CN116707841A - Network access control method and device, computer readable medium and electronic equipment - Google Patents


Info

Publication number: CN116707841A
Application number: CN202210175719.3A
Authority: CN (China)
Prior art keywords: access, site, cache, blocking, service
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 吴岳廷
Assignee (current and original): Tencent Technology Shenzhen Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/10 ... for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application discloses a network access control method and apparatus, a computer-readable medium and an electronic device. The method comprises: acquiring a service access request for an access site and determining the process identifier (PID) of the access process that issued the request; searching a process feature cache by that process identifier to obtain the process features of the access process; matching those process features against a blocking process cache to determine whether the access process is a blocking process, that is, a process whose network access is to be blocked; and, if the access process is not a blocking process, determining the access mode of the service access request to the access site according to a second preset access condition. The application makes obtaining the process features of the access process more efficient, makes filtering of blocking processes more efficient and makes network access control more convenient. The embodiments can be applied to scenarios such as cloud technology, artificial intelligence, intelligent transportation and assisted driving.

Description

Network access control method and device, computer readable medium and electronic equipment
Technical Field
The application belongs to the technical field of the Internet and computers, and in particular relates to a network access control method and apparatus, a computer-readable medium and an electronic device.
Background
With the development of Internet technology, the security of network access receives increasing attention. At present, network access is usually controlled by a gateway: when a network request or traffic reaches the gateway, the gateway determines whether it is safe. If the gateway judges the request or traffic to be safe, it forwards it to the corresponding destination address; if it judges that the request or traffic does not meet the forwarding requirements, which amounts to the request or traffic being unsafe, the gateway does not send it to the destination. However, a gateway typically does not inspect every request it receives but only specific network requests, and traffic that never passes through the gateway is outside its reach entirely, so the scope of gateway-based control is limited.
It should be noted that the information disclosed in the background section above is only intended to enhance understanding of the background of the application, and may therefore include information that does not constitute prior art already known to persons of ordinary skill in the art.
Disclosure of Invention
The application aims to provide a network access control method and apparatus, a computer-readable medium and an electronic device, so as to solve the problem in the related art that the control scope is limited when network access is controlled through a gateway.
Other features and advantages of the application will be apparent from the following detailed description, or may be learned by the practice of the application.
According to an aspect of an embodiment of the present application, there is provided a method for controlling network access, including:
acquiring a service access request for an access site, and determining the process identifier of the access process corresponding to the service access request;
searching a process feature cache by the process identifier of the access process to obtain the process features of the access process, the process feature cache storing the process identifiers of a plurality of processes and the process features associated with each process identifier;
matching the process features of the access process against a blocking process cache to determine whether the access process is a blocking process, that is, a process whose network access is to be blocked; the blocking process cache stores the process features of processes that meet a first preset access condition, and the first preset access condition comprises the control mode applied when the access site is a public-network site;
if the access process is not a blocking process, determining the access mode of the service access request to the access site according to a second preset access condition, the second preset access condition comprising the control mode applied when the access site is an intranet site.
According to an aspect of an embodiment of the present application, there is provided a network access control apparatus, including:
an access request acquisition module, configured to acquire a service access request for an access site and determine the process identifier of the access process corresponding to the service access request;
a process feature acquisition module, configured to search a process feature cache by the process identifier of the access process to obtain the process features of the access process, the process feature cache storing the process identifiers of a plurality of processes and the process features associated with each process identifier;
a process feature matching module, configured to match the process features of the access process against a blocking process cache to determine whether the access process is a blocking process; the blocking process cache stores the process features of processes that meet a first preset access condition, and the first preset access condition comprises the control mode applied when the access site is a public-network site;
an access mode determining module, configured to determine, if the access process is not a blocking process, the access mode of the service access request to the access site according to a second preset access condition, the second preset access condition comprising the control mode applied when the access site is an intranet site.
In one embodiment of the application, the apparatus further comprises a process feature cache construction module, configured to acquire the process identifiers of a plurality of first processes and the process features of each first process, a first process being a process that has been created and has not exited on the terminal device that initiates the service access request, and to store each process identifier together with the process features of the corresponding first process in the form of a doubly linked list, forming the process feature cache.
In one embodiment of the present application, the process feature cache construction module is specifically configured to: when the kernel layer of the terminal device detects that a process has been created, take the newly created process as a first process and acquire its process identifier; and obtain the process features of the first process according to its process identifier and the locally cached process features loaded by the application layer of the terminal device.
In one embodiment of the present application, the process feature cache construction module is further configured to: determine the key feature of the first process according to its process identifier; search the locally cached process features by that key feature to determine whether the process features of the first process are present in the local cache; if the local cache contains a cached feature equal to the key feature of the first process, take the process features associated with that cached feature as the process features of the first process; and if it does not, obtain the process features of the first process through the application layer.
In one embodiment of the present application, the first preset access condition includes a process blocking rule, and the apparatus further comprises:
a blocking process cache construction module, configured to acquire the process identifier and process features of a second process, a second process being a process created on the terminal device that initiates the service access request, and, if the process features of the second process meet the process blocking rule, to store the process identifier and process features of the second process in the form of a doubly linked list, forming the blocking process cache.
In one embodiment of the present application, the second preset access condition includes a direct access condition, a proxy access condition and a forced authentication access condition, and the access mode determining module comprises:
a direct access unit, configured to send the service access request to the access site through the proxy client if the service access request meets the direct access condition;
a proxy access unit, configured to send the service access request to the access site through a gateway if the service access request meets the proxy access condition;
and a forced authentication access unit, configured to send the service access request to the access site through a gateway, after the access process has passed a security check, if the service access request meets the forced authentication access condition.
In one embodiment of the present application, the proxy access unit is specifically configured to: have the proxy client send a credential acquisition request for the service access request to the client that initiated the request, so that the client returns an access credential obtained from the corresponding server on the basis of the credential acquisition request; and have the proxy client forward the access credential together with the service access request to the gateway, so that the gateway sends the service access request to the access site once the access credential has been verified.
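The two-stage decision summarized above, written out as an added C example (this is not code from the patent or from Tencent): a process feature cache searched by PID, a blocking process cache that is matched by process features rather than by PID, and the choice between direct, proxy and forced-authentication access for requests that survive the block check. The sample processes, the blocking rule (unsigned binaries are blocking processes), the intranet naming scheme (*.corp.example is intranet; ops./dev. hosts and SSH require forced authentication) and the fail-closed handling of a PID that is missing from the feature cache are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Process features as kept in the process feature cache (constructed sample;
 * a real cache is filled when the kernel sees each process being created). */
typedef struct {
    unsigned    pid;
    const char *name;     /* image file name */
    const char *signer;   /* code-signing subject, NULL if unsigned */
    const char *version;
} proc_feature;

static const proc_feature feature_cache[] = {
    { 1204, "chrome.exe",  "Google LLC",        "110.0.5481" },
    { 3380, "curl.exe",    NULL,                "7.85.0"     },
    { 4412, "svchost.exe", "Microsoft Windows", "10.0.19041" },
    { 5120, "scp.exe",     NULL,                "8.9"        },
};
#define N_FEATURES (sizeof feature_cache / sizeof feature_cache[0])

/* Step 220: search the process feature cache by PID. */
static const proc_feature *lookup_features(unsigned pid)
{
    for (size_t i = 0; i < N_FEATURES; i++)
        if (feature_cache[i].pid == pid)
            return &feature_cache[i];
    return NULL;
}

/* Process blocking rule of the first preset access condition. The rule is an
 * assumption for this example: unsigned binaries are blocking processes. */
static bool process_block_rule(const proc_feature *f)
{
    return f->signer == NULL;
}

/* Blocking process cache: features of every process that matched the rule
 * when it was created. Built once here; matched by (name, signer). */
static const proc_feature *block_cache[N_FEATURES];
static size_t n_blocked;
static bool   block_cache_built;

static void build_block_cache(void)
{
    n_blocked = 0;
    for (size_t i = 0; i < N_FEATURES; i++)
        if (process_block_rule(&feature_cache[i]))
            block_cache[n_blocked++] = &feature_cache[i];
    block_cache_built = true;
}

static bool same_str(const char *a, const char *b)
{
    if (a == NULL || b == NULL) return a == b;
    return strcmp(a, b) == 0;
}

/* Matching by features rather than by PID means a re-spawned copy of a
 * blocked program, which gets a fresh PID, is still recognised. */
static bool is_blocking_process(const proc_feature *f)
{
    if (!block_cache_built) build_block_cache();
    for (size_t i = 0; i < n_blocked; i++)
        if (same_str(block_cache[i]->name, f->name) &&
            same_str(block_cache[i]->signer, f->signer))
            return true;
    return false;
}

typedef enum {
    MODE_DENY_UNKNOWN,  /* PID not in the feature cache: fail closed (assumption) */
    MODE_BLOCKED,       /* access process is a blocking process */
    MODE_DIRECT,        /* public site, allowed process: proxy client sends directly */
    MODE_PROXY,         /* intranet site: forwarded through the gateway with a credential */
    MODE_FORCED_AUTH    /* sensitive intranet site: gateway only after a security check */
} access_mode;

/* Second preset access condition, with an assumed intranet layout. */
static bool is_intranet_site(const char *host)
{
    static const char suffix[] = ".corp.example";
    size_t lh = strlen(host), ls = sizeof suffix - 1;
    return lh > ls && strcmp(host + lh - ls, suffix) == 0;
}

static bool needs_forced_auth(const char *host, unsigned dport)
{
    return strncmp(host, "ops.", 4) == 0 || strncmp(host, "dev.", 4) == 0 || dport == 22;
}

/* The whole decision for one service access request: destination host and
 * port, plus the PID resolved from the source port and access application. */
static access_mode decide_access(const char *host, unsigned dport, unsigned pid)
{
    const proc_feature *f = lookup_features(pid);
    if (f == NULL)                      return MODE_DENY_UNKNOWN;
    if (is_blocking_process(f))         return MODE_BLOCKED;
    if (!is_intranet_site(host))        return MODE_DIRECT;
    if (needs_forced_auth(host, dport)) return MODE_FORCED_AUTH;
    return MODE_PROXY;
}

int main(void)
{
    static const char *names[] = { "deny-unknown", "blocked", "direct", "proxy", "forced-auth" };
    struct { const char *host; unsigned dport, pid; } reqs[] = {
        { "www.example.com",   443, 1204 },
        { "www.example.com",   443, 3380 },
        { "wiki.corp.example", 443, 1204 },
        { "ops.corp.example",   22, 4412 },
        { "wiki.corp.example", 443, 5120 },
        { "wiki.corp.example", 443, 9999 },
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("pid %u -> %s:%u : %s\n", reqs[i].pid, reqs[i].host, reqs[i].dport,
               names[decide_access(reqs[i].host, reqs[i].dport, reqs[i].pid)]);
    return 0;
}
```

The credential exchange of the proxy access unit (proxy client, application client, server, gateway) is not modelled; MODE_PROXY only marks where it would start. Note the suffix check rejects "corp.example" itself and "evil.corp.example.com", which a plain substring match would not.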
According to an aspect of the embodiments of the present application, there is provided a computer-readable medium having stored thereon a computer program which, when executed by a processor, implements a method of controlling network access as in the above technical solutions.
According to an aspect of an embodiment of the present application, there is provided an electronic apparatus including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the method of controlling network access as in the above claims via execution of the executable instructions.
According to an aspect of embodiments of the present application, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the control method of network access as in the above technical solution.
In the technical solution provided by the embodiments of the application, the process features are obtained by searching the process feature cache with the process identifier of the access process corresponding to the service access request. Because the features in the cache were computed in advance, they do not need to be computed when the request arrives, which makes obtaining the process features of the access process more efficient. Matching the process features against the blocking process cache quickly determines whether the access process is a blocking process that meets the first preset access condition; this makes filtering of blocking processes more efficient and, when many access processes are pending (that is, when network traffic is heavy), effectively reduces access latency. Finally, the service access request is further judged against the second preset access condition, so that control of public-network access and control of intranet access are unified and network access control becomes more convenient.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application. It is evident that the drawings in the following description are only some embodiments of the present application and that other drawings may be obtained from these drawings without inventive effort for a person of ordinary skill in the art.
Fig. 1 schematically shows a block diagram of an exemplary system architecture to which the technical solution of the present application is applied.
Fig. 2 schematically shows a flowchart of a method for controlling network access according to an embodiment of the present application.
Fig. 3A shows how an access site blocking rule is set according to an embodiment of the present application.
Fig. 3B shows how a process blocking rule is set according to an embodiment of the present application.
Fig. 3C shows the detailed settings page for a process blocking rule provided by an embodiment of the present application.
Fig. 4 schematically shows a system architecture diagram to which the technical solution provided by the embodiment of the present application is applied.
Fig. 5A shows a schematic diagram of a gateway configuration for executing a zero-trust access control policy according to an embodiment of the present application.
Fig. 5B shows a schematic configuration diagram of a trusted application and service system (intranet site) provided by an embodiment of the present application.
Fig. 5C shows a detailed page diagram of a service system configuration provided by an embodiment of the present application.
Fig. 5D shows a schematic configuration diagram of a service system and an associated gateway according to an embodiment of the present application.
Fig. 6 schematically shows a block diagram of a network access control device according to an embodiment of the present application.
Fig. 7 schematically shows a block diagram of a computer system suitable for use in implementing embodiments of the application.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the application. One skilled in the relevant art will recognize, however, that the application may be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known methods, devices, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the application.
The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, the functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow diagrams depicted in the figures are exemplary only, and do not necessarily include all of the elements and operations/steps, nor must they be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the order of actual execution may be changed according to actual situations.
Fig. 1 schematically shows a block diagram of an exemplary system architecture to which the technical solution of the present application is applied.
As shown in fig. 1, system architecture 100 may include a terminal device 110, a network 120, and a server 130. Terminal device 110 may include, but is not limited to, a smart phone, tablet, notebook, desktop computer, smart speaker, smart watch, smart voice interaction device, smart home appliance, vehicle terminal, aircraft, and the like. The server 130 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, basic cloud computing services such as big data and artificial intelligence platforms, and the like. Network 120 may be a communication medium of various connection types capable of providing a communication link between terminal device 110 and server 130, and may be, for example, a wired communication link or a wireless communication link.
The system architecture in embodiments of the present application may have any number of terminal devices, networks, and servers, as desired for implementation. For example, the server 130 may be a server group composed of a plurality of server devices. The technical solution provided in the embodiment of the present application may be applied to the terminal device 110, or may be applied to the server 130, or may be implemented by the terminal device 110 and the server 130 together, which is not limited in particular.
For example, the network access control method provided by the embodiment of the present application is implemented by the terminal device 110. When it detects that a service access request has been initiated, the terminal device 110 acquires the service access request and determines the process identifier of the corresponding access process. The terminal device 110 then searches the process feature cache by that process identifier to obtain the process features of the access process; the process feature cache stores the process identifiers of a plurality of processes and the process features associated with them. Next, the terminal device 110 matches the process features of the access process against the blocking process cache to determine whether the access process is a blocking process; the blocking process cache stores the process features of processes that meet the first preset access condition, which comprises the control mode applied when the access site is a public-network site. Finally, if the access process is not a blocking process, the terminal device 110 determines the access mode of the service access request to the access site according to the second preset access condition, which comprises the control mode applied when the access site is an intranet site.
The method for controlling network access provided by the application is described in detail below with reference to the specific embodiments.
Fig. 2 schematically illustrates a flowchart of a method for controlling network access according to an embodiment of the present application, which may be applied to various scenarios, including, but not limited to, cloud technology, artificial intelligence, intelligent transportation, assisted driving, etc. As shown in fig. 2, the method includes steps 210 to 240, specifically as follows:
step 210, acquiring a service access request for accessing a site, and determining a process identifier of an access process corresponding to the service access request.
Specifically, the access site is the party being accessed, that is, the final receiver of the service access request. It may be an enterprise intranet service resource, data, a development or test environment, an operations and maintenance environment and so on, and may also be called the access object. The party that initiates the access is called the access subject; it may be an entity formed from a single account, device or application, or from a combination of these. When it needs to communicate with an access site, the access subject initiates a service access request (also referred to as traffic) to that site.
A process is the running activity of a program on a certain data set in an electronic device and is the basic execution entity of program code. When a service access request is initiated, the process that executes the request is the access process. The process identifier (PID), also called the process ID, is the number assigned to a process; every live process has a unique, non-negative process ID. Note that the operating system may reuse a PID once the process holding it has exited, so a PID identifies a process only for as long as that process is alive.
In one embodiment of the application, the service access request comprises five-tuple information: source IP address or domain name, source port, destination IP address or domain name, destination port, and access application. (This differs from the conventional network five-tuple, whose fifth element is the transport protocol rather than the application.) The source IP address or domain name is that of the access subject or of the device on which it resides, and the source port is the port that the access subject or its device occupies while executing the service access request. The destination IP address or domain name is that of the access site or of the device on which it resides, and the destination port is the port that the access site or its device occupies while receiving the request. The access application is the application program that initiates the service access request; for example, when the access subject is an account, the access application is the application client on which that account is logged in, and the client may be installed on a terminal device.
In one embodiment of the application, after the device on which the access subject resides obtains the service access request, it determines the corresponding access process from the source port and the access application in the request, and then obtains the process identifier of that access process.
In one embodiment of the application, a proxy client that manages access security is deployed on the device where the access subject resides. When the access subject initiates a service access request for an access site through an application client (referred to below simply as the application client), the proxy client acquires the service access request and the process identifier of the corresponding access process, and executes the network access control method provided by the embodiments of the application.
Step 220, searching in a process characteristic cache according to the process identifier of the access process to obtain the process characteristic corresponding to the access process; the process feature cache is used for storing process identifications of a plurality of processes and process features associated with the process identifications.
Specifically, process features are information related to a process, such as its description, process name, code signature, version number and copyright information. Of these, only the code signature is hard to forge; the name, description, version and copyright strings are written by whoever builds the executable, so a blocking rule keyed on those strings alone can be evaded by rebuilding or renaming a binary. The process features are stored in a process feature cache, which is recorded in advance on the device where the access subject resides and contains the process identifiers of a plurality of processes together with the process features associated with them; for ease of distinction below, the process identifiers in the cache are called cached process identifiers and the features in it cached process features. When the process feature cache is searched, if it contains a cached process identifier equal to the process identifier of the access process, the process features of the access process were stored in advance, and the cached process features associated with that cached identifier are the process features of the access process.
In one embodiment of the present application, the process feature cache is created as follows: the process identifiers of a plurality of first processes and the process features of each of them are acquired, a first process being a process that has been created and has not exited on the terminal device that initiates the service access request; each process identifier is then stored together with the process features of the corresponding first process in the form of a doubly linked list, forming the process feature cache.
Specifically, the process feature cache stores the process features of all processes on the requesting terminal device that are currently created and have not exited. "Created and not exited" is a process state meaning that the process has been created and is executing or waiting to execute, whereas an exited process is one that has finished executing or has been terminated. A process that has been created and has not exited is recorded as a first process, and its process identifier and process features are stored in a doubly linked list structure to form the process feature cache.
One node of the linked list holds the process identifier and process features of one process. Each node in a doubly linked list carries two pointers, to its direct successor and its direct predecessor, so from any node both neighbours can be reached and a node can be inserted or unlinked in constant time; looking a process up by identifier, however, still means walking the list, so that cost grows with the number of live processes. The doubly linked list in the embodiment of the application may be the LIST_ENTRY doubly linked list structure of the Windows kernel.
In one embodiment of the application, the process feature cache is updated continuously, so it is effectively a dynamic cache. When the creation of a new process on the device is detected, the newly created process is taken as a first process and a node recording its process identifier and process features is added to the doubly linked list. When a process recorded in the cache is detected to be exiting, the node recording that first process is deleted from the doubly linked list, that is, its process identifier and process features are removed from the process feature cache. This dynamic updating keeps the process feature cache holding exactly the process identifiers and process features of the first processes, and deleting on exit also prevents a later process that is assigned the same PID from inheriting the features of the one that exited. Because creation and exit notifications and cache lookups run on different threads, access to the list has to be serialized with a lock.
In one embodiment of the present application, the process of obtaining the process characteristics specifically includes: when a core layer of the terminal equipment detects that a process is created, acquiring a process identifier of a first process; and acquiring the process characteristics corresponding to the first process according to the process identification of the first process and the local cache process characteristics loaded by the application layer of the terminal equipment.
Specifically, the privilege levels of the CPU (Central Processing Unit) of the electronic device have 4 levels: Ring0, Ring1, Ring2 and Ring3; the greater the number, the lower the privilege. Windows generally uses only Ring0 and Ring3: Ring0 is used only by the operating system and is called the core layer or Ring0 layer; Ring3, also known as the application layer or Ring3 layer, is available to applications.
When the core layer detects that a process is created, the newly created process is a created process that has not yet exited, i.e. a first process, and its process identifier is acquired. In one embodiment of the present application, the core layer detects process creation and exit through the API (Application Programming Interface) function PsSetCreateProcessNotifyRoutineEx provided by the WDK (Windows Driver Kit); by registering a callback function it receives notification of the creation and exit of all processes on the device.
Specifically, when a new process is created, the callback function can obtain the process object, the process ID and the process characteristics of the new process through its parameter of type PPS_CREATE_NOTIFY_INFO, such as the parent process ID of the new process, the process ID (CreatingThreadId->UniqueProcess) and thread ID (CreatingThreadId->UniqueThread) of the new process, the file object of the executable file corresponding to the new process, the absolute path of the exe file, the command line parameters of the process creation, the creation status (a status flag that can control whether the process is allowed to be created), and so on. When a process is detected to be about to exit (i.e. a first process is about to exit), the process ID of the exiting process can be obtained from the callback's HANDLE-type parameter, and its process object from the PEPROCESS-type parameter, which is a pointer to the process object of the exiting process.
After the process identifier of the first process is obtained, the process characteristics of the first process are obtained according to the process identifier and the local cache process features loaded by the application layer. This happens in two situations: when the process feature cache is created for the first time, and when the process feature cache is updated.
When the process feature cache is created for the first time, the core layer sends the process information of the first process (such as the process ID, the process name and the converted absolute path of the process) to the application layer, and the application layer obtains the process characteristics of the first process from this information, such as the latest modification time, description information, size and copyright information of the process executable file, the version number of the process, signature information and so on. For example, the application layer calculates the latest modification time (updated time) of the process executable file from the process ID and the absolute path (procpath) of the process, and obtains the version number (filer), the description information (filedate) of the process executable file, its size (filesize) and its copyright information (copyright) from the absolute path (procpath). The application layer may also calculate a digest (MD5 value) and other hash values (e.g. SHA256) of the process from the absolute path (procpath), as well as the signer name (sign_issuer) in the digital signature of the process executable and a local signature verification result (sign_check_rst). The local signature verification result is one of: digital signature verification passed (sign_check_pass), digital signature verification failed (sign_check_failed), digital signature verification timed out (sign_check_timeout), process has no digital signature (proc_no_sign_info).
All the process characteristics of the first process can be obtained through communication between the application layer and the core layer, and the process characteristics are stored in association with the process ID in the doubly linked list constructed by the core layer, forming the process feature cache.
When the process feature cache is updated, the process features that were successfully calculated before the update are stored on the local device as the local cache process features, and obtaining the process features of a first process then comprises: determining the key features of the first process according to its process identifier; searching the local cache process features by those key features to determine whether the process features of the first process are already present; if a cache feature identical to the key features of the first process exists in the local cache process features, taking the process features corresponding to that cache feature as the process features of the first process; otherwise, obtaining the process features of the first process through the application layer.
Specifically, when the core layer detects that a process is created, it calculates the key features from the process identifier of the first process and sends them to the application layer; the key features can be one or more process features of the first process. When the services of the application layer start, the application layer first loads the local cache process features. When the application layer receives the key features sent by the core layer, it searches the loaded local cache process features by those key features to determine whether the process features of the first process are present; for ease of distinction, the process features within the local cache process features are called cache features.
When a cache feature identical to the key features exists in the local cache process features, the process features of the first process have already been calculated (that is, the first process is a previously seen process), and the cache features in the local cache process features are stored directly into the process feature cache as its process features, without recalculation. If no cache feature identical to the key features exists, the process features of the first process have not been calculated yet, and the application layer must calculate them; the calculation is the same as described above for the first creation of the process feature cache.
In one embodiment of the present application, the key features may be the absolute path of the process file of the first process and its latest modification time: when neither the absolute path nor the latest modification time has changed, the process is considered unchanged, so the cache feature in the local cache process features can be taken as the process feature of the process. The local cache process features allow process features to be obtained by data matching when the process feature cache is updated, so that the process features need not be recalculated for every process; this reduces the amount of computation and improves the efficiency of constructing and updating the process feature cache.
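The local-cache lookup keyed on (absolute path, latest modification time) and the create/exit maintenance of the process feature cache described above, as an added Python example that is not part of the patent; the dict-based cache standing in for the kernel list, the fake_compute stand-in for the application layer and the sample paths are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Key feature used to decide whether an executable is unchanged:
# (absolute path, latest modification time), as described above.
KeyFeature = Tuple[str, float]


@dataclass
class ProcessFeatures:
    """Subset of the features the application layer computes for one executable."""
    procpath: str
    updated_time: float
    filesize: int
    md5: str
    sign_check_rst: str  # "sign_check_pass", "sign_check_failed", ... as on the page


class ProcessFeatureCache:
    """Process identifier -> process features, mirroring the kernel-side cache.

    The kernel keeps this as a LIST_ENTRY doubly linked list; a dict keyed by PID
    is used here (assumption) because insertion and deletion by PID is all that
    the create/exit callbacks need.
    """

    def __init__(self, local_cache: Dict[KeyFeature, ProcessFeatures],
                 compute: Callable[[str, float], ProcessFeatures]) -> None:
        self._local_cache = local_cache  # local cache process features from an earlier run
        self._compute = compute          # application-layer feature calculation
        self._by_pid: Dict[int, ProcessFeatures] = {}
        self.computations = 0            # how often the expensive path was taken

    def on_process_create(self, pid: int, procpath: str,
                          updated_time: float) -> ProcessFeatures:
        """Core layer reports a new first process: reuse the local cache when the
        key features match, otherwise calculate and persist the features."""
        key: KeyFeature = (procpath, updated_time)
        features = self._local_cache.get(key)
        if features is None:
            features = self._compute(procpath, updated_time)
            self.computations += 1
            self._local_cache[key] = features
        self._by_pid[pid] = features      # add the node for this PID
        return features

    def on_process_exit(self, pid: int) -> None:
        """Core layer reports that a first process exited: delete its node."""
        self._by_pid.pop(pid, None)

    def lookup(self, pid: int) -> Optional[ProcessFeatures]:
        """Features of an access process, found by its process identifier."""
        return self._by_pid.get(pid)


def fake_compute(procpath: str, updated_time: float) -> ProcessFeatures:
    """Stand-in for the application layer's hashing and signature check (constructed values)."""
    digest = hashlib.md5(f"{procpath}:{updated_time}".encode()).hexdigest()
    signed = "unsigned" not in procpath.lower()
    return ProcessFeatures(procpath, updated_time, filesize=len(procpath) * 1024, md5=digest,
                           sign_check_rst="sign_check_pass" if signed else "proc_no_sign_info")


def demo() -> ProcessFeatureCache:
    """Three creations of the same executable: only the changed binary is recomputed."""
    cache = ProcessFeatureCache(local_cache={}, compute=fake_compute)
    cache.on_process_create(100, r"C:\apps\abc.exe", 1700000000.0)  # first seen: computed
    cache.on_process_create(101, r"C:\apps\abc.exe", 1700000000.0)  # same key: reused
    cache.on_process_exit(100)                                       # node removed
    cache.on_process_create(102, r"C:\apps\abc.exe", 1700005000.0)  # newer mtime: recomputed
    return cache
```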
Step 230, matching in the blocking process cache according to the process characteristics of the access process to determine whether the access process is a blocking process; the blocking process cache is used to store the process characteristics of the processes meeting the first preset access condition, and the first preset access condition comprises the control mode applied when the access site is a public network site.
Specifically, the blocking process cache stores the process characteristics of the processes meeting the first preset access condition; such processes are called blocking processes, so the blocking process cache stores the process characteristics of the existing blocking processes. Matching the process characteristics of the access process in the blocking process cache means determining whether the cache stores process characteristics identical to those of the access process, and thereby whether the access process is a blocking process, i.e. a process that must be prevented from executing. When the access process is judged to be a blocking process, it is not allowed to execute, and the service access request corresponding to the access process is prevented from being sent to the access site.
In one embodiment of the present application, the blocking process cache already stores the process characteristics of every process judged to be a blocking process. When the access process is judged, its process characteristics are compared with the process characteristics of each blocking process in the blocking process cache: if a blocking process whose process characteristics are identical to those of the access process exists in the cache, the access process is a blocking process; if the process characteristics of every blocking process in the cache differ from those of the access process, the access process is not a blocking process.
The first preset access condition is the access control mode for public network sites. The public network is a wide area network connected to the Internet through a modem dial-up or a leased line, or through a VPN (Virtual Private Network), a router and the like; computers on the public network and other computers on the Internet can access each other freely. The counterpart of the public network is the intranet, also called a local area network (LAN), which is a computer communication network formed by interconnecting computers, external devices, databases and the like within a limited geographical range (such as a school, a factory or an institution, generally within a few kilometers). In general, since the public network is less restricted, the gateway performs security checks on service access requests to the intranet but not on service access requests to the public network.
In one embodiment of the application, the first preset access condition includes an access site blocking rule and a process blocking rule. The access site blocking rule is set through a blacklist or a whitelist of access sites; the two are mutually exclusive, so if one of them is set the other is not, and vice versa. The blacklist of access sites is the list of public network sites the access subject is prohibited from accessing, and public network sites not on the blacklist may be accessed by the access subject. The whitelist of access sites is the list of the only public network sites the access subject is allowed to access, and public network sites not on the whitelist are prohibited. Illustratively, the access site blocking rule is set as shown in fig. 3A: a blacklist or whitelist is selected with button 301 of fig. 3A, and a specific rule is added with button 302. In fig. 3A the access site blocking rule is an access site blacklist containing two access sites with the HOST addresses ".abc.com" and "www.test.com".
Similarly, the process blocking rule is set through a blacklist or a whitelist of processes, and only one of the two is used. The process blacklist means the access subject is prohibited from accessing the corresponding access site with a process on the blacklist, and may do so with a process not on the blacklist. The process whitelist means the access subject may access the corresponding access site only with a process on the whitelist, and is prohibited from doing so with a process not on the whitelist. Illustratively, the process blocking rule is set as shown in fig. 3B and 3C: a process whitelist or blacklist is selected with button 303 of fig. 3B (a process blacklist is selected in the example of fig. 3B), and a specific rule is added with button 304 of fig. 3B. The process characteristics of the processes on the blacklist (i.e. the specific rule contents) are set in fig. 3C, where a specific process characteristic is added with button 305; for example, the process characteristics are "process name equals abc" and "process signature contains abc".
In one embodiment of the present application, the access site blocking rules and the process blocking rules may be configured individually or in combination. For example, it may be configured to prohibit only processes (process whitelist) outside a certain range from accessing certain public network sites (access site blacklist), or it may be configured to prohibit processes (process blacklist) within a certain range from accessing public network sites (access site whitelist) that do not meet a certain feature.
In the embodiment of the present application, a process conforming to the first preset access condition is a process determined to be a blocking process according to the process blocking rule. When the process blocking rule is a process blacklist, the processes indicated by the blacklist are blocking processes. When the process blocking rule is a process whitelist, the processes that do not match those indicated by the whitelist are blocking processes.
In one embodiment of the application, the blocking process cache creation is synchronized with the process feature cache creation. The process for creating the blocking process cache comprises the following steps: acquiring a process identifier and a process characteristic of a second process, wherein the second process is a process which is established in terminal equipment for initiating a service access request; if the process characteristics of the second process accord with the process blocking rule, storing the process identification and the process characteristics of the second process based on the form of a double linked list to form a blocking process cache.
Specifically, the data storage structure of the blocking process cache is the same as that of the process feature cache, a doubly linked list. First, the process identifier and process characteristics of the second process are acquired; the second process is any process that has been created in the terminal device, regardless of whether it has exited, so in some cases a second process is also a first process, for example a newly created process is both. The process characteristics of the second process are then matched against the process blocking rule to determine whether it is a blocking process; if so, its process identifier and process characteristics are stored in a node of the doubly linked list. It should be noted that the processes in the blocking process cache are in the created state regardless of whether they have exited, that is, the blocking process cache may include processes that have not yet exited (first processes) as well as processes that have already exited.
In one embodiment of the application, when a process blocking rule is updated, the blocking process cache needs to be updated synchronously. For example, a process is determined to be a blocking process before the process blocking rule is updated, and stored in the blocking process cache. After the process blocking rule is updated, the process is no longer a blocking process, and the blocking process cache deletes the process feature of the process.
In one embodiment of the present application, the method further includes determining, according to the access site blocking rule, whether the access site corresponding to the service access request is a blocked access site. When the access site blocking rule is an access site blacklist, the access site is a blocked access site if it is on the blacklist. When the access site blocking rule is an access site whitelist, the access site is a blocked access site if it is not on the whitelist. When the access site is a blocked access site, the service access request is blocked. The step of judging the blocked access site may be performed together with the step of judging, according to the blocking process cache, whether the access process is a blocking process, or before or after it.
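The process blocking rule, the blocking process cache built and updated from it, and the access site blocking rule described above, as an added Python example that is not code from the patent; the predicate form of the rule entries, the reading of ".abc.com" as "abc.com and its subdomains", the PID-keyed dict and the sample processes are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ProcFeatures:
    """The two process characteristics the rules in fig. 3C refer to (constructed)."""
    name: str
    signature: str   # signer name, "" when the process has no digital signature


# A rule entry is a predicate over the process characteristics,
# e.g. "process name equals abc" or "process signature contains abc".
Predicate = Callable[[ProcFeatures], bool]


def name_equals(value: str) -> Predicate:
    return lambda f: f.name == value


def signature_contains(value: str) -> Predicate:
    return lambda f: value in f.signature


@dataclass
class ProcessBlockingRule:
    mode: str                  # "blacklist" or "whitelist"; only one of them is set
    entries: List[Predicate]

    def is_blocking(self, f: ProcFeatures) -> bool:
        listed = any(p(f) for p in self.entries)
        # blacklist: listed processes are blocking; whitelist: unlisted ones are.
        return listed if self.mode == "blacklist" else not listed


@dataclass
class SiteBlockingRule:
    mode: str
    hosts: List[str]           # ".abc.com" is read as abc.com plus any subdomain (assumption)

    def _listed(self, host: str) -> bool:
        host = host.lower()
        for entry in self.hosts:
            entry = entry.lower()
            if entry.startswith("."):
                if host == entry[1:] or host.endswith(entry):
                    return True
            elif host == entry:
                return True
        return False

    def is_blocked(self, host: str) -> bool:
        listed = self._listed(host)
        return listed if self.mode == "blacklist" else not listed


class BlockingProcessCache:
    """Characteristics of every created process (exited or not) that matched the rule."""

    def __init__(self, rule: ProcessBlockingRule) -> None:
        self._rule = rule
        self._entries: Dict[int, ProcFeatures] = {}   # PID -> characteristics

    def on_process_create(self, pid: int, f: ProcFeatures) -> None:
        """Second process created: store it only when it is a blocking process."""
        if self._rule.is_blocking(f):
            self._entries[pid] = f

    def update_rule(self, rule: ProcessBlockingRule) -> None:
        """Rule changed: drop entries that are no longer blocking processes."""
        self._rule = rule
        self._entries = {pid: f for pid, f in self._entries.items() if rule.is_blocking(f)}

    def is_blocking(self, f: ProcFeatures) -> bool:
        """Step 230: the access process is blocking if identical characteristics are cached."""
        return any(cached == f for cached in self._entries.values())

    def __len__(self) -> int:
        return len(self._entries)


def first_condition(cache: BlockingProcessCache, site_rule: SiteBlockingRule,
                    access_proc: ProcFeatures, host: str) -> str:
    """Outcome of the public-network control mode for one service access request."""
    if cache.is_blocking(access_proc):
        return "block:process"
    if site_rule.is_blocked(host):
        return "block:site"
    return "pass"
```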
In one embodiment of the application, the process feature cache and the blocking process cache may also be embodied in the form of a database, for example, where the process features or blocking processes are stored in a relational database. The Database (Database), which can be considered as an electronic filing cabinet, is a place for storing electronic files, and users can perform operations such as adding, inquiring, updating, deleting and the like on the data in the files. A "database" is a collection of data stored together in a manner that can be shared with multiple users, with as little redundancy as possible, independent of the application.
The database management system (Database Management System, DBMS) is computer software designed to manage databases, and generally provides basic functions such as storage, retrieval, security and backup. A DBMS may be classified according to the database model it supports, e.g. relational or XML (Extensible Markup Language); by the type of computer supported, e.g. server cluster or mobile phone; by the query language used, e.g. SQL (Structured Query Language) or XQuery; by the performance emphasis, e.g. maximum scale or maximum operating speed; or by other schemes. Whatever classification is used, some DBMSs span categories, for example by supporting multiple query languages simultaneously.
Step 240, if the access process is not a blocking process, determining an access mode of the service access request to the access site according to a second preset access condition; the second preset access condition comprises a control mode when the access site is an intranet site.
Specifically, if the access process is not a blocking process, it indicates that the service access request has passed through the judgment of the access control mode of the public website, and then further judges the service access request according to the second preset access condition aiming at the management mode of the intranet website, so as to determine the access mode of the service access request to the access website.
A service access request can access the site in three ways: direct access, proxy access, and access after mandatory authentication. Direct access means the service access request is sent directly to the access site through the proxy client of the access subject, and the response data of the access site is received through the client. Proxy access means the service access request is forwarded to the access site through the gateway, and the response data of the access site is forwarded to the client through the gateway. Access after mandatory authentication means a real-time security check (such as SMS verification or face verification) is performed on the access subject that initiated the service access request, and once the check passes the service access request is sent to the access site in the proxy access mode.
In one embodiment of the present application, the second preset access condition includes a direct access condition, a proxy access condition and a mandatory authentication access condition, corresponding respectively to the three ways in which a service access request can access the site. Determining the sending mode of the service access request according to the second preset access condition then includes: if the service access request meets the direct access condition, sending it to the access site through the proxy client; if it meets the proxy access condition, sending it to the access site through the gateway; and if it meets the mandatory authentication access condition, sending it to the access site through the gateway after the access subject passes the security check.
In one embodiment of the application, the second preset access condition is a zero trust access control policy. The zero-trust access control strategy consists of process information (trusted application) which can be used by the account, accessible intranet sites (reachable areas), equipment information, login account information, protocol types corresponding to service access requests and the like, and under the condition that the zero-trust access control strategy is met, the account can access any intranet site through any one trusted application. The granularity of the zero-trust access control policy is a login account, allowing different zero-trust policies to be formulated for different login accounts.
In the zero-trust access control policy, intranet sites, login accounts, trusted applications, devices, etc. may be configured. When the intranet site is configured, the name, the category (domain name class, IP class or IP section) of the intranet site, the domain name or IP of the specific intranet site, ports (including a specified port list or all ports), the grouping of the intranet site, the protocol type (transport layer protocol in a network protocol stack) and the like can be configured. When setting the login account, the login account name, the login account ID, and the like may be configured. The trusted application is an application program carrier of the internal service system, wherein the application program carrier comprises an application program name, an application program MD5, signature information and the like, and the management and control mode of the trusted application can be configured by configuring the trusted application attribute, and the trusted application attribute comprises a process name (application name), copyright information, signature information and the like. The device is a terminal device that initiates a service access request and is identifiable by a device unique identifier.
Based on the above configuration of the zero-trust access control policy, the direct access condition, the proxy access condition and the mandatory authentication access condition may each be any combination of these configuration items. For example, when the application that initiated the service access request is a trusted application, the proxy access condition is used; when the access site corresponding to the service access request is a specific intranet site, the mandatory authentication access condition is used; in other cases the direct access condition is used.
In one embodiment of the present application, the zero-trust access control policy is a static access control rule, and the second preset access condition may be set together with dynamic factors such as a terminal environment state, compliance detection, a specific network area, an access frequency of an account for an intranet, an access time period, and the like based on the zero-trust access control policy. For example, after compliance detection is passed (i.e., the device is determined to be a compliant device), when the application that initiated the service access request is a trusted application, a proxy access condition is used; when an access subject of a service access request is in a specific network area, using a direct access condition; when the service access request is initiated in a specific time period and the access site is a specific intranet site (e.g. the access site is a payroll system), a forced authentication access condition is used; when the access frequency of the account to the intranet is too high in a period of time, blocking access is carried out, wherein blocking access refers to blocking operation on a service access request, and the service access request cannot be sent to an access site.
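The combination of the static zero-trust policy with the dynamic factors listed above (compliance, network area, time period and site, access frequency), as an added Python example that is not from the patent; the priority order between the conditions, the CIDR form of the network area and the sample policy values are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set

DIRECT, PROXY, FORCED_AUTH, BLOCK = "direct", "proxy", "forced_auth", "block"


@dataclass
class ZeroTrustPolicy:
    """Static zero-trust access control policy for one login account (constructed fields)."""
    account: str
    trusted_apps: Set[str]          # application names of trusted applications
    reachable_sites: Set[str]       # intranet sites the account may reach
    forced_auth_sites: Set[str]     # e.g. the payroll system
    forced_auth_hours: range        # time period in which those sites need re-authentication
    direct_networks: List[str]      # CIDR network areas (assumption) allowing direct access
    max_requests: int               # access-frequency threshold within the window
    window: timedelta


@dataclass
class RequestContext:
    """Dynamic factors attached to one service access request."""
    account: str
    app_name: str
    site: str
    device_compliant: bool
    client_ip: str
    when: datetime


class AccessModeDecider:
    def __init__(self, policy: ZeroTrustPolicy) -> None:
        self._policy = policy
        self._history: List[datetime] = []   # timestamps of recent intranet requests

    def _too_frequent(self, now: datetime) -> bool:
        """Sliding-window count of the account's intranet requests."""
        p = self._policy
        self._history = [t for t in self._history if now - t < p.window]
        self._history.append(now)
        return len(self._history) > p.max_requests

    def _in_direct_network(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self._policy.direct_networks)

    def decide(self, ctx: RequestContext) -> str:
        """Priority (assumption): block > forced authentication > proxy > direct."""
        p = self._policy
        if ctx.account != p.account or ctx.site not in p.reachable_sites:
            return BLOCK                        # policy does not cover this account/site
        if not ctx.device_compliant:
            return BLOCK                        # compliance detection failed
        if self._too_frequent(ctx.when):
            return BLOCK                        # access frequency too high
        if ctx.site in p.forced_auth_sites and ctx.when.hour in p.forced_auth_hours:
            return FORCED_AUTH                  # specific site in a specific time period
        if ctx.app_name in p.trusted_apps:
            return PROXY                        # trusted application
        if self._in_direct_network(ctx.client_ip):
            return DIRECT                       # subject inside a specific network area
        return BLOCK                            # no access condition satisfied
```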
In one embodiment of the present application, a device where an access subject is located is provided with a client of an application program and a proxy client, and the specific process of proxy access includes: a proxy client of a client where an access subject is located initiates a credential acquisition request for a service access request to the client, so that the client returns an access credential acquired from a corresponding server based on the credential acquisition request; and forwarding the access credential and the service access request to the gateway through the proxy client, so that the gateway sends the service access request to the access site when the access credential is successfully checked.
Specifically, once proxy access is determined, the proxy client initiates a credential acquisition request to the client; after receiving it, the client applies to the corresponding server for an access credential and returns the credential obtained from the server to the proxy client. The access credential is authorization information issued by the server for a single network service access request, and identifies the authorization status of that request. The proxy client then sends the access credential and the service access request to the gateway, and the gateway checks the access credential, mainly verifying its validity, as follows: the gateway initiates a credential verification request to the server with the access credential, and the server verifies whether the credential is one it issued; if so, it returns a verification-passed message to the gateway, otherwise a verification-failed message. On receiving the verification-passed message (i.e. on successfully verifying the access credential), the gateway forwards the service access request to the access site. The gateway also receives the response of the access site to the service access request and returns it to the proxy client, which passes it on to the access subject, so that the access subject accesses the access site.
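The proxy access credential exchange between proxy client, client, server and gateway described above, as an added Python example rather than the patent's own protocol; the HMAC-based credential format, the single-use check, the binding of the credential to the request's account and site, and the in-process stand-ins for the four parties are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Set


@dataclass(frozen=True)
class ServiceAccessRequest:
    request_id: str   # one credential is issued per request
    account: str
    site: str         # intranet site behind the gateway
    payload: str


class IoaServer:
    """Issues access credentials and later confirms to the gateway that it issued them.

    The credential format (request id + HMAC over the request fields) is an assumption;
    the page only says the credential identifies the authorization state of one request.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._issued: Set[str] = set()
        self._used: Set[str] = set()

    def _tag(self, req: ServiceAccessRequest) -> str:
        msg = f"{req.request_id}|{req.account}|{req.site}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_credential(self, req: ServiceAccessRequest) -> str:
        cred = f"{req.request_id}:{self._tag(req)}"
        self._issued.add(cred)
        return cred

    def verify_credential(self, cred: str, req: ServiceAccessRequest) -> bool:
        """Credential verification request from the gateway: genuine, bound to this
        request, and not presented before (single-use)."""
        expected = f"{req.request_id}:{self._tag(req)}"
        if cred not in self._issued or not hmac.compare_digest(cred, expected):
            return False
        if cred in self._used:
            return False
        self._used.add(cred)
        return True


class IoaClient:
    """The client on the terminal device: applies to the server for the credential."""

    def __init__(self, server: IoaServer) -> None:
        self._server = server

    def get_credential(self, req: ServiceAccessRequest) -> str:
        return self._server.issue_credential(req)


class Gateway:
    def __init__(self, server: IoaServer, sites: Dict[str, Callable[[str], str]]) -> None:
        self._server = server
        self._sites = sites   # site name -> handler standing in for the service server

    def handle(self, cred: str, req: ServiceAccessRequest) -> str:
        if not self._server.verify_credential(cred, req):
            return "403 credential rejected"
        return self._sites[req.site](req.payload)   # forward, return the site's response


class ProxyClient:
    """Proxy client: obtains the credential via the client, then sends it with the request."""

    def __init__(self, client: IoaClient, gateway: Gateway) -> None:
        self._client = client
        self._gateway = gateway

    def proxy_access(self, req: ServiceAccessRequest) -> str:
        cred = self._client.get_credential(req)
        return self._gateway.handle(cred, req)


def build_demo():
    """Wire the four parties with a constructed key and one constructed intranet site."""
    server = IoaServer(secrets.token_bytes(32))
    gateway = Gateway(server, {"wiki.corp": lambda body: f"200 wiki got {body}"})
    proxy = ProxyClient(IoaClient(server), gateway)
    return server, gateway, proxy
```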
In the technical scheme provided by the embodiment of the application, the process characteristics are acquired by searching in the process characteristic cache according to the process identifier of the access process corresponding to the service access request, and the process characteristics of the access process do not need to be calculated in real time because the process characteristics in the process characteristic cache are calculated in advance, so that the acquisition efficiency of the process characteristics of the access process is improved. By matching the process characteristics in the blocking process cache, whether the access process is the blocking process conforming to the first preset access condition is determined, whether the access process is the blocking process can be rapidly determined, the filtering efficiency of the blocking process is improved, and when the access process to be processed is more (namely, the network traffic is larger), the access delay can be effectively reduced. And finally, further judging the service access request through a second preset access condition, so that the management and control of the public network access and the management and control of the intranet access are unified, and the convenience of network access management and control is improved.
The following describes a specific embodiment of the network access control method provided by the embodiment of the present application in the iOA system (Intelligent Office Automation, an intelligent office automation system, also referred to as an intelligent management information system).
Fig. 4 schematically illustrates a system architecture diagram applying the technical solution provided by the embodiment of the present application, as shown in fig. 4, the system includes terminal devices 410, iOA service end 420, gateway 430, service system 440 and public network 450, where application programs 411, iOA client 412 and proxy client 413 are provided in the terminal device 410. Service system 440 represents a collection of intranet sites, and service system 440 may include a plurality of service servers, each of which may be a visiting site. Public network 450 represents a collection of public network sites, which may include multiple servers.
First, the management side configures a first preset access condition and a second preset access condition through iOA, and stores them in iOA the server 420, where the configuration of the first preset access condition may refer to fig. 3A-3B. Configuration of second preset access conditions referring to fig. 5A-5D, fig. 5A shows a gateway configuration schematic for implementing a zero trust access control policy, with configuration gateway added via button 501 in fig. 5A. Fig. 5B shows a schematic diagram of the configuration of trusted applications and business systems (intranet sites), with the trusted applications being configured through area 502 of fig. 5B and the business systems being configured through area 503 of fig. 5B. Fig. 5C shows a detailed page view of a business system configuration, for example, a resource category (intranet site category) may be selected by region 504 of fig. 5C, a port may be selected by region 505, a protocol type may be selected by region 506, and so on. Fig. 5D shows a schematic configuration of a service system and associated gateways, with the gateways configured through area 507 of fig. 5D and the gateway access sequence configured through area 508 of fig. 5D. iOA server 420 sends iOA the set first preset access condition and second preset access condition to client 412, so that client 412 builds iOA the access blocking rule. 
It should be noted that, for the configuration of login accounts and devices in the zero-trust access control policy, login accounts and devices change dynamically and the data volume is large, so these two configuration rules are stored in the iOA server 420. After the iOA server 420 has checked device compliance through security management methods such as compliance detection, vulnerability inspection and security baseline inspection of the device, the zero-trust access control policy is issued at the granularity of the login account or the group to which the login account belongs.
The iOA client 412 pre-builds the process feature cache and the blocking process cache according to the first preset access condition, and the specific creation process may refer to the related description and will not be described herein. The process feature cache and the blocking process cache are stored in the terminal device 410.
When the technical solution of the present application runs, an access subject initiates a service access request for an access site through the application program 411, and the proxy client 413 acquires the service access request and determines the process identifier of the corresponding access process. Next, the proxy client 413 obtains the process characteristics corresponding to the access process from the process characteristic cache stored in the terminal device 410, and matches the process characteristics of the access process against the blocking process cache stored in the terminal device 410, so as to determine whether the access process is a blocking process. If the access process is determined to be a blocking process, the service access request is blocked. If the access process is not a blocking process, it is judged according to the access site blocking rule in the first preset access condition whether the access site is a blocked access site. If the access site is a blocked access site, the service access request is blocked. If the access site is not a blocked access site, it is determined whether the access site is a public network site, and if so, the service access request is sent to the access site in the public network 450 through the proxy client 413 (direct access). If the access site is not a public network site (i.e. the access site is an intranet site), the service access request is judged according to the second preset access condition.
If it is determined that the service access request meets the direct access condition, the service access request is sent to an access site (direct access) in the service system 440 through the proxy client 413.
If it is determined that the service access request meets the proxy access condition, the proxy client 413 initiates a credential acquisition request (also referred to as a ticket request) to the iOA client 412, the iOA client 412 applies for an access credential to the iOA server 420, the iOA server 420 returns an access credential to the iOA client 412, the iOA client 412 sends the access credential to the proxy client 413, and the proxy client 413 sends the access credential and the service access request to the gateway 430 together. After receiving the information sent by the proxy client 413, the gateway 430 initiates a credential verification request to the iOA server 420, and the iOA server 420 verifies the access credential and feeds back the verification result to the gateway 430. When gateway 430 receives the result of the verification pass, a service access request is sent to an access site (proxy access) in service system 440.
If it is determined that the service access request meets the mandatory authentication access condition, the proxy client 413 initiates mandatory authentication towards the application 411, and when it detects that the mandatory authentication has passed, the proxy client sends the service access request to the access site in the service system 440 through the gateway 430 according to the proxy access procedure described above.
In an embodiment of the present application, the step of judging the service access request according to the second preset access condition may also be performed by the iOA server 420. Specifically, when the proxy client 413 determines that the access site is not a public network site, this indicates that the service access request needs to be judged according to the second preset access condition, and the proxy client 413 initiates a traffic authentication request to the iOA client 412, where traffic authentication is an operation of verifying the authenticity of the service access request, for example, verifying whether the identity of the initiator of the service access request is legitimate. When the iOA client 412 receives the traffic authentication request sent by the proxy client 413, the iOA client 412 collects the device characteristics of the terminal device 410, the process characteristics of the access process, the login account information, the terminal environment state, and the like, and initiates a credential acquisition request to the iOA server 420. Meanwhile, the terminal device 410 sends information such as environment sensing, compliance detection and network status to the iOA server 420. After the iOA server 420 receives the credential acquisition request, it judges the service access request according to dynamic factors such as the terminal environment status, the access process compliance detection result and the terminal security baseline, in combination with the second preset access condition, and determines the access mode (direct access, proxy access, mandatory authentication access or blocked access) of the service access request to the access site, so as to decide whether to return an access credential to the iOA client 412.
In general, when the iOA server 420 decides to block access, then instead of returning an access credential to the iOA client 412, it returns a command to block the service access request (denoted as a blocking command) to the iOA client 412. The iOA client 412 then sends the blocking command to the proxy client 413, and at the same time assigns a blocking validity period to the proxy client 413 according to the configuration parameters of the iOA server 420; the service access request is blocked during the blocking validity period. Moreover, during the blocking validity period, service access requests of the same type that meet the conditions are blocked directly on the proxy client 413 side, without the iOA client 412 and the iOA server 420 having to judge them again.
It will be appreciated that if the access manner of the service access request changes, the iOA client 412 may notify the proxy client 413 to adjust the access manner for that type of service access request. For example, when the network area where the terminal device 410 is located changes, or the compliance detection changes from the non-compliant state to the compliant state after the violation item is repaired, a service access request previously determined to be blocked can be adjusted to another access mode. The blocking validity period can be shortened, or the access mode can be changed directly to non-blocking, so that the proxy client 413 no longer blocks directly after acquiring a service access request of the same type, but instead performs traffic authentication by sending the related information of the service access request to the iOA client 412, and the iOA client 412 and the iOA server 420 jointly control the access mode of the service access request.
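The terminal-side decision flow described above (process feature cache lookup, blocking process cache match, site blocking rule, public/intranet split, server judgement with dynamic factors, and the blocking validity period honoured by the proxy client) as an added Python model; it is not code from the patent, and the class names, the feature fields, the unsigned-process blocking rule, the site rules and the 300-second validity period are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Set, Tuple


class AccessMode(Enum):
    DIRECT = "direct"                  # direct connection to the access site
    PROXY = "proxy"                    # via the gateway with an access credential
    MANDATORY_AUTH = "mandatory_auth"  # proxy access after mandatory authentication
    BLOCK = "block"


@dataclass(frozen=True)
class ProcessFeature:
    """Process features kept in the process feature cache (fields are assumptions)."""
    path: str
    signer: str
    sha256: str


class IoAServer:
    """Stand-in for the iOA server: holds the second preset access condition
    (intranet site rules) and judges a request together with dynamic factors."""

    def __init__(self, intranet_policy: Dict[str, AccessMode], block_validity_s: int):
        self.intranet_policy = intranet_policy
        self.block_validity_s = block_validity_s

    def judge(self, feature: ProcessFeature, site: str, compliant: bool) -> Tuple[AccessMode, int]:
        """Return the access mode and, for a block decision, a blocking validity period."""
        if not compliant:
            # Non-compliant terminal: a blocking command instead of a credential
            return AccessMode.BLOCK, self.block_validity_s
        # An intranet site with no configured rule is blocked (assumption, not from the patent)
        mode = self.intranet_policy.get(site, AccessMode.BLOCK)
        return mode, (self.block_validity_s if mode is AccessMode.BLOCK else 0)


class ProxyClient:
    """Stand-in for the proxy client, with the iOA client's relay role folded in."""

    def __init__(self, server: IoAServer,
                 process_feature_cache: Dict[int, ProcessFeature],
                 blocking_process_cache: Set[ProcessFeature],
                 blocked_sites: Set[str], public_sites: Set[str]):
        self.server = server
        self.process_feature_cache = process_feature_cache      # pid -> features
        self.blocking_process_cache = blocking_process_cache    # features matching the blocking rule
        self.blocked_sites = blocked_sites                      # access site blocking rule
        self.public_sites = public_sites
        # (process feature, site) -> time until which same-type requests are blocked locally
        self.block_until: Dict[Tuple[ProcessFeature, str], float] = {}
        self.server_calls = 0  # counts traffic authentications that reached the server

    def decide(self, pid: int, site: str, now: float, compliant: bool) -> AccessMode:
        feature = self.process_feature_cache.get(pid)
        if feature is None:
            # Every live process should be in the cache; an unknown pid is blocked (assumption)
            return AccessMode.BLOCK
        # Step 1: first preset access condition, process blocking rule
        if feature in self.blocking_process_cache:
            return AccessMode.BLOCK
        # Step 2: first preset access condition, access site blocking rule
        if site in self.blocked_sites:
            return AccessMode.BLOCK
        # Step 3: public network sites are accessed directly
        if site in self.public_sites:
            return AccessMode.DIRECT
        # Step 4: intranet site; honour a blocking validity period without asking the server
        key = (feature, site)
        until = self.block_until.get(key)
        if until is not None and now < until:
            return AccessMode.BLOCK
        self.block_until.pop(key, None)
        # Step 5: traffic authentication, judged on the server with dynamic factors
        self.server_calls += 1
        mode, validity = self.server.judge(feature, site, compliant)
        if mode is AccessMode.BLOCK:
            self.block_until[key] = now + validity
        return mode

    def on_access_manner_changed(self) -> None:
        """The iOA client notifies the proxy client that blocking no longer applies
        (e.g. compliance restored): cached blocks are dropped so the next request
        of that type goes through traffic authentication again."""
        self.block_until.clear()


def build_demo() -> ProxyClient:
    """Constructed caches and rules for this example; not from the patent."""
    browser = ProcessFeature("/usr/bin/browser", "Vendor A", "aa" * 32)
    unsigned = ProcessFeature("/tmp/tool", "", "bb" * 32)
    server = IoAServer({"oa.corp.internal": AccessMode.PROXY,
                        "hr.corp.internal": AccessMode.MANDATORY_AUTH},
                       block_validity_s=300)
    return ProxyClient(server,
                       process_feature_cache={101: browser, 202: unsigned},
                       blocking_process_cache={unsigned},  # unsigned process matches the blocking rule
                       blocked_sites={"bad.example.com"},
                       public_sites={"www.example.com"})
```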
It should be noted that although the steps of the methods of the present application are depicted in the accompanying drawings in a particular order, this does not require or imply that the steps must be performed in that particular order, or that all illustrated steps be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
The following describes an embodiment of the apparatus of the present application, which may be used to perform the network access control method in the above embodiment of the present application. Fig. 6 schematically shows a block diagram of a network access control device according to an embodiment of the present application. As shown in fig. 6, a network access control device provided by an embodiment of the present application includes:
an access request obtaining module 610, configured to obtain a service access request for accessing a site, and determine a process identifier of an access process corresponding to the service access request;
the process feature obtaining module 620 is configured to search in a process feature cache according to a process identifier of the access process, so as to obtain a process feature corresponding to the access process; the process characteristic cache is used for storing process identifiers of a plurality of processes and process characteristics associated with the process identifiers;
a process feature matching module 630, configured to match in a blocking process cache according to a process feature of the access process, so as to determine whether the access process is a blocking process; the blocking process cache is used for storing process characteristics corresponding to the processes meeting the first preset access conditions; the first preset access condition comprises a management and control mode when the access site is a public network site;
An access mode determining module 640, configured to determine, if the access process is not a blocking process, an access mode of the service access request to the access site according to a second preset access condition; the second preset access condition comprises a management and control mode when the access site is an intranet site.
In one embodiment of the application, the apparatus further comprises: the process characteristic cache construction module is used for acquiring process identifiers of a plurality of first processes and process characteristics corresponding to each first process; the first process refers to a process which is created and not exited in the terminal equipment which initiates the service access request; and storing each process identifier and the process characteristics corresponding to each first process based on the form of a double linked list to form the process characteristic cache.
In one embodiment of the present application, the process feature cache construction module is specifically configured to: when the core layer of the terminal equipment detects that a process is created, taking the currently created process as a first process and acquiring a process identifier of the first process; and acquiring the process characteristics corresponding to the first process according to the process identification of the first process and the local cache process characteristics loaded by the application layer of the terminal equipment.
In one embodiment of the present application, the process feature cache construction module is further configured to: determining key characteristics of the first process according to the process identification of the first process; searching in the local cache process characteristics according to the key characteristics of the first process to determine whether the process characteristics of the first process exist in the local cache process characteristics; if the local cache process features have the same cache features as the key features of the first process, taking the process features corresponding to the cache features in the local cache process features as the process features of the first process; and if the local cache process characteristics do not have the same cache characteristics as the key characteristics of the first process, acquiring the process characteristics corresponding to the first process through the application layer.
In one embodiment of the present application, the first preset access condition includes a process blocking rule; the apparatus further comprises:
the blocking process cache construction module is used for acquiring a process identifier and a process characteristic of a second process, wherein the second process is a process which is established in the terminal equipment for initiating the service access request; and if the process characteristics of the second process accord with the process blocking rule, storing the process identification and the process characteristics of the second process based on a form of a doubly linked list to form the blocking process cache.
In one embodiment of the present application, the second preset access condition includes a direct access condition, a proxy access condition, and a mandatory authentication access condition; the access manner determining module 640 includes:
the direct connection access unit is used for sending the service access request to the access site through the proxy client if the service access request meets the direct connection access condition;
the proxy access unit is used for sending the service access request to the access site through a gateway if the service access request meets the proxy access condition;
and the forced authentication access unit is used for sending the service access request to the access site through a gateway after the security check of the access site process if the service access request meets the forced authentication access condition.
In one embodiment of the present application, the proxy access unit is specifically configured to: initiating a credential acquisition request for the service access request to the client through a proxy client, so that the client returns an access credential acquired from a corresponding server based on the credential acquisition request; and forwarding the access credential and the service access request to the gateway through the proxy client, so that the gateway sends the service access request to the access site when the access credential is successfully checked.
Specific details of the network access control device provided in each embodiment of the present application have been described in the corresponding method embodiments, and are not described herein.
Fig. 7 schematically shows a block diagram of a computer system of an electronic device for implementing an embodiment of the application.
It should be noted that, the computer system 700 of the electronic device shown in fig. 7 is only an example, and should not impose any limitation on the functions and the application scope of the embodiments of the present application.
As shown in fig. 7, the computer system 700 includes a central processing unit 701 (Central Processing Unit, CPU) which can execute various appropriate actions and processes according to a program stored in a read-only memory 702 (Read-Only Memory, ROM) or a program loaded from a storage section 708 into a random access memory 703 (Random Access Memory, RAM). In the random access memory 703, various programs and data necessary for the system operation are also stored. The central processing unit 701, the read-only memory 702, and the random access memory 703 are connected to each other via a bus 704. An input/output interface 705 (i.e., an I/O interface) is also connected to bus 704.
The following components are connected to the input/output interface 705: an input section 706 including a keyboard, a mouse, and the like; an output section 707 including a Cathode Ray Tube (CRT), a liquid crystal display (Liquid Crystal Display, LCD), and the like, a speaker, and the like; a storage section 708 including a hard disk or the like; and a communication section 709 including a network interface card such as a local area network card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. The drive 710 is also connected to the input/output interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read therefrom is mounted into the storage section 708 as necessary.
In particular, the processes described in the various method flowcharts may be implemented as computer software programs according to embodiments of the application. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 709, and/or installed from the removable medium 711. The computer programs, when executed by the central processor 701, perform the various functions defined in the system of the present application.
It should be noted that the computer readable medium shown in the embodiments of the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (Erasable Programmable Read Only Memory, EPROM), flash memory, an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present application, however, the computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electromagnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functions of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the application. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and includes several instructions to cause a computing device (may be a personal computer, a server, a touch terminal, or a network device, etc.) to perform the method according to the embodiments of the present application.
Other embodiments of the application will be apparent to those skilled in the art from consideration of the specification and practice of the application disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains.
It is to be understood that the application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. A method for controlling network access, comprising:
acquiring a service access request for accessing a site, and determining a process identifier of an access process corresponding to the service access request;
searching in a process characteristic cache according to the process identifier of the access process to obtain the process characteristic corresponding to the access process; the process characteristic cache is used for storing process identifiers of a plurality of processes and process characteristics associated with the process identifiers;
matching in a blocking process cache according to the process characteristics of the access process so as to determine whether the access process is a blocking process; the blocking process cache is used for storing process characteristics corresponding to the processes meeting the first preset access conditions; the first preset access condition comprises a management and control mode when the access site is a public network site;
if the access process is not a blocking process, determining an access mode of the service access request to the access site according to a second preset access condition; the second preset access condition comprises a management and control mode when the access site is an intranet site.
2. The method of claim 1, wherein prior to looking up in a process feature cache based on a process identification of the access process, the method further comprises:
Acquiring process identifiers of a plurality of first processes and process characteristics corresponding to the first processes; the first process refers to a process which is created and not exited in the terminal equipment which initiates the service access request;
and storing each process identifier and the process characteristics corresponding to each first process based on the form of a double linked list to form the process characteristic cache.
3. The method for controlling network access according to claim 2, wherein obtaining process identifiers of a plurality of first processes and process characteristics corresponding to each process comprises:
when the core layer of the terminal equipment detects that a process is created, taking the currently created process as a first process and acquiring a process identifier of the first process;
and acquiring the process characteristics corresponding to the first process according to the process identification of the first process and the local cache process characteristics loaded by the application layer of the terminal equipment.
4. The method for controlling network access according to claim 3, wherein obtaining the process characteristics corresponding to the first process according to the process identifier of the first process and the local cache process characteristics loaded by the application layer of the terminal device includes:
Determining key characteristics of the first process according to the process identification of the first process;
searching in the local cache process characteristics according to the key characteristics of the first process to determine whether the process characteristics of the first process exist in the local cache process characteristics;
if the local cache process features have the same cache features as the key features of the first process, taking the process features corresponding to the cache features in the local cache process features as the process features of the first process;
and if the local cache process characteristics do not have the same cache characteristics as the key characteristics of the first process, acquiring the process characteristics corresponding to the first process through the application layer.
5. The method for controlling network access according to claim 1, wherein the first preset access condition includes a process blocking rule; before matching in the blocking process cache according to the process characteristics of the access process, the method further comprises:
acquiring a process identifier and a process characteristic of a second process, wherein the second process is a process which is established in the terminal equipment for initiating the service access request;
And if the process characteristics of the second process accord with the process blocking rule, storing the process identification and the process characteristics of the second process based on a form of a doubly linked list to form the blocking process cache.
6. The method according to any one of claims 1 to 5, wherein the second preset access condition includes a direct access condition, a proxy access condition, and a mandatory authentication access condition; determining an access mode of the service access request to the access site according to a second preset access condition, including:
if the service access request meets the direct connection access condition, sending the service access request to the access site through the proxy client;
if the service access request meets the proxy access condition, the service access request is sent to the access site through a gateway;
and if the service access request meets the mandatory authentication access condition, after the security check of the access site process, sending the service access request to the access site through a gateway.
7. The method of claim 6, wherein sending the service access request to the access site through a gateway comprises:
Initiating a credential acquisition request for the service access request to a client initiating the service access request through a proxy client, so that the client returns an access credential acquired from a corresponding server based on the credential acquisition request;
and forwarding the access credential and the service access request to the gateway through the proxy client, so that the gateway sends the service access request to the access site when the access credential is successfully checked.
8. A network access control apparatus, comprising:
the access request acquisition module is used for acquiring a service access request for accessing a site and determining a process identifier of an access process corresponding to the service access request;
the process characteristic acquisition module is used for searching in a process characteristic cache according to the process identifier of the access process to acquire the process characteristic corresponding to the access process; the process characteristic cache is used for storing process identifiers of a plurality of processes and process characteristics associated with the process identifiers;
the process characteristic matching module is used for matching in a blocking process cache according to the process characteristics of the access process so as to determine whether the access process is a blocking process or not; the blocking process cache is used for storing process characteristics corresponding to the processes meeting the first preset access conditions; the first preset access condition comprises a management and control mode when the access site is a public network site;
The access mode determining module is used for determining the access mode of the service access request to the access site according to a second preset access condition if the access process is not a blocking process; the second preset access condition comprises a management and control mode when the access site is an intranet site.
9. A computer readable medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the network access control method according to any one of claims 1 to 7.
10. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein execution of the executable instructions by the processor causes the electronic device to perform the method of controlling network access of any one of claims 1 to 7.
CN202210175719.3A 2022-02-24 2022-02-24 Network access control method and device, computer readable medium and electronic equipment Pending CN116707841A (en)

Publications (1)

Publication Number Publication Date
CN116707841A true CN116707841A (en) 2023-09-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
