CN114944955A - Access control method and access control server - Google Patents

Info

Publication number: CN114944955A
Application number: CN202210575829.9A
Authority: CN (China)
Prior art keywords: dns request, detection result, wind control, parameter, rule
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 汪勇
Current assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Original assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Priority date
Filing date
Publication date
Events: application filed by Qianxin Technology Group Co Ltd and Secworld Information Technology Beijing Co Ltd; priority to CN202210575829.9A; publication of CN114944955A; legal status pending

Classifications

All classifications sit under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security:
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic (under H04L63/14 Detecting or protecting against malicious traffic)
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/02 Separating internal from external traffic, e.g. firewalls > H04L63/0227 Filtering policies)
    • H04L63/10 Controlling access to devices or network resources
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/14 > H04L63/1408)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/14 > H04L63/1408)
    • H04L63/20 Managing network security; network security policies in general

Abstract

The application discloses an access control method and an access control server, and relates to the technical field of access control. The method comprises: detecting a DNS request according to a wind control rule (a risk-control rule) to obtain a detection result, wherein the wind control rule is constructed from threat intelligence and a security rule, the threat intelligence comprises at least one item of website information, and the detection result is either that the DNS request meets the wind control rule or that it does not; when the detection result is that the DNS request does not meet the wind control rule, acquiring the behavior type of the DNS request; and determining a target operation corresponding to the behavior type from a preset response strategy and executing the target operation, wherein the preset response strategy comprises an operation corresponding to each behavior type.

Description

Access control method and access control server
Technical Field
The present application relates to the field of access control technologies, and in particular, to an access control method and an access control server.
Background
As technology advances, network technology advances with it, and so does the risk carried by networks. In particular, in a DNS service, when a user initiates a DNS request, the target website or address of the request may carry a security risk, such as a trojan horse or a phishing website, so the DNS service provider is required to perform risk identification on the DNS request in order to reduce the network security risk that the user's DNS request brings to the user's device or to the local area network in which the device is located.
Currently, risk identification on DNS requests is generally performed in one of two ways: traffic data from the user side is mirrored and backed up at a core switch and each traffic data packet is analyzed, or a set of domain names that DNS requests may not resolve is configured on an authoritative server so that the risk caused by accessing those domain names is avoided. In practical applications both approaches have significant disadvantages: the former identifies risk only in bypass (out-of-band) mode, that is, it can only judge whether a DNS request that has already been performed was risky and cannot intervene in the access while it is taking place; the latter can usually only block the access target of a DNS request in a 'one-time' (blanket) manner. The current access control methods in DNS services therefore suffer from lag and rigidity.
Disclosure of Invention
The embodiment of the application provides an access control method and an access control server, mainly aimed at solving the lag and rigidity of the access control modes currently used in DNS services.
In order to solve the above technical problem, an embodiment of the present application provides the following technical solutions:
In a first aspect, the present application provides an access control method, applied to an access control server, where the access control server is disposed between a user terminal and an authoritative server and the user terminal communicates with the authoritative server through the access control server, and the method includes:
detecting the DNS request according to a wind control rule to obtain a detection result, wherein the wind control rule is constructed from threat intelligence and a security rule, the threat intelligence comprises at least one item of website information, and the detection result is either that the DNS request meets the wind control rule or that it does not meet the wind control rule;
when the detection result is that the DNS request does not meet the wind control rule, acquiring the behavior type of the DNS request;
and determining a target operation corresponding to the behavior type from a preset response strategy and executing the target operation, wherein the preset response strategy comprises an operation corresponding to each behavior type.
Optionally, detecting the DNS request according to the wind control rule to obtain a detection result includes:
judging, according to the threat intelligence, whether the target website corresponding to the DNS request matches website information contained in the threat intelligence;
if so, determining that the detection result is that the wind control rule is not met;
if not, determining whether the DNS request matches the parameter information contained in the security rule;
if the DNS request matches the parameter information, determining that the detection result is that the wind control rule is not met;
and if the DNS request does not match the parameter information, determining that the detection result is that the wind control rule is met.
Optionally, the behavior types include a dangerous website access behavior, a verification and calculation behavior, and a request limiting behavior;
determining a target operation corresponding to the behavior type from a preset response strategy and executing the target operation comprises:
when the behavior type of the DNS request is the dangerous website access behavior or the verification and calculation behavior, prohibiting the DNS request; and/or
when the behavior type of the DNS request is the request limiting behavior, ignoring the DNS request and answering it according to preset webpage information.
Optionally, the website information is a pre-marked dangerous domain name parameter;
judging, according to the threat intelligence, whether the target website corresponding to the DNS request matches website information contained in the threat intelligence comprises:
determining the target website domain name of the target website from the DNS request;
matching the target website domain name against the dangerous domain name parameter;
if the target website corresponding to the DNS request is judged, according to the threat intelligence, to match website information contained in the threat intelligence, determining that the detection result is that the wind control rule is not met comprises:
if the target website domain name is determined to match the dangerous domain name parameter, determining that the detection result is that the wind control rule is not met;
if the target website corresponding to the DNS request is judged, according to the threat intelligence, not to match website information contained in the threat intelligence, determining whether the DNS request matches the parameter information contained in the security rule comprises:
and if the target website domain name is determined not to match the dangerous domain name parameter, determining whether the DNS request matches the parameter information contained in the security rule.
Optionally, the parameter information includes first parameter information; the security rule comprises a filtering rule, and the filtering rule is used to screen the DNS request based on the first parameter information;
determining whether the DNS request matches the parameter information contained in the security rule comprises:
acquiring a first request parameter from the DNS request, and judging whether the first request parameter matches the first parameter information;
if the DNS request matches the parameter information, determining that the detection result is that the wind control rule is not met comprises:
if the first request parameter matches the first parameter information, determining that the detection result is that the wind control rule is not met;
if the DNS request does not match the parameter information, determining that the detection result is that the wind control rule is met comprises:
and if the first request parameter is determined not to match the first parameter information, determining that the detection result is that the wind control rule is met.
Optionally, the parameter information includes second parameter information; the security rule comprises a release rule, and the release rule is used to screen the DNS request based on the second parameter information. Unlike the filtering rule, a match against the release rule means the request is allowed;
determining whether the DNS request matches the parameter information contained in the security rule comprises:
acquiring a second request parameter from the DNS request, and judging whether the second request parameter matches the second parameter information;
in this case, determining the detection result from whether the DNS request matches the parameter information comprises:
if the second request parameter is determined to match the second parameter information, determining that the detection result is that the wind control rule is met;
and if the second request parameter is determined not to match the second parameter information, determining that the detection result is that the wind control rule is not met.
Optionally, after the DNS request is detected according to the wind control rule and a detection result is obtained, the method further includes:
and recording the detection result, and sending prompt information to a target server based on the detection result, wherein the prompt information comprises the detection result and alarm information, and the alarm information is used for prompting that the DNS request has risks.
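To make the claimed detection flow concrete, the following is an added example in Python; it is not code from the patent or from the assignees. It models the threat intelligence as a set of pre-marked dangerous domain names matched against the query name and its parent domains, models the security rule on the three parameter kinds the description names (domain name group, asset IP, forwarding address), applies the filtering rule and then the release rule in the order of the optional claims, and produces the detection record with the alarm flag described above. Checking both rules in one pass, the data model, and every sample name and address are assumptions of this example.

```python
"""Step 101 (detection against the wind control rule) of the DNS access-control
server, as an added illustration; data model and sample data are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

COMPLIANT, NON_COMPLIANT = "meets_wind_control_rule", "does_not_meet_wind_control_rule"


@dataclass(frozen=True)
class DnsRequest:
    qname: str          # domain name in the question section
    client_ip: str      # asset IP of the requesting user terminal
    forward_addr: str   # forwarding (upstream) address the request would use


def domain_in(qname: str, group) -> bool:
    """True if qname or any parent domain of it is listed in group."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in group for i in range(len(labels)))


@dataclass(frozen=True)
class ParamSet:
    """Parameter information a security rule is keyed on (assumed encoding of
    the patent's domain name group / asset IP / forwarding address)."""
    domain_group: frozenset = frozenset()
    asset_ips: frozenset = frozenset()
    forward_addrs: frozenset = frozenset()

    def matches(self, req: DnsRequest) -> bool:
        return (domain_in(req.qname, self.domain_group)
                or req.client_ip in self.asset_ips
                or req.forward_addr in self.forward_addrs)


@dataclass(frozen=True)
class WindControlRule:
    threat_intel: frozenset                   # pre-marked dangerous domain names
    filter_rule: Optional[ParamSet] = None    # first parameter info: match => block
    release_rule: Optional[ParamSet] = None   # second parameter info: match => allow


def detect(req: DnsRequest, rule: WindControlRule) -> Tuple[str, str]:
    """Return (detection result, which part of the rule decided it)."""
    # 1. threat intelligence: target website listed as dangerous
    if domain_in(req.qname, rule.threat_intel):
        return NON_COMPLIANT, "threat_intelligence"
    # 2. filtering rule: a request carrying a listed parameter fails the rule
    if rule.filter_rule is not None and rule.filter_rule.matches(req):
        return NON_COMPLIANT, "filter_rule"
    # 3. release rule: only requests carrying a listed parameter pass the rule
    if rule.release_rule is not None:
        if rule.release_rule.matches(req):
            return COMPLIANT, "release_rule"
        return NON_COMPLIANT, "release_rule"
    return COMPLIANT, "no_rule_matched"


def record(req: DnsRequest, result: str, reason: str) -> dict:
    """Detection record plus alarm information for the monitoring (target) server;
    the alarm is raised only when the request fails the wind control rule."""
    return {"qname": req.qname, "client_ip": req.client_ip, "result": result,
            "reason": reason, "alarm": result == NON_COMPLIANT}


# Constructed sample rule: one dangerous domain, one blocked ad domain and one
# blocked asset, and a release rule that only lets two assets resolve names.
SAMPLE_RULE = WindControlRule(
    threat_intel=frozenset({"evil.example"}),
    filter_rule=ParamSet(domain_group=frozenset({"ads.example"}),
                         asset_ips=frozenset({"10.0.0.9"})),
    release_rule=ParamSet(asset_ips=frozenset({"10.0.0.5", "10.0.0.9"})),
)

if __name__ == "__main__":
    for req in (DnsRequest("www.evil.example", "10.0.0.5", "203.0.113.53"),
                DnsRequest("good.example", "10.0.0.6", "203.0.113.53")):
        print(record(req, *detect(req, SAMPLE_RULE)))
```

The parent-domain match in `domain_in` matters in practice: threat feeds usually list the registrable domain, while clients query hostnames beneath it.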
In a second aspect, the present application further provides an access control server, including:
the access control server is arranged between a user side and an authoritative server, the user side is in interactive communication with the authoritative server through the access control server, and the server comprises:
a detection unit, an obtaining unit and a control unit, wherein the detection unit is used to detect a DNS request according to a wind control rule to obtain a detection result, the wind control rule is constructed from threat intelligence and a security rule, the threat intelligence comprises at least one item of website information, and the detection result is either that the wind control rule is met or that it is not met;
the obtaining unit is used for obtaining the behavior type of the DNS request when the detection result is that the DNS request does not accord with the wind control rule;
and the control unit is used for determining a target operation corresponding to the behavior type from a preset response strategy and executing the target operation, wherein the preset response strategy comprises an operation corresponding to each behavior type.
Optionally, the detecting unit includes:
the judging module is used for judging whether a target website corresponding to the DNS request is matched with website information contained in the threat intelligence or not according to the threat intelligence;
the first determining module is used to determine that the detection result is that the wind control rule is not met if the target website corresponding to the DNS request is judged, according to the threat intelligence, to match website information contained in the threat intelligence;
a second determining module, configured to determine whether the DNS request matches parameter information included in the security rule if it is determined, according to the threat intelligence, that the target website corresponding to the DNS request does not match website information included in the threat intelligence;
a third determining module, configured to determine that the detection result is that the DNS request does not comply with the wind control rule if it is determined that the DNS request matches parameter information included in the security rule;
and the fourth determining module is used for determining that the detection result is in accordance with the wind control rule if the DNS request is determined not to be matched with the parameter information contained in the safety rule.
Optionally, the behavior types include a dangerous website access behavior, a verification and calculation behavior, and a request limiting behavior;
the execution unit includes:
a first execution module, configured to prohibit the DNS request when the behavior type of the DNS request is the dangerous website access behavior or the verification and calculation behavior;
and a second execution module, configured to ignore the DNS request and answer it according to preset webpage information when the behavior type of the DNS request is the request limiting behavior.
Optionally, the website information is a pre-marked dangerous domain name parameter;
the judging module comprises:
the determining submodule is used for determining a target website domain name of the target website according to the DNS request;
the matching sub-module is used for matching the target website domain name with the dangerous domain name parameter;
the first determining module is further configured to determine that the detection result is that the target website domain name does not conform to the wind control rule if it is determined that the target website domain name matches the dangerous domain name parameter;
the second determining module is further configured to determine whether the DNS request matches the parameter information contained in the security rule if it is determined that the target website domain name does not match the dangerous domain name parameter.
Optionally, the parameter information includes first parameter information; the security rule comprises a filtering rule, and the filtering rule is used to screen the DNS request based on the first parameter information;
the second determining module is further specifically configured to obtain a first request parameter from the DNS request and determine whether the first request parameter matches the first parameter information;
the third determining module is further specifically configured to determine that the detection result is that the wind control rule is not met if it is determined that the first request parameter matches the first parameter information;
the fourth determining module is further specifically configured to determine that the detection result is that the wind control rule is met if it is determined that the first request parameter does not match the first parameter information.
Optionally, the parameter information includes second parameter information; the security rule comprises a release rule, and the release rule is used to screen the DNS request based on the second parameter information;
the second determining module is further configured to obtain a second request parameter from the DNS request and determine whether the second request parameter matches the second parameter information;
the third determining module is further specifically configured to determine that the detection result is that the wind control rule is met if it is determined that the second request parameter matches the second parameter information;
the fourth determining module is further specifically configured to determine that the detection result is that the wind control rule is not met if it is determined that the second request parameter does not match the second parameter information.
Optionally, the server further includes:
and the recording unit is used for recording the detection result and sending prompt information to a target server based on the detection result, wherein the prompt information comprises the detection result and alarm information, and the alarm information is used for prompting that the DNS request has risks when the detection result is that the DNS request does not accord with the wind control rule.
In a third aspect, an embodiment of the present application provides a storage medium, where the storage medium includes a stored program, and when the program runs, a device in which the storage medium is located is controlled to execute the access control method of the terminal device according to the first aspect.
In a fourth aspect, embodiments of the present application provide an access control apparatus, the apparatus comprising a storage medium; and one or more processors, the storage medium coupled with the processors, the processors configured to execute program instructions stored in the storage medium; the program instructions, when executed, perform the method for controlling access of a terminal device according to the first aspect.
By means of the technical scheme, the technical scheme provided by the application at least has the following advantages:
the application provides an access control method and an access control server, and the access control method and the access control server can detect a DNS request according to a wind control rule to obtain a detection result, then when the detection result is that the DNS request does not accord with the wind control rule, the behavior type of the DNS request is obtained, finally, target operation corresponding to the behavior type is determined from a preset response strategy, and the target operation is executed, so that an access control function is realized. Compared with the prior art, the wind control rule is constructed according to threat information and safety rules, the threat information comprises at least one website information, and the detection result comprises that the wind control rule is met and the wind control rule is not met, so that the DNS request can be detected and identified in the process of providing DNS service in the execution process of the method. Meanwhile, the preset response strategy in the method comprises the operation corresponding to each behavior type, so that in the detection process, when the DNS request is determined to be not in accordance with the wind control rule based on the detection result, the specific operation behavior can be selected according to the behavior type of the DNS request, the real-time management and control effect when the DNS request is in risk is realized, namely the effect of carrying out different management and control modes on different DNS requests is realized, the 'one-time' management and control mode on all DNS requests is avoided, and the flexible access control function is realized.
The foregoing description is only an overview of the technical solutions of the present application, and the present application can be implemented according to the content of the description in order to make the technical means of the present application more clearly understood, and the following detailed description of the present application is given in order to make the above and other objects, features, and advantages of the present application more clearly understandable.
Drawings
The above and other objects, features and advantages of exemplary embodiments of the present application will become readily apparent from the following detailed description read in conjunction with the accompanying drawings. Several embodiments of the present application are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings and in which like reference numerals refer to similar or corresponding parts and in which:
fig. 1 is a flowchart illustrating an access control method provided in an embodiment of the present application;
fig. 2 is a flowchart illustrating another access control method provided in an embodiment of the present application;
fig. 3 is a block diagram illustrating components of an access control server according to an embodiment of the present disclosure;
fig. 4 shows a block diagram of another access control server provided in the embodiment of the present application.
Detailed Description
Exemplary embodiments of the present application will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present application are shown in the drawings, it should be understood that the present application may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
It is to be noted that, unless otherwise specified, technical or scientific terms used herein shall have the ordinary meaning as understood by those skilled in the art to which this application belongs.
An embodiment of the present application provides an access control method, which is applied to an access control server, wherein the access control server is disposed between a user side and an authoritative server, and the user side communicates with the authoritative server through the access control server, specifically as shown in fig. 1, the method includes:
101. and detecting the DNS request according to the wind control rule to obtain a detection result.
The wind control rule is constructed according to threat information and a safety rule, the threat information comprises at least one website information, and the detection result comprises a condition meeting the wind control rule and a condition not meeting the wind control rule.
In the embodiment of the present application, the application scenario is the provision of a DNS service. The Domain Name System (DNS) is an internet service: a distributed database that maps domain names and IP addresses to each other, so that a user can conveniently access the internet by issuing DNS requests. With the help of the DNS service, a user terminal does not need to know the specific location or address of the content it wants to access, but can reach it directly through the DNS server.
Accordingly, a detected DNS request may carry security risks because of its content, including but not limited to phishing websites, trojan links, verification and calculation behaviors, and so on, or it may target a website to which the user's access is restricted, such as a malicious push website.
In this step, the wind control rule is built from two parts. The first is threat intelligence, which contains website information that is plainly malicious or dangerous, such as phishing websites, websites carrying malicious viruses, or aggressive artificial intelligence (AI) websites; the threat intelligence can be maintained and updated regularly by network security personnel. The second is a security rule, which can be set through various parameters including, but not limited to, a domain name group, an asset IP and a forwarding address. In this way, DNS requests can be analyzed and detected against the threat intelligence and the security rule to determine whether a received DNS request carries a security risk. It should be noted that, when the security rule is configured, DNS requests containing certain parameters may be set as not meeting the wind control rule, or only DNS requests containing certain parameters may be set as meeting the wind control rule; the specific configuration is chosen by the user and is not limited here.
102. And when the detection result is that the DNS request does not accord with the wind control rule, acquiring the behavior type of the DNS request.
In the embodiment of the application, control needs to be applied in a targeted manner according to the user's different access targets, so when the detection result of a DNS request is that it does not meet the wind control rule, the behavior type of the DNS request is acquired; the behavior type is the kind of access behavior that the DNS request represents. Generally, access behaviors with a security risk include, for example, access to dangerous websites, verification and calculation behaviors, and access to websites that the user is restricted from visiting. A dangerous website is one whose access causes loss to the devices and data of the user terminal or of the local area network in which it is located, such as a website carrying a worm virus. A verification and calculation behavior consumes a large amount of computing power on the user terminal or its network, which may cause severe wear to hardware devices. Websites the user is restricted from visiting may be websites that do not comply with local laws or regulations, such as non-compliant websites, or websites that certain devices are not permitted to reach, such as external websites that a research institute or scientific institution does not allow its user terminals to access.
In this embodiment, the specific behavior type of the obtained DNS request may be determined based on parameters in the DNS request, and since the DNS request includes a large number of parameters required for access behavior, such as various fields representing different meanings, the DNS request may be directly parsed after it is determined that the DNS request does not conform to the wind control rule, and each field obtained after the parsing is identified, thereby determining the behavior type of the DNS request.
103. And determining the target operation corresponding to the behavior type from the preset response strategy, and executing the target operation.
And the preset response strategy comprises the operation corresponding to each behavior type.
After the behavior type has been determined, it follows from the description of step 102 that different behavior types affect the user terminal or its network differently, so in this embodiment the corresponding operation is selected according to the behavior type in order to control the access behavior. In this step the target operation may be determined according to the actual situation; the method includes at least the two kinds of operation, allowing and prohibiting. For example, when it is determined that the DNS request does not meet the wind control rule, the corresponding target operation may be selected to control it, that is, the DNS request is prohibited, so that the risk brought by the DNS request is avoided.
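As an added example (not the patent's or the assignees' code), the following Python carries steps 102 and 103 through on a constructed DNS query. The behavior type is derived from a category tag on the matched domain, which is an assumed way of "identifying the parsed fields" since the patent does not fix one; the preset response strategy maps each behavior type to an operation; and the two operations are realised on the wire as a REFUSED answer (prohibit) and as an A record pointing at a preset block-page address (ignore the request and answer from preset webpage information). The domain names, the block-page address 192.0.2.10 and the policy mapping are constructed for this example.

```python
"""Steps 102-103: behavior type, preset response strategy and the DNS answer that
realises the chosen operation. Added illustration; sample data is constructed."""
import struct
from enum import Enum
from typing import Optional, Tuple


class Behavior(Enum):
    DANGEROUS_SITE = "dangerous website access"
    VERIFY_COMPUTE = "verification and calculation"
    REQUEST_LIMITING = "request limiting"


class Operation(Enum):
    PROHIBIT = "prohibit the request"
    PRESET_PAGE = "ignore the request and answer with the preset webpage"


# Preset response strategy: one operation per behavior type (assumed mapping,
# following the description of step 103 and the optional claims).
RESPONSE_POLICY = {
    Behavior.DANGEROUS_SITE: Operation.PROHIBIT,
    Behavior.VERIFY_COMPUTE: Operation.PROHIBIT,
    Behavior.REQUEST_LIMITING: Operation.PRESET_PAGE,
}

# Constructed category tags; in a deployment they would come from the
# threat-intelligence feed and the security rule that flagged the request.
DOMAIN_CATEGORY = {
    "worm.example": Behavior.DANGEROUS_SITE,
    "pool.example": Behavior.VERIFY_COMPUTE,
    "push.example": Behavior.REQUEST_LIMITING,
}
PRESET_PAGE_IP = "192.0.2.10"   # placeholder (TEST-NET-1) address of the block page
QTYPE_A = 1


def build_query(qname: str, qtype: int = QTYPE_A, qid: int = 0x1234) -> bytes:
    """Constructed client query: header with RD set and a single question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(lb)]) + lb.encode() for lb in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def parse_query(msg: bytes) -> Tuple[int, str, int, bytes]:
    """Return (id, qname, qtype, raw question section) of an uncompressed message."""
    qid = struct.unpack("!H", msg[:2])[0]
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    pos += 1                                     # skip the terminating zero label
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return qid, ".".join(labels), qtype, msg[12:pos + 4]


def classify(qname: str) -> Optional[Behavior]:
    """Step 102: behavior type from the parsed query name (and its parents)."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        hit = DOMAIN_CATEGORY.get(".".join(labels[i:]))
        if hit is not None:
            return hit
    return None


def build_response(query: bytes, op: Operation) -> bytes:
    """Step 103: realise the chosen operation as the answer sent to the client."""
    qid, _, qtype, question = parse_query(query)
    if op is Operation.PROHIBIT:
        # QR=1, RD=1, RA=1, RCODE=5 (REFUSED): the server declines to resolve
        return struct.pack("!HHHHHH", qid, 0x8185, 1, 0, 0, 0) + question
    if qtype != QTYPE_A:
        # only an A record exists for the block page; other types get NOERROR, no data
        return struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0) + question
    rdata = bytes(int(o) for o in PRESET_PAGE_IP.split("."))
    # owner name is a compression pointer to offset 12 (the question name); TTL 60 s
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 60, len(rdata)) + rdata
    return struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0) + question + answer


def handle(query: bytes) -> Tuple[Optional[Operation], Optional[bytes]]:
    """Classify the query, look up the operation, build the answer."""
    _, qname, _, _ = parse_query(query)
    behavior = classify(qname)
    if behavior is None:
        return None, None       # nothing to control: forward to the authoritative server
    op = RESPONSE_POLICY[behavior]
    return op, build_response(query, op)


def rcode(resp: bytes) -> int:
    return struct.unpack("!H", resp[2:4])[0] & 0x0F


def answer_count(resp: bytes) -> int:
    return struct.unpack("!H", resp[6:8])[0]


def answer_ip(resp: bytes) -> str:
    return ".".join(str(b) for b in resp[-4:])   # rdata of the single A answer


if __name__ == "__main__":
    for name in ("www.worm.example", "push.example", "good.example"):
        print(name, "->", handle(build_query(name))[0])
```

Answering with a short-TTL A record rather than NXDOMAIN is what lets the "preset webpage information" reach the user: the browser connects to the block page instead of showing a resolution error, while the REFUSED path gives the user terminal nothing to connect to at all.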
The embodiment of the application provides an access control method, the DNS request can be detected according to a wind control rule to obtain a detection result, then when the detection result is that the DNS request does not accord with the wind control rule, the behavior type of the DNS request is obtained, finally, target operation corresponding to the behavior type is determined from a preset response strategy, and the target operation is executed, so that an access control function is realized. Compared with the prior art, the wind control rule is constructed according to threat information and safety rules, the threat information comprises at least one website information, and the detection result comprises that the wind control rule is met and the wind control rule is not met, so that the DNS request can be detected and identified in the process of providing DNS service in the execution process of the method. Meanwhile, the preset response strategy in the method comprises operation corresponding to each behavior type, so that when the DNS request is determined to be not in accordance with the wind control rule based on the detection result in the detection process, specific operation behaviors can be selected according to the behavior types of the DNS request, and the real-time management and control effect when the DNS request has risks is achieved, namely the effect of performing different management and control modes on different DNS requests is achieved, so that a 'one-to-one' mode management and control mode on all DNS requests is avoided, and a flexible access control function is achieved.
To be described in more detail below, an embodiment of the present application provides another access control method, which is applied to an access control server, where the access control server is disposed between a user terminal and an authoritative server, and the user terminal interactively communicates with the authoritative server through the access control server, and the method is applied to the access control server, and specifically, as shown in fig. 2, the method includes:
201. and detecting the DNS request according to the wind control rule to obtain a detection result.
The wind control rule is constructed according to threat information and a safety rule, the threat information comprises at least one website information, and the detection result comprises a condition that the wind control rule is met and a condition that the wind control rule is not met.
In a specific application, when the method described in this step performs detection, the execution process may specifically be:
A. judging whether a target website corresponding to the DNS request is matched with website information contained in the threat intelligence or not according to the threat intelligence;
B. if so, determining that the detection result is that the wind control rule is not met;
C. if not, determining whether the DNS request is matched with the parameter information contained in the security rule;
D. if it is determined that the DNS request matches the parameter information, determining that the detection result is that the wind control rule is not met;
E. and if it is determined that the DNS request does not match the parameter information, determining that the detection result is that the wind control rule is met.
Based on steps A to E, the actual detection in this embodiment is performed in two stages. The first stage is based on the threat intelligence: when the DNS request relates to website information in the threat intelligence, it indicates that the DNS request is about to access a phishing website, and it may be determined directly that the DNS request does not conform to the wind control rule, which facilitates subsequent access control. When the first stage does not find that the DNS request relates to website information in the threat intelligence, the second stage is performed, that is, detection according to the security rule to determine whether the DNS request relates to the parameter information included in the security rule. In this embodiment, the parameter information of the security rule may be understood as preset parameters that limit DNS requests. For example, some IP addresses are not allowed to access the external network; if the IP address carried in the DNS request is found to be consistent with an IP address set in the security rule, it indicates that a user terminal that is not allowed to access the external network is requesting external access, and the DNS request may be determined not to conform to the wind control rule, so that it can be managed and controlled subsequently.
In some application scenarios, website information includes many parameters, and too many parameters occupy more system resources; in particular, when the number of websites in the threat intelligence is in the order of tens of millions or even hundreds of millions, excessive parameters in the website information place a large burden on system resources. In fact, the most essential and direct website information is the domain name. Many websites set up by an organization or group are intended to phish users in order to attack their devices or networks with trojans, viruses and similar programs. Therefore, in this embodiment, a network security expert may directly mark the threatening websites, and in particular their domain name parameters, so that when a DNS request is detected it can be identified directly from the domain name parameter it carries, to determine whether that parameter belongs to a marked website.
Based on this, step A, judging according to the threat intelligence whether the target website corresponding to the DNS request matches website information included in the threat intelligence, may specifically be executed as: first, determining the domain name of the target website according to the DNS request; and then matching the domain name of the target website against the dangerous domain name parameters.
Because step A is determined by domain name, the subsequent step B is specifically: if the domain name of the target website matches a dangerous domain name parameter, determining that the detection result is that the DNS request does not conform to the wind control rule;
similarly, step C is specifically: if it is determined that the domain name of the target website does not match any dangerous domain name parameter, determining whether the DNS request matches the parameter information included in the security rule.
Because the domain name is detected directly, the whole detection process only parses the domain name in the DNS request and compares it with the domain name parameter of each dangerous website in the threat intelligence. This reduces the pressure on system resources caused by excessive data when the threat intelligence is set up, allows the judgment to be made by domain name alone, reduces the amount of data parsed during detection, and reduces the system resources occupied by access control.
Further, when the first stage, based on threat intelligence, determines that the DNS request does not relate to a website included in the threat intelligence, further detection must be performed based on the security rule, and the determination method differs according to how the security rule is set. That is, in the course of executing step D, the execution manner differs with the security rule, specifically as follows:
in one aspect, when the security rule is a filtering rule, the filtering rule may be understood as filtering the DNS request based on the first parameter information, where the parameter information includes the first parameter information.
In this case, step C, determining whether the DNS request matches the parameter information included in the security rule, may specifically be executed as:
acquiring a first request parameter from the DNS request, and judging whether the first request parameter matches the first parameter information.
Based on this, step D, determining that the detection result is that the wind control rule is not met if the DNS request matches the parameter information, is specifically executed as:
if it is determined that the first request parameter matches the first parameter information, determining that the detection result is that the wind control rule is not met;
similarly, step E, determining that the detection result is that the wind control rule is met if the DNS request does not match the parameter information, is specifically executed as:
if it is determined that the first request parameter does not match the first parameter information, determining that the detection result is that the wind control rule is met.
In this embodiment, when the security rule is a filtering rule, the parameter information of the filtering rule is used to filter the DNS request: when the first request parameter carried in the DNS request is consistent with the first parameter information of the filtering rule, the DNS request may not be responded to directly but must be controlled, and it may be determined, based on the filtering rule, that the DNS request does not conform to the wind control rule. Conversely, when the first request parameter is inconsistent with the first parameter information, the parameter information that needs to be limited is not present in the DNS request, and the DNS request conforms to the wind control rule.
On the other hand, when the security rule is a release rule, the release rule screens the DNS request by the second parameter information, and the DNS request is released when it contains the second parameter information. The parameter information includes the second parameter information.
Thus, step C, determining whether the DNS request matches the parameter information included in the security rule, may be executed as:
acquiring a second request parameter from the DNS request, and judging whether the second request parameter matches the second parameter information;
based on this, step D, determining the detection result when the DNS request matches the parameter information, includes:
if it is determined that the second request parameter matches the second parameter information, determining that the detection result is that the wind control rule is met;
similarly, step E, determining the detection result when the DNS request does not match the parameter information, includes:
if it is determined that the second request parameter does not match the second parameter information, determining that the detection result is that the wind control rule is not met.
In the above step, since the security rule is a release rule, a DNS request that carries the parameter information of the release rule may be released directly; that is, when the second request parameter is consistent with the second parameter information, the DNS request needs to be released, and it can be determined that the DNS request conforms to the wind control rule. Conversely, when the second request parameter in the DNS request is inconsistent with the second parameter information of the release rule, the DNS request cannot be released, and it is determined that the DNS request does not conform to the wind control rule.
In this step, regardless of the filtering rule or the release rule, the type, quantity, and form of the specific parameter included in the first parameter information and the second parameter information are not limited herein, but the comparison is performed on the premise that the type, quantity, and form of the first requested parameter are consistent with those of the first parameter information, and the comparison is performed on the premise that the type, quantity, and form of the second requested parameter are consistent with those of the second parameter information.
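The two-stage detection of steps A to E, with the filtering rule and the release rule side by side, as an added illustration that is not part of the patent. The class and function names, the choice of the client IP address as the request parameter compared against the security rule, the treatment of subdomains of a marked domain as matches, and all sample data are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Detection(Enum):
    COMPLIANT = "meets the wind control rule"
    NON_COMPLIANT = "does not meet the wind control rule"


@dataclass(frozen=True)
class DnsRequest:
    qname: str        # target website domain name taken from the question section
    client_ip: str    # the request parameter compared against the security rule (assumption)


@dataclass(frozen=True)
class SecurityRule:
    kind: str          # "filter" (first parameter information) or "release" (second)
    params: frozenset  # parameter values, same type and form as the request parameter


@dataclass(frozen=True)
class WindControlRule:
    dangerous_domains: frozenset   # threat intelligence: pre-marked dangerous domain names
    security_rule: SecurityRule


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot so comparison is by label, not by bytes."""
    return name.rstrip(".").lower()


def target_domain_matches(qname: str, dangerous: frozenset) -> bool:
    """Stage one: compare only the domain name parameter against the intelligence.

    A marked domain also covers its subdomains (assumption), so each parent
    of the queried name is looked up in turn.
    """
    labels = normalize_domain(qname).split(".")
    return any(".".join(labels[i:]) in dangerous for i in range(len(labels)))


def detect(req: DnsRequest, rule: WindControlRule):
    """Steps A to E; returns (Detection, name of the stage that decided it)."""
    # Steps A and B: a hit in the threat intelligence ends the detection.
    if target_domain_matches(req.qname, rule.dangerous_domains):
        return Detection.NON_COMPLIANT, "threat_intelligence"

    # Steps C to E: compare the request parameter with the security rule.
    sr = rule.security_rule
    matched = req.client_ip in sr.params
    if sr.kind == "filter":
        # Filtering rule: a match means the request must be controlled.
        return (Detection.NON_COMPLIANT if matched else Detection.COMPLIANT), "filter_rule"
    if sr.kind == "release":
        # Release rule: a match means the request is released; anything else is controlled.
        return (Detection.COMPLIANT if matched else Detection.NON_COMPLIANT), "release_rule"
    raise ValueError(f"unknown security rule kind: {sr.kind}")


# Constructed sample data: one marked domain, a filtering rule that keeps
# 10.0.0.5 off the external network, and a release rule that only lets 10.0.0.7 out.
INTEL = frozenset({"bad.example"})
FILTER_RULE = WindControlRule(INTEL, SecurityRule("filter", frozenset({"10.0.0.5"})))
RELEASE_RULE = WindControlRule(INTEL, SecurityRule("release", frozenset({"10.0.0.7"})))


if __name__ == "__main__":
    for req, rule in [
        (DnsRequest("Login.BAD.example.", "10.0.0.9"), FILTER_RULE),   # stage one hit
        (DnsRequest("docs.example", "10.0.0.5"), FILTER_RULE),         # filtering rule hit
        (DnsRequest("docs.example", "10.0.0.9"), FILTER_RULE),         # nothing matched
        (DnsRequest("docs.example", "10.0.0.7"), RELEASE_RULE),        # released
        (DnsRequest("docs.example", "10.0.0.9"), RELEASE_RULE),        # not released
    ]:
        result, stage = detect(req, rule)
        print(f"{req.qname:22} {req.client_ip:10} {stage:20} {result.value}")
```

Note that the same request parameter yields opposite results under the two rule kinds, which is why the comparison must know which kind of security rule it is applying.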
202. And when the detection result is that the DNS request does not accord with the wind control rule, acquiring the behavior type of the DNS request.
Specifically, the behavior types include a dangerous website access behavior, a verification and calculation behavior and a restriction request behavior.
In this embodiment, the behavior type may be determined by directly parsing the DNS request into the fields of its respective portions. Different fields have different meanings; for example, the field in the domain name portion indicates which website the DNS request needs to access. Therefore, it can be determined directly from the information contained in the DNS request whether its behavior type is access to a dangerous website, a verification and calculation behavior, or a restriction request behavior.
It should be noted that, in this embodiment, dangerous website access behavior may be understood as the target website hosting a worm virus, trojan script or similar, so that the website may cause serious damage to the device or network of the client that initiated the DNS request. The restriction request behavior may be understood as access to a website for which some clients lack access rights; for example, in some laboratories or research institutes, data security requires that certain clients are not allowed to access the external network, and when such a client initiates a DNS request to the external network, the behavior type of that DNS request is a restriction request behavior. The types and number of restricted access behaviors are not limited here and may be chosen and set according to the actual needs of the user.
203. And determining the target operation corresponding to the behavior type from the preset response strategy, and executing the target operation.
And the preset response strategy comprises the operation corresponding to each behavior type.
Because different behavior types pose different degrees of risk to the user side, and because the access process needs to be controlled flexibly, this embodiment further selects a suitable target operation for each behavior type in combination with the preset response policy. In general, besides simply allowing or prohibiting the request, operations such as forwarding or redirecting the request may also be included, so this step may specifically be executed as:
when the behavior type of the DNS request is the dangerous website access behavior or the verification and calculation behavior, prohibiting the DNS request. As described above, dangerous website access behavior may cause severe hardware or data loss on the user's device or network, so when the behavior type of the DNS request is access to such a website, the DNS request must be prohibited outright; likewise, since verification and calculation behavior may impose a huge expenditure on the user terminal or its network, the DNS request must also be prohibited immediately when it is determined to be verification and calculation behavior. Thus a DNS request that poses serious risk to the user side is prohibited directly, and the security of the user side is guaranteed.
When the behavior type of the DNS request is a restriction request behavior, ignoring the DNS request and responding according to preset web page information. This step is in fact a redirection of the DNS request, where redirection means sending the network request to a location other than the one originally requested; it may take the form of web page redirection, domain name redirection or other ways. For example, when a user attempts to access a website that is not authorized or is prohibited by law, such as a non-compliant website, the DNS request is answered with the preset web page information rather than the non-compliant website, that is, the DNS request is redirected so that the user is shown a page it is permitted to view. For instance, when the user's DNS request targets a non-compliant website, a preset "Error 404" page may be returned directly in this step. Returning a preset page to a restriction request behavior thus avoids the restricted access, prompts the user side, and reduces the communication pressure caused by repeated invalid accesses.
204. And recording the detection result, and sending prompt information to the target server based on the detection result.
The prompt information comprises the detection result and alarm information, and the alarm information is used for prompting that the DNS request has risk.
In this step, after access control has been performed on the DNS request, the detection result may be recorded so that staff can later trace the access process. Meanwhile, prompt information may be sent to the target server based on the detection result, so that the target server is notified promptly after detection and the relevant staff can learn in time which access behavior the DNS request involved. This facilitates monitoring of DNS access behavior, in particular monitoring of the access process where many clients exist, such as in enterprises, factories and schools.
It should be noted that the content and form of the alarm information within the prompt information are not limited here and may be chosen according to the needs of the user; for example, the alarm may be an alarm e-mail.
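Steps 202 to 204 carried through for one detection result, as an added example that is not the patent's own code: the behavior type is derived from the parsed domain field and the stage that flagged the request, the preset response policy maps it to a target operation, the operation is rendered as a DNS answer, and the result is recorded together with the prompt information. Assumptions: the detection stage names, the labelling of threat intelligence entries with a behavior, the use of RCODE REFUSED to prohibit a request, the address of the host serving the preset page, and all sample data.

```python
from dataclasses import dataclass, field
from enum import Enum


class Behavior(Enum):
    DANGEROUS_WEBSITE = "dangerous website access behavior"
    VERIFY_CALC = "verification and calculation behavior"
    RESTRICTED = "restriction request behavior"


class Operation(Enum):
    PROHIBIT = "prohibit"
    REDIRECT = "redirect to preset page"


# Preset response policy: one target operation per behavior type.
RESPONSE_POLICY = {
    Behavior.DANGEROUS_WEBSITE: Operation.PROHIBIT,
    Behavior.VERIFY_CALC: Operation.PROHIBIT,
    Behavior.RESTRICTED: Operation.REDIRECT,
}

PRESET_PAGE_IP = "192.0.2.10"   # constructed: host that serves the preset "Error 404" page

# Constructed threat intelligence: each marked domain carries the behavior that
# accessing it represents (assumption about how the intelligence is labelled).
INTEL_BEHAVIOR = {
    "bad.example": Behavior.DANGEROUS_WEBSITE,
    "pool.example": Behavior.VERIFY_CALC,
}


@dataclass
class Controller:
    records: list = field(default_factory=list)   # step 204: recorded detection results
    alerts: list = field(default_factory=list)    # step 204: prompt information for the target server

    def behavior_type(self, qname: str, stage: str) -> Behavior:
        """Step 202: behavior type from the domain field and the stage that flagged it."""
        if stage == "threat_intelligence":
            labels = qname.rstrip(".").lower().split(".")
            for i in range(len(labels)):          # a marked parent domain also applies
                hit = INTEL_BEHAVIOR.get(".".join(labels[i:]))
                if hit is not None:
                    return hit
            return Behavior.DANGEROUS_WEBSITE     # marked but unlabelled: treat as dangerous
        # A security-rule hit means a client asked for something it is not allowed.
        return Behavior.RESTRICTED

    def handle(self, qname: str, client_ip: str, non_compliant: bool, stage: str) -> dict:
        """Steps 202 to 204 for one detection result; returns the DNS answer to send."""
        if not non_compliant:
            self.records.append({"qname": qname, "client": client_ip, "result": "compliant"})
            return {"rcode": "NOERROR", "forward": True}   # resolve normally via the authoritative server
        behavior = self.behavior_type(qname, stage)
        operation = RESPONSE_POLICY[behavior]           # step 203: look up the target operation
        if operation is Operation.PROHIBIT:
            answer = {"rcode": "REFUSED", "forward": False}
        else:
            # Ignore the original target and answer with the preset page's address.
            answer = {"rcode": "NOERROR", "forward": False, "answer": PRESET_PAGE_IP}
        self.records.append({"qname": qname, "client": client_ip, "result": "non_compliant",
                             "behavior": behavior.value, "operation": operation.value})
        # Prompt information: detection result plus the alarm that the request has risk.
        self.alerts.append(f"ALERT {client_ip} -> {qname}: {behavior.value}; "
                           f"{operation.value}; DNS request has risk")
        return answer


if __name__ == "__main__":
    ctl = Controller()
    print(ctl.handle("login.bad.example", "10.0.0.9", True, "threat_intelligence"))
    print(ctl.handle("news.example", "10.0.0.5", True, "filter_rule"))
    print(ctl.handle("docs.example", "10.0.0.9", False, "filter_rule"))
    print("\n".join(ctl.alerts))
```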
In order to achieve the above object, according to another aspect of the present application, an embodiment of the present application further provides a storage medium, where the storage medium includes a stored program, and when the program runs, a device on which the storage medium is located is controlled to execute the above access control method.
In order to achieve the above object, according to another aspect of the present application, an embodiment of the present application further provides an access control apparatus, which includes a storage medium; and one or more processors, the storage medium coupled with the processors, the processors configured to execute program instructions stored in the storage medium; the program instructions execute the access control method when running.
Further, as an implementation of the method shown in fig. 1 and fig. 2, another embodiment of the present application further provides an access control server. The access control server embodiment corresponds to the foregoing method embodiment, and for convenience of reading, details in the foregoing method embodiment are not described in detail again in this access control server embodiment, but it should be clear that the system in this embodiment can correspondingly implement all the contents in the foregoing method embodiment. The access control server is disposed between a user terminal and an authoritative server, and the user terminal is in interactive communication with the authoritative server through the access control server, specifically as shown in fig. 3, the access control server includes:
the detection unit 31 may be configured to detect the DNS request according to a wind control rule to obtain a detection result, where the wind control rule is constructed according to threat information and a safety rule, the threat information includes at least one website information, and the detection result includes a condition that the wind control rule is met and a condition that the wind control rule is not met;
the obtaining unit 32 may be configured to obtain a behavior type of the DNS request when the detection result is that the DNS request does not conform to the wind control rule;
the control unit 33 may be configured to determine a target operation corresponding to the behavior type from a preset response policy, and execute the target operation, where the preset response policy includes an operation corresponding to each behavior type.
Further, as shown in fig. 4, the detecting unit 31 includes:
a judging module 311, configured to judge, according to the threat intelligence, whether a target website corresponding to the DNS request matches website information included in the threat intelligence;
a first determining module 312, configured to determine that the detection result is that the DNS request does not conform to the wind control rule if it is determined, according to the threat intelligence, that the target website corresponding to the DNS request matches website information included in the threat intelligence;
a second determining module 313, configured to determine whether the DNS request matches the parameter information included in the security rule if it is determined, according to the threat intelligence, that the target website corresponding to the DNS request does not match the website information included in the threat intelligence;
a third determining module 314, configured to determine that the detection result is that the DNS request does not conform to the wind control rule if it is determined that the DNS request matches parameter information included in the security rule;
the fourth determining module 315 may be configured to determine that the detection result is that the DNS request conforms to the wind control rule if it is determined that the DNS request does not match the parameter information included in the security rule.
Further, as shown in fig. 4, the behavior types include a dangerous website access behavior, a verification and calculation behavior, and a restriction request behavior;
the execution unit 33 includes:
a first executing module 331, configured to prohibit the DNS request when the behavior type of the DNS request is the dangerous website access behavior or the verification and calculation behavior;
the second executing module 332 may be configured to, when the behavior type of the DNS request is a request restriction behavior, ignore the DNS request, and feed back the DNS request according to preset web page information.
Further, as shown in fig. 4, the website information is a pre-marked dangerous domain name parameter;
the determining module 311 includes:
a determining sub-module 3111, configured to determine a domain name of the target website according to the DNS request;
a matching sub-module 3112, configured to match the dangerous domain name parameter with the domain name of the target website;
the first determining module 312 may be further configured to determine that the detection result is that the DNS request does not conform to the wind control rule if it is determined that the domain name of the target website matches the dangerous domain name parameter;
the second determining module 313 may be further configured to determine whether the DNS request matches parameter information included in the security rule if it is determined that the domain name of the target website does not match the dangerous domain name parameter.
Further, as shown in fig. 4, the parameter information includes first parameter information; the security rules comprise filtering rules, and the filtering rules are used for screening DNS requests based on the first parameter information;
the second determining module 313 may be further specifically configured to obtain a first request parameter from the DNS request, and determine whether the first request parameter matches the first parameter information;
the third determining module 314 may be further specifically configured to determine that the detection result is that the wind control rule is not met if it is determined that the first request parameter matches the first parameter information;
the fourth determining module 315 may be further specifically configured to determine that the detection result is that the wind control rule is met if it is determined that the first request parameter is not matched with the first parameter information.
Further, as shown in fig. 4, the parameter information includes second parameter information; the security rule comprises a release rule, and the release rule is used for screening the DNS request based on the second parameter information;
the second determining module 313 may be further configured to obtain a second request parameter from the DNS request, and determine whether the second request parameter matches the second parameter information;
the third determining module 314 may be further specifically configured to determine that the detection result is that the wind control rule is met if it is determined that the second request parameter matches the second parameter information;
the fourth determining module 315 may be further specifically configured to determine that the detection result is that the wind control rule is not met if it is determined that the second request parameter does not match the second parameter information.
Further, as shown in fig. 4, the server further includes:
the recording unit 34 may be configured to record the detection result, and send a prompt message to a target server based on the detection result, where the prompt message includes the detection result and alarm information, and the alarm information is used to prompt that the DNS request is risky when the detection result indicates that the DNS request does not comply with the wind control rule.
The embodiment of the application provides an access control method and an access control server, which detect a DNS request according to a wind control rule to obtain a detection result; when the detection result is that the DNS request does not conform to the wind control rule, obtain the behavior type of the DNS request; and finally determine the target operation corresponding to the behavior type from a preset response strategy and execute it, so that an access control function is realized. Compared with the prior art, the wind control rule is constructed from threat intelligence and a security rule, the threat intelligence includes at least one item of website information, and the detection result is either that the wind control rule is met or that it is not met, so the DNS request can be detected and identified while the DNS service is being provided. Meanwhile, the preset response strategy includes an operation for each behavior type, so when the DNS request is determined not to conform to the wind control rule, a specific operation can be selected according to its behavior type. This achieves real-time management and control when a DNS request carries risk, that is, different management and control modes for different DNS requests, avoids a 'one-size-fits-all' management and control mode for all DNS requests, and provides a flexible access control function.
The embodiment of the application provides a storage medium, which comprises a stored program, wherein when the program runs, a device where the storage medium is located is controlled to execute the access control method.
The storage medium may include volatile memory in a computer readable medium, Random Access Memory (RAM) and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip.
An embodiment of the present application further provides an access control apparatus, which includes a storage medium; and one or more processors, the storage medium coupled with the processors, the processors configured to execute program instructions stored in the storage medium; when the program instruction runs, the access control method is executed.
The embodiment of the application provides equipment, the equipment comprises a processor, a memory and a program which is stored on the memory and can run on the processor, and the following steps are realized when the processor executes the program:
detecting the DNS request according to a wind control rule to obtain a detection result, wherein the wind control rule is constructed according to threat information and a safety rule, the threat information comprises at least one website information, and the detection result comprises a condition meeting the wind control rule and a condition not meeting the wind control rule;
when the detection result is that the DNS request does not accord with the wind control rule, acquiring the behavior type of the DNS request;
and determining a target operation corresponding to the behavior type from a preset response strategy, and executing the target operation, wherein the preset response strategy comprises an operation corresponding to each behavior type.
Further, the detecting the DNS request according to the wind control rule to obtain a detection result includes:
judging whether a target website corresponding to the DNS request is matched with website information contained in the threat intelligence or not according to the threat intelligence;
if so, determining that the detection result is that the wind control rule is not met;
if not, determining whether the DNS request is matched with the parameter information contained in the security rule;
if the detection result is matched with the parameter information, determining that the detection result is that the wind control rule is not met;
and if the detection result is determined to be not matched with the parameter information, determining that the detection result accords with the wind control rule.
Further, the behavior types comprise dangerous website access behaviors, verification and calculation behaviors and request limiting behaviors;
the determining a target operation corresponding to the behavior type from a preset response strategy and executing the target operation comprises:
when the behavior type of the DNS request is the dangerous website access behavior or the verification and calculation behavior, prohibiting the DNS request; and/or,
and when the behavior type of the DNS request is a request limiting behavior, ignoring the DNS request and feeding back the DNS request according to preset webpage information.
Further, the website information is a pre-marked dangerous domain name parameter;
the step of judging whether the target website corresponding to the DNS request is matched with website information contained in the threat intelligence according to the threat intelligence comprises the following steps:
determining a target website domain name of the target website according to the DNS request;
matching according to the domain name of the target website and the dangerous domain name parameters;
the step of determining, if the target website corresponding to the DNS request is judged according to the threat intelligence to match the website information contained in the threat intelligence, that the detection result is that the wind control rule is not met comprises:
if the target website domain name is determined to match the dangerous domain name parameter, determining that the detection result is that the wind control rule is not met;
the step of determining, if the target website corresponding to the DNS request is judged according to the threat intelligence not to match the website information contained in the threat intelligence, whether the DNS request matches the parameter information contained in the security rule comprises:
and if the target website domain name is determined not to match the dangerous domain name parameter, determining whether the DNS request matches the parameter information contained in the security rule.
Further, the parameter information includes first parameter information; the security rules comprise filtering rules, and the filtering rules are used for screening the DNS request based on the first parameter information;
the determining whether the DNS request matches parameter information contained in the security rule comprises:
acquiring a first request parameter from the DNS request, and judging whether the first request parameter matches the first parameter information;
the step of determining, if the DNS request is determined to match the parameter information, that the detection result is that the wind control rule is not met includes:
if the first request parameter is determined to match the first parameter information, determining that the detection result is that the wind control rule is not met;
the step of determining, if the DNS request is determined not to match the parameter information, that the detection result is that the wind control rule is met includes:
and if the first request parameter is determined not to match the first parameter information, determining that the detection result is that the wind control rule is met.
Further, the parameter information includes second parameter information; the security rule comprises a release rule, and the release rule is used for screening the DNS request based on the second parameter information;
the determining whether the DNS request matches parameter information contained in the security rule comprises:
acquiring a second request parameter from the DNS request, and judging whether the second request parameter matches the second parameter information;
the step of determining, if the DNS request is determined to match the parameter information, that the detection result is that the wind control rule is not met includes:
if the second request parameter is determined to match the second parameter information, determining that the detection result is that the wind control rule is met;
the step of determining, if the DNS request is determined not to match the parameter information, that the detection result is that the wind control rule is met includes:
and if the second request parameter is determined not to match the second parameter information, determining that the detection result is that the wind control rule is not met.
Further, after the DNS request is detected according to the wind control rule and a detection result is obtained, the method further includes:
and recording the detection result, and sending prompt information to a target server based on the detection result, wherein the prompt information comprises the detection result and alarm information, and the alarm information is used for prompting that the DNS request has risks.
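The detection and response pipeline described above (threat-intelligence domain check, filtering rule, release rule, behavior-type lookup in a preset response strategy, then recording the result with an alarm), as an added worked example in Python. This is illustrative code written for this page, not code from patent CN114944955A or from its applicant. It assumes, since the page does not say, that a request's "first/second request parameter" is the requesting client address, that each rule hit maps to one behavior type (threat-intelligence hit to dangerous website access, filtering-rule hit to verification and calculation, release-rule miss to request limiting), and that the sample domains, addresses and rule contents are constructed:

```python
# Added worked example, not code from patent CN114944955A or its applicant.
# Models the claimed pipeline: threat-intelligence domain check, filtering rule,
# release rule, behaviour-type lookup in a response strategy, then logging/alarm.
# Assumptions (not stated on the page): a request's "first/second request
# parameter" is its client IP, and each rule hit maps to one behaviour type.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Behavior(Enum):
    DANGEROUS_SITE = "dangerous website access"       # assumed: threat-intel hit
    VERIFICATION = "verification and calculation"     # assumed: filtering-rule hit
    REQUEST_LIMITING = "request limiting"             # assumed: release-rule miss


@dataclass(frozen=True)
class DnsRequest:
    qname: str          # target website domain name taken from the query
    client_ip: str      # constructed stand-in for the request parameter
    qtype: str = "A"


@dataclass(frozen=True)
class WindControlRule:
    """'Wind control rule' is the page's term for a risk-control rule set."""
    dangerous_domains: frozenset            # pre-marked dangerous domain names
    filter_params: frozenset                # filtering rule: matches are rejected
    release_params: Optional[frozenset]     # release rule: only matches pass; None = off


# Preset response strategy: one operation per behaviour type (page's wording).
RESPONSE_STRATEGY = {
    Behavior.DANGEROUS_SITE: "forbid",
    Behavior.VERIFICATION: "forbid",
    Behavior.REQUEST_LIMITING: "ignore and feed back preset web page",
}


def domain_matches(qname, dangerous_domains):
    """True if qname equals, or is a subdomain of, a dangerous domain.

    Matching is label-wise, so 'notevil.example' does not match 'evil.example'.
    """
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in dangerous_domains for i in range(len(labels)))


def detect(req, rule):
    """Return (conforms, behavior): conforms=True when the rule is met."""
    if domain_matches(req.qname, rule.dangerous_domains):       # threat intelligence
        return False, Behavior.DANGEROUS_SITE
    if req.client_ip in rule.filter_params:                     # filtering rule
        return False, Behavior.VERIFICATION
    if rule.release_params is not None and req.client_ip not in rule.release_params:
        return False, Behavior.REQUEST_LIMITING                 # release rule
    return True, None


def handle(req, rule, log):
    """Detect, record the result (with alarm text on a miss), return the operation."""
    conforms, behavior = detect(req, rule)
    record = {"qname": req.qname, "client": req.client_ip, "conforms": conforms}
    if not conforms:
        record["behavior"] = behavior.value
        record["alarm"] = "DNS request has risks"   # prompt sent to the target server
    log.append(record)
    return "forward to authoritative server" if conforms else RESPONSE_STRATEGY[behavior]


# Constructed sample rule set and traffic.
SAMPLE_RULE = WindControlRule(
    dangerous_domains=frozenset({"evil.example"}),
    filter_params=frozenset({"10.0.0.99"}),
    release_params=frozenset({"10.0.0.1", "10.0.0.2"}),
)
SAMPLE_REQUESTS = [
    DnsRequest("www.evil.example", "10.0.0.1"),   # threat-intel hit -> forbid
    DnsRequest("news.example", "10.0.0.99"),      # filtering-rule hit -> forbid
    DnsRequest("news.example", "10.0.0.77"),      # not released -> preset page
    DnsRequest("notevil.example", "10.0.0.2"),    # conforms -> forwarded
]


def run_sample():
    """Process the constructed traffic; return (operations, log)."""
    log = []
    ops = [handle(r, SAMPLE_RULE, log) for r in SAMPLE_REQUESTS]
    return ops, log


if __name__ == "__main__":
    for req, op in zip(SAMPLE_REQUESTS, run_sample()[0]):
        print(f"{req.qname:<20} {req.client_ip:<10} -> {op}")
```

The checks run in the order the page gives them (threat intelligence first, then the security rules), so a threat-intelligence hit is reported as such even when the client would also have been released; the subdomain-aware matcher is a design choice of this example and is stricter than a plain string comparison, which would let a look-alike label such as `notevil.example` slip past a blocklist entry for `evil.example` or, conversely, miss `www.evil.example`.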
The present application further provides a computer program product adapted to perform program code for initializing the following method steps when executed on a data processing device: detecting the DNS request according to a wind control rule to obtain a detection result, wherein the wind control rule is constructed according to threat information and a safety rule, the threat information comprises at least one website information, and the detection result comprises a condition meeting the wind control rule and a condition not meeting the wind control rule; when the detection result is that the DNS request does not accord with the wind control rule, acquiring the behavior type of the DNS request; and determining a target operation corresponding to the behavior type from a preset response strategy, and executing the target operation, wherein the preset response strategy comprises an operation corresponding to each behavior type.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. An access control method is applied to an access control server, wherein the access control server is arranged between a user side and an authoritative server, and the user side interactively communicates with the authoritative server through the access control server, and the method comprises the following steps:
detecting the DNS request according to a wind control rule to obtain a detection result, wherein the wind control rule is constructed according to threat information and a safety rule, the threat information comprises at least one website information, and the detection result comprises a condition meeting the wind control rule and a condition not meeting the wind control rule;
when the detection result is that the DNS request does not accord with the wind control rule, acquiring the behavior type of the DNS request;
and determining a target operation corresponding to the behavior type from a preset response strategy, and executing the target operation, wherein the preset response strategy comprises the operation corresponding to each behavior type.
2. The method according to claim 1, wherein the detecting the DNS request according to the wind control rule to obtain a detection result comprises:
judging whether a target website corresponding to the DNS request is matched with website information contained in the threat intelligence or not according to the threat intelligence;
if so, determining that the detection result is that the wind control rule is not met;
if not, determining whether the DNS request matches the parameter information contained in the security rule;
if the DNS request is determined to match the parameter information, determining that the detection result is that the wind control rule is not met;
and if the DNS request is determined not to match the parameter information, determining that the detection result is that the wind control rule is met.
3. The method of claim 1, wherein the behavior types include dangerous website access behavior, verification and calculation behavior, and request limiting behavior;
the determining a target operation corresponding to the behavior type from a preset response strategy and executing the target operation comprises:
when the behavior type of the DNS request is the dangerous website access behavior or the verification and calculation behavior, forbidding the DNS request; and/or
and when the behavior type of the DNS request is a request limiting behavior, ignoring the DNS request and feeding back the DNS request according to preset webpage information.
4. The method of claim 2, wherein the website information is a pre-tagged dangerous domain name parameter;
the step of judging whether the target website corresponding to the DNS request is matched with website information contained in the threat intelligence according to the threat intelligence comprises the following steps:
determining a target website domain name of the target website according to the DNS request;
matching according to the domain name of the target website and the dangerous domain name parameters;
the step of determining, if the target website corresponding to the DNS request is judged according to the threat intelligence to match the website information contained in the threat intelligence, that the detection result is that the wind control rule is not met comprises:
if the target website domain name is determined to match the dangerous domain name parameter, determining that the detection result is that the wind control rule is not met;
the step of determining, if the target website corresponding to the DNS request is judged according to the threat intelligence not to match the website information contained in the threat intelligence, whether the DNS request matches the parameter information contained in the security rule comprises:
and if the target website domain name is determined not to match the dangerous domain name parameter, determining whether the DNS request matches the parameter information contained in the security rule.
5. The method of claim 4, wherein the parameter information comprises first parameter information; the security rules comprise filtering rules, and the filtering rules are used for screening the DNS request based on the first parameter information;
the determining whether the DNS request matches parameter information contained in the security rule comprises:
acquiring a first request parameter from the DNS request, and judging whether the first request parameter matches the first parameter information;
the step of determining, if the DNS request is determined to match the parameter information, that the detection result is that the wind control rule is not met includes:
if the first request parameter is determined to match the first parameter information, determining that the detection result is that the wind control rule is not met;
the step of determining, if the DNS request is determined not to match the parameter information, that the detection result is that the wind control rule is met includes:
and if the first request parameter is determined not to match the first parameter information, determining that the detection result is that the wind control rule is met.
6. The method of claim 4, wherein the parameter information comprises second parameter information; the security rule comprises a release rule, and the release rule is used for screening the DNS request based on the second parameter information;
the determining whether the DNS request matches parameter information contained in the security rule comprises:
acquiring a second request parameter from the DNS request, and judging whether the second request parameter matches the second parameter information;
the step of determining, if the DNS request is determined to match the parameter information, that the detection result is that the wind control rule is not met includes:
if the second request parameter is determined to match the second parameter information, determining that the detection result is that the wind control rule is met;
the step of determining, if the DNS request is determined not to match the parameter information, that the detection result is that the wind control rule is met includes:
and if the second request parameter is determined not to match the second parameter information, determining that the detection result is that the wind control rule is not met.
7. The method according to any one of claims 1-6, wherein after the detecting the DNS request according to the wind control rule, the method further comprises:
and recording the detection result, and sending prompt information to a target server based on the detection result, wherein the prompt information comprises the detection result and alarm information, and the alarm information is used for prompting that the DNS request has risks.
8. An access control server, wherein the access control server is disposed between a user side and an authoritative server, and the user side interactively communicates with the authoritative server through the access control server, the server comprising:
a detection unit, configured to detect a DNS request according to a wind control rule to obtain a detection result, wherein the wind control rule is constructed according to threat intelligence and a security rule, the threat intelligence comprises at least one website information, and the detection result comprises a condition that the wind control rule is met and a condition that the wind control rule is not met;
the obtaining unit is used for obtaining the behavior type of the DNS request when the detection result is that the DNS request does not accord with the wind control rule;
and the control unit is used for determining a target operation corresponding to the behavior type from a preset response strategy and executing the target operation, wherein the preset response strategy comprises an operation corresponding to each behavior type.
9. A storage medium comprising a stored program, wherein a device on which the storage medium is located is controlled to perform the access control method of any one of claims 1 to 7 when the program is run.
10. An access control apparatus, characterized in that the apparatus comprises a storage medium; and one or more processors, the storage medium coupled with the processors, the processors configured to execute program instructions stored in the storage medium; the program instructions when executed perform the access control method of any one of claims 1 to 7.
CN202210575829.9A 2022-05-25 2022-05-25 Access control method and access control server Pending CN114944955A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210575829.9A CN114944955A (en) 2022-05-25 2022-05-25 Access control method and access control server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210575829.9A CN114944955A (en) 2022-05-25 2022-05-25 Access control method and access control server

Publications (1)

Publication Number Publication Date
CN114944955A true CN114944955A (en) 2022-08-26

Family

ID=82908621

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210575829.9A Pending CN114944955A (en) 2022-05-25 2022-05-25 Access control method and access control server

Country Status (1)

Country Link
CN (1) CN114944955A (en)

Similar Documents

Publication Publication Date Title
US9800594B2 (en) Method and system for detecting unauthorized access attack
CN108183916B (en) Network attack detection method and device based on log analysis
US9444834B2 (en) Method and system for detecting behavior of remotely intruding into computer
WO2015184752A1 (en) Abnormal process detection method and apparatus
CN111274583A (en) Big data computer network safety protection device and control method thereof
US20140310807A1 (en) Cloud-based secure download method
CN109862003B (en) Method, device, system and storage medium for generating local threat intelligence library
CN103607385A (en) Method and apparatus for security detection based on browser
US11706220B2 (en) Securing application behavior in serverless computing
CN111726364A (en) Host intrusion prevention method, system and related device
JP6282217B2 (en) Anti-malware system and anti-malware method
US20210400106A1 (en) Predictive model application for file upload blocking determinations
CN112600797A (en) Method and device for detecting abnormal access behavior, electronic equipment and storage medium
CN114024761B (en) Network threat data detection method and device, storage medium and electronic equipment
CN106911635B (en) Method and device for detecting whether backdoor program exists in website
CN111241547B (en) Method, device and system for detecting override vulnerability
CN114944955A (en) Access control method and access control server
CN114021115A (en) Malicious application detection method and device, storage medium and processor
CN114218578A (en) Method and device for generating threat information
CN114861208A (en) Data authority control method and data authority control service
CN115189938A (en) Service safety protection method and device
Xu et al. Identification of ICS security risks toward the analysis of packet interaction characteristics using state sequence matching based on SF-FSM
CN113656809A (en) Mirror image security detection method, device, equipment and medium
CN107103242B (en) Data acquisition method and device
CN111865976A (en) Access control method, device and gateway

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination