CN116032570A - Network access management method, device, electronic equipment and storage medium - Google Patents

Info

Publication number
CN116032570A
Authority
CN
China
Prior art keywords
access request
strategy
data
data access
policy
Prior art date
Legal status
Pending
Application number
CN202211620167.9A
Other languages
Chinese (zh)
Inventor
贺译册
余思阳
李发财
曹京卫
Current Assignee
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd

Abstract

The application provides a network access management method, a network access management device, an electronic device and a storage medium. The method comprises the following steps: receiving a data access request and determining whether the data access request matches an access control policy; if the data access request matches the access control policy, intercepting the data access request and generating a record; if the data access request does not match the access control policy, detecting whether the data access request matches the data analysis policy; and after the data access request is determined to match the data analysis policy, sending a response message corresponding to the data access request. The method solves the problem of security threats caused by enterprise data transmission.

Description

Network access management method, device, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a network access management method, a device, an electronic device, and a storage medium.
Background
The application of computer and information network technologies is becoming increasingly widespread, and with the popularization of networks, network security has become an important factor affecting network performance. Data is the most valuable resource in a network, and data security is one of the important problems to be considered in the healthy, information-based development of enterprises.
At present, enterprises typically deploy a point of presence (POP) inline at the Internet egress; the POP provides links to external services and sites, or to Software-as-a-Service (SaaS) on public or private clouds. SaaS is a mode of providing software through the Internet: a network security vendor deploys application software centrally on its own servers, the enterprise orders the application services it needs from the vendor through the Internet according to its actual demand, pays the vendor according to the number and duration of the ordered services, and obtains the services through the Internet. When the enterprise uses SaaS software, the enterprise data is stored in the vendor's data center; the vendor ensures security during data access, and all data access is recorded and audited regularly.
Under the data access monitoring of the prior art, there are still situations in which an enterprise's encrypted data is sent out without being monitored, and the security of the enterprise data is threatened.
Disclosure of Invention
The application provides a network access management method, a device, an electronic device and a storage medium, which are used to solve the security threat problem caused by the outward transmission of enterprise encrypted data.
In a first aspect, the present application provides a network access management method, including:
receiving a data access request and determining whether the data access request matches an access control policy;
if the data access request matches the access control policy, intercepting the data access request and generating a record;
if the data access request does not match the access control policy, detecting whether the data access request matches the data analysis policy;
and after the data access request is determined to match the data analysis policy, sending a response message corresponding to the data access request.
Optionally, after determining that the data access request matches the data analysis policy, the method further comprises:
training a security threat model according to the data access request;
and updating the access control policy and the data analysis policy using the security threat model.
Optionally, after updating the access control policy and the data analysis policy, the method further includes:
receiving a first Internet access policy management instruction, wherein the first Internet access policy management instruction comprises the updated access control policy and data analysis policy;
and configuring the Internet access policy according to the first Internet access policy management instruction.
Optionally, training the security threat model according to the data access request includes:
determining that the data access request is encrypted traffic, and training the security threat model after extracting features from the data access request.
Optionally, before receiving the data access request, the method further includes:
receiving a second Internet access policy management instruction, wherein the second Internet access policy management instruction comprises an access control policy and a data analysis policy;
and configuring the Internet access policy according to the second Internet access policy management instruction.
Optionally, before receiving the second Internet access policy management instruction, the method further includes:
receiving security resource configuration information;
performing security resource orchestration according to the security resource configuration information;
and configuring the security resources according to the orchestration result.
In a second aspect, the present application provides a network access management apparatus, the apparatus comprising:
the receiving module is used for receiving the data access request and judging whether the data access request accords with the access control strategy or not;
the interception module is used for intercepting the data access request and generating a record if the data access request accords with the access control strategy;
the detection module is used for detecting whether the data access request accords with the data analysis strategy or not if the data access request does not accord with the access control strategy;
and the sending module is used for sending a response message corresponding to the data access request after determining that the data access request accords with the data analysis strategy.
In a third aspect, the present application provides an electronic device, comprising: a memory and a processor;
the memory is used for storing a computer program;
the processor is configured to execute a computer program stored in the memory, and implement the network access management method in the first aspect and any embodiment of the first aspect.
In a fourth aspect, the present application provides a computer readable storage medium, in which a computer program is stored, which when executed by a processor, implements the network access management method in the first aspect and any one of the embodiments of the first aspect.
In a fifth aspect, the present application provides a computer program product comprising a computer program which, when executed by a processor, implements the network access management method of the first aspect and any one of the embodiments of the first aspect.
After receiving a data access request, the network access management method, device, electronic device and storage medium provided by the application check the data access request against the access control policy and the data analysis policy. If the data access request matches the access control policy, the data access request is intercepted and a record is generated; if the data access request does not match the access control policy, it is detected whether the data access request matches the data analysis policy. After the data access request is determined to match the data analysis policy, a response message corresponding to the data access request is sent. The method can solve the security threat problem caused by the outward sending of enterprise encrypted data.
Drawings
For a clearer description of the present application or of the prior art, the drawings that are used in the description of the embodiments or of the prior art will be briefly described, it being apparent that the drawings in the description below are some embodiments of the present application, and that other drawings may be obtained from these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic view of a network access management scenario according to an embodiment of the present application;
Fig. 2 is a flowchart of a network access management method according to an embodiment of the present application;
Fig. 3 is a flowchart of another network access management method according to an embodiment of the present application;
Fig. 4 is a schematic diagram of an Internet access policy management system according to an embodiment of the present application;
Fig. 5 is a signaling interaction diagram of a network access management method according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a network access management device according to an embodiment of the present application;
Fig. 7 is a schematic hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the present application more apparent, the technical solutions in the present application will be clearly and completely described below with reference to the drawings in the present application, and it is apparent that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
The terms first, second, third, fourth and the like in the description and in the claims of the present application and in the above-described figures, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged where appropriate. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope herein.
The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
Furthermore, as used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context indicates otherwise.
It will be further understood that the terms "comprises," "comprising," "includes," and/or "including" specify the presence of stated features, steps, operations, elements, components, items, categories, and/or groups, but do not preclude the presence or addition of one or more other features, steps, operations, elements, components, items, categories, and/or groups.
The terms "or" and "and/or" as used herein are to be construed as inclusive, meaning any one or any combination. Thus, "A, B or C" or "A, B and/or C" means any of the following: A; B; C; A and B; A and C; B and C; A, B and C. An exception to this definition will occur only when a combination of elements, functions, steps or operations is in some way inherently mutually exclusive.
Data security is one of the important issues to be considered in the healthy, information-based development of enterprises.
In order to ensure data security, an enterprise typically deploys a POP inline at its Internet egress, where the POP provides links to external services and sites, or deploys SaaS on public and private clouds, stores enterprise data in the data center of a network security vendor, and the vendor records and periodically audits all data access to ensure security during data access.
When the Internet access policy management system is deployed at the enterprise Internet egress as hardware, resource allocation cannot be adjusted dynamically, and for enterprises with many offices across the country the network provisioning and hardware costs are relatively high.
When the Internet access policy management system is deployed in the cloud as a SaaS service, for enterprises whose offices are distributed across the country the latency introduced by traffic convergence and the security control policy seriously affects the normal Internet access and office efficiency of enterprise users. Moreover, even with data access monitored in this way, there are still situations in which an enterprise's encrypted data is sent out without being monitored, and the security of the enterprise data is threatened.
In view of the above problems, the present application proposes a network access management method, a device, an electronic device, and a storage medium. After receiving a data access request, the method checks the data access request against the access control policy and the data analysis policy. If the data access request matches the access control policy, the data access request is intercepted and a record is generated; if the data access request does not match the access control policy, it is detected whether the data access request matches the data analysis policy. After the data access request is determined to match the data analysis policy, a response message corresponding to the data access request is sent. Because data access is monitored with both the access control policy and the data analysis policy, the security threat problem caused by the outward transmission of enterprise encrypted data is solved.
The technical scheme of the present application is described in detail below with specific examples. The following embodiments may be combined with each other, and some embodiments may not be repeated for the same or similar concepts or processes.
Fig. 1 is a schematic view of a network access management scenario according to an embodiment of the present application. As shown in fig. 1, when a user accesses internet data through a computer, a background server detects the data access through a network access policy management system, and returns a corresponding response message after determining that the data access accords with a preset network access policy.
In the present application, the network access management method of the following embodiment is executed with the electronic device as an execution subject. In particular, the execution body may be a hardware device of the electronic apparatus, or a software application implementing the embodiments described below in the electronic apparatus, or a computer-readable storage medium on which the software application implementing the embodiments described below is installed, or code of the software application implementing the embodiments described below.
Fig. 2 shows a flowchart of a network access management method according to an embodiment of the present application. As shown in fig. 2, with the electronic device as an execution body, the method of the present embodiment may include the following steps:
S201, receiving a data access request and determining whether the data access request matches an access control policy.
In this embodiment, the data access request may be generated by the user terminal accessing the internet.
S202, if the data access request accords with the access control strategy, intercepting the data access request and generating a record.
In this embodiment, the access control policy is used to check the data access request: if the data access request hits the access control policy, the data access request is for restricted content, and the electronic device intercepts the data access request and generates a record.
S203, if the data access request does not accord with the access control policy, detecting whether the data access request accords with the data analysis policy.
In this embodiment, the data analysis policy is used to perform data analysis on the data access request, and detect whether the data access request is safe and compliant. If the data access request is not hit in the access control strategy, the data access request is further detected according to the data analysis strategy.
S204, after the data access request is determined to accord with the data analysis strategy, a response message corresponding to the data access request is sent.
In this embodiment, if the data access request hits the data analysis policy, it may be recorded and then a corresponding response message is returned. In this embodiment, a data access request hitting the data analysis policy is recorded without restricting the access request.
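The two-stage check of steps S201 to S204 (access control policy first, data analysis policy only for requests that miss it) can be written out as a small policy control gateway. The code below is an added illustration, not the patent's own code; the request fields, the rule format (host glob, port, encrypted flag, length bounds), the sample policies in build_example_gateway() and the fail-closed default for requests matching neither policy are all assumptions constructed for this example.

```python
"""Two-stage check of a data access request by a policy control gateway (steps S201-S204).

Added illustration, not the patent's own code. The request fields, the rule
format (host glob, port, encrypted flag, length bounds) and the sample policies
in build_example_gateway() are assumptions constructed for this example.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional


@dataclass
class DataAccessRequest:
    user: str
    dest_host: str
    dest_port: int
    encrypted: bool        # True when the request is TLS-encrypted traffic
    payload_len: int       # bytes the client is about to send


@dataclass
class Decision:
    action: str            # "intercept" (S202) or "respond" (S204)
    hit_rule: Optional[str]
    record: dict


def _match(policy: List[dict], req: DataAccessRequest) -> Optional[dict]:
    """Return the first rule whose conditions all hold for the request, else None.
    Every condition is optional; an absent key does not constrain the match."""
    for rule in policy:
        if "host" in rule and not fnmatch(req.dest_host, rule["host"]):
            continue
        if "port" in rule and req.dest_port != rule["port"]:
            continue
        if "encrypted" in rule and req.encrypted != rule["encrypted"]:
            continue
        if "min_len" in rule and req.payload_len < rule["min_len"]:
            continue
        if "max_len" in rule and req.payload_len > rule["max_len"]:
            continue
        return rule
    return None


class PolicyControlGateway:
    def __init__(self, access_control_policy: List[dict], data_analysis_policy: List[dict]):
        # Access control policy: a hit means restricted content -> intercept and record.
        self.access_control_policy = access_control_policy
        # Data analysis policy: a hit means the request is safe and compliant -> record and respond.
        self.data_analysis_policy = data_analysis_policy
        self.records: List[dict] = []

    def _record(self, action: str, req: DataAccessRequest, rule: Optional[dict]) -> dict:
        rec = {"seq": len(self.records) + 1, "action": action, "user": req.user,
               "dest": f"{req.dest_host}:{req.dest_port}", "encrypted": req.encrypted,
               "payload_len": req.payload_len, "rule": rule["name"] if rule else None}
        self.records.append(rec)
        return rec

    def handle(self, req: DataAccessRequest) -> Decision:
        # S201/S202: check the access control policy first.
        rule = _match(self.access_control_policy, req)
        if rule is not None:
            return Decision("intercept", rule["name"], self._record("intercept", req, rule))
        # S203/S204: only requests that miss the access control policy reach the data analysis policy.
        rule = _match(self.data_analysis_policy, req)
        if rule is not None:
            return Decision("respond", rule["name"], self._record("respond", req, rule))
        # Neither policy matched. The patent does not say what happens here; this example
        # assumes a fail-closed default so that unclassified traffic is not released.
        return Decision("intercept", None, self._record("intercept", req, None))


def build_example_gateway() -> PolicyControlGateway:
    """Constructed sample policies, not taken from the patent."""
    access_control_policy = [
        {"name": "block-paste-sites", "host": "*.pastebin.example"},
        {"name": "block-large-encrypted-upload", "encrypted": True, "min_len": 1_000_000},
    ]
    data_analysis_policy = [
        {"name": "allow-approved-saas", "host": "*.saas.example", "port": 443},
        {"name": "allow-small-https", "port": 443, "max_len": 200_000},
    ]
    return PolicyControlGateway(access_control_policy, data_analysis_policy)


if __name__ == "__main__":
    gw = build_example_gateway()
    for req in [DataAccessRequest("alice", "files.pastebin.example", 443, True, 1_200),
                DataAccessRequest("bob", "mail.saas.example", 443, True, 50_000),
                DataAccessRequest("carol", "cdn.other.example", 443, True, 5_000_000),
                DataAccessRequest("dave", "api.other.example", 8443, True, 300)]:
        d = gw.handle(req)
        print(d.action, d.hit_rule, d.record["seq"])
```

Both branches write a record, so the audit trail covers intercepted and released requests alike, which is what step S204 requires of requests that hit the data analysis policy. The order of the two checks matters: a request that is both restricted and "compliant-looking" is intercepted because the access control policy is consulted first.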
In an example, before step S201, the method further includes:
receiving security resource configuration information; performing security resource orchestration according to the security resource configuration information; and configuring the security resources according to the orchestration result.
In this example, the security resource configuration information refers to the security resource requirements of a user; after receiving the security resource requirements, the electronic device performs security resource orchestration and scheduling, and configures the security resources.
In this way, data isolation among different SaaS tenants can be achieved, traffic steering can be allocated for enterprises whose offices are distributed across regions, security resources can be allocated according to user requirements, and the network latency caused by traffic steering can be resolved.
In an example, before step S201, the method further includes:
receiving a second Internet access policy management instruction, wherein the second Internet access policy management instruction comprises an access control policy and a data analysis policy; and configuring the Internet access policy according to the second Internet access policy management instruction.
In this example, the second Internet access policy management instruction is used to instruct the electronic device to configure the Internet access policy, and different Internet access policy management instructions may be set up by the user according to requirements. Because the Internet access policy is configured according to the second Internet access policy management instruction, the Internet access policy can meet the user's requirements, and the detection result for the data access request also meets the user's management requirements.
According to the network access management method, the access control policy and the data analysis policy are applied in sequence to check the data access request and the corresponding processing is taken, so that the security threat caused by enterprise encrypted data being sent out is addressed.
Fig. 3 is a flowchart of another network access management method according to an embodiment of the present application. Based on the embodiment of fig. 2, this embodiment can also update the internet policy to obtain the effect of accurately detecting the data access request. As shown in fig. 3, with the electronic device as an execution body, the method of the present embodiment may include the following steps:
S301, training a security threat model according to the data access request.
In this embodiment, the data access request refers to a data access request that does not conform to the access control policy but conforms to the data analysis policy after being detected according to the access control policy and the data analysis policy. Recording the data access requests, and when the number of the recorded data access requests reaches a preset threshold, carrying out security threat modeling and algorithm training by adopting the data access requests through a machine learning algorithm. The new data access request may also be used for model iteration when recording updates.
In one example, the data access request is determined to be encrypted traffic, and a security threat model is trained after feature extraction is performed on the data access request.
In this example, the feature extraction may be a uniform resource locator (Uniform Resource Locator, URL), a transport layer security protocol (Transport Layer Security, TLS) handshake information, a data packet length, a time, a feature distribution, and the like, where the TLS handshake information may include a cipher suite, a version, a cipher length, and the like, which may be understood with reference to the prior art, and not described in detail in this example.
S302, updating an access control strategy and a data analysis strategy by adopting a security threat model.
In this embodiment, the security threat model is iteratively updated, and adjustments are continuously made to the access control policy and the data analysis policy.
S303, receiving a first Internet access policy management instruction, wherein the first Internet access policy management instruction comprises the updated access control policy and data analysis policy.
S304, configuring the Internet access policy according to the first Internet access policy management instruction.
In this embodiment, the first Internet access policy management instruction is used to instruct the electronic device to reconfigure the Internet access policy according to the updated access control policy and data analysis policy.
According to the network access management method, the access control strategy and the data analysis strategy are updated by establishing the security threat model, so that the access control strategy and the data analysis strategy are more accurate when used for detecting the data access request, and the security risk caused by the fact that enterprise encrypted data are sent out is further reduced.
Fig. 4 is a schematic diagram of an internet policy management system according to an embodiment of the present application. As shown in fig. 4, the internet policy management system includes a security capability orchestrator and a security capability resource pool, where the security capability resource pool includes a plurality of sub-resource pools, and each sub-resource pool includes an internet policy management subsystem, a data center, and a policy control gateway.
The security capability resource pool is used for providing computing resources and storage resources required by installation and deployment for the policy control gateway and the data center in a server centralized deployment mode, and realizing data isolation among different tenants. The resource pool is distributed in the data machine room of each place to serve enterprise or branch office users of the area in a nearby principle.
The Internet access policy management subsystem is a business subsystem that manages policies for the Internet behaviour of an enterprise's employees; its main functions include employee information management, Internet access policy management, data leakage prevention and security audit.
Fig. 5 is a signaling interaction diagram of a network access management method according to an embodiment of the present application. As shown in fig. 5, when the internet policy management system is applied to network access management, the method may include the following steps:
S501, a user sends security resource configuration information to the security capability orchestrator through a server.
In this embodiment, the security resource configuration information refers to the user's security resource requirements and the basic information required for configuration, such as user equipment information.
Optionally, the internet policy management system has an operable interface or data transfer interface through which information may be sent.
S502, the security capability orchestrator orchestrates and schedules the security resources according to the security resource configuration information.
In this embodiment, the security capability orchestrator may perform resource orchestration and scheduling by matching the user information against the resource pool information. For example, the user's location is matched to the location of a resource pool, and the user's security resource needs are matched to the services that the resource pool can provide.
S503, the security capability orchestrator sends a resource configuration instruction to the sub-resource pool.
S504, the sub-resource pool configures the security resources according to the orchestration result.
In this embodiment, the resource allocation instruction may include the scheduling result, so that the sub-resource pool is configured according to the result.
S505, the sub-resource pool returns the configuration result to the server used by the user through the security capability orchestrator.
In this embodiment, the returned configuration result indicates that the resource configuration is successful.
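Steps S501 to S505 describe the orchestrator matching a user's requirements against the sub-resource pools and the chosen pool reporting back a configuration result. The following is an added example of that exchange, not code from the patent: the pool inventory, the region names, the service names, the capacity counter used for tenant isolation, and the neighbour list used for the "nearby" fallback are all constructed assumptions.

```python
"""Security resource orchestration (S501-S505): match a user's security resource
configuration information to a sub-resource pool and configure it.

Added example, not the patent's own code. Pools, regions, service names, the
per-pool capacity counter and the region neighbour list are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class SubResourcePool:
    pool_id: str
    region: str
    services: Set[str]     # security services this pool can provide
    free_slots: int        # tenant-isolated deployment slots still available (assumed model)


@dataclass
class SecurityResourceConfig:
    """The security resource configuration information sent in S501."""
    tenant: str
    region: str            # where the user's office is located
    required_services: Set[str]


class SecurityCapabilityOrchestrator:
    def __init__(self, pools: List[SubResourcePool], region_neighbors: Dict[str, List[str]]):
        self.pools: Dict[str, SubResourcePool] = {p.pool_id: p for p in pools}
        # region -> ordered list of fallback regions, nearest first (assumption for the example)
        self.neighbors = region_neighbors

    def orchestrate(self, cfg: SecurityResourceConfig) -> Optional[dict]:
        """S502: candidate pools must offer every required service and have capacity;
        prefer the user's own region, then its listed neighbours (the 'nearby' principle).
        Returns the resource configuration instruction of S503, or None if nothing fits."""
        candidates = [p for p in self.pools.values()
                      if cfg.required_services <= p.services and p.free_slots > 0]
        if not candidates:
            return None
        order = [cfg.region] + self.neighbors.get(cfg.region, [])

        def rank(p: SubResourcePool) -> int:
            return order.index(p.region) if p.region in order else len(order)

        chosen = min(candidates, key=lambda p: (rank(p), p.pool_id))
        return {"pool_id": chosen.pool_id, "region": chosen.region,
                "tenant": cfg.tenant, "services": sorted(cfg.required_services)}


def configure_sub_pool(pools: Dict[str, SubResourcePool], instruction: dict) -> dict:
    """S504/S505: the sub-resource pool reserves a slot for the tenant according to the
    orchestration result and returns the configuration result to the orchestrator."""
    pool = pools[instruction["pool_id"]]
    if pool.free_slots == 0:
        return {"status": "failed", "pool_id": pool.pool_id, "reason": "no capacity"}
    pool.free_slots -= 1
    return {"status": "success", "pool_id": pool.pool_id, "tenant": instruction["tenant"]}


def build_example_pools() -> List[SubResourcePool]:
    """Constructed inventory of sub-resource pools (sample data, not from the patent)."""
    return [
        SubResourcePool("pool-bj", "beijing", {"policy-gw", "dlp", "audit"}, free_slots=2),
        SubResourcePool("pool-sh", "shanghai", {"policy-gw", "dlp"}, free_slots=1),
        SubResourcePool("pool-gz", "guangzhou", {"policy-gw", "dlp", "audit"}, free_slots=0),
    ]


if __name__ == "__main__":
    orch = SecurityCapabilityOrchestrator(build_example_pools(),
                                          {"shanghai": ["guangzhou", "beijing"]})
    cfg = SecurityResourceConfig("acme-sh", "shanghai", {"policy-gw", "dlp", "audit"})
    instruction = orch.orchestrate(cfg)        # S502/S503
    print(instruction)
    print(configure_sub_pool(orch.pools, instruction))   # S504/S505
```

In the sample data the Shanghai user who needs an audit service cannot be served by the local pool (no audit) or by Guangzhou (no capacity), so the orchestrator falls back to Beijing; a second Shanghai user needing only the policy gateway stays local.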
S506, the user sends a second Internet access policy management instruction to the Internet access policy management subsystem through the server, wherein the second Internet access policy management instruction comprises an access control policy and a data analysis policy.
In this embodiment, the user may access the Internet access policy management subsystem through the operable interface or the data transfer interface, send the second Internet access policy management instruction to the Internet access policy management subsystem, and may also send the resource configuration information.
S507, the Internet access policy management subsystem sends the Internet access policy to the policy control gateway.
In this embodiment, the internet access policy is an access control policy and a data analysis policy.
S508, the policy control gateway configures the Internet access policy according to the second Internet access policy management instruction.
In this embodiment, the policy control gateway configures an access control policy and a data analysis policy, so as to facilitate management of network access according to the access control policy and the data analysis policy.
S509, the policy control gateway returns a configuration result to the Internet access policy management subsystem.
In this embodiment, after the policy control gateway has configured the Internet access policy, the configuration result may be fed back to the Internet access policy management subsystem.
In this embodiment, when the network access management system performs network access management, the policy control gateway may manage the data access request according to the access control policy and the data analysis policy.
For a data access request that misses the access control policy and hits the data analysis policy, the policy control gateway may send the data access request to the Internet access policy management subsystem and then return the response message corresponding to the data access request.
After receiving the data access request, the Internet access policy management subsystem determines whether the data access request is encrypted traffic. If so, data features are extracted by an encrypted traffic analysis component, the data features including the URL, TLS handshake information, data packet length, time, feature distribution and the like; threat modeling, algorithm training and model iteration are then performed on the encrypted traffic based on a machine learning algorithm, so as to update the access control policy and the data analysis policy. This process can be understood with reference to the prior art and is not described in detail herein.
The Internet access policy management subsystem sends the updated policy to the policy control gateway, forming a closed loop of security service.
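The feature extraction named in step S301 and in the Fig. 5 description (URL/SNI, TLS handshake information such as version and cipher suites, packet length, time) can be demonstrated on a TLS ClientHello, since that is where the handshake parameters of encrypted traffic are visible without decryption. The code below is an added example, not the patent's code: the record layout parsed is the standard TLS ClientHello with the server_name extension, the sample ClientHello bytes are constructed by build_client_hello(), and the threshold-triggered "training" in EncryptedTrafficAnalyzer is a simple per-host baseline standing in for the patent's unspecified machine-learning step.

```python
"""Feature extraction from encrypted traffic and threshold-triggered policy update
(S301/S302 and the encrypted traffic analysis component of Fig. 5).

Added illustration, not the patent's own code. The record layout parsed here is the
standard TLS ClientHello with the server_name extension; the sample ClientHello bytes
are constructed by build_client_hello(), and the per-host baseline in train() is a
simple stand-in for the unspecified machine-learning step.
"""
import struct
from collections import defaultdict
from statistics import mean
from typing import Dict, List, Optional


def build_client_hello(sni: str, suites: List[int], version: int = 0x0303) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not captured traffic)."""
    name = sni.encode("ascii")
    server_name_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    extensions = struct.pack("!HH", 0, len(server_name_list)) + server_name_list  # type 0 = server_name
    hello = (struct.pack("!H", version) + bytes(32)            # version, client random
             + b"\x00"                                         # empty session id
             + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
             + b"\x01\x00"                                     # one compression method: null
             + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Extract version, cipher suites, SNI and record length from a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                                   # skip client random
    pos += 1 + hello[pos]                          # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                          # skip compression methods
    sni: Optional[str] = None
    if pos + 2 <= len(hello):
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if ext_type == 0:                      # server_name: list len(2), type(1), name len(2), name
                name_len = struct.unpack("!H", hello[pos + 3:pos + 5])[0]
                sni = hello[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    return {"version": version, "cipher_suites": suites, "sni": sni, "record_len": len(record)}


class EncryptedTrafficAnalyzer:
    """Collects feature vectors from recorded requests; once the preset threshold is reached,
    derives a per-host baseline and turns it into updated data analysis rules."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.samples: List[dict] = []
        self.baseline: Dict[str, dict] = {}

    def observe(self, record: bytes, ts: float) -> dict:
        features = parse_client_hello(record)
        features["time"] = ts                      # arrival time is one of the listed features
        self.samples.append(features)
        if len(self.samples) >= self.threshold:    # preset threshold triggers (re)training
            self.train()
        return features

    def train(self) -> None:
        """Stand-in for model training: per-SNI mean record length plus the set of
        cipher suites and versions seen in the recorded compliant traffic."""
        by_host = defaultdict(list)
        for f in self.samples:
            by_host[f["sni"]].append(f)
        self.baseline = {
            host: {"mean_len": mean(f["record_len"] for f in fs),
                   "suites": set().union(*(set(f["cipher_suites"]) for f in fs)),
                   "versions": {f["version"] for f in fs}}
            for host, fs in by_host.items()}

    def policy_update(self) -> List[dict]:
        """Updated data analysis rules derived from the baseline (S302)."""
        return [{"name": f"learned-{host}", "host": host,
                 "versions": sorted(b["versions"]), "suites": sorted(b["suites"])}
                for host, b in sorted(self.baseline.items())]


if __name__ == "__main__":
    analyzer = EncryptedTrafficAnalyzer(threshold=3)
    analyzer.observe(build_client_hello("mail.saas.example", [0x1301, 0x1302]), 1.0)
    analyzer.observe(build_client_hello("mail.saas.example", [0x1301]), 2.0)
    analyzer.observe(build_client_hello("files.saas.example", [0xC02F], version=0x0301), 3.0)
    print(analyzer.policy_update())
```

The parser deliberately reads only the cleartext handshake fields, which is exactly the visibility a gateway has on encrypted traffic it does not decrypt; a production feature extractor would also need to handle fragmented records and TLS 1.3's supported_versions extension, which this sample does not.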
According to the method, resource orchestration and scheduling is performed by the security capability orchestrator and issued to the policy control gateway; the Internet access requirements and regional attributes of enterprise users can be combined to provide users with a dynamic, elastic and customized Internet access policy management subsystem and data center, solving the problems of secure network access requirements, compliance requirements and the latency caused by deploying the users' Internet access policies. The problem of data leakage caused by enterprise employees encrypting data and sending it out can also be solved.
Fig. 6 is a schematic structural diagram of a network access management apparatus according to an embodiment of the present application. As shown in Fig. 6, the network access management apparatus 60 of this embodiment is configured to implement the operations corresponding to the electronic device in any of the above method embodiments, and includes:
a receiving module 601, configured to receive a data access request, and determine whether the data access request meets an access control policy;
the interception module 602 is configured to intercept the data access request and generate a record if the data access request meets the access control policy;
a detection module 603, configured to detect whether the data access request accords with the data analysis policy if the data access request does not accord with the access control policy;
and the sending module 604 is configured to send a response message corresponding to the data access request after determining that the data access request accords with the data analysis policy.
The network access management device 60 provided in the embodiment of the present application may execute the above-mentioned method embodiment, and the specific implementation principle and technical effects of the method embodiment may be referred to the above-mentioned method embodiment, which is not described herein again.
Fig. 7 shows a schematic hardware structure of an electronic device according to an embodiment of the present application. As shown in Fig. 7, the electronic device 70 is configured to implement the operations corresponding to the electronic device in any of the above method embodiments, and the electronic device 70 of this embodiment may include: a memory 701 and a processor 702.
The memory 701 is used for storing a computer program. The memory 701 may include a high-speed random access memory (Random Access Memory, RAM), and may further include a non-volatile memory (Non-Volatile Memory, NVM), such as at least one magnetic disk memory; it may also be a USB flash drive (U-disk), a removable hard disk, a read-only memory, a magnetic disk, or an optical disk.
A processor 702 for executing the computer program stored in the memory to implement the network access management method in the above embodiment. Reference may be made in particular to the relevant description of the embodiments of the method described above. The processor 702 may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the present invention may be embodied directly in a hardware processor for execution, or in a combination of hardware and software modules in a processor for execution.
Alternatively, the memory 701 may be separate or integrated with the processor 702.
When the memory 701 is a separate device from the processor 702, the electronic device 70 may also include a bus. The bus is used to connect the memory 701 and the processor 702. The bus may be an industry standard architecture (Industry Standard Architecture, ISA) bus, an external device interconnect (Peripheral Component Interconnect, PCI) bus, or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, among others. The buses may be divided into address buses, data buses, control buses, etc. For ease of illustration, the buses in the drawings of the present application are not limited to only one bus or one type of bus.
The electronic device 70 may also include a communication interface that may be coupled to the processor 702 via a bus. The processor 702 may control the communication interface to perform the functions of receiving and transmitting signals.
The electronic device provided in this embodiment may be used to execute the above network access management method, and its implementation manner and technical effects are similar, and this embodiment is not repeated here.
The present application also provides a computer readable storage medium storing a computer program or instructions which, when executed by a processor, implement the methods provided by the various embodiments described above.
The computer readable storage medium may be a computer storage medium or a communication medium. Communication media include any medium that facilitates transfer of a computer program from one place to another. Computer storage media may be any available media that can be accessed by a general-purpose or special-purpose computer. For example, a computer readable storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Alternatively, the computer readable storage medium may be integral to the processor. The processor and the computer readable storage medium may reside in an application-specific integrated circuit (ASIC), and the ASIC may reside in a user device. The processor and the computer readable storage medium may also reside as discrete components in a communication device.
In particular, the computer readable storage medium may be implemented by any type or combination of volatile or non-volatile memory devices, such as static random-access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, or a magnetic or optical disk. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
The present application also provides a computer program product comprising a computer program or instructions stored in a computer readable storage medium. At least one processor of a device may read the computer program or instructions from the computer readable storage medium, and execution of the computer program or instructions by the at least one processor causes the device to perform the methods provided by the various embodiments described above.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into modules is merely a division by logical function, and an actual implementation may divide them differently, e.g. multiple modules may be combined or integrated into another system, or some features may be omitted or not performed. The mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via some interfaces, devices or modules, and may be electrical, mechanical or of another form.
The individual modules may be physically separated, e.g. mounted in different locations of one device, mounted on different devices, distributed over a plurality of network elements, or distributed over a plurality of processors. The modules may also be integrated together, e.g. mounted in the same device or integrated into one body of code. The modules may exist in hardware, in software, or in a combination of software and hardware. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiments.
It should be understood that, although the steps in the flowcharts of the above embodiments are shown in sequence as indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the order of the steps is not strictly limited and they may be performed in other orders. Moreover, at least some of the steps in the figures may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and their order of execution is not necessarily sequential: they may be performed in turn or alternately with other steps, or with at least part of the sub-steps or stages of other steps.
It should be noted that the user information (including but not limited to user equipment information and user personal information) and the data (including but not limited to data used for analysis, stored data and presented data) involved in the present application are information and data authorized by the user or fully authorized by each party; the collection, use and processing of such data must comply with the relevant laws, regulations and standards of the relevant country and region, and corresponding operation entries must be provided for the user to grant or refuse authorization.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present application and not to limit it. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications and substitutions do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present application.

Claims (10)

1. A network access management method, comprising:
receiving a data access request and judging whether the data access request conforms to an access control policy;
if the data access request conforms to the access control policy, intercepting the data access request and generating a record;
if the data access request does not conform to the access control policy, detecting whether the data access request conforms to a data analysis policy;
and after determining that the data access request conforms to the data analysis policy, sending a response message corresponding to the data access request.
2. The method of claim 1, wherein after said determining that the data access request conforms to the data analysis policy, the method further comprises:
training a security threat model according to the data access request;
and updating the access control policy and the data analysis policy by means of the security threat model.
3. The method of claim 2, wherein after the updating of the access control policy and the data analysis policy, the method further comprises:
receiving a first internet access policy management instruction, wherein the first internet access policy management instruction comprises the updated access control policy and data analysis policy;
and configuring an internet access policy according to the first internet access policy management instruction.
4. The method of claim 2, wherein training a security threat model according to the data access request comprises:
determining that the data access request is encrypted traffic, extracting features from the data access request, and training the security threat model on the extracted features.
5. The method of claim 1, wherein before receiving the data access request, the method further comprises:
receiving a second internet access policy management instruction, wherein the second internet access policy management instruction comprises the access control policy and the data analysis policy;
and configuring an internet access policy according to the second internet access policy management instruction.
6. The method of claim 5, wherein before receiving the second internet access policy management instruction, the method further comprises:
receiving security resource configuration information;
performing security resource orchestration according to the security resource configuration information;
and configuring the security resource according to the orchestration result.
7. A network access management apparatus, comprising:
a receiving module, configured to receive a data access request and judge whether the data access request conforms to an access control policy;
an interception module, configured to intercept the data access request and generate a record if the data access request conforms to the access control policy;
a detection module, configured to detect whether the data access request conforms to a data analysis policy if the data access request does not conform to the access control policy;
and a sending module, configured to send a response message corresponding to the data access request after determining that the data access request conforms to the data analysis policy.
8. An electronic device, comprising: a memory and a processor;
the memory is configured to store a computer program;
and the processor is configured to execute the computer program stored in the memory to implement the network access management method according to any one of claims 1 to 6.
9. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program which, when executed by a processor, implements the network access management method according to any one of claims 1 to 6.
10. A computer program product, characterized in that the computer program product comprises a computer program which, when executed by a processor, implements the network access management method according to any one of claims 1 to 6.
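The decision flow of apparatus modules 601-604 (Fig. 6) and of method claims 1-6, together with the threat-model feedback loop of claims 2-4, written out as one runnable policy-control gateway. This is an added example, not code from the patent or its applicant: the request fields, the two policy schemas, the log2-volume and entropy features, the nearest-centroid classifier standing in for the "security threat model", the way the model is used to update both policies, and every host name and traffic value are assumptions constructed for the demonstration. Note the direction of claim 1: a request that matches the access control policy is the one that gets intercepted, so that policy is a block policy; what happens to a request that fails the data analysis policy is not stated, and the example assumes it is dropped and recorded.

```python
"""Toy policy-control gateway: the decision flow of modules 601-604 / claims 1-6 and the
threat-model feedback loop of claims 2-4.  Added example, not the patent's own code; the
request fields, policy schema, features, classifier and traffic values are all assumptions."""
from dataclasses import dataclass
from math import log2
from typing import Dict, List, Tuple
MB = 1 << 20

@dataclass(frozen=True)
class DataAccessRequest:
    dst_host: str
    dst_port: int
    protocol: str        # "https", "dns", "ssh", ...
    upload_bytes: int    # bytes sent client -> server
    entropy: float       # Shannon entropy (0..8) of the first upload bytes

class AccessControlPolicy:
    """Claim 1: a request that MATCHES this policy is intercepted, so it is a block list."""
    def __init__(self, blocked_hosts: set) -> None:
        self.blocked_hosts = set(blocked_hosts)

    def matches(self, r: DataAccessRequest) -> bool:
        return r.dst_host in self.blocked_hosts

@dataclass
class DataAnalysisPolicy:
    """Claim 1: only a request that conforms to this policy gets a response."""
    allowed_protocols: set
    max_upload_bytes: int
    max_entropy: float   # large AND high-entropy uploads look like encrypted exfiltration

    def conforms(self, r: DataAccessRequest) -> bool:
        return (r.protocol in self.allowed_protocols
                and not (r.upload_bytes > self.max_upload_bytes and r.entropy > self.max_entropy))

def extract_features(r: DataAccessRequest) -> Tuple[float, float]:
    """Claim 4: the payload is opaque encrypted traffic, so only volume (log2) and entropy."""
    return (log2(max(r.upload_bytes, 1)), r.entropy)

class ThreatModel:
    """Nearest-centroid classifier over extract_features (a stand-in for the claimed model)."""
    def __init__(self) -> None:
        self.centroids: Dict[str, Tuple[float, float]] = {}

    def train(self, labelled: List[Tuple[DataAccessRequest, str]]) -> None:
        acc: Dict[str, List[float]] = {}
        for r, label in labelled:
            v, e = extract_features(r)
            a = acc.setdefault(label, [0.0, 0.0, 0.0])
            a[0] += v; a[1] += e; a[2] += 1
        self.centroids = {k: (a[0] / a[2], a[1] / a[2]) for k, a in acc.items()}

    def predict(self, r: DataAccessRequest) -> str:
        v, e = extract_features(r)
        return min(self.centroids, key=lambda k: (v - self.centroids[k][0]) ** 2
                   + (e - self.centroids[k][1]) ** 2)

class PolicyControlGateway:
    def __init__(self, acl: AccessControlPolicy, dap: DataAnalysisPolicy) -> None:
        self.acl, self.dap, self.records = acl, dap, []

    def handle(self, r: DataAccessRequest) -> dict:
        if self.acl.matches(r):                    # claim 1: intercept and generate a record
            self.records.append(("intercepted", r))
            return {"action": "intercept", "status": 403}
        if not self.dap.conforms(r):               # no response; assumed: drop and record
            self.records.append(("analysis_reject", r))
            return {"action": "drop", "status": 403}
        self.records.append(("allowed", r))        # claim 1: send the response message
        return {"action": "respond", "status": 200, "upstream": f"{r.dst_host}:{r.dst_port}"}

    def update_policies(self, model: ThreatModel) -> None:
        """Claim 2: destinations of allowed requests the model now labels 'exfil' join the
        ACL; the analysis thresholds move to the benign/exfil decision boundary."""
        for verdict, r in self.records:
            if verdict == "allowed" and model.predict(r) == "exfil":
                self.acl.blocked_hosts.add(r.dst_host)
        (bv, be), (xv, xe) = model.centroids["benign"], model.centroids["exfil"]
        self.dap.max_upload_bytes = min(self.dap.max_upload_bytes, int(2 ** ((bv + xv) / 2)))
        self.dap.max_entropy = min(self.dap.max_entropy, (be + xe) / 2)

def run_demo() -> Tuple[PolicyControlGateway, List[str]]:
    gw = PolicyControlGateway(AccessControlPolicy({"paste.example"}),
                              DataAnalysisPolicy({"https", "dns"}, 5 * MB, 7.5))
    R = DataAccessRequest                                     # constructed traffic follows
    reqs = [R("paste.example", 443, "https", 2048, 5.1),      # ACL hit
            R("jump.example", 22, "ssh", 512, 6.0),           # protocol not allowed
            R("crm.example", 443, "https", 4096, 5.5),        # normal
            R("cdn.example", 443, "https", 50 * MB, 7.98),    # bulk encrypted upload
            R("sync.example", 443, "https", 3 * MB, 7.9)]     # slips under the 5 MB limit
    actions = [gw.handle(r)["action"] for r in reqs]
    model = ThreatModel()                                     # constructed labels below
    model.train([(reqs[2], "benign"), (R("mail.example", 443, "https", 200_000, 6.2), "benign"),
                 (R("drop1.example", 443, "https", 20 * MB, 7.95), "exfil"),
                 (R("drop2.example", 443, "https", 2 * MB, 7.85), "exfil")])
    gw.update_policies(model)
    actions.append(gw.handle(reqs[4])["action"])              # same host: now an ACL hit
    actions.append(gw.handle(R("new.example", 443, "https", 3 * MB, 7.9))["action"])
    return gw, actions
```

`run_demo()` returns the gateway and the decision list `["intercept", "drop", "respond", "drop", "respond", "intercept", "drop"]`: the 3 MB high-entropy upload to `sync.example` passes the initial analysis policy, is then labelled by the trained model, and after `update_policies` the same host is blocked by the access control policy while a fresh host with the same profile is caught by the tightened analysis thresholds. Two practitioner caveats follow from the claims rather than from this toy: on encrypted traffic the only features available are metadata (volume, entropy, timing, SNI, TLS fingerprints), so the model's false positives land on legitimate bulk HTTPS uploads; and feeding model output straight back into blocking policy (claims 2-3) is a self-reinforcing loop, so the policy management instruction of claim 3 is the natural place to put human review or a canary before the updated policies reach the gateway.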
Application CN202211620167.9A, priority date 2022-12-15, filing date 2022-12-15: Network access management method, device, electronic equipment and storage medium. Status: Pending. Published as CN116032570A.

Publications (1)

Publication Number Publication Date
CN116032570A 2023-04-28

Family

ID=86090441

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103139056A * 2011-12-01 2013-06-05 北京天行网安信息技术有限责任公司 Secure gateway and network data interaction method
US20150256545A1 * 2014-03-07 2015-09-10 Verite Group, Inc. Cloud-based network security and access control
US9436820B1 * 2004-08-02 2016-09-06 Cisco Technology, Inc. Controlling access to resources in a network
CN109246064A * 2017-07-11 2019-01-18 阿里巴巴集团控股有限公司 (Alibaba Group Holding Ltd.) Secure access control and method, device and equipment for generating network access rules
WO2020038273A1 * 2018-08-20 2020-02-27 中兴通讯股份有限公司 (ZTE Corporation) Multi-tenant access control method and device and computer-readable storage medium
CN112511524A * 2020-11-24 2021-03-16 北京天融信网络安全技术有限公司 (Beijing Topsec Network Security Technology Co., Ltd.) Access control policy configuration method and device
CN114039777A * 2021-11-09 2022-02-11 国家工业信息安全发展研究中心 (National Industrial Information Security Development Research Center) Intelligent threat perception method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
WENFANG ZHAO: "Design of dynamic fine-grained role-based access control strategy", 2012 IEEE 2nd International Conference on Cloud Computing and Intelligence Systems, 14 November 2013 *
刘敖迪 (Liu Aodi): "Research on access control policy management for cloud service composition" (面向云服务组合的访问控制策略管理研究), China Master's Theses Full-text Database (中国优秀硕士学位论文全文库), 15 June 2018 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination