CN116800533A - Terminal identification method and device for accessing intranet - Google Patents


Info

Publication number
CN116800533A
Authority
CN
China
Prior art keywords
terminal
identification
information
mac address
security
Prior art date
Legal status
Pending
Application number
CN202310934844.2A
Other languages
Chinese (zh)
Inventor
张严林
吴大宝
徐勇建
王冲
刘伟杰
Current Assignee
Qichacha Technology Co ltd
Original Assignee
Qichacha Technology Co ltd

Landscapes

  • Small-Scale Networks (AREA)

Abstract

The application relates to a terminal identification method and device for accessing an intranet. The method comprises the following steps: acquiring hardware information and service login information of a terminal sending a request, where the hardware information includes one or more MAC addresses; comparing the one or more MAC addresses, the service login information and historical terminal requests to determine an identification method for the terminal, the identification method being one of MAC address identification, hybrid identification and non-MAC address identification; identifying the terminal with the selected identification method to obtain an identification result; and constructing a security policy, evaluating the one or more MAC addresses and the service login information against the security policy to determine the security information of the terminal, and outputting the identification result and the security information to the terminal. With this method the terminal can be accurately identified and management efficiency is improved.

Description

Terminal identification method and device for accessing intranet
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for identifying a terminal accessing an intranet.
Background
An intranet is a local area network established within an organization or institution. Using particular network technologies and protocols, it connects the computers, servers and devices within that internal scope so that resource sharing, data transmission, collaboration and similar functions become possible. When a terminal needs to access the intranet, the terminal must be securely identified in order to decide whether it is allowed to access.
The conventional identification method identifies the terminal by its MAC (Media Access Control) address. However, that method relies on the MAC address alone, and such a single means of identification cannot handle terminals with multiple network interfaces and multiple MAC addresses.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a method and apparatus for identifying a terminal accessing an intranet that can handle multiple network interfaces and multiple MAC addresses.
In a first aspect, the present application provides a method for identifying a terminal accessing an intranet. The terminal identification method for accessing the intranet comprises the following steps:
acquiring hardware information and service login information of a terminal sending a request, where the hardware information includes one or more MAC addresses;
comparing the one or more MAC addresses, the service login information and historical terminal requests to determine an identification method for the terminal, the identification method being one of MAC address identification, hybrid identification and non-MAC address identification;
identifying the terminal with the selected identification method to obtain an identification result;
and constructing a security policy, evaluating the one or more MAC addresses and the service login information against the security policy to determine the security information of the terminal, and outputting the identification result and the security information to the terminal.
In one embodiment, the historical terminal requests include a plurality of MAC history addresses and a plurality of history login records, and comparing the one or more MAC addresses, the service login information and the historical terminal requests to determine the identification method of the terminal comprises the following steps:
comparing the one or more MAC addresses with the MAC history addresses to obtain a first comparison result, and comparing the service login information with the history login records to obtain a second comparison result;
and determining the identification method of the terminal according to the first comparison result and the second comparison result.
In one embodiment, determining the identification method of the terminal according to the first comparison result and the second comparison result includes:
if the one or more MAC addresses are judged to be known in the first comparison result and the service login information is judged to be known in the second comparison result, determining that the identification method of the terminal is non-MAC address identification;
if the one or more MAC addresses are judged to be unknown in the first comparison result and the service login information is judged to be unknown in the second comparison result, determining that the identification method of the terminal is MAC address identification;
otherwise, determining that the identification method of the terminal is hybrid identification.
In one embodiment, constructing a security policy and evaluating the one or more MAC addresses and the service login information against the security policy to determine the security information of the terminal includes:
constructing the security policy according to the historical terminal requests, where the security policy includes a white list and a black list;
and comparing the hardware information and the service login information of the terminal with the white list and the black list respectively to obtain the security information of the terminal.
In one embodiment, before the security policy is constructed, the one or more MAC addresses and the service login information are evaluated against it, the security information of the terminal is determined and the identification result and the security information are output to the terminal, the method further includes:
if there are multiple MAC addresses, screening the effective addresses among them;
and cleaning and merging the effective addresses according to the categories of the MAC addresses, and updating the one or more MAC addresses with the result of the cleaning and merging.
In one embodiment, the method for identifying a terminal accessing an intranet further includes:
determining a trusted class of the terminal based on the identification result and the security information, where the trusted class is one of trusted device and untrusted device;
and determining whether to allow the terminal to access the network according to the trusted class.
In a second aspect, the application further provides a terminal identification device for accessing an intranet. The device comprises:
a device information acquisition module, configured to acquire hardware information and service login information of the terminal sending the request, where the hardware information includes one or more MAC addresses;
a device identification module, configured to compare the one or more MAC addresses, the service login information and historical terminal requests to determine an identification method for the terminal, the identification method being one of MAC address identification, hybrid identification and non-MAC address identification;
an identification result determining module, configured to identify the terminal with the selected identification method to obtain an identification result;
and a security management module, configured to construct a security policy, evaluate the one or more MAC addresses and the service login information against the security policy, determine the security information of the terminal, and output the identification result and the security information to the terminal.
In a third aspect, the present application also provides a computer device comprising a memory and a processor, the memory storing a computer program and the processor implementing the following steps when executing the computer program:
acquiring hardware information and service login information of a terminal sending a request, where the hardware information includes one or more MAC addresses;
comparing the one or more MAC addresses, the service login information and historical terminal requests to determine an identification method for the terminal, the identification method being one of MAC address identification, hybrid identification and non-MAC address identification;
identifying the terminal with the selected identification method to obtain an identification result;
and constructing a security policy, evaluating the one or more MAC addresses and the service login information against the security policy to determine the security information of the terminal, and outputting the identification result and the security information to the terminal.
In a fourth aspect, the present application also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the following steps:
acquiring hardware information and service login information of a terminal sending a request, where the hardware information includes one or more MAC addresses;
comparing the one or more MAC addresses, the service login information and historical terminal requests to determine an identification method for the terminal, the identification method being one of MAC address identification, hybrid identification and non-MAC address identification;
identifying the terminal with the selected identification method to obtain an identification result;
and constructing a security policy, evaluating the one or more MAC addresses and the service login information against the security policy to determine the security information of the terminal, and outputting the identification result and the security information to the terminal.
In a fifth aspect, the present application also provides a computer program product comprising a computer program which, when executed by a processor, realizes the following steps:
acquiring hardware information and service login information of a terminal sending a request, where the hardware information includes one or more MAC addresses;
comparing the one or more MAC addresses, the service login information and historical terminal requests to determine an identification method for the terminal, the identification method being one of MAC address identification, hybrid identification and non-MAC address identification;
identifying the terminal with the selected identification method to obtain an identification result;
and constructing a security policy, evaluating the one or more MAC addresses and the service login information against the security policy to determine the security information of the terminal, and outputting the identification result and the security information to the terminal.
The terminal identification method and device for accessing an intranet acquire the hardware information and the service login information of the terminal, compare the MAC addresses in the hardware information, the service login information and the historical terminal requests to determine the identification method of the terminal, and obtain the identification result with that method. After the security policy has been applied to judge the security of the terminal, the security information of the terminal is obtained; the intranet can then decide, based on the identification result and the security information, whether the terminal is allowed to access, and feed this back to the terminal. Compared with the prior art, which uses a single MAC address identification method, the technical scheme of the application uses several identification methods and selects among them according to the specific situation, which greatly improves the accuracy of device identification. The method can therefore be applied to scenarios in which a terminal has several MAC addresses, accurate identification of the terminal is achieved, and the management efficiency of enterprises is improved.
Drawings
FIG. 1 is an application environment diagram of a terminal identification method for accessing an intranet in one embodiment;
FIG. 2 is a flow chart of a method for identifying a terminal accessing an intranet in one embodiment;
FIG. 3 is a flow chart of the steps for determining the identification method of a terminal in one embodiment;
FIG. 4 is a flow chart of determining terminal security information by a security policy in one embodiment;
FIG. 5 is a flow chart of a method for identifying a terminal accessing an intranet in another embodiment;
FIG. 6 is a timing diagram of a method for identifying a terminal accessing an intranet in one embodiment;
FIG. 7 is a block diagram of a terminal identification device for accessing an intranet in one embodiment;
FIG. 8 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The terminal identification method for accessing an intranet provided by the embodiments of the application can be applied in the application environment shown in FIG. 1. The terminal 102 communicates with the server 104 via a network. A data storage system may store the data that the server 104 needs to process; it may be integrated into the server 104 or located on a cloud or other network server. The server may be provided with a device identification system: when the terminal 102 sends a networking request to the server 104, the device identification system identifies the terminal 102, determines whether the terminal 102 meets the security requirements, feeds the result back to the terminal 102, and decides whether the terminal 102 is allowed onto the network. The terminal 102 may be, but is not limited to, a personal computer, notebook computer, smartphone, tablet computer, Internet of Things device or portable wearable device; Internet of Things devices may be smart speakers, smart televisions, smart air conditioners, smart vehicle devices and the like, and portable wearable devices may be smart watches, smart bracelets, headsets and the like. The server 104 may be implemented as a stand-alone server or as a cluster of multiple servers.
In one embodiment, as shown in FIG. 2, a method for identifying a terminal accessing an intranet is provided. Taking its application to the server 104 in FIG. 1 as an illustration, the method includes the following steps S202 to S208:
S202, acquiring hardware information and service login information of a terminal sending a request, where the hardware information includes one or more MAC addresses.
The terminal 102 sends an intranet access request to the server 104, and the server 104 performs a security judgment on the terminal 102. The server 104 may be a server of an enterprise intranet. The terminal 102 sends the network access request to the server 104 after the user has logged in, so the server 104 receives both the hardware information of the terminal 102 and the service login information of the user. For example, the terminal 102 may have a device information generation module responsible for generating the device hardware information and the service login information when the device accesses the network.
The intranet may be an office network within an enterprise; in that scenario the enterprise needs to manage the computers and mobile devices of its staff to ensure network security and data security. The intranet may also be a production network, in which production equipment and sensors need to be connected to the network for data interaction and control. The intranet may also be a network environment in industries such as finance or healthcare, where the management requirements for accessing devices are stricter and devices must be accurately identified and securely managed.
The hardware information is the device information of the terminal device. It includes at least a MAC address and may also include the device model, device IP address, device type and the like. There may be several MAC addresses.
The service login information is the information of the user logged in at the terminal device, and comprises the user login name, login time, login location and the like.
S204, comparing the one or more MAC addresses, the service login information and historical terminal requests to determine an identification method for the terminal, the identification method being one of MAC address identification, hybrid identification and non-MAC address identification.
The historical terminal requests are the set of requests sent by terminal devices before the terminal 102 sent its request to access the intranet.
If a request from this terminal already exists among the historical terminal requests and was judged to be safe at that time, the terminal can again be regarded as safe. In this way the security level of the terminal is judged preliminarily, and the identification method to be applied to the terminal is chosen on that basis.
MAC address identification authenticates or authorizes access by identifying the MAC address of the terminal device. The network administrator may permit or deny access to a device based on its MAC address. The advantage of this approach is that it is straightforward; the disadvantage is that a MAC address can be forged, so the approach is vulnerable to spoofing.
Hybrid identification is the combined use of several identification techniques to improve accuracy and security. In addition to the MAC address, identification may draw on the IP address, user credentials, device type, location and similar information. For example, a device may be identified by a combination of MAC address and username and password, or by combining the MAC address with device type and location information. The advantage of hybrid identification is that it provides more information with which to identify the device and is harder to forge; the drawback is that it is more complex to implement.
Non-MAC address identification refers to techniques that do not rely solely on the MAC address for identification. They may use other identifiers, features or algorithms to identify devices, such as digital certificates, device fingerprints, behavioural analysis and the like. The advantage of non-MAC address identification is that it provides higher security and accuracy without depending on the uniqueness of the MAC address; the disadvantages are its high implementation complexity and possible user privacy concerns.
Therefore, by comparing all MAC addresses and the service login information of the terminal with the historical terminal requests, the security level of the terminal can be preliminarily determined and a suitable identification method chosen on that basis.
S206, identifying the terminal with the selected identification method to obtain an identification result.
Once the identification method has been determined, the terminal is identified with that method and an identification result is obtained.
From the identification result it can be determined whether the device holds specific access authority or has passed identity authentication.
S208, constructing a security policy, evaluating the one or more MAC addresses and the service login information against the security policy to determine the security information of the terminal, and outputting the identification result and the security information to the terminal.
After the identification result of the terminal has been determined, it still has to be determined whether the terminal is safe.
The security policy may be a set of criteria for the MAC address and the service login information, and the security information of the terminal is determined according to it. The intranet or the server can decide whether the terminal is allowed to access on the basis of the identification result and the security information, and both are fed back to the terminal so that the terminal is informed.
In this terminal identification method for accessing an intranet, the hardware information and the service login information of the terminal are acquired first, the identification method of the terminal is determined by comparing the MAC addresses in the hardware information, the service login information and the historical terminal requests, and the identification result is obtained with that method. After the security policy has been applied to judge the security of the terminal, the security information of the terminal is obtained; the intranet can then decide, based on the identification result and the security information, whether the terminal is allowed to access, and feed this back to the terminal. Compared with the prior art, which uses a single MAC address identification method, the technical scheme of the application uses several identification methods and selects among them according to the specific situation, which greatly improves the accuracy of device identification. The method can therefore be applied to scenarios in which a terminal has several MAC addresses, accurate identification of the terminal is achieved, and the management efficiency of enterprises is improved.
In one embodiment, as shown in FIG. 3, the historical terminal requests of step S204 include a plurality of MAC history addresses and a plurality of history login records, and comparing the one or more MAC addresses, the service login information and the historical terminal requests to determine the identification method of the terminal comprises the following steps:
S302, comparing the one or more MAC addresses with the MAC history addresses to obtain a first comparison result, and comparing the service login information with the history login records to obtain a second comparison result.
The historical terminal requests are the set of earlier requests made to the intranet by a plurality of terminals, which yields a plurality of MAC history addresses and a plurality of history login records. For example, these may be stored in the data storage system.
The MAC address of the terminal making the current request is compared with the MAC history addresses to obtain the first comparison result. The first comparison result may be whether the MAC address of the current request exists among the MAC history addresses; if it does, it may further be determined whether that MAC address was allowed to access the intranet in the earlier request.
Similarly, the second comparison result may be whether the service login information of the current request exists among the history login records; if it does, it may further be determined whether that service login information was allowed to access the intranet in the earlier request.
S304, determining the identification method of the terminal according to the first comparison result and the second comparison result.
The identification method of the terminal is one of MAC address identification, hybrid identification and non-MAC address identification, and can be determined from the first comparison result and the second comparison result.
In one possible implementation, if the one or more MAC addresses are judged to be known in the first comparison result and the service login information is judged to be known in the second comparison result, the identification method of the terminal is determined to be non-MAC address identification; if the one or more MAC addresses are judged to be unknown in the first comparison result and the service login information is judged to be unknown in the second comparison result, the identification method of the terminal is determined to be MAC address identification; otherwise, the identification method of the terminal is determined to be hybrid identification.
If the MAC address is known and the service login information is known, non-MAC address identification is used in order to prevent another device from being forged to match the known information; the advantage of non-MAC address identification is that it does not depend on the uniqueness of the MAC address and can therefore provide higher security and accuracy.
If the MAC addresses are unknown and the service login information is unknown, the device is regarded as sending an intranet access request for the first time, and MAC address identification is used, which is simple and efficient.
In the other cases hybrid identification is used. These include the cases where some of the MAC addresses are known and some are not, where the MAC address is known but the service login information is not, and where the MAC address is not known but the service login information is. Hybrid identification may authenticate using the combination of MAC address and service login information, or combine device type and location information to identify the device, thereby improving identification accuracy.
In this embodiment, the identification method of the terminal device is determined according to whether the MAC address is known and whether the service login information is known. The scheme of the application can thus classify the terminal devices and select a different identification method for each class, which improves identification accuracy on the one hand and judgment efficiency on the other, striking a balance between accuracy and efficiency.
In one embodiment, as shown in FIG. 4, constructing a security policy in step S208 and evaluating the one or more MAC addresses and the service login information against it to determine the security information of the terminal includes:
S402, constructing a security policy according to the historical terminal requests, where the security policy includes a white list and a black list.
The historical terminal requests contain the data of a plurality of terminal requests, and a white list and a black list can be built from them. For example, they may be built from the MAC history addresses or the history login records in the historical terminal requests.
The white list is an authorized list of trusted terminals that are allowed to access the system or resource. Only white-listed terminals obtain access rights; other entities that are not white-listed are barred from access or restricted.
The black list is a prohibited list of terminals that are not trusted or not allowed to access the system or resource. Entities on the black list are barred from access or restricted.
S404, comparing the hardware information and the service login information of the terminal with the white list and the black list respectively to obtain the security information of the terminal.
The hardware information of the terminal making the current request is compared with the white list and the black list, and the service login information is likewise compared with the white list and the black list. This determines whether the terminal appears on the white list or the black list, and the security information of the terminal is obtained.
If the terminal appears on the white list, its security is regarded as high; if it appears on the black list, its security is regarded as poor.
In this embodiment, a white list and a black list are built as the security policy, and the security information of the terminal is determined by comparing the hardware information and the service login information of the device with them. In conventional schemes, security management may fail because device identification is inaccurate. With the accurate device identification of the method and device of the application, a more precise security policy can be applied to terminal devices and unauthorized terminal devices are prevented from accessing the enterprise intranet.
In one embodiment, before the security policy of step S208 is constructed, the one or more MAC addresses and the service login information are evaluated against it, the security information of the terminal is determined and the identification result and the security information are output to the terminal, the method further includes: if there are multiple MAC addresses, screening the effective addresses among them; and cleaning and merging the effective addresses according to the categories of the MAC addresses, and updating the one or more MAC addresses with the result of the cleaning and merging.
When handling a device with multiple network cards or multiple MAC addresses, the service login information and the multiple MAC addresses need to be cleaned and merged so that the device can be identified and managed as a single unit.
When cleaning and merging the MAC addresses, each received MAC address is first checked for validity (for example, whether it satisfies the MAC address format rules and whether it falls within the address range of a known device manufacturer). The MAC address cleaning and merging module then merges all valid MAC addresses into one unified MAC address identity, which replaces the device's set of MAC addresses. Once the module has finished cleaning and merging, the identification result of the device and the unified MAC address identity are passed to the security management module for further processing.
The technical scheme of this embodiment solves the problem of identifying multi-network-card devices. In conventional approaches, identification of such devices may be confused and inaccurate; this embodiment overcomes the problem by identifying multiple network interfaces at the same time and cleaning and merging their MAC addresses.
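The following is an added example, not code from the patent or its applicant, that carries the MAC cleaning and merging embodiment above together with the S302/S304 comparison and selection steps through in working Python. The known-manufacturer OUI prefixes, the history sets and the decision to clean addresses before comparing them are constructed assumptions; the page does not fix the order of cleaning and comparison.

```python
from __future__ import annotations

import re
from typing import Iterable, Optional

# Constructed sample data (not from the patent): OUI prefixes of "known
# device manufacturers", plus the MAC addresses and login names recorded
# in earlier requests (the historical terminal request set).
KNOWN_OUIS = {"00:1a:2b", "3c:4d:5e"}
HISTORY_MACS = {"00:1a:2b:00:00:01", "00:1a:2b:00:00:02"}
HISTORY_LOGINS = {"alice", "bob"}

# Canonical form: six lower-case hex octets separated by colons.
MAC_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}")


def normalize_mac(raw: str) -> Optional[str]:
    """Return the address in canonical form, or None if it violates the
    MAC address format rule (hyphen-separated input is accepted)."""
    mac = raw.strip().lower().replace("-", ":")
    return mac if MAC_RE.fullmatch(mac) else None


def is_effective(mac: str, known_ouis: set[str]) -> bool:
    """Effective-address screening: reject the all-zero placeholder and any
    address whose OUI (first three octets) is not a known manufacturer."""
    if mac == "00:00:00:00:00:00":
        return False
    return mac[:8] in known_ouis


def clean_and_merge(raw_macs: Iterable[str], known_ouis: set[str]) -> tuple[str, ...]:
    """Screen the addresses reported by a multi-NIC terminal and merge the
    effective ones into one unified, de-duplicated MAC identity."""
    effective = set()
    for raw in raw_macs:
        mac = normalize_mac(raw)
        if mac is not None and is_effective(mac, known_ouis):
            effective.add(mac)
    return tuple(sorted(effective))


def first_comparison(macs: tuple[str, ...], history_macs: set[str]) -> str:
    """S302, first comparison result: 'known' when every address appears in
    the MAC history, 'unknown' when none does, 'partial' otherwise."""
    if not macs:
        # Edge case: nothing survived cleaning, so a MAC comparison is impossible.
        raise ValueError("no effective MAC address after cleaning and merging")
    hits = sum(1 for mac in macs if mac in history_macs)
    if hits == len(macs):
        return "known"
    return "unknown" if hits == 0 else "partial"


def second_comparison(login: str, history_logins: set[str]) -> str:
    """S302, second comparison result for the service login information."""
    return "known" if login in history_logins else "unknown"


def select_identification(first: str, second: str) -> str:
    """S304: both known -> non-MAC; both unknown -> MAC; anything else -> hybrid."""
    if first == "known" and second == "known":
        return "non-MAC address identification"
    if first == "unknown" and second == "unknown":
        return "MAC address identification"
    return "hybrid identification"


def identification_method(raw_macs: Iterable[str], login: str,
                          known_ouis: set[str] = KNOWN_OUIS,
                          history_macs: set[str] = HISTORY_MACS,
                          history_logins: set[str] = HISTORY_LOGINS) -> str:
    """Cleaning, both comparisons and the S304 selection, end to end."""
    macs = clean_and_merge(raw_macs, known_ouis)
    first = first_comparison(macs, history_macs)
    second = second_comparison(login, history_logins)
    return select_identification(first, second)


if __name__ == "__main__":
    # A two-NIC terminal reporting one known and one new address, known user.
    print(identification_method(["00-1A-2B-00-00-01", "3c:4d:5e:aa:bb:cc"], "alice"))
```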
In one embodiment, the method for identifying the terminal accessing to the intranet further comprises: determining a trusted class of the terminal based on the identification result and the security information; the trusted class includes trusted devices and untrusted devices; and determining whether to allow the terminal to access the network according to the trusted category.
If the identification result shows that the device has specific access authority or has passed identity authentication, the terminal is considered a trusted device. If the security information indicates that the terminal is a secure device, the terminal is likewise considered a trusted device. Only when the identification result shows that the device has neither authority nor identity authentication and the security information shows that the device is not secure is the device considered an untrusted device.
A trusted device is allowed to access the network. An untrusted device is blocked from accessing the network, and a security alert may also be generated and fed back to the terminal.
In this embodiment, the trusted category of the terminal is determined from the identification result and the security information, and from it whether the terminal may access the intranet. In this way the security of the terminal is evaluated, malicious intrusion is avoided, and the security of the intranet is guaranteed.
As shown in fig. 5, in one embodiment, a method for identifying a terminal accessing an intranet includes the following steps:
S502, acquiring hardware information and service login information of a terminal sending a request; the hardware information includes one or more MAC addresses.
S504, comparing the one or more MAC addresses with the MAC historical addresses to obtain a first comparison result, and comparing the service login information with the historical login information to obtain a second comparison result.
S506, determining an identification method for the terminal according to the first comparison result and the second comparison result; the identification method is selected from one of MAC address identification, mixed identification and non-MAC address identification.
S508, identifying the terminal based on the identification method to obtain an identification result.
S510, if there are multiple MAC addresses, screening the valid addresses among them.
S512, cleaning and merging the valid addresses based on the category of each MAC address, and updating the one or more MAC addresses according to the cleaning and merging result.
S514, constructing a security policy according to the historical terminal requests; the security policy includes a white list and a black list.
S516, comparing the hardware information and the service login information of the terminal with the white list and the black list respectively to obtain the security information of the terminal, and outputting the identification result and the security information to the terminal.
S518, determining the trusted category of the terminal based on the identification result and the security information; the trusted category includes trusted devices and untrusted devices.
S520, determining whether to allow the terminal to access the network according to the trusted category.
Referring also to fig. 6, which shows an execution timing diagram for judging a terminal in this embodiment, the device identification system may be a server on the intranet configured to identify terminal devices. In fig. 6, the terminal device is the device accessing the intranet; "select identification method" means choosing an identification method according to the first and second comparison results and obtaining the identification result; "clean and merge MAC addresses" is required only when there are multiple MAC addresses, so this step is performed only if necessary; and "apply security policy" means feeding the MAC addresses into the security policy to obtain the security information, that is, the security management information.
Specifically, in this embodiment, the hardware information and service login information of the terminal device are first obtained; the MAC addresses in the hardware information are compared with the MAC historical addresses to obtain a first comparison result, and the service login information is compared with the historical login information to obtain a second comparison result. An identification method for the terminal is determined from the first and second comparison results, selected from one of MAC address identification, hybrid identification and non-MAC address identification, and the identification result is obtained according to that method. If the terminal has multiple MAC addresses, they are cleaned and merged, and the merged unified address is fed into the security policy for judgment. The security policy includes a white list and a black list, from which the security information of the terminal device is determined. Finally, the trusted category of the terminal device is determined from the identification result and the security information and fed back to the terminal. The terminal identification method for accessing the intranet provided by this embodiment achieves accurate identification of the terminal and improves the management efficiency of the enterprise.
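The flow S502 to S520 described above, including the MAC address cleaning and merging step, as an added Python example that is not part of the patent or of any product by the applicant. The historical data, list contents, OUI table, the meaning of "MAC address category", the form of the identification result and the exact white/black list semantics are all assumptions and are labelled as such in the code:

```python
import re

# Constructed sample data (not from the patent): the server's record of
# historical terminal requests and the white/black lists of its security policy.
HISTORICAL_MACS = {"00:1A:2B:3C:4D:5E", "00:1A:2B:3C:4D:5F"}
HISTORICAL_LOGINS = {"alice@corp.example"}
WHITELIST = {"00:1A:2B:3C:4D:5E", "alice@corp.example"}
BLACKLIST = {"DE:AD:BE:EF:00:01", "mallory@corp.example"}
# Hypothetical manufacturer-prefix (OUI) table standing in for a real registry.
KNOWN_OUIS = {"00:1A:2B", "02:1A:2B", "DE:AD:BE"}

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str) -> str:
    return mac.strip().upper().replace("-", ":")


def is_valid_mac(mac: str) -> bool:
    """Step S510: format rule plus known-manufacturer range, as the description says."""
    if not MAC_RE.match(mac.strip()):
        return False
    mac = normalize_mac(mac)
    if mac in ("00:00:00:00:00:00", "FF:FF:FF:FF:FF:FF"):
        return False
    return mac[:8] in KNOWN_OUIS


def mac_category(mac: str) -> str:
    """The patent does not define its MAC categories; assumed here to be the IEEE
    universally/locally administered bit (bit 1 of the first octet)."""
    return "local" if int(mac[:2], 16) & 0x02 else "universal"


def clean_and_merge(macs: list[str]) -> tuple[list[str], str]:
    """Step S512: keep valid addresses, drop duplicates, prefer universally
    administered (burned-in) ones, and derive one unified identity string."""
    valid = sorted({normalize_mac(m) for m in macs if is_valid_mac(m)})
    physical = [m for m in valid if mac_category(m) == "universal"] or valid
    return physical, "|".join(physical)


def select_identification_method(macs: list[str], login: str) -> str:
    """Steps S504/S506: the two comparison results choose the identification method."""
    mac_known = any(m in HISTORICAL_MACS for m in macs)  # first comparison result
    login_known = login in HISTORICAL_LOGINS              # second comparison result
    if mac_known and login_known:
        return "non-MAC address identification"
    if not mac_known and not login_known:
        return "MAC address identification"
    return "hybrid identification"


def security_information(macs: list[str], login: str) -> str:
    """Steps S514/S516: compare hardware and login information with both lists.
    Assumed semantics: any blacklist hit is insecure; otherwise a whitelist hit is
    secure; a terminal on neither list is treated as insecure."""
    items = set(macs) | {login}
    if items & BLACKLIST:
        return "insecure"
    return "secure" if items & WHITELIST else "insecure"


def identify_terminal(raw_macs: list[str], login: str) -> dict:
    """Full flow S502-S520 for one request; returns what is fed back to the terminal."""
    method = select_identification_method([normalize_mac(m) for m in raw_macs], login)
    macs, unified = clean_and_merge(raw_macs)
    # Assumed identification result: the terminal is recognised when its login or
    # one of its cleaned MAC addresses appears in the historical requests.
    recognised = login in HISTORICAL_LOGINS or any(m in HISTORICAL_MACS for m in macs)
    security = security_information(macs, login)
    # Trusted if recognised OR secure; untrusted only when neither holds.
    # Under this rule a recognised login outweighs a blacklist hit on a MAC address.
    trusted = recognised or security == "secure"
    return {
        "method": method,
        "unified_mac": unified,
        "recognised": recognised,
        "security": security,
        "trusted_class": "trusted device" if trusted else "untrusted device",
        "access": "allow" if trusted else "block",
    }
```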
It should be understood that, although the steps in the flowcharts of the embodiments described above are shown in sequence as indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the order of execution of the steps is not strictly limited, and the steps may be performed in other orders. Moreover, at least some of the steps in the flowcharts of the above embodiments may include several sub-steps or stages, which are not necessarily performed at the same moment but may be performed at different moments, and these sub-steps or stages need not be executed sequentially but may be executed alternately or in turn with at least some of the sub-steps or stages of the other steps.
Based on the same inventive concept, the embodiment of the application also provides an intranet-access terminal identification device for realizing the intranet-access terminal identification method. The implementation scheme of the device for solving the problem is similar to the implementation scheme described in the above method, so the specific limitation in the embodiments of the device for identifying a terminal accessing an intranet provided below may refer to the limitation of the method for identifying a terminal accessing an intranet, which is not described herein.
In one embodiment, as shown in fig. 7, there is provided a terminal identification device 700 for accessing an intranet, including: a device information acquisition module 702, a device identification module 704, an identification result determination module 706, and a security management module 708, wherein:
The device information acquisition module 702 is configured to obtain hardware information and service login information of a terminal that sends a request; the hardware information includes more than one MAC address.
The device identification module 704 is configured to compare more than one MAC address, service login information, and a historical terminal request, and determine an identification method of the terminal; the identification method is selected from one of MAC address identification, mixed identification and non-MAC address identification.
The identification result determining module 706 is configured to identify the terminal based on the identification method, so as to obtain an identification result.
The security management module 708 is configured to construct a security policy, determine more than one MAC address and service login information based on the security policy, determine security information of the terminal, and output an identification result and the security information to the terminal.
In one embodiment, the history terminal request includes a plurality of MAC history addresses and a plurality of history log-in information; the device identification module 704 specifically is configured to: comparing more than one MAC address with the MAC historical address to obtain a first comparison result, and comparing the service login information with the historical login information to obtain a second comparison result; and determining an identification method of the terminal according to the first comparison result and the second comparison result.
In one embodiment, the device identification module 704 is specifically configured to: if more than one MAC address is judged to be known in the first comparison result and the service login information is judged to be known in the second comparison result, determining that the identification method of the terminal is non-MAC address identification; if more than one MAC address is judged to be unknown in the first comparison result and the service login information is judged to be unknown in the second comparison result, determining that the identification method of the terminal is MAC address identification; otherwise, determining the identification method of the terminal as hybrid identification.
In one embodiment, the security management module 708 is specifically configured to: constructing a security policy according to the historical terminal request; security policies include white lists and black lists; and comparing the hardware information and the service login information of the terminal with the white list and the black list respectively to obtain the security information of the terminal.
In one embodiment, the terminal identification device 700 accessing to the intranet further includes a MAC address cleaning and merging module, where the MAC address cleaning and merging module is configured to: if the MAC addresses are multiple, screening effective addresses in the multiple MAC addresses; and cleaning and merging the effective addresses based on the categories of the MAC addresses, and updating more than one MAC address according to the cleaning and merging result.
In one embodiment, the terminal identification device 700 for accessing the intranet further includes a device trust judging module, where the device trust judging module is configured to: determine the trusted category of the terminal based on the identification result and the security information; the trusted category includes trusted devices and untrusted devices; and determine whether to allow the terminal to access the network according to the trusted category.
All or part of the modules in the terminal identification device accessing the intranet can be realized by software, hardware and a combination thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server, and the internal structure of which may be as shown in fig. 8. The computer device includes a processor, a memory, an Input/Output interface (I/O) and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used for storing historical terminal request data. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by the processor, implements a method for identifying a terminal accessing an intranet.
It will be appreciated by those skilled in the art that the structure shown in FIG. 8 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the method embodiments described above when the computer program is executed.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, implements the steps of the method embodiments described above.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
Those skilled in the art will appreciate that all or part of the above-described methods may be implemented by a computer program stored on a non-transitory computer-readable storage medium which, when executed, may perform the steps of the method embodiments described above. Any reference to memory, database or other medium in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory may include random access memory (RAM) or external cache memory, and the like. By way of illustration and not limitation, RAM may take a variety of forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.

Claims (10)

1. A method for identifying a terminal accessing an intranet, the method comprising:
acquiring hardware information and service login information of a terminal sending a request; the hardware information includes more than one MAC address;
comparing the more than one MAC addresses, the service login information and the historical terminal request to determine an identification method of the terminal; the identification method is selected from one of MAC address identification, mixed identification and non-MAC address identification;
identifying the terminal based on the identification method to obtain an identification result;
constructing a security policy, judging the more than one MAC addresses and the service login information based on the security policy, determining the security information of the terminal, and outputting the identification result and the security information to the terminal.
2. The method of claim 1, wherein the history terminal request comprises a plurality of MAC history addresses and a plurality of history log-in information; the method for comparing the more than one MAC addresses, the service login information and the historical terminal request and determining the identification method of the terminal comprises the following steps:
comparing the more than one MAC addresses with the MAC historical addresses to obtain a first comparison result, and comparing the service login information with the historical login information to obtain a second comparison result;
and determining an identification method of the terminal according to the first comparison result and the second comparison result.
3. The method of claim 2, wherein the determining the identification method of the terminal according to the first comparison result and the second comparison result comprises:
if the first comparison result judges that the more than one MAC addresses are known and the second comparison result judges that the service login information is known, determining that the identification method of the terminal is non-MAC address identification;
if the first comparison result judges that the more than one MAC addresses are unknown, and the second comparison result judges that the service login information is unknown, determining that the identification method of the terminal is MAC address identification;
otherwise, determining that the identification method of the terminal is hybrid identification.
4. The method of claim 1, wherein the constructing a security policy, and judging the more than one MAC addresses and the service login information based on the security policy to determine the security information of the terminal, comprises:
constructing a security policy according to the historical terminal request; the security policy includes a white list and a black list;
and comparing the hardware information and the service login information of the terminal with the white list and the black list respectively to obtain the security information of the terminal.
5. The method according to claim 1, wherein before said constructing a security policy, judging the more than one MAC addresses and the service login information based on the security policy, determining the security information of the terminal, and outputting the identification result and the security information to the terminal, the method further comprises:
if the MAC addresses are multiple, screening effective addresses in the multiple MAC addresses;
and cleaning and merging the effective addresses based on the category of each MAC address, and updating more than one MAC address according to the cleaning and merging result.
6. The method according to any one of claims 1-5, further comprising:
determining a trusted category of the terminal based on the identification result and the security information; the trusted category comprises trusted devices and untrusted devices;
and determining whether the terminal is allowed to access a network according to the trusted category.
7. A terminal identification device for accessing an intranet, the device comprising:
the device information acquisition module is used for acquiring hardware information and service login information of the terminal sending the request; the hardware information includes more than one MAC address;
the equipment identification module is used for comparing the more than one MAC addresses, the service login information and the historical terminal request and determining an identification method of the terminal; the identification method is selected from one of MAC address identification, mixed identification and non-MAC address identification;
the identification result determining module is used for identifying the terminal based on the identification method to obtain an identification result;
and the security management module is used for constructing a security policy, judging the more than one MAC addresses and the service login information based on the security policy, determining the security information of the terminal, and outputting the identification result and the security information to the terminal.
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 6 when the computer program is executed.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
10. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
Application CN202310934844.2A, filed 2023-07-27 (priority date 2023-07-27): Terminal identification method and device for accessing intranet. Status: Pending. Publication: CN116800533A (en).

Publication CN116800533A (en), published 2023-09-22. Family ID 88036856. Country status: CN, CN116800533A (en).


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination