CN117811754A - Data access method, device, storage medium and equipment - Google Patents


Info

Publication number
CN117811754A
Authority
CN
China
Prior art keywords
terminal device
terminal equipment
ticket
remote access
access
Legal status
Pending
Application number
CN202211174424.0A
Other languages
Chinese (zh)
Inventor
吴岳廷
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd

Abstract

The embodiment of the application discloses a data access method, a data access device, a storage medium and data access equipment, which are suitable for the field of cloud technology security. The method comprises the following steps: if the remote access connection between the first terminal equipment and the second terminal equipment is required to be established, verifying the access legitimacy of the first terminal equipment according to the first remote access ticket, and verifying the access legitimacy of the second terminal equipment according to the second remote access ticket; if the first terminal equipment has access legitimacy and the second terminal equipment has access legitimacy, establishing remote access connection; in the process that the first terminal equipment and the second terminal equipment exchange service data through remote access connection, detecting the security of the remote access connection to obtain a security detection result; and if the security detection result indicates that the remote access connection does not have security, interrupting the remote access connection between the first terminal equipment and the second terminal equipment. By the method and the device, the access security can be improved.

Description

Data access method, device, storage medium and equipment
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a data access method, apparatus, storage medium, and device.
Background
Traditional network security is based on a physical boundary defense mode built around a firewall. The premise of this defense mode is that all office equipment and data resources of an enterprise are in an intranet, and that the intranet is completely trusted, namely, a user can access the data resources in the enterprise through the intranet and the office equipment of the enterprise. In practice, it is found that this defense method depends heavily on boundary division by network location (such as an enterprise intranet and an enterprise extranet); when the boundary is broken, the data resources in the enterprise cannot be effectively isolated and protected, so the security of data access is lower. For example, an illegal person may illegally invade a user (for example, user 1) in the intranet; once the invasion succeeds, the illegal person can easily impersonate user 1 and illegally acquire the service data information that user 1 can access in the intranet enterprise, which easily leads to the disclosure of the enterprise's private data, thereby increasing the security risk of data disclosure and further lowering the security of data access.
Disclosure of Invention
The technical problem to be solved by the embodiments of the present application is to provide a data access method, apparatus, storage medium and device, which can improve the security of data access.
An aspect of an embodiment of the present application provides a data access method, including:
if the remote access connection between the first terminal equipment and the second terminal equipment is required to be established, verifying the access legitimacy of the first terminal equipment for the second terminal equipment according to a first remote access ticket of the first terminal equipment to obtain a first verification result, and verifying the access legitimacy of the second terminal equipment for the first terminal equipment according to a second remote access ticket of the second terminal equipment to obtain a second verification result;
if the first verification result indicates that the first terminal equipment has access legitimacy aiming at the second terminal equipment, and the second verification result indicates that the second terminal equipment has access legitimacy aiming at the first terminal equipment, establishing remote access connection between the first terminal equipment and the second terminal equipment;
in the process that the first terminal equipment and the second terminal equipment exchange service data through remote access connection, detecting the security of the remote access connection to obtain a security detection result;
and if the security detection result indicates that the remote access connection does not have security, interrupting the remote access connection between the first terminal equipment and the second terminal equipment.
An aspect of an embodiment of the present application provides a data access device, including:
the verification module is used for verifying the access legitimacy of the first terminal equipment for the second terminal equipment according to the first remote access ticket of the first terminal equipment if the remote access connection between the first terminal equipment and the second terminal equipment is required to be established, obtaining a first verification result, and verifying the access legitimacy of the second terminal equipment for the first terminal equipment according to the second remote access ticket of the second terminal equipment, obtaining a second verification result;
the first establishing module is used for establishing remote access connection between the first terminal equipment and the second terminal equipment if the first verification result indicates that the first terminal equipment has access legitimacy aiming at the second terminal equipment and the second verification result indicates that the second terminal equipment has access legitimacy aiming at the first terminal equipment;
the security detection module is used for detecting the security of the remote access connection in the process that the first terminal equipment and the second terminal equipment exchange service data through the remote access connection, to obtain a security detection result;
and the interruption module is used for interrupting the remote access connection between the first terminal equipment and the second terminal equipment if the security detection result indicates that the remote access connection has no security.
In one aspect, a computer device is provided, including: a processor and a memory;
the processor is connected to the memory, wherein the memory is configured to store a computer program, and when the computer program is executed by the processor, the computer device is caused to execute the method provided in the embodiment of the application.
In one aspect, the present application provides a computer readable storage medium storing a computer program adapted to be loaded and executed by a processor, so that a computer device having the processor performs the method provided in the embodiments of the present application.
In one aspect, the present application provides a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the method provided in the embodiments of the present application.
In the embodiment of the present application, when a remote access connection between a first terminal device and a second terminal device needs to be established, that is, after the objects corresponding to the first terminal device and the second terminal device have both logged in to the remote access client and before service data is exchanged between the two devices, the access legitimacy of the first terminal device for the second terminal device is verified through the first remote access ticket of the first terminal device, and the access legitimacy of the second terminal device for the first terminal device is verified through the second remote access ticket of the second terminal device. Therefore, whenever a remote access connection needs to be established between terminal devices, access legitimacy verification is carried out, so that boundary division is no longer relied upon and the access security is improved. Further, the remote access connection between the first terminal device and the second terminal device is established only when the first terminal device has access legitimacy for the second terminal device and the second terminal device has access legitimacy for the first terminal device, so that the probability of a terminal device being utilized by illegal software can be reduced, and the access security is further improved.
Meanwhile, while the first terminal device and the second terminal device exchange service data through the remote access connection, a secondary security detection is carried out on the remote access connection; if the remote access connection does not have security, the remote access connection between the first terminal device and the second terminal device is interrupted. This avoids the situation in which a terminal device is invaded and used by illegal software during the remote access connection. Because security verification is carried out both before and after the establishment of the remote access connection, the security of access can be further improved through multi-point security guarantees, and the reliability and usability of access are obviously enhanced.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a data access system according to an embodiment of the present disclosure;
fig. 2 is a schematic diagram of an application scenario of data access provided in an embodiment of the present application;
fig. 3 is a schematic flow chart of a data access method according to an embodiment of the present application;
FIG. 4 is a schematic diagram of configuring access rights of a login object according to an embodiment of the present application;
FIG. 5 is a schematic diagram of configuring access rights of a login object according to an embodiment of the present application;
fig. 6 is a schematic diagram of a list of rights terminal devices with login objects having access rights provided in an embodiment of the present application;
FIG. 7 is a schematic diagram of a remote access connection provided by an embodiment of the present application;
fig. 8 is a schematic flow chart of a data access method according to an embodiment of the present application;
FIG. 9 is a schematic diagram of detecting a remote access connection provided by an embodiment of the present application;
fig. 10 is a schematic structural diagram of a data access device according to an embodiment of the present application;
fig. 11 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The present application mainly relates to cloud security application scenarios in cloud technology. In particular, cloud technology is used to perform security verification both before and after the establishment of the remote access connection, so that terminal devices are prevented from being invaded and utilized by illegal software during the remote access connection; the security of access can be further improved through multi-point security guarantees, and the reliability and availability of access are obviously enhanced.
Cloud technology refers to a hosting technology that integrates hardware, software, network and other resources in a wide area network or a local area network to realize the calculation, storage, processing and sharing of data. Cloud technology is a general term for the network technology, information technology, integration technology, management platform technology, application technology and the like applied under the cloud computing business model; these can form a resource pool that is used flexibly and conveniently as required. Cloud computing technology will become an important support. Background services of technical networking systems, such as video websites, picture websites and other portals, require a large amount of computing and storage resources. With the rapid development and application of the internet industry, every article may have its own identification mark in the future, which needs to be transmitted to a background system for logic processing; data of different levels will be processed separately, and data from all kinds of industries needs strong back-end system support, which can only be realized through cloud computing. Cloud technology is widely applied in fields such as cloud storage, cloud computing and cloud security.
Cloud security refers to the general term for security software, hardware, users, institutions and security cloud platforms applied under the cloud computing business model. Cloud security fuses emerging technologies and concepts such as parallel processing, grid computing and judgment of unknown virus behavior; it acquires the latest information on Trojan horses and illegal programs on the Internet through anomaly detection of software behavior by a large number of network clients, sends that information to a server for automatic analysis and processing, and distributes solutions for viruses and Trojan horses to each client.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a data access system in an embodiment of the present application, where the data access system shown in fig. 1 includes a terminal device cluster, and the terminal device cluster may include one or at least two terminal devices, and the number of the terminal devices will not be limited herein. As shown in fig. 1, the terminal device cluster may include terminal devices 100a, 100b, 100c, …, 100n.
Alternatively, the terminal devices 100a, 100b, 100c, …, 100n may communicate through a connection with a server. As shown in fig. 1, the data access system further includes a server 10, and each terminal device establishes a communication connection with the server 10; when data access is required between two terminal devices, one terminal device (e.g., the transmitting terminal device) transmits data to the server 10, and the server 10 forwards the data to the other terminal device (e.g., the receiving terminal device). That is, the server 10 may serve as an intermediate device through which the terminal devices communicate. The server 10 may specifically be a background server that processes data for the terminal devices. The server 10 may be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, big data and artificial intelligence platforms.
Each terminal device in the terminal device cluster may be an intelligent terminal device with a data access function, including a vehicle-mounted terminal device, a smart phone, a tablet computer, a notebook computer, a desktop computer, a wearable device, a smart home device, a head-mounted device and the like. It should be appreciated that each terminal device in the cluster shown in fig. 1 may be provided with a target application which, when running on the respective terminal device, may interact with the server 10 shown in fig. 1 as described above. The target application here may be any application capable of remote access, such as an applet, web page or application program for remote access.
For ease of understanding, please further refer to fig. 2, which is a schematic diagram of an application scenario of data access provided in an embodiment of the present application. The server 20c shown in fig. 2 may be the above-mentioned server 10, the first terminal device 20a shown in fig. 2 may be any terminal device in the terminal device cluster shown in fig. 1, and the second terminal device 20b shown in fig. 2 may be any terminal device in the cluster shown in fig. 1 other than the first terminal device 20a. As shown in fig. 2, when the first terminal device 20a needs to access the second terminal device 20b, step S1 may be performed to send a first remote connection request of the first terminal device 20a for the second terminal device 20b to the server 20c. The first remote connection request may be a push data request, in which the first terminal device 20a needs to push data to the second terminal device 20b, or a pull data request, in which the first terminal device 20a pulls data from the second terminal device 20b. The first remote connection request may carry a first remote access ticket of the first terminal device 20a. The server 20c issues remote access tickets to the terminal devices; the remote access ticket that each terminal device receives from the server 20c reflects the access authority information of that terminal device, so a terminal device needs to carry its remote access ticket whenever it needs to remotely access another terminal device.
Further, after receiving the first remote connection request sent by the first terminal device 20a, the server 20c may execute step S3 and verify, according to the first remote access ticket carried in the first remote connection request, the access legitimacy of the first terminal device for the second terminal device, to obtain a first verification result. It will be appreciated that the server 20c may issue the remote access ticket of the first terminal device 20a to the first terminal device 20a in advance, and that this ticket identifies the access right information of the first terminal device 20a. Of course, if the first remote connection request does not carry the first remote access ticket, it may be directly determined that the first terminal device 20a does not have access legitimacy with respect to the second terminal device 20b. When verifying the access legitimacy of the first terminal device 20a, the server 20c may verify the access legitimacy of the first terminal device 20a for the second terminal device 20b according to the remote access ticket it issued to the first terminal device 20a and the first remote access ticket carried in the first remote connection request of the first terminal device 20a, so as to obtain the first verification result. When the server 20c passes the verification of the access legitimacy of the first terminal device 20a for the second terminal device 20b, a first verification result is generated indicating that the first terminal device 20a has access legitimacy for the second terminal device 20b.
Likewise, when the second terminal device 20b needs to access the first terminal device 20a, step S2 may be performed to send a second remote connection request of the second terminal device 20b for the first terminal device 20a to the server 20c; this may similarly be a pull data request, in which the second terminal device 20b needs to pull data from the first terminal device 20a, or a push data request, in which the second terminal device 20b needs to push data to the first terminal device 20a. The second remote connection request may carry a second remote access ticket of the second terminal device 20b. After receiving the second remote connection request sent by the second terminal device 20b, the server 20c may execute step S4 and verify, according to the second remote access ticket, the access legitimacy of the second terminal device 20b with respect to the first terminal device, to obtain a second verification result. Of course, if the second remote connection request of the second terminal device 20b does not carry the second remote access ticket of the second terminal device 20b, it may be determined that the second terminal device 20b does not have access legitimacy with respect to the first terminal device 20a. It can be understood that when verifying the access legitimacy of the second terminal device 20b, the server 20c may verify the access legitimacy of the second terminal device 20b for the first terminal device 20a according to the remote access ticket it issued to the second terminal device 20b and the second remote access ticket carried in the second remote connection request of the second terminal device 20b, so as to obtain the second verification result. When the server 20c passes the verification of the access legitimacy of the second terminal device 20b for the first terminal device 20a, a second verification result is generated indicating that the second terminal device 20b has access legitimacy for the first terminal device 20a.
Further, if the server 20c determines that the first terminal device 20a has access legitimacy for the second terminal device 20b and that the second terminal device 20b has access legitimacy for the first terminal device 20a, step S5 may be performed to establish a remote access connection between the first terminal device 20a and the second terminal device 20b. For example, the server 20c may receive remote access data pushed by the first terminal device 20a to the second terminal device 20b and send that data to the second terminal device 20b; alternatively, the server 20c may receive remote access data pushed by the second terminal device 20b to the first terminal device 20a and send that data to the first terminal device 20a. In this way, whenever remote access is required between terminal devices, the server 20c must verify their access legitimacy, and the remote access connection is established only when that verification passes, so data leakage caused by illegal software being utilized during data access between the terminal devices can be avoided, and the access security is improved.
Specifically, during service data interaction between the first terminal device 20a and the second terminal device 20b through the remote access connection, the server 20c may execute step S6 to detect the security of the remote access connection between the first terminal device 20a and the second terminal device 20b, obtaining a security detection result. Of course, the security of the remote access connection may also be detected by the first terminal device 20a, or by the second terminal device 20b, to obtain the security detection result. When the server 20c determines that the security detection result indicates that the remote access connection does not have security, step S7 may be performed to interrupt the remote access connection between the first terminal device 20a and the second terminal device 20b. In particular, interrupting the remote access connection may refer to the server interrupting the remote access between the first terminal device 20a and the second terminal device 20b.
For example, taking the first terminal device 20a as the push data terminal (i.e., the terminal device that pushes data) and the second terminal device 20b as the pull data terminal (i.e., the terminal device that pulls data), interrupting the remote access connection between them may include, but is not limited to, the following four modes. Mode one: the server 20c stops receiving the remote access data pushed by the first terminal device 20a to the second terminal device 20b. Mode two: the server 20c stops forwarding the remote access data pushed by the first terminal device 20a to the second terminal device 20b. Mode three: the server 20c sends a block push instruction to the first terminal device 20a, instructing it to stop pushing remote access data to the second terminal device 20b. Mode four: the server 20c sends a block pull instruction to the second terminal device 20b, instructing it to stop pulling remote access data from the first terminal device 20a. Therefore, whenever a terminal device performs access, the legitimacy of that access must be verified, and the remote access connection between the terminal devices is established only when the verification passes, without relying on boundary division, so the security of remote access is improved.
Meanwhile, during the remote access connection, security verification of the connection is also performed, so abnormal behavior in the remote access connection can be detected and an automatic intervention mechanism that interrupts the connection is realized. This reduces the probability of being utilized by illegal software during the remote access connection between terminal devices, improves access security through a multi-aspect security detection mechanism, and enhances the reliability and usability of remote access. At the same time, leakage of data resources can be avoided and their security improved, which brings convenience to remote office work and improves the flexibility of staff office work.
Referring to fig. 3, fig. 3 is a flowchart of a data access method according to an embodiment of the present application. The data access method may be performed by any terminal device in fig. 1, may be performed by the server 10 in fig. 1, or may be performed by any terminal device in fig. 1 and the server 10 in fig. 1 together, where the devices for performing the method may be collectively referred to as a computer device in this application. As shown in fig. 3, the data access method may include, but is not limited to, the following steps:
S101, if remote access connection between the first terminal equipment and the second terminal equipment is required to be established, verifying the access legitimacy of the first terminal equipment for the second terminal equipment according to a first remote access ticket of the first terminal equipment, obtaining a first verification result, and verifying the access legitimacy of the second terminal equipment for the first terminal equipment according to a second remote access ticket of the second terminal equipment, obtaining a second verification result.
Specifically, service data interaction can be performed between the first terminal device and the second terminal device through the server, for example, when the first terminal device needs to push remote access data to the second terminal device, the remote access data pushed by the first terminal device can be sent to the server, and when the second terminal device requests to pull the remote access data pushed by the first terminal device, the remote access data pushed by the first terminal device is sent to the second terminal device, so as to establish remote access connection (i.e., remote access session) between the first terminal device and the second terminal device. If the computer equipment determines that the remote access connection between the first terminal equipment and the second terminal equipment needs to be established, the computer equipment can acquire a first remote access ticket of the first terminal equipment and a second remote access ticket of the second terminal equipment. Wherein the computer device determining that a remote access connection between the first terminal device and the second terminal device needs to be established may comprise: the computer equipment receives a first remote connection request sent by the first terminal equipment and aiming at the second terminal equipment, or the computer equipment receives a second remote connection request sent by the second terminal equipment and aiming at the first terminal equipment. When the first terminal device needs to access the second terminal device, a first remote connection request generated by the first terminal device for the second terminal device may be sent to the server. The first terminal device needing to access the second terminal device may mean that the first terminal device needs to pull data of the second terminal device, or that the first terminal device needs to push data of the first terminal device to the second terminal device. 
Likewise, when the second terminal device needs to access the first terminal device, a second remote connection request generated by the second terminal device for the first terminal device may be sent to the server. The second terminal device needs to access the first terminal device may mean that the second terminal device needs to pull the data of the first terminal device, or that the second terminal device needs to push the data of the second terminal device to the first terminal device.
Specifically, when the computer device receives a first remote connection request sent by the first terminal device and directed at the second terminal device, it can detect whether the first remote connection request carries a remote access ticket. If the first remote connection request carries a remote access ticket, that ticket can be used as the first remote access ticket of the first terminal device.
Similarly, after the computer device receives the second remote connection request sent by the second terminal device, it can detect whether the second remote connection request carries a remote access ticket. If it does, that ticket can be used as the second remote access ticket of the second terminal device. The computer device then verifies the access legitimacy of the first terminal device for the second terminal device according to the first remote access ticket of the first terminal device to obtain a first verification result, and verifies the access legitimacy of the second terminal device for the first terminal device according to the second remote access ticket of the second terminal device to obtain a second verification result. Of course, if the first remote connection request of the first terminal device does not carry a remote access ticket, it may be directly determined that the first terminal device does not have access legitimacy for the second terminal device; if the second remote connection request of the second terminal device does not carry a remote access ticket, it may be directly determined that the second terminal device does not have access legitimacy for the first terminal device.
The computer device may issue a remote access ticket of the first terminal device to the first terminal device in advance, issue a remote access ticket of the second terminal device to the second terminal device, and instruct the first terminal device and the second terminal device to carry the corresponding remote access ticket when generating the corresponding remote access request. The remote access ticket type can be a data push ticket type or a data pull ticket type: a remote access ticket of the data push ticket type is used by a terminal device to push remote access data to the server, which then forwards it; a remote access ticket of the data pull ticket type is used by a terminal device to pull remote access data from the server.
Optionally, the first remote access ticket of the first terminal device may be a data push ticket reflecting that the first terminal device needs to push data to the second terminal device, and a specific way for the computer device to verify the access legitimacy of the first terminal device may include: acquiring a first remote connection request sent by the first terminal device and directed at the second terminal device, where the first remote connection request carries the data push ticket of the first terminal device; and if a check ticket matching the data push ticket exists in a first check ticket database, determining that the first terminal device has access legitimacy for the second terminal device and generating a first verification result that the first terminal device has access legitimacy for the second terminal device, where the first check ticket database comprises check tickets generated according to the device information of terminal devices with data push authority.
Specifically, when the first terminal device needs to push data to the second terminal device, it may generate a first remote connection request for the second terminal device and send it to the server, where the first remote connection request carries the data push ticket of the first terminal device. The server may obtain the first remote connection request sent by the first terminal device for the second terminal device, and obtain the data push ticket of the first terminal device from it. Further, the computer device may obtain a first check ticket database, which includes check tickets corresponding to M terminal devices, each generated according to the device information of a terminal device with data push authority, where M is a positive integer, for example 1, 2, 3, …. The computer device can detect whether a check ticket matching the data push ticket of the first terminal device exists in the first check ticket database; if so, the data push ticket of the first terminal device is valid, that is, it was generated according to a terminal device with data push authority.
It can be understood that, when the data push ticket of the first terminal device was generated according to a terminal device with data push permission, and the data push ticket reflects that the first terminal device needs to push data to the second terminal device, this indicates that the first terminal device has data push permission for the second terminal device, and the computer device can determine that the first terminal device has access legitimacy for the second terminal device. Further, the computer device may generate a first verification result that the first terminal device has access legitimacy for the second terminal device.
Specifically, if the computer device determines that no check ticket matching the data push ticket of the first terminal device exists in the first check ticket database, this indicates that the data push ticket of the first terminal device is not valid, that is, it was not generated according to a terminal device with data push authority, and may be counterfeit. If the computer device determines that the data push ticket of the first terminal device is not valid, it determines that the first terminal device does not have access legitimacy for the second terminal device, and generates a first verification result that the first terminal device does not have access legitimacy for the second terminal device. Thus, an illegal terminal device carrying a counterfeit remote access ticket can be prevented from accessing other terminal devices, access security can be improved, and leakage of terminal device data can be avoided. When the computer device determines that the first verification result indicates that the first terminal device does not have access legitimacy for the second terminal device, access-illegal indication information is returned to the first terminal device, which prompts that the first terminal device does not have access legitimacy for the second terminal device and cannot access it, for example cannot push data to it. It can be seen that when the first terminal device pushes remote access data to the second terminal device, the legitimacy of the first terminal device accessing the second terminal device needs to be verified, and only when the verification passes (i.e., when the computer device determines that the first terminal device has legitimacy to access the second terminal device) is the first terminal device allowed to access the second terminal device. Therefore, boundary division is no longer relied upon, and all accesses need to be verified, so that the security of remote access is improved.
Optionally, the specific manner in which the computer device determines whether a check ticket matching the data push ticket exists in the first check ticket database may include: determining the format matching degree between the ticket format of the data push ticket and the ticket format corresponding to the check tickets of the first check ticket database; if the format matching degree is greater than or equal to a format matching degree threshold, determining the content matching degree between the ticket content of the data push ticket and the ticket content of the check tickets of the first check ticket database; and if the first check ticket database contains a check ticket whose content matching degree is greater than or equal to a content matching degree threshold, determining that the first check ticket database contains a check ticket matching the data push ticket.
Specifically, the computer device may determine a format matching degree between the data push ticket of the first terminal device and the ticket format corresponding to the check tickets of the first check ticket database. The ticket formats of all check tickets in the first check ticket database can be the same. If the format matching degree is greater than or equal to the format matching degree threshold, the data push ticket of the first terminal device matches the ticket format corresponding to the check tickets in the first check ticket database. If the format matching degree is smaller than the format matching degree threshold, the data push ticket of the first terminal device does not match that ticket format, and it can be determined that no check ticket matching the data push ticket exists in the first check ticket database. For example, taking a format matching degree threshold of 100%, if the format matching degree equals 100%, it may be determined that the data push ticket of the first terminal device matches (i.e., is the same as) the ticket format corresponding to the check tickets in the first check ticket database; if the format matching degree is less than 100%, it can be determined that the data push ticket of the first terminal device does not match that ticket format.
Further, the computer device may determine a content matching degree between the ticket content of the data push ticket and the ticket content of the check tickets of the first check ticket database, where ticket content refers to the information recorded in the ticket. If the first check ticket database contains a check ticket whose content matching degree is greater than or equal to the content matching degree threshold, it is determined that the first check ticket database contains a check ticket matching the data push ticket; if it contains no check ticket whose content matching degree is greater than or equal to the threshold, it is determined that it contains no check ticket matching the data push ticket. For example, taking a content matching degree threshold of 100%, when the ticket format of the data push ticket of the first terminal device is the same as the ticket format corresponding to the check tickets in the first check ticket database, if a check ticket with a content matching degree equal to 100% exists in the first check ticket database, a check ticket matching (i.e., identical to) the data push ticket exists there; if no check ticket has a content matching degree equal to 100%, no check ticket matching the data push ticket exists there. It can be understood that the computer device verifies both the ticket format and the ticket content of the data push ticket of the first terminal device, and if both pass verification, it can be determined that the data push ticket of the first terminal device is valid.
When the data push ticket of the first terminal device is valid, it was generated according to the device information of a terminal device with data push authority; for example, it can be a remote access ticket issued to the first terminal device by the server. If the ticket format or the ticket content of the data push ticket of the first terminal device fails verification, it can be determined that the data push ticket is not valid, that is, it was not generated according to the device information of a terminal device with data push permission and is not a remote access ticket issued to the first terminal device by the server (for example, it is counterfeit).
Optionally, the specific manner in which the computer device determines the content matching degree between ticket contents may include: if the format matching degree is greater than the format matching degree threshold, querying the first check ticket database for a check ticket whose ticket validity period includes a target time, as the target check ticket, where the target time is the time at which the first remote connection request was received; parsing the ticket content of the data push ticket to obtain the object information of a first login object in the data push ticket, where the first login object is the object logged in to the first terminal device; parsing the ticket content of the target check ticket to obtain the object information of the authorized login object in the target check ticket; and determining the object information matching degree between the object information of the first login object and the object information of the authorized login object in the target check ticket, and taking that object information matching degree as the content matching degree between the ticket content of the data push ticket and the ticket content of the check tickets of the first check ticket database.
Specifically, the computer device may query the first check ticket database for a check ticket whose ticket validity period includes a target time, where the target time may refer to the time at which the computer device received the first remote connection request sent by the first terminal device, and use it as the target check ticket. In other words, the computer device may query the first check ticket database for unexpired check tickets as target check tickets. Further, the computer device may parse the ticket content of the data push ticket of the first terminal device to obtain the object information of the first login object recorded in the data push ticket, where the first login object may be the object logged in to the first terminal device. The computer device can parse the ticket content of the target check ticket to obtain the object information of the authorized login object recorded in it. The authorized login object may refer to the login object of the corresponding terminal device at the time the computer device generated that terminal device's check ticket. The computer device may determine an object information matching degree between the object information of the first login object and the object information of the authorized login object in the target check ticket, and use it as the content matching degree between the ticket content of the data push ticket and the ticket content of the check tickets of the first check ticket database. Specifically, if the object information matching degree between the object information of the first login object recorded in the data push ticket of the first terminal device and the object information of the authorized login object in the target check ticket is greater than or equal to the object matching degree threshold, it is determined that a check ticket matching the data push ticket of the first terminal device exists in the first check ticket database.
It can be understood that when the computer device verifies the ticket content of the data push ticket of the first terminal device, it verifies both whether the data push ticket has expired and whether the object information of the first login object recorded in the data push ticket matches. If the data push ticket of the first terminal device has not expired and a check ticket matching the object information of the first login object recorded in the data push ticket exists in the first check ticket database, it is determined that a check ticket matching the ticket content of the data push ticket of the first terminal device exists in the first check ticket database.
It will be appreciated that, after the computer device receives the first remote connection request of the first terminal device, the first remote access ticket of the first terminal device may be extracted from the first remote connection request. If the first remote access ticket is of the data push ticket type, the content the computer device verifies includes, but is not limited to, the following: first, whether the ticket format is compliant (i.e., matches the format of the check tickets); second, whether the first remote access ticket was issued by the server (if a check ticket matching it exists in the first check ticket database, it was issued by the server rather than generated by other means); third, whether the first remote access ticket is within its validity period (a ticket automatically becomes invalid once it exceeds its validity period); fourth, whether the ticket content of the first remote access ticket is compliant, that is, whether the object information of the login object and the device feature information recorded in the first remote access ticket match the device feature information and the object information of the login object of the first terminal device, and whether they match the device feature information and the object information of the authorized login object recorded in the check ticket in the first check ticket database. At the same time, a mapping relationship exists between the device feature information and the object information, so that the remote access ticket cannot be misused by other terminal devices or login objects, and access security can be improved.
In other words, the computer device checks whether the ticket information recorded in the first remote access ticket matches the device information of the first terminal device and whether it matches a check ticket in the first check ticket database, so that the remote access ticket cannot be misused by other terminal devices or login objects, and access security can be improved.
Optionally, the second remote access ticket of the second terminal device is a data pull ticket reflecting that the second terminal device needs to pull service data from the first terminal device, i.e., the second remote access ticket is of the data pull ticket type. The specific way for the computer device to verify the access legitimacy of the second terminal device may include: acquiring a second remote connection request sent by the second terminal device and directed at the first terminal device, where the second remote connection request carries the data pull ticket of the second terminal device; if a check ticket matching the data pull ticket exists in a second check ticket database, determining a ticket correspondence between the data pull ticket and the data push ticket, where the second check ticket database includes check tickets generated according to the device information of terminal devices with data pull authority; and if the ticket correspondence indicates that the data pull ticket and the data push ticket have a ticket binding relationship, determining that the second terminal device has access legitimacy for the first terminal device, and generating a second verification result that the second terminal device has access legitimacy for the first terminal device.
Specifically, when the second terminal device needs to pull remote access data from the first terminal device, it may generate a second remote connection request for the first terminal device and send it to the server, where the second remote connection request carries the second remote access ticket of the second terminal device. After the computer device obtains the second remote connection request sent by the second terminal device for the first terminal device, it can obtain the second remote access ticket of the second terminal device from it. Further, the computer device may obtain a second check ticket database, which includes check tickets corresponding to N terminal devices, each generated according to the device information of a terminal device with data pull authority, where N is a positive integer, for example 1, 2, 3, …. The computer device may detect whether a check ticket matching the data pull ticket of the second terminal device exists in the second check ticket database. If the computer device determines that such a check ticket exists, the data pull ticket of the second terminal device was generated according to a terminal device with data pull authority.
Further, the computer device may determine a ticket correspondence between the data pull ticket of the second terminal device and the data push ticket of the first terminal device, where the ticket correspondence may be either a ticket binding relationship or a ticket unbinding relationship. The ticket binding relationship indicates that the terminal device corresponding to the data pull ticket in the binding relationship can pull the data pushed by the terminal device corresponding to the data push ticket in the binding relationship. For example, if the data push ticket of terminal device a1 has a ticket binding relationship with the data pull ticket of terminal device a2, terminal device a1 may push data to terminal device a2, and terminal device a2 may pull data from terminal device a1. If the ticket correspondence indicates that the data pull ticket and the data push ticket have a ticket binding relationship, it is determined that the second terminal device has access legitimacy for the first terminal device, and a second verification result that the second terminal device has access legitimacy for the first terminal device is generated. When the data pull ticket of the second terminal device was generated according to a terminal device with data pull authority and reflects that the second terminal device needs to pull data from the first terminal device, the second terminal device has data pull authority for the first terminal device, and the data pull ticket of the second terminal device is valid.
Further, the computer device may additionally need to verify the ticket correspondence between the data push ticket of the first terminal device and the data pull ticket of the second terminal device, and determine according to that ticket correspondence whether the second terminal device accesses the first terminal device legitimately, that is, whether the second terminal device can pull the data of the first terminal device. If the ticket correspondence indicates that the data pull ticket and the data push ticket do not have a ticket binding relationship, it is determined that the second terminal device does not have access legitimacy for the first terminal device. In this way, the second terminal device can be prevented from pulling data that the first terminal device sent to other terminal devices, and the reliability and security of access can be improved.
Specifically, if the computer device determines that no check ticket matching the data pull ticket of the second terminal device exists in the second check ticket database, this indicates that the data pull ticket of the second terminal device is not valid, that is, it was not generated according to a terminal device with data pull authority, and may be counterfeit. If the computer device determines that the data pull ticket of the second terminal device is not valid, it determines that the second terminal device does not have access legitimacy for the first terminal device, and generates a second verification result that the second terminal device does not have access legitimacy for the first terminal device. Thus, an illegal terminal device carrying a counterfeit remote access ticket can be prevented from accessing other terminal devices, access security can be improved, and leakage of terminal device data can be avoided. When the computer device determines that the second verification result indicates that the second terminal device does not have access legitimacy for the first terminal device, access-illegal indication information is returned to the second terminal device, which prompts that the second terminal device does not have access legitimacy for the first terminal device and cannot access it, for example cannot pull data from it.
It can be seen that when the second terminal device requests to pull remote access data of the first terminal device from the server, the server needs to verify the data pull ticket of the second terminal device and the ticket correspondence between the data push ticket of the first terminal device and the data pull ticket of the second terminal device, and only when the verification passes (i.e., when the computer device determines that the second terminal device has legitimacy to access the first terminal device) is the second terminal device allowed to pull the corresponding data of the first terminal device. Therefore, boundary division is no longer relied upon, and all accesses need to be verified, so that the security of remote access is improved.
Optionally, the specific manner in which the computer device determines the ticket correspondence may include: if a check ticket matching the data pull ticket exists in the second check ticket database, acquiring the ticket identifier of the data pull ticket and the ticket identifier of the data push ticket; querying a correspondence table for ticket correspondence indication information between the data pull ticket and the data push ticket according to the ticket identifier of the data pull ticket and the ticket identifier of the data push ticket; and determining the ticket correspondence between the data pull ticket and the data push ticket according to the queried ticket correspondence indication information.
Specifically, if a check ticket matching the data pull ticket exists in the second check ticket database, the computer device can acquire the ticket identifier of the data push ticket of the first terminal device and the ticket identifier of the data pull ticket of the second terminal device, and query the correspondence table for ticket correspondence indication information between the data pull ticket and the data push ticket according to those two ticket identifiers. The ticket correspondence indication information may be information indicating the ticket correspondence; for example, "0" indicates that the ticket correspondence is a ticket unbinding relationship, and "1" indicates that it is a ticket binding relationship. The computer device can determine the ticket correspondence between the data pull ticket and the data push ticket according to the queried ticket correspondence indication information. Of course, the computer device may also obtain the specific content of the ticket correspondence through the queried ticket correspondence indication information, such as the correspondence between device feature information, the correspondence between the object information of the login objects, the correspondence between ticket identifiers, and the like.
For example, the login object User1 of terminal device A initiates remote access to terminal device B, whose login object is User2. Terminal device A (login object User1) and terminal device B (login object User2) establish a one-to-one remote access relationship, and the data pull ticket of terminal device A and the data push ticket of terminal device B likewise have a one-to-one ticket binding correspondence. Only when the computer device successfully checks the data pull ticket of terminal device A, a data push ticket corresponding to that data pull ticket exists, and the device feature information and login object information bound in the data pull ticket of terminal device A correspond to those bound in the data push ticket of terminal device B, is the data pull ticket of terminal device A approved, the access legitimacy of terminal device A for terminal device B determined, and terminal device A allowed to pull the data of terminal device B.
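As an added example (not the patent's own code), the following Python models both the push-ticket verification described earlier (format, issuance by the server, validity period, and device/login object content, with matching modelled as the text's 100% threshold, i.e. an identical check ticket) and the pull-ticket binding check just described (a correspondence table keyed by the two ticket identifiers, with "1" for bound and "0" for unbound). The ticket fields, the database layout and all sample tickets are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Field names, ticket layout and all sample tickets below are constructed
# assumptions for illustration, not the patent's format.
REQUIRED_FIELDS = ("ticket_id", "ticket_type", "device_id",
                   "login_object", "not_before", "not_after")


@dataclass(frozen=True)
class Ticket:
    """A remote access ticket binding a login object to device feature info."""
    ticket_id: str
    ticket_type: str       # "push" or "pull"
    device_id: str         # device feature information
    login_object: str      # object information of the login object
    not_before: datetime   # ticket validity period
    not_after: datetime


def format_matches(ticket) -> bool:
    """Format check: all required fields present and a known ticket type.
    Modelled as an exact match (the text's 100% threshold example)."""
    return (all(hasattr(ticket, f) for f in REQUIRED_FIELDS)
            and getattr(ticket, "ticket_type", None) in ("push", "pull"))


def verify_ticket(presented, check_db, requester_device, requester_object,
                  now, expected_type):
    """Run the four checks on a presented ticket. Returns (ok, reason)."""
    # 1. ticket format compliant and of the expected type
    if not format_matches(presented) or presented.ticket_type != expected_type:
        return False, "format mismatch"
    # 2. issued by the server: an identical check ticket exists in the
    #    database (content matching degree 100%); otherwise treat as counterfeit
    check = check_db.get(presented.ticket_id)
    if check is None or check != presented:
        return False, "not issued by server"
    # 3. within the validity period at the time the request was received
    if not (presented.not_before <= now <= presented.not_after):
        return False, "ticket expired"
    # 4. device feature info and login object recorded in the ticket match
    #    the requesting terminal, so a ticket presented from another device
    #    or by another login object is rejected
    if (presented.device_id, presented.login_object) != (requester_device, requester_object):
        return False, "content mismatch"
    return True, "ok"


def tickets_bound(pull, push, correspondence_table) -> bool:
    """Ticket correspondence lookup keyed by the two ticket identifiers;
    "1" means a binding relationship, "0" (or absent) means unbound."""
    return correspondence_table.get((pull.ticket_id, push.ticket_id), "0") == "1"


def authorize_session(push, push_dev, push_obj, pull, pull_dev, pull_obj,
                      push_db, pull_db, correspondence_table, now):
    """Decide whether a remote access connection may be established between
    the pushing (first) terminal and the pulling (second) terminal."""
    ok, reason = verify_ticket(push, push_db, push_dev, push_obj, now, "push")
    if not ok:
        return False, "first terminal: " + reason
    ok, reason = verify_ticket(pull, pull_db, pull_dev, pull_obj, now, "pull")
    if not ok:
        return False, "second terminal: " + reason
    # the pull ticket must be bound to this particular push ticket, so the
    # second terminal cannot pull data the first terminal sent to someone else
    if not tickets_bound(pull, push, correspondence_table):
        return False, "second terminal: no ticket binding to the push ticket"
    return True, "remote access connection may be established"


# Constructed sample data: A (User1) pushes, B (User2) pulls; C holds a
# valid pull ticket that is not bound to A's push ticket.
NOW = datetime(2024, 1, 1, 12, 0)
PUSH_A = Ticket("push-001", "push", "dev-A", "User1",
                NOW - timedelta(hours=1), NOW + timedelta(hours=1))
PULL_B = Ticket("pull-002", "pull", "dev-B", "User2",
                NOW - timedelta(hours=1), NOW + timedelta(hours=1))
PULL_C = Ticket("pull-003", "pull", "dev-C", "User3",
                NOW - timedelta(hours=1), NOW + timedelta(hours=1))
PUSH_DB = {PUSH_A.ticket_id: PUSH_A}        # first check ticket database
PULL_DB = {PULL_B.ticket_id: PULL_B,        # second check ticket database
           PULL_C.ticket_id: PULL_C}
CORRESPONDENCE = {("pull-002", "push-001"): "1"}   # correspondence table


if __name__ == "__main__":
    for label, pull, dev, obj, t in (("A -> B, bound", PULL_B, "dev-B", "User2", NOW),
                                      ("A -> C, unbound", PULL_C, "dev-C", "User3", NOW),
                                      ("A -> B, expired", PULL_B, "dev-B", "User2",
                                       NOW + timedelta(hours=3))):
        print(label, authorize_session(PUSH_A, "dev-A", "User1", pull, dev, obj,
                                       PUSH_DB, PULL_DB, CORRESPONDENCE, t))
```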
Optionally, the computer device may receive the first remote connection request of the first terminal device and the second remote connection request of the second terminal device through a CDN node, and send the first remote access ticket carried in the first remote connection request and the second remote access ticket carried in the second remote connection request to the server. The server verifies the access of the first terminal device according to the first remote access ticket to obtain a first verification result, verifies the access of the second terminal device according to the second remote access ticket to obtain a second verification result, and returns the first verification result and the second verification result to the CDN node. The CDN node may then decide according to the first verification result and the second verification result whether to establish a remote access connection between the first terminal device and the second terminal device. The CDN node may refer to a data forwarding node of the server, so that an object obtains the required content nearby, network congestion is reduced, and object access response speed and hit rate are improved. The CDN node can serve as a bridge between the first terminal device and the second terminal device: the first remote access component in the first terminal device can push a stream to the CDN node, and the second remote access component in the second terminal device pulls the stream from the CDN node or the server. Specifically, when determining the CDN node, configuration information may be negotiated between the first terminal device and the second terminal device, and the CDN node may be determined from the server according to the configuration information.
After the second terminal device or the server queries the CDN node information, the CDN node information is sent to the first terminal device through IOACloud (IOA cloud), so that both sides push and pull streams to the same CDN node; IOACloud serves as the signaling channel for transmitting the CDN node information in this process.
Optionally, a remote access client may be installed in each of the first terminal device and the second terminal device. The remote access client is used to establish the remote access connection between the terminal devices and may be an IOA client, where IOA is a zero trust security management system. The server may be an IOA background server, and the login object in a terminal device is the object logged in to the IOA client. It should be understood that, with the data access method provided in the embodiment of the present application, the remote access client breaks through the conventional perimeter-based trust control approach: access permission is granted according to the "4T principle" of Trusted identity, Trusted device, Trusted application and Trusted link, and every access is forced to be authenticated, authorized and encrypted. This puts the "zero trust" design concept into practice, so that the data of the enterprise the object belongs to can be accessed safely no matter where or when the object is working; deployment flexibility and the object's access experience improve, and with them the overall security of enterprise office work.
In terms of trusted identity, the remote access client can adapt to the identity authentication schemes of different enterprises and supports verification modes such as Enterprise WeChat QR-code scanning, LDAP authentication, HTTP authentication, local identity and domain identity. In terms of trusted devices, it supports a customizable compliance baseline and comprehensive security protection capabilities, including antivirus, vulnerability patching, system hardening, compliance detection, data protection and threat response. In terms of trusted applications, only trusted applications on the allow list may access authorized services, and an unauthorized process is intercepted as soon as it is discovered. In terms of the trusted link, a front-end trusted access gateway (i.e. a smart gateway) hides the business servers behind a service application and forces all access to them to be authenticated, authorized and encrypted; combined with a self-developed long/short connection scheme and a global network acceleration service, this also resolves blocked or slow access across borders and across carriers, ensuring the security and stability of the link. Because the remote access client in a terminal device initiates access to other terminal devices, access security and reliability are improved through a secure channel inside the zero-trust network architecture.
Taking the remote office scenario as an example, an end user may log in to an IOA client (i.e. a remote access client) to use the zero-trust office function in a zero-trust network. The enterprise administrator can configure a zero-trust network access policy through the IOA management and control end and specify the access rights of a login object (i.e. a user logged in to the IOA client) to enterprise resources. Fig. 4 is a schematic diagram of configuring the access rights of a login object according to an embodiment of the present application; as shown in Fig. 4, an enterprise administrator may configure the intranet resources that login object U1 may access. The configuration interface for the intranet resources accessible to a login object displays a resource name option, a resource type option, a port option, a domain name option, a resource grouping option, a resource access mode option and a protocol type option. As shown in Fig. 4, the name of the resource that login object U1 can access is configured as a news website, the resource category is configured as a domain name, and the domain name is the one shown in the figure; the port of the resource is a designated port, the resource group is CC, and the protocol type is TCP (a transmission control protocol). In this way the intranet resources accessible to a login object can be configured, which simplifies managing intranet resource access. Fig. 5 is a schematic diagram of configuring the access rights of a login object according to an embodiment of the present application; as shown in Fig. 5, an enterprise administrator may configure a gateway that may access intranet resources.
The configuration interface for gateways with access rights to intranet resources displays the gateways that hold such rights, where the accessible gateway IP is 9.135. The configuration interface also displays an add-new-gateway control, and when the enterprise administrator triggers it, a new gateway that can access intranet resources can be added. In this way, gateway resources can be managed conveniently by configuring which gateways have access rights to intranet resources.
Fig. 6 is a schematic diagram of the list of authorized terminal devices that a login object has access rights to, according to an embodiment of the present application; the rights display interface shown in Fig. 6 shows that list for the login object with object identifier V1234. The rights display interface presents the object identifier of the login object (i.e. V1234), the name of the login object (i.e. user a), its department (i.e. V2), the group it belongs to (i.e. 123) and the account status (i.e. enabled). The rights display interface further shows the resource access rights of the login object, covering all of its authorized resources, and the computer device can sort those resources. As shown in Fig. 6, the rights display interface shows that the login object inherits a resource grant from its parent group, consisting of a resource named first organization of type V and a resource named second organization of type V. The interface also shows the login object's currently authorized resource, namely the resource named third organization, its type, and its source, group B. All authorized resources of a login object can therefore be reviewed at the management and control end, which makes it convenient to verify whether the login object's access is legitimate.
Optionally, the first terminal device and the second terminal device may each be provided with a remote access component. The remote access component may be invoked by the remote access client to use the channel between the two remote access clients to pull data from other terminal devices or push data to them, thereby establishing a remote access connection between the terminal devices. Specifically, the remote access component may run as a service component of the corresponding terminal device's operating system, operating in the background as a resident system service, and provide SDK (software development kit) files to the terminal device for control and application, including an interface to start remote access, an interface to stop remote access, an interface to pass key parameters, and the like.
Specifically, the following description uses remote desktop technology as the example, where the first terminal device pushes data to the second terminal device and the second terminal device pulls data from the first terminal device: the first remote access component of the first terminal device may be an agent component, and the second remote access component of the second terminal device is a client component. The first remote access component of the first terminal device may continuously capture the desktop image of the first terminal device's operating system, compress and encode it, and transmit it to the second terminal device. The second remote access component of the second terminal device then displays the content of the first terminal device's remote desktop on the screen of the second terminal device and sends the keyboard, mouse and other input of the second terminal device back to the first terminal device in real time, so that the user at the second terminal device can operate the remote desktop of the first terminal device as if sitting at it; this realizes the remote desktop technology. Remote desktop technology is not limited to the mainstream commercial RDP protocol (a remote desktop protocol) and VNC protocol (a remote desktop protocol); it also uses cloud computing technology to realize remote access through video encoding/decoding and real-time transmission technology. The first terminal device is responsible for capturing the desktop images of its operating system, transmitting them to the second terminal device over the network, and having them displayed to the user in real time.
At the same time, the first terminal device also receives the interactive instructions of the user at the second terminal device and processes and responds to them in real time. Remote access involves several stages, such as desktop capture, network transmission and data transcoding; the remote access component can apply hardware acceleration along this pipeline, adopting a GPU-based (i.e. graphics processor based) desktop capture and H265 hardware encoding/decoding scheme combined with real-time transmission technology on top of WebRTC (a real-time communication technology), so as to provide a low-latency remote desktop experience. The remote access component in the embodiment of the present application may therefore be a cloud desktop technology that uses cloud computing to implement video encoding/decoding and real-time transmission on the basis of WebRTC.
The second remote access component and its process in the second terminal device are responsible for initiating the remote access connection request to the remote desktop (i.e. the desktop of the first terminal device); after the connection succeeds, a full-screen window is created locally in the second terminal device to display the content of the remote desktop. The main responsibility of the first remote access component in the first terminal device is to capture the desktop image of the first terminal device at a fixed frequency, encode it in real time and push it to the second terminal device. The second remote access component in the second terminal device pulls the desktop image data pushed by the first terminal device, decodes it and renders it into the local window of the second terminal device.
Specifically, after the first remote access client (IOA client) in the first terminal device calls the start interface of the first remote access component, the first remote access component may capture the desktop image of the first terminal device's operating system at a fixed frequency, encode it in real time and push it to the second terminal device. At the same time, the first remote access component processes the keyboard and mouse events of the second terminal device in real time, handles the camera and microphone of the second terminal device as virtual devices, and also handles functions such as the clipboard and file system mounting in the first terminal device. Specifically, the second remote access component of the second terminal device may initiate a remote desktop connection request to the first terminal device and, after the connection succeeds, create a full-screen window locally in the second terminal device to display the content of the first terminal device's remote desktop. Meanwhile, the second remote access component of the second terminal device may display a MiniBar (a floating window) on top of that full-screen window. The MiniBar provides basic configuration and remote-desktop-related operations to the user, mainly covering the Rtc streaming protocol (a data streaming protocol), remote mapping of the second terminal device's camera and microphone to the first terminal device, processing of keyboard and mouse events, and the function modules for clipboard and file system mounting.
The second terminal device can initiate a remote access request for the first terminal device. After the server forwards the remote access request initiated by the second terminal device to the first terminal device, the first terminal device applies to the server for a data push ticket, and the second terminal device applies to the server for a data pull ticket. The first terminal device can push data to the second terminal device only while carrying the data push ticket issued by the server, and the second terminal device can pull data from the first terminal device only while carrying the data pull ticket issued by the server.
Optionally, the computer device may obtain a remote access request sent by the second terminal device for the first terminal device and, if the first terminal device belongs to the permitted terminal device list, obtain first device information of the first terminal device and second device information of the second terminal device according to the remote access request; the permitted terminal device list contains the terminal devices that the second terminal device has access rights to. A first access state of the first terminal device is detected based on the first device information, and a second access state of the second terminal device is detected based on the second device information. If the first access state indicates that the first terminal device is in an accessible state and the second access state indicates that the second terminal device is in an accessible state, the remote access request is transmitted to the first terminal device.
Specifically, a user may log in to the second remote access client (i.e. the IOA client) of the second terminal device and thereby become its login object, and the computer device treats the login object of the second remote access client as the login object of the second terminal device. The user may then initiate a remote access connection request in the second terminal device by having the second remote access client invoke the second remote access component. The second remote access client of the second terminal device may collect second device information of the second terminal device, which may include object information (such as an object identifier, object position, etc.) of the login object of the second terminal device and device feature information (device identifier, device address, etc.) of the second terminal device, and generate an authorized terminal acquisition request from that object information and device feature information; the authorized terminal acquisition request asks for the terminal devices that the second terminal device is authorized to access. The second remote access client sends the authorized terminal acquisition request to the server (i.e. the IOA background server). After receiving it, the server may determine, according to the device feature information and object information in the request, the list of permitted terminal devices that the second terminal device has access rights to, and return that list to the second terminal device.
Further, the second terminal device may select one terminal device from the permitted terminal device list returned by the server; the terminal device selected by the second terminal device from that list is the first terminal device. The second remote access client of the second terminal device then invokes the second remote access component to initiate a remote access request for the first terminal device. A terminal control process (e.g. the IOA terminal control process) in the second remote access client of the second terminal device sends a device detection request to the server, asking the server to detect the first access state of the first terminal device and the second access state of the second terminal device. After receiving the device detection request sent by the second terminal device, the server may acquire first device information of the first terminal device and second device information of the second terminal device. The first device information may include whether the first terminal device is powered on, whether it has a remote access component installed, whether it has a virus, whether it has security management software installed, and the like. Similarly, the second device information may include whether the second terminal device is powered on, whether it has a remote access component installed, whether it has a virus, whether it has security management software installed, and the like. The server may determine the device health state of the first terminal device based on the first device information, the device health state being either healthy or unhealthy.
For example, if the first terminal device satisfies the conditions of being powered on, having a remote access component installed, having no virus, having security management software installed, and the like, its health state may be determined to be healthy; if the first terminal device does not satisfy these conditions, its health state may be determined to be unhealthy.
Likewise, the server may determine the device health state of the second terminal device based on the second device information. Further, the computer device may determine the first access state of the first terminal device from the device health state of the first terminal device: if the device health state of the first terminal device is healthy, the first access state is the accessible state; if it is unhealthy, the first access state is the inaccessible state. In the same way, the computer device determines the second access state of the second terminal device from the device health state of the second terminal device. If the first access state indicates that the first terminal device is accessible and the second access state indicates that the second terminal device is accessible, the server sends the remote access request to the first terminal device. Thus the server forwards the second terminal device's remote access request to the first terminal device only after restricting the second terminal device to first terminal devices it is authorized to access and confirming that both the first access state and the second access state are accessible. Illegal remote access requests can therefore be screened out at this early stage, improving the security and reliability of remote access.
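The pre-check described in the preceding paragraphs, written out as an added Python example (it is not code from the patent or from the IOA product): device information is reduced to a health state, the health state to an access state, and the server forwards the request only when the target is on the requester's permitted list and both sides are accessible. The field names of `DeviceInfo`, keying the permitted list by requester device identifier, and the sample inventory are all assumptions made for the example.

```python
from dataclasses import dataclass


# Hypothetical record: the page lists the checks (powered on, remote access
# component installed, no virus, security management software installed) but
# gives no schema for the device information, so these field names are assumed.
@dataclass(frozen=True)
class DeviceInfo:
    device_id: str
    powered_on: bool
    remote_access_component_installed: bool
    virus_detected: bool
    security_software_installed: bool


def device_health(info: DeviceInfo) -> str:
    """'healthy' only when every condition holds; any failed condition is 'unhealthy'."""
    healthy = (
        info.powered_on
        and info.remote_access_component_installed
        and not info.virus_detected
        and info.security_software_installed
    )
    return "healthy" if healthy else "unhealthy"


def access_state(info: DeviceInfo) -> str:
    """Map the device health state onto the access state used by the server."""
    return "accessible" if device_health(info) == "healthy" else "inaccessible"


def forward_remote_access_request(
    second_id: str,                   # requester: the second terminal device (pulls data)
    first_id: str,                    # target: the first terminal device (pushes data)
    permitted: dict[str, set[str]],   # requester -> permitted terminal device list (assumed keying)
    devices: dict[str, DeviceInfo],   # device information the server can acquire
) -> tuple[bool, str]:
    """Decide whether the server forwards the request to the first terminal device.

    Returns (forward, reason). Unknown devices fail closed, an assumption of the example.
    """
    # Step 1: the target must be on the requester's permitted terminal device list.
    if first_id not in permitted.get(second_id, set()):
        return False, "first terminal device not in permitted terminal device list"
    first, second = devices.get(first_id), devices.get(second_id)
    if first is None or second is None:
        return False, "device information unavailable"
    # Step 2: both the first and the second access state must be accessible.
    if access_state(first) != "accessible":
        return False, "first terminal device is inaccessible"
    if access_state(second) != "accessible":
        return False, "second terminal device is inaccessible"
    return True, "remote access request forwarded to first terminal device"


# Constructed sample inventory for the example (not from the page).
SAMPLE_DEVICES = {
    "A": DeviceInfo("A", True, True, False, True),
    "B": DeviceInfo("B", True, True, False, True),
    "C": DeviceInfo("C", True, True, True, True),    # virus detected
    "D": DeviceInfo("D", False, True, False, True),  # powered off
}
SAMPLE_PERMITTED = {"B": {"A", "C", "D"}}            # B may request A, C and D


if __name__ == "__main__":
    for target in ("A", "C", "D", "E"):
        print(target, forward_remote_access_request("B", target, SAMPLE_PERMITTED, SAMPLE_DEVICES))
```

The reason string is what a defender would log: a denied request tells you whether the policy list or a failed health condition blocked it, which is the information needed when a legitimate user is refused and when an unexpected source keeps probing.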
The process by which the server generates the first check ticket of the first terminal device and the second check ticket of the second terminal device is described in detail below, taking the first remote access ticket of the first terminal device to be a data push ticket and the second remote access ticket of the second terminal device to be a data pull ticket.
Optionally, after the first terminal device receives the remote access request sent by the second terminal device, the computer device receives a first ticket generation request that the first terminal device generates on the basis of that remote access request; the first ticket generation request carries the first device information of the first terminal device. The access right of the first terminal device for the second terminal device is checked according to the first device information, giving a first device check result. If the first device check result indicates that the first terminal device has the access right for the second terminal device, a first check ticket corresponding to the first terminal device is generated according to the first device information, and that first check ticket is stored in a first check ticket database.
Specifically, after receiving the remote access request of the second terminal device, the first terminal device may collect its first device information through the first remote access client. The first device information may include device feature information of the first terminal device, object information of the first current login object in the first terminal device, and pairing information between the first terminal device and the second terminal device, where the pairing information records that the second terminal device accesses the first terminal device to pull its remote access data; for example, the pairing information may be second terminal device→first terminal device. For a first terminal device, at most one terminal device may remotely access it at the same time. The first remote access client in the first terminal device may generate a first ticket generation request for the remote access request based on the first device information and send it to the server. After receiving the first ticket generation request, the server can check the access right of the first terminal device for the second terminal device according to the first device information and obtain the first device check result.
Specifically, the checks the computer device performs on the access right of the first terminal device may include, but are not limited to, the following. The computer device may obtain historical operation log data of the first terminal device and determine the credit of the first terminal device from it. For example, if the computer device detects from the historical operation log data that the first terminal device is at risk of being used illegally, it may determine that the credit of the first terminal device is low; if it detects no such risk, it may determine that the credit is high. If the computer device detects from the historical operation log data that the first terminal device has a virus, it may determine that the credit of the first terminal device is low; if it detects no virus, it may determine that the credit is high. The computer device may also acquire object information of the first current login object of the first terminal device and determine the credit of the first current login object from that object information.
Specifically, the computer device may determine from the object information of the first current login object whether that login object shows a tendency to change jobs or leave. If the first current login object in the first terminal device shows such a tendency, its credit is determined to be low; if it does not, its credit is determined to be high. Specifically, the computer device may also determine, from the object information of the first current login object, the degree of behavior deviation of that login object. If the access habits of the first current login object suddenly deviate markedly, or its access behavior differs greatly in kind from its historical access behavior, the degree of behavior deviation is determined to be large; otherwise it is small. If the degree of behavior deviation of the first current login object is large, its credit is determined to be low; if it is small, its credit is determined to be high.
The computer device may also determine, based on the object information of the first current login object of the first terminal device, whether that login object has data push permission for the second terminal device.
Specifically, the computer device may check the access right of the first terminal device for the second terminal device according to the credit of the first current login object, the credit of the first terminal device, and whether the first current login object has data push permission for the second terminal device, and so obtain the first device check result. If the credit of the first current login object is greater than or equal to a first credit threshold, the credit of the first terminal device is greater than or equal to a second credit threshold, and the first current login object has data push permission for the second terminal device, the first terminal device is determined to have the access right for the second terminal device, and a first device check result stating that it has that access right is generated. If the credit of the first current login object is smaller than the first credit threshold, the credit of the first terminal device is smaller than the second credit threshold, and the first current login object does not have data push permission for the second terminal device, the first terminal device is determined not to have the access right for the second terminal device, and a first device check result stating that it lacks that access right is generated. Optionally, since the first terminal device is passively pulled by the second terminal device, the access right of the second terminal device may be checked while the first terminal device is not.
Further, if the computer device determines that the first device check result indicates that the first terminal device has the access right for the second terminal device, it generates the first check ticket corresponding to the first terminal device according to the first device information. Specifically, the computer device may obtain a ticket generation format and generate the first check ticket from that format and the first device information; the first check ticket may include device feature information of the first terminal device (such as terminal identification information), object information of the first current login object (such as a login object identifier), and the pairing relationship (i.e. the matching relationship between the first terminal device and the second terminal device). The computer device can determine the ticket validity period of the first check ticket from the first device information. For example, if the credit of the first terminal device and the credit of its first current login object are high, the validity period of the first check ticket is longer, for example 48 hours; if they are low, the validity period is shorter, for example 1 hour. In this way the security and reliability of access can be improved. Of course, the computer device may also set the validity period of the first check ticket according to an administrator setting, for example so that all check tickets generated by the server are valid for 24 hours.
Similarly, after the second terminal device sends the remote access request to the first terminal device, second device information of the second terminal device may be collected through a second remote access ticket of the second terminal device, and a second ticket generation request of the second terminal device may be generated according to the second device information. The second device information may include device feature information of the second terminal device, object information of a second current login object in the second terminal device, and pairing information between the first terminal device and the second terminal device, where the pairing information refers to that the second terminal device accesses the first terminal device to pull remote access data of the first terminal device. For example, the pairing information may be second terminal device→first terminal device. For the second terminal device, remote access data of one or more terminal devices are pulled at the same time, a data pulling bill applied by the second terminal device can be used for pulling remote access data of one terminal device, and a data pulling bill applied by the second terminal device can also be used for pulling remote access data of one terminal device.
Specifically, the second remote access client in the second terminal device may generate a second ticket generation request regarding the remote access request based on the second device information of the second terminal device, and send the second ticket generation request to the server. After receiving the second ticket generation request sent by the second terminal device, the server can verify the access right of the second terminal device for the first terminal device according to the second device information of the second terminal device, and obtain a second device verification result.
Optionally, the second device information of the second terminal device includes the device running log of the second terminal device and the second current login object of the second terminal device at the time the second ticket generation request is generated. The specific steps by which the computer device verifies the access right of the second terminal device may include, but are not limited to, the following. The device reliability of the second terminal device is determined according to the device running log of the second terminal device. If the device reliability of the second terminal device is greater than or equal to the first reliability threshold, the object feature information of the second current login object of the second terminal device is acquired, and the object reliability of the second current login object is determined according to the object feature information of the second current login object. If the object reliability of the second current login object is greater than or equal to the second reliability threshold, the data pulling permission of the second current login object for the first terminal device is determined according to the object feature information of the second current login object. If the data pulling permission indicates that the second current login object has permission to pull the multimedia data of the first terminal device, a second device verification result indicating that the second terminal device has the access right for the first terminal device is generated.
Specifically, the computer device may obtain the device running log of the second terminal device, and determine the device reliability of the second terminal device according to that log. For example, if the computer device detects, according to the device running log, that the second terminal device is at risk of being illegally used, it may determine that the reliability of the second terminal device is lower; if the computer device detects, according to the device running log, that the second terminal device is not at risk of being exploited by illegal software, it may determine that the reliability of the second terminal device is higher. It will be appreciated that the computer device may detect the device risk of the second terminal device based on the second device information of the second terminal device. Further, if the device reliability of the second terminal device is greater than or equal to the first reliability threshold, the computer device may obtain the object feature information of the second current login object, and determine the object reliability of the second current login object according to that object feature information. For example, if the second current login object shows abnormal behavior such as a job-hopping or departure tendency, or a sudden large deviation in access habits, it can be determined that the object reliability of the second current login object is low; if the second current login object shows no such abnormal behavior, the object reliability of the second current login object can be determined to be high.
If the device reliability of the second terminal device is less than the first reliability threshold, it is determined that the second terminal device does not have the access right for the first terminal device.
Further, if the object reliability of the second current login object is greater than or equal to the second reliability threshold, the data pulling permission of the second current login object for the first terminal device is determined according to the object feature information of the second current login object. If the object reliability of the second current login object is less than the second reliability threshold, it is determined that the second terminal device does not have the access right for the first terminal device. If the data pulling permission indicates that the second current login object has permission to pull the multimedia data of the first terminal device, a second device verification result indicating that the second terminal device has the access right for the first terminal device is generated.
Further, if the computer device determines that the second device verification result indicates that the second terminal device has the access right for the first terminal device, a second check ticket corresponding to the second terminal device is generated according to the second device information. Specifically, the computer device may acquire a ticket generating format, and generate the second check ticket corresponding to the second terminal device according to the ticket generating format and the second device information, where the second check ticket may include device feature information (such as terminal identification information) of the second terminal device, object information (such as a login object identifier) of the second current login object of the second terminal device, and a pairing relationship (i.e., a matching relationship between the first terminal device and the second terminal device). Similarly, the computer device may also determine the ticket validity period of the second check ticket of the second terminal device according to the second device information of the second terminal device. Of course, the computer device may also determine the ticket validity period of the second check ticket of the second terminal device according to an administrator setting, for example, that all check tickets generated by the server are valid for 24 hours.
Optionally, the first device information includes the first current login object of the first terminal device at the time the first ticket generation request is generated, and after the computer device generates the first check ticket of the first terminal device and the second check ticket of the second terminal device, an object matching relationship between the authorized login object of the first check ticket and the authorized login object of the second check ticket can be established, where the authorized login object of the first check ticket is the first current login object and the authorized login object of the second check ticket is the second current login object. A device matching relationship between the first terminal device and the second terminal device is established, and an identifier matching relationship between the ticket identifier of the first check ticket and the ticket identifier of the second check ticket is established. Ticket correspondence indication information for the ticket binding relationship between the first check ticket and the second check ticket is generated according to the object matching relationship, the device matching relationship and the identifier matching relationship. The ticket correspondence indication information indicating the ticket binding relationship between the first check ticket and the second check ticket is stored in a correspondence table.
Specifically, the computer device may establish an object matching relationship between the authorized login object of the first check ticket and the authorized login object of the second check ticket, where the authorized login object of the first check ticket is the first current login object and the authorized login object of the second check ticket is the second current login object. That is, the computer device may take the authorized login object of the first check ticket as the first current login object, and the authorized login object of the second check ticket as the second current login object. For example, the login object User1 of terminal device A initiates remote access to terminal device B, and the login object of terminal device B is User2. After the server generates the first check ticket P1 of terminal device A (login object User1) and the second check ticket P2 of terminal device B (login object User2), an object matching relationship between the login object User1 and the login object User2, such as User1→User2, may be established. The server may also establish a device matching relationship between terminal device A and terminal device B, such as terminal device A→terminal device B, and an identifier matching relationship between the ticket identifier of the first check ticket P1 and the ticket identifier of the second check ticket P2, such as P1→P2.
Further, the computer device generates ticket correspondence indication information for the ticket binding relationship between the first check ticket and the second check ticket according to the object matching relationship, the device matching relationship and the identifier matching relationship, and stores the ticket correspondence indication information indicating the ticket binding relationship between the first check ticket and the second check ticket in the correspondence table. The computer device can take the first check ticket as the remote access ticket of the first terminal device and issue it to the first remote access client in the first terminal device. The computer device may issue the second check ticket, as the remote access ticket of the second terminal device, to the second remote access client of the second terminal device.
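The ticket issuance flow described above (reliability thresholds, reliability-dependent validity period, administrator override, and the binding record for the correspondence table), as an added example that is not part of the patent; the reliability scoring, thresholds, log lines and device records are constructed for illustration:

```python
import secrets
import time
from dataclasses import dataclass

# Thresholds and scoring are constructed for this example; the patent text
# only gives the 48 hour / 1 hour / 24 hour validity periods as illustrations.
FIRST_RELIABILITY_THRESHOLD = 0.6    # device reliability threshold
SECOND_RELIABILITY_THRESHOLD = 0.5   # login-object reliability threshold
HIGH_RELIABILITY = 0.9               # both scores at or above this: 48 hours


@dataclass
class DeviceInfo:
    device_id: str          # terminal identification information
    login_object: str       # identifier of the current login object
    peer_device_id: str     # the terminal device it is paired with
    run_log: list           # device running log lines (constructed)
    object_features: dict   # login-object feature information (constructed)
    permissions: set        # data push / pull permissions of the login object


def device_reliability(run_log):
    """Score the device running log: each sign of illegal use lowers it."""
    risky = sum(1 for line in run_log if "TAMPER" in line or "UNSIGNED_MODULE" in line)
    return max(0.0, 1.0 - 0.5 * risky)


def object_reliability(features):
    """Score the login object: departure tendency or a large habit deviation lowers it."""
    score = 1.0
    if features.get("departure_tendency"):
        score -= 0.5
    if features.get("habit_deviation", 0.0) > 0.5:
        score -= 0.4
    return max(0.0, score)


def verify_access_right(info, needed_permission):
    """Apply the two thresholds and the permission check in the order the
    description gives; returns (has_right, device_score, object_score, reason)."""
    dev = device_reliability(info.run_log)
    if dev < FIRST_RELIABILITY_THRESHOLD:
        return False, dev, 0.0, "device reliability below first threshold"
    obj = object_reliability(info.object_features)
    if obj < SECOND_RELIABILITY_THRESHOLD:
        return False, dev, obj, "object reliability below second threshold"
    if needed_permission not in info.permissions:
        return False, dev, obj, "login object lacks %s permission" % needed_permission
    return True, dev, obj, "ok"


def ticket_validity_seconds(dev, obj, admin_fixed=None):
    """An administrator setting overrides; otherwise higher reliability earns
    the longer validity period."""
    if admin_fixed is not None:
        return admin_fixed
    if dev >= HIGH_RELIABILITY and obj >= HIGH_RELIABILITY:
        return 48 * 3600
    return 3600


def generate_check_ticket(info, needed_permission, now, admin_fixed=None):
    """Build the check ticket: device feature, login object, pairing, expiry."""
    ok, dev, obj, reason = verify_access_right(info, needed_permission)
    if not ok:
        return None, reason
    ticket = {
        "ticket_id": secrets.token_hex(8),
        "device_id": info.device_id,
        "login_object": info.login_object,
        "pairing": (info.device_id, info.peer_device_id),
        "expires_at": now + ticket_validity_seconds(dev, obj, admin_fixed),
    }
    return ticket, "ok"


def bind_tickets(p1, p2):
    """Ticket correspondence indication information for the correspondence table."""
    return {
        "object_match": (p1["login_object"], p2["login_object"]),
        "device_match": (p1["device_id"], p2["device_id"]),
        "id_match": (p1["ticket_id"], p2["ticket_id"]),
    }


def issue_pair(first, second, now=None, admin_fixed=None):
    """Issue the push ticket for `first` and the pull ticket for `second` and
    bind them; returns (binding, (p1, p2)) or (None, (reason1, reason2))."""
    now = time.time() if now is None else now
    p1, r1 = generate_check_ticket(first, "push", now, admin_fixed)
    p2, r2 = generate_check_ticket(second, "pull", now, admin_fixed)
    if p1 is None or p2 is None:
        return None, (r1, r2)
    return bind_tickets(p1, p2), (p1, p2)


# Constructed sample: terminal A (User1) pushes to terminal B (User2);
# terminal C's running log shows tampering and must be refused.
DEVICE_A = DeviceInfo("A", "User1", "B", ["boot ok", "agent ok"], {}, {"push"})
DEVICE_B = DeviceInfo("B", "User2", "A", ["boot ok"], {"habit_deviation": 0.6}, {"pull"})
DEVICE_C = DeviceInfo("C", "User3", "A", ["TAMPER detected in agent"], {}, {"pull"})
```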
S102, if the first verification result indicates that the first terminal device has access legitimacy for the second terminal device, and the second verification result indicates that the second terminal device has access legitimacy for the first terminal device, a remote access connection between the first terminal device and the second terminal device is established.
Specifically, if the computer device determines that the first verification result indicates that the first terminal device has access legitimacy for the second terminal device, and the second verification result indicates that the second terminal device has access legitimacy for the first terminal device, the computer device may establish a remote access connection between the first terminal device and the second terminal device. The remote access connection may refer to a remote access session. For example, the first terminal device pushes remote access data to the second terminal device, and the second terminal device pulls the remote access data from the first terminal device. If the computer device determines that the first terminal device has access legitimacy for the second terminal device, and the second terminal device has access legitimacy for the first terminal device, the remote access data pushed by the first terminal device can be received and forwarded to the second terminal device, so as to establish a remote access session between the first terminal device and the second terminal device. Therefore, the remote access connection between the first terminal device and the second terminal device is established only after the access legitimacy of the first terminal device and the access legitimacy of the second terminal device have been verified, which reduces the probability that remote access data is stolen after intrusion and exploitation by illegal software, and improves the security of remote access.
Optionally, the specific manner in which the computer device establishes the remote access connection between the first terminal device and the second terminal device may include: if the first verification result indicates that the first terminal device has access legitimacy for the second terminal device, and the second verification result indicates that the second terminal device has access legitimacy for the first terminal device, generating access connection indication information, and sending the access connection indication information to a data forwarding node; the access connection indication information is used to instruct the data forwarding node to forward the remote access data sent by the first terminal device to the second terminal device, so as to establish the remote access connection between the first terminal device and the second terminal device.
Specifically, the computer device may establish the remote access connection between the first terminal device and the second terminal device through a data forwarding node in the server. When the first terminal device needs to push remote access data to the second terminal device, the remote access data may be obtained by the first remote access component editing the desktop image of the first terminal device, and the first terminal device may send the remote access ticket issued to it by the server to the first remote access component through the first remote access client. The first remote access component generates a first remote connection request carrying the remote access ticket issued by the server to the first terminal device and the remote access data, and uploads the first remote connection request to a data forwarding node in the server, where the data forwarding node may be a CDN node. The data forwarding node may acquire the remote access ticket sent by the first terminal device from the first remote connection request as the first remote access ticket. Further, the data forwarding node may send the first remote access ticket to the server, and the server verifies the access legitimacy of the first terminal device according to the first remote access ticket, so as to obtain the first verification result. If the first verification result indicates that the first terminal device has access legitimacy for the second terminal device, the computer device may instruct the data forwarding node to receive the remote access data in the first remote connection request.
Similarly, when the second terminal device needs to pull the remote access data pushed by the first terminal device, the second terminal device can send the remote access ticket issued to it by the server to the second remote access component through the second remote access client. The second remote access component generates a second remote connection request carrying the remote access ticket issued by the server to the second terminal device, and uploads the second remote connection request to the data forwarding node in the server. The data forwarding node may acquire the remote access ticket sent by the second terminal device from the second remote connection request as the second remote access ticket. Further, the data forwarding node may send the second remote access ticket to the server, and the server verifies the access legitimacy of the second terminal device according to the second remote access ticket, so as to obtain the second verification result. If the second verification result indicates that the second terminal device has access legitimacy for the first terminal device, the computer device may generate access connection indication information and send it to the data forwarding node. The access connection indication information is used to instruct the data forwarding node to forward the remote access data sent by the first terminal device to the second terminal device, so as to establish the remote access connection between the first terminal device and the second terminal device. After receiving the access connection indication information, the data forwarding node may forward the remote access data sent by the first terminal device to the second terminal device, so as to establish the remote access connection between the first terminal device and the second terminal device.
Therefore, the remote access connection between the first terminal device and the second terminal device is established only after the access legitimacy of the first terminal device and the access legitimacy of the second terminal device have been verified, which reduces the probability that remote access data is stolen after intrusion and exploitation by illegal software, and improves the security of remote access.
S103, in the process in which the first terminal device and the second terminal device exchange service data through the remote access connection, the security of the remote access connection is detected to obtain a security detection result.
Specifically, in the process in which the first terminal device and the second terminal device exchange service data through the remote access connection, the computer device can detect the security of the remote access connection to obtain a security detection result. The security detection result may indicate that the remote access connection is secure or that the remote access connection is not secure. In this way, the remote access connection is subjected to secondary verification while the first terminal device and the second terminal device exchange service data through it, so that the probability of exploitation by illegal software can be reduced; at the same time, the security channel in the zero trust network architecture is used for verification both before and after the remote access connection is established, security is ensured at multiple points, the security of data access can be improved, and the reliability and usability of the access system are significantly enhanced.
Specifically, the security of the remote access connection may refer to the security of the first terminal device, the security of the second terminal device, and the security of the access channel between the first terminal device and the second terminal device. The computer device can detect the security of the first terminal device, the security of the second terminal device and the security of the access channel between the first terminal device and the second terminal device, so as to detect the security of the remote access connection, and obtain a security detection result.
Optionally, the specific manner in which the computer device detects the security of the remote access connection may include: in the process in which the first terminal device and the second terminal device exchange service data through the remote access connection, forwarding a security detection instruction generated by the first terminal device to the second terminal device through the remote access connection, where the security detection instruction includes detection request information; acquiring detection response information returned by the second terminal device based on the security detection instruction; and detecting the security of the remote access connection according to the detection request information and the detection response information, to obtain a security detection result.
Specifically, either of the first terminal device and the second terminal device can periodically or randomly initiate a secondary checking mechanism, in the form of dynamic challenges or signaling, regarding the software and hardware environment, identity state, security compliance and the like of the opposite terminal, so as to detect the security of the remote access connection. Taking as an example the first terminal device initiating a security detection instruction for the second terminal device: in the process in which the first terminal device and the second terminal device exchange service data through the remote access connection, the first terminal device can generate, through the first remote access client, a security detection instruction for detecting the security of the second terminal device. The security detection instruction may include detection request information indicating detection of the second device information, login state, software and hardware environment condition, risk condition, and the like of the second terminal device. The first remote access client may send the security detection instruction to the first remote access component in the first terminal device, and send the security detection instruction for the second terminal device to the data forwarding node through the first remote access component. After receiving the security detection instruction sent by the first terminal device, the data forwarding node may forward it to the second remote access component of the second terminal device.
After the second remote access component receives the security detection instruction sent by the first terminal device, it can pass the security detection instruction to the second remote access client, and the second remote access client generates detection response information corresponding to the security detection instruction based on the instruction sent by the first terminal device.
Further, the second remote access client may send the detection response information to the second remote access component, the second remote access component sends it to the data forwarding node, the data forwarding node returns it to the first remote access component of the first terminal device, and the first remote access component returns it to the first remote access client. The first remote access client can detect the security of the remote access connection according to the detection request information and the detection response information to obtain a security detection result. Alternatively, the first remote access client may send the detection response information to the server, and the server detects the security of the remote access connection according to the detection response information, so as to obtain a security detection result. In this way, through the channel between the remote access components and the bidirectional calls between the remote access client and the remote access component, a secondary verification mechanism of dynamic challenges or signaling is realized, thereby realizing an abnormal behavior detection and automatic intervention mechanism in the remote access process.
Optionally, the second terminal device may initiate a security detection instruction for the first terminal device, with the first terminal device returning detection response information; or the server may initiate security detection instructions for the first terminal device and the second terminal device, with the first terminal device and the second terminal device each returning detection response information, so as to implement security detection for the remote access connection.
Optionally, the detection request information includes object information of a second login object logged into the first terminal device, and the detection response information includes object information of a third login object logged into the second terminal device. The specific manner in which the computer device detects the security of the remote access connection may include: determining the data access relationship between the second login object and the third login object according to the object information of the second login object and the object information of the third login object; and if the data access relationship is abnormal, generating a security detection result indicating that the remote access connection does not have security.
Specifically, the detection request information includes object information of the second login object logged into the first terminal device at the time the first terminal device generates the security detection instruction, and the detection request information may instruct the second terminal device to return object information of the third login object currently logged into the second terminal device. After the second terminal device receives the security detection instruction of the first terminal device, it can acquire, based on the security detection instruction, the object information of the third login object currently logged into the second terminal device, take that object information as detection response information, and return the detection response information to the first terminal device. The computer device may determine the data access relationship between the second login object and the third login object based on the object information of the second login object and the object information of the third login object. The computer device compares the data access relationship with the object access relationship between the object information stored in the first check ticket and the second check ticket: if the data access relationship is inconsistent with the object access relationship, the data access relationship is abnormal, and a security detection result indicating that the remote access connection does not have security is generated; if the data access relationship is consistent with the object access relationship, the data access relationship is not abnormal, and a security detection result indicating that the remote access connection has security is generated.
Optionally, the detection request information indicates that the login state of the remote access client in the second terminal device is to be detected, where the remote access client is the client used to establish the remote access connection, and the detection response information is the login state of the remote access client in the second terminal device. The specific manner in which the computer device detects the security of the remote access connection may include: if the login state indicates that the login of the remote access client in the second terminal device is in an interrupted state, generating a security detection result indicating that the remote access connection does not have security; and if the login state indicates that the current login object of the remote access client in the second terminal device is inconsistent with the authorized login object of the second remote access ticket, generating a security detection result indicating that the remote access connection does not have security.
Specifically, the detection request information generated by the first terminal device may indicate that the login state of the remote access client in the second terminal device is to be detected; after the second remote access client in the second terminal device receives the detection request information, it may detect the login state of the remote access client (i.e., the second remote access client) in the second terminal device, and use that login state as the detection response information. Further, the second remote access client may return the detection response information to the data forwarding node through the second remote access component, and the data forwarding node may return the detection response information to the first terminal device. The computer device can detect the security of the remote access connection according to the login state of the second remote access client to obtain a security detection result. Specifically, if the login state of the second remote access client indicates that the login of the remote access client in the second terminal device is in an interrupted state, a security detection result indicating that the remote access connection does not have security is generated. If the login state indicates that the current login object of the remote access client in the second terminal device is inconsistent with the login object recorded in the second remote access ticket, i.e., the login object of the second terminal device has changed, a security detection result indicating that the remote access connection does not have security is generated.
Alternatively, the security detection instruction may be a logic operation instruction agreed between the first terminal device and the second terminal device. Specifically, after the first terminal device sends the logic operation instruction to the second terminal device, the second terminal device may return a logic operation result to the first terminal device based on the logic operation instruction. After the first terminal device receives the logic operation result, it can detect whether the second terminal device is abnormal according to that result. For example, if the first terminal device detects that the logic operation result is inaccurate, it determines that the second terminal device is abnormal, and generates a security detection result indicating that the remote access connection does not have security; if the first terminal device detects that the logic operation result is accurate, it determines that the second terminal device is not abnormal, and generates a security detection result indicating that the remote access connection has security. For example, if the logic operation agreed between the first terminal device and the second terminal device is to add 1 to the answer of the corresponding question, then after the first terminal device sends "1+1=?" to the second terminal device, if the second terminal device returns the operation result 3, this indicates that the second terminal device has security, and a security detection result indicating that the remote access connection has security is generated; if the second terminal device returns any result other than 3, this indicates that the second terminal device does not have security, and a security detection result indicating that the remote access connection does not have security is generated.
It should be noted that the specific manner of detecting the security of the remote access connection is not limited in the embodiments of the present application, as long as a secondary verification mechanism of dynamic challenges or signaling is implemented, so that abnormal behavior detection and automatic intervention in the remote access process can be achieved.
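The three checks described above (object access relation against the ticket binding, login state of the remote access client, and the agreed logic operation), combined into one security detection result, as an added example that is not part of the patent; the binding record, request and response messages, and the shape of the `login_state` field are constructed assumptions:

```python
import re

# Constructed binding record of the kind the server stores in the
# correspondence table when it issues the paired check tickets.
BINDING = {
    "object_match": ("User1", "User2"),   # authorized login objects, first -> second
    "device_match": ("A", "B"),
    "id_match": ("P1", "P2"),
}

# Only addition questions of the agreed shape are accepted; nothing from the
# peer is evaluated dynamically.
_QUESTION = re.compile(r"^\s*(\d+)\s*\+\s*(\d+)\s*=\s*\?\s*$")


def agreed_answer(question):
    """Agreed logic operation, as in the text's example: the sum plus 1,
    so "1+1=?" must come back as 3."""
    m = _QUESTION.match(question)
    if not m:
        raise ValueError("challenge not in agreed form")
    return int(m.group(1)) + int(m.group(2)) + 1


def check_object_relation(binding, second_login_object, third_login_object):
    """The observed data access relation (initiator object -> responder object)
    must equal the object access relation bound to the two tickets."""
    observed = (second_login_object, third_login_object)
    if observed != binding["object_match"]:
        return False, "data access relation %r differs from bound %r" % (observed, binding["object_match"])
    return True, "object relation consistent"


def check_login_state(binding, login_state):
    """login_state is {'status': 'active' | 'interrupted', 'login_object': str}."""
    if login_state.get("status") == "interrupted":
        return False, "remote access client login on second terminal is interrupted"
    if login_state.get("login_object") != binding["object_match"][1]:
        return False, "login object of second terminal changed"
    return True, "login state consistent"


def check_logic_challenge(question, returned_result):
    """Compare the peer's logic operation result with the agreed answer."""
    try:
        expected = agreed_answer(question)
    except ValueError as exc:
        return False, str(exc)
    if returned_result != expected:
        return False, "logic operation result %r is inaccurate" % (returned_result,)
    return True, "logic operation result accurate"


def evaluate_detection(binding, request_info, response_info):
    """Run all three checks and produce the security detection result; any
    single failure means the connection does not have security (S104 interrupts)."""
    checks = [
        check_object_relation(binding, request_info["second_login_object"],
                              response_info["third_login_object"]),
        check_login_state(binding, response_info["login_state"]),
        check_logic_challenge(request_info["challenge"],
                              response_info["challenge_result"]),
    ]
    failures = [reason for ok, reason in checks if not ok]
    return {"secure": not failures, "reasons": failures}


# Constructed detection request from the first terminal and three possible
# responses from the second terminal.
REQUEST = {"second_login_object": "User1", "challenge": "1+1=?"}
HEALTHY = {"third_login_object": "User2",
           "login_state": {"status": "active", "login_object": "User2"},
           "challenge_result": 3}
CHANGED_OBJECT = {"third_login_object": "User9",
                  "login_state": {"status": "active", "login_object": "User9"},
                  "challenge_result": 3}
WRONG_LOGIC = dict(HEALTHY, challenge_result=2)
```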
S104, if the security detection result indicates that the remote access connection does not have security, the remote access connection between the first terminal device and the second terminal device is interrupted.
Specifically, if the computer device determines that the security detection result indicates that the remote access connection does not have security, the remote access connection between the first terminal device and the second terminal device is interrupted. The manner in which the remote access connection is interrupted may include, but is not limited to, the following. Mode one: the server stops receiving the remote access data pushed by the first terminal device to the second terminal device. Mode two: the server stops forwarding the remote access data pushed by the first terminal device to the second terminal device. Mode three: the server sends a push blocking instruction to the first terminal device, where the push blocking instruction is used to instruct the first terminal device to stop pushing remote access data to the second terminal device. Mode four: the server sends a stream blocking instruction to the second terminal device, where the stream blocking instruction is used to instruct the second terminal device to stop pulling remote access data from the first terminal device. Therefore, the embodiment of the application can reduce the probability that a vulnerability of the remote access component is exploited by illegal software, and uses the security channel in the zero trust network architecture (namely IOA) to carry out security checks both before and after the remote access connection is established. In this way, the security of access can be improved through multi-point guarantees, the security of device access to intranet host data in a heterogeneous network environment can also be improved, and the reliability and availability of the remote access system are significantly enhanced.
Fig. 7 is a schematic diagram of a remote access connection according to an embodiment of the present application. As shown in fig. 7, a first terminal device 70a (i.e. the target device) pushes service data (i.e. remote access data) to a second terminal device 70f (i.e. the client), and the second terminal device 70f pulls the service data from the first terminal device 70a. The first terminal device 70a may perform step 1 to send a first ticket generation request to the server 70b, where the first ticket generation request carries first device information such as the device ID of the first terminal device (i.e. the current device), the device ID of the second terminal device (i.e. the opposite device), the object information of the first current login object of the first terminal device, the machine software and hardware information, and the current time. After receiving the first ticket generation request of the first terminal device 70a, the server 70b may verify the access right of the first terminal device 70a for the second terminal device 70f according to the first device information. If the server 70b determines that the first terminal device 70a has access rights to the second terminal device 70f, it generates a data push ticket for the first terminal device 70a. Further, the server 70b may perform step 2 to return the data push ticket of the first terminal device 70a to the first terminal device 70a. The first terminal device 70a may receive, through the first remote access client in the first terminal device 70a, the data push ticket returned by the server 70b. The first remote access client may perform step 3 to deliver the data push ticket and related key parameters (e.g., device information, object information, etc.) of the first terminal device 70a to the target machine component 70c of the first terminal device 70a.
The first remote access client invokes the target machine component 70c to generate a first remote connection request carrying the data push ticket issued by the server 70b, so as to push the remote access data of the first terminal device 70a to the second terminal device 70f.
Further, the target machine component 70c may execute step 4 to send the first remote connection request to the CDN node 70d. After the CDN node 70d receives the first remote connection request, it may extract the data push ticket carried by the first remote connection request as the first remote access ticket of the first terminal device 70a. The CDN node 70d may generate a push ticket check request carrying the first remote access ticket of the first terminal device 70a and perform step 5 to send the push ticket check request to the server 70b. The server 70b verifies the first remote access ticket of the first terminal device 70a to obtain a push ticket verification result, and executes step 6 to return the push ticket verification result to the CDN node 70d. The CDN node 70d may determine whether the first terminal device 70a has access legitimacy for the second terminal device 70f according to the push ticket verification result. If the push ticket verification result indicates that the first remote access ticket of the first terminal device 70a passes the verification, the CDN node 70d may execute step 7 and receive the remote access data pushed by the first terminal device 70a towards the second terminal device 70f.
Similarly, the second terminal device 70f may perform step 8 to send a second ticket generation request to the server 70b, where the second ticket generation request carries second device information such as the device ID of the second terminal device (i.e. the current device), the device ID of the first terminal device (i.e. the opposite device), the object information of the second current login object of the second terminal device, the machine software and hardware information, and the current time. After receiving the second ticket generation request of the second terminal device 70f, the server 70b may verify the access right of the second terminal device 70f for the first terminal device 70a according to the second device information. If the server 70b determines that the second terminal device 70f has access rights to the first terminal device 70a, it generates a data pull ticket for the second terminal device 70f. Further, the server 70b may perform step 9 to return the data pull ticket of the second terminal device 70f to the second terminal device 70f. The second terminal device 70f may receive the data pull ticket returned by the server 70b through the second remote access client in the second terminal device 70f. The second remote access client may perform step 10 to deliver the data pull ticket of the second terminal device 70f and related key parameters (e.g., device information, object information, etc.) to the client component 70e of the second terminal device 70f. The second remote access client may invoke the client component 70e to generate a second remote connection request carrying the data pull ticket issued by the server 70b, so as to pull the remote access data of the first terminal device 70a.
Further, the client component 70e may execute step 11 to send the second remote connection request to the CDN node 70d. After the CDN node 70d receives the second remote connection request, it may extract the data pull ticket carried by the second remote connection request as the second remote access ticket of the second terminal device 70f. The CDN node 70d may generate a pull ticket check request carrying the second remote access ticket of the second terminal device 70f and perform step 12 to send the pull ticket check request to the server 70b. The server 70b verifies the second remote access ticket of the second terminal device 70f to obtain a pull ticket verification result, and executes step 13 to return the pull ticket verification result to the CDN node 70d. The CDN node 70d may determine whether the second terminal device 70f has access legitimacy for the first terminal device 70a according to the pull ticket verification result. If the pull ticket verification result indicates that the second remote access ticket of the second terminal device 70f passes the verification, the CDN node 70d may execute step 14 to send the remote access data of the first terminal device 70a to the second terminal device 70f, thereby establishing the remote access connection between the first terminal device 70a and the second terminal device 70f. For details, refer to steps S101 to S104 above, which are not described here again.
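The exchange of fig. 7 (steps 1 to 14), written out as an added worked example; this is not code from the patent or from any Tencent implementation. The HMAC-signed JSON ticket layout, the 300 second validity window, the names `Server`, `CdnNode` and `run_fig7_exchange`, the constructed device ids and login objects, and the rule that the pull ticket must mirror the accepted push ticket (a stand-in for the ticket binding relationship described later) are all assumptions of this example. The `interrupt` method shows mode two of S104, the relay ceasing to forward remote access data.

```python
import hashlib
import hmac
import json
import secrets

KEY = b"constructed-demo-key"   # constructed shared secret held only by the server (assumption)
TICKET_LIFETIME = 300           # assumed validity window of a ticket, in seconds


class Server:
    """Server 70b: checks access rights, issues tickets, answers the CDN node's check requests."""

    def __init__(self, key, acl):
        self.key = key
        self.acl = acl        # set of (device_id, peer_id, login_object) that hold access rights
        self.issued = {}      # ticket id -> ticket; check requests refuse tickets never issued

    def _sign(self, body):
        msg = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def generate_ticket(self, req, kind, now):
        """Steps 1/2 and 8/9: verify the requester's right for the peer, then issue a ticket."""
        if (req["device_id"], req["peer_id"], req["login_object"]) not in self.acl:
            return None                              # no access right: no ticket
        body = {"id": secrets.token_hex(8), "kind": kind, "device": req["device_id"],
                "peer": req["peer_id"], "object": req["login_object"],
                "not_before": now, "not_after": now + TICKET_LIFETIME}
        ticket = dict(body, sig=self._sign(body))
        self.issued[body["id"]] = ticket
        return ticket

    def check_ticket(self, ticket, kind, now):
        """Steps 5/6 and 12/13: answer whether a ticket presented to the CDN node is valid."""
        body = {k: v for k, v in ticket.items() if k != "sig"}
        if not hmac.compare_digest(self._sign(body), ticket.get("sig", "")):
            return False                             # forged, or altered after issue
        if ticket["kind"] != kind or ticket["id"] not in self.issued:
            return False                             # wrong direction, or unknown ticket
        return ticket["not_before"] <= now <= ticket["not_after"]


class CdnNode:
    """CDN node 70d: extracts the ticket from each connection request and relays data
    only after both the push and the pull direction have passed the server's check."""

    def __init__(self, server):
        self.server = server
        self.push = None          # accepted push ticket (first device -> second device)
        self.forwarding = False
        self.delivered = []

    def on_push_request(self, request, now):
        """Steps 4 to 7: the target machine component presents the data push ticket."""
        ticket = request["ticket"]
        if not self.server.check_ticket(ticket, "push", now):
            return False
        self.push = ticket
        return True

    def on_pull_request(self, request, now):
        """Steps 11 to 14: the client component presents the data pull ticket."""
        ticket = request["ticket"]
        if not self.server.check_ticket(ticket, "pull", now):
            return False
        # The pull ticket must mirror the accepted push ticket (same pair, roles swapped);
        # this is a simplified stand-in for the ticket binding relationship (assumption).
        if self.push is None:
            return False
        if (ticket["device"], ticket["peer"]) != (self.push["peer"], self.push["device"]):
            return False
        self.forwarding = True
        return True

    def relay(self, data):
        """Forward one unit of pushed remote access data while the connection is allowed."""
        if self.forwarding:
            self.delivered.append(data)
        return self.forwarding

    def interrupt(self):
        """S104, mode two: the relay stops forwarding remote access data."""
        self.forwarding = False


def run_fig7_exchange(now=1000):
    """Drive the exchange of fig. 7 with constructed device ids and login objects."""
    acl = {("dev-A", "dev-F", "alice"), ("dev-F", "dev-A", "bob")}
    server = Server(KEY, acl)
    cdn = CdnNode(server)
    push_ticket = server.generate_ticket(
        {"device_id": "dev-A", "peer_id": "dev-F", "login_object": "alice"}, "push", now)
    pull_ticket = server.generate_ticket(
        {"device_id": "dev-F", "peer_id": "dev-A", "login_object": "bob"}, "pull", now)
    push_ok = cdn.on_push_request({"ticket": push_ticket}, now)
    pull_ok = cdn.on_pull_request({"ticket": pull_ticket}, now)
    relayed = cdn.relay(b"frame-1")
    forged = dict(pull_ticket, peer="dev-X")      # peer field altered after signing
    forged_ok = server.check_ticket(forged, "pull", now)
    expired_ok = server.check_ticket(push_ticket, "push", now + TICKET_LIFETIME + 1)
    cdn.interrupt()
    after_interrupt = cdn.relay(b"frame-2")
    return {"push_ok": push_ok, "pull_ok": pull_ok, "relayed": relayed,
            "forged_ok": forged_ok, "expired_ok": expired_ok,
            "after_interrupt": after_interrupt, "delivered": len(cdn.delivered)}


if __name__ == "__main__":
    print(run_fig7_exchange())
```

The point the example makes is the separation of roles: the CDN node never decides on its own whether a ticket is valid, it always asks the server (steps 5 and 12), and it relays data only once both directions have been accepted, so a device presenting a pull ticket for which no matching push ticket was accepted is refused even though its own ticket is genuine.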
In the embodiment of the application, when the remote access connection between the first terminal device and the second terminal device needs to be established, that is, after the objects corresponding to the first terminal device and the second terminal device have logged in to the remote access client and before service data is exchanged between the first terminal device and the second terminal device, the access legitimacy of the first terminal device for the second terminal device is verified through the first remote access ticket of the first terminal device, and the access legitimacy of the second terminal device for the first terminal device is verified through the second remote access ticket of the second terminal device. Therefore, whenever a remote access connection needs to be established between terminal devices, access legitimacy verification is carried out, and the scheme no longer relies on network boundary division, so that access security is improved. Further, the remote access connection between the first terminal device and the second terminal device is established only when the first terminal device has access legitimacy for the second terminal device and the second terminal device has access legitimacy for the first terminal device, so the probability of a terminal device being exploited by illegal software is reduced and access security is further improved.
Meanwhile, in the process that the first terminal device and the second terminal device exchange service data through the remote access connection, secondary security detection is carried out on the remote access connection; if the remote access connection does not have security, the remote access connection between the first terminal device and the second terminal device is interrupted. This avoids the situation in which a terminal device is invaded and exploited by illegal software while the remote access connection is in use. Since security verification is carried out both before and after the remote access connection is established, access security is further improved through multi-point security guarantees, and the reliability and usability of access are significantly enhanced.
Referring to fig. 8, fig. 8 is a flowchart of a data access method according to an embodiment of the present application. The data access method may be performed by any terminal device in fig. 1, may be performed by the server 10 in fig. 1, or may be performed by any terminal device in fig. 1 and the server 10 in fig. 1 together, where the devices for performing the method may be collectively referred to as a computer device in this application. As shown in fig. 8, the data access method may include, but is not limited to, the following steps:
S201, if the remote access connection between the first terminal device and the second terminal device needs to be established, verifying the access legitimacy of the first terminal device for the second terminal device according to the first remote access ticket of the first terminal device to obtain a first verification result, and verifying the access legitimacy of the second terminal device for the first terminal device according to the second remote access ticket of the second terminal device to obtain a second verification result.
S202, if the first verification result indicates that the first terminal equipment has access legitimacy aiming at the second terminal equipment, and the second verification result indicates that the second terminal equipment has access legitimacy aiming at the first terminal equipment, establishing remote access connection between the first terminal equipment and the second terminal equipment.
Specifically, for the content of steps S201 to S202 in the embodiment of the present application, refer to steps S101 to S102 in fig. 3, which are not described here again.
S203, in the process that the first terminal device and the second terminal device exchange service data through the remote access connection, forwarding a security detection instruction generated by the first terminal device to the second terminal device through the remote access connection.
Specifically, in the process that the first terminal device and the second terminal device exchange service data through the remote access connection, the first terminal device may generate, through the first remote access client, a security detection instruction for detecting the security of the second terminal device. The first remote access client may send the security detection instruction to the first remote access component in the first terminal device, and the first remote access component sends the security detection instruction for the second terminal device towards the second terminal device; that is, the security detection instruction generated by the first terminal device is forwarded to the data forwarding node through the remote access connection. After receiving the security detection instruction sent by the first terminal device, the data forwarding node may forward it to the second remote access component of the second terminal device. The security detection instruction may include detection request information indicating that aspects such as the second device information, the login state, the software and hardware environment condition and the risk condition of the second terminal device are to be detected, and may also include detection logic agreed between the first terminal device and the second terminal device.
In this way, while the first terminal device and the second terminal device exchange service data through the remote access connection, the remote access connection is verified a second time, which reduces the probability of it being exploited by illegal software. At the same time, the security channel of the zero trust network architecture is used for verification both before and after the remote access connection is established, so security is guaranteed at multiple points, the security of data access is improved, and the reliability and usability of the access system are significantly enhanced.
S204, if the detection response information returned by the second terminal device based on the security detection instruction is not received within the target duration, forwarding the security detection instruction to the second terminal device again through the remote access connection.
Specifically, if the computer device does not receive, within the target duration, the detection response information returned by the second terminal device based on the security detection instruction, the second terminal device may simply not have received the security detection instruction, for example because of a network problem. The computer device may therefore forward the security detection instruction to the second terminal device again through the remote access connection. This avoids wrongly judging the second terminal device as not having security. For how the security detection instruction is forwarded to the second terminal device, refer to the description above of sending the security detection instruction to the second terminal device, which is not repeated here.
S205, if the number of times the security detection instruction has been forwarded to the second terminal device is greater than the number-of-times threshold and the detection response information returned by the second terminal device based on the security detection instruction has still not been received, generating a security detection result that the remote access connection does not have security.
Specifically, after the computer device forwards the security detection instruction to the second terminal device again, if the detection response information returned by the second terminal device based on the security detection instruction is still not received within the target duration, the computer device may forward the security detection instruction to the second terminal device once more. If the number of times the security detection instruction has been forwarded to the second terminal device is greater than the number-of-times threshold and the detection response information returned by the second terminal device based on the security detection instruction has still not been received, a security detection result that the remote access connection does not have security is generated. In this way the probability of exploitation by illegal software is reduced while wrongly judging the second terminal device as not having security is avoided; at the same time, the security channel of the zero trust network architecture is used for verification both before and after the remote access connection is established, the security of data access is improved through multi-point guarantees, and the reliability and usability of the access system are significantly enhanced.
S206, if the security detection result indicates that the remote access connection has no security, the remote access connection between the first terminal device and the second terminal device is interrupted.
Specifically, for the content of step S206 in the embodiment of the present application, refer to step S104 in fig. 3, which is not described here again.
Fig. 9 is a schematic diagram of detecting a remote access connection according to an embodiment of the present application. As shown in fig. 9, a first terminal device 90a generates, through the first remote access client of the first terminal device 90a, a security detection instruction for detecting the security of a second terminal device. The security detection instruction may include detection request information indicating that the second device information, the login state, the software and hardware environment condition, the risk condition and the like of the second terminal device are to be detected. The first remote access client may perform step 1 to send the security detection instruction to the target machine component 90b in the first terminal device, and the target machine component 90b sends the security detection instruction to the CDN node 90c. After receiving the security detection instruction sent by the first terminal device 90a, the CDN node 90c may forward it to the client component 90d of the second terminal device 90e. After receiving the security detection instruction, the client component 90d may execute step 2 to send it to the second remote access client of the second terminal device 90e, and the second remote access client generates detection response information corresponding to the security detection instruction sent by the first terminal device.
Further, the second remote access client may perform step 3 to send the detection response information to the client component 90d; the client component 90d sends the detection response information to the CDN node 90c, the CDN node 90c returns it to the target machine component 90b, and the target machine component 90b performs step 4 to return the detection response information to the first remote access client. The first remote access client may generate a data verification request concerning the detection response information and perform step 5 to send it to the server 90f. The server 90f may verify the detection response information to obtain a verification result concerning the detection response information, and perform step 6 to return that verification result to the first terminal device 90a. If the first terminal device 90a determines that the verification result indicates that the second terminal device is abnormal, the remote access connection between the first terminal device 90a and the second terminal device 90e is interrupted. Access security is therefore improved through multi-point guarantees, the security of device access to intranet host data in a heterogeneous network environment is also improved, and the reliability and availability of the remote access system are significantly enhanced.
In the embodiment of the application, when the remote access connection between the first terminal device and the second terminal device needs to be established, that is, after the objects corresponding to the first terminal device and the second terminal device have logged in to the remote access client and before service data is exchanged between the first terminal device and the second terminal device, the access legitimacy of the first terminal device for the second terminal device is verified through the first remote access ticket of the first terminal device, and the access legitimacy of the second terminal device for the first terminal device is verified through the second remote access ticket of the second terminal device. Therefore, whenever a remote access connection needs to be established between terminal devices, access legitimacy verification is carried out, and the scheme no longer relies on network boundary division, so that access security is improved. Further, the remote access connection between the first terminal device and the second terminal device is established only when the first terminal device has access legitimacy for the second terminal device and the second terminal device has access legitimacy for the first terminal device, so the probability of a terminal device being exploited by illegal software is reduced and access security is further improved.
Meanwhile, in the process that the first terminal device and the second terminal device exchange service data through the remote access connection, secondary security detection is carried out on the remote access connection; if the remote access connection does not have security, the remote access connection between the first terminal device and the second terminal device is interrupted. This avoids the situation in which a terminal device is invaded and exploited by illegal software while the remote access connection is in use. Since security verification is carried out both before and after the remote access connection is established, access security is further improved through multi-point security guarantees, and the reliability and usability of access are significantly enhanced. Meanwhile, after the computer device forwards the security detection instruction to the second terminal device again, if the detection response information returned by the second terminal device based on the security detection instruction is still not received within the target duration, the computer device may continue to forward the security detection instruction to the second terminal device. If the number of times the security detection instruction has been forwarded to the second terminal device is greater than the number-of-times threshold and the detection response information returned by the second terminal device based on the security detection instruction has still not been received, a security detection result that the remote access connection does not have security is generated, so that wrongly judging the second terminal device as not having security can be avoided.
Referring to fig. 10, fig. 10 is a schematic structural diagram of a data access device according to an embodiment of the present application. The data access means may be a computer program (comprising program code) running in a computer device, for example the data access means is an application software; the data access device can be used for executing corresponding steps in the data access method provided by the embodiment of the application. As shown in fig. 10, the data access apparatus may include: the system comprises a verification module 11, a first establishment module 12, a security detection module 13, an interruption module 14, a first receiving module 15, a first verification module 16, a first generation module 17, a first storage module 18, a second receiving module 19, a second verification module 20, a second generation module 21, a second storage module 22, a second establishment module 23, a third establishment module 24, a third generation module 25, a third storage module 26, a first acquisition module 27, a second acquisition module 28, a state detection module 29 and a sending module 30.
A verification module 11, configured to verify, if a remote access connection between a first terminal device and a second terminal device needs to be established, access legitimacy of the first terminal device for the second terminal device according to a first remote access ticket of the first terminal device, to obtain a first verification result, and verify, according to a second remote access ticket of the second terminal device, access legitimacy of the second terminal device for the first terminal device, to obtain a second verification result;
A first establishing module 12, configured to establish a remote access connection between the first terminal device and the second terminal device if the first verification result indicates that the first terminal device has access legitimacy for the second terminal device, and the second verification result indicates that the second terminal device has access legitimacy for the first terminal device;
the security detection module 13 is configured to detect the security of the remote access connection in the process that the first terminal device and the second terminal device exchange service data through the remote access connection, so as to obtain a security detection result;
and an interruption module 14, configured to interrupt the remote access connection between the first terminal device and the second terminal device if the security detection result indicates that the remote access connection has no security.
The first remote access ticket of the first terminal device is a data push ticket reflecting that the first terminal device needs to push service data to the second terminal device;
the verification module 11 includes:
a first obtaining unit 1101, configured to obtain a first remote connection request sent by the first terminal device and directed to the second terminal device, where the first remote connection request carries the data push ticket of the first terminal device;
a first determining unit 1102, configured to determine that the first terminal device has access legitimacy for the second terminal device if a check ticket matching the data push ticket exists in a first check ticket database; the first check ticket database comprises check tickets generated according to the device information of terminal devices that have the data push authority;
a first generating unit 1103 is configured to generate a first verification result that the first terminal device has access validity for the second terminal device.
Wherein the verification module 11 further comprises:
a second determining unit 1104, configured to determine a format matching degree between the ticket format of the data push ticket and the ticket format of the check tickets of the first check ticket database;
a third determining unit 1105, configured to determine, if the format matching degree is greater than the format matching degree threshold, a content matching degree between the ticket content of the data push ticket and the ticket content of the check tickets of the first check ticket database;
a fourth determining unit 1106, configured to determine that a check ticket matching the data push ticket exists in the first check ticket database if a check ticket whose content matching degree is greater than the content matching degree threshold exists in the first check ticket database.
The third determining unit 1105 is specifically configured to:
if the format matching degree is greater than the format matching degree threshold, querying the first check ticket database for a check ticket whose ticket validity period includes the target time, as the target check ticket; the target time is the time at which the first remote connection request is received;
parsing the ticket content of the data push ticket to obtain the object information of the first login object in the data push ticket; the first login object is the object logged in to the first terminal device;
parsing the ticket content of the target check ticket to obtain the object information of the authorized login object in the target check ticket;
determining the object information matching degree between the object information of the first login object and the object information of the authorized login object in the target check ticket;
and taking the object information matching degree as the content matching degree between the ticket content of the data push ticket and the ticket content of the check tickets of the first check ticket database.
The second remote access ticket of the second terminal device is a data pull ticket reflecting that the second terminal device needs to pull service data from the first terminal device;
the verification module 11 includes:
a second obtaining unit 1107, configured to obtain a second remote connection request sent by the second terminal device and directed to the first terminal device, where the second remote connection request carries the data pull ticket of the second terminal device;
a fifth determining unit 1108, configured to determine the ticket correspondence between the data pull ticket and the data push ticket if a check ticket matching the data pull ticket exists in a second check ticket database; the second check ticket database comprises check tickets generated according to the device information of terminal devices that have the data pull authority;
a sixth determining unit 1109, configured to determine that the second terminal device has access legitimacy for the first terminal device if the ticket correspondence indicates that there is a ticket binding relationship between the data pull ticket and the data push ticket;
a second generating unit 1110, configured to generate a second verification result that the second terminal device has access legitimacy for the first terminal device.
The fifth determining unit 1108 is specifically configured to:
if the second check ticket database contains a check ticket matching the data pull ticket, obtaining the ticket identifier of the data pull ticket and the ticket identifier of the data push ticket;
querying, according to the ticket identifier of the data pull ticket and the ticket identifier of the data push ticket, a correspondence table for the ticket correspondence indication information between the data pull ticket and the data push ticket;
and determining the ticket correspondence between the data pull ticket and the data push ticket according to the queried ticket correspondence indication information.
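The matching logic of verification module 11 (units 1101 to 1109), as an added example that is not code from the patent: a format matching degree over the ticket layout, a validity period that must contain the target time, an object information matching degree used as the content matching degree, and a correspondence table consulted for the pull/push binding. The thresholds (0.8 and 0.9), the field layout in `REQUIRED`, the `CheckTicket` record, the extra requirement that the check ticket was issued for the same device pair, the function names and all sample tickets are assumptions of this example.

```python
from dataclasses import dataclass

FORMAT_THRESHOLD = 0.8      # assumed threshold for the format matching degree (unit 1105)
CONTENT_THRESHOLD = 0.9     # assumed threshold for the content matching degree (unit 1106)

# Expected ticket layout, used to score the format matching degree (assumption).
REQUIRED = {"ticket_id": str, "device_id": str, "peer_id": str,
            "object": dict, "not_before": int, "not_after": int}


@dataclass
class CheckTicket:
    """A check ticket the server stored when it granted a device push or pull rights."""
    ticket_id: str
    device_id: str
    peer_id: str
    authorized_object: dict   # object information of the authorized login object
    not_before: int
    not_after: int            # ticket validity period


def format_match_degree(ticket):
    """Unit 1104: share of expected fields present with the expected type."""
    hits = sum(1 for k, t in REQUIRED.items() if isinstance(ticket.get(k), t))
    return hits / len(REQUIRED)


def object_match_degree(obj, authorized):
    """Unit 1105: share of the authorized object's attributes reproduced in the ticket."""
    if not authorized:
        return 0.0
    return sum(1 for k, v in authorized.items() if obj.get(k) == v) / len(authorized)


def find_matching_check_ticket(ticket, db, now):
    """Units 1104 to 1106: format check, then content check against the check tickets
    whose validity period contains the target time `now` (the target check tickets)."""
    if format_match_degree(ticket) <= FORMAT_THRESHOLD:
        return None
    for ct in db:
        if not ct.not_before <= now <= ct.not_after:
            continue                                  # not a target check ticket
        if (ct.device_id, ct.peer_id) != (ticket["device_id"], ticket["peer_id"]):
            continue                                  # issued for another device pair (assumption)
        if object_match_degree(ticket["object"], ct.authorized_object) > CONTENT_THRESHOLD:
            return ct
    return None


def verify_push(push_ticket, push_db, now):
    """Units 1101 to 1103: the first device is legitimate iff a matching check ticket exists."""
    return find_matching_check_ticket(push_ticket, push_db, now) is not None


def verify_pull(pull_ticket, push_ticket, pull_db, correspondence, now):
    """Units 1107 to 1109: a matching check ticket, and the correspondence table must
    show a binding between this pull ticket and the push ticket it is paired with."""
    if find_matching_check_ticket(pull_ticket, pull_db, now) is None:
        return False
    indication = correspondence.get((pull_ticket["ticket_id"], push_ticket["ticket_id"]))
    return indication == "bound"


# Constructed sample data for a demonstration run.
PUSH_DB = [CheckTicket("chk-push-1", "dev-A", "dev-F", {"account": "alice", "org": "sec"}, 0, 1000)]
PULL_DB = [CheckTicket("chk-pull-1", "dev-F", "dev-A", {"account": "bob", "org": "sec"}, 0, 1000)]
CORRESPONDENCE = {("pull-1", "push-1"): "bound"}

PUSH_TICKET = {"ticket_id": "push-1", "device_id": "dev-A", "peer_id": "dev-F",
               "object": {"account": "alice", "org": "sec"}, "not_before": 0, "not_after": 1000}
PULL_TICKET = {"ticket_id": "pull-1", "device_id": "dev-F", "peer_id": "dev-A",
               "object": {"account": "bob", "org": "sec"}, "not_before": 0, "not_after": 1000}


def demo():
    """Exercise the accept path and the main reject paths on the constructed data."""
    wrong_org = dict(PUSH_TICKET, object={"account": "alice", "org": "ops"})
    malformed = dict(PUSH_TICKET, object="alice", not_after="later")   # two fields mistyped
    unbound_pull = dict(PULL_TICKET, ticket_id="pull-2")                # no table entry
    return {
        "push_ok": verify_push(PUSH_TICKET, PUSH_DB, now=500),
        "push_expired": verify_push(PUSH_TICKET, PUSH_DB, now=2000),
        "push_wrong_object": verify_push(wrong_org, PUSH_DB, now=500),
        "push_malformed": verify_push(malformed, PUSH_DB, now=500),
        "pull_ok": verify_pull(PULL_TICKET, PUSH_TICKET, PULL_DB, CORRESPONDENCE, now=500),
        "pull_unbound": verify_pull(unbound_pull, PUSH_TICKET, PULL_DB, CORRESPONDENCE, now=500),
    }


if __name__ == "__main__":
    print(demo())
```

The ordering matters for cost and safety: the cheap format check runs first and a ticket that fails it never reaches the database scan, the validity window is filtered before any content comparison, and a pull ticket that is genuine on its own is still refused when the correspondence table holds no binding to the push ticket it claims to pair with.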
Wherein the first setup module 12 comprises:
a third generating unit 1201, configured to generate access connection indication information if the first verification result indicates that the first terminal device has access legitimacy for the second terminal device, and the second verification result indicates that the second terminal device has access legitimacy for the first terminal device;
a first transmitting unit 1202 configured to transmit access connection indication information to a data forwarding node; the access connection indication information is used for indicating the data forwarding node to forward the remote access data sent by the first terminal device to the second terminal device so as to establish the remote access connection between the first terminal device and the second terminal device.
Wherein the security detection module 13 comprises:
a first forwarding unit 1301, configured to forward, in a process that the first terminal device and the second terminal device interact service data through a remote access connection, a security detection instruction generated by the first terminal device to the second terminal device through the remote access connection; the security detection instruction comprises detection request information;
A third obtaining unit 1302, configured to obtain detection response information returned by the second terminal device based on the security detection instruction;
the detecting unit 1303 is configured to detect security of the remote access connection according to the detection request information and the detection response information, and obtain a security detection result.
The detection request information comprises object information of a second login object logged into the first terminal equipment, and the detection response information comprises object information of a third login object logged into the second terminal equipment;
the third obtaining unit 1302 is specifically configured to:
determining a data access relation between the second login object and the third login object according to the object information of the second login object and the object information of the third login object;
if the data access relation is abnormal, a security detection result that the remote access connection does not have security is generated.
The detection request information indicates that the login state of the remote access client in the second terminal device is to be detected; the remote access client is the client used to establish the remote access connection; the detection response information is the login state of the remote access client in the second terminal device;
the third obtaining unit 1302 is specifically configured to:
If the login state indicates that the login state of the remote access client in the second terminal equipment is in an interrupt state, generating a security detection result that the remote access connection does not have security;
and if the login state indicates that the current login object of the remote access client in the second terminal device is inconsistent with the login object recorded in the second remote access ticket, generating a security detection result that the remote access connection does not have security.
Wherein the security detection module 13 comprises:
a second forwarding unit 1304, configured to forward, in the process that the first terminal device and the second terminal device exchange service data through the remote access connection, a security detection instruction generated by the first terminal device to the second terminal device through the remote access connection; the security detection instruction comprises detection request information;
a re-forwarding unit 1305, configured to, if the detection response information returned by the second terminal device based on the security detection instruction is not received within the target duration, forward the security detection instruction to the second terminal device again through the remote access connection;
the fourth generating unit 1306 is configured to generate a security detection result that the remote access connection does not have security if the number of times of forwarding the security detection instruction to the second terminal device is greater than the number threshold and the detection response information returned by the second terminal device based on the security detection instruction is not received.
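The in-session detection described by units 1301 to 1306 (forward a detection instruction, re-forward on timeout, judge insecure once the forward count exceeds the threshold, and otherwise check login state, login object against the ticket, and the data access relation) as an added example in Python; it is not code from the patent, and the allowed-relation set, the scripted transport and the thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, Optional, Set, Tuple


class LoginState(Enum):
    ACTIVE = "active"
    INTERRUPTED = "interrupted"


@dataclass(frozen=True)
class DetectionRequest:
    # Object information of the login object on the first terminal device
    # (the "second login object" in the module description above).
    requester_object: str


@dataclass(frozen=True)
class DetectionResponse:
    # Object information of the login object on the second terminal device
    # (the "third login object") plus the remote access client's login state.
    responder_object: str
    login_state: LoginState


@dataclass
class MonitorConfig:
    ticket_login_object: str                 # login object recorded in the second remote access ticket
    allowed_relations: Set[Tuple[str, str]]  # (requester, responder) pairs with a normal data access relation
    target_duration: float = 2.0             # seconds to wait before re-forwarding the instruction
    count_threshold: int = 3                 # forwards tolerated before the connection is judged insecure


@dataclass(frozen=True)
class ProbeResult:
    secure: bool
    reason: str
    forwards: int  # how many times the detection instruction was forwarded


# The forwarding side of the remote access connection: returns the second
# terminal's response, or None when nothing arrived within `timeout` seconds.
Forwarder = Callable[[DetectionRequest, float], Optional[DetectionResponse]]


def probe_connection(cfg: MonitorConfig, request: DetectionRequest,
                     forward: Forwarder) -> ProbeResult:
    """One detection round: forward, retry on timeout, then judge the response."""
    forwards = 0
    response = None
    while response is None:
        response = forward(request, cfg.target_duration)
        forwards += 1
        # Re-forwarding is bounded: past the count threshold with still no
        # response, the connection is judged insecure instead of retried forever.
        if response is None and forwards > cfg.count_threshold:
            return ProbeResult(False, f"no detection response after {forwards} forwards", forwards)
    if response.login_state is LoginState.INTERRUPTED:
        return ProbeResult(False, "remote access client login is in interrupted state", forwards)
    if response.responder_object != cfg.ticket_login_object:
        return ProbeResult(False, "current login object differs from the one in the ticket", forwards)
    if (request.requester_object, response.responder_object) not in cfg.allowed_relations:
        return ProbeResult(False, "abnormal data access relation between login objects", forwards)
    return ProbeResult(True, "ok", forwards)


def supervise(cfg: MonitorConfig, request: DetectionRequest,
              forward: Forwarder, rounds: int) -> int:
    """Run periodic detection rounds over the session. Returns the 1-based round
    at which the connection must be interrupted, or 0 if it stayed secure."""
    for i in range(1, rounds + 1):
        if not probe_connection(cfg, request, forward).secure:
            return i
    return 0


def scripted_forwarder(script: Iterable[Optional[DetectionResponse]]) -> Forwarder:
    """Constructed stand-in for the real connection: each call yields the next
    scripted reply; None (or an exhausted script) models a timeout."""
    replies = iter(script)

    def forward(request: DetectionRequest, timeout: float) -> Optional[DetectionResponse]:
        return next(replies, None)

    return forward


if __name__ == "__main__":
    cfg = MonitorConfig(ticket_login_object="bob", allowed_relations={("alice", "bob")})
    req = DetectionRequest(requester_object="alice")
    ok = DetectionResponse("bob", LoginState.ACTIVE)
    # Constructed session: two healthy rounds, then the peer goes silent.
    script = [ok, ok, None, None, None, None]
    print("interrupt at round", supervise(cfg, req, scripted_forwarder(script), rounds=5))
```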
Wherein the data access device further comprises:
the first receiving module 15 is configured to receive, after the first terminal device receives the remote access request sent by the second terminal device, a first ticket generation request generated by the first terminal device based on the remote access request; the first bill generation request carries first equipment information of first terminal equipment;
the first verification module 16 is configured to verify, according to first device information of the first terminal device, an access right of the first terminal device for the second terminal device, to obtain a first device verification result;
a first generation module 17, configured to generate a first check ticket corresponding to the first terminal device according to the first device information if the first device check result indicates that the first terminal device has access rights for the second terminal device;
the first storage module 18 is configured to store a first check ticket corresponding to the first terminal device in a first check ticket database.
Wherein the data access device further comprises:
a second receiving module 19, configured to receive a second ticket generating request generated by a second terminal device based on the remote access request; the second bill generation request carries second equipment information of second terminal equipment;
The second checking module 20 is configured to check, according to second device information of the second terminal device, an access right of the second terminal device for the first terminal device, to obtain a second device checking result;
a second generating module 21, configured to generate a second check ticket corresponding to the second terminal device according to the second device information if the second device check result indicates that the second terminal device has access validity for the first terminal device;
and a second storage module 22, configured to store the second check ticket corresponding to the second terminal device into a second check ticket database.
The second device information of the second terminal device comprises a device running log of the second terminal device and a second current login object of the second terminal device when the second terminal device generates a second bill generation request;
the second checking module 20 checks, according to the second device information of the second terminal device, the access right of the second terminal device for the first terminal device, to obtain a second device checking result, including:
determining the equipment reliability of the second terminal equipment according to the equipment operation log of the second terminal equipment;
if the equipment reliability of the second terminal equipment is greater than or equal to the first reliability threshold, acquiring object characteristic information of a login object of the second terminal equipment, and determining the object reliability of a second current login object according to the object characteristic information of the login object;
If the object credit rating of the second current login object is greater than or equal to a second credit rating threshold, determining the data pulling authority of the second current login object for the first terminal device according to the object characteristic information of the second current login object;
and if the data pulling authority indicates that the second current login object has the authority to pull the multimedia data of the first terminal equipment, generating a second equipment verification result that the second terminal equipment has the access authority for the first terminal equipment.
The first equipment information comprises a first current login object of the first terminal equipment when a first bill generation request is generated; the data access device further includes:
a second establishing module 23, configured to establish an object matching relationship between the authorized login object of the first check ticket and the authorized login object of the second check ticket; the authorized login object of the first check bill is a first current login object, and the authorized login object of the second check bill is a second current login object;
a third establishing module 24, configured to establish a device matching relationship between the first terminal device and the second terminal device, and an identifier matching relationship between the ticket identifier of the first check ticket and the ticket identifier of the second check ticket;
A third generating module 25, configured to generate ticket correspondence indicating information for a ticket binding relationship between the first check ticket and the second check ticket according to the object matching relationship, the device matching relationship, and the identifier matching relationship;
the third storage module 26 is configured to store the ticket correspondence indication information, which indicates the ticket binding relationship between the first check ticket and the second check ticket, into the correspondence table.
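The ticket lifecycle described by modules 15 to 26 together with the verification units summarised at the top of this section (device reliability from the run log, object reliability, data pull authority, check tickets stored per database, a push/pull binding recorded in a correspondence table, then format and content matching against target check tickets whose validity period includes the request time) as an added Python example; it is not the patent's code, and the ticket fields, reliability heuristics, thresholds and the extra kind/device filter are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import secrets

# Constructed ticket format: field name -> expected type. Format matching degree
# is the share of fields present with the expected type.
TICKET_FIELDS = {"ticket_id": str, "device_id": str, "kind": str,
                 "login_object": dict, "not_before": int, "not_after": int}


@dataclass
class Policy:
    device_reliability_threshold: float = 0.8   # "first reliability threshold"
    object_reliability_threshold: float = 0.7   # "second reliability threshold"
    format_match_threshold: float = 0.99        # in effect: every field must be present
    content_match_threshold: float = 0.99       # in effect: object info must match in full


def device_reliability(run_log: List[str]) -> float:
    """Constructed heuristic: share of device run-log lines without tamper markers."""
    if not run_log:
        return 0.0
    bad = sum(1 for line in run_log if "TAMPER" in line or "INTEGRITY_FAIL" in line)
    return 1.0 - bad / len(run_log)


def object_reliability(features: dict) -> float:
    """Constructed heuristic over object feature information."""
    score = 0.0
    if features.get("mfa"):
        score += 0.5
    if features.get("managed_account"):
        score += 0.3
    if features.get("failed_logins_24h", 0) < 3:
        score += 0.2
    return score


def format_match(ticket: dict) -> float:
    present = sum(1 for k, t in TICKET_FIELDS.items() if isinstance(ticket.get(k), t))
    return present / len(TICKET_FIELDS)


def object_match(a: dict, b: dict) -> float:
    """Object information matching degree: share of fields that agree."""
    keys = set(a) | set(b)
    return sum(1 for k in keys if a.get(k) == b.get(k)) / len(keys) if keys else 0.0


class TicketAuthority:
    def __init__(self, policy: Optional[Policy] = None):
        self.policy = policy or Policy()
        self.push_db: Dict[str, dict] = {}   # first check-ticket database
        self.pull_db: Dict[str, dict] = {}   # second check-ticket database
        self.correspondence: Dict[Tuple[str, str], dict] = {}  # correspondence table

    def _make(self, kind: str, device_id: str, login_object: dict, now: int, ttl: int) -> dict:
        return {"ticket_id": secrets.token_hex(8), "device_id": device_id, "kind": kind,
                "login_object": dict(login_object), "not_before": now, "not_after": now + ttl}

    def issue_push_ticket(self, device_id: str, login_object: dict, now: int, ttl: int = 300) -> dict:
        ticket = self._make("push", device_id, login_object, now, ttl)
        self.push_db[ticket["ticket_id"]] = ticket
        return ticket

    def issue_pull_ticket(self, device_id: str, login_object: dict, run_log: List[str],
                          features: dict, target_device: str, now: int, ttl: int = 300) -> Optional[dict]:
        """Device reliability, then object reliability, then data pull authority."""
        if device_reliability(run_log) < self.policy.device_reliability_threshold:
            return None
        if object_reliability(features) < self.policy.object_reliability_threshold:
            return None
        if target_device not in features.get("pull_targets", ()):
            return None
        ticket = self._make("pull", device_id, login_object, now, ttl)
        self.pull_db[ticket["ticket_id"]] = ticket
        return ticket

    def bind(self, push: dict, pull: dict) -> None:
        """Record the object, device and identifier matching relations in the table."""
        self.correspondence[(push["ticket_id"], pull["ticket_id"])] = {
            "objects": (push["login_object"], pull["login_object"]),
            "devices": (push["device_id"], pull["device_id"])}

    def _matching_ticket(self, db: Dict[str, dict], presented: dict, now: int) -> Optional[dict]:
        p = self.policy
        if format_match(presented) <= p.format_match_threshold:
            return None
        for stored in db.values():
            if not stored["not_before"] <= now <= stored["not_after"]:
                continue  # only target check tickets whose validity period includes now
            # Added filter (not spelled out in the claims): same kind and device.
            if stored["kind"] != presented["kind"] or stored["device_id"] != presented["device_id"]:
                continue
            if object_match(presented["login_object"], stored["login_object"]) > p.content_match_threshold:
                return stored
        return None

    def verify_push(self, presented: dict, now: int) -> bool:
        return self._matching_ticket(self.push_db, presented, now) is not None

    def verify_pull(self, presented_pull: dict, presented_push: dict, now: int) -> bool:
        stored = self._matching_ticket(self.pull_db, presented_pull, now)
        if stored is None:
            return False
        # The pull side is legitimate only when bound to this specific push ticket.
        return (presented_push["ticket_id"], stored["ticket_id"]) in self.correspondence
```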
Wherein the data access device further comprises:
a first obtaining module 27, configured to obtain a remote access request sent by the second terminal device and directed to the first terminal device;
a second obtaining module 28, configured to obtain, if the first terminal device belongs to the permission terminal device list, first device information of the first terminal device and second device information of the second terminal device according to the remote access request; the authority terminal equipment list comprises terminal equipment with access authority of the second terminal equipment;
a state detection module 29, configured to detect a first access state of the first terminal device according to the first device information, and detect a second access state of the second terminal device according to the second device information;
the sending module 30 is configured to send a remote access request to the first terminal device if the first access status indicates that the first terminal device is in an accessible state and the second access status indicates that the second terminal device is in an accessible state.
According to an embodiment of the present application, each module in the data access apparatus shown in fig. 10 may be separately or completely combined into one or several units, or some of the units may be further split into a plurality of sub-units with smaller functions, so that the same operation may be implemented without affecting the technical effects of the embodiments of the present application. The above modules are divided based on logic functions; in practical applications, the functions of one module may be implemented by a plurality of units, or the functions of a plurality of modules may be implemented by one unit. In other embodiments of the present application, the data access device may also include other units, and in practical applications these functions may also be implemented with assistance from other units or by cooperation of multiple units.
In the embodiment of the application, when the remote access connection between the first terminal device and the second terminal device is required to be established, namely after the objects corresponding to the first terminal device and the second terminal device are logged in to the remote access client, and before the service data are interacted between the first terminal device and the second terminal device, the access legitimacy of the first terminal device for the second terminal device is verified through the first remote access ticket of the first terminal device, and the access legitimacy of the second terminal device for the first terminal device is verified according to the second remote access ticket of the second terminal device. Therefore, as long as remote access connection needs to be established between the terminal devices, access validity verification needs to be carried out, and the fact that boundary division is not relied on any more can be achieved, so that the access safety is improved. Further, the remote access connection between the first terminal device and the second terminal device is established only when the first terminal device has access legitimacy for the second terminal device and the second terminal device has access legitimacy for the first terminal device, so that the probability of the terminal device being utilized by illegal software can be reduced, and the access security is further improved. 
Meanwhile, in the process that the first terminal equipment and the second terminal equipment exchange service data through remote access connection, secondary security detection is carried out on the security of the remote access connection, if the remote access connection does not have security, the remote access connection between the first terminal equipment and the second terminal equipment is interrupted, the situation that the terminal equipment is used by illegal software invasion in the process of remote access connection can be avoided, security verification is carried out in the process before and after the establishment of the remote access connection, the security of access can be further improved through multi-point security guarantee, and the reliability and usability of access are obviously enhanced. Meanwhile, after the computer equipment forwards the security detection instruction to the second terminal equipment again, if the detection response information returned by the second terminal equipment based on the security detection instruction is not received within the target duration, the computer equipment can also continue to forward the security detection instruction to the second terminal equipment. If the number of times of forwarding the security detection instruction to the second terminal device is greater than the number of times threshold and the detection response information returned by the second terminal device based on the security detection instruction is not received, a security detection result that the remote access connection does not have security is generated, so that the occurrence of misjudgment that the second terminal device does not have security can be avoided,
Referring to fig. 11, fig. 11 is a schematic structural diagram of a computer device according to an embodiment of the present application. As shown in fig. 11, the above-mentioned computer device 1000 may include: processor 1001, network interface 1004, and memory 1005, and in addition, the above-described computer device 1000 may further include: a user interface 1003, and at least one communication bus 1002. Wherein the communication bus 1002 is used to enable connected communication between these components. The user interface 1003 may include a Display (Display), a Keyboard (Keyboard), and the optional user interface 1003 may further include a standard wired interface, a wireless interface, among others. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a nonvolatile memory (non-volatile memory), such as at least one magnetic disk memory. The memory 1005 may also optionally be at least one storage device located remotely from the processor 1001. As shown in fig. 11, an operating system, a network communication module, a user interface module, and a device control application may be included in the memory 1005, which is one type of computer-readable storage medium.
In the computer device 1000 shown in FIG. 11, the network interface 1004 may provide network communication functions; while user interface 1003 is primarily used as an interface for providing input to a user; and the processor 1001 may be used to invoke a device control application stored in the memory 1005 to implement:
if the remote access connection between the first terminal equipment and the second terminal equipment is required to be established, verifying the access legitimacy of the first terminal equipment for the second terminal equipment according to a first remote access ticket of the first terminal equipment to obtain a first verification result, and verifying the access legitimacy of the second terminal equipment for the first terminal equipment according to a second remote access ticket of the second terminal equipment to obtain a second verification result;
if the first verification result indicates that the first terminal equipment has access legitimacy aiming at the second terminal equipment, and the second verification result indicates that the second terminal equipment has access legitimacy aiming at the first terminal equipment, establishing remote access connection between the first terminal equipment and the second terminal equipment;
in the process that the first terminal equipment and the second terminal equipment exchange service data through remote access connection, detecting the security of the remote access connection to obtain a security detection result;
And if the security detection result indicates that the remote access connection does not have security, interrupting the remote access connection between the first terminal equipment and the second terminal equipment.
It should be understood that the computer device 1000 described in the embodiments of the present application may perform the description of the data access method in the embodiment corresponding to fig. 3 or fig. 8, and may also perform the description of the data access device in the embodiment corresponding to fig. 10, which is not repeated herein. In addition, the description of the beneficial effects of the same method is omitted.
Furthermore, it should be noted here that: the embodiments of the present application further provide a computer readable storage medium, where the computer readable storage medium stores a computer program executed by the aforementioned data access device, where the computer program includes program instructions, when executed by a processor, can perform the description of the data access method in the embodiment corresponding to fig. 3 and fig. 8, and therefore, a detailed description will not be given here.
In addition, the description of the beneficial effects of the same method is omitted. For technical details not disclosed in the embodiments of the computer-readable storage medium according to the present application, please refer to the description of the method embodiments of the present application. As an example, the program instructions may be deployed to be executed on one computer device or on multiple computer devices at one site or, alternatively, on multiple computer devices distributed across multiple sites and interconnected by a communication network, where the multiple computer devices distributed across multiple sites and interconnected by a communication network may constitute a blockchain system.
In addition, it should be noted that: embodiments of the present application also provide a computer program product or computer program that may include computer instructions that may be stored in a computer-readable storage medium. The processor of the computer device reads the computer instructions from the computer readable storage medium, and the processor can execute the computer instructions, so that the computer device performs the description of the data access method in the embodiment corresponding to fig. 3 and fig. 8, and thus, a detailed description will not be given here. In addition, the description of the beneficial effects of the same method is omitted. For technical details not disclosed in the computer program product or the computer program embodiments related to the present application, please refer to the description of the method embodiments of the present application.
In the above embodiments, when the operation information of the login object and the object information such as the behavior log of the login object are required, the permission or consent of the login object is required, and the relevant laws and regulations of the relevant country and region are required to be complied with.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of action combinations, but it should be understood by those skilled in the art that the present application is not limited by the described order of action, as some steps may take other order or be performed simultaneously according to the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required in the present application.
The steps in the method of the embodiment of the application can be sequentially adjusted, combined and deleted according to actual needs.
The modules in the device of the embodiment of the application can be combined, divided and deleted according to actual needs.
those skilled in the art will appreciate that the processes implementing all or part of the methods of the above embodiments may be implemented by a computer program for instructing relevant hardware, and the program may be stored in a computer readable storage medium, and the program may include the processes of the embodiments of the methods as above when executed. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a random-access Memory (Random Access Memory, RAM), or the like.
The foregoing disclosure is illustrative of the present invention and is not to be construed as limiting the scope of the invention, which is defined by the appended claims.

Claims (20)

1. A method of data access, comprising:
if the remote access connection between the first terminal equipment and the second terminal equipment is required to be established, verifying the access legitimacy of the first terminal equipment for the second terminal equipment according to a first remote access ticket of the first terminal equipment to obtain a first verification result, and verifying the access legitimacy of the second terminal equipment for the first terminal equipment according to a second remote access ticket of the second terminal equipment to obtain a second verification result;
If the first verification result indicates that the first terminal equipment has access legitimacy aiming at the second terminal equipment, and the second verification result indicates that the second terminal equipment has access legitimacy aiming at the first terminal equipment, establishing remote access connection between the first terminal equipment and the second terminal equipment;
in the process that the first terminal equipment and the second terminal equipment exchange business data through the remote access connection, detecting the security of the remote access connection to obtain a security detection result;
and if the security detection result indicates that the remote access connection does not have security, interrupting the remote access connection between the first terminal equipment and the second terminal equipment.
2. The method of claim 1, wherein the first remote access ticket of the first terminal device is a data push ticket for reflecting that the first terminal device needs to push data to the first terminal device;
the verifying, according to the first remote access ticket of the first terminal device, the access legitimacy of the first terminal device for the second terminal device, to obtain a first verification result, includes:
acquiring a first remote connection request sent by the first terminal device and directed at the second terminal device, wherein the first remote connection request carries a data push ticket of the first terminal device;
if a check ticket matching the data push ticket exists in a first check ticket database, determining that the first terminal device has access legitimacy for the second terminal device; the first check ticket database comprises check tickets generated according to the device information of terminal devices having data push authority;
generating a first verification result that the first terminal device has access legitimacy for the second terminal device.
3. The method according to claim 2, wherein the method further comprises:
determining the format matching degree between the ticket format of the data push ticket and the ticket format corresponding to the check tickets of the first check ticket database;
if the format matching degree is greater than a format matching degree threshold, determining the content matching degree between the ticket content of the data push ticket and the ticket content of the check tickets of the first check ticket database;
if the first check ticket database contains a check ticket whose content matching degree is greater than the content matching degree threshold, determining that the first check ticket database contains a check ticket matching the data push ticket.
4. The method of claim 3, wherein determining the content matching degree between the ticket content of the data push ticket and the ticket content of the check tickets of the first check ticket database if the format matching degree is greater than the format matching degree threshold comprises:
if the format matching degree is greater than the format matching degree threshold, querying the first check ticket database for a check ticket whose ticket validity period includes a target time, as a target check ticket; the target time is the time at which the first remote connection request is received;
parsing the ticket content of the data push ticket to obtain the object information of a first login object in the data push ticket; the first login object is an object logged in to the first terminal device;
parsing the ticket content of the target check ticket to obtain the object information of the authorized login object in the target check ticket;
determining the object information matching degree between the object information of the first login object and the object information of the authorized login object in the target check ticket;
and determining the object information matching degree as the content matching degree between the ticket content of the data push ticket and the ticket content of the check tickets of the first check ticket database.
5. The method of claim 2, wherein the second remote access ticket of the second terminal device is a data pull ticket for reflecting that the second terminal device needs to pull service data from the first terminal device;
the verifying, according to the second remote access ticket of the second terminal device, the access legitimacy of the second terminal device for the first terminal device, to obtain a second verification result, comprises:
acquiring a second remote connection request sent by the second terminal device and directed at the first terminal device, wherein the second remote connection request carries a data pull ticket of the second terminal device;
if a second check ticket database contains a check ticket matching the data pull ticket, determining a ticket correspondence relation between the data pull ticket and the data push ticket; the check tickets included in the second check ticket database are generated according to the device information of terminal devices having data pull authority;
if the ticket correspondence relation indicates that the data pull ticket and the data push ticket have a ticket binding relationship, determining that the second terminal device has access legitimacy for the first terminal device;
generating a second verification result that the second terminal device has access legitimacy for the first terminal device.
6. The method of claim 5, wherein determining a ticket correspondence between the data pull ticket and the data push ticket if a check ticket matching the data pull ticket exists in a second check ticket database comprises:
if the second check ticket database contains a check ticket matching the data pull ticket, acquiring the ticket identifier of the data pull ticket and the ticket identifier of the data push ticket;
querying, from a correspondence table, ticket correspondence indication information between the data pull ticket and the data push ticket according to the ticket identifier of the data pull ticket and the ticket identifier of the data push ticket;
and determining the ticket correspondence relation between the data pull ticket and the data push ticket according to the queried ticket correspondence indication information.
7. The method of claim 1, wherein the establishing the remote access connection between the first terminal device and the second terminal device if the first verification result indicates that the first terminal device has access legitimacy for the second terminal device and the second verification result indicates that the second terminal device has access legitimacy for the first terminal device comprises:
If the first verification result indicates that the first terminal equipment has access legitimacy aiming at the second terminal equipment, and the second verification result indicates that the second terminal equipment has access legitimacy aiming at the first terminal equipment, generating access connection indication information;
transmitting the access connection indication information to a data forwarding node; the access connection indication information is used for indicating the data forwarding node to forward the remote access data sent by the first terminal device to the second terminal device so as to establish the remote access connection between the first terminal device and the second terminal device.
8. The method according to claim 1, wherein the detecting the security of the remote access connection in the process that the first terminal device and the second terminal device exchange service data through the remote access connection, to obtain a security detection result, comprises:
in the process that the first terminal equipment and the second terminal equipment exchange service data through the remote access connection, forwarding a security detection instruction generated by the first terminal equipment to the second terminal equipment through the remote access connection; the security detection instruction comprises detection request information;
acquiring detection response information returned by the second terminal device based on the security detection instruction;
and detecting the security of the remote access connection according to the detection request information and the detection response information to obtain a security detection result.
9. The method according to claim 8, wherein the detection request information includes object information of a second login object logged into the first terminal device, and the detection response information includes object information of a third login object logged into the second terminal device;
the detecting the security of the remote access connection according to the detection request information and the detection response information to obtain a security detection result comprises the following steps:
determining a data access relation between the second login object and the third login object according to the object information of the second login object and the object information of the third login object;
and if the data access relation is abnormal, generating a security detection result that the remote access connection does not have security.
10. The method according to claim 8, wherein the detection request information indicates detection of a login status of a remote access client in the second terminal device; the remote access client is a client for establishing the remote access connection; the detection response information is the login state of the remote access client in the second terminal equipment;
The detecting the security of the remote access connection according to the detection request information and the detection response information to obtain a security detection result comprises the following steps:
if the login state indicates that the login state of the remote access client in the second terminal equipment is in an interrupt state, generating a security detection result that the remote access connection does not have security;
and if the login state indicates that the current login object of the remote access client in the second terminal device is inconsistent with the login object recorded in the second remote access ticket, generating a security detection result that the remote access connection does not have security.
11. The method according to claim 1, wherein the detecting the security of the remote access connection in the process that the first terminal device and the second terminal device exchange service data through the remote access connection, to obtain a security detection result, comprises:
in the process that the first terminal device and the second terminal device exchange service data through the remote access connection, forwarding a security detection instruction generated by the first terminal device to the second terminal device through the remote access connection; the security detection instruction comprises detection request information;
if the detection response information returned by the second terminal device based on the security detection instruction is not received within a target duration, forwarding the security detection instruction to the second terminal device again through the remote access connection;
and if the number of times the security detection instruction has been forwarded to the second terminal device is greater than a count threshold and the detection response information returned by the second terminal device based on the security detection instruction has still not been received, generating a security detection result that the remote access connection does not have security.
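The detection loop of claims 10 and 11 in code, as an added example that is not part of the patent: a detection instruction is forwarded, a missing reply is re-forwarded until a count threshold is exceeded, and a received login state is judged against the login object recorded in the second remote access ticket. The transport hook, the `LoginState` fields and the result type are assumptions; the claims name the checks but not their encoding.

```python
"""Added example (not the patent's own code): security detection of
claims 10 and 11 over a remote access connection. The `forward` hook
stands in for the connection and returns None when no detection response
arrived within the target duration (timeout handling lives in the hook)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class LoginState:
    interrupted: bool           # remote access client session dropped / logged out
    current_login_object: str   # object currently logged into the client


@dataclass
class SecurityDetectionResult:
    secure: bool
    reason: str


Transport = Callable[[dict], Optional[LoginState]]  # assumed hook signature


def detect_connection_security(forward: Transport, ticket_login_object: str,
                               count_threshold: int = 3) -> SecurityDetectionResult:
    instruction = {"type": "security_detection", "request": "login_status"}
    response = None
    forwards = 0
    # Claim 11: forward, and re-forward after every timeout, until a reply
    # arrives or the number of forwards exceeds the count threshold.
    while response is None and forwards <= count_threshold:
        response = forward(instruction)
        forwards += 1
    if response is None:
        return SecurityDetectionResult(False, f"no detection response after {forwards} forwards")
    # Claim 10: an interrupted client login means the connection is no longer secure.
    if response.interrupted:
        return SecurityDetectionResult(False, "remote access client login interrupted")
    # Claim 10: the current login object must match the one recorded in the ticket.
    if response.current_login_object != ticket_login_object:
        return SecurityDetectionResult(False, "login object differs from ticket")
    return SecurityDetectionResult(True, "login state matches ticket")


def scripted_transport(replies) -> Transport:
    """Constructed test transport: returns the scripted replies in order;
    None models a reply that did not arrive within the target duration."""
    it = iter(replies)
    return lambda _instruction: next(it, None)
```

A silent peer is only declared insecure after the retry budget is spent, so a single lost reply does not tear the connection down.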
12. The method of claim 5, wherein the method further comprises:
after the first terminal device receives a remote access request sent by the second terminal device, receiving a first ticket generation request generated by the first terminal device based on the remote access request; the first ticket generation request carries first device information of the first terminal device;
checking, according to the first device information of the first terminal device, the access right of the first terminal device for the second terminal device to obtain a first device check result;
if the first device check result indicates that the first terminal device has the access right for the second terminal device, generating a first verification ticket corresponding to the first terminal device according to the first device information;
and storing the first verification ticket corresponding to the first terminal device into the first verification ticket database.
13. The method according to claim 12, wherein the method further comprises:
receiving a second ticket generation request generated by the second terminal device based on the remote access request; the second ticket generation request carries second device information of the second terminal device;
checking, according to the second device information of the second terminal device, the access right of the second terminal device for the first terminal device to obtain a second device check result;
if the second device check result indicates that the second terminal device has access legitimacy for the first terminal device, generating a second verification ticket corresponding to the second terminal device according to the second device information;
and storing the second verification ticket corresponding to the second terminal device into the second verification ticket database.
14. The method of claim 13, wherein the second device information of the second terminal device comprises a device operation log of the second terminal device and a second current login object of the second terminal device at the time the second ticket generation request is generated;
and the checking, according to the second device information of the second terminal device, the access right of the second terminal device for the first terminal device to obtain a second device check result comprises:
determining the device credibility of the second terminal device according to the device operation log of the second terminal device;
if the device credibility of the second terminal device is greater than or equal to a first credibility threshold, acquiring object characteristic information of the login object of the second terminal device, and determining the object credibility of the second current login object according to the object characteristic information of the login object;
if the object credibility of the second current login object is greater than or equal to a second credibility threshold, determining the data pulling authority of the second current login object for the first terminal device according to the object characteristic information of the second current login object;
and if the data pulling authority indicates that the second current login object has the authority to pull the multimedia data of the first terminal device, generating a second device check result that the second terminal device has the access right for the first terminal device.
15. The method of claim 14, wherein the first device information comprises a first current login object of the first terminal device at the time the first ticket generation request is generated; the method further comprises:
establishing an object matching relationship between the authorized login object of the first verification ticket and the authorized login object of the second verification ticket; the authorized login object of the first verification ticket is the first current login object, and the authorized login object of the second verification ticket is the second current login object;
establishing a device matching relationship between the first terminal device and the second terminal device, and establishing an identifier matching relationship between the ticket identifier of the first verification ticket and the ticket identifier of the second verification ticket;
generating, according to the object matching relationship, the device matching relationship and the identifier matching relationship, ticket correspondence indication information indicating the ticket binding relationship between the first verification ticket and the second verification ticket;
and storing the ticket correspondence indication information indicating the ticket binding relationship between the first verification ticket and the second verification ticket into a correspondence table.
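The binding of claim 15 as an added example, not the patent's own code: the three matching relationships (login object, device, ticket identifier) are recorded in a correspondence table, and a later lookup accepts a pair of tickets only if that exact pair was bound together. The ticket fields and table layout are assumptions; the point is that two individually valid tickets which were never bound to each other, or a ticket whose login object has since changed, do not match.

```python
"""Added example (not the patent's own code): ticket binding relationship
of claim 15. Field names and the table encoding are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VerificationTicket:
    ticket_id: str       # ticket identifier
    device_id: str       # terminal device the ticket was issued for
    login_object: str    # authorized login object (current login object at issue time)


def bind_tickets(first: VerificationTicket, second: VerificationTicket) -> dict:
    """Ticket correspondence indication information: the object, device and
    identifier matching relationships between the two tickets."""
    return {
        "object_match": (first.login_object, second.login_object),
        "device_match": (first.device_id, second.device_id),
        "id_match": (first.ticket_id, second.ticket_id),
    }


def store_binding(table: dict, first: VerificationTicket, second: VerificationTicket) -> None:
    # Keyed by the identifier pair so the check at connection time is one lookup.
    table[(first.ticket_id, second.ticket_id)] = bind_tickets(first, second)


def tickets_are_bound(table: dict, first: VerificationTicket, second: VerificationTicket) -> bool:
    """True only if this (first, second) pair was bound and every recorded
    relationship still holds for the tickets presented now."""
    entry = table.get((first.ticket_id, second.ticket_id))
    return entry is not None and entry == bind_tickets(first, second)
```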
16. The method according to claim 12, wherein the method further comprises:
acquiring a remote access request sent by the second terminal device and directed at the first terminal device;
if the first terminal device belongs to an authorized terminal device list, acquiring first device information of the first terminal device and second device information of the second terminal device according to the remote access request; the authorized terminal device list comprises the terminal devices that the second terminal device has access authority for;
detecting a first access state of the first terminal device according to the first device information, and detecting a second access state of the second terminal device according to the second device information;
and if the first access state indicates that the first terminal device is in an accessible state and the second access state indicates that the second terminal device is in an accessible state, sending the remote access request to the first terminal device.
17. A data access device, comprising:
a verification module, configured to, if a remote access connection between a first terminal device and a second terminal device needs to be established, verify the access legitimacy of the first terminal device for the second terminal device according to a first remote access ticket of the first terminal device to obtain a first verification result, and verify the access legitimacy of the second terminal device for the first terminal device according to a second remote access ticket of the second terminal device to obtain a second verification result;
a first establishing module, configured to establish the remote access connection between the first terminal device and the second terminal device if the first verification result indicates that the first terminal device has access legitimacy for the second terminal device and the second verification result indicates that the second terminal device has access legitimacy for the first terminal device;
a security detection module, configured to detect the security of the remote access connection in the process that the first terminal device and the second terminal device exchange service data through the remote access connection, to obtain a security detection result;
and an interruption module, configured to interrupt the remote access connection between the first terminal device and the second terminal device if the security detection result indicates that the remote access connection does not have security.
18. A computer device, comprising: a processor and a memory;
the processor is connected to the memory, wherein the memory is configured to store a computer program, and the processor is configured to invoke the computer program to cause the computer device to perform the method of any one of claims 1-16.
19. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program adapted to be loaded and executed by a processor to cause a computer device having the processor to perform the method of any of claims 1-16.
20. A computer program product or computer program, characterized in that it comprises computer instructions stored in a computer-readable storage medium, which are adapted to be read and executed by a processor to cause a computer device with the processor to perform the method of any of claims 1-16.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211174424.0A CN117811754A (en) 2022-09-26 2022-09-26 Data access method, device, storage medium and equipment

Publications (1)

Publication Number Publication Date
CN117811754A true CN117811754A (en) 2024-04-02

Family

ID=90420913

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination