CN117336101A - Fine-grained network access control method, system, equipment and medium - Google Patents


Info

Publication number
CN117336101A
Authority
CN
China
Prior art keywords
network
application
network access
access
terminal
Prior art date
Legal status
Granted
Application number
CN202311608399.7A
Other languages
Chinese (zh)
Other versions
CN117336101B (en)
Inventor
郑海树
蒋荣
许小奎
Current Assignee
Nanjing Zhongfu Information Technology Co Ltd
Original Assignee
Nanjing Zhongfu Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Nanjing Zhongfu Information Technology Co Ltd
Priority to CN202311608399.7A
Publication of CN117336101A
Application granted
Publication of CN117336101B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a fine-grained network access control method, system, equipment and medium. It mainly relates to the technical field of network control systems and addresses two problems of existing schemes: the internet access authority of a specific network application client in terminal equipment cannot be subdivided, and once an illegal application is installed on an authenticated network terminal, its network access cannot be promptly prevented. The method comprises the following steps: acquiring a network message; extracting basic network information; determining the network access mode corresponding to the network terminal; when the network access mode is an application client and the preset controlled network segment is satisfied, obtaining the corresponding black-and-white list mode; in blacklist mode, determining that network access is allowed when neither the application name nor the application category is on the application blacklist; in whitelist mode, determining that network access is allowed when both the application name and the application category are on the application whitelist; and, after network access is allowed, sending the network message to the terminal corresponding to the basic network information.

Description

Fine-grained network access control method, system, equipment and medium
Technical Field
The present disclosure relates to the field of network control systems, and in particular to a method, system, device and medium for fine-grained network access control.
Background
Existing network access control technology works through device user authentication: the client terminal sends an authentication request and user name information for authorization, and once authentication passes the terminal device accesses the internet normally and every application on it can reach the network. The control granularity is therefore low, essentially a device-level mode; a few individual systems add control based on the target TCP/UDP port being accessed.
Such existing network access control systems are characterized by identifying equipment: once a device passes security authentication, every application on that device is allowed to access the internet. Control operates only at the network layer and the transport layer, so its granularity is relatively coarse, the access authority of specific network applications in the terminal equipment cannot be subdivided, and certain scenarios are out of reach. Systems that distinguish network applications, and apply access control, purely by TCP/UDP transport-layer port number are limited further: only applications on known ports can be identified, applications on custom ports cannot, and if a client modifies an application's service port the application is no longer identified, so network control fails.
In addition, once a user installs an illegal application on a network terminal that has passed authentication, the application threatens and impacts the network and brings compliance risk to the company. For example, a user installing illegal or pirated network applications in violation of policy increases the risk of enterprise violations, and the network access control equipment cannot effectively and promptly identify and discover it.
Disclosure of Invention
To address these defects in the prior art, the application provides a fine-grained network access control method, system, equipment and medium, so as to solve the problems that the existing method cannot subdivide the internet access authority of a specific network application client in terminal equipment and that, after a user installs an illegal application on an authenticated network terminal, access by that illegal application cannot be promptly prevented.
In a first aspect, the present application provides a fine-grained network access control method, including: acquiring a network message initiated by network access of a network terminal; extracting basic network information in a network message; wherein the basic network information at least comprises: a MAC address and an IP address; obtaining an application name, an application category and an HTTP/HTTPS internet surfing request corresponding to a network message; acquiring a control strategy issued by access management equipment; the control strategy at least comprises a preset controlled network segment, an application blacklist and an application whitelist; determining a network access mode corresponding to a network terminal according to the HTTP/HTTPS network access request; when the network access mode is an application client and the basic network information meets a preset controlled network segment, acquiring a black-and-white list mode corresponding to the current network terminal; when the blacklist mode is adopted, and the application name and the application category are not on the application blacklist, determining to allow network access; when the white list mode is adopted, and the application name and the application category exist on the application white list, determining to allow network access; after the network access permission is determined, the network message is sent to the server, and the server response message is sent to the terminal corresponding to the basic network information.
Further, obtaining an application name, an application category and an HTTP/HTTPS internet surfing request corresponding to the network message specifically includes: extracting keyword features corresponding to the network request message; matching the application names or application categories corresponding to the keyword features in the application feature library, which is provided in advance with a plurality of feature data corresponding to application names and application categories; and identifying and extracting the HTTP/HTTPS internet surfing request from the network request message.
Further, after determining the network access mode corresponding to the network terminal according to the HTTP/HTTPS internet surfing request, the method further includes: when the network access mode corresponding to the network terminal is web page browsing, pushing an HTTP authentication page to the network terminal to acquire user authentication information and basic network information corresponding to the network terminal, and determining to allow access to the network when the user authentication information meets a preset user authentication condition and the basic network information meets the preset controlled network segment; when the network access mode corresponding to the network terminal is an HTTPS request port, entering a preset HTTPS redirection processing interface to obtain user authentication information and basic network information corresponding to the network terminal, and determining to allow access to the network when the user authentication information meets the preset user authentication condition and the basic network information meets the preset controlled network segment.
Further, the method further comprises: when the network terminal is in blacklist mode and the application name or the application category exists on the application blacklist, discarding the network message, sending a TCP Reset blocking packet to the network terminal and triggering an alarm; when the network terminal is in whitelist mode and the application name or the application category does not exist on the application whitelist, discarding the network message, sending a TCP Reset blocking packet to the network terminal and triggering an alarm.
Further, the method further comprises: and setting specific contents corresponding to the preset controlled network segment, the application blacklist and the application whitelist through a preset editing interface of the access management equipment so as to obtain a control strategy.
In a second aspect, the present application provides a fine-grained network access control system, the system comprising: the receiving module is used for acquiring a network message initiated by network access of the network terminal; extracting basic network information in a network message; wherein the basic network information at least comprises: a MAC address and an IP address; the network message and the basic network information are sent to an application identification module; the application identification module is used for obtaining an application name, an application category and an HTTP/HTTPS internet surfing request corresponding to the network message; the access control module is used for acquiring the control strategy issued by the access management module; the control strategy at least comprises a preset controlled network segment, an application blacklist and an application whitelist; determining a network access mode corresponding to a network terminal according to the HTTP/HTTPS network access request; when the network access mode is an application client and the basic network information meets a preset controlled network segment, acquiring a black-and-white list mode corresponding to the current network terminal; when the mode is a blacklist mode and the application name and the application category do not exist on a blacklist corresponding to the network terminal, determining to allow network access; when the white list mode is adopted, and the application name and the application category are both on the white list corresponding to the network terminal, determining to allow network access; and the sending module is used for sending the network message to the server after determining that the network access is allowed, and sending the server response message to the terminal corresponding to the basic network information.
Further, the application recognition module comprises a feature extraction unit, an application matching engine, an application feature library and a recognition extraction unit; the feature extraction unit is used for extracting keyword features corresponding to the network request message; the application matching engine is used for matching the application names or application categories corresponding to the keyword features in the application feature library; the application feature library is provided with a plurality of feature data corresponding to application names and application categories in advance; and the identification and extraction unit is used for identifying and extracting the HTTP/HTTPS internet surfing request from the network request message.
Further, the access management module is connected with the access control module and is used for setting specific contents corresponding to a preset controlled network segment, an application blacklist and an application whitelist through a preset editing interface so as to obtain a control strategy, and the control strategy is issued to the access control module.
In a third aspect, the present application provides a fine-grained network access control device, the device comprising: a processor; and a memory having executable code stored thereon that, when executed, causes the processor to perform a fine-grained network access control method as in any of the above.
In a fourth aspect, the present application provides a non-volatile computer storage medium having stored thereon computer instructions which, when executed, implement a fine-grained network access control method as in any of the above.
As can be appreciated by those skilled in the art, the present application has at least the following beneficial effects:
the method can perform fine-grained access control over the internet access of terminal equipment: it can control whether a specific network device may access the internet and, more finely, whether a specific application (application client) in that device may; it can subdivide control of a device's internet access by network application name and application category, allowing only application clients on a whitelist to access the network or prohibiting application clients on a blacklist from accessing it; and it can promptly detect an illegal network application accessing a preset controlled network segment.
In addition, the application characteristics corresponding to the network message (application name, application category and HTTP/HTTPS internet surfing request) can be identified in depth through a keyword identification technology.
The invention can effectively control network access by the terminal equipment of a company network or campus network and prohibit non-compliant applications from using the network, for example preventing students from playing games over the campus computer-room network, or preventing enterprise staff from using network applications unrelated to their work, thereby improving work efficiency.
Drawings
Some embodiments of the present disclosure are described below with reference to the accompanying drawings, in which:
Fig. 1 is a flowchart of a fine-grained network access control method provided in an embodiment of the application.
Fig. 2 is a schematic diagram of an internal structure of a fine-grained network access control system according to an embodiment of the application.
Fig. 3 is a schematic diagram of an internal structure of a fine-grained network access control device according to an embodiment of the application.
Detailed Description
It should be understood by those skilled in the art that the embodiments described below are only preferred embodiments of the present disclosure, and do not represent that the present disclosure can be realized only by the preferred embodiments, which are merely for explaining the technical principles of the present disclosure, not for limiting the scope of the present disclosure. Based on the preferred embodiments provided by the present disclosure, all other embodiments that may be obtained by one of ordinary skill in the art without inventive effort shall still fall within the scope of the present disclosure.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises an element.
The following describes in detail the technical solution proposed in the embodiments of the present application through the accompanying drawings.
The embodiment of the application provides a fine-grained network access control method, as shown in fig. 1, which mainly comprises the following steps:
step 110, obtaining a network message initiated by network access of a network terminal; and extracting basic network information in the network message.
It should be noted that, the basic network information at least includes: MAC address and IP address.
The network message is obtained by an existing method, which this application does not limit. The basic network information in the network message may be extracted by any feasible keyword feature extraction algorithm.
Step 120, obtaining an application name, an application category and an HTTP/HTTPS internet surfing request corresponding to the network message.
As an example, this step may specifically be: extracting keyword features corresponding to the network request message; matching the application names or application categories corresponding to the keyword features in the application feature library, which is provided in advance with a plurality of feature data corresponding to application names and application categories; and identifying and extracting the HTTP/HTTPS internet surfing request from the network request message. It should be noted that the keyword features corresponding to the network request message may be extracted by any feasible keyword feature extraction algorithm. The specific content of the application feature library can be determined by one skilled in the art according to the actual situation. The specific method for identifying and extracting HTTP/HTTPS internet surfing requests may be implemented by the prior art, which is not limited in this application.
Step 130, acquiring a control strategy issued by access management equipment; the control strategy at least comprises a preset controlled network segment, an application blacklist and an application whitelist; determining a network access mode corresponding to the network terminal according to the HTTP/HTTPS network access request; when the network access mode is an application client and the basic network information meets the preset controlled network segment, acquiring the black-and-white list mode corresponding to the current network terminal; in blacklist mode, determining to allow network access when the application name and the application category are not on the application blacklist; and in whitelist mode, determining to allow network access when the application name and the application category exist on the application whitelist.
It should be noted that the specific scheme for determining the network access mode corresponding to the network terminal from the HTTP/HTTPS internet surfing request is prior art, which is not limited in this application. The preset controlled network segment is data set by a person skilled in the art to limit the range of MAC addresses and IP addresses, and it can be adjusted according to actual requirements. Likewise, the specific content of the application blacklist and the application whitelist can be adjusted by those skilled in the art according to actual requirements.
In addition, the network access mode in this application also includes web page browsing and HTTPS request port.
The web access permission of the web page browsing may specifically be: when the network access mode corresponding to the network terminal is web page browsing, pushing an HTTP authentication page to the network terminal to acquire user authentication information and basic network information corresponding to the network terminal; and determining to allow access to the network when the user authentication information meets the preset user authentication condition and the basic network information meets the preset controlled network segment.
The allowing access to the HTTPS request port may specifically be: when the network access mode corresponding to the network terminal is an HTTPS request port, entering a preset HTTPS redirection processing interface to obtain user authentication information and basic network information corresponding to the network terminal; and determining to allow access to the network when the user authentication information meets the preset user authentication condition and the basic network information meets the preset controlled network segment.
It should be noted that the preset user authentication condition may be specifically an existing mobile phone number authentication method.
In addition, the method and device can block and alarm when the network access condition is not met.
As a first example, in blacklist mode, when the application name or the application category exists on the application blacklist, the network message is discarded, a TCP Reset blocking packet is sent to the network terminal and an alarm is triggered.
As a second example, in whitelist mode, when the application name or the application category does not exist on the application whitelist, the network message is discarded, a TCP Reset blocking packet is sent to the network terminal and an alarm is triggered.
In addition, the method and device can also automatically adjust the specific contents corresponding to the preset controlled network segment, the application blacklist and the application whitelist. Specifically, the contents corresponding to the preset controlled network segment, the application blacklist and the application whitelist are set through a preset editing interface of the access management equipment so as to obtain a control strategy, thereby completing the adjustment. It should be noted that the access management equipment may be any feasible system, device or apparatus capable of acquiring a control policy and transmitting it.
Step 140, after determining that network access is allowed, sending the network message to a server, and sending the server response message to the terminal corresponding to the basic network information.
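The decision logic of steps 110 to 140 (and of claim 1 below), written out as an added example; this is not code from the patent or its assignee. The feature library, terminal-to-mode mapping, MAC/IP values and request texts are constructed for illustration, and the handling of terminals outside the controlled segment and of terminals with no configured mode is an assumption, since the page leaves both cases unspecified.

```python
from dataclasses import dataclass
from enum import Enum
import ipaddress


class AccessMode(Enum):
    APP_CLIENT = "application client"
    WEB_BROWSING = "web page browsing"
    HTTPS_PORT = "HTTPS request port"


class ListMode(Enum):
    BLACKLIST = "blacklist"
    WHITELIST = "whitelist"


class Verdict(Enum):
    FORWARD = "send message to server, relay server response to terminal"
    BLOCK = "discard message, send TCP Reset to terminal, trigger alarm"
    AUTH_PAGE = "push HTTP authentication page / HTTPS redirection interface"


# Constructed application feature library: keyword feature -> (app name, app category).
# Names, hosts and categories are made up for this example.
FEATURE_LIBRARY = {
    "user-agent: examplegame/": ("ExampleGame", "game"),
    "host: im.example-chat.test": ("ExampleIM", "instant messaging"),
    "host: mail.example-corp.test": ("CorpMail", "office"),
}


@dataclass(frozen=True)
class NetworkMessage:
    mac: str       # basic network information
    ip: str        # basic network information
    payload: str   # request text the keyword features are matched against


@dataclass
class ControlPolicy:
    """Control strategy as issued by the access management equipment."""
    controlled_segment: ipaddress.IPv4Network
    app_blacklist: frozenset   # application names and categories, mixed
    app_whitelist: frozenset
    terminal_mode: dict        # MAC address -> ListMode (assumed per-terminal mapping)


def identify_application(payload):
    """Step 120: look the request's keyword features up in the feature library."""
    text = payload.lower()
    for keyword, (name, category) in FEATURE_LIBRARY.items():
        if keyword in text:
            return name, category
    return None, None   # application not identified


def evaluate(msg, access_mode, policy, user_authenticated=False):
    """Step 130: decide what happens to the message. Returns (verdict, name, category)."""
    in_segment = ipaddress.ip_address(msg.ip) in policy.controlled_segment
    app_name, app_category = identify_application(msg.payload)

    # Web page browsing and HTTPS request port go through portal authentication;
    # the page leaves the authentication method itself to existing mechanisms.
    if access_mode is not AccessMode.APP_CLIENT:
        if not user_authenticated:
            return Verdict.AUTH_PAGE, app_name, app_category
        return (Verdict.FORWARD if in_segment else Verdict.BLOCK), app_name, app_category

    # Application client path. Assumption: a terminal outside the controlled
    # segment is treated as "network access condition not met".
    if not in_segment:
        return Verdict.BLOCK, app_name, app_category

    # Assumption: a terminal without a configured mode falls back to whitelist mode.
    mode = policy.terminal_mode.get(msg.mac, ListMode.WHITELIST)
    if mode is ListMode.BLACKLIST:
        # Blocked if the name OR the category is blacklisted; allowed only if neither is,
        # so an application the library cannot identify passes in this mode.
        hit = app_name in policy.app_blacklist or app_category in policy.app_blacklist
        verdict = Verdict.BLOCK if hit else Verdict.FORWARD
    else:
        # Allowed only if BOTH the name AND the category are whitelisted.
        ok = app_name in policy.app_whitelist and app_category in policy.app_whitelist
        verdict = Verdict.FORWARD if ok else Verdict.BLOCK
    return verdict, app_name, app_category


# Constructed sample policy: one terminal per list mode.
POLICY = ControlPolicy(
    controlled_segment=ipaddress.ip_network("10.20.0.0/16"),
    app_blacklist=frozenset({"game"}),
    app_whitelist=frozenset({"CorpMail", "office"}),
    terminal_mode={"aa:bb:cc:00:00:01": ListMode.BLACKLIST,
                   "aa:bb:cc:00:00:02": ListMode.WHITELIST},
)
GAME_REQUEST = "GET /lobby HTTP/1.1\r\nHost: game.example.test\r\nUser-Agent: ExampleGame/3.1\r\n"
MAIL_REQUEST = "GET /inbox HTTP/1.1\r\nHost: mail.example-corp.test\r\n"

if __name__ == "__main__":
    for mac in POLICY.terminal_mode:
        for payload in (GAME_REQUEST, MAIL_REQUEST):
            verdict, name, cat = evaluate(NetworkMessage(mac, "10.20.1.5", payload),
                                          AccessMode.APP_CLIENT, POLICY)
            print(f"{mac} {name!s:12} {cat!s:18} -> {verdict.value}")
```

Note the asymmetry the page's wording implies: blacklist mode lets an unidentified application through, whereas whitelist mode blocks it, which matters when the feature library does not cover an application on a custom port.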
In addition, fig. 2 is a schematic diagram of a fine-grained network access control system according to an embodiment of the disclosure. As shown in fig. 2, the system provided in the embodiment of the present application mainly includes:
a receiving module 210, configured to obtain a network message initiated by network access of a network terminal; and extracting basic network information in the network message.
It should be noted that, the receiving module 210 may be any feasible device or apparatus capable of performing network message acquisition and basic network information extraction. Wherein the basic network information at least comprises: a MAC address and an IP address; the network message and the underlying network information are sent to the application identification module 220.
The application identification module 220 is configured to obtain an application name, an application category and an HTTP/HTTPS internet surfing request corresponding to the network message.
It should be noted that the application identification module 220 may be any feasible device or apparatus capable of obtaining an application name, an application category and an HTTP/HTTPS internet surfing request corresponding to the network packet.
As an example, keyword features corresponding to the network request message are extracted by the feature extraction unit 221 in the application identification module 220; the application names or application categories corresponding to the keyword features are matched in the application feature library 223 by the application matching engine 222 in the application identification module 220, the application feature library 223 being preset with a plurality of feature data corresponding to application names and application categories; and the HTTP/HTTPS internet surfing request is identified and extracted from the network request message by the identification extraction unit 224 in the application identification module 220.
An access control module 230, configured to obtain a control policy issued by the access management module 250; the control strategy at least comprises a preset controlled network segment, an application blacklist and an application whitelist; determining a network access mode corresponding to a network terminal according to the HTTP/HTTPS network access request; when the network access mode is an application client and the basic network information meets a preset controlled network segment, acquiring a black-and-white list mode corresponding to the current network terminal; when the mode is a blacklist mode and the application name and the application category do not exist on a blacklist corresponding to the network terminal, determining to allow network access; and when the white list mode is adopted, and the application name and the application category are both on the white list corresponding to the network terminal, determining to allow network access.
It should be noted that, the access control module 230 may be any feasible device or apparatus capable of determining whether to access the network.
In addition, the access management module 250 is connected to the access control module 230, and is configured to set specific contents corresponding to the preset controlled network segment, the application blacklist and the application whitelist, so as to obtain a control policy, and issue the control policy to the access control module 230.
And the sending module 240 is configured to send the network packet to the terminal corresponding to the basic network information after determining that the network access is allowed.
It should be noted that, the sending module 240 may be any feasible device or apparatus capable of sending a network packet.
The foregoing is a method embodiment in the present application, and based on the same inventive concept, the embodiment of the present application further provides a fine-grained network access control device. As shown in fig. 3, the apparatus includes: a processor; and a memory having executable code stored thereon that, when executed, causes the processor to perform a fine-grained network access control method as in the above embodiments.
Specifically, a server side acquires a network message initiated by network access of a network terminal; extracting basic network information in a network message; wherein the basic network information at least comprises: a MAC address and an IP address; obtaining an application name, an application category and an HTTP/HTTPS internet surfing request corresponding to a network message; acquiring a control strategy issued by access management equipment; the control strategy at least comprises a preset controlled network segment, an application blacklist and an application whitelist; determining a network access mode corresponding to a network terminal according to the HTTP/HTTPS network access request; when the network access mode is an application client and the basic network information meets a preset controlled network segment, acquiring a black-and-white list mode corresponding to the current network terminal; when the blacklist mode is adopted, and the application name and the application category are not on the application blacklist, determining to allow network access; when the white list mode is adopted, and the application name and the application category exist on the application white list, determining to allow network access; after the network access permission is determined, the network message is sent to the server, and the server response message is sent to the terminal corresponding to the basic network information.
In addition, the embodiment of the application also provides a nonvolatile computer storage medium, on which executable instructions are stored, and when the executable instructions are executed, the fine-grained network access control method is realized.
Thus far, the technical solution of the present disclosure has been described in connection with the foregoing embodiments, but it is easily understood by those skilled in the art that the protective scope of the present disclosure is not limited to only these specific embodiments. The technical solutions in the above embodiments may be split and combined by those skilled in the art without departing from the technical principles of the present disclosure, and equivalent modifications or substitutions may be made to related technical features, which all fall within the scope of the present disclosure.

Claims (10)

1. A fine-grained network access control method, the method comprising:
acquiring a network message initiated by network access of a network terminal; extracting basic network information in a network message; wherein the basic network information at least comprises: a MAC address and an IP address;
obtaining an application name, an application category and an HTTP/HTTPS internet surfing request corresponding to a network message;
acquiring a control strategy issued by access management equipment; the control strategy at least comprises a preset controlled network segment, an application blacklist and an application whitelist; determining a network access mode corresponding to a network terminal according to the HTTP/HTTPS network access request; when the network access mode is an application client and the basic network information meets a preset controlled network segment, acquiring a black-and-white list mode corresponding to the current network terminal; when the blacklist mode is adopted, and the application name and the application category are not on the application blacklist, determining to allow network access; when the white list mode is adopted, and the application name and the application category exist on the application white list, determining to allow network access;
after the network access permission is determined, the network message is sent to the server, and the server response message is sent to the terminal corresponding to the basic network information.
2. The fine-grained network access control method according to claim 1, wherein obtaining an application name, an application category and an HTTP/HTTPS internet surfing request corresponding to the network message specifically comprises:
extracting keyword features corresponding to the network request message; matching the application names or application categories corresponding to the keyword features in the application feature library; the application feature library is provided with a plurality of feature data corresponding to application names and application categories in advance; and identifying and extracting the HTTP/HTTPS internet surfing request from the network request message.
3. The fine-grained network access control method according to claim 1, characterized in that after determining the network access mode corresponding to the network terminal according to the HTTP/HTTPS internet surfing request, the method further comprises:
when the network access mode corresponding to the network terminal is web page browsing, pushing an HTTP authentication page to the network terminal to acquire user authentication information and basic network information corresponding to the network terminal; determining to allow access to the network when the user authentication information meets a preset user authentication condition and the basic network information meets a preset controlled network segment;
when the network access mode corresponding to the network terminal is an HTTPS request port, entering a preset HTTPS redirection processing interface to obtain user authentication information and basic network information corresponding to the network terminal; and determining to allow access to the network when the user authentication information meets the preset user authentication condition and the basic network information meets the preset controlled network segment.
4. The fine-grained network access control method of claim 1, further comprising:
when the network terminal is in a blacklist mode and the application name or the application category exists on the application blacklist, discarding the network message, sending a TCP Reset blocking packet to the network terminal and triggering an alarm;
when the network terminal is in the white list mode and the application name or the application category does not exist on the application white list, the network message is discarded, and a TCP Reset blocking packet is sent to the network terminal and an alarm is triggered.
5. The fine-grained network access control method of claim 1, further comprising:
and setting specific contents corresponding to the preset controlled network segment, the application blacklist and the application whitelist through a preset editing interface of the access management equipment so as to obtain a control strategy.
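The decision procedure of claims 1, 3, 4 and 5 (controlled-segment check, access-mode branch, black-/whitelist evaluation on both application name and category, and the deny action with TCP Reset and alarm) written out as a small policy engine. This is an added illustration, not code from the patent or its applicant; all class and function names are assumptions, and it additionally assumes that a terminal whose IP falls outside every controlled segment is simply not subject to the application policy, which the claims do not specify.

```python
"""Policy-decision logic for the black-/whitelist branch of the claims.
Added illustration; names and the "uncontrolled" outcome are assumptions."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network


class AccessMode(Enum):
    """Network access mode determined from the HTTP/HTTPS request (claim 1/3)."""
    APP_CLIENT = "application_client"   # claim 1: list evaluation applies
    WEB_BROWSING = "web_browsing"       # claim 3: push HTTP authentication page
    HTTPS_PORT = "https_port"           # claim 3: HTTPS redirection interface


class ListMode(Enum):
    BLACKLIST = "blacklist"
    WHITELIST = "whitelist"


@dataclass(frozen=True)
class ControlPolicy:
    """Control strategy as issued by the access management equipment (claim 5)."""
    controlled_segments: tuple   # CIDR strings, e.g. ("10.1.0.0/16",)
    app_blacklist: frozenset     # application names and categories
    app_whitelist: frozenset


@dataclass(frozen=True)
class Verdict:
    action: str                  # "ALLOW", "BLOCK", "AUTHENTICATE", "UNCONTROLLED"
    send_tcp_reset: bool = False # claim 4: TCP Reset blocking packet to terminal
    raise_alarm: bool = False    # claim 4: alarm triggered on block
    reason: str = ""


def in_controlled_segment(ip: str, policy: ControlPolicy) -> bool:
    """True when the terminal IP meets a preset controlled network segment."""
    addr = ip_address(ip)
    return any(addr in ip_network(seg) for seg in policy.controlled_segments)


def decide(ip: str, app_name: str, app_category: str,
           access_mode: AccessMode, list_mode: ListMode,
           policy: ControlPolicy) -> Verdict:
    # Assumption (not stated in the claims): traffic from outside the
    # controlled segments is not evaluated against the application lists.
    if not in_controlled_segment(ip, policy):
        return Verdict("UNCONTROLLED", reason=f"{ip} outside controlled segments")

    # Claim 3: web browsing and HTTPS-port access go to user authentication
    # before the controlled-segment/allow decision is made.
    if access_mode is not AccessMode.APP_CLIENT:
        return Verdict("AUTHENTICATE",
                       reason=f"{access_mode.value} requires user authentication")

    # Claim 1 evaluates BOTH the application name and the application category.
    labels = {app_name, app_category}

    if list_mode is ListMode.BLACKLIST:
        hits = labels & policy.app_blacklist
        if hits:  # claim 4: name OR category on the blacklist -> block
            return Verdict("BLOCK", True, True, f"blacklisted: {sorted(hits)}")
        return Verdict("ALLOW", reason="neither name nor category blacklisted")

    # Whitelist mode: name AND category must both be listed (claim 1);
    # anything missing blocks with TCP Reset and alarm (claim 4).
    missing = labels - policy.app_whitelist
    if missing:
        return Verdict("BLOCK", True, True, f"not whitelisted: {sorted(missing)}")
    return Verdict("ALLOW", reason="name and category both whitelisted")


# Constructed sample policy and terminals for a stand-alone run.
SAMPLE_POLICY = ControlPolicy(
    controlled_segments=("10.1.0.0/16",),
    app_blacklist=frozenset({"torrent-client", "p2p"}),
    app_whitelist=frozenset({"erp-client", "business", "mail-client"}),
)

if __name__ == "__main__":
    cases = [
        ("10.1.2.3", "erp-client", "business", AccessMode.APP_CLIENT, ListMode.BLACKLIST),
        ("10.1.2.3", "unknown-app", "p2p", AccessMode.APP_CLIENT, ListMode.BLACKLIST),
        ("10.1.2.3", "mail-client", "productivity", AccessMode.APP_CLIENT, ListMode.WHITELIST),
        ("10.1.2.3", "erp-client", "business", AccessMode.WEB_BROWSING, ListMode.WHITELIST),
        ("192.168.5.5", "torrent-client", "p2p", AccessMode.APP_CLIENT, ListMode.BLACKLIST),
    ]
    for ip, name, cat, mode, lm in cases:
        v = decide(ip, name, cat, mode, lm, SAMPLE_POLICY)
        print(f"{ip:12} {name:15} {cat:13} {lm.value:9} -> {v.action:12} {v.reason}")
```

The point a reviewer of this policy should notice is the asymmetry the claims build in: blacklist mode blocks on a match of either the name or the category, while whitelist mode allows only when both are listed, so a whitelisted application in an unlisted category is still blocked.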
6. A fine-grained network access control system, the system comprising:
the receiving module is used for acquiring a network message initiated by network access of the network terminal; extracting basic network information in a network message; wherein the basic network information at least comprises: a MAC address and an IP address; the network message and the basic network information are sent to an application identification module;
the application identification module is used for obtaining an application name, an application category and an HTTP/HTTPS internet surfing request corresponding to the network message;
the access control module is used for acquiring the control strategy issued by the access management module; the control strategy at least comprises a preset controlled network segment, an application blacklist and an application whitelist; determining a network access mode corresponding to a network terminal according to the HTTP/HTTPS network access request; when the network access mode is an application client and the basic network information meets a preset controlled network segment, acquiring a black-and-white list mode corresponding to the current network terminal; when the mode is a blacklist mode and the application name and the application category do not exist on a blacklist corresponding to the network terminal, determining to allow network access; when the white list mode is adopted, and the application name and the application category are both on the white list corresponding to the network terminal, determining to allow network access;
and the sending module is used for sending the network message to the server after determining that the network access is allowed, and sending the server response message to the terminal corresponding to the basic network information.
7. The fine-grained network access control system of claim 6, wherein the application identification module comprises a feature extraction unit, an application matching engine, an application feature library, and an identification extraction unit;
the feature extraction unit is used for extracting keyword features corresponding to the network request message;
the application matching engine is used for matching the application names or application categories corresponding to the keyword features in the application feature library; the application feature library is provided with a plurality of feature data corresponding to application names and application categories in advance;
and the identification and extraction unit is used for identifying and extracting the HTTP/HTTPS internet surfing request from the network request message.
8. The fine-grained network access control system of claim 6, wherein the access management module is coupled to the access control module,
and is used for setting specific contents corresponding to a preset controlled network segment, an application blacklist and an application whitelist to obtain a control strategy, and issuing the control strategy to the access control module.
9. A fine-grained network access control device, the device comprising:
a processor;
and a memory having executable code stored thereon that, when executed, causes the processor to perform a fine-grained network access control method according to any of claims 1-5.
10. A non-transitory computer storage medium having stored thereon computer instructions which, when executed, implement a fine-grained network access control method according to any of claims 1-5.
CN202311608399.7A 2023-11-29 2023-11-29 Fine-grained network access control method, system, equipment and medium Active CN117336101B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311608399.7A CN117336101B (en) 2023-11-29 2023-11-29 Fine-grained network access control method, system, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311608399.7A CN117336101B (en) 2023-11-29 2023-11-29 Fine-grained network access control method, system, equipment and medium

Publications (2)

Publication Number Publication Date
CN117336101A true CN117336101A (en) 2024-01-02
CN117336101B CN117336101B (en) 2024-02-23

Family

ID=89293766

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311608399.7A Active CN117336101B (en) 2023-11-29 2023-11-29 Fine-grained network access control method, system, equipment and medium

Country Status (1)

Country Link
CN (1) CN117336101B (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070006282A1 (en) * 2005-06-30 2007-01-04 David Durham Techniques for authenticated posture reporting and associated enforcement of network access
US20070245409A1 (en) * 2006-04-12 2007-10-18 James Harris Systems and Methods for Providing Levels of Access and Action Control Via an SSL VPN Appliance
CN101616076A (en) * 2009-07-28 2009-12-30 武汉理工大学 A kind of fine-granularity network access control method based on user connection information
CN103034799A (en) * 2012-12-14 2013-04-10 南京中孚信息技术有限公司 Kernel level desktop access control method
CN104796261A (en) * 2015-04-16 2015-07-22 长安大学 Secure access control system and method for network terminal nodes
CN107465650A (en) * 2016-06-06 2017-12-12 阿里巴巴集团控股有限公司 A kind of access control method and device
CN108390874A (en) * 2018-02-12 2018-08-10 北京工业大学 Access control model and access method based on certificate in network structure
CN109462589A (en) * 2018-11-13 2019-03-12 北京天融信网络安全技术有限公司 The method, device and equipment of application program NS software
CN111092869A (en) * 2019-12-10 2020-05-01 中盈优创资讯科技有限公司 Security management and control method for terminal access to office network and authentication server
CN111711631A (en) * 2020-06-17 2020-09-25 北京字节跳动网络技术有限公司 Network access control method, device, equipment and storage medium
CN111885031A (en) * 2020-07-13 2020-11-03 董鹏 Fine-grained access control method and system based on session process
CN113472758A (en) * 2021-06-21 2021-10-01 北京沃东天骏信息技术有限公司 Access control method, device, terminal, connector and storage medium

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
MUHAMMAD ADIL: "MAC-AODV Based Mutual Authentication Scheme for Constraint Oriented Networks", IEEE Access *
卜天宇; 严锦立; 黄金锋; 孙志刚: "Research on security protection of industrial control networks for the OPC UA/TSN architecture", 网络空间安全 (Cyberspace Security), no. 10 *
王军武; 李新友: "Research on trusted network access systems and related technologies", 信息网络安全 (Netinfo Security), no. 03 *
王静怡: "Fine-grained policy-hiding and traceable decentralized access control scheme for mHealth", 计算机研究与发展 (Journal of Computer Research and Development) *

Also Published As

Publication number Publication date
CN117336101B (en) 2024-02-23

Similar Documents

Publication Publication Date Title
US7562385B2 (en) Systems and methods for dynamic authentication using physical keys
CN109067937B (en) Terminal access control method, device, equipment, system and storage medium
US20110191862A1 (en) System and Method for Restricting Access to Requested Data Based on User Location
US8990573B2 (en) System and method for using variable security tag location in network communications
US20150089625A1 (en) Access Control Manager
US11818132B2 (en) Authorized access list generation method and information security system using same
US20080072304A1 (en) Obscuring authentication data of remote user
CN110134700B (en) Data uplink method, device, computer equipment and storage medium
CN107872445B (en) Access authentication method, device and authentication system
CN106899561B (en) TNC (network node controller) authority control method and system based on ACL (Access control List)
CN112165536B (en) Network terminal authentication method and device
CN107426182B (en) Access control method and system for storage management system
US20130097696A1 (en) Data security system
CN110611682A (en) Network access system, network access method and related equipment
WO2018126616A1 (en) Sharing method, apparatus and system
CN111935123B (en) Method, equipment and storage medium for detecting DNS spoofing attack
JP2004062417A (en) Certification server device, server device and gateway device
CN108076500B (en) Method and device for managing local area network and computer readable storage medium
CN117336101B (en) Fine-grained network access control method, system, equipment and medium
CN112804222A (en) Data transmission method, device, equipment and storage medium based on cloud deployment
EP1387550A2 (en) Method and system for preventing unauthorized access to the internet
US20200021587A1 (en) Managing system and managing method for managing authentication for cloud service system
US11853443B1 (en) Systems and methods for providing role-based access control to web services using mirrored, secluded web instances
JP5743822B2 (en) Information leakage prevention device and restriction information generation device
US10027668B2 (en) Information protecting apparatus

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant