CN117336101B - Fine-grained network access control method, system, equipment and medium - Google Patents
Fine-grained network access control method, system, equipment and medium Download PDFInfo
- Publication number
- CN117336101B CN117336101B CN202311608399.7A CN202311608399A CN117336101B CN 117336101 B CN117336101 B CN 117336101B CN 202311608399 A CN202311608399 A CN 202311608399A CN 117336101 B CN117336101 B CN 117336101B
- Authority
- CN
- China
- Prior art keywords
- network
- application
- network access
- access
- terminal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 44
- 238000011217 control strategy Methods 0.000 claims description 20
- 238000000605 extraction Methods 0.000 claims description 13
- 230000000903 blocking effect Effects 0.000 claims description 6
- 230000004044 response Effects 0.000 claims description 6
- 230000001960 triggered effect Effects 0.000 claims description 4
- 230000005540 biological transmission Effects 0.000 description 3
- 238000010586 diagram Methods 0.000 description 2
- 238000013475 authorization Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000001681 protective effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application discloses a fine-grained network access control method, a fine-grained network access control system, fine-grained network access control equipment and a fine-grained network access control medium, which mainly relate to the technical field of network control systems and are used for solving the problem that the internet access authority of a specific network application client in terminal equipment cannot be subdivided in the existing scheme, and in addition, after an illegal application is installed on a network terminal passing authentication, the illegal application access cannot be timely avoided. Comprising the following steps: acquiring a network message; extracting basic network information; determining a network access mode corresponding to a network terminal; when the network access mode is an application client and a preset controlled network segment is met, a corresponding black-and-white list mode is obtained; when the blacklist mode is adopted, and the application name and the application category are not on the application blacklist, determining to allow network access; when the white list mode is adopted, and the application name and the application category exist on the application white list, determining to allow network access; and after determining that network access is allowed, sending the network message to a terminal corresponding to the basic network information.
Description
Technical Field
The present disclosure relates to the field of network control systems, and in particular, to a method, system, device, and medium for controlling access to a fine-grained network.
Background
The existing network access control technology is that through equipment user authentication, a client terminal performs authorization authentication by sending an authentication request and user name information, after the authentication is passed, the terminal device performs normal internet surfing, all applications can access a network, the network control granularity is low, basically, a device-level network control mode is adopted, and individual systems perform network control by adopting an access target TCP/UDP port mode.
The above-mentioned existing network access control system is basically characterized by identifying equipment, after passing through equipment security authentication, allowing all applications in the whole equipment to access to the internet, only the network access control method and system of the network layer and the transmission layer, the granularity of the control network is relatively coarse, the access authority of specific network applications in the terminal equipment cannot be subdivided, a certain scene limit exists, and part of the system has a larger limitation in distinguishing network applications and application access control simply by distinguishing network application TCP/UDP transmission layer port numbers, only known port applications can be identified, custom port applications cannot be identified, and if a client modifies an application service port, the application cannot be identified, so that the control network fails.
In addition, for the network terminal passing authentication, after the user installs illegal application, threat and impact are caused to the network, and a compliance risk is brought to the company, for example, the user installs illegal and pirated network application in a violation manner, so that the risk of enterprise violation is increased, and the network access control equipment cannot effectively and timely identify and discover the network.
Disclosure of Invention
Aiming at the defects in the prior art, the application provides a fine-grained network access control method, a system, equipment and a medium, so as to solve the problems that the existing method cannot subdivide the internet access authority of a specific network application client in terminal equipment, and in addition, after a user installs illegal application for a network terminal passing authentication, the illegal application access cannot be timely avoided.
In a first aspect, the present application provides a fine-grained network access control method, including: acquiring a network message initiated by network access of a network terminal; extracting basic network information in a network message; wherein the basic network information at least comprises: a MAC address and an IP address; obtaining an application name, an application category and an HTTP/HTTPS internet surfing request corresponding to a network message; acquiring a control strategy issued by access management equipment; the control strategy at least comprises a preset controlled network segment, an application blacklist and an application whitelist; determining a network access mode corresponding to a network terminal according to the HTTP/HTTPS network access request; when the network access mode is an application client and the basic network information meets a preset controlled network segment, acquiring a black-and-white list mode corresponding to the current network terminal; when the blacklist mode is adopted, and the application name and the application category are not on the application blacklist, determining to allow network access; when the white list mode is adopted, and the application name and the application category exist on the application white list, determining to allow network access; after the network access permission is determined, the network message is sent to the server, and the server response message is sent to the terminal corresponding to the basic network information.
Further, obtaining an application name, an application category and an HTTP/HTTPs internet surfing request corresponding to the network message specifically includes: extracting keyword features corresponding to the network request message; matching the application names or application categories corresponding to the keyword features in the application feature library; the application feature library is provided with a plurality of feature data corresponding to application names and application categories in advance; and identifying and extracting the HTTP/HTTPS internet surfing request from the network request message.
Further, after determining the network access mode corresponding to the network terminal according to the HTTP/HTTPs internet surfing request, the method further includes: when the network access mode corresponding to the network terminal is web page browsing, pushing an HTTP authentication page to the network terminal to acquire user authentication information and basic network information corresponding to the network terminal; determining to allow access to the network when the user authentication information meets a preset user authentication condition and the basic network information meets a preset controlled network segment; when the network access mode corresponding to the network terminal is an HTTPS request port, entering a preset HTTPS redirection processing interface to obtain user authentication information and basic network information corresponding to the network terminal; and determining to allow access to the network when the user authentication information meets the preset user authentication condition and the basic network information meets the preset controlled network segment.
Further, the method further comprises: when the network terminal is in a blacklist mode and the application name or the application category exists on the application blacklist, discarding the network message, and sending a TCP Reset blocking packet and triggering an alarm to the network terminal; when the network terminal is in the white list mode and the application name or the application category does not exist on the application white list, the network message is discarded, and a TCP Reset blocking packet is sent to the network terminal and an alarm is triggered.
Further, the method further comprises: and setting specific contents corresponding to the preset controlled network segment, the application blacklist and the application whitelist through a preset editing interface of the access management equipment so as to obtain a control strategy.
In a second aspect, the present application provides a fine-grained network access control system, the system comprising: the receiving module is used for acquiring a network message initiated by network access of the network terminal; extracting basic network information in a network message; wherein the basic network information at least comprises: a MAC address and an IP address; the network message and the basic network information are sent to an application identification module; the application identification module is used for obtaining an application name, an application category and an HTTP/HTTPS internet surfing request corresponding to the network message; the access control module is used for acquiring the control strategy issued by the access management module; the control strategy at least comprises a preset controlled network segment, an application blacklist and an application whitelist; determining a network access mode corresponding to a network terminal according to the HTTP/HTTPS network access request; when the network access mode is an application client and the basic network information meets a preset controlled network segment, acquiring a black-and-white list mode corresponding to the current network terminal; when the mode is a blacklist mode and the application name and the application category do not exist on a blacklist corresponding to the network terminal, determining to allow network access; when the white list mode is adopted, and the application name and the application category are both on the white list corresponding to the network terminal, determining to allow network access; and the sending module is used for sending the network message to the server after determining that the network access is allowed, and sending the server response message to the terminal corresponding to the basic network information.
Further, the application recognition module comprises a feature extraction unit, an application matching engine, an application feature library and a recognition extraction unit; the feature extraction unit is used for extracting keyword features corresponding to the network request message; the application matching engine is used for matching the application names or application categories corresponding to the keyword features in the application feature library; the application feature library is provided with a plurality of feature data corresponding to application names and application categories in advance; and the identification and extraction unit is used for identifying and extracting the HTTP/HTTPS internet surfing request from the network request message.
Further, the access management module is connected with the access control module and is used for setting specific contents corresponding to a preset controlled network segment, an application blacklist and an application whitelist through a preset editing interface so as to obtain a control strategy, and the control strategy is issued to the access control module.
In a third aspect, the present application provides a fine-grained network access control device, the device comprising: a processor; and a memory having executable code stored thereon that, when executed, causes the processor to perform a fine-grained network access control method as in any of the above.
In a fourth aspect, the present application provides a non-volatile computer storage medium having stored thereon computer instructions which, when executed, implement a fine-grained network access control method as in any of the above.
As can be appreciated by those skilled in the art, the present application has at least the following beneficial effects:
the method can carry out fine-grained access control on the Internet surfing of the terminal equipment, can control whether specific network equipment can surf the Internet or not, can finely control whether specific application (application client) in the network equipment can surf the Internet or not, can carry out subdivision control on the Internet surfing of the network equipment based on the network application name and the application category, can finely control the application client on a white list to access the network, or can prohibit the application client on the black list from not allowing access to the network, and can timely find out that the network application which is not legal and legal is accessed to a preset controlled network segment.
In addition, the application characteristics (application name, application category and HTTP/HTTPS internet surfing request) corresponding to the network message can be deeply identified through a keyword identification technology.
The invention can effectively access control on the network of the company network or the campus network terminal equipment, prohibit the non-compliant application from surfing the network, for example prohibit students from playing games by using the campus machine room network, prohibit the enterprise staff from using the network application irrelevant to the work, promote the work efficiency, and the like.
Drawings
Some embodiments of the present disclosure are described below with reference to the accompanying drawings, in which:
fig. 1 is a flowchart of a fine-grained network access control method provided in an embodiment of the application.
Fig. 2 is a schematic diagram of an internal structure of a fine-grained network access control system according to an embodiment of the application.
Fig. 3 is a schematic internal structure of a fine-grained network access control device according to an embodiment of the application.
Detailed Description
It should be understood by those skilled in the art that the embodiments described below are only preferred embodiments of the present disclosure, and do not represent that the present disclosure can be realized only by the preferred embodiments, which are merely for explaining the technical principles of the present disclosure, not for limiting the scope of the present disclosure. Based on the preferred embodiments provided by the present disclosure, all other embodiments that may be obtained by one of ordinary skill in the art without inventive effort shall still fall within the scope of the present disclosure.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises an element.
The following describes in detail the technical solution proposed in the embodiments of the present application through the accompanying drawings.
The embodiment of the application provides a fine-grained network access control method, as shown in fig. 1, which mainly comprises the following steps:
step 110, obtaining a network message initiated by network access of a network terminal; and extracting basic network information in the network message.
It should be noted that, the basic network information at least includes: MAC address and IP address.
The method for obtaining the network message is an existing method, and the application is not limited to this. The method for extracting the basic network information in the network message can be as follows: through any feasible keyword feature extraction algorithm.
And 120, obtaining an application name, an application category and an HTTP/HTTPS internet surfing request corresponding to the network message.
As an example, this step may be specifically: extracting keyword features corresponding to the network request message; matching the application names or application categories corresponding to the keyword features in the application feature library; the application feature library is provided with a plurality of feature data corresponding to application names and application categories in advance; and identifying and extracting the HTTP/HTTPS internet surfing request from the network request message. It should be noted that, the method for extracting the keyword features corresponding to the network request message may be implemented by any feasible keyword feature extraction algorithm. The specific content in the application feature library can be determined by one skilled in the art according to the actual situation. The specific method for identifying and extracting HTTP/HTTPs internet surfing requests may be implemented by the prior art, which is not limited in this application.
130, acquiring a control strategy issued by access management equipment; the control strategy at least comprises a preset controlled network segment, an application blacklist and an application whitelist; determining a network access mode corresponding to a network terminal according to the HTTP/HTTPS network access request; when the network access mode is an application client and the basic network information meets a preset controlled network segment, acquiring a black-and-white list mode corresponding to the current network terminal; when the blacklist mode is adopted, and the application name and the application category are not on the application blacklist, determining to allow network access; and when the white list mode is adopted, and the application name and the application category exist on the application white list, determining that the network access is allowed.
It should be noted that, according to the HTTP/HTTPs internet surfing request, a specific scheme for determining the network access mode corresponding to the network terminal is the prior art, which is not limited in this application. The preset controlled network segment is data set by a person skilled in the art to limit the range of the MAC address and the IP address, and the person skilled in the art can adjust the preset controlled network segment according to the actual requirement. In addition, the specific content corresponding to the application blacklist and the application whitelist can be adjusted by those skilled in the art according to actual requirements.
In addition, the network access mode of the application further comprises the following steps: browse web pages and HTTPS request ports.
The web access permission of the web page browsing may specifically be: when the network access mode corresponding to the network terminal is web page browsing, pushing an HTTP authentication page to the network terminal to acquire user authentication information and basic network information corresponding to the network terminal; and determining to allow access to the network when the user authentication information meets the preset user authentication condition and the basic network information meets the preset controlled network segment.
