CN114978670B - Identity authentication method and device based on fort machine - Google Patents

Info

Publication number: CN114978670B
Authority: CN (China)
Prior art keywords: address; access request; access; preset; blacklist
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Application number: CN202210546317.XA
Other languages: Chinese (zh)
Other versions: CN114978670A (en)
Inventors: 王公桃, 叶雪峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Bank of China Ltd
Original Assignee: Bank of China Ltd

Events:
  • Application filed by Bank of China Ltd
  • Priority to CN202210546317.XA
  • Publication of CN114978670A
  • Application granted
  • Publication of CN114978670B
  • Legal status: Active (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science
  • Computer Hardware Design
  • Computer Security & Cryptography
  • Computing Systems
  • General Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Power Engineering
  • Data Exchanges In Wide-Area Networks

Abstract

The application discloses an identity authentication method and device based on a bastion host (rendered "fort machine" in the machine translation), applicable to the field of network security or the field of finance. The method comprises the following steps: when an access request is detected from an IP address corresponding to a user who is not on the blacklist, judging whether the access count of that IP address within a preset duration lies within a preset range; if the access count exceeds the preset range, using the bastion system to judge whether the access request of the IP address meets the preset blacklist criterion; if it does, rejecting the access request of the IP address; if the access count is within the preset range, or the access request does not meet the preset blacklist criterion, responding to the access request so that the IP address accesses the corresponding target system. Checking that the access count of the IP address lies within the preset range, and checking whether the IP address meets the preset blacklist criterion, adds authentication modes, improves the capability to recognize and prevent network attacks, and ensures the security of the system.

Description

Identity authentication method and device based on fort machine
Technical Field
The invention relates to the technical field of network security or the financial field, and in particular to an identity authentication method and device based on a bastion host.
Background
Banks currently run many service systems, and users have to log in to different service systems for different service needs, which makes operation cumbersome.
Banks currently use a single sign-on system so that a user who has logged in once can use the other service systems associated with it. However, the current single sign-on system supports only passwords as authentication credentials; its authentication condition is one-dimensional, it easily leads to information leakage and similar problems, and it is difficult to guarantee the network communication security of the service systems.
Therefore, the low security of the single sign-on system is a problem that needs to be solved.
Disclosure of Invention
In view of the above, the embodiments of the invention provide an identity authentication method and device based on a bastion host, so as to solve the problem of low security of a single sign-on system.
To achieve the above object, the embodiments of the present invention provide the following technical solutions:
The first aspect of the embodiments of the invention discloses an identity authentication method based on a bastion host, applied to a single sign-on system that is used to access each target system. The method comprises the following steps:
when an access request is detected from an IP address corresponding to a user who is not on the blacklist, judging whether the access count of the IP address within a preset duration lies within a preset range, where the access count is the number of times the IP address has accessed the single sign-on system;
if the access count exceeds the preset range, judging by means of the bastion system whether the access request of the IP address meets a preset blacklist criterion;
if the access request of the IP address meets the preset blacklist criterion, rejecting the access request of the IP address;
and if the access count is within the preset range, or if the access request of the IP address does not meet the preset blacklist criterion, responding to the access request so that the IP address accesses the corresponding target system.
Preferably, responding to the access request so that the IP address accesses the corresponding target system includes:
judging whether the IP address is an intranet IP address;
if the IP address is an intranet IP address, accessing the target system corresponding to the access request according to the operation authority recorded for the IP address in a system database, where the system database holds the user's operation authority for each target system;
and if the IP address is not an intranet IP address, responding to the access request according to the operation authority recorded for the IP address in the system database, so that the corresponding target system is reached through a preset isolation zone.
Preferably, when an access request is detected from an IP address corresponding to a user who is not on the blacklist, judging whether the access count of the IP address within the preset duration lies within the preset range further includes:
when the IP address is an extranet IP address, converting it into a corresponding intranet IP address by means of a preset front-end zone.
Preferably, judging by means of the bastion system whether the access request of the IP address meets the preset blacklist criterion includes:
collecting, with the bastion system, first log information of the target system and second log information corresponding to the IP address;
analyzing the first and second log information to obtain an analysis result for the IP address;
judging, based on the analysis result, whether the IP address shows abnormal behaviour;
if it does, determining that the access request of the IP address meets the preset blacklist criterion;
if it does not, determining that the access request of the IP address does not meet the preset blacklist criterion.
Preferably, if the access request of the IP address meets the preset blacklist criterion, then after rejecting the access request the method further includes:
when the access request of the IP address meets the preset blacklist criterion, adding the IP address to the blacklist by means of the bastion system;
analyzing the access request and the log information corresponding to the IP address, obtaining the attack information for the IP address, and generating and sending an analysis report from that attack information, where the attack information includes at least the attack time period, the attack means and the attack frequency.
The second aspect of the embodiments of the invention discloses an identity authentication device based on a bastion host, comprising:
a first judging unit, configured to judge, when an access request is detected from an IP address corresponding to a user who is not on the blacklist, whether the access count of the IP address within a preset duration lies within a preset range, where the access count is the number of times the IP address has accessed the single sign-on system;
a second judging unit, configured to judge by means of the bastion system whether the access request of the IP address meets a preset blacklist criterion if the access count exceeds the preset range;
a rejecting unit, configured to reject the access request of the IP address if it meets the preset blacklist criterion;
and an access unit, configured to respond to the access request so that the IP address accesses the corresponding target system if the access count is within the preset range or if the access request does not meet the preset blacklist criterion.
Preferably, the access unit includes:
a first judging module, configured to judge whether the IP address is an intranet IP address;
a first access module, configured to access the target system corresponding to the access request according to the operation authority recorded for the IP address in a system database if the IP address is an intranet IP address, where the system database holds the user's operation authority for each target system;
and a second access module, configured to respond to the access request according to the operation authority recorded for the IP address in the system database if the IP address is not an intranet IP address, so that the corresponding target system is reached through a preset isolation zone.
Preferably, the device further comprises:
a conversion unit, configured to convert the IP address into a corresponding intranet IP address by means of a preset front-end zone when the IP address is an extranet IP address.
Preferably, the second judging unit includes:
a collecting module, configured to collect, with the bastion system, first log information of the target system and second log information corresponding to the IP address;
an analysis module, configured to analyze the first and second log information to obtain an analysis result for the IP address;
a second judging module, configured to judge, based on the analysis result, whether the IP address shows abnormal behaviour;
a first determining module, configured to determine that the access request of the IP address meets the preset blacklist criterion if the IP address shows abnormal behaviour;
and a second determining module, configured to determine that the access request of the IP address does not meet the preset blacklist criterion if the IP address shows no abnormal behaviour.
Preferably, the device further comprises:
an adding unit, configured to add the IP address to the blacklist by means of the bastion system when the access request of the IP address meets the preset blacklist criterion;
an analysis unit, configured to analyze the access request and the log information corresponding to the IP address, obtain the attack information for the IP address, and generate and send an analysis report from that attack information, where the attack information includes at least the attack time period, the attack means and the attack frequency.
The identity authentication method and device based on a bastion host provided by the embodiments of the invention can be applied to the field of network security or the field of finance. The method comprises the following steps: when an access request is detected from an IP address corresponding to a user who is not on the blacklist, judging whether the access count of the IP address within a preset duration lies within a preset range; if the access count exceeds the preset range, judging by means of the bastion system whether the access request of the IP address meets the preset blacklist criterion; if it does, rejecting the access request of the IP address; if the access count is within the preset range, or if the access request does not meet the preset blacklist criterion, responding to the access request so that the IP address accesses the corresponding target system. Checking that the access count of the IP address lies within the preset range, and checking whether the IP address meets the preset blacklist criterion, adds authentication modes, improves the capability to recognize and prevent network attacks, and ensures the security of the system.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for the embodiments or for the description of the prior art are briefly introduced below. The drawings described below show only embodiments of the present invention; a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flow chart of an identity authentication method based on a bastion host provided by an embodiment of the invention;
FIG. 2 is a block diagram of an identity authentication device based on a bastion host according to an embodiment of the present invention;
FIG. 3 is another block diagram of an identity authentication device based on a bastion host according to an embodiment of the present invention;
FIG. 4 is a block diagram of a further configuration of an identity authentication device based on a bastion host according to an embodiment of the present invention.
Detailed Description
The embodiments of the present invention are described below clearly and completely with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can obtain from them without inventive effort fall within the scope of the invention.
In this application, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus comprising a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to it. Without further limitation, an element introduced by the phrase "comprising one …" does not exclude the presence of other like elements in the process, method, article or apparatus that comprises it.
It should be noted that the identity authentication method and device based on a bastion host provided by the invention can be used in the technical field of network security or in the financial field. This is merely an example; the fields of application of the method and device are not limited.
As known from the background art, although banks currently use a single sign-on system so that a user who has logged in once can use the other service systems associated with it, the current single sign-on system has a one-dimensional authentication condition, which easily causes information leakage and similar problems and makes it difficult to ensure the network communication security of the service systems.
Therefore, the embodiments of the invention provide an identity authentication method and device based on a bastion host which, when an access request is detected from an IP address corresponding to a user who is not on the blacklist, judge whether the access count of the IP address within a preset duration lies within a preset range; if the access count exceeds the preset range, the bastion system is used to judge whether the access request of the IP address meets the preset blacklist criterion; if it does, the access request is rejected; if the access count is within the preset range, or if the access request does not meet the preset blacklist criterion, the access request is served and the IP address accesses the corresponding target system. Two authentication modes are added: judging whether the access count of the IP address within the preset duration lies within the preset range, and judging with the bastion system whether the access request meets the preset blacklist criterion. This effectively strengthens the single sign-on system's capability to recognize and prevent network attacks and improves its security.
It should be noted that the identity authentication method based on a bastion host provided by the embodiments of the invention is applied to a single sign-on system that supports secure access between an intranet system and a public network system. The single sign-on system is developed on the basis of Security Assertion Markup Language (SAML) 2.0 and a computer network authorization protocol (the Kerberos protocol), and is used to access each target system, a target system being a service system pre-associated with the single sign-on system.
It will be appreciated that the users supported by the single sign-on system include internal employees of the bank and of its affiliated subsidiaries; internal employees of the bank may log in to the single sign-on system using their employee number as the unique credential.
The system database of the single sign-on system stores each user's operation authority for each service system, that is, the user's authority to use the internal data of that service system.
In some embodiments, the single sign-on system further includes a domain controller (DC), which stores the users' rights to access the service systems.
It should be noted that the single sign-on system in the embodiments of the present invention integrates several different single sign-on protocols and can run on the Windows, Linux, iOS, Android and HarmonyOS platforms. Referring to FIG. 1, a flowchart of an identity authentication method based on a bastion host according to an embodiment of the present invention is shown; the authentication method includes:
step S101: when the access request of the user which is not in the black list and corresponds to the IP address is detected, judging whether the access amount of the IP address in the preset duration is in the preset range or not. If the access amount of the IP address within the preset duration is not within the preset range, step S102 is executed; if the access amount of the IP address within the preset duration is within the preset range, step S104 is executed.
It can be understood that when an access request is received, the source of the IP address corresponding to the access request is identified, and it is determined whether the IP address corresponding to the access request is the IP address corresponding to the user in the blacklist. And when receiving the access request of the IP address corresponding to the user on the blacklist, rejecting the access request.
The access amount is the number of times the IP address accesses the single sign-on system. The preset range is the frequency range of allowing the IP address to access the single sign-on system in the preset duration.
In some embodiments, the preset range is a fluctuation range of a standard range, the standard range indicating an access amount range specified by a certain IP address within a preset time period, the fluctuation range indicating an access amount range fluctuating up and down the standard range. For example: the standard range is 200 times to 400 times, the fluctuation range corresponds to 30% to 40% of the standard range up and down fluctuation, namely the fluctuation range can be 140 times to 560 times, and the preset range can be 140 times to 560 times.
For example: and the standard range of the IP address corresponding to the user A is 150 to 200 times per day, the fluctuation range of the permitted access times is 120 to 220 times, and if the access amount of the IP address in one day is 400 times, the access amount of the IP address in one day is determined not to be in the preset range.
Also for example: and the standard range of the IP address corresponding to the user B is 150 to 200 times per day, the fluctuation range of the permitted access times is 120 to 220 times, and if the access amount of the IP address in one day is 189 times, the access amount of the IP address in one day is determined to be in a preset range.
In some embodiments, in addition to determining whether the access request of the IP address is a normal access request by determining whether the access amount corresponding to the IP address is within a preset range, the pulse frequency, the maximum concurrency amount, which ports the access request involves, and the like of the access corresponding to the access request of the IP address are used to compare with standard data in a standard database to determine whether the access request of the IP address is a normal access request. The standard data in the standard database can be obtained by calculation according to the daily access frequency of the IP address.
It can be understood that when an access request of an IP address corresponding to a user not on the blacklist is received, it is determined whether the IP address is an external network IP address. Specifically, when the IP address is an external network IP address, the IP address is translated and isolated by using a preset prefix (e.g., DMV prefix), and the IP address is converted into a corresponding internal network IP address. When the IP address is an intranet IP address, a unique internal account number is allocated for the IP address.
It should be noted that, when the access amount corresponding to the IP address exceeds the preset range, it cannot be directly determined that the access request of the IP address is an access request of an illegal attack. That is, in actual situations, due to the different traffic in the special period, the IP address may generate an access request or a high-frequency access request which is super-concurrent, for example, the traffic increases before and after holidays, and the access request increases. At this time, the access request corresponding to the IP address may be a normal access request. It is therefore necessary to further determine whether the access request of the IP address is an abnormal access request, see the following steps for specific operations.
Step S102: use the bastion system to judge whether the access request of the IP address meets the preset blacklist criterion. If it does, step S103 is executed; if it does not, step S104 is executed.
It can be understood that, under the preset blacklist criterion, an abnormal access request or one that is an illegal attack should be added to the blacklist, that is, an access request that may cause information leakage from or damage to the single sign-on system; the single sign-on system refuses access requests from IP addresses on the blacklist.
In the specific implementation of step S102, if the access count of the IP address within the preset duration is not within the preset range, the bastion system is used to judge whether the access request of the IP address meets the preset blacklist criterion. If it does, step S103 is executed; if it does not, step S104 is executed.
It should be noted that using the bastion system to judge whether the access request meets the preset blacklist criterion may specifically mean using the bastion system to collect the first log information of the target system and the second log information corresponding to the IP address, analyzing both to obtain an analysis result, and judging from that result whether the IP address shows abnormal behaviour.
For example, when the analysis result indicates that the account behind the IP address has been stolen or that the IP address has been compromised by malicious software (for example in a distributed denial of service (DDoS) attack) and is initiating abnormal access requests, it is determined that the IP address shows abnormal behaviour.
It can be understood that if the IP address shows abnormal behaviour, its access request is determined to meet the preset blacklist criterion; the access request cannot then be processed, and step S103 is executed. If the IP address shows no abnormal behaviour, its access request is determined not to meet the preset blacklist criterion; the access request may be processed, and step S104 is executed.
Step S103: the access request for the IP address is denied.
In the specific implementation process of step S103, if the access request of the IP address meets the preset blacklist standard, the access request of the IP address is denied.
It will be appreciated that after rejecting the access request for the IP address, the IP address is blacklisted using the fort system. Analyzing access requests and log information corresponding to the IP address, acquiring attack information corresponding to the IP address, generating and sending an analysis report according to the attack information, wherein the attack information at least comprises an attack time period, an attack means and attack frequency.
In some embodiments, the single sign-on system may adjust the single sign-on system or firewall based on the analysis report to improve the security and resistance of the single sign-on system.
Step S104: responding to the access request corresponding to the IP address to access the corresponding target system.
In the specific implementation process of step S104, when the access amount of the IP address within the preset duration is within the preset range, or when the access request of the IP address does not meet the preset blacklist standard, the access request corresponding to the IP address is responded to access the corresponding target system.
It can be understood that whether the IP address is an intranet IP address is judged; if the IP address is an intranet IP address, accessing a corresponding target system according to the operation authority corresponding to the IP address in a system database of the single sign-on system, wherein the system database contains the operation authority of the user for each target system.
If the IP address is an external network IP address, responding to the access request according to the operation authority corresponding to the IP address in the system database, and accessing the corresponding target system through a preset isolation area, such as an isolation area (Demilitarized Zone, DMZ).
It should be noted that, a preset isolation area is set at the interface of the intranet and the extranet to isolate the extranet IP address, so that the extranet IP address accesses the internal service system through the preset isolation area.
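The flow of steps S101 to S104 described above, as an added Python sketch that is not the patent's own code: a rate policy that derives the preset range from the standard range and its fluctuation band, a bastion-side analysis of the first (target system) and second (IP address) log information, blacklisting with an analysis report, and routing by intranet or extranet origin. The intranet prefixes, the log format, the anomaly rule (many distinct accounts from one IP with a high failure ratio) and the "no recorded authority means deny" behaviour are assumptions made for the example, not details taken from the patent.

```python
from __future__ import annotations
from dataclasses import dataclass
import ipaddress
from typing import Iterable, Optional

# Assumption: the bank intranet is these prefixes; every other address is extranet.
INTRANET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]


@dataclass(frozen=True)
class RatePolicy:
    """S101: the preset range is the standard range widened by a fluctuation band."""
    standard_low: int    # lower bound of the standard range (accesses per window)
    standard_high: int   # upper bound of the standard range
    fluct_down: float    # allowed drop below standard_low, e.g. 0.30 for 30 %
    fluct_up: float      # allowed rise above standard_high, e.g. 0.40 for 40 %

    def preset_range(self) -> tuple[int, int]:
        # Patent example: standard 200..400 with 30 %/40 % fluctuation -> preset 140..560
        return (round(self.standard_low * (1 - self.fluct_down)),
                round(self.standard_high * (1 + self.fluct_up)))

    def within_range(self, access_count: int) -> bool:
        low, high = self.preset_range()
        return low <= access_count <= high


@dataclass(frozen=True)
class LogEntry:
    ts: int          # seconds since epoch
    ip: str
    account: str
    result: str      # "ok" or "fail"


def bastion_analysis(ip: str, first_log: Iterable[LogEntry], second_log: Iterable[LogEntry],
                     max_accounts: int = 5, max_fail_ratio: float = 0.5) -> Optional[dict]:
    """S102: bastion-side analysis of the target-system log (first) and the IP's log (second).
    Constructed rule: one IP touching many distinct accounts with a high failure ratio is
    abnormal (the patent's 'account stolen' case); returns the report fields or None."""
    entries = [e for e in [*first_log, *second_log] if e.ip == ip]
    if not entries:
        return None
    accounts = {e.account for e in entries}
    fail_ratio = sum(e.result == "fail" for e in entries) / len(entries)
    if len(accounts) >= max_accounts and fail_ratio >= max_fail_ratio:
        return {"attack_period": (min(e.ts for e in entries), max(e.ts for e in entries)),
                "attack_means": f"{len(accounts)} accounts tried, {fail_ratio:.0%} failed",
                "attack_frequency": len(entries)}
    return None


class SsoGate:
    """Single sign-on front door running S101-S104 for one access request."""

    def __init__(self, policies: dict, permissions: dict, blacklist: Iterable[str] = ()):
        self.policies = policies        # ip -> RatePolicy
        self.permissions = permissions  # ip -> {target system: operation authority}
        self.blacklist = set(blacklist)
        self.reports = []               # analysis reports produced in S103

    def handle(self, ip: str, target: str, access_count: int,
               first_log: Iterable[LogEntry], second_log: Iterable[LogEntry]) -> dict:
        if ip in self.blacklist:                               # blacklisted: refused outright
            return {"decision": "deny", "reason": "blacklisted"}
        if not self.policies[ip].within_range(access_count):   # S101: count out of range
            attack = bastion_analysis(ip, first_log, second_log)   # S102
            if attack is not None:                                 # S103
                self.blacklist.add(ip)
                self.reports.append({"ip": ip, **attack})
                return {"decision": "deny", "reason": "blacklist criterion met"}
        # S104: serve by operation authority; intranet goes direct, extranet via the DMZ.
        authority = self.permissions.get(ip, {}).get(target)
        if authority is None:   # assumption: no recorded authority means no access
            return {"decision": "deny", "reason": "no operation authority"}
        addr = ipaddress.ip_address(ip)
        path = "direct" if any(addr in net for net in INTRANET) else "via_dmz"
        return {"decision": "allow", "path": path, "authority": authority}


def demo() -> tuple[dict, dict, dict, dict]:
    """Constructed scenario: two intranet users and one extranet user, one-day window."""
    policy = RatePolicy(150, 200, 0.20, 0.10)   # patent's users A and B: 120..220 per day
    gate = SsoGate(
        policies={"10.1.2.3": policy, "10.1.2.4": policy, "203.0.113.7": policy},
        permissions={"10.1.2.3": {"loans": "read"}, "10.1.2.4": {"loans": "write"},
                     "203.0.113.7": {"loans": "read"}})
    # Constructed logs: 10.1.2.3 walks six accounts with five failures (abnormal), while
    # 203.0.113.7 is over its range but uses its own account successfully (a holiday peak).
    sso_log = [LogEntry(1000 + i, "10.1.2.3", f"emp{i}", "fail") for i in range(5)]
    sso_log.append(LogEntry(1005, "10.1.2.3", "emp5", "ok"))
    sso_log += [LogEntry(2000 + i, "203.0.113.7", "emp42", "ok") for i in range(3)]
    target_log: list[LogEntry] = []
    r1 = gate.handle("10.1.2.3", "loans", 400, target_log, sso_log)     # S101 -> S102 -> S103
    r2 = gate.handle("10.1.2.3", "loans", 1, target_log, sso_log)       # now on the blacklist
    r3 = gate.handle("203.0.113.7", "loans", 400, target_log, sso_log)  # S102 clears it -> DMZ
    r4 = gate.handle("10.1.2.4", "loans", 189, target_log, sso_log)     # within range -> direct
    return r1, r2, r3, r4
```

The second call for 10.1.2.3 shows why the blacklist check sits before the rate check: once the bastion analysis has fired, even a single further request is refused without re-running the analysis.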
In the embodiments of the invention, the single sign-on system centrally manages the access requests of the users behind each IP address, the bastion system separates illegal-attack access requests from merely abnormal ones and analyzes the details of the network attack, the single sign-on system's capability to recognize network attacks is improved, and its security is optimized.
Corresponding to the fort-machine-based identity authentication method provided by the embodiment of the invention, fig. 2 shows a structural block diagram of the fort-machine-based identity authentication device provided by the embodiment of the invention. The device comprises a first judging unit 201, a second judging unit 202, a rejecting unit 203 and an access unit 204.
The first judging unit 201 is configured, when an access request of an IP address corresponding to a user not on the blacklist is detected, to judge whether the access amount of the IP address within a preset duration is within a preset range, where the access amount is the number of times the IP address has accessed the single sign-on system. If the access amount within the preset duration is within the preset range, the access unit 204 is executed; if it exceeds the preset range, the second judging unit 202 is executed.
The second judging unit 202 is configured to judge, by means of the bastion system, whether the access request of the IP address meets the preset blacklist standard when the access amount exceeds the preset range. If the access request meets the preset blacklist standard, the rejecting unit 203 is executed; otherwise the access unit 204 is executed.
The rejecting unit 203 is configured to reject the access request of the IP address if the access request meets the preset blacklist standard.
The access unit 204 is configured to respond to the access request corresponding to the IP address and access the corresponding target system if the access amount is within the preset range or if the access request does not meet the preset blacklist standard.
In the embodiment of the invention, an extranet IP address is converted into a corresponding intranet IP address by means of the DMZ front-end area, which protects the security of the single sign-on system. The method detects the access amount of the IP address to the single sign-on system within the preset duration; for IP addresses whose access amount is within the normal range, intranet IP addresses access the service system directly, while extranet IP addresses access it through the preset isolation area. This further improves the security of the single sign-on system and its ability to defend itself.
Preferably, referring to fig. 3 in conjunction with fig. 2, which shows another block diagram of a bastion-machine-based identity authentication device according to an embodiment of the present invention, the access unit 204 includes a first judging module 2041, a first access module 2042 and a second access module 2043.
The first judging module 2041 is configured to judge whether the IP address is an intranet IP address. If it is, the first access module 2042 is executed; otherwise the second access module 2043 is executed.
The first access module 2042 is configured to access the target system corresponding to the access request according to the operation authority associated with the IP address in the system database if the IP address is an intranet IP address, where the system database holds each user's operation authority for every target system.
The second access module 2043 is configured to respond to the access request according to the operation authority associated with the IP address in the system database if the IP address is not an intranet IP address, so that the corresponding target system is accessed through the preset isolation area.
Preferably, in combination with fig. 2, the device further comprises a conversion unit configured to convert the IP address into a corresponding intranet IP address by means of the preset front area when the IP address is an extranet IP address.
Preferably, referring to fig. 4 in conjunction with fig. 2, which shows a further block diagram of a bastion-machine-based identity authentication device according to an embodiment of the present invention, the second judging unit 202 includes a collecting module 2021, an analysis module 2022, a second judging module 2023, a first determining module 2024 and a second determining module 2025.
The collecting module 2021 is configured to collect, by means of the bastion system, the first log information of the target system and the second log information corresponding to the IP address.
The analysis module 2022 is configured to analyse the first log information and the second log information to obtain an analysis result corresponding to the IP address.
The second judging module 2023 is configured to judge, based on the analysis result, whether the IP address exhibits abnormal behaviour. If it does, the first determining module 2024 is executed; otherwise the second determining module 2025 is executed.
The first determining module 2024 is configured to determine that the access request of the IP address meets the preset blacklist standard if the IP address exhibits abnormal behaviour.
The second determining module 2025 is configured to determine that the access request of the IP address does not meet the preset blacklist standard if the IP address does not exhibit abnormal behaviour.
Preferably, in combination with fig. 2, the device further comprises an adding unit and an analysis unit.
The adding unit is configured to add the IP address to the blacklist by means of the bastion system when the access request of the IP address meets the preset blacklist standard.
The analysis unit is configured to analyse the access request and the log information corresponding to the IP address, obtain the attack information corresponding to the IP address, and generate and send an analysis report according to the attack information, where the attack information comprises at least the attack time period, the attack means and the attack frequency.
In summary, the embodiment of the invention provides an identity authentication method and device based on a fort machine. When an access request of an IP address corresponding to a user who is not on the blacklist is detected, it is judged whether the access amount of the IP address within a preset duration is within a preset range. If the access amount exceeds the preset range, the bastion system is used to judge whether the access request of the IP address meets the preset blacklist standard; if it does, the access request is rejected. If the access amount is within the preset range, or if the access request does not meet the preset blacklist standard, the access request is responded to and the corresponding target system is accessed. Whether the access request is a normal one is thus checked by the preset range of the access amount and the preset blacklist standard. For a normal access request, the access path of an intranet IP address is distinguished from that of an extranet IP address, and extranet IP addresses are given isolated access through the preset isolation area. For an abnormal access request, the request is refused, the IP address is added to the blacklist, and the attack mode and other details of the IP address are monitored and analysed, so that the defensive capability and security of the single sign-on system are greatly improved.
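The decision flow summarised above, as an added example that is not part of the patent: a sliding-window count of an IP address's requests to the SSO system (the preset duration and preset range), a stand-in for the bastion system's log analysis that decides the blacklist standard, insertion into the blacklist, the operation-authority lookup, and routing of intranet addresses directly and extranet addresses via the DMZ. The intranet ranges, thresholds, permissions, log format and sample log lines are all constructed assumptions, and `attack_report` fills the report fields the analysis unit is said to produce.

```python
# Added example, not from the patent: a minimal model of its decision flow.
# All thresholds, address ranges, permissions and log lines are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Optional, Set

# Assumed intranet ranges; any other source is treated as an extranet IP address.
INTRANET = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

@dataclass
class Decision:
    action: str          # "allow" or "reject"
    path: Optional[str]  # "direct" (intranet), "dmz" (extranet), None when rejected
    reason: str

@dataclass
class SsoGate:
    """SSO entry point: access-amount check, bastion-side blacklist standard, routing."""
    window_seconds: int = 60     # the "preset duration"
    max_requests: int = 20       # upper bound of the "preset range"
    failed_login_limit: int = 5  # assumed abnormal-behaviour rule for the bastion check
    permissions: Dict[str, Set[str]] = field(default_factory=dict)  # ip -> target systems
    blacklist: Set[str] = field(default_factory=set)
    _hits: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    def _count_recent(self, ip: str, now: float) -> int:
        """Sliding-window count of this IP's requests to the SSO system."""
        q = self._hits[ip]
        q.append(now)
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        return len(q)

    def _bastion_abnormal(self, ip: str, target_logs: List[dict], ip_logs: List[dict]) -> bool:
        """Stand-in for the bastion system's analysis of target-system logs (first log info) and
        the IP's own logs (second log info): repeated failed logins or an unauthorised target."""
        mine = [e for e in target_logs + ip_logs if e["ip"] == ip]
        failed = sum(1 for e in mine if e["event"] == "login_failed")
        allowed = self.permissions.get(ip, set())
        unauthorised = any(e["target"] not in allowed for e in mine if e.get("target"))
        return failed >= self.failed_login_limit or unauthorised

    def handle(self, ip: str, target: str, now: float,
               target_logs: List[dict], ip_logs: List[dict]) -> Decision:
        if ip in self.blacklist:
            return Decision("reject", None, "blacklisted")
        if self._count_recent(ip, now) > self.max_requests:
            # Access amount exceeds the preset range: apply the blacklist standard.
            if self._bastion_abnormal(ip, target_logs, ip_logs):
                self.blacklist.add(ip)
                return Decision("reject", None, "over range with abnormal behaviour; blacklisted")
        # Within range, or over range but not abnormal: check authority, then route by network.
        if target not in self.permissions.get(ip, set()):
            return Decision("reject", None, "no operation authority for target")
        path = "direct" if any(ip_address(ip) in n for n in INTRANET) else "dmz"
        return Decision("allow", path, "ok")

def attack_report(ip: str, ip_logs: List[dict]) -> dict:
    """Report fields the text names: attack time period, attack means, attack frequency."""
    events = sorted((e for e in ip_logs if e["ip"] == ip), key=lambda e: e["ts"])
    if not events:
        return {"ip": ip, "period": None, "means": [], "frequency_per_min": 0.0}
    span = max(events[-1]["ts"] - events[0]["ts"], 1.0)  # seconds; avoids division by zero
    return {"ip": ip, "period": (events[0]["ts"], events[-1]["ts"]),
            "means": sorted({e["event"] for e in events}),
            "frequency_per_min": round(len(events) * 60.0 / span, 2)}

# Constructed sample log lines (not real data): two failed logins from one extranet IP.
SAMPLE_IP_LOGS = [
    {"ts": 0.0, "ip": "203.0.113.7", "event": "login_failed", "target": "crm"},
    {"ts": 30.0, "ip": "203.0.113.7", "event": "login_failed", "target": "crm"},
]
```

An IP that merely exceeds the range with clean logs is still served (through the DMZ when external); only the combination of excess volume and abnormal behaviour in the logs leads to rejection and blacklisting.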
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for a system or system embodiment, since it is substantially similar to a method embodiment, the description is relatively simple, with reference to the description of the method embodiment being made in part. The systems and system embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. An identity authentication method based on a fort machine, which is applied to a single sign-on system, wherein the single sign-on system is used for accessing each target system, and the method comprises the following steps:
when an access request of an IP address corresponding to a user who is not on a blacklist is detected, judging whether the access amount of the IP address within a preset duration is within a preset range, wherein the access amount is the number of times that the IP address accesses the single sign-on system;
if the access quantity exceeds the preset range, judging whether the access request of the IP address accords with a preset blacklist standard or not by utilizing a fort system;
if the access request of the IP address accords with the preset blacklist standard, rejecting the access request of the IP address;
if the access amount is within the preset range, or if the access request of the IP address does not meet the preset blacklist standard, responding to the access request corresponding to the IP address to access the corresponding target system;
wherein the determining, by the bastion system, whether the access request of the IP address meets a preset blacklist criterion includes:
collecting first log information of the target system and second log information corresponding to the IP address by using a fort system;
analyzing the first log information and the second log information to obtain an analysis result corresponding to the IP address;
judging whether the IP address has abnormal behaviors or not based on the analysis result;
if the IP address has abnormal behavior, determining that the access request of the IP address accords with a preset blacklist standard;
if the IP address does not have abnormal behavior, determining that the access request of the IP address does not accord with a preset blacklist standard.
2. The method of claim 1, wherein responding to the access request corresponding to the IP address to access the corresponding target system comprises:
judging whether the IP address is an intranet IP address or not;
if the IP address is an intranet IP address, accessing the target system corresponding to the access request according to the operation authority corresponding to the IP address in a system database, wherein the system database comprises the operation authority of the user for each target system;
and if the IP address is not the intranet IP address, responding to the access request according to the operation authority corresponding to the IP address in the system database so as to access the corresponding target system through a preset isolation area.
3. The method according to claim 1, wherein when an access request of an IP address corresponding to a user who is not on a blacklist is detected, determining whether an access amount of the IP address within a preset duration is within a preset range or not, further comprises:
when the IP address is an extranet IP address, converting the IP address into a corresponding intranet IP address by utilizing a preset front area.
4. The method of claim 1, wherein if the access request of the IP address meets the preset blacklist criteria, rejecting the access request of the IP address further comprises:
when the access request of the IP address accords with the preset blacklist standard, adding the IP address into a blacklist by utilizing the fort system;
analyzing the access request and the log information corresponding to the IP address, acquiring the attack information corresponding to the IP address, and generating and sending an analysis report according to the attack information, wherein the attack information at least comprises an attack time period, an attack means and attack frequency.
5. An identity authentication device based on a fort machine, which is applied to a single sign-on system, wherein the single sign-on system is used for accessing various target systems, and the device comprises:
the first judging unit is used for judging whether the access quantity of the IP address in the preset duration is in a preset range or not when the access request of the IP address corresponding to the user not in the blacklist is detected, wherein the access quantity is the number of times that the IP address accesses the single sign-on system;
the second judging unit is used for judging whether the access request of the IP address accords with a preset blacklist standard or not by utilizing a fort system if the access quantity exceeds the preset range;
a rejecting unit, configured to reject the access request of the IP address if the access request of the IP address meets the preset blacklist standard;
the access unit is used for responding to the access request corresponding to the IP address to access the corresponding target system if the access amount is within the preset range or if the access request of the IP address does not accord with the preset blacklist standard;
wherein the second judging unit includes:
the collecting module is used for collecting first log information of the target system and second log information corresponding to the IP address by using the fort system;
the analysis module is used for analyzing the first log information and the second log information to obtain an analysis result corresponding to the IP address;
the second judging module is used for judging whether the IP address has abnormal behaviors or not based on the analysis result;
the first determining module is used for determining that the access request of the IP address accords with a preset blacklist standard if the IP address has abnormal behaviors;
and the second determining module is used for determining that the access request of the IP address does not accord with the preset blacklist standard if the IP address does not have abnormal behavior.
6. The apparatus of claim 5, wherein the access unit comprises:
the first judging module is used for judging whether the IP address is an intranet IP address or not;
the first access module is used for accessing the target system corresponding to the access request according to the operation authority corresponding to the IP address in a system database if the IP address is an intranet IP address, wherein the system database comprises the operation authority of the user for each target system;
and the second access module is used for responding to the access request according to the operation authority corresponding to the IP address in the system database if the IP address is not the intranet IP address so as to access the corresponding target system through a preset isolation area.
7. The apparatus of claim 5, wherein the apparatus further comprises:
and the conversion unit is used for converting the IP address into a corresponding intranet IP address by utilizing a preset preposed area when the IP address is an extranet IP address.
8. The apparatus of claim 5, wherein the apparatus further comprises:
the adding unit is used for adding the IP address into a blacklist by utilizing the fort system when the access request of the IP address meets the preset blacklist standard;
the analysis unit is used for analyzing the access request and the log information corresponding to the IP address, acquiring the attack information corresponding to the IP address, generating and sending an analysis report according to the attack information, wherein the attack information at least comprises an attack time period, an attack means and attack frequency.
CN202210546317.XA 2022-05-19 2022-05-19 Identity authentication method and device based on fort machine Active CN114978670B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210546317.XA CN114978670B (en) 2022-05-19 2022-05-19 Identity authentication method and device based on fort machine

Publications (2)

Publication Number Publication Date
CN114978670A CN114978670A (en) 2022-08-30
CN114978670B true CN114978670B (en) 2024-03-01

Family

ID=82985904

Country Status (1)

Country Link
CN (1) CN114978670B (en)

Also Published As

Publication number Publication date
CN114978670A (en) 2022-08-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant