CN112073400A - Access control method, system and device and computing equipment - Google Patents


Info

Publication number: CN112073400A
Authority: CN (China)
Prior art keywords: characteristic information, information, access control, verification, process characteristic
Legal status: Pending
Application number: CN202010889163.5A
Other languages: Chinese (zh)
Inventors: 蔡东赟, 吴岳廷
Current assignee: Tencent Cloud Computing Beijing Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202010889163.5A
Publication of CN112073400A

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The application provides an access control method, system, device and computing equipment. It relates to the technical field of cloud, and in particular to cloud security, and is used to improve the effectiveness of access control and reduce network security risk. The method comprises the following steps: in response to an access triggering operation, initiating a service access request through a target application process; acquiring process characteristic information of the target application process, the process characteristic information being used to identify the target application process; when the process characteristic information passes trusted verification, acquiring process authorization information corresponding to the target application process; and sending the service access request and the process authorization information to an admission gateway, so that the admission gateway releases or intercepts the service access request according to an authentication result of the service access request, the service access request being authenticated by means of the authorization information.

Description

Access control method, system and device and computing equipment
Technical Field
The application relates to the technical field of cloud, in particular to the technical field of cloud security, and specifically relates to an access control method, system, device and computing equipment.
Background
With the rapid development of internet technology, access control has become one of the core means of ensuring network information security, and it is now widely applied in scenarios such as cloud computing and cloud security.
Taking an access control scenario as an example, the related art generally adopts a region-based trust control mechanism: a trust region is defined by the network location (for example, the IP (Internet Protocol) address) of the user, and access control decides whether to intercept or release a user's access request by judging whether that network location is trusted.
In this access control method, a device is admitted to the network once its network location is confirmed to be trusted. After admission, the device can reach internal network services through any application on it, and some malicious code is capable of penetrating the network and invading the service system, creating a potential safety hazard for the service system. In other words, the access control mechanism of the related art carries a large network security risk, and its effectiveness is low.
Disclosure of Invention
The embodiment of the application provides an access control method, system, device and computing equipment, which are used for improving the effectiveness of access control, reducing the risk of network security and enhancing the network security.
In one aspect, an access control method is provided, the method including:
responding to the access triggering operation, and initiating a service access request through a target application process;
acquiring process characteristic information of the target application process, wherein the process characteristic information is used for identifying the target application process;
when the process characteristic information passes the credibility verification, obtaining authorization information corresponding to the target application process;
and sending the service access request and the authorization information to an admission gateway, so that the admission gateway releases or intercepts the service access request according to an authentication result of the service access request, the service access request being authenticated by means of the authorization information.
Optionally, the method further includes:
and when the user confirmation result differs from the trusted verification result of the process characteristic information, sending the user confirmation result to the access control unit.
In one aspect, an access control method is provided, the method including:
receiving process characteristic information sent by a terminal, wherein the process characteristic information is used for identifying a target application process initiating a service access request in the terminal;
when the process characteristic information is confirmed to pass the credibility verification, confirming authorization information corresponding to the target application process, and sending the authorization information to the terminal;
receiving the service access request and the authorization information sent by an admission gateway;
and authenticating the service access request according to the authorization information, and sending the authentication result to the admission gateway, so that the admission gateway releases or intercepts the service access request according to the authentication result.
Optionally, determining whether the process characteristic information passes the trusted verification includes one of the following:
determining whether the process characteristic information passes the trusted verification according to whether it has a matching result in a second process list; or
calling a cloud query interface, sending the process characteristic information to the cloud verification platform corresponding to the cloud query interface, and determining whether the process characteristic information passes the trusted verification according to third verification result information returned by the cloud verification platform; or
sending the process characteristic information to a security detection and analysis platform, which performs security detection on the operating behaviour of the target application process according to the process characteristic information, and determining whether the process characteristic information passes the trusted verification according to the detection result output by that platform.
Optionally, the method further includes:
receiving user account information sent by the terminal and access link information corresponding to the service access request;
in that case, determining whether the process characteristic information passes the trusted verification includes:
determining an associated terminal logged in with associated account information corresponding to the user account information;
and sending the process characteristic information and the access link information to the associated terminal, and determining whether the process characteristic information passes or fails the trusted verification according to the user decision information sent by the associated terminal.
Optionally, sending the process feature information and the access link information to the associated terminal includes:
determining whether the process characteristic information passes trusted verification or not to obtain fourth verification result information;
and sending the fourth verification result information, the process characteristic information and the access link information to the associated terminal.
In one aspect, an access control system is provided, the system comprising an access control unit and an admission gateway, wherein:
the access control unit is used for receiving process characteristic information sent by a terminal, determining authorization information corresponding to a target application process when the process characteristic information is determined to pass credibility verification, and sending the authorization information to the terminal, wherein the process characteristic information is used for identifying the target application process initiating a service access request in the terminal;
the admission gateway is used for receiving the service access request and the authorization information sent by the terminal, sending the service access request and the authorization information to the access control unit, and obtaining an authentication result sent by the access control unit;
the access control unit is further configured to receive the service access request and the authorization information sent by the admission gateway, authenticate the service access request according to the authorization information, and send an authentication result to the admission gateway;
and the admission gateway is further used for releasing or intercepting the service access request according to the authentication result.
In one aspect, an access control apparatus is provided, the apparatus comprising:
the access module is used for responding to the access triggering operation and initiating a service access request through the target application process;
an obtaining module, configured to obtain process characteristic information of the target application process, where the process characteristic information is used to identify the target application process;
the verification module is used for obtaining the authorization information corresponding to the target application process when the process characteristic information passes the credible verification;
and the sending module is used for sending the service access request and the authorization information to an admission gateway, so that the admission gateway releases or intercepts the service access request according to an authentication result of the service access request, the service access request being authenticated by means of the authorization information.
In one aspect, an access control apparatus is provided, the apparatus comprising:
a receiving module, configured to receive process characteristic information sent by a terminal, where the process characteristic information is used to identify the target application process that initiates a service access request in the terminal;
the determining module is used for determining authorization information corresponding to the target application process when the process characteristic information is determined to pass the credibility verification;
a sending module, configured to send the authorization information to the terminal;
the receiving module is further configured to receive the service access request and the authorization information sent by an admission gateway;
and an access control module, configured to authenticate the service access request according to the authorization information and send an authentication result to the admission gateway, so that the admission gateway releases or intercepts the service access request according to the authentication result.
In one aspect, a computing device is provided, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the computer program, performs the steps of the method of any one of the above aspects.
In one aspect, a storage medium is provided, the storage medium storing computer-executable instructions for causing a computer to perform the steps included in the access control method of any one of the above aspects.
In one aspect, a computer program product containing instructions is provided, which when run on a computer causes the computer to perform the steps included in the access control method described in the various possible implementations described above.
In the embodiment of the application, when a terminal initiates a service access request, process characteristic information of an application process (for example, referred to as a target application process) used for initiating the service access request may be obtained, and then trusted verification is performed on the process characteristic information, which is equivalent to that the target application process is trusted verified, and only when the process characteristic information used for identifying the target application process passes the trusted verification, an authorization credential is issued to the target application process, that is, the terminal may obtain authorization information corresponding to the target application process. Further, the access control unit may authenticate the service access request initiated by the terminal by using the authorization information, and send the authentication result to the admission gateway, so that the admission gateway can release or intercept the service access request initiated by the target service process according to the authentication result, thereby implementing effective control on the service access request. 
In the embodiment of the application, an authorization and verification management mechanism for application processes is added, providing a strong management strategy and security inspection capability for application processes. Access control granularity is refined to each application process on the device, and the legitimacy of the source of a process initiating access can be verified. Under this strong management verification strategy, high-level threats and the security threat of virus or Trojan penetration of the service system caused by tampering with an application process can be effectively detected and prevented, so that virus and Trojan penetration is blocked, execution of malicious code is greatly reduced, the effectiveness of access control is improved, the security risk of the service system is reduced, and network security is enhanced.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only the embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1a is a schematic diagram of an application scenario in an embodiment of the present application;
Fig. 1b is another schematic diagram of an application scenario in an embodiment of the present application;
Fig. 2 is a schematic flow chart of an access control method in an embodiment of the present application;
Fig. 3 is a schematic diagram of process characteristic information in an embodiment of the present application;
Fig. 4 is another schematic flow chart of the access control method in an embodiment of the present application;
Fig. 5 is another schematic flow chart of the access control method in an embodiment of the present application;
Fig. 6 is another schematic flow chart of the access control method in an embodiment of the present application;
Fig. 7 is another schematic flow chart of the access control method in an embodiment of the present application;
Fig. 8 is another schematic flow chart of the access control method in an embodiment of the present application;
Fig. 9 is a block diagram of an access control system in an embodiment of the present application;
Fig. 10 is a block diagram of the structure of an access control device in an embodiment of the present application;
Fig. 11 is another block diagram of the access control device in an embodiment of the present application;
Fig. 12 is a schematic structural diagram of a computing device in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions in the embodiments of the present application will be described clearly and completely with reference to the accompanying drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by one of ordinary skill in the art from the embodiments given herein without making any creative effort, shall fall within the scope of the claimed protection. In the present application, the embodiments and features of the embodiments may be arbitrarily combined with each other without conflict. Also, while a logical order is shown in the flow diagrams, in some cases, the steps shown or described may be performed in an order different than here.
The terms "first" and "second" in the description and claims of the present application and in the drawings above are used to distinguish between different objects, not to describe a particular order. Furthermore, the term "comprises" and any variations thereof are intended to cover non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may also include other steps or elements not listed, or inherent to such process, method, article, or apparatus. The "plurality" in the present application may mean at least two, for example two, three or more, and the embodiments of the present application are not limited in this respect.
In addition, the term "and/or" herein merely describes an association relationship between associated objects and means that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" in this document generally indicates that the preceding and following related objects are in an "or" relationship unless otherwise specified.
Some terms referred to herein are explained below to facilitate understanding by those skilled in the art.
1. A process, in the narrow sense, is an instance of a running application program and may also be called an application process; in the broad sense, a process is a running activity of a program with some independent functionality over some data set.
The concept of the process has two main points:
(1) a process is an entity. Each process has its own address space, typically including a text region, a data region, and a stack. Wherein the text area stores code executed by the processor; a data area stores variables and dynamically allocated memory used during process execution; the stack area stores the instructions and local variables of the active procedure call.
(2) A process is an "executing program". The program, for example an executable file with the suffix .exe, is an inanimate entity; it becomes an active entity only when the processor brings it to life (the operating system executes it), and that active entity is called a process.
2. Zero trust is a security concept. It is not a concept of the same dimension as traditional security products or devices; however, when a zero trust architecture is put into practice it cooperates with traditional security products and devices, and in some situations may even replace some of them.
Zero trust can be understood literally: no object is trusted. In an access control system in particular, people (users), terminals, resources and so on are all assumed to be untrusted, and trusted access to resources is realized by establishing a trust chain from people to terminals to resources and verifying that chain dynamically and in real time, so that network attacks are blocked and network security is improved.
The idea of the present application is presented below.
As described above, current service access control in the related art generally adopts a region-based trust control mechanism: a device is admitted to the network after the user's network location is confirmed to be trusted, and once admitted, the device can reach internal network services through any application on it. That is, once the device is trusted and admitted, any code executed on the device has access rights to the service system. During this period the executable code of an application process may be tampered with maliciously, and some malicious code is also capable of penetrating the network and invading the service system. Because access to the intranet service is controlled only at the level of the device initiating the access, and is not refined to the application process on that device, the access control mechanism of the related art cannot detect that an application process has been tampered with, which lets some high-level threats, viruses or Trojans penetrate the service system. The access control mechanism of the related art therefore carries a large network security risk, and its effectiveness is low.
In view of this, an embodiment of the present application provides an access control method, and in particular, when a terminal initiates a service access request, a process feature information of an application process (for example, referred to as a target application process) used for initiating the service access request may be obtained, and then the process feature information is trusted and verified, where the trusted verification of the process feature information is equivalent to the trusted verification of the target application process, and only when the process feature information used for identifying the target application process passes the trusted verification, an authorization credential is issued to the target application process, that is, the terminal may obtain authorization information corresponding to the target application process. Further, the access control unit may authenticate the service access request initiated by the terminal by using the authorization information, and send the authentication result to the admission gateway, so that the admission gateway can release or intercept the service access request initiated by the target service process according to the authentication result, thereby implementing effective control on the service access request.
Compared with the access control mechanism of the related art, this scheme integrates a zero trust mechanism: the application process initiating the service access request is untrusted by default. On that basis, an authorization and verification management mechanism for application processes is added, providing a strong management strategy and security inspection capability for application processes. Access control granularity is refined to each application process on the device, and the legitimacy of the source of the process initiating the access can be verified. Under this strong management verification strategy, high-level threats and the security threat of virus or Trojan penetration of the service system caused by tampering with an application process can be effectively detected and prevented, so that such penetration of the service network is blocked. Execution of malicious code is thus greatly reduced, the effectiveness of access control is improved, the security risk of the service system is reduced, and network security is enhanced.
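The per-process admission flow summarized in the Disclosure aspects and restated in the paragraph above, as an added Python simulation that is not part of the patent: the terminal derives process characteristic information (here an assumed path, SHA-256 of the process image and signer), the access control unit checks it against a trusted process list (the "second process list"), issues HMAC-protected authorization information bound to that process, and the admission gateway forwards request plus authorization to the unit and releases or intercepts on its result. Class and field names, the token format, the key handling and the sample process images are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample process images (stand-ins for executables on the terminal).
LEGIT_IMAGE = b"corp-mail-client build 1.0"
TAMPERED_IMAGE = LEGIT_IMAGE + b"\x90\x90 injected stub"
SIGNER = "CN=Corp Software Signing"  # assumed code-signing identity


def process_characteristic_info(path, image, signer):
    """Terminal side: derive process characteristic information that identifies
    the target application process (the field set is an assumption here)."""
    return {"path": path,
            "sha256": hashlib.sha256(image).hexdigest(),
            "signer": signer}


class AccessControlUnit:
    """Holds the trusted process list, issues authorization information, and
    authenticates service access requests forwarded by the admission gateway."""

    def __init__(self, trusted_processes, key):
        # "second process list": (path, sha256, signer) tuples that pass verification
        self.trusted = set(trusted_processes)
        self.key = key  # HMAC key held by the unit only; the gateway never sees it

    def trusted_verification(self, info):
        return (info["path"], info["sha256"], info["signer"]) in self.trusted

    def issue_authorization(self, info, ttl=300, now=None):
        """Return authorization info bound to this process, or None if untrusted."""
        if not self.trusted_verification(info):
            return None
        now = int(time.time()) if now is None else now
        claims = {"tid": secrets.token_hex(8), "sha256": info["sha256"],
                  "path": info["path"], "exp": now + ttl}
        payload = json.dumps(claims, sort_keys=True)
        mac = hmac.new(self.key, payload.encode(), "sha256").hexdigest()
        return {"payload": payload, "mac": mac}

    def authenticate(self, request, auth, now=None):
        """Authenticate a forwarded request; returns 'allow' or 'intercept'."""
        if auth is None:
            return "intercept"  # process never obtained authorization
        expected = hmac.new(self.key, auth["payload"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, auth["mac"]):
            return "intercept"  # forged or altered authorization info
        claims = json.loads(auth["payload"])
        now = int(time.time()) if now is None else now
        if claims["exp"] <= now:
            return "intercept"  # authorization expired
        if claims["sha256"] != request["process"]["sha256"]:
            return "intercept"  # authorization reused by a different process
        return "allow"


class AdmissionGateway:
    """Forwards request and authorization to the unit, then releases or intercepts."""

    def __init__(self, acu):
        self.acu = acu

    def handle(self, request, auth, now=None):
        result = self.acu.authenticate(request, auth, now=now)
        return "released" if result == "allow" else "intercepted"


def terminal_access(acu, gateway, path, image, signer, now=None):
    """Full flow: characteristic info -> verification/authorization -> gateway."""
    info = process_characteristic_info(path, image, signer)
    auth = acu.issue_authorization(info, now=now)  # None when verification fails
    request = {"url": "https://intranet.example/api", "process": info}
    return gateway.handle(request, auth, now=now)


def build_demo():
    """Unit trusting exactly one process (constructed), plus its gateway."""
    t = process_characteristic_info("C:/Corp/mail.exe", LEGIT_IMAGE, SIGNER)
    acu = AccessControlUnit({(t["path"], t["sha256"], t["signer"])}, b"demo-key")
    return acu, AdmissionGateway(acu)


if __name__ == "__main__":
    acu, gw = build_demo()
    print(terminal_access(acu, gw, "C:/Corp/mail.exe", LEGIT_IMAGE, SIGNER))
    print(terminal_access(acu, gw, "C:/Corp/mail.exe", TAMPERED_IMAGE, SIGNER))
```

The tampered image yields different characteristic information, so no authorization is issued and the gateway intercepts; authorization reused by another process, or an expired or forged token, is intercepted at the authentication step instead.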
It should be noted that the access control method provided in the embodiment of the present application mainly relates to cloud technology, a hosting technology that unifies hardware, software, network and other resources in a wide area network or local area network to implement computation, storage, processing and sharing of data. Cloud technology is also a general term for the network technology, information technology, integration technology, management platform technology, application technology and the like applied on the basis of the cloud computing business model; it can form a resource pool that is used on demand and is flexible and convenient. Cloud computing technology will become an important support. Background services of technical network systems, such as video websites, picture websites and more web portals, require large amounts of computing and storage resources. With the high development and application of the internet industry, each article may have its own identification mark that needs to be transmitted to a background system for logic processing, data at different levels are processed separately, and industrial data of all kinds need strong system background support, which can only be realized through cloud computing.
Further, in the field of Cloud technologies, the access control method provided in the embodiment of the present application is mainly applied to Cloud computing (Cloud computing), Cloud Security (Cloud Security), and Cloud storage (Cloud storage). The related art is described below.
(1) Cloud computing (cloud computing) is a computing mode that distributes computing tasks over a resource pool formed by a large number of computers, so that various application systems can acquire computing power, storage space, and information services as needed. The network that provides the resources is referred to as the "cloud". Resources in the "cloud" appear to the user as being infinitely expandable and available at any time, available on demand, expandable at any time, and paid for on-demand. As a basic capability provider of cloud computing, a cloud computing resource pool, which is referred to as a cloud platform for short and is generally called an Infrastructure as a Service (IaaS) platform, is established, and multiple types of virtual resources are deployed in the resource pool and are used by external clients selectively. The cloud computing resource pool mainly comprises: computing devices (which are virtualized machines, including operating systems), storage devices, and network devices. Cloud Computing is a product of development and fusion of traditional computers and Network Technologies, such as Grid Computing (Grid Computing), Distributed Computing (Distributed Computing), Parallel Computing (Parallel Computing), Utility Computing (Utility Computing), Network Storage (Network Storage Technologies), Virtualization (Virtualization), Load balancing (Load Balance), and the like. With the development of diversification of internet, real-time data stream and connecting equipment and the promotion of demands of search service, social network, mobile commerce, open collaboration and the like, cloud computing is rapidly developed. Different from the prior parallel distributed computing, the generation of cloud computing can promote the revolutionary change of the whole internet mode and the enterprise management mode in concept.
(2) Cloud Security (Cloud Security) is a general term for the security software, hardware, users, organizations and security cloud platforms applied on the basis of the cloud computing business model. Cloud security integrates emerging technologies and concepts such as parallel processing, network computing and judgment of unknown virus behaviour: abnormal monitoring of software behaviour in the network is achieved through a large number of meshed clients, the latest information on Trojans and malicious programs in the internet is obtained and sent to the server for automatic analysis and processing, and the virus and Trojan solution is then distributed to each client.
The main research directions of cloud security include: firstly, cloud computing security, which mainly studies how to ensure the security of the cloud and the various applications on it, including the security of the cloud computer system, secure storage and isolation of user data, user access authentication, information transmission security, network attack protection, compliance audit and the like; secondly, cloud-based security infrastructure, which mainly studies how to use cloud computing to build and integrate security infrastructure resources and optimize security protection mechanisms, and uses cloud computing technology to construct a very large-scale security event and information acquisition and processing platform, so that mass information can be acquired and correlated and the capability to handle and control security events and risk across the whole network is improved; and thirdly, cloud security services, which mainly study the various security services, such as anti-virus services, provided to users on the basis of a cloud computing platform.
(3) A distributed cloud storage system (hereinafter, referred to as a storage system) refers to a storage system that integrates a large number of storage devices (storage devices are also referred to as storage nodes) of various types in a network through application software or application interfaces to cooperatively work by using functions such as cluster application, grid technology, and distributed storage file system, and provides a data storage function and a service access function to the outside. At present, a storage method of a storage system is as follows: logical volumes are created, and when created, each logical volume is allocated physical storage space, which may be the disk composition of a certain storage device or of several storage devices.
In order to better understand the technical solution provided by the embodiment of the present application, some brief descriptions are provided below for application scenarios to which the technical solution provided by the embodiment of the present application is applicable, and it should be noted that the application scenarios described below are only used for illustrating the embodiment of the present application and are not limited. In specific implementation, the technical scheme provided by the embodiment of the application can be flexibly applied according to actual needs.
Referring to fig. 1a, fig. 1a shows an access control system to which the technical solution of the embodiment of the present application is applied, where the access control system includes an access control unit and an admission gateway, where the access control unit includes an authentication module and an access control module, and in a specific network topology, the access control unit and the admission gateway may be integrated on one server or may also be integrated on different servers respectively, that is, the access control unit and the admission gateway may be understood as two logical functional units, and a specific physical implementation of the access control unit and the admission gateway is not limited in this embodiment of the present application.
Wherein the main functions of the access control unit include: the method comprises the steps of authenticating and authorizing the identity of a user and a terminal, and performing continuous access control, wherein the access control comprises the establishment and the deployment of an access control strategy, dynamic security detection and dynamic protection response. The access control management background can provide centralized management capability, and the main functions comprise: user management, terminal management, resource management, and policy management, among others.
An admission gateway is a system that is exposed externally and can be directly accessed by a user (namely a terminal); its main functions comprise forwarding user requests and intercepting user requests. Forwarding a user request means forwarding an unauthorized access request for authentication and authorization, and forwarding a correctly authorized user request to the resource it accesses; interception means intercepting and blocking a user request that is forbidden to access, so as to prevent the request from continuing to the back end of the network.
The access control unit is located in the control plane, where it implements the control functions of access control such as authentication, authorization and verification, and the admission gateway is located in the data plane, where it implements the decision to forward or intercept a user request. Thus, the control channel and the data channel are separated, so that congestion in one channel affects the other as little as possible, and the function of each logical functional module in access control can be realized more reasonably.
Referring to fig. 1b in combination with fig. 1a, fig. 1b is an application scenario to which the technical solution in the embodiment of the present application is applied, that is, the access control method in the embodiment of the present application may be applied to the application environments shown in fig. 1a and fig. 1 b. As shown in fig. 1b, the application scenario is composed of a terminal system, an access control system, and a service system. The terminal system comprises an intra-enterprise terminal (taking the terminal 110-1 and the terminal 110-2 as examples in fig. 1 b) and an extra-enterprise terminal (taking the terminal 110-3 and the terminal 110-4 as examples in fig. 1 b); the access control system comprises an access control unit 120 and an admission gateway 121; the business system is composed of a plurality of business servers (in fig. 1b, the business server 130-1, the business server 130-2, and the business server 130-3 are taken as examples), and the business system can implement enterprise public cloud business, enterprise private cloud business, and enterprise local business, that is, the business system can provide public cloud service, private cloud service, and local business service, and can also provide hybrid cloud service (not shown in fig. 1 b).
The access control system is deployed between the terminal system and the service system. The access control unit 120 can authenticate and authorize each terminal and can authenticate a service access request initiated to the service system, and the admission gateway 121 passes or intercepts the service access request sent by the terminal according to the authentication result of the access control unit 120. This is equivalent to adding a layer of admission control between the terminal and the service system, so that direct coupling between the terminal and the service system can be avoided and the service access request initiated by the terminal can be effectively controlled. Each terminal may communicate with the access control unit 120 and the admission gateway 121, and the admission gateway 121 may communicate with each service server in the service system; the communication network between each terminal and the access control unit 120 and the admission gateway 121, and the communication network between the admission gateway 121 and each service server, include but are not limited to a wide area network, a metropolitan area network, or a local area network.
Public Cloud (Public Cloud) refers to a cloud provided by a third-party provider for use by users. A public cloud can generally be used through the Internet and may be free or low-cost; its core attribute is shared resource services, it has many instances, and it can provide services across the entire open public network.
Private Cloud (Private Cloud) is a method of creating cloud infrastructure and software and hardware resources inside a firewall so that each department in an organization or enterprise can share the resources in the data center. A private cloud is typically created with Infrastructure as a Service (IaaS) software in addition to hardware resources. Private cloud computing likewise comprises the three layers of cloud hardware, cloud platform and cloud service. The difference is that the cloud hardware is the user's own personal computer or server rather than a cloud computing vendor's data center. Private cloud computing serves only the individual's friends and relatives in the case of an individual, and only the employees, customers and suppliers of the enterprise in the case of an enterprise, so the personal computer or server of the individual or enterprise is sufficient to provide the cloud services.
Hybrid Cloud (Hybrid Cloud) merges public cloud and private cloud and has been the main mode and development direction of cloud computing in recent years. The private cloud is mainly oriented to enterprise users: for security reasons, enterprises prefer to store data in the private cloud, but at the same time want to obtain the computing resources of the public cloud. In this situation the hybrid cloud is adopted more and more, mixing and matching the public cloud and the private cloud to obtain the best effect, a personalized solution that achieves both cost saving and security.
Based on the application scenario shown in fig. 1b, taking the terminal 110-1 as an example, in the embodiment of the present application, when a user uses the terminal 110-1 to initiate a service access request to the service system, the terminal 110-1 obtains the process characteristic information of the application process initiating the service access request, and the process characteristic information is then subjected to trusted verification. One possible way of verification is asynchronous submission verification, specifically, sending the process characteristic information to the access control unit 120 so that the access control unit 120 verifies it; another possible way of verification is local verification, that is, the terminal 110-1 may match the process characteristic information against a trusted process list (also referred to as a process white list) previously cached from the access control unit 120, so as to implement trusted verification of the process characteristic information. When the process characteristic information passes the trusted verification, the corresponding authorization information can be obtained. The authorization information indicates that the application process initiating the service access request is a trusted application process that has passed system verification, that is, it indicates that the application process is trusted and safe.
Further, when sending a service access request to the admission gateway 121, the terminal 110-1 may send the issued authorization information to the admission gateway 121 together with it, and the admission gateway 121 may send the service access request (specifically, the access link information in the service access request) and the authorization information together to the access control unit 120, so that the access control unit 120 authenticates the accompanying service access request according to the authorization information, which is equivalent to authenticating the application process that initiated the service access request. When the authentication passes, it indicates that the application process initiating the service access request is indeed a safe process that has passed trusted verification, so the service access request may be forwarded to the corresponding service server in the service system to implement secure access to the service system. When the authentication does not pass, it indicates that the application process initiating the service access request carries a security risk; at this time the service access request may be intercepted (for example, discarded), and danger prompt information may be returned to the terminal 110-1 to notify it that the application process currently initiating the service access request on the terminal 110-1 may pose a potential safety hazard, so that the terminal user can discover and handle potential network security risks in time.
In the processing of the service access request, the application process initiating the request is used as the unit of detection and of control granularity. This fine-grained access control mechanism provides a strong management policy for the safe submission of application processes, and verifying the legitimacy of the source of the process initiating the access can improve the effectiveness of the access control, thereby reducing the security risk to the service system and enhancing its security.
The service access control of this application scenario breaks through the traditional region-based trust control mode: based on a strong management policy for application processes, all access must be authenticated and authorized, so that a user (such as an enterprise employee) can safely access the enterprise's business resources wherever and whenever they use any device, the service access can be effectively detected and controlled, flexibility and the access experience are good, security risks such as data leakage are reduced, and the overall security of enterprise office work is improved.
The access control unit 120, the admission gateway 121, and each service server (i.e., the service server 130-1, the service server 130-2, and the service server 130-3) in the service system may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud service, a cloud database, cloud computing, cloud function, cloud storage, Network service, cloud communication, middleware service, domain name service, security service, Content Delivery Network (CDN), and a big data and artificial intelligence platform. Terminal device 110-1, terminal device 110-2, terminal device 110-3, and terminal device 110-4 may be, but are not limited to, a laptop computer, a desktop computer, a kiosk, a smart phone, a tablet computer, and the like.
To further illustrate the technical solutions provided by the embodiments of the present application, the following detailed description is made with reference to the accompanying drawings and the detailed description. Although the embodiments of the present application provide the method operation steps as shown in the following embodiments or figures, more or less operation steps may be included in the method based on the conventional or non-inventive labor. In steps where no necessary causal relationship exists logically, the order of execution of the steps is not limited to that provided by the embodiments of the present application. The method can be executed in sequence or in parallel according to the method shown in the embodiment or the figure when the method is executed in an actual processing procedure or a device.
The access control method provided by the embodiment of the present application mainly relates to a terminal that initiates a service access request and an access control unit that authenticates the service access request, and can be implemented in an application scenario as shown in fig. 1a or fig. 1b, and the access control method provided by the embodiment of the present application is described below from the perspective of the terminal and the access control unit, respectively.
Referring to the access control method shown in fig. 2, the terminal is, for example, any one of the terminals inside the enterprise or the terminals outside the enterprise in the application scenario shown in fig. 1 b. The flow shown in fig. 2 is described as follows.
Step 201: and responding to the access trigger operation, and initiating a service access request through the target application process.
When a user needs to request a resource from the service system, that is, when the user needs to access the service system, a specific trigger operation may be performed on the terminal; this trigger operation is referred to here as an access trigger operation. For example, the access trigger operation is an input operation in which the user enters the address of a specified URL (Uniform Resource Locator), or, as another example, a click operation in which the user clicks a specified folder inside the enterprise, and the like.
In a specific implementation process, a user generally performs an access triggering operation on an application installed in a terminal, where the application is, for example, an office application used in an enterprise or other applications, and after the access triggering operation is detected, an application process corresponding to the application may be called to initiate a service access request, for example, the application process initiating the service access request is referred to as a target application process. An "application process" of an application may also be referred to as a process, and is an instance of the application in the process of running.
Step 202: and acquiring process characteristic information of the target application process.
Each application process has corresponding process characteristic information. The process characteristic information of an application process is information that identifies that application process and is used to identify it uniquely, that is, the process characteristic information corresponding to an application process is unique. In a specific implementation process, the process characteristic information of an application process may include one or more of a process identifier (e.g., a process name), process signature information, the process MD5 value (MD5, Message Digest Algorithm 5), the process SHA-256 value (SHA-256, a hash algorithm of the SHA-2 family), a process version number, and the like. For example, the process characteristic information of the application process with the process name "wehaha.exe" is shown in fig. 3, which lists the process name of the application process, the name of the application to which it belongs, the applicable operating system, the process signature information, the process MD5, the process version, the process sha256, and other information.
Step 203: and when the process characteristic information passes the credibility verification, obtaining the authorization information corresponding to the target application process.
The authorization information corresponding to the target application process is used to indicate that the corresponding target application process is a trusted application process verified by the system; it indicates that the corresponding application process is trusted and safe, that is, the authorization information can be regarded as an identity credential showing that the application process is a trusted application process. The authorization information may therefore also be called a process authorization credential, or a "ticket" or "process ticket"; the authorization information of a process is equivalent to a pass for the application process while it accesses the service system.
In the embodiment of the application, the process characteristic information of the target application process initiating the service access request needs to undergo trusted verification. Because the process characteristic information uniquely identifies the target application process, verifying the process characteristic information is equivalent to verifying the target application process, so that when the process characteristic information passes trusted verification, the corresponding target application process is regarded as having passed trusted verification. Trusted verification, which may also be referred to as security verification or security authentication, means verifying the safety of the target application process by means of its process characteristic information.
In the specific implementation process, the process feature information may be authenticated in multiple ways, and for the terminal, one possible way of authentication is asynchronous submission authentication, and another possible way of authentication is local authentication, which are described below with reference to fig. 4. Referring to fig. 4, steps 401 to 404 (i.e., steps 401, 402, 403 and 404) show the asynchronous submission authentication process, and steps 401, 405 and 406 show the local authentication process. The following is a detailed description.
Step 401: and acquiring process characteristic information of the target application process.
This step is the same as the implementation of step 202 described above and will not be repeated here.
Step 402: and sending the process characteristic information to the access control unit so as to carry out credible verification on the process characteristic information through the access control unit.
The asynchronous submission authentication is that the terminal sends the process characteristic information to other devices (for example, an access control unit) for remote authentication, and after receiving the process characteristic information, the access control unit may perform trusted authentication on the process characteristic information in some possible ways, and several possible authentication ways are provided below.
Mode 1:
the access control unit locally stores a second process list, which may be a trusted process list, for example referred to as a white list, and correspondingly may also be an untrusted process list, for example referred to as a black list. The access control unit may match the process characteristic information against the locally stored trusted process list and untrusted process list: if it determines that the process characteristic information exists in the white list, the target application process may be considered a trusted process, that is, trusted verification is passed; if it determines that the process characteristic information exists in the black list, the target application process may be considered an untrusted process, that is, trusted verification fails.
In another possible scenario, the process characteristic information is present in neither the white list nor the black list. Such a process may be referred to as a "gray process", that is, the system does not know whether it is a trusted white process or an untrusted black process. The access control unit may output the "gray process" identification result to the user, for example by returning it to the terminal or by displaying it directly to the administrator, so that the user can decide on the result. Alternatively, in scenarios with strong security requirements, such as banking systems, financial systems, classified systems and the like, the system can directly treat a "gray process" as an untrusted process, that is, handle the "gray process" in the same manner as a black process, so that the security of the system is ensured as far as possible.
In mode 1, the access control unit verifies the process characteristic information locally through the locally stored process lists, so verification efficiency is high; and because the locally stored process lists are set in advance by an administrator according to the nature and requirements of the enterprise, this filtering verification mode can meet the requirements of actual business scenarios as far as possible, so verification effectiveness is also high.
Mode 2:
the access control unit can purchase cloud verification services from some third-party verification platforms or establish a cooperative relationship with them, and based on such cloud verification services, the access control unit can call a cloud query interface, send the process characteristic information to the cloud verification platform corresponding to the cloud query interface, and determine whether the process characteristic information passes trusted verification according to second verification result information returned by the cloud verification platform. That is to say, the access control unit can perform remote auxiliary verification through a third-party verification platform, which reduces the verification work and the processing load of the access control unit; and because a third-party verification platform is generally a highly specialised verification organization, the effectiveness of trusted verification of the process characteristic information can be improved to a certain extent.
Mode 3:
the access control unit sends the process characteristic information to a security detection and analysis platform, so that the security detection and analysis platform performs security detection on the operating behavior of the target application process according to the process characteristic information, and determines whether the process characteristic information passes trusted verification according to the detection result output by the security detection and analysis platform. The security detection and analysis platform may be a service system providing security management, such as an SOC (Security Operations Center), a SIEM (Security Information and Event Management) system, an MSS (Managed Security Service), and the like; it may be integrated in the access control unit, integrated in another server in a distributed manner, or be an independent analysis platform. That is to say, the security detection and analysis platform may determine the target application process according to the process characteristic information and then dynamically detect its operation, for example performing security-related trusted verification of the target application process according to its operation log data over a recent period of time, so that the target application process can be effectively verified.
After the access control unit performs the trusted verification on the process feature information in any way, a final verification result may be obtained, and the verification result is represented by first verification result information, where the first verification result information is used to indicate whether the process feature information passes the trusted verification, for example, the first verification result information is used to indicate that the process feature information passes the trusted verification, or the first verification result information is used to indicate that the process feature information does not pass the trusted verification. Further, the first authentication result information may be returned to the terminal.
Step 403: and receiving first verification result information sent by the access control unit.
After receiving the first verification result information sent by the access control unit, the terminal can make clear whether the target application process currently initiating the service access request is safe and reliable according to the indication of the first verification result information.
Step 404: and receiving authorization information corresponding to the process characteristic information sent by the access control unit.
In a possible implementation manner, the access control unit may generate corresponding authorization credential information according to the process characteristic information, and send the generated authorization credential information to the terminal, so as to implement verification and trust of the target application process, for example, the authorization credential information is referred to as authorization information.
Step 405: and matching the process characteristic information with a first process list stored locally.
The first process list stored in the terminal may be downloaded from the access control unit in advance and cached, the first process list may be a process white list or a process black list, and an implementation manner in which the terminal verifies the credibility of the process feature information by using the first process list is similar to the above-described implementation manner in which the access control unit performs credibility verification by using the second process list locally stored, so that the implementation of step 405 may refer to the description of the above-described manner 1, and a description thereof will not be repeated.
Step 406: and if the matching result shows that the process characteristic information belongs to the white process, namely is located in the trusted process list, generating authorization information corresponding to the process characteristic information.
If the process characteristic information is trusted, the target application process is safe and trusted, and at this time the terminal can issue the authorization information on its own. Of course, the terminal generates the corresponding authorization information for the target application process according to the authorization mode agreed between the terminal and the access control unit; for example, the process characteristic information is encrypted with the encryption algorithm agreed between the terminal and the access control unit, so as to obtain the corresponding authorization information.
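The following is an added example, not code from the patent or from the applicant: it models the mode 1 list matching (white, black and "gray" processes, with the strict handling for high-security scenarios) and the terminal-side issuance and later authentication of the process "ticket" in steps 405 and 406. The patent does not specify the list key or the agreed algorithm; this example assumes the lists are keyed by the process sha256 value, assumes the agreed algorithm is an HMAC-SHA256 over the characteristic fields with a shared key, and uses constructed sample values throughout.

```python
"""Added example (not code from patent CN112073400A).

Assumptions not stated in the patent text:
  * trusted/untrusted lists are keyed by the process sha256 value;
  * the algorithm agreed between terminal and access control unit is an
    HMAC-SHA256 over the characteristic fields with a shared key;
  * the sample process, image bytes and key below are constructed.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class ProcessCharacteristics:
    """Process characteristic information as listed in step 202."""
    name: str      # process identifier, e.g. "wehaha.exe"
    signer: str    # process signature information (publisher of the code signature)
    md5: str
    sha256: str
    version: str


def characteristics_of(name, signer, version, image_bytes):
    """Derive the hash fields from the bytes of the executable image."""
    return ProcessCharacteristics(
        name=name, signer=signer,
        md5=hashlib.md5(image_bytes).hexdigest(),
        sha256=hashlib.sha256(image_bytes).hexdigest(),
        version=version,
    )


def classify(proc, white_list, black_list, strict=False):
    """Mode 1 matching: returns 'white', 'black' or 'gray'.

    The black list is checked first so that a process present in both lists
    is never trusted. strict=True models the banking/financial/classified
    deployments in the text, where a gray process is handled as a black one.
    """
    if proc.sha256 in black_list:
        return "black"
    if proc.sha256 in white_list:
        return "white"
    return "black" if strict else "gray"


def issue_ticket(proc, shared_key, issued_at=None, ttl=300):
    """Step 406: generate authorization information ('process ticket').

    The ticket binds the characteristic fields and a validity window to an
    HMAC tag (assumed agreed algorithm), so the gateway-forwarded ticket can
    later be authenticated by the access control unit.
    """
    issued_at = int(time.time()) if issued_at is None else issued_at
    body = {"proc": asdict(proc), "iat": issued_at, "exp": issued_at + ttl}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(shared_key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


def authenticate_ticket(ticket, shared_key, now=None):
    """Access control unit side: check tag and validity window of a ticket."""
    now = int(time.time()) if now is None else now
    payload = ticket["payload"].encode()
    expected = hmac.new(shared_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return False          # tampered or forged ticket
    body = json.loads(payload)
    return body["iat"] <= now < body["exp"]


def local_verification(proc, cached_white, cached_black, shared_key,
                       strict=False, now=None):
    """Steps 405-406 on the terminal: match against the cached lists and
    issue a ticket only for a white process. Returns (verdict, ticket)."""
    verdict = classify(proc, cached_white, cached_black, strict)
    if verdict != "white":
        return verdict, None
    return verdict, issue_ticket(proc, shared_key, issued_at=now)


# Constructed sample data (not real hashes or keys).
SHARED_KEY = b"constructed-demo-key"
SAMPLE_PROC = characteristics_of("wehaha.exe", "Example Corp", "1.0.3",
                                 b"constructed executable bytes for wehaha.exe")
WHITE_LIST = {SAMPLE_PROC.sha256}
BLACK_LIST = {hashlib.sha256(b"constructed malicious image").hexdigest()}

if __name__ == "__main__":
    verdict, ticket = local_verification(SAMPLE_PROC, WHITE_LIST, BLACK_LIST, SHARED_KEY)
    print(verdict, authenticate_ticket(ticket, SHARED_KEY))
```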
In the above description, two modes, namely asynchronous submission authentication and terminal local authentication, are introduced, and in the specific implementation process, the two modes may be implemented alternatively to perform single authentication or may be implemented simultaneously to perform dual authentication, which is not limited in the embodiment of the present application.
For the above-described two modes of asynchronous submission authentication and terminal local authentication, after the terminal or the access control unit obtains the trusted authentication result for the process feature information, the authentication result can be output to the user, so that the user can perform final manual confirmation. For example:
for the terminal local verification mode and the verification performed by the access control unit, after the terminal obtains the device's trusted verification result for the process feature information, a result confirmation interface may be displayed, where the result confirmation interface includes the trusted verification result of the process feature information. The user may then decide, according to the user's own knowledge and understanding, whether to approve the device's verification result. Specifically, the user may perform a confirmation operation (referred to here as a first confirmation operation) on the result confirmation interface, the terminal obtains the user confirmation result in response to the first confirmation operation and uses it as the final verification result, that is, the trusted verification result of the process feature information obtained by the device is updated with the user confirmation result. This secondary confirmation by the terminal user reflects the user's actual understanding of the application process as far as possible and further improves the validity of the verification.
For the asynchronous verification mode performed by the access control unit, after obtaining the trusted verification result for the process feature information, the access control unit may display a management operation interface that includes the trusted verification result for the process feature information. An administrator of the access control unit may then perform a secondary, manual confirmation of the verification result: the administrator performs a confirmation operation (referred to here as a second confirmation operation) on the management operation interface, the access control unit obtains the administrator confirmation result in response to the second confirmation operation, and then updates the trusted verification result for the process feature information obtained by the access control unit with the administrator confirmation result. This secondary confirmation at the management end likewise serves to further improve the validity of the verification.
In the above description, two ways of performing trusted authentication on the process feature information are illustrated by using fig. 4, and in a specific implementation process, the process feature information may also be verified in a manner of dual-terminal verification.
Firstly, in addition to sending the process characteristic information to the access control unit, the terminal may also send the user account information logged in at the terminal and the access link information corresponding to the service access request to the access control unit.
Further, the access control unit may perform trusted verification on the process characteristic information by using the method described above and obtain a verification result, and in another embodiment, the access control unit may not perform trusted verification on the process characteristic information.
Then, the access control unit determines, according to the user account information, a terminal to which the account information associated with the access control unit is logged in, in an embodiment of the present application, the account information associated with the user account information of the terminal is referred to as associated account information, and the terminal to which the associated account information is logged in is referred to as an associated terminal. Furthermore, the access control unit sends the process characteristic information and the access link information to the associated terminal, or if the access control unit verifies the process characteristic information, the access control unit can also send the verification result to the associated terminal together with the process characteristic information and the access link information.
Then, after receiving the process characteristic information and the access link information (and, optionally, the verification result of the access control unit on the process characteristic information), the associated terminal may display the process characteristic information and the access link information to its user. The user of the associated terminal decides whether the process characteristic information is to be regarded as credible, which triggers the associated terminal to generate user decision information, indicating whether the process characteristic information passes the trusted verification, and return it to the access control unit. When the access control unit sends its own verification result along with this information, this amounts to a risk prompt for the user: if the user does not follow the verification result of the access control unit but decides the opposite way, the user bears responsibility for any later security problem. Therefore, in one embodiment, if the user decision information contradicts the verification result of the access control unit, the access control unit may store the user decision information in association with the corresponding user account information and access link information. On the one hand, the user decision information can be acted upon directly; on the other hand, the record allows the cause to be analysed and responsibility to be assigned if a security incident occurs later.
In the above embodiment, the associated account information corresponding to the user account information may be the user account information itself, for example, the user logs in the user account information of himself at the computer end and the mobile phone end at the same time, when the service access request is initiated at the computer end, the access control unit may further send the relevant process characteristic information and the access link information to the mobile phone end, so that the user performs secondary authentication at the mobile phone end, that is, performs secondary authentication through another terminal having the same login identity, and thus, the validity and the security of access control may be further improved by means of the dual-terminal authentication.
In another embodiment, the associated account information corresponding to the user account information is other user account information different from the user account information, for example, account information of other users in the same group as the user is account information of a company administrator, or account management information of a boss of the user, and the like, so that, equivalently, an audit role is added through the associated terminal, and validity and security of access control can be further improved through a dual-terminal verification mode.
Step 204: sending the service access request and the authorization information to an admission gateway, so that the admission gateway releases or intercepts the service access request according to the authentication result of the service access request, wherein the service access request is authenticated through the authorization information.
After obtaining the authorization information, the terminal may assemble the service access request and the authorization information and send the assembled service access request and authorization information to the admission gateway, for example, reassemble the service access request and authorization information into one piece of information according to a transmission protocol between the terminal and the admission gateway and send the information to the admission gateway, so that the admission gateway can correctly receive the service access request and the corresponding authorization information sent by the terminal.
After receiving the service access request and the corresponding authorization information, the admission gateway may send them to the access control unit for authentication processing, for example by sending the access connection information and the authorization information corresponding to the service access request to the access control unit. The access control unit then authenticates the service access request using the authorization information: for example, it decrypts the authorization information according to the agreed decryption algorithm and then checks whether the authorization information is still within its validity period. If both checks succeed, the current service access request is considered safe, that is, the service access request passes authentication, and the authentication result is notified to the admission gateway.
The access gateway can correspondingly process the service access request according to the authentication result returned by the access control unit. Specifically, when the authentication is passed, the admission gateway may distribute the service access request to the corresponding service server, so as to obtain the corresponding resource from the service server and forward the resource to the terminal, or directly send the corresponding resource to the terminal by the service server. When the authentication is not passed, the service access request may be intercepted, for example, the service access request may be directly discarded, and meanwhile, danger prompt information may be returned to the terminal, so as to inform a user of the terminal that a security risk exists or a target application process currently initiating the service access request is illegal.
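As an added illustration that is not part of the patent text, the following Python sketch shows one way the authorization information described above could be issued and later authenticated by the access control unit, including the validity-period check and the admission gateway's release-or-intercept decision. In place of the agreed encryption of the process characteristic information, it uses a keyed HMAC over the information plus an issue and expiry time; the shared key, the time-to-live, the field names and the sample process information are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret agreed between terminal and access control unit (placeholder value).
AGREED_KEY = b"example-shared-key-do-not-use-in-production"
TICKET_TTL_SECONDS = 300  # assumed validity period of the authorization information


def issue_authorization(process_info, key=AGREED_KEY, now=None, ttl=TICKET_TTL_SECONDS):
    """Mint authorization information ("ticket") for a process that passed trusted verification.

    The ticket binds the process characteristic information to an issue time and an
    expiry time and is protected with HMAC-SHA256 under the agreed key, so only a
    holder of the key (terminal or access control unit) can produce a valid one.
    """
    issued = int(now if now is not None else time.time())
    payload = {"process": process_info, "iat": issued, "exp": issued + ttl}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def authenticate_request(ticket, request_process_info, key=AGREED_KEY, now=None):
    """Access control unit side: check integrity, validity period and binding to the request.

    Returns (passed, reason). Failures are reported by category so the admission
    gateway can tell the terminal why a request was intercepted.
    """
    try:
        body_b64, tag_b64 = ticket.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return False, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "bad-signature"
    try:
        payload = json.loads(body)
        issued, expiry, bound_process = payload["iat"], payload["exp"], payload["process"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    current = now if now is not None else time.time()
    if not issued <= current < expiry:
        return False, "expired"
    if bound_process != request_process_info:  # a ticket must not be reused for another process
        return False, "process-mismatch"
    return True, "ok"


def admission_gateway(service_request, ticket, now=None):
    """Admission gateway decision: release the request on success, otherwise intercept it."""
    passed, reason = authenticate_request(ticket, service_request["process"], now=now)
    return "release" if passed else "intercept:" + reason


if __name__ == "__main__":
    # Constructed sample: a terminal-side process fingerprint and the request it initiates.
    proc = {"path": "/usr/bin/example-client", "sha256": "0123abcd"}
    ticket = issue_authorization(proc)
    print(admission_gateway({"process": proc, "url": "https://intranet.example/api"}, ticket))
```

The same `issue_authorization` function serves both the asynchronous mode (the access control unit mints the ticket) and the terminal local mode (the terminal mints it with the agreed key), which is what makes the agreed generation method a prerequisite for the access control unit to authenticate terminal-issued tickets later.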
In the embodiment of the application, the application process is used as the granularity of access control, and the fine-grained access control mechanism can ensure the availability of each application and carry out risk control from the source of the access process, so that the effectiveness of access control can be effectively improved, and the safety of the whole service system is improved.
In the embodiment of the present application, based on the above-described access control on the application process, the authority verification may be performed on the user, which is described as an example below.
In one implementation, the user account information and the application identifier of the application to which the target application process belongs are sent to the access control unit, so that the access control unit determines whether the account corresponding to the user account information has permission to use the application indicated by the application identifier; a first permission matching result sent by the access control unit is received, and then it is determined according to the first permission matching result whether the account corresponding to the user account information has permission to use the application indicated by the application identifier. That is to say, the applications the user is permitted to use can be checked first, and an application the user has no permission to use does not allow the user to initiate a service access request, so that the user's permissions are verified, resource leakage is avoided, and access security is improved.
In another embodiment, the user account information and the resource identification information of the target resource to be accessed corresponding to the service access request are sent to the access control unit, so that the access control unit determines whether the account corresponding to the user account information has permission to access the target resource; a second permission matching result sent by the access control unit is received, and then it is determined according to the second permission matching result whether the account corresponding to the user account information has permission to access the target resource. That is to say, the resources the user is permitted to access can be verified, so that the user's permissions are verified, resource leakage is avoided, and access security is improved.
For the convenience of understanding of those skilled in the art, the technical solutions provided by the embodiments of the present application will be described below with reference to the accompanying drawings.
Referring to fig. 5, a specific embodiment of the process for asynchronous submission of process characteristic information in a terminal by an access control unit in an access control system is shown in fig. 5, and a flow shown in fig. 5 is described as follows.
Step 501: and the terminal initiates a service access request through the target application process and obtains process characteristic information of the target application process.
Step 502: the terminal sends the process characteristic information to the access control unit so as to perform asynchronous verification of the process characteristic information through the access control unit.
Step 503: and the access control unit carries out credible verification on the process characteristic information.
Step 504: upon determining that the process characteristic information passes trusted verification, the access control unit generates authorization information corresponding to the target application process, which may be referred to as a "ticket", for example.
Step 505: and the access control unit sends the generated authorization information to the terminal.
Step 506: and the terminal sends the service access request and the authorization information to an admission gateway in the service control system.
Step 507: the access gateway sends the received service access request and authorization information to the access control unit for authentication.
After receiving the service access request and the authorization information sent by the terminal, the admission gateway needs to authenticate the service access request and the authorization information, specifically, requests the access control unit to authenticate the service access request and the authorization information.
Step 508: and the access control unit authenticates the service access request according to the authorization information to obtain an authentication result, wherein the authentication result indicates that the authentication is passed or not passed.
Step 509: and the access control unit sends the authentication result to the access gateway.
Step 510: the admission gateway forwards the service access request to the service server to request the corresponding resources from the service server when it determines, according to the authentication result, that the authentication is passed.
On the other hand, if the admission gateway determines according to the authentication result that the authentication is not passed, the service access request is directly intercepted locally, so that security control of network access is realized.
Referring again to fig. 6, which is a flowchart illustrating a process for jointly verifying process feature information by an access control unit and a terminal in an access control system, in an embodiment, the process shown in fig. 6 is described as follows.
Step 601: and the terminal initiates a service access request through the target application process and obtains process characteristic information of the target application process.
Step 602: and the terminal locally verifies the credibility of the process characteristic information.
For example, the terminal may match the process characteristic information with a local first process list (a process white list or a process black list) to determine that the process characteristic information is located in the process white list or the process black list, so as to determine whether the process characteristic information passes the trust verification.
During local verification, the process characteristic information may not be in a white list nor a black list, and at this time, the process characteristic information may be regarded as a "grey process", and for the "grey process", a prompt message may be popped out to a user to allow the user to manually confirm a trusted verification result, or in some strong security service scenarios, the "grey process" may be directly regarded as a black process.
Step 603: when the local verification passes, the terminal sends the process characteristic information to the access control unit so as to perform secondary verification through the access control unit, thereby achieving joint verification.
Step 604: and the access control unit carries out credible verification on the process characteristic information.
Step 605: upon determining that the process characteristic information passes trusted verification, the access control unit generates authorization information corresponding to the target application process, which may be referred to as a "ticket", for example.
Step 606: and the access control unit sends the generated authorization information to the terminal.
Step 607: and the terminal sends the service access request and the authorization information to an admission gateway in the service control system.
Step 608: the access gateway sends the received service access request and authorization information to the access control unit for authentication.
After receiving the service access request and the authorization information sent by the terminal, the admission gateway needs to authenticate the service access request and the authorization information, specifically, requests the access control unit to authenticate the service access request and the authorization information.
Step 609: the access control unit authenticates the service access request according to the authorization information to obtain an authentication result, and the authentication result indicates that the authentication is passed or not passed.
Step 610: and the access control unit sends the authentication result to the access gateway.
Step 611: and the admission gateway forwards the service access request to the service server to request corresponding resources from the service server when determining that the authentication is passed according to the authentication result.
On the other hand, if the access gateway determines that the authentication is not passed according to the authentication result, the service access request is directly intercepted locally, so that the security control of network access is realized.
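The local white list / black list matching of step 602 (and the identical step 702 below), including the handling of a "grey process", can be sketched as follows. This is an added example, not code from the patent: the list contents, the (path, sha256) fingerprint used for matching, the `confirm` callback standing in for the prompt to the user, and the `submit_to_acu` callback standing in for the secondary verification at the access control unit are all assumptions. Ticket generation is left to the access control unit and is not repeated here.

```python
WHITE, BLACK, GREY = "white", "black", "grey"

# Constructed local first process list: (path, sha256) fingerprints. Example values only.
PROCESS_WHITELIST = {("/usr/bin/mail-client", "a1b2"), ("/usr/bin/browser", "c3d4")}
PROCESS_BLACKLIST = {("/tmp/dropper", "e5f6")}


def classify_process(process_info, whitelist=PROCESS_WHITELIST, blacklist=PROCESS_BLACKLIST):
    """Match the process characteristic information against the local white and black lists.

    A process on neither list is a "grey process". The black list is consulted first
    (a design choice here) so that an entry appearing on both lists is rejected.
    """
    fingerprint = (process_info["path"], process_info["sha256"])
    if fingerprint in blacklist:
        return BLACK
    if fingerprint in whitelist:
        return WHITE
    return GREY


def local_verify(process_info, whitelist=PROCESS_WHITELIST, blacklist=PROCESS_BLACKLIST,
                 strict=False, confirm=None):
    """Terminal local trusted verification. Returns (passed, category).

    Grey processes are handed to the user for manual confirmation via `confirm`
    (a callback standing in for the prompt dialog); in strict service scenarios, or
    when no confirmation channel exists, a grey process is treated as black.
    """
    category = classify_process(process_info, whitelist, blacklist)
    if category == WHITE:
        return True, category
    if category == BLACK:
        return False, category
    if strict or confirm is None:
        return False, category
    return bool(confirm(process_info)), category


def joint_verify(process_info, submit_to_acu, whitelist=PROCESS_WHITELIST,
                 blacklist=PROCESS_BLACKLIST, strict=False, confirm=None):
    """Joint verification as in the fig. 6 flow: local check first, then the access control unit.

    `submit_to_acu` stands in for sending the process characteristic information to the
    access control unit and receiving its verification result (True or False). Anything
    rejected locally is never submitted, which keeps the unit's workload to candidates
    the terminal itself considers credible.
    """
    passed, category = local_verify(process_info, whitelist, blacklist, strict, confirm)
    if not passed:
        return {"passed": False, "stage": "local", "category": category}
    return {"passed": bool(submit_to_acu(process_info)), "stage": "acu", "category": category}


if __name__ == "__main__":
    # Constructed sample: an unknown tool, confirmed by the user, then rejected by the unit.
    grey = {"path": "/opt/new-tool", "sha256": "9999"}
    print(joint_verify(grey, submit_to_acu=lambda p: False, confirm=lambda p: True))
```

Matching on the (path, hash) pair rather than the path alone means a white-listed path with an unexpected binary hash falls into the grey category instead of silently passing; whether the terminal prompts or rejects in that case is then governed by the `strict` flag.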
Referring again to another specific embodiment shown in fig. 7, fig. 7 illustrates a process of independently verifying process characteristic information by a terminal, and a flow shown in fig. 7 is described as follows.
Step 701: and the terminal initiates a service access request through the target application process and obtains process characteristic information of the target application process.
Step 702: and the terminal locally verifies the credibility of the process characteristic information.
For example, the terminal may match the process characteristic information with a local first process list (a process white list or a process black list) to determine that the process characteristic information is located in the process white list or the process black list, so as to determine whether the process characteristic information passes the trust verification.
During local verification, the process characteristic information may not be in a white list nor a black list, and at this time, the process characteristic information may be regarded as a "grey process", and for the "grey process", a prompt message may be popped out to a user to allow the user to manually confirm a trusted verification result, or in some strong security service scenarios, the "grey process" may be directly regarded as a black process.
Step 703: and when the local verification passes, the terminal generates authorization information corresponding to the target application process.
It should be noted that the manner of generating the authorization information by the terminal needs to be agreed with the access control unit in advance, so that the access control unit can authenticate the service access request initiated by the terminal according to the authorization information subsequently.
Step 704: and the terminal sends the service access request and the authorization information to an admission gateway in the service control system.
Step 705: the access gateway sends the received service access request and authorization information to the access control unit for authentication.
After receiving the service access request and the authorization information sent by the terminal, the admission gateway needs to authenticate the service access request and the authorization information, specifically, requests the access control unit to authenticate the service access request and the authorization information.
Step 706: the access control unit authenticates the service access request according to the authorization information to obtain an authentication result, and the authentication result indicates that the authentication is passed or not passed.
Step 707: and the access control unit sends the authentication result to the access gateway.
Step 708: and the admission gateway forwards the service access request to the service server to request corresponding resources from the service server when determining that the authentication is passed according to the authentication result.
Referring again to another specific embodiment shown in fig. 8, fig. 8 illustrates a process of performing dual-terminal authentication on process characteristic information by a terminal and an associated terminal associated with the terminal, and a flow shown in fig. 8 is described as follows.
Step 801: and the terminal initiates a service access request through the target application process and obtains process characteristic information of the target application process.
Step 802: and the terminal sends the process characteristic information, the user account information and the access link information corresponding to the service access request to the access control unit.
Step 803: and the access control unit carries out credible verification on the process characteristic information to obtain a verification result.
In a specific implementation, step 803 is an optional step, which may or may not be performed.
Step 804: the access control unit determines, according to the user account information, the terminal on which the associated account information corresponding to the user account information is logged in, referred to as the associated terminal.
Step 805: and the access control unit sends the process characteristic information and the access link information to the associated terminal.
In another embodiment, if step 803 is performed, the verification result may be sent to the associated terminal in step 805.
Step 806: the associated terminal outputs (e.g., presents) the process characteristic information and the access link information to the user, and obtains user decision information.
The user decision information is used for indicating whether the process characteristic information passes the credible verification, the user decision information is a decision made manually by the user, the decision indicates an actual selection result of the user, and it can be known that the selection result of the user and the verification result obtained by the access control unit may be the same or different.
Step 807: and the associated terminal sends the user decision information to the access control unit.
Step 808: and the access control unit determines whether the process characteristic information passes the credibility verification according to the user decision information.
Step 809: and when the access control unit determines that the process characteristic information passes the credibility verification, generating authorization information and sending the authorization information to the terminal.
Step 810: and the terminal sends a service access request and authorization information to the access gateway.
Step 811: and when the admission gateway determines that the authentication is passed, the admission gateway forwards the service access request to a service server to request corresponding resources.
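The access control unit's part of the dual-terminal flow (steps 803 to 808 above, together with the handling of contradicting user decisions described earlier) can be modelled as follows. This is an added example and not code from the patent: the login-session table, the unit's own trust list, the administrator association and the `ask_user` callback that stands in for presenting the information on the associated terminal are assumptions, and issuing the authorization information after a positive decision is left out.

```python
class AccessControlUnit:
    """Access control unit side of dual-terminal verification (fig. 8, steps 803 to 808).

    sessions:            account -> set of terminal ids on which that account is logged in
    trusted_hashes:      the unit's own trust list, used for the optional verification of step 803
    associated_accounts: account -> account whose terminal acts as auditor (an administrator, say);
                         accounts not listed are associated with themselves (same login identity)
    All of these are constructed inputs for the example.
    """

    def __init__(self, sessions, trusted_hashes, associated_accounts=None):
        self.sessions = sessions
        self.trusted_hashes = set(trusted_hashes)
        self.associated_accounts = dict(associated_accounts or {})
        # User decisions that contradicted the unit's own result, stored with the
        # account and access link so the cause can be analysed after an incident.
        self.override_log = []

    def own_verification(self, process_info):
        """Step 803 (optional): the unit's own trusted verification of the process information."""
        return process_info["sha256"] in self.trusted_hashes

    def associated_terminals(self, account, requesting_terminal):
        """Step 804: terminals where the associated account is logged in, excluding the requester."""
        target = self.associated_accounts.get(account, account)
        return sorted(t for t in self.sessions.get(target, ()) if t != requesting_terminal)

    def dual_terminal_verify(self, requesting_terminal, account, process_info, access_link,
                             ask_user, verify_first=True):
        """Steps 803 to 808. `ask_user(terminal, context)` returns the user's decision
        (True = credible, False = not) made on the associated terminal."""
        unit_result = self.own_verification(process_info) if verify_first else None
        terminals = self.associated_terminals(account, requesting_terminal)
        if not terminals:
            # No second device to confirm on: fail closed rather than silently degrade.
            return {"credible": False, "reason": "no-associated-terminal",
                    "unit_result": unit_result, "terminal": None}
        terminal = terminals[0]
        # Step 805: the unit's own result travels with the information as a risk prompt.
        context = {"process": process_info, "link": access_link, "unit_result": unit_result}
        decision = bool(ask_user(terminal, context))  # steps 806 and 807
        if unit_result is not None and decision != unit_result:
            self.override_log.append({"account": account, "link": access_link, "terminal": terminal,
                                      "decision": decision, "unit_result": unit_result})
        # Step 808: the user decision is what determines whether the process is credible.
        return {"credible": decision, "reason": "user-decision",
                "unit_result": unit_result, "terminal": terminal}


if __name__ == "__main__":
    # Constructed sample: alice is logged in on a PC and a phone; the PC initiates the request.
    acu = AccessControlUnit({"alice": {"pc-01", "phone-01"}}, trusted_hashes={"a1b2"})
    result = acu.dual_terminal_verify("pc-01", "alice", {"path": "/opt/new-tool", "sha256": "9999"},
                                      "https://intranet.example/api", ask_user=lambda term, ctx: True)
    print(result, acu.override_log)
```

Choosing the associated terminal with `sorted(...)[0]` is only for determinism in the example; a deployment would pick the device the user is actually present at. The `override_log` is the unit's record of the "user decided against our result" case the patent describes, and is what later responsibility analysis would consult.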
In the above-mentioned specific implementation process of fig. 5 to 8, reference may be made to the description part of the embodiment of fig. 2 to 4, and the description will not be repeated here.
The embodiment of the application provides multiple ways of performing trusted verification on the process characteristic information and offers good flexibility: in a specific implementation, a single verification may be used, or several of them may be combined, which is not limited in the embodiment of the application.
Based on the same inventive concept, an access control system provided in the embodiments of the present application, as shown in fig. 9, includes an access control unit 901 and an admission gateway 902, where:
an access control unit 901, configured to receive process characteristic information sent by a terminal, determine authorization information corresponding to a target application process when it is determined that the process characteristic information passes trusted verification, and send the authorization information to the terminal, where the process characteristic information is used to identify the target application process initiating a service access request in the terminal;
an admission gateway 902, configured to receive a service access request and authorization information sent by a terminal, send the service access request and the authorization information to an access control unit, and obtain an authentication result sent by the access control unit;
the access control unit 901 is further configured to receive a service access request and authorization information sent by the admission gateway, authenticate the service access request according to the authorization information, and send an authentication result to the admission gateway;
the admission gateway 902 is further configured to release or intercept the service access request according to the authentication result.
The specific implementation of the access control unit 901 in this embodiment may refer to the description of the access control unit in the foregoing method embodiment, and the specific implementation of the admission gateway 902 may refer to the description of the admission gateway in the foregoing method embodiment; the description is not repeated here.
Based on the same inventive concept, the embodiments of the present application provide an access control device, which may be a hardware structure, a software module, or a hardware structure plus a software module. The access control device is, for example, any one of the terminals in fig. 1b, or may be a functional device disposed in any one of the terminals, and the access control device may be implemented by a system-on-chip, and the system-on-chip may be formed by a chip, or may include a chip and other discrete devices. Referring to fig. 10, the access control apparatus in the embodiment of the present application includes an access module 1001, an obtaining module 1002, an authenticating module 1003, and a sending module 1004, where:
an access module 1001, configured to initiate a service access request through a target application process in response to an access trigger operation;
an obtaining module 1002, configured to obtain process characteristic information of the target application process, where the process characteristic information is used to identify the target application process;
the verification module 1003 is configured to obtain authorization information corresponding to the target application process when the process feature information passes trusted verification;
a sending module 1004, configured to send the service access request and the authorization information to an admission gateway, so as to allow the admission gateway to pass or intercept the service access request according to an authentication result of the service access request, where the service access request is authenticated through the authorization information.
In one possible implementation, the verification module 1003 is configured to:
sending the process characteristic information to an access control unit so as to carry out credible verification on the process characteristic information through the access control unit;
receiving first verification result information sent by an access control unit;
and determining whether the process characteristic information passes the trusted verification or fails the trusted verification according to the first verification result information.
In one possible implementation, the verification module 1003 is configured to:
matching the process characteristic information with a first process list;
and determining whether the process characteristic information passes the credibility verification according to the matching result of the first process list.
In one possible implementation, the verification module 1003 is configured to:
determining that the process characteristic information fails trusted verification according to the matching result; or,
determining that the process characteristic information passes trusted verification according to the matching result; or,
and when the process characteristic information is confirmed to pass the credible verification according to the matching result, sending the process characteristic information to the access control unit, and confirming whether the process characteristic information passes the credible verification according to second verification result information sent by the access control unit.
In one possible implementation, the verification module 1003 is configured to:
displaying a result confirmation interface, wherein the result confirmation interface comprises a credible verification result of the process characteristic information;
responding to a first confirmation operation aiming at a result confirmation interface, and obtaining a user confirmation result used for representing whether the process characteristic information passes the credibility verification;
and updating the credible verification result of the process characteristic information with the user confirmation result.
In one possible implementation, the verification module 1003 is further configured to:
and when the user confirmation result is different from the credible verification result of the process characteristic information, sending the user confirmation result to the access control unit.
In one possible implementation, the verification module 1003 is configured to:
when the process characteristic information passes trusted verification, receiving authorization information generated and sent by the access control unit; or,
and when the process characteristic information passes the credibility verification, generating authorization information.
In one possible implementation, the verification module 1003 is configured to:
sending the user account information and the application identifier of the application to which the target application process belongs to an access control unit, and determining whether an account corresponding to the user account information has the authority to use the application indicated by the application identifier through the access control unit;
receiving a first permission matching result sent by an access control unit;
and determining that the account corresponding to the user account information has the authority to use the application indicated by the application identifier according to the first authority matching result.
In one possible implementation, the verification module 1003 is configured to:
sending the user account information and the resource identification information of the target resource to be accessed corresponding to the service access request to an access control unit so as to determine whether an account corresponding to the user account information has authority to access the target resource or not through the access control unit;
receiving a second permission matching result sent by the access control unit;
and determining that the account corresponding to the user account information has the authority to access the target resource according to the second authority matching result.
All relevant contents of each step related in the foregoing embodiment of the access control method may be cited in the description of the function module corresponding to the access control device in the embodiment of the present application, and are not described herein again.
Based on the same inventive concept, the embodiments of the present application provide an access control device, which may be a hardware structure, a software module, or a hardware structure plus a software module. The access control device is, for example, the access control unit 120 in fig. 1b, or may be a functional device disposed in the access control unit, and the access control device may be implemented by a chip system, and the chip system may be formed by a chip, or may include a chip and other discrete devices. Referring to fig. 11, an access control apparatus in this embodiment of the present application includes a receiving module 1101, a determining module 1102, a sending module 1103, and an access control module 1104, where:
a receiving module 1101, configured to receive process characteristic information sent by a terminal, where the process characteristic information is used to identify the target application process in the terminal that initiated a service access request;
a determining module 1102, configured to determine authorization information corresponding to a target application process when it is determined that the process characteristic information passes the trusted verification;
a sending module 1103, configured to send the authorization information to the terminal;
the receiving module 1101 is further configured to receive a service access request and authorization information sent by an admission gateway;
and the access control module 1104 is configured to authenticate the service access request according to the authorization information, and send an authentication result to the admission gateway, so that the service access request is released or intercepted through the admission gateway according to the authentication result.
In one possible implementation, the access control module 1104 is further configured to:
displaying a management operation interface, wherein the management operation interface comprises a credible verification result of the process characteristic information;
responding to a second confirmation operation aiming at the management operation interface, and obtaining an administrator confirmation result used for representing whether the process characteristic information passes the credibility verification;
and updating the credible verification result of the process characteristic information with the confirmation result of the administrator.
In a possible implementation manner, the receiving module 1101 is further configured to receive user account information and access link information corresponding to a service access request sent by a terminal;
then, the access control module 1104 is configured to:
determining a related terminal logged in by related account information corresponding to the user account information;
and sending the process characteristic information and the access link information to the associated terminal, and determining whether the process characteristic information passes or fails the credible verification according to the user decision information sent by the associated terminal.
In one possible implementation, the determining module 1102 is configured to:
determining whether the process characteristic information passes the credibility verification according to whether the process characteristic information has a matching result in a second process list; or,
calling a cloud query interface, sending the process characteristic information to a cloud verification platform corresponding to the cloud query interface, and determining whether the process characteristic information passes trusted verification according to third verification result information sent by the verification platform; or,
and sending the process characteristic information to a security detection analysis platform so as to perform security detection on the operation behavior of the target application process through the security detection analysis platform according to the process characteristic information, and determining whether the process characteristic information passes credible verification according to a detection result output by the security detection analysis platform.
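The access control unit side of the scheme, covering the module description above (receive process characteristic information, determine authorization information, authenticate the request the admission gateway forwards) and the three verification sources just listed (second process list, cloud verification platform, security detection platform). This is an added example, not the patentee's implementation: the authorization format (a JSON body bound to the process hash, account and expiry, protected by an HMAC-SHA256 tag), the key, the order in which the verification sources are consulted, and the request field names are assumptions made for the example.

```python
"""Access-control-unit and admission-gateway roles of the scheme described on this
page. Added example, not the patentee's code; token format, key, source order and
request field names are assumptions."""
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional

Feature = Dict[str, str]                         # process characteristic information
Verifier = Callable[[Feature], Optional[bool]]   # cloud query / detection stub: True, False or None

RELEASE, INTERCEPT = "release", "intercept"


class AccessControlUnit:
    def __init__(self, second_process_list: Dict[str, bool], key: bytes,
                 cloud_query: Optional[Verifier] = None, detection: Optional[Verifier] = None,
                 ttl_seconds: int = 300, clock: Callable[[], float] = time.time) -> None:
        self.plist = second_process_list        # image hash -> trusted?
        self.key = key                          # assumed HMAC key; a real unit would use a managed key
        self.cloud_query = cloud_query
        self.detection = detection
        self.ttl = ttl_seconds
        self.clock = clock

    def trusted_verification(self, feat: Feature) -> bool:
        """Second process list first, then the cloud verification platform, then the
        security detection platform; a process unknown to all of them is not trusted."""
        verdict = self.plist.get(feat["image_sha256"])
        if verdict is None and self.cloud_query is not None:
            verdict = self.cloud_query(feat)
        if verdict is None and self.detection is not None:
            verdict = self.detection(feat)
        return bool(verdict)

    def issue_authorization(self, feat: Feature, account: str) -> Optional[str]:
        """Authorization information returned to the terminal, or None when verification fails.
        Assumed format: hex(JSON body) '.' HMAC-SHA256 tag."""
        if not self.trusted_verification(feat):
            return None
        body = {"proc": feat["image_sha256"], "account": account, "exp": int(self.clock()) + self.ttl}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return payload.hex() + "." + tag

    def authenticate(self, request: Dict[str, str], authorization: str) -> str:
        """Authenticates the (service access request, authorization) pair the gateway forwards."""
        try:
            payload_hex, tag = authorization.split(".", 1)
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return INTERCEPT                    # malformed authorization
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return INTERCEPT                    # forged or tampered authorization
        body = json.loads(payload)
        if body["exp"] < self.clock():
            return INTERCEPT                    # stale authorization
        if body["proc"] != request["proc_sha256"] or body["account"] != request["account"]:
            return INTERCEPT                    # issued for a different process or account
        return RELEASE


class AdmissionGateway:
    """Forwards request and authorization to the unit; releases or intercepts per its result."""
    def __init__(self, unit: AccessControlUnit) -> None:
        self.unit = unit

    def handle(self, request: Dict[str, str], authorization: str) -> str:
        return self.unit.authenticate(request, authorization)


def demo() -> Dict[str, object]:
    """Constructed sample: one image on the second process list, one the cloud platform rejects."""
    trusted_hash = hashlib.sha256(b"constructed trusted image").hexdigest()
    unknown_hash = hashlib.sha256(b"constructed unknown image").hexdigest()
    unit = AccessControlUnit({trusted_hash: True}, key=b"constructed-example-key",
                             cloud_query=lambda f: False if f["image_sha256"] == unknown_hash else None)
    gateway = AdmissionGateway(unit)
    feat = {"path": "/opt/app/client", "image_sha256": trusted_hash}
    auth = unit.issue_authorization(feat, "alice")
    req = {"account": "alice", "proc_sha256": trusted_hash, "resource": "https://intranet.example/api"}
    tampered = auth[:-1] + ("0" if auth[-1] != "0" else "1")   # flip last tag character
    return {
        "issued": auth is not None,
        "unknown_denied": unit.issue_authorization({"path": "/tmp/x", "image_sha256": unknown_hash}, "alice") is None,
        "genuine": gateway.handle(req, auth),
        "tampered": gateway.handle(req, tampered),
        "other_account": gateway.handle(dict(req, account="mallory"), auth),
    }
```

Binding the authorization to the process hash and the account is what lets the unit reject a token that a different process or user replays; the expiry limits how long a once-trusted process can keep using it.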
In a possible implementation manner, the receiving module 1101 receives user account information and access link information corresponding to a service access request sent by a terminal;
then, determining whether the process characteristic information passes the trusted verification includes:
determining a related terminal logged in by related account information corresponding to the user account information;
and sending the process characteristic information and the access link information to the associated terminal, and determining whether the process characteristic information passes or fails the credible verification according to the user decision information sent by the associated terminal.
Optionally, the access control module 1104 is configured to:
determining whether the process characteristic information passes the credible verification to obtain fourth verification result information;
and sending the fourth verification result information, the process characteristic information and the access link information to the associated terminal.
All relevant contents of each step related in the foregoing embodiment of the access control method may be cited in the description of the function module corresponding to the access control device in the embodiment of the present application, and are not described herein again.
The division of the modules in the embodiments of the present application is schematic and represents only one logical functional division; in actual implementation there may be another division manner. In addition, each functional module in each embodiment of the present application may be integrated in one processor, may exist alone physically, or two or more modules may be integrated in one module. The integrated module may be realized in hardware or as a software functional module.
Based on the same inventive concept, an embodiment of the present application provides a computing device, for example any of the foregoing terminals in fig. 1b or the access control unit 120, which is capable of executing the access control method provided in the embodiment of the present application. As shown in fig. 12, the computing device in the embodiment of the present application includes at least one processor 1201, and a memory 1202 and a communication interface 1203 connected to the at least one processor 1201. The specific connection medium between the processor 1201 and the memory 1202 is not limited in the embodiment of the present application; in fig. 12, the processor 1201 and the memory 1202 are connected by a bus 1200 as an example. The bus 1200 is represented by a thick line in fig. 12, and the connection manner between other components is merely illustrated schematically and is not limited. The bus 1200 may be divided into an address bus, a data bus, a control bus, etc.; for ease of illustration only one thick line is shown in fig. 12, but this does not indicate that there is only one bus or one type of bus.
In the embodiment of the present application, the memory 1202 stores a computer program executable by the at least one processor 1201, and the at least one processor 1201 may execute the steps included in the foregoing access control method by executing the computer program stored in the memory 1202.
The processor 1201 is a control center of the computing device, and may connect various parts of the entire computing device by using various interfaces and lines, and perform various functions and process data of the computing device by operating or executing instructions stored in the memory 1202 and calling data stored in the memory 1202, thereby performing overall monitoring of the computing device. Optionally, the processor 1201 may include one or more processing modules, and the processor 1201 may integrate an application processor and a modem processor, where the processor 1201 mainly handles an operating system, a user interface, an application program, and the like, and the modem processor mainly handles wireless communication. It will be appreciated that the modem processor described above may not be integrated into the processor 1201. In some embodiments, the processor 1201 and the memory 1202 may be implemented on the same chip, or in some embodiments, they may be implemented separately on separate chips.
The processor 1201 may be a general-purpose processor, such as a Central Processing Unit (CPU), digital signal processor, application specific integrated circuit, field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like, that may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or may be implemented by a combination of hardware and software modules in a processor.
Memory 1202, which is a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. The Memory 1202 may include at least one type of storage medium, for example a flash Memory, a hard disk, a multimedia card, a card-type Memory, a RAM (Random Access Memory), an SRAM (Static Random Access Memory), a PROM (Programmable Read Only Memory), a ROM (Read Only Memory), an EEPROM (Electrically Erasable Programmable Read-Only Memory), a magnetic Memory, a magnetic disk, an optical disk, and so on. The memory 1202 may also be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to such. The memory 1202 in the embodiments of the present application may also be circuitry or any other device capable of performing a storage function for storing program instructions and/or data.
The communication interface 1203 is a transmission interface capable of performing communication, and may receive data or transmit data through the communication interface 1203, for example, data interaction with other devices through the communication interface 1203 may be performed to achieve the purpose of communication.
Further, the computing device includes a basic input/output system (I/O system) 1204, a mass storage device 1208 for storing an operating system 1205, application programs 1206, and other program modules 1207, which facilitate transfer of information between the various devices within the computing device.
The basic input/output system 1204 includes a display 1209 for displaying information and an input device 1210 such as a mouse, keyboard, etc. for user input of information. Where a display 1209 and an input device 1210 are connected to the processor 1201 through the basic input/output system 1204 connected to the system bus 1200. The basic input/output system 1204 may also include an input/output controller for receiving and processing input from a number of other devices, such as a keyboard, mouse, or electronic stylus. Similarly, an input-output controller may also provide output to a display screen, a printer, or other type of output device.
The mass storage device 1208 is connected to the processor 1201 through a mass storage controller (not shown) connected to the system bus 1200. The mass storage device 1208 and its associated computer-readable media provide non-volatile storage for the computing device. That is, the mass storage device 1208 may include a computer-readable medium (not shown) such as a hard disk or CD-ROM drive.
According to various embodiments of the present application, the computing device may also be operated by a remote computer connected through a network, such as the Internet. That is, the computing device may be connected to the network 1211 through a communication interface 1203 connected to the system bus 1200, or may be connected to another type of network or remote computer system (not shown) using the communication interface 1203.
Based on the same inventive concept, the present application also provides a storage medium, which may be a computer-readable storage medium, and the storage medium stores computer instructions, which, when executed on a computer, cause the computer to perform the steps of the access control method as described above.
Based on the same inventive concept, embodiments of the present application further provide a chip system, where the chip system includes a processor and may further include a memory, and is configured to implement the steps of the foregoing access control method. The chip system may be formed by a chip, and may also include a chip and other discrete devices.
In some possible implementations, various aspects of the access control method provided in the embodiments of the present application may also be implemented in the form of a program product including program code for causing a computer to perform the steps of the access control method according to various exemplary implementations of the present application described above when the program product is run on the computer.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (15)

1. An access control method, characterized in that the method comprises:
responding to the access triggering operation, and initiating a service access request through a target application process;
acquiring process characteristic information of the target application process, wherein the process characteristic information is used for identifying the target application process;
when the process characteristic information passes the credibility verification, obtaining authorization information corresponding to the target application process;
and sending the service access request and the authorization information to an admission gateway so as to pass through the admission gateway according to an authentication result of the service access request or intercept the service access request, wherein the service access request is authenticated through the authorization information.
2. The method of claim 1, wherein determining whether the process characteristic information passes a trusted verification comprises:
sending the process characteristic information to an access control unit so as to carry out credible verification on the process characteristic information through the access control unit;
receiving first verification result information sent by the access control unit;
and determining whether the process characteristic information passes the trusted verification or fails the trusted verification according to the first verification result information.
3. The method of claim 1, wherein determining whether the process characteristic information passes a trusted verification comprises:
matching the process characteristic information with a first process list;
and determining whether the process characteristic information passes the credibility verification according to the matching result of the first process list.
4. The method of claim 3, wherein determining whether the process characteristic information passes trust verification based on a match to the first process list comprises:
determining that the process characteristic information fails trusted verification according to the matching result; or,
determining that the process characteristic information passes credible verification according to the matching result; or,
and when the process characteristic information is confirmed to pass the credible verification according to the matching result, sending the process characteristic information to an access control unit, and confirming whether the process characteristic information passes the credible verification according to second verification result information sent by the access control unit.
5. The method of any of claims 2-4, wherein the method further comprises:
displaying a result confirmation interface, wherein the result confirmation interface comprises a credible verification result of the process characteristic information;
responding to a first confirmation operation aiming at the result confirmation interface, and obtaining a user confirmation result used for representing whether the process characteristic information passes the credibility verification;
and updating the credible verification result of the process characteristic information according to the user confirmation result.
6. The method of claim 1, wherein obtaining authorization information corresponding to the target application process when the process characteristic information passes trusted verification comprises:
when the process characteristic information passes the credibility verification, receiving the authorization information generated and sent by an access control unit; or,
and when the process characteristic information passes the credibility verification, generating the authorization information.
7. The method of claim 1, wherein the method further comprises:
sending user account information and an application identifier of an application to which the target application process belongs to the access control unit, so as to determine whether an account corresponding to the user account information has permission to use the application indicated by the application identifier through the access control unit;
receiving a first permission matching result sent by the access control unit;
and determining that the account corresponding to the user account information has the authority to use the application indicated by the application identifier according to the first authority matching result.
8. The method of claim 1, wherein prior to obtaining process characteristic information for the target application process, the method further comprises:
sending user account information and resource identification information of a target resource to be accessed corresponding to the service access request to the access control unit, so as to determine whether an account corresponding to the user account information has authority to access the target resource through the access control unit;
receiving a second permission matching result sent by the control gateway;
and determining that the account corresponding to the user account information has the authority to access the target resource according to the second authority matching result.
9. An access control method, characterized in that the method comprises:
receiving process characteristic information sent by a terminal, wherein the process characteristic information is used for identifying a target application process initiating a service access request in the terminal;
when the process characteristic information is confirmed to pass the credibility verification, confirming authorization information corresponding to the target application process, and sending the authorization information to the terminal;
receiving the service access request and the authorization information sent by an access gateway;
and authenticating the service access request according to the authorization information, and sending an authentication result to the access gateway so as to pass through the access gateway or intercept the service access request according to the authentication result.
10. The method of claim 9, wherein the method further comprises:
displaying a management operation interface, wherein the management operation interface comprises a credible verification result of the process characteristic information;
responding to a second confirmation operation aiming at the management operation interface, and obtaining an administrator confirmation result used for representing whether the process characteristic information passes the credibility verification;
and updating the credible verification result of the process characteristic information with the administrator confirmation result.
11. The method of claim 9, wherein the method further comprises:
receiving user account information sent by the terminal and access link information corresponding to the service access request;
then, determining whether the process characteristic information passes the trusted verification includes:
determining a related terminal logged in by related account information corresponding to the user account information;
and sending the process characteristic information and the access link information to the associated terminal, and determining whether the process characteristic information passes or fails the credible verification according to the user decision information sent by the associated terminal.
12. An access control system, characterized in that the system comprises an access control unit and an admission gateway, wherein:
the access control unit is used for receiving process characteristic information sent by a terminal, determining authorization information corresponding to a target application process when the process characteristic information is determined to pass credibility verification, and sending the authorization information to the terminal, wherein the process characteristic information is used for identifying the target application process initiating a service access request in the terminal;
the access gateway is used for receiving the service access request and the authorization information sent by the terminal, sending the service access request and the authorization information to the access control unit, and obtaining an authentication result sent by the access control unit;
the access control unit is further configured to receive the service access request and the authorization information sent by the admission gateway, authenticate the service access request according to the authorization information, and send an authentication result to the admission gateway;
and the access gateway is also used for releasing or intercepting the service access request according to the authentication result.
13. An access control apparatus, characterized in that the apparatus comprises:
the access module is used for responding to the access triggering operation and initiating a service access request through the target application process;
an obtaining module, configured to obtain process characteristic information of the target application process, where the process characteristic information is used to identify the target application process;
the verification module is used for obtaining the authorization information corresponding to the target application process when the process characteristic information passes the credible verification;
and the sending module is used for sending the service access request and the authorization information to an access gateway so as to pass through the access gateway according to an authentication result of the service access request or intercept the service access request, wherein the service access request is authenticated through the authorization information.
14. An access control apparatus, characterized in that the apparatus comprises:
the system comprises a receiving module, a processing module and a processing module, wherein the receiving module is used for receiving process characteristic information sent by a terminal, and the process characteristic information is used for identifying a target application process of a service access request initiated by the terminal;
the determining module is used for determining authorization information corresponding to the target application process when the process characteristic information is determined to pass the credibility verification;
a sending module, configured to send the authorization information to the terminal;
the receiving module is further configured to receive the service access request and the authorization information sent by an admission gateway;
and the access control module is used for authenticating the service access request according to the authorization information and sending an authentication result to the access gateway so as to release or intercept the service access request according to the authentication result through the access gateway.
15. A computing device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps comprised by the method of any one of claims 1 to 8 or the steps comprised by the method of any one of claims 9 to 11 when executing the computer program.
CN202010889163.5A 2020-08-28 2020-08-28 Access control method, system and device and computing equipment Pending CN112073400A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010889163.5A CN112073400A (en) 2020-08-28 2020-08-28 Access control method, system and device and computing equipment
Publications (1)

Publication Number Publication Date
CN112073400A true CN112073400A (en) 2020-12-11

Family

ID=73660327
Country Status (1)

Country Link
CN (1) CN112073400A (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112866232A (en) * 2021-01-13 2021-05-28 新华三信息安全技术有限公司 Access control system, access control method and related device
CN113282628A (en) * 2021-06-09 2021-08-20 支付宝(杭州)信息技术有限公司 Big data platform access method and device, big data platform and electronic equipment
CN113422768A (en) * 2021-06-21 2021-09-21 深圳竹云科技有限公司 Application access method and device in zero trust and computing equipment
CN113946815A (en) * 2021-10-21 2022-01-18 深圳致星科技有限公司 Authorization method for federal learning and privacy calculations
CN114124556A (en) * 2021-11-29 2022-03-01 深信服科技股份有限公司 Network access control method, device, equipment and storage medium
CN114143783A (en) * 2021-09-15 2022-03-04 杭州优云科技有限公司 Method and system for identifying illegal access equipment in wireless local area network
CN114363373A (en) * 2021-12-31 2022-04-15 中国第一汽车股份有限公司 Application communication management system, method, device, electronic device and storage medium
CN114417336A (en) * 2022-01-24 2022-04-29 北京新桥信通科技股份有限公司 Application system side safety management and control method and system
CN114553484A (en) * 2022-01-18 2022-05-27 国电南瑞科技股份有限公司 Dual access authority control method and system based on two-dimensional security marker
CN114567678A (en) * 2022-02-28 2022-05-31 天翼安全科技有限公司 Resource calling method and device of cloud security service and electronic equipment
CN114745145A (en) * 2021-01-07 2022-07-12 腾讯科技(深圳)有限公司 Business data access method, device and equipment and computer storage medium
CN114760181A (en) * 2022-03-16 2022-07-15 山东省大数据中心 System and method for realizing dynamic cluster expansion based on distributed cluster architecture
CN115001770A (en) * 2022-05-25 2022-09-02 山东极光智能科技有限公司 Zero-trust-based service access control system and control method
CN115134175A (en) * 2022-09-01 2022-09-30 北京辰尧科技有限公司 Security communication method and device based on authorization strategy
CN116094849A (en) * 2023-04-11 2023-05-09 深圳竹云科技股份有限公司 Application access authentication method, device, computer equipment and storage medium

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090221266A1 (en) * 2005-10-13 2009-09-03 Ntt Docomo, Inc. Mobile terminal, access control management device, and access control management method
CN103532981A (en) * 2013-10-31 2014-01-22 中国科学院信息工程研究所 Identity escrow and authentication cloud resource access control system and method for multiple tenants
US9058504B1 (en) * 2013-05-21 2015-06-16 Malwarebytes Corporation Anti-malware digital-signature verification
CN105094996A (en) * 2015-07-21 2015-11-25 电子科技大学 Security-enhancing method and system of Android system based on dynamic authority verification
CN105577730A (en) * 2014-10-24 2016-05-11 腾讯数码(深圳)有限公司 Data transfer method and device
US20160321653A1 (en) * 2015-05-01 2016-11-03 Capital One Services, Llc Systems and Methods for Secure Authentication of Online Transactions Using Tokens
WO2016188256A1 (en) * 2016-01-25 2016-12-01 中兴通讯股份有限公司 Application access authentication method, system, apparatus and terminal
CN106778327A (en) * 2016-11-28 2017-05-31 龙存(苏州)科技有限公司 A kind of safety certifying method of distributed file system
CN107689944A (en) * 2016-08-05 2018-02-13 阿里巴巴集团控股有限公司 Identity identifying method, device and system
CN107766744A (en) * 2017-11-11 2018-03-06 创元网络技术股份有限公司 File destination guard method based on forced symmetric centralization
CN109194673A (en) * 2018-09-20 2019-01-11 江苏满运软件科技有限公司 Authentication method, system, equipment and storage medium based on authorized user message
CN111181987A (en) * 2020-01-02 2020-05-19 随锐科技集团股份有限公司 Secondary verification method and system based on cloud different terminal devices
CN111277565A (en) * 2020-01-08 2020-06-12 北京松果电子有限公司 Information processing method and device, and storage medium
AU2020100734A4 (en) * 2019-05-24 2020-06-18 Medikey Australia Pty Ltd Systems and methods for secure digital file sharing and authenticating
CN111416826A (en) * 2020-03-24 2020-07-14 江苏易安联网络技术有限公司 System and method for safely releasing and accessing application service
CN111506915A (en) * 2019-01-31 2020-08-07 阿里巴巴集团控股有限公司 Authorized access control method, device and system

Patent Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090221266A1 (en) * 2005-10-13 2009-09-03 Ntt Docomo, Inc. Mobile terminal, access control management device, and access control management method
US9058504B1 (en) * 2013-05-21 2015-06-16 Malwarebytes Corporation Anti-malware digital-signature verification
CN103532981A (en) * 2013-10-31 2014-01-22 中国科学院信息工程研究所 Identity escrow and authentication cloud resource access control system and method for multiple tenants
CN105577730A (en) * 2014-10-24 2016-05-11 腾讯数码(深圳)有限公司 Data transfer method and device
US20160321653A1 (en) * 2015-05-01 2016-11-03 Capital One Services, Llc Systems and Methods for Secure Authentication of Online Transactions Using Tokens
CN105094996A (en) * 2015-07-21 2015-11-25 电子科技大学 Security-enhancing method and system of Android system based on dynamic authority verification
WO2016188256A1 (en) * 2016-01-25 2016-12-01 中兴通讯股份有限公司 Application access authentication method, system, apparatus and terminal
CN107689944A (en) * 2016-08-05 2018-02-13 阿里巴巴集团控股有限公司 Identity identifying method, device and system
CN106778327A (en) * 2016-11-28 2017-05-31 龙存(苏州)科技有限公司 Security authentication method for a distributed file system
CN107766744A (en) * 2017-11-11 2018-03-06 创元网络技术股份有限公司 Target file protection method based on mandatory access control
CN109194673A (en) * 2018-09-20 2019-01-11 江苏满运软件科技有限公司 Authentication method, system, equipment and storage medium based on authorized user message
CN111506915A (en) * 2019-01-31 2020-08-07 阿里巴巴集团控股有限公司 Authorized access control method, device and system
AU2020100734A4 (en) * 2019-05-24 2020-06-18 Medikey Australia Pty Ltd Systems and methods for secure digital file sharing and authenticating
CN111181987A (en) * 2020-01-02 2020-05-19 随锐科技集团股份有限公司 Secondary verification method and system based on cloud different terminal devices
CN111277565A (en) * 2020-01-08 2020-06-12 北京松果电子有限公司 Information processing method and device, and storage medium
CN111416826A (en) * 2020-03-24 2020-07-14 江苏易安联网络技术有限公司 System and method for safely releasing and accessing application service

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114745145A (en) * 2021-01-07 2022-07-12 腾讯科技(深圳)有限公司 Business data access method, device and equipment and computer storage medium
CN112866232B (en) * 2021-01-13 2022-03-29 新华三信息安全技术有限公司 Access control system, access control method and related device
CN112866232A (en) * 2021-01-13 2021-05-28 新华三信息安全技术有限公司 Access control system, access control method and related device
CN113282628A (en) * 2021-06-09 2021-08-20 支付宝(杭州)信息技术有限公司 Big data platform access method and device, big data platform and electronic equipment
CN113422768A (en) * 2021-06-21 2021-09-21 深圳竹云科技有限公司 Application access method and device in zero trust and computing equipment
CN114143783A (en) * 2021-09-15 2022-03-04 杭州优云科技有限公司 Method and system for identifying illegal access equipment in wireless local area network
CN113946815A (en) * 2021-10-21 2022-01-18 深圳致星科技有限公司 Authorization method for federal learning and privacy calculations
CN114124556A (en) * 2021-11-29 2022-03-01 深信服科技股份有限公司 Network access control method, device, equipment and storage medium
CN114124556B (en) * 2021-11-29 2023-12-29 深信服科技股份有限公司 Network access control method, device, equipment and storage medium
CN114363373A (en) * 2021-12-31 2022-04-15 中国第一汽车股份有限公司 Application communication management system, method, device, electronic device and storage medium
CN114363373B (en) * 2021-12-31 2024-03-15 中国第一汽车股份有限公司 Application communication management system, method, device, electronic equipment and storage medium
CN114553484A (en) * 2022-01-18 2022-05-27 国电南瑞科技股份有限公司 Dual access authority control method and system based on two-dimensional security marker
CN114417336A (en) * 2022-01-24 2022-04-29 北京新桥信通科技股份有限公司 Application system side safety management and control method and system
CN114567678A (en) * 2022-02-28 2022-05-31 天翼安全科技有限公司 Resource calling method and device of cloud security service and electronic equipment
CN114760181A (en) * 2022-03-16 2022-07-15 山东省大数据中心 System and method for realizing dynamic cluster expansion based on distributed cluster architecture
CN115001770A (en) * 2022-05-25 2022-09-02 山东极光智能科技有限公司 Zero-trust-based service access control system and control method
CN115134175A (en) * 2022-09-01 2022-09-30 北京辰尧科技有限公司 Security communication method and device based on authorization strategy
CN115134175B (en) * 2022-09-01 2022-11-15 北京辰尧科技有限公司 Security communication method and device based on authorization strategy
CN116094849A (en) * 2023-04-11 2023-05-09 深圳竹云科技股份有限公司 Application access authentication method, device, computer equipment and storage medium
CN116094849B (en) * 2023-04-11 2023-06-09 深圳竹云科技股份有限公司 Application access authentication method, device, computer equipment and storage medium

Similar Documents

Publication Publication Date Title
CN112073400A (en) Access control method, system and device and computing equipment
US11075955B2 (en) Methods and systems for use in authorizing access to a networked resource
US11102190B2 (en) Method and system for blockchain based cyber protection of network entities
US9479481B2 (en) Secure scalable multi-tenant application delivery system and associated method
EP3014847B1 (en) Secure hybrid file-sharing system
US9148414B1 (en) Credential management in a multi-tenant environment
EP3583531A1 (en) Method and system for blockchain based cyber protection of network entities
CN114679293A (en) Access control method, device and storage medium based on zero trust security
CN115113970A (en) Data processing method based on container engine and related equipment
JP2024505692A (en) Data processing methods, devices and computer equipment based on blockchain networks
US9485234B1 (en) Virtualized endpoints in a multi-tenant environment
Uddin et al. Mobile agent based multi-layer security framework for cloud data centers
Ding et al. Bloccess: enabling fine-grained access control based on blockchain
CN111597537B (en) Block chain network-based certificate issuing method, related equipment and medium
CN113051611B (en) Authority control method of online file and related product
Lin et al. User-managed access delegation for blockchain-driven IoT services
CN112104625B (en) Process access control method and device
CN111769956B (en) Service processing method, device, equipment and medium
Kim et al. A new cost-saving and efficient method for patch management using blockchain
Kandil et al. Mobile agents' authentication using a proposed light Kerberos system
US20220150277A1 (en) Malware detonation
US20240022546A1 (en) Master ledger and local host log extension detection and mitigation of forged authentication attacks
Bhandari et al. A Preliminary Study On Emerging Cloud Computing Security Challenges
Ismail et al. Key distribution framework for a mobile agent platform
KR20220168860A (en) System and method for authenticating security level of content provider

Legal Events

Date Code Title Description
PB01 Publication
REG Reference to a national code
Ref country code: HK
Ref legal event code: DE
Ref document number: 40035775
Country of ref document: HK
TA01 Transfer of patent application right
Effective date of registration: 20210914
Address after: 100086 Beijing Haidian District Zhichun Road 49 No. 3 West 309
Applicant after: TENCENT CLOUD COMPUTING (BEIJING) Co.,Ltd.
Address before: 35th floor, Tencent building, Keji Zhongyi Road, high tech Zone, Nanshan District, Shenzhen City, Guangdong Province
Applicant before: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.
SE01 Entry into force of request for substantive examination