The allowing access to the HTTPS request port may specifically be: when the network access mode corresponding to the network terminal is an HTTPS request port, entering a preset HTTPS redirection processing interface to obtain user authentication information and basic network information corresponding to the network terminal; and determining to allow access to the network when the user authentication information meets the preset user authentication condition and the basic network information meets the preset controlled network segment.
It should be noted that the preset user authentication condition may be specifically an existing mobile phone number authentication method.
In addition, the method and the device can block and alarm when the network access condition is not met.
As an example, when in the blacklist mode and an application name or application category exists on the application blacklist, the network message is discarded, and a TCP Reset blocking packet is sent to the network terminal and an alarm is triggered.
As an example two, in the white list mode, when the application name or the application category does not exist on the application white list, the network message is discarded, and a TCP Reset blocking packet is sent to the network terminal and an alarm is triggered.
In addition, the method and the device can also automatically adjust specific contents corresponding to the preset controlled network segment, the application blacklist and the application whitelist. The specific method comprises the following steps: and setting specific contents corresponding to the preset controlled network segment, the application blacklist and the application whitelist through a preset editing interface of the access management equipment so as to obtain a control strategy, thereby completing adjustment. It should be noted that, the access management device may be any feasible system, device or apparatus capable of acquiring a control policy and performing transmission of the control policy.
And 140, after determining that network access is allowed, sending the network message to a server, and sending a server response message to a terminal corresponding to the basic network information.
In addition, fig. 2 is a schematic diagram of a fine-grained network access control system according to an embodiment of the disclosure. As shown in fig. 2, the system provided in the embodiment of the present application mainly includes:
a receiving module 210, configured to obtain a network message initiated by network access of a network terminal; and extracting basic network information in the network message.
It should be noted that, the receiving module 210 may be any feasible device or apparatus capable of performing network message acquisition and basic network information extraction. Wherein the basic network information at least comprises: a MAC address and an IP address; the network message and the underlying network information are sent to the application identification module 220.
The application identification module 220 is configured to obtain an application name, an application category, and an HTTP/HTTPs internet surfing request corresponding to the network message.
It should be noted that, the application identification module 220 may be any feasible device or apparatus capable of obtaining an application name, an application category, and an HTTP/HTTPs internet surfing request corresponding to the network packet.
As an example, keyword features corresponding to the network request message are extracted by the feature extraction unit 221 in the application identification module 220; matching the corresponding application names or application categories of the keyword features in the application feature library 223 through the application matching engine 222 in the application recognition module 220; wherein, the application feature library 223 is preset with a plurality of application names and feature data corresponding to application categories; the HTTP/HTTPs internet surfing request is identified and extracted from the network request message by an identification extraction unit 224 in the application identification module 220.
An access control module 230, configured to obtain a control policy issued by the access management module 250; the control strategy at least comprises a preset controlled network segment, an application blacklist and an application whitelist; determining a network access mode corresponding to a network terminal according to the HTTP/HTTPS network access request; when the network access mode is an application client and the basic network information meets a preset controlled network segment, acquiring a black-and-white list mode corresponding to the current network terminal; when the mode is a blacklist mode and the application name and the application category do not exist on a blacklist corresponding to the network terminal, determining to allow network access; and when the white list mode is adopted, and the application name and the application category are both on the white list corresponding to the network terminal, determining to allow network access.
It should be noted that, the access control module 230 may be any feasible device or apparatus capable of determining whether to access the network.
In addition, the access management module 250 is connected to the access control module 230, and is configured to set specific contents corresponding to the preset controlled network segment, the application blacklist and the application whitelist, so as to obtain a control policy, and issue the control policy to the access control module 230.
And the sending module 240 is configured to send the network packet to the terminal corresponding to the basic network information after determining that the network access is allowed.
It should be noted that, the sending module 240 may be any feasible device or apparatus capable of sending a network packet.
The foregoing is a method embodiment in the present application, and based on the same inventive concept, the embodiment of the present application further provides a fine-grained network access control device. As shown in fig. 3, the apparatus includes: a processor; and a memory having executable code stored thereon that, when executed, causes the processor to perform a fine-grained network access control method as in the above embodiments.
Specifically, a server side acquires a network message initiated by network access of a network terminal; extracting basic network information in a network message; wherein the basic network information at least comprises: a MAC address and an IP address; obtaining an application name, an application category and an HTTP/HTTPS internet surfing request corresponding to a network message; acquiring a control strategy issued by access management equipment; the control strategy at least comprises a preset controlled network segment, an application blacklist and an application whitelist; determining a network access mode corresponding to a network terminal according to the HTTP/HTTPS network access request; when the network access mode is an application client and the basic network information meets a preset controlled network segment, acquiring a black-and-white list mode corresponding to the current network terminal; when the blacklist mode is adopted, and the application name and the application category are not on the application blacklist, determining to allow network access; when the white list mode is adopted, and the application name and the application category exist on the application white list, determining to allow network access; after the network access permission is determined, the network message is sent to the server, and the server response message is sent to the terminal corresponding to the basic network information.
In addition, the embodiment of the application also provides a nonvolatile computer storage medium, on which executable instructions are stored, and when the executable instructions are executed, the fine-grained network access control method is realized.
Thus far, the technical solution of the present disclosure has been described in connection with the foregoing embodiments, but it is easily understood by those skilled in the art that the protective scope of the present disclosure is not limited to only these specific embodiments. The technical solutions in the above embodiments may be split and combined by those skilled in the art without departing from the technical principles of the present disclosure, and equivalent modifications or substitutions may be made to related technical features, which all fall within the scope of the present disclosure.
Claims (10)
1. A fine-grained network access control method, the method comprising:
acquiring a network message initiated by network access of a network terminal; extracting basic network information in a network message; wherein the basic network information at least comprises: a MAC address and an IP address;
obtaining an application name, an application category and an HTTP/HTTPS internet surfing request corresponding to a network message;
acquiring a control strategy issued by access management equipment; the control strategy at least comprises a preset controlled network segment, an application blacklist and an application whitelist; determining a network access mode corresponding to a network terminal according to the HTTP/HTTPS network access request; when the network access mode is an application client and the basic network information meets a preset controlled network segment, acquiring a black-and-white list mode corresponding to the current network terminal; when the blacklist mode is adopted, and the application name and the application category are not on the application blacklist, determining to allow network access; when the white list mode is adopted, and the application name and the application category exist on the application white list, determining to allow network access;
after the network access permission is determined, the network message is sent to the server, and the server response message is sent to the terminal corresponding to the basic network information.
2. The fine-grained network access control method according to claim 1, wherein obtaining an application name, an application category and an HTTP/HTTPs internet surfing request corresponding to the network message specifically comprises:
extracting keyword features corresponding to the network request message; matching the application names or application categories corresponding to the keyword features in the application feature library; the application feature library is provided with a plurality of feature data corresponding to application names and application categories in advance; and identifying and extracting the HTTP/HTTPS internet surfing request from the network request message.
3. The fine-grained network access control method according to claim 1, characterized in that after determining the network access mode corresponding to the network terminal according to the HTTP/HTTPs internet surfing request, the method further comprises:
when the network access mode corresponding to the network terminal is web page browsing, pushing an HTTP authentication page to the network terminal to acquire user authentication information and basic network information corresponding to the network terminal; determining to allow access to the network when the user authentication information meets a preset user authentication condition and the basic network information meets a preset controlled network segment;
when the network access mode corresponding to the network terminal is an HTTPS request port, entering a preset HTTPS redirection processing interface to obtain user authentication information and basic network information corresponding to the network terminal; and determining to allow access to the network when the user authentication information meets the preset user authentication condition and the basic network information meets the preset controlled network segment.
4. The fine-grained network access control method of claim 1, further comprising:
when the network terminal is in a blacklist mode and the application name or the application category exists on the application blacklist, discarding the network message, and sending a TCP Reset blocking packet and triggering an alarm to the network terminal;
when the network terminal is in the white list mode and the application name or the application category does not exist on the application white list, the network message is discarded, and a TCP Reset blocking packet is sent to the network terminal and an alarm is triggered.
5. The fine-grained network access control method of claim 1, further comprising:
and setting specific contents corresponding to the preset controlled network segment, the application blacklist and the application whitelist through a preset editing interface of the access management equipment so as to obtain a control strategy.
6. A fine-grained network access control system, the system comprising:
the receiving module is used for acquiring a network message initiated by network access of the network terminal; extracting basic network information in a network message; wherein the basic network information at least comprises: a MAC address and an IP address; the network message and the basic network information are sent to an application identification module;
the application identification module is used for obtaining an application name, an application category and an HTTP/HTTPS internet surfing request corresponding to the network message;
the access control module is used for acquiring the control strategy issued by the access management module; the control strategy at least comprises a preset controlled network segment, an application blacklist and an application whitelist; determining a network access mode corresponding to a network terminal according to the HTTP/HTTPS network access request; when the network access mode is an application client and the basic network information meets a preset controlled network segment, acquiring a black-and-white list mode corresponding to the current network terminal; when the mode is a blacklist mode and the application name and the application category do not exist on a blacklist corresponding to the network terminal, determining to allow network access; when the white list mode is adopted, and the application name and the application category are both on the white list corresponding to the network terminal, determining to allow network access;
and the sending module is used for sending the network message to the server after determining that the network access is allowed, and sending the server response message to the terminal corresponding to the basic network information.
7. The fine-grained network access control system of claim 6, wherein the application identification module comprises a feature extraction unit, an application matching engine, an application feature library, and an identification extraction unit;
the feature extraction unit is used for extracting keyword features corresponding to the network request message;
the application matching engine is used for matching the application names or application categories corresponding to the keyword features in the application feature library; the application feature library is provided with a plurality of feature data corresponding to application names and application categories in advance;
and the identification and extraction unit is used for identifying and extracting the HTTP/HTTPS internet surfing request from the network request message.
8. The fine-grained network access control system of claim 6, wherein the access management module is coupled to the access control module,
the method comprises the steps of setting specific contents corresponding to a preset controlled network segment, an application blacklist and an application whitelist to obtain a control strategy, and issuing the control strategy to an access control module.
9. A fine-grained network access control device, the device comprising:
a processor;
and a memory having executable code stored thereon that, when executed, causes the processor to perform a fine-grained network access control method according to any of claims 1-5.
10. A non-transitory computer storage medium having stored thereon computer instructions which, when executed, implement a fine-grained network access control method according to any of claims 1-5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311608399.7A CN117336101B (en) | 2023-11-29 | 2023-11-29 | Fine-grained network access control method, system, equipment and medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311608399.7A CN117336101B (en) | 2023-11-29 | 2023-11-29 | Fine-grained network access control method, system, equipment and medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN117336101A CN117336101A (en) | 2024-01-02 |
| CN117336101B true CN117336101B (en) | 2024-02-23 |
Family
ID=89293766
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311608399.7A Active CN117336101B (en) | 2023-11-29 | 2023-11-29 | Fine-grained network access control method, system, equipment and medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117336101B (en) |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101616076A (en) * | 2009-07-28 | 2009-12-30 | 武汉理工大学 | A kind of fine-granularity network access control method based on user connection information |
| CN103034799A (en) * | 2012-12-14 | 2013-04-10 | 南京中孚信息技术有限公司 | Kernel level desktop access control method |
| CN104796261A (en) * | 2015-04-16 | 2015-07-22 | 长安大学 | Secure access control system and method for network terminal nodes |
| CN107465650A (en) * | 2016-06-06 | 2017-12-12 | 阿里巴巴集团控股有限公司 | A kind of access control method and device |
| CN108390874A (en) * | 2018-02-12 | 2018-08-10 | 北京工业大学 | Access control model and access method based on certificate in network structure |
| CN109462589A (en) * | 2018-11-13 | 2019-03-12 | 北京天融信网络安全技术有限公司 | The method, device and equipment of application program NS software |
| CN111092869A (en) * | 2019-12-10 | 2020-05-01 | 中盈优创资讯科技有限公司 | Security management and control method for terminal access to office network and authentication server |
| CN111711631A (en) * | 2020-06-17 | 2020-09-25 | 北京字节跳动网络技术有限公司 | Network access control method, device, equipment and storage medium |
| CN111885031A (en) * | 2020-07-13 | 2020-11-03 | 董鹏 | Fine-grained access control method and system based on session process |
| CN113472758A (en) * | 2021-06-21 | 2021-10-01 | 北京沃东天骏信息技术有限公司 | Access control method, device, terminal, connector and storage medium |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7739724B2 (en) * | 2005-06-30 | 2010-06-15 | Intel Corporation | Techniques for authenticated posture reporting and associated enforcement of network access |
| US8151323B2 (en) * | 2006-04-12 | 2012-04-03 | Citrix Systems, Inc. | Systems and methods for providing levels of access and action control via an SSL VPN appliance |
-
2023
- 2023-11-29 CN CN202311608399.7A patent/CN117336101B/en active Active
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101616076A (en) * | 2009-07-28 | 2009-12-30 | 武汉理工大学 | A kind of fine-granularity network access control method based on user connection information |
| CN103034799A (en) * | 2012-12-14 | 2013-04-10 | 南京中孚信息技术有限公司 | Kernel level desktop access control method |
| CN104796261A (en) * | 2015-04-16 | 2015-07-22 | 长安大学 | Secure access control system and method for network terminal nodes |
| CN107465650A (en) * | 2016-06-06 | 2017-12-12 | 阿里巴巴集团控股有限公司 | A kind of access control method and device |
| CN108390874A (en) * | 2018-02-12 | 2018-08-10 | 北京工业大学 | Access control model and access method based on certificate in network structure |
| CN109462589A (en) * | 2018-11-13 | 2019-03-12 | 北京天融信网络安全技术有限公司 | The method, device and equipment of application program NS software |
| CN111092869A (en) * | 2019-12-10 | 2020-05-01 | 中盈优创资讯科技有限公司 | Security management and control method for terminal access to office network and authentication server |
| CN111711631A (en) * | 2020-06-17 | 2020-09-25 | 北京字节跳动网络技术有限公司 | Network access control method, device, equipment and storage medium |
| CN111885031A (en) * | 2020-07-13 | 2020-11-03 | 董鹏 | Fine-grained access control method and system based on session process |
| CN113472758A (en) * | 2021-06-21 | 2021-10-01 | 北京沃东天骏信息技术有限公司 | Access control method, device, terminal, connector and storage medium |
Non-Patent Citations (4)
| Title |
|---|
| "MAC-AODV Based Mutual Authentication Scheme for Constraint Oriented Networks";Muhammad Adil;《IEEE Access》;全文 * |
| 可信网络接入系统及其相关技术研究;王军武;李新友;;信息网络安全(第03期);全文 * |
| 王静怡." mHealth中细粒度策略隐藏和可追踪去中心访问控制方案".《计算机研究与发展》.2023,全文. * |
| 面向OPC UA/TSN架构的工业控制网络安全防护研究;卜天宇;严锦立;黄金锋;孙志刚;;网络空间安全(第10期);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN117336101A (en) | 2024-01-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7562385B2 (en) | Systems and methods for dynamic authentication using physical keys | |
| US8918901B2 (en) | System and method for restricting access to requested data based on user location | |
| US9154459B2 (en) | Access control manager | |
| US8990573B2 (en) | System and method for using variable security tag location in network communications | |
| US20090172786A1 (en) | Encryption Sentinel System and Method | |
| US20080072304A1 (en) | Obscuring authentication data of remote user | |
| CN110134700B (en) | Data uplink method, device, computer equipment and storage medium | |
| CN107872445B (en) | Access authentication method, device and authentication system | |
| US9489529B2 (en) | Data security system | |
| CN112165536B (en) | Network terminal authentication method and device | |
| CN107426182B (en) | Access control method and system for storage management system | |
| CN110611682A (en) | Network access system, network access method and related equipment | |
| WO2018126616A1 (en) | Sharing method, apparatus and system | |
| JP2004062417A (en) | Certification server device, server device and gateway device | |
| US11818132B2 (en) | Authorized access list generation method and information security system using same | |
| CN112804222B (en) | Data transmission method, device, equipment and storage medium based on cloud deployment | |
| CN117336101B (en) | Fine-grained network access control method, system, equipment and medium | |
| CN108076500B (en) | Method and device for managing local area network and computer readable storage medium | |
| US20150067784A1 (en) | Computer network security management system and method | |
| US11258793B2 (en) | Managing system and managing method for managing authentication for cloud service system | |
| JP7127885B2 (en) | WIRELESS COMMUNICATION DEVICE AND UNAUTHORIZED ACCESS PREVENTION METHOD | |
| CN114172721B (en) | Malicious data protection method and device, electronic equipment and storage medium | |
| US20100095338A1 (en) | Cable modem and method for updating digital certificates of the cable modem | |
| JP5743822B2 (en) | Information leakage prevention device and restriction information generation device | |
| US10027668B2 (en) | Information protecting apparatus |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |