CN111314332A - Access control method, device, computer system and computer-readable storage medium - Google Patents


Info

Publication number
CN111314332A
Authority
CN
China
Prior art keywords
client
access
calculation
threshold
determining
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010081129.5A
Other languages
Chinese (zh)
Inventor
吕博良
刘婉娇
旷亚和
叶红
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202010081129.5A
Legal status: pending

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources > H04L63/105 Multiple levels of security
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic

Abstract

The present disclosure provides an access control method, including: monitoring an access request from a client, and determining whether the access frequency of the client exceeds a threshold value; determining the calculation difficulty corresponding to the client under the condition that the access frequency of the client exceeds a threshold value; sending a computing task matched with the computing difficulty to the client so that the client can execute the computing task; receiving a calculation result sent by a client, wherein the calculation result is obtained after the client executes a calculation task; and responding to the access request of the client under the condition that the calculation result is correct. The present disclosure also provides an access control apparatus, a computer system, and a computer-readable storage medium.

Description

Access control method, device, computer system and computer-readable storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to an access control method, an access control apparatus, a computer system, and a computer-readable storage medium.
Background
At present, common CC (Challenge Collapsar) attacks and other malicious network traffic, such as crawlers and abnormal accesses to Internet service interfaces, generally exhaust server resources by sending requests at high frequency. The service system then runs overloaded, the server may crash under high concurrency, and access by legitimate users is blocked.
The traditional protection method is generally to prevent malicious access by installing a firewall and introducing human-machine identification (such as verification codes). However, software firewalls increase system load, hardware firewalls increase hardware cost, and verification-code recognition is gradually losing its security value because coding platforms can recognize the codes automatically.
Disclosure of Invention
In view of the above, the present disclosure provides an access control method, an access control apparatus, a computer system, and a computer-readable storage medium.
One aspect of the present disclosure provides an access control method, including: monitoring an access request from a client, and determining whether the access frequency of the client exceeds a threshold value; determining a calculation difficulty corresponding to the client when the access frequency of the client exceeds the threshold; sending a calculation task matched with the calculation difficulty to the client so that the client can execute the calculation task; receiving a calculation result sent by the client, wherein the calculation result is obtained after the client executes the calculation task; and responding to the access request of the client under the condition that the calculation result is correct.
According to an embodiment of the present disclosure, the access request carries a current protection level identifier of the client, and determining the calculation difficulty corresponding to the client includes: determining the calculation difficulty corresponding to the client according to the client's current protection level identifier.
According to an embodiment of the present disclosure, the method further includes: in the process of performing access control on the client, generating a message in a preset data format so as to control the access request of the client based on that message, wherein the message in the preset data format includes the following fields: an identifier of the client, the current protection level identifier of the client, an identifier indicating whether the current access frequency of the client exceeds the threshold, an identifier indicating whether the proof-of-work verification of the client passed, an identifier indicating whether the client has resource request permission, and a Hashcash stamp.
According to an embodiment of the present disclosure, the method further includes: generating the Hashcash stamp and the identifier indicating whether the client has resource request permission according to a monitoring result obtained by monitoring the access request of the client and a verification result obtained by verifying the calculation result sent by the client.
According to an embodiment of the present disclosure, the Hashcash stamp has a preset stamp format, which includes the following fields: a hash version number indicating the hash algorithm used in the calculation, the number of leading zero bits, a timestamp, the resource requested by the client, a random factor used to distinguish stamps generated by different clients requesting the same resource on the same date, and an algorithm counter suffix.
According to an embodiment of the present disclosure, the threshold includes a plurality of levels of thresholds, and further includes: determining the level of the threshold value when the access frequency of the client exceeds the threshold value; and determining the current protection level identifier of the client according to the level of the threshold.
Another aspect of the present disclosure provides an access control apparatus including: the monitoring module is used for monitoring the access request from the client and determining whether the access frequency of the client exceeds a threshold value; a determining module, configured to determine a calculation difficulty corresponding to the client when the access frequency of the client exceeds the threshold; a sending module, configured to send a computation task matched with the computation difficulty to the client, so that the client executes the computation task; a receiving module, configured to receive a calculation result sent by the client, where the calculation result is obtained after the client executes the calculation task; and the response module is used for responding to the access request of the client under the condition that the calculation result is correct.
According to an embodiment of the present disclosure, the access request carries a current protection level identifier of the client, and the determining module is configured to determine the calculation difficulty corresponding to the client according to the client's current protection level identifier.
According to an embodiment of the present disclosure, the apparatus further includes: a generating module, configured to generate a message in a preset data format in the process of performing access control on the client, so as to control the access request of the client based on that message, where the message in the preset data format includes the following fields: an identifier of the client, the current protection level identifier of the client, an identifier indicating whether the current access frequency of the client exceeds the threshold, an identifier indicating whether the proof-of-work verification of the client passed, an identifier indicating whether the client has resource request permission, and a Hashcash stamp.
According to an embodiment of the present disclosure, the generating module is configured to generate the Hashcash stamp and the identifier indicating whether the client has resource request permission according to a monitoring result obtained by monitoring the access request of the client and a verification result obtained by verifying the calculation result sent by the client.
According to an embodiment of the present disclosure, the Hashcash stamp has a preset stamp format, which includes the following fields: a hash version number indicating the hash algorithm used in the calculation, the number of leading zero bits, a timestamp, the resource requested by the client, a random factor used to distinguish stamps generated by different clients requesting the same resource on the same date, and an algorithm counter suffix.
According to an embodiment of the present disclosure, the threshold includes a plurality of levels of thresholds, wherein the determining module is further configured to: determining the level of the threshold value when the access frequency of the client exceeds the threshold value; and determining the current protection level identifier of the client according to the level of the threshold.
Another aspect of the present disclosure provides a computer system comprising: one or more processors; a memory for storing one or more instructions, wherein the one or more instructions, when executed by the one or more processors, cause the one or more processors to implement the method as described above.
Another aspect of the disclosure provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to implement the method as described above.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the method as described above when executed.
According to the embodiment of the disclosure, the access request of the client is monitored, the calculation difficulty of the client is determined by applying a proof-of-work mechanism according to the set levels, and the calculation result returned by the client is used as the basis for deciding whether the server gives an effective response: the server resource can be obtained only when the calculation result is correct. The technical problem of server overload caused by high-frequency access by clients in the related art is therefore at least partially overcome. The calculation difficulty of an attacker's client is adjusted intelligently with little server resource consumption and without affecting normal access by users, the client can be required to complete the calculation without the user noticing, the risk of abuse of enterprise services and resources is addressed by consuming the attacker's device resources, the attacker's efficiency is reduced, high-frequency malicious attacks are blocked, and the existing protection means are enriched.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates an exemplary system architecture to which the access control method and apparatus may be applied, according to an embodiment of the present disclosure;
FIG. 2 schematically shows a flow chart of an access control method according to an embodiment of the present disclosure;
FIG. 3 schematically shows a flow chart of an access control method according to another embodiment of the present disclosure;
FIG. 4 schematically shows a flow chart of an access control method according to another embodiment of the present disclosure;
FIG. 5 schematically illustrates an exemplary system architecture to which the access control method and apparatus may be applied, according to another embodiment of the disclosure;
FIG. 6 schematically shows a flow chart of an access control method according to another embodiment of the present disclosure;
FIG. 7 schematically shows a block diagram of an access control device according to another embodiment of the present disclosure; and
FIG. 8 schematically illustrates a block diagram of a computer system suitable for implementing the above-described method, according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.). Where a convention analogous to "at least one of A, B or C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
An embodiment of the present disclosure provides an access control method, including: monitoring an access request from a client, and determining whether the access frequency of the client exceeds a threshold value; determining the calculation difficulty corresponding to the client under the condition that the access frequency of the client exceeds a threshold value; sending a computing task matched with the computing difficulty to the client so that the client can execute the computing task; receiving a calculation result sent by a client, wherein the calculation result is obtained after the client executes a calculation task; and responding to the access request of the client under the condition that the calculation result is correct.
Fig. 1 schematically illustrates an exemplary system architecture to which the access control method and apparatus may be applied, according to an embodiment of the present disclosure. It should be noted that fig. 1 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, the system architecture 100 according to this embodiment may include a terminal device 101, a terminal device 102, a terminal device 103, a network 104, and a server 105. Network 104 is the medium used to provide communication links between terminal device 101, terminal device 102, terminal device 103, and server 105. Network 104 may include various connection types, such as wired and/or wireless communication links, and so forth.
A user may interact with server 105 over network 104 using terminal device 101, terminal device 102, terminal device 103 to receive or send messages, etc. Various messaging client applications, such as a shopping application, a web browser application, a search application, an instant messaging tool, a mailbox client, and/or social platform software, etc. (examples only) may be installed on terminal devices 101, 102, 103.
The terminal devices 101, 102, 103 may be various electronic devices having display screens and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 105 may be a server that provides various services, such as a background management server (for example only) that provides support for websites browsed by users using the terminal devices 101, 102, and 103. The background management server may analyze and perform other processing on the received data such as the user request, and feed back a processing result (e.g., a webpage, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that the access control method provided by the embodiment of the present disclosure may be generally executed by the server 105. Accordingly, the access control device provided by the embodiments of the present disclosure may be generally disposed in the server 105. The access control method provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal device 101, the terminal device 102, the terminal device 103, and/or the server 105. Accordingly, the access control device provided in the embodiments of the present disclosure may also be disposed in a server or a server cluster different from the server 105 and capable of communicating with the terminal device 101, the terminal device 102, the terminal device 103, and/or the server 105.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Fig. 2 schematically shows a flow chart of an access control method according to an embodiment of the present disclosure.
As shown in fig. 2, the method includes operations S210 to S250.
In operation S210, access requests from the client are monitored, and it is determined whether the access frequency of the client exceeds a threshold.
According to an embodiment of the present disclosure, for example, the access frequency of the current client is 30 accesses per minute and the threshold is 10 accesses per minute; the access frequency of the current client then exceeds the threshold.
In operation S220, in the case where the access frequency of the client exceeds a threshold, a calculation difficulty corresponding to the client is determined.
According to the embodiment of the disclosure, the calculation difficulty corresponding to the client can be determined according to the client's current access frequency; for example, the calculation difficulty increases as the access frequency increases. Through this flexibly controlled protection capability, high-frequency malicious access attacks are blocked, enterprise resources are protected, and normal use by users is guaranteed.
According to the embodiment of the disclosure, the access request may carry a current protection level identifier of the client, and the calculation difficulty corresponding to the client may be determined according to that identifier. The client's current protection level identifier may be determined according to the client's current access frequency: the higher the access frequency of the client, the higher the protection level may be.
For example, if the access frequency of the client is 10 accesses in one minute, the client's current protection level identifier is the first level and the corresponding calculation difficulty is easy; at 20 accesses in one minute, the identifier is the second level and the difficulty is difficult; at 40 accesses in one minute, the identifier is the third level and the difficulty is very difficult; and so on. The protection level identifier may be generated by the client itself, or may be generated by the server for the client based on the client's last access request to the server. Through this embodiment, when an attacker performs malicious high-frequency access, the calculation difficulty for the client increases as the protection level rises, so that attacks of different strengths can be handled intelligently and the attacker's malicious access frequency is effectively controlled.
In operation S230, the calculation task matching the calculation difficulty is transmitted to the client, so that the client performs the calculation task.
In operation S240, a calculation result sent by the client is received, where the calculation result is obtained after the client performs a calculation task.
In operation S250, in case that the calculation result is correct, an access request of the client is responded.
According to the embodiment of the disclosure, the access request of the client is monitored, the calculation difficulty of the client is determined by applying a proof-of-work mechanism according to the set levels, and the calculation result returned by the client is used as the basis for deciding whether the server gives an effective response: the server resource can be obtained only when the calculation result is correct. The technical problem of server overload caused by high-frequency access by clients in the related art is therefore at least partially overcome. The calculation difficulty of an attacker's client is adjusted intelligently with little server resource consumption and without affecting normal access by users, the client can be required to complete the calculation without the user noticing, the risk of abuse of enterprise services and resources is addressed by consuming the attacker's device resources, the attacker's efficiency is reduced, high-frequency malicious attacks are blocked, and the existing protection means are enriched.
The method shown in fig. 2 is further described with reference to fig. 3-6 in conjunction with specific embodiments.
Fig. 3 schematically shows a flow chart of an access control method according to another embodiment of the present disclosure.
As shown in fig. 3, the method may include operation S310 in addition to operations S210 to S250. Wherein operation S310 may be performed before operation S210.
In operation S310, in the process of performing access control on the client, a message in a preset data format is generated, so that an access request of the client is controlled based on the message in the preset data format.
According to an embodiment of the present disclosure, the message in the preset data format includes the following fields: an identifier of the client, the current protection level identifier of the client, an identifier indicating whether the current access frequency of the client exceeds the threshold, an identifier indicating whether the proof-of-work verification of the client passed, an identifier indicating whether the client has resource request permission, and a Hashcash stamp.
According to an embodiment of the present disclosure, a field description of a message of a preset data format is shown in table 1.
TABLE 1: field descriptions of the message in the preset data format (table image not reproduced on this page)
According to an embodiment of the present disclosure, the Hashcash stamp may be null when the client makes its first access or has not received a computing task. Other fields may also be null in some cases; for example, the proof-of-work verification identifier may be null when the client has not yet completed the computing task.
According to the embodiment of the disclosure, the Hashcash stamp and the identifier indicating whether the client has resource request permission can be generated according to the monitoring result obtained by monitoring the access request of the client and the verification result obtained by verifying the calculation result sent by the client.
According to the embodiment of the disclosure, for example, the calculation result sent by the client is verified: if the verification result indicates that the calculation result is correct, the client has resource request permission; if the verification result indicates that the calculation result is wrong, the client does not have resource request permission.
According to an embodiment of the present disclosure, the Hashcash stamp has a preset stamp format, which includes the following fields: a hash version number indicating the hash algorithm used in the calculation, the number of leading zero bits, a timestamp, the resource requested by the client, a random factor used to distinguish stamps generated by different clients requesting the same resource on the same date, and an algorithm counter suffix.
According to an embodiment of the present disclosure, the descriptions of the fields of the Hashcash stamp in the preset stamp format are shown in table 2.
TABLE 2: field descriptions of the Hashcash stamp in the preset stamp format (table image not reproduced on this page)
For a detailed description of the message in the preset data format and the Hashcash stamp according to the embodiment of the present disclosure, reference may be made to the description of fig. 5 and fig. 6, which is not repeated here.
Fig. 4 schematically shows a flow chart of an access control method according to another embodiment of the present disclosure.
As shown in fig. 4, the method may include operations S410 to S420 in addition to operations S210 to S250.
In operation S410, in case that the access frequency of the client exceeds a threshold, the level of the threshold is determined.
According to embodiments of the present disclosure, each access threshold may correspond to a level. For example, the first access threshold is 10 accesses in one minute, corresponding to a low level; the second access threshold is 20 accesses in one minute, corresponding to a medium level; the third access threshold is 40 accesses in one minute, corresponding to a high level. For example, if the access frequency of the current client is 15 accesses per minute, the level of the threshold exceeded is low. If the access frequency of the current client is 45 accesses per minute, the level of the threshold exceeded is high.
In operation S420, a current protection level identifier of the client is determined according to the level of the threshold.
According to an embodiment of the present disclosure, the levels of different thresholds may correspond to different protection level identifiers. For example, when the threshold level is low, the protection level identifier is the first level; when the threshold level is medium, the protection level identifier is the second level; when the threshold level is high, the protection level identifier is the third level.
According to an embodiment of the present disclosure, for example, when the level of the currently determined threshold is medium, the client's current protection level identifier is the second level.
According to the embodiment of the disclosure, when an attacker performs malicious high-frequency access, the calculation difficulty for the client can be increased as the protection level rises, attacks of different strengths can be handled intelligently, and the attacker's malicious access frequency can be effectively controlled.
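As an added illustration (not code from the patent or from the applicant), the following Python models operations S210, S220 and S410 to S420 above: a per-client sliding-window frequency counter, the multi-level thresholds of 10, 20 and 40 accesses per minute from the examples, and the mapping from the threshold level reached to the protection level identifier and a proof-of-work difficulty. The class and function names, the one-minute window and the leading-zero-bit counts standing in for "easy", "difficult" and "very difficult" are assumptions.

```python
import time
from collections import deque

# Sliding window for the access frequency, in seconds (one minute, matching
# the per-minute figures in the description).
WINDOW_SECONDS = 60

# Multi-level thresholds from the description, checked from highest to lowest:
# (accesses per window, threshold level name, protection level identifier,
# proof-of-work difficulty as leading zero bits). The bit counts are an
# assumption for illustration; the description only says easy / difficult /
# very difficult.
THRESHOLD_LEVELS = [
    (40, "high", 3, 22),
    (20, "medium", 2, 18),
    (10, "low", 1, 14),
]


class FrequencyMonitor:
    """Per-client sliding-window request counter (operation S210)."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.hits = {}  # client identifier -> deque of request timestamps

    def record(self, client_id, now=None):
        """Record one access and return the client's frequency in the window."""
        now = time.time() if now is None else now
        queue = self.hits.setdefault(client_id, deque())
        queue.append(now)
        # Drop timestamps that have left the window so the count stays bounded.
        while queue and now - queue[0] >= self.window:
            queue.popleft()
        return len(queue)


def threshold_level(frequency):
    """Operation S410: the highest threshold level the frequency reaches.

    Returns (level name, protection level identifier, difficulty bits);
    (None, 0, 0) means no threshold is reached and no proof of work is needed.
    """
    for threshold, name, level, bits in THRESHOLD_LEVELS:
        if frequency >= threshold:
            return name, level, bits
    return None, 0, 0


def decide(monitor, client_id, now=None):
    """Operations S210, S220 and S420 for one incoming request."""
    frequency = monitor.record(client_id, now)
    name, level, bits = threshold_level(frequency)
    return {
        "client_id": client_id,
        "frequency": frequency,
        "freq_exceeded": name is not None,
        "threshold_level": name,
        "protection_level": level,
        "difficulty_bits": bits,
    }


if __name__ == "__main__":
    monitor = FrequencyMonitor()
    # Constructed sample: one client sends 45 requests within the same second.
    for _ in range(45):
        result = decide(monitor, "client-A", now=1000.0)
    print(result)  # third protection level, "very difficult" task
```

The deque per client keeps memory proportional to the number of requests inside the window, so an attacker cannot grow server state without bound; timestamps older than the window are discarded on every record, which is what makes the 61-second-later request below count as a fresh start.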
Fig. 5 schematically illustrates an exemplary system architecture to which the access control method and apparatus may be applied, according to another embodiment of the present disclosure.
As shown in fig. 5, a user may request access to a system to be detected 520 using a communication device 510. The communication device 510 may include a mobile client, a PC terminal, and the like. The system to be detected 520 may include a web server, an application server, and the like.
When the user requests access to the system to be detected 520 using the communication device 510, the system to be detected 520 may forward the access request to the access control device 530, or the access request from the communication device 510 may pass directly through the access control device 530. The access control device 530 may comprise a frequency monitoring server, a proof-of-work verification and stamp generation cluster, and the like. The access control device 530 may send the access control result to the system to be detected 520, so that the system to be detected 520 decides whether to respond to the communication device 510 according to that result. The access control result may be the result of verifying the calculation result obtained after the communication device 510 performs the calculation task.
The operation of the system architecture shown in fig. 5 will be briefly described with reference to fig. 6.
Fig. 6 schematically shows a flow chart of an access control method according to another embodiment of the present disclosure.
As shown in fig. 6, the method includes operations S601 to S608.
In operation S601, the access control device 530 receives the client's access request data through the frequency monitoring module and monitors the access frequency. The frequency monitoring module may be deployed in the frequency monitoring server.
In operation S602, it is determined whether the access frequency exceeds the threshold, and a message in the standard preset data format is generated. If the threshold is not exceeded, operation S603 is performed; if it is exceeded, operation S604 is performed.
In operation S603, it is determined whether the client's protection level is 0. If the protection level is not 0, operation S604 is performed, so that a client whose protection level has already been raised continues to be verified even after its access frequency drops below the threshold; otherwise (frequency below the threshold and protection level 0) operation S608 is performed.
In operation S604, the proof-of-work verification module receives the message in the preset data format from the frequency monitoring module and computes the hash value of the Hashcash stamp sent by the client. The proof-of-work verification module may be deployed in the proof-of-work verification and stamp generation cluster.
In operation S605, the proof-of-work verification module compares its computed hash with the hash value sent by the client and generates a proof-of-work verification identifier and a resource request permission identifier. If verification passes, operation S607 is performed; if it fails, operation S606 is performed.
In operation S606, access is denied.
In operation S607, a new Hashcash stamp is generated. The Hashcash stamp generation module receives the proof-of-work verification identifier, the resource request permission identifier, the protection level identifier and the original Hashcash stamp from the proof-of-work verification module, generates a new Hashcash stamp from them, and sends it together with the resource request permission identifier to the service provider, that is, the system to be detected 520.
In operation S608, the service provider provides the corresponding resource in response to the client's access, and the service is accessed normally.
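The decision flow of operations S601 to S608, together with the threshold-level to protection-level mapping described above, as an added worked example in Python. This is illustration code written for this page, not code from the patent or from ICBC. The request window, the three threshold values, the protection-level-to-difficulty table and the puzzle itself (a generic hash-prefix puzzle over a server-issued random challenge, standing in for the Hashcash stamp described later) are all assumptions. The example also adds two checks a practitioner would want that the flow chart does not spell out: the challenge must be one the server actually issued, and it is consumed on first use so that a solved puzzle cannot be replayed.

```python
import hashlib
import os
from collections import defaultdict, deque

# Assumed parameters (not from the patent): requests per window that define the
# low / medium / high threshold levels, and the protection level each maps to.
WINDOW_SECONDS = 10
THRESHOLDS = [(20, 1), (50, 2), (100, 3)]   # (requests in window, protection level), ascending
# Assumed: protection level -> leading zero bits the puzzle hash must carry.
DIFFICULTY_BITS = {1: 12, 2: 16, 3: 20}


class FrequencyMonitor:
    """Sliding-window request counter per client (the frequency monitoring module)."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.hits = defaultdict(deque)

    def record(self, client_id, now):
        """Record one request at time `now` and return the count inside the window."""
        q = self.hits[client_id]
        q.append(now)
        while q[0] <= now - self.window:
            q.popleft()
        return len(q)


def threshold_level(frequency):
    """Highest threshold level that `frequency` exceeds; 0 if none (operation S602)."""
    level = 0
    for limit, lvl in THRESHOLDS:
        if frequency > limit:
            level = lvl
    return level


def leading_zero_bits(digest):
    """Number of leading zero bits in a hash digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits


def verify_puzzle(challenge, counter, bits):
    """Server side of the proof of work: one hash and a leading-zero check."""
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= bits


def solve_puzzle(challenge, bits):
    """Client side: brute-force the counter; about 2**bits hashes on average."""
    counter = 0
    while not verify_puzzle(challenge, counter, bits):
        counter += 1
    return counter


class AccessController:
    """Decision flow of Fig. 6. The protection level is remembered per client,
    so a client that was once flagged keeps solving puzzles (operation S603)."""

    def __init__(self):
        self.monitor = FrequencyMonitor()
        self.level = defaultdict(int)   # client_id -> protection level identifier
        self.pending = {}               # client_id -> (challenge, bits) awaiting a solution

    def handle(self, client_id, now, solution=None):
        freq = self.monitor.record(client_id, now)            # S601
        exceeded = threshold_level(freq)                      # S602
        if exceeded > self.level[client_id]:
            self.level[client_id] = exceeded                  # escalate, never relax here
        level = self.level[client_id]
        if level == 0:                                        # S603: never flagged -> S608
            return {"allow": True, "level": 0}
        bits = DIFFICULTY_BITS[level]                         # difficulty follows the protection level
        if solution is None:                                  # S604: a puzzle is required first
            challenge = os.urandom(8).hex()
            self.pending[client_id] = (challenge, bits)
            return {"allow": False, "level": level, "challenge": challenge, "bits": bits}
        challenge, counter = solution
        issued = self.pending.pop(client_id, None)            # single use: no replay
        if issued is None or issued[0] != challenge:
            return {"allow": False, "level": level, "reason": "unknown challenge"}
        if not verify_puzzle(challenge, counter, issued[1]):  # S605
            return {"allow": False, "level": level, "reason": "wrong result"}   # S606
        return {"allow": True, "level": level}                # S607 -> S608
```

The server's cost per request is one SHA-256 call regardless of the difficulty, while the client's expected cost doubles with every additional leading zero bit; that asymmetry is what lets the protection level scale the attacker's cost without scaling the server's.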
According to an embodiment of the present disclosure, in this embodiment the access control device 530 may include a frequency monitoring module, a proof-of-work verification module, and a Hashcash stamp generation module.
According to the embodiment of the disclosure, the frequency monitoring module monitors the client's access frequency, the Hashcash stamp generation module implements elastic control of malicious access behaviour, and the proof-of-work verification module determines whether the server authorizes the client's access. The proof-of-work computation can be embedded in the client; only the interaction with the server is required, and the functions and system design of client and server are otherwise unaffected.
According to an embodiment of the present disclosure, the frequency monitoring module may include an access receiving unit and a format generating unit. The access receiving unit interfaces with the server: the client access request data received by the server enters the proof-of-work-based access control device through the access receiving unit of the frequency monitoring module.
The access receiving unit may receive the client identifier, the current access frequency, the current Hashcash stamp and the calculation result forwarded by the server, and determine whether the current access frequency exceeds the access threshold.
The format generating unit standardizes the data received by the access receiving unit into the preset format, to facilitate subsequent processing by the proof-of-work-based access control device.
According to an embodiment of the present disclosure, the proof-of-work verification module may include a protection level discrimination unit and a calculation result verification unit.
The protection level discrimination unit receives the monitoring result of the frequency monitoring module together with the Hashcash stamp and calculation result sent by the client.
The calculation result verification unit computes the hash value of the Hashcash stamp sent by the client and compares it with the hash value sent by the client. If the two hash values match and the recomputed hash carries the required number of leading zero bits (which is what actually demonstrates the work), the client has proved that it is entitled to request the specified resource; otherwise the client has no permission for the specified resource. The verification result is sent to the Hashcash stamp generation module.
According to the embodiment of the disclosure, the Hashcash stamp generation module generates the Hashcash stamp and the resource request permission identifier from the monitoring result of the frequency monitoring module and the verification result of the proof-of-work verification module, and sends both to the service provider. The Hashcash stamp has the form [version number : number of leading zero bits : timestamp : requested resource X : reserved field : random factor salt : algorithm counter suffix]. The algorithm counter suffix is the part of the stamp on which the verification algorithm actually operates: given the first six fields, the client must try many successive counter values until the hash of the stamp has the specified number of leading zero bits. The Hashcash fields are illustrated in Tables 1 and 2.
According to the embodiment of the disclosure, the client solves the puzzle Hash(X, salt, counter) = 0000… given by the received Hashcash stamp, that is, it searches for a counter for which the hash value begins with N leading zero bits. Because no method faster than trial and error is known, about 2^N hash evaluations are needed on average, and the time this takes depends on the hashing speed of the client's machine. When a node presents a valid hash value, this demonstrates that the node has in fact performed a large number of trial computations. Here X is the resource the client wants to request and salt is the random factor.
According to the method, proof of work is used to establish whether the client has performed the corresponding computation, and the proof-of-work result forms the basis for elastic protection against malicious access. HashCash is used to implement the proof of work: the client solves the HashCash puzzle and obtains the resource only after computing a correct result, while the server can confirm a large amount of client work by spending only a small amount of its own resources (a single hash computation). This yields an elastic protection method against malicious access that improves risk prevention and control capability without consuming a large amount of server resources.
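The Hashcash stamp described above, minted on the client and verified on the server, as an added worked example in Python. This is illustration code for this page, not code from the patent or from ICBC. The stamp layout follows the seven fields named in the text (version, leading zero bits, timestamp, requested resource, reserved field, random salt, counter suffix); the hash function (SHA-256), the YYMMDDhhmmss timestamp format, the salt length, the freshness window and the in-memory set used as the double-spend store are all assumptions. The verifier checks more than the hash alone: the claimed difficulty must meet the current protection level, the resource must be the one requested, the timestamp must be fresh, and the salt must be one the server issued and not yet spent, which is what stops a single solved stamp from being reused.

```python
import calendar
import hashlib
import os
import time

VERSION = "1"            # version field; the page does not fix the hash, SHA-256 is assumed here
MAX_AGE_SECONDS = 120    # assumed freshness window for the timestamp field
CLOCK_SKEW_SECONDS = 60  # assumed tolerance for a client clock slightly ahead of ours


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits of a digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits


def stamp_hash(stamp: str) -> bytes:
    return hashlib.sha256(stamp.encode()).digest()


def issue_template(bits: int, resource: str, now: float, issued: set) -> str:
    """Server side: the first six fields of the stamp; the client fills in only the counter.
    The salt is remembered in `issued` so that each stamp can be spent exactly once.
    `resource` must not contain ':' because it is the field separator."""
    ts = time.strftime("%y%m%d%H%M%S", time.gmtime(now))
    salt = os.urandom(8).hex()   # random factor: separates clients asking for the same resource on the same date
    issued.add(salt)
    return f"{VERSION}:{bits}:{ts}:{resource}::{salt}:"   # reserved field left empty


def mint(template: str, bits: int) -> str:
    """Client side: try successive counter suffixes until the stamp hash has `bits`
    leading zero bits (about 2**bits hashes on average)."""
    counter = 0
    while True:
        stamp = f"{template}{counter:x}"
        if leading_zero_bits(stamp_hash(stamp)) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, required_bits: int, expected_resource: str, now: float, issued: set):
    """Server side: field checks plus a single hash. Returns (ok, reason).
    Recomputing the hash and checking its leading zeros is the decisive step; a hash
    value supplied by the client is only a hint and is never trusted on its own."""
    fields = stamp.split(":")
    if len(fields) != 7:
        return False, "malformed"
    version, bits, ts, resource, _reserved, salt, _counter = fields
    if version != VERSION:
        return False, "version"
    if not bits.isdigit() or int(bits) < required_bits:
        return False, "claimed difficulty too low"      # a stamp minted for a lower protection level
    if resource != expected_resource:
        return False, "resource mismatch"               # work done for one resource does not buy another
    try:
        issued_at = calendar.timegm(time.strptime(ts, "%y%m%d%H%M%S"))
    except ValueError:
        return False, "bad timestamp"
    if not (now - MAX_AGE_SECONDS <= issued_at <= now + CLOCK_SKEW_SECONDS):
        return False, "expired"
    if salt not in issued:
        return False, "unknown salt"                    # never issued by us, or already spent
    if leading_zero_bits(stamp_hash(stamp)) < required_bits:
        return False, "insufficient work"
    issued.discard(salt)                                # spend the stamp: no replay
    return True, "ok"


if __name__ == "__main__":
    store, now = set(), time.time()
    template = issue_template(16, "/api/transfer", now, store)
    stamp = mint(template, 16)
    print(stamp, verify(stamp, 16, "/api/transfer", now, store))
```

Only the salt is kept server-side, and only until the stamp is spent or expires, so the double-spend store stays small even under a flood; the cheap field checks run before the hash so that malformed or stale stamps cost the server no hashing at all.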
Fig. 7 schematically shows a block diagram of an access control device according to another embodiment of the present disclosure.
As shown in fig. 7, the access control device 700 includes a monitoring module 710, a determining module 720, a transmitting module 730, a receiving module 740, and a responding module 750.
The monitoring module 710 is configured to monitor access requests from the clients and determine whether the access frequency of the clients exceeds a threshold.
The determining module 720 is configured to determine a computational difficulty corresponding to the client if the frequency of access by the client exceeds a threshold.
The sending module 730 is configured to send the computing task matching the computing difficulty to the client, so that the client performs the computing task.
The receiving module 740 is configured to receive a calculation result sent by the client, where the calculation result is obtained after the client executes a calculation task.
The response module 750 is used for responding to the access request of the client if the calculation result is correct.
It should be noted that the functional modules of the access control device 700 shown in fig. 7 have the same or similar functions as those of the functional modules included in the access control device described in fig. 5 and 6, and the access control device 700 shown in fig. 7 may include the functional modules included in the access control device described in fig. 5 and 6 without affecting the processing logic.
According to the embodiment of the disclosure, the client's access requests are monitored, a proof-of-work mechanism is applied to adjust the client's computational difficulty according to the configured levels, and the calculation result returned by the client is taken as the basis for whether the server gives an effective response: server resources are obtained only when the calculation result is correct. This at least partially overcomes the problem in the related art of server overload caused by high-frequency client access. The computational difficulty of an attacker's client is adjusted intelligently without consuming significant server resources and without affecting normal users' access; the client can be required to complete the calculation without the user noticing, so that the risk of abuse of enterprise services and resources is countered by consuming the attacker's own device resources, the attacker's efficiency is reduced, high-frequency malicious attacks are blocked, and the existing protection means are enriched.
According to the embodiment of the present disclosure, the access request carries the client's current protection level identifier, and the determining module 720 is configured to determine the computational difficulty corresponding to the client according to that current protection level identifier.
According to an embodiment of the present disclosure, the access control device 700 further includes a generating module, configured to generate a message in a preset data format in the course of controlling the client's access, so that the client's access request is controlled on the basis of that message.
The message in the preset data format comprises the following fields: an identifier of the client, the client's current protection level identifier, an identifier indicating whether the client's current access frequency exceeds the threshold, an identifier indicating whether the client's proof-of-work verification passed, an identifier indicating whether the client has resource request permission, and the Hashcash stamp.
According to an embodiment of the present disclosure, the generating module is configured to generate the HashCash stamp and the identifier indicating whether the client has resource request permission according to the monitoring result obtained by monitoring the client's access request and the verification result obtained by verifying the calculation result sent by the client.
According to an embodiment of the present disclosure, the Hashcash stamp has a preset stamp format comprising the following fields: a version number of the hash scheme used for the calculation, the number of leading zero bits, a timestamp, the resource requested by the client, a random factor distinguishing stamps generated for different clients requesting the same resource on the same date, and an algorithm counter suffix.
According to an embodiment of the present disclosure, the threshold comprises a plurality of threshold levels, and the determining module is further configured to determine the level of the threshold when the client's access frequency exceeds the threshold, and to determine the client's current protection level identifier according to that threshold level.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, any number of the monitoring module 710, the determining module 720, the sending module 730, the receiving module 740, and the responding module 750 may be combined and implemented in one module/unit/sub-unit, or any one of the modules/units/sub-units may be split into a plurality of modules/units/sub-units. Alternatively, at least part of the functionality of one or more of these modules/units/sub-units may be combined with at least part of the functionality of other modules/units/sub-units and implemented in one module/unit/sub-unit. According to an embodiment of the present disclosure, at least one of the monitoring module 710, the determining module 720, the sending module 730, the receiving module 740, and the responding module 750 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or in any one of three implementations of software, hardware, and firmware, or in any suitable combination of any of them. Alternatively, at least one of the monitoring module 710, the determining module 720, the sending module 730, the receiving module 740, and the responding module 750 may be at least partially implemented as a computer program module that, when executed, may perform a corresponding function.
It should be noted that the access control device portion in the embodiment of the present disclosure corresponds to the access control method portion in the embodiment of the present disclosure, and the description of the access control device portion specifically refers to the access control method portion, and is not repeated here.
FIG. 8 schematically illustrates a block diagram of a computer system suitable for implementing the above-described method, according to an embodiment of the present disclosure. The computer system illustrated in FIG. 8 is only one example and should not impose any limitations on the scope of use or functionality of embodiments of the disclosure.
As shown in fig. 8, a computer system 800 according to an embodiment of the present disclosure includes a processor 801 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. The processor 801 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 801 may also include onboard memory for caching purposes. The processor 801 may include a single processing unit or multiple processing units for performing different actions of the method flows according to embodiments of the present disclosure.
In the RAM 803, various programs and data necessary for the operation of the system 800 are stored. The processor 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. The processor 801 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 802 and/or RAM 803. Note that the programs may also be stored in one or more memories other than the ROM 802 and RAM 803. The processor 801 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
System 800 may also include an input/output (I/O) interface 805, also connected to bus 804, according to an embodiment of the disclosure. The system 800 may also include one or more of the following components connected to the I/O interface 805: an input portion 806 including a keyboard, a mouse, and the like; an output section 807 including a display such as a Cathode Ray Tube (CRT) or a Liquid Crystal Display (LCD), and a speaker; a storage portion 808 including a hard disk and the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. A drive 810 is also connected to the I/O interface 805 as necessary. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as necessary, so that a computer program read out therefrom is installed into the storage section 808 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 809 and/or installed from the removable medium 811. The computer program, when executed by the processor 801, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to an embodiment of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium. Examples may include, but are not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 802 and/or RAM 803 described above and/or one or more memories other than the ROM 802 and RAM 803.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (14)

1. An access control method comprising:
monitoring an access request from a client, and determining whether the access frequency of the client exceeds a threshold value;
determining a calculation difficulty corresponding to the client under the condition that the access frequency of the client exceeds the threshold;
sending a computing task matched with the computing difficulty to the client so that the client can execute the computing task;
receiving a calculation result sent by the client, wherein the calculation result is obtained after the client executes the calculation task; and
and responding to the access request of the client under the condition that the calculation result is correct.
2. The method of claim 1, wherein the access request carries an identification of a current level of protection of the client,
the determining the computational difficulty corresponding to the client comprises: and determining the calculation difficulty corresponding to the client according to the current protection grade identification of the client.
3. The method of claim 2, further comprising:
in the process of controlling access to the client, generating a message in a preset data format so as to control an access request of the client based on the message in the preset data format, wherein the message in the preset data format comprises the following fields:
an identifier of the client, a current protection level identifier of the client, an identifier indicating whether the client's current access frequency exceeds a threshold, an identifier indicating whether the client's proof-of-work verification passed, an identifier indicating whether the client has resource request permission, and a Hashcash stamp.
4. The method of claim 3, further comprising:
and generating the Hashcash stamp and the identifier for representing whether the client has the resource request permission according to a monitoring result obtained by monitoring the access request of the client and a verification result obtained by verifying a calculation result sent by the client.
5. The method of claim 3, wherein the Hashcash stamp has a preset stamp format comprising the following fields:
a version number of the hash used for the calculation, a number of leading zero bits, a timestamp, the resource requested by the client, a random factor for distinguishing stamps generated by different clients requesting the same resource on the same date, and an algorithm counter suffix.
6. The method of claim 2, wherein the threshold comprises a plurality of levels of threshold, the method further comprising:
determining a level of the threshold if the access frequency of the client exceeds the threshold; and
and determining the current protection grade identification of the client according to the grade of the threshold.
7. An access control device comprising:
the monitoring module is used for monitoring an access request from a client and determining whether the access frequency of the client exceeds a threshold value;
the determining module is used for determining the calculation difficulty corresponding to the client under the condition that the access frequency of the client exceeds the threshold;
the sending module is used for sending the calculation task matched with the calculation difficulty to the client so that the client can execute the calculation task;
the receiving module is used for receiving a calculation result sent by the client, wherein the calculation result is obtained after the client executes the calculation task; and
and the response module is used for responding to the access request of the client under the condition that the calculation result is correct.
8. The apparatus of claim 7, wherein the access request carries an identification of a current level of protection of the client,
the determination module is to: and determining the calculation difficulty corresponding to the client according to the current protection grade identification of the client.
9. The apparatus of claim 8, further comprising:
a generating module, configured to generate a message in a preset data format in a process of performing access control on the client, so as to control an access request of the client based on the message in the preset data format, where the message in the preset data format includes the following fields:
an identifier of the client, a current protection level identifier of the client, an identifier indicating whether the client's current access frequency exceeds a threshold, an identifier indicating whether the client's proof-of-work verification passed, an identifier indicating whether the client has resource request permission, and a Hashcash stamp.
10. The apparatus of claim 9, wherein:
the generation module is used for generating the Hashcash stamp and the identifier for representing whether the client has the resource request permission or not according to a monitoring result obtained by monitoring the access request of the client and a verification result obtained by verifying the calculation result sent by the client.
11. The apparatus of claim 9, wherein the Hashcash stamp has a preset stamp format comprising the following fields:
a version number of the hash used for the calculation, a number of leading zero bits, a timestamp, the resource requested by the client, a random factor for distinguishing stamps generated by different clients requesting the same resource on the same date, and an algorithm counter suffix.
12. The apparatus of claim 8, wherein the threshold comprises a plurality of levels of threshold, and wherein the determining module is further configured to:
determining a level of the threshold if the access frequency of the client exceeds the threshold; and
and determining the current protection grade identification of the client according to the grade of the threshold.
13. A computer system, comprising:
one or more processors;
a memory to store one or more instructions that,
wherein the one or more instructions, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-6.
14. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to carry out the method of any one of claims 1 to 6.
CN202010081129.5A 2020-02-05 2020-02-05 Access control method, device, computer system and computer-readable storage medium Pending CN111314332A (en)

Publications (1)

Publication Number Publication Date
CN111314332A true CN111314332A (en) 2020-06-19

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104038502A (en) * 2014-06-24 2014-09-10 五八同城信息技术有限公司 Verification method and system
US20160173526A1 (en) * 2014-12-10 2016-06-16 NxLabs Limited Method and System for Protecting Against Distributed Denial of Service Attacks
CN107688733A (en) * 2017-07-25 2018-02-13 上海壹账通金融科技有限公司 Business interface call method, device, user terminal and readable storage medium storing program for executing
CN109194664A (en) * 2018-09-14 2019-01-11 石家庄铁道大学 A kind of shift position secret protection access control method based on game theory
CN109617857A (en) * 2013-09-30 2019-04-12 瞻博网络公司 The effect of Denial of Service attack is limited by increasing client resource demand
CN109743295A (en) * 2018-12-13 2019-05-10 平安科技(深圳)有限公司 Access thresholds method of adjustment, device, computer equipment and storage medium
CN110113328A (en) * 2019-04-28 2019-08-09 武汉理工大学 A kind of software definition opportunistic network DDoS defence method based on block chain
CN110572700A (en) * 2019-09-19 2019-12-13 湖南快乐阳光互动娱乐传媒有限公司 Client risk identification method and system
CN110650142A (en) * 2019-09-25 2020-01-03 腾讯科技(深圳)有限公司 Access request processing method, device, system, storage medium and computer equipment

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109617857A (en) * 2013-09-30 2019-04-12 瞻博网络公司 Limiting the effect of denial-of-service attacks by increasing client resource demand
CN104038502A (en) * 2014-06-24 2014-09-10 五八同城信息技术有限公司 Verification method and system
US20160173526A1 (en) * 2014-12-10 2016-06-16 NxLabs Limited Method and System for Protecting Against Distributed Denial of Service Attacks
CN107688733A (en) * 2017-07-25 2018-02-13 上海壹账通金融科技有限公司 Business interface call method, device, user terminal and readable storage medium
CN109194664A (en) * 2018-09-14 2019-01-11 石家庄铁道大学 Mobile location privacy-preserving access control method based on game theory
CN109743295A (en) * 2018-12-13 2019-05-10 平安科技(深圳)有限公司 Access threshold adjustment method, device, computer equipment and storage medium
CN110113328A (en) * 2019-04-28 2019-08-09 武汉理工大学 Blockchain-based DDoS defense method for software-defined opportunistic networks
CN110572700A (en) * 2019-09-19 2019-12-13 湖南快乐阳光互动娱乐传媒有限公司 Client risk identification method and system
CN110650142A (en) * 2019-09-25 2020-01-03 腾讯科技(深圳)有限公司 Access request processing method, device, system, storage medium and computer equipment

Similar Documents

Publication Publication Date Title
US11799900B2 (en) Detecting and mitigating golden ticket attacks within a domain
US11818169B2 (en) Detecting and mitigating attacks using forged authentication objects within a domain
JP5961638B2 (en) System and method for application certification
US10032037B1 (en) Establishing application trust levels using taint propagation as a service
US9912682B2 (en) Aggregation of network traffic source behavior data across network-based endpoints
US9633199B2 (en) Using a declaration of security requirements to determine whether to permit application operations
CN111104675A (en) Method and device for detecting system security vulnerability
US11368464B2 (en) Monitoring resource utilization of an online system based on statistics describing browser attributes
US20230308459A1 (en) Authentication attack detection and mitigation with embedded authentication and delegation
EP3714388A1 (en) Authentication token in manifest files of recurring processes
US10860382B1 (en) Resource protection using metric-based access control policies
EP3900300A1 (en) Securing browser cookies
CN111316272A (en) Advanced cyber-security threat mitigation using behavioral and deep analytics
CN104253687A (en) Method for reducing verification efficiency, method for generating captcha, correlated system, and server
US8613097B2 (en) Methods and systems for detecting an access attack
US20230254146A1 (en) Cybersecurity guard for core network elements
CN111314332A (en) Access control method, device, computer system and computer-readable storage medium
CN114491489A (en) Request response method and device, electronic equipment and storage medium
CN114567678A (en) Resource calling method and device of cloud security service and electronic equipment
KR20130124885A (en) A apparatus and method of providing security to cloud data to prevent unauthorized access
EP4094402A1 (en) Privacy-preserving activity aggregation mechanism
US11019089B1 (en) Performing security assessments based on user credentials
CN113190812A (en) Login method, system, electronic equipment and storage medium
CN112104625A (en) Process access control method and device
CN114553570B (en) Method, device, electronic equipment and storage medium for generating token

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200619