host and the target port, and the number of times of successfully accessing the target port by the connection-opening host reaches the maximum connection number when the number of times of the TCP handshake process established by the connection-opening host and the target port reaches the maximum connection number, that is, the number of times of successfully accessing the target port by the connection-opening host reaches the maximum connection number.
Further, in one TCP handshake, two parties are required to perform an interaction period through the SYN packet, the SYN _ ACK packet, and when analyzing the target data packet and counting the number of times of the TCP handshake flow established by connecting the start host and the target port, the number of times of the interaction period is counted. When the analyzed target data packet is a SYN packet, the connection opening host opens a handshake to the target port; when the analyzed target data packet is a SYN + ACK packet, the target port returns a handshake response to the connection opening host; and when the analyzed target data packet is an ACK packet, the connection opening host sends response receiving feedback to the target port.
Step S206: closing the service exposure time window when the number of times of successfully accessing the target port through the connection protocol reaches the maximum connection number.
In the access control method provided by this embodiment, the captured data packets are filtered according to the authorization information, so that only the filtered data packets need to be analyzed; this does not affect the judgment of whether the target port has completed the access connection, but reduces the amount of data processed during analysis and improves the response speed of access control. Further, the connection opening host sends the connection protocol and the maximum connection number to the connection accepting host, and when the number of successful accesses to the target port through the connection protocol reaches the maximum connection number, the target port is judged to have completed the access connection and the service exposure time window is closed; the window is thus closed at the right moment, and the accuracy of access control is improved. Further, when the connection protocol is TCP, the number of successful accesses to the target port is obtained by counting the TCP handshake flows established with the target port, a counting method that is simple, reliable and accurate, further improving the accuracy of access control.
EXAMPLE three
Corresponding to the first embodiment, the third embodiment of the present invention provides an access control device disposed in the connection accepting host; for the corresponding technical features and technical effects reference may be made to the above, which are not repeated here. Fig. 3 is a block diagram of an access control device according to the third embodiment of the present invention; as shown in fig. 3, the device includes an opening module 301, a capturing module 302, an analysis and judgment module 303 and a closing module 304.
The opening module 301 is configured to open a service exposure time window after the authorization probe packet passes authorization; while the service exposure time window is open, the connection opening host that sent the authorization probe packet may access a target port of the connection accepting host. The capturing module 302 is configured to capture the data packets received and sent by the connection accepting host. The analysis and judgment module 303 is configured to analyze the data packets to judge whether the target port has completed the access connection. The closing module 304 is configured to close the service exposure time window when the target port has completed the access connection.
Optionally, in an embodiment, the access control device further includes a determining module and a filtering module. The determining module is configured to determine, before the data packets are analyzed to judge whether the target port has completed the access connection, the authorization information corresponding to the authorization probe packet, where the authorization information includes the target port and a connection protocol. The filtering module is configured to filter the data packets received and sent by the connection accepting host according to the authorization information to obtain the target data packets; when the analysis and judgment module 303 analyzes the data packets to judge whether the target port has completed the access connection, the step it specifically performs is analyzing the target data packets to judge whether the target port has completed the access connection.
Optionally, in an embodiment, the authorization information further includes a maximum connection number, and when the analysis and judgment module 303 analyzes the target data packets to judge whether the target port has completed the access connection, the steps it specifically performs include: analyzing the target data packets to judge whether the number of times of successfully accessing the target port through the connection protocol reaches the maximum connection number; and, when the number reaches the maximum connection number, determining that the target port has completed the access connection.
Optionally, in an embodiment, the connection protocol is the TCP protocol, and when the analysis and judgment module 303 analyzes the target data packets to judge whether the number of times of successfully accessing the target port through the connection protocol reaches the maximum connection number, the steps it specifically performs include: analyzing the target data packets and counting the number of TCP handshake flows established with the target port; and judging whether the number of TCP handshake flows reaches the maximum connection number.
EXAMPLE four
An access control system according to a fourth embodiment of the present invention is provided. Fig. 4 is a block diagram of the access control system according to the fourth embodiment; as shown in fig. 4, the access control system includes a connection opening host 401, a connection accepting host 402 and a controller 403. For the related technical features and technical effects of the connection accepting host 402 reference may be made to the above, which are not repeated here.
The connection opening host 401 is configured to send an authorization probe packet. The controller 403 is configured to verify the authorization probe packet and send the verification result to the connection accepting host 402. The connection accepting host 402 is configured to open a service exposure time window when the verification result is that verification passed. The connection opening host 401 is further configured to access a target port of the connection accepting host 402 while the service exposure time window is open. The connection accepting host 402 is further configured to capture the data packets it receives and sends after the service exposure time window is opened, analyze the data packets to judge whether the target port has completed the access connection, and close the service exposure time window when the target port has completed the access connection.
Optionally, in an embodiment, before analyzing the data packets to judge whether the target port has completed the access connection, the connection accepting host 402 is further configured to determine the authorization information corresponding to the authorization probe packet, where the authorization information includes the target port and a connection protocol, and to filter the data packets it receives and sends according to the authorization information to obtain the target data packets; when the connection accepting host 402 analyzes the data packets to judge whether the target port has completed the access connection, the step it specifically performs is analyzing the target data packets to judge whether the target port has completed the access connection.
Optionally, in an embodiment, the authorization information further includes a maximum connection number, and when the connection accepting host 402 analyzes the target data packets to judge whether the target port has completed the access connection, the steps it specifically performs include: analyzing the target data packets to judge whether the number of times of successfully accessing the target port through the connection protocol reaches the maximum connection number; and, when the number reaches the maximum connection number, determining that the target port has completed the access connection.
Optionally, in an embodiment, when the connection accepting host 402 analyzes the target data packets to judge whether the number of times of successfully accessing the target port through the connection protocol reaches the maximum connection number, the steps it specifically performs include: analyzing the target data packets and counting the number of handshake flows established with the target port; and judging whether the number of handshake flows reaches the maximum connection number.
Optionally, in an embodiment, the connection opening host 401 is further configured to send alarm information to the controller 403 when the number of failures in accessing the target port of the connection accepting host 402 exceeds a predetermined threshold; the controller 403 is further configured to perform alarm processing upon receiving the alarm information and to return an alarm response to the connection opening host 401 after the alarm processing.
As described above, the connection accepting host 402 closes the service exposure time window once the target port has been successfully accessed the maximum connection number of times. In the normal case all of those successful accesses are made by the connection opening host 401. However, if an attacker manages to establish a connection within the service exposure time window, the attacker's connection consumes part of the maximum connection number; the connection opening host 401 then has not reached the maximum connection number when the window closes, and may fail to establish a normal, legitimate connection to the target port. To detect such situations, this embodiment counts the failures of the connection opening host 401 in accessing the target port. If the number of failures exceeds a predetermined threshold, i.e. the connection opening host 401 cannot establish a normal, legitimate connection to the target port, it sends alarm information to the controller 403, which performs alarm processing, for example management and alerting, according to a pre-configured policy.
Optionally, in an embodiment, the connection opening host includes a connection state machine, wherein: the initial state of the connection state machine is unauthorized; after the authorization probe packet is sent, the state switches to authorized; when access to the target port of the connection accepting host is normal and the service exposure time window closes normally, the state returns to unauthorized; when access to the target port of the connection accepting host fails, the state switches to unavailable; when the number of failures in accessing the target port of the connection accepting host exceeds the predetermined threshold, the state switches to alarm, in which the connection opening host continuously sends alarm information to the controller, and the controller returns an alarm response to the connection opening host after alarm processing; and when the alarm response is received, the state returns to unauthorized.
With the access control system provided by this embodiment, the connection opening host can send the alarm information to the controller repeatedly, so the alarm cannot go unprocessed, and since the controller returns an alarm response to the connection opening host after alarm processing, the connection opening host can stop sending alarm information in time.
EXAMPLE five
An access control system according to a fifth embodiment of the present invention is provided. Fig. 5 is a block diagram of the access control system according to the fifth embodiment, fig. 6 is a schematic diagram of the state transitions of the connection state machine of the connection opening host in that system, and fig. 7 is a schematic diagram of the workflow of the connection accepting host in that system. As shown in figs. 5 to 7, the access control system includes a connection opening host, a connection accepting host and a controller, wherein the controller includes an alarm processing device, the connection accepting host includes a connection tracking device (i.e. the access control device described above), and the connection opening host includes a service alarm device.
The alarm processing device processes the service-unavailable information sent by the service alarm device and alerts the administrator according to the information it carries. The service alarm device maintains a state machine whose initial state is unauthorized. After a legitimate SPA (single packet authorization) packet is sent (the SPA packet carries the accessed port number, the validity period of the service exposure time window, the maximum number of connections to establish, and so on), the state switches to authorized. If the service can be accessed normally, the state switches back to unauthorized once the timeout is reached; if the service cannot be accessed normally, the state switches to unavailable. When the number of failed accesses reaches the set threshold (it cannot be excluded that an attacker established a connection within the service exposure time window and thereby consumed the authorized connection count, causing the legitimate connection opening host's connection to fail), the state switches to alarm and alarm information is sent to the controller; after the controller responds, the state switches back to unauthorized.
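The connection state machine of the service alarm device, as described in the fourth and fifth embodiments above, written out as an added example. This is illustrative code, not the patent's or the applicant's implementation; it assumes Python, a failure threshold supplied by the caller, and a `sent` list standing in for the real transport to the controller (the alarm message fields are assumptions as well).

```python
from enum import Enum


class State(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"
    UNAVAILABLE = "unavailable"
    ALARM = "alarm"


class ServiceAlarmDevice:
    """Connection state machine of the connection opening host.

    Transitions follow the fourth and fifth embodiments. `sent` records every
    message handed to the controller instead of transmitting it (assumption).
    """

    def __init__(self, failure_threshold):
        self.state = State.UNAUTHORIZED
        self.threshold = failure_threshold
        self.failures = 0
        self.sent = []
        self.authorization = None

    def send_spa(self, target_port, window_seconds, max_connections):
        """Send the legitimate SPA packet: unauthorized -> authorized."""
        self.authorization = {"port": target_port, "window": window_seconds,
                              "max_connections": max_connections}
        self.failures = 0
        self.state = State.AUTHORIZED

    def access_result(self, success):
        """Outcome of one attempt to reach the target port during the window."""
        if self.state not in (State.AUTHORIZED, State.UNAVAILABLE) or success:
            return
        self.failures += 1
        self.state = State.UNAVAILABLE
        if self.failures > self.threshold:        # threshold exceeded: raise the alarm
            self.state = State.ALARM
            self._send_alarm()

    def window_closed(self):
        """Service was reachable and the exposure window closed normally."""
        if self.state == State.AUTHORIZED:
            self.state = State.UNAUTHORIZED

    def tick(self):
        """Periodic timer: while in ALARM, keep re-sending until the controller answers."""
        if self.state == State.ALARM:
            self._send_alarm()

    def alarm_response(self):
        """Controller acknowledged the alarm after processing it: alarm -> unauthorized."""
        if self.state == State.ALARM:
            self.state = State.UNAUTHORIZED
            self.failures = 0

    def _send_alarm(self):
        self.sent.append({"type": "service_unavailable",
                          "port": self.authorization["port"],
                          "failures": self.failures})


def run_scenario(threshold=2):
    """Constructed run: SPA sent, three consecutive access failures (an attacker may
    have consumed the connection budget), two timer ticks, then the controller's
    response. Returns (visited state names, number of alarms sent)."""
    dev = ServiceAlarmDevice(threshold)
    trace = [dev.state]
    dev.send_spa(target_port=8443, window_seconds=30, max_connections=2)
    trace.append(dev.state)
    for _ in range(3):
        dev.access_result(False)
        trace.append(dev.state)
    dev.tick()
    dev.tick()
    dev.alarm_response()
    trace.append(dev.state)
    return [s.value for s in trace], len(dev.sent)
```

With a threshold of 2 the third failure moves the machine to alarm; the alarm is sent once on entry and once per tick until the controller's response returns the machine to unauthorized, which is the behaviour the embodiment relies on so that an alarm cannot go unprocessed.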
The connection tracking device creates a connection tracking object (with the connection establishment count initialized to 0) from the information obtained when a connection opening host passes single packet authorization (source IP address, accessed port, the TCP protocol used, and the maximum number of connections to establish). It captures packets with libpcap and sorts the captured packets; each time a complete TCP handshake flow is traced, the connection count is incremented by 1. When the connection establishment count reaches the number authorized earlier, the service exposure time window is closed immediately (the iptables rule created when access was allowed is deleted); if the count has not reached the authorized maximum when the effective exposure window expires, the iptables rule is deleted at expiry.
With the connection tracking device implemented in the connection accepting host, i.e. the connection tracking method that uses libpcap on the connection accepting host, the service exposure time window is closed as soon as the connection count is detected to have reached the maximum connection number, so the service is hidden in time and an attacker is left no unnecessary time for scanning and probing. At the same time, with the service alarm device implemented in the connection opening host, i.e. the connection alarm method implemented there, the controller is notified when the number of consecutive service access failures after authorization reaches the set threshold, that is, as soon as a service access failure is detected; the controller can then check service availability in time and alert the administrator according to a preset policy, and the administrator can analyze and investigate the problem from the alarm information received. This embodiment shortens the service exposure time to what is actually needed and thereby makes piggyback attacks harder.
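An added example, not code from the patent, of the connection tracking device just described; it also covers the packet filtering step and the TCP handshake counting of the second embodiment above. Instead of libpcap it consumes constructed IPv4/TCP packets built with `struct`, parses the headers itself, counts only complete SYN, SYN+ACK, ACK cycles between the authorized source and the target port, and returns the iptables delete command (built as an argument list, never executed) when the maximum connection number is reached or the window expires. The `Authorization` field set, the `expires_at` timestamp, the `iptables -I/-D INPUT ... -j ACCEPT` rule shape and all addresses and ports are assumptions.

```python
import struct
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10                      # TCP flag bits used for handshake tracking


@dataclass(frozen=True)
class Authorization:
    """Authorization information taken from the SPA packet (field set assumed)."""
    src_ip: str             # connection opening host
    target_port: int        # accessed port on the connection accepting host
    max_connections: int    # authorized number of connections to establish
    expires_at: float       # end of the service exposure time window (epoch seconds)


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags):
    """Constructed minimal IPv4+TCP packet (no options, no payload, zero checksums),
    standing in for what libpcap delivers after the link-layer header."""
    ip2b = lambda s: bytes(int(x) for x in s.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ip2b(src_ip), ip2b(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt):
    """Return (src_ip, dst_ip, sport, dport, flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:          # IP protocol 6 = TCP
        return None
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, sport, dport, pkt[ihl + 13]    # flags byte follows the data offset byte


def iptables_args(auth, action):
    """Argument vector that opens (-I) or closes (-D) the exposure window for one
    authorization (rule shape assumed). Built here, deliberately never executed."""
    op = {"open": "-I", "close": "-D"}[action]
    return ["iptables", op, "INPUT", "-p", "tcp", "-s", auth.src_ip,
            "--dport", str(auth.target_port), "-j", "ACCEPT"]


class ConnectionTracker:
    """One tracking object per SPA authorization, connection count starting at 0."""

    def __init__(self, auth, host_ip):
        self.auth, self.host_ip = auth, host_ip
        self.completed = 0                # complete three-way handshakes seen
        self.pending = {}                 # (client_ip, client_port) -> "syn" | "synack"
        self.window_open = True
        self.close_reason = None

    def _authorized(self, p):
        """Filtering step: keep only traffic between the authorized source and the target port."""
        src, dst, sport, dport, _ = p
        return ((src == self.auth.src_ip and dst == self.host_ip and dport == self.auth.target_port)
                or (src == self.host_ip and dst == self.auth.src_ip and sport == self.auth.target_port))

    def _close(self, reason):
        self.window_open, self.close_reason = False, reason
        return iptables_args(self.auth, "close")

    def observe(self, pkt, now):
        """Feed one captured packet. Returns the iptables close command when the window
        must be closed (maximum reached, or window expired), otherwise None."""
        if not self.window_open:
            return None
        if now >= self.auth.expires_at:
            return self._close("expired")
        p = parse_ipv4_tcp(pkt)
        if p is None or not self._authorized(p):
            return None                   # non-TCP, unrelated or unauthorized traffic: never counted
        src, dst, sport, dport, flags = p
        syn, ack = bool(flags & SYN), bool(flags & ACK)
        if src == self.auth.src_ip:                          # client -> target port
            key = (src, sport)
            if syn and not ack:
                self.pending[key] = "syn"                    # handshake opened
            elif ack and not syn and self.pending.get(key) == "synack":
                del self.pending[key]                        # third packet: handshake complete
                self.completed += 1
                if self.completed >= self.auth.max_connections:
                    return self._close("max_connections")
        elif syn and ack and self.pending.get((dst, dport)) == "syn":   # target port -> client
            self.pending[(dst, dport)] = "synack"            # handshake response seen
        return None


def simulate():
    """Constructed capture against max_connections=2: an attacker SYN (filtered out), a
    half-open client SYN (never counted) and two full client handshakes.
    Returns (completed handshakes, close reason, iptables close command)."""
    auth = Authorization("10.0.0.5", 8443, max_connections=2, expires_at=100.0)
    t = ConnectionTracker(auth, host_ip="10.0.0.20")
    c, s = "10.0.0.5", "10.0.0.20"
    capture = [
        build_ipv4_tcp("10.0.0.99", s, 4000, 8443, SYN),    # attacker: not the authorized source
        build_ipv4_tcp(c, s, 50000, 8443, SYN),             # half-open, never completes
        build_ipv4_tcp(c, s, 50001, 8443, SYN),
        build_ipv4_tcp(s, c, 8443, 50001, SYN | ACK),
        build_ipv4_tcp(c, s, 50001, 8443, ACK),             # handshake 1 complete
        build_ipv4_tcp(c, s, 50002, 8443, SYN),
        build_ipv4_tcp(s, c, 8443, 50002, SYN | ACK),
        build_ipv4_tcp(c, s, 50002, 8443, ACK),             # handshake 2 complete -> close window
    ]
    cmd = None
    for i, pkt in enumerate(capture):
        cmd = t.observe(pkt, now=float(i)) or cmd
    return t.completed, t.close_reason, cmd
```

The point worth noticing is that the attacker's SYN is dropped by the filtering step before it can influence the count, and the half-open SYN on port 50000 never completes, so only the two full cycles count; the window closes on the second ACK rather than waiting for expiry. In a real deployment the returned argument vector would be passed to `subprocess.run` with the same rule that was inserted when access was granted.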
EXAMPLE six
The sixth embodiment further provides a computer device, such as a smart phone, a tablet computer, a notebook computer, a desktop computer, a rack server, a blade server or a tower server (any of which may be an independent server or a server cluster composed of multiple servers) capable of executing programs. As shown in fig. 8, the computer device 01 of this embodiment includes at least, but is not limited to, a memory 011 and a processor 012 communicatively connected to each other via a system bus. Note that fig. 8 shows only the computer device 01 with the components memory 011 and processor 012, but it is to be understood that not all of the shown components are required, and that more or fewer components may be implemented instead.
In this embodiment, the memory 011 (i.e. a readable storage medium) includes a flash memory, a hard disk, a multimedia card, a card-type memory (e.g. SD or DX memory), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, and the like. In some embodiments, the memory 011 may be an internal storage unit of the computer device 01, such as a hard disk or memory of the computer device 01. In other embodiments, the memory 011 may also be an external storage device of the computer device 01, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash memory card provided on the computer device 01. Of course, the memory 011 may also include both internal and external storage units of the computer device 01. In this embodiment, the memory 011 is generally used for storing the operating system installed in the computer device 01 and various application software, for example the program code of the access control device of the third embodiment. Further, the memory 011 may also be used to temporarily store various kinds of data that have been output or are to be output.
The processor 012 may be a Central Processing Unit (CPU), a controller, a microcontroller, a microprocessor, or other data Processing chip in some embodiments. The processor 012 is generally used to control the overall operation of the computer device 01. In the present embodiment, the processor 012 is configured to execute a program code stored in the memory 011 or process data, for example, an access control method or the like.
EXAMPLE seven
The present embodiment also provides a computer-readable storage medium, such as a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, a server, an App application store, etc., on which a computer program is stored, which when executed by a processor implements corresponding functions. The computer-readable storage medium of this embodiment is used for storing an access control device, and when executed by a processor, implements the access control method of the first embodiment.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or system comprising the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the description of the foregoing embodiments, it is clear to those skilled in the art that the method of the foregoing embodiments may be implemented by software plus a necessary general hardware platform, and certainly may also be implemented by hardware, but in many cases, the former is a better implementation.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (8)

1. An access control method applied to a connection accepting host, comprising:
after the authorization of the authorization detection packet passes, opening a service exposure time window, wherein in the state that the service exposure time window is opened, a connection opening host sending the authorization detection packet can access a target port of the connection receiving host;
capturing the data packet received and transmitted by the connection receiving host;
determining authorization information corresponding to the authorization detection packet, wherein the authorization information comprises the target port, a connection protocol and a maximum connection number, and wherein, when the connection opening host sends the authorization detection packet to the connection accepting host, the connection opening host determines, according to its own requirements, the connection protocol and the maximum connection number with which it needs to connect to the target port, and sends the connection protocol and the maximum connection number to the connection accepting host;
filtering the data packet received and sent by the connection receiving host according to the authorization information to obtain a target data packet;
analyzing the target data packet to judge whether the number of times of successfully accessing the target port through the connection protocol reaches the maximum connection number, wherein when the number reaches the maximum connection number the target port has completed the access connection; and closing the service exposure time window when the target port has completed the access connection, and continuing to capture data packets for judgment when the target port has not completed the access connection.
2. The access control method of claim 1, wherein parsing the target packet to determine whether the number of successful accesses to the target port via the connection protocol reaches the maximum connection number comprises:
analyzing the target data packet, and counting the times of a handshake flow established with the target port; and
and judging whether the times of the handshake process reach the maximum connection times or not.
3. An access control device provided in a connection-accepting host, comprising:
an opening module for opening a service exposure time window after an authorization detection packet passes authorization, wherein, while the service exposure time window is open, the connection opening host that sent the authorization detection packet can access a target port of the connection accepting host;
the grabbing module is used for grabbing the data packet which is received and sent by the connection receiving host;
a determining module for determining authorization information corresponding to the authorization detection packet, wherein the authorization information comprises the target port, a connection protocol and a maximum connection number, and wherein, when the connection opening host sends the authorization detection packet to the connection accepting host, the connection opening host determines, according to its own requirements, the connection protocol and the maximum connection number with which it needs to connect to the target port, and sends the connection protocol and the maximum connection number to the connection accepting host;
the filtering module is used for filtering the data packet received and sent by the connection receiving host according to the authorization information to obtain a target data packet;
the analysis judging module is used for analyzing the target data packet to judge whether the number of times of successfully accessing the target port through the connection protocol reaches the maximum connection number, wherein when the number of times reaches the maximum connection number, the target port finishes access connection;
a closing module for closing the service exposure time window when the target port has completed the access connection, wherein, when the target port has not completed the access connection, data packets continue to be captured for judgment.
4. An access control system, comprising: connect and open host computer, connect and accept host computer and controller, wherein:
the connection opening host is used for sending an authorization detection packet, wherein, when the connection opening host sends the authorization detection packet to the connection accepting host, the connection opening host determines, according to its own requirements, the connection protocol and the maximum connection number with which it needs to connect to a target port, and sends the connection protocol and the maximum connection number to the connection accepting host;
the controller is used for verifying the authorization detection packet and sending a verification result to the connection receiving host;
the connection receiving host is used for opening a service exposure time window when the verification result is that the verification is passed;
the connection opening host is also used for accessing a target port of the connection receiving host in a state that the service exposure time window is opened;
the connection receiving host is further configured to capture a data packet received and sent by the connection receiving host after the service exposure time window is opened, determine authorization information corresponding to the authorization detection packet, wherein the authorization information includes the target port, the connection protocol and the maximum connection times, filter the data packet received and sent by the connection receiving host according to the authorization information to obtain a target data packet, analyze the target data packet to determine whether the number of times of successfully accessing the target port through the connection protocol reaches the maximum connection times, wherein when the number of times reaches the maximum connection times, the target port completes access connection, when the target port completes access connection, the service exposure time window is closed, and when the target port does not complete access connection, the data packet is continuously captured for determination.
5. The access control system of claim 4,
the connection opening host is also used for sending alarm information to the controller when the failure times of accessing the target port of the connection receiving host is greater than a preset threshold value;
the controller is also used for carrying out alarm processing when the alarm information is received.
6. The access control system of claim 5, wherein the connection-opening host comprises a connection state machine, wherein:
the initial state of the connection state machine is unauthorized;
after the authorization detection packet is sent, switching the state to authorized;
when the target port of the access connection receiving host is normal and the service exposure time window is normally closed, returning to the unauthorized state;
when the target port of the connection receiving host fails to be accessed, the switching state is unavailable;
when the number of failures in accessing the target port of the connection receiving host is greater than the predetermined threshold, the state switches to an alarm state, wherein the connection opening host is used for continuously sending the alarm information to the controller while the connection state machine is in the alarm state, and the controller is also used for returning an alarm response to the connection opening host after alarm processing;
and when the alarm response is received, returning to the unauthorized state.
7. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the method of claim 1 or claim 2.
8. A computer-readable storage medium having a computer program stored thereon, characterized in that the computer program, when executed by a processor, implements the steps of the method of claim 1 or claim 2.
CN201911415849.4A 2019-12-31 2019-12-31 Access control method, device, system, computer device and storage medium Active CN111131310B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911415849.4A CN111131310B (en) 2019-12-31 2019-12-31 Access control method, device, system, computer device and storage medium

Publications (2)

Publication Number Publication Date
CN111131310A CN111131310A (en) 2020-05-08
CN111131310B true CN111131310B (en) 2022-10-18

Family

ID=70506757

Country Status (1)

Country Link
CN (1) CN111131310B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111565193B (en) * 2020-05-12 2020-12-25 广州锦行网络科技有限公司 Safety hidden access control method
CN111600906B (en) * 2020-06-08 2022-04-15 奇安信科技集团股份有限公司 Data processing method, device, system, medium, and program
CN113810347B (en) * 2020-06-16 2023-07-18 中国电信股份有限公司 Service mode switching method and system under SDP architecture
CN111917714B (en) * 2020-06-18 2022-11-11 云南电网有限责任公司信息中心 Zero trust architecture system and use method thereof
CN112822158B (en) * 2020-12-25 2022-11-11 奇安信科技集团股份有限公司 Network access method and device, electronic equipment and storage medium
CN114745145B (en) * 2021-01-07 2023-04-18 腾讯科技(深圳)有限公司 Business data access method, device and equipment and computer storage medium
CN113676487B (en) * 2021-08-31 2022-09-02 中国电信股份有限公司 Port connection control method, management method, device and storage medium
CN113992354A (en) * 2021-09-28 2022-01-28 新华三信息安全技术有限公司 Identity authentication method, device, equipment and machine readable storage medium
CN116346375A (en) * 2021-12-22 2023-06-27 中兴通讯股份有限公司 Access control method, access control system, terminal and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8228861B1 (en) * 2008-09-12 2012-07-24 Nix John A Efficient handover of media communications in heterogeneous IP networks using handover procedure rules and media handover relays
WO2013185696A2 (en) * 2013-02-06 2013-12-19 中兴通讯股份有限公司 Data processing method and device

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020091956A1 (en) * 2000-11-17 2002-07-11 Potter Scott T. Methods and systems for reducing power consumption in computer data communications
JP4352748B2 (en) * 2003-04-21 2009-10-28 パナソニック株式会社 Relay device
US7594268B1 (en) * 2003-09-19 2009-09-22 Symantec Corporation Preventing network discovery of a system services configuration
US9590981B2 (en) * 2012-04-06 2017-03-07 Wayne Odom System, method, and device for delivering communications and storing and delivering data
CN104734903B (en) * 2013-12-23 2018-02-06 中国科学院沈阳自动化研究所 Security protection method for the OPC protocol based on dynamic tracking technology
CN105530310B (en) * 2015-12-22 2019-03-08 浙江宇视科技有限公司 Device connection method and apparatus suitable for public-network VPN traffic forwarding
CN108111376B (en) * 2017-12-14 2020-10-23 成都网丁科技有限公司 Method for a gateway with a passive IP address to access the Internet in bridge mode
CN110049046A (en) * 2019-04-19 2019-07-23 北京奇安信科技有限公司 Access control method, terminal, server and system
CN110351298A (en) * 2019-07-24 2019-10-18 中国移动通信集团黑龙江有限公司 Access control method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN111131310A (en) 2020-05-08

Similar Documents

Publication Publication Date Title
CN111131310B (en) Access control method, device, system, computer device and storage medium
US10454953B1 (en) System and method for separated packet processing and static analysis
US10157280B2 (en) System and method for identifying security breach attempts of a website
CN101136922B (en) Service stream recognizing method, device and distributed refusal service attack defending method, system
CN114598540B (en) Access control system, method, device and storage medium
WO2019178966A1 (en) Network attack defense method and apparatus, and computer device and storage medium
US11595385B2 (en) Secure controlled access to protected resources
US20190190934A1 (en) Mitigating against malicious login attempts
CN109067937A (en) Terminal admittance control method, device, equipment, system and storage medium
US10375099B2 (en) Network device spoofing detection for information security
US10320804B2 (en) Switch port leasing for access control and information security
US10375076B2 (en) Network device location information validation for access control and information security
CN115378625B (en) Cross-network information security interaction method and system
CN116346375A (en) Access control method, access control system, terminal and storage medium
CN116319024A (en) Access control method and device of zero trust system and zero trust system
US10462141B2 (en) Network device information validation for access control and information security
CN111147625B (en) Method, device and storage medium for acquiring local external network IP address
JPH09266475A (en) Address information management equipment and network system
US10412097B1 (en) Method and system for providing distributed authentication
CN111064731B (en) Identification method and identification device for access authority of browser request and terminal
WO2021026937A1 (en) Method and apparatus for checking login behavior, and system, storage medium and electronic apparatus
CN117955739B (en) Interface security identification method and device, computing equipment and storage medium
CN116319103B (en) Network trusted access authentication method, device, system and storage medium
CN116094848B (en) Access control method, device, computer equipment and storage medium
CN116015876B (en) Access control method, device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
    Address after: Room 332, 3/F, Building 102, 28 Xinjiekouwei Street, Xicheng District, Beijing 100088
    Applicant after: QAX Technology Group Inc.
    Applicant after: Qianxin Wangshen Information Technology (Beijing) Co., Ltd.
    Address before: Room 332, 3/F, Building 102, 28 Xinjiekouwei Street, Xicheng District, Beijing 100088
    Applicant before: QAX Technology Group Inc.
    Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.
GR01 Patent grant