CN114915427B - Access control method, device, equipment and storage medium - Google Patents


Info

Publication number: CN114915427B
Application number: CN202210628757.XA
Authority: CN (China)
Prior art keywords: sdp, access, client, sdp client, intranet
Legal status: Active (granted)
Other languages: Chinese (zh)
Other versions: CN114915427A (en)
Inventors: 孔祥斌, 欧阳秀平, 刘剑亮, 张晓东, 杨春民, 苏爱国, 周映, 田晋, 曾楚轩, 宁相军, 王伟, 廖峰, 黄浩贤, 梁志文
Current assignee: China United Network Communications Group Co Ltd
Original assignee: China United Network Communications Group Co Ltd


Classifications

    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105: Multiple levels of security
    • H04L63/12: Applying verification of the received information
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials


Abstract

The application provides an access control method, device, equipment and storage medium. The method comprises: receiving a first access request of an SDP client, wherein the first access request is used for requesting access to intranet resources; carrying out identity verification on the SDP client; if the identity verification of the SDP client passes, acquiring the historical access credibility of the SDP client, which represents the security of the SDP client when accessing intranet resources; and carrying out intranet resource access control on the SDP client through an SDP gateway according to the historical access credibility of the SDP client. The method of the application improves the security of remote access to intranet resources and improves the expansion capability of the network.

Description

Access control method, device, equipment and storage medium
Technical Field
The present application relates to communications technologies, and in particular, to an access control method, apparatus, device, and storage medium.
Background
With the growing demand for remote work, users often need to use terminal devices to remotely access resources in an enterprise intranet, such as the applications and data in the intranet. In this scenario the traditional security boundary of the enterprise's internal network becomes blurred, and the enterprise's information technology (Information Technology, IT) architecture transitions from "bordered" to "borderless". Currently, terminal devices usually use virtual private network (Virtual Private Network, VPN) technology to remotely access resources in an enterprise intranet.
However, with the current remote access means, a network attacker can illegally intrude into the intranet by scanning for the VPN gateway that the intranet exposes on the public network and cracking a user account. Thus, remote access to resources in an enterprise intranet using VPN technology has the problem of low security.
Disclosure of Invention
The application provides an access control method, an access control device, access control equipment and a storage medium, which are used for solving the problem of low security in remote access to an intranet.
In a first aspect, the present application provides an access control method, applied to an SDP controller, including:
receiving a first access request of an SDP client, wherein the first access request is used for requesting access to intranet resources;
carrying out identity verification on the SDP client;
if the identity verification of the SDP client passes, acquiring the historical access credibility of the SDP client, wherein the historical access credibility represents the security of the SDP client when accessing intranet resources;
and carrying out intranet resource access control on the SDP client through an SDP gateway according to the historical access credibility of the SDP client.
Optionally, acquiring the historical access credibility of the SDP client includes:
if the SDP client has not accessed intranet resources through an SDP gateway before, taking a preset access credibility as the historical access credibility of the SDP client;
if the SDP client has accessed intranet resources through an SDP gateway at least once before, reading the recorded historical access credibility of the SDP client, wherein the historical access credibility is obtained based on first log audit information reported by the SDP gateway the SDP client was connected to when it last accessed intranet resources and second log audit information reported by the SDP client; the first log audit information and the second log audit information record information about the SDP client's last access to intranet resources.
Optionally, carrying out intranet resource access control on the SDP client through an SDP gateway according to the historical access credibility of the SDP client includes:
determining the intranet resource access authority of the SDP client according to the historical access credibility of the SDP client;
and sending an access response to the SDP client, wherein the access response indicates the SDP gateway the SDP client is allowed to connect to when accessing intranet resources, and the intranet resource access authority of the SDP client.
Optionally, determining the intranet resource access authority of the SDP client according to the historical access credibility of the SDP client includes:
determining the trust level of the SDP client according to the historical access credibility of the SDP client;
and determining the intranet resource access authority of the SDP client according to the trust level of the SDP client and a mapping relation between trust levels and intranet access authority.
Optionally, after intranet resource access control is performed on the SDP client through the SDP gateway, the method further includes:
receiving third log audit information from the SDP gateway currently connected to the SDP client and fourth log audit information from the SDP client, wherein the third log audit information and the fourth log audit information record information about the SDP client's current access to intranet resources;
and updating the historical access credibility of the SDP client according to the third log audit information and the fourth log audit information.
Optionally, updating the historical access credibility of the SDP client according to the third log audit information and the fourth log audit information includes:
extracting, from the third log audit information and the fourth log audit information, the value of at least one historical access credibility vector used in an access credibility function;
and updating the historical access credibility of the SDP client according to the access credibility function and the extracted value of the at least one historical access credibility vector.
Optionally, after updating the historical access credibility of the SDP client, the method further includes:
if it is determined from the updated historical access credibility that the intranet resource access authority of the SDP client has changed, and the SDP client is currently accessing intranet resources, carrying out intranet resource access control on the SDP client through the SDP gateway according to the updated historical access credibility of the SDP client.
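The update step in the last four clauses above (extracting credibility vector values from the gateway's and the client's log audit information, applying the access credibility function, and re-controlling access if the resulting authority changes) can be illustrated with the following added example. It is not the patent's implementation: the log line format, the three vector components, the weights, the blending factor and the trust-level thresholds are all assumptions made for this example, and the log lines are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed log audit lines, assumed format: timestamp followed by key=value fields.
# GATEWAY_LOG stands in for the third log audit information (reported by the SDP gateway
# the client is currently connected to); CLIENT_LOG for the fourth (reported by the SDP
# client itself). Gateway and resource names are made up for this example.
GATEWAY_LOG = """\
2024-05-01T02:13:07Z gw=gw-bj client=client-0001 event=access resource=finance-db result=denied
2024-05-01T02:13:09Z gw=gw-bj client=client-0001 event=access resource=finance-db result=denied
2024-05-01T02:13:15Z gw=gw-bj client=client-0001 event=access resource=oa-web result=allowed bytes=20480
2024-05-01T02:20:41Z gw=gw-bj client=client-0001 event=access resource=oa-web result=allowed bytes=4096
"""
CLIENT_LOG = """\
2024-05-01T02:12:58Z client=client-0001 event=posture disk_encrypted=yes av_running=no
2024-05-01T02:13:05Z client=client-0001 event=login method=password result=ok
"""

# Assumed weights of the access credibility function and assumed work window (UTC hours).
WEIGHTS = {"denied_ratio": 40.0, "off_hours": 20.0, "posture_gap": 30.0}
WORK_HOURS = range(8, 20)


def parse_kv_lines(text: str) -> List[Dict[str, str]]:
    """Parse 'timestamp k=v k=v ...' lines into dicts; fields without '=' are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        rec = {"ts": parts[0]}
        for field in parts[1:]:
            key, sep, value = field.partition("=")
            if sep:
                rec[key] = value
        records.append(rec)
    return records


@dataclass
class CredibilityVector:
    """Values of the historical access credibility vector extracted from the two audit logs."""
    denied_ratio: float   # share of gateway access events the gateway denied
    off_hours: float      # share of access events outside WORK_HOURS
    posture_gap: float    # 1.0 if the client reported a failing posture check, else 0.0


def extract_vector(gateway_records, client_records) -> CredibilityVector:
    access = [r for r in gateway_records if r.get("event") == "access"]
    denied = sum(1 for r in access if r.get("result") == "denied")
    denied_ratio = denied / len(access) if access else 0.0
    off = sum(1 for r in access if int(r["ts"][11:13]) not in WORK_HOURS)
    off_hours = off / len(access) if access else 0.0
    posture = [r for r in client_records if r.get("event") == "posture"]
    failing = any(r.get("av_running") == "no" or r.get("disk_encrypted") == "no" for r in posture)
    return CredibilityVector(denied_ratio, off_hours, 1.0 if failing else 0.0)


def access_credibility_function(v: CredibilityVector) -> float:
    """Assumed shape: 100 minus weighted penalties, clamped to [0, 100]."""
    penalty = (WEIGHTS["denied_ratio"] * v.denied_ratio
               + WEIGHTS["off_hours"] * v.off_hours
               + WEIGHTS["posture_gap"] * v.posture_gap)
    return max(0.0, min(100.0, 100.0 - penalty))


def trust_level(credibility: float) -> str:
    """Assumed thresholds for the trust level the access authority is looked up by."""
    return "high" if credibility >= 80 else "medium" if credibility >= 50 else "low"


def update_historical_credibility(old: float, gateway_log: str, client_log: str, alpha: float = 0.5) -> dict:
    """Blend the stored value with the score of the current access (alpha is assumed) and
    report whether the trust level, and hence the access authority, changed, in which case
    the controller must re-apply access control on the client's current session."""
    v = extract_vector(parse_kv_lines(gateway_log), parse_kv_lines(client_log))
    new = round((1 - alpha) * old + alpha * access_credibility_function(v), 2)
    return {
        "vector": v,
        "old": old,
        "new": new,
        "old_level": trust_level(old),
        "new_level": trust_level(new),
        "recontrol_required": trust_level(old) != trust_level(new),
    }


if __name__ == "__main__":
    print(update_historical_credibility(85.0, GATEWAY_LOG, CLIENT_LOG))
```

With the constructed logs the client was denied on half of its requests, accessed entirely outside the assumed work window and reported a failing posture check, so its credibility drops from 85 to 57.5 and its trust level from high to medium; the `recontrol_required` flag is what would trigger the re-control described in the last clause.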
In a second aspect, the present application provides an access control device, applied to an SDP controller, comprising:
a receiving module, used for receiving a first access request of an SDP client, wherein the first access request is used for requesting access to intranet resources;
a verification module, used for carrying out identity verification on the SDP client;
an acquisition module, used for acquiring the historical access credibility of the SDP client if the identity verification of the SDP client passes, wherein the historical access credibility represents the security of the SDP client when accessing intranet resources;
and a control module, used for carrying out intranet resource access control on the SDP client through an SDP gateway according to the historical access credibility of the SDP client.
In a third aspect, the present application provides an access control device, applied to an SDP client, comprising:
a sending module, used for sending a first access request to an SDP controller, wherein the first access request is used for requesting access to intranet resources;
a receiving module, used for receiving control information sent by the SDP controller, wherein the control information is used for controlling the access of the SDP client to intranet resources through an SDP gateway;
and an access module, used for initiating a connection request to the SDP gateway and, after the connection succeeds, accessing intranet resources through the connection established with the SDP gateway.
In a fourth aspect, the present application provides an access control device, applied to an SDP gateway, comprising:
a receiving module, used for receiving indication information sent by an SDP controller, wherein the indication information instructs the SDP gateway to allow access by the SDP client;
and a connection module, used for receiving a connection request from the SDP client and establishing a connection with the SDP client.
In a fifth aspect, the present application provides an SDP controller comprising a processor, a communication interface and a memory, wherein the processor is communicatively connected to the communication interface and to the memory;
the memory stores computer-executable instructions;
the communication interface communicates with external devices;
and the processor executes the computer-executable instructions stored in the memory to implement the method of any one of the first aspects.
In a sixth aspect, the present application provides an SDP client comprising a processor, a communication interface and a memory, wherein the processor is communicatively connected to the communication interface and to the memory;
the memory stores computer-executable instructions;
the communication interface communicates with external devices;
and the processor executes the computer-executable instructions stored in the memory to implement the method of any one of the first aspects.
In a seventh aspect, the present application provides an SDP gateway comprising a processor, a communication interface and a memory, wherein the processor is communicatively connected to the communication interface and to the memory;
the memory stores computer-executable instructions;
the communication interface communicates with external devices;
and the processor executes the computer-executable instructions stored in the memory to implement the method of any one of the first aspects.
In an eighth aspect, the present application provides an access control system, the system comprising: an SDP controller as described in the fifth aspect, an SDP client as described in the sixth aspect, and an SDP gateway as described in the seventh aspect.
In a ninth aspect, the present application provides a computer-readable storage medium having stored therein computer-executable instructions for implementing the access control method according to any one of the first aspects when executed by a processor.
In a tenth aspect, the application provides a computer program product comprising a computer program which, when executed by a processor, implements the method according to any of the first aspects.
According to the access control method, device, equipment and storage medium of the application, identity verification and historical access credibility verification are carried out on the SDP client that sends the access request, and the SDP gateway corresponding to the intranet resources the SDP client may access and the intranet resource access authority are determined accordingly, so that the SDP client can only access the intranet resources corresponding to its historical access credibility, and the security of intranet resources in the remote access scenario is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic architecture diagram of an enterprise intranet remotely accessed through VPN technology according to an embodiment of the present application;
fig. 2 is a schematic diagram of an architecture of one possible access control method according to an embodiment of the present application;
fig. 3 is a schematic flow chart of an access control method according to an embodiment of the present application;
fig. 4 is a flow chart of another access control method according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an access control device according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of another access control device according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of another access control device according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of an access control device according to an embodiment of the present application.
Specific embodiments of the present application have been shown by way of the above drawings and will be described in more detail below. The drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but rather to illustrate the inventive concepts to those skilled in the art by reference to the specific embodiments.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
Currently, resources in an intranet may include, for example, data in a database and applications in the intranet. The data in the database may include, for example, the financial data, administrative data, etc. of the enterprise. An application may be a system or piece of software, mainly based on information technology, that meets the various demands of the enterprise; it may be used online through a web (Web) front end or through an application program installed on a terminal device, and may be, for example, the enterprise's OA system, a workflow system, or the like. A user accesses resources in the enterprise intranet through a terminal device connected to the enterprise intranet; for example, the terminal device is deployed at a physical location of the enterprise and connected to the enterprise intranet in a wired or wireless manner.
However, with the rapid growth of demand for remote work, users increasingly need to access resources in the enterprise intranet remotely using terminal devices. For example, when a user is at home or travelling on business, access to resources in the intranet is sometimes required to complete the job. Therefore, the enterprise IT architecture, traditionally bounded by the enterprise intranet, needs to be broken so that it transitions from "bordered" to "borderless".
In the prior art, a user connects a terminal device to a VPN deployed by the user's enterprise, so that the user can remotely connect to the enterprise's intranet through the VPN and access the resources in it. Next, the scenario in which resources in an intranet are remotely accessed through VPN technology is described.
Fig. 1 is a schematic architecture diagram of an enterprise intranet remotely accessed through VPN technology according to an embodiment of the present application. As shown in fig. 1, the architecture includes:
VPN client: installed on the terminal device and used to implement the remote access function of the terminal device using VPN technology. For example, when an enterprise user is not at the physical location corresponding to the enterprise intranet, resources in the enterprise intranet can be accessed remotely by installing the VPN client on the terminal device. The terminal device may be, for example, a computer or a smart phone.
VPN gateway: the gateway in the enterprise intranet to which the terminal device connects through VPN technology, thereby implementing the function of remotely connecting the external terminal device to the intranet.
Under this architecture, a user connects through the VPN client to the VPN gateway that the enterprise intranet exposes on the public network, so that the terminal device is admitted to the enterprise intranet. After the connection is completed, the terminal device can access resources in the enterprise intranet as needed. The resource may be, for example, data in the intranet or an application in the intranet. The data in the intranet may be stored in a database, for example. An application in the enterprise intranet may be, for example, an application providing various functions based on data resources: for example, an application providing personnel management functions based on enterprise employee information in the database, or an application providing financial analysis functions based on financial data in the database.
However, remote access to an enterprise intranet through VPN technology has the following problems:
Problem 1: vulnerability to attack. Because the VPN gateway of the enterprise intranet is directly exposed on the public network, any user on the public network can discover it, so an attacker can connect to the discovered VPN gateway and thereby enter the enterprise's intranet. And because connecting to the enterprise intranet through VPN technology grants broad access to the resources on it, this broad access exposes the resources in the intranet to an attacker, who can then obtain them. VPN technology therefore has the problems of over-trust and over-broad access, and because of them remote access to an intranet using VPN technology is easily intruded upon or attacked by an illegitimate user.
Problem 2: poor network expansion capability. When an enterprise has several data centers on different networks, for example an intranet corresponding to a data center in Beijing and an intranet corresponding to a data center in Shanghai, the enterprise needs to configure the firewall policy of a VPN gateway for the intranet of each data center on each network. The firewall is a protective barrier on the VPN gateway used to protect the security of resources in the intranet; it can promptly discover and handle possible security risks during network access, and its policy can be set according to actual needs. In this scenario the enterprise therefore has to configure the firewall policy of a VPN gateway multiple times, which makes network expansion cumbersome.
Problem 3: the data available for judging the credibility of a VPN account are limited. The VPN gateway is currently exposed on the public network, and an attacker can find it through port scanning. The credibility judgement of a VPN consists mainly of checking whether the user is legitimate through an authorized user account and password; judgement from other angles is lacking. If an attacker finds the port through port scanning and cracks the account and password of a legitimate user, the attacker easily obtains authorization and can then illegally access or modify enterprise data resources.
In summary, the prior-art method of remotely accessing an intranet through a VPN has the problems of low security and poor network expansion capability, and cannot meet the security protection requirements of the remote work scenario.
A Software Defined Perimeter (SDP) is a security framework developed by the Cloud Security Alliance (CSA). SDP technology is based on the zero-trust concept of network security protection: it continuously monitors network access activities using various credibility judgement methods, continuously updates the trust scores of the terminal devices using SDP services, and dynamically adjusts control policies and access rights to cope with network attacks, thereby effectively protecting the security of enterprise data resources. The zero-trust concept of network security protection refers to a protection model that by default trusts no person, device or system and continuously verifies every visitor: never trust, always verify.
In view of this, the present application provides an access control method based on SDP technology, which uses dual verification of the identity and the historical access credibility of an SDP client to control the SDP client's access to the intranet, thereby improving the security of users remotely accessing resources in the intranet. In addition, the SDP-based access control method controls, through the SDP controller, the connection between the SDP client and the SDP gateway and the resource access authority the SDP client has when accessing resources in the intranet. That is, the user only needs to configure or update the SDP controller for the security policies of all SDP gateways to be managed and controlled centrally, and does not need to separately configure firewall policies for VPNs in different geographic locations and different networks as in the VPN architecture, so the network expansion capability of the method is improved.
Fig. 2 is a schematic diagram of an architecture of a possible access control method according to an embodiment of the present application. As shown in fig. 2, the architecture includes:
SDP controller: may be, for example, a server or a server cluster. It manages all SDP clients and SDP gateways and issues control information to the SDP clients, for example determining which SDP clients may communicate with which SDP gateways and indicating the resource access rights of the SDP clients, or relays information obtained from the SDP clients and SDP gateways to an external authentication service, such as a 4A authentication, geographic location and/or identity server, in order to verify the SDP clients; this verification may be, for example, verification of the identity information of the user using the SDP client, verification of the legitimacy of the terminal device on which the SDP client is located, and so on.
SDP client: installed on the user's terminal device; it requests from the SDP controller the list of SDP gateways the SDP client may connect to and the SDP client's intranet resource access authority, in order to access the resources in the intranets corresponding to those SDP gateways.
SDP gateway: receives the indication of the SDP controller and connects to the corresponding SDP client according to that indication, thereby providing the resources in the corresponding intranet to the SDP client.
The technical scheme of the embodiment of the application is described in detail below with reference to specific embodiments. The following embodiments may be combined with each other, and some embodiments may not be repeated for the same or similar concepts or processes.
Fig. 3 is a flow chart of an access control method according to an embodiment of the present application. As shown in fig. 3, the method includes:
s301, the SDP client sends a first access request to the SDP controller.
Accordingly, the SDP controller receives the first access request, where the first access request is for requesting access to an intranet resource.
The user can initiate the first access request to the SDP controller by operating the SDP client terminal, so as to request to access the intranet resources which can be accessed by the SDP client terminal.
The SDP controller enables a network stealth function: its service port is closed by default, so other devices cannot connect to it or scan its service port. In this case, the first access request may be transmitted to the SDP controller based on, for example, single packet authorization (Single Packet Authorization, SPA). Using single packet authorization, the SDP client can send the first access request to an SDP controller whose service port is closed by default: the first access request is sent to the SDP controller in a specific authentication message format that causes the SDP controller to open its service for the IP address of the SDP client.
With this embodiment, the possibility that an attacker attacks the SDP controller after discovering it by port scanning is reduced, so the security of the access control method is improved.
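The controller-side check that an SPA-style first access request must pass before the service port is opened for the sender's IP address, as an added example that is not code from the patent. The patent only states that the request is sent in a specific authentication message format which opens the service for the client's IP; the packet layout (canonical JSON plus an HMAC-SHA256 tag), the per-client shared secrets, the 30-second freshness window and the nonce replay cache are assumptions of this example, and the secrets and addresses are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set, Tuple

# Constructed per-client shared secrets held by the SDP controller (hypothetical store).
CLIENT_SECRETS = {"client-0001": b"constructed-shared-secret-for-client-0001"}

SPA_MAX_AGE_SECONDS = 30                      # freshness window for the packet timestamp
_seen_nonces: Set[Tuple[str, str]] = set()    # replay cache of (client_id, nonce)
_opened_for: Set[str] = set()                 # simulated firewall: source IPs the service port is open to


def build_spa_packet(client_id: str, source_ip: str, secret: bytes, now: Optional[float] = None) -> bytes:
    """Client side of the demo: one datagram = canonical JSON payload + "." + HMAC-SHA256 tag."""
    ts = int(now if now is not None else time.time())
    payload = {"client_id": client_id, "ip": source_ip, "ts": ts, "nonce": secrets.token_hex(8)}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def verify_spa_packet(packet: bytes, now: Optional[float] = None) -> Tuple[bool, str]:
    """Controller side: the service port stays closed unless this returns (True, ...).

    Every failure path returns without opening anything; a real controller would also send
    no reply at all, so a scanner learns nothing from a rejected packet.
    """
    current = now if now is not None else time.time()
    try:
        body, tag = packet.rsplit(b".", 1)     # the hex tag contains no '.', so this split is safe
        payload = json.loads(body)
        client_id, src_ip = payload["client_id"], payload["ip"]
        ts, nonce = int(payload["ts"]), payload["nonce"]
        if not (isinstance(client_id, str) and isinstance(src_ip, str) and isinstance(nonce, str)):
            raise ValueError("wrong field types")
    except (ValueError, KeyError, TypeError):
        return False, "malformed packet"
    secret = CLIENT_SECRETS.get(client_id)
    if secret is None:
        return False, "unknown client"
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison of the tag
        return False, "bad mac"
    if abs(current - ts) > SPA_MAX_AGE_SECONDS:
        return False, "stale timestamp"
    if (client_id, nonce) in _seen_nonces:
        return False, "replayed nonce"
    _seen_nonces.add((client_id, nonce))
    _opened_for.add(src_ip)
    return True, "service opened for " + src_ip


def is_open_for(ip: str) -> bool:
    """Whether the simulated firewall currently admits this source IP to the service port."""
    return ip in _opened_for
```

The order of the checks matters: the MAC is verified before the timestamp and nonce are trusted, so an unauthenticated sender cannot influence the replay cache, and a captured packet cannot be reused after its window even if it was genuine.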
S302, carrying out identity verification on the SDP client. If the verification passes, the identity information of the user logged in at the SDP client is legitimate, and step S303 is performed to further determine the credibility of the SDP client. If the verification fails, the identity information of the user logged in at the SDP client is illegitimate, and the access request of the SDP client is refused directly.
After receiving the first access request of the SDP client, the SDP controller first verifies the SDP client using the user identity information included in the data packet carrying the first access request. The user's identity may be verified by acquiring the identity information of the user using the SDP client, for example an account and/or password, and/or facial recognition, fingerprint recognition, voice recognition, etc., and determining from it whether the user's identity is legitimate.
Optionally, the data packet where the first access request is located may further include hardware information, and verifying the SDP client may further include verifying the hardware information of the terminal device where the SDP client is located, so as to verify whether the terminal device is legal. For example, the hardware information may include the identity of the terminal device, the media access control address (Media Access Control Address, MAC), etc.
S303, acquiring the historical access credibility of the SDP client, wherein the historical access credibility is used for representing the security of the SDP client when accessing the intranet resources.
The historical access credibility of the SDP client refers to the security of the SDP client when it accesses intranet resources, as determined by its historical access count and historical access behaviour.
Case 1: the SDP client has not previously accessed intranet resources through an SDP gateway.
In one possible implementation, a preset access credibility is used as the historical access credibility of the SDP client; the preset access credibility may be set according to actual needs, and the application does not limit it.
In another possible implementation, the SDP controller first makes a preliminary judgement of the access credibility of the SDP client and uses the result of that preliminary judgement as the historical access credibility of the SDP client.
Case 2: the SDP client has accessed intranet resources through an SDP gateway at least once before.
In one possible implementation, the recorded historical access credibility of the SDP client is read, where that historical access credibility was obtained based on first log audit information reported by the SDP gateway the SDP client was connected to when it last accessed intranet resources and second log audit information reported by the SDP client. The first log audit information and the second log audit information record information about the SDP client's last access to intranet resources.
In another possible implementation, the historical access credibility is obtained from the several historical access credibilities recorded for the SDP client's previous accesses to intranet resources, each of which was obtained from the first log audit information reported by the connected SDP gateway and the second log audit information reported by the SDP client. For example, the average of the historical access credibilities of all previous accesses of the SDP client is taken as the historical access credibility for the current access. It should be appreciated that the average is only an example; the application does not limit how multiple historical access credibilities are combined.
S304: Perform intranet resource access control on the SDP client through an SDP gateway according to the historical access trustworthiness of the SDP client.
Based on the historical access trustworthiness of the SDP client, the SDP controller decides whether the SDP client may access the intranet at all, how it may access it, and which intranet resources it may access.
According to the historical access trustworthiness of the SDP client, the SDP controller issues to the client a list of the SDP gateways it is permitted to access, together with the intranet resource access rights the client holds when connecting to each gateway. After receiving this information, the SDP client sends a network connection request to an SDP gateway in the list.
According to the historical access trustworthiness of the SDP client, the SDP controller also instructs the SDP gateway which SDP client it should accept a connection from and what intranet resource access rights that client has. When the SDP gateway receives the network connection request from the SDP client, it accepts the request and establishes the connection. Once the connection is established, the SDP gateway restricts the resources the SDP client can reach according to the access rights it obtained from the SDP controller, so that the SDP client can only access resources within its granted rights. The enforcement point is the gateway, not the list held by the client, which protects the intranet resources even if the client ignores the list.
According to the access control method provided in this embodiment, the SDP client that sends the access request is both authenticated and assessed for historical access trustworthiness, and on that basis the SDP gateways corresponding to the intranet resources the client may access and its intranet resource access rights are determined. The SDP client can therefore only access the intranet resources matching its historical access trustworthiness, which improves the security of intranet resources in remote access scenarios.
The following describes in detail how the historical access trustworthiness of an SDP client is obtained when the client sends an access request and has previously accessed intranet resources at least once through an SDP gateway.
The method obtains the historical access trustworthiness vectors of the SDP client and, from the elements of each vector, computes the trustworthiness value corresponding to that vector. The historical access trustworthiness of the SDP client is then obtained from the trustworthiness values of all the vectors obtained for the client and their corresponding weighting coefficients.
The historical access trustworthiness vectors of the SDP client may be built from log audit information reported to the SDP controller by the SDP client, and/or by the SDP gateway, and/or by a third-party analysis system. The log audit information is further divided into several audit information categories; each category contains several audit information items, and each item is one element of a historical access trustworthiness vector.
The log audit information includes at least one or more of the following audit information categories:
(1) User behaviour analysis information. This category includes at least one or more of the audit information items high-frequency query, high-frequency download, multiple login attempts and multiple mail copies.
(2) Network behaviour analysis information. This category includes at least one or more of the audit information items traffic anomaly and protocol anomaly.
(3) Comprehensive audit analysis information. This category includes at least one or more of the audit information items log correlation analysis and security system anomaly.
(4) System operating environment information. This category includes at least one or more of the audit information items antivirus software disabled, high-risk port open, system vulnerability outbreak and registry modified.
(5) Terminal operating environment information. This category includes at least one or more of the audit information items authorized person absent and multiple persons observing.
(6) Newly added sudden security information. This category includes at least one or more of the audit information items sudden industry risk and emergency blocking protection.
By combining these audit information categories, the historical access trustworthiness of the SDP client is computed and judged comprehensively from the perspectives of user behaviour, network behaviour, system operating environment, terminal operating environment, newly added sudden security information and comprehensive audit. This addresses the narrowness of the data used to judge the trustworthiness of a VPN account in the prior art and improves the security of the SDP client's access to intranet resources.
Taking the audit information categories above as an example, the following embodiments describe in detail how the historical access trustworthiness of the SDP client is obtained.
Embodiment 1: obtaining the historical access trustworthiness of the SDP client from the first log audit information and the second log audit information.
S3031: Obtain the first log audit information and the second log audit information.
The first log audit information is reported by the SDP gateway to which the SDP client was connected during its most recent intranet access. It may include, for example, user behaviour analysis information, that is, user behaviour generated while the SDP client accessed the intranet through that SDP gateway. Examples of such behaviour are high-frequency queries against a subset of resources (for instance resources above a preset security level), high-frequency downloads of sensitive information, or repeated attempts to log in to a particular system or application in the intranet. The first log audit information may be as shown in Table 1 below:
TABLE 1
Audit information category            Audit information item     Variable symbol of the item
User behaviour analysis information   High-frequency query       A1
User behaviour analysis information   High-frequency download    A2
User behaviour analysis information   Multiple login attempts    A3
User behaviour analysis information   Multiple mail copies       A4
A high-frequency query may be detected, for example, as follows: the SDP gateway monitors at least one item of preset sensitive information in the intranet it fronts, and if within a preset time window the number of queries the SDP client makes for a particular item of sensitive information, or for all sensitive information together, exceeds a preset threshold, the gateway records the query behaviour of the SDP client. The recorded query behaviour may include, for example, the identifier of the SDP client, the identifier of the queried sensitive information and the number of queries. It should be understood that what is recorded can be adjusted to actual requirements; the application does not limit it.
A high-frequency download may be, for example, a download of sensitive information; it is detected in the same way as a high-frequency query and is not described again here.
Multiple login attempts may be, for example, the SDP client attempting to log in to a system or application in the intranet more times than a preset login attempt threshold within a preset time window. It may be configured that the SDP client is recorded whenever the threshold is exceeded, regardless of whether the final login succeeds, or that the SDP client is recorded only if it ultimately fails to log in.
Multiple mail copies may be, for example, the number of copies of historical mail made in the intranet's mail system or mail application exceeding a preset copy threshold; the number of copies is recorded.
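As an added example, not code from the patent, the following Python detects three of the Table 1 user-behaviour items (A1, A2, A3) from SDP gateway log lines using a sliding time window and preset thresholds. The log line format, the set of monitored sensitive resources, the window length and the thresholds are all assumptions made for the example, and the sample log is constructed; both login-attempt policies described above (record whenever the threshold is exceeded, or only when the login never succeeded) are implemented.

```python
"""Detect Table 1 user-behaviour audit items from SDP gateway logs.

Added illustration, not code from the patent. Log format, sensitive
resources, window length and thresholds are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway log (not real data).
# Assumed format: "<ISO timestamp> <client_id> <action> <resource> <result>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 client-7 query    hr/salaries  ok
2024-05-01T09:00:03 client-7 query    hr/salaries  ok
2024-05-01T09:00:05 client-7 query    hr/contracts ok
2024-05-01T09:00:08 client-7 query    hr/salaries  ok
2024-05-01T09:00:09 client-7 download hr/salaries  ok
2024-05-01T09:00:10 client-7 download hr/contracts ok
2024-05-01T09:00:11 client-7 download hr/salaries  ok
2024-05-01T09:01:00 client-7 login    erp          fail
2024-05-01T09:01:02 client-7 login    erp          fail
2024-05-01T09:01:05 client-7 login    erp          fail
2024-05-01T09:01:09 client-7 login    erp          ok
2024-05-01T09:30:00 client-9 query    hr/salaries  ok
2024-05-01T09:30:01 client-9 login    erp          fail
"""

SENSITIVE = {"hr/salaries", "hr/contracts"}   # preset sensitive resources (assumed)
WINDOW = timedelta(minutes=5)                  # preset time window (assumed)
THRESHOLDS = {"A1": 3, "A2": 2, "A3": 2}       # "more than N events in WINDOW" (assumed)


def parse_log(text):
    """Parse the constructed format into (timestamp, client, action, resource, result)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, action, resource, result = line.split()
            events.append((datetime.fromisoformat(ts), client, action, resource, result))
    return events


def _exceeds_in_window(timestamps, limit, window=WINDOW):
    """True if more than `limit` timestamps fall inside some window of length `window`."""
    timestamps = sorted(timestamps)
    start = 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:
            start += 1
        if end - start + 1 > limit:
            return True
    return False


def audit_user_behaviour(events, record_failed_logins_only=False):
    """Return {client_id: {item: details}} for A1, A2 and A3.

    A1 counts all sensitive-resource queries together, so a single resource
    exceeding the threshold is caught as well. A3 follows one of the two
    policies on the page, selected by record_failed_logins_only.
    """
    per_client = defaultdict(lambda: defaultdict(list))
    login_success = defaultdict(set)
    for ts, client, action, resource, result in events:
        if action == "query" and resource in SENSITIVE:
            per_client[client]["queries"].append((ts, resource))
        elif action == "download" and resource in SENSITIVE:
            per_client[client]["downloads"].append((ts, resource))
        elif action == "login":
            per_client[client]["logins"].append((ts, resource))
            if result == "ok":
                login_success[client].add(resource)

    findings = {}
    for client, data in per_client.items():
        items = {}
        q_times = [t for t, _ in data["queries"]]
        if _exceeds_in_window(q_times, THRESHOLDS["A1"]):
            items["A1"] = {"client": client, "count": len(q_times),
                           "resources": sorted({r for _, r in data["queries"]})}
        d_times = [t for t, _ in data["downloads"]]
        if _exceeds_in_window(d_times, THRESHOLDS["A2"]):
            items["A2"] = {"client": client, "count": len(d_times)}
        by_target = defaultdict(list)
        for t, target in data["logins"]:
            by_target[target].append(t)
        for target, times in by_target.items():
            if not _exceeds_in_window(times, THRESHOLDS["A3"]):
                continue
            if record_failed_logins_only and target in login_success[client]:
                continue   # client eventually logged in: not recorded under this policy
            items["A3"] = {"client": client, "target": target, "attempts": len(times)}
        if items:
            findings[client] = items
    return findings
```

With the constructed log, client-7 trips all three items under the default policy and only A1 and A2 under the failed-logins-only policy, because its fourth login attempt succeeded; client-9 trips nothing.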
The second log audit information is reported by the SDP client itself during its most recent intranet access. It may include, for example, network anomaly analysis information and system environment analysis information, as shown in Table 2 below:
TABLE 2
The network anomaly analysis information describes the network condition of the terminal device on which the SDP client runs. It may be produced by a network condition monitoring module integrated into the SDP client, or the SDP client may obtain the result of network monitoring software running on the terminal device. Traffic anomaly may mean that the terminal device's network traffic fluctuates sharply within a short time, which can cause congestion, packet loss and delay. Protocol anomaly means an anomaly in the terminal device's network protocol configuration.
The system environment analysis information describes the system security condition of the terminal device on which the SDP client runs. It may be produced by a system security monitoring module integrated into the SDP client, or the SDP client may obtain the result of system security monitoring software on the terminal device, for example the result reported by its antivirus software. A high-risk port may be, for example, at least one network port designated according to actual requirements. A system vulnerability outbreak may mean, for example, that the number of system vulnerabilities currently present on the terminal device exceeds a preset number by more than a preset margin. Registry modified means that the registry on the terminal device has been altered; if so, the terminal device may have been compromised by an attacker and poses a security risk.
S3032: After the first and second log audit information are obtained, map the information corresponding to each audit information item to a trustworthiness value.
For example, the information corresponding to each audit information item may be fed into a trained machine learning model, such as a convolutional neural network, which analyses the input and produces a score for that item. That score is the trustworthiness value to which the item's information is mapped.
S3033: Obtain the category trustworthiness value for each audit information category.
The category trustworthiness value of an audit information category is obtained from the trustworthiness values of the audit information items in that category.
In one possible implementation, the arithmetic mean, or a weighted mean, of the trustworthiness values of all audit information items in a category is taken as the category's trustworthiness value. Taking the arithmetic mean for the user behaviour analysis information as an example, the formula for this embodiment may be:
a = (A1 + A2 + ... + An) / n
where a is the category trustworthiness value of the user behaviour analysis information, n is the number of audit information items in that category, and Ai is the trustworthiness value of each item, for example A1 for high-frequency query and A2 for high-frequency download.
In another possible implementation, the minimum of the trustworthiness values of all audit information items in a category is taken as the category trustworthiness value. Because a smaller value means the item is less trustworthy and the terminal device poses a higher attack risk, this embodiment makes the judgement of each category follow its highest-risk item, which controls the attack risk to intranet resources more strictly and further improves security. The mean, by contrast, lets several benign items mask one severe finding.
S3034: Obtain the historical access trustworthiness of the SDP client from the category trustworthiness values.
The historical access trustworthiness ZTD of the SDP client takes a value in the interval [0,1].
In one possible implementation, the historical access trustworthiness of the SDP client is obtained only from the category trustworthiness values of the audit information categories in which a risk was found.
In this implementation, a weight for each audit information category is obtained by correlation analysis and/or importance analysis across the categories, and the historical access trustworthiness of the SDP client is the weighted average of the category trustworthiness values with those weights. The correlation and importance analyses may use existing methods and are not described here.
The weight of each audit information category may be a preset constant, or it may be adjusted according to the log audit information obtained each time, for example because different frequencies or severities of risk behaviour change the result of the correlation and/or importance analysis.
In another possible implementation, the historical access trustworthiness of the SDP client is obtained from the category trustworthiness values of all audit information categories.
In this embodiment the historical access trustworthiness is computed in the same way as in the previous embodiment, and is not described again.
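As an added example, not code from the patent, the following Python carries steps S3032 to S3034 through on constructed inputs and also performs the averaging over past accesses described under Case 2 above. The per-item trustworthiness values are taken as given (the page obtains them from a trained model, which is not reproduced), and the category weights and the threshold that decides whether a category "has risk" are assumptions; both the mean and the minimum category rule, and both the risky-categories-only and all-categories variants, are implemented.

```python
"""Compute the historical access trustworthiness ZTD from audit item values.

Added illustration, not code from the patent. Item values, category
weights and RISK_THRESHOLD are assumed inputs.
"""
from statistics import fmean

# Constructed per-item trustworthiness values in [0,1] (1.0 = nothing suspicious),
# grouped by audit information category; A1..A4 are the Table 1 symbols.
ITEM_VALUES = {
    "user_behaviour": {"A1": 0.4, "A2": 0.9, "A3": 0.6, "A4": 1.0},
    "network_behaviour": {"traffic_anomaly": 1.0, "protocol_anomaly": 1.0},
    "system_environment": {"antivirus_off": 0.3, "high_risk_port": 0.7,
                           "vuln_outbreak": 1.0, "registry_modified": 1.0},
}

# Assumed category weights (the page derives them by correlation/importance analysis).
CATEGORY_WEIGHTS = {"user_behaviour": 0.5, "network_behaviour": 0.2,
                    "system_environment": 0.3}

RISK_THRESHOLD = 0.8  # assumed: a category "has risk" if its value is below this


def category_value(items, method="mean"):
    """S3033: category value as the mean a = (A1 + ... + An) / n, or as the
    minimum so that the highest-risk item decides."""
    values = list(items.values())
    if not values:
        raise ValueError("category has no audit items")
    if method == "mean":
        return fmean(values)
    if method == "min":
        return min(values)
    raise ValueError(f"unknown method {method!r}")


def compute_ztd(item_values, weights, method="mean", risky_only=False):
    """S3034: weighted average of category values, clamped to [0,1].

    risky_only=True keeps only categories below RISK_THRESHOLD (the page's
    first variant); if none is risky the client is scored fully trusted.
    """
    cat_values = {c: category_value(items, method) for c, items in item_values.items()}
    if risky_only:
        cat_values = {c: v for c, v in cat_values.items() if v < RISK_THRESHOLD}
        if not cat_values:
            return 1.0
    total_w = sum(weights[c] for c in cat_values)
    ztd = sum(weights[c] * v for c, v in cat_values.items()) / total_w
    return round(min(1.0, max(0.0, ztd)), 4)


def historical_ztd(per_access_scores):
    """Case 2: the page's example aggregation, the mean of per-access ZTD values."""
    if not per_access_scores:
        raise ValueError("no past accesses: use the preset value (Case 1) instead")
    return round(fmean(per_access_scores), 4)
```

On the constructed values the mean rule yields ZTD = 0.7875 while the minimum rule yields 0.49, which shows how much the choice of category rule moves the score when one item in a category is severe.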
Embodiment 2: obtaining the historical access trustworthiness of the SDP client from fifth log audit information collected by a third-party analysis system connected to the SDP controller.
The fifth log audit information is log audit information that can only be obtained through a third-party analysis system. It may include terminal operating environment analysis information, comprehensive audit analysis information and newly added sudden security risk information.
The terminal operating environment analysis information may include, for example, the items authorized person absent and multiple persons observing, obtained from a video monitoring system that watches the camera view of the terminal device. For example, the third-party video monitoring system has a communication connection with the terminal device on which the SDP client runs and can monitor the view from the terminal's camera. While the user is connected to the intranet, if the camera view shows that the authorized user has left the terminal device, there is considered to be a risk of resource leakage due to the authorized person's absence. If the camera view shows several people gathered around the authorized user, an unauthorized person nearby may be able to obtain intranet resources from the terminal device, for example by reading them off its display, so this situation is considered to carry a risk of intranet resource leakage through observation by multiple persons.
The terminal operating environment analysis information produced by the video monitoring system may be sent to the SDP controller by the video monitoring system itself or by the terminal device on which the video monitoring system is installed, so that the SDP controller can process it with the method above and compute the historical access trustworthiness of the SDP client.
The comprehensive audit analysis information may include, for example, the items log correlation analysis and security system anomaly, obtained from an audit analysis system. The audit analysis system is connected to the terminal device on which the SDP client runs, collects the terminal's system logs, audits them for problems and sends the audit result to the SDP controller for use in judging the trustworthiness of the SDP client. The log correlation analysis item may be, for example, an analysis of anomalies correlated across the system logs of several terminal devices, such as evidence of illegitimate logins. The security system anomaly item refers to anomaly information about the SDP client's security system, derived from the security log obtained from the SDP client.
The comprehensive audit analysis information produced by the audit analysis system may be sent to the SDP controller by the audit analysis system itself or by the SDP client connected to the audit analysis system, so that the SDP controller can process it with the method above and compute the historical access trustworthiness of the SDP client.
The newly added sudden security risk information may include, for example, the items sudden industry risk and emergency blocking protection, obtained through a threat intelligence system. The threat intelligence system obtains sudden risk information for the industry in real time and monitors whether the terminal device on which the SDP client runs shows characteristics matching that risk. Emergency blocking protection means, for example, that the enterprise has discovered a vulnerability that must be blocked urgently and the threat intelligence system has detected that the terminal device on which the SDP client runs matches the characteristics of that vulnerability.
The newly added sudden security risk information produced by the threat intelligence system may be sent to the SDP controller by the threat intelligence system itself or by the SDP gateway connected to the threat intelligence system, so that the SDP controller can process it with the method above and compute the historical access trustworthiness of the SDP client.
In Embodiment 2, the specific method for computing the historical access trustworthiness of the SDP client from the fifth log audit information is the same as in Embodiment 1 and is not repeated here.
The historical access trustworthiness of the SDP client may be obtained from all three of the first, second and fifth log audit information together, or from at least one of these three types; the application does not restrict this.
According to this method for obtaining the historical access trustworthiness of the SDP client, the various risks that may arise while a user remotely accesses the intranet are collected through several acquisition means and quantified, the correlation and importance among the risk items are weighed, and the historical access trustworthiness is obtained comprehensively, which improves the security of the access control method.
Next, step S304, "performing intranet resource access control on the SDP client according to the historical access trustworthiness of the SDP client", is described in detail.
Fig. 4 is a flow chart of another access control method according to an embodiment of the application. As shown in Fig. 4, the method includes:
S401: Determine the intranet resource access rights of the SDP client according to its historical access trustworthiness.
The historical access trustworthiness of the SDP client is obtained in step S303. The intranet access rights of the SDP client may specify, for example, through which SDP gateways the client may enter the intranet, which resources behind each SDP gateway the client may reach after entering through that gateway, and in what manner the client may use those resources, for example operations of different permission levels such as viewing, modifying and deleting.
In one possible implementation, the trust level of the SDP client is determined from its historical access trustworthiness, and the client's intranet access rights are then determined from its trust level and a mapping between trust levels and intranet access rights.
For example, the value range [0,1] of the historical access trustworthiness ZTD of the SDP client may be divided into four trust levels, as shown in Table 3 below:
TABLE 3
Trust level name          ZTD value range
Trusted (Trust)           [0.85, 1]
Medium trust (Midtrust)   [0.7, 0.85]
Low trust (Lowtrust)      [0.6, 0.7]
Untrusted (Untrust)       [0, 0.6]
For these four trust levels (note that the ranges as listed share their boundary values 0.85, 0.7 and 0.6, so an implementation must assign each boundary to exactly one level):
When the trust level of the SDP client is Trust, the user may access, through the SDP client, the intranet applications authorized to the user account.
When the trust level of the SDP client is Midtrust, the access rights of the SDP client are restricted: for example, the user may only access the web front end of an authorized application and not the application's database. This restriction is enforced by the SDP gateway, to which the SDP controller sends the client's access rights. For example, for an SDP client at the Trust level the SDP gateway allows access to the applications within the client's rights, including their databases; for an SDP client at the Midtrust level it allows access only to the web front end of those applications and denies access to their databases. Concretely, when a Midtrust SDP client sends an access request to an application's database, the SDP gateway rejects the request; when it sends an access request to the application's web front end, the gateway accepts the request and logs the client in to the web front end.
When the trust level of the SDP client is Lowtrust, the user account is locked and can no longer be used to access intranet resources; the user must apply for self-service unlocking or contact a network administrator to unlock it. Alternatively, the SDP client is directed into the server's demilitarized zone (DMZ), where the user of the SDP client is guided through further strong zero-trust authentication; if the historical access trustworthiness of the SDP client cannot be repaired, or the client still fails authentication after repair, its access request is rejected.
When the trust level of the SDP client is Untrust, the SDP controller places the user account and the SDP client on a blacklist, and subsequent single-packet authorization (SPA) access requests from the SDP client are no longer accepted by the controller; the user must contact a network administrator to be removed from the blacklist.
It should be understood that the division into four trust levels above is only an example; in practice the trust levels may be divided according to actual requirements, and the application does not limit this.
In another possible implementation, the intranet access rights of the SDP client are determined directly from its historical access trustworthiness.
In this embodiment, the intranet access rights of the SDP client may be obtained directly from the value of its historical access trustworthiness. For example, after the SDP controller obtains the value, it may determine the intranet access rights from a mapping between that value and access rights; alternatively, the value may be fed into an access rights processing model, which computes the corresponding intranet access rights.
S402: Send an access response to the SDP client. The access response indicates the SDP gateway to which the SDP client connects when permitted to access intranet resources, and the client's intranet resource access rights.
Correspondingly, the SDP client receives the access response from the SDP controller and determines from it the SDP gateway to connect to for intranet resource access and its intranet resource access rights.
If step S401 determines that the SDP client has intranet access rights, a mutual Transport Layer Security (TLS) connection, in which both sides present certificates, is established between the SDP controller and the SDP client, and the SDP controller sends the access response to the SDP client over that mutual TLS connection.
The access response may include, for example, a list of the SDP gateways the SDP client is permitted to connect to for intranet resource access, and the scope of the client's access rights for each connectable SDP gateway.
At the same time, the SDP controller sends indication information to each SDP gateway in the list, telling the gateway that it should allow the SDP client to connect and what intranet resource access rights the client has. The connection between the SDP controller and an SDP gateway may be established in advance when the SDP architecture is deployed or when it is maintained, for example when a new SDP gateway is added.
After the SDP controller has completed these operations, the SDP client sends a connection request to the SDP gateway, the SDP gateway responds to it, and a mutual TLS connection is established between the SDP client and the SDP gateway, over which the intranet resources are accessed remotely.
According to the access control method of this embodiment, different access rights are derived from different values of the SDP client's historical access trustworthiness; access requests from untrustworthy SDP clients are rejected, and SDP clients of differing trustworthiness are granted different access rights, which reduces the risk of attacks on the intranet.
Optionally, after the SDP client establishes a connection with the SDP gateway, the method may further include:
s403, third log audit information of the SDP gateway connected with the SDP client side at present and fourth log audit information of the SDP client side are received. And updating the historical access credibility of the SDP client according to the third log audit information and the fourth log audit information.
The third log audit information and the fourth log audit information are used for recording information of the SDP client accessing the intranet currently. The third log audit information is identical to the category and the project included in the first log audit information, and the difference is only that the third log audit information is based on the current access behavior, and the SDP client terminal is currently connected with the SDP gateway for feeding back the log audit information. The fourth log audit information is consistent with the category and the project included in the second log audit information, and the difference is only that the fourth log audit information is based on the current access behavior, and the log audit information fed back by the SDP client.
One possible implementation is to extract, from the third and fourth log audit information, the value of at least one historical access credibility vector in the access credibility function, and then to update the historical access credibility of the SDP client according to the access credibility function and the extracted vector value(s).
As described in step S3031 above, there is one historical access credibility vector for each audit information category. The access credibility function is built from a plurality of historical access credibility vectors, and the weight of each vector is used to calculate the access credibility of the SDP client.
The SDP controller updates the values of the historical access credibility vectors from the information in the third and/or fourth log audit information according to the credibility function, obtaining credibility vectors based on the current access behaviour, and thereby updates the historical access credibility of the SDP client. The calculation of the historical access credibility of the SDP client is the same as in step S303 above and is not repeated here.
After updating the historical access reliability of the SDP client terminal according to the third log audit information and the fourth log audit information, the method further comprises:
if, according to the updated historical access credibility of the SDP client, it is determined that the SDP client's intranet access authority has changed, and the SDP client is currently accessing the intranet, the SDP client's access to the intranet through the SDP gateway is controlled according to the updated historical access credibility.
For example, if the trust level corresponding to the SDP client's historical access credibility is Trust before the update and Midtrust after it, and the SDP client has not yet finished the current intranet access, the SDP controller issues to the SDP gateway a new access policy corresponding to the updated trust level of the SDP client. The SDP gateway then changes the access interaction with the SDP controller according to that access policy, for example by disconnecting the SDP client from the application it is accessing, or by prompting the SDP client that only Web applications are currently available.
According to the access control method provided by this embodiment of the application, the historical access credibility of the SDP client is updated in real time during its intranet access, based on the state of the SDP client, its operating environment, its access behaviour with the SDP gateway, and the like, and the access authority of the SDP client is changed in real time as its historical access credibility changes. Even within a single intranet access, the SDP client's access behaviour through the SDP gateway can therefore be controlled in real time according to changes in its access credibility, which improves the timeliness of security protection and reduces the danger of an attacker using an already-authorized SDP client to attack intranet resources during the access.
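The weighted access credibility function and the mid-session re-evaluation described in steps S303 and S403 above (and restated for the updating module 15 and control module 14 below), worked through as an added example. This is illustration code written for this page, not code from the patent or from its applicant; the audit category names, their weights, the trust thresholds, the Untrust band below Midtrust, the audit field names and the rights mapping are all assumptions, and the audit data in the demonstration run is constructed.

```python
# Added worked example: weighted "access credibility function" plus the
# S403 re-evaluation. Category names, weights, thresholds, audit field names
# and the rights mapping are assumptions, not values from the patent.
from dataclasses import dataclass
from typing import Dict, Optional, Set

# One historical access credibility vector per audit category, each in [0, 1].
CATEGORY_WEIGHTS: Dict[str, float] = {
    "client_state": 0.25,           # assumed: endpoint agent and disk state
    "operating_environment": 0.25,  # assumed: OS patch state
    "gateway_behaviour": 0.5,       # assumed: behaviour observed by the gateway
}

# Trust bands: Trust and Midtrust are named on the page; Untrust is assumed.
TRUST_THRESHOLDS = [(0.8, "Trust"), (0.5, "Midtrust"), (0.0, "Untrust")]
RIGHTS_BY_LEVEL: Dict[str, Set[str]] = {
    "Trust": {"web", "ssh", "database"},
    "Midtrust": {"web"},       # page example: only Web applications available
    "Untrust": set(),          # unreliable client: access refused
}
PRESET_CREDIBILITY = 0.6       # assumed preset for a client with no history


def credibility_score(vectors: Dict[str, float]) -> float:
    """Access credibility = weighted sum of the per-category vector values."""
    total = 0.0
    for category, weight in CATEGORY_WEIGHTS.items():
        value = vectors.get(category)
        if value is None:
            raise ValueError(f"missing audit category: {category}")
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"vector {category} out of range: {value}")
        total += weight * value
    return round(total, 4)


def trust_level(score: float) -> str:
    """Map a credibility score to a trust level by descending threshold."""
    for threshold, level in TRUST_THRESHOLDS:
        if score >= threshold:
            return level
    return "Untrust"


def extract_vectors(gateway_audit: dict, client_audit: dict) -> Dict[str, float]:
    """Extract one vector value per category from the gateway-side (third)
    and client-side (fourth) log audit information. Field names are
    constructed for this example."""
    state = 1.0 if client_audit["agent_running"] and client_audit["disk_encrypted"] else 0.3
    environment = 1.0 if client_audit["os_patched"] else 0.4
    total = max(gateway_audit["total_requests"], 1)
    denied_ratio = min(1.0, gateway_audit["denied_requests"] / total)
    return {
        "client_state": state,
        "operating_environment": environment,
        "gateway_behaviour": 1.0 - denied_ratio,
    }


@dataclass
class ClientRecord:
    """Controller-side record for one SDP client."""
    client_id: str
    credibility: Optional[float] = None   # None: never accessed via the gateway
    session_active: bool = False


def historical_credibility(record: ClientRecord) -> float:
    """Preset value for a first-time client, otherwise the recorded value."""
    return PRESET_CREDIBILITY if record.credibility is None else record.credibility


def reevaluate(record: ClientRecord, gateway_audit: dict, client_audit: dict) -> dict:
    """Step S403: update the client's credibility from current-session audit
    information and decide whether a new access policy must be issued to the
    gateway (only when the level changed and the session is still open)."""
    old_level = trust_level(historical_credibility(record))
    record.credibility = credibility_score(extract_vectors(gateway_audit, client_audit))
    new_level = trust_level(record.credibility)
    return {
        "old_level": old_level,
        "new_level": new_level,
        "rights": RIGHTS_BY_LEVEL[new_level],
        "issue_new_policy": new_level != old_level and record.session_active,
    }


if __name__ == "__main__":
    # Constructed audit data: the client's OS is unpatched and the gateway has
    # denied 40 of 100 requests during the current session.
    rec = ClientRecord("client-A", credibility=0.9, session_active=True)
    result = reevaluate(
        rec,
        gateway_audit={"total_requests": 100, "denied_requests": 40},
        client_audit={"agent_running": True, "disk_encrypted": True, "os_patched": False},
    )
    print(result)
```

The demonstration run reproduces the page's own scenario: a client that was Trust drops to Midtrust while its session is still open, so the controller must issue a new policy and the gateway is left with only the Web right to enforce. A client that has never connected starts from the preset value rather than from an empty record.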
Fig. 5 is a schematic structural diagram of an access control apparatus according to an embodiment of the present application. As shown in Fig. 5, the access control apparatus is applied to an SDP controller and comprises a receiving module 11, a verification module 12, an obtaining module 13 and a control module 14. In one possible embodiment, the apparatus further comprises an updating module 15.
The receiving module 11 is configured to receive a first access request of an SDP client, where the access request is used to request access to an intranet resource;
the verification module 12 is configured to perform identity verification on the SDP client;
the obtaining module 13 is configured to obtain the historical access credibility of the SDP client if the identity verification of the SDP client passes, where the historical access credibility represents the security of the SDP client when accessing the intranet resource;
and the control module 14 is configured to perform intranet resource access control on the SDP client through the SDP gateway according to the historical access credibility of the SDP client.
In a possible implementation manner, if the SDP client terminal has not previously accessed the intranet resource through the SDP gateway, the obtaining module 13 is specifically configured to use the preset access reliability as the historical access reliability of the SDP client terminal. If the SDP client terminal accesses the intranet resource through the SDP gateway at least once before, the obtaining module 13 is specifically configured to read recorded historical access reliability of the SDP client terminal, where the historical access reliability is obtained based on first log audit information reported by the SDP gateway connected when the SDP client terminal accesses the intranet resource last time, and second log audit information reported by the SDP client terminal. And the first log audit information and the second log audit information are used for recording information of the SDP client accessing intranet resources last time.
In a possible implementation manner, the control module 14 is specifically configured to determine the intranet resource access right of the SDP client according to its historical access credibility, and to send an access response to the SDP client, where the access response indicates the SDP gateway to which the SDP client is allowed to connect when accessing the intranet resource, and the intranet resource access right of the SDP client.
In a possible implementation manner, the control module 14 is specifically configured to determine the trust level of the SDP client according to its historical access credibility, and to determine the intranet resource access right of the SDP client according to that trust level and a mapping relationship between trust levels and intranet access rights.
In one possible implementation manner, after the control module 14 performs intranet resource access control on the SDP client terminal through the SDP gateway, the update module 15 is configured to receive third log audit information from the SDP gateway to which the SDP client terminal is currently connected, and fourth log audit information of the SDP client terminal, and update the historical access reliability of the SDP client terminal according to the third log audit information and the fourth log audit information. The third log audit information and the fourth log audit information are used for recording information of the SDP client currently accessing intranet resources.
In one possible implementation manner, the updating module 15 is specifically configured to extract a value of at least one historical access reliability vector in the access reliability function according to the third log audit information and the fourth log audit information. And updating the historical access credibility of the SDP client according to the access credibility function and the extracted value of at least one historical access credibility vector.
In one possible implementation manner, after the updating module 15 updates the historical access reliability of the SDP client, the control module 14 is further configured to determine that the intranet resource access permission of the SDP client changes according to the updated historical access reliability of the SDP client, and if the SDP client is still accessing the intranet resource, perform intranet resource access control on the SDP client through the SDP gateway according to the updated historical access reliability of the SDP client.
The access control device provided by the embodiment of the application can execute the access control method in the embodiment of the method, and the implementation principle and the technical effect are similar and are not repeated here.
Fig. 6 is a schematic structural diagram of an access control device according to an embodiment of the present application. As shown in Fig. 6, the access control device is applied to an SDP client and comprises a sending module 21, a receiving module 22 and an access module 23.
The sending module 21 is configured to send a first access request to the SDP controller, where the access request is used to request access to an intranet resource.
The receiving module 22 is configured to receive control information sent by the SDP controller, where the control information is used to perform intranet resource access control on the SDP client through the SDP gateway.
The access module 23 is configured to initiate a connection request to the SDP gateway and, once the connection succeeds, to access the intranet resource through the connection established with the SDP gateway.
In a possible implementation manner, when the SDP client accesses the intranet resource last time, the sending module 21 is further configured to report second log audit information to the SDP controller, where the second log audit information is used to record information that the SDP client accessed the intranet resource last time.
In a possible implementation manner, when the SDP client terminal accesses the intranet resource currently, the sending module 21 is further configured to report fourth log audit information to the SDP controller, where the fourth log audit information is used to record information that the SDP client terminal accesses the intranet resource currently.
The access control device provided by the embodiment of the application can execute the access control method in the embodiment of the method, and the implementation principle and the technical effect are similar and are not repeated here.
Fig. 7 is a schematic structural diagram of an access control device according to an embodiment of the present application. As shown in Fig. 7, the access control device is applied to an SDP gateway and comprises a receiving module 31 and a connection module 32. In one possible embodiment, the device further comprises a sending module 33.
The receiving module 31 is configured to receive indication information sent by the SDP controller, where the indication information instructs the SDP gateway to allow access by the SDP client.
The connection module 32 is configured to accept the connection request of the SDP client and establish a connection with it.
In a possible implementation manner, when the SDP client accesses the intranet resource last time, the sending module 33 is further configured to report first log audit information to the SDP controller, where the first log audit information is used to record information that the SDP client accessed the intranet resource last time.
In a possible implementation manner, when the SDP client terminal accesses the intranet resource currently, the sending module 33 is further configured to report third log audit information to the SDP controller, where the third log audit information is used to record information that the SDP client terminal accesses the intranet resource currently.
The access control device provided by the embodiment of the application can execute the access control method in the embodiment of the method, and the implementation principle and the technical effect are similar and are not repeated here.
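The exchange between the three roles whose modules are described for Figs. 5 to 7, together with the connection step at the start of this section, modelled in one process as an added example. It shows the ordering that matters for security: the gateway accepts a connection only after the controller has indicated that this client is allowed, the controller verifies identity before it consults the client's credibility, and a policy issued mid-session changes the rights of an open session in place. This is illustration code written for this page, not the patent's or its applicant's implementation; the credentials, the preset credibility, the trust thresholds, the rights mapping and the client identities in the demonstration are constructed assumptions.

```python
# Added example: SDP controller, client and gateway roles (Figs. 5 to 7)
# modelled in-process. Credentials, thresholds and rights are assumptions.
import hmac
from typing import Dict, Optional, Set

PRESET_CREDIBILITY = 0.6                       # assumed preset for new clients
TRUST_THRESHOLDS = [(0.8, "Trust"), (0.5, "Midtrust"), (0.0, "Untrust")]
RIGHTS_BY_LEVEL: Dict[str, Set[str]] = {       # assumed level -> rights mapping
    "Trust": {"web", "ssh"}, "Midtrust": {"web"}, "Untrust": set(),
}


def trust_level(score: float) -> str:
    for threshold, level in TRUST_THRESHOLDS:
        if score >= threshold:
            return level
    return "Untrust"


class SdpGateway:
    """Fig. 7: receiving module (indication from the controller) and
    connection module (accept the client's connection)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.allowed: Dict[str, Set[str]] = {}   # client_id -> granted rights
        self.sessions: Dict[str, Set[str]] = {}  # currently connected clients

    def receive_indication(self, client_id: str, rights: Set[str]) -> None:
        self.allowed[client_id] = set(rights)

    def accept_connection(self, client_id: str, mtls_ok: bool) -> bool:
        # A client the controller has not indicated is refused, as is one
        # whose mutual-TLS handshake (modelled here as a flag) failed.
        if client_id not in self.allowed or not mtls_ok:
            return False
        self.sessions[client_id] = set(self.allowed[client_id])
        return True

    def request_application(self, client_id: str, app: str) -> bool:
        return app in self.sessions.get(client_id, set())

    def apply_policy(self, client_id: str, rights: Set[str]) -> None:
        """New access policy issued mid-session: rights change in place."""
        self.allowed[client_id] = set(rights)
        if client_id in self.sessions:
            self.sessions[client_id] = set(rights)


class SdpController:
    """Fig. 5: receive request, verify identity, obtain credibility, control."""

    def __init__(self, gateway: SdpGateway, credentials: Dict[str, str]) -> None:
        self.gateway = gateway
        self.credentials = credentials               # client_id -> shared secret
        self.records: Dict[str, float] = {}          # recorded historical credibility

    def handle_access_request(self, client_id: str, secret: str) -> Optional[dict]:
        expected = self.credentials.get(client_id)
        if expected is None or not hmac.compare_digest(expected, secret):
            return None                              # identity verification failed
        score = self.records.get(client_id, PRESET_CREDIBILITY)
        rights = RIGHTS_BY_LEVEL[trust_level(score)]
        if not rights:
            return None                              # unreliable client refused
        self.gateway.receive_indication(client_id, rights)   # gateway told first
        return {"gateway": self.gateway.name, "rights": sorted(rights)}

    def update_credibility(self, client_id: str, score: float) -> None:
        """Record a re-evaluated credibility and push a new policy to the gateway."""
        self.records[client_id] = score
        if client_id in self.gateway.allowed:
            self.gateway.apply_policy(client_id, RIGHTS_BY_LEVEL[trust_level(score)])


class SdpClient:
    """Fig. 6: sending, receiving and access modules."""

    def __init__(self, client_id: str, secret: str) -> None:
        self.client_id = client_id
        self.secret = secret

    def connect(self, controller: SdpController, gateway: SdpGateway) -> Optional[Set[str]]:
        response = controller.handle_access_request(self.client_id, self.secret)
        if response is None or response["gateway"] != gateway.name:
            return None
        if not gateway.accept_connection(self.client_id, mtls_ok=True):
            return None
        return set(response["rights"])


def demo() -> dict:
    """Constructed run: a first-time client, a client with recorded history,
    an unknown identity, and a connection attempt that bypassed the controller."""
    gw = SdpGateway("gw-1")
    ctrl = SdpController(gw, {"alice": "s3cret", "bob": "hunter2"})
    ctrl.records["bob"] = 0.9                        # constructed prior history
    return {
        "alice": SdpClient("alice", "s3cret").connect(ctrl, gw),   # preset -> Midtrust
        "bob": SdpClient("bob", "hunter2").connect(ctrl, gw),      # Trust
        "unknown": SdpClient("unknown", "x").connect(ctrl, gw),    # fails verification
        "direct": gw.accept_connection("carol", mtls_ok=True),      # never indicated
    }
```

The gateway keeps no credibility logic of its own: it only knows which clients the controller has indicated and which rights were issued, so a connection attempt that skips the controller is dropped, and a lowered score pushed by the controller takes effect on the open session without waiting for the next access request.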
Fig. 8 is a schematic structural diagram of an access control device according to an embodiment of the present application. Wherein the access control device is adapted to perform the aforementioned access control method. The access control device may be, for example, a SDP controller as described above, or an SDP client, or an SDP gateway. As shown in fig. 8, the access control device 800 may include: at least one processor 801, a memory 802, and a communication interface 803.
The memory 802 is used to store a program; in particular, the program may include program code containing computer operating instructions.
The memory 802 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The processor 801 is configured to execute computer-executable instructions stored in the memory 802 to implement the methods described in the foregoing method embodiments. The processor 801 may be a CPU or an application specific integrated circuit (Application Specific Integrated Circuit, abbreviated as ASIC) or one or more integrated circuits configured to implement embodiments of the present application.
The processor 801 may interact with external devices by way of a communication interface 803. When the access control device is an SDP controller, the external device referred to herein may be, for example, an SDP client, or an SDP gateway. When the access control device is an SDP client, the external device referred to herein may be, for example, an SDP client, or an SDP gateway. When the access control device is an SDP gateway, the external device may be, for example, an SDP client, or an SDP controller, or a device corresponding to an intranet resource.
In a specific implementation, if the communication interface 803, the memory 802 and the processor 801 are implemented independently, they may be connected to and communicate with each other through a bus. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. A bus may be divided into an address bus, a data bus, a control bus, etc.; this does not mean that there is only one bus or one type of bus.
Alternatively, in a specific implementation, if the communication interface 803, the memory 802, and the processor 801 are implemented on a single chip, the communication interface 803, the memory 802, and the processor 801 may complete communication through internal interfaces.
The present application also provides an access control system as in fig. 2, comprising: SDP client, SDP controller, SDP gateway. The SDP client is configured to execute the actions of the SDP client described in the foregoing method embodiment, the SDP controller is configured to execute the actions of the SDP controller described in the foregoing method embodiment, and the SDP gateway is configured to execute the actions of the SDP gateway described in the foregoing method embodiment, so that a user can implement a function of remotely accessing an intranet through a terminal device, and its implementation principle and technical effects are similar to those of the foregoing method embodiment and are not repeated herein.
The present application also provides a computer-readable storage medium, which may be a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or another medium in which program code can be stored; in particular, the computer-readable storage medium stores program instructions for the methods in the above embodiments.
The present application also provides a program product comprising execution instructions stored in a readable storage medium. The at least one processor of the access control device may read the execution instructions from the readable storage medium, the execution instructions being executed by the at least one processor to cause the access control device to implement the access control methods provided by the various embodiments described above.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the application.

Claims (9)

1. An access control method, wherein the method is applied to an SDP controller, the method comprising:
receiving a first access request of an SDP client, wherein the access request is used for requesting to access intranet resources;
carrying out identity verification on the SDP client;
if the identity verification of the SDP client passes, acquiring the historical access credibility of the SDP client; the historical access credibility is used for representing the security of the SDP client when accessing the intranet resources;
performing intranet resource access control on the SDP client through an SDP gateway according to the historical access credibility of the SDP client;
the obtaining the historical access credibility of the SDP client terminal includes:
if the SDP client side does not access the intranet resource through the SDP gateway before, taking the preset access credibility as the historical access credibility of the SDP client side;
if the SDP client accesses the intranet resource at least once before through an SDP gateway, reading recorded historical access credibility of the SDP client, wherein the historical access credibility is obtained based on first log audit information reported by the SDP gateway connected when the SDP client accesses the intranet resource last time and second log audit information reported by the SDP client; and the first log audit information and the second log audit information are used for recording information of the SDP client accessing intranet resources last time.
2. The method of claim 1, wherein the performing intranet resource access control on the SDP client terminal through the SDP gateway according to the historical access reliability of the SDP client terminal comprises:
determining the intranet resource access authority of the SDP client according to the historical access credibility of the SDP client;
and sending an access response to the SDP client, wherein the access response is used for indicating an SDP gateway connected when the SDP client is allowed to access the intranet resources, and the intranet resources access authority of the SDP client.
3. The method of claim 2, wherein the determining the intranet resource access rights of the SDP client based on the historical access trustworthiness of the SDP client comprises:
determining the credibility level of the SDP client according to the historical access credibility of the SDP client;
and determining the intranet resource access authority of the SDP client according to the trusted level of the SDP client and the mapping relation between the trusted level and the intranet access authority.
4. The method of claim 2, wherein after the intranet resource access control is performed on the SDP client terminal through an SDP gateway, the method further comprises:
receiving third log audit information from an SDP gateway currently connected with the SDP client and fourth log audit information of the SDP client; the third log audit information and the fourth log audit information are used for recording the information of the SDP client currently accessing intranet resources;
and updating the historical access credibility of the SDP client according to the third log audit information and the fourth log audit information.
5. The method of claim 4, wherein updating the historical access trustworthiness of the SDP client based on the third and fourth log audit information comprises:
extracting the value of at least one historical access reliability vector in the access reliability function according to the third log audit information and the fourth log audit information;
and updating the historical access credibility of the SDP client according to the access credibility function and the extracted value of at least one historical access credibility vector.
6. The method of claim 4, wherein after the updating the historical access trustworthiness of the SDP client, the method further comprises:
if it is determined that the intranet resource access authority of the SDP client changes according to the updated historical access credibility of the SDP client, and the SDP client accesses the intranet resource at present, the SDP client is subjected to intranet resource access control through an SDP gateway according to the updated historical access credibility of the SDP client.
7. An access control apparatus, the apparatus being applied to an SDP controller, comprising:
the receiving module is used for receiving a first access request of the SDP client, wherein the access request is used for requesting to access intranet resources;
the verification module is used for carrying out identity verification on the SDP client;
the acquisition module is used for acquiring the historical access credibility of the SDP client if the identity verification of the SDP client passes; the historical access credibility is used for representing the security of the SDP client when accessing the intranet resources;
the control module is used for carrying out intranet resource access control on the SDP client through an SDP gateway according to the historical access credibility of the SDP client;
if the SDP client terminal has not accessed the intranet resource through the SDP gateway before, the obtaining module is specifically configured to use the preset access reliability as the historical access reliability of the SDP client terminal;
if the SDP client terminal accesses the intranet resource at least once through an SDP gateway before, the acquiring module is specifically configured to read recorded historical access reliability of the SDP client terminal, where the historical access reliability is obtained based on first log audit information reported by the SDP gateway connected when the SDP client terminal accesses the intranet resource last time, and second log audit information reported by the SDP client terminal; and the first log audit information and the second log audit information are used for recording information of the SDP client accessing intranet resources last time.
8. An SDP controller comprising: a processor, a communication interface, and a memory; the processor is respectively in communication connection with the communication interface and the memory;
the memory stores computer-executable instructions;
the communication interface performs communication interaction with external equipment;
the processor executes computer-executable instructions stored in the memory to implement the method of any one of claims 1 to 6.
9. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to implement the access control method of any of claims 1 to 6.

Priority Applications (1)

Application Number: CN202210628757.XA
Priority Date: 2022-06-06
Filing Date: 2022-06-06
Title: Access control method, device, equipment and storage medium

Publications (2)

Publication Number: CN114915427A (en), Publication Date: 2022-08-16
Publication Number: CN114915427B (en), Publication Date: 2023-10-13

Family

ID=82770860

Country Status (1)

Country: CN (1), Link: CN114915427B (en)

Legal Events

Code: PB01, Title: Publication
Code: SE01, Title: Entry into force of request for substantive examination
Code: GR01, Title: Patent grant