CN113630415A - Network admission control method, apparatus, system, device, medium and product - Google Patents

Info

Publication number
CN113630415A
Authority
CN
China
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN202110916011.4A
Other languages
Chinese (zh)
Inventor
吴子凡
窦志强
祝萍
严晓娇
Current Assignee (as listed by Google Patents; may be inaccurate)
Industrial and Commercial Bank of China Ltd ICBC
ICBC Technology Co Ltd
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
ICBC Technology Co Ltd

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 49/00 Packet switching elements
                    • H04L 49/20 Support for services
                        • H04L 49/208 Port mirroring
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/10 Network security for controlling access to devices or network resources
                        • H04L 63/101 Access control lists [ACL]
                    • H04L 63/14 Network security for detecting or protecting against malicious traffic
                        • H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L 63/1416 Event detection, e.g. attack signature detection
                            • H04L 63/1425 Traffic logging, e.g. anomaly detection

Abstract

The present disclosure provides a method, apparatus, system, device, medium and product for network admission control. The network admission control method comprises the following steps: collecting the network traffic data generated by an access device accessing the network; analysing the network traffic data and determining whether the access device's access to the network is an abnormal access; and, based on the result of that determination, sending an instruction to release or block the access device's access to the network. According to the embodiments of the disclosure, no client needs to be installed on the device: whether a device is an abnormal access device is judged directly and automatically from the captured network traffic data, abnormal access devices can be determined more accurately, their access to the enterprise intranet is blocked, and the security and protection capability of the enterprise intranet are improved.

Description

Network admission control method, apparatus, system, device, medium and product
Technical Field
The present disclosure relates to the field of network security control technologies, and in particular, to a method, an apparatus, a system, a device, a medium, and a product for controlling network admission.
Background
Network security admission is the first line of defence for the enterprise intranet. Security managers need to know which devices are connected to the intranet, what those devices are doing, how secure they are and whether they pose any threat, and a network security admission control system is needed to keep this under control. Most enterprises therefore manage the devices connected to their intranet by deploying a network security admission control system.
Currently, most enterprise intranets use the 802.1X protocol to implement device admission and control. 802.1X is a port-based network access control protocol: every connected user device is authenticated and controlled at the level of the port of the LAN access device. The 802.1X architecture has three main parts: the client, the authentication system and the authentication server. Client software must be installed on every user device that needs to authenticate, and the authentication server hosts the authentication system, in which an access-based control policy is defined in advance. This policy usually identifies a device by its MAC address and user device name. If the user device connected to a port passes authentication, it may access the resources of the enterprise intranet; if it does not, it cannot access the resources of the local area network.
For user devices on which a client cannot be installed, a security access exception process must be followed when the device connects to the internal network, after which control is enforced by MAC address binding.
However, the above technical scheme for network security admission has the following problems:
(1) Client software must additionally be installed on the user device, which increases the load on the device, and the running state of the client software directly determines whether the intranet can be accessed at all.
(2) When the intranet is accessed through the security access exception process, the following risks exist: if the MAC address is modified, a malicious terminal can illegally access the intranet; and since USB network cards are now used on a large scale and it is the MAC address of the USB network card that is bound, any device that supports that USB network card can use it to access the enterprise intranet, which presents a high security risk.
Disclosure of Invention
In view of the foregoing technical problems, embodiments of the present disclosure provide a network admission control method, apparatus, system, device, medium and product that do not require a client to be installed on the device, determine directly and automatically from captured network traffic data whether a device is an abnormal access device, can determine abnormal access devices more accurately, block their access to the enterprise intranet, and improve the security and protection capability of the enterprise intranet.
According to a first aspect of the present disclosure, there is provided a network admission control method, including:
collecting the network traffic data generated by an access device accessing the network;
analysing the network traffic data and determining whether the access device's access to the network is an abnormal access;
and sending an instruction to release or block the access device's access to the network based on the result of determining whether that access is an abnormal access.
According to an embodiment of the present disclosure, the access device accesses the network through a switch, and the network is an intranet.
According to an embodiment of the present disclosure, collecting the network traffic data generated by the access device accessing the network specifically includes: collecting, on a traffic mirror port of the switch, all mirrored traffic of the access device's access to the network as the network traffic data.
According to an embodiment of the present disclosure, the network traffic data includes: a device fingerprint that uniquely identifies the access device, the access time of the access device, the access duration of the access device, the device type of the access device, and the source of the network traffic data.
According to an embodiment of the present disclosure, the method further includes: storing the network traffic data in a database.
According to an embodiment of the present disclosure, analysing the network traffic data and determining whether the access device's access to the network is an abnormal access specifically includes:
for the network traffic data, determining the probability that the access device's access to the network is a normal access or an abnormal access through a model, established by a supervised machine learning algorithm, between feature information in historical network traffic data and device information in a blacklist/whitelist policy library; and comparing the probability with a preset threshold to judge whether the access device's access to the network is an abnormal access, where the blacklist/whitelist policy library stores the device information corresponding to normal access devices and abnormal access devices.
According to an embodiment of the present disclosure, comparing the probability with a preset threshold to judge whether the access device's access to the network is an abnormal access specifically includes:
presetting a normal access probability; comparing the determined probability that the access device's access to the network is normal with the preset normal access probability; when the determined probability is greater than the preset normal access probability, judging the access to be normal; and when the determined probability is less than or equal to the preset normal access probability, judging the access to be abnormal; or, alternatively,
presetting an abnormal access probability; comparing the determined probability that the access device's access to the network is abnormal with the preset abnormal access probability; when the determined probability is greater than the preset abnormal access probability, judging the access to be abnormal; and when the determined probability is less than or equal to the preset abnormal access probability, judging the access to be normal.
According to an embodiment of the present disclosure, the model between the feature information in the historical network traffic data and the device information in the blacklist/whitelist policy library is established as follows: the device information in the blacklist/whitelist policy library is taken as a first data label, and a model between the feature information in the historical network traffic data and the first data label is established by a supervised machine learning algorithm.
According to an embodiment of the present disclosure, the blacklist/whitelist policy library is established as follows: the historical network traffic data is clustered using an unsupervised clustering algorithm, and the device information corresponding to the normal access devices and abnormal access devices obtained by the clustering operation is added to the blacklist/whitelist policy library.
According to an embodiment of the present disclosure, clustering the historical network traffic data using an unsupervised clustering algorithm and adding the device information corresponding to the normal and abnormal access devices obtained by the clustering to the blacklist/whitelist policy library specifically includes:
extracting feature information from the historical network traffic data;
clustering the feature information using an unsupervised clustering algorithm, and dividing the access devices into normal access devices and abnormal access devices;
and adjusting the clustering result in combination with historical experience, and adding the adjusted device information corresponding to the normal access devices and abnormal access devices to the blacklist/whitelist policy library.
According to an embodiment of the present disclosure, an administrator may also add device information to, or delete it from, the blacklist/whitelist policy library according to actual conditions.
According to an embodiment of the present disclosure, the feature information includes the access time, access duration and device type of the access device; the device information includes the device fingerprint corresponding to the device and flag information indicating whether the device is an abnormal access device or a normal access device.
According to an embodiment of the present disclosure, before analysing the network traffic data and determining whether the access device's access to the network is an abnormal access, the method further includes:
judging whether the access device corresponding to the network traffic data exists in the blacklist/whitelist policy library; if it does, judging directly, based on the device information in the blacklist/whitelist policy library, whether the access device's access to the network is an abnormal access; and if it does not, executing the step of analysing the network traffic data and determining whether the access device's access to the network is an abnormal access.
According to an embodiment of the present disclosure, judging whether the access device corresponding to the network traffic data exists in the blacklist/whitelist policy library specifically includes:
judging whether the device fingerprint of the access device corresponding to the network traffic data exists in the blacklist/whitelist policy library.
According to an embodiment of the present disclosure, judging directly, based on the device information in the blacklist/whitelist policy library, whether the access device's access to the network is an abnormal access specifically includes:
querying the flag information corresponding to the device fingerprint of the access device in the blacklist/whitelist policy library, and judging whether the access device's access to the network is an abnormal access based on that flag information.
According to an embodiment of the present disclosure, after judging whether the access device's access to the network is an abnormal access, the device information corresponding to the access device is added to the blacklist/whitelist policy library.
According to an embodiment of the present disclosure, before analysing the network traffic data and determining whether the access device's access to the network is an abnormal access, the method further includes: cleaning or preprocessing the network traffic data.
According to an embodiment of the present disclosure, sending to the switch an instruction to release or block the access device's access to the network based on the result of determining whether that access is an abnormal access includes:
when the access device's access to the network is a normal access, sending an access admission instruction to the switch so that the switch releases the access device's access to the network; and when the access device's access to the network is an abnormal access, sending an access blocking instruction to the switch so that the switch blocks the access device's access to the network.
According to an embodiment of the present disclosure, the method further includes:
receiving from an administrator admission instructions for certain abnormal access devices, and sending those admission instructions to the switch so that the switch admits those abnormal access devices' access to the network.
According to an embodiment of the present disclosure, the method further includes: sending the device information of an access device whose access is abnormal to the administrator.
A second aspect of the present disclosure provides a network admission control apparatus including a traffic collection module, a traffic analysis module and an admission control module, wherein:
the traffic collection module is configured to collect the network traffic data generated by an access device accessing the network;
the traffic analysis module is configured to analyse the network traffic data and determine whether the access device's access to the network is an abnormal access;
and the admission control module is configured to send an instruction to release or block the access device's access to the network based on the result of determining whether that access is an abnormal access.
According to an embodiment of the present disclosure, the access device accesses the network through a switch, and the network is an intranet.
According to an embodiment of the present disclosure, collecting the network traffic data generated by the access device accessing the network specifically includes: collecting, on a traffic mirror port of the switch, all mirrored traffic of the access device's access to the network as the network traffic data.
According to an embodiment of the present disclosure, the network traffic data includes: a device fingerprint that uniquely identifies the access device, the access time of the access device, the access duration of the access device, the device type of the access device, and the source of the network traffic data.
According to an embodiment of the present disclosure, the network traffic data is stored in a database.
According to an embodiment of the present disclosure, analysing the network traffic data and determining whether the access device's access to the network is an abnormal access specifically includes:
for the network traffic data, determining the probability that the access device's access to the network is a normal access or an abnormal access through a model, established by a supervised machine learning algorithm, between feature information in historical network traffic data and device information in a blacklist/whitelist policy library, comparing the probability with a preset threshold, and judging whether the access device's access to the network is an abnormal access, where the blacklist/whitelist policy library stores the device information corresponding to normal access devices and abnormal access devices.
According to an embodiment of the present disclosure, determining through the model the probability that the access device's access to the network is a normal access or an abnormal access, comparing the probability with a preset threshold and judging whether the access device's access to the network is an abnormal access specifically includes:
presetting a normal access probability, determining through the model the probability that the access device's access to the network is normal, comparing that probability with the preset normal access probability, judging the access to be normal when the determined probability is greater than the preset normal access probability, and judging the access to be abnormal when the determined probability is less than or equal to the preset normal access probability; or, alternatively,
presetting an abnormal access probability, determining through the model the probability that the access device's access to the network is abnormal, comparing that probability with the preset abnormal access probability, judging the access to be abnormal when the determined probability is greater than the preset abnormal access probability, and judging the access to be normal when the determined probability is less than or equal to the preset abnormal access probability.
According to an embodiment of the present disclosure, the model between the feature information in the historical network traffic data and the device information in the blacklist/whitelist policy library is established as follows: the device information in the blacklist/whitelist policy library is taken as a first data label, and a model between the feature information in the historical network traffic data and the first data label is established by a supervised machine learning algorithm.
According to an embodiment of the present disclosure, the blacklist/whitelist policy library is established as follows: the historical network traffic data is clustered using an unsupervised clustering algorithm, and the device information corresponding to the normal access devices and abnormal access devices obtained by the clustering operation is added to the blacklist/whitelist policy library.
According to an embodiment of the present disclosure, clustering the historical network traffic data using an unsupervised clustering algorithm and adding the device information corresponding to the normal and abnormal access devices obtained by the clustering to the blacklist/whitelist policy library specifically includes:
extracting feature information from the historical network traffic data;
clustering the feature information using an unsupervised clustering algorithm, and dividing the access devices into normal access devices and abnormal access devices;
and adjusting the clustering result in combination with historical experience, and adding the adjusted device information corresponding to the normal access devices and abnormal access devices to the blacklist/whitelist policy library.
According to an embodiment of the present disclosure, an administrator may also add device information to, or delete it from, the blacklist/whitelist policy library according to actual conditions.
According to an embodiment of the present disclosure, the feature information includes the access time, access duration and device type of the access device; the device information includes the device fingerprint corresponding to the device and flag information indicating whether the device is an abnormal access device or a normal access device.
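The library-construction steps above, and the identical steps in the first-aspect method: an added Python illustration that is not the patent's own code. It clusters constructed historical records on the three named features (access time, access duration, device type), flags the larger cluster as normal, and applies an administrator's experience-based adjustment before writing the blacklist/whitelist policy library. The device-type encoding, the [0, 1] scaling, the deterministic 2-means initialisation and the "larger cluster is normal" rule are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Device types encoded as small integers (an assumption; the patent only names
# "device type" as a feature without saying how it is encoded).
DEVICE_TYPE_CODE = {"laptop": 0, "desktop": 1, "usb-nic": 2}


@dataclass(frozen=True)
class TrafficRecord:
    fingerprint: str    # uniquely identifies the access device
    access_hour: int    # hour of day at which the device connected (0-23)
    duration_min: int   # access duration in minutes
    device_type: str    # one of DEVICE_TYPE_CODE


def features(rec: TrafficRecord) -> Tuple[float, float, float]:
    """Extract and scale the three features the patent names: access time,
    access duration and device type (scaling to [0, 1] is our assumption)."""
    return (rec.access_hour / 24.0,
            min(rec.duration_min, 600) / 600.0,
            DEVICE_TYPE_CODE[rec.device_type] / 2.0)


def _dist2(a: Tuple[float, ...], b: Tuple[float, ...]) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def two_means(points: List[Tuple[float, ...]], max_iter: int = 20) -> List[int]:
    """Deterministic 2-means clustering: centroid 0 starts at the first point,
    centroid 1 at the point farthest from it. Returns each point's cluster index."""
    centroids = [points[0], max(points, key=lambda p: _dist2(p, points[0]))]
    labels: List[int] = []
    for _ in range(max_iter):
        new_labels = [0 if _dist2(p, centroids[0]) <= _dist2(p, centroids[1]) else 1
                      for p in points]
        if new_labels == labels:
            break                      # assignment stable: converged
        labels = new_labels
        for k in (0, 1):
            members = [p for p, lab in zip(points, labels) if lab == k]
            if members:
                centroids[k] = tuple(sum(col) / len(members) for col in zip(*members))
    return labels


def build_policy_library(history: List[TrafficRecord],
                         overrides: Dict[str, str]) -> Dict[str, str]:
    """Cluster the historical records into two groups, flag the larger group
    "normal" and the smaller "abnormal" (assumption: most historical intranet
    traffic is legitimate), then apply the administrator's experience-based
    adjustments. Returns fingerprint -> "normal" | "abnormal"."""
    labels = two_means([features(r) for r in history])
    normal_cluster = 0 if labels.count(0) >= labels.count(1) else 1
    library = {r.fingerprint: "normal" if lab == normal_cluster else "abnormal"
               for r, lab in zip(history, labels)}
    library.update(overrides)          # "adjusting ... combining historical experience"
    return library


# Constructed historical records: office-hours laptops/desktops with long
# sessions, plus two short night-time sessions from USB network cards.
HISTORY = [
    TrafficRecord("fp-a1", 9, 420, "laptop"),
    TrafficRecord("fp-b2", 10, 480, "laptop"),
    TrafficRecord("fp-c3", 14, 300, "desktop"),
    TrafficRecord("fp-d4", 8, 450, "desktop"),
    TrafficRecord("fp-e5", 11, 360, "laptop"),
    TrafficRecord("fp-x9", 2, 5, "usb-nic"),
    TrafficRecord("fp-y8", 3, 8, "usb-nic"),
]
# Constructed administrator adjustment: fp-e5 is known to have been retired.
OVERRIDES = {"fp-e5": "abnormal"}

if __name__ == "__main__":
    for fp, flag in sorted(build_policy_library(HISTORY, OVERRIDES).items()):
        print(fp, flag)
```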
According to an embodiment of the present disclosure, the traffic analysis module is further configured to judge whether the access device corresponding to the network traffic data exists in the blacklist/whitelist policy library; if it does, to judge directly, based on the device information in the blacklist/whitelist policy library, whether the access device's access to the network is an abnormal access; and if it does not, to execute the step of analysing the network traffic data and determining whether the access device's access to the network is an abnormal access.
According to an embodiment of the present disclosure, judging whether the access device corresponding to the network traffic data exists in the blacklist/whitelist policy library specifically includes:
judging whether the device fingerprint of the access device corresponding to the network traffic data exists in the blacklist/whitelist policy library.
According to an embodiment of the present disclosure, judging directly, based on the device information in the blacklist/whitelist policy library, whether the access device's access to the network is an abnormal access specifically includes:
querying the flag information corresponding to the device fingerprint of the access device in the blacklist/whitelist policy library, and judging whether the access device's access to the network is an abnormal access based on that flag information.
According to an embodiment of the present disclosure, after judging whether the access device's access to the network is an abnormal access, the device information corresponding to the access device is added to the blacklist/whitelist policy library.
According to an embodiment of the present disclosure, the traffic collection module is further configured to clean or preprocess the network traffic data.
According to an embodiment of the present disclosure, sending to the switch an instruction to release or block the access device's access to the network based on the result of determining whether that access is an abnormal access includes:
when the access device's access to the network is a normal access, sending an access admission instruction to the switch so that the switch releases the access device's access to the network; and when the access device's access to the network is an abnormal access, sending an access blocking instruction to the switch so that the switch blocks the access device's access to the network.
According to an embodiment of the present disclosure, the admission control module is further configured to receive from an administrator admission instructions for certain abnormal access devices, and to send those admission instructions to the switch so that the switch admits those abnormal access devices' access to the network.
According to an embodiment of the present disclosure, the apparatus further includes an alarm module configured to send the device information of an access device whose access is abnormal to the administrator.
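The analysis and admission-control flow of the second aspect (the same flow as the first-aspect method): an added Python illustration, not the patent's own code. It checks the device fingerprint against the policy library, asks a supervised model only for unknown devices, applies either of the two threshold forms, records the verdict back into the library, produces the admit/block instruction for the switch, keeps the alarm list and handles the administrator's admission. k-nearest neighbours as the supervised model, the feature encoding, the thresholds and all records are assumptions; the switch itself is not modelled.

```python
from dataclasses import dataclass
from typing import List, Tuple

DEVICE_TYPE_CODE = {"laptop": 0, "desktop": 1, "usb-nic": 2}  # assumed encoding


@dataclass(frozen=True)
class TrafficRecord:
    fingerprint: str        # uniquely identifies the access device
    access_hour: int        # access time, hour of day (0-23)
    duration_min: int       # access duration in minutes
    device_type: str        # one of DEVICE_TYPE_CODE
    source: str = "mirror"  # source of the traffic data (switch mirror port)


@dataclass(frozen=True)
class Instruction:
    action: str       # "admit" or "block": what the switch is told to do
    fingerprint: str
    reason: str       # "library", "model" or "administrator"


def features(rec: TrafficRecord) -> Tuple[float, float, float]:
    return (rec.access_hour / 24.0, min(rec.duration_min, 600) / 600.0,
            DEVICE_TYPE_CODE[rec.device_type] / 2.0)


class KnnModel:
    """Supervised model between historical feature vectors and the library's
    normal/abnormal flags (the "first data label"). k-nearest neighbours stands
    in for the supervised algorithm the patent leaves unspecified."""

    def __init__(self, history, library, k=3):
        self.k = k
        self.samples = [(features(r), library[r.fingerprint])
                        for r in history if r.fingerprint in library]

    def p_normal(self, rec: TrafficRecord) -> float:
        """Probability of normal access = share of normal nearest neighbours."""
        x = features(rec)
        nearest = sorted(self.samples,
                         key=lambda s: sum((a - b) ** 2 for a, b in zip(s[0], x)))[:self.k]
        return sum(1 for _, flag in nearest if flag == "normal") / len(nearest)


class AdmissionController:
    """Library lookup first, model only for unknown devices, then one
    admit/block instruction per device for the switch."""

    def __init__(self, library, model, normal_threshold=None, abnormal_threshold=None):
        # Exactly one of the two threshold forms in the patent is in use.
        if (normal_threshold is None) == (abnormal_threshold is None):
            raise ValueError("set exactly one of normal_threshold / abnormal_threshold")
        self.library, self.model = library, model
        self.normal_threshold, self.abnormal_threshold = normal_threshold, abnormal_threshold
        self.alerts: List[str] = []   # abnormal devices reported to the administrator

    def _model_says_abnormal(self, rec: TrafficRecord) -> bool:
        p_normal = self.model.p_normal(rec)
        if self.normal_threshold is not None:               # first form
            return not p_normal > self.normal_threshold
        return (1.0 - p_normal) > self.abnormal_threshold   # second form

    def decide(self, rec: TrafficRecord) -> Instruction:
        if rec.fingerprint in self.library:         # known device: use its flag
            abnormal, reason = self.library[rec.fingerprint] == "abnormal", "library"
        else:                                       # unknown device: ask the model
            abnormal, reason = self._model_says_abnormal(rec), "model"
            self.library[rec.fingerprint] = "abnormal" if abnormal else "normal"
        if abnormal:
            self.alerts.append(rec.fingerprint)     # alarm module: notify the admin
        return Instruction("block" if abnormal else "admit", rec.fingerprint, reason)

    def admin_admit(self, fingerprint: str) -> Instruction:
        """Administrator's explicit admission of a device judged abnormal."""
        self.library[fingerprint] = "normal"
        return Instruction("admit", fingerprint, "administrator")


# Constructed historical records and the library flags they were given.
HISTORY = [
    TrafficRecord("fp-a1", 9, 420, "laptop"), TrafficRecord("fp-b2", 10, 480, "laptop"),
    TrafficRecord("fp-c3", 14, 300, "desktop"), TrafficRecord("fp-d4", 8, 450, "desktop"),
    TrafficRecord("fp-e5", 11, 360, "laptop"), TrafficRecord("fp-x9", 2, 5, "usb-nic"),
    TrafficRecord("fp-y8", 3, 8, "usb-nic"),
]
LIBRARY = {"fp-a1": "normal", "fp-b2": "normal", "fp-c3": "normal", "fp-d4": "normal",
           "fp-e5": "normal", "fp-x9": "abnormal", "fp-y8": "abnormal"}


def run_demo(normal_threshold=0.5, abnormal_threshold=None) -> List[Instruction]:
    ctrl = AdmissionController(dict(LIBRARY), KnnModel(HISTORY, LIBRARY),
                               normal_threshold, abnormal_threshold)
    return [ctrl.decide(TrafficRecord("fp-a1", 9, 400, "laptop")),      # known, normal
            ctrl.decide(TrafficRecord("fp-new1", 13, 200, "desktop")),  # unknown, office hours
            ctrl.decide(TrafficRecord("fp-new2", 3, 4, "usb-nic")),     # unknown, night USB NIC
            ctrl.decide(TrafficRecord("fp-new2", 4, 6, "usb-nic")),     # now known from library
            ctrl.admin_admit("fp-new2")]
```

Calling `run_demo()` with the default normal-probability threshold, or `run_demo(None, 0.5)` for the abnormal-probability form, yields the same five instructions: admit, admit, block, block, admit.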
A third aspect of the present disclosure provides a network admission control system including an access device, a network admission control apparatus as described above, and a switch, wherein:
the access device is configured to access the network through the switch;
and the switch is configured to receive the instruction sent by the network admission control apparatus and to release or block the access device's access to the network based on that instruction.
A fourth aspect of the present disclosure provides an electronic device, comprising: one or more processors; memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform a network admission control method as described above.
A fifth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform a network admission control method as described above.
A sixth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements a network admission control method as described above.
Embodiments of the present disclosure provide a network admission control method, apparatus, system, device, medium and product that can automatically judge, from the analysis result of the network traffic data, whether a device is allowed to access the network, avoid the risk that binding to a single MAC address can be bypassed, apply to any device accessing the intranet, and perform all analysis, judgement and handling in a network admission control apparatus connected to the switch.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, which proceeds with reference to the accompanying drawings, in which:
Fig. 1 schematically illustrates a flow chart of a network admission control method according to an embodiment of the present disclosure;
Fig. 2 schematically shows a block diagram of a network admission control apparatus according to an embodiment of the present disclosure;
Fig. 3 schematically illustrates a block diagram of a network admission control system according to an embodiment of the present disclosure;
Fig. 4 schematically shows a block diagram of an electronic device adapted to implement a network admission control method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
Compared with the prior art, the present disclosure provides a network admission control method, apparatus, system, device, medium and product, where the network admission control method includes: collecting network traffic data generated by access equipment accessing the network; analyzing the network flow data, and determining whether the access of the access equipment to the network is abnormal access; and sending an instruction for releasing or blocking the access of the access device to the network to a switch based on the result of determining whether the access of the access device to the network is abnormal access. According to the scheme, a client is not required to be installed in the equipment, whether the equipment is abnormal access equipment or not is automatically judged according to the captured network flow data and based on a semi-supervised learning algorithm in machine learning, the abnormal access equipment can be accurately determined, access of the abnormal access equipment to an enterprise intranet is blocked, and the security and the protection capability of the enterprise intranet are improved.
A network admission control method, apparatus, system, device, medium, and article of manufacture of embodiments of the present disclosure are described in detail below with reference to fig. 1-4.
Fig. 1 schematically shows a flow chart of a network admission control method according to an embodiment of the present disclosure.
As shown in fig. 1, this embodiment provides a network admission control method, where the method includes operations S101 to S104, and specifically the following steps:
in operation S101, network traffic data generated by an access device accessing the network is collected.
The access device accesses the network through a switch, and the network may be an enterprise intranet. All traffic data of the access device accessing the network is collected by configuring a traffic mirror port on the switch, and all the mirrored traffic data of the access device accessing the network is then collected through a traffic collection module to serve as the network traffic data.
The network traffic data includes: a device fingerprint to uniquely identify the access device, an access time of the access device, an access duration of the access device, a device type of the access device, a source of the network traffic data.
The operation S101 further includes: storing the network traffic data in a database.
In operation S102, the network traffic data is analyzed to determine whether the access device accesses the network abnormally.
Before the network traffic data is analyzed to determine whether the access of the access device to the network is abnormal access, operation S102 further includes: cleaning or preprocessing the network traffic data.
Analyzing the network traffic data and determining whether the access of the access device to the network is abnormal access includes: for the network traffic data, determining the probability that the access of the access device to the network is normal access or abnormal access through a model, established by a supervised machine learning algorithm, between feature information in historical network traffic data and device information in a black-and-white list policy library; comparing the probability with a preset threshold value; and judging whether the access of the access device to the network is abnormal access, wherein the black-and-white list policy library stores the device information corresponding to normal access devices and abnormal access devices.
Determining the probability that the access of the access device to the network is normal access or abnormal access through the model between the feature information in the historical network traffic data and the device information in the black-and-white list policy library, comparing the probability with the preset threshold value, and judging whether the access of the access device to the network is abnormal access specifically includes the following steps:
presetting a normal access probability; determining the probability that the access of the access device to the network is normal access through the model, established by a supervised machine learning algorithm, between the feature information in the historical network traffic data and the device information in the black-and-white list policy library; comparing the determined probability of normal access with the preset normal access probability; judging that the access of the access device to the network is normal access when the determined probability of normal access is greater than the preset normal access probability; and judging that the access of the access device to the network is abnormal access when the determined probability of normal access is less than or equal to the preset normal access probability; or,
presetting an abnormal access probability; determining the probability that the access of the access device to the network is abnormal access through the model, established by a supervised machine learning algorithm, between the feature information in the historical network traffic data and the device information in the black-and-white list policy library; comparing the determined probability of abnormal access with the preset abnormal access probability; judging that the access of the access device to the network is abnormal access when the determined probability of abnormal access is greater than the preset abnormal access probability; and judging that the access of the access device to the network is normal access when the determined probability of abnormal access is less than or equal to the preset abnormal access probability.
The model between the feature information in the historical network traffic data and the device information in the black-and-white list policy library is established as follows: the device information in the black-and-white list policy library is taken as a first data label, and a model between the feature information in the historical network traffic data and the first data label is established through a supervised machine learning algorithm.
The black-and-white list policy library is established as follows: the historical network traffic data is clustered using an unsupervised clustering algorithm, and the device information corresponding to the normal access devices and abnormal access devices obtained by the clustering operation is added to the black-and-white list policy library. In addition, the device information in the black-and-white list policy library can be added or deleted by an administrator according to actual conditions.
Clustering the historical network traffic data using the unsupervised clustering algorithm and adding the device information corresponding to the normal access devices and abnormal access devices obtained by the clustering operation to the black-and-white list policy library specifically includes the following steps:
1) extracting characteristic information of the historical network traffic data;
2) clustering the characteristic information by using an unsupervised clustering algorithm, and dividing the access equipment into normal access equipment and abnormal access equipment;
3) adjusting the result of the clustering operation in combination with historical experience, and adding the adjusted device information corresponding to the normal access devices and abnormal access devices to the black-and-white list policy library.
The characteristic information comprises access time, access duration and equipment type of access equipment. The device information includes a device fingerprint corresponding to the device and flag information that the device is an abnormal access device or a normal access device.
Before the network traffic data is analyzed to determine whether the access of the access device to the network is abnormal access, operation S102 further includes: judging whether the access device corresponding to the network traffic data exists in the black-and-white list policy library; if it exists, directly judging whether the access of the access device to the network is abnormal access based on the device information in the black-and-white list policy library; and if the access device does not exist in the black-and-white list policy library, executing the step of analyzing the network traffic data and determining whether the access of the access device to the network is abnormal access.
Judging whether the access device corresponding to the network traffic data exists in the black-and-white list policy library specifically includes: judging whether the device fingerprint of the access device corresponding to the network traffic data exists in the black-and-white list policy library.
Directly judging, based on the device information in the black-and-white list policy library, whether the access of the access device to the network is abnormal access specifically includes: querying the flag information corresponding to the device fingerprint of the access device in the black-and-white list policy library, and judging whether the access of the access device to the network is abnormal access based on the flag information.
Operation S102 further includes: after judging whether the access of the access device to the network is abnormal access, adding the device information corresponding to the access device to the black-and-white list policy library.
Adding the device information corresponding to the access device to the black-and-white list policy library after judging whether the access of the access device to the network is abnormal access specifically includes: if the access of the access device to the network is judged to be normal access, adding the device information corresponding to the normal access device to the black-and-white list policy library; and if the access of the access device to the network is judged to be abnormal access, adding the device information corresponding to the abnormal access device to the black-and-white list policy library. By continuously supplementing the device information in the black-and-white list policy library, more sample data can be accumulated for the next modeling process.
In operation S103, an instruction to release or block the access of the access device to the network is sent to the switch based on the result of determining whether the access of the access device to the network is abnormal access.
Sending, to the switch, an instruction to release or block the access of the access device to the network based on the result of determining whether the access of the access device to the network is abnormal access specifically includes: when the access of the access device to the network is normal access, sending an access admission instruction to the switch so that the switch releases the access of the access device to the network; and when the access of the access device to the network is abnormal access, sending an access blocking instruction to the switch so that the switch blocks the access of the access device to the network.
Operation S103 further includes: receiving from an administrator admission instructions for certain abnormal access devices, and sending the admission instructions for those abnormal access devices to the switch so that the switch admits the access of those abnormal access devices to the network.
Operation S103 further includes: storing all log information generated by the network admission control, so as to facilitate subsequent auditing.
In operation S104, device information of the access device accessed abnormally is transmitted to the administrator.
By sending the device information of the access device which is accessed abnormally to the administrator, the administrator can judge whether the blocking of the access device needs to be released or not after knowing the relevant situation.
Sending the device information of the abnormally accessing access device to the administrator specifically includes: sending information such as the device fingerprint, access time and access duration of the blocked, abnormally accessing access device to the administrator by message, mail or other means.
By means of the network admission control method provided by the present disclosure, whether the access of an access device to the network is allowed can be automatically judged based on the analysis result of the network traffic data, and the risk of bypassing binding through a single MAC address can be avoided. The method is applicable to any device accessing the intranet. All analysis, judgment and disposal are performed in the network admission control apparatus connected to the switch, so the access terminal does not need to install any program, the method is highly general, and leakage of the analysis model is avoided. Anomaly detection and analysis based on a semi-supervised machine learning algorithm can improve the accuracy of abnormal access discovery, meeting the requirements of service development and information security and improving the security of the enterprise intranet.
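Operations S101 to S104 as an added, runnable sketch (example code, not from the patent or its assignee): a k-nearest-neighbour vote over labelled historical records stands in for the unspecified supervised algorithm, the clustering step is represented by pre-assigned library flags, and all fingerprints, traffic records, the 0.5 threshold and the feature scaling are constructed assumptions.

```python
"""Toy walk-through of operations S101-S104 (constructed data, not from the patent):
library fast path, model probability vs preset threshold, switch instruction,
library update, administrator alert, audit log."""
from __future__ import annotations
from dataclasses import dataclass
from math import sqrt

DEVICE_TYPES = ["laptop", "printer", "camera", "unknown"]  # assumed device-type set


@dataclass
class TrafficRecord:
    """One observation of mirrored traffic (the 'network traffic data' of S101)."""
    fingerprint: str     # device fingerprint, assumed unique per device
    access_hour: float   # hour of day at which the access began
    duration_min: float  # access duration in minutes
    device_type: str
    source: str          # where the traffic was captured, e.g. a mirror port


class PolicyLibrary:
    """Black-and-white list policy library: fingerprint -> 'normal' | 'abnormal'."""
    def __init__(self) -> None:
        self.flags: dict[str, str] = {}
    def lookup(self, fingerprint: str) -> str | None:
        return self.flags.get(fingerprint)
    def add(self, fingerprint: str, flag: str) -> None:
        self.flags[fingerprint] = flag


def features(rec: TrafficRecord) -> list[float]:
    """Feature information: scaled access time, scaled duration, one-hot device type."""
    onehot = [1.0 if rec.device_type == t else 0.0 for t in DEVICE_TYPES]
    return [rec.access_hour / 24.0, min(rec.duration_min, 600.0) / 600.0] + onehot


class KnnModel:
    """Stand-in for the unspecified supervised algorithm: library flags are the
    data labels, and P(normal) is the share of the k nearest labelled historical
    records that are flagged normal."""
    def __init__(self, k: int = 3) -> None:
        self.k = k
        self.samples: list[tuple[list[float], str]] = []
    def fit(self, history: list[TrafficRecord], library: PolicyLibrary) -> None:
        self.samples = [(features(r), library.lookup(r.fingerprint))
                        for r in history if library.lookup(r.fingerprint) is not None]
    def prob_normal(self, rec: TrafficRecord) -> float:
        x = features(rec)
        ranked = sorted((sqrt(sum((a - b) ** 2 for a, b in zip(x, fx))), lab)
                        for fx, lab in self.samples)
        nearest = ranked[: self.k]
        return sum(1 for _, lab in nearest if lab == "normal") / len(nearest)


class AdmissionController:
    """S102-S104 in one place; the switch is represented by the returned instruction."""
    def __init__(self, library: PolicyLibrary, model: KnnModel,
                 normal_threshold: float = 0.5) -> None:
        self.library, self.model = library, model
        self.normal_threshold = normal_threshold  # the preset normal access probability
        self.audit_log: list[str] = []
    def decide(self, rec: TrafficRecord) -> tuple[str, str, dict | None]:
        flag = self.library.lookup(rec.fingerprint)
        if flag is not None:
            basis = "policy library"  # known fingerprint: no model evaluation needed
        else:
            p = self.model.prob_normal(rec)
            # p > preset normal probability -> normal; otherwise abnormal
            flag = "normal" if p > self.normal_threshold else "abnormal"
            basis = f"model P(normal)={p:.2f}"
            self.library.add(rec.fingerprint, flag)  # grow the sample base for re-modelling
        instruction = "PERMIT" if flag == "normal" else "BLOCK"  # S103
        alert = None
        if flag == "abnormal":  # S104: administrator gets fingerprint, time, duration
            alert = {"fingerprint": rec.fingerprint, "access_hour": rec.access_hour,
                     "duration_min": rec.duration_min}
        self.audit_log.append(f"{rec.fingerprint} {flag} {instruction} ({basis})")
        return flag, instruction, alert
    def admin_release(self, fingerprint: str) -> str:
        """Administrator admits a blocked device: library corrected, PERMIT sent."""
        self.library.add(fingerprint, "normal")
        self.audit_log.append(f"{fingerprint} normal PERMIT (administrator)")
        return "PERMIT"


def build_demo() -> AdmissionController:
    """Constructed history; the flags stand for the clustering step's output."""
    history = [
        (TrafficRecord("aa:01", 9, 480, "laptop", "mirror"), "normal"),
        (TrafficRecord("aa:02", 10, 420, "laptop", "mirror"), "normal"),
        (TrafficRecord("aa:03", 8, 30, "printer", "mirror"), "normal"),
        (TrafficRecord("bb:01", 3, 5, "unknown", "mirror"), "abnormal"),
        (TrafficRecord("bb:02", 2, 12, "unknown", "mirror"), "abnormal"),
        (TrafficRecord("bb:03", 23, 8, "laptop", "mirror"), "abnormal"),
    ]
    library = PolicyLibrary()
    for rec, flag in history:
        library.add(rec.fingerprint, flag)
    model = KnnModel(k=3)
    model.fit([rec for rec, _ in history], library)
    return AdmissionController(library, model)
```

A fingerprint already present in the library is decided from its flag alone, which is why the administrator's override writes to the library rather than to the model.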
Based on the network admission control method shown in fig. 1, the present disclosure also provides a network admission control apparatus. The apparatus will be described in detail below with reference to fig. 2.
Fig. 2 schematically shows a block diagram of a network admission control device according to an embodiment of the present disclosure.
As shown in fig. 2, this embodiment provides a network admission control apparatus 200, where the apparatus 200 includes a traffic collection module 201, a traffic analysis module 202, an admission control module 203, and an alarm module 204.
The traffic collection module 201 is configured to collect network traffic data generated when the access device accesses the network.
The access device accesses the network through a switch, and the network may be an enterprise intranet. All traffic data of the access device accessing the network is collected by configuring a traffic mirror port on the switch, and all the mirrored traffic data of the access device accessing the network is then collected through the traffic collection module to serve as the network traffic data.
The network traffic data includes: a device fingerprint to uniquely identify the access device, an access time of the access device, an access duration of the access device, a device type of the access device, a source of the network traffic data.
The traffic collection module 201 is further configured to store the network traffic data in a database.
The traffic analysis module 202 is configured to analyze the network traffic data, and determine whether the access to the network by the access device is an abnormal access.
The traffic analysis module 202 is further configured to perform cleaning or preprocessing on the network traffic data before analyzing the network traffic data.
Analyzing the network traffic data and determining whether the access of the access device to the network is abnormal access includes: for the network traffic data, determining the probability that the access of the access device to the network is normal access or abnormal access through a model, established by a supervised machine learning algorithm, between feature information in historical network traffic data and device information in a black-and-white list policy library; comparing the probability with a preset threshold value; and judging whether the access of the access device to the network is abnormal access, wherein the black-and-white list policy library stores the device information corresponding to normal access devices and abnormal access devices.
Determining the probability that the access of the access device to the network is normal access or abnormal access through the model between the feature information in the historical network traffic data and the device information in the black-and-white list policy library, comparing the probability with the preset threshold value, and judging whether the access of the access device to the network is abnormal access specifically includes the following steps:
presetting a normal access probability; determining the probability that the access of the access device to the network is normal access through the model, established by a supervised machine learning algorithm, between the feature information in the historical network traffic data and the device information in the black-and-white list policy library; comparing the determined probability of normal access with the preset normal access probability; judging that the access of the access device to the network is normal access when the determined probability of normal access is greater than the preset normal access probability; and judging that the access of the access device to the network is abnormal access when the determined probability of normal access is less than or equal to the preset normal access probability; or,
presetting an abnormal access probability; determining the probability that the access of the access device to the network is abnormal access through the model, established by a supervised machine learning algorithm, between the feature information in the historical network traffic data and the device information in the black-and-white list policy library; comparing the determined probability of abnormal access with the preset abnormal access probability; judging that the access of the access device to the network is abnormal access when the determined probability of abnormal access is greater than the preset abnormal access probability; and judging that the access of the access device to the network is normal access when the determined probability of abnormal access is less than or equal to the preset abnormal access probability.
The model between the feature information in the historical network traffic data and the device information in the black-and-white list policy library is established as follows: the device information in the black-and-white list policy library is taken as a first data label, and a model between the feature information in the historical network traffic data and the first data label is established through a supervised machine learning algorithm.
The black-and-white list policy library is established as follows: the historical network traffic data is clustered using an unsupervised clustering algorithm, and the device information corresponding to the normal access devices and abnormal access devices obtained by the clustering operation is added to the black-and-white list policy library. In addition, the device information in the black-and-white list policy library can be added or deleted by an administrator according to actual conditions.
Clustering the historical network traffic data using the unsupervised clustering algorithm and adding the device information corresponding to the normal access devices and abnormal access devices obtained by the clustering operation to the black-and-white list policy library specifically includes the following steps:
1) extracting characteristic information of the historical network traffic data;
2) clustering the characteristic information by using an unsupervised clustering algorithm, and dividing the access equipment into normal access equipment and abnormal access equipment;
3) adjusting the result of the clustering operation in combination with historical experience, and adding the adjusted device information corresponding to the normal access devices and abnormal access devices to the black-and-white list policy library.
The characteristic information comprises access time, access duration and equipment type of access equipment. The device information includes a device fingerprint corresponding to the device and flag information that the device is an abnormal access device or a normal access device.
The traffic analysis module 202 is further configured to, before analyzing the network traffic data, judge whether the access device corresponding to the network traffic data exists in the black-and-white list policy library; if the access device exists in the black-and-white list policy library, directly judge whether the access of the access device to the network is abnormal access based on the device information in the black-and-white list policy library; and if the access device does not exist in the black-and-white list policy library, execute the step of analyzing the network traffic data and determining whether the access of the access device to the network is abnormal access.
Judging whether the access device corresponding to the network traffic data exists in the black-and-white list policy library specifically includes: judging whether the device fingerprint of the access device corresponding to the network traffic data exists in the black-and-white list policy library.
Directly judging, based on the device information in the black-and-white list policy library, whether the access of the access device to the network is abnormal access specifically includes: querying the flag information corresponding to the device fingerprint of the access device in the black-and-white list policy library, and judging whether the access of the access device to the network is abnormal access based on the flag information.
The traffic analysis module 202 is further configured to add the device information corresponding to the access device to the black-and-white list policy library after judging whether the access of the access device to the network is abnormal access.
Adding the device information corresponding to the access device to the black-and-white list policy library after judging whether the access of the access device to the network is abnormal access specifically includes: if the access of the access device to the network is judged to be normal access, adding the device information corresponding to the normal access device to the black-and-white list policy library; and if the access of the access device to the network is judged to be abnormal access, adding the device information corresponding to the abnormal access device to the black-and-white list policy library. By continuously supplementing the device information in the black-and-white list policy library, more sample data can be accumulated for the next modeling process.
The admission control module 203 is configured to send, to the switch, an instruction to release or block the access of the access device to the network based on the result of determining whether the access of the access device to the network is abnormal access.
The sending, to the switch, an instruction to release or block the access to the network by the access device based on the result of determining whether the access to the network by the access device is an abnormal access, specifically includes: when the access equipment accesses the network normally, an access admission instruction is sent to the switch, so that the switch releases the access of the access equipment to the network; and when the access of the access equipment to the network is abnormal access, sending an access blocking instruction to the switch, so that the switch blocks the access of the access equipment to the network.
The admission control module 203 is further configured to receive an admission access instruction for some abnormal access devices from an administrator, and send the admission access instruction for some abnormal access devices to a switch, so that the switch admits access to a network by some abnormal access devices.
The admission control module 203 is further configured to store all log information generated by access control on the network, so as to facilitate future auditing.
The alarm module 204 is configured to send device information of the access device that is accessed abnormally to an administrator.
By sending the device information of the access device which is accessed abnormally to the administrator, the administrator can judge whether the blocking of the access device needs to be released or not after knowing the relevant conditions.
Sending the device information of the abnormally accessing access device to the administrator specifically includes: sending information such as the device fingerprint, access time and access duration of the blocked, abnormally accessing access device to the administrator by message, mail or other means.
By means of the network admission control apparatus provided by the present disclosure, whether the access of an access device to the network is allowed can be automatically judged based on the analysis result of the network traffic data, and the risk of bypassing binding through a single MAC address can be avoided. The apparatus is applicable to any device accessing the intranet. All analysis, judgment and disposal are performed in the network admission control apparatus connected to the switch, so the access terminal does not need to install any program, the apparatus is highly general, and leakage of the analysis model is avoided. Anomaly detection and analysis based on a semi-supervised machine learning algorithm can improve the accuracy of abnormal access discovery, meeting the requirements of service development and information security and improving the security of the enterprise intranet.
Based on the network admission control method and device shown in fig. 1 and fig. 2, the present disclosure also provides a network admission control system. This system will be described in detail below in conjunction with fig. 3.
Fig. 3 schematically shows a block diagram of a network admission control system according to an embodiment of the present disclosure.
As shown in fig. 3, this embodiment provides a network admission control system 300, where the system 300 includes an access device 301, a network admission control apparatus 302 and a switch 303.
The access device 301 is configured to access a network through the switch. The network may be an intranet.
The network admission control apparatus 302 is the network admission control apparatus 200 related to the above disclosure, and the functions and module compositions implemented by the apparatus are completely the same as those implemented by the network admission control apparatus 200 related to the above disclosure, and includes a traffic collection module 3021, a traffic analysis module 3022, an admission control module 3023, and an alarm module 3024, which are completely the same as the traffic collection module 201, the traffic analysis module 202, the admission control module 203, and the alarm module 204 in fig. 2.
The switch 303 is configured to receive the instruction sent by the network admission control apparatus 302, and to grant or block the access to the network by the access device based on the instruction.
Fig. 4 schematically shows a block diagram of an electronic device adapted to implement a network admission control method according to an embodiment of the present disclosure.
As shown in fig. 4, an electronic device 400 according to an embodiment of the present disclosure includes a processor 401 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)402 or a program loaded from a storage section 408 into a Random Access Memory (RAM) 403. Processor 401 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 401 may also include onboard memory for caching purposes. Processor 401 may include a single processing unit or multiple processing units for performing the different actions of the method flows in accordance with embodiments of the present disclosure.
In the RAM 403, various programs and data necessary for the operation of the electronic apparatus 400 are stored. The processor 401, ROM 402 and RAM 403 are connected to each other by a bus 404. The processor 401 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 402 and/or the RAM 403. Note that the programs may also be stored in one or more memories other than the ROM 402 and RAM 403. The processor 401 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, electronic device 400 may also include an input/output (I/O) interface 405, input/output (I/O) interface 405 also being connected to bus 404. Electronic device 400 may also include one or more of the following components connected to I/O interface 405: an input section 406 including a keyboard, a mouse, and the like; an output section 407 including a display device such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 408 including a hard disk and the like; and a communication section 409 including a network interface card such as a LAN card, a modem, or the like. The communication section 409 performs communication processing via a network such as the internet. A driver 410 is also connected to the I/O interface 405 as needed. A removable medium 411 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 410 as necessary, so that a computer program read out therefrom is mounted into the storage section 408 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include ROM 402 and/or RAM 403 and/or one or more memories other than ROM 402 and RAM 403 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. When the computer program product runs in a computer system, the program code causes the computer system to implement the network admission control method provided by the embodiments of the present disclosure.
The computer program performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure when executed by the processor 401. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed in the form of a signal on a network medium, downloaded and installed through the communication section 409, and/or installed from the removable medium 411. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 409, and/or installed from the removable medium 411. The computer program, when executed by the processor 401, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In accordance with embodiments of the present disclosure, program code for executing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, these computer programs may be implemented using high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. The programming languages include, but are not limited to, Java, C++, Python, the C language, or the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (29)

1. A network admission control method, characterized in that the network admission control method comprises:
collecting network traffic data generated by access equipment accessing the network;
analyzing the network traffic data, and determining whether the access of the access device to the network is abnormal access; and
and sending an instruction for releasing or blocking the access of the access device to the network based on the result of determining whether the access of the access device to the network is abnormal access.
2. The network admission control method according to claim 1, wherein the access device accesses the network through a switch, and the network is an intranet.
3. The method according to claim 2, wherein the collecting network traffic data generated by the access device accessing the network specifically includes: acquiring, on a traffic mirror port of the switch, all mirrored traffic of the access device accessing the network as the network traffic data.
4. A method for network admission control according to claim 3, wherein said network traffic data comprises: a device fingerprint to uniquely identify the access device, an access time of the access device, an access duration of the access device, a device type of the access device, and a source of the network traffic data.
5. A method for network admission control according to claim 1 or 2, wherein said method further comprises: storing the network traffic data in a database.
6. The method according to claim 1, wherein the analyzing the network traffic data to determine whether the access to the network by the access device is an abnormal access includes:
for the network traffic data, determining the probability that the access of the access device to the network is normal access or abnormal access by means of a model, established by a supervised machine learning algorithm, between feature information in historical network traffic data and device information in a black-and-white list policy library; and
comparing the probability with a preset threshold value, and judging whether the access of the access device to the network is abnormal access,
wherein the black-and-white list policy library stores device information corresponding to normal access devices and abnormal access devices.
7. The method according to claim 6, wherein the comparing the probability with a preset threshold value to judge whether the access of the access device to the network is an abnormal access specifically includes:
presetting a normal access probability;
comparing the determined probability that the access of the access device to the network is normal access with the preset normal access probability;
when the determined probability that the access device accesses the network normally is larger than the preset normal access probability, judging that the access of the access device to the network is normal access; and
when the determined probability that the access device accesses the network normally is smaller than or equal to the preset normal access probability, judging that the access of the access device to the network is abnormal access;
or, alternatively, the comparing the probability with a preset threshold value to judge whether the access of the access device to the network is an abnormal access specifically includes:
presetting an abnormal access probability;
comparing the determined probability that the access of the access device to the network is abnormal access with the preset abnormal access probability;
when the determined probability that the access device accesses the network abnormally is larger than the preset abnormal access probability, judging that the access of the access device to the network is abnormal access; and
when the determined probability that the access device accesses the network abnormally is smaller than or equal to the preset abnormal access probability, judging that the access of the access device to the network is normal access.
8. The method according to claim 6 or 7, wherein the model between the feature information in the historical network traffic data and the device information in the black-and-white list policy library is established by: taking the device information in the black-and-white list policy library as a first data label, and establishing a model between the feature information in the historical network traffic data and the first data label through a supervised machine learning algorithm.
9. The network admission control method according to claim 6 or 7, wherein the black-and-white list policy library is established by: clustering historical network traffic data using an unsupervised clustering algorithm, and adding device information corresponding to the normal access devices and abnormal access devices obtained by the clustering operation to the black-and-white list policy library.
10. The network admission control method according to claim 9, wherein the clustering operation is performed on historical network traffic data by using an unsupervised clustering algorithm, and device information corresponding to normal access devices and abnormal access devices obtained by the clustering operation is added to a black-and-white list policy repository, specifically comprising:
extracting characteristic information of the historical network traffic data;
clustering the characteristic information by using an unsupervised clustering algorithm, and dividing the access equipment into normal access equipment and abnormal access equipment; and
and adjusting the result of the clustering operation by combining historical experience, and adding the adjusted equipment information corresponding to the normal access equipment and the abnormal access equipment into a black-and-white list policy library.
11. A method for network admission control according to claim 9, wherein the method further comprises: the administrator adding or deleting device information in the black-and-white list policy library as required.
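Claims 9 to 11 describe how the black-and-white list policy library is seeded: historical traffic is clustered by an unsupervised algorithm, the clusters are corrected against historical experience, and an administrator may then add or delete entries. The following is an added example of that procedure written for this page; it is not code from the patent. It uses a 2-cluster k-means (the claims do not name the clustering algorithm), the claim-12 feature set (access time, access duration, device type), an assumed device-type encoding, and an assumed rule that the cluster nearest to off-hours, short-session, unknown-type traffic is the abnormal one. The historical records are constructed for the example.

```python
"""Seeding the black-and-white list policy library from historical traffic
(claims 9-11).  Added example, not code from the patent.  The records, the
device-type encoding, the 2-cluster k-means and the rule that names one
cluster "abnormal" are assumptions made for this example."""
import math
from typing import Dict, List, Optional, Tuple

# Constructed historical records: (device fingerprint, access hour, access
# duration in minutes, device type).  Invented values, not data from the patent.
HISTORICAL_TRAFFIC = [
    ("fp-a1", 9, 480, "workstation"),
    ("fp-a2", 10, 420, "workstation"),
    ("fp-a3", 8, 510, "printer"),
    ("fp-a4", 9, 450, "workstation"),
    ("fp-b1", 3, 12, "unknown"),
    ("fp-b2", 2, 8, "unknown"),
    ("fp-b3", 4, 15, "unknown"),
]

# Assumed encoding of the device-type feature; unmanaged types score highest.
DEVICE_TYPE_CODE = {"workstation": 0.0, "printer": 0.2, "unknown": 1.0}


def features(hour: int, duration: int, dev_type: str) -> List[float]:
    """Claim-12 feature vector, each component scaled to [0, 1]."""
    return [hour / 24.0, min(duration, 600) / 600.0,
            DEVICE_TYPE_CODE.get(dev_type, 1.0)]


def _dist(a: List[float], b: List[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans2(points: List[List[float]], iters: int = 50) -> Tuple[List[int], List[List[float]]]:
    """Minimal unsupervised 2-cluster k-means (the patent does not name the
    clustering algorithm).  Seeds: the first point and the point farthest from it."""
    first = points[0]
    centroids = [first[:], max(points, key=lambda p: _dist(p, first))[:]]
    labels = [0] * len(points)
    for _ in range(iters):
        labels = [0 if _dist(p, centroids[0]) <= _dist(p, centroids[1]) else 1
                  for p in points]
        updated = []
        for k in (0, 1):
            members = [p for p, lab in zip(points, labels) if lab == k]
            updated.append([sum(c) / len(members) for c in zip(*members)]
                           if members else centroids[k])
        if updated == centroids:
            break
        centroids = updated
    return labels, centroids


def build_policy_library(records, overrides: Optional[Dict[str, Optional[str]]] = None) -> Dict[str, str]:
    """Cluster, name the clusters, then apply administrator adjustments.
    Returns {device_fingerprint: "normal" | "abnormal"}."""
    points = [features(h, d, t) for _, h, d, t in records]
    labels, centroids = kmeans2(points)
    # Assumed stand-in for the claim-10 "historical experience" step: the
    # cluster whose centroid lies nearest to (off-hours, short session,
    # unknown type) is taken to be the abnormal one.
    abnormal = min((0, 1), key=lambda k: _dist(centroids[k], [0.0, 0.0, 1.0]))
    library = {fp: ("abnormal" if lab == abnormal else "normal")
               for (fp, _, _, _), lab in zip(records, labels)}
    # Claim 11: the administrator adds/overwrites (flag) or deletes (None) entries.
    for fp, flag in (overrides or {}).items():
        if flag is None:
            library.pop(fp, None)
        else:
            library[fp] = flag
    return library


if __name__ == "__main__":
    print(build_policy_library(HISTORICAL_TRAFFIC, overrides={"fp-b3": "normal", "fp-a4": None}))
```

The cluster-naming rule is where judgement enters: k-means only separates the records, it does not know which side is hostile, so that rule and the administrator overrides are the parts a reviewer should look at before the library is used as training labels under claim 8.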
12. The network admission control method according to claim 6 or 7, wherein the characteristic information comprises access time, access duration, device type of the access device; the device information includes a device fingerprint corresponding to the device and flag information that the device is an abnormal access device or a normal access device.
13. The network admission control method according to claim 6 or 7,
wherein before the analyzing the network traffic data and determining whether the access of the access device to the network is an abnormal access, the method further comprises:
judging whether the access device corresponding to the network traffic data exists in the black-and-white list policy library; if so, directly judging, based on the device information in the black-and-white list policy library, whether the access of the access device to the network is abnormal access; and if the access device does not exist in the black-and-white list policy library, executing the step of analyzing the network traffic data and determining whether the access of the access device to the network is abnormal access.
14. The method according to claim 13, wherein the judging whether the access device corresponding to the network traffic data exists in the black-and-white list policy library specifically includes:
judging whether the device fingerprint of the access device corresponding to the network traffic data exists in the black-and-white list policy library.
15. The method according to claim 14, wherein the directly judging, based on the device information in the black-and-white list policy library, whether the access of the access device to the network is an abnormal access specifically includes:
querying the flag information corresponding to the device fingerprint of the access device in the black-and-white list policy library, and judging, based on the flag information, whether the access of the access device to the network is abnormal access.
16. The method according to claim 6 or 7, wherein after determining whether the access to the network by the access device is an abnormal access, the method further comprises: adding the device information corresponding to the access device to the black-and-white list policy library.
17. The method of claim 1, wherein prior to analyzing the network traffic data to determine whether the access device has an abnormal access to the network, the method further comprises: and cleaning or preprocessing the network flow data.
18. The method according to claim 2, wherein the sending the instruction to release or block the access to the network by the access device based on the result of determining whether the access to the network by the access device is an abnormal access includes:
when the access equipment accesses the network normally, an access admission instruction is sent to the switch, so that the switch releases the access of the access equipment to the network; and when the access of the access equipment to the network is abnormal access, sending an access blocking instruction to the switch, so that the switch blocks the access of the access equipment to the network.
19. A method for network admission control according to claim 2, wherein the method further comprises:
receiving, from an administrator, admission instructions for certain abnormal access devices, and sending the admission instructions for those abnormal access devices to the switch, so that the switch admits the access of those abnormal access devices to the network.
20. The method of network admission control according to claim 1, further comprising: and sending the device information of the access device which is abnormally accessed to the administrator.
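Claims 6 to 8 and 13 to 20 together describe one admission decision per traffic record: look the device fingerprint up in the black-and-white list policy library first (claim 13); if it is absent, score the record with a supervised model trained on labels taken from that library (claim 8), compare the probability with a preset threshold (claim 7, first branch), record the outcome in the library (claim 16), and turn the decision into an admit or block instruction for the switch (claim 18), which an administrator may override for particular abnormal devices (claim 19). The following is an added example of that flow written for this page, not code from the patent. The logistic-regression model (the claims only say "supervised machine learning algorithm"), the training records, the threshold value and the instruction payload are assumptions. Note the ordering that claim 13 fixes: a fingerprint found in the library is decided from the library alone and the model is never consulted, so for known devices the decision is only as trustworthy as the fingerprint itself.

```python
"""One admission decision per traffic record (claims 6-8 and 13-20).  Added
example, not code from the patent.  The logistic-regression model, the
records, the threshold and the switch instruction format are assumptions."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEVICE_TYPE_CODE = {"workstation": 0.0, "printer": 0.2, "unknown": 1.0}  # assumed encoding


def features(hour: int, duration: int, dev_type: str) -> List[float]:
    """Claim-12 feature vector (access time, duration, device type), scaled to [0, 1]."""
    return [hour / 24.0, min(duration, 600) / 600.0, DEVICE_TYPE_CODE.get(dev_type, 1.0)]


# Constructed history and the policy-library flags that label it (claim 8).
HISTORY = [
    ("fp-a1", 9, 480, "workstation"), ("fp-a2", 10, 420, "workstation"),
    ("fp-a3", 8, 510, "printer"), ("fp-a4", 9, 450, "workstation"),
    ("fp-b1", 3, 12, "unknown"), ("fp-b2", 2, 8, "unknown"), ("fp-b3", 4, 15, "unknown"),
]
POLICY_LIBRARY: Dict[str, str] = {
    "fp-a1": "normal", "fp-a2": "normal", "fp-a3": "normal", "fp-a4": "normal",
    "fp-b1": "abnormal", "fp-b2": "abnormal", "fp-b3": "abnormal",
}
PRESET_NORMAL_PROBABILITY = 0.6   # assumed threshold for claim 7, first branch

Model = Tuple[List[float], float]   # (weights, bias)


def _sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def train_model(records, library: Dict[str, str], steps: int = 1000, lr: float = 0.5) -> Model:
    """Logistic regression by batch gradient descent, standing in for the
    unnamed supervised algorithm.  Label 1 = the library flags the device normal."""
    xs = [features(h, d, t) for _, h, d, t in records]
    ys = [1.0 if library[fp] == "normal" else 0.0 for fp, _, _, _ in records]
    w, b, n = [0.0, 0.0, 0.0], 0.0, len(xs)
    for _ in range(steps):
        gw, gb = [0.0, 0.0, 0.0], 0.0
        for x, y in zip(xs, ys):
            err = y - _sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi + lr * g / n for wi, g in zip(w, gw)]
        b += lr * gb / n
    return w, b


def p_normal(model: Model, hour: int, duration: int, dev_type: str) -> float:
    """Model's probability that the access is normal access (claim 6)."""
    w, b = model
    return _sigmoid(sum(wi * xi for wi, xi in zip(w, features(hour, duration, dev_type))) + b)


@dataclass
class Decision:
    fingerprint: str
    action: str                   # "admit" or "block"
    basis: str                    # "policy_library", "model" or "admin_override"
    probability: Optional[float]  # P(normal) from the model; None when not consulted


def decide(record, library: Dict[str, str], model: Model, admin_admit=frozenset()) -> Decision:
    fp, hour, duration, dev_type = record
    if fp in library:                               # claims 13-15: fingerprint lookup first
        flag = library[fp]
        d = Decision(fp, "admit" if flag == "normal" else "block", "policy_library", None)
    else:                                           # claims 6-7: model probability vs threshold
        p = p_normal(model, hour, duration, dev_type)
        normal = p > PRESET_NORMAL_PROBABILITY      # equality counts as abnormal (claim 7)
        library[fp] = "normal" if normal else "abnormal"   # claim 16
        d = Decision(fp, "admit" if normal else "block", "model", p)
    if d.action == "block" and fp in admin_admit:   # claim 19: administrator admits a flagged device
        d = Decision(fp, "admit", "admin_override", d.probability)
    return d


def switch_instruction(d: Decision) -> dict:
    """Assumed payload for the instruction sent to the switch (claim 18)."""
    return {"device_fingerprint": d.fingerprint, "action": d.action}


if __name__ == "__main__":
    m = train_model(HISTORY, POLICY_LIBRARY)
    lib = dict(POLICY_LIBRARY)
    for rec in [("fp-new-1", 9, 460, "workstation"), ("fp-new-2", 3, 10, "unknown")]:
        print(switch_instruction(decide(rec, lib, m)))
```

The `basis` field is worth keeping in whatever record the admission controller writes, because claim 20 sends the device information of abnormal devices to the administrator and the administrator needs to know whether a block came from the library, from the model, or was already overridden.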
21. A network admission control apparatus, characterized in that the apparatus comprises a traffic acquisition module, a traffic analysis module and an admission control module, wherein:
the traffic acquisition module is configured to collect network traffic data generated by an access device accessing the network;
the traffic analysis module is configured to analyze the network traffic data and determine whether the access of the access device to the network is abnormal access; and
the admission control module is configured to send an instruction for releasing or blocking the access of the access device to the network based on the result of determining whether the access of the access device to the network is abnormal access.
22. A network admission control apparatus according to claim 21, wherein the access device accesses the network via a switch, the network being an intranet.
23. A network admission control arrangement according to claim 21, wherein said network traffic data comprises: a device fingerprint to uniquely identify the access device, an access time of the access device, an access duration of the access device, a device type of the access device, and a source of the network traffic data.
24. The apparatus according to claim 21, wherein the analyzing the network traffic data to determine whether the access to the network by the access device is an abnormal access includes:
for the network traffic data, establishing, based on a supervised machine learning algorithm, a model between feature information in historical network traffic data and device information in a black-and-white list policy library;
determining a probability that the access of the access device to the network is normal access or abnormal access; and
comparing the probability with a preset threshold value, and judging whether the access of the access device to the network is abnormal access,
wherein the black-and-white list policy library stores device information corresponding to normal access devices and abnormal access devices.
25. The apparatus of claim 21, further comprising an alarm module configured to send device information of an abnormally accessed access device to an administrator.
26. A network admission control system, comprising an access device, a network admission control arrangement according to any one of claims 21-25 and a switch, wherein:
the access device is used for accessing a network through the switch;
the switch is used for receiving the instruction sent by the network admission control device and allowing or blocking the access of the access equipment to the network based on the instruction.
27. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-20.
28. A computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the method of any one of claims 1-20.
29. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1-20.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110916011.4A CN113630415A (en) 2021-08-10 2021-08-10 Network admission control method, apparatus, system, device, medium and product

Publications (1)

Publication Number Publication Date
CN113630415A (en) 2021-11-09

Family

ID=78384191

Country Status (1)

Country Link
CN (1) CN113630415A (en)

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1744607A (en) * 2005-10-10 2006-03-08 广东省电信有限公司研究院 System and method for blocking worm attack
CN105978852A (en) * 2016-04-14 2016-09-28 北京北信源软件股份有限公司 Network equipment access history information determination method, equipment and switch
CN106789868A (en) * 2016-09-05 2017-05-31 中国人民财产保险股份有限公司 Website user behaviour recognition and management and control system
CN107465648A (en) * 2016-06-06 2017-12-12 腾讯科技(深圳)有限公司 Abnormal device recognition method and apparatus
CN108446546A (en) * 2018-03-20 2018-08-24 深信服科技股份有限公司 Abnormal access detection method, device, equipment and computer readable storage medium
US20190230086A1 (en) * 2018-01-23 2019-07-25 Beijing Baidu Netcom Science And Technology Co., Ltd. Authority management method and device in distributed environment, and server
CN110311902A (en) * 2019-06-21 2019-10-08 北京奇艺世纪科技有限公司 Abnormal behaviour recognition method, apparatus and electronic device
CN111027046A (en) * 2019-10-30 2020-04-17 厦门天锐科技股份有限公司 Access control method and device for USB network equipment
CN111163115A (en) * 2020-04-03 2020-05-15 深圳市云盾科技有限公司 Internet of things safety monitoring method and system based on double engines
CN111600880A (en) * 2020-05-14 2020-08-28 深信服科技股份有限公司 Method, system, storage medium and terminal for detecting abnormal access behavior
CN112039894A (en) * 2020-08-31 2020-12-04 北京天融信网络安全技术有限公司 Network access control method, device, storage medium and electronic equipment
CN112134870A (en) * 2020-09-16 2020-12-25 北京中关村银行股份有限公司 Network security threat blocking method, device, equipment and storage medium
CN112543176A (en) * 2020-10-22 2021-03-23 新华三信息安全技术有限公司 Abnormal network access detection method, device, storage medium and terminal
CN113098846A (en) * 2021-03-17 2021-07-09 苏州三六零智能安全科技有限公司 Industrial control flow monitoring method, equipment, storage medium and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211109