CN114024904B - Access control method, device, equipment and storage medium - Google Patents

Info

Publication number
CN114024904B
Authority
CN
China
Prior art keywords
flow
data
request
access
target
Prior art date
Legal status
Active
Application number
CN202111279578.1A
Other languages
Chinese (zh)
Other versions
CN114024904A (en)
Inventor
贾臻
龚为川
Current Assignee
Ping An Bank Co Ltd
Original Assignee
Ping An Bank Co Ltd
Priority date
Filing date
Publication date
Application filed by Ping An Bank Co Ltd
Priority to CN202111279578.1A
Publication of CN114024904A
Application granted
Publication of CN114024904B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention relates to the field of infrastructure operation and maintenance and discloses an access control method, device, equipment and storage medium. The method comprises the following steps: acquiring a data stream of a gateway in a network service and analyzing the data stream to obtain information of a data access request, wherein the information of the data access request comprises an access information parameter and a target flow request value; acquiring historical flow request data of a target service scene according to the access information parameter, wherein the historical flow request data at least comprises an abnormal flow request parameter and a full flow request parameter; calculating the abnormal flow request parameter, the full flow request parameter and the target flow request value based on a linear interpolation algorithm to obtain a target flow return value; and performing access control on the data access request according to the target flow return value. By means of the linear interpolation algorithm, the invention smooths the intermediate flow process from abnormal data access to full data access requests, thereby increasing the stability of application service data requests.

Description

Access control method, device, equipment and storage medium
Technical Field
The present invention relates to the field of infrastructure operation and maintenance, and in particular to an access control method, apparatus, device, and storage medium.
Background
With the rapid development of network technology, the volume of network traffic transmitted by application services keeps growing, and if large network fluctuations are encountered during transmission, the application service is prone to instability and may return no data response, which in turn degrades the user experience.
Existing access control methods generally set a designated threshold to limit the number of times the application service may be accessed; when network fluctuation occurs, the stability of the application service while data is being requested is low.
Disclosure of Invention
The main aim of the invention is to solve the problem that existing access control methods offer low stability when application service data is requested under network fluctuation.
The first aspect of the present invention provides an access control method, including:
acquiring a data stream of a gateway in network service, and analyzing the data stream to obtain information of a data access request, wherein the information of the data access request comprises an access information parameter and a target flow request value;
acquiring historical flow request data of a target service scene according to the access information parameters, wherein the historical flow request data at least comprises abnormal flow request parameters and full flow request parameters;
calculating the abnormal flow request parameter, the full flow request parameter and the target flow request value based on a linear interpolation algorithm to obtain a target flow return value of the data access request;
and performing access control on the data access request according to the target flow return value of the data access request.
Optionally, in a first implementation manner of the first aspect of the present invention, the obtaining a data stream of a gateway in a network service, and analyzing the data stream, and obtaining information of a data access request includes:
acquiring a data stream of a gateway in network service, and carrying out flow analysis on the data stream to obtain a service end flow and a database end flow;
respectively carrying out data analysis on the service end flow and the database end flow to obtain a service end flow parameter and a database end flow parameter, wherein the service end flow parameter and the database end flow parameter both comprise flow addresses and flow access information;
and correlating the server side flow with the database side flow based on the flow address and the flow access information in the server side flow parameter and the flow address and the flow access information in the database side flow parameter to obtain information of a data access request.
Optionally, in a second implementation manner of the first aspect of the present invention, the information of the data access request further includes a token application parameter, and after the data stream of the gateway in the network service is obtained and analyzed to obtain the information of the data access request, and before the historical traffic request data of the target service scenario is obtained according to the access information parameter, the method further includes:
carrying out validity check on the application id and the secret key in the token application parameter, and if the verification is successful, sending an access token to the terminal, wherein the access token comprises identity information, validity period information and encryption signature information;
and sequentially verifying the identity information, the validity period information and the encrypted signature information, if the verification is correct, receiving the data access request, otherwise, rejecting the data access request.
Optionally, in a third implementation manner of the first aspect of the present invention, the access information parameter includes a service database identifier, a service channel parameter, and a feature keyword, and the acquiring, according to the access information parameter, historical traffic request data of a target service scenario includes:
determining a database of a target service scene according to the service database identifier;
screening a target data table from a database of the target service scene based on the service channel parameters, wherein the target data table comprises multiple types of characteristic index data in the target service scene;
and screening historical flow data of the target service scene from the multi-class characteristic index data in the target data table according to the characteristic keywords.
Optionally, in a fourth implementation manner of the first aspect of the present invention, the calculating, based on a linear interpolation algorithm, the abnormal flow request parameter, the full flow request parameter, and the target flow request value, to obtain a target flow return value of the data access request includes:
constructing a flow request coordinate system of the target service scene according to the abnormal flow request parameter and the full flow request parameter, wherein the flow request coordinate system is used for describing a linear relation between a flow request value and a flow passing rate;
calculating the flow passing rate corresponding to the target flow request value based on the flow request coordinate system to obtain a target flow passing rate;
and calculating a target flow return value of the data access request according to the target flow request value and the target flow passing rate.
Optionally, in a fifth implementation manner of the first aspect of the present invention, before the performing, according to the target flow return value of the data access request, access control on the data access request, the method further includes:
and receiving the data security parameters input by the user, and generating an access interception policy for access control according to the data security parameters.
Optionally, in a sixth implementation manner of the first aspect of the present invention, after the performing access control on the data access request according to the target flow return value of the data access request, the method further includes:
and protecting the data packet returned by the data access request based on a preset data protection rule.
A second aspect of the present invention provides an access control apparatus comprising:
the data flow analysis module is used for acquiring the data flow of the gateway in the network service, analyzing the data flow and obtaining the information of the data access request, wherein the information of the data access request comprises an access information parameter and a target flow request value;
the historical data acquisition module is used for acquiring historical flow request data of a target service scene according to the access information parameters, wherein the historical flow request data at least comprises abnormal flow request parameters and full flow request parameters;
the return value calculation module is used for calculating the abnormal flow request parameter, the full flow request parameter and the target flow request value based on a linear interpolation algorithm to obtain a target flow return value of the data access request;
and the access control module is used for carrying out access control on the data access request according to the target flow return value of the data access request.
Optionally, in a first implementation manner of the second aspect of the present invention, the data flow parsing module specifically includes:
the flow analysis unit is used for acquiring the data flow of the gateway in the network service, and carrying out flow analysis on the data flow to obtain the flow of the server side and the flow of the database side;
the data analysis unit is used for respectively carrying out data analysis on the service end flow and the database end flow to obtain a service end flow parameter and a database end flow parameter, wherein the service end flow parameter and the database end flow parameter both comprise flow addresses and flow access information;
and the data association unit is used for associating the service end flow with the database end flow based on the flow address and the flow access information in the service end flow parameter and the flow address and the flow access information in the database end flow parameter to obtain the information of the data access request.
Optionally, in a second implementation manner of the second aspect of the present invention, the historical data acquisition module specifically includes:
the determining unit is used for determining a database of the target business scene according to the business database identifier;
the first screening unit is used for screening a target data table from the database of the target service scene based on the service channel parameters, wherein the target data table comprises multiple types of characteristic index data in the target service scene;
and the second screening unit is used for screening the historical flow data of the target service scene from the multi-class characteristic index data in the target data table according to the characteristic keywords.
Optionally, in a third implementation manner of the second aspect of the present invention, the return value calculation module specifically includes:
the construction unit is used for constructing a flow request coordinate system of the target service scene according to the abnormal flow request parameter and the full flow request parameter, wherein the flow request coordinate system is used for describing a linear relation between a flow request value and a flow passing rate;
the first calculation unit is used for calculating the flow passing rate corresponding to the target flow request value based on the flow request coordinate system to obtain the target flow passing rate;
and the second calculation unit is used for calculating a target flow return value of the data access request according to the target flow request value and the target flow passing rate.
A third aspect of the present invention provides an access control apparatus comprising: a memory and at least one processor, the memory having instructions stored therein; the at least one processor invokes the instructions in the memory to cause the access control device to perform the access control method described above.
A fourth aspect of the present invention provides a computer readable storage medium having instructions stored therein which, when run on a computer, cause the computer to perform the above-described access control method.
According to the technical scheme provided by the invention, the data access request is obtained by performing flow analysis on the data stream of the gateway in the network service, the historical data of the specific service scene is obtained according to the request, mathematical modeling is then performed to obtain the linear distribution of the flow return value in that service scene, and the actual returned flow is controlled according to that linear distribution. The invention models the flow request process through the linear interpolation algorithm, thereby smoothing the intermediate flow process from abnormal data access to full data access requests and further increasing the stability of the application service.
Drawings
FIG. 1 is a schematic diagram of a first embodiment of an access control method according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating a second embodiment of an access control method according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating a third embodiment of an access control method according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating a fourth embodiment of an access control method according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of an embodiment of an access control device according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of another embodiment of an access control device according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of an embodiment of an access control device according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides an access control method, apparatus, device and storage medium, which offer higher stability.
The terms "first," "second," "third," "fourth" and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus.
The embodiment of the invention can acquire and process the related data based on artificial intelligence technology. Here, artificial intelligence (AI) is the theory, method, technique and application system that uses a digital computer or a digital computer-controlled machine to simulate, extend and expand human intelligence, perceive the environment, acquire knowledge and use knowledge to obtain optimal results.
Artificial intelligence infrastructure technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a robot technology, a biological recognition technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and other directions.
The server in the embodiment of the invention can be an independent server, and can also be a cloud server for providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDNs), basic cloud computing services such as big data and artificial intelligent platforms, and the like.
For ease of understanding, a specific flow of an embodiment of the present invention is described below with reference to fig. 1, where an embodiment of an access control method in an embodiment of the present invention includes:
101. acquiring a data stream of a gateway in network service, and analyzing the data stream to obtain information of a data access request, wherein the information of the data access request comprises an access information parameter and a target flow request value;
It can be understood that an enterprise builds a dedicated network service on a private network, and when an access subject accesses the enterprise network through the public network, the data flow in the enterprise network is received, extracted and forwarded through the gateway. The access subject may be a user, or a process initiated by a user, a service, an extranet device, etc. The data stream of the enterprise gateway can be obtained by scanning the gateway with an open source scanning tool such as nmap or another port scanning program.
In this embodiment, the data stream is parsed to obtain data stream information, so that complete data access request information including address information, user information and access information can be obtained. The data stream information includes: user, user data, access time, session information, source IP address, destination IP address, port number, protocol, thread id, thread context, request protocol, etc.
Optionally, the information of the data access request may further include a token application parameter, so that the server performs corresponding access right verification on the data access request. Specifically, the server performs validity verification on the application id and the secret key in the token application parameter, if verification is successful, the server sends an access token to the terminal, wherein the access token comprises identity information, validity period information and encryption signature information, then the identity information, the validity period information and the encryption signature information are verified in sequence, if verification is correct, the data access request is received, and otherwise the data access request is refused.
The token application parameter is used by the service request end to acquire an access token (that is, the credential representing a legal identity). The token application request can include the application id and the secret key; the server checks the validity of the application id and the secret key and issues the access token to the service request end when verification succeeds. The issued access token may be an access token in JWT (JSON Web Token) format carrying identity information, validity period information and one-way encrypted signature information.
Specifically, when the server verifies the access token, it can first verify the validity of the encrypted signature of the access token; if signature verification fails, the data access request is refused, access-denied information is generated and fed back to the service request end, and the network connection is disconnected. After the encrypted signature is verified successfully, the validity period of the access token is checked to judge whether the access token has expired; an expired access token is refused and the connection disconnected. After the validity period information is checked successfully, the identity information of the access token is checked and it is judged whether the identity information is listed in a preset shielding list. If the shielding list contains the current identity information, the service request is denied and the connection disconnected.
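The three-stage token check described above, as an added example that is not the patent's own code: it assumes a constructed registry of application ids and secret keys, an HS256-signed JWT (the patent only says the signature is one-way encrypted) and a shielding list supplied by the caller, and it checks the signature before any claim is parsed, then the validity period, then the identity.

```python
"""Access-token issuance and ordered verification (signature, validity period, identity)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set, Tuple

# Constructed registry of application ids and secret keys: the server's reference for the
# validity check of the token application parameter (assumption, not from the patent).
APP_REGISTRY: Dict[str, str] = {"app-demo": "demo-secret-key"}
# Constructed server-side key for the HS256 signature (assumption).
SERVER_SIGNING_KEY = b"constructed-server-signing-key"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(app_id: str, app_secret: str, ttl_seconds: int,
                now: Optional[int] = None) -> Optional[str]:
    """Validity check of application id and secret key; on success return a JWT carrying
    identity information (sub), validity period information (iat/exp) and an HS256 signature."""
    expected = APP_REGISTRY.get(app_id)
    if expected is None or not hmac.compare_digest(expected.encode(), app_secret.encode()):
        return None  # unknown application id or wrong secret key: no token is issued
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": app_id, "iat": now, "exp": now + ttl_seconds}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(SERVER_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_token(token: str, shielding_list: Set[str],
                 now: Optional[int] = None) -> Tuple[bool, str]:
    """Check in the patent's order: encrypted signature, then validity period, then identity
    against the shielding list. Returns (accepted, identity or rejection reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    # Step 1: recompute the signature over the raw encoded segments and compare it in constant
    # time before trusting any claim; a wrong signature ends the check here.
    expected = hmac.new(SERVER_SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    try:
        given = _b64url_decode(sig_b64)
    except ValueError:  # binascii.Error derives from ValueError
        return False, "signature"
    if not hmac.compare_digest(expected, given):
        return False, "signature"
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed"
    if header.get("alg") != "HS256":  # only the algorithm we sign with is accepted
        return False, "signature"
    # Step 2: validity period; an expired token is refused.
    now = int(time.time()) if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return False, "expired"
    # Step 3: identity information against the preset shielding list.
    identity = payload.get("sub")
    if not isinstance(identity, str) or identity in shielding_list:
        return False, "blocked"
    return True, identity
```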
102. Acquiring historical flow request data of a target service scene according to the access information parameters, wherein the historical flow request data at least comprises abnormal flow request parameters and full flow request parameters;
It can be understood that the access information parameter includes service scene identification information indicating the service scene to which the data request object belongs, so that the target service scene can be determined; meanwhile, the access information parameter also includes data matching parameters or control conditions for acquiring the historical flow request data, so that the related data is screened out of the database of the target service scene. The database of the target service scene holds all stock data of that service scene; the stock data at least includes the abnormal flow request parameter and the full flow request parameter of the service scene, and may also include flow request parameters in other ranges of the service scene. The abnormal flow request parameter is the flow request value and flow passing rate corresponding to abnormal data access, and the full flow request parameter is the flow request value and flow passing rate corresponding to normal full data access. For example, in the service scene of an online mall, the data traffic volume is taken as the flow request value, and the corresponding flow return values and flow passing rates are recorded in segments to form the data table shown in Table 1.
When the flow request value is 0, the corresponding flow request parameter is (0, 0), which serves as the abnormal flow request parameter; when the flow request value is 2000, the corresponding flow request parameter is (2000, 0.6), which serves as the full flow request parameter.
Flow request value    0     500    1000    1500    2000
Flow return value     0     300    400     800     1200
Flow passing rate     0     0.6    0.4     0.53    0.6
Table 1
103. Calculating an abnormal flow request parameter, a full flow request parameter and a target flow request value based on a linear interpolation algorithm to obtain a target flow return value of a data access request;
It can be understood that linear interpolation is an interpolation method for one-dimensional data: it estimates the value at a point to be interpolated from the two data points adjacent to it on the left and right in a one-dimensional data sequence, so as to reasonably compensate for missing data between the two points. In this embodiment, the server uses the abnormal flow request parameter and the full flow request parameter as the two reference points of the linear interpolation, and treats the target flow request value in the data access request as the missing data between the two reference points, so that the calculated flow return value follows a linear distribution, the size of the returned data packet is dynamically controlled, and the scene of excessive flow requests is smoothed.
Optionally, in an embodiment, the historical flow data acquired by the server includes a plurality of flow request parameters; the server constructs a multi-segment linear relationship from these flow request parameters and then fits the different linear relationships so as to process the multi-segment linear relationship into a single-segment linear relationship. For example, the server holds an abnormal flow request parameter A, a full flow request parameter B, a flow request parameter C and a flow request parameter D, where the flow request value x(C) of C and the flow request value x(D) of D both lie between the flow request value x(A) of A and the flow request value x(B) of B, i.e. x(A) < x(C) < x(D) < x(B). The server takes A and C, and D and B, as two groups of reference points, constructs two linear relations and fits them, thereby constructing a linear distribution F(A, B) between the parameters A and B, to which C and D conform after fitting.
104. And performing access control on the data access request according to the target flow return value of the data access request.
It can be understood that the server responds to the data access request by generating a number of data packets according to the calculated target flow return value and returning them to the requesting terminal; the requesting terminal loads resources from the returned data packets to realize visual presentation. For example, 100 data requests are sent through HTTP requests in the browser of a terminal; after flow control calculation (interpolation calculation) by the server, the target flow return value of the HTTP requests is determined to be 70 data items, which are packaged in response messages and sent to the browser of the terminal and then loaded into the corresponding page modules by way of asynchronous data requests.
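Steps 103 and 104 carried through in Python, as an added illustration that is not code from the patent: the passing rate is interpolated between the abnormal parameter A = (0, 0) and the full parameter B = (2000, 0.6) of Table 1, the return value is the (clamped) request value times that rate, a generalised piecewise variant interpolates between the recorded neighbours of the request value, and the multi-segment fit of the optional embodiment is realised as a least-squares line, which is an assumption since the patent names no fitting method.

```python
"""Linear-interpolation flow control over the constructed Table 1 values."""
from bisect import bisect_left
from typing import Dict, List, Tuple

Point = Tuple[float, float]  # (flow request value, flow passing rate)

# Constructed from Table 1 of the description: (flow request value, flow passing rate).
TABLE_ONE: List[Point] = [(0, 0.0), (500, 0.6), (1000, 0.4), (1500, 0.53), (2000, 0.6)]
ABNORMAL: Point = (0, 0.0)   # abnormal flow request parameter A
FULL: Point = (2000, 0.6)    # full flow request parameter B


def interpolate_rate(x: float, left: Point, right: Point) -> float:
    """Passing rate at x on the straight line through two reference points."""
    (x0, r0), (x1, r1) = left, right
    if x1 == x0:
        raise ValueError("reference points must have distinct flow request values")
    return r0 + (x - x0) * (r1 - r0) / (x1 - x0)


def target_passing_rate(x: float, abnormal: Point = ABNORMAL, full: Point = FULL) -> float:
    """Flow request coordinate system built from A and B; x outside [x_A, x_B] is clamped
    so that the rate never extrapolates below the abnormal or above the full reference."""
    x = min(max(x, abnormal[0]), full[0])
    return interpolate_rate(x, abnormal, full)


def target_return_value(x: float, abnormal: Point = ABNORMAL, full: Point = FULL) -> int:
    """Target flow return value = clamped target flow request value * target flow passing rate.
    Requests beyond the full flow request value are capped at the full flow return value."""
    x = min(max(x, abnormal[0]), full[0])
    return round(x * target_passing_rate(x, abnormal, full))


def piecewise_rate(x: float, table: List[Point] = TABLE_ONE) -> float:
    """Generalisation of step 103's adjacent-point definition: interpolate between the two
    recorded table points on either side of x instead of only between A and B."""
    xs = [p[0] for p in table]
    if not xs[0] <= x <= xs[-1]:
        raise ValueError("flow request value outside the recorded range")
    i = bisect_left(xs, x)
    if xs[i] == x:
        return table[i][1]
    return interpolate_rate(x, table[i - 1], table[i])


def fit_single_line(points: List[Point]) -> Tuple[float, float]:
    """Collapse multi-segment points (A, C, D, B) into one line rate = intercept + slope * x.
    Least squares is an assumption; the patent only says the segments are 'fitted'."""
    n = len(points)
    mean_x = sum(p[0] for p in points) / n
    mean_r = sum(p[1] for p in points) / n
    sxx = sum((p[0] - mean_x) ** 2 for p in points)
    sxy = sum((p[0] - mean_x) * (p[1] - mean_r) for p in points)
    slope = sxy / sxx
    return mean_r - slope * mean_x, slope


def handle_request(requested: int, abnormal: Point = ABNORMAL, full: Point = FULL) -> Dict[str, float]:
    """Step 104: decide how many of the requested data items are packaged into the response."""
    rate = target_passing_rate(requested, abnormal, full)
    return {"requested": requested, "passing_rate": rate,
            "return_value": target_return_value(requested, abnormal, full)}


if __name__ == "__main__":
    for req in (100, 1000, 1250, 2500):
        print(handle_request(req))
    print("fitted line (intercept, slope):",
          fit_single_line([ABNORMAL, (1000, 0.4), (1500, 0.53), FULL]))
```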
Optionally, before the server performs access control on the data access request according to the target flow return value of the data access request, the server further receives a data security parameter input by a user, and generates an access interception policy for access control according to the data security parameter.
It can be understood that, in order to improve the security of data access, the server also receives data security parameters set by the user in a differentiated manner, so as to generate a corresponding access interception policy that filters out data with potential safety hazards, for example the sensitive data in the returned data packet. Network data such as that of an enterprise information system involves enterprise-sensitive data including property information, health information, identity information, behaviour identification information and the like, and the privacy and security of the data can be better protected by desensitizing the data packet through the access interception policy. Desensitization refers to deforming the data of certain sensitive information by a desensitization method so as to protect the sensitive data reliably. Specifically, the data to be desensitized in the data packet can be preconfigured, with a desensitization field, a desensitization position, a desensitization length and a desensitization mode preset. The desensitization field can be in text or numeric form, such as property information or a mobile phone number; the desensitization position is the position from which desensitization starts; the desensitization length is the number of positions (digits or characters) to desensitize; and the desensitization mode can be deformation desensitization, mask shielding, data replacement, invalidation, random desensitization, format-preserving encryption, data encryption and the like. Of course, the desensitization mode can also be customized, and the data stream information is then desensitized according to the predefined desensitization mode.
In this embodiment, modeling is performed on the flow request process through a linear interpolation algorithm, so that the flow intermediate process from abnormal data access to full data access request is smoothed, and stability of application service is further improved.
Referring to fig. 2, a second embodiment of an access control method according to an embodiment of the present invention includes:
201. acquiring a data stream of a gateway in network service, and carrying out flow analysis on the data stream to obtain a service end flow and a database end flow;
It can be understood that the server filters the data stream according to the access port in the traffic access information; when the access port in the traffic access information includes a database port, the data stream includes both server-side traffic and database-side traffic.
202. Respectively carrying out data analysis on the service end flow and the database end flow to obtain a service end flow parameter and a database end flow parameter, wherein the service end flow parameter and the database end flow parameter both comprise flow addresses and flow access information;
It can be understood that the server may parse the traffic by data identifier, keyword, regular expression, etc. to obtain the server-side flow parameter and the database-side flow parameter; this embodiment is not limited in this respect.
203. Based on the flow address and the flow access information in the flow parameters of the server side and the flow address and the flow access information in the flow parameters of the database side, correlating the flow of the server side and the flow of the database side to obtain information of a data access request, wherein the information of the data access request comprises an access information parameter and a target flow request value;
it should be understood that the server correlates the server side traffic with the database side traffic according to the server side traffic address, the server side traffic access information, the database side traffic address, and the database side traffic access information, to obtain information of the data access request. For example, data stream association may be made by thread id: after the access main body initiates an access request, the server side starts a thread A to respond to the request and access the database, wherein the thread A acquires the server side flow address information and the server side flow access information. The data flow when the corresponding user initiates access is supervised through the thread id, the data flow can be identified in data transmission through tracking and mapping of the thread id, and the server side flow and the database side flow are associated to obtain information of a data access request.
204. Acquiring historical flow request data of a target service scene according to the access information parameters, wherein the historical flow request data at least comprises abnormal flow request parameters and full flow request parameters;
205. calculating an abnormal flow request parameter, a full flow request parameter and a target flow request value based on a linear interpolation algorithm to obtain a target flow return value of a data access request;
206. and performing access control on the data access request according to the target flow return value of the data access request.
Steps 204-206 are similar to the steps 102-104, and are not repeated here.
In this embodiment, the process of analyzing the data stream is described in detail, and the server side flow and the database side flow are respectively analyzed to correlate the server side flow and the database side flow, so as to obtain the related information of the data access request.
Referring to fig. 3, a third embodiment of an access control method according to an embodiment of the present invention includes:
301. acquiring a data stream of a gateway in network service, and analyzing the data stream to obtain information of a data access request, wherein the information of the data access request comprises an access information parameter and a target flow request value, and the access information parameter comprises a service database identifier, a service channel parameter and a characteristic keyword;
Step 301 is similar to the above-mentioned step 101, and is not described herein.
302. Determining a database of the target business scene according to the business database identification;
It can be understood that the server searches for the database in which the corresponding service scenario is located according to the service database identifier; that database stores all relevant data of the service scenario over the process from service construction to service landing, for example service requirement data, test records, previous iteration versions and the like. The service database identifier may include information such as the name of the database and the address of the server where the database is located, and the database may be Oracle, MySQL or the like; the embodiment is not limited thereto.
303. Screening a target data table from a database of a target service scene based on the service channel parameters, wherein the target data table comprises multiple types of characteristic index data in the target service scene;
It can be understood that, since a business scenario accumulates a large amount of existing data, the data in the database is divided into a plurality of business channels stored in separate tables, for example business team data, development team data, test team data, after-sales team data and so on according to the data source, or production data, test data and so on according to the data purpose; the embodiment is not limited in this respect.
304. According to the characteristic keywords, historical flow data of a target service scene is screened from multiple types of characteristic index data in a target data table, wherein the historical flow request data at least comprises abnormal flow request parameters and full flow request parameters;
It can be understood that the feature keywords are used to select the relevant fields in the data table, and the relevant historical flow data is then selected with those fields as matching conditions; for example, with the feature keywords "order volume" and "flow passing rate", the flow passing rates corresponding to different order volumes are selected.
305. Calculating an abnormal flow request parameter, a full flow request parameter and a target flow request value based on a linear interpolation algorithm to obtain a target flow return value of a data access request;
306. and performing access control on the data access request according to the target flow return value of the data access request.
Steps 305 to 306 are similar to the steps 103 to 104, and are not repeated here.
In this embodiment, the process of obtaining the historical traffic data is described in detail, and the historical traffic data corresponding to the target service scenario is rapidly located through the database identifier, the service channel parameter and the feature keyword.
Referring to fig. 4, a fourth embodiment of an access control method according to an embodiment of the present invention includes:
401. acquiring a data stream of a gateway in network service, and analyzing the data stream to obtain information of a data access request, wherein the information of the data access request comprises an access information parameter and a target flow request value;
402. acquiring historical flow request data of a target service scene according to the access information parameters, wherein the historical flow request data at least comprises abnormal flow request parameters and full flow request parameters;
403. constructing a flow request coordinate system of a target service scene according to the abnormal flow request parameter and the full flow request parameter, wherein the flow request coordinate system is used for describing a linear relation between a flow request value and a flow passing rate;
It should be understood that the abnormal flow request parameter is denoted as point A (x1, y1) and the full flow request parameter as point B (x2, y2); the two points A and B are taken as base points to establish a flow request coordinate system whose x-axis represents the flow request value and whose y-axis represents the flow passing rate. Any point (x, y) between A and B then satisfies a linear relationship; refer to formula I:
(Formula I is an image in the original publication and is not reproduced here.)
Wherein x1, y1, x2 and y2 are all historical flow data, x is the flow request value whose flow passing rate is to be calculated, and k is the flow control coefficient corresponding to x; formula I can be transformed to obtain formula II:
y = (1 - k) * y0 + k * y1 (formula II)
404. Calculating the flow passing rate corresponding to the target flow request value based on the flow request coordinate system to obtain the target flow passing rate;
It will be appreciated that, given the target flow request value X, which is subject to the linear relationship established by the two points A and B, the corresponding flow control coefficient may be calculated according to formula I, and the target flow request value X and that coefficient may then be used to calculate the target flow passing rate Y.
405. Calculating a target flow return value of the data access request according to the target flow request value and the target flow passing rate;
It can be understood that the server calculates the target flow return value S corresponding to the target flow request value X from the flow passing rate, that is, S = X × Y.
406. and performing access control on the data access request according to the target flow return value of the data access request.
In this embodiment, the calculation of the target flow return value is described in detail: the abnormal flow request parameter and the full flow request parameter serve as reference points, and other flow request data between the two reference points is linearly interpolated, so that a target flow return value conforming to the linear distribution is calculated.
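Steps 403 to 406 carried through in code, as an added example that is not part of the patent. Formula I is not reproduced on the page, so the flow control coefficient is assumed to be the standard interpolation weight k = (x - x1) / (x2 - x1); the y0 and y1 of formula II are mapped onto the y1 and y2 of points A and B, and the historical values are constructed.

```python
"""Linear-interpolation flow control between the abnormal-flow reference point A
and the full-flow reference point B (fourth embodiment, steps 403 to 406).

Added example, not code from the patent. Formula I is not reproduced on the
page, so k = (x - x1) / (x2 - x1) is an assumption; with it, formula II reads
y = (1 - k) * y1 + k * y2 in the coordinates of A and B. Sample values are
constructed."""
from dataclasses import dataclass
from typing import List, Tuple

Point = Tuple[float, float]  # (flow request value x, flow passing rate y)


@dataclass(frozen=True)
class FlowRequestCoordinateSystem:
    """Step 403: coordinate system built from historical flow data of one scene."""
    abnormal: Point  # A = (x1, y1), the abnormal flow request parameter
    full: Point      # B = (x2, y2), the full flow request parameter

    def __post_init__(self) -> None:
        if self.abnormal[0] == self.full[0]:
            raise ValueError("reference points must differ in flow request value")
        for _, rate in (self.abnormal, self.full):
            if not 0.0 <= rate <= 1.0:
                raise ValueError("flow passing rate must lie in [0, 1]")

    def control_coefficient(self, x: float) -> float:
        """Assumed formula I: k = (x - x1) / (x2 - x1), clamped to [0, 1] so a
        request value outside [x1, x2] reuses the nearest reference point."""
        x1, x2 = self.abnormal[0], self.full[0]
        k = (x - x1) / (x2 - x1)
        return min(1.0, max(0.0, k))

    def passing_rate(self, x: float) -> float:
        """Step 404 / formula II: Y = (1 - k) * y1 + k * y2."""
        k = self.control_coefficient(x)
        return (1.0 - k) * self.abnormal[1] + k * self.full[1]

    def return_value(self, x: float) -> float:
        """Step 405: target flow return value S = X * Y."""
        return x * self.passing_rate(x)


def admit_requests(cs: FlowRequestCoordinateSystem,
                   pending: List[str]) -> Tuple[List[str], List[str]]:
    """Step 406: take the size of the pending batch as the target flow request
    value X, let round(S) requests through in arrival order, reject the rest."""
    quota = int(round(cs.return_value(float(len(pending)))))
    return pending[:quota], pending[quota:]


# Constructed historical data: at 2 000 requests the scene started to show
# abnormal access with 90 % passing; at 10 000 requests (full flow) only 30 %
# of the requests can still be served.
SAMPLE_SYSTEM = FlowRequestCoordinateSystem(abnormal=(2000.0, 0.9),
                                            full=(10000.0, 0.3))


if __name__ == "__main__":
    for x in (500.0, 4000.0, 6000.0, 20000.0):
        print(f"X={x:>8.0f}  k={SAMPLE_SYSTEM.control_coefficient(x):.3f}  "
              f"Y={SAMPLE_SYSTEM.passing_rate(x):.3f}  "
              f"S={SAMPLE_SYSTEM.return_value(x):.0f}")
```

Values of X below x1 or above x2 are clamped to the nearest reference point rather than extrapolated, which keeps the passing rate inside the historical range.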
The access control method in the embodiment of the present invention is described above, and the access control device in the embodiment of the present invention is described below, referring to fig. 5, where an embodiment of the access control device in the embodiment of the present invention includes:
the data flow analysis module 501 is configured to obtain a data flow of a gateway in a network service, and analyze the data flow to obtain information of a data access request, where the information of the data access request includes an access information parameter and a target flow request value;
the historical data obtaining module 502 is configured to obtain historical flow request data of a target service scenario according to the access information parameter, where the historical flow request data at least includes an abnormal flow request parameter and a full flow request parameter;
a return value calculation module 503, configured to calculate the abnormal flow request parameter, the full flow request parameter, and the target flow request value based on a linear interpolation algorithm, so as to obtain a target flow return value of the data access request;
and the access control module 504 is configured to perform access control on the data access request according to the target flow return value of the data access request.
In this embodiment, modeling is performed on the flow request process through a linear interpolation algorithm, so that the flow intermediate process from abnormal data access to full data access request is smoothed, and stability of application service is further improved.
Referring to fig. 6, another embodiment of an access control apparatus according to an embodiment of the present invention includes:
the data flow analysis module 501 is configured to obtain a data flow of a gateway in a network service, and analyze the data flow to obtain information of a data access request, where the information of the data access request includes an access information parameter and a target flow request value;
the historical data obtaining module 502 is configured to obtain historical flow request data of a target service scenario according to the access information parameter, where the historical flow request data at least includes an abnormal flow request parameter and a full flow request parameter;
a return value calculation module 503, configured to calculate the abnormal flow request parameter, the full flow request parameter, and the target flow request value based on a linear interpolation algorithm, so as to obtain a target flow return value of the data access request;
and the access control module 504 is configured to perform access control on the data access request according to the target flow return value of the data access request.
The data flow parsing module 501 specifically includes:
the flow analysis unit 5011 is configured to obtain a data flow of a gateway in a network service, and perform flow analysis on the data flow to obtain a server flow and a database flow;
the data analysis unit 5012 is configured to perform data analysis on the server-side flow and the database-side flow respectively, so as to obtain a server-side flow parameter and a database-side flow parameter, where the server-side flow parameter and the database-side flow parameter both include a flow address and flow access information;
and the data association unit 5013 is configured to associate the server side flow with the database side flow based on the flow address and the flow access information in the server side flow parameter and the flow address and the flow access information in the database side flow parameter, so as to obtain information of a data access request.
The historical data obtaining module 502 specifically includes:
a determining unit 5021, configured to determine a database of a target service scenario according to the service database identifier;
a first screening unit 5022, configured to screen, based on the service channel parameter, a target data table from the database of the target service scenario, where the target data table includes multiple types of feature index data in the target service scenario;
and the second screening unit 5023 is used for screening the historical flow data of the target service scene from the multi-class characteristic index data in the target data table according to the characteristic keywords.
The return value calculating module 503 specifically includes:
a construction unit 5031, configured to construct a traffic request coordinate system of the target traffic scenario according to the abnormal traffic request parameter and the full traffic request parameter, where the traffic request coordinate system is used to describe a linear relationship between a traffic request value and a traffic passing rate;
a first calculating unit 5032, configured to calculate, based on the flow request coordinate system, a flow passing rate corresponding to the target flow request value, to obtain a target flow passing rate;
a second calculating unit 5033, configured to calculate a target traffic return value of the data access request according to the target traffic request value and the target traffic passing rate.
In the embodiment of the invention, the modularized design enables the hardware of each part of the access control device to concentrate on the realization of a certain function, the performance of the hardware is realized to the maximum extent, and meanwhile, the modularized design also reduces the coupling among the modules of the device, thereby being more convenient for maintenance.
The access control device in the embodiment of the present invention is described in detail above in fig. 5 and 6 from the point of view of modularized functional entities, and the access control apparatus in the embodiment of the present invention is described in detail below from the point of view of hardware processing.
Fig. 7 is a schematic structural diagram of an access control device according to an embodiment of the present invention, where the access control device 700 may have a relatively large difference due to different configurations or performances, and may include one or more processors (central processing units, CPU) 710 (e.g., one or more processors) and a memory 720, and one or more storage media 730 (e.g., one or more mass storage devices) storing application programs 733 or data 732. Wherein memory 720 and storage medium 730 may be transitory or persistent. The program stored in the storage medium 730 may include one or more modules (not shown), each of which may include a series of instruction operations in the access control device 700. Still further, the processor 710 may be configured to communicate with the storage medium 730 and execute a series of instruction operations in the storage medium 730 on the access control device 700.
The access control device 700 may also include one or more power supplies 740, one or more wired or wireless network interfaces 750, one or more input/output interfaces 760, and/or one or more operating systems 731, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, and the like. It will be appreciated by those skilled in the art that the access control device structure shown in fig. 7 does not limit the access control device, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
The present invention also provides an access control device comprising a memory and a processor, the memory storing computer readable instructions which, when executed by the processor, cause the processor to perform the steps of the access control method in the above embodiments.
The present invention also provides a computer readable storage medium, which may be a non-volatile computer readable storage medium, or a volatile computer readable storage medium, having stored therein instructions that, when executed on a computer, cause the computer to perform the steps of the access control method.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied essentially or in part or all of the technical solution or in part in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (random access memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An access control method, characterized in that the access control method comprises:
acquiring a data stream of a gateway in network service, and analyzing the data stream to obtain information of a data access request, wherein the information of the data access request comprises an access information parameter and a target flow request value;
acquiring historical flow request data of a target service scene according to the access information parameters, wherein the historical flow request data at least comprises abnormal flow request parameters and full flow request parameters;
calculating the abnormal flow request parameter, the full flow request parameter and the target flow request value based on a linear interpolation algorithm to obtain a target flow return value of the data access request;
and performing access control on the data access request according to the target flow return value of the data access request.
2. The access control method according to claim 1, wherein the obtaining the data flow of the gateway in the network service and analyzing the data flow to obtain the information of the data access request includes:
acquiring a data stream of a gateway in network service, and carrying out flow analysis on the data stream to obtain a service end flow and a database end flow;
respectively carrying out data analysis on the service end flow and the database end flow to obtain a service end flow parameter and a database end flow parameter, wherein the service end flow parameter and the database end flow parameter both comprise flow addresses and flow access information;
and correlating the server side flow with the database side flow based on the flow address and the flow access information in the server side flow parameter and the flow address and the flow access information in the database side flow parameter to obtain information of a data access request.
3. The access control method according to claim 1, wherein the information of the data access request further includes a token application parameter, after the obtaining the data flow of the gateway in the network service and analyzing the data flow to obtain the information of the data access request, before the obtaining the historical traffic request data of the target traffic scene according to the access information parameter, the method further includes:
carrying out validity check on the application id and the secret key in the token application parameter, and if the verification is successful, sending an access token to the terminal, wherein the access token comprises identity information, validity period information and encryption signature information;
and sequentially verifying the identity information, the validity period information and the encrypted signature information, if the verification is correct, receiving the data access request, otherwise, rejecting the data access request.
4. The access control method according to claim 1, wherein the access information parameters include a service database identifier, a service channel parameter, and a feature key, and the obtaining, according to the access information parameters, historical traffic request data of a target service scenario includes:
determining a database of a target service scene according to the service database identification;
screening a target data table from a database of the target service scene based on the service channel parameters, wherein the target data table comprises multiple types of characteristic index data in the target service scene;
and screening historical flow data of the target service scene from the multi-class characteristic index data in the target data table according to the characteristic keywords.
5. The access control method according to claim 1, wherein the calculating the abnormal flow request parameter, the full flow request parameter, and the target flow request value based on the linear interpolation algorithm, to obtain a target flow return value of the data access request includes:
constructing a flow request coordinate system of the target service scene according to the abnormal flow request parameter and the full flow request parameter, wherein the flow request coordinate system is used for describing a linear relation between a flow request value and a flow passing rate;
calculating the flow passing rate corresponding to the target flow request value based on the flow request coordinate system to obtain a target flow passing rate;
and calculating a target flow return value of the data access request according to the target flow request value and the target flow passing rate.
6. The access control method according to claim 1, characterized by further comprising, before the access control of the data access request according to the target traffic return value of the data access request:
and receiving the data security parameters input by the user, and generating an access interception policy for access control according to the data security parameters.
7. The access control method according to any one of claims 1 to 6, characterized by further comprising, after the access control of the data access request according to the target traffic return value of the data access request:
and protecting the data packet returned by the data access request based on a preset data protection rule.
8. An access control apparatus, characterized in that the access control apparatus comprises:
the data flow analysis module is used for acquiring the data flow of the gateway in the network service, analyzing the data flow and obtaining the information of the data access request, wherein the information of the data access request comprises an access information parameter and a target flow request value;
the historical data acquisition module is used for acquiring historical flow request data of a target service scene according to the access information parameters, wherein the historical flow request data at least comprises abnormal flow request parameters and full flow request parameters;
the return value calculation module is used for calculating the abnormal flow request parameter, the full flow request parameter and the target flow request value based on a linear interpolation algorithm to obtain a target flow return value of the data access request;
and the access control module is used for carrying out access control on the data access request according to the target flow return value of the data access request.
9. An access control device, characterized in that the access control device comprises: a memory and at least one processor, the memory having instructions stored therein;
the at least one processor invoking the instructions in the memory to cause the access control device to perform the access control method of any of claims 1-7.
10. A computer readable storage medium having instructions stored thereon, which when executed by a processor, implement the access control method of any of claims 1-7.
CN202111279578.1A 2021-10-28 2021-10-28 Access control method, device, equipment and storage medium Active CN114024904B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111279578.1A CN114024904B (en) 2021-10-28 2021-10-28 Access control method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114024904A CN114024904A (en) 2022-02-08
CN114024904B true CN114024904B (en) 2023-05-30

Family

ID=80059268

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant