CN116390091A - Terminal safety access method and system - Google Patents


Info

Publication number
CN116390091A
Authority
CN
China
Prior art keywords
access
equipment
network
detection
behavior
Prior art date
Legal status
Pending
Application number
CN202310204654.5A
Other languages
Chinese (zh)
Inventor
张小陆
沈伍强
曾纪钧
崔磊
龙震岳
沈桂泉
梁哲恒
张金波
Current Assignee
Guangdong Power Grid Co Ltd
Original Assignee
Guangdong Power Grid Co Ltd

Links

Images

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H04W12/40 Security arrangements using identity modules
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a terminal security access method and system. Network access identity information of an access device is acquired through an intelligent acquisition technology and the identity of the access terminal is verified; the network configuration information of the access device is then identified through an intelligent identification technology, and compliance detection is performed on the access device according to a preset network access configuration rule. After the device passes identity verification and compliance detection, its network behavior is monitored continuously, and attack behavior detection, vulnerability detection and abnormal behavior detection are performed on the obtained behavior data; if attack behavior or abnormal behavior of the access device is detected, or the access device does not pass vulnerability detection, access control is performed on it immediately. In this way, devices accessing the Internet of things can be accurately controlled, illegal and counterfeit devices are prevented from accessing, and the running stability of the Internet of things is maintained.

Description

Terminal safety access method and system
Technical Field
The embodiment of the application relates to the technical field of Internet of things security, in particular to a terminal security access method and system.
Background
The Internet of things is an information carrier built on the Internet, traditional telecommunication networks and the like; it is a network that extends and expands the Internet, combines various information-sensing devices with the network into one huge network, realizes interconnection and intercommunication of people, machines and objects at any time and any place, and lets every ordinary physical object that can be independently addressed join an interconnected network.
Because of the large number of connected devices, the Internet of things cannot verify the identity of access devices one by one manually, so an access device may be an illegal device, a device carrying an attack virus or a counterfeit device, and may damage the Internet of things or other access devices. The traditional approach can only verify the identity of an access device through its local network administrator, but this verification is very inefficient and does not fit the rapid development and expansion of the Internet of things.
Disclosure of Invention
To overcome the problems in the related art, the application provides a terminal security access method and system that can improve the security of access devices of the Internet of things and maintain the efficient and stable operation of the physical network.
According to a first aspect of embodiments of the present application, there is provided a terminal security access method, including the following steps:
acquiring network access identity information of access equipment through an intelligent acquisition technology, and performing identity verification on the access terminal according to the network access identity information;
identifying network configuration information of the access equipment passing the identity verification through an intelligent identification technology, and detecting compliance of the access equipment according to preset network configuration rules and the network configuration information of the access equipment;
and monitoring the network behavior of the access device that has passed compliance detection, performing attack behavior detection, vulnerability detection and abnormal behavior detection on the obtained behavior data, and performing access control on the access device if attack behavior or abnormal behavior of the access device is detected or the access device does not pass vulnerability detection.
According to a second aspect of embodiments of the present application, there is provided a terminal security access system, including:
the identity verification module is used for acquiring network access identity information of the access equipment through an intelligent acquisition technology, and carrying out identity verification on the access terminal according to the network access identity information;
the compliance detection module is used for identifying the network configuration information of the access equipment passing the identity verification through an intelligent identification technology, and carrying out compliance detection on the access equipment according to a preset network access configuration rule and the network configuration information of the access equipment;
the behavior monitoring module is used for monitoring the network behavior of the access device that has passed compliance detection, performing attack behavior detection, vulnerability detection and abnormal behavior detection on the obtained behavior data, and performing access control on the access device if attack behavior or abnormal behavior of the access device is detected or the access device does not pass vulnerability detection.
According to the terminal security access method and system, network access identity information of an access device is acquired through an intelligent acquisition technology and the identity of the access terminal is verified; the network configuration information of the access device is then identified through an intelligent identification technology, and compliance detection is performed on the access device according to a preset network access configuration rule. After the device passes identity verification and compliance detection, its network behavior is monitored continuously, and attack behavior detection, vulnerability detection and abnormal behavior detection are performed on the obtained behavior data; if attack behavior or abnormal behavior of the access device is detected, or the access device does not pass vulnerability detection, access control is performed on it immediately. In this way, devices accessing the Internet of things can be accurately controlled, illegal and counterfeit devices are prevented from accessing, and the running stability of the Internet of things is maintained.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
For a better understanding and implementation, the present invention is described in detail below with reference to the drawings.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a terminal security access method according to an embodiment of the present application;
fig. 2 is a network access authentication page diagram provided by a terminal security access method according to an embodiment of the present application;
fig. 3 is a configuration page diagram of a non-inspection device database provided by a terminal security access method according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a terminal security access system according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the following detailed description of the embodiments of the present application will be given with reference to the accompanying drawings.
It should be understood that the described embodiments are merely some, but not all, of the embodiments of the present application. All other embodiments, based on the embodiments herein, which would be apparent to one of ordinary skill in the art without making any inventive effort, are intended to be within the scope of the present application.
When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
In the description of this application, it should be understood that the terms "first," "second," "third," and the like are used merely to distinguish between similar objects and are not necessarily used to describe a particular order or sequence, nor should they be construed to indicate or imply relative importance. The specific meaning of these terms in this application will be understood by those of ordinary skill in the art as the case may be. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination". Furthermore, in the description of the present application, unless otherwise indicated, "a plurality" means two or more. "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may indicate: A exists alone, A and B exist together, or B exists alone. The character "/" generally indicates that the associated objects are in an "or" relationship.
Example 1
A detailed description will be given below of a terminal security access method provided in an embodiment of the present application with reference to fig. 1.
Referring to fig. 1, the method for secure access of a terminal provided in the embodiment of the present application mainly operates on the monitoring server, and includes the following steps:
step S101: acquiring network access identity information of access equipment through an intelligent acquisition technology, and performing identity verification on the access terminal according to the network access identity information;
step S102: identifying network configuration information of the access equipment passing the identity verification through an intelligent identification technology, and detecting compliance of the access equipment according to preset network configuration rules and the network configuration information of the access equipment;
step S103: monitoring the network behavior of the access device that has passed compliance detection, performing attack behavior detection, vulnerability detection and abnormal behavior detection on the obtained behavior data, and performing access control on the access device if attack behavior or abnormal behavior of the access device is detected or the access device does not pass vulnerability detection.
According to the terminal security access method, network access identity information of an access device is acquired through an intelligent acquisition technology and the identity of the access terminal is verified; the network configuration information of the access device is then identified through an intelligent identification technology, and compliance detection is performed on the access device according to a preset network access configuration rule. After the device passes identity verification and compliance detection, its network behavior is monitored continuously, and attack behavior detection, vulnerability detection and abnormal behavior detection are performed on the obtained behavior data; if attack behavior or abnormal behavior of the access device is detected, or the access device does not pass vulnerability detection, access control is performed on it immediately. In this way, devices accessing the Internet of things can be accurately controlled, illegal and counterfeit devices are prevented from accessing, and the running stability of the Internet of things is maintained.
For step S101, network access identity information of an access device is obtained through an intelligent acquisition technology, and identity verification is performed on the access terminal according to the network access identity information.
The network access identity information comprises IP/MAC information, routing information, identity information, host name, operating system, location information and traffic information;
the step of acquiring the network access identity information of the access device through the intelligent acquisition technology comprises one, or a combination of two or more, of the following:
Through topology discovery and device discovery, the system obtains SNMP information from devices using the Simple Network Management Protocol (SNMP), discovers an access device promptly when it connects, collects information such as the device type, MAC address, IP address, device name and the connected network switch port, and also notices promptly when the device goes offline.
Through NMAP (Network Mapper) active scanning, the IP of a newly discovered device is actively scanned to determine information such as the device type and open ports.
Through NetBIOS (Network Basic Input/Output System) active scanning, newly discovered devices are actively scanned; the scan result includes the device name, MAC address and other information.
Through port-mirroring device discovery, device traffic at the network aggregation interface is captured and its protocols are analyzed, including the HTTP, DHCP, ARP and IP protocols and TCP/UDP traffic characteristics, to obtain the MAC address, device name, IP address and fingerprint information of the device.
Specific port data, such as web ports, port 3389, port 1433 and other specific ports, is collected and expanded on the basis of the device and port information gathered by topology discovery and NMAP.
Through active scanning and traffic mirroring, the virtual asset fingerprint data of the access device is collected and a multi-dimensional asset fingerprint library is built covering IP address, MAC address, operating system, ports, services, applications, access location, user, connection relations and the like. Data merging and statistics, network segment analysis, user analysis, network traffic analysis, network topology analysis and device online analysis are carried out on the collected data, and devices are then classified according to their fingerprint characteristics.
In one embodiment, an authentication page may also be provided for the user to choose from. As shown in fig. 2, the network access authentication page includes a plurality of verification mode selection controls.
The step of verifying the identity of the access terminal further comprises:
displaying a network access identity verification page, wherein the page comprises a plurality of verification mode selection controls;
receiving the user's triggering instruction on a verification mode selection control and obtaining the verification mode type selected by the user;
generating a verification instruction according to the verification mode type and the network access identity information of the access device, obtaining the verification data returned by the access device in response to the verification instruction, and judging from the verification data whether the network access identity information of the access terminal is legal.
The verification mode types include: system built-in user, AD domain user, mail user, LDAP server user, certificate authentication, third-party RADIUS authentication, SMS authentication and the like; preferably three verification modes are selected from these and a verification mode selection control is made for each.
In another embodiment, whitelist management may also be applied to a portion of devices that do not require verification by building an inspection-free device database. As shown in fig. 3, the inspection-free device database may be configured in the background by maintenance personnel.
The step of verifying the identity of the access terminal further comprises: comparing the network access identity information of the access terminal with a preset inspection-free device database, and judging the network access identity information of the access terminal legal if it matches inspection-free device information in that database. The inspection-free device information includes a device type, the IP/MAC address of the device and an access time.
By setting up the inspection-free device database, whitelist management can be applied to devices that do not need verification, which speeds up their access.
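The whitelist match described above, as an added example that is not part of the patent or its assignee's system: a lookup that requires device type, IP/MAC and access time to all agree with one inspection-free entry, so that a known MAC presented under a different device type is not waved through. Database rows, MAC spellings and time windows are constructed sample values.

```python
import ipaddress
import re
from datetime import datetime, time

# Constructed inspection-free (whitelist) database holding the three fields the
# method names: device type, IP/MAC and permitted access time. Sample data only.
# "ip" may be a single address or a CIDR block; "*" as MAC means any MAC (e.g. a server pool).
INSPECTION_FREE_DB = [
    {"type": "printer", "ip": "10.1.20.0/24", "mac": "00-1B-44-11-3A-B7", "access_time": ("07:00", "20:00")},
    {"type": "camera",  "ip": "10.1.30.15",   "mac": "a4:5e:60:c1:02:9f", "access_time": ("00:00", "23:59")},
    {"type": "server",  "ip": "10.1.40.0/28", "mac": "*",                 "access_time": ("00:00", "23:59")},
]


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC so '00-1B-44-11-3A-B7', '001b.4411.3ab7' and
    '00:1b:44:11:3a:b7' all compare equal (lower-case, colon separated)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def _ip_matches(pattern: str, ip: str) -> bool:
    # pattern is either one address or a CIDR network; strict=False tolerates host bits
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _time_in_window(now: time, window) -> bool:
    start, end = time.fromisoformat(window[0]), time.fromisoformat(window[1])
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end   # window that crosses midnight


def is_inspection_free(device: dict, when_iso: str, db=INSPECTION_FREE_DB) -> bool:
    """True only if type, MAC, IP and access time all match a single whitelist entry.

    device: {"type": ..., "ip": ..., "mac": ...} as collected in step S101.
    when_iso: access time as an ISO-8601 string, e.g. "2024-01-08T09:30:00".
    """
    mac = normalize_mac(device["mac"])
    now = datetime.fromisoformat(when_iso).time()
    for entry in db:
        if entry["type"] != device["type"]:
            continue                      # right MAC under the wrong type is not accepted
        if entry["mac"] != "*" and normalize_mac(entry["mac"]) != mac:
            continue
        if not _ip_matches(entry["ip"], device["ip"]):
            continue
        if not _time_in_window(now, entry["access_time"]):
            continue
        return True
    return False
```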
For step S102, the network configuration information of the access device that has passed identity verification is identified through an intelligent identification technology, and compliance detection is performed on the access device according to a preset network access configuration rule and the network configuration information of the access device.
The network configuration information comprises the network topology, device type, device manufacturer, device state, device security state and the connection relations between devices.
Through intelligent identification of the network topology, device type, device manufacturer, device state (new device/online device/offline device), device security state (safe, relatively safe, unsafe), connection relations between devices and the like, identification of mainstream device types and manufacturers is supported, such as PC devices, network devices, mobile devices, IoT devices (including video terminals and the like) and ICS devices.
In one embodiment, the compliance detection includes at least one of the following: admission compliance detection, software compliance detection, configuration compliance detection, anonymity detection, NAT device detection, illegal sharing detection, device access time checking and Telnet compliance checking.
The step of detecting compliance of the access device comprises at least one of the following steps:
judging, according to a preset list of admitted devices, whether any unauthorised switch, router, switch port, network segment or device exists, and if so, alarming or performing access control on it;
detecting the software configuration information of terminal devices, and if there are access devices without antivirus software, without enterprise compliance software, or with illegal software, alarming or performing access control on them;
judging, according to preset network compliance configuration information, whether there are terminal devices with incorrectly configured DNS, illegal DNS servers, illegal AD servers, devices that have not joined the domain, devices that have joined the domain but not logged into it, or Windows terminal devices with no WSUS server set or a wrong one, and alarming or performing access control on the illegal devices;
detecting the access mode of access devices, and if there are anonymous sharing servers, anonymous FTP servers or access devices that illegally open anonymous access, alarming or performing access control on them;
detecting the network configuration mode of access devices, and if there are networks privately set up inside the network or illegal NAT devices, alarming or performing access control on them;
detecting the data sharing mode of access devices, and if there are illegal network sharing servers, alarming or performing access control on them;
and acquiring the access time of access devices, and if any access device accesses the network outside working time, alarming or performing access control on it.
The admission compliance detection above supports discovering switches, routers, switch ports, network segments, devices and the like that have not been admitted, and alarms or blocks immediately when an unadmitted switch, router or switch port is found. It supports discovering terminal devices without antivirus software and devices without enterprise compliance software or with illegal software, and alarms or blocks immediately when a software violation is found. It supports discovering terminal devices with improperly configured DNS and illegal DNS servers; illegal AD servers, devices that have not joined the domain and devices that have joined the domain but not logged in; and Windows terminal devices whose WSUS server is not set or set incorrectly, and alarms or blocks immediately when a configuration violation is found. It supports discovering anonymous sharing servers and anonymous FTP servers, and alarms or blocks immediately when a device that illegally opens anonymous access is found. It supports discovering networks privately set up inside the network, such as network sharing used in violation of policy or a wireless AP opened in violation of policy, and alarms or blocks immediately when an illegal NAT device is found. It supports discovering illegally shared network sharing servers and alarms or blocks immediately when illegal sharing is found.
It supports discovering PC devices, mobile terminal devices and the like that access the network outside working time, and alarms or blocks immediately on discovery. It supports discovering Telnet servers and alarms or blocks immediately when one is found, supports agentless inspection of antivirus version and patch information, and supports identification of illegal external devices.
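The compliance rules above (admission, software, configuration, access time) as one rule engine, added here as an example that is not the patent's own code. The admitted segments, switch ports, software names, DNS/WSUS servers and working hours are constructed sample policy values, and the alarm-versus-block choice per rule is an assumption for illustration.

```python
import ipaddress
from datetime import datetime

# Constructed preset rules (sample values, not from the patent or any deployment).
ADMITTED_SEGNETS = [ipaddress.ip_network("10.1.0.0/16")]
ADMITTED_SWITCH_PORTS = {("sw-core-1", "Gi1/0/12"), ("sw-core-1", "Gi1/0/13"), ("sw-acc-2", "Gi1/0/5")}
ANTIVIRUS = {"corp-av"}
REQUIRED_SOFTWARE = {"corp-agent"}
FORBIDDEN_SOFTWARE = {"torrent-client", "proxy-tool"}
ALLOWED_DNS = {"10.1.1.53", "10.1.1.54"}
ALLOWED_WSUS = {"wsus.corp.example"}
WORKING_HOURS = (8, 18)          # 08:00 to 18:00 local time


def check_compliance(dev: dict, when_iso: str) -> list:
    """Evaluate one device record against the preset rules.

    dev carries what step S102 identified: ip, switch, port, os, software list,
    dns list, wsus. Returns (check, detail, action) findings; [] means compliant.
    'block' marks violations treated here as grounds for access control,
    'alarm' those that only need an administrator's attention (assumed split).
    """
    findings = []
    ip = ipaddress.ip_address(dev["ip"])

    # admission compliance: unauthorised network segment / switch port
    if not any(ip in seg for seg in ADMITTED_SEGNETS):
        findings.append(("admission", f"{ip} outside admitted segments", "block"))
    if (dev["switch"], dev["port"]) not in ADMITTED_SWITCH_PORTS:
        findings.append(("admission", f"unadmitted switch port {dev['switch']}/{dev['port']}", "block"))

    # software compliance: antivirus present, enterprise software present, no illegal software
    installed = set(dev.get("software", []))
    if not installed & ANTIVIRUS:
        findings.append(("software", "no antivirus software installed", "alarm"))
    missing = REQUIRED_SOFTWARE - installed
    if missing:
        findings.append(("software", f"missing enterprise software {sorted(missing)}", "alarm"))
    illegal = installed & FORBIDDEN_SOFTWARE
    if illegal:
        findings.append(("software", f"illegal software {sorted(illegal)}", "block"))

    # configuration compliance: DNS servers, and WSUS on Windows terminals only
    configured_dns = set(dev.get("dns", []))
    bad_dns = configured_dns - ALLOWED_DNS
    if bad_dns or not configured_dns:
        findings.append(("configuration", f"DNS misconfigured: {sorted(bad_dns) or 'none set'}", "alarm"))
    if dev.get("os", "").lower().startswith("windows"):
        wsus = dev.get("wsus")
        if wsus not in ALLOWED_WSUS:
            findings.append(("configuration", f"WSUS server {wsus!r} not set or wrong", "alarm"))

    # device access time: outside working hours
    hour = datetime.fromisoformat(when_iso).hour
    if not (WORKING_HOURS[0] <= hour < WORKING_HOURS[1]):
        findings.append(("access_time", f"access at {when_iso} is outside working hours", "alarm"))
    return findings


def decide(findings: list) -> str:
    """Overall action: block if any finding demands it, alarm if any remain, else admit."""
    actions = {f[2] for f in findings}
    if "block" in actions:
        return "block"
    if "alarm" in actions:
        return "alarm"
    return "admit"
```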
In one embodiment, after the compliance detection of the access device, the method further includes:
sending device verification identity information to a system administrator, wherein the device verification identity information includes the login user information, device group information and access location information of the access terminal; if the system administrator's confirmation of the device verification identity information is received, judging that the access terminal is not counterfeit; and if the system administrator's confirmation is not received, judging that the access terminal is counterfeit.
In this way, counterfeit devices can be discovered early, and suspicion about a device can be cleared by the system administrator's verification so that the device accesses normally.
In step S103, the network behavior of the access device that has passed compliance detection is monitored, attack behavior detection, vulnerability detection and abnormal behavior detection are performed on the obtained behavior data, and access control is performed on the access device if attack behavior or abnormal behavior of the access device is detected or the access device does not pass vulnerability detection.
Wherein the attack behavior detection performed on the access device at least comprises one of the following:
connection behavior detection between the access device and a command and control server, DoS attack detection, brute-force attack detection for the RDP/SSH/FTP protocols, WannaCry ransomware detection, botnet, worm and Trojan attack detection, Shellcode attack detection, counterfeit antivirus software detection, privilege cracking attack detection, audio and video protocol attack detection, Xbash malware detection, and detection of port, database and web page scanning behavior by the Nmap, Nessus and Nikto scanning tools.
Through C&C attack detection, connection behavior between a device and a C&C (command and control) server is detected; through DoS attack detection, DoS attacks on SMTP/MySQL/RDP/DNS/HTTP and other protocols are detected; through brute-force attack detection, brute-force attacks on RDP/SSH/FTP and other protocols are detected; through ransomware detection, WannaCry and other ransomware is detected; through botnet, worm and Trojan attack detection, attack behaviors such as botnets, viruses and worms are detected; through network scanning detection, port, database, web page and other scanning behavior by common scanning tools such as Nmap, Nessus and Nikto is detected; through Shellcode attack detection, common Shellcode attacks are detected, for example a piece of code written with a shell that is sent to a server to obtain permissions through a specific vulnerability; through malware attack detection, malware such as spyware and counterfeit antivirus software is detected; through privilege cracking attack detection, cracking of ordinary or super administrator privileges is detected; through video and voice protocol attack detection, attacks on video and voice protocols are detected; through Xbash detection, Xbash malware is detected. An access device on which an attack is detected can be alarmed or blocked immediately.
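Two of the detections listed above, brute-force login detection and port-scan detection, as sliding-window logic over log lines; this is an added example, not the patent's detector. The log format ("time src dst proto event"), the thresholds and the sample records are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed detection thresholds (assumed values, tune per environment).
BRUTE_FORCE = {"threshold": 5, "window": timedelta(seconds=60), "protocols": {"rdp", "ssh", "ftp"}}
PORT_SCAN = {"threshold": 20, "window": timedelta(seconds=30)}

# Made-up normalised record format: "<iso-time> <src> <dst> <proto> <event...>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.+)$")


def sample_log():
    """Constructed, time-ordered sample records (not real device logs)."""
    t0 = datetime(2024, 1, 8, 9, 0, 0)
    lines = []
    # 8 failed SSH logins in 35 seconds from one source: brute force
    for i in range(8):
        lines.append(f"{(t0 + timedelta(seconds=5 * i)).isoformat()} 10.1.20.7 10.1.40.3 ssh login_failed")
    # a user mistyping twice and then succeeding: stays below threshold, must not alert
    for i, ev in enumerate(["login_failed", "login_failed", "login_ok"]):
        lines.append(f"{(t0 + timedelta(minutes=1, seconds=10 * i)).isoformat()} 10.1.20.8 10.1.40.3 rdp {ev}")
    # 25 SYNs to distinct ports within 10 seconds from one source: port scan
    for i in range(25):
        lines.append(f"{(t0 + timedelta(minutes=5, milliseconds=400 * i)).isoformat()} "
                     f"10.1.20.9 10.1.40.3 tcp syn dport={20 + i}")
    return lines


def detect(lines):
    """Single pass over time-ordered records keeping one sliding window per key.

    Returns alerts as (kind, src, dst, detail). Each (src, dst) pair alerts at most
    once per kind so that a long attack does not flood the operator.
    """
    fails = defaultdict(deque)    # (src, dst, proto) -> timestamps of failed logins
    syns = defaultdict(deque)     # (src, dst) -> (timestamp, dport) of SYNs
    alerts, seen = [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                  # skip unparseable lines
        ts, src, dst, proto, event = m.groups()
        t = datetime.fromisoformat(ts)
        if proto in BRUTE_FORCE["protocols"] and event == "login_failed":
            q = fails[(src, dst, proto)]
            q.append(t)
            while q and t - q[0] > BRUTE_FORCE["window"]:
                q.popleft()                           # drop events outside the window
            key = ("brute_force", src, dst)
            if len(q) >= BRUTE_FORCE["threshold"] and key not in seen:
                seen.add(key)
                alerts.append((*key, f"{len(q)} failed {proto} logins within {BRUTE_FORCE['window'].seconds}s"))
        elif proto == "tcp" and event.startswith("syn"):
            dport = int(event.split("dport=")[1])
            q = syns[(src, dst)]
            q.append((t, dport))
            while q and t - q[0][0] > PORT_SCAN["window"]:
                q.popleft()
            distinct = {p for _, p in q}              # scans touch many distinct ports
            key = ("port_scan", src, dst)
            if len(distinct) >= PORT_SCAN["threshold"] and key not in seen:
                seen.add(key)
                alerts.append((*key, f"{len(distinct)} distinct ports within {PORT_SCAN['window'].seconds}s"))
    return alerts
```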
In one embodiment, the step of vulnerability detection based on the obtained behavioral data comprises:
according to a preset weak password database, simulating a manual login through a Python script, sending weak passwords for Web/SSH/TELNET/FTP applications to the access device, and detecting the access device's response to each weak password, wherein the weak password database includes preset account and password dictionaries imported by the user as well as default accounts and default passwords.
Weak password detection of the access device supports detecting weak passwords of applications such as Web/SSH/TELNET/FTP, supports the user importing their own account and password dictionaries, supports weak password detection of cameras with the factory default accounts and passwords built in, and supports weak password detection for SSH/TELNET/FTP.
In another embodiment, the step of performing abnormal behavior detection based on the obtained behavior data comprises:
based on the device type of the access device, constructing portrait data for that device type, judging whether the behavior data of the access device conforms to the portrait data of its device type, and if not, raising an alarm or performing access control on the access device;
building a device connection model from the connection relationships between devices and their Internet access behavior data through a machine learning technique, judging whether the connection relationships of the access device conform to the device connection model, and if not, raising an alarm or performing access control on the access device;
and constructing an inter-device traffic behavior feature model and an Internet access traffic feature model through a machine learning technique, judging whether the traffic data of the access device in a preset time period conforms to the inter-device traffic behavior feature model and the Internet access traffic feature model, and if not, raising an alarm or performing access control on the access device.
The portrait data includes equipment type, IP, MAC, equipment name, operating system, system service, flow characteristics and behavior characteristics.
For device impersonation, the application supports impersonation detection based on device portrait technology, using the device type, IP, MAC, device name, operating system, system services, traffic characteristics and behavior characteristics. When a device is found to be impersonated, an alarm is raised or the device is automatically blocked. For abnormal connections, machine self-learning combined with threat intelligence automatically learns the connection relationships between devices in the network and their Internet access behavior, builds each user's normal access behavior pattern, and intelligently discovers abnormal connections; when one is found, an alarm is raised or the device is automatically blocked. For abnormal traffic, machine self-learning automatically learns the traffic behavior characteristics between devices in the network and the characteristics of Internet access traffic, and when abnormal traffic occurs in a given time period an alarm is raised or the device is automatically blocked. For abnormal protocols, access by a protocol that does not match its port (for example, non-HTTP traffic on port 80) is discovered in time, and the device is alarmed and blocked. For abnormal online time, device portrait technology automatically learns each device's online time, and once a device's online time is found to be abnormal, the device is alarmed or blocked. For abnormal access locations, for devices whose access location is relatively fixed, such as servers, dumb terminals and IoT devices, an alarm is raised or the device is blocked once its access location is found to change.
For abnormal domain names, machine learning combined with threat intelligence can be used to analyze how suspicious a domain name is, and a malicious domain name, once found, is immediately alarmed or blocked.
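The device-portrait checks above (impersonation, abnormal protocol, abnormal online time and abnormal access location) can all be expressed as comparing one observation against a baseline learned per device type. The following added example (not the patent's own code) builds such a baseline from constructed known-good records and returns the list of deviations for a new observation; the record fields, the sample devices, and the heuristic that port-80 traffic should begin with an HTTP method are assumptions.

```python
"""Device-portrait baseline and conformance check.

Added illustration, not the patent's code; record fields, baseline data and
the HTTP-method heuristic for port 80 are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}


@dataclass
class Portrait:
    """What a device type normally looks like, learned from known-good records."""
    os: set = field(default_factory=set)
    services: set = field(default_factory=set)       # expected listening ports
    mac_prefixes: set = field(default_factory=set)   # vendor OUI prefixes
    online_hours: set = field(default_factory=set)   # hours of day seen online
    locations: dict = field(default_factory=dict)    # device name -> switch port


def oui(mac):
    """Vendor prefix (first three octets) of a MAC address."""
    return mac.upper()[:8]


def build_portraits(observations):
    """Aggregate known-good observations into one Portrait per device type."""
    portraits = defaultdict(Portrait)
    for o in observations:
        p = portraits[o["type"]]
        p.os.add(o["os"])
        p.services.update(o["services"])
        p.mac_prefixes.add(oui(o["mac"]))
        p.online_hours.add(o["hour"])
        p.locations.setdefault(o["name"], o["location"])
    return dict(portraits)


def check_device(portraits, obs):
    """Return the deviations of `obs` from the portrait of its claimed type.

    An empty list means the observation matches; each entry corresponds to
    one of the alarm-or-block cases described in the text.
    """
    p = portraits.get(obs["type"])
    if p is None:
        return [f"no portrait for device type {obs['type']!r}"]
    findings = []
    if obs["os"] not in p.os:
        findings.append(f"impersonation: OS {obs['os']} not seen for {obs['type']}")
    extra = set(obs["services"]) - p.services
    if extra:
        findings.append(f"impersonation: unexpected services {sorted(extra)}")
    if oui(obs["mac"]) not in p.mac_prefixes:
        findings.append(f"impersonation: MAC vendor {oui(obs['mac'])} not seen for {obs['type']}")
    if obs["hour"] not in p.online_hours:
        findings.append(f"abnormal online time: hour {obs['hour']}")
    known = p.locations.get(obs["name"])
    if known is not None and known != obs["location"]:
        findings.append(f"abnormal access location: {known} -> {obs['location']}")
    # Abnormal protocol: port-80 traffic whose first token is not an HTTP method.
    for port, payload in obs.get("flows", []):
        if port == 80 and payload.split(b" ", 1)[0] not in HTTP_METHODS:
            findings.append("abnormal protocol: non-HTTP traffic on port 80")
    return findings


# Constructed known-good observations: a camera online around the clock and a
# printer online during office hours.
BASELINE = [
    {"type": "ip_camera", "name": "cam-01", "os": "Linux", "services": [80, 554],
     "mac": "00:11:22:00:00:01", "hour": h, "location": "sw1/1"} for h in range(24)
] + [
    {"type": "printer", "name": "prn-01", "os": "Embedded", "services": [9100, 631],
     "mac": "00:33:44:00:00:01", "hour": h, "location": "sw2/5"} for h in range(8, 19)
]

GENUINE_CAMERA = {"type": "ip_camera", "name": "cam-01", "os": "Linux",
                  "services": [80, 554], "mac": "00:11:22:00:00:01", "hour": 14,
                  "location": "sw1/1", "flows": [(80, b"GET / HTTP/1.1")]}
# A laptop claiming to be a camera: wrong OS, RDP open, other vendor, TLS on :80.
FAKE_CAMERA = {"type": "ip_camera", "name": "cam-02", "os": "Windows",
               "services": [80, 554, 3389], "mac": "AA:BB:CC:00:00:02", "hour": 14,
               "location": "sw1/2", "flows": [(80, b"\x16\x03\x01\x00\xc5")]}
# The known printer seen at 03:00 on a different switch port.
MOVED_PRINTER = {"type": "printer", "name": "prn-01", "os": "Embedded",
                 "services": [9100, 631], "mac": "00:33:44:00:00:01", "hour": 3,
                 "location": "sw3/1"}

if __name__ == "__main__":
    portraits = build_portraits(BASELINE)
    for label, obs in [("genuine", GENUINE_CAMERA), ("fake", FAKE_CAMERA), ("moved", MOVED_PRINTER)]:
        print(label, check_device(portraits, obs) or "OK")
```

The baseline here is a plain set union over trusted observations; the patent's machine-learning variant would replace `build_portraits` with a learned model, but the conformance check and the alarm-or-block decision it feeds stay the same.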
For an access device found to be at risk, the application can handle it intelligently in the following ways, according to its risk factor:
active alarm: administrators and users can be notified by SMS, Email, Web page and the like so that they respond in time;
network control: access control or blocking can be applied to the access device according to a preset control strategy, and the access device can be re-authenticated or redirected to a safe zone for remediation;
third-party interface notification: event centers such as a SOC or SIEM can be notified via Syslog, SNMP Trap and the like;
information display: risk warning information about the abnormal behavior, attack behavior, compliance and vulnerability of the access device can be shown on the display page.
Furthermore, according to the severity and distribution of the abnormal behaviors, attack behaviors, compliance violations and vulnerabilities of each access device, a machine learning algorithm calculates the safety coefficient of each access device in real time; according to the value of each access device to the whole network, the machine learning algorithm then calculates the safety coefficient of the whole network in real time. Using these two coefficients, the risk state of each device and of the whole network can be displayed qualitatively or quantitatively, which supports analysis of the whole-network security situation coefficient.
On this basis, a whole-network device distribution diagram, an attack chain analysis view, an admission state view, a non-compliant device trend diagram, an abnormal behavior device trend diagram, an attack behavior device trend diagram, a phantom device trend diagram, a traffic view, a domain name analysis view and the like are displayed, and an attack path diagram can be displayed in linkage with the leagView, so that the running state of each access device and of the whole network is shown intuitively.
Further, various data statistics reports can be exported in response to a user's data request, including the device's safety index, basic information, non-compliance information, attack behavior information, abnormal behavior information, network connection behavior information, IP address and other relevant auxiliary information. Risk analysis reports can also be provided, for example risk reports exported automatically by day, week, month or a custom period.
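The two-level safety coefficient described above (per device from the severity and distribution of its findings, then for the whole network weighted by each device's value) is shown in the following added example, which is not the patent's own code. The patent does not specify its machine-learning scoring, so this uses a transparent severity-weighted score in its place; the weights, per-category caps, qualitative thresholds and sample findings are all assumptions.

```python
"""Per-device and whole-network safety coefficients.

Added illustration, not the patent's code; the patent's machine-learning
scoring is unspecified, so a severity-weighted score is used instead. Weights,
caps, thresholds and the sample inventory are assumptions.
"""
from collections import defaultdict

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}
# One cap per finding category, so the four categories together can at most
# drive a device's coefficient from 100 down to 0.
CATEGORY_CAP = {"abnormal_behavior": 25, "attack": 25, "compliance": 25, "vulnerability": 25}


def device_safety(findings):
    """Safety coefficient in [0, 100]; 100 means no findings.

    Severity decides how much each finding costs, and the distribution across
    categories decides how far the penalties can add up: many findings in one
    category saturate at that category's cap instead of zeroing the device.
    """
    per_category = defaultdict(float)
    for f in findings:
        per_category[f["category"]] += SEVERITY_WEIGHT[f["severity"]]
    penalty = sum(min(p, CATEGORY_CAP[c]) for c, p in per_category.items())
    return max(0.0, 100.0 - penalty)


def network_safety(devices):
    """Whole-network coefficient: device coefficients weighted by each
    device's value to the network (a database server counts for more than a
    camera)."""
    total_value = sum(d["value"] for d in devices)
    if total_value == 0:
        return 100.0
    return sum(d["value"] * device_safety(d["findings"]) for d in devices) / total_value


def qualitative(coefficient):
    """Qualitative band for the risk display; thresholds are assumptions."""
    if coefficient >= 80:
        return "low risk"
    if coefficient >= 50:
        return "medium risk"
    return "high risk"


# Constructed sample inventory with findings from the detections described above.
DEVICES = [
    {"name": "db-01", "value": 5, "findings": []},
    {"name": "hmi-02", "value": 3, "findings": [
        {"category": "attack", "severity": "critical"},      # e.g. a C&C connection
        {"category": "compliance", "severity": "medium"},    # e.g. antivirus missing
    ]},
    {"name": "cam-07", "value": 1, "findings": [
        {"category": "vulnerability", "severity": "high"} for _ in range(6)  # weak passwords
    ]},
]

if __name__ == "__main__":
    for d in DEVICES:
        c = device_safety(d["findings"])
        print(f"{d['name']}: {c:.1f} ({qualitative(c)})")
    net = network_safety(DEVICES)
    print(f"whole network: {net:.1f} ({qualitative(net)})")
```

Note how the camera's six high-severity weak-password findings stop at the vulnerability cap (coefficient 75) while the HMI's single critical attack finding costs less (87): the caps are what make the "distribution" of findings matter and not only their sum.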
Example 2
As another embodiment of the present application, a terminal security access system is provided.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a terminal security access system according to the present application. The terminal security access system comprises:
the identity verification module 401 is configured to obtain network access identity information of an access device through an intelligent acquisition technology, and perform identity verification on the access terminal according to the network access identity information;
the compliance detection module 402 is configured to identify network configuration information of the access device passing the identity verification through an intelligent identification technology, and perform compliance detection on the access device according to a preset network access configuration rule and the network configuration information of the access device;
the behavior monitoring module 403 is configured to monitor the network behavior of the access device that has passed compliance detection, perform attack behavior detection, vulnerability detection and abnormal behavior detection according to the obtained behavior data, and perform access control on the access device if attack behavior or abnormal behavior of the access device is detected, or the access device does not pass vulnerability detection.
It should be noted that the above embodiment 2 is an embodiment of the apparatus of the present application, and may be used to perform the method of embodiment 1 of the present application. For details not disclosed in the device embodiments of the present application, please refer to the method embodiments of the present application.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks. These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart block or blocks and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or nonvolatile memory, etc., such as Read Only Memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, do not include transitory computer-readable media, such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (9)

1. The terminal safety access method is characterized by comprising the following steps:
acquiring network access identity information of access equipment through an intelligent acquisition technology, and performing identity verification on the access terminal according to the network access identity information;
identifying network configuration information of the access equipment passing the identity verification through an intelligent identification technology, and detecting compliance of the access equipment according to preset network configuration rules and the network configuration information of the access equipment;
and monitoring the network behavior of the access device that has passed compliance detection, performing attack behavior detection, vulnerability detection and abnormal behavior detection according to the obtained behavior data, and performing access control on the access device if attack behavior or abnormal behavior of the access device is detected, or the access device does not pass vulnerability detection.
2. The method of claim 1, wherein the step of authenticating the access terminal further comprises:
displaying an on-line identity verification page, wherein the on-line identity verification page comprises a plurality of verification mode selection controls;
receiving a triggering instruction of a user for the verification mode selection control, and acquiring the verification mode type selected by the user;
generating a verification instruction according to the verification mode type and the network access identity information of the access equipment, acquiring verification data returned by the access equipment in response to the verification instruction, and judging whether the network access identity information of the access terminal is legal or not according to the verification data.
3. The method of claim 1, wherein the step of authenticating the access terminal further comprises:
comparing the network access identity information of the access terminal with a preset inspection-free device database;
and if the network access identity information of the access terminal is matched with the inspection-free equipment information in the inspection-free equipment database, judging that the network access identity information of the access terminal is legal.
4. The method of claim 1, wherein the compliance detection of the access device comprises at least one of: admission compliance detection, software compliance detection, configuration compliance detection, anonymity detection, NAT device detection, illegal sharing detection, device access time checking, and Telnet compliance checking.
5. The method of claim 1, wherein the step of compliance detecting the access device comprises at least one of:
judging, according to a preset admittance device list, whether an unauthorized switch, an unauthorized router, an unauthorized switch port, an unauthorized network segment or an unauthorized device exists, and if so, raising an alarm or performing access control on it;
detecting the software configuration information of the terminal device, and if an access device without antivirus software, without the enterprise's compliance software, or with illegal software is found, raising an alarm or performing access control on that access device;
judging, according to preset network compliance configuration information, whether there exist terminal devices with incorrectly configured DNS, illegal DNS servers, illegal AD servers, devices that have not joined the domain, devices that have joined the domain but are not logged in to it, or Windows terminal devices with no WSUS server or a wrong WSUS server configured, and raising an alarm or performing access control on the non-compliant device;
detecting the access mode of the access device, and if an anonymous sharing server, an anonymous FTP server or an access device that illegally opens anonymous access exists, raising an alarm or performing access control on it;
detecting the network configuration mode of the access device, and if a private nested network (network-in-network) or an illegal NAT device exists within the network, raising an alarm or performing access control on it;
detecting the data sharing mode of the access device, and if an illegal network sharing server exists, raising an alarm or performing access control on it;
and acquiring the access time of the access device, and if an access device connects outside working hours, raising an alarm or performing access control on it.
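The checks of claim 5 are all comparisons of a device's observed configuration against preset rules (an admittance list and a network compliance configuration). The following added example (not the patent's own code) evaluates one device record against such a rule set and returns the non-compliance findings by category; the rule set, the device record fields, the WSUS address placeholder and the NAT heuristic (several OS fingerprints seen behind one IP) are assumptions.

```python
"""Rule-based compliance checks for the admission, software, configuration,
anonymity, NAT and access-time items of claim 5.

Added illustration, not the patent's code; the rule set, record fields and
the NAT heuristic are assumptions.
"""
import ipaddress

# Preset admittance list and network compliance configuration (constructed;
# the WSUS address is a placeholder).
RULES = {
    "authorized_switches": {"00:AA:00:00:00:01", "00:AA:00:00:00:02"},
    "authorized_segments": ["10.0.0.0/24", "10.0.1.0/24"],
    "authorized_dns": {"10.0.0.53"},
    "authorized_ad": {"10.0.0.10"},
    "wsus_server": "http://wsus.example.invalid",
    "required_software": {"corp-antivirus", "corp-agent"},
    "forbidden_software": {"p2p-client"},
    "working_hours": set(range(8, 19)),
}


def check_compliance(dev, rules=RULES):
    """Return [(check, detail), ...]; an empty list means the device is compliant."""
    findings = []
    ip = ipaddress.ip_address(dev["ip"])
    if not any(ip in ipaddress.ip_network(seg) for seg in rules["authorized_segments"]):
        findings.append(("admission", f"{dev['ip']} is outside the authorized segments"))
    if dev["switch_mac"] not in rules["authorized_switches"]:
        findings.append(("admission", f"connected via unauthorized switch {dev['switch_mac']}"))
    installed = set(dev["software"])
    missing = rules["required_software"] - installed
    if missing:
        findings.append(("software", f"missing required software {sorted(missing)}"))
    forbidden = installed & rules["forbidden_software"]
    if forbidden:
        findings.append(("software", f"forbidden software present {sorted(forbidden)}"))
    rogue_dns = set(dev["dns"]) - rules["authorized_dns"]
    if rogue_dns:
        findings.append(("configuration", f"unauthorized DNS server {sorted(rogue_dns)}"))
    if dev["ad_server"] and dev["ad_server"] not in rules["authorized_ad"]:
        findings.append(("configuration", f"unauthorized AD server {dev['ad_server']}"))
    if not dev["domain_joined"]:
        findings.append(("configuration", "device has not joined the domain"))
    elif not dev["domain_logged_in"]:
        findings.append(("configuration", "device joined the domain but is not logged in"))
    if dev["os"] == "Windows" and dev.get("wsus") != rules["wsus_server"]:
        findings.append(("configuration", "WSUS server missing or wrong"))
    if dev["anonymous_ftp"] or dev["anonymous_share"]:
        findings.append(("anonymity", "anonymous FTP or share access is enabled"))
    if dev["os_fingerprints"] > 1:  # assumed NAT / nested-network indicator
        findings.append(("nat", f"{dev['os_fingerprints']} OS fingerprints behind one IP"))
    if dev["access_hour"] not in rules["working_hours"]:
        findings.append(("access_time", f"access at hour {dev['access_hour']} is outside working hours"))
    return findings


# Constructed device records as an inventory agent might report them.
COMPLIANT = {
    "ip": "10.0.0.25", "switch_mac": "00:AA:00:00:00:01",
    "software": ["corp-antivirus", "corp-agent", "office-suite"],
    "dns": ["10.0.0.53"], "ad_server": "10.0.0.10",
    "domain_joined": True, "domain_logged_in": True,
    "os": "Windows", "wsus": "http://wsus.example.invalid",
    "anonymous_ftp": False, "anonymous_share": False,
    "os_fingerprints": 1, "access_hour": 10,
}
NONCOMPLIANT = {
    "ip": "10.0.9.7", "switch_mac": "00:BB:00:00:00:09",
    "software": ["p2p-client"],
    "dns": ["8.8.8.8"], "ad_server": "10.0.0.99",
    "domain_joined": True, "domain_logged_in": False,
    "os": "Windows", "wsus": None,
    "anonymous_ftp": True, "anonymous_share": False,
    "os_fingerprints": 3, "access_hour": 2,
}

if __name__ == "__main__":
    for label, dev in [("compliant", COMPLIANT), ("non-compliant", NONCOMPLIANT)]:
        print(label)
        for check, detail in check_compliance(dev) or [("-", "no findings")]:
            print(f"  [{check}] {detail}")
```

Each finding carries its check category so the caller can map it onto the claim's alarm-or-access-control decision per category rather than treating every violation alike.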
6. The method for secure access of a terminal according to claim 1, further comprising the steps of, after the compliance detection of the access device:
transmitting equipment verification identity information to a system administrator, wherein the equipment verification identity information comprises login user information of the access terminal, equipment group information of the access terminal and access position information;
if the confirmation information of the system administrator for the equipment verification identity information is received, judging that the access terminal is not counterfeited; and if the confirmation information of the equipment verification identity information by the system administrator is not received, judging that the access terminal is counterfeited.
7. The method for secure access of a terminal according to claim 1, wherein the step of vulnerability detection of the access device comprises:
according to a preset weak password database, simulating a manual login through a Python script, sending weak passwords for Web, SSH, TELNET and FTP applications to the access device, and checking how the access device responds to each weak password, wherein the weak password database comprises account and password dictionaries imported by the user as well as default accounts and default passwords.
8. The terminal security access method according to claim 1, wherein the step of performing abnormal behavior detection based on the obtained behavior data comprises:
constructing portrait data for the device type based on the device type of the access device (wherein the portrait data comprises the device type, IP, MAC, device name, operating system, system services, traffic characteristics and behavior characteristics), judging whether the behavior data of the access device conforms to the portrait data of its device type, and if not, raising an alarm or performing access control on the access device;
building a device connection model from the connection relationships between devices and their Internet access behavior data through a machine learning technique, judging whether the connection relationships of the access device conform to the device connection model, and if not, raising an alarm or performing access control on the access device;
and constructing an inter-device traffic behavior feature model and an Internet access traffic feature model through a machine learning technique, judging whether the traffic data of the access device in a preset time period conforms to the inter-device traffic behavior feature model and the Internet access traffic feature model, and if not, raising an alarm or performing access control on the access device.
9. A terminal security access system, comprising:
the identity verification module is used for acquiring network access identity information of the access equipment through an intelligent acquisition technology, and carrying out identity verification on the access terminal according to the network access identity information;
the compliance detection module is used for identifying the network configuration information of the access equipment passing the identity verification through an intelligent identification technology, and carrying out compliance detection on the access equipment according to a preset network access configuration rule and the network configuration information of the access equipment;
the behavior monitoring module is used for monitoring the network behavior of the access device that has passed compliance detection, carrying out attack behavior detection, vulnerability detection and abnormal behavior detection according to the obtained behavior data, and carrying out access control on the access device if attack behavior or abnormal behavior of the access device is detected, or the access device does not pass vulnerability detection.
CN202310204654.5A 2023-03-03 2023-03-03 Terminal safety access method and system Pending CN116390091A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310204654.5A CN116390091A (en) 2023-03-03 2023-03-03 Terminal safety access method and system

Publications (1)

Publication Number Publication Date
CN116390091A true CN116390091A (en) 2023-07-04

Family

ID=86972165

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination