CN113360939A - Control method and device for security access - Google Patents


Info

Publication number: CN113360939A
Authority: CN (China)
Prior art keywords: matching, dimension, strategy, data, execution sequence
Legal status: Granted
Application number: CN202110615234.7A
Other languages: Chinese (zh)
Other versions: CN113360939B (en)
Inventors: 赵军, 李刚, 王建召
Current assignee: Beijing Skyguard Network Security Technology Co ltd
Original assignee: Beijing Skyguard Network Security Technology Co ltd
Events: application filed by Beijing Skyguard Network Security Technology Co ltd; priority to CN202110615234.7A; publication of CN113360939A; application granted; publication of CN113360939B; legal status active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database

Abstract

The invention discloses a method and a device for controlling security access, and relates to the field of computer technology. In one embodiment, the method comprises: obtaining a matching policy related to the access data, the matching policy comprising a plurality of matching dimensions; determining the execution order of the matching dimensions in the matching policy based on the time consumption value of each matching dimension; and judging whether access data matching the matching dimensions exists. One or more matching policies are thus used to detect whether the access data carries a security risk associated with a matching policy, and determining the execution order of the matching dimensions improves the efficiency of security access control, which in turn improves the user's experience of accessing and obtaining data.

Description

Control method and device for security access
Technical Field
The present invention relates to the field of computer technology, and in particular to a method and an apparatus for controlling security access.
Background
With the development and wide application of internet technology, internet applications have become indispensable tools in people's lives and work, and the requirements on the security of internet application data are therefore ever higher.
At present, as the requirements on data security rise, the security access control policies applied to data become more complex and the detection granularity within a control policy becomes finer. The added complexity of the control policy lowers the efficiency of controlling security access to the data, which slows the response to data access requests and degrades the user's experience of accessing data.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for controlling security access. They obtain a matching policy related to the access data, the matching policy including multiple matching dimensions; determine an execution order of the matching dimensions in the matching policy based on the time consumption value of each matching dimension; and judge whether access data matching the matching dimensions exists. One or more matching policies are thus used to detect whether the access data carries a security risk associated with a matching policy, and determining the execution order of the matching dimensions improves the efficiency of security access control, which in turn improves the user's experience of accessing and obtaining data.
To achieve the above object, according to an aspect of an embodiment of the present invention, there is provided a method for controlling security access, comprising: obtaining a matching policy related to access data, the matching policy comprising a plurality of matching dimensions; obtaining a time consumption value corresponding to each matching dimension, and determining an execution order of the matching dimensions in the matching policy according to the time consumption values, the execution order indicating that a matching dimension with a smaller time consumption value is executed earlier; obtaining, from the access data, the feature data related to each matching dimension; matching each item of feature data in turn against its corresponding matching dimension in the execution order; and if any feature data does not match the control data corresponding to its matching dimension, ending the matching operation for the matching policy and determining that the access data is not abnormal.
Optionally, in the method for controlling security access, matching each item of feature data in turn against its corresponding matching dimension in the execution order comprises executing the following steps N1 to N5 in a loop:
N1: determining the current matching dimension in the execution order of the matching dimensions of the matching policy;
N2: matching the feature data related to the current matching dimension against the control data corresponding to the current matching dimension; if the match is unsuccessful, performing step N3, otherwise performing step N4;
N3: determining that the case in which some feature data does not match the control data of its matching dimension has occurred, and ending the current process;
N4: judging whether the current matching dimension is the last matching dimension in the execution order; if so, ending the current process, otherwise going to step N5;
N5: taking the matching dimension that follows the current matching dimension in the execution order as the new current matching dimension, and executing step N2.
Optionally, in the method for controlling security access, when there are multiple matching policies, a policy execution order of the matching policies is determined based on the sum of the time consumption values of the matching dimensions included in each matching policy, the policy execution order indicating that a matching policy with a smaller sum of time consumption values is executed first;
according to the policy execution order, the following steps A1 to A3 are executed in a loop for each matching policy:
A1: obtaining the current matching policy, and performing steps N1 to N5 for the current matching policy;
A2: judging whether every item of feature data matches its matching dimension included in the current matching policy; if so, ending the current process and determining that the access data is abnormal, otherwise executing A3;
A3: judging whether the current matching policy is the last matching policy in the policy execution order; if not, taking the next matching policy after the current one as the current matching policy and executing step A1; if so, ending the current process.
Optionally, in the method for controlling security access, the matching dimensions include any one or more of: a numeric exact-match dimension, a text exact-match dimension, a range-match dimension and a fuzzy-match dimension.
Optionally, the method for controlling security access further comprises: when the matching dimension is the numeric exact-match dimension and/or the text exact-match dimension, constructing a hash index over the control data corresponding to that matching dimension, and matching each item of feature data in turn against the control data of its matching dimension using the hash index.
Optionally, the method for controlling security access further comprises: when the matching dimension is the range-match dimension, constructing a red-black tree index or a balanced tree index over the control data corresponding to that matching dimension, and matching each item of feature data in turn against the control data of its matching dimension using the red-black tree index or balanced tree index.
To achieve the above object, according to a second aspect of an embodiment of the present invention, there is provided a control apparatus for security access, comprising a matching policy obtaining module, a matching dimension processing module and a security access control module, wherein:
the matching policy obtaining module is used for obtaining a matching policy related to the access data, the matching policy comprising a plurality of matching dimensions;
the matching dimension processing module is used for obtaining a time consumption value corresponding to each matching dimension and determining an execution order of the matching dimensions in the matching policy according to the time consumption values, the execution order indicating that a matching dimension with a smaller time consumption value is executed earlier;
the security access control module is used for obtaining, from the access data, the feature data related to each matching dimension; matching each item of feature data in turn against its corresponding matching dimension in the execution order; and, if any feature data does not match the control data corresponding to its matching dimension, ending the matching operation for the matching policy and determining that the access data is not abnormal.
To achieve the above object, according to a third aspect of the embodiments of the present invention, there is provided an electronic device for controlling security access, comprising: one or more processors; and storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to carry out any of the above methods for controlling security access.
To achieve the above object, according to a fourth aspect of the embodiments of the present invention, there is provided a computer-readable medium on which a computer program is stored, the program, when executed by a processor, implementing any of the above methods for controlling security access.
One embodiment of the above invention has the following advantages or benefits: it obtains a matching policy related to the access data, the matching policy comprising a plurality of matching dimensions; determines the execution order of the matching dimensions in the matching policy based on the time consumption value of each matching dimension; and judges whether access data matching the matching dimensions exists. One or more matching policies are thus used to detect whether the access data carries a security risk associated with a matching policy, and determining the execution order of the matching dimensions improves the efficiency of security access control, which in turn improves the user's experience of accessing and obtaining data.
Further effects of the optional features above are described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting it. In the drawings:
FIG. 1 is a schematic flowchart of a method for controlling security access according to an embodiment of the present invention;
FIG. 2 is a flowchart of a process for performing security access control according to an embodiment of the present invention;
FIG. 3 is a flowchart of another process for performing security access control according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a control apparatus for security access according to an embodiment of the present invention;
FIG. 5 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
FIG. 6 is a schematic block diagram of a computer system suitable for implementing a terminal device or server of an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings; various details of the embodiments are included to assist understanding and are to be regarded as merely exemplary. Those of ordinary skill in the art will recognize that various changes and modifications can be made to the embodiments described herein without departing from the scope and spirit of the invention. Descriptions of well-known functions and constructions are omitted for clarity and conciseness.
As shown in FIG. 1, an embodiment of the present invention provides a method for controlling security access, which may include the following steps:
Step S101: obtaining a matching policy related to the access data, the matching policy comprising a plurality of matching dimensions.
Specifically, the access data is the data that requires security access control, for example files, text and packets transmitted over the network, IP addresses and server domain names involved in the network access, local files, and other data.
Further, a matching policy associated with the access data is obtained, the matching policy comprising a plurality of matching dimensions. When controlling security access to data, one or more matching policies may be set; one matching policy may include multiple matching dimensions, and the matching results of the dimensions are combined by an AND operation. For example, matching policy 1 shown below includes three matching dimensions:
Matching policy 1: matching dimension 1 & matching dimension 2 & matching dimension 3
The matching dimensions include any one or more of: a numeric exact-match dimension, a text exact-match dimension, a range-match dimension and a fuzzy-match dimension.
The numeric exact-match dimension is used, for example, to match file types (such as text = 1, picture = 2) and URL categories (such as absolute URL = 1, relative URL = 2; or URL containing an IP address = 1, URL containing a domain name = 2); the text exact-match dimension is used, for example, to match host names, proxy host names and application identifiers; the range-match dimension is used, for example, to match a set time period; the fuzzy-match dimension is used to match keywords expressed as wildcards or regular expressions, URL text, text in the messages of transmitted packets, and the like. The matching dimensions can be set according to the data that requires security access control; the invention does not limit the specific content of the access data, the matching policy or the matching dimensions.
Step S102: obtaining a time consumption value corresponding to each matching dimension, and determining the execution order of the matching dimensions in the matching policy according to the time consumption values, the execution order indicating that a matching dimension with a smaller time consumption value is executed earlier.
Specifically, the time consumption value of each matching dimension is obtained, for example the time consumption values of the numeric exact-match, text exact-match, range-match and fuzzy-match dimensions. The time consumed by a match depends on the complexity of the query and comparison; for example, based on experience or testing, the time consumption values from smallest to largest are: numeric exact-match dimension, text exact-match dimension, range-match dimension, fuzzy-match dimension. The fuzzy-match dimension can be further divided into categories such as fuzzy string query and regular expression matching, and the time consumption values can be ranked further by category, for example: the fuzzy string query has a smaller time consumption value than regular expression matching.
Further, the execution order of the matching dimensions in the matching policy is determined according to the time consumption values. For example, matching policy 1 used for security access control includes three matching dimensions, namely a text exact-match dimension, a range-match dimension and a fuzzy-match dimension; according to the time consumption value of each, the execution order from first to last is determined as: text exact-match dimension & range-match dimension & fuzzy-match dimension, the execution order indicating that the matching dimension with the smaller time consumption value is executed first. Because the matching dimension with the smaller time consumption value is executed first, when the feature data of the access data does not match the control data of the text exact-match dimension executed first, it is already established that the access data is not abnormal. The control data corresponding to a matching dimension is one or more preset items known to carry a security risk; for example, the control data of the text exact-match dimension may be a set of preset known abnormal host names, and the control data of the numeric exact-match dimension may be a set of preset known abnormal file types. The invention does not limit the specific number, content or format of the control data. In other words, whether the feature data of the access data carries a security risk or an anomaly is judged by matching it against the control data of the corresponding dimensions.
Therefore, access data without security risk (that is, without anomaly) can be identified using the execution order with the smaller time consumption. Without ordering the matching dimensions, a dimension with a large time consumption value may be executed before a dimension with a small time consumption value; in particular, when the dimension with the small time consumption value has no matching control data, executing it first greatly reduces the matching time, improves the efficiency of security access control and improves the user experience.
Step S103: obtaining, from the access data, the feature data related to each matching dimension; matching each item of feature data in turn against its corresponding matching dimension in the execution order; and, if any feature data does not match the control data corresponding to its matching dimension, ending the matching operation for the matching policy and determining that the access data is not abnormal.
Specifically, the access data is received and the feature data related to each matching dimension is extracted from it. For example: the feature data associated with the numeric exact-match dimension is the file type, URL category and so on; the feature data associated with the text exact-match dimension is the host name, proxy host name, application identifier and so on; the feature data associated with the range-match dimension is the set time period and so on; and the feature data associated with the fuzzy-match dimension is keywords, URL text, text in the messages of transmitted packets and so on.
Further, each item of feature data is matched in turn against its corresponding matching dimension in the execution order. For example, if security access control is to be performed on the file type, URL category, keywords and URL text contained in the access data, the file type and URL category are first matched against the numeric exact-match dimension, and the keywords and URL text are then matched against the fuzzy-match dimension; that is, each item of feature data is matched against its matching dimension in the execution order.
Further, if any feature data does not match the control data corresponding to its matching dimension, the matching operation for the matching policy is ended and the access data is determined to be not abnormal. For example, the matching policy corresponding to the access data is matching policy 1, which includes the following three matching dimensions:
Matching policy 1: text exact-match dimension & range-match dimension & fuzzy-match dimension
Suppose that during matching the host name in the access data does not match any control data of the text exact-match dimension; this means that the access data containing that host name is not abnormal. In other words, whenever any feature data fails to match the control data of its matching dimension, the matching result of that dimension is FALSE, and because the results of the matching dimensions in a matching policy are combined by an AND operation, a FALSE result for the text exact-match dimension executed first already makes the result of the whole matching policy FALSE. The other matching dimensions of the policy therefore need not be executed: the matching operation for the matching policy ends and the access data is determined to be not abnormal. Combining the matching dimensions with an AND operation thus improves the efficiency with which abnormal data is ruled out. If, on the other hand, all three dimensions in "text exact-match dimension & range-match dimension & fuzzy-match dimension" find a match, the matching result of the matching policy is TRUE, which indicates that the access data carries a security risk, that is, the data is abnormal; when the access data is determined to be abnormal, a security prompt message about the access data may be generated and sent.
Preferably, when the matching dimension is the numeric exact-match dimension and/or the text exact-match dimension, a hash index is constructed over the control data corresponding to that matching dimension, and each item of feature data is matched in turn against the control data of its matching dimension using the hash index. The control data is as described in step S102 and is not repeated here. Building a hash index over the control data of the numeric exact-match and/or text exact-match dimension further improves the efficiency of data matching and therefore the efficiency of security access control.
Preferably, when the matching dimension is the range-match dimension, a red-black tree index or a balanced tree index is constructed over the control data corresponding to that matching dimension, and each item of feature data is matched in turn against the control data of its matching dimension using the red-black tree index or balanced tree index. The control data is as described in step S102 and is not repeated here. Building a red-black tree index or balanced tree index over the control data of the range-match dimension further improves the efficiency of data matching and therefore the efficiency of security access control.
As shown in FIG. 2, an embodiment of the present invention provides a method for performing security access control, which may include the following steps:
Step S201: determining the current matching dimension in the execution order of the matching dimensions of the matching policy.
Step S202: matching the feature data related to the current matching dimension against the control data corresponding to the current matching dimension.
Step S203: judging whether the match is successful; if it is unsuccessful, executing step S204, otherwise executing step S205.
Step S204: determining that some feature data does not match the control data corresponding to its matching dimension, and ending the current process (executing step S207).
Step S205: judging whether the current matching dimension is the last matching dimension in the execution order; if so, executing step S207, otherwise executing step S206.
Step S206: taking the matching dimension that follows the current matching dimension in the execution order as the new current matching dimension, and executing step S202.
Step S207: ending the current process.
Specifically, the matching policy, the matching dimensions and the determination of the execution order are as described in steps S101 to S103 and are not repeated here. Steps S201 to S206 describe the process of performing security access control over the matching dimensions included in one matching policy; that is, matching each item of feature data in turn against its corresponding matching dimension in the execution order comprises executing the following steps N1 to N5 in a loop:
N1: determining the current matching dimension in the execution order of the matching dimensions of the matching policy;
N2: matching the feature data related to the current matching dimension against the control data corresponding to the current matching dimension; if the match is unsuccessful, performing step N3, otherwise performing step N4;
N3: determining that the case in which some feature data does not match the control data of its matching dimension has occurred, and ending the current process;
N4: judging whether the current matching dimension is the last matching dimension in the execution order; if so, ending the current process, otherwise going to step N5;
N5: taking the matching dimension that follows the current matching dimension in the execution order as the new current matching dimension, and executing step N2.
As shown in FIG. 3, an embodiment of the present invention provides a method for performing security access control, which may include the following steps:
Step S301: obtaining the current matching policy, and performing steps N1 to N5 for the current matching policy.
Step S302: judging whether every item of feature data matches its matching dimension included in the current matching policy; if so, executing step S303, otherwise executing step S304.
Step S303: determining that the access data is abnormal, and executing step S306.
Step S304: judging whether the current matching policy is the last matching policy in the policy execution order; if so, executing step S306, otherwise executing step S305.
Step S305: taking the next matching policy after the current matching policy as the current matching policy, and executing step S301.
Step S306: ending the current process.
Steps S301 to S306 describe the method of security access control performed when there are multiple matching policies. Specifically, when there are multiple matching policies, the sum of the time consumption values of the matching dimensions included in each matching policy is calculated, for example:
Matching policy 1: numeric exact-match dimension & text exact-match dimension
Matching policy 2: numeric exact-match dimension & range-match dimension
Matching policy 3: text exact-match dimension & fuzzy-match dimension
The policy execution order is determined, from the smallest sum of time consumption values to the largest, as matching policy 1, matching policy 2, matching policy 3. These matching policies are only examples; in practice the matching policies are set according to the feature data of the access data and the application scenario.
That is, when there are a plurality of matching policies, determining a policy execution order of the matching policies based on a sum of time consumption values corresponding to respective matching dimensions included in the matching policies; wherein the policy execution order indicates that the matching policy having a small sum of time consumption values is executed first;
according to the strategy execution sequence, the following steps A1 to A3 are executed in a loop for each matching strategy:
a1: acquiring a current matching strategy; performing steps N1-N5 for the current matching policy;
a2: judging whether each feature data is matched with each matching dimension contained in the matching strategy or not, if so, ending the current process, and determining that the access data is abnormal; otherwise, a3 is executed;
a3: judging whether the current matching strategy is the last matching strategy in the strategy execution sequence, if not, taking the next matching strategy of the current matching strategy as the current matching strategy, and executing the step A1; if yes, the current flow is ended.
Preferably, an operation relationship that a matching result corresponding to a plurality of matching strategies is an or is set based on an application scenario, and when a result of any matching strategy is TRUE, the process may be ended, where it is determined that each feature data matches each matching dimension included in the matching strategies, that is, the result is TRUE. Therefore, the data matching efficiency is improved through matching the OR operation relation among the strategies and determining the strategy execution sequence of the matching strategies, and the execution efficiency of the security access control is improved.
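The procedure of steps N1 to N5 and A1 to A3 above (restated in claims 2 and 3), written out as an added Python example. This is not code from the patent or from the applicant: the dimension costs, the control data (blocked ports, hosts, an address range, path fragments), the access-data field names and the `evaluate`/`match_policy` names are all assumptions, and the policies mirror the three-policy example given in the description. As in the patent, "matched" means the feature datum hit the control data, so a fully matched policy marks the access as abnormal.

```python
"""Added example, not the patent's code: cost-ordered evaluation of several
matching policies (AND over dimensions inside a policy, OR across policies).
Costs, control data and access-data fields below are constructed assumptions."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Any, Callable

@dataclass(frozen=True)
class Dimension:
    name: str                           # also the key of the feature datum in the access data
    cost: float                         # time consumption value (assumed here; normally measured)
    matcher: Callable[[Any, Any], bool]
    control: Any                        # control data for this dimension

# One matcher per dimension kind named in the patent; control-data shapes are assumptions.
def numeric_exact(feature, control):    # control: set of numbers
    return feature in control

def text_exact(feature, control):       # control: set of strings
    return feature in control

def range_match(feature, control):      # control: list of closed (lo, hi) intervals
    return any(lo <= feature <= hi for lo, hi in control)

def fuzzy_match(feature, control):      # control: list of substrings
    return any(pat in feature for pat in control)

@dataclass(frozen=True)
class Policy:
    name: str
    dimensions: tuple[Dimension, ...]

    def ordered(self) -> list[Dimension]:
        return sorted(self.dimensions, key=lambda d: d.cost)   # order used by steps N1..N5

    def total_cost(self) -> float:
        return sum(d.cost for d in self.dimensions)            # sort key for steps A1..A3

def match_policy(policy: Policy, access_data: dict, trace: list | None = None) -> bool:
    """Steps N1-N5: dimensions cheapest first; stop at the first one that does not match."""
    for dim in policy.ordered():
        if trace is not None:
            trace.append(f"{policy.name}:{dim.name}")
        feature = access_data.get(dim.name)
        if feature is None or not dim.matcher(feature, dim.control):
            return False                 # this policy does not flag the access data
    return True

def evaluate(policies, access_data: dict, trace: list | None = None) -> str | None:
    """Steps A1-A3: policies by ascending total cost, OR across them.
    Returns the name of the first fully matched policy (access abnormal) or None."""
    for policy in sorted(policies, key=Policy.total_cost):
        if match_policy(policy, access_data, trace):
            return policy.name
    return None

# Constructed control data and costs (assumptions, not from the patent).
BLOCKED_PORTS = {23, 445}
BLOCKED_HOSTS = {"bad.example"}
BLOCKED_NETS = [(ipaddress.ip_address("10.0.0.0"), ipaddress.ip_address("10.0.0.255"))]
SUSPICIOUS_PATH = ["../", "/etc/passwd"]

D_PORT = Dimension("port", 1.0, numeric_exact, BLOCKED_PORTS)
D_HOST = Dimension("host", 2.0, text_exact, BLOCKED_HOSTS)
D_IP = Dimension("src_ip", 5.0, range_match, BLOCKED_NETS)
D_PATH = Dimension("path", 20.0, fuzzy_match, SUSPICIOUS_PATH)

# Same shape as the description's example: 1 = numeric+text exact, 2 = numeric exact+range,
# 3 = text exact+fuzzy. Listed out of order on purpose: evaluate() sorts them by cost.
POLICIES = [
    Policy("policy3", (D_PATH, D_HOST)),
    Policy("policy2", (D_IP, D_PORT)),
    Policy("policy1", (D_HOST, D_PORT)),
]

def parse_access(port: int, host: str, src_ip: str, path: str) -> dict:
    """Feature extraction: one feature datum per dimension name (constructed access data)."""
    return {"port": port, "host": host, "src_ip": ipaddress.ip_address(src_ip), "path": path}

if __name__ == "__main__":
    t: list = []
    print(evaluate(POLICIES, parse_access(445, "cdn.example", "10.0.0.5", "/index.html"), t), t)
    t = []
    print(evaluate(POLICIES, parse_access(443, "good.example", "192.0.2.7", "/index.html"), t), t)
```

The `trace` list records which dimensions actually ran: for the benign request only three cheap comparisons execute and the fuzzy path dimension is never reached, which is the whole gain the patent claims. The costs here are fixed constants; in a deployment they must come from measurements of each dimension on representative data, and they should be re-measured when the control data or its index changes, because the ordering is only as good as the numbers behind it.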
As shown in fig. 4, an embodiment of the present invention provides a secure access control apparatus 400, comprising: a matching policy acquisition module 401, a matching dimension processing module 402 and a security access control module 403; wherein
the matching policy acquisition module 401 is configured to obtain a matching policy related to the access data, the matching policy comprising a plurality of matching dimensions;
the matching dimension processing module 402 is configured to obtain the time consumption value corresponding to each matching dimension and to determine the execution order of the matching dimensions in the matching policy according to those values, the execution order indicating that a matching dimension with a smaller time consumption value is executed first;
the security access control module 403 is configured to obtain, from the access data, the feature data related to each matching dimension; to match each feature datum in turn against the corresponding matching dimension in the execution order; and, if any feature datum does not match the control data corresponding to its matching dimension, to end the matching operation for that matching policy and determine that the access data has no abnormality.
An embodiment of the present invention further provides an electronic device for controlling secure access, comprising: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method provided by any of the above embodiments.
Embodiments of the present invention further provide a computer-readable medium on which a computer program is stored, the computer program, when executed by a processor, implementing the method provided by any of the above embodiments.
Fig. 5 shows an exemplary system architecture 500 to which the control method or control apparatus for secure access of an embodiment of the present invention can be applied.
As shown in fig. 5, the system architecture 500 may include terminal devices 501, 502, 503, a network 504 and a server 505. The network 504 provides the medium for the communication links between the terminal devices 501, 502, 503 and the server 505. Network 504 may include various connection types, such as wired or wireless communication links or fiber optic cables.
The user may use the terminal devices 501, 502, 503 to interact with the server 505 over the network 504 to receive or send messages and the like. The terminal devices 501, 502, 503 may have various client applications installed, such as an e-commerce client application, a web browser, a search application, an instant messaging tool or a mail client.
The terminal devices 501, 502, 503 may be various electronic devices that have a display screen and support such client applications, including but not limited to smartphones, tablets, laptop and desktop computers.
The server 505 may be a server providing various services, such as a background management server supporting the client applications used on the terminal devices 501, 502, 503. The background management server performs security access control on the received access data and feeds the matching result back to the terminal device.
It should be noted that the method for controlling secure access provided by the embodiments of the present invention is generally executed by the server 505, and accordingly the control apparatus for secure access is generally provided in the server 505.
It should be understood that the numbers of terminal devices, networks and servers in fig. 5 are merely illustrative. There may be any number of terminal devices, networks and servers, as required by the implementation.
Referring now to FIG. 6, a block diagram of a computer system 600 suitable for implementing a terminal device of an embodiment of the invention is shown. The terminal device shown in fig. 6 is only an example and should not limit the functions or scope of use of the embodiments of the present invention.
As shown in fig. 6, the computer system 600 includes a Central Processing Unit (CPU)601 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data necessary for the operation of the system 600 are also stored. The CPU 601, ROM 602, and RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, a mouse and the like; an output portion 607 including a display such as a cathode ray tube (CRT) or liquid crystal display (LCD), and a speaker; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card or a modem. The communication section 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory is mounted on the drive 610 as necessary, so that a computer program read from it can be installed into the storage section 608 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 601.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules and/or units described in the embodiments of the present invention may be implemented in software or in hardware. They may also be provided in a processor, which may then be described as: a processor comprising a matching policy acquisition module, a matching dimension processing module and a security access control module. The names of these modules do not in all cases limit the module itself; for example, the matching policy acquisition module may also be described as "a module that obtains a matching policy related to the access data".
As another aspect, the present invention also provides a computer-readable medium, which may be contained in the apparatus described in the above embodiments or may be separate and not incorporated into the apparatus. The computer-readable medium carries one or more programs which, when executed by a device, cause the device to: obtain a matching policy related to access data, the matching policy comprising a plurality of matching dimensions; obtain a time consumption value corresponding to each matching dimension and determine an execution order of the matching dimensions in the matching policy according to those values, the execution order indicating that a matching dimension with a smaller time consumption value is executed first; obtain, from the access data, feature data related to each matching dimension; match each feature datum in turn against the corresponding matching dimension in the execution order; and, if any feature datum does not match the control data corresponding to its matching dimension, end the matching operation for the matching policy and determine that the access data has no abnormality.
According to the embodiments of the invention, a matching policy related to the access data is obtained, the matching policy comprising a plurality of matching dimensions; the execution order of the matching dimensions in the policy is determined from their time consumption values; whether the access data matches the matching dimensions is judged; and one or more matching policies are used to detect whether the access data carries the security risk the policy describes. Determining the execution order of the matching dimensions improves the efficiency of security access control and thereby the experience of the user accessing the data.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (9)

1. A method for controlling security access, comprising:
obtaining a matching policy related to access data, the matching policy comprising a plurality of matching dimensions;
obtaining a time consumption value corresponding to each matching dimension, and determining an execution order of the matching dimensions in the matching policy according to the time consumption values, the execution order indicating that a matching dimension with a smaller time consumption value is executed first;
obtaining, from the access data, feature data related to each matching dimension;
matching each feature datum in turn against the corresponding matching dimension in the execution order;
and, if any feature datum does not match the control data corresponding to its matching dimension, ending the matching operation for the matching policy and determining that the access data has no abnormality.
2. The method of claim 1, wherein matching each feature datum in turn against the corresponding matching dimension in the execution order comprises:
executing the following steps N1 to N5 in a loop:
N1: determining the current matching dimension in the execution order of the matching dimensions in the matching policy;
N2: matching the feature datum related to the current matching dimension against the control data corresponding to the current matching dimension; if the match fails, performing step N3, otherwise performing step N4;
N3: determining that a feature datum does not match the control data corresponding to its matching dimension, and ending the current flow;
N4: judging whether the current matching dimension is the last matching dimension in the execution order; if so, ending the current flow; otherwise performing step N5;
N5: taking the matching dimension that follows the current matching dimension in the execution order as the current matching dimension, and executing step N2.
3. The method of claim 2, wherein,
when a plurality of matching policies exist, a policy execution order of the matching policies is determined from the sum of the time consumption values of the matching dimensions contained in each matching policy, the policy execution order indicating that the matching policy with the smaller sum is executed first;
and the following steps A1 to A3 are executed in a loop for each matching policy according to the policy execution order:
A1: obtaining the current matching policy and performing steps N1 to N5 for it;
A2: judging whether every feature datum matched every matching dimension contained in the current matching policy; if so, ending the current flow and determining that the access data is abnormal; otherwise executing A3;
A3: judging whether the current matching policy is the last one in the policy execution order; if not, taking the next matching policy as the current matching policy and executing step A1; if so, ending the current flow.
4. The method of claim 1, wherein
the matching dimensions comprise any one or more of: a numeric exact-match dimension, a text exact-match dimension, a range-match dimension and a fuzzy-match dimension.
5. The method of claim 4, further comprising:
when the matching dimension is a numeric exact-match dimension and/or a text exact-match dimension, building a hash index over the control data corresponding to that matching dimension;
and matching the feature datum against the control data corresponding to the matching dimension by means of the hash index.
6. The method of claim 4, further comprising:
when the matching dimension is a range-match dimension, building a red-black tree index or a balanced tree index over the control data corresponding to that matching dimension;
and matching the feature datum against the control data corresponding to the matching dimension by means of the red-black tree index or the balanced tree index.
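Claims 5 and 6 ask for a hash index on exact-match control data and a balanced-tree index on range-match control data. The added Python example below is not the patent's or the applicant's code: the hash index is a `frozenset`, and because the Python standard library has no red-black or balanced tree, the range index is a sorted, merged interval list searched with `bisect`, which gives the same O(log n) lookup for static control data and is labelled as a stand-in. Blocked ports, user names and port ranges are constructed control data; the `build_index` dispatch and the dimension-kind names are assumptions.

```python
"""Added example, not the patent's code: control-data indexes for exact-match
and range-match dimensions. The bisect-based RangeIndex stands in for the
red-black / balanced tree of claim 6. All control data here is constructed."""
from __future__ import annotations
import bisect
from typing import Hashable, Iterable

class HashIndex:
    """Claim 5: O(1) expected membership for numeric or text exact-match control data."""
    def __init__(self, values: Iterable[Hashable]):
        self._values = frozenset(values)

    def contains(self, feature) -> bool:
        return feature in self._values

class RangeIndex:
    """Claim 6 stand-in: closed intervals [lo, hi], sorted and merged so that a
    single bisect answers whether a feature lies inside any of them."""
    def __init__(self, intervals: Iterable[tuple]):
        merged: list[tuple] = []
        for lo, hi in sorted(intervals):
            if lo > hi:
                raise ValueError(f"empty interval {(lo, hi)!r}")
            if merged and lo <= merged[-1][1]:            # overlaps or touches the previous one
                merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
            else:
                merged.append((lo, hi))
        self._los = [lo for lo, _ in merged]
        self._his = [hi for _, hi in merged]

    def __len__(self) -> int:
        return len(self._los)                             # number of merged intervals

    def contains(self, feature) -> bool:
        i = bisect.bisect_right(self._los, feature) - 1   # last interval that starts <= feature
        return i >= 0 and feature <= self._his[i]

def linear_range_match(feature, intervals) -> bool:
    """Unindexed scan, kept only to cross-check the index."""
    return any(lo <= feature <= hi for lo, hi in intervals)

def build_index(kind: str, control):
    """Choose the index by dimension kind (kind names are assumptions following claim 4)."""
    if kind in ("numeric_exact", "text_exact"):
        return HashIndex(control)
    if kind == "range":
        return RangeIndex(control)
    raise ValueError(f"no index for dimension kind {kind!r}")

def cross_check(index: RangeIndex, intervals, probes) -> bool:
    """True when the index agrees with the linear scan on every probe value."""
    return all(index.contains(p) == linear_range_match(p, intervals) for p in probes)

# Constructed control data (not from the patent).
BLOCKED_PORTS = [23, 135, 139, 445]
BLOCKED_USERS = ["guest", "test", "admin_old"]
BLOCKED_PORT_RANGES = [(6000, 6063), (6050, 6100), (31337, 31337)]   # overlapping on purpose

if __name__ == "__main__":
    ports = build_index("numeric_exact", BLOCKED_PORTS)
    users = build_index("text_exact", BLOCKED_USERS)
    ranges = build_index("range", BLOCKED_PORT_RANGES)
    print(ports.contains(445), users.contains("guest"), len(ranges), ranges.contains(6075))
    print(cross_check(ranges, BLOCKED_PORT_RANGES, range(5990, 6110)))
```

Merging overlapping intervals at build time is what makes the single bisect correct; without it a feature inside the second of two overlapping intervals could be missed. The `cross_check` helper compares the index with the plain scan over a sweep of probe values, which is the test to run whenever the control data is reloaded. A real balanced tree is only needed when the control data changes frequently at runtime; for control data loaded once per policy reload, a sorted list rebuilt on reload is simpler and has the same lookup cost.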
7. A control apparatus for secure access, comprising: a matching policy acquisition module, a matching dimension processing module and a security access control module; wherein
the matching policy acquisition module is configured to obtain a matching policy related to access data, the matching policy comprising a plurality of matching dimensions;
the matching dimension processing module is configured to obtain a time consumption value corresponding to each matching dimension and to determine an execution order of the matching dimensions in the matching policy according to the time consumption values, the execution order indicating that a matching dimension with a smaller time consumption value is executed first;
the security access control module is configured to obtain, from the access data, feature data related to each matching dimension; to match each feature datum in turn against the corresponding matching dimension in the execution order; and, if any feature datum does not match the control data corresponding to its matching dimension, to end the matching operation for the matching policy and determine that the access data has no abnormality.
8. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-6.
9. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-6.
CN202110615234.7A 2021-06-02 2021-06-02 Security access control method and device Active CN113360939B (en)

Publications (2)

Publication Number Publication Date
CN113360939A true CN113360939A (en) 2021-09-07
CN113360939B CN113360939B (en) 2023-05-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant