CN113360939B - Security access control method and device - Google Patents


Info

Publication number
CN113360939B
Authority
CN
China
Prior art keywords
matching
dimension
strategy
data
execution sequence
Legal status
Active
Application number
CN202110615234.7A
Other languages
Chinese (zh)
Other versions
CN113360939A (en)
Inventor
赵军
李刚
王建召
Current Assignee
Beijing Skyguard Network Security Technology Co ltd
Original Assignee
Beijing Skyguard Network Security Technology Co ltd
Application filed by Beijing Skyguard Network Security Technology Co ltd
Priority to CN202110615234.7A
Publication of CN113360939A
Application granted
Publication of CN113360939B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database


Abstract

The invention discloses a security access control method and device, and relates to the technical field of computers. One embodiment of the method comprises the following steps: acquiring a matching policy related to access data; determining the execution sequence of the matching dimensions in the matching policy based on the time consumption value of each matching dimension; and judging whether access data matching the matching dimensions exists. One or more matching policies are used to detect whether the access data carries a security risk related to the matching policy, and determining the execution sequence of the matching dimensions improves the efficiency of security access control, so that the user experience of accessing and acquiring data is improved.

Description

Security access control method and device
Technical Field
The present invention relates to the field of computer technology, and in particular to a security access control method and device.
Background
With the development and wide application of internet technology, internet applications have become an indispensable tool in people's life and work, so the requirements on the security of internet application data are also increasing.
The security of information or data can be improved by performing security access control on access data. At present, as the requirements on data security rise, the security access control policies applied to data become more and more complex, and the detection granularity contained in a control policy becomes finer and finer. The increased complexity of the control policy reduces the efficiency of security access control on the data, which slows the response to data access and thus degrades the user experience of accessing the data.
Disclosure of Invention
In view of this, embodiments of the present invention provide a security access control method and device that acquire a matching policy related to access data, where the matching policy includes a plurality of matching dimensions, determine the execution sequence of the matching dimensions in the matching policy based on the time consumption value of each matching dimension, and judge whether access data matching the matching dimensions exists. One or more matching policies are thus used to detect whether the access data carries a security risk related to the matching policy, and determining the execution sequence of the matching dimensions improves the efficiency of security access control, thereby improving the user experience of accessing and obtaining data.
To achieve the above object, according to an aspect of an embodiment of the present invention, there is provided a security access control method, including: acquiring a matching policy related to access data, wherein the matching policy comprises a plurality of matching dimensions; acquiring a time consumption value corresponding to each matching dimension, and determining the execution sequence of the matching dimensions in the matching policy according to the time consumption values, wherein the execution sequence indicates that a matching dimension with a smaller time consumption value is executed earlier; acquiring feature data related to each matching dimension from the access data; matching each item of feature data, in the execution sequence, against its corresponding matching dimension; and if any item of feature data does not match the control data corresponding to its matching dimension, ending the matching operation for the matching policy and determining that the access data is not abnormal.
Optionally, in the security access control method, matching each item of feature data, in the execution sequence, against its corresponding matching dimension includes:
cyclically performing the following steps N1 to N5: N1: determining the current matching dimension in the execution sequence of the matching dimensions in the matching policy; N2: matching the feature data related to the current matching dimension against the control data corresponding to the current matching dimension; if the matching is unsuccessful, executing step N3, otherwise executing step N4; N3: determining that an item of feature data does not match the control data corresponding to its matching dimension, and ending the current flow; N4: judging whether the current matching dimension is the last matching dimension in the execution sequence; if so, ending the current flow, otherwise executing step N5; N5: taking the matching dimension following the current matching dimension in the execution sequence as the current matching dimension, and executing step N2.
Optionally, in the security access control method, when a plurality of matching policies exist, the policy execution sequence of the matching policies is determined based on the sum of the time consumption values corresponding to the matching dimensions contained in each matching policy; the policy execution sequence indicates that a matching policy with a smaller sum of time consumption values is executed earlier;
according to the policy execution sequence, the following steps A1 to A3 are cyclically executed for each matching policy: A1: acquiring the current matching policy, and executing steps N1 to N5 for the current matching policy; A2: judging whether every item of feature data matches the corresponding matching dimension contained in the matching policy; if so, ending the current flow and determining that the access data is abnormal, otherwise executing A3; A3: judging whether the current matching policy is the last matching policy in the policy execution sequence; if not, taking the matching policy following the current matching policy as the current matching policy and executing step A1; if so, ending the current flow.
Optionally, in the security access control method,
the matching dimension includes any one or more of: a numeric exact matching dimension, a text exact matching dimension, a range matching dimension and a fuzzy matching dimension.
Optionally, the security access control method further comprises:
when the matching dimension is a numeric exact matching dimension and/or a text exact matching dimension, constructing a hash index over the control data corresponding to that matching dimension, and performing the step of matching each item of feature data against the control data corresponding to the matching dimension on the basis of the hash index.
Optionally, the security access control method further comprises:
when the matching dimension is a range matching dimension, constructing a red-black tree index or a balanced tree index over the control data corresponding to that matching dimension, and performing the step of matching each item of feature data against the control data corresponding to the matching dimension on the basis of the red-black tree index or the balanced tree index.
To achieve the above object, according to a second aspect of an embodiment of the present invention, there is provided a security access control device, comprising an acquire matching policy module, a process matching dimension module and a security access control module; wherein
the acquire matching policy module is used for acquiring a matching policy related to the access data, the matching policy comprising a plurality of matching dimensions;
the process matching dimension module is used for acquiring a time consumption value corresponding to each matching dimension and determining the execution sequence of the matching dimensions in the matching policy according to the time consumption values, the execution sequence indicating that a matching dimension with a smaller time consumption value is executed earlier;
the security access control module is used for acquiring feature data related to each matching dimension from the access data, matching each item of feature data, in the execution sequence, against its corresponding matching dimension, and, if any item of feature data does not match the control data corresponding to its matching dimension, ending the matching operation for the matching policy and determining that the access data is not abnormal.
To achieve the above object, according to a third aspect of an embodiment of the present invention, there is provided an electronic device for security access control, including: one or more processors; and a storage means for storing one or more programs that, when executed by the one or more processors, cause the one or more processors to implement any of the security access control methods described above.
To achieve the above object, according to a fourth aspect of the embodiments of the present invention, there is provided a computer-readable medium having a computer program stored thereon, characterized in that the program, when executed by a processor, implements any of the security access control methods described above.
One embodiment of the above invention has the following advantages or beneficial effects: it acquires a matching policy related to access data, determines the execution sequence of the matching dimensions in the matching policy based on the time consumption value of each matching dimension, and judges whether access data matching the matching dimensions exists. One or more matching policies are used to detect whether the access data carries a security risk related to the matching policy, and determining the execution sequence of the matching dimensions improves the efficiency of security access control, so that the user experience of accessing and acquiring data is improved.
Further effects of the above non-conventional alternatives are described below in connection with the specific embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting it. Wherein:
FIG. 1 is a flow chart of a security access control method according to an embodiment of the present invention;
FIG. 2 is a flow diagram of performing security access control according to one embodiment of the present invention;
FIG. 3 is a flow diagram of another way of performing security access control provided by one embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a security access control device according to an embodiment of the present invention;
FIG. 5 is an exemplary system architecture diagram to which embodiments of the present invention may be applied;
FIG. 6 is a schematic diagram of a computer system suitable for implementing an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, in which various details of the embodiments of the present invention are included to facilitate understanding, and are to be considered merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
As shown in FIG. 1, an embodiment of the present invention provides a security access control method, which may include the following steps:
Step S101: acquiring a matching policy related to the access data, the matching policy comprising a plurality of matching dimensions.
Specifically, the access data is the data that requires security access control, for example files, text and data packets transmitted over the network, network-related IP addresses and server domain names, local files and data, and so on.
Further, a matching policy related to the access data is acquired, the matching policy comprising a plurality of matching dimensions. Specifically, for security access control of data, one or more matching policies may be configured, where a matching policy may contain multiple matching dimensions whose matching results are combined with an AND operation. For example, matching policy 1 shown below contains 3 matching dimensions:
matching policy 1: matching dimension 1 & matching dimension 2 & matching dimension 3
The matching dimension includes any one or more of: a numeric exact matching dimension, a text exact matching dimension, a range matching dimension and a fuzzy matching dimension.
The numeric exact matching dimension is used, for example, to match file types (for example, text type is 1, picture type is 2, and so on) and URL categories (for example, absolute URL is 1, relative URL is 2; or URL containing an IP address is 1, URL containing a domain name is 2); the text exact matching dimension is used, for example, to match hostnames, proxy hostnames, application identifiers and the like; the range matching dimension is used, for example, to match a configured time period; the fuzzy matching dimension is used to match keywords, URL text, text in the message body of a transmitted data packet and the like, based on wildcard or regular expression matching. The matching dimensions can be configured according to the data that requires security access control, and the invention does not limit the specific content of the access data, the matching policy or the matching dimensions.
Step S102: acquiring a time consumption value corresponding to each matching dimension, and determining the execution sequence of the matching dimensions in the matching policy according to the time consumption values, where the execution sequence indicates that a matching dimension with a smaller time consumption value is executed earlier.
Specifically, the time consumption value corresponding to each matching dimension is acquired, for example the time consumption values of the numeric exact matching dimension, the text exact matching dimension, the range matching dimension and the fuzzy matching dimension. It is understood that the time consumed by matching depends on the complexity of the query and the matching; for example, the order of the time consumption values obtained from experience or testing, from small to large, is: numeric exact matching dimension, text exact matching dimension, range matching dimension, fuzzy matching dimension. The fuzzy matching dimension can be further divided into classes such as fuzzy string query and regular expression matching, and the time consumption value can be determined further by class; for example, the time consumption value of a fuzzy string query is smaller than that of regular expression matching.
Further, the execution sequence of the matching dimensions in the matching policy is determined based on the time consumption values. For example, matching policy 1 used for security access control contains 3 matching dimensions: a text exact matching dimension, a range matching dimension and a fuzzy matching dimension. According to the time consumption value of each matching dimension, the execution sequence from first to last is determined as: text exact matching dimension, range matching dimension, fuzzy matching dimension, where the execution sequence indicates that the matching dimension with the smaller time consumption value is executed earlier. Because the cheaper matching dimension runs first, when the access data does not match the control data of the text exact matching dimension that is executed first, the access data is already known to be not abnormal. The control data corresponding to a matching dimension is one or more preset data items that carry a security risk; for example, the control data corresponding to the text exact matching dimension can be a set of known abnormal hostnames, and the control data corresponding to the numeric exact matching dimension can be a set of known abnormal file types. The invention does not limit the specific number, content or format of the control data. It can be understood that whether the feature data of the access data carries a security risk or abnormality is judged by matching it against the control data corresponding to the dimension.
Therefore, compared with an unordered execution sequence, in which a matching dimension with a larger time consumption value may be executed before one with a smaller time consumption value, executing the matching dimension with the smaller time consumption value first greatly reduces the time consumed by matching, particularly when the feature data fails to match the control data of that cheaper dimension, and thus improves the efficiency of security access control and the user experience.
Step S103: acquiring feature data related to each matching dimension from the access data; matching each item of feature data, in the execution sequence, against its corresponding matching dimension; and if any item of feature data does not match the control data corresponding to its matching dimension, ending the matching operation for the matching policy and determining that the access data is not abnormal.
Specifically, the access data is received, and the feature data related to each matching dimension is extracted from it. For example, the feature data related to the numeric exact matching dimension is the file type, URL category and so on; the feature data related to the text exact matching dimension is the hostname, proxy hostname, application identifier and so on; the feature data related to the range matching dimension is the configured time period and so on; and the feature data related to the fuzzy matching dimension is keywords, URL text, text in the message body of the transmitted data packet and so on.
Further, each item of feature data is matched, in the execution sequence, against its corresponding matching dimension. For example, if security access control needs to be performed on information such as the file type, URL category, keywords and URL text contained in the access data, then the file type, URL category and similar information in the access data are first matched against the numeric exact matching dimension, and the keywords, URL text and similar data are then matched against the fuzzy matching dimension; that is, each item of feature data is matched against its corresponding matching dimension in the order given by the execution sequence.
Further, if any item of feature data does not match the control data corresponding to its matching dimension, the matching operation for the matching policy is ended, and it is determined that the access data is not abnormal. For example, the matching policy corresponding to the access data is matching policy 1, which contains the following 3 matching dimensions:
matching policy 1: text exact matching dimension & range matching dimension & fuzzy matching dimension
During matching, suppose the access data contains no hostname that appears in the control data of the text exact matching dimension; this indicates that the access data, as far as its hostname is concerned, is not abnormal. That is, if any item of feature data does not match the control data corresponding to its matching dimension, the matching result of that dimension is set to FALSE. Because the matching results of the dimensions contained in a matching policy are combined by an AND operation, once the text exact matching dimension that is executed first is determined not to match and its result is FALSE, the matching result of the whole matching policy is FALSE, and the other matching dimensions in the policy do not need to be executed. The matching operation for the matching policy is therefore ended and the access data is determined to be not abnormal, so the AND operation over the matching dimensions improves the efficiency of ruling out abnormal data. If, on the other hand, all three matching dimensions (text exact, range and fuzzy) are judged to match, the matching result of the matching policy is TRUE, which indicates that the access data carries a security risk, that is, the data is abnormal; when the access data is determined to be abnormal, a security prompt about the access data may be generated and sent.
Preferably, when the matching dimension is a numeric exact matching dimension and/or a text exact matching dimension, a hash index is built over the control data corresponding to that matching dimension, and the step of matching each item of feature data against the control data corresponding to the matching dimension is performed on the basis of the hash index. The description of the control data is the same as in step S102 and is not repeated here. Building a hash index over the control data of the numeric exact matching dimension and/or the text exact matching dimension further improves the efficiency of data matching, and therefore the execution efficiency of security access control.
Preferably, when the matching dimension is a range matching dimension, a red-black tree index or a balanced tree index is built over the control data corresponding to that matching dimension, and the step of matching each item of feature data against the control data corresponding to the matching dimension is performed on the basis of the red-black tree index or the balanced tree index. The description of the control data is the same as in step S102 and is not repeated here. Building a red-black tree index or a balanced tree index over the control data of the range matching dimension further improves the efficiency of data matching, and therefore the execution efficiency of security access control.
As shown in FIG. 2, an embodiment of the present invention provides a method of performing security access control, which may include the following steps:
Step S201: determining the current matching dimension in the execution sequence of the matching dimensions in the matching policy.
Step S202: matching the feature data related to the current matching dimension against the control data corresponding to the current matching dimension.
Step S203: judging whether the matching is successful; if not, executing step S204, otherwise executing step S205.
Step S204: determining that an item of feature data does not match the control data corresponding to its matching dimension, and ending the current flow (executing step S207).
Step S205: judging whether the current matching dimension is the last matching dimension in the execution sequence; if so, executing step S207, otherwise executing step S206.
Step S206: taking the matching dimension following the current matching dimension in the execution sequence as the current matching dimension, and executing step S202.
Step S207: ending the current flow.
Specifically, the descriptions of the matching policy, the matching dimensions and the determination of the execution sequence are the same as in steps S101 to S103 and are not repeated here. Steps S201 to S206 describe the flow of performing security access control for each matching dimension contained in one matching policy; that is, matching each item of feature data, in the execution sequence, against its corresponding matching dimension includes cyclically performing the following steps N1 to N5:
N1: determining the current matching dimension in the execution sequence of the matching dimensions in the matching policy;
N2: matching the feature data related to the current matching dimension against the control data corresponding to the current matching dimension; if the matching is unsuccessful, executing step N3, otherwise executing step N4;
N3: determining that an item of feature data does not match the control data corresponding to its matching dimension, and ending the current flow;
N4: judging whether the current matching dimension is the last matching dimension in the execution sequence; if so, ending the current flow, otherwise executing step N5;
N5: taking the matching dimension following the current matching dimension in the execution sequence as the current matching dimension, and executing step N2.
As shown in FIG. 3, an embodiment of the present invention provides a method of performing security access control, which may include the following steps:
Step S301: acquiring the current matching policy, and executing steps N1 to N5 for the current matching policy.
Step S302: judging whether every item of feature data matches the corresponding matching dimension contained in the matching policy; if so, executing step S303, otherwise executing step S304.
Step S303: determining that the access data is abnormal, and executing step S306.
Step S304: judging whether the current matching policy is the last matching policy in the policy execution sequence; if so, executing step S306, otherwise executing step S305.
Step S305: taking the matching policy following the current matching policy as the current matching policy, and executing step S301.
Step S306: ending the current flow.
Steps S301 to S306 describe the security access control method performed when a plurality of matching policies exist. Specifically, when a plurality of matching policies exist, the sum of the time consumption values of the matching dimensions contained in each matching policy is calculated, for example:
matching policy 1: numeric exact matching dimension & text exact matching dimension
matching policy 2: numeric exact matching dimension & range matching dimension
matching policy 3: text exact matching dimension & fuzzy matching dimension
The policy execution sequence is determined, from the smallest sum of time consumption values to the largest, as matching policy 1, matching policy 2, matching policy 3. It will be appreciated that the matching policies in the present invention are exemplary, and that matching policies are configured according to the feature data of the access data and the application scenario.
That is, when a plurality of matching policies exist, the policy execution sequence of the matching policies is determined based on the sum of the time consumption values corresponding to the matching dimensions contained in each matching policy; the policy execution sequence indicates that a matching policy with a smaller sum of time consumption values is executed earlier;
according to the policy execution sequence, the following steps A1 to A3 are cyclically executed for each matching policy:
A1: acquiring the current matching policy, and executing steps N1 to N5 for the current matching policy;
A2: judging whether every item of feature data matches the corresponding matching dimension contained in the matching policy; if so, ending the current flow and determining that the access data is abnormal, otherwise executing A3;
A3: judging whether the current matching policy is the last matching policy in the policy execution sequence; if not, taking the matching policy following the current matching policy as the current matching policy and executing step A1; if so, ending the current flow.
Preferably, the matching results of the plurality of matching policies are combined by an OR relation configured according to the application scenario, so that the flow can end as soon as the result of any matching policy is TRUE, where a result of TRUE means that every item of feature data has been judged to match the matching dimensions contained in that policy. The OR relation among the matching policies, together with the policy execution sequence, therefore improves the efficiency of data matching and thus the execution efficiency of security access control.
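The single-policy loop of steps N1 to N5 (cost-ordered dimensions, AND with short-circuit on the first non-match) and the multi-policy loop of steps A1 to A3 (policies ordered by summed cost, OR with early exit), as an added example that is not part of the patent or of the assignee's product. The time consumption values, control data, feature names and policy names are constructed; the hash index is a `frozenset`, and a sorted interval list searched with `bisect` stands in for the red-black tree index.

```python
import bisect
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed time consumption values per dimension kind (constructed; the patent only
# gives the ordering numeric exact < text exact < range < fuzzy, wildcard < regex).
COST = {"numeric_exact": 1, "text_exact": 2, "range": 5, "wildcard": 8, "regex": 10}


@dataclass
class Dimension:
    kind: str        # one of the COST keys
    feature: str     # key of the feature extracted from the access data
    control: object  # control data: risky values, (lo, hi) ranges, or patterns
    index: object = field(default=None, init=False)

    def __post_init__(self):
        # Build the index the patent calls for: a hash index for the exact dimensions,
        # a tree-like index for ranges (sorted intervals + bisect stand in for the
        # red-black tree here), and compiled patterns for the fuzzy dimensions.
        if self.kind in ("numeric_exact", "text_exact"):
            self.index = frozenset(self.control)
        elif self.kind == "range":
            self.index = sorted(self.control)  # (lo, hi) pairs, assumed non-overlapping
        elif self.kind == "wildcard":
            self.index = [re.compile(fnmatch.translate(p)) for p in self.control]
        elif self.kind == "regex":
            self.index = [re.compile(p) for p in self.control]
        else:
            raise ValueError(f"unknown dimension kind {self.kind!r}")

    def matches(self, value) -> bool:
        """True when the feature value hits the control data (the risk list)."""
        if value is None:  # feature absent from the access data: cannot match
            return False
        if self.kind in ("numeric_exact", "text_exact"):
            return value in self.index
        if self.kind == "range":
            # Last interval whose lower bound is <= value, then check its upper bound.
            i = bisect.bisect_right(self.index, (value, float("inf"))) - 1
            return i >= 0 and self.index[i][0] <= value <= self.index[i][1]
        return any(p.search(value) for p in self.index)


@dataclass
class Policy:
    name: str
    dimensions: List[Dimension]

    def cost(self) -> int:
        # Sum of time consumption values: the key for the policy execution sequence.
        return sum(COST[d.kind] for d in self.dimensions)

    def execution_sequence(self) -> List[Dimension]:
        # Step S102: the matching dimension with the smaller cost is executed first.
        return sorted(self.dimensions, key=lambda d: COST[d.kind])

    def evaluate(self, features: Dict[str, object]) -> Tuple[bool, List[str]]:
        """Steps N1-N5: AND over the dimensions, stopping at the first non-match.
        Returns (policy result, kinds of the dimensions actually executed)."""
        executed = []
        for dim in self.execution_sequence():               # N1 / N5
            executed.append(dim.kind)
            if not dim.matches(features.get(dim.feature)):  # N2
                return False, executed                      # N3: not abnormal here
        return True, executed                               # N4: every dimension matched


def control_access(policies: List[Policy], features: Dict[str, object]) -> Tuple[bool, List[str]]:
    """Steps A1-A3: policies in ascending order of summed cost, OR-combined,
    ending as soon as one policy evaluates to TRUE (access data abnormal)."""
    trace = []
    for policy in sorted(policies, key=Policy.cost):  # policy execution sequence
        result, executed = policy.evaluate(features)  # A1
        trace.append(f"{policy.name}[{'+'.join(executed)}]={'TRUE' if result else 'FALSE'}")
        if result:                                    # A2: abnormal, end the flow
            return True, trace
    return False, trace                               # A3: last policy reached


# Constructed control data and access data for the demonstration (not from the patent).
POLICIES = [
    Policy("policy1", [Dimension("text_exact", "hostname", {"evil.example", "c2.example"}),
                       Dimension("numeric_exact", "file_type", {2})]),
    Policy("policy2", [Dimension("range", "hour", [(0, 5), (22, 23)]),
                       Dimension("numeric_exact", "file_type", {1, 2})]),
    Policy("policy3", [Dimension("regex", "url", [r"\.exe(\?|$)", r"/admin/"]),
                       Dimension("text_exact", "app_id", {"unknown-app"})]),
]
SAFE_ACCESS = {"hostname": "intranet.example", "file_type": 1, "hour": 10,
               "url": "https://intranet.example/report.pdf", "app_id": "browser"}
NIGHT_ACCESS = dict(SAFE_ACCESS, hour=3)  # same request at 03:00, inside a risky time range

if __name__ == "__main__":
    for label, feats in (("safe", SAFE_ACCESS), ("night", NIGHT_ACCESS)):
        abnormal, trace = control_access(POLICIES, feats)
        print(label, "abnormal" if abnormal else "not abnormal", trace)
```

The trace shows the short-circuiting: the safe request touches only three of the six dimensions, and the night request stops after policy2 without ever running the costly regex dimension of policy3.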
As shown in fig. 4, an embodiment of the present invention provides a control apparatus 400 for secure access, including: an acquire matching policy module 401, a process matching dimension module 402, and a security access control module 403; wherein:
the acquiring matching policy module 401 is configured to acquire a matching policy related to the access data, where the matching policy includes a plurality of matching dimensions;
the processing matching dimension module 402 is configured to obtain a time consumption value corresponding to each matching dimension, and determine an execution sequence of each matching dimension in the matching policy according to the time consumption value, where the execution sequence indicates that a matching dimension with a small time consumption value is executed in advance;
the secure access control module 403 is configured to obtain, from the access data, the feature data related to each matching dimension; to match each feature datum in sequence with its corresponding matching dimension in the execution sequence; and, if any feature datum does not match the control data of its matching dimension, to end the matching operation for that matching policy and determine that the access data is not abnormal.
The embodiment of the invention also provides an electronic device for controlling the security access, which comprises: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method provided by any of the embodiments described above.
The embodiment of the invention also provides a computer readable medium, on which a computer program is stored, which when executed by a processor implements the method provided by any of the above embodiments.
Fig. 5 illustrates an exemplary system architecture 500 to which the secure access control method or the secure access control apparatus of the embodiment of the present invention may be applied.
As shown in fig. 5, the system architecture 500 may include terminal devices 501, 502, 503, a network 504, and a server 505. The network 504 is used as a medium to provide communication links between the terminal devices 501, 502, 503 and the server 505. The network 504 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may interact with the server 505 via the network 504 using the terminal devices 501, 502, 503 to receive or send messages or the like. Various client applications such as an electronic mall client application, a web browser application, a search class application, an instant messaging tool, a mailbox client, and the like may be installed on the terminal devices 501, 502, 503.
The terminal devices 501, 502, 503 may be a variety of electronic devices having a display screen and supporting a variety of client applications, including but not limited to smartphones, tablet computers, laptop and desktop computers, and the like.
The server 505 may be a server providing various services, such as a background management server providing support for client applications used by the user with the terminal devices 501, 502, 503. The background management server can control the safe access of the received access data and feed back the matching result to the terminal equipment.
It should be noted that, the method for controlling secure access provided in the embodiment of the present invention is generally executed by the server 505, and accordingly, the device for controlling secure access is generally disposed in the server 505.
It should be understood that the number of terminal devices, networks and servers in fig. 5 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 6, there is illustrated a schematic diagram of a computer system 600 suitable for use in implementing an embodiment of the present invention. The terminal device shown in fig. 6 is only an example, and should not impose any limitation on the functions and the scope of use of the embodiment of the present invention.
As shown in fig. 6, the computer system 600 includes a Central Processing Unit (CPU) 601, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data required for the operation of the system 600 are also stored. The CPU 601, ROM 602, and RAM 603 are connected to each other through a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, a mouse and the like; an output portion 607 including a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD), a speaker and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card or a modem. The communication section 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 610 as needed so that a computer program read from it can be installed into the storage section 608 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication portion 609, and/or installed from the removable medium 611. The above-described functions defined in the system of the present invention are performed when the computer program is executed by a Central Processing Unit (CPU) 601.
The computer readable medium shown in the present invention may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules and/or units involved in the embodiments of the present invention may be implemented in software, or may be implemented in hardware. The described modules and/or units may also be provided in a processor, e.g., may be described as: a processor includes an acquire match policy module, a process match dimension module, and a secure access control module. The names of these modules do not constitute a limitation on the module itself in some cases, and for example, the module for acquiring a matching policy may also be described as "a module for acquiring a matching policy related to access data".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may exist alone without being assembled into the apparatus. The computer readable medium carries one or more programs which, when executed by a device, cause the device to: acquire a matching policy related to access data, wherein the matching policy comprises a plurality of matching dimensions; acquire the time consumption value corresponding to each matching dimension and determine the execution sequence of the matching dimensions in the matching policy according to the time consumption values, wherein the execution sequence indicates that matching dimensions with smaller time consumption values are executed first; acquire feature data related to each matching dimension from the access data; match each feature datum in sequence with its corresponding matching dimension in the execution sequence; and, if any feature datum does not match the control data of its matching dimension, end the matching operation for that matching policy and determine that the access data is not abnormal.
According to the embodiment of the invention, a matching policy related to the access data is obtained, the matching policy comprising a plurality of matching dimensions; the execution sequence of the matching dimensions in the matching policy is determined from their time consumption values; whether the access data matches the matching dimensions is judged; and one or more matching policies are used to detect whether the access data carries the security risk associated with each policy. Determining the execution sequence of the matching dimensions improves the efficiency of security access control, and so improves the user's experience when accessing and obtaining data.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives can occur depending upon design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (7)

1. A method for controlling secure access, comprising:
acquiring a matching policy related to access data, wherein the matching policy comprises a plurality of matching dimensions; wherein the matching dimensions comprise any number of: a numeric exact matching dimension, a text exact matching dimension, a range matching dimension and a fuzzy matching dimension;
acquiring a preset time consumption value corresponding to each matching dimension, and determining an execution sequence of each matching dimension in the matching strategy according to the time consumption value, wherein the execution sequence indicates that the matching dimension with the small time consumption value is executed in advance; wherein, the matching results of each matching dimension contained in the matching strategy are subjected to AND operation;
determining a policy execution sequence of the matching policies based on a sum of time consumption values corresponding to various matching dimensions contained in the matching policies when a plurality of matching policies exist; the policy execution sequence indicates that the matching policy with small sum of time consumption values is executed in advance; wherein, the matching results corresponding to the matching strategies are OR-operated;
acquiring feature data related to each matching dimension from the access data;
matching each feature data with a corresponding matching dimension in the execution sequence in sequence, wherein the matching comprises the following steps: the following steps N1 to N5 are cyclically performed:
N1: determining the current matching dimension in the execution sequence of the matching dimensions in the matching policy;
N2: matching the feature data related to the current matching dimension with the control data corresponding to the current matching dimension; if the matching is unsuccessful, executing step N3, otherwise executing step N4;
N3: determining that a feature datum does not match the control data of its corresponding matching dimension, and ending the current flow;
N4: judging whether the current matching dimension is the last matching dimension in the execution sequence; if so, ending the current flow; otherwise, executing step N5;
N5: taking the matching dimension following the current matching dimension in the execution sequence as the current matching dimension, and executing step N2;
if any feature datum does not match the control data of its corresponding matching dimension, ending the matching operation for the matching policy and determining that the access data is not abnormal; the control data corresponding to a matching dimension are one or more preset data carrying a security risk.
2. The method of claim 1, wherein, in the case where there are a plurality of matching policies,
according to the policy execution sequence, for each of the matching policies, the following steps A1 to A3 are cyclically executed:
A1: acquiring the current matching policy, and executing steps N1 to N5 for the current matching policy;
A2: judging whether every feature datum matches the matching dimension it corresponds to in the current matching policy; if so, ending the current flow and determining that the access data is abnormal; otherwise, executing A3;
A3: judging whether the current matching policy is the last matching policy in the policy execution sequence; if not, taking the matching policy following the current one as the current matching policy and executing step A1; if so, ending the current flow.
3. The method as recited in claim 1, further comprising:
when the matching dimension is a numeric exact matching dimension and/or a text exact matching dimension, constructing a hash index for the control data corresponding to the matching dimension;
and executing the step of matching each characteristic data with the control data corresponding to the corresponding matching dimension in sequence based on the hash index.
4. The method as recited in claim 1, further comprising:
under the condition that the matching dimension indicates a range matching dimension, constructing a red-black tree index or a balanced tree index for control data corresponding to the matching dimension;
and executing the step of matching each characteristic data with the control data corresponding to the corresponding matching dimension in sequence based on the red-black tree index or the balanced tree index.
5. A control device for secure access, comprising: an acquire matching policy module, a matching dimension processing module and a security access control module; wherein:
the acquire matching policy module is used for acquiring a matching policy related to the access data, wherein the matching policy comprises a plurality of matching dimensions; wherein the matching dimensions comprise any number of: a numeric exact matching dimension, a text exact matching dimension, a range matching dimension and a fuzzy matching dimension;
the matching dimension processing module is configured to obtain preset time consumption values corresponding to the matching dimensions, and determine an execution sequence of the matching dimensions in the matching policy according to the time consumption values, where the execution sequence indicates that the matching dimension with the small time consumption value is executed in advance; wherein, the matching results of each matching dimension contained in the matching strategy are subjected to AND operation; determining a policy execution sequence of the matching policies based on a sum of time consumption values corresponding to various matching dimensions contained in the matching policies when a plurality of matching policies exist; the policy execution sequence indicates that the matching policy with small sum of time consumption values is executed in advance; wherein, the matching results corresponding to the matching strategies are OR-operated;
the security access control module is used for acquiring feature data related to each matching dimension from the access data, and for matching each feature datum in sequence with its corresponding matching dimension in the execution sequence, wherein the matching comprises cyclically performing the following steps N1 to N5: N1: determining the current matching dimension in the execution sequence of the matching dimensions in the matching policy; N2: matching the feature data related to the current matching dimension with the control data corresponding to the current matching dimension; if the matching is unsuccessful, executing step N3, otherwise executing step N4; N3: determining that a feature datum does not match the control data of its corresponding matching dimension, and ending the current flow; N4: judging whether the current matching dimension is the last matching dimension in the execution sequence; if so, ending the current flow; otherwise, executing step N5; N5: taking the matching dimension following the current matching dimension in the execution sequence as the current matching dimension, and executing step N2;
if any feature datum does not match the control data of its corresponding matching dimension, ending the matching operation for the matching policy and determining that the access data is not abnormal; the control data corresponding to a matching dimension are one or more preset data carrying a security risk.
6. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-4.
7. A computer readable medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the method according to any of claims 1-4.
CN202110615234.7A 2021-06-02 2021-06-02 Security access control method and device Active CN113360939B (en)

Publications (2)

Publication Number Publication Date
CN113360939A CN113360939A (en) 2021-09-07
CN113360939B (en) 2023-05-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